on 27-Nov-2018 17:14
So if any of you has sat in a tech talk of mine, I am sure you have heard me mention the use of F5 app tunnels or split tunnel VPNs. The capability is very similar to the network access article I wrote on DevCentral, which can be found here, though in this case we are using a split tunnel capability to allow VPN access to a single application.
When might this be useful? Well, the use cases I have seen are logical out-of-band management solutions and the case where a user requires network access to internal resources but does not have permission to install a VPN client on their workstation.
When you create an app tunnel object, that object is simply a container that holds app tunnel resources. Once you specify those resources within the app tunnel resource, you can assign the resource to an access policy.
Note: This is the application on the client side that will be launched when the app tunnel is selected from the webtop. I am using Chrome as an example, though real-world use cases can also include other apps such as PuTTY to access resources in an organization's DMZ over port 22.
Note: If using Host Name, ensure the hostname or FQDN is resolvable by the client that will be connecting to this resource. If you use a DNS name and the resource does not show up on the webtop, it is because the client is unable to resolve that name.
In this how-to guide, we created a per-app VPN to the BIG-IP Traffic Management User Interface as a quick example. So as not to lose everyone, I did not include authentication or endpoint checks, as they would have increased the size of this guide significantly. However, to give you an idea of what a complete solution may look like, take a look at the VPE below. Until next time!
Hi,
Just curious about two things:
Piotr
Hi Piotr! Good questions...find responses inline.
Steve - You are correct. I used Chrome as one example but one of the most common use cases I see in my customer base is using putty to access a network device over SSH. So, in that case, you would use putty as the program versus Chrome but honestly, you can launch almost any app that you know will be installed on the workstation of the user that will be using the app tunnel.
Steve - In this example, I am accessing the BIG-IP management UI of the same device, though it doesn't have to be. When you define a resource it can be the same device or a different one. To be transparent regarding my use case, I actually got frustrated using portal access because of the JavaScript rewrites required, which caused a bit of latency. Certainly, for most apps that is not an issue, but in my case I wanted to find a solution that could provide an encrypted tunnel internally without exposing something via a virtual server (though you can). I will say, though, one downfall of using app tunnels is the lack of SSO, which portal access does provide. Hope this helps, but if it doesn't, let's keep the conversation going. Let me know.
Hi,
Thanks for the answer. I was surprised that it is so easy to access the MGMT IP of the BIG-IP that holds the App tunnel definition. Good to know that achieving such a result is really easy 🙂
Piotr
Hi Steve,
What adjustments would you make to allow SSH to a resource using your Per-App VPN Guide? I got the Chrome example to work where the resource was pointed to another F5 but curious about SSH using Putty.
Good question Shann_P. Check out the screenshot below. With this config, putty.exe is launched and connects to the host 10.1.1.246.
Your second paragraph " When might this be useful? Well the use cases I have seen are for logical Out of Band management solutions and in the event, a user requires network access to internal resources though they do not have permissions to install a VPN client on their workstation. "
Q1: I must be missing something - how does this work without a VPN client? How does the putty client know to tunnel via APM session (Browser)?
Q2: Can the user enter the IP they want to connect to on the back-end for SSH/RDP, OR does this only work if the webtop / resource is statically pre-defined for the user? (ex: I have 1000s of servers on the back-end I would like users to SSH/RDP to).
Thank you!
Q1: Since the writing of this article, F5 replaced NPAPI plug-ins with F5 Helper Applications for all browsers except Internet Explorer, and then replaced the ActiveX control for Internet Explorer in version 14.1.0. To my knowledge, the EPS helper app required for app tunnels does not require administrative privileges to install.
AskF5 | Release Notes: F5 Helper Applications for Chrome, Firefox, and Edge Browsers for BIG-IP 13.0
The helper app then updates routes based on the app tunnel configuration object. This defines an app-to-network association, which is much different from a full VPN network tunnel, which you can certainly do using the Edge client but which requires administrative privileges to install.
Q2: In my experience I have always used a static resource; however, I do believe you can configure an IP range of resources. From a security standpoint, though, I would be very cautious not to allow users access to an entire enterprise unless additional endpoint checks, etc. are performed. To limit the resources users can access, simply define an ACL on the app tunnel resource object.
Hope this helps.
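As an added example that is not part of the original article or of F5's own tooling, the following Python pre-flight check models two points from this page: the guide's note that a host name the client cannot resolve never appears on the webtop, and the caution above that a resource ACL should be narrow. The resource names, the `putty.exe`/`chrome.exe` program names, the `bigip.example.test` host and the `(network, port)` ACL format are constructed assumptions, not APM syntax.

```python
# Added example, not code from the article or from F5: a pre-flight check for
# app tunnel resource definitions, modelling two page points: an unresolvable
# host name never shows on the webtop, and a resource ACL should be narrow.
import ipaddress
import socket
from dataclasses import dataclass

@dataclass
class AppTunnelResource:
    name: str   # resource name shown on the webtop
    app: str    # client-side program launched, e.g. putty.exe
    host: str   # destination host name or IP address
    port: int   # destination port, e.g. 22 for SSH
    acl: list   # (network, port) pairs this resource is allowed to reach

def default_resolver(host):
    try:  # resolve the name the way the client would; None when it fails
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None

def check_resource(res, resolver=default_resolver, min_prefixlen=24):
    """Return a list of findings; an empty list means the resource is sound."""
    findings = []
    try:
        ip = ipaddress.ip_address(res.host)
    except ValueError:
        resolved = resolver(res.host)
        if resolved is None:
            findings.append(f"{res.name}: {res.host} does not resolve, "
                            "so it will not appear on the webtop")
            return findings
        ip = ipaddress.ip_address(resolved)
    # The ACL must permit the exact destination the launched app connects to.
    if not any(ip in ipaddress.ip_network(net) and port == res.port
               for net, port in res.acl):
        findings.append(f"{res.name}: ACL does not allow {ip}:{res.port}")
    # Flag ACL entries broad enough to expose large parts of the network.
    for net, port in res.acl:
        if ipaddress.ip_network(net).prefixlen < min_prefixlen:
            findings.append(f"{res.name}: ACL entry {net} port {port} is "
                            f"broader than /{min_prefixlen}")
    return findings

# Constructed samples: the PuTTY resource from the thread, and a TMUI one.
SSH_CORE = AppTunnelResource("ssh-core", "putty.exe", "10.1.1.246", 22,
                             [("10.1.1.246/32", 22)])
TMUI = AppTunnelResource("tmui", "chrome.exe", "bigip.example.test", 443,
                         [("10.0.0.0/8", 443)])
```

Run `check_resource(r)` on each resource before assigning it to the access policy; pass a custom `resolver` to simulate the client's DNS view.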