Configuring a Per-App VPN Using F5 App Tunnels

Steve_Lyons · ‎27-Nov-2018

So if anyone of you has sat in a tech talk of mine, I am sure you have heard me mention the use of F5 app tunnels or split tunnel VPN's. The capability is very similar to the article I wrote about in regards to network access on DevCentral which can be found here though in this case, we are using a split tunnel capability to allow VPN access to a single application.

When might this be useful? Well the use cases I have seen are for logical Out of Band management solutions and in the event, a user requires network access to internal resources though they do not have permissions to install a VPN client on their workstation.

Prerequisites

LTM licensed and provisioned
APM licensed and provisioned

Create a Connectivity Profile

Navigate to Access >> Connectivity / VPN >> Profiles.
Click Add.

Profile Name*: demo_connectivity_profile
Parent Profile*: /Common/connectivity
Click OK.

Create a Webtop

Navigate to Access >> Webtops >> Webtop Lists.
Click Create.

Name: demo_webtop
Type: Full
Click Finished.

Create an App Tunnel Object

When you create an app tunnel object, that object becomes a simple container that holds app tunnel resources. Once you specify those resources from within the app tunnel resource, you can then assign the resource to an access policy.

Navigate to Access >> Connectivity / VPN >> App Tunnels .
Click Create.

Name: demo_app_tunnel
Caption: demo_app_tunnel
Click Create.

Configure an App Tunnel Resource

Navigate to Access >> Connectivity / VPN > >App Tunnels .
Click demo_app_tunnel.
Under Resource Items, click Add.

Destination: 10.1.20.134
Port(s): 443
Application Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Note: This is the application on the client side that will be launched when the app tunnel is selected from the webtop. I am using Chrome as an example though real-world use cases can also include other apps such as putty to access resources in an organizations DMZ over port 22.

Parameters: https://%host%/xui

Note: If using Host Name, ensure the hostname or fqdn is resolvable by the client that will be connecting to this resource. If you use DNS and it does not show up on the webtop, it is due to the client being unable to resolve that resource.

Click Finished.

Create a Per-Session Access Policy

Navigate to Access > > Profiles / Policies >> Profiles / Policies : Access Profiles (Per-Session Policies).
Click Create.

Name: demo_ap
Profile Type: All
Profile Scope: Profile
Languages: The language of your choice
Click Finished.

When redirected back to the Access Profiles page, select Edit in the same row as the access policy created in the previous step.

Between Start and Deny click +.

From the Assignment tab, select Advanced Resource Assign.
Click Add Item.

Click Add new entry.

Click Add/Delete.

From the App Tunnel tab, select the app tunnel created in previous steps.

From the Webtop tab, select demo_webtop.

Click Update.
Click Save.
Select Deny from the Visual Policy Editor (VPE).
Change the ending to Allow.

Click Save.
Click Apply Access Policy.

Create a Virtual Server and Assign Resources

Navigate to Local Traffic >> Virtual Servers.
Click Create.

Name: demo_app_tunnel
Type: Standard
Destination Address/Mask: 10.1.10.123
Service Port: 443

Protocol Profile (Client): f5-tcp-wan
HTTP Profile: http
SSL Profile (Client): clientssl
SSL Profile (Server): serverssl

Source Address Translation: Auto Map

Access Profile: demo_ap
Connectivity Profile: demo_connectivity_profile

Click Finished.

Validating App Tunnel Functionality

Navigate to a browser of your choice and attempt to access the IP or hostname of the virtual server created in the previous step.
From the webtop, click demo_app_tunnel.

If prompted with a Security Alert regarding a Network Access/Application Tunnel attempt, click either the Add or Allow option.

If prompted regarding launching an application, click Yes.

In this example, Chrome is launched and navigated to the portal access resource created in the steps above.

You can also launch the F5 VPN icon in the system tray which will show the results of your tunnel.

In this how-to guide, we successfully created a per-app VPN to the BIG-IP Traffic Management User Interface as a quick example. So I didn't lose everyone, I did not include authentication or endpoint checks as it would have certainly increased the size of this guide significantly. However, to give you an idea of what a complete solution may look like, take a look at the VPE below. Until next time!

dragonflymr · ‎03-Dec-2018

Hi,

Just curious about two things:

Launching Chrome is just to show that it's possible to launch specific app when using App Tunnel - to access Webtop we need anyway to use some browser - Am I right?
BIG-IP Management accessed via App tunnel is on the same BIG-IP where App Tunnel is defined or it's another BIG-IP?

Piotr

Steve_Lyons · ‎03-Dec-2018

Hi Piotr! Good questions...find responses in line.

Launching Chrome is just to show that it's possible to launch a specific app when using App Tunnel - to access Webtop we need anyway to use some browser - Am I right?

Steve - You are correct. I used Chrome as one example but one of the most common use cases I see in my customer base is using putty to access a network device over SSH. So, in that case, you would use putty as the program versus Chrome but honestly, you can launch almost any app that you know will be installed on the workstation of the user that will be using the app tunnel.

BIG-IP Management accessed via App tunnel is on the same BIG-IP where App Tunnel is defined or it's another BIG-IP?

Steve - In this example, I am accessing the BIG-IP management UI of the same device though it doesn't have to be. When you define a resource it can be the same device or different. To be transparent regarding my use case, I actually got frustrated using portal access because of the javascript rewrites required which caused a bit of latency. Certainly, for most apps that is not an issue but in my case I wanted to find a solution that could provide an encrypted tunnel internally without exposing something via virtual server (though you can). I will say though one downfall of using apptunnels is the lack of SSO which portal access does provide. Hope this helps but if it doesn't lets keep tthe conversation going. Let me know.

dragonflymr · ‎03-Dec-2018

Hi,

Thanks for answer, I was surprised that it is so easy to access MGMT IP of BIG-IP that holds App tunnel definition. Good to know that achieving such result is really easy 🙂

Piotr

Shann_P_160848 · ‎04-Dec-2018

Hi Steve,

What adjustments would you make to allow SSH to a resource using your Per-App VPN Guide? I got the Chrome example to work where the resource was pointed to another F5 but curious about SSH using Putty.

Steve_Lyons · ‎04-Dec-2018

Good question Shann_P. Check out the screenshot below. With this config, putty.exe is launched and connects to the host 10.1.1.246.

Shann_P_160848 · ‎04-Dec-2018

Thanks Steve!

Songseajoon_222 · ‎17-Dec-2018

Thank you so much!!

jk303 · ‎03-May-2021

Your second paragraph " When might this be useful? Well the use cases I have seen are for logical Out of Band management solutions and in the event, a user requires network access to internal resources though they do not have permissions to install a VPN client on their workstation. "

Q1: I must be missing something - how does this work without a VPN client? How does the putty client know to tunnel via APM session (Browser)?

Q2: Can user enter the IP they want to connect on the back-end for ssh/rdp OR does this only work if the webtop / resource is statically per-defined for the user? (ex: I have 1000s of servers on the back-end I would like users to ssh/rdp to).

Thank you!

Steve_Lyons · ‎03-May-2021

Q1: , since the writing of this article, F5 replaced NPAPI plug-ins with F5 Helper Applications for all browsers except Internet Explorer, and then replaced ActiveX control for Internet Explorer in version 14.1.0. To my knowledge, the EPS helper app required for app tunnels does not require administrative privilege's to install.

AskF5 | Release Notes: F5 Helper Applications for Chrome, Firefox, and Edge Browsers for BIG-IP 13.0

The helper app then updates routes based on the app tunnel configuration object. This defines an app to network association which is much different than a full VPN network tunnel which you can certainly do using the Edge client but that requires administrative privilege's to install.

Q2: In my experience I have always used a static resource, however I do believe you can configure an IP range of resources. From a security standpoint though, I would be very cautious to not allow users access to an entire enterprise unless additional end point checks, etc. are performed. To limit the resources users can access, simply define an ACL on the app tunnel resource object.

Hope this helps.