How can I configure a split-tunnel on APM for all the private IPs but also include some FQDNs that resolve to public IPs to go through the tunnel?
You should be able to achieve this with Address spaces (Access ›› Connectivity / VPN : Network Access (VPN) : Address Spaces)
Fill in the publicIP's of the application, together with their FQDN's, and then attach it to the tunnel, under the Split Tunneling section. More details: https://techdocs.f5.com/en-us/bigip-16-1-0/big-ip-access-policy-manager-network-access/configuring-a...
Please note though that this address space only exists since version 16.1. If you are running on earlier versions, you should be able to achieve the same result with with the IP address space and DNS address space directly under the Split Tunneling configuration.
Hope this helps.
@AlexBCT I see IP and DNS space in my settings. Can I just put the RFC 1918 space in the IP space tab and add public app's fqdn with wildcard for e.g. *.example.com in DNS space? Will this ensure all the private IPs along with any traffic to that public fqdn passes through the VPN tunnel? I'm little confused with the description has provided for these tabs.
Thank you so much for your response.
Should I list the IPs of the public apps in the IP space? there are far too many for me to get a list. I thought a wildcard as mentioned above in the DNS space would solve my issue here. AM I wrong with that?
Yes, filling in the Public IP's as well as the FQDN's is what's needed - this will ensure the correct routes get injected when the tunnel gets created and the traffic traverses the tunnel. Yes, you can also use wildcards, as well as subnet definitions. If you have a whole bunch of separate IP's though, that will be quite a bit of work indeed.
If possible, you may then want to have a look at using the dynamic Address Space feature, which relies on an endpoint (Discovery URL) somewhere that contains (and maintains) a list of IP's that are relevant for that application. There are two predefined examples for Zoom and Office365 that you can use as examples.
For the rest I'd recommend just giving a test, and see where the traffic gets routed through.
Hope this helps.
@AlexBCT Thanks for your response. I tried placing the wildcards(for e.g. *.example.com) in the DNS address space under Network settings in Connectivity/VPN tab. DNS requests are traversing the tunnel but http traffic to site.example.com is not traversing the tunnel. I donot want to add the IPs of all the sites/apps as they are too many and dynamic. Can you please help configure this?Thanks.