So if any of you has sat in a tech talk of mine, I am sure you have heard me mention the use of F5 app tunnels or split tunnel VPNs. The capability is very similar to the one I covered in my DevCentral article on network access, which can be found here, though in this case we are using a split tunnel capability to allow VPN access to a single application.

When might this be useful? The use cases I have seen are logical out-of-band management solutions, and situations where a user requires network access to internal resources but does not have permission to install a VPN client on their workstation.



  • LTM licensed and provisioned
  • APM licensed and provisioned

Create a Connectivity Profile

  • Navigate to Access >> Connectivity / VPN >> Profiles.
  • Click Add.


  • Profile Name*: demo_connectivity_profile
  • Parent Profile*: /Common/connectivity
  • Click OK.


Create a Webtop

  • Navigate to Access >> Webtops >> Webtop Lists.
  • Click Create.


  • Name: demo_webtop
  • Type: Full
  • Click Finished.


Create an App Tunnel Object

When you create an app tunnel object, that object becomes a simple container that holds app tunnel resources. Once you specify those resources from within the app tunnel resource, you can then assign the resource to an access policy.

  • Navigate to Access >> Connectivity / VPN >> App Tunnels.
  • Click Create.


  • Name: demo_app_tunnel
  • Caption: demo_app_tunnel
  • Click Create.


Configure an App Tunnel Resource

  • Navigate to Access >> Connectivity / VPN >> App Tunnels.
  • Click demo_app_tunnel.
  • Under Resource Items, click Add.


  • Destination:
  • Port(s): 443
  • Application Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Note: This is the application on the client side that will be launched when the app tunnel is selected from the webtop. I am using Chrome as an example, though real-world use cases can also include other apps such as PuTTY to access resources in an organization's DMZ over port 22.

  • Parameters: https://%host%/xui

Note: If using Host Name, ensure the hostname or FQDN is resolvable by the client that will be connecting to this resource. If you use a DNS name and the resource does not show up on the webtop, it is because the client is unable to resolve that resource.

  • Click Finished.


Create a Per-Session Access Policy

  • Navigate to Access >> Profiles / Policies >> Profiles / Policies : Access Profiles (Per-Session Policies).
  • Click Create.


  • Name: demo_ap
  • Profile Type: All
  • Profile Scope: Profile
  • Languages: The language of your choice
  • Click Finished.



  • When redirected back to the Access Profiles page, select Edit in the same row as the access policy created in the previous step.


  • Between Start and Deny click +.


  • From the Assignment tab, select Advanced Resource Assign.
  • Click Add Item.


  • Click Add new entry.


  • Click Add/Delete.


  • From the App Tunnel tab, select the app tunnel created in the previous steps.


  • From the Webtop tab, select demo_webtop.


  • Click Update.
  • Click Save.
  • Select Deny from the Visual Policy Editor (VPE).
  • Change the ending to Allow.


  • Click Save.
  • Click Apply Access Policy.

Create a Virtual Server and Assign Resources

  • Navigate to Local Traffic >> Virtual Servers.
  • Click Create.


  • Name: demo_app_tunnel
  • Type: Standard
  • Destination Address/Mask:
  • Service Port: 443


  • Protocol Profile (Client): f5-tcp-wan
  • HTTP Profile: http
  • SSL Profile (Client): clientssl
  • SSL Profile (Server): serverssl


  • Source Address Translation: Auto Map


  • Access Profile: demo_ap
  • Connectivity Profile: demo_connectivity_profile


  • Click Finished.

Validating App Tunnel Functionality

  • Navigate to a browser of your choice and attempt to access the IP or hostname of the virtual server created in the previous step.
  • From the webtop, click demo_app_tunnel.


  • If prompted with a Security Alert regarding a Network Access/Application Tunnel attempt, click either the Add or Allow option.


  • If prompted regarding launching an application, click Yes.


  • In this example, Chrome is launched and navigated to the portal access resource created in the steps above.


  • You can also launch the F5 VPN icon in the system tray which will show the results of your tunnel.


In this how-to guide, we successfully created a per-app VPN to the BIG-IP Traffic Management User Interface as a quick example. So that I didn't lose everyone, I did not include authentication or endpoint checks, as they would certainly have increased the size of this guide significantly. However, to give you an idea of what a complete solution may look like, take a look at the VPE below. Until next time!