I am new to APM and have been asked to provide an external vendor connectivity to a specific internal subnet through our existing APM SSL VPN. I know how to add App tunnels and RDP access, I just cannot put my finger on how to grant access to an entire subnet. Would it be a custom ACL? Grasping at straws here. Thanks in advance for any assistance.
I think creating a custom access control list attached to a full webtop seems like the perfect way to solve your problem. There's an F5 article on ACLs here that would be a good place to get started on implementing them in your existing SSL VPN set-up.
Basically, I would have the ACL limit access to a specific destination IP address range (the range being the subnet) for this external vendor. There are a couple of different ways of doing it, but the basic principle would be the same across the board. The benefit of an ACL is that it is highly customizable; you can set it up however you want.
Feel free to ask if you have any follow-up questions,
Thanks for the feedback. So, I have created a custom ACL and applied it to a full webtop. I have no idea what this vendor intends to do once connected (RDP or SSH into a server, something else, etc.), so I guess my question now becomes: how do they access what they need? They are used to having a full VPN client, connecting to our network and just opening up the native Windows applications they need to use. Now, it would seem that any application access would need to be initiated through the webtop. Am I correct in this thinking? If so, how would they do that, since just opening the native Windows applications would bypass the SSL VPN and try to go out their standard Internet connection?
For your need, you will have to implement a specific VPN. So if you want to restrict access to a specific VLAN, I suppose you will use split tunneling for traffic. In this case you will be able to specify only the VLAN that you want to reach through your VPN (other traffic will go directly to the Internet).
The second point: in order to enhance security, you have to create a specific ACL in order to allow the desired network. Once you create the ACL you can add it in your VPE.
Let me know if you need more details.
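The two answers above describe two separate layers: the ACL (what BIG-IP permits once traffic is inside the session) and the split-tunnel include list (what the vendor's client routes into the tunnel at all). The following Python model, added here as an illustration and not code from the thread or from F5, evaluates a destination against both layers the way a packet from the vendor's laptop would experience them. The 10.50.20.0/24 subnet, the ACL entries and the "no match means reject" default are constructed assumptions for the example; APM's own ACL entry layout and default action are not reproduced here.

```python
"""Model of the two layers that decide whether an external vendor's traffic
reaches an internal subnet over an SSL VPN: the client-side split-tunnel
include list and the per-session ACL.  Added illustration; addresses, ports
and the ACL layout are constructed, and the fallback action is an assumption."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    """One ACL line. Entries are evaluated in order; the first match wins."""
    action: str                     # "allow" or "reject"
    dst: ipaddress.IPv4Network      # destination subnet
    protocol: str = "any"           # "tcp", "udp" or "any"
    dst_port: Optional[int] = None  # None matches any destination port


# Constructed example: the one internal subnet the vendor is allowed to reach.
VENDOR_SUBNET = ipaddress.ip_network("10.50.20.0/24")

# ACL for the vendor session: RDP and SSH into that subnet, then reject all.
# The explicit final reject keeps the result independent of platform defaults.
VENDOR_ACL: List[AclEntry] = [
    AclEntry("allow", VENDOR_SUBNET, "tcp", 3389),
    AclEntry("allow", VENDOR_SUBNET, "tcp", 22),
    AclEntry("reject", ipaddress.ip_network("0.0.0.0/0")),
]

# Split-tunnel include list: only these prefixes are routed into the tunnel;
# everything else leaves the vendor's laptop on its normal Internet path.
SPLIT_INCLUDE: List[ipaddress.IPv4Network] = [VENDOR_SUBNET]


def acl_decision(acl: List[AclEntry], dst_ip: str, protocol: str, dst_port: int) -> str:
    """First-match ACL evaluation. Assumption for this model: no match means reject."""
    ip = ipaddress.ip_address(dst_ip)
    for entry in acl:
        if ip not in entry.dst:
            continue
        if entry.protocol != "any" and entry.protocol != protocol:
            continue
        if entry.dst_port is not None and entry.dst_port != dst_port:
            continue
        return entry.action
    return "reject"


def client_route(split_include: List[ipaddress.IPv4Network], dst_ip: str) -> str:
    """'tunnel' if the client sends this destination into the VPN, else 'direct'."""
    ip = ipaddress.ip_address(dst_ip)
    return "tunnel" if any(ip in net for net in split_include) else "direct"


def vendor_outcome(dst_ip: str, protocol: str, dst_port: int,
                   acl: List[AclEntry] = VENDOR_ACL,
                   split_include: List[ipaddress.IPv4Network] = SPLIT_INCLUDE) -> str:
    """Combine both layers: routing happens on the client first, the ACL only
    sees what actually arrives through the tunnel."""
    if client_route(split_include, dst_ip) == "direct":
        return "bypasses VPN"  # never reaches BIG-IP, so the ACL cannot help here
    if acl_decision(acl, dst_ip, protocol, dst_port) == "allow":
        return "allowed"
    return "blocked by ACL"


if __name__ == "__main__":
    full_tunnel = [ipaddress.ip_network("0.0.0.0/0")]
    print("RDP to subnet     :", vendor_outcome("10.50.20.15", "tcp", 3389))
    print("SMB to subnet     :", vendor_outcome("10.50.20.15", "tcp", 445))
    print("RDP elsewhere     :", vendor_outcome("10.60.0.5", "tcp", 3389))
    print("web, full tunnel  :", vendor_outcome("8.8.8.8", "tcp", 443, split_include=full_tunnel))
```

Two cases are worth noticing. A destination inside the include list but not in the ACL is "blocked by ACL", which is the layer that actually enforces the restriction. A destination outside the include list "bypasses VPN" no matter what the ACL says, which is why the vendor's native Windows applications keep working for their ordinary Internet traffic while only the included subnet goes through the tunnel; with a full tunnel and the same reject-all ACL, that same Internet traffic would be dropped instead.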
Thank you for your response. I think I am going down the (somewhat) correct path now.
Sounds good! Just keep in mind that, as of Windows 10 v. 1809, split tunneling is no longer supported and causes connectivity issues, as detailed here. But if you're using any other OS, you should be golden.