Configuring a Per-App VPN Using F5 App Tunnels

So if anyone of you has sat in a tech talk of mine, I am sure you have heard me mention the use of F5 app tunnels or split tunnel VPN's. The capability is very similar to the article I wrote about in regards to network access on DevCentral which can be found here though in this case, we are using a split tunnel capability to allow VPN access to a single application.

When might this be useful? Well the use cases I have seen are for logical Out of Band management solutions and in the event, a user requires network access to internal resources though they do not have permissions to install a VPN client on their workstation.

Prerequisites

  • LTM licensed and provisioned
  • APM licensed and provisioned

Create a Connectivity Profile

  • Navigate to Access >> Connectivity / VPN >> Profiles.
  • Click Add.

  • Profile Name*: demo_connectivity_profile
  • Parent Profile*: /Common/connectivity
  • Click OK.

Create a Webtop

  • Navigate to Access >> Webtops >> Webtop Lists.
  • Click Create.

  • Name: demo_webtop
  • Type: Full
  • Click Finished.

Create an App Tunnel Object

When you create an app tunnel object, that object becomes a simple container that holds app tunnel resources. Once you specify those resources from within the app tunnel resource, you can then assign the resource to an access policy.

  • Navigate to Access >> Connectivity / VPN >> App Tunnels .
  • Click Create.

  • Name: demo_app_tunnel
  • Caption: demo_app_tunnel
  • Click Create.

Configure an App Tunnel Resource

  • Navigate to Access >> Connectivity / VPN > >App Tunnels .
  • Click demo_app_tunnel.
  • Under Resource Items, click Add.

  • Destination: 10.1.20.134
  • Port(s): 443
  • Application Path: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

Note: This is the application on the client side that will be launched when the app tunnel is selected from the webtop. I am using Chrome as an example though real-world use cases can also include other apps such as putty to access resources in an organizations DMZ over port 22.

  • Parameters: https://%host%/xui

Note: If using Host Name, ensure the hostname or fqdn is resolvable by the client that will be connecting to this resource. If you use DNS and it does not show up on the webtop, it is due to the client being unable to resolve that resource.

  • Click Finished.

Create a Per-Session Access Policy

  • Navigate to Access > > Profiles / Policies >> Profiles / Policies : Access Profiles (Per-Session Policies).
  • Click Create.

  • Name: demo_ap
  • Profile Type: All
  • Profile Scope: Profile
  • Languages: The language of your choice
  • Click Finished.

  • When redirected back to the Access Profiles page, select Edit in the same row as the access policy created in the previous step.

  • Between Start and Deny click +.

  • From the Assignment tab, select Advanced Resource Assign.
  • Click Add Item.

  • Click Add new entry.

  • Click Add/Delete.

  • From the App Tunnel tab, select the app tunnel created in previous steps.

  • From the Webtop tab, select demo_webtop.

  • Click Update.
  • Click Save.
  • Select Deny from the Visual Policy Editor (VPE).
  • Change the ending to Allow.

  • Click Save.
  • Click Apply Access Policy.

Create a Virtual Server and Assign Resources

  • Navigate to Local Traffic >> Virtual Servers.
  • Click Create.

  • Name: demo_app_tunnel
  • Type: Standard
  • Destination Address/Mask: 10.1.10.123
  • Service Port: 443

  • Protocol Profile (Client): f5-tcp-wan
  • HTTP Profile: http
  • SSL Profile (Client): clientssl
  • SSL Profile (Server): serverssl

  • Source Address Translation: Auto Map

  • Access Profile: demo_ap
  • Connectivity Profile: demo_connectivity_profile

  • Click Finished.

Validating App Tunnel Functionality

  • Navigate to a browser of your choice and attempt to access the IP or hostname of the virtual server created in the previous step.
  • From the webtop, click demo_app_tunnel.

  • If prompted with a Security Alert regarding a Network Access/Application Tunnel attempt, click either the Add or Allow option.

  • If prompted regarding launching an application, click Yes.

  • In this example, Chrome is launched and navigated to the portal access resource created in the steps above.

  • You can also launch the F5 VPN icon in the system tray which will show the results of your tunnel.

In this how-to guide, we successfully created a per-app VPN to the BIG-IP Traffic Management User Interface as a quick example. So I didn't lose everyone, I did not include authentication or endpoint checks as it would have certainly increased the size of this guide significantly. However, to give you an idea of what a complete solution may look like, take a look at the VPE below. Until next time!

Published Nov 28, 2018
Version 1.0

Was this article helpful?

10 Comments

  • Hi,

     

    Just curious about two things:

     

    • Launching Chrome is just to show that it's possible to launch specific app when using App Tunnel - to access Webtop we need anyway to use some browser - Am I right?
    • BIG-IP Management accessed via App tunnel is on the same BIG-IP where App Tunnel is defined or it's another BIG-IP?

    Piotr

     

  • Hi Piotr! Good questions...find responses in line.

     

    • Launching Chrome is just to show that it's possible to launch a specific app when using App Tunnel - to access Webtop we need anyway to use some browser - Am I right?

    Steve - You are correct. I used Chrome as one example but one of the most common use cases I see in my customer base is using putty to access a network device over SSH. So, in that case, you would use putty as the program versus Chrome but honestly, you can launch almost any app that you know will be installed on the workstation of the user that will be using the app tunnel.

     

    • BIG-IP Management accessed via App tunnel is on the same BIG-IP where App Tunnel is defined or it's another BIG-IP?

    Steve - In this example, I am accessing the BIG-IP management UI of the same device though it doesn't have to be. When you define a resource it can be the same device or different. To be transparent regarding my use case, I actually got frustrated using portal access because of the javascript rewrites required which caused a bit of latency. Certainly, for most apps that is not an issue but in my case I wanted to find a solution that could provide an encrypted tunnel internally without exposing something via virtual server (though you can). I will say though one downfall of using apptunnels is the lack of SSO which portal access does provide. Hope this helps but if it doesn't lets keep tthe conversation going. Let me know.

     

  • Hi,

     

    Thanks for answer, I was surprised that it is so easy to access MGMT IP of BIG-IP that holds App tunnel definition. Good to know that achieving such result is really easy :-)

     

    Piotr

     

  • Hi Steve,

     

    What adjustments would you make to allow SSH to a resource using your Per-App VPN Guide? I got the Chrome example to work where the resource was pointed to another F5 but curious about SSH using Putty.

     

  • Good question Shann_P. Check out the screenshot below. With this config, putty.exe is launched and connects to the host 10.1.1.246.

     

     

  • jk303's avatar
    jk303
    Icon for Nimbostratus rankNimbostratus

    Your second paragraph " When might this be useful? Well the use cases I have seen are for logical Out of Band management solutions and in the event, a user requires network access to internal resources though they do not have permissions to install a VPN client on their workstation. "

     

    Q1: I must be missing something - how does this work without a VPN client? How does the putty client know to tunnel via APM session (Browser)?

     

    Q2: Can user enter the IP they want to connect on the back-end for ssh/rdp OR does this only work if the webtop / resource is statically per-defined for the user? (ex: I have 1000s of servers on the back-end I would like users to ssh/rdp to).

     

    Thank you!

  • Q1:  , since the writing of this article, F5 replaced NPAPI plug-ins with F5 Helper Applications for all browsers except Internet Explorer, and then replaced ActiveX control for Internet Explorer in version 14.1.0. To my knowledge, the EPS helper app required for app tunnels does not require administrative privilege's to install.

     

    AskF5 | Release Notes: F5 Helper Applications for Chrome, Firefox, and Edge Browsers for BIG-IP 13.0

     

    The helper app then updates routes based on the app tunnel configuration object. This defines an app to network association which is much different than a full VPN network tunnel which you can certainly do using the Edge client but that requires administrative privilege's to install.

     

    Q2: In my experience I have always used a static resource, however I do believe you can configure an IP range of resources. From a security standpoint though, I would be very cautious to not allow users access to an entire enterprise unless additional end point checks, etc. are performed. To limit the resources users can access, simply define an ACL on the app tunnel resource object.

     

    Hope this helps.

  • Hi Steve, 

     Thank you for your brief explanation because it helped me a lot and I want some clarifications from you.

    1. you have used the 10.1.20.134 address as a resource for App Tunnel as the 10.1.10.123 address is as destination address for the virtual server. my question is the App tunnel resource address need to be the node address that is located back end or should be another virtual server address....?

    2. In the App tunnel resource configuration what is the exact usage of the parameters and how can I set it?