Forum Discussion

Son_of_Tom_1379
Aug 12, 2014

BigIP SSL VPN with APM Webtops

Hey There,

I've set up SSL VPNs everywhere, as they're awesome, and I've also set up APM webtops everywhere publishing Citrix XenApp/Desktop, portal access objects etc. What I've never tried to do is access portal objects when connected to the SSL VPN, and this is the issue.

It appears that when connected to the SSL VPN, I can telnet port 443 and ping the portal webtop VS IP, but the browser just fails to display the page. All other resources that aren't on-box work fine (reverse proxying anything else); it's just the local portal webtops that don't display.

It's as if the F5 is not allowing the traffic out the SSL VPN IP connection and back in again (which we're all used to), but as I can telnet the VS IP on port 443, I'm not so sure that's the issue.

I've messed around with varying configurations and have easily replicated the issue. I've added/removed SNAT from the VS and the network access list, enabled/disabled proxy ARP (I know this was a reach but TCP dump was showing no replies so meh), created/removed IP forwarding VSs for the SSL VPN stub subnet to the VS subnet, and even moved the SSL VPN subnet into the BigIP SelfIP subnet.

Another important piece of information: this is a single-armed configuration. I might try to bind the SSL VPN to a new arm and see how that goes, although I don't think it will help.

Any thoughts please?

Kind Regards,
Frazer Thompson

3 Replies

  • just a question, why? do you want to do something specific or just trying to gain knowledge?

    i have seen questions in the past about people wanting to reach the big-ip for management access via the SSL VPN. it might be that those can help you out.

  • I've now even tried this configuration within separate routing domains. I thought, although complicated, that would actually work. I was surprised to find that it did not.

    Still plugging away...

  • ah, now i get it, you want the users that are connected to the SSL VPN virtual server to also be able to reach another virtual server that hosts the portal access, right?

    is it just the portal access VS you can't reach or can't you reach any VS on the system?

    these are the two DevCentral questions i recall around this issue, perhaps they trigger something for you:

    https://devcentral.f5.com/questions/apm-portal-access-to-configuration-utility

    https://devcentral.f5.com/questions/management-through-apm-with-network-access