Forum Discussion

Rusty_M_140798
Sep 22, 2014

Exclude traffic from SSL VPN

I am trying to exclude traffic from an SSL VPN. We have internal sites that are available externally, and we would like users to stay connected to the external site and not resolve internally.

For example, mysite.f5.com is available externally and resolves to a public IP. But when you are on site, the site resolves to an internal private IP.


How would I exclude or force this site to always be external, even when connected to the VPN?


3 Replies

  • Specify a hosts file entry on the VPN connection. There is a section for it under Network Access. This will override the existing DNS setting and, given how APM works, is probably the simplest way to solve the problem.


    • Rusty_M_140798
      I found a box labeled "DNS Exclude Address Space". I put the URLs here, but when I ping or do an nslookup it still resolves internally? Under the "DNS/Hosts" tab I have "Enforce DNS search order" checked; should this possibly be unchecked?
  • Finally figured this one out. The issue was not with F5 but with the clients not having the correct permissions to the hosts file on their machine. Even though the user has local admin rights on Windows 7/8, it still did not update the hosts file?!?! UAC, even if disabled, still prevented direct access to the hosts file. You have 2 options:


    1. Change the permissions on the hosts file (not very easy or easily completed through GPO); the best way we found was through a logon script.
    2. Or, as a workaround, the user can enable the client to run as administrator by setting the option in the properties of f5fpclientW.exe.

    (From APM Guide) Static Hosts: Here you can add, edit, and delete static host names. With static hosts, you can configure a list of static hosts for the network access client to use. The static hosts you configure modify a client computer's local hosts table and override the configured DNS server, so you should use them only when you need to augment or override the existing DNS. You can also use static hosts when the client machine is locked down and the DNS relay service is installed, to provide host resolution. For this file-change operation, users on Windows platforms must have local administrative rights to modify the hosts file during the connection, or the administrator must change the attributes of the hosts file to allow non-administrative modification, or the system must have the DNS Relay service installed. Static hosts are supported on Windows clients only.


    As a workaround, the user can enable the client to run as administrator by setting the option in the properties of f5fpclientW.exe.


    Default folder location: C:\Program Files (x86)\F5 VPN\

    See below for the change on the client exe properties:
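The first option in the reply above (adjusting hosts-file permissions by script rather than running the client elevated) can be implemented as follows. This is an added example and not part of the forum thread or F5's own documentation; the group name `CORP\VPN-Users` is an assumed placeholder. Because changing the ACL on the hosts file itself requires administrative rights, the script has to run in an elevated context, for example as a GPO computer startup script, not as the unprivileged user. Granting Modify to a narrowly scoped group rather than to Everyone or Users keeps the hosts file from becoming a general-purpose name-resolution override that any local account can edit.

```powershell
# Added example: grant one AD group Modify rights on the Windows hosts file so
# the F5 APM network access client can write its static host entries without
# the client running as administrator. Must run elevated (e.g. startup script).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$group     = 'CORP\VPN-Users'   # assumption: replace with your own security group

# Build an Allow/Modify rule for the group and merge it into the existing ACL.
$acl  = Get-Acl -Path $hostsPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.SetAccessRule($rule)
Set-Acl -Path $hostsPath -AclObject $acl

# Verification: list the entries now present for the group so the change can be
# confirmed (or audited later) without opening the file's properties dialog.
(Get-Acl -Path $hostsPath).Access |
    Where-Object { $_.IdentityReference -eq $group } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

To roll the change back, build the same rule and call `$acl.RemoveAccessRule($rule)` followed by `Set-Acl`. Keeping a copy of the verification output from a known-good machine gives a baseline to compare against when checking that only the intended group gained write access.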