Forum Discussion

RyanDM_175202
Nov 20, 2014

Network Access and Portal Access for Internal Web links

I'm a bit confused about the variety of links that I can create with APM, as I am fairly new at this platform.


We have a number of sites that cannot be used unless they are from internal IP addresses. We really want to limit the Network Access as much as possible, too. I see that adding webtop links really are just bookmarks, and the users still get warnings that they are accessing those sites from an untrusted public IP.


Am I correct in that if I use the portal access, and even if I am using split-tunneling, that users are given an IP from an internal pool and that those resources SHOULD then be accessible?


I think we don't really want the resources rewritten, but I'm not sure I understand how that works.


4 Replies

  • Webtop links are, as you explain, just links so that the user can conveniently access those resources from the webtop.


    Portal access is when you want to provide access to resources within the network from outside, but only after strong authentication, client-side checks, etc., etc.


    For portal access, users are not "given" an IP address from an internal pool as with network resource. Portal access works like a conventional LTM VS, as in a SNAT IP/pool is used to create a new connection towards your internal resource. So the internal resource will see a connection come in on an IP address which is internal and on the APM.


    Talking about rewrite profiles, it really depends on the application. Some applications respond with content which has links embedded in it which point to other internal resources referred to with internal DNS names/zones. When this content is received at the client, the client may not even be able to resolve these names and connect to them. This is where a rewrite profile comes in handy. The rewrite profile will replace all links with an externally resolvable link and map it back to an internal link. This will force access to the other internal resources to also go via the APM.


    Best !!
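    As an added illustration of what the reply above describes (the rewrite profile replacing internal links with externally resolvable ones and mapping them back so that follow-on requests also traverse the portal), here is a small reverse-proxy style link rewriter. This is example code written for this thread, not F5's APM implementation: the portal hostname, the internal host allow-list, the sample HTML and the `/f5-w-` path-prefix encoding are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, quote, unquote

# Constructed deployment assumptions: the portal is reachable from the Internet as
# PORTAL_HOST, while INTERNAL_HOSTS only resolve / route inside the network.
PORTAL_HOST = "portal.example.com"
INTERNAL_HOSTS = {"intranet.corp.local", "hr.corp.local", "10.1.2.3"}
# Hypothetical path marker used to carry the encoded internal origin; not F5's scheme.
PREFIX = "/f5-w-"


def to_external(url: str) -> str:
    """Rewrite an absolute URL that points at an internal host into a portal URL.

    Anything else (relative links, links to public sites) is returned unchanged,
    so only internal resources are forced through the portal.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in INTERNAL_HOSTS:
        return url
    # Encode scheme+host into the path so the portal can recover the origin later.
    origin = f"{parts.scheme}://{parts.netloc}"
    path = parts.path or "/"
    new_path = f"{PREFIX}{quote(origin, safe='')}{path}"
    return urlunsplit(("https", PORTAL_HOST, new_path, parts.query, parts.fragment))


def to_internal(portal_path: str):
    """Map a request path received on the portal back to (internal_origin, path).

    Returns None for paths that are not rewritten links or that decode to a host
    outside the allow-list, so the portal cannot be used as an open proxy.
    """
    if not portal_path.startswith(PREFIX):
        return None
    rest = portal_path[len(PREFIX):]
    encoded_origin, _, path = rest.partition("/")
    origin = unquote(encoded_origin)
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or parts.hostname not in INTERNAL_HOSTS:
        return None
    return origin, "/" + path


# Matches href/src/action attributes in quotes; good enough for the demo, a real
# rewriter would parse HTML, CSS and JavaScript properly.
LINK_RE = re.compile(r'(href|src|action)=(["\'])(.*?)\2', re.IGNORECASE)


def rewrite_html(html: str) -> str:
    """Rewrite every internal link in an HTML body served through the portal."""
    def repl(m):
        attr, q, url = m.group(1), m.group(2), m.group(3)
        return f"{attr}={q}{to_external(url)}{q}"
    return LINK_RE.sub(repl, html)


# Constructed sample response body from an internal application.
SAMPLE_HTML = (
    '<a href="https://hr.corp.local/docs/a.html?x=1">HR docs</a>\n'
    '<img src="http://cdn.example.org/logo.png">\n'
    '<a href="/relative/page">relative link</a>'
)

if __name__ == "__main__":
    print(rewrite_html(SAMPLE_HTML))
    print(to_internal("/f5-w-https%3A%2F%2Fhr.corp.local/docs/a.html"))
```

    In the rewritten output the HR link now points at `portal.example.com`, which the client can resolve, while the public CDN link and the relative link are left alone. When the client follows the rewritten link, `to_internal` recovers `https://hr.corp.local` and the original path, and the portal opens the back-end connection itself, from its own SNAT or self IP, exactly as the reply describes.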


  • "For portal access, users are not "given" an IP address from an internal pool as with network resource. Portal access works like a conventional LTM VS, as in a SNAT IP/pool is used to create a new connection towards your internal resource. So the internal resource will see a connection come in on an IP address which is internal and on the APM."


    -- So, is it critical that I have either an IP or pool from an internal resource that will be recognized, or simply that my internal self_ip needs to be that recognized internal resource? Because what I think you're saying is that for that resource, when the user uses VPN, there has to be a termination on that internal IP for it to work.


    • Amit_Karnik_269
      Not really. The user's termination can happen on an internal or external/public IP. But when the user clicks (launches) the portal resource from the webtop, the connection towards the resource will be initiated by the APM using an internal IP, which can be a SNAT or, if you set it to automap, the self-IP of the outgoing interface.