3/30/2021 Creating a SSL VPN Using F5 Full Webtop DevCentral

Creating a SSL VPN Using F5 Full Webtop
Updated 1 year ago. Originally posted March 02, 2018 by Steve Lyons, F5.
Topics in this Article: apm, application delivery, big-ip

As we continue our discussions into additional use cases for your BIG-IP, I wanted to provide some details
and a guide on how to implement an SSL VPN using F5.

So, what is network access? Using your F5 BIG-IP, it is a way to provide your users secure access to
internal applications and data. Some of you may be familiar with F5’s Webtop to provide links to common
applications, though did you know you could also use that same Webtop to implement a network access
solution? On the other hand, if you wanted an always-on solution or a client on a workstation, you could
also use F5’s Edge Client.

https://devcentral.f5.com/s/articles/creating-a-ssl-vpn-using-f5-full-webtop-30146

With that, let’s talk about two network access features provided by F5: full access and split tunnel VPNs.
The difference between the two is pretty straightforward. A full access VPN forces all network traffic
through a single network tunnel, whereas a split tunnel VPN forwards only traffic that has been defined
using an application, which is often deployed using the F5 Webtop. All other traffic not destined to the
network where the application resides is routed directly to the public internet rather than to the user's
corporate or internal network.
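The full access versus split tunnel decision described above can be modelled per destination. This is an added example, not code from the original article or from F5; the include/exclude lists, the rule that an exclude entry wins over an include entry, and all addresses are assumptions constructed for illustration.

```python
import ipaddress


def route_for(dest, mode, include=(), exclude=()):
    """Return "tunnel" or "direct" for one destination address.

    mode="full":  every destination is forced through the VPN tunnel.
    mode="split": only destinations inside an include network use the tunnel;
                  an exclude network wins over an overlapping include
                  (assumption of this model).
    """
    addr = ipaddress.ip_address(dest)
    if mode == "full":
        return "tunnel"
    if mode != "split":
        raise ValueError(f"unknown tunnel mode: {mode!r}")
    if any(addr in ipaddress.ip_network(n) for n in exclude):
        return "direct"
    if any(addr in ipaddress.ip_network(n) for n in include):
        return "tunnel"
    return "direct"


def outside_tunnel(hosts, mode, include=(), exclude=()):
    """Names of hosts whose traffic would bypass the tunnel, sorted."""
    return sorted(name for name, ip in hosts.items()
                  if route_for(ip, mode, include, exclude) == "direct")


# Constructed sample values (not from the article, which masks its addresses).
INCLUDE = ["10.1.0.0/16"]      # networks sent through the tunnel in split mode
EXCLUDE = ["10.1.99.0/24"]     # carved out of the include range
HOSTS = {
    "demo-dc": "10.1.20.10",       # domain controller inside the include range
    "dns": "10.2.0.53",            # name server on a network NOT in INCLUDE
    "printer-vlan": "10.1.99.5",   # inside the excluded subnet
    "public-site": "198.51.100.7", # ordinary internet destination
}

if __name__ == "__main__":
    for mode in ("full", "split"):
        print(mode, "-> outside tunnel:",
              outside_tunnel(HOSTS, mode, INCLUDE, EXCLUDE))
```

In the split case the sample name server falls outside the tunnel, which is the kind of gap worth checking before relying on internal DNS over a split tunnel.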

Now that we have gone over a few details around the F5 network access solution, let us get started
deploying it. The use case we are going to complete is deploying a network access solution using the F5
Webtop.

To begin deploying and configuring the Webtop, let us validate that APM has been provisioned.

From the traffic management user interface, navigate to System > Resource Provisioning.

Ensure there is a check box enabling APM as shown in the screenshot below. If it is not, check the box,
configure resources to be provisioned and click Submit.

Now that we have validated the provisioning of APM, let's begin the deployment!

Navigate to Access > Webtops > Webtop Lists: Create

From the drop down select Full for the type of Webtop you will be deploying, provide a name and select
Finished.

Now that we have created a Webtop, we will go ahead and create a lease pool in order to provide our
VPN clients an IP address once they successfully establish a VPN connection.

In order to do this, navigate to Access > Connectivity / VPN > Network Access (VPN) > IPV4 Lease
Pools: Create

Name: Demo_Lease_Pool

Type: IP Address Range

Start IP Address: xxx.xxx.xxx.xxx

End IP Address: xxx.xxx.xxx.xxx

Select Add

Select Finished

Once you have completed creating the lease pool, you will now create the Network Access resource.

Navigate to Access > Connectivity / VPN > Network Access (VPN) > Network Access Lists: Create

Name: demo_vpn_resource

Caption: Demo VPN

Select Finished

After clicking Finished, the page will refresh, presenting you with the page below, which allows you to
define lease pools, primary and secondary DNS servers, drives to map upon successful connection or even
applications to launch once the end user has connected.

At this point, select the Network Settings tab where we will define the lease pool for our demo VPN
solution.

Using the drop down, select Demo_Lease_Pool for our IPV4 Lease Pool. Leave all additional settings at
their default options and click Update.

Edited: With a recommendation from one reader of this article, I wanted to include the configuration of DNS
within the network resource configuration as well.

After configuring the lease pool, select the DNS/Hosts tab.

IPV4 Primary Name Server: xxx.xxx.xxx.xxx

Static Hosts: demo-dc xxx.xxx.xxx.xxx and demo-dc.demo.lab xxx.xxx.xxx.xxx

Select Update

Once complete, navigate to Access > Connectivity / VPN > Connectivity > Profiles: Add

While there are many customization options within a connectivity profile, for demo purposes we will only
define a profile name and parent profile.

Profile Name: demo_connectivity_profile

Parent Profile: /Common/connectivity

Click OK

Next we will create our AAA server for Active Directory authentication. While there are numerous
authentication methods provided within APM, we are going to perform AD authentication for demo
purposes. If you would like to determine how to configure CAC, PIV, RADIUS, TACACS+, multi-factor
authentication, etc., please perform a search using your favorite search engine for "CAC auth
site:devcentral.f5.com" or "radius site:f5.com" to name a few examples.

Navigate to Access > Authentication > Active Directory: Create

Name: demo_ad

Domain Name: demo.com

Server Connection: Direct

Domain Controller: xxx.xxx.xxx.xxx

Admin Name: administrator

Password: ###########

Select Finished

Now that we have created our lease pool, network access resource, connectivity profile and AAA server,
we are now able to begin creating our access profile.

Navigate to Access > Profiles / Policies > Access Profiles (Per-Session Policies): Create

Name: demo_network_access

Profile Type: All

Languages: Define the language of your choice

Select Finished

Upon selecting Finished, you will be redirected to the list of all access policies. Locate the Access Profile
Name you created in the previous step and select Edit which will then launch the APM visual policy
editor (VPE).

The default VPE begins with a Start and Deny and nothing more. Between the two, select the + symbol in
order to add items. We will begin by adding a logon page, which is completely customizable, though that is
outside the scope of this article. Select the Logon tab, select the radio button next to Logon Page and
select Add Item.

You will then be presented with a customization page; accept all defaults and select Save.

Next select the + symbol between Logon Page and Deny. Once again you will be presented with a pop
up window where we will select AD Auth and Add Item. Now this is a guide on how to implement remote
access but I want you to take a second and look at all of the authentication methods supported natively
by APM. I wasn't able to capture them all in a screenshot though I have included a link at the end of this
article to view them all. Pretty cool, huh?

When you are presented with the AD Auth options, select /Common/demo_ad from the drop down and
click Save.

Up to this point we have created a logon page and added an authentication method, so now we must assign a
resource.

Following the Successful branch, select the + symbol between AD Auth and the Deny ending. Once we
add our resource we will modify the ending to allow. When the pop up appears, select the Assignment
tab, click the Advanced Resource Assign radio and click Add Item.

When the Resource Assignment options appear, click Add new entry. From Expression 1, click
Add/Delete.

On the following screen, select the Network Access tab and click within the box next to our VPN resource.

Click the Webtop tab, select demo_webtop and Update.

When returned to the previous screen, click Save.

Now that we have an authentication method and resources assigned, we will modify our ending to allow
and apply the access policy. Select Deny following Advanced Resource Assign, change the radio
from Deny to Allow and click Save. Once saved, select the Apply Access Policy link in the upper left
hand corner and Close.
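The branch structure built in the visual policy editor can be checked as a graph before the policy is applied. The following is an added example, not part of the original article and not an F5 tool: the dictionary layout, the `paths` and `lint` helpers and the finding texts are hypothetical, and the policy items are modelled from the steps above.

```python
# Constructed model of the per-session policy built above: each item maps its
# branch names to the next item; "Allow" and "Deny" are the endings.
POLICY = {
    "Start": {"fallback": "Logon Page"},
    "Logon Page": {"fallback": "AD Auth"},
    "AD Auth": {"Successful": "Advanced Resource Assign", "fallback": "Deny"},
    "Advanced Resource Assign": {"fallback": "Allow"},
}
ENDINGS = {"Allow", "Deny"}
AUTH_ITEMS = {"AD Auth"}                          # items that authenticate the user
RESOURCE_ITEMS = {"Advanced Resource Assign"}     # items that assign resources


def paths(policy, node="Start", trail=()):
    """Yield (trail, ending) for every branch path; trail is ((item, branch), ...)."""
    if node in ENDINGS:
        yield trail, node
        return
    if any(node == item for item, _ in trail):
        raise ValueError(f"policy loops back to {node!r}")
    for branch, nxt in policy[node].items():
        yield from paths(policy, nxt, trail + ((node, branch),))


def lint(policy):
    """Return findings for paths that reach Allow without auth or resources."""
    findings, allow_paths = [], 0
    for trail, ending in paths(policy):
        if ending != "Allow":
            continue
        allow_paths += 1
        shown = " > ".join(f"{item}[{branch}]" for item, branch in trail)
        if not any(i in AUTH_ITEMS and b == "Successful" for i, b in trail):
            findings.append(f"{shown}: Allow without successful authentication")
        if not any(i in RESOURCE_ITEMS for i, _ in trail):
            findings.append(f"{shown}: Allow with no resource assigned")
    if allow_paths == 0:
        findings.append("no branch ends in Allow; every session is denied")
    return findings


if __name__ == "__main__":
    print("finished policy:", lint(POLICY) or "no findings")
    # The default VPE state described earlier: Start goes straight to Deny.
    print("default policy:", lint({"Start": {"fallback": "Deny"}}))
```

The finished policy produces no findings because the only path to Allow runs through the Successful branch of AD Auth and through Advanced Resource Assign.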

Because the BIG-IP is a default deny device, we now need to create a method for the BIG-IP to listen and
respond to client requests. To do this we will create a new virtual server.

Navigate to Local Traffic > Virtual Servers > Virtual Server List: Create

Name: demo_vs

Destination: xxx.xxx.xxx.xxx

Service Port: 443

HTTP profile: http

SSL Profile (Client): clientssl

Access Profile: demo_network_access

Connectivity Profile: demo_connectivity_profile

Click Finished

For demo purposes, we will use default settings unless otherwise defined.

Now that we have deployed all of the necessary resources to establish a VPN connection to our internal
network, let's test the configuration.

Log into your development workstation and attempt to connect to the virtual server we configured
whether it be by IP or host name if a DNS record has been configured.

Note: If using the following browser versions, NPAPI plugin support has been discontinued. For these
browsers, functionality that was previously installed with NPAPI plugins is now handled by helper
applications, which are installed on the user's machine, and handled with protocol handlers. We install
an Endpoint Check application and a Network Access application. These clients can be downloaded
from the APM administration console and can be distributed for download by users, installed by group
policy, or installed by device management solutions.

• Chrome 45 or later
• Firefox 52 or later
• Safari 10 or later
• Edge browsers
https://techdocs.f5.com/kb/en-us/products/big-ip_apm/releasenotes/related/relnote-helper-apps-13-0-0.html

Once you have authenticated to the F5 Webtop, select the Network Access resource that we created in
previous steps.

Now, if you have never used the VPN or other F5 solutions you will be required to install an Active X
Controller to allow the VPN to function.

After the successful installation of the controller, you should see the pop up screen which shows the
tunnel initializing, connecting, finalizing and then connected!

You have now successfully deployed an SSL VPN solution with something you potentially already have in
your data center! I hope this was useful to everyone out there reading, and I look forward to writing the next
article. Please feel free to provide feedback whether positive or negative.

Reference Documentation

https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-network-access-13-0-0/9.html

https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-network-access-13-0-0/2.html

https://support.f5.com/content/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-sso-13-0-0/_jcr_content/pdfAttach/download/file.res/BIG-IP_Access_Policy_Manager__Authentication_and_Single_Sign-On.pdf

The DevCentral Team (F5) published this new Knowledge.
April 28, 2020 at 12:00 PM

Steve Lyons
2 years ago

Really happy to hear it! Thanks for the feedback.


 