EXERCISE 7.2 – CONFIGURING SSL VPN NETWORK ACCESS
Required virtual images: BIGIP_A_v11.5.1, LAMP_3.4.
Estimated completion time: 45 minutes
TASK 1 – Use the Wizard to Allow Secure Network Access
Use the Device Wizard to create an APM access policy that will provide secure network access for users.
In the VMware library, power on the BIGIP_A_v11.5.1 and LAMP_3.4 images.
Access and log in to BIGIP_A_v11.5.1.
Verify that you have restored using bc_7.1_apm_webapp_auth_v11.5.1 (there should be an access policy named webauth_policy).
Open the Wizards > Device Wizards page, and with Network Access Setup Wizard for Remote Access selected click Next.
On the Basic Properties page:
o In the Policy Name box, type network_access.
o Leave the Default Language set to en.
o Leave the Full Webtop option cleared.
o Clear the Client Side Checks checkbox, and then click Next.
Select No Authentication, and then click Next.
Add an IP Address Range of 10.128.20.220 through 10.128.20.222, and then click Next.
On the Configure Network Access page:
o Leave No Compression selected in the Compression list.
o Use the following Client Settings:
    Traffic Options: Use split tunneling for traffic
    IPV4 LAN Address Space: IP Address 10.128.20.0
    IPV4 LAN Address Space: Mask 255.255.255.0
    DNS Address Space: DNS 10.128.20.252
o Click Next.
On the Configure DNS Hosts for Network Access page:
o Use the following information:
    IPV4 Primary Name Server: 10.128.20.252
    DNS Default Domain Suffix: f5demo.com
    Static Hosts: Host Name yourfirstname.f5demo.com
    Static Hosts: IP Address 10.128.20.17 (Click Add)
o Click Next.
On the Virtual Server (HTTPS connection) page:
o In the Virtual Server IP Address box, type 10.128.10.45.
o Leave the Create Redirect Virtual Server (HTTP to HTTPS) checkbox selected, and then click Next.
Click Next, and then click Finished.
TASK 2 – Test Network Access
Use a Web browser to test network access through BIG-IP APM.
Use a new tab to access http://10.128.20.14.
While the request is processing, use an SSH session to access 10.128.20.15.
Both connection attempts fail, as you do not currently have access to the servers.
Close the tab and SSH session.
Use a new tab to access https://10.128.10.45.
→NOTE: You can’t be connected to the F5 corporate VPN while you test network tunnel access.
On the Secure Logon for F5 Networks page, leave both the Username and Password fields empty, and click Logon.
On the Security Warning dialog box, click View certificate.
Question:
Who issued this certificate? ______________________________________
Click OK, and then click Yes.
Questions:
Did you connect successfully? ______________
Use an SSH client to access 10.128.20.15.
→NOTE: It’s not necessary to log into the CLI to complete this task.
Close the Web browser and SSH session.
In the Taskbar, click the icon to Show hidden icons.
Right-click on the F5 icon, and then select Restore.
The network access Webtop displays.
In the Webtop window, click the Show details link.
Click the Show IP configuration link.
Question:
What is the IP address assigned to the PPP adapter? ___________________
Close the f5ipconfig Notepad window.
Click the Show routing table link.
Questions:
Which interface does traffic to 0.0.0.0 go through? _________________________
Which interface does traffic to 10.128.20.0 go through? _________________________
Close the f5routingtable Notepad window.
Use a new tab to access http://yourfirstname.f5demo.com.
Question:
Were you able to access this hostname? ___________________
Close the tab.
Open a command prompt and type:
ping yourfirstname.f5demo.com
Logout using the button in the Webtop window, and then close the Webtop tab.
In the command prompt, try pinging the same hostname once more.
Question:
Can you still resolve this hostname after closing the network tunnel? _______________
Close the command prompt window.
TASK 3 – Review Objects Created by the Device Wizard
Use the Configuration Utility to view the different objects that the Device Wizard created during Task 1.
Open the Virtual Server List page, and then click network_access_vs.
For SSL Profile (Client), select clientssl in the Selected field and click >>.
For SSL Profile (Client), select f5demo_client_ssl and click <<.
In the Access Policy section, verify that this virtual server is configured with both an Access Profile and a Connectivity Profile.
Click Update.
Open the Access Policy > Network Access > Lease Pools page, and then click network_access_lp.
Add 10.128.20.224 – 10.128.20.226 to the Member List, and then click Update.
Open the Access Policy > Network Access > Network Access List page, and then click network_access_na_res.
Question:
What is the caption for this resource? _________________________________
Update the network_access_na_res object using the following information:
o Modify the Network Settings, and then click Update.
    Traffic Options: Force all traffic through tunnel
o Add another DNS static host, and then click Update.
    Static Hosts: Host Name yourlastname.f5demo.com
    Static Hosts: IP Address 10.128.20.19
o Add a launch application, and then click Finished.
    Options: Display warning (leave checkbox selected)
    New Application: Application Path %SystemRoot%\notepad.exe
    New Application: Operating System Windows
Open the Access Policy > Secure Connectivity page, then click network_access_cp, and then click Edit Profile.
Select Compression Settings > Network Access.
Change the gzip Compression Level to 1 – Least Compression (Fastest), and then click OK.
Open the Access Policy > Webtops > Webtop List page, and then click network_access_webtop.
Question:
What type of Webtop is this? ____________________________________
Can other resource types be added on this Webtop? _________________________
Clear the Minimize to Tray checkbox, and then click Update.
Open the Access Policy > Access Profiles > Access Profiles List page.
Question:
Why is the network_access object displayed with a yellow icon?
____________________________________________________________
Click network_access.
Customize the Maximum Session Timeout to 60 seconds, and then click Update.
Open the Access Policy > Access Profiles > Access Profiles List page.
In the network_access row, click the Edit link to open the Visual Policy Editor.
Question:
At this point, is either of these policy items unnecessary? _______________
If “yes”, which item and why is it unnecessary? ______________________
_____________________________________________________________
Click on the X above the unnecessary policy item to delete it.
Leave the Connect previous node to fallback branch option selected and click Delete.
Click Resource Assign.
Verify that this item is assigning the network_access_na_res network access resource and the network_access_webtop Webtop.
Click Cancel to close the Full Resource Assign item.
Click Apply Access Policy, then click Close, and then click Yes.
TASK 4 – Test Updated Network Access
Use a Web browser to re-test network access through BIG-IP APM.
Use a new tab to access https://access.vlab.f5demo.com.
Confirm all dialog boxes that are presented.
Questions:
Did you receive the logon page? _______________
Did the Webtop window stay active or minimize to the tray? ________________
Did Notepad open? _____________
Close Notepad.
In the Webtop window, click the Show details link.
Click the Show routing table link.
Question:
Which interface does traffic to 0.0.0.0 go through? _________________________
Close the f5routingtable Notepad window.
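The routing-table questions in Task 2 (split tunneling: only 10.128.20.0/24 should go through the tunnel) and in Task 4 (Force all traffic through tunnel: the default route should now go through the tunnel) both come down to a longest-prefix match over the client's route table. The following Python script is an added example, not part of the course material or any F5 tool: it parses two constructed Windows-style route tables and reports which interface carries 0.0.0.0 and 10.128.20.0, and whether the tunnel is in split or full mode. The PPP adapter address 10.128.20.221 is assumed to be one handed out from the lease pool created in Task 1; the LAN adapter (192.168.1.50) and its gateway are made-up values, and in the lab you would paste in the real f5routingtable output instead.

```python
"""Decide which interface carries a destination, by longest-prefix match over a
Windows 'route print' style IPv4 table, and classify the tunnel as split or full.
Added example; route tables below are constructed, not captured lab output."""
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed sample: PPP adapter 10.128.20.221 (assumed lease-pool address),
# LAN adapter 192.168.1.50 with default gateway 192.168.1.1 (made-up values).
SPLIT_TUNNEL_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.1    192.168.1.50     25
      10.128.20.0    255.255.255.0        On-link   10.128.20.221      1
    10.128.20.221  255.255.255.255        On-link   10.128.20.221    256
      192.168.1.0    255.255.255.0        On-link    192.168.1.50    281
"""

# Constructed sample after "Force all traffic through tunnel": a second default
# route with a lower metric via the PPP adapter wins the tie for 0.0.0.0/0.
FORCE_ALL_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        On-link   10.128.20.221      1
          0.0.0.0          0.0.0.0    192.168.1.1    192.168.1.50     25
      10.128.20.0    255.255.255.0        On-link   10.128.20.221      1
      192.168.1.0    255.255.255.0        On-link    192.168.1.50    281
"""


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def parse_routes(table: str) -> List[Route]:
    """Parse rows of: destination, netmask, gateway, interface, metric.
    The header line and anything that is not a five-field route row is skipped."""
    routes: List[Route] = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0][0].isdigit():
            continue
        dest, mask, gateway, iface, metric = fields
        # ipaddress accepts a dotted netmask after the slash.
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def select_route(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match; equal prefixes are decided by the lowest metric."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def interface_for(routes: List[Route], destination: str) -> Optional[str]:
    """Answer 'which interface does traffic to <destination> go through?'"""
    route = select_route(routes, destination)
    return route.interface if route else None


def tunnel_mode(routes: List[Route], ppp_ip: str) -> str:
    """'full' if the default route leaves via the PPP adapter, 'split' if only
    some subnet (not the adapter's own /32) does, otherwise 'none'."""
    default = select_route(routes, "0.0.0.0")
    if default is not None and default.interface == ppp_ip:
        return "full"
    if any(r.interface == ppp_ip and 0 < r.network.prefixlen < 32 for r in routes):
        return "split"
    return "none"


if __name__ == "__main__":
    for label, table in (("split tunneling", SPLIT_TUNNEL_TABLE),
                         ("force all traffic", FORCE_ALL_TABLE)):
        routes = parse_routes(table)
        print(f"{label}: 0.0.0.0 via {interface_for(routes, '0.0.0.0')}, "
              f"10.128.20.0 via {interface_for(routes, '10.128.20.0')}, "
              f"mode={tunnel_mode(routes, '10.128.20.221')}")
```

Run it as-is to see both outcomes side by side, or replace the sample strings with the contents of the f5routingtable window. The metric tie-break matters: with split tunneling the LAN's default route is the only one, so 0.0.0.0 stays on the physical adapter while 10.128.20.0 matches the more specific /24 through the tunnel; with forced tunneling the check passes only if the tunnel's default route actually wins, which is what Task 4's question is verifying.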
Right-click in the top area of the screen and select Properties, and then click Certificates.
Question:
Who issued this certificate? _________________________________
After 60 seconds, does the connection automatically close? ____________
Close the Webtop Web browser.
Open the Access Policy > Access Profiles > Access Profiles List page, and then click network_access.
Customize the Maximum Session Timeout to 7200 seconds, and then click Update.
Click Apply Access Policy.
Create an archive file named bc_7.2_apm_network_access_v11.5.1.