Configuring IPv4 Full and Split Tunnel

BIG-IP Next network access profiles support two tunneling modes, which determine how much of the client's traffic is routed over the VPN:

Full Tunneling

Full Tunneling forces all traffic from client devices connected to network access, including traffic to or from the client's local subnet, over the VPN tunnel. This gives the administrator greater control over remote users' traffic: traffic destined for the Internet traverses the company's gateway security devices and has corporate policy applied to it. When a client device connects to the BIG-IP Next network access VPN, its routing configuration is changed so that the tunnel becomes the default path; this includes changes to the client routing table, default route, and default gateway.

Follow the procedure to configure the Full Tunnel mode:

  1. Create the Per-Session Policy.

  2. Click Resources and leave the other policy settings at their default values.

  3. On the Resources tab, click the Start Creating option and select the Network Access option from the drop-down list. A Network Access page appears.

  4. On the Network Access page, click the Network Settings tab. Scroll down to Client Settings and, in the Traffic Options section, select the Force all traffic through tunnel radio button. Additional options are displayed; keep their default values.

  5. On the IP Pools tab, add the IPv4 lease pool name in the textbox. Click Continue and then Finish.

  6. Add the required policy agents, such as Logon Page, Active Directory Authentication, and Client Operating System, to build the policy.

  7. Enter the required Active Directory server details, branch, and password.

  8. To create the webtop, navigate to the Resources tab, click the Start Creating option, and select Webtop from the drop-down list.

Note: A network access webtop lets end users connect to and disconnect from the network access connection. Only a single network access resource can be assigned to this webtop for starting a network access connection. The network access webtop is defined in the resources property of the access policy.

  1. Under the Properties section, add the name of the webtop.

  2. Under the Fallback section, select the required Initial State from the drop-down list. Available options are Expanded and Collapsed.

  3. Under the Options section, select all the checkboxes. Available options are Minimize to Tray, Show Warning When Closed, and Show Resource Search.

  4. Click Finish.

  5. At the end of the configuration, click Next. Click Save to save the policy.
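
Once the client has connected in full-tunnel mode, the change to the client's routing configuration described above is what a practitioner will want to verify. The following is an added example, not code from the BIG-IP Next documentation or the F5 client: it parses the text that `ip route show` prints on a Linux client (the two tables are constructed samples) and reports any route that lets traffic, including local-subnet traffic, bypass the tunnel. The interface names, addresses and routes are assumptions made for the example.

```python
"""Audit a Linux client's IPv4 routing table after a full-tunnel connection.

Added example, not code from the BIG-IP Next documentation or the F5 client.
It checks what the Full Tunneling description implies: the default route must
use the tunnel interface, the only route permitted to bypass the tunnel is the
host route to the VPN gateway itself, and the client's local subnet must not
keep a route over the physical interface. Interface names, addresses and the
sample tables are assumptions.
"""
import ipaddress
import re

DEV_RE = re.compile(r"\bdev (\S+)")
VIA_RE = re.compile(r"\bvia (\S+)")

# Constructed sample: everything except the gateway host route uses tun0.
GOOD_TABLE = """\
default via 10.200.0.1 dev tun0 proto static metric 50
10.200.0.0/24 dev tun0 proto kernel scope link src 10.200.0.42
203.0.113.10 via 192.168.1.1 dev eth0 proto static metric 100
"""

# Constructed sample: the default route still points at the LAN gateway and
# the local subnet is reachable directly, so traffic leaks around the tunnel.
LEAKY_TABLE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.200.0.1 dev tun0 proto static metric 50
10.200.0.0/24 dev tun0 proto kernel scope link src 10.200.0.42
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20 metric 100
203.0.113.10 via 192.168.1.1 dev eth0 proto static metric 100
"""


def parse_routes(table):
    """Turn `ip route show` output into dicts with destination network, dev and via."""
    routes = []
    for line in table.splitlines():
        line = line.strip()
        if not line:
            continue
        dst = line.split()[0]
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        dev = DEV_RE.search(line)
        via = VIA_RE.search(line)
        routes.append({
            "dst": net,
            "dev": dev.group(1) if dev else None,
            "via": via.group(1) if via else None,
            "raw": line,
        })
    return routes


def audit_full_tunnel(table, tunnel_dev, vpn_gateway, local_subnet):
    """Return a list of findings; an empty list means the table looks like a full tunnel."""
    findings = []
    gateway = ipaddress.ip_address(vpn_gateway)
    local = ipaddress.ip_network(local_subnet, strict=False)
    routes = parse_routes(table)

    defaults = [r for r in routes if r["dst"].prefixlen == 0]
    if not defaults:
        findings.append("no default route installed")
    for r in defaults:
        if r["dev"] != tunnel_dev:
            findings.append(f"default route bypasses the tunnel: {r['raw']}")

    for r in routes:
        if r["dst"].prefixlen == 0 or r["dev"] == tunnel_dev:
            continue
        # The client must still reach the VPN gateway outside the tunnel,
        # so a /32 host route to it is expected and allowed.
        if r["dst"].prefixlen == 32 and r["dst"].network_address == gateway:
            continue
        if r["dst"].overlaps(local):
            findings.append(f"local subnet reachable outside the tunnel: {r['raw']}")
        else:
            findings.append(f"route bypasses the tunnel: {r['raw']}")
    return findings


if __name__ == "__main__":
    for name, table in (("good", GOOD_TABLE), ("leaky", LEAKY_TABLE)):
        print(name, audit_full_tunnel(table, "tun0", "203.0.113.10", "192.168.1.0/24") or "OK")
```

On a real client, run `ip route show > routes.txt` after connecting and pass the file contents in place of the constructed tables. The audit deliberately treats every non-tunnel route other than the gateway host route as something to review, because in full-tunnel mode any such route is a path by which traffic escapes corporate policy.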

Split Tunneling

Split tunneling sends only traffic destined for the specified address spaces over the network access tunnel; all other traffic leaves the client directly. This reduces the traffic flowing through BIG-IP Next, since only traffic destined for the VPN traverses the tunnel, which means a smaller workload for BIG-IP Next and lower bandwidth requirements. Split tunneling also keeps corporate intranet traffic strictly separate from private Internet use, and it lets the administrator specify multiple networks or hosts in the LAN address space. Note that traffic sent directly does not pass through the company's gateway security devices, so the address spaces you include determine which traffic is subject to corporate policy.

Follow the steps to configure the policy for Split Tunnel mode:

  1. Create the Per-Session Policy.

  2. Click the Resources configuration and retain the other policy configurations to the default values.

  3. On the Resources tab, click the Start Creating option and select the Network Access option from the drop-down list. A Network Access page appears.

  4. On the Network Access page, click the Network Settings tab. Scroll down to the Client Settings, under the Traffic Options section, select the Use Split tunneling for traffic radio button. Additional options are displayed.

  5. Under the Include Static Address Spaces section, click the Start Adding option.

  6. Select the type of address from the drop-down list. Available options are DNS and IPv4.

  7. Enter the IPv4 address or DNS name and add a description.

  8. Similarly, under the Exclude Address Spaces section, add the DNS or IPv4 addresses to exclude from the tunnel. Click Continue.

  9. On the IP Pools tab, add the IPv4 lease pool name.

  10. On the DNS/Hosts tab, enter the name server's IPv4 address in the IPv4 Primary Name Server textbox and click Continue.

  11. To create the Webtop, navigate to the Resources tab, click the Start Creating option, and select Webtop from the drop-down list.

Note: A network access webtop lets end users connect to and disconnect from the network access connection. Only a single network access resource can be assigned to this webtop for starting a network access connection. The network access webtop is defined in the resources property of the access policy.

  1. Under the Properties section, add the name of the webtop.

  2. Under the Fallback section, select the required Initial State from the drop-down list. Available options are Expanded and Collapsed.

  3. Under the Options section, select all the checkboxes. Available options are Minimize to Tray, Show Warning When Closed, and Show Resource Search.

  4. Click Finish.

  5. At the end of the configuration, click Next. Click Save to save the access policy.
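
The Include Static Address Spaces and Exclude Address Spaces lists configured in steps 5 through 8 decide which destinations the client sends through the tunnel. The following is an added example, not BIG-IP Next code: it models those two lists for IPv4 prefixes and DNS names and classifies a set of constructed destinations as tunneled or direct, so that an administrator can check a policy before rolling it out. Two assumptions that the page does not state are built in and marked in the code: a DNS entry matches a hostname by suffix, and when a destination matches both lists the most specific entry wins, with Exclude winning a tie, so an excluded /16 carved out of an included /8 is sent direct.

```python
"""Evaluate a split-tunnel address-space policy against candidate destinations.

Added example, not BIG-IP Next code. Models the Include Static Address Spaces
and Exclude Address Spaces lists for IPv4 prefixes and DNS names.
Assumptions (not stated on the page): DNS entries match by suffix; when a
destination matches both lists, the most specific match wins and Exclude wins
a tie. The policy and destinations below are constructed.
"""
import ipaddress


class SplitTunnelPolicy:
    def __init__(self, include_ipv4, exclude_ipv4, include_dns=(), exclude_dns=()):
        self.include_ipv4 = [ipaddress.ip_network(n) for n in include_ipv4]
        self.exclude_ipv4 = [ipaddress.ip_network(n) for n in exclude_ipv4]
        self.include_dns = [self._norm(d) for d in include_dns]
        self.exclude_dns = [self._norm(d) for d in exclude_dns]

    @staticmethod
    def _norm(name):
        # Case-insensitive, ignore trailing/leading dots ("CORP.EXAMPLE." -> "corp.example")
        return name.lower().strip(".")

    @staticmethod
    def _longest_prefix(addr, spaces):
        hits = [n for n in spaces if addr in n]
        return max(hits, key=lambda n: n.prefixlen) if hits else None

    @staticmethod
    def _longest_suffix(host, suffixes):
        hits = [s for s in suffixes if host == s or host.endswith("." + s)]
        return max(hits, key=len) if hits else None

    def tunnels_ipv4(self, ip):
        """True if the address is sent over the tunnel."""
        addr = ipaddress.ip_address(ip)
        inc = self._longest_prefix(addr, self.include_ipv4)
        exc = self._longest_prefix(addr, self.exclude_ipv4)
        if inc is None:
            return False  # not in any included space: sent direct
        if exc is None:
            return True
        return inc.prefixlen > exc.prefixlen  # assumption: most specific wins, exclude on tie

    def tunnels_dns(self, hostname):
        """True if the name is resolved/reached over the tunnel."""
        host = self._norm(hostname)
        inc = self._longest_suffix(host, self.include_dns)
        exc = self._longest_suffix(host, self.exclude_dns)
        if inc is None:
            return False
        if exc is None:
            return True
        return len(inc) > len(exc)  # assumption: longest suffix wins, exclude on tie

    def classify(self, destinations):
        """Map each IPv4 address or hostname to 'tunnel' or 'direct'."""
        result = {}
        for dest in destinations:
            try:
                ipaddress.ip_address(dest)
                via_tunnel = self.tunnels_ipv4(dest)
            except ValueError:
                via_tunnel = self.tunnels_dns(dest)
            result[dest] = "tunnel" if via_tunnel else "direct"
        return result


# Constructed policy: tunnel two RFC 1918 corporate ranges except a guest /16,
# and send corp.example names over the tunnel except its public zone.
POLICY = SplitTunnelPolicy(
    include_ipv4=["10.0.0.0/8", "172.16.0.0/12"],
    exclude_ipv4=["10.10.0.0/16"],
    include_dns=["corp.example"],
    exclude_dns=["public.corp.example"],
)

if __name__ == "__main__":
    sample = ["10.1.2.3", "10.10.5.5", "172.20.0.1", "8.8.8.8",
              "intranet.corp.example", "www.public.corp.example", "example.com"]
    for dest, path in POLICY.classify(sample).items():
        print(f"{dest:26} {path}")
```

Feed the include and exclude entries you intend to configure into `SplitTunnelPolicy` and classify the hosts users actually need; anything that comes back `direct` will bypass the corporate gateway controls described for full tunneling.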