apm resource network-access

apm resource network-access(1)				BIG-IP TMSH Manual			    apm resource network-access(1)

NAME
       network-access - Configures general settings for a network access connection.

MODULE
       apm resource

SYNTAX
       Configure the network-access component within the resource module using the syntax shown in the following sections.

   CREATE/MODIFY
	create network-access [name]
	modify network-access [name]
	  options:
	    app-service [[string] | none]
	    address-space-dhcp-requests-excluded  [true | false]
	    address-space-exclude-subnet [[string] | none]
	    ipv6-address-space-exclude-subnet [[string] | none]
	    address-space-include [add | delete | modify | replace-all-with] {
	       [ name ]*
	     }
	    address-space-exclude [add | delete | modify | replace-all-with] {
	       [ name ]*
	     }
	    address-space-include-dns-name [[string] | none]
	    address-space-exclude-dns-name [[string] | none]
	    address-space-include-subnet [[string] | none]
	    ipv6-address-space-include-subnet [[string] | none]
	    address-space-local-subnets-excluded  [true | false]
	    address-space-loc-dns-servers-excluded  [true | false]
	    address-space-protect [true | false]
	    application-launch [[string] | none]
	    application-launch-warning [true | false]
	    auto-launch [true | false]
	    client-interface-speed [[integer] | none]
	    client-ip-filter-engine [true | false]
	    client-power-management [ignore | prevent | terminate]
	    client-proxy [true | false]
	    client-proxy-address [ip addr]
	    client-proxy-enforce-subnets [true | false]
	    client-proxy-exclusion-list [[string] | none]
	    client-proxy-ignore-auto-config-error [true | false]
	    client-proxy-local-bypass [true | false]
	    client-proxy-port [[integer] | none]
	    client-proxy-script [[string] | none]
	    client-proxy-use-http-pac [true | false]
	    client-proxy-use-local-proxy [true | false]
	    client-traffic-classifier [[string] | none]
	    compression [gzip | none]
	    customization-group [[string] | none]
	    description [[string] | none]
	    dns-primary [ip addr]
	    ipv6-dns-primary [ip addr]
	    dns-secondary [ip addr]
	    ipv6-dns-secondary [ip addr]
	    dns-suffix [[string] | none]
	    drive-mapping [[string] | none]
	    dtls [true | false]
	    dtls-port [[integer] | none]
	    execute-logoff-scripts [true | false]
	    idle-timeout-threshold [[integer] | none]
	    idle-timeout-window [[integer] | none]
	    leasepool-name [[string] | none]
	    location-specific [true | false]
	    ipv6-leasepool-name [[string] | none]
	    microsoft-network-client [true | false]
	    microsoft-network-server [true | false]
	    network-tunnel [enabled | disabled]
	    optimized-app [add | delete | modify | none | replace-all-with ]
	    provide-client-cert [true | false]
	    proxy-arp [true | false]
	    split-tunneling [true | false]
	    static-host [[string] | none]
	    supported-ip-version [ipv4 | ipv4-ipv6]
	    sync-with-active-directory [true | false]
	    type [app-tunnel | last | network-access | remote-desktop | web-application]
	    wins-primary [ip addr]
	    wins-secondary [ip addr]

	edit network-access [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list network-access
	list network-access [ [ [name] | [glob] | [regex] ] ... ]
	show running-config network-access
	show running-config network-access [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    one-line
	    partition

	show network-access
	show network-access [name]

   DELETE
	delete network-access [name]

DESCRIPTION
       You can use the network-access component to configure the general settings for a network access connection.

EXAMPLES
       create network-access mynetwork-access customization-group mynetaccess
	    Creates a network access connection configuration object named mynetwork-access that uses the policies in the
	    customization group named mynetaccess.

       delete network-access mynetwork-access
	    Deletes the network access connection configuration object named mynetwork-access.

OPTIONS
       app-service
	    Specifies the name of the application service to which the object belongs. The default value is none. Note: If the
	    strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
	    object. Only the application service can modify or delete the object.

       address-space-dhcp-requests-excluded
	    Specifies whether requests from IP addresses using DHCP are excluded from accessing the network. The default is true.

       address-space-exclude
	    Specifies the name of the address space object whose traffic you want to exclude from access to a subnet on the network.
	    You can add multiple address spaces to the list. The default is none.

       address-space-exclude-subnet
	    Specifies the IPv4 address spaces whose traffic you want to exclude from access to a subnet on the network. The
	    default is none.

       ipv6-address-space-exclude-subnet
	    Specifies the IPv6 address spaces whose traffic you want to exclude from access to a subnet on the network. The
	    default is none.

       address-space-include-dns-name
	    Specifies a list of domain names describing the target LAN DNS addresses for split tunneling only. You can add
	    multiple address spaces to the list. For each address space, type the domain name, in the form site.siterequest.com or
	    *.siterequest.com. The default is none.

       address-space-exclude-dns-name
	    Specifies the DNS address spaces whose traffic you want to exclude from access to a subnet on the network. You can add
	    multiple address spaces to the list. For each address space, type the domain name, in the form site.siterequest.com or
	    *.siterequest.com. The default is none.

       address-space-include
	    Specifies the name of the address space object whose traffic you want to include for the target LAN. When using split
	    tunneling, only the traffic to these addresses and DNS names goes through the tunnel configured for Network Access.
	    You can add multiple address spaces to the list. The default is none.

       address-space-include-subnet
	    Specifies a list of IPv4 addresses or address/mask pairs describing the target LAN. When using split tunneling, only
	    the traffic to these addresses and network segments goes through the tunnel configured for Network Access. You can add
	    multiple address spaces to the list. For each address space, type the IPv4 address and network mask. The default is
	    none.

       ipv6-address-space-include-subnet
	    Specifies a list of IPv6 addresses or address/mask pairs describing the target LAN. When using split tunneling, only
	    the traffic to these addresses and network segments goes through the tunnel configured for Network Access. You can add
	    multiple address spaces to the list. For each address space, type the IPv6 address and network mask. The default is
	    none.

       address-space-local-subnets-excluded
	    Specifies whether to exclude local access to any host or subnet in routes that you have specified in the client
	    routing table. The default is false. When you set this option to true, the system does not support integrated IP
	    filtering.

       address-space-loc-dns-servers-excluded
	    Specifies whether to exclude local access to DNS servers configured on the client prior to establishing the network
	    access connection. The default is false.

       address-space-protect
	    Specifies whether the IP address spaces whose traffic is forced through the tunnel are protected. The default is
	    false.

       app-service
	    The default is none.

       application-launch
	    Specifies the applications to launch when the client accesses the network. The default is none.

       application-launch-warning
	    Specifies whether the user is warned that an application is being launched. The default is true.

       auto-launch
	    Specifies whether the network access (NA) resource is launched automatically from the full webtop. The default is false.

       client-interface-speed
	    Specifies the baud rate of the client interface with the network. The default is 100000000.

       client-ip-filter-engine
	    Specifies whether the client IP address is filtered. The default is .

       client-power-management
	    Specifies how to interact with Windows power management features.

	    prevent
		 Prevents Windows from entering standby/hibernate during connection.

	    terminate
		 Terminates the network access connection if Windows is entering standby/hibernate.

	    ignore
		 Do nothing. Ignore power management events. This is the default value.

       client-proxy
	    Specifies whether this resource handles a client proxy. The default is false.

       client-proxy-address
	    Specifies the IP address of the proxy client. The default is any6.

       client-proxy-enforce-subnets
	    Specifies whether address space subnets must be enforced in proxy auto-configuration. The default is true.

       client-proxy-exclusion-list
	    Specifies the Web addresses that do not need to be accessed through your proxy server. You can use wild cards to match
	    domain and host names or addresses, for example, www.*.com, 128.*, 240.8, 8., mygroup.*, and *.*. The default is none.

       client-proxy-ignore-auto-config-error
	    Specifies whether the client is allowed to connect even after an error in merging or downloading a proxy
	    auto-configuration file. The default is false.

       client-proxy-local-bypass
	    Specifies whether you want to allow local (intranet) addresses to bypass the proxy server. The default is false.

       client-proxy-port
	    Specifies the port number of the proxy server you want Network Access clients to use to connect to the Internet. The
	    default is 0 (zero).

       client-proxy-script
	    Specifies the URL for a proxy auto-configuration script, if one is used with this connection. The default is none.

       client-proxy-use-http-pac
	    Specifies whether the browser uses http:// to locate the proxy autoconfig file, instead of file://. Set this to
	    true for applications, like Citrix MetaFrame, that cannot use the client proxy autoconfig script when the browser
	    attempts to use the prefix file:// to locate the script. The default is false.

       client-proxy-use-local-proxy
	    Specifies whether the browser uses the proxy configured on the client prior to establishing the network access
	    connection. The default is false.

       client-traffic-classifier
	    Specifies a client traffic classifier to use with this network access connection. The default is none.

       compression
	    Specifies whether you want to compress all traffic between the Network Access client and the controller. The default
	    is none.

       customization-group
	    Specifies the customization group that defines the policies that apply to network access. This option is required.

       description
	    Specifies a unique description of the network access configuration object. The default is none.

       dns-primary
	    For split tunneling, specifies the IPv4 address of the primary name server that is conveyed to the remote access point
	    for IPv4 traffic. The default is any6.

       ipv6-dns-primary
	    For split tunneling, specifies the IPv6 address of the primary name server that is conveyed to the remote access point
	    for IPv6 traffic. The default is any6.

       dns-secondary
	    For split tunneling, specifies the IPv4 address of the secondary name server that is conveyed to the remote access
	    point for IPv4 traffic. The default is any6.

       ipv6-dns-secondary
	    For split tunneling, specifies the IPv6 address of the secondary name server that is conveyed to the remote access
	    point for IPv6 traffic. The default is any6.

       dns-suffix
	    Type in a DNS suffix to send to the client. If this field is left blank, the controller sends its own DNS suffix. You
	    can specify multiple default domain suffixes separated with commas. The default is none.

       drive-mapping
	    For split tunneling, specifies the drive to which this resource provides a network access connection. The default is
	    none.

       dtls Specifies whether the network access connection uses Datagram Transport Layer Security (DTLS). DTLS uses UDP instead
	    of TCP to provide better throughput for high demand applications like VoIP or streaming video, especially with lossy
	    connections. The default is false.

       dtls-port
	    Specifies the port number that the network access resource uses for secure UDP traffic with DTLS. The default is 4433.

       execute-logoff-scripts
	    Specifies whether the system executes logoff scripts (configured on the Active Directory domain) when the
	    connection is terminated. The default is false.

       idle-timeout-threshold
	    Defines the average byte rate that either ingress or egress tunnel traffic must exceed for the tunnel to update a
	    session. If the average byte rate falls below the specified threshold, the system applies the inactivity timeout,
	    which is defined in the session's Access Profile. The default is 0 (zero).

       idle-timeout-window
	    Defines the value that the system uses to calculate the Exponential Moving Average (EMA) byte rate of ingress and
	    egress tunnel traffic. The default is 0 (zero).

       leasepool-name
	    Specifies the IPv4 lease pools that the user can access with this network access connection. The default is none.

       ipv6-leasepool-name
	    Specifies the IPv6 lease pools that the user can access with this network access connection. The default is none.

       location-specific
	    Specifies whether or not this object contains one or more attributes with values that are specific to the location
	    where the BIG-IP device resides. The location-specific attribute is either true or false. When using policy sync, mark
	    an object as location-specific to prevent errors that can occur when policies reference objects, such as
	    authentication servers, that are specific to a certain location.

       microsoft-network-client
	    Specifies whether the client PC can access remote resources over a VPN connection. The default is true.

       microsoft-network-server
	    Specifies whether the server can access remote resources over a VPN connection. The default is false.

       network-tunnel
	    Enables or disables the network tunnel. The default is enabled.

       optimized-app
	    Specifies the optimized applications that you want users to access using this network access connection resource.
	    You can add, delete, modify, or replace the current optimized applications. The default is none.

       partition
	    Displays the partition within which this network access connection component resides. The default is Common.

       provide-client-cert
	    Specifies whether client certificates are required to establish an SSL connection. You can set this option to false if
	    the client certificates are only requested in an SSL connection. In this case, the client is configured to not send
	    client certificates. The default is true.

       proxy-arp
	    Specifies whether Proxy ARP is enabled for this network access resource. When you implement Proxy ARP for a network access
	    resource, remote VPN tunnel clients can use IP addresses from the LAN IP subnet without additional network
	    infrastructure changes. Ranges of IP addresses from the LAN subnet can be configured in the lease pools and assigned
	    to tunnel clients. When a host on the LAN sends traffic to a tunnel client, an ARP query is sent to request the client
	    address. Access Policy Manager then responds with its own MAC address. Traffic is then sent to network access and
	    forwarded to the client over the network access tunnel. No configuration changes are required on devices other than
	    the Access Policy Manager.

	    See your Network Access documentation for more information about Proxy ARP configuration. The default is false.

       split-tunneling
	    Specifies whether only traffic targeted to a specified address space is sent over the network access tunnel. With
	    split tunneling, all other traffic bypasses the tunnel. The default is false. When you set this option to true, all
	    traffic passing over the network access connection uses this setting.

       static-host
	    Specifies the static hosts to which this resource provides a network access connection. The default is none.

       supported-ip-version
	    Specifies the supported IP protocol version. The default is ipv4.

       sync-with-active-directory
	    Specifies whether you want the network access connection to emulate the Windows logon process for a client on an
	    Active Directory domain. The default is false.

	    When this option is set to true, network policies are synchronized when the connection is established, or at logoff.
	    The following items are synchronized:

	    •	 Logon scripts are started as specified in the user profile.

	    •	 Drives are mapped as specified in the user profile.

	    •	 Group policies are synchronized as specified in the user profile. Group Policy logon scripts are started when the
		 connection is established, and Group Policy logoff scripts are run when the network access connection is stopped.

       type Specifies the type of network access connection this component provides. The default is network-access.

       wins-primary
	    Specifies the primary IP address to which this resource provides a network access connection. The default is any6.

       wins-secondary
	    Specifies the secondary IP address to which this resource provides a network access connection. The default is any6.
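
       One way to review the split-tunneling and client-proxy options described above across many objects, as an added
       example that is not part of the F5 manual: the Python below parses text in the usual tmsh "name { property value }"
       listing layout and applies three review rules taken from the option descriptions on this page. The rules, the function
       names, the listing layout and the sample listing are assumptions made for illustration.

```python
import re

# Page defaults, applied when a property is not listed (assumed to mean default).
DEFAULTS = {"split-tunneling": "false", "address-space-protect": "false",
            "address-space-local-subnets-excluded": "false",
            "client-proxy-ignore-auto-config-error": "false"}
HEADER = re.compile(r"^apm resource network-access (\S+) \{$")

def parse_listing(text):
    """Return {object name: {property: value}} for top-level scalar properties."""
    objects, current, depth = {}, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        match = HEADER.match(line)
        if depth == 0 and match:
            current = objects.setdefault(match.group(1), dict(DEFAULTS))
            depth = 1
        elif line.endswith("{"):
            depth += 1                      # nested block: contents are skipped
        elif line == "}":
            depth = max(depth - 1, 0)
            current = current if depth else None
        elif line and depth == 1 and current is not None:
            key, _, value = line.partition(" ")
            current[key] = value.strip()
    return objects

def audit(objects):
    """Return sorted (object, finding) pairs; the three rules are a hypothetical policy."""
    findings = []
    for name, props in objects.items():
        if props["split-tunneling"] == "true" and props["address-space-protect"] == "false":
            findings.append((name, "split tunneling without address-space-protect"))
        if props["address-space-local-subnets-excluded"] == "true":
            findings.append((name, "integrated IP filtering not supported"))
        if props["client-proxy-ignore-auto-config-error"] == "true":
            findings.append((name, "connects despite proxy auto-config errors"))
    return sorted(findings)

# Constructed sample listing, not captured from a real device.
SAMPLE = """\
apm resource network-access corp-vpn {
    customization-group corp-vpn-custom
    split-tunneling true
}
apm resource network-access contractor-vpn {
    address-space-protect true
    client-proxy-ignore-auto-config-error true
    customization-group contractor-custom
    split-tunneling true
}
"""

if __name__ == "__main__":
    print(*(f"{n}: {f}" for n, f in audit(parse_listing(SAMPLE))), sep="\n")
```

       Listing with the all-properties option removes the reliance on the documented defaults.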

SEE ALSO
       tmsh

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
       photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
       use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2011-2013, 2016. All rights reserved.

BIG-IP							    2020-10-13				    apm resource network-access(1)