apm resource network-access
apm resource network-access(1)    BIG-IP TMSH Manual    apm resource network-access(1)
NAME
network-access - Configures general settings for a network access
connection.
MODULE
apm resource
SYNTAX
Configure the network-access component within the resource module using
the syntax shown in the following sections.
CREATE/MODIFY
create network-access [name]
modify network-access [name]
options:
app-service [[string] | none]
address-space-dhcp-requests-excluded [true | false]
address-space-exclude-subnet [[string] | none]
ipv6-address-space-exclude-subnet [[string] | none]
address-space-include-dns-name [[string] | none]
address-space-exclude-dns-name [[string] | none]
address-space-include-subnet [[string] | none]
ipv6-address-space-include-subnet [[string] | none]
address-space-local-subnets-excluded [true | false]
address-space-loc-dns-servers-excluded [true | false]
address-space-protect [true | false]
application-launch [[string] | none]
application-launch-warning [true | false]
auto-launch [true | false]
client-interface-speed [[integer] | none]
client-ip-filter-engine [true | false]
client-power-management [ignore | prevent | terminate]
client-proxy [true | false]
client-proxy-address [ip addr]
client-proxy-enforce-subnets [true | false]
client-proxy-exclusion-list [[string] | none]
client-proxy-ignore-auto-config-error [true | false]
client-proxy-local-bypass [true | false]
client-proxy-port [[integer] | none]
client-proxy-script [[string] | none]
client-proxy-use-http-pac [true | false]
client-proxy-use-local-proxy [true | false]
client-traffic-classifier [[string] | none]
compression [gzip | none]
customization-group [[string] | none]
description [[string] | none]
dns-primary [ip addr]
ipv6-dns-primary [ip addr]
dns-secondary [ip addr]
ipv6-dns-secondary [ip addr]
dns-suffix [[string] | none]
drive-mapping [[string] | none]
dtls [true | false]
dtls-port [[integer] | none]
execute-logoff-scripts [true | false]
idle-timeout-threshold [[integer] | none]
idle-timeout-window [[integer] | none]
leasepool-name [[string] | none]
location-specific [true | false]
ipv6-leasepool-name [[string] | none]
microsoft-network-client [true | false]
microsoft-network-server [true | false]
network-tunnel [enabled | disabled]
optimized-app [add | delete | modify | none | replace-all-with ]
provide-client-cert [true | false]
proxy-arp [true | false]
split-tunneling [true | false]
static-host [[string] | none]
supported-ip-version [ipv4 | ipv4-ipv6]
sync-with-active-directory [true | false]
type [app-tunnel | last | network-access | remote-desktop | web-application]
wins-primary [ip addr]
wins-secondary [ip addr]
edit network-access [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list network-access
list network-access [ [ [name] | [glob] | [regex] ] ... ]
show running-config network-access
show running-config network-access [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
show network-access
show network-access [name]
DELETE
delete network-access [name]
DESCRIPTION
You can use the network-access component to configure the general
settings for a network access connection.
EXAMPLES
create network-access mynetwork-access customization-group mynetaccess
Creates a network access connection configuration object named
mynetwork-access that uses the policies in the customization group
named mynetaccess.
delete network-access mynetwork-access
Deletes the network access connection configuration object named
mynetwork-access.
OPTIONS
app-service
Specifies the name of the application service to which the object
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the object. Only the application
service can modify or delete the object.
address-space-dhcp-requests-excluded
Specifies whether requests from IP addresses using DHCP are
excluded from accessing the network. The default is true.
address-space-exclude-subnet
Specifies the IPv4 address spaces whose traffic you want to
exclude from access to a subnet on the network. The default is
none.
ipv6-address-space-exclude-subnet
Specifies the IPv6 address spaces whose traffic you want to
exclude from access to a subnet on the network. The default is
none.
address-space-include-dns-name
Specifies a list of domain names describing the target LAN DNS
addresses for split tunneling only. You can add multiple address
spaces to the list. For each address space, type the domain name,
in the form site.siterequest.com or *.siterequest.com. The default
is none.
address-space-exclude-dns-name
Specifies the DNS address spaces whose traffic you want to exclude
from access to a subnet on the network. You can add multiple
address spaces to the list. For each address space, type the
domain name, in the form site.siterequest.com or
*.siterequest.com. The default is none.
address-space-include-subnet
Specifies a list of IPv4 addresses or address/mask pairs
describing the target LAN. When using split tunneling, only the
traffic to these addresses and network segments goes through the
tunnel configured for Network Access. You can add multiple address
spaces to the list. For each address space, type the IPv4 address
and network mask. The default is none.
ipv6-address-space-include-subnet
Specifies a list of IPv6 addresses or address/mask pairs
describing the target LAN. When using split tunneling, only the
traffic to these addresses and network segments goes through the
tunnel configured for Network Access. You can add multiple address
spaces to the list. For each address space, type the IPv6 address
and network mask. The default is none.
address-space-local-subnets-excluded
Specifies whether to exclude local access to any host or subnet in
routes that you have specified in the client routing table. The
default is false. When you set this option to true, the system
does not support integrated IP filtering.
address-space-loc-dns-servers-excluded
Specifies whether to exclude local access to DNS servers that were
configured on the client before the network access connection was
established. The default is false.
address-space-protect
Specifies whether the IP address spaces whose traffic is forced
through the tunnel are protected. The default is false.
app-service
The default is none.
application-launch
Specifies the applications to launch when the client accesses the
network. The default is none.
application-launch-warning
Specifies whether the user is warned that an application is being
launched. The default is true.
auto-launch
Specifies whether the Network Access (NA) resource is launched
automatically from the full webtop. The default is false.
client-interface-speed
Specifies the baud rate of the client interface with the network.
The default is 100000000.
client-ip-filter-engine
Specifies whether the client IP address is filtered. The default
is .
client-power-management
Specifies how to interact with Windows power management features.
prevent
Prevents Windows from entering standby/hibernate during
connection.
terminate
Terminates the network access connection if Windows is entering
standby/hibernate.
ignore
Do nothing. Ignore power management events. This is the
default value.
client-proxy
Specifies whether this resource handles a client proxy. The
default is false.
client-proxy-address
Specifies the IP address of the proxy client. The default is any6.
client-proxy-enforce-subnets
Specifies whether address space subnets must be enforced in proxy
auto-configuration. The default is true.
client-proxy-exclusion-list
Specifies the Web addresses that do not need to be accessed
through your proxy server. You can use wild cards to match domain
and host names or addresses, for example, www.*.com, 128.*, 240.8,
8., mygroup.*, and *.*. The default is none.
client-proxy-ignore-auto-config-error
Specifies whether to allow the client to connect even after an
error in merging or downloading a proxy auto-configuration file.
The default is false.
client-proxy-local-bypass
Specifies whether you want to allow local (intranet) addresses to
bypass the proxy server. The default is false.
client-proxy-port
Specifies the port number of the proxy server you want Network
Access clients to use to connect to the Internet. The default is 0
(zero).
client-proxy-script
Specifies the URL for a proxy auto-configuration script, if one is
used with this connection. The default is none.
client-proxy-use-http-pac
Specifies whether the browser uses http:// to locate the proxy
autoconfig file, instead of file://. Set this to true for
applications, like Citrix MetaFrame, that cannot use the client
proxy autoconfig script when the browser attempts to use the
prefix file:// to locate the script. The default is false.
client-proxy-use-local-proxy
Specifies whether the browser uses the proxy that was configured on
the client before the network access connection was established.
The default is false.
client-traffic-classifier
Specifies a client traffic classifier to use with this network
access connection. The default is none.
compression
Specifies whether you want to compress all traffic between the
Network Access client and the controller. The default is none.
customization-group
Specifies the customization group that defines the policies that
apply to network access. This option is required.
description
Specifies a unique description of the network access configuration
object. The default is none.
dns-primary
For split tunneling, specifies the IPv4 address of the primary
name server that is conveyed to the remote access point for IPv4
traffic. The default is any6.
ipv6-dns-primary
For split tunneling, specifies the IPv6 address of the primary
name server that is conveyed to the remote access point for IPv6
traffic. The default is any6.
dns-secondary
For split tunneling, specifies the IPv4 address of the secondary
name server that is conveyed to the remote access point for IPv4
traffic. The default is any6.
ipv6-dns-secondary
For split tunneling, specifies the IPv6 address of the secondary
name server that is conveyed to the remote access point for IPv6
traffic. The default is any6.
dns-suffix
Type in a DNS suffix to send to the client. If this field is left
blank, the controller sends its own DNS suffix. You can specify
multiple default domain suffixes separated with commas. The
default is none.
drive-mapping
For split tunneling, specifies the drive to which this resource
provides a network access connection. The default is none.
dtls
Specifies whether the network access connection uses Datagram
Transport Layer Security (DTLS). DTLS uses UDP instead of TCP, to
provide better throughput for high demand applications like VoIP
or streaming video, especially with lossy connections. The default
is false.
dtls-port
Specifies the port number that the network access resource uses
for secure UDP traffic with DTLS. The default is 4433.
execute-logoff-scripts
Specifies whether the system executes logoff scripts
(configured on the Active Directory domain) when the connection is
terminated. The default is false.
idle-timeout-threshold
Defines the average byte rate that either ingress or egress tunnel
traffic must exceed for the tunnel to update a session. If the
average byte rate falls below the specified threshold, the system
applies the inactivity timeout, which is defined in the session's
Access Profile. The default is 0 (zero).
idle-timeout-window
Defines the value that the system uses to calculate the
Exponential Moving Average (EMA) byte rate of ingress and egress
tunnel traffic. The default is 0 (zero).
leasepool-name
Specifies the IPv4 lease pools that the user can access with this
network access connection. The default is none.
ipv6-leasepool-name
Specifies the IPv6 lease pools that the user can access with this
network access connection. The default is none.
location-specific
Specifies whether or not this object contains one or more
attributes with values that are specific to the location where the
BIG-IP device resides. The location-specific attribute is either
true or false. When using policy sync, mark an object as
location-specific to prevent errors that can occur when policies reference
objects, such as authentication servers, that are specific to a
certain location.
microsoft-network-client
Specifies whether the client PC can access remote resources over a
VPN connection. The default is true.
microsoft-network-server
Specifies whether the server can access remote resources over a
VPN connection. The default is false.
network-tunnel
Enables or disables the network tunnel. The default is enabled.
optimized-app
Specifies the optimized applications that you want users to
access using this network access connection resource. You can add,
delete, modify, or replace the current optimized applications. The
default is none.
partition
Displays the partition within which this network access connection
component resides. The default is Common.
provide-client-cert
Specifies whether client certificates are required to establish an
SSL connection. You can set this option to false if the client
certificates are only requested in an SSL connection. In this
case, the client is configured to not send client certificates.
The default is true.
proxy-arp
Select Enable to enable Proxy ARP for this network access
resource. When you implement Proxy ARP for a network access
resource, remote VPN tunnel clients can use IP addresses from the
LAN IP subnet without additional network infrastructure changes.
Ranges of IP addresses from the LAN subnet can be configured in
the lease pools and assigned to tunnel clients. When a host on the
LAN sends traffic to a tunnel client, an ARP query is sent to
request the client address. Access Policy Manager then responds
with its own MAC address. Traffic is then sent to network access
and forwarded to the client over the network access tunnel. No
configuration changes are required on devices other than the
Access Policy Manager.
See your Network Access documentation for more information about
Proxy ARP configuration. The default is false.
split-tunneling
Specifies whether only traffic targeted to a specified address
space is sent over the network access tunnel. With split
tunneling, all other traffic bypasses the tunnel. The default is
false. When you set this option to true, all traffic passing over
the network access connection uses this setting.
static-host
Specifies the static hosts to which this resource provides a
network access connection. The default is none.
supported-ip-version
Specifies the supported IP protocol version. The default is ipv4.
sync-with-active-directory
Specifies whether you want the network access connection to
emulate the Windows logon process for a client on an Active
Directory domain. The default is false.
When this option is set to true, network policies are synchronized
when the connection is established, or at logoff. The following
items are synchronized:
o Logon scripts are started as specified in the user profile.
o Drives are mapped as specified in the user profile.
o Group policies are synchronized as specified in the user
profile. Group Policy logon scripts are started when the
connection is established, and Group Policy logoff scripts
are run when the network access connection is stopped.
type
Specifies the type of network access connection this component
provides. The default is network-access.
wins-primary
Specifies the primary IP address to which this resource provides a
network access connection. The default is any6.
wins-secondary
Specifies the secondary IP address to which this resource provides
a network access connection. The default is any6.
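The split-tunneling, address-space and client-proxy options above decide which client traffic stays inside the tunnel, so they are worth reviewing together. The following is an added example, not part of the F5 manual: a small Python audit over list output that fills in the defaults documented on this page. The object names, the sample stanzas and the assumption that list output omits default-valued options are constructed for illustration.

```python
import re

# Defaults from this page's OPTIONS; assumes `list` omits default-valued options.
DEFAULTS = {
    "split-tunneling": "false",
    "address-space-protect": "false",
    "address-space-local-subnets-excluded": "false",
    "client-proxy-ignore-auto-config-error": "false",
}
# Constructed sample in tmsh stanza layout; not captured from a real device.
SAMPLE = """\
apm resource network-access na_full {
    customization-group na_full_cg
}
apm resource network-access na_split {
    address-space-local-subnets-excluded true
    client-proxy-ignore-auto-config-error true
    customization-group na_split_cg
    split-tunneling true
}
"""

STANZA = re.compile(r"^apm resource network-access (\S+) \{\n(.*?)^\}", re.M | re.S)
def parse(text):
    """Return {name: {option: value}} for scalar options, defaults filled in."""
    objects = {}
    for name, body in STANZA.findall(text):
        objects[name] = props = dict(DEFAULTS)
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2 and "{" not in parts[1]:  # skip list-valued options
                props[parts[0]] = parts[1].strip()
    return objects

def audit(text):
    """Return {name: [findings]} using the option semantics documented above."""
    report = {}
    for name, p in parse(text).items():
        found = []
        if p["split-tunneling"] == "true":
            found.append("split-tunneling: traffic outside the include list bypasses the tunnel")
            if p["address-space-protect"] == "false":
                found.append("address-space-protect: false while split tunneling is on")
        if p["address-space-local-subnets-excluded"] == "true":
            found.append("address-space-local-subnets-excluded: integrated IP filtering unsupported")
        if p["client-proxy-ignore-auto-config-error"] == "true":
            found.append("client-proxy-ignore-auto-config-error: client connects after a PAC error")
        report[name] = found
    return report
```

Running the list command with all-properties removes the dependence on the defaults table, at the cost of longer output.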
SEE ALSO
tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2011-2013, 2016. All rights
reserved.
BIG-IP 2016-03-14 apm resource network-access(1)