apm resource network-access
apm resource network-access(1) BIG-IP TMSH Manual apm resource network-access(1)
NAME
network-access - Configures general settings for a network access connection.
MODULE
apm resource
SYNTAX
Configure the network-access component within the resource module using the syntax shown in the following
sections.
CREATE/MODIFY
create network-access [name]
modify network-access [name]
options:
app-service [[string] | none]
address-space-dhcp-requests-excluded [true | false]
address-space-exclude-subnet [[string] | none]
ipv6-address-space-exclude-subnet [[string] | none]
address-space-include-dns-name [[string] | none]
address-space-exclude-dns-name [[string] | none]
address-space-include-subnet [[string] | none]
ipv6-address-space-include-subnet [[string] | none]
address-space-local-subnets-excluded [true | false]
address-space-loc-dns-servers-excluded [true | false]
address-space-protect [true | false]
application-launch [[string] | none]
application-launch-warning [true | false]
auto-launch [true | false]
client-interface-speed [[integer] | none]
client-ip-filter-engine [true | false]
client-power-management [ignore | prevent | terminate]
client-proxy [true | false]
client-proxy-address [ip addr]
client-proxy-enforce-subnets [true | false]
client-proxy-exclusion-list [[string] | none]
client-proxy-ignore-auto-config-error [true | false]
client-proxy-local-bypass [true | false]
client-proxy-port [[integer] | none]
client-proxy-script [[string] | none]
client-proxy-use-http-pac [true | false]
client-proxy-use-local-proxy [true | false]
client-traffic-classifier [[string] | none]
compression [gzip | none]
customization-group [[string] | none]
description [[string] | none]
dns-primary [ip addr]
ipv6-dns-primary [ip addr]
dns-secondary [ip addr]
ipv6-dns-secondary [ip addr]
dns-suffix [[string] | none]
drive-mapping [[string] | none]
dtls [true | false]
dtls-port [[integer] | none]
execute-logoff-scripts [true | false]
idle-timeout-threshold [[integer] | none]
idle-timeout-window [[integer] | none]
leasepool-name [[string] | none]
location-specific [true | false]
ipv6-leasepool-name [[string] | none]
microsoft-network-client [true | false]
microsoft-network-server [true | false]
network-tunnel [enabled | disabled]
optimized-app [add | delete | modify | none | replace-all-with ]
provide-client-cert [true | false]
proxy-arp [true | false]
split-tunneling [true | false]
static-host [[string] | none]
supported-ip-version [ipv4 | ipv4-ipv6]
sync-with-active-directory [true | false]
type [app-tunnel | last | network-access | remote-desktop | web-application]
wins-primary [ip addr]
wins-secondary [ip addr]
edit network-access [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list network-access
list network-access [ [ [name] | [glob] | [regex] ] ... ]
show running-config network-access
show running-config network-access [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
show network-access
show network-access [name]
DELETE
delete network-access [name]
DESCRIPTION
You can use the network-access component to configure the general settings for a network access connection.
EXAMPLES
create network-access mynetwork-access customization-group mynetaccess
Creates a network access connection configuration object named mynetwork-access that uses the policies in
the customization group named mynetaccess.
delete network-access mynetwork-access
Deletes the network access connection configuration object named mynetwork-access.
OPTIONS
app-service
Specifies the name of the application service to which the object belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the object. Only the application service can modify or delete the object.
address-space-dhcp-requests-excluded
Specifies whether requests from IP addresses using DHCP are excluded from accessing the network. The
default is true.
address-space-exclude-subnet
Specifies the IPv4 address spaces whose traffic you want to exclude from access to a subnet on the
network. The default is none.
ipv6-address-space-exclude-subnet
Specifies the IPv6 address spaces whose traffic you want to exclude from access to a subnet on the
network. The default is none.
address-space-include-dns-name
Specifies a list of domain names describing the target LAN DNS addresses for split tunneling only. You
can add multiple address spaces to the list. For each address space, type the domain name, in the form
site.siterequest.com or *.siterequest.com. The default is none.
address-space-exclude-dns-name
Specifies the DNS address spaces whose traffic you want to exclude from access to a subnet on the
network. You can add multiple address spaces to the list. For each address space, type the domain name,
in the form site.siterequest.com or *.siterequest.com. The default is none.
address-space-include-subnet
Specifies a list of IPv4 addresses or address/mask pairs describing the target LAN. When using split
tunneling, only the traffic to these addresses and network segments goes through the tunnel configured
for Network Access. You can add multiple address spaces to the list. For each address space, type the
IPv4 address and network mask. The default is none.
ipv6-address-space-include-subnet
Specifies a list of IPv6 addresses or address/mask pairs describing the target LAN. When using split
tunneling, only the traffic to these addresses and network segments goes through the tunnel configured
for Network Access. You can add multiple address spaces to the list. For each address space, type the
IPv6 address and network mask. The default is none.
address-space-local-subnets-excluded
Specifies whether to exclude local access to any host or subnet in routes that you have specified in the
client routing table. The default is false. When you set this option to true, the system does not support
integrated IP filtering.
address-space-loc-dns-servers-excluded
Specifies whether to exclude local access to DNS servers configured on the client before the
network access connection is established. The default is false.
address-space-protect
Specifies whether the IP address spaces whose traffic is forced through the tunnel are protected. The
default is false.
application-launch
Specifies the applications to launch when the client accesses the network. The default is none.
application-launch-warning
Specifies whether the user is warned that an application is being launched. The default is true.
auto-launch
Specifies whether the network access (NA) resource is launched automatically from the full webtop. The default is false.
client-interface-speed
Specifies the baud rate of the client interface with the network. The default is 100000000.
client-ip-filter-engine
Specifies whether the client IP address is filtered. The default is .
client-power-management
Specifies how to interact with Windows power management features.
prevent
Prevents Windows from entering standby/hibernate during connection.
terminate
Terminates the network access connection if Windows is entering standby/hibernate.
ignore
Do nothing. Ignore power management events. This is the default value.
client-proxy
Specifies whether this resource handles a client proxy. The default is false.
client-proxy-address
Specifies the IP address of the proxy client. The default is any6.
client-proxy-enforce-subnets
Specifies whether address space subnets must be enforced in proxy auto-configuration. The default is
true.
client-proxy-exclusion-list
Specifies the Web addresses that do not need to be accessed through your proxy server. You can use wild
cards to match domain and host names or addresses, for example, www.*.com, 128.*, 240.8, 8., mygroup.*,
and *.*. The default is none.
client-proxy-ignore-auto-config-error
Specifies whether the client is allowed to connect even after an error in merging or downloading a proxy auto-configuration file.
The default is false.
client-proxy-local-bypass
Specifies whether you want to allow local (intranet) addresses to bypass the proxy server. The default is
false.
client-proxy-port
Specifies the port number of the proxy server you want Network Access clients to use to connect to the
Internet. The default is 0 (zero).
client-proxy-script
Specifies the URL for a proxy auto-configuration script, if one is used with this connection. The default
is none.
client-proxy-use-http-pac
Specifies whether the browser uses http:// to locate the proxy autoconfig file, instead of file://.
Set this to true for applications, like Citrix MetaFrame, that cannot use the client proxy autoconfig
script when the browser attempts to use the prefix file:// to locate the script. The default is false.
client-proxy-use-local-proxy
Specifies whether the browser uses the proxy configured on the client before the network access
connection is established. The default is false.
client-traffic-classifier
Specifies a client traffic classifier to use with this network access connection. The default is none.
compression
Specifies whether you want to compress all traffic between the Network Access client and the controller.
The default is none.
customization-group
Specifies the customization group that defines the policies that apply to network access. This option is
required.
description
Specifies a unique description of the network access configuration object. The default is none.
dns-primary
For split tunneling, specifies the IPv4 address of the primary name server that is conveyed to the remote
access point for IPv4 traffic. The default is any6.
ipv6-dns-primary
For split tunneling, specifies the IPv6 address of the primary name server that is conveyed to the remote
access point for IPv6 traffic. The default is any6.
dns-secondary
For split tunneling, specifies the IPv4 address of the secondary name server that is conveyed to the
remote access point for IPv4 traffic. The default is any6.
ipv6-dns-secondary
For split tunneling, specifies the IPv6 address of the secondary name server that is conveyed to the
remote access point for IPv6 traffic. The default is any6.
dns-suffix
Specifies a DNS suffix to send to the client. If this option is left blank, the controller sends its own DNS
suffix. You can specify multiple default domain suffixes separated with commas. The default is none.
drive-mapping
For split tunneling, specifies the drive to which this resource provides a network access connection. The
default is none.
dtls
Specifies whether the network access connection uses Datagram Transport Level Security (DTLS). DTLS uses
UDP instead of TCP to provide better throughput for high-demand applications like VoIP or streaming
video, especially with lossy connections. The default is false.
dtls-port
Specifies the port number that the network access resource uses for secure UDP traffic with DTLS. The
default is 4433.
execute-logoff-scripts
Specifies whether the system executes logoff scripts (configured on the Active Directory domain) when
the connection is terminated. The default is false.
idle-timeout-threshold
Defines the average byte rate that either ingress or egress tunnel traffic must exceed for the tunnel to
update a session. If the average byte rate falls below the specified threshold, the system applies the
inactivity timeout, which is defined in the session's Access Profile. The default is 0 (zero).
idle-timeout-window
Defines the value that the system uses to calculate the Exponential Moving Average (EMA) byte rate of
ingress and egress tunnel traffic. The default is 0 (zero).
leasepool-name
Specifies the IPv4 lease pools that the user can access with this network access connection. The default
is none.
ipv6-leasepool-name
Specifies the IPv6 lease pools that the user can access with this network access connection. The default
is none.
location-specific
Specifies whether or not this object contains one or more attributes with values that are specific to the
location where the BIG-IP device resides. The location-specific attribute is either true or false. When
using policy sync, mark an object as location-specific to prevent errors that can occur when policies
reference objects, such as authentication servers, that are specific to a certain location.
microsoft-network-client
Specifies whether the client PC can access remote resources over a VPN connection. The default is true.
microsoft-network-server
Specifies whether the server can access remote resources over a VPN connection. The default is false.
network-tunnel
Enables or disables the network tunnel. The default is enabled.
optimized-app
Specifies the optimized applications that you want users to access using this network access
connection resource. You can add, delete, modify, or replace the current optimized applications. The
default is none.
partition
Displays the partition within which this network access connection component resides. The default is
Common.
provide-client-cert
Specifies whether client certificates are required to establish an SSL connection. You can set this
option to false if the client certificates are only requested in an SSL connection. In this case, the
client is configured to not send client certificates. The default is true.
proxy-arp
Specifies whether Proxy ARP is enabled for this network access resource. When you implement Proxy ARP for a
network access resource, remote VPN tunnel clients can use IP addresses from the LAN IP subnet without
additional network infrastructure changes. Ranges of IP addresses from the LAN subnet can be configured
in the lease pools and assigned to tunnel clients. When a host on the LAN sends traffic to a tunnel
client, an ARP query is sent to request the client address. Access Policy Manager then responds with its
own MAC address. Traffic is then sent to network access and forwarded to the client over the network
access tunnel. No configuration changes are required on devices other than the Access Policy Manager.
See your Network Access documentation for more information about Proxy ARP configuration. The default is
false.
split-tunneling
Specifies whether only traffic targeted to a specified address space is sent over the network access
tunnel. With split tunneling, all other traffic bypasses the tunnel. The default is false. When you set
this option to true, all traffic passing over the network access connection uses this setting.
static-host
Specifies the static hosts to which this resource provides a network access connection. The default is
none.
supported-ip-version
Specifies the supported IP protocol version. The default is ipv4.
sync-with-active-directory
Specifies whether you want the network access connection to emulate the Windows logon process for a
client on an Active Directory domain. The default is false.
When this option is set to true, network policies are synchronized when the connection is established, or
at logoff. The following items are synchronized:
· Logon scripts are started as specified in the user profile.
· Drives are mapped as specified in the user profile.
· Group policies are synchronized as specified in the user profile. Group Policy logon scripts are
started when the connection is established, and Group Policy logoff scripts are run when the network
access connection is stopped.
type
Specifies the type of network access connection this component provides. The default is network-access.
wins-primary
Specifies the primary IP address to which this resource provides a network access connection. The default
is any6.
wins-secondary
Specifies the secondary IP address to which this resource provides a network access connection. The
default is any6.
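The option descriptions above interact (split-tunneling with the include address spaces, address-space-local-subnets-excluded with IP filtering), so a configuration review benefits from checking them together. The following is an added example, not part of the F5 manual: a Python reviewer that parses saved list output and applies three review rules. The sample stanzas are constructed, the rules are an assumed local policy, and treating client-ip-filter-engine as the integrated IP filtering mentioned above is an assumption.

```python
import re

# Constructed sample in the brace layout tmsh uses for `list` output;
# the object names and values are invented for this example.
SAMPLE = """\
apm resource network-access corp-full {
    address-space-local-subnets-excluded false
    client-proxy-ignore-auto-config-error false
    split-tunneling false
}
apm resource network-access contractors {
    address-space-include-subnet none
    address-space-local-subnets-excluded true
    client-ip-filter-engine true
    client-proxy-ignore-auto-config-error true
    split-tunneling true
}
"""

STANZA = re.compile(r"^apm resource network-access (\S+) \{\n(.*?)^\}", re.M | re.S)
INCLUDES = ("address-space-include-subnet", "ipv6-address-space-include-subnet",
            "address-space-include-dns-name")

def parse(text):
    """Return {name: {option: value}}; nested value blocks count only as 'set'."""
    objects = {}
    for name, body in STANZA.findall(text):
        pairs = (line.strip().partition(" ") for line in body.splitlines())
        objects[name] = {key: value.strip() for key, _, value in pairs if key}
    return objects

def audit(props):
    """Review rules (assumed local policy) built on the option descriptions."""
    on = lambda key: props.get(key) == "true"
    findings = []
    if on("split-tunneling") and all(props.get(k, "none") == "none" for k in INCLUDES):
        findings.append("split-tunneling true but no include address space is set")
    # Assumption: client-ip-filter-engine is the integrated IP filtering that
    # the address-space-local-subnets-excluded description says is unsupported.
    if on("address-space-local-subnets-excluded") and on("client-ip-filter-engine"):
        findings.append("local subnets excluded: integrated IP filtering not supported")
    if on("client-proxy-ignore-auto-config-error"):
        findings.append("client connects even after a proxy auto-config error")
    return findings

def audit_all(text):
    return {name: audit(props) for name, props in parse(text).items()}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, findings or "ok")
```

To review a real device, pass audit_all the saved text of list network-access all-properties instead of SAMPLE.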
SEE ALSO
tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2011-2013, 2016. All rights reserved.
BIG-IP 2017-05-09 apm resource network-access(1)