Network Access

Overview

This document describes the API to configure Network Access and its properties in BIG-IQ.

REST Endpoint: /mgmt/cm/access/working-config/apm/resource/network-access

Requests

GET /mgmt/cm/access/working-config/apm/resource/network-access/<id>

Request Parameters

None

Query Parameters

None

Response

HTTP/1.1 200 OK

Name Type Description
addressSpaceDhcpRequestsExcluded string To allow clients to connect through the IP filtering engine and use a DHCP server that is local to the client to renew the client DHCP lease locally, in Client Side Security settings enable Allow access to local DHCP server. Otherwise, clear it. This option should be configured only when Integrated IP filtering engine is enabled. This option applies only to the local client IP address. It does not renew the DHCP lease for the IP address assigned from the Network Access lease pool.
addressSpaceExcludeDnsName array_of_strings Specify domain names. Enter the domain name in the form shown in these examples: site.siterequest.com or *.siterequest.com.
addressSpaceExcludeSubnet array_of_objects Specify IPv4 addresses that need to be excluded from the traffic.
     subnet string Specify IP addresses and network masks for any traffic that you do not want to force through the tunnel.
addressSpaceIncludeDnsName array_of_strings Specify domain names that describe the target LAN DNS addresses. Enter the domain name in the form shown in these examples: site.siterequest.com or *.siterequest.com.
addressSpaceIncludeSubnet array_of_objects Specify IPV4 addresses and network masks that allow traffic in the Network Access tunnel.
     subnet string Specify IP addresses and network masks that describe the target LAN. Only the traffic to these addresses and network segments goes through the Network Access tunnel.
addressSpaceLocDnsServersExcluded string To enable local access to the DNS servers configured on client before establishing Network Access connections, enable Allow Local DNS Servers. Otherwise, disable it.
addressSpaceLocalSubnetsExcluded string To enable local subnet access and local access to any host or subnet in the routes in the client routing table, enable Allow Local Subnet. Otherwise, disable it. When you enable this setting, the system does not support integrated IP filtering.
addressSpaceProtect string To discard any requests to add, delete, or modify entries in the client routing table for the F5 PPP adapter, in Client Side Security settings, enable Prohibit routing table changes during Network Access connection. Otherwise, disable it.
applicationLaunch array_of_objects Specify to launch applications to a Network Access resource when your users are likely to connect to an application server for which they have a client-side component on their systems. This is useful, for example, when Network Access connects directly to an Exchange server, and users run the Microsoft Outlook program to access the server.
     osType string Specify the target operating system.
     parameter string Specify any parameters for the application separated by spaces.
     path string Path to the application. Note: Do not enter single or double quotes in this field. reconnect_to_domain - Specifies that the client should reconnect to the domain after the network access tunnel starts, if, for example, the Network Access tunnel is established before the domain controller logon occurs. Path to the application/gpo_logoff_scripts - Specifies to run group policy object logoff scripts when the Network Access tunnel stops.
applicationLaunchWarning string On enable, display security warnings before launching the application whether or not the site is in the Trusted Sites list. On disable, displays security warnings only if the site is not in the Trusted Sites list.
autoLaunch string On enable, the Network Access resource starts automatically when the user reaches the full webtop. Note: When multiple Network Access resources are assigned to a full webtop, only one can have auto launch enabled.
clientInterfaceSpeed number Specify bits per second.
clientIpFilterEngine string To protect a resource from outside traffic (that is generated by network devices on the client’s LAN), and to ensure that the resource is not leaking traffic to the client’s LAN, in Client Side Security settings select Integrated IP filtering engine. Otherwise, disable it.
clientPowerManagement string Specify how Network Access handles client power management settings (when the user puts the system in standby, or closes the lid on a laptop), for Client Power Management select one: Ignore - Ignore the client settings for power management. Prevent - Prevent power management events from occurring when the client is connected. Terminate - Terminate the Network Access connection when a power management event occurs.
clientProxy string Client proxy settings apply to the proxy behind the Access Policy Manager and do not affect the VPN tunnel transport, or interact with the TLS or DTLS configuration. Use client proxy settings when intranet web servers are not directly accessible from the Access Policy Manager internal subnet. Client proxy settings apply only to HTTP, HTTPS, and FTP connections. SOCKS connections can also be proxied, with a custom PAC file.
clientProxyAddress string Specify the IP address for the client proxy server that Network Access clients use to connect to the Internet.
clientProxyEnforceSubnets string To allow IP address space enforcement in a proxy auto-configuration script, select Enforce IP Address Space in Client Proxy Autoconfig Script. Otherwise, disable it.
clientProxyExclusionList array_of_strings For Web addresses that do not need to be accessed through your proxy server, add them to the Proxy Exclusion List. You can use wild cards to match domain names and host names or addresses. For example, www..com, 128., 240.8, 8., mygroup., *. , and so forth.
clientProxyIgnoreAutoConfigError string To have the system establish the VPN tunnel even when download of the client proxy autoconfig script fails, enable Ignore Client Proxy Autoconfig Script Download Failure. Otherwise, disable it; then if the client proxy autoconfig script fails to download, the VPN tunnel is not established.
clientProxyLocalBypass string To allow local (intranet) addresses to bypass the proxy server enable Bypass Proxy For Local Addresses.
clientProxyPort number Specify the port number on the proxy server that Network Access clients use to connect to the Internet.
clientProxyScript string To use a URL for a proxy auto-configuration script with this connection, type the URL in Client Proxy Autoconfig Script.
clientProxyUseHttpPac string Specify that the browser uses http:// to locate the proxy autoconfig file, instead of file://. Some applications, such as Citrix MetaFrame, cannot use the client proxy autoconfig script when the browser attempts to use the file:// prefix to locate it.
clientProxyUseLocalProxy string Enable to continue to use proxy settings that are configured on the client after establishing a Network Access connection.
clientTrafficClassifier string For Windows clients to use a client traffic classifier with this Network Access connection, enter Client Traffic Classifier. The Client Traffic Classifier should be created beforehand; set this property to its name.
clientTrafficClassifierReference reference Reference to the selected Client Traffic Classifier.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
clientTrayIcon string To display balloon notifications for the Network Access tray icon (for example, when a connection is made) enable Display connection tray. Otherwise, disable it.
compression string Choose compression as none or gzip. No Compression - Traffic passes between the Network Access client and the BIG-IP system without compression. GZIP Compression - All traffic between the Network Access client and the BIG-IP system is compressed using the GZIP deflate method.
customizationGroup string Specify the customization name.
customizationGroupReference reference Specify the Customization reference.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
dnsEnforceSearchOrder string On enable, APM continuously checks the DNS order on the network interface, and sets the Network Access-supplied entries first in the list if they change during a session. On disable, APM uses your local DNS settings as primary and the Network Access-supplied DNS settings as secondary. (This might be useful when split tunneling is in use and the client connects remotely.)
dnsPrimary string Specify the primary IPV4 address of a DNS server for Network Access to convey to the remote access point.
dnsRegisterConnection string Enable to register the address of this connection in the DNS server, for Register this connection’s addresses in DNS.
dnsSecondary string Specify the secondary IPV4 address of a DNS server for Network Access to convey to the remote access point.
dnsSuffix string Specify one or more DNS suffixes, separated by commas, to send to the client. If left empty, the controller sends its own DNS suffix to the client.
dnsUseDnsSuffixForRegistration string Enable to register the default domain suffix, for Use this connection’s DNS suffix in DNS.
driveMapping array_of_objects Configure Drive Mappings in the Network Access.
     drive string Enter the drive.
     path string Enter Path to the Server.
     description string Enter the description.
dtls string To specify that the Network Access connection use Datagram Transport Layer Security (DTLS), enable DTLS. DTLS uses UDP instead of TCP to provide better throughput for high demand applications like VoIP or streaming video, especially with lossy connections.
dtlsPort number Specify a port number for the Network Access resource to use for secure UDP traffic with DTLS. The default value is 4433.
executeLogoffScripts string For the system to run logoff scripts (configured on the Active Directory domain) when the connection is terminated, Enable Execute logoff scripts on connection termination. Otherwise, disable it.
idleTimeoutThreshold number Specifies the average byte rate that either ingress or egress tunnel traffic must exceed in order for the tunnel to update a session. If the average byte rate falls below the specified threshold, the system applies the inactivity timeout that is defined in the Access profile to the session. The default value is 0.
idleTimeoutWindow number Specify a number to calculate the EMA (Exponential Moving Average) byte rate of ingress and egress tunnel traffic. The default value is 0.
ipv6AddressSpaceExcludeSubnet array_of_objects Specify IPv6 addresses that need to be excluded from the traffic.
     subnet string Specify IPV6 addresses and network masks for any traffic that you do not want to force through the tunnel.
ipv6AddressSpaceIncludeSubnet array_of_objects Specify IPV6 addresses and network masks that allow traffic in the Network Access tunnel.
     subnet string Specify IP addresses and network masks that describe the target LAN. Only the traffic to these addresses and network segments goes through the Network Access tunnel.
ipv6DnsPrimary string Specify the primary IPV6 address of a DNS server for Network Access to convey to the remote access point.
ipv6DnsSecondary string Specify the Secondary IPV6 address of a DNS server for Network Access to convey to the remote access point.
ipv6LeasepoolName string First create an IPV6 leasepool object, then set this property to its name.
ipv6LeasepoolNameReference reference Reference of the IPV6 leasepool object which is selected as IPV6 Lease Pool.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
leasepoolName string First create an IPV4 leasepool object, then set this property to its name.
leasepoolNameReference reference Reference of the IPV4 leasepool object which is selected as IPV4 Lease Pool.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
microsoftNetworkClient string To allow the client PC to access remote resources over a VPN connection, in Client Options setting enable Client for Microsoft Networks. Otherwise, disable it.
microsoftNetworkServer string To allow remote hosts to access shared resources on the client computer over the secure access connection, in the Client Options area, enable File and printer sharing for Microsoft Networks. Otherwise, disable it.
networkTunnel string Enable/Disable Network Tunnel.
optimizedAppReference reference Reference to the optimized app.
     link string URI link of the reference.
preserveSourcePortStrict string Choose values between ‘none’ or ‘all’. none - specify that the system does not preserve the value configured for the source port. all - specify that the system preserves the value configured for the source port. Note: You must also select ‘none’ for SNAT. This setting applies on the last leg of the Network Access tunnel connection between an internal ACL virtual server and the backend. This setting applies to all traffic passing through the Network Access tunnel.
provideClientCert string If the client certificates are required to establish an SSL connection, enable client certificate on Network Access connection when requested. However, if client certificates are requested (not required) in an SSL connection, you can disable this option; then the client does not send client certificates.
proxyArp string On enabling Proxy ARP for a Network Access resource, remote VPN tunnel clients can use IP addresses from the LAN IP subnet without additional network infrastructure changes. Ranges of IP addresses from the LAN subnet can be configured in the lease pools and assigned to tunnel clients. When a host on the LAN sends traffic to a tunnel client, an ARP query is sent to request the client address. Access Policy Manager then responds with its own MAC address. Traffic is then sent to Network Access, and forwarded to the client over the Network Access tunnel. No configuration changes are required on devices other than the Access Policy Manager.
snat string Choose between none and automap. None - The system uses no SNAT pool for this Network Access resource. You must select None if you enable Proxy ARP, enable Preserve Source Port Strict, or if you support CIFS/SMB or VoIP protocols with this Network Access resource. Automap - The system uses all of the self IP addresses as the translation addresses for the pool SNAT name if you have defined a SNAT on the BIG-IP system.
splitTunneling string Values can be ‘true’/‘false’. If the value is false, all traffic, including traffic to or from the local subnet, is forced over the VPN tunnel. Otherwise, only the traffic targeted to a specified address space is sent over the Network Access tunnel. All other traffic bypasses the tunnel.
staticHost array_of_objects Specify the Static Hosts.
     address string Enter a valid related IP address
     hostname string Enter valid host name.
supportedIpVersion string Choose between IPV4 or IPV4&IPV6
syncWithActiveDirectory string For Network Access to emulate the Windows logon process for a client on an Active Directory domain, enable Synchronize with Active Directory policies on connection establishment. Otherwise, disable it. When enabled, network policies are synchronized when the connection is established, or at logoff. The following items are synchronized: Scripts are started as specified in the user profile. Drives are mapped as specified in the user profile. Group policies are synchronized as specified in the user profile. Group Policy logon scripts start when the connection is established, and Group Policy logoff scripts run when the Network Access connection is stopped.
winsPrimary string Specify the IP address of a WINS server to convey to the remote access point. This is needed for Microsoft Networking to function properly.
winsSecondary string Specify the IP address of a WINS server to convey to the remote access point. This is needed for Microsoft Networking to function properly.
type string Specify the type of the Network Access. The default value is ‘network-access’.
name string The name of the object
partition string The BIG-IP partition where the object should be placed
subPath string The BIG-IP folder where the object should be placed
lsoDeviceReference reference Reference to the device
     id string Id of the device.
     name string Device name. Typically it is device’s hostname.
     kind string Kind of the device.
     machineId string Machine ID of the device.
     link string URI link of the reference.
isLsoShared boolean Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations.
deviceGroupReference reference Reference to the device group.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
id string An ID of an application
kind string The kind of application.
selfLink string The selfLink of an application.
description string The description of an Application.

Error Response

HTTP/1.1 400 Bad Request

This response status is related to error conditions. A detailed error message displays in the response.

HTTP/1.1 401 Unauthorized

This response happens when access is denied due to invalid credentials (no permission).

Permissions

Role Allow
Application_Editor Yes
Service_Catalog_Viewer Yes
Service_Catalog_Editor Yes
Trust_Discovery_Import Yes
Access_View Yes
Access_Edit Yes
Access_Manager Yes
Application_Manager Yes
Application_Viewer Yes
Access_Deploy Yes
Access_Policy_Editor Yes

POST /mgmt/cm/access/working-config/apm/resource/network-access

Request Parameters

Name Type Required Description
addressSpaceDhcpRequestsExcluded string False To allow clients to connect through the IP filtering engine and use a DHCP server that is local to the client to renew the client DHCP lease locally, in Client Side Security settings enable Allow access to local DHCP server. Otherwise, clear it. This option should be configured only when Integrated IP filtering engine is enabled. This option applies only to the local client IP address. It does not renew the DHCP lease for the IP address assigned from the Network Access lease pool.
addressSpaceExcludeDnsName array_of_strings False Specify domain names. Enter the domain name in the form shown in these examples: site.siterequest.com or *.siterequest.com.
addressSpaceExcludeSubnet array_of_objects False Specify IPv4 addresses that need to be excluded from the traffic.
     subnet string False Specify IP addresses and network masks for any traffic that you do not want to force through the tunnel.
addressSpaceIncludeDnsName array_of_strings False Specify domain names that describe the target LAN DNS addresses. Enter the domain name in the form shown in these examples: site.siterequest.com or *.siterequest.com.
addressSpaceIncludeSubnet array_of_objects False Specify IPV4 addresses and network masks that allow traffic in the Network Access tunnel.
     subnet string False Specify IP addresses and network masks that describe the target LAN. Only the traffic to these addresses and network segments goes through the Network Access tunnel.
addressSpaceLocDnsServersExcluded string False To enable local access to the DNS servers configured on client before establishing Network Access connections, enable Allow Local DNS Servers. Otherwise, disable it.
addressSpaceLocalSubnetsExcluded string False To enable local subnet access and local access to any host or subnet in the routes in the client routing table, enable Allow Local Subnet. Otherwise, disable it. When you enable this setting, the system does not support integrated IP filtering.
addressSpaceProtect string False To discard any requests to add, delete, or modify entries in the client routing table for the F5 PPP adapter, in Client Side Security settings, enable Prohibit routing table changes during Network Access connection. Otherwise, disable it.
applicationLaunch array_of_objects False Specify to launch applications to a Network Access resource when your users are likely to connect to an application server for which they have a client-side component on their systems. This is useful, for example, when Network Access connects directly to an Exchange server, and users run the Microsoft Outlook program to access the server.
     osType string False Specify the target operating system.
     parameter string False Specify any parameters for the application separated by spaces.
     path string False Path to the application. Note: Do not enter single or double quotes in this field. reconnect_to_domain - Specifies that the client should reconnect to the domain after the network access tunnel starts, if, for example, the Network Access tunnel is established before the domain controller logon occurs. Path to the application/gpo_logoff_scripts - Specifies to run group policy object logoff scripts when the Network Access tunnel stops.
applicationLaunchWarning string False On enable, display security warnings before launching the application whether or not the site is in the Trusted Sites list. On disable, displays security warnings only if the site is not in the Trusted Sites list.
autoLaunch string False On enable, the Network Access resource starts automatically when the user reaches the full webtop. Note: When multiple Network Access resources are assigned to a full webtop, only one can have auto launch enabled.
clientInterfaceSpeed number False Specify bits per second.
clientIpFilterEngine string False To protect a resource from outside traffic (that is generated by network devices on the client’s LAN), and to ensure that the resource is not leaking traffic to the client’s LAN, in Client Side Security settings select Integrated IP filtering engine. Otherwise, disable it.
clientPowerManagement string False Specify how Network Access handles client power management settings (when the user puts the system in standby, or closes the lid on a laptop), for Client Power Management select one: Ignore - Ignore the client settings for power management. Prevent - Prevent power management events from occurring when the client is connected. Terminate - Terminate the Network Access connection when a power management event occurs.
clientProxy string False Client proxy settings apply to the proxy behind the Access Policy Manager and do not affect the VPN tunnel transport, or interact with the TLS or DTLS configuration. Use client proxy settings when intranet web servers are not directly accessible from the Access Policy Manager internal subnet. Client proxy settings apply only to HTTP, HTTPS, and FTP connections. SOCKS connections can also be proxied, with a custom PAC file.
clientProxyAddress string False Specify the IP address for the client proxy server that Network Access clients use to connect to the Internet.
clientProxyEnforceSubnets string False To allow IP address space enforcement in a proxy auto-configuration script, select Enforce IP Address Space in Client Proxy Autoconfig Script. Otherwise, disable it.
clientProxyExclusionList array_of_strings False For Web addresses that do not need to be accessed through your proxy server, add them to the Proxy Exclusion List. You can use wild cards to match domain names and host names or addresses. For example, www..com, 128., 240.8, 8., mygroup., *. , and so forth.
clientProxyIgnoreAutoConfigError string False To have the system establish the VPN tunnel even when download of the client proxy autoconfig script fails, enable Ignore Client Proxy Autoconfig Script Download Failure. Otherwise, disable it; then if the client proxy autoconfig script fails to download, the VPN tunnel is not established.
clientProxyLocalBypass string False To allow local (intranet) addresses to bypass the proxy server enable Bypass Proxy For Local Addresses.
clientProxyPort number False Specify the port number on the proxy server that Network Access clients use to connect to the Internet.
clientProxyScript string False To use a URL for a proxy auto-configuration script with this connection, type the URL in Client Proxy Autoconfig Script.
clientProxyUseHttpPac string False Specify that the browser uses http:// to locate the proxy autoconfig file, instead of file://. Some applications, such as Citrix MetaFrame, cannot use the client proxy autoconfig script when the browser attempts to use the file:// prefix to locate it.
clientProxyUseLocalProxy string False Enable to continue to use proxy settings that are configured on the client after establishing a Network Access connection.
clientTrafficClassifier string False For Windows clients to use a client traffic classifier with this Network Access connection, enter Client Traffic Classifier. The Client Traffic Classifier should be created beforehand; set this property to its name.
clientTrafficClassifierReference reference False Reference to the selected Client Traffic Classifier.
     link string False URI link of the reference.
clientTrayIcon string False To display balloon notifications for the Network Access tray icon (for example, when a connection is made) enable Display connection tray. Otherwise, disable it.
compression string False Choose compression as none or gzip. No Compression - Traffic passes between the Network Access client and the BIG-IP system without compression. GZIP Compression - All traffic between the Network Access client and the BIG-IP system is compressed using the GZIP deflate method.
customizationGroup string True Specify the customization name.
customizationGroupReference reference True Specify the Customization reference.
     link string True URI link of the reference.
dnsEnforceSearchOrder string False On enable, APM continuously checks the DNS order on the network interface, and sets the Network Access-supplied entries first in the list if they change during a session. On disable, APM uses your local DNS settings as primary and the Network Access-supplied DNS settings as secondary. (This might be useful when split tunneling is in use and the client connects remotely.)
dnsPrimary string False Specify the primary IPV4 address of a DNS server for Network Access to convey to the remote access point.
dnsRegisterConnection string False Enable to register the address of this connection in the DNS server, for Register this connection’s addresses in DNS.
dnsSecondary string False Specify the secondary IPV4 address of a DNS server for Network Access to convey to the remote access point.
dnsSuffix string False Specify one or more DNS suffixes, separated by commas, to send to the client. If left empty, the controller sends its own DNS suffix to the client.
dnsUseDnsSuffixForRegistration string False Enable to register the default domain suffix, for Use this connection’s DNS suffix in DNS.
driveMapping array_of_objects False Configure Drive Mappings in the Network Access.
     drive string False Enter the drive.
     path string False Enter Path to the Server.
     description string False Enter the description.
dtls string False To specify that the Network Access connection use Datagram Transport Layer Security (DTLS), enable DTLS. DTLS uses UDP instead of TCP to provide better throughput for high demand applications like VoIP or streaming video, especially with lossy connections.
dtlsPort number False Specify a port number for the Network Access resource to use for secure UDP traffic with DTLS. The default value is 4433.
executeLogoffScripts string False For the system to run logoff scripts (configured on the Active Directory domain) when the connection is terminated, Enable Execute logoff scripts on connection termination. Otherwise, disable it.
idleTimeoutThreshold number False Specifies the average byte rate that either ingress or egress tunnel traffic must exceed in order for the tunnel to update a session. If the average byte rate falls below the specified threshold, the system applies the inactivity timeout that is defined in the Access profile to the session. The default value is 0.
idleTimeoutWindow number False Specify a number to calculate the EMA (Exponential Moving Average) byte rate of ingress and egress tunnel traffic. The default value is 0.
ipv6AddressSpaceExcludeSubnet array_of_objects False Specify IPv6 addresses that need to be excluded from the traffic.
     subnet string False Specify IPV6 addresses and network masks for any traffic that you do not want to force through the tunnel.
ipv6AddressSpaceIncludeSubnet array_of_objects False Specify IPV6 addresses and network masks that allow traffic in the Network Access tunnel.
     subnet string False Specify IP addresses and network masks that describe the target LAN. Only the traffic to these addresses and network segments goes through the Network Access tunnel.
ipv6DnsPrimary string False Specify the primary IPV6 address of a DNS server for Network Access to convey to the remote access point.
ipv6DnsSecondary string False Specify the Secondary IPV6 address of a DNS server for Network Access to convey to the remote access point.
ipv6LeasepoolName string False First create an IPV6 leasepool object, then set this property to its name.
ipv6LeasepoolNameReference reference False Reference of the IPV6 leasepool object which is selected as IPV6 Lease Pool.
     link string True URI link of the reference.
leasepoolName string False First create an IPV4 leasepool object, then set this property to its name.
leasepoolNameReference reference False Reference of the IPV4 leasepool object which is selected as IPV4 Lease Pool.
     link string True URI link of the reference.
microsoftNetworkClient string False To allow the client PC to access remote resources over a VPN connection, in Client Options setting enable Client for Microsoft Networks. Otherwise, disable it.
microsoftNetworkServer string False To allow remote hosts to access shared resources on the client computer over the secure access connection, in the Client Options area, enable File and printer sharing for Microsoft Networks. Otherwise, disable it.
networkTunnel string False Enable/Disable Network Tunnel.
optimizedAppReference reference False Reference to the optimized app.
     link string True URI link of the reference.
preserveSourcePortStrict string False Choose values between ‘none’ or ‘all’. none - specify that the system does not preserve the value configured for the source port. all - specify that the system preserves the value configured for the source port. Note: You must also select ‘none’ for SNAT. This setting applies on the last leg of the Network Access tunnel connection between an internal ACL virtual server and the backend. This setting applies to all traffic passing through the Network Access tunnel.
provideClientCert string False If the client certificates are required to establish an SSL connection, enable client certificate on Network Access connection when requested. However, if client certificates are requested (not required) in an SSL connection, you can disable this option; then the client does not send client certificates.
proxyArp string False On enabling Proxy ARP for a Network Access resource, remote VPN tunnel clients can use IP addresses from the LAN IP subnet without additional network infrastructure changes. Ranges of IP addresses from the LAN subnet can be configured in the lease pools and assigned to tunnel clients. When a host on the LAN sends traffic to a tunnel client, an ARP query is sent to request the client address. Access Policy Manager then responds with its own MAC address. Traffic is then sent to Network Access, and forwarded to the client over the Network Access tunnel. No configuration changes are required on devices other than the Access Policy Manager.
snat string False Choose none, automap, or a SNAT name. none - The system uses no SNAT pool for this Network Access resource. You must select None if you enable Proxy ARP, enable Preserve Source Port Strict, or if you support CIFS/SMB or VoIP protocols with this Network Access resource. automap - The system uses all of the self IP addresses as the translation addresses for the pool. snat name - Use the name of a SNAT if you have defined one on the BIG-IP.
splitTunneling string False Values can be ‘true’/‘false’. If the value is false, all traffic, including traffic to or from the local subnet, is forced over the VPN tunnel. Otherwise, only the traffic targeted to a specified address space is sent over the Network Access tunnel. All other traffic bypasses the tunnel.
staticHost array_of_objects False Specify the Static Hosts.
     address string False Enter a valid related IP address
     hostname string False Enter valid host name.
supportedIpVersion string False Choose between IPV4 or IPV4&IPV6
syncWithActiveDirectory string False For Network Access to emulate the Windows logon process for a client on an Active Directory domain, enable Synchronize with Active Directory policies on connection establishment. Otherwise, disable it. When enabled, network policies are synchronized when the connection is established, or at logoff. The following items are synchronized: Scripts are started as specified in the user profile. Drives are mapped as specified in the user profile. Group policies are synchronized as specified in the user profile. Group Policy logon scripts start when the connection is established, and Group Policy logoff scripts run when the Network Access connection is stopped.
winsPrimary string False Specify the IP address of a WINS server to convey to the remote access point. This is needed for Microsoft Networking to function properly.
winsSecondary string False Specify the IP address of a WINS server to convey to the remote access point. This is needed for Microsoft Networking to function properly.
type string False Specify the type of the Network Access. The default value is ‘network-access’.
name string True The name of the object
partition string True The BIG-IP partition where the object should be placed
subPath string False The BIG-IP folder where the object should be placed
lsoDeviceReference reference False Reference to the device
     id string False Id of the device.
     link string True URI link of the reference.
isLsoShared boolean True Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations.
deviceGroupReference reference False Reference to the device group.
     link string True URI link of the reference.
description string False The description of an Application.

Query Parameters

None

Response

HTTP/1.1 200 OK

Name Type Description
addressSpaceDhcpRequestsExcluded string Specify to allow clients to connect through the IP filtering engine and use a DHCP server that is local to the client to renew the client DHCP lease locally, in Client Side Security settings enable Allow access to local DHCP server. Otherwise, clear it. This option should be configured only when Integrated IP filtering engine is enabled. This option applies only to the local client IP address. It does not renew the DHCP lease for the IP address assigned from the Network Access lease pool.
addressSpaceExcludeDnsName array_of_strings Specify domain names. Enter the domain name in the form shown in these examples: site.siterequest.com or *.siterequest.com.
addressSpaceExcludeSubnet array_of_objects Specify IPv4 addresses that need to be excluded from the traffic.
     subnet string Specify IP addresses and network masks for any traffic that you do not want to force through the tunnel.
addressSpaceIncludeDnsName array_of_strings Specify domain names that describe the target LAN DNS addresses. Enter the domain name in the form shown in these examples: site.siterequest.com or *.siterequest.com.
addressSpaceIncludeSubnet array_of_objects Specify IPv4 addresses and network masks that allow traffic in the Network Access tunnel.
     subnet string Specify IP addresses and network masks that describe the target LAN. Only the traffic to these addresses and network segments goes through the Network Access tunnel.
addressSpaceLocDnsServersExcluded string To enable local access to the DNS servers configured on client before establishing Network Access connections, enable Allow Local DNS Servers. Otherwise, disable it.
addressSpaceLocalSubnetsExcluded string To enable local subnet access and local access to any host or subnet in the routes in the client routing table, enable Allow Local Subnet. Otherwise, disable it. When you enable this setting, the system does not support integrated IP filtering.
addressSpaceProtect string To discard any requests to add, delete, or modify entries in the client routing table for the F5 PPP adapter, in Client Side Security settings, enable Prohibit routing table changes during Network Access connection. Otherwise, disable it.
applicationLaunch array_of_objects Specify to launch applications to a Network Access resource when your users are likely to connect to an application server for which they have a client-side component on their systems. This is useful, for example, when Network Access connects directly to an Exchange server, and users run the Microsoft Outlook program to access the server.
     osType string Specify the target operating system.
     parameter string Specify any parameters for the application separated by spaces.
     path string Path to the application. Note: Do not enter single or double-quotes in this field. reconnect_to_domain - Specifies that the client should reconnect to the domain after the network access tunnel starts, if, for example, the Network Access tunnel is established before the domain controller logon occurs. Path to the application/gpo_logoff_scripts - Specifies to run group policy object logoff scripts when the Network Access tunnel stops.
applicationLaunchWarning string On enable, display security warnings before launching the application whether or not the site is in the Trusted Sites list. On disable, displays security warnings only if the site is not in the Trusted Sites list.
autoLaunch string On enable, the Network Access resource starts automatically when the user reaches the full webtop. Note: When multiple Network Access resources are assigned to a full webtop, only one can have auto launch enabled.
clientInterfaceSpeed number Specify bits per second.
clientIpFilterEngine string To protect a resource from outside traffic (that is generated by network devices on the client’s LAN), and to ensure that the resource is not leaking traffic to the client’s LAN, in Client Side Security settings select Integrated IP filtering engine. Otherwise, disable it.
clientPowerManagement string Specify how Network Access handles client power management settings (when the user puts the system in standby, or closes the lid on a laptop), for Client Power Management select one: Ignore - Ignore the client settings for power management. Prevent - Prevent power management events from occurring when the client is connected. Terminate - Terminate the Network Access connection when a power management event occurs.
clientProxy string Client proxy settings apply to the proxy behind the Access Policy Manager and do not affect the VPN tunnel transport, or interact with the TLS or DTLS configuration. Use client proxy settings when intranet web servers are not directly accessible from the Access Policy Manager internal subnet. Client proxy settings apply only to HTTP, HTTPS, and FTP connections. SOCKS connections can also be proxied, with a custom PAC file.
clientProxyAddress string Specify the IP address for the client proxy server that Network Access clients use to connect to the Internet.
clientProxyEnforceSubnets string To allow IP address space enforcement in a proxy auto-configuration script, select Enforce IP Address Space in Client Proxy Autoconfig Script. Otherwise, disable it.
clientProxyExclusionList array_of_strings For Web addresses that do not need to be accessed through your proxy server, add them to the Proxy Exclusion List. You can use wild cards to match domain names and host names or addresses. For example, www..com, 128., 240.8, 8., mygroup., *. , and so forth.
clientProxyIgnoreAutoConfigError string To have the system establish the VPN tunnel even when download of the client proxy autoconfig script fails, enable Ignore Client Proxy Autoconfig Script Download Failure. Otherwise, disable it; then if the client proxy autoconfig script fails to download, the VPN tunnel is not established.
clientProxyLocalBypass string To allow local (intranet) addresses to bypass the proxy server enable Bypass Proxy For Local Addresses.
clientProxyPort number Specify the port number on the proxy server that Network Access clients use to connect to the Internet.
clientProxyScript string To use a URL for a proxy auto-configuration script with this connection, type the URL in Client Proxy Autoconfig Script.
clientProxyUseHttpPac string Specify that the browser uses http:// to locate the proxy autoconfig file, instead of file://. Some applications, such as Citrix MetaFrame, cannot use the client proxy autoconfig script when the browser attempts to use the file:// prefix to locate it.
clientProxyUseLocalProxy string Enable to continue to use proxy settings that are configured on the client after establishing a Network Access connection.
clientTrafficClassifier string For Windows clients to use a client traffic classifier with this Network Access connection, enter Client Traffic Classifier. The Client Traffic Classifier must be created beforehand; assign its name to this property.
clientTrafficClassifierReference reference Reference to the selected Client Traffic Classifier.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
clientTrayIcon string To display balloon notifications for the Network Access tray icon (for example, when a connection is made) enable Display connection tray. Otherwise, disable it.
compression string Choose compression as none or gzip. No Compression - Traffic passes between the Network Access client and the BIG-IP system without compression. GZIP Compression - All traffic between the Network Access client and the BIG-IP system is compressed using the GZIP deflate method.
customizationGroup string Specify the customization name.
customizationGroupReference reference Specify the Customization reference.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
dnsEnforceSearchOrder string On enable, APM continuously checks the DNS order on the network interface, and sets the Network Access-supplied entries first in the list if they change during a session. On disable, APM uses your local DNS settings as primary and the Network Access-supplied DNS settings as secondary. (This might be useful when split tunneling is in use and the client connects remotely.)
dnsPrimary string Specify the primary IPV4 address of a DNS server for Network Access to convey to the remote access point.
dnsRegisterConnection string Enable to register the address of this connection in the DNS server, for Register this connection’s addresses in DNS.
dnsSecondary string Specify the secondary IPV4 address of a DNS server for Network Access to convey to the remote access point.
dnsSuffix string Specify one or more DNS suffixes, separated by commas, to send to the client. If left empty, the controller sends its own DNS suffix to the client.
dnsUseDnsSuffixForRegistration string Enable to register the default domain suffix, for Use this connection’s DNS suffix in DNS.
driveMapping array_of_objects Configure Drive Mappings in the Network Access.
     drive string Enter the drive.
     path string Enter Path to the Server.
     description string Enter the description.
dtls string To specify that the Network Access connection use Datagram Transport Level Security (DTLS), enable DTLS. DTLS uses UDP instead of TCP to provide better throughput for high demand applications like VoIP or streaming video, especially with lossy connections.
dtlsPort number Specify a port number for the Network Access resource to use for secure UDP traffic with DTLS. The default value is 4433.
executeLogoffScripts string For the system to run logoff scripts (configured on the Active Directory domain) when the connection is terminated, Enable Execute logoff scripts on connection termination. Otherwise, disable it.
idleTimeoutThreshold number Specifies the average byte rate that either ingress or egress tunnel traffic must exceed in order for the tunnel to update a session. If the average byte rate falls below the specified threshold, the system applies the inactivity timeout that is defined in the Access profile to the session. The default value is 0.
idleTimeoutWindow number Specify a number to calculate the EMA (Exponential Moving Average) byte rate of ingress and egress tunnel traffic. The default value is 0.
ipv6AddressSpaceExcludeSubnet array_of_objects Specify IPv6 addresses that need to be excluded from the traffic.
     subnet string Specify IPV6 addresses and network masks for any traffic that you do not want to force through the tunnel.
ipv6AddressSpaceIncludeSubnet array_of_objects Specify IPv6 addresses and network masks that allow traffic in the Network Access tunnel.
     subnet string Specify IP addresses and network masks that describe the target LAN. Only the traffic to these addresses and network segments goes through the Network Access tunnel.
ipv6DnsPrimary string Specify the primary IPV6 address of a DNS server for Network Access to convey to the remote access point.
ipv6DnsSecondary string Specify the Secondary IPV6 address of a DNS server for Network Access to convey to the remote access point.
ipv6LeasepoolName string First create an IPv6 leasepool object, then assign its name to this property.
ipv6LeasepoolNameReference reference Reference of the IPV6 leasepool object which is selected as IPV6 Lease Pool.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
leasepoolName string First create an IPv4 leasepool object, then assign its name to this property.
leasepoolNameReference reference Reference of the IPV4 leasepool object which is selected as IPV4 Lease Pool.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
microsoftNetworkClient string To allow the client PC to access remote resources over a VPN connection, in Client Options setting enable Client for Microsoft Networks. Otherwise, disable it.
microsoftNetworkServer string To allow remote hosts to access shared resources on the client computer over the secure access connection, in the Client Options area, enable File and printer sharing for Microsoft Networks. Otherwise, disable it.
networkTunnel string Enable/Disable Network Tunnel.
optimizedAppReference reference Reference to the optimized app.
     link string URI link of the reference.
preserveSourcePortStrict string Choose values between ‘none’ or ‘all’. none - specify that the system does not preserve the value configured for the source port. all - specify that the system preserves the value configured for the source port. Note: You must also select ‘none’ for SNAT. This setting applies on the last leg of the Network Access tunnel connection between an internal ACL virtual server and the backend. This setting applies to all traffic passing through the Network Access tunnel.
provideClientCert string If the client certificates are required to establish an SSL connection, enable client certificate on Network Access connection when requested. However, if client certificates are requested (not required) in an SSL connection, you can disable this option; then the client does not send client certificates.
proxyArp string On enabling Proxy ARP for a Network Access resource, remote VPN tunnel clients can use IP addresses from the LAN IP subnet without additional network infrastructure changes. Ranges of IP addresses from the LAN subnet can be configured in the lease pools and assigned to tunnel clients. When a host on the LAN sends traffic to a tunnel client, an ARP query is sent to request the client address. Access Policy Manager then responds with its own MAC address. Traffic is then sent to Network Access, and forwarded to the client over the Network Access tunnel. No configuration changes are required on devices other than the Access Policy Manager.
snat string Choose none, automap, or a SNAT name. none - The system uses no SNAT pool for this Network Access resource. You must select None if you enable Proxy ARP, enable Preserve Source Port Strict, or if you support CIFS/SMB or VoIP protocols with this Network Access resource. automap - The system uses all of the self IP addresses as the translation addresses for the pool. snat name - Use the name of a SNAT if you have defined one on the BIG-IP.
splitTunneling string Values can be ‘true’/‘false’. If the value is false, all traffic, including traffic to or from the local subnet, is forced over the VPN tunnel. Otherwise, only the traffic targeted to a specified address space is sent over the Network Access tunnel. All other traffic bypasses the tunnel.
staticHost array_of_objects Specify the Static Hosts.
     address string Enter a valid related IP address
     hostname string Enter valid host name.
supportedIpVersion string Choose between IPV4 or IPV4&IPV6
syncWithActiveDirectory string For Network Access to emulate the Windows logon process for a client on an Active Directory domain, enable Synchronize with Active Directory policies on connection establishment. Otherwise, disable it. When enabled, network policies are synchronized when the connection is established, or at logoff. The following items are synchronized: Scripts are started as specified in the user profile. Drives are mapped as specified in the user profile. Group policies are synchronized as specified in the user profile. Group Policy logon scripts start when the connection is established, and Group Policy logoff scripts run when the Network Access connection is stopped.
winsPrimary string Specify the IP address of a WINS server to convey to the remote access point. This is needed for Microsoft Networking to function properly.
winsSecondary string Specify the IP address of a WINS server to convey to the remote access point. This is needed for Microsoft Networking to function properly.
type string Specify the type of the Network Access. The default value is ‘network-access’.
name string The name of the object
partition string The BIG-IP partition where the object should be placed
subPath string The BIG-IP folder where the object should be placed
lsoDeviceReference reference Reference to the device
     id string Id of the device.
     name string Device name. Typically it is device’s hostname.
     kind string Kind of the device.
     machineId string Machine ID of the device.
     link string URI link of the reference.
isLsoShared boolean Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations.
deviceGroupReference reference Reference to the device group.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
id string An ID of an application
kind string The kind of application.
selfLink string The selfLink of an application.
description string The description of an Application.

Error Response

HTTP/1.1 400 Bad Request

This response status is related to error conditions. A detailed error message displays in the response.

HTTP/1.1 401 Unauthorized

This response happens when access is denied due to invalid credentials (no permission).

Permissions

Role Allow
Application_Editor No
Service_Catalog_Viewer No
Service_Catalog_Editor No
Trust_Discovery_Import No
Access_View No
Access_Edit Yes
Access_Manager Yes
Application_Manager No
Application_Viewer No
Access_Deploy No
Access_Policy_Editor No
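
Several field descriptions above state constraints between settings (SNAT versus Proxy ARP and Preserve Source Port Strict, the local DHCP and local subnet options versus the Integrated IP filtering engine, split tunneling and its include address space, and the isLsoShared warning). The following is an added example, not part of the BIG-IQ documentation, that audits an object returned by GET, or a body about to be sent with PUT, against those statements. It assumes that enable/disable flags are encoded as the strings "true"/"false" (documented on this page only for splitTunneling) and that subnet strings use address/mask form; the finding codes and sample objects are constructed for illustration.

```python
import ipaddress


def enabled(obj, key):
    """True when a string flag is "true" (assumed encoding, see lead-in)."""
    return str(obj.get(key, "")).strip().lower() == "true"


def parse_subnets(obj, key):
    """Return (networks, unparsable_strings) for an array_of_objects subnet field."""
    nets, bad = [], []
    for entry in obj.get(key) or []:
        raw = str(entry.get("subnet", ""))
        try:
            # Accepts both 10.0.0.0/8 and 10.0.0.0/255.0.0.0 (assumed formats).
            nets.append(ipaddress.ip_network(raw, strict=False))
        except ValueError:
            bad.append(raw)
    return nets, bad


def audit_network_access(obj):
    """Check one Network Access object against constraints stated in the field table."""
    findings = []
    snat = str(obj.get("snat") or "none").strip().lower()
    if snat != "none":
        # "You must select None if you enable Proxy ARP, enable Preserve Source Port Strict"
        if enabled(obj, "proxyArp"):
            findings.append(("SNAT_PROXY_ARP", "proxyArp is enabled but snat is %r" % snat))
        if str(obj.get("preserveSourcePortStrict", "none")).strip().lower() == "all":
            findings.append(("SNAT_PRESERVE_PORT",
                             "preserveSourcePortStrict is 'all' but snat is %r" % snat))

    ip_filter = enabled(obj, "clientIpFilterEngine")
    # Local DHCP access "should be configured only when Integrated IP filtering engine is enabled".
    if enabled(obj, "addressSpaceDhcpRequestsExcluded") and not ip_filter:
        findings.append(("DHCP_NEEDS_FILTER",
                         "local DHCP access is enabled without clientIpFilterEngine"))
    # With Allow Local Subnet enabled "the system does not support integrated IP filtering".
    if enabled(obj, "addressSpaceLocalSubnetsExcluded") and ip_filter:
        findings.append(("LOCAL_SUBNET_VS_FILTER",
                         "Allow Local Subnet and clientIpFilterEngine are both enabled"))

    if enabled(obj, "splitTunneling"):
        # Only the include address space is tunneled; everything else bypasses the tunnel.
        tunneled = 0
        for key in ("addressSpaceIncludeSubnet", "ipv6AddressSpaceIncludeSubnet"):
            nets, bad = parse_subnets(obj, key)
            tunneled += len(nets)
            for raw in bad:
                findings.append(("BAD_SUBNET", "%s entry %r does not parse" % (key, raw)))
        if tunneled == 0 and not obj.get("addressSpaceIncludeDnsName"):
            findings.append(("SPLIT_EMPTY_INCLUDE",
                             "split tunneling is on but no include address space is usable"))
    return findings


def audit_put(current, proposed):
    """Audit a PUT body and compare it with the object currently returned by GET."""
    findings = audit_network_access(proposed)
    # "Do not flip this flag during PUT/PATCH operations."
    if "isLsoShared" in proposed and proposed["isLsoShared"] != current.get("isLsoShared"):
        findings.append(("LSO_SHARED_FLIPPED", "isLsoShared differs from the stored object"))
    return findings


# Constructed sample objects (not taken from a real BIG-IQ system).
SAMPLE_CURRENT = {
    "name": "na_example", "partition": "Common", "isLsoShared": True,
    "snat": "automap", "proxyArp": "false", "preserveSourcePortStrict": "none",
    "splitTunneling": "true", "clientIpFilterEngine": "true",
    "addressSpaceIncludeSubnet": [{"subnet": "10.0.0.0/255.0.0.0"}],
}
SAMPLE_PROPOSED = dict(
    SAMPLE_CURRENT,
    proxyArp="true",
    isLsoShared=False,
    addressSpaceLocalSubnetsExcluded="true",
    addressSpaceIncludeSubnet=[{"subnet": "10.0.0.0/255.0.0.0"},
                               {"subnet": "192.168.1.0/255.255.255"}],
)

if __name__ == "__main__":
    for code, message in audit_put(SAMPLE_CURRENT, SAMPLE_PROPOSED):
        print(code, "-", message)
```

Running the audit on the GET result before building the PUT body separates problems already in the working configuration from ones the change would introduce.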

PUT /mgmt/cm/access/working-config/apm/resource/network-access/<id>

Request Parameters

Name Type Required Description
addressSpaceDhcpRequestsExcluded string False Specify to allow clients to connect through the IP filtering engine and use a DHCP server that is local to the client to renew the client DHCP lease locally, in Client Side Security settings enable Allow access to local DHCP server. Otherwise, clear it. This option should be configured only when Integrated IP filtering engine is enabled. This option applies only to the local client IP address. It does not renew the DHCP lease for the IP address assigned from the Network Access lease pool.
addressSpaceExcludeDnsName array_of_strings False Specify domain names. Enter the domain name in the form shown in these examples: site.siterequest.com or *.siterequest.com.
addressSpaceExcludeSubnet array_of_objects False Specify IPv4 addresses that need to be excluded from the traffic.
     subnet string False Specify IP addresses and network masks for any traffic that you do not want to force through the tunnel.
addressSpaceIncludeDnsName array_of_strings False Specify domain names that describe the target LAN DNS addresses. Enter the domain name in the form shown in these examples: site.siterequest.com or *.siterequest.com.
addressSpaceIncludeSubnet array_of_objects False Specify IPv4 addresses and network masks that allow traffic in the Network Access tunnel.
     subnet string False Specify IP addresses and network masks that describe the target LAN. Only the traffic to these addresses and network segments goes through the Network Access tunnel.
addressSpaceLocDnsServersExcluded string False To enable local access to the DNS servers configured on client before establishing Network Access connections, enable Allow Local DNS Servers. Otherwise, disable it.
addressSpaceLocalSubnetsExcluded string False To enable local subnet access and local access to any host or subnet in the routes in the client routing table, enable Allow Local Subnet. Otherwise, disable it. When you enable this setting, the system does not support integrated IP filtering.
addressSpaceProtect string False To discard any requests to add, delete, or modify entries in the client routing table for the F5 PPP adapter, in Client Side Security settings, enable Prohibit routing table changes during Network Access connection. Otherwise, disable it.
applicationLaunch array_of_objects False Specify to launch applications to a Network Access resource when your users are likely to connect to an application server for which they have a client-side component on their systems. This is useful, for example, when Network Access connects directly to an Exchange server, and users run the Microsoft Outlook program to access the server.
     osType string False Specify the target operating system.
     parameter string False Specify any parameters for the application separated by spaces.
     path string False Path to the application. Note: Do not enter single or double-quotes in this field. reconnect_to_domain - Specifies that the client should reconnect to the domain after the network access tunnel starts, if, for example, the Network Access tunnel is established before the domain controller logon occurs. Path to the application/gpo_logoff_scripts - Specifies to run group policy object logoff scripts when the Network Access tunnel stops.
applicationLaunchWarning string False On enable, display security warnings before launching the application whether or not the site is in the Trusted Sites list. On disable, displays security warnings only if the site is not in the Trusted Sites list.
autoLaunch string False On enable, the Network Access resource starts automatically when the user reaches the full webtop. Note: When multiple Network Access resources are assigned to a full webtop, only one can have auto launch enabled.
clientInterfaceSpeed number False Specify bits per second.
clientIpFilterEngine string False To protect a resource from outside traffic (that is generated by network devices on the client’s LAN), and to ensure that the resource is not leaking traffic to the client’s LAN, in Client Side Security settings select Integrated IP filtering engine. Otherwise, disable it.
clientPowerManagement string False Specify how Network Access handles client power management settings (when the user puts the system in standby, or closes the lid on a laptop), for Client Power Management select one: Ignore - Ignore the client settings for power management. Prevent - Prevent power management events from occurring when the client is connected. Terminate - Terminate the Network Access connection when a power management event occurs.
clientProxy string False Client proxy settings apply to the proxy behind the Access Policy Manager and do not affect the VPN tunnel transport, or interact with the TLS or DTLS configuration. Use client proxy settings when intranet web servers are not directly accessible from the Access Policy Manager internal subnet. Client proxy settings apply only to HTTP, HTTPS, and FTP connections. SOCKS connections can also be proxied, with a custom PAC file.
clientProxyAddress string False Specify the IP address for the client proxy server that Network Access clients use to connect to the Internet.
clientProxyEnforceSubnets string False To allow IP address space enforcement in a proxy auto-configuration script, select Enforce IP Address Space in Client Proxy Autoconfig Script. Otherwise, disable it.
clientProxyExclusionList array_of_strings False For Web addresses that do not need to be accessed through your proxy server, add them to the Proxy Exclusion List. You can use wild cards to match domain names and host names or addresses. For example, www..com, 128., 240.8, 8., mygroup., *. , and so forth.
clientProxyIgnoreAutoConfigError string False To have the system establish the VPN tunnel even when download of the client proxy autoconfig script fails, enable Ignore Client Proxy Autoconfig Script Download Failure. Otherwise, disable it; then if the client proxy autoconfig script fails to download, the VPN tunnel is not established.
clientProxyLocalBypass string False To allow local (intranet) addresses to bypass the proxy server enable Bypass Proxy For Local Addresses.
clientProxyPort number False Specify the port number on the proxy server that Network Access clients use to connect to the Internet.
clientProxyScript string False To use a URL for a proxy auto-configuration script with this connection, type the URL in Client Proxy Autoconfig Script.
clientProxyUseHttpPac string False Specify that the browser uses http:// to locate the proxy autoconfig file, instead of file://. Some applications, such as Citrix MetaFrame, cannot use the client proxy autoconfig script when the browser attempts to use the file:// prefix to locate it.
clientProxyUseLocalProxy string False Enable to continue to use proxy settings that are configured on the client after establishing a Network Access connection.
clientTrafficClassifier string False For Windows clients to use a client traffic classifier with this Network Access connection, enter Client Traffic Classifier. The Client Traffic Classifier must be created beforehand; assign its name to this property.
clientTrafficClassifierReference reference False Reference to the selected Client Traffic Classifier.
     name string False Name of the resource
     kind string False The kind of the resource.
     link string False URI link of the reference.
clientTrayIcon string False To display balloon notifications for the Network Access tray icon (for example, when a connection is made) enable Display connection tray. Otherwise, disable it.
compression string False Choose compression as none or gzip. No Compression - Traffic passes between the Network Access client and the BIG-IP system without compression. GZIP Compression - All traffic between the Network Access client and the BIG-IP system is compressed using the GZIP deflate method.
customizationGroup string False Specify the customization name.
customizationGroupReference reference False Specify the Customization reference.
     name string False Name of the resource
     kind string False The kind of the resource.
     link string False URI link of the reference.
dnsEnforceSearchOrder string False On enable, APM continuously checks the DNS order on the network interface, and sets the Network Access-supplied entries first in the list if they change during a session. On disable, APM uses your local DNS settings as primary and the Network Access-supplied DNS settings as secondary. (This might be useful when split tunneling is in use and the client connects remotely.)
dnsPrimary string False Specify the primary IPV4 address of a DNS server for Network Access to convey to the remote access point.
dnsRegisterConnection string False Enable to register the address of this connection in the DNS server, for Register this connection’s addresses in DNS.
dnsSecondary string False Specify the secondary IPV4 address of a DNS server for Network Access to convey to the remote access point.
dnsSuffix string False Specify one or more DNS suffixes, separated by commas, to send to the client. If left empty, the controller sends its own DNS suffix to the client.
dnsUseDnsSuffixForRegistration string False Enable to register the default domain suffix, for Use this connection’s DNS suffix in DNS.
driveMapping array_of_objects False Configure Drive Mappings in the Network Access.
     drive string False Enter the drive.
     path string False Enter Path to the Server.
     description string False Enter the description.
dtls string False To specify that the Network Access connection use Datagram Transport Level Security (DTLS), enable DTLS. DTLS uses UDP instead of TCP to provide better throughput for high demand applications like VoIP or streaming video, especially with lossy connections.
dtlsPort number False Specify a port number for the Network Access resource to use for secure UDP traffic with DTLS. The default value is 4433.
executeLogoffScripts string False For the system to run logoff scripts (configured on the Active Directory domain) when the connection is terminated, Enable Execute logoff scripts on connection termination. Otherwise, disable it.
idleTimeoutThreshold number False Specifies the average byte rate that either ingress or egress tunnel traffic must exceed in order for the tunnel to update a session. If the average byte rate falls below the specified threshold, the system applies the inactivity timeout that is defined in the Access profile to the session. The default value is 0.
idleTimeoutWindow number False Specify a number to calculate the EMA (Exponential Moving Average) byte rate of ingress and egress tunnel traffic. The default value is 0.
ipv6AddressSpaceExcludeSubnet array_of_objects False Specify IPv6 addresses that need to be excluded from the traffic.
     subnet string False Specify IPV6 addresses and network masks for any traffic that you do not want to force through the tunnel.
ipv6AddressSpaceIncludeSubnet array_of_objects False Specify IPv6 addresses and network masks that allow traffic in the Network Access tunnel.
     subnet string False Specify IP addresses and network masks that describe the target LAN. Only the traffic to these addresses and network segments goes through the Network Access tunnel.
ipv6DnsPrimary string False Specify the primary IPV6 address of a DNS server for Network Access to convey to the remote access point.
ipv6DnsSecondary string False Specify the Secondary IPV6 address of a DNS server for Network Access to convey to the remote access point.
ipv6LeasepoolName string False First create IPV6 leasepool object then associated it’s name in this property.
ipv6LeasepoolNameReference reference False Reference of the IPV6 leasepool object which is selected as IPV6 Lease Pool.
     name string True Name of the resource
     kind string False The kind of the resource.
     link string False URI link of the reference.
leasepoolName string False First create an IPv4 lease pool object, then specify the object name in this property.
leasepoolNameReference reference False Reference of the IPv4 lease pool object that is selected as the IPv4 Lease Pool.
     name string True Name of the resource
     kind string False The kind of the resource.
     link string False URI link of the reference.
microsoftNetworkClient string False To allow the client PC to access remote resources over a VPN connection, in the Client Options setting, enable Client for Microsoft Networks. Otherwise, disable it.
microsoftNetworkServer string False To allow remote hosts to access shared resources on the client computer over the secure access connection, in the Client Options area, enable File and printer sharing for Microsoft Networks. Otherwise, disable it.
networkTunnel string False Enable/Disable Network Tunnel.
optimizedAppReference reference False Reference to the optimized app.
     link string True URI link of the reference.
preserveSourcePortStrict string False Choose ‘none’ or ‘all’. none - Specifies that the system does not preserve the value configured for the source port. all - Specifies that the system preserves the value configured for the source port. Note: You must also select ‘none’ for SNAT. This setting applies on the last leg of the Network Access tunnel connection between an internal ACL virtual server and the backend. This setting applies to all traffic passing through the Network Access tunnel.
provideClientCert string False If the client certificates are required to establish an SSL connection, enable client certificate on Network Access connection when requested. However, if client certificates are requested (not required) in an SSL connection, you can disable this option; then the client does not send client certificates.
proxyArp string False When Proxy ARP is enabled for a Network Access resource, remote VPN tunnel clients can use IP addresses from the LAN IP subnet without additional network infrastructure changes. Ranges of IP addresses from the LAN subnet can be configured in the lease pools and assigned to tunnel clients. When a host on the LAN sends traffic to a tunnel client, an ARP query is sent to request the client address. Access Policy Manager then responds with its own MAC address. Traffic is then sent to Network Access, and forwarded to the client over the Network Access tunnel. No configuration changes are required on devices other than the Access Policy Manager.
snat string False Choose none, automap, or a SNAT name. none - The system uses no SNAT pool for this Network Access resource. You must select None if you enable Proxy ARP, enable Preserve Source Port Strict, or if you support CIFS/SMB or VoIP protocols with this Network Access resource. automap - The system uses all of the self IP addresses as the translation addresses for the pool. Alternatively, specify a SNAT name if you have defined a SNAT on the BIG-IP.
splitTunneling string False Values can be ‘true’ or ‘false’. If the value is false, all traffic, including traffic to or from the local subnet, is forced over the VPN tunnel. Otherwise, only the traffic targeted to a specified address space is sent over the Network Access tunnel; all other traffic bypasses the tunnel.
staticHost array_of_objects False Specify the Static Hosts.
     address string False Enter a valid related IP address.
     hostname string False Enter a valid host name.
supportedIpVersion string False Choose between IPV4 or IPV4&IPV6
syncWithActiveDirectory string False For Network Access to emulate the Windows logon process for a client on an Active Directory domain, enable Synchronize with Active Directory policies on connection establishment. Otherwise, disable it. When enabled, network policies are synchronized when the connection is established, or at logoff. The following items are synchronized: Scripts are started as specified in the user profile. Drives are mapped as specified in the user profile. Group policies are synchronized as specified in the user profile. Group Policy logon scripts start when the connection is established, and Group Policy logoff scripts run when the Network Access connection is stopped.
winsPrimary string False Specify the IP address of a WINS server to convey to the remote access point. This is needed for Microsoft Networking to function properly.
winsSecondary string False Specify the IP address of a WINS server to convey to the remote access point. This is needed for Microsoft Networking to function properly.
type string False Specify the type of the Network Access. The default value is ‘network-access’.
name string False The name of the object
partition string False The BIG-IP partition where the object should be placed
subPath string False The BIG-IP folder where the object should be placed
lsoDeviceReference reference False Reference to the device
     id string False Id of the device.
     name string True Device name. Typically it is the device’s hostname.
     kind string False Kind of the device.
     machineId string False Machine ID of the device.
     link string True URI link of the reference.
isLsoShared boolean False Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations.
deviceGroupReference reference True Reference to the device group.
     name string True Name of the resource
     kind string False The kind of the resource.
     link string False URI link of the reference.
id string False An ID of an application
kind string False The kind of application.
selfLink string False The selfLink of an application.
description string False The description of an Application.

Query Parameters

None

Response

HTTP/1.1 200 OK

Name Type Description
addressSpaceDhcpRequestsExcluded string To allow clients to connect through the IP filtering engine and use a DHCP server that is local to the client to renew the client DHCP lease locally, in Client Side Security settings, enable Allow access to local DHCP server. Otherwise, clear it. This option should be configured only when Integrated IP filtering engine is enabled. This option applies only to the local client IP address. It does not renew the DHCP lease for the IP address assigned from the Network Access lease pool.
addressSpaceExcludeDnsName array_of_strings Specify domain names. Enter the domain name in the form shown in these examples: site.siterequest.com or *.siterequest.com.
addressSpaceExcludeSubnet array_of_objects Specify IPv4 addresses that need to be excluded from the traffic.
     subnet string Specify IP addresses and network masks for any traffic that you do not want to force through the tunnel.
addressSpaceIncludeDnsName array_of_strings Specify domain names that describe the target LAN DNS addresses. Enter the domain name in the form shown in these examples: site.siterequest.com or *.siterequest.com.
addressSpaceIncludeSubnet array_of_objects Specify IPv4 addresses and network masks for which traffic is allowed in the Network Access tunnel.
     subnet string Specify IP addresses and network masks that describe the target LAN. Only the traffic to these addresses and network segments goes through the Network Access tunnel.
addressSpaceLocDnsServersExcluded string To enable local access to the DNS servers configured on the client before establishing Network Access connections, enable Allow Local DNS Servers. Otherwise, disable it.
addressSpaceLocalSubnetsExcluded string To enable local subnet access and local access to any host or subnet in the routes in the client routing table, enable Allow Local Subnet. Otherwise, disable it. When you enable this setting, the system does not support integrated IP filtering.
addressSpaceProtect string To discard any requests to add, delete, or modify entries in the client routing table for the F5 PPP adapter, in Client Side Security settings, enable Prohibit routing table changes during Network Access connection. Otherwise, disable it.
applicationLaunch array_of_objects Specify applications to launch with a Network Access resource when your users are likely to connect to an application server for which they have a client-side component on their systems. This is useful, for example, when Network Access connects directly to an Exchange server, and users run the Microsoft Outlook program to access the server.
     osType string Specify the target operating system.
     parameter string Specify any parameters for the application separated by spaces.
     path string Path to the application. Note: Do not enter single or double quotes in this field. reconnect_to_domain - Specifies that the client should reconnect to the domain after the Network Access tunnel starts, if, for example, the Network Access tunnel is established before the domain controller logon occurs. Path to the application/gpo_logoff_scripts - Specifies to run group policy object logoff scripts when the Network Access tunnel stops.
applicationLaunchWarning string When enabled, displays security warnings before launching the application whether or not the site is in the Trusted Sites list. When disabled, displays security warnings only if the site is not in the Trusted Sites list.
autoLaunch string When enabled, the Network Access resource starts automatically when the user reaches the full webtop. Note: When multiple Network Access resources are assigned to a full webtop, only one can have auto launch enabled.
clientInterfaceSpeed number Specify bits per second.
clientIpFilterEngine string To protect a resource from outside traffic (that is generated by network devices on the client’s LAN), and to ensure that the resource is not leaking traffic to the client’s LAN, in Client Side Security settings select Integrated IP filtering engine. Otherwise, disable it.
clientPowerManagement string Specify how Network Access handles client power management settings (when the user puts the system in standby, or closes the lid on a laptop), for Client Power Management select one: Ignore - Ignore the client settings for power management. Prevent - Prevent power management events from occurring when the client is connected. Terminate - Terminate the Network Access connection when a power management event occurs.
clientProxy string Client proxy settings apply to the proxy behind the Access Policy Manager and do not affect the VPN tunnel transport, or interact with the TLS or DTLS configuration. Use client proxy settings when intranet web servers are not directly accessible from the Access Policy Manager internal subnet. Client proxy settings apply only to HTTP, HTTPS, and FTP connections. SOCKS connections can also be proxied, with a custom PAC file.
clientProxyAddress string Specify the IP address for the client proxy server that Network Access clients use to connect to the Internet.
clientProxyEnforceSubnets string To allow IP address space enforcement in a proxy auto-configuration script, select Enforce IP Address Space in Client Proxy Autoconfig Script. Otherwise, disable it.
clientProxyExclusionList array_of_strings For Web addresses that do not need to be accessed through your proxy server, add them to the Proxy Exclusion List. You can use wild cards to match domain names and host names or addresses. For example, www..com, 128., 240.8, 8., mygroup., *. , and so forth.
clientProxyIgnoreAutoConfigError string To have the system establish the VPN tunnel even when download of the client proxy autoconfig script fails, enable Ignore Client Proxy Autoconfig Script Download Failure. Otherwise, disable it; then if the client proxy autoconfig script fails to download, the VPN tunnel is not established.
clientProxyLocalBypass string To allow local (intranet) addresses to bypass the proxy server, enable Bypass Proxy For Local Addresses.
clientProxyPort number Specify the port number on the proxy server that Network Access clients use to connect to the Internet.
clientProxyScript string To use a URL for a proxy auto-configuration script with this connection, type the URL in Client Proxy Autoconfig Script.
clientProxyUseHttpPac string Specify that the browser use http:// to locate the proxy autoconfig file, instead of file://. Some applications, such as Citrix MetaFrame, cannot use the client proxy autoconfig script when the browser attempts to use the file:// prefix to locate it.
clientProxyUseLocalProxy string Enable to continue to use proxy settings that are configured on the client after establishing a Network Access connection.
clientTrafficClassifier string For Windows clients to use a client traffic classifier with this Network Access connection, enter Client Traffic Classifier. The Client Traffic Classifier should be created first and its name specified in this property.
clientTrafficClassifierReference reference Reference to the selected Client Traffic Classifier.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
clientTrayIcon string To display balloon notifications for the Network Access tray icon (for example, when a connection is made) enable Display connection tray. Otherwise, disable it.
compression string Choose compression as none or gzip. No Compression - Traffic passes between the Network Access client and the BIG-IP system without compression. GZIP Compression - All traffic between the Network Access client and the BIG-IP system is compressed using the GZIP deflate method.
customizationGroup string Specify the customization name.
customizationGroupReference reference Specify the Customization reference.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
dnsEnforceSearchOrder string When enabled, APM continuously checks the DNS order on the network interface, and sets the Network Access-supplied entries first in the list if they change during a session. When disabled, APM uses your local DNS settings as primary and the Network Access-supplied DNS settings as secondary. (This might be useful when split tunneling is in use and the client connects remotely.)
dnsPrimary string Specify the primary IPv4 address of a DNS server for Network Access to convey to the remote access point.
dnsRegisterConnection string To register the address of this connection in the DNS server, enable Register this connection’s addresses in DNS.
dnsSecondary string Specify the secondary IPv4 address of a DNS server for Network Access to convey to the remote access point.
dnsSuffix string Specify one or more DNS suffixes, separated by commas, to send to the client. If left empty, the controller sends its own DNS suffix to the client.
dnsUseDnsSuffixForRegistration string To register the default domain suffix, enable Use this connection’s DNS suffix in DNS.
driveMapping array_of_objects Configure Drive Mappings in the Network Access.
     drive string Enter the drive.
     path string Enter the path to the server.
     description string Enter the description.
dtls string To specify that the Network Access connection use Datagram Transport Level Security (DTLS), enable DTLS. DTLS uses UDP instead of TCP to provide better throughput for high demand applications like VoIP or streaming video, especially with lossy connections.
dtlsPort number Specify a port number for the Network Access resource to use for secure UDP traffic with DTLS. The default value is 4433.
executeLogoffScripts string For the system to run logoff scripts (configured on the Active Directory domain) when the connection is terminated, enable Execute logoff scripts on connection termination. Otherwise, disable it.
idleTimeoutThreshold number Specifies the average byte rate that either ingress or egress tunnel traffic must exceed in order for the tunnel to update a session. If the average byte rate falls below the specified threshold, the system applies the inactivity timeout that is defined in the Access profile to the session. The default value is 0.
idleTimeoutWindow number Specify a number to calculate the EMA (Exponential Moving Average) byte rate of ingress and egress tunnel traffic. The default value is 0.
ipv6AddressSpaceExcludeSubnet array_of_objects Specify IPv6 addresses that need to be excluded from the traffic.
     subnet string Specify IPv6 addresses and network masks for any traffic that you do not want to force through the tunnel.
ipv6AddressSpaceIncludeSubnet array_of_objects Specify IPv6 addresses and network masks for which traffic is allowed in the Network Access tunnel.
     subnet string Specify IP addresses and network masks that describe the target LAN. Only the traffic to these addresses and network segments goes through the Network Access tunnel.
ipv6DnsPrimary string Specify the primary IPv6 address of a DNS server for Network Access to convey to the remote access point.
ipv6DnsSecondary string Specify the secondary IPv6 address of a DNS server for Network Access to convey to the remote access point.
ipv6LeasepoolName string First create an IPv6 lease pool object, then specify its name in this property.
ipv6LeasepoolNameReference reference Reference of the IPv6 lease pool object that is selected as the IPv6 Lease Pool.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
leasepoolName string First create an IPv4 lease pool object, then specify the object name in this property.
leasepoolNameReference reference Reference of the IPv4 lease pool object that is selected as the IPv4 Lease Pool.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
microsoftNetworkClient string To allow the client PC to access remote resources over a VPN connection, in the Client Options setting, enable Client for Microsoft Networks. Otherwise, disable it.
microsoftNetworkServer string To allow remote hosts to access shared resources on the client computer over the secure access connection, in the Client Options area, enable File and printer sharing for Microsoft Networks. Otherwise, disable it.
networkTunnel string Enable/Disable Network Tunnel.
optimizedAppReference reference Reference to the optimized app.
     link string URI link of the reference.
preserveSourcePortStrict string Choose ‘none’ or ‘all’. none - Specifies that the system does not preserve the value configured for the source port. all - Specifies that the system preserves the value configured for the source port. Note: You must also select ‘none’ for SNAT. This setting applies on the last leg of the Network Access tunnel connection between an internal ACL virtual server and the backend. This setting applies to all traffic passing through the Network Access tunnel.
provideClientCert string If the client certificates are required to establish an SSL connection, enable client certificate on Network Access connection when requested. However, if client certificates are requested (not required) in an SSL connection, you can disable this option; then the client does not send client certificates.
proxyArp string When Proxy ARP is enabled for a Network Access resource, remote VPN tunnel clients can use IP addresses from the LAN IP subnet without additional network infrastructure changes. Ranges of IP addresses from the LAN subnet can be configured in the lease pools and assigned to tunnel clients. When a host on the LAN sends traffic to a tunnel client, an ARP query is sent to request the client address. Access Policy Manager then responds with its own MAC address. Traffic is then sent to Network Access, and forwarded to the client over the Network Access tunnel. No configuration changes are required on devices other than the Access Policy Manager.
snat string Choose none, automap, or a SNAT name. none - The system uses no SNAT pool for this Network Access resource. You must select None if you enable Proxy ARP, enable Preserve Source Port Strict, or if you support CIFS/SMB or VoIP protocols with this Network Access resource. automap - The system uses all of the self IP addresses as the translation addresses for the pool. Alternatively, specify a SNAT name if you have defined a SNAT on the BIG-IP.
splitTunneling string Values can be ‘true’ or ‘false’. If the value is false, all traffic, including traffic to or from the local subnet, is forced over the VPN tunnel. Otherwise, only the traffic targeted to a specified address space is sent over the Network Access tunnel; all other traffic bypasses the tunnel.
staticHost array_of_objects Specify the Static Hosts.
     address string Enter a valid related IP address.
     hostname string Enter a valid host name.
supportedIpVersion string Choose between IPV4 or IPV4&IPV6
syncWithActiveDirectory string For Network Access to emulate the Windows logon process for a client on an Active Directory domain, enable Synchronize with Active Directory policies on connection establishment. Otherwise, disable it. When enabled, network policies are synchronized when the connection is established, or at logoff. The following items are synchronized: Scripts are started as specified in the user profile. Drives are mapped as specified in the user profile. Group policies are synchronized as specified in the user profile. Group Policy logon scripts start when the connection is established, and Group Policy logoff scripts run when the Network Access connection is stopped.
winsPrimary string Specify the IP address of a WINS server to convey to the remote access point. This is needed for Microsoft Networking to function properly.
winsSecondary string Specify the IP address of a WINS server to convey to the remote access point. This is needed for Microsoft Networking to function properly.
type string Specify the type of the Network Access. The default value is ‘network-access’.
name string The name of the object
partition string The BIG-IP partition where the object should be placed
subPath string The BIG-IP folder where the object should be placed
lsoDeviceReference reference Reference to the device
     id string Id of the device.
     name string Device name. Typically it is the device’s hostname.
     kind string Kind of the device.
     machineId string Machine ID of the device.
     link string URI link of the reference.
isLsoShared boolean Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations.
deviceGroupReference reference Reference to the device group.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
id string An ID of an application
kind string The kind of application.
selfLink string The selfLink of an application.
description string The description of an Application.
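
Several descriptions in these tables state constraints between properties: snat must be none when proxyArp or preserveSourcePortStrict is used, and the Allow Local Subnet and local DHCP options interact with the integrated IP filtering engine. The Python check below is an added example, not F5 code, that audits a full resource body such as this GET response; the 'true'/'false' values for flags other than splitTunneling, the address/mask subnet notation, and the sample body are assumptions.

```python
"""Audit a BIG-IQ network-access resource body for the cross-field
constraints stated in the property descriptions (added example)."""
import ipaddress

# Assumption: on/off string properties use 'true'/'false', the form the page
# documents for splitTunneling; 'enabled' is accepted as a hypothetical variant.
_ON = {"true", "enabled"}


def _on(resource, key):
    return str(resource.get(key, "false")).strip().lower() in _ON


def _check_subnets(resource, key, version):
    """Validate each {'subnet': ...} entry under key against an IP version."""
    findings = []
    for entry in resource.get(key) or []:
        raw = entry.get("subnet", "")
        try:
            # Assumption: 'address/mask' notation; /8 and /255.0.0.0 both parse.
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            findings.append(("BAD_SUBNET", f"{key}: cannot parse {raw!r}"))
            continue
        if net.version != version:
            findings.append(
                ("WRONG_FAMILY", f"{key}: {raw!r} is not IPv{version}"))
    return findings


def audit_network_access(resource):
    """Return a list of (rule_id, message) findings for a full resource body."""
    findings = []
    for key, version in (("addressSpaceIncludeSubnet", 4),
                         ("addressSpaceExcludeSubnet", 4),
                         ("ipv6AddressSpaceIncludeSubnet", 6),
                         ("ipv6AddressSpaceExcludeSubnet", 6)):
        findings += _check_subnets(resource, key, version)

    snat = str(resource.get("snat", "none")).strip().lower()
    if _on(resource, "proxyArp") and snat != "none":
        findings.append(("SNAT_PROXY_ARP",
                         "proxyArp is enabled, so snat must be 'none'"))
    preserve = str(resource.get("preserveSourcePortStrict", "none")).lower()
    if preserve == "all" and snat != "none":
        findings.append(("SNAT_PRESERVE_PORT",
                         "preserveSourcePortStrict is 'all', so snat must be 'none'"))

    ip_filter = _on(resource, "clientIpFilterEngine")
    if _on(resource, "addressSpaceLocalSubnetsExcluded") and ip_filter:
        findings.append(("FILTER_LOCAL_SUBNET",
                         "Allow Local Subnet does not support integrated IP filtering"))
    if _on(resource, "addressSpaceDhcpRequestsExcluded") and not ip_filter:
        findings.append(("DHCP_WITHOUT_FILTER",
                         "local DHCP access is only meant for use with the "
                         "integrated IP filtering engine"))

    # With split tunneling, only the include address space is tunneled.
    if _on(resource, "splitTunneling") and not any(
            resource.get(k) for k in ("addressSpaceIncludeSubnet",
                                      "ipv6AddressSpaceIncludeSubnet",
                                      "addressSpaceIncludeDnsName")):
        findings.append(("SPLIT_EMPTY_SCOPE",
                         "splitTunneling is on but no include address space is set"))

    port = resource.get("dtlsPort", 4433)  # documented default
    if _on(resource, "dtls") and not (isinstance(port, int) and 1 <= port <= 65535):
        findings.append(("DTLS_PORT", f"dtlsPort {port!r} is not a valid UDP port"))
    return findings


# Constructed sample body (not taken from a real device).
SAMPLE = {
    "name": "na_example",
    "splitTunneling": "true",
    "addressSpaceIncludeSubnet": [{"subnet": "10.0.0.0/255.0.0.0"},
                                  {"subnet": "10.1.0.0/33"}],
    "ipv6AddressSpaceIncludeSubnet": [{"subnet": "192.168.1.0/24"}],
    "snat": "automap",
    "proxyArp": "true",
    "preserveSourcePortStrict": "none",
    "clientIpFilterEngine": "false",
    "addressSpaceDhcpRequestsExcluded": "true",
    "addressSpaceLocalSubnetsExcluded": "false",
    "dtls": "true",
    "dtlsPort": 4433,
}

if __name__ == "__main__":
    for rule, message in audit_network_access(SAMPLE):
        print(f"{rule}: {message}")
```

Run it against the body returned by GET before sending a PUT or PATCH; a PATCH body on its own carries only the changed properties, so merge it into the current resource first.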

Error Response

HTTP/1.1 400 Bad Request

This response status is related to error conditions. A detailed error message is returned in the response.

HTTP/1.1 401 Unauthorized

This response happens when access is denied due to invalid credentials (no permission).

Permissions

Role Allow
Application_Editor No
Service_Catalog_Viewer No
Service_Catalog_Editor No
Trust_Discovery_Import No
Access_View No
Access_Edit Yes
Access_Manager Yes
Application_Manager No
Application_Viewer No
Access_Deploy No
Access_Policy_Editor No

PATCH /mgmt/cm/access/working-config/apm/resource/network-access/<id>

Request Parameters

Name Type Required Description
addressSpaceDhcpRequestsExcluded string False To allow clients to connect through the IP filtering engine and use a DHCP server that is local to the client to renew the client DHCP lease locally, in Client Side Security settings, enable Allow access to local DHCP server. Otherwise, clear it. This option should be configured only when Integrated IP filtering engine is enabled. This option applies only to the local client IP address. It does not renew the DHCP lease for the IP address assigned from the Network Access lease pool.
addressSpaceExcludeDnsName array_of_strings False Specify domain names. Enter the domain name in the form shown in these examples: site.siterequest.com or *.siterequest.com.
addressSpaceExcludeSubnet array_of_objects False Specify IPv4 addresses that need to be excluded from the traffic.
     subnet string False Specify IP addresses and network masks for any traffic that you do not want to force through the tunnel.
addressSpaceIncludeDnsName array_of_strings False Specify domain names that describe the target LAN DNS addresses. Enter the domain name in the form shown in these examples: site.siterequest.com or *.siterequest.com.
addressSpaceIncludeSubnet array_of_objects False Specify IPv4 addresses and network masks for which traffic is allowed in the Network Access tunnel.
     subnet string False Specify IP addresses and network masks that describe the target LAN. Only the traffic to these addresses and network segments goes through the Network Access tunnel.
addressSpaceLocDnsServersExcluded string False To enable local access to the DNS servers configured on the client before establishing Network Access connections, enable Allow Local DNS Servers. Otherwise, disable it.
addressSpaceLocalSubnetsExcluded string False To enable local subnet access and local access to any host or subnet in the routes in the client routing table, enable Allow Local Subnet. Otherwise, disable it. When you enable this setting, the system does not support integrated IP filtering.
addressSpaceProtect string False To discard any requests to add, delete, or modify entries in the client routing table for the F5 PPP adapter, in Client Side Security settings, enable Prohibit routing table changes during Network Access connection. Otherwise, disable it.
applicationLaunch array_of_objects False Specify applications to launch with a Network Access resource when your users are likely to connect to an application server for which they have a client-side component on their systems. This is useful, for example, when Network Access connects directly to an Exchange server, and users run the Microsoft Outlook program to access the server.
     osType string False Specify the target operating system.
     parameter string False Specify any parameters for the application separated by spaces.
     path string False Path to the application. Note: Do not enter single or double quotes in this field. reconnect_to_domain - Specifies that the client should reconnect to the domain after the Network Access tunnel starts, if, for example, the Network Access tunnel is established before the domain controller logon occurs. Path to the application/gpo_logoff_scripts - Specifies to run group policy object logoff scripts when the Network Access tunnel stops.
applicationLaunchWarning string False When enabled, displays security warnings before launching the application whether or not the site is in the Trusted Sites list. When disabled, displays security warnings only if the site is not in the Trusted Sites list.
autoLaunch string False When enabled, the Network Access resource starts automatically when the user reaches the full webtop. Note: When multiple Network Access resources are assigned to a full webtop, only one can have auto launch enabled.
clientInterfaceSpeed number False Specify bits per second.
clientIpFilterEngine string False To protect a resource from outside traffic (that is generated by network devices on the client’s LAN), and to ensure that the resource is not leaking traffic to the client’s LAN, in Client Side Security settings select Integrated IP filtering engine. Otherwise, disable it.
clientPowerManagement string False Specify how Network Access handles client power management settings (when the user puts the system in standby, or closes the lid on a laptop), for Client Power Management select one: Ignore - Ignore the client settings for power management. Prevent - Prevent power management events from occurring when the client is connected. Terminate - Terminate the Network Access connection when a power management event occurs.
clientProxy string False Client proxy settings apply to the proxy behind the Access Policy Manager and do not affect the VPN tunnel transport, or interact with the TLS or DTLS configuration. Use client proxy settings when intranet web servers are not directly accessible from the Access Policy Manager internal subnet. Client proxy settings apply only to HTTP, HTTPS, and FTP connections. SOCKS connections can also be proxied, with a custom PAC file.
clientProxyAddress string False Specify the IP address for the client proxy server that Network Access clients use to connect to the Internet.
clientProxyEnforceSubnets string False To allow IP address space enforcement in a proxy auto-configuration script, select Enforce IP Address Space in Client Proxy Autoconfig Script. Otherwise, disable it.
clientProxyExclusionList array_of_strings False For Web addresses that do not need to be accessed through your proxy server, add them to the Proxy Exclusion List. You can use wild cards to match domain names and host names or addresses. For example, www..com, 128., 240.8, 8., mygroup., *. , and so forth.
clientProxyIgnoreAutoConfigError string False To have the system establish the VPN tunnel even when download of the client proxy autoconfig script fails, enable Ignore Client Proxy Autoconfig Script Download Failure. Otherwise, disable it; then if the client proxy autoconfig script fails to download, the VPN tunnel is not established.
clientProxyLocalBypass string False To allow local (intranet) addresses to bypass the proxy server, enable Bypass Proxy For Local Addresses.
clientProxyPort number False Specify the port number on the proxy server that Network Access clients use to connect to the Internet.
clientProxyScript string False To use a URL for a proxy auto-configuration script with this connection, type the URL in Client Proxy Autoconfig Script.
clientProxyUseHttpPac string False Specify that the browser use http:// to locate the proxy autoconfig file, instead of file://. Some applications, such as Citrix MetaFrame, cannot use the client proxy autoconfig script when the browser attempts to use the file:// prefix to locate it.
clientProxyUseLocalProxy string False Enable to continue to use proxy settings that are configured on the client after establishing a Network Access connection.
clientTrafficClassifier string False For Windows clients to use a client traffic classifier with this Network Access connection, enter Client Traffic Classifier. The Client Traffic Classifier should be created first and its name specified in this property.
clientTrafficClassifierReference reference False Reference to the selected Client Traffic Classifier.
     link string False URI link of the reference.
clientTrayIcon string False To display balloon notifications for the Network Access tray icon (for example, when a connection is made) enable Display connection tray. Otherwise, disable it.
compression string False Choose compression as none or gzip. No Compression - Traffic passes between the Network Access client and the BIG-IP system without compression. GZIP Compression - All traffic between the Network Access client and the BIG-IP system is compressed using the GZIP deflate method.
customizationGroup string False Specify the customization name.
customizationGroupReference reference False Specify the Customization reference.
     link string False URI link of the reference.
dnsEnforceSearchOrder string False On enable, APM continuously checks the DNS order on the network interface, and sets the Network Access-supplied entries first in the list if they change during a session. On disable, APM uses your local DNS settings as primary and the Network Access-supplied DNS settings as secondary. (This might be useful when split tunneling is in use and the client connects remotely.)
dnsPrimary string False Specify the primary IPV4 address of a DNS server for Network Access to convey to the remote access point.
dnsRegisterConnection string False To register the address of this connection in the DNS server, enable Register this connection’s addresses in DNS.
dnsSecondary string False Specify the secondary IPV4 address of a DNS server for Network Access to convey to the remote access point.
dnsSuffix string False Specify one or more DNS suffixes, separated by commas, to send to the client. If left empty, the controller sends its own DNS suffix to the client.
dnsUseDnsSuffixForRegistration string False To register the default domain suffix, enable Use this connection’s DNS suffix in DNS.
driveMapping array_of_objects False Configure Drive Mappings in the Network Access.
     drive string False Enter the drive.
     path string False Enter Path to the Server.
     description string False Enter the description.
dtls string False To specify that the Network Access connection use Datagram Transport Level Security (DTLS), enable DTLS. DTLS uses UDP instead of TCP to provide better throughput for high demand applications like VoIP or streaming video, especially with lossy connections.
dtlsPort number False Specify a port number for the Network Access resource to use for secure UDP traffic with DTLS. The default value is 4433.
executeLogoffScripts string False For the system to run logoff scripts (configured on the Active Directory domain) when the connection is terminated, enable Execute logoff scripts on connection termination. Otherwise, disable it.
idleTimeoutThreshold number False Specifies the average byte rate that either ingress or egress tunnel traffic must exceed in order for the tunnel to update a session. If the average byte rate falls below the specified threshold, the system applies the inactivity timeout that is defined in the Access profile to the session. The default value is 0.
idleTimeoutWindow number False Specify a number to calculate the EMA (Exponential Moving Average) byte rate of ingress and egress tunnel traffic. The default value is 0.
ipv6AddressSpaceExcludeSubnet array_of_objects False Specify IPv6 addresses that need to be excluded from the traffic.
     subnet string False Specify IPV6 addresses and network masks for any traffic that you do not want to force through the tunnel.
ipv6AddressSpaceIncludeSubnet array_of_objects False Specify IPV6 addresses and network masks for which traffic is allowed in the Network Access tunnel.
     subnet string False Specify IP addresses and network masks that describe the target LAN. Only the traffic to these addresses and network segments goes through the Network Access tunnel.
ipv6DnsPrimary string False Specify the primary IPV6 address of a DNS server for Network Access to convey to the remote access point.
ipv6DnsSecondary string False Specify the secondary IPV6 address of a DNS server for Network Access to convey to the remote access point.
ipv6LeasepoolName string False First create an IPV6 leasepool object, then set its name in this property.
ipv6LeasepoolNameReference reference False Reference of the IPV6 leasepool object which is selected as IPV6 Lease Pool.
     link string True URI link of the reference.
leasepoolName string False First create an IPV4 leasepool object, then set the object name in this property.
leasepoolNameReference reference False Reference of the IPV4 leasepool object which is selected as IPV4 Lease Pool.
     link string True URI link of the reference.
microsoftNetworkClient string False To allow the client PC to access remote resources over a VPN connection, in Client Options setting enable Client for Microsoft Networks. Otherwise, disable it.
microsoftNetworkServer string False To allow remote hosts to access shared resources on the client computer over the secure access connection, in the Client Options area, enable File and printer sharing for Microsoft Networks. Otherwise, disable it.
networkTunnel string False Enable/Disable Network Tunnel.
optimizedAppReference reference False Reference to the optimized app.
     link string True URI link of the reference.
preserveSourcePortStrict string False Choose values between ‘none’ or ‘all’. none - specify that the system does not preserve the value configured for the source port. all - specify that the system preserves the value configured for the source port. Note: You must also select ‘none’ for SNAT. This setting applies on the last leg of the Network Access tunnel connection between an internal ACL virtual server and the backend. This setting applies to all traffic passing through the Network Access tunnel.
provideClientCert string False If the client certificates are required to establish an SSL connection, enable client certificate on Network Access connection when requested. However, if client certificates are requested (not required) in an SSL connection, you can disable this option; then the client does not send client certificates.
proxyArp string False On enabling Proxy ARP for a Network Access resource, remote VPN tunnel clients can use IP addresses from the LAN IP subnet without additional network infrastructure changes. Ranges of IP addresses from the LAN subnet can be configured in the lease pools and assigned to tunnel clients. When a host on the LAN sends traffic to a tunnel client, an ARP query is sent to request the client address. Access Policy Manager then responds with its own MAC address. Traffic is then sent to Network Access, and forwarded to the client over the Network Access tunnel. No configuration changes are required on devices other than the Access Policy Manager.
snat string False Choose between none and automap. none - The system uses no SNAT pool for this Network Access resource. You must select None if you enable Proxy ARP, enable Preserve Source Port Strict, or if you support CIFS/SMB or VoIP protocols with this Network Access resource. automap - The system uses all of the self IP addresses as the translation addresses for the pool. snat name - Use if you have defined a SNAT on the BIG-IP.
splitTunneling string False Values can be ‘true’/‘false’. If the value is false, all traffic, including traffic to or from the local subnet, is forced over the VPN tunnel. Otherwise, only the traffic targeted to a specified address space is sent over the Network Access tunnel. All other traffic bypasses the tunnel.
staticHost array_of_objects False Specify the Static Hosts.
     address string False Enter a valid related IP address.
     hostname string False Enter a valid host name.
supportedIpVersion string False Choose between IPV4 or IPV4&IPV6
syncWithActiveDirectory string False For Network Access to emulate the Windows logon process for a client on an Active Directory domain, enable Synchronize with Active Directory policies on connection establishment. Otherwise, disable it. When enabled, network policies are synchronized when the connection is established, or at logoff. The following items are synchronized: Scripts are started as specified in the user profile. Drives are mapped as specified in the user profile. Group policies are synchronized as specified in the user profile. Group Policy logon scripts start when the connection is established, and Group Policy logoff scripts run when the Network Access connection is stopped.
winsPrimary string False Specify the IP address of a WINS server to convey to the remote access point. This is needed for Microsoft Networking to function properly.
winsSecondary string False Specify the IP address of a WINS server to convey to the remote access point. This is needed for Microsoft Networking to function properly.
type string False Specify the type of the Network Access. The default value is ‘network-access’.
isLsoShared boolean False Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations.
description string False The description of an Application.
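
Several of the property descriptions on this page depend on each other (snat versus proxyArp and preserveSourcePortStrict, the IP filtering engine settings, the isLsoShared warning). The following is an added example, not part of the F5 documentation, that checks a request body against those documented constraints before it is sent. The 'true'/'false' toggle values, the address/mask subnet form, the function names and the sample body are assumptions.

```python
import ipaddress


def on(body, key):
    """True when a toggle-style property is enabled.

    ASSUMPTION: toggles are the strings 'true'/'false', the form the page
    documents for splitTunneling. Adjust if your system stores other values.
    """
    return str(body.get(key, "")).strip().lower() == "true"


def bad_subnets(body, key, version):
    """Yield 'subnet' strings under `key` that are not networks of `version`.

    ASSUMPTION: entries look like 'address/mask' (prefix length or dotted
    mask); the page only says 'IP addresses and network masks'.
    """
    for entry in body.get(key) or []:
        text = entry.get("subnet", "")
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            yield text
            continue
        if net.version != version:
            yield text


def lint_network_access(body, current=None):
    """Return a list of (property, message) findings.

    body    -- dict about to be sent as the request body
    current -- optional dict of the object as it exists now (from GET)
    """
    findings = []

    # snat must be 'none' with Proxy ARP or Preserve Source Port Strict.
    snat = body.get("snat")
    if snat not in (None, "none"):
        if on(body, "proxyArp"):
            findings.append(("snat", "must be 'none' when proxyArp is enabled"))
        if body.get("preserveSourcePortStrict") == "all":
            findings.append(("snat", "must be 'none' when preserveSourcePortStrict is 'all'"))

    # Allow Local Subnet and the integrated IP filtering engine exclude each
    # other; the local DHCP exception only applies with the engine enabled.
    ip_filter = on(body, "clientIpFilterEngine")
    if on(body, "addressSpaceLocalSubnetsExcluded") and ip_filter:
        findings.append(("addressSpaceLocalSubnetsExcluded",
                         "integrated IP filtering is not supported with this setting"))
    if on(body, "addressSpaceDhcpRequestsExcluded") and not ip_filter:
        findings.append(("addressSpaceDhcpRequestsExcluded",
                         "configure only when clientIpFilterEngine is enabled"))

    # Split tunneling sends only the specified address space through the
    # tunnel, so an empty include space deserves a second look.
    if on(body, "splitTunneling"):
        include_keys = ("addressSpaceIncludeSubnet",
                        "ipv6AddressSpaceIncludeSubnet",
                        "addressSpaceIncludeDnsName")
        if not any(body.get(k) for k in include_keys):
            findings.append(("splitTunneling", "enabled with no include address space"))

    # Subnet lists must parse and match the IP version of their property.
    for key, version in (("addressSpaceIncludeSubnet", 4),
                         ("addressSpaceExcludeSubnet", 4),
                         ("ipv6AddressSpaceIncludeSubnet", 6),
                         ("ipv6AddressSpaceExcludeSubnet", 6)):
        for text in bad_subnets(body, key, version):
            findings.append((key, f"not a valid IPv{version} subnet: {text!r}"))

    port = body.get("dtlsPort")
    if port is not None and not (isinstance(port, int) and 1 <= port <= 65535):
        findings.append(("dtlsPort", f"not a usable UDP port: {port!r}"))

    # The page warns against flipping isLsoShared during PUT/PATCH.
    if current is not None and "isLsoShared" in body:
        if body["isLsoShared"] != current.get("isLsoShared"):
            findings.append(("isLsoShared", "must not change during PUT/PATCH"))

    return findings


# Constructed sample values, not taken from any real deployment.
SAMPLE_CURRENT = {"isLsoShared": False}
SAMPLE_BODY = {
    "splitTunneling": "true",
    "addressSpaceIncludeSubnet": [{"subnet": "10.20.0.0/255.255.0.0"},
                                  {"subnet": "fd00::/8"}],
    "proxyArp": "true",
    "snat": "automap",
    "preserveSourcePortStrict": "none",
    "clientIpFilterEngine": "false",
    "addressSpaceDhcpRequestsExcluded": "true",
    "dtls": "true",
    "dtlsPort": 4433,
    "isLsoShared": True,
}

if __name__ == "__main__":
    for prop, message in lint_network_access(SAMPLE_BODY, SAMPLE_CURRENT):
        print(f"{prop}: {message}")
```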

Query Parameters

None

Response

HTTP/1.1 200 OK

Name Type Description
addressSpaceDhcpRequestsExcluded string To allow clients to connect through the IP filtering engine and use a DHCP server that is local to the client to renew the client DHCP lease locally, in Client Side Security settings enable Allow access to local DHCP server. Otherwise, clear it. This option should be configured only when Integrated IP filtering engine is enabled. This option applies only to the local client IP address. It does not renew the DHCP lease for the IP address assigned from the Network Access lease pool.
addressSpaceExcludeDnsName array_of_strings Specify domain names. Enter the domain name in the form shown in these examples: site.siterequest.com or *.siterequest.com.
addressSpaceExcludeSubnet array_of_objects Specify IPv4 addresses that need to be excluded from the traffic.
     subnet string Specify IP addresses and network masks for any traffic that you do not want to force through the tunnel.
addressSpaceIncludeDnsName array_of_strings Specify domain names that describe the target LAN DNS addresses. Enter the domain name in the form shown in these examples: site.siterequest.com or *.siterequest.com.
addressSpaceIncludeSubnet array_of_objects Specify IPV4 addresses and network masks for which traffic is allowed in the Network Access tunnel.
     subnet string Specify IP addresses and network masks that describe the target LAN. Only the traffic to these addresses and network segments goes through the Network Access tunnel.
addressSpaceLocDnsServersExcluded string To enable local access to the DNS servers configured on client before establishing Network Access connections, enable Allow Local DNS Servers. Otherwise, disable it.
addressSpaceLocalSubnetsExcluded string To enable local subnet access and local access to any host or subnet in the routes in the client routing table, enable Allow Local Subnet. Otherwise, disable it. When you enable this setting, the system does not support integrated IP filtering.
addressSpaceProtect string To discard any requests to add, delete, or modify entries in the client routing table for the F5 PPP adapter, in Client Side Security settings, enable Prohibit routing table changes during Network Access connection. Otherwise, disable it.
applicationLaunch array_of_objects Specify to launch applications to a Network Access resource when your users are likely to connect to an application server for which they have a client-side component on their systems. This is useful, for example, when Network Access connects directly to an Exchange server, and users run the Microsoft Outlook program to access the server.
     osType string Specify the target operating system.
     parameter string Specify any parameters for the application separated by spaces.
     path string Path to the application. Note: Do not enter single or double quotes in this field. reconnect_to_domain - Specifies that the client should reconnect to the domain after the network access tunnel starts, if, for example, the Network Access tunnel is established before the domain controller logon occurs. Path to the application/gpo_logoff_scripts - Specifies to run group policy object logoff scripts when the Network Access tunnel stops.
applicationLaunchWarning string On enable, display security warnings before launching the application whether or not the site is in the Trusted Sites list. On disable, displays security warnings only if the site is not in the Trusted Sites list.
autoLaunch string On enable, the Network Access resource starts automatically when the user reaches the full webtop. Note: When multiple Network Access resources are assigned to a full webtop, only one can have auto launch enabled.
clientInterfaceSpeed number Specify bits per second.
clientIpFilterEngine string To protect a resource from outside traffic (that is generated by network devices on the client’s LAN), and to ensure that the resource is not leaking traffic to the client’s LAN, in Client Side Security settings select Integrated IP filtering engine. Otherwise, disable it.
clientPowerManagement string Specify how Network Access handles client power management settings (when the user puts the system in standby, or closes the lid on a laptop), for Client Power Management select one: Ignore - Ignore the client settings for power management. Prevent - Prevent power management events from occurring when the client is connected. Terminate - Terminate the Network Access connection when a power management event occurs.
clientProxy string Client proxy settings apply to the proxy behind the Access Policy Manager and do not affect the VPN tunnel transport, or interact with the TLS or DTLS configuration. Use client proxy settings when intranet web servers are not directly accessible from the Access Policy Manager internal subnet. Client proxy settings apply only to HTTP, HTTPS, and FTP connections. SOCKS connections can also be proxied, with a custom PAC file.
clientProxyAddress string Specify the IP address for the client proxy server that Network Access clients use to connect to the Internet.
clientProxyEnforceSubnets string To allow IP address space enforcement in a proxy auto-configuration script, select Enforce IP Address Space in Client Proxy Autoconfig Script. Otherwise, disable it.
clientProxyExclusionList array_of_strings For Web addresses that do not need to be accessed through your proxy server, add them to the Proxy Exclusion List. You can use wild cards to match domain names and host names or addresses. For example, www..com, 128., 240.8, 8., mygroup., *. , and so forth.
clientProxyIgnoreAutoConfigError string To have the system establish the VPN tunnel even when download of the client proxy autoconfig script fails, enable Ignore Client Proxy Autoconfig Script Download Failure. Otherwise, disable it; then if the client proxy autoconfig script fails to download, the VPN tunnel is not established.
clientProxyLocalBypass string To allow local (intranet) addresses to bypass the proxy server enable Bypass Proxy For Local Addresses.
clientProxyPort number Specify the port number on the proxy server that Network Access clients use to connect to the Internet.
clientProxyScript string To use a URL for a proxy auto-configuration script with this connection, type the URL in Client Proxy Autoconfig Script.
clientProxyUseHttpPac string Specify that the browser uses http:// to locate the proxy autoconfig file, instead of file://. Some applications, such as Citrix MetaFrame, cannot use the client proxy autoconfig script when the browser attempts to use the file:// prefix to locate it.
clientProxyUseLocalProxy string Enable to continue to use proxy settings that are configured on the client after establishing a Network Access connection.
clientTrafficClassifier string For Windows clients to use a client traffic classifier with this Network Access connection, enter Client Traffic Classifier. The Client Traffic Classifier must already exist; set its name in this property.
clientTrafficClassifierReference reference Reference to the selected Client Traffic Classifier.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
clientTrayIcon string To display balloon notifications for the Network Access tray icon (for example, when a connection is made) enable Display connection tray. Otherwise, disable it.
compression string Choose compression as none or gzip. No Compression - Traffic passes between the Network Access client and the BIG-IP system without compression. GZIP Compression - All traffic between the Network Access client and the BIG-IP system is compressed using the GZIP deflate method.
customizationGroup string Specify the customization name.
customizationGroupReference reference Specify the Customization reference.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
dnsEnforceSearchOrder string On enable, APM continuously checks the DNS order on the network interface, and sets the Network Access-supplied entries first in the list if they change during a session. On disable, APM uses your local DNS settings as primary and the Network Access-supplied DNS settings as secondary. (This might be useful when split tunneling is in use and the client connects remotely.)
dnsPrimary string Specify the primary IPV4 address of a DNS server for Network Access to convey to the remote access point.
dnsRegisterConnection string To register the address of this connection in the DNS server, enable Register this connection’s addresses in DNS.
dnsSecondary string Specify the secondary IPV4 address of a DNS server for Network Access to convey to the remote access point.
dnsSuffix string Specify one or more DNS suffixes, separated by commas, to send to the client. If left empty, the controller sends its own DNS suffix to the client.
dnsUseDnsSuffixForRegistration string To register the default domain suffix, enable Use this connection’s DNS suffix in DNS.
driveMapping array_of_objects Configure Drive Mappings in the Network Access.
     drive string Enter the drive.
     path string Enter Path to the Server.
     description string Enter the description.
dtls string To specify that the Network Access connection use Datagram Transport Level Security (DTLS), enable DTLS. DTLS uses UDP instead of TCP to provide better throughput for high demand applications like VoIP or streaming video, especially with lossy connections.
dtlsPort number Specify a port number for the Network Access resource to use for secure UDP traffic with DTLS. The default value is 4433.
executeLogoffScripts string For the system to run logoff scripts (configured on the Active Directory domain) when the connection is terminated, enable Execute logoff scripts on connection termination. Otherwise, disable it.
idleTimeoutThreshold number Specifies the average byte rate that either ingress or egress tunnel traffic must exceed in order for the tunnel to update a session. If the average byte rate falls below the specified threshold, the system applies the inactivity timeout that is defined in the Access profile to the session. The default value is 0.
idleTimeoutWindow number Specify a number to calculate the EMA (Exponential Moving Average) byte rate of ingress and egress tunnel traffic. The default value is 0.
ipv6AddressSpaceExcludeSubnet array_of_objects Specify IPv6 addresses that need to be excluded from the traffic.
     subnet string Specify IPV6 addresses and network masks for any traffic that you do not want to force through the tunnel.
ipv6AddressSpaceIncludeSubnet array_of_objects Specify IPV6 addresses and network masks for which traffic is allowed in the Network Access tunnel.
     subnet string Specify IP addresses and network masks that describe the target LAN. Only the traffic to these addresses and network segments goes through the Network Access tunnel.
ipv6DnsPrimary string Specify the primary IPV6 address of a DNS server for Network Access to convey to the remote access point.
ipv6DnsSecondary string Specify the secondary IPV6 address of a DNS server for Network Access to convey to the remote access point.
ipv6LeasepoolName string First create an IPV6 leasepool object, then set its name in this property.
ipv6LeasepoolNameReference reference Reference of the IPV6 leasepool object which is selected as IPV6 Lease Pool.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
leasepoolName string First create an IPV4 leasepool object, then set the object name in this property.
leasepoolNameReference reference Reference of the IPV4 leasepool object which is selected as IPV4 Lease Pool.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
microsoftNetworkClient string To allow the client PC to access remote resources over a VPN connection, in Client Options setting enable Client for Microsoft Networks. Otherwise, disable it.
microsoftNetworkServer string To allow remote hosts to access shared resources on the client computer over the secure access connection, in the Client Options area, enable File and printer sharing for Microsoft Networks. Otherwise, disable it.
networkTunnel string Enable/Disable Network Tunnel.
optimizedAppReference reference Reference to the optimized app.
     link string URI link of the reference.
preserveSourcePortStrict string Choose values between ‘none’ or ‘all’. none - specify that the system does not preserve the value configured for the source port. all - specify that the system preserves the value configured for the source port. Note: You must also select ‘none’ for SNAT. This setting applies on the last leg of the Network Access tunnel connection between an internal ACL virtual server and the backend. This setting applies to all traffic passing through the Network Access tunnel.
provideClientCert string If the client certificates are required to establish an SSL connection, enable client certificate on Network Access connection when requested. However, if client certificates are requested (not required) in an SSL connection, you can disable this option; then the client does not send client certificates.
proxyArp string On enabling Proxy ARP for a Network Access resource, remote VPN tunnel clients can use IP addresses from the LAN IP subnet without additional network infrastructure changes. Ranges of IP addresses from the LAN subnet can be configured in the lease pools and assigned to tunnel clients. When a host on the LAN sends traffic to a tunnel client, an ARP query is sent to request the client address. Access Policy Manager then responds with its own MAC address. Traffic is then sent to Network Access, and forwarded to the client over the Network Access tunnel. No configuration changes are required on devices other than the Access Policy Manager.
snat string Choose between none and automap. none - The system uses no SNAT pool for this Network Access resource. You must select None if you enable Proxy ARP, enable Preserve Source Port Strict, or if you support CIFS/SMB or VoIP protocols with this Network Access resource. automap - The system uses all of the self IP addresses as the translation addresses for the pool. snat name - Use if you have defined a SNAT on the BIG-IP.
splitTunneling string Values can be ‘true’/‘false’. If the value is false, all traffic, including traffic to or from the local subnet, is forced over the VPN tunnel. Otherwise, only the traffic targeted to a specified address space is sent over the Network Access tunnel. All other traffic bypasses the tunnel.
staticHost array_of_objects Specify the Static Hosts.
     address string Enter a valid related IP address.
     hostname string Enter a valid host name.
supportedIpVersion string Choose between IPV4 or IPV4&IPV6
syncWithActiveDirectory string For Network Access to emulate the Windows logon process for a client on an Active Directory domain, enable Synchronize with Active Directory policies on connection establishment. Otherwise, disable it. When enabled, network policies are synchronized when the connection is established, or at logoff. The following items are synchronized: Scripts are started as specified in the user profile. Drives are mapped as specified in the user profile. Group policies are synchronized as specified in the user profile. Group Policy logon scripts start when the connection is established, and Group Policy logoff scripts run when the Network Access connection is stopped.
winsPrimary string Specify the IP address of a WINS server to convey to the remote access point. This is needed for Microsoft Networking to function properly.
winsSecondary string Specify the IP address of a WINS server to convey to the remote access point. This is needed for Microsoft Networking to function properly.
type string Specify the type of the Network Access. The default value is ‘network-access’.
name string The name of the object
partition string The BIG-IP partition where the object should be placed
subPath string The BIG-IP folder where the object should be placed
lsoDeviceReference reference Reference to the device
     id string Id of the device.
     name string Device name. Typically it is the device’s hostname.
     kind string Kind of the device.
     machineId string Machine ID of the device.
     link string URI link of the reference.
isLsoShared boolean Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations.
deviceGroupReference reference Reference to the device group.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
id string An ID of an application
kind string The kind of application.
selfLink string The selfLink of an application.
description string The description of an Application.

Error Response

HTTP/1.1 400 Bad Request

This response status is related to error conditions. A detailed error message displays in the response.

HTTP/1.1 401 Unauthorized

This response happens when access is denied due to invalid credentials (no permission).

Permissions

Role Allow
Application_Editor No
Service_Catalog_Viewer No
Service_Catalog_Editor No
Trust_Discovery_Import No
Access_View No
Access_Edit Yes
Access_Manager Yes
Application_Manager No
Application_Viewer No
Access_Deploy No
Access_Policy_Editor No

DELETE /mgmt/cm/access/working-config/apm/resource/network-access/<id>

Request Parameters

None

Query Parameters

None

Response

HTTP/1.1 200 OK

Name Type Description
addressSpaceDhcpRequestsExcluded string To allow clients to connect through the IP filtering engine and use a DHCP server that is local to the client to renew the client DHCP lease locally, in Client Side Security settings enable Allow access to local DHCP server. Otherwise, clear it. This option should be configured only when Integrated IP filtering engine is enabled. This option applies only to the local client IP address. It does not renew the DHCP lease for the IP address assigned from the Network Access lease pool.
addressSpaceExcludeDnsName array_of_strings Specify domain names. Enter the domain name in the form shown in these examples: site.siterequest.com or *.siterequest.com.
addressSpaceExcludeSubnet array_of_objects Specify IPv4 addresses that need to be excluded from the traffic.
     subnet string Specify IP addresses and network masks for any traffic that you do not want to force through the tunnel.
addressSpaceIncludeDnsName array_of_strings Specify domain names that describe the target LAN DNS addresses. Enter the domain name in the form shown in these examples: site.siterequest.com or *.siterequest.com.
addressSpaceIncludeSubnet array_of_objects Specify IPV4 addresses and network masks for which traffic is allowed in the Network Access tunnel.
     subnet string Specify IP addresses and network masks that describe the target LAN. Only the traffic to these addresses and network segments goes through the Network Access tunnel.
addressSpaceLocDnsServersExcluded string To enable local access to the DNS servers configured on client before establishing Network Access connections, enable Allow Local DNS Servers. Otherwise, disable it.
addressSpaceLocalSubnetsExcluded string To enable local subnet access and local access to any host or subnet in the routes in the client routing table, enable Allow Local Subnet. Otherwise, disable it. When you enable this setting, the system does not support integrated IP filtering.
addressSpaceProtect string To discard any requests to add, delete, or modify entries in the client routing table for the F5 PPP adapter, in Client Side Security settings, enable Prohibit routing table changes during Network Access connection. Otherwise, disable it.
applicationLaunch array_of_objects Specify to launch applications to a Network Access resource when your users are likely to connect to an application server for which they have a client-side component on their systems. This is useful, for example, when Network Access connects directly to an Exchange server, and users run the Microsoft Outlook program to access the server.
     osType string Specify the target operating system.
     parameter string Specify any parameters for the application separated by spaces.
     path string Path to the application. Note: Do not enter single or double quotes in this field. reconnect_to_domain - Specifies that the client should reconnect to the domain after the network access tunnel starts, if, for example, the Network Access tunnel is established before the domain controller logon occurs. Path to the application/gpo_logoff_scripts - Specifies to run group policy object logoff scripts when the Network Access tunnel stops.
applicationLaunchWarning string On enable, display security warnings before launching the application whether or not the site is in the Trusted Sites list. On disable, displays security warnings only if the site is not in the Trusted Sites list.
autoLaunch string On enable, the Network Access resource starts automatically when the user reaches the full webtop. Note: When multiple Network Access resources are assigned to a full webtop, only one can have auto launch enabled.
clientInterfaceSpeed number Specify bits per second.
clientIpFilterEngine string To protect a resource from outside traffic (that is generated by network devices on the client’s LAN), and to ensure that the resource is not leaking traffic to the client’s LAN, in Client Side Security settings select Integrated IP filtering engine. Otherwise, disable it.
clientPowerManagement string Specify how Network Access handles client power management settings (when the user puts the system in standby, or closes the lid on a laptop), for Client Power Management select one: Ignore - Ignore the client settings for power management. Prevent - Prevent power management events from occurring when the client is connected. Terminate - Terminate the Network Access connection when a power management event occurs.
clientProxy string Client proxy settings apply to the proxy behind the Access Policy Manager and do not affect the VPN tunnel transport, or interact with the TLS or DTLS configuration. Use client proxy settings when intranet web servers are not directly accessible from the Access Policy Manager internal subnet. Client proxy settings apply only to HTTP, HTTPS, and FTP connections. SOCKS connections can also be proxied, with a custom PAC file.
clientProxyAddress string Specify the IP address for the client proxy server that Network Access clients use to connect to the Internet.
clientProxyEnforceSubnets string To allow IP address space enforcement in a proxy auto-configuration script, select Enforce IP Address Space in Client Proxy Autoconfig Script. Otherwise, disable it.
clientProxyExclusionList array_of_strings For Web addresses that do not need to be accessed through your proxy server, add them to the Proxy Exclusion List. You can use wild cards to match domain names and host names or addresses. For example, www..com, 128., 240.8, 8., mygroup., *. , and so forth.
clientProxyIgnoreAutoConfigError string To have the system establish the VPN tunnel even when download of the client proxy autoconfig script fails, enable Ignore Client Proxy Autoconfig Script Download Failure. Otherwise, disable it; then if the client proxy autoconfig script fails to download, the VPN tunnel is not established.
clientProxyLocalBypass string To allow local (intranet) addresses to bypass the proxy server enable Bypass Proxy For Local Addresses.
clientProxyPort number Specify the port number on the proxy server that Network Access clients use to connect to the Internet.
clientProxyScript string To use a URL for a proxy auto-configuration script with this connection, type the URL in Client Proxy Autoconfig Script.
clientProxyUseHttpPac string Specify the browser use http:// to locate the proxy autoconfig file, instead of file://. Some applications, such as Citrix MetaFrame, cannot use the client proxy autoconfig script when the browser attempts to use the file:// prefix to locate it.
clientProxyUseLocalProxy string Enable to continue to use proxy settings that are configured on the client after establishing a Network Access connection
clientTrafficClassifier string For Windows clients to use a client traffic classifier with this Network Access connection, enter Client Traffic Classifier. Client Traffic Classifier should be pre-created and associate name to this property.
clientTrafficClassifierReference reference Reference to the selected Client Traffic Classifier.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
clientTrayIcon string To display balloon notifications for the Network Access tray icon (for example, when a connection is made) enable Display connection tray. Otherwise, disable it.
compression string Choose compression as none or gzip. No Compression - Traffic passes between the Network Access client and the BIG-IP system without compression. GZIP Compression - All traffic between the Network Access client and the BIG-IP system is compressed using the GZIP deflate method.
customizationGroup string Specify the customization name.
customizationGroupReference reference Specify the Customization reference.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
dnsEnforceSearchOrder string When enabled, APM continuously checks the DNS order on the network interface, and sets the Network Access-supplied entries first in the list if they change during a session. When disabled, APM uses your local DNS settings as primary and the Network Access-supplied DNS settings as secondary. (This might be useful when split tunneling is in use and the client connects remotely.)
dnsPrimary string Specify the primary IPv4 address of a DNS server for Network Access to convey to the remote access point.
dnsRegisterConnection string To register the address of this connection in the DNS server, enable Register this connection’s addresses in DNS.
dnsSecondary string Specify the secondary IPv4 address of a DNS server for Network Access to convey to the remote access point.
dnsSuffix string Specify one or more DNS suffixes, separated by commas, to send to the client. If left empty, the controller sends its own DNS suffix to the client.
dnsUseDnsSuffixForRegistration string To register the default domain suffix, enable Use this connection’s DNS suffix in DNS.
driveMapping array_of_objects Configure drive mappings in Network Access.
     drive string Enter the drive.
     path string Enter the path to the server.
     description string Enter the description.
dtls string To specify that the Network Access connection use Datagram Transport Layer Security (DTLS), enable DTLS. DTLS uses UDP instead of TCP to provide better throughput for high demand applications like VoIP or streaming video, especially with lossy connections.
dtlsPort number Specify a port number for the Network Access resource to use for secure UDP traffic with DTLS. The default value is 4433.
executeLogoffScripts string For the system to run logoff scripts (configured on the Active Directory domain) when the connection is terminated, enable Execute logoff scripts on connection termination. Otherwise, disable it.
idleTimeoutThreshold number Specifies the average byte rate that either ingress or egress tunnel traffic must exceed in order for the tunnel to update a session. If the average byte rate falls below the specified threshold, the system applies the inactivity timeout that is defined in the Access profile to the session. The default value is 0.
idleTimeoutWindow number Specify a number to calculate the EMA (Exponential Moving Average) byte rate of ingress and egress tunnel traffic. The default value is 0.
ipv6AddressSpaceExcludeSubnet array_of_objects Specify IPv6 addresses that need to be excluded from the traffic.
     subnet string Specify IPv6 addresses and network masks for any traffic that you do not want to force through the tunnel.
ipv6AddressSpaceIncludeSubnet array_of_objects Specify IPv6 addresses and network masks for traffic that is allowed in the Network Access tunnel.
     subnet string Specify IP addresses and network masks that describe the target LAN. Only the traffic to these addresses and network segments goes through the Network Access tunnel.
ipv6DnsPrimary string Specify the primary IPv6 address of a DNS server for Network Access to convey to the remote access point.
ipv6DnsSecondary string Specify the secondary IPv6 address of a DNS server for Network Access to convey to the remote access point.
ipv6LeasepoolName string First create an IPv6 lease pool object, then set this property to its name.
ipv6LeasepoolNameReference reference Reference to the IPv6 lease pool object that is selected as the IPv6 Lease Pool.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
leasepoolName string First create an IPv4 lease pool object, then set this property to the object name.
leasepoolNameReference reference Reference to the IPv4 lease pool object that is selected as the IPv4 Lease Pool.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
microsoftNetworkClient string To allow the client PC to access remote resources over a VPN connection, in Client Options setting enable Client for Microsoft Networks. Otherwise, disable it.
microsoftNetworkServer string To allow remote hosts to access shared resources on the client computer over the secure access connection, in the Client Options area, enable File and printer sharing for Microsoft Networks. Otherwise, disable it.
networkTunnel string Enable/Disable Network Tunnel.
optimizedAppReference reference Reference to the optimized app.
     link string URI link of the reference.
preserveSourcePortStrict string Choose ‘none’ or ‘all’. none - Specifies that the system does not preserve the value configured for the source port. all - Specifies that the system preserves the value configured for the source port. Note: You must also select ‘none’ for SNAT. This setting applies on the last leg of the Network Access tunnel connection between an internal ACL virtual server and the backend. This setting applies to all traffic passing through the Network Access tunnel.
provideClientCert string If the client certificates are required to establish an SSL connection, enable client certificate on Network Access connection when requested. However, if client certificates are requested (not required) in an SSL connection, you can disable this option; then the client does not send client certificates.
proxyArp string When Proxy ARP is enabled for a Network Access resource, remote VPN tunnel clients can use IP addresses from the LAN IP subnet without additional network infrastructure changes. Ranges of IP addresses from the LAN subnet can be configured in the lease pools and assigned to tunnel clients. When a host on the LAN sends traffic to a tunnel client, an ARP query is sent to request the client address. Access Policy Manager then responds with its own MAC address. Traffic is then sent to Network Access, and forwarded to the client over the Network Access tunnel. No configuration changes are required on devices other than the Access Policy Manager.
snat string Choose between none and automap. none - The system uses no SNAT pool for this Network Access resource. You must select None if you enable Proxy ARP, enable Preserve Source Port Strict, or if you support CIFS/SMB or VoIP protocols with this Network Access resource. automap - The system uses all of the self IP addresses as the translation addresses for the pool. snat name - if you have defined a SNAT on the BIG-IP.
splitTunneling string Values can be ‘true’ or ‘false’. If the value is false, all traffic, including traffic to or from the local subnet, is forced over the VPN tunnel. Otherwise, only the traffic targeted to a specified address space is sent over the Network Access tunnel. All other traffic bypasses the tunnel.
staticHost array_of_objects Specify the Static Hosts.
     address string Enter a valid related IP address.
     hostname string Enter a valid host name.
supportedIpVersion string Choose between IPV4 or IPV4&IPV6
syncWithActiveDirectory string For Network Access to emulate the Windows logon process for a client on an Active Directory domain, enable Synchronize with Active Directory policies on connection establishment. Otherwise, disable it. When enabled, network policies are synchronized when the connection is established, or at logoff. The following items are synchronized: Scripts are started as specified in the user profile. Drives are mapped as specified in the user profile. Group policies are synchronized as specified in the user profile. Group Policy logon scripts start when the connection is established, and Group Policy logoff scripts run when the Network Access connection is stopped.
winsPrimary string Specify the IP address of a WINS server to convey to the remote access point. This is needed for Microsoft Networking to function properly.
winsSecondary string Specify the IP address of a WINS server to convey to the remote access point. This is needed for Microsoft Networking to function properly.
type string Specify the type of the Network Access. The default value is ‘network-access’.
name string The name of the object
partition string The BIG-IP partition where the object should be placed
subPath string The BIG-IP folder where the object should be placed
lsoDeviceReference reference Reference to the device
     id string Id of the device.
     name string Device name. Typically it is the device’s hostname.
     kind string Kind of the device.
     machineId string Machine ID of the device.
     link string URI link of the reference.
isLsoShared boolean Specifies if the location-specific object instance is shared across all devices. Use this only during POST. Warning: Do not flip this flag during PUT/PATCH operations.
deviceGroupReference reference Reference to the device group.
     name string Name of the resource
     kind string The kind of the resource.
     link string URI link of the reference.
id string An ID of an application
kind string The kind of application.
selfLink string The selfLink of an application.
description string The description of an Application.
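
Several rows in the table above constrain each other (snat against proxyArp and preserveSourcePortStrict, isLsoShared across PUT/PATCH, dtlsPort when dtls is on). The following pre-flight check is an added example, not part of the BIG-IQ API or F5's code: lint_network_access, the constructed sample data and the mapping of clientIpFilterEngine to the "Integrated IP filtering engine" wording are assumptions made for illustration.

```python
import json

# Constructed sample: a subset of the GET response shown in this page's examples.
CURRENT_JSON = """
{
  "addressSpaceDhcpRequestsExcluded": "true",
  "addressSpaceIncludeSubnet": [{"subnet": "198.1.1.0/32"}],
  "ipv6AddressSpaceIncludeSubnet": [{"subnet": "1234::/16"}],
  "clientIpFilterEngine": "false",
  "clientProxyIgnoreAutoConfigError": "false",
  "dtls": "false",
  "dtlsPort": 4433,
  "microsoftNetworkServer": "false",
  "preserveSourcePortStrict": "none",
  "proxyArp": "false",
  "snat": "automap",
  "splitTunneling": "false",
  "isLsoShared": false
}
"""

# Constructed edit that a reviewer would want rejected before it reaches PUT.
CONSTRUCTED_CHANGE = {
    "proxyArp": "true",
    "preserveSourcePortStrict": "all",
    "splitTunneling": "true",
    "dtls": "true",
    "dtlsPort": 0,
    "isLsoShared": True,
}


def _on(value):
    """Most flags here are the strings "true"/"false"; isLsoShared is a JSON boolean."""
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"


def lint_network_access(proposed, current=None):
    """Return (severity, property, message) tuples for a POST/PUT body.

    proposed: dict to be sent. current: dict from GET, or None when creating.
    """
    out = []
    p = proposed

    # Table: snat must be 'none' with Proxy ARP or Preserve Source Port Strict.
    if str(p.get("snat", "none")).lower() != "none":
        if _on(p.get("proxyArp", "false")):
            out.append(("error", "snat", "proxyArp is enabled, so snat must be 'none'"))
        if str(p.get("preserveSourcePortStrict", "none")).lower() == "all":
            out.append(("error", "snat", "preserveSourcePortStrict is 'all', so snat must be 'none'"))

    # dtlsPort is only used when dtls is enabled; it must be a usable UDP port.
    if _on(p.get("dtls", "false")):
        port = p.get("dtlsPort", 4433)
        if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
            out.append(("error", "dtlsPort", f"dtls is enabled but dtlsPort={port!r} is not a valid port"))

    # Table: isLsoShared is set during POST only and must not flip on PUT/PATCH.
    if current is not None and "isLsoShared" in p and "isLsoShared" in current:
        if _on(p["isLsoShared"]) != _on(current["isLsoShared"]):
            out.append(("error", "isLsoShared", "value differs from the stored object; do not flip it on PUT/PATCH"))

    # Settings that widen what leaves or reaches the client: surface for review.
    if _on(p.get("splitTunneling", "false")):
        n = len(p.get("addressSpaceIncludeSubnet", [])) + len(p.get("ipv6AddressSpaceIncludeSubnet", []))
        out.append(("warning", "splitTunneling", f"only {n} include subnet(s) use the tunnel; all other traffic bypasses it"))
    if _on(p.get("clientProxyIgnoreAutoConfigError", "false")):
        out.append(("warning", "clientProxyIgnoreAutoConfigError", "tunnel is established even if the PAC script fails to download"))
    if _on(p.get("microsoftNetworkServer", "false")):
        out.append(("warning", "microsoftNetworkServer", "remote hosts can reach shared resources on the client"))
    # Assumption: clientIpFilterEngine is the "Integrated IP filtering engine" switch.
    if _on(p.get("addressSpaceDhcpRequestsExcluded", "false")) and not _on(p.get("clientIpFilterEngine", "false")):
        out.append(("warning", "addressSpaceDhcpRequestsExcluded", "set while clientIpFilterEngine is off"))
    return out


if __name__ == "__main__":
    stored = json.loads(CURRENT_JSON)
    for severity, prop, message in lint_network_access(dict(stored, **CONSTRUCTED_CHANGE), stored):
        print(f"{severity:7} {prop}: {message}")
```

Run against the page's own sample values, the only finding is the DHCP option being set while clientIpFilterEngine is "false".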

Error Response

HTTP/1.1 400 Bad Request

This response status is related to error conditions. A detailed error message displays in the response.

HTTP/1.1 401 Unauthorized

This response happens when access is denied due to invalid credentials (no permission).

Permissions

Role Allow
Application_Editor No
Service_Catalog_Viewer No
Service_Catalog_Editor No
Trust_Discovery_Import No
Access_View No
Access_Edit Yes
Access_Manager Yes
Application_Manager No
Application_Viewer No
Access_Deploy No
Access_Policy_Editor No

Examples

Get Network Access

GET /mgmt/cm/access/working-config/apm/resource/network-access/<id>

Response

HTTP/1.1 200 OK
{
    "addressSpaceDhcpRequestsExcluded": "true",
    "addressSpaceExcludeDnsName": "['*example.com']",
    "addressSpaceExcludeSubnet": [{
        "subnet": "192.16.0.0/21"
    }],
    "addressSpaceIncludeDnsName": "['*.example.com *.example.com example.com example.com']",
    "addressSpaceIncludeSubnet": [{
        "subnet": "198.1.1.0/32"
    }],
    "addressSpaceLocDnsServersExcluded": "false",
    "addressSpaceLocalSubnetsExcluded": "false",
    "addressSpaceProtect": "false",
    "applicationLaunch": [{
        "osType": "windows",
        "parameter": "[mcget { example session variable } ]",
        "path": "example.app"
    }],
    "applicationLaunchWarning": "true",
    "autoLaunch": "true",
    "clientInterfaceSpeed": 100000000,
    "clientIpFilterEngine": "false",
    "clientPowerManagement": "ignore",
    "clientProxy": "false",
    "clientProxyAddress": "any6",
    "clientProxyEnforceSubnets": "true",
    "clientProxyExclusionList": "['10.*']",
    "clientProxyIgnoreAutoConfigError": "false",
    "clientProxyLocalBypass": "false",
    "clientProxyPort": 0,
    "clientProxyScript": "function FindProxyForURL(url, host) { return 'PROXY proxy.example.com:8080; DIRECT';}",
    "clientProxyUseHttpPac": "false",
    "clientProxyUseLocalProxy": "false",
    "clientTrafficClassifier": "/common/client_traffic_1",
    "clientTrafficClassifierReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "clientTrayIcon": "true",
    "compression": "none",
    "customizationGroup": "/Common/frog1-F5_VPN_netac_customization",
    "customizationGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "dnsEnforceSearchOrder": "true",
    "dnsPrimary": "any6",
    "dnsRegisterConnection": "false",
    "dnsSecondary": "any6",
    "dnsSuffix": "localhost example.example.com lab.fp.example.com fp.example.com example.com example.com",
    "dnsUseDnsSuffixForRegistration": "false",
    "driveMapping": [{
        "drive": "d",
        "path": "iexplore.exe",
        "description": "Description of Drive D and path configuration."
    }],
    "dtls": "false",
    "dtlsPort": 4433,
    "executeLogoffScripts": "false",
    "idleTimeoutThreshold": 0,
    "idleTimeoutWindow": 0,
    "ipv6AddressSpaceExcludeSubnet": [{
        "subnet": "3456::/16"
    }],
    "ipv6AddressSpaceIncludeSubnet": [{
        "subnet": "1234::/16"
    }],
    "ipv6DnsPrimary": "any6",
    "ipv6DnsSecondary": "any6",
    "ipv6LeasepoolName": "/Common/leasepool1",
    "ipv6LeasepoolNameReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "leasepoolName": "/Common/rly_NA_wiz_601_lp",
    "leasepoolNameReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "microsoftNetworkClient": "true",
    "microsoftNetworkServer": "false",
    "networkTunnel": "enabled",
    "optimizedAppReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "preserveSourcePortStrict": "none",
    "provideClientCert": "true",
    "proxyArp": "false",
    "snat": "automap",
    "snatpool": "/Common/snatpool1",
    "splitTunneling": "false",
    "staticHost": [{
        "address": "203.0.113.0",
        "hostname": "www.example.com"
    }],
    "supportedIpVersion": "ipv4",
    "syncWithActiveDirectory": "false",
    "winsPrimary": "any6",
    "winsSecondary": "any6",
    "type": "network-access",
    "name": "foo",
    "partition": "Common",
    "subPath": "/folder",
    "lsoDeviceReference": {
        "id": "844cfd8a-9e02-48e9-ba94-bb21a4ab444",
        "name": "bigip.foo.com",
        "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
        "machineId": "844cfd8a-9e02-48e9-ba94-bb21a4ab444",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "isLsoShared": false,
    "deviceGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
    "kind": "cm:access:working-config:apm:aaa:state",
    "selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed",
    "description": "Application configuration details."
}

Create Network Access

POST /mgmt/cm/access/working-config/apm/resource/network-access/
{
    "addressSpaceDhcpRequestsExcluded": "true",
    "addressSpaceExcludeDnsName": "['*example.com']",
    "addressSpaceExcludeSubnet": [{
        "subnet": "192.16.0.0/21"
    }],
    "addressSpaceIncludeDnsName": "['*.example.com *.example.com example.com example.com']",
    "addressSpaceIncludeSubnet": [{
        "subnet": "198.1.1.0/32"
    }],
    "addressSpaceLocDnsServersExcluded": "false",
    "addressSpaceLocalSubnetsExcluded": "false",
    "addressSpaceProtect": "false",
    "applicationLaunch": [{
        "osType": "windows",
        "parameter": "[mcget { example session variable } ]",
        "path": "example.app"
    }],
    "applicationLaunchWarning": "true",
    "autoLaunch": "true",
    "clientInterfaceSpeed": 100000000,
    "clientIpFilterEngine": "false",
    "clientPowerManagement": "ignore",
    "clientProxy": "false",
    "clientProxyAddress": "any6",
    "clientProxyEnforceSubnets": "true",
    "clientProxyExclusionList": "['10.*']",
    "clientProxyIgnoreAutoConfigError": "false",
    "clientProxyLocalBypass": "false",
    "clientProxyPort": 0,
    "clientProxyScript": "function FindProxyForURL(url, host) { return 'PROXY proxy.example.com:8080; DIRECT';}",
    "clientProxyUseHttpPac": "false",
    "clientProxyUseLocalProxy": "false",
    "clientTrafficClassifier": "/common/client_traffic_1",
    "clientTrafficClassifierReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "clientTrayIcon": "true",
    "compression": "none",
    "customizationGroup": "/Common/frog1-F5_VPN_netac_customization",
    "customizationGroupReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "dnsEnforceSearchOrder": "true",
    "dnsPrimary": "any6",
    "dnsRegisterConnection": "false",
    "dnsSecondary": "any6",
    "dnsSuffix": "localhost example.example.com lab.fp.example.com fp.example.com example.com example.com",
    "dnsUseDnsSuffixForRegistration": "false",
    "driveMapping": [{
        "drive": "d",
        "path": "iexplore.exe",
        "description": "Description of Drive D and path configuration."
    }],
    "dtls": "false",
    "dtlsPort": 4433,
    "executeLogoffScripts": "false",
    "idleTimeoutThreshold": 0,
    "idleTimeoutWindow": 0,
    "ipv6AddressSpaceExcludeSubnet": [{
        "subnet": "3456::/16"
    }],
    "ipv6AddressSpaceIncludeSubnet": [{
        "subnet": "1234::/16"
    }],
    "ipv6DnsPrimary": "any6",
    "ipv6DnsSecondary": "any6",
    "ipv6LeasepoolName": "/Common/leasepool1",
    "ipv6LeasepoolNameReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "leasepoolName": "/Common/rly_NA_wiz_601_lp",
    "leasepoolNameReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "microsoftNetworkClient": "true",
    "microsoftNetworkServer": "false",
    "networkTunnel": "enabled",
    "optimizedAppReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "preserveSourcePortStrict": "none",
    "provideClientCert": "true",
    "proxyArp": "false",
    "snat": "automap",
    "snatpool": "/Common/snatpool1",
    "splitTunneling": "false",
    "staticHost": [{
        "address": "203.0.113.0",
        "hostname": "www.example.com"
    }],
    "supportedIpVersion": "ipv4",
    "syncWithActiveDirectory": "false",
    "winsPrimary": "any6",
    "winsSecondary": "any6",
    "type": "network-access",
    "name": "foo",
    "partition": "Common",
    "subPath": "/folder",
    "lsoDeviceReference": {
        "id": "844cfd8a-9e02-48e9-ba94-bb21a4ab444",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "isLsoShared": false,
    "deviceGroupReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "description": "Application configuration details."
}

Response

HTTP/1.1 200 OK
{
    "addressSpaceDhcpRequestsExcluded": "true",
    "addressSpaceExcludeDnsName": "['*example.com']",
    "addressSpaceExcludeSubnet": [{
        "subnet": "192.16.0.0/21"
    }],
    "addressSpaceIncludeDnsName": "['*.example.com *.example.com example.com example.com']",
    "addressSpaceIncludeSubnet": [{
        "subnet": "198.1.1.0/32"
    }],
    "addressSpaceLocDnsServersExcluded": "false",
    "addressSpaceLocalSubnetsExcluded": "false",
    "addressSpaceProtect": "false",
    "applicationLaunch": [{
        "osType": "windows",
        "parameter": "[mcget { example session variable } ]",
        "path": "example.app"
    }],
    "applicationLaunchWarning": "true",
    "autoLaunch": "true",
    "clientInterfaceSpeed": 100000000,
    "clientIpFilterEngine": "false",
    "clientPowerManagement": "ignore",
    "clientProxy": "false",
    "clientProxyAddress": "any6",
    "clientProxyEnforceSubnets": "true",
    "clientProxyExclusionList": "['10.*']",
    "clientProxyIgnoreAutoConfigError": "false",
    "clientProxyLocalBypass": "false",
    "clientProxyPort": 0,
    "clientProxyScript": "function FindProxyForURL(url, host) { return 'PROXY proxy.example.com:8080; DIRECT';}",
    "clientProxyUseHttpPac": "false",
    "clientProxyUseLocalProxy": "false",
    "clientTrafficClassifier": "/common/client_traffic_1",
    "clientTrafficClassifierReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "clientTrayIcon": "true",
    "compression": "none",
    "customizationGroup": "/Common/frog1-F5_VPN_netac_customization",
    "customizationGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "dnsEnforceSearchOrder": "true",
    "dnsPrimary": "any6",
    "dnsRegisterConnection": "false",
    "dnsSecondary": "any6",
    "dnsSuffix": "localhost example.example.com lab.fp.example.com fp.example.com example.com example.com",
    "dnsUseDnsSuffixForRegistration": "false",
    "driveMapping": [{
        "drive": "d",
        "path": "iexplore.exe",
        "description": "Description of Drive D and path configuration."
    }],
    "dtls": "false",
    "dtlsPort": 4433,
    "executeLogoffScripts": "false",
    "idleTimeoutThreshold": 0,
    "idleTimeoutWindow": 0,
    "ipv6AddressSpaceExcludeSubnet": [{
        "subnet": "3456::/16"
    }],
    "ipv6AddressSpaceIncludeSubnet": [{
        "subnet": "1234::/16"
    }],
    "ipv6DnsPrimary": "any6",
    "ipv6DnsSecondary": "any6",
    "ipv6LeasepoolName": "/Common/leasepool1",
    "ipv6LeasepoolNameReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "leasepoolName": "/Common/rly_NA_wiz_601_lp",
    "leasepoolNameReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "microsoftNetworkClient": "true",
    "microsoftNetworkServer": "false",
    "networkTunnel": "enabled",
    "optimizedAppReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "preserveSourcePortStrict": "none",
    "provideClientCert": "true",
    "proxyArp": "false",
    "snat": "automap",
    "snatpool": "/Common/snatpool1",
    "splitTunneling": "false",
    "staticHost": [{
        "address": "203.0.113.0",
        "hostname": "www.example.com"
    }],
    "supportedIpVersion": "ipv4",
    "syncWithActiveDirectory": "false",
    "winsPrimary": "any6",
    "winsSecondary": "any6",
    "type": "network-access",
    "name": "foo",
    "partition": "Common",
    "subPath": "/folder",
    "lsoDeviceReference": {
        "id": "844cfd8a-9e02-48e9-ba94-bb21a4ab444",
        "name": "bigip.foo.com",
        "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
        "machineId": "844cfd8a-9e02-48e9-ba94-bb21a4ab444",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "isLsoShared": false,
    "deviceGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
    "kind": "cm:access:working-config:apm:aaa:state",
    "selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed",
    "description": "Application configuration details."
}

Edit Network Access

PUT /mgmt/cm/access/working-config/apm/resource/network-access/<id>
{
    "addressSpaceDhcpRequestsExcluded": "true",
    "addressSpaceExcludeDnsName": "['*example.com']",
    "addressSpaceExcludeSubnet": [{
        "subnet": "192.16.0.0/21"
    }],
    "addressSpaceIncludeDnsName": "['*.example.com *.example.com example.com example.com']",
    "addressSpaceIncludeSubnet": [{
        "subnet": "198.1.1.0/32"
    }],
    "addressSpaceLocDnsServersExcluded": "false",
    "addressSpaceLocalSubnetsExcluded": "false",
    "addressSpaceProtect": "false",
    "applicationLaunch": [{
        "osType": "windows",
        "parameter": "[mcget { example session variable } ]",
        "path": "example.app"
    }],
    "applicationLaunchWarning": "true",
    "autoLaunch": "true",
    "clientInterfaceSpeed": 100000000,
    "clientIpFilterEngine": "false",
    "clientPowerManagement": "ignore",
    "clientProxy": "false",
    "clientProxyAddress": "any6",
    "clientProxyEnforceSubnets": "true",
    "clientProxyExclusionList": "['10.*']",
    "clientProxyIgnoreAutoConfigError": "false",
    "clientProxyLocalBypass": "false",
    "clientProxyPort": 0,
    "clientProxyScript": "function FindProxyForURL(url, host) { return 'PROXY proxy.example.com:8080; DIRECT';}",
    "clientProxyUseHttpPac": "false",
    "clientProxyUseLocalProxy": "false",
    "clientTrafficClassifier": "/common/client_traffic_1",
    "clientTrafficClassifierReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "clientTrayIcon": "true",
    "compression": "none",
    "customizationGroup": "/Common/frog1-F5_VPN_netac_customization",
    "customizationGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "dnsEnforceSearchOrder": "true",
    "dnsPrimary": "any6",
    "dnsRegisterConnection": "false",
    "dnsSecondary": "any6",
    "dnsSuffix": "localhost example.example.com lab.fp.example.com fp.example.com example.com example.com",
    "dnsUseDnsSuffixForRegistration": "false",
    "driveMapping": [{
        "drive": "d",
        "path": "iexplore.exe",
        "description": "Description of Drive D and path configuration."
    }],
    "dtls": "false",
    "dtlsPort": 4433,
    "executeLogoffScripts": "false",
    "idleTimeoutThreshold": 0,
    "idleTimeoutWindow": 0,
    "ipv6AddressSpaceExcludeSubnet": [{
        "subnet": "3456::/16"
    }],
    "ipv6AddressSpaceIncludeSubnet": [{
        "subnet": "1234::/16"
    }],
    "ipv6DnsPrimary": "any6",
    "ipv6DnsSecondary": "any6",
    "ipv6LeasepoolName": "/Common/leasepool1",
    "ipv6LeasepoolNameReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "leasepoolName": "/Common/rly_NA_wiz_601_lp",
    "leasepoolNameReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "microsoftNetworkClient": "true",
    "microsoftNetworkServer": "false",
    "networkTunnel": "enabled",
    "optimizedAppReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "preserveSourcePortStrict": "none",
    "provideClientCert": "true",
    "proxyArp": "false",
    "snat": "automap",
    "snatpool": "/Common/snatpool1",
    "splitTunneling": "false",
    "staticHost": [{
        "address": "203.0.113.0",
        "hostname": "www.example.com"
    }],
    "supportedIpVersion": "ipv4",
    "syncWithActiveDirectory": "false",
    "winsPrimary": "any6",
    "winsSecondary": "any6",
    "type": "network-access",
    "name": "foo",
    "partition": "Common",
    "subPath": "/folder",
    "lsoDeviceReference": {
        "id": "844cfd8a-9e02-48e9-ba94-bb21a4ab444",
        "name": "bigip.foo.com",
        "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
        "machineId": "844cfd8a-9e02-48e9-ba94-bb21a4ab444",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "isLsoShared": false,
    "deviceGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
    "kind": "cm:access:working-config:apm:aaa:state",
    "selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed",
    "description": "Application configuration details."
}

Response

HTTP/1.1 200 OK
{
    "addressSpaceDhcpRequestsExcluded": "true",
    "addressSpaceExcludeDnsName": "['*example.com']",
    "addressSpaceExcludeSubnet": [{
        "subnet": "192.16.0.0/21"
    }],
    "addressSpaceIncludeDnsName": "['*.example.com *.example.com example.com example.com']",
    "addressSpaceIncludeSubnet": [{
        "subnet": "198.1.1.0/32"
    }],
    "addressSpaceLocDnsServersExcluded": "false",
    "addressSpaceLocalSubnetsExcluded": "false",
    "addressSpaceProtect": "false",
    "applicationLaunch": [{
        "osType": "windows",
        "parameter": "[mcget { example session variable } ]",
        "path": "example.app"
    }],
    "applicationLaunchWarning": "true",
    "autoLaunch": "true",
    "clientInterfaceSpeed": 100000000,
    "clientIpFilterEngine": "false",
    "clientPowerManagement": "ignore",
    "clientProxy": "false",
    "clientProxyAddress": "any6",
    "clientProxyEnforceSubnets": "true",
    "clientProxyExclusionList": "['10.*']",
    "clientProxyIgnoreAutoConfigError": "false",
    "clientProxyLocalBypass": "false",
    "clientProxyPort": 0,
    "clientProxyScript": "function FindProxyForURL(url, host) { return 'PROXY proxy.example.com:8080; DIRECT';}",
    "clientProxyUseHttpPac": "false",
    "clientProxyUseLocalProxy": "false",
    "clientTrafficClassifier": "/common/client_traffic_1",
    "clientTrafficClassifierReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "clientTrayIcon": "true",
    "compression": "none",
    "customizationGroup": "/Common/frog1-F5_VPN_netac_customization",
    "customizationGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "dnsEnforceSearchOrder": "true",
    "dnsPrimary": "any6",
    "dnsRegisterConnection": "false",
    "dnsSecondary": "any6",
    "dnsSuffix": "localhost example.example.com lab.fp.example.com fp.example.com example.com example.com",
    "dnsUseDnsSuffixForRegistration": "false",
    "driveMapping": [{
        "drive": "d",
        "path": "iexplore.exe",
        "description": "Description of Drive D and path configuration."
    }],
    "dtls": "false",
    "dtlsPort": 4433,
    "executeLogoffScripts": "false",
    "idleTimeoutThreshold": 0,
    "idleTimeoutWindow": 0,
    "ipv6AddressSpaceExcludeSubnet": [{
        "subnet": "3456::/16"
    }],
    "ipv6AddressSpaceIncludeSubnet": [{
        "subnet": "1234::/16"
    }],
    "ipv6DnsPrimary": "any6",
    "ipv6DnsSecondary": "any6",
    "ipv6LeasepoolName": "/Common/leasepool1",
    "ipv6LeasepoolNameReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "leasepoolName": "/Common/rly_NA_wiz_601_lp",
    "leasepoolNameReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "microsoftNetworkClient": "true",
    "microsoftNetworkServer": "false",
    "networkTunnel": "enabled",
    "optimizedAppReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "preserveSourcePortStrict": "none",
    "provideClientCert": "true",
    "proxyArp": "false",
    "snat": "automap",
    "snatpool": "/Common/snatpool1",
    "splitTunneling": "false",
    "staticHost": [{
        "address": "203.0.113.0",
        "hostname": "www.example.com"
    }],
    "supportedIpVersion": "ipv4",
    "syncWithActiveDirectory": "false",
    "winsPrimary": "any6",
    "winsSecondary": "any6",
    "type": "network-access",
    "name": "foo",
    "partition": "Common",
    "subPath": "/folder",
    "lsoDeviceReference": {
        "id": "844cfd8a-9e02-48e9-ba94-bb21a4ab444",
        "name": "bigip.foo.com",
        "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
        "machineId": "844cfd8a-9e02-48e9-ba94-bb21a4ab444",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "isLsoShared": false,
    "deviceGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
    "kind": "cm:access:working-config:apm:aaa:state",
    "selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed",
    "description": "Application configuration details."
}

Edit Network Access

PATCH /mgmt/cm/access/working-config/apm/resource/network-access/<id>
{
    "addressSpaceDhcpRequestsExcluded": "true",
    "addressSpaceExcludeDnsName": "['*example.com']",
    "addressSpaceExcludeSubnet": [{
        "subnet": "192.16.0.0/21"
    }],
    "addressSpaceIncludeDnsName": "['*.example.com *.example.com example.com example.com']",
    "addressSpaceIncludeSubnet": [{
        "subnet": "198.1.1.0/32"
    }],
    "addressSpaceLocDnsServersExcluded": "false",
    "addressSpaceLocalSubnetsExcluded": "false",
    "addressSpaceProtect": "false",
    "applicationLaunch": [{
        "osType": "windows",
        "parameter": "[mcget { example session variable } ]",
        "path": "example.app"
    }],
    "applicationLaunchWarning": "true",
    "autoLaunch": "true",
    "clientInterfaceSpeed": 100000000,
    "clientIpFilterEngine": "false",
    "clientPowerManagement": "ignore",
    "clientProxy": "false",
    "clientProxyAddress": "any6",
    "clientProxyEnforceSubnets": "true",
    "clientProxyExclusionList": "['10.*']",
    "clientProxyIgnoreAutoConfigError": "false",
    "clientProxyLocalBypass": "false",
    "clientProxyPort": 0,
    "clientProxyScript": "function FindProxyForURL(url, host) { return 'PROXY proxy.example.com:8080; DIRECT';}",
    "clientProxyUseHttpPac": "false",
    "clientProxyUseLocalProxy": "false",
    "clientTrafficClassifier": "/common/client_traffic_1",
    "clientTrafficClassifierReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "clientTrayIcon": "true",
    "compression": "none",
    "customizationGroup": "/Common/frog1-F5_VPN_netac_customization",
    "customizationGroupReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "dnsEnforceSearchOrder": "true",
    "dnsPrimary": "any6",
    "dnsRegisterConnection": "false",
    "dnsSecondary": "any6",
    "dnsSuffix": "localhost example.example.com lab.fp.example.com fp.example.com example.com example.com",
    "dnsUseDnsSuffixForRegistration": "false",
    "driveMapping": [{
        "drive": "d",
        "path": "iexplore.exe",
        "description": "Description of Drive D and path configuration."
    }],
    "dtls": "false",
    "dtlsPort": 4433,
    "executeLogoffScripts": "false",
    "idleTimeoutThreshold": 0,
    "idleTimeoutWindow": 0,
    "ipv6AddressSpaceExcludeSubnet": [{
        "subnet": "3456::/16"
    }],
    "ipv6AddressSpaceIncludeSubnet": [{
        "subnet": "1234::/16"
    }],
    "ipv6DnsPrimary": "any6",
    "ipv6DnsSecondary": "any6",
    "ipv6LeasepoolName": "/Common/leasepool1",
    "ipv6LeasepoolNameReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "leasepoolName": "/Common/rly_NA_wiz_601_lp",
    "leasepoolNameReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "microsoftNetworkClient": "true",
    "microsoftNetworkServer": "false",
    "networkTunnel": "enabled",
    "optimizedAppReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "preserveSourcePortStrict": "none",
    "provideClientCert": "true",
    "proxyArp": "false",
    "snat": "automap",
    "snatpool": "/Common/snatpool1",
    "splitTunneling": "false",
    "staticHost": [{
        "address": "203.0.113.0",
        "hostname": "www.example.com"
    }],
    "supportedIpVersion": "ipv4",
    "syncWithActiveDirectory": "false",
    "winsPrimary": "any6",
    "winsSecondary": "any6",
    "type": "network-access",
    "isLsoShared": false,
    "description": "Application configuration details."
}

Response

HTTP/1.1 200 OK
{
    "addressSpaceDhcpRequestsExcluded": "true",
    "addressSpaceExcludeDnsName": "['*example.com']",
    "addressSpaceExcludeSubnet": [{
        "subnet": "192.16.0.0/21"
    }],
    "addressSpaceIncludeDnsName": "['*.example.com *.example.com example.com example.com']",
    "addressSpaceIncludeSubnet": [{
        "subnet": "198.1.1.0/32"
    }],
    "addressSpaceLocDnsServersExcluded": "false",
    "addressSpaceLocalSubnetsExcluded": "false",
    "addressSpaceProtect": "false",
    "applicationLaunch": [{
        "osType": "windows",
        "parameter": "[mcget { example session variable } ]",
        "path": "example.app"
    }],
    "applicationLaunchWarning": "true",
    "autoLaunch": "true",
    "clientInterfaceSpeed": 100000000,
    "clientIpFilterEngine": "false",
    "clientPowerManagement": "ignore",
    "clientProxy": "false",
    "clientProxyAddress": "any6",
    "clientProxyEnforceSubnets": "true",
    "clientProxyExclusionList": "['10.*']",
    "clientProxyIgnoreAutoConfigError": "false",
    "clientProxyLocalBypass": "false",
    "clientProxyPort": 0,
    "clientProxyScript": "function FindProxyForURL(url, host) { return 'PROXY proxy.example.com:8080; DIRECT';}",
    "clientProxyUseHttpPac": "false",
    "clientProxyUseLocalProxy": "false",
    "clientTrafficClassifier": "/common/client_traffic_1",
    "clientTrafficClassifierReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "clientTrayIcon": "true",
    "compression": "none",
    "customizationGroup": "/Common/frog1-F5_VPN_netac_customization",
    "customizationGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "dnsEnforceSearchOrder": "true",
    "dnsPrimary": "any6",
    "dnsRegisterConnection": "false",
    "dnsSecondary": "any6",
    "dnsSuffix": "localhost example.example.com lab.fp.example.com fp.example.com example.com example.com",
    "dnsUseDnsSuffixForRegistration": "false",
    "driveMapping": [{
        "drive": "d",
        "path": "iexplore.exe",
        "description": "Description of Drive D and path configuration."
    }],
    "dtls": "false",
    "dtlsPort": 4433,
    "executeLogoffScripts": "false",
    "idleTimeoutThreshold": 0,
    "idleTimeoutWindow": 0,
    "ipv6AddressSpaceExcludeSubnet": [{
        "subnet": "3456::/16"
    }],
    "ipv6AddressSpaceIncludeSubnet": [{
        "subnet": "1234::/16"
    }],
    "ipv6DnsPrimary": "any6",
    "ipv6DnsSecondary": "any6",
    "ipv6LeasepoolName": "/Common/leasepool1",
    "ipv6LeasepoolNameReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "leasepoolName": "/Common/rly_NA_wiz_601_lp",
    "leasepoolNameReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "microsoftNetworkClient": "true",
    "microsoftNetworkServer": "false",
    "networkTunnel": "enabled",
    "optimizedAppReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "preserveSourcePortStrict": "none",
    "provideClientCert": "true",
    "proxyArp": "false",
    "snat": "automap",
    "snatpool": "/Common/snatpool1",
    "splitTunneling": "false",
    "staticHost": [{
        "address": "203.0.113.0",
        "hostname": "www.example.com"
    }],
    "supportedIpVersion": "ipv4",
    "syncWithActiveDirectory": "false",
    "winsPrimary": "any6",
    "winsSecondary": "any6",
    "type": "network-access",
    "name": "foo",
    "partition": "Common",
    "subPath": "/folder",
    "lsoDeviceReference": {
        "id": "844cfd8a-9e02-48e9-ba94-bb21a4ab444",
        "name": "bigip.foo.com",
        "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
        "machineId": "844cfd8a-9e02-48e9-ba94-bb21a4ab444",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "isLsoShared": false,
    "deviceGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
    "kind": "cm:access:working-config:apm:aaa:state",
    "selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed",
    "description": "Application configuration details."
}
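
Compared with the responses on this page, the PATCH request body above omits id, kind, selfLink, name, partition, subPath, lsoDeviceReference and deviceGroupReference, and sends only the link of each *Reference object. The following is an added example, not BIG-IQ's own code: it derives such a body from a GET response and checks the include/exclude subnet lists before the change is sent. Treating the omitted fields as server-managed is an assumption drawn from the examples; to_patch_body, check_subnets and the sample data are hypothetical.

```python
import ipaddress

# Assumption: these fields are server-managed. They appear in the responses
# on this page but not in the PATCH request body.
SERVER_MANAGED = {"id", "kind", "selfLink", "name", "partition", "subPath",
                  "lsoDeviceReference", "deviceGroupReference"}
SUBNET_LISTS = ("addressSpaceIncludeSubnet", "addressSpaceExcludeSubnet",
                "ipv6AddressSpaceIncludeSubnet", "ipv6AddressSpaceExcludeSubnet")
LINK = "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"

# Constructed sample: a trimmed copy of the response shown on this page, with
# one exclude subnet deliberately changed so that its host bits are set.
SAMPLE = {
    "addressSpaceIncludeSubnet": [{"subnet": "198.1.1.0/32"}],
    "addressSpaceExcludeSubnet": [{"subnet": "192.16.1.0/21"}],
    "ipv6AddressSpaceExcludeSubnet": [{"subnet": "3456::/16"}],
    "leasepoolName": "/Common/rly_NA_wiz_601_lp",
    "leasepoolNameReference": {"name": "resourceName", "link": LINK},
    "splitTunneling": "false",
    "name": "foo", "partition": "Common", "subPath": "/folder",
    "id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
}


def to_patch_body(resource):
    """Derive a PATCH request body from a GET response (hypothetical helper)."""
    body = {}
    for key, value in resource.items():
        if key in SERVER_MANAGED:
            continue
        if key.endswith("Reference") and isinstance(value, dict) and "link" in value:
            value = {"link": value["link"]}  # the PATCH example sends only the link
        body[key] = value
    return body


def check_subnets(body):
    """Return a list of problems found in the include/exclude subnet lists."""
    problems = []
    for field in SUBNET_LISTS:
        for entry in body.get(field, []):
            text = entry.get("subnet", "")
            try:
                net = ipaddress.ip_network(text, strict=True)
            except ValueError as exc:
                problems.append(f"{field}: {exc}")
                continue
            if (net.version == 6) != field.startswith("ipv6"):
                problems.append(f"{field}: {text} is IPv{net.version}")
            elif net.prefixlen == 0 and "Exclude" in field:
                problems.append(f"{field}: {text} keeps all traffic out of the tunnel")
    return problems


if __name__ == "__main__":
    patch = to_patch_body(SAMPLE)
    print(sorted(patch))
    print(check_subnets(patch))
```

Running the subnet check before every PATCH catches a mistyped or overly broad exclude entry before it reaches clients, since excluded subnets are not forced through the tunnel.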

Delete Network Access

DELETE /mgmt/cm/access/working-config/apm/resource/network-access/<id>

Response

HTTP/1.1 200 OK
{
    "addressSpaceDhcpRequestsExcluded": "true",
    "addressSpaceExcludeDnsName": "['*example.com']",
    "addressSpaceExcludeSubnet": [{
        "subnet": "192.16.0.0/21"
    }],
    "addressSpaceIncludeDnsName": "['*.example.com *.example.com example.com example.com']",
    "addressSpaceIncludeSubnet": [{
        "subnet": "198.1.1.0/32"
    }],
    "addressSpaceLocDnsServersExcluded": "false",
    "addressSpaceLocalSubnetsExcluded": "false",
    "addressSpaceProtect": "false",
    "applicationLaunch": [{
        "osType": "windows",
        "parameter": "[mcget { example session variable } ]",
        "path": "example.app"
    }],
    "applicationLaunchWarning": "true",
    "autoLaunch": "true",
    "clientInterfaceSpeed": 100000000,
    "clientIpFilterEngine": "false",
    "clientPowerManagement": "ignore",
    "clientProxy": "false",
    "clientProxyAddress": "any6",
    "clientProxyEnforceSubnets": "true",
    "clientProxyExclusionList": "['10.*']",
    "clientProxyIgnoreAutoConfigError": "false",
    "clientProxyLocalBypass": "false",
    "clientProxyPort": 0,
    "clientProxyScript": "function FindProxyForURL(url, host) { return 'PROXY proxy.example.com:8080; DIRECT';}",
    "clientProxyUseHttpPac": "false",
    "clientProxyUseLocalProxy": "false",
    "clientTrafficClassifier": "/common/client_traffic_1",
    "clientTrafficClassifierReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "clientTrayIcon": "true",
    "compression": "none",
    "customizationGroup": "/Common/frog1-F5_VPN_netac_customization",
    "customizationGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "dnsEnforceSearchOrder": "true",
    "dnsPrimary": "any6",
    "dnsRegisterConnection": "false",
    "dnsSecondary": "any6",
    "dnsSuffix": "localhost example.example.com lab.fp.example.com fp.example.com example.com example.com",
    "dnsUseDnsSuffixForRegistration": "false",
    "driveMapping": [{
        "drive": "d",
        "path": "iexplore.exe",
        "description": "Description of Drive D and path configuration."
    }],
    "dtls": "false",
    "dtlsPort": 4433,
    "executeLogoffScripts": "false",
    "idleTimeoutThreshold": 0,
    "idleTimeoutWindow": 0,
    "ipv6AddressSpaceExcludeSubnet": [{
        "subnet": "3456::/16"
    }],
    "ipv6AddressSpaceIncludeSubnet": [{
        "subnet": "1234::/16"
    }],
    "ipv6DnsPrimary": "any6",
    "ipv6DnsSecondary": "any6",
    "ipv6LeasepoolName": "/Common/leasepool1",
    "ipv6LeasepoolNameReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "leasepoolName": "/Common/rly_NA_wiz_601_lp",
    "leasepoolNameReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "microsoftNetworkClient": "true",
    "microsoftNetworkServer": "false",
    "networkTunnel": "enabled",
    "optimizedAppReference": {
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "preserveSourcePortStrict": "none",
    "provideClientCert": "true",
    "proxyArp": "false",
    "snat": "automap",
    "snatpool": "/Common/snatpool1",
    "splitTunneling": "false",
    "staticHost": [{
        "address": "203.0.113.0",
        "hostname": "www.example.com"
    }],
    "supportedIpVersion": "ipv4",
    "syncWithActiveDirectory": "false",
    "winsPrimary": "any6",
    "winsSecondary": "any6",
    "type": "network-access",
    "name": "foo",
    "partition": "Common",
    "subPath": "/folder",
    "lsoDeviceReference": {
        "id": "844cfd8a-9e02-48e9-ba94-bb21a4ab444",
        "name": "bigip.foo.com",
        "kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
        "machineId": "844cfd8a-9e02-48e9-ba94-bb21a4ab444",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "isLsoShared": false,
    "deviceGroupReference": {
        "name": "resourceName",
        "kind": "shared:resolver:device-groups:devicegroupstate",
        "link": "https://localhost/mgmt/shared/foo/bar/844cfd8a-9e02-48e9-ba94-bb21a4ab444"
    },
    "id": "8f1fcb69-1f3c-3c0d-812e-af4fdde0ac11",
    "kind": "cm:access:working-config:apm:aaa:state",
    "selfLink": "https://localhost/mgmt/cm/access/working-config/apm/f0938680-57d5-377f-8c73-da4c2ce561ed",
    "description": "Application configuration details."
}