F5 BIG-IP Configuration

This section covers the steps performed in the BIG-IP web configuration utility. The BIG-IP you will be accessing for this lab has been pre-configured for the lab environment.

1. Launch Chrome Browser

Double-click the Chrome Browser on the lab desktop.

2. Open F5 Web Admin Console

  1. Select the "BIG-IP" shortcut from the bookmarks bar or navigate to "https://bigip-01.corp.local".
  2. Enter "admin" for the Username field.
  3. Enter "VMware1!" for the Password field.
  4. Click Login.

3. Create A Network Access Policy

This step will use the BIG-IP configuration utility wizard to assist you in creating a remote access configuration using Access Policy Manager (APM).

3.1. Start the Network Access Policy Wizard

  1. Click Wizards.
  2. Click Device Wizards.
  3. Select Network Access Setup Wizard for Remote Access.
  4. Click Next.

3.2. Set the Basic Properties

  1. Enter "f5_airwatch_policy" for the Policy Name field.
  2. Enter "f5_airwatch_policy" for the Caption field.
  3. Uncheck Enable Antivirus Check in Access Policy.
  4. Enter "192.168.120.1" for the IPv4 Gateway Address field.
  5. Click "Next".

3.3. Select Access Policy Authentication

We will be setting the authentication type at a later step.

  1. Select No Authentication for the Select Authentication choice.
  2. Click Next.

3.4. Set the Lease Pool Range

A lease pool is a pool of available IP addresses that BIG-IP will assign to remote clients for network access. The size of this pool needs to be large enough to provide enough address space for the total concurrent connections licensed by APM.

  1. Enter "192.168.2.100" for the Start IP Address field.
  2. Enter "192.168.2.199" for the End IP Address field.
  3. Click Add.
  4. Click Next.
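The sizing requirement stated above can be checked before the wizard is run. The following is an added example, not part of the lab guide or of F5's own tooling: it expands the lab's lease range (step 3.4), compares the pool size with a licensed concurrent-connection count, and flags any pool address that overlaps with the IPv4 gateway (step 3.2) or the virtual server address (step 3.7). The licence count is a constructed assumption, since the lab does not state it.

```python
"""Lease pool sizing check for the APM Network Access lease pool.

Added example, not part of the lab guide or of F5's tooling. The lease range
(192.168.2.100-192.168.2.199), the IPv4 gateway (192.168.120.1) and the virtual
server address (192.168.5.11) are the lab values; the licensed concurrent
connection count is a constructed assumption.
"""
import collections
import ipaddress
from typing import Dict, Iterable, List, Tuple

Range = Tuple[str, str]  # (Start IP Address, End IP Address) as entered in the wizard


def pool_addresses(ranges: Iterable[Range]) -> List[ipaddress.IPv4Address]:
    """Expand each (start, end) lease range into its individual IPv4 addresses."""
    addrs: List[ipaddress.IPv4Address] = []
    for start, end in ranges:
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi:
            raise ValueError(f"lease range start {lo} is after its end {hi}")
        addrs.extend(ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1))
    return addrs


def check_lease_pool(ranges: Iterable[Range], licensed_concurrent: int,
                     reserved: Iterable[str]) -> Dict[str, object]:
    """Size the pool against the licensed concurrent connections and flag
    addresses that appear in more than one range or collide with reserved
    infrastructure addresses (gateway, virtual server)."""
    counts = collections.Counter(pool_addresses(ranges))
    reserved_set = {ipaddress.IPv4Address(r) for r in reserved}
    return {
        "pool_size": len(counts),
        # Addresses still needed to cover every licensed concurrent client.
        "shortfall": max(0, licensed_concurrent - len(counts)),
        "duplicates": [str(a) for a in sorted(a for a, c in counts.items() if c > 1)],
        "collisions": [str(a) for a in sorted(a for a in counts if a in reserved_set)],
    }


LAB_RANGES = [("192.168.2.100", "192.168.2.199")]   # step 3.4
LAB_RESERVED = ["192.168.120.1", "192.168.5.11"]    # steps 3.2 and 3.7
ASSUMED_LICENSED_CONCURRENT = 100                   # constructed assumption

if __name__ == "__main__":
    print(check_lease_pool(LAB_RANGES, ASSUMED_LICENSED_CONCURRENT, LAB_RESERVED))
```

A non-zero shortfall means the pool is smaller than the licensed connection count; overlapping ranges are counted once, so adding a second range that duplicates addresses does not enlarge the pool.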

3.5. Configure Network Access Settings

The client settings should be set according to the deployment scenario requirements. In this example, all traffic will be forced through the SSL VPN tunnel.

  1. Ensure that for Traffic Options, the preselected option is Force all traffic through tunnel.
  2. Click Next.

3.6. Configure DNS Hosts

  1. Enter "192.168.110.10" for the first Primary Name Server field.
  2. Enter "corp.local" for the DNS Default Domain Suffix field.
  3. Scroll down if necessary.
  4. Click Next.

3.7. Enter the Virtual Server IP Address

Finally, the Virtual Server IP Address needs to be defined.

  1. Enter "192.168.5.11" for the Virtual Server IP Address field.
  2. Uncheck the Create Redirect Virtual Server checkbox.
  3. Click Next.

3.8. Review & Confirm Configuration

Review your settings, scroll down, and click Next.

3.9. Review Summary of F5 Network Access Configuration

Review your configuration again and click Finished.

4. Adjust the Access Policy to Authenticate Client Certificates for Access

The Network Access Wizard created several components and we will now need to make a few changes to the default settings of those components to enable per-app VPN. Please note that the configuration we are setting up here is as basic as possible. Your organization can configure a more advanced security and access policy that suits your needs.

  1. Click Access Policy.
  2. Click Access Profiles.
  3. Click Edit... on the f5_airwatch_policy Access Policy.

4.1. Add a Node to the Access Policy

Click the first + in front of Logon Page.

4.2. Enable Client Certificate Authentication

  1. Click Authentication.
  2. Select On-Demand Cert Auth.
  3. Click Add Item.

4.3. Set Cert Auth Mode to Require

  1. Set Auth Mode to Require.
  2. Click Save.

4.4. Apply the Access Policy Updates

  1. Click Apply Access Policy.
  2. Close the Access Policy Editor tab in the browser to return to the F5 Admin Console.

5. Configure Advanced Settings of the Virtual Server

  1. Click Local Traffic.
  2. Click Virtual Servers.
  3. Click f5_airwatch_policy_vs.

5.1. Change the Service Port

Enter "5011" for the Service Port field.

5.2. Edit the Virtual Server Settings

We will need to change the SSL Profile on the F5 Virtual Server to accept Client Certificates from our Enterprise PKI and enable a few options that are required for Per-App VPN.

  1. Scroll down to find the SSL Profile (Client) section.
  2. Select clientssl in the Selected list under SSL Profile (Client).
  3. Click the >> button to remove clientssl from the Selected list.
  4. Select clientssl_holcertreq in the Available list under SSL Profile (Client).
  5. Click the << button to move clientssl_holcertreq to the Selected list.
  6. Select Auto Map for the Source Address Translation dropdown.

5.3. Edit the Virtual Server Settings

  1. Scroll down to the Access Policy section.
  2. Set Application Tunnels to Enabled by checking the box.
  3. Click Update.

6. F5 Configuration Wrap-Up

We've now completed configuration of the F5 BIG-IP. We have created a basic Network Access Policy that will allow us to connect our devices with the F5 Edge Client and securely access internal resources. Our next steps are to configure AirWatch to push all the necessary configurations and activate the specified applications to use the VPN connection, while ensuring other device applications are blocked from accessing your internal network.