Bullish_35184
Jun 18, 2013

Forcing SSL VPN Client Traffic through a certain proxy (on APM).

So, while using Nortel IPSEC VPN I can edit my Internet Options / Connections / LAN Settings and enter an IP for my Proxy Server. This will force my internal internet traffic through that device. If I decide to change it then the settings would work on the fly (no need to disconnect and re-connect). When I try this via the APM SSL VPN connection it doesn't work. Meaning the internet traffic continues to go through the Proxy server for that particular site.

So to expand: If I connect to "Site A" using the Nortel IPSEC VPN my internet traffic will go through the Proxy at "Site A". I can force that traffic through Proxies at "Site B" or "Site C" if I choose. When I use the F5 APM to connect to "Site A" my internet traffic will only go through the Proxy at "Site A". Hardcoding the IE proxy server doesn't help.

Does someone know how to change this behaviour?

Using BIG IP 11.2

 

3 Replies

  • Hi Bullish,

    Are you wanting to manually change the proxy settings on your client? If so are you changing it in "Internet Options"->"Connections"->"LAN Settings" or are you changing them in "Internet Options"->"Connections"->"Dial-up and Virtual Private Network Settings"->"select VPN adapter name"->"Settings"?

    Are you using split tunnel or full tunnel? I have noticed if you are using split tunnel you may need to apply the settings on the virtual adapter.

    Now if you want to set it for all users connecting to the VPN you will have to make the change in the Admin CLI and have the users reconnect.

    Seth Cooper
  • Hi Seth, thanks for the response. I did try both "Internet Options"->"Connections"->"LAN Settings" and "Internet Options"->"Connections"->"Dial-up and Virtual Private Network Settings"->"select VPN adapter name"->"Settings". There was no change after performing it on the LAN Settings. Once I changed it on the virtual adapter and clicked refresh it worked (sending traffic to the Proxy I command). Yet, it only worked for that initial refresh. Once I clicked refresh a second time traffic reverted back to the original proxy. I then checked the Virtual Adapter settings and saw where the hard-coded IP was still there but the option to use it had been disabled. So, if I can just figure out how to get that to stick I might be good to go... I'm going to open a ticket with support and see what they have to say. Thanks for your assistance.

  • Can't be done. Here is the response from F5 Support:

    It is not going to work to change routing on the LAN side of APM Network Access, by forcing things on the browser side. The best explanation I can think of is this:

    The client / browser communication is with the APM, in an SSL client side connection. The APM, upon successful negotiation of that Access session, opens a connection to the LAN side, setting up a lease pool address and proxying between client connection and LAN connections.

    Changes on the client side, in the browser for instance, affect the client side connection. Desired changes of routing on the LAN side are not going to be initiated by changes in the browser.

    Once the Network Access connection is set up; that is, once an SSL VPN connection to APM from the client is established, the routing on LAN side is also established. We do not expect changes in the client browser settings to change the LAN routing tables.
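
Added example, not part of the thread and not F5 or Microsoft code: a Python parser for the per-connection proxy blobs Windows stores under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections` (`DefaultConnectionSettings` for LAN Settings, one value per dial-up/VPN entry), used to confirm the state described in the second reply, where the address is still stored but the option to use it is off. The blob layout is undocumented and assumed here from commonly observed values; the helper names, sample blobs and addresses are constructed.

```python
import struct

# Flag bits; the blob layout is undocumented and assumed from observed values.
FLAG_DIRECT, FLAG_PROXY, FLAG_PAC, FLAG_AUTODETECT = 0x01, 0x02, 0x04, 0x08


def parse_connection_settings(blob: bytes) -> dict:
    """Parse one binary value from the Internet Settings\\Connections key."""
    if len(blob) < 12:
        raise ValueError("blob too short for header")
    _version, counter, flags = struct.unpack_from("<III", blob, 0)
    offset, fields = 12, []
    for _ in range(3):  # proxy server, bypass list, auto-config URL
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from("<I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError("string runs past end of blob")
        fields.append(blob[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return {
        "counter": counter,
        "proxy_enabled": bool(flags & FLAG_PROXY),
        "pac_enabled": bool(flags & FLAG_PAC), "autodetect": bool(flags & FLAG_AUTODETECT),
        "proxy": fields[0], "bypass": fields[1], "pac_url": fields[2],
    }


def stale_proxy(settings: dict) -> bool:
    """True when an address is stored but the 'use a proxy' flag is off."""
    return bool(settings["proxy"]) and not settings["proxy_enabled"]


def build_blob(flags, proxy, bypass="", pac="", counter=1) -> bytes:
    """Build a sample blob (constructed test data, not a real capture)."""
    out = struct.pack("<III", 0x46, counter, flags)
    for text in (proxy, bypass, pac):
        out += struct.pack("<I", len(text)) + text.encode("ascii")
    return out + b"\x00" * 32  # trailing padding seen in real blobs (assumed)


# Constructed samples: LAN entry, and a VPN entry with the flag cleared.
LAN = build_blob(FLAG_DIRECT | FLAG_PROXY, "192.0.2.10:8080", "<local>")
VPN = build_blob(FLAG_DIRECT, "198.51.100.20:8080", counter=7)

for name, blob in (("DefaultConnectionSettings", LAN), ("VPN entry", VPN)):
    s = parse_connection_settings(blob)
    print(name, s["proxy"], "enabled" if s["proxy_enabled"] else "DISABLED")
```

On a live client the blobs would come from reading that registry key before and after a refresh; a changed counter together with a cleared proxy flag shows the entry was rewritten, not ignored.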