
F5 VPN Config

This document details the steps to configure routing on the F5 so that internal apps are reachable over the VPN.

Routing

  1. Connect to the VPN
  2. Log in to https://vpn.platform.hmcts.net/. If this does not work, look for the VM mgmt-vpn-2-vm and use its public IP to log in. If you are accessing the F5 portal for the first time, submit a pull request to the user accounts file in this repo and ask someone with existing access to create your account. If you lose your login details, a person with existing access can provide you with new credentials.

  3. To make the changes to the ACL, click ‘Access’ → ‘Access Control Lists’ → ‘User-defined ACLs’ → ‘acl_vpn_reform’, direct link

  4. Make sure the range in question is NOT already added. (If the range is already there and your app is still not accessible through the F5, see the Common Issues section below.)

  5. You will see a list of ACLs for all the entries. Open two tabs in your browser on the same page, open an existing one and then click ‘Add’ for your new one. Copy the required details from the existing one to the new one. Note: If using Firefox then the search function probably won’t find the IP address you type in.

  6. You will find two entries, HTTP and HTTPS. Edit these to add the new CIDR range, as in the example below:

Access Policy

  1. Navigate to Connectivity Profiles to make a corresponding change to the routing. (Screenshot: Connectivity Profiles)

  2. Add the new CIDR range under IPV4 and IPV6. After verification, click Apply Access Policy in the top left corner of the portal to propagate the routing changes. (Screenshot: VPN ACL)

  3. Log out of your current F5 VPN session (https://portal.platform.hmcts.net) and log back in to verify that the routing table now includes the new network address space, as shown below:

Apply Access Policy

Once you have made a change to F5, you are required to Apply Access Policy.

  • When a change has been made, you need to Apply Access Policy before the change takes effect on the F5. You will notice a prompt for this in the top left of the F5 Portal once you have made a change.

Select Apply Access Policy

  • Review the Access profile and ensure the option prof_portal.platform.hmcts.net is ticked

Select Apply

  • The Access profile policies are then shown; all of them should already be ticked.

Select Apply

  • Once the apply has succeeded, all access profiles should show as green

Common Issues

App not available through the F5 after the CIDR range was added to the ‘acl_vpn_reform’ Access Control List?

If your app is not available after adding the CIDR range, and you know that the app is accessible internally (from an internal pod etc.) and is only unavailable through the F5, check whether the CIDR range or the DNS zone is missing from the network access lists. Follow the steps below.

  1. Click ‘Access’ → ‘Connectivity/VPN’ → ‘Network Access (VPN)’ → ‘Network Access Lists’ and then select netacl_mojvpn from the list

  2. Click on the Network Settings tab

  3. Change from Basic to Advanced in the Client Settings

  4. Add the new CIDR range under IPV4 and IPV6 if it is not there already

  5. Make sure the private DNS zone has been added under DNS Address Space too

Other common issues

  • Failed HDD encryption check: this most likely means that FileVault is turned off if it’s a Mac, or that one of the other whitelisted Full Disk Encryption products needs to be installed and in use on a Windows/Ubuntu machine.
  • User is not assigned to a role for the application: https://hmcts.github.io/onboarding/person/#person
  • Failed to open tunnel, Tunnel server already launched: find the svpn process id with ps alx | grep svpn, then kill that process ID with kill -9 [the process id from the ps command], and/or restart the machine.
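The stale-tunnel fix above, as an added shell example that is not part of the HMCTS runbook. The one-liner in the runbook, ps alx | grep svpn, also matches the grep process that is searching, so this version picks the PID out of the command column instead, and sends TERM before falling back to the runbook's kill -9. The ps output below is constructed for offline demonstration, and the Linux procps column layout (PID in column 3, command from column 13) and the svpn path are assumptions.

```shell
#!/bin/sh
# Added example (not from the HMCTS runbook): find and stop a stale F5 "svpn"
# tunnel process on a workstation without hitting the grep/awk that is searching.

# Constructed sample of `ps alx` output (Linux procps layout assumed; the svpn
# path and PIDs are made up for the demonstration).
SAMPLE_PS='F   UID     PID    PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
4     0       1       0  20   0 167000 11000 -      Ss   ?          0:03 /sbin/init
0   501    4242       1  20   0 412000 20480 -      S    ?          0:00 /opt/f5/svpn --port 44444
0   501    5150    4242  20   0  12000  3000 -      S+   pts/0      0:00 grep svpn'

# Read `ps alx` output on stdin and print the PID of each process whose
# command (field 13) contains "svpn". The "grep svpn" line is skipped
# naturally because its command field is "grep", not "svpn".
svpn_pids() {
    awk 'NR > 1 && $13 ~ /svpn/ { print $3 }'
}

# Stop each PID read from stdin: TERM first, then KILL (the runbook's -9)
# only for a process that is still alive a second later.
stop_pids() {
    for pid in $(cat); do
        kill -TERM "$pid" 2>/dev/null
        sleep 1
        if kill -0 "$pid" 2>/dev/null; then
            kill -KILL "$pid" 2>/dev/null
        fi
    done
}

# Offline demonstration on the constructed sample: prints 4242, signals nothing.
printf '%s\n' "$SAMPLE_PS" | svpn_pids

# Real use, after closing the F5 VPN client:
#   ps alx | svpn_pids | stop_pids
```

If no svpn process remains after this and the client still reports "Tunnel server already launched", the runbook's fallback of restarting the machine still applies.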

If the issue persists or has no available solution, you may need to initiate a support request with F5. To do this you’ll need the F5 serial number / registration key.
To get this, you need to access the command line by SSHing into the VPN appliance.

To ssh you will need an account on the F5 VPN admin site with terminal access set.

ssh from your local terminal session, for example ‘ssh willw@%public IP address%’. Your connection may be blocked by the NSG containing the F5.

There you can run this command: show sys license or tmsh show sys license.

The registration key will show in the output (last seven characters required) and you can then initiate the support request.
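Pulling the last seven characters of the registration key out of the tmsh output, as an added shell example that is not part of the HMCTS runbook. The license output below is constructed (all values are made up), and the exact "Registration key" label in the output of tmsh show sys license is an assumption.

```shell
#!/bin/sh
# Added example (not from the HMCTS runbook): extract the registration key
# suffix that F5 support asks for from `tmsh show sys license` output.

# Constructed sample of `tmsh show sys license` output; every value is made up
# and the "Registration key" label is assumed to match the real output.
SAMPLE_LICENSE='Sys::License
Licensed On           2024/01/01
License Start Date    2024/01/01
License End Date      2025/01/01
Service Check Date    2024/03/01
Platform ID           Z100
Registration key      AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE'

# Read license output on stdin and print the full registration key.
registration_key() {
    awk '/^Registration [Kk]ey/ { print $NF; exit }'
}

# Print only the last seven characters of the key (what the support case needs),
# using POSIX parameter expansion so no external tool is required.
key_suffix() {
    key=$(registration_key)
    [ -n "$key" ] || return 1
    printf '%s\n' "${key#"${key%???????}"}"
}

# Offline demonstration on the constructed sample: prints EEEEEEE.
printf '%s\n' "$SAMPLE_LICENSE" | key_suffix

# Real use from your workstation (account with terminal access required):
#   ssh willw@%public IP address% tmsh show sys license | key_suffix
```

Only the seven-character suffix needs to go into the support case; the full key identifies the licensed unit, so keep the complete output out of tickets and chat.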

To raise a case you will need an account set up with your hmcts.net account on my.f5.com (https://my.f5.com/manage/s/contactsupport). You can also call 0-800-404-9597.

Further instructions on how to raise cases: https://my.f5.com/manage/s/article/K000135931

This page was last reviewed on 1 May 2024. It needs to be reviewed again on 1 May 2025 by the page owner platops-build-notices .