Manual Chapter : Additional Access Policy Manager Configuration Information

Applies To:


BIG-IP APM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 12.1.4, 12.1.3

F5 Access for Android and Chrome OS session variables

The following table lists the session variables and their attributes; each variable is followed by its description.

session.client.type
    Indicates the client type. For example, Standalone.
session.client.platform
    Indicates the platform type, such as Android or Chrome OS.
session.client.plugin
    Indicates whether the client is a plugin. This is always set to 0.
session.client.app_id
    The app ID for the client. For F5 Access for Android and Chrome OS this is com.f5.edge.client_ics.
session.client.app_version
    The Android and Chrome OS app version for the client. For F5 Access for Android 3.0.4 this is 3.0.4.
session.user.agent
    Indicates the browser, device type, and operating system version of the client, as well as the version of F5 Access.
session.client.model
    Indicates the model name of the mobile device. For example, Nexus 6P.
session.client.platform_version
    Indicates the platform and version of the mobile device. For example, 7.0.0. For Android Runtime on Chrome (ARC) the platform version is the Android container version, not the Chrome OS version.
session.client.unique_id
    Indicates the unique ID of the device. For example, 8ccaf965e51e3077.
session.client.imei
    Indicates the IMEI of the device. For example, 490154203237518. (Not applicable for Chrome OS)
session.client.jailbreak
    Indicates the jailbreak status of the device. 0 indicates the device is not jailbroken, 1 indicates the device is jailbroken, and an empty response indicates that the status of the device is unknown.
session.client.biometric_fingerprint
    Indicates whether the device supports biometric fingerprint authentication. 1 indicates that a fingerprint is configured; 0 indicates that a fingerprint is not configured or that the device does not support fingerprint authentication.
session.client.vpn_scope
    Indicates the scope of the VPN tunnel. The result is device for a device-wide VPN connection and per-app for a per-app VPN. (Not applicable for Chrome OS)
session.client.vpn_tunnel_type
    Indicates the type of VPN tunnel. For F5 Access for Android and Chrome OS, this is L3.
session.client.vpn_start_type
    Indicates how the VPN connection was initiated.
      • manual - Indicates that the connection was initiated by the user.
      • mdm - Indicates that the connection was initiated by an MDM.
      • system - Indicates that the connection was initiated on system start-up, in Always-On Mode.
session.client.device_passcode_set
    Indicates whether the user has a device unlock passcode, PIN, pattern, or biometric authentication configured. The result is 1 if a device lock is configured, and 0 if it is not.
session.client.always_connected_mode
    Indicates whether Always-On Mode is configured for the device. The result is 1 if Always-On Mode is enabled, and 0 if it is not.
session.client.hostname
    A human-readable mobile device name. Depending on the device manufacturer and OS version, this might be a Bluetooth device name that the user can change, a Wi-Fi Direct device name that the user can change, or a Linux hostname (for example, android-8ab2bead5c56a02a).
session.client.js
    Indicates whether the device used Web Logon mode to log on. The result is 1 if Web Logon mode was used, and 0 if it was not.
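The variables above are string-valued, and several of them are tri-state (0, 1, or empty for "unknown"). The following added example, which is not part of the F5 documentation, evaluates a device-posture decision over a constructed set of these variables the way an access policy branch would, treating an empty jailbreak value as unknown rather than as clean and applying the Android 6.0 minimum from the configuration tips only when the platform really is Android (under ARC the version variable describes the Android container, not Chrome OS). The variable names are the page's; the sample values and the policy thresholds are assumptions.

```python
# Constructed sample of the session variables F5 Access reports, as an access
# policy would see them: every value is a string, and an empty string means the
# client could not determine the value (the chapter's "unknown" jailbreak case).
SAMPLE_SESSION = {
    "session.client.platform": "Android",
    "session.client.platform_version": "7.0.0",
    "session.client.jailbreak": "",
    "session.client.device_passcode_set": "1",
    "session.client.vpn_start_type": "mdm",
}

def jailbreak_state(session):
    """Tri-state reading of session.client.jailbreak: '0', '1', or empty/absent."""
    value = session.get("session.client.jailbreak", "")
    return {"0": "clean", "1": "jailbroken"}.get(value, "unknown")

def platform_version(session):
    """Parse '7.0.0' into (7, 0, 0); an empty or malformed value becomes None."""
    raw = session.get("session.client.platform_version", "")
    try:
        return tuple(int(part) for part in raw.split("."))
    except ValueError:
        return None

def evaluate_posture(session, min_android=(6, 0), allow_unknown_jailbreak=False):
    """Return (allow, reasons): the device is allowed only if every check passes."""
    reasons = []
    state = jailbreak_state(session)
    if state == "jailbroken":
        reasons.append("device reports jailbroken")
    elif state == "unknown" and not allow_unknown_jailbreak:
        reasons.append("jailbreak status unknown, treated as deny")
    if session.get("session.client.device_passcode_set") != "1":
        reasons.append("no device lock configured")
    # The version check applies to Android only: under ARC on Chrome OS the
    # variable carries the Android container version, not the Chrome OS version.
    if session.get("session.client.platform") == "Android":
        version = platform_version(session)
        if version is None or version < min_android:
            reasons.append(f"Android version {version} below {min_android}")
    if session.get("session.client.vpn_start_type") not in ("manual", "mdm", "system"):
        reasons.append("unexpected vpn_start_type")
    return (not reasons, reasons)
```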

Access Policy Manager configuration tips

The following table provides tips for setting up F5 Access for devices; each feature is followed by the relevant information.

Proxy servers
    Public and private-side proxy servers are not currently supported.
Client endpoint checks
    Client endpoint checks are not currently supported.
Require device authentication
    For devices with Android 6.0 or later, F5 Access can require device authentication with one of the device locking methods, including biometric authentication, a PIN, a pattern, or a passphrase. To enable device authentication for F5 Access, in the Connectivity Profile under Android Edge Client, enable the options Allow Password Caching and Require Device Authentication.
    This setting has no effect on devices with a pre-Android 6.0 OS. On such devices, even with this setting configured on the server, users must enter a password for each connection.
Password caching policy
      • In the Connectivity profile, you can configure password caching by enabling the setting Allow Password Caching. When this setting is enabled, after a successful logon the submitted credentials are cached.
      • Specify a Save Password Method.
        • If you select disk, an encrypted password is cached on the device with no expiration time.
        • If you select memory, an encrypted password is cached on the device for the time specified in the Password Cache Expiration (minutes) field.
      • Credentials are not cleared if the user disconnects or restarts the device.
      • If credentials are cached and the Save Password Method is memory, then credentials are cached until one of the following events occurs:
        • The specified credential cache duration expires.
        • The server address of the configuration within the application changes.
        • The username of the configuration within the application changes.
        • The F5 Access user switches between configurations.
      • To require the user to authenticate on the device before unlocking the cached credentials, select Require Device Authentication.
Client certificates
    Client certificate authentication is supported in Web Logon mode with or without a password. In standard logon mode, certificates are supported, but a password is required. A password (including an empty password) can be saved in the configuration.

About starting the client from a URL scheme

You can start F5 Access connections for users from a URL. You can then provide these URLs to users, so they can start the VPN connection without having to manually start the application. If there is already an active connection, a prompt appears to warn the user that the existing connection must be stopped before the new connection can start. The connection uses a client certificate if it is specified in the existing configuration.
URL connections use the following parameters. This is an example; you must provide your own parameters and values.
f5access://{start|stop}?[parameter1=value1&parameter2=value2...]
Special characters in parameters must be URL-encoded.
You can start an alternate light client with no client branding, using the following parameters.
f5access-lite://{start|stop}?[parameter1=value1&parameter2=value2...]
The syntax to start a connection from a URL follows.
start
    Starts a connection. The start command requires either the name or server parameter to be present in the URL. If the name parameter is specified, then F5 Access looks for the name in the list of existing configuration entries. If the server parameter is specified, then the name parameter is set to the same value as the server parameter. A new configuration is created if a configuration with that name does not exist. If the specified configuration already exists, the other parameters specified in the URL are merged with the existing configuration. The result of this merged configuration is used only for the current, active connection, and does not persist. If a name is specified with other parameters, such as server, username, or password, those parameters override what is specified in the configuration.
sid
    A parameter used to specify the session ID with which to start the connection. When the sid parameter is provided, the username and password parameters are ignored, and no additional authentication occurs.
username
    A parameter used to specify the user name with which to start the connection. When the username is specified without a password, an authentication prompt is displayed.
password
    A parameter used to specify the password with which to start the connection. When the password parameter is specified, it is used as a one-time password and is not saved in the configuration.
postlaunch_url
    A parameter used to specify the URL that starts after the connection starts.
logon_mode
    An optional parameter that specifies whether the logon mode is the standard logon (native) or web logon (web). The default logon mode is native.
hide_ui_when_connected
    An optional parameter to minimize the F5 Access user interface for users when a connection has been established successfully. The value can be either yes or no. The default value is no.
fips_mode
    An optional parameter to enable a connection compatible with FIPS 140-2 operation mode. The value can be either yes or no. The default value is no. The mode fips_mode=yes cannot be used with logon_mode=web.
allowed_apps and disallowed_apps
    Allows or denies a list of applications access to the VPN. Only one of the two options can be used at a given time.
securid_sn
    An optional parameter to present the software token serial number for RSA SecurID authentication.
allow_bypass
    An optional parameter to allow apps to bypass the VPN connection. The value can be either yes or no. The default value is no.

Examples of starting a client from a URL

The following examples illustrate how to start F5 Access connections for users from a URL.
Connecting to an existing configuration called MYVPN:
f5access://start?name=MYVPN
Connecting to an existing configuration called MYVPN and including the server URL myvpn.siterequest.com:
f5access://start?name=MYVPN&server=myvpn.siterequest.com
Connecting to a specific server called myvpn.siterequest.com:
f5access://start?server=myvpn.siterequest.com
Connecting to a specific server called myvpn.siterequest.com with web logon enabled:
f5access://start?server=myvpn.siterequest.com&logon_mode=web
Connecting to an existing configuration called MYVPN and including the username smith and the password passw0rd:
f5access://start?name=MYVPN&username=smith&password=passw0rd
Starting a connection to a configuration called MYVPN and specifying the post-launch URL jump://?host=10.10.1.10&username=smith:
f5access://start?name=MYVPN&postlaunch_url=jump%3A%2F%2F%3Fhost%3D10.10.1.10%26username%3Dsmith
Note: jump is an example of an application URL scheme. Replace jump with the URL scheme of the application that the administrator plans to launch. The string that follows the URL scheme and carries that scheme's parameters must be URL-encoded. To find out the URL scheme of an application, contact the app developer.
Examples:
Launching the Google Chrome browser to access http://example.com/login?username=smith&from=10.10.10.10:443 after the VPN tunnel is up:
f5access://start?name=MYVPN&postlaunch_url=googlechrome%3A%2F%2Fexample.com%2Flogon%3Fusername%3Dsmith%26from%3D10.10.10.10%3A443
Launching the Google Chrome browser to access https://example.com/login?username=smith&from=10.10.10.10:443 after the VPN tunnel is up:
f5access://start?name=MYVPN&postlaunch_url=googlechromes%3A%2F%2Fexample.com%2Flogon%3Fusername%3Dsmith%26from%3D10.10.10.10%3A443
Starting a connection called apm_rsa with a SecurID software token 000117906115:
f5access://start?name=apm_rsa&securid_sn=000117906115
Stopping a connection:
f5access://stop
Minimizing the F5 Access UI:
f5access://start?name=MYVPN&username=smith&password=passw0rd&hide_ui_when_connected=yes
Starting a connection in Lite mode:
f5access-lite://start?name=apm&server=edgeportal.siterequest.com&username=test&x-cancel=http%3A%2F%2Fgoogle.com&x-error=http%3A%2F%2Fyahoo.com&x-success=http%3A%2F%2Ff5.com
Stopping a connection in Lite mode:
f5access-lite://stop?x-cancel=edgeportal.siterequest.com&x-error=http%3A%2F%2Fyahoo.com&x-success=http%3A%2F%2Ff5.com
Allowing a list of applications to access the VPN:
f5access://start?name=myvpn&allowed_apps=com.android.chrome,org.mozilla.firefox
Preventing a list of applications from accessing the VPN:
f5access://start?name=myvpn&disallowed_apps=com.android.chrome,org.mozilla.firefox

About defining a server from a URL

You can add BIG-IP® server definitions to F5 Access from a URL. You can provide these URLs to users, so they can create and/or start VPN connections without having to manually start the application.
Use the following URL and parameters to create a server:
f5access://create?server=server_address[&parameter1=value1&parameter2=value2...]
Special characters in parameters must be URL-encoded.
The syntax to define a server from a URL follows.
server
    The server address is either a DNS name or an IP address.
name
    An optional description of the server.
username
    An optional parameter used to specify the user name with which to start the connection. When the username is specified without a password, an authentication prompt is displayed. If no username is specified during server creation, the user is prompted for it at session initiation, if required.
password
    An optional parameter used to specify the password with which to start the server connection. When the password parameter is specified, it is used as a one-time password and is not saved in the configuration.
cert_url
    The URL for downloading a client certificate in .P12 format.
cert_keychain_alias
    Identifies a certificate from the device credentials storage.
certcn
    Certificate common name. Matches the common name of the issuer of a valid certificate pre-installed on the device.
    Only one of certcn, cert_url, or cert_keychain_alias can be specified.
logon_mode
    Specifies whether the logon mode is the standard logon (native) or web logon (web). The default logon mode is native.
fips_mode
    An optional parameter to enable a connection compatible with FIPS 140-2 operation mode. The value can be either yes or no. The default value is no. The mode fips_mode=yes cannot be used with logon_mode=web.
allowed_apps and disallowed_apps
    Allows or denies a list of applications access to the VPN. Only one of the two options can be used at a given time.
securid_sn
    An optional parameter to present the software token serial number for RSA SecurID authentication.
allow_bypass
    An optional parameter to allow apps to bypass the VPN connection. The value can be either yes or no. The default value is no.
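The start and create parameter lists above share several constraints (a start URL needs name or server, fips_mode=yes excludes logon_mode=web, allowed_apps and disallowed_apps are mutually exclusive, and only one certificate selector may be given), and every value must be URL-encoded so that a nested postlaunch_url survives inside the outer query string. The following added example, which is not F5's code, builds and validates such URLs from those rules and decodes an existing URL to list the sensitive parameters (password, sid) it carries, since anything in a URL tends to end up in logs, browser history and MDM consoles. The parameter sets are taken from this chapter; the lite-client x-cancel/x-error/x-success parameters seen in the examples are not modelled.

```python
from urllib.parse import quote, urlsplit, parse_qsl

# Parameter names this chapter documents for each action (this example's own
# tables; the app may accept others, such as the lite client's x-* parameters).
START_PARAMS = {"name", "server", "sid", "username", "password", "postlaunch_url",
                "logon_mode", "hide_ui_when_connected", "fips_mode", "allowed_apps",
                "disallowed_apps", "securid_sn", "allow_bypass"}
CREATE_PARAMS = {"server", "name", "username", "password", "cert_url", "cert_keychain_alias",
                 "certcn", "logon_mode", "fips_mode", "allowed_apps", "disallowed_apps",
                 "securid_sn", "allow_bypass"}
# Values that are written to logs, history and MDM consoles if they travel in a URL.
SECRET_PARAMS = {"password", "sid"}

def validate_params(action, params):
    """Raise ValueError for combinations the chapter says are not allowed."""
    allowed = {"start": START_PARAMS, "stop": set(), "create": CREATE_PARAMS}[action]
    unknown = set(params) - allowed
    if unknown:
        raise ValueError(f"{action} does not take {sorted(unknown)}")
    if action == "start" and not ({"name", "server"} & set(params)):
        raise ValueError("start requires name or server")
    if action == "create" and "server" not in params:
        raise ValueError("create requires server")
    if params.get("fips_mode") == "yes" and params.get("logon_mode") == "web":
        raise ValueError("fips_mode=yes cannot be used with logon_mode=web")
    if {"allowed_apps", "disallowed_apps"} <= set(params):
        raise ValueError("allowed_apps and disallowed_apps are mutually exclusive")
    if len({"certcn", "cert_url", "cert_keychain_alias"} & set(params)) > 1:
        raise ValueError("only one of certcn, cert_url or cert_keychain_alias")

def build_f5access_url(action, lite=False, **params):
    """Build an f5access:// (or f5access-lite://) URL with every value URL-encoded."""
    validate_params(action, params)
    parts = []
    for key, value in params.items():
        if isinstance(value, (list, tuple)):      # app lists are comma-separated
            value = ",".join(value)
        # safe="," keeps list commas literal; ':' '/' '?' '&' '=' are all encoded,
        # which is what lets a postlaunch_url nest inside the outer query string.
        parts.append(f"{key}={quote(str(value), safe=',')}")
    scheme = "f5access-lite" if lite else "f5access"
    return f"{scheme}://{action}" + (f"?{'&'.join(parts)}" if parts else "")

def inspect_f5access_url(url):
    """Decode a URL into (action, params) and list the secret parameters it carries."""
    split = urlsplit(url)
    params = dict(parse_qsl(split.query, keep_blank_values=True))
    return split.netloc, params, sorted(SECRET_PARAMS & set(params))
```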

Examples of defining a server from a URL

The following examples illustrate how to define servers for F5 Access connections from a URL.
Create a server at edgeportal.siterequest.com:
f5access://create?server=edgeportal.siterequest.com
Create a server named EdgePortal with the server URL edgeportal.siterequest.com:
f5access://create?name=EdgePortal&server=edgeportal.siterequest.com
Create the same server with a user name, password, and certificate:
f5access://create?name=EdgePortal&server=edgeportal.siterequest.com&username=edgeportal&password=androiddemo&certcn=clientcert-cert.siterequest.com
Create the same server with a user name and certificate:
f5access://create?name=EdgePortal&server=edgeportal.siterequest.com&username=edgeportal&certcn=clientcert-cert.siterequest.com
Identify a certificate from the device credentials storage:
f5access://create?server=edgeportal.siterequest.com&name=EdgePortal&cert_keychain_alias=<certificate alias>
Creating a connection called apm_rsa to server https://rsa.siterequest.com with a SecurID software token 000117906115:
f5access://create?name=apm_rsa&server=https%3A%2F%2Frsa.siterequest.com&logon_mode=web&securid_sn=000117906115
Creating a list of applications allowed to access the VPN:
f5access://create?server=edgeportal.siterequest.com&name=EdgePortal&allowed_apps=com.android.chrome,org.mozilla.firefox
Creating a list of applications forbidden to access the VPN:
f5access://create?server=edgeportal.siterequest.com&name=EdgePortal&disallowed_apps=com.android.chrome,org.mozilla.firefox