Manual Chapter: Additional Access Policy Manager Configuration Information
Applies To: BIG-IP APM 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
F5 Access for Android and Chrome OS session variables
The following table contains a list of session variables and their attributes.
| Session variable | Description |
|---|---|
| `session.client.type` | Indicates the client type. For example, `Standalone`. |
| `session.client.platform` | Indicates the platform type, such as `Android` or `Chrome OS`. |
| `session.client.plugin` | Indicates whether the client is a plugin. This is always set to `0`. |
| `session.client.app_id` | The app ID for the client. For F5 Access for Android and Chrome OS this is `com.f5.edge.client_ics`. |
| `session.client.app_version` | The Android and Chrome OS app version for the client. For F5 Access for Android 3.0.4 this is `3.0.4`. |
| `session.user.agent` | Indicates the browser, device type, and operating system version of the client, as well as the version of F5 Access. |
| `session.client.model` | Indicates the model name of the mobile device. For example, `Nexus 6P`. |
| `session.client.platform_version` | Indicates the platform and version of the mobile device. For example, `7.0.0`. For Android Runtime on Chrome (ARC), the platform version points to the Android container version instead of the Chrome OS version. |
| `session.client.unique_id` | Indicates the unique ID of the device. For example, `8ccaf965e51e3077`. |
| `session.client.imei` | Indicates the IMEI of the device. For example, `490154203237518`. (Not applicable for Chrome OS.) |
| `session.client.jailbreak` | Indicates the jailbreak status of the device. `0` indicates the device is not jailbroken, `1` indicates the device is jailbroken, and an empty value indicates that the status of the device is unknown. |
| `session.client.biometric_fingerprint` | Indicates whether the device supports biometric fingerprint authentication. `1` indicates that a fingerprint is configured; `0` indicates that a fingerprint is not configured or that the device does not support fingerprint authentication. |
| `session.client.vpn_scope` | Indicates the scope of the VPN tunnel. The result is `device` for a device-wide VPN connection and `per-app` for a per-app VPN. (Not applicable for Chrome OS.) |
| `session.client.vpn_tunnel_type` | Indicates the type of VPN tunnel. For F5 Access for Android and Chrome OS, this is `L3`. |
| `session.client.vpn_start_type` | Indicates how the VPN connection was initiated. |
| `session.client.device_passcode_set` | Indicates whether the user has a device unlock passcode, PIN, pattern, or biometric authentication configured. The result is `1` if a device lock is configured, and `0` if it is not. |
| `session.client.always_connected_mode` | Indicates whether Always-On Mode is configured for the device. The result is `1` if Always-On Mode is enabled, and `0` if it is not. |
| `session.client.hostname` | A human-readable mobile device name. The result depends on the device manufacturer and OS version: it might be a Bluetooth device name that can be changed by the user, a Wi-Fi Direct device name that can be changed by the user, or a Linux hostname (for example, `android-8ab2bead5c56a02a`). |
| `session.client.js` | Indicates whether the device used Web Logon mode to log on. The result is `1` if Web Logon mode was used, and `0` if it was not. |
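The variables above are only useful once a policy consumes them, and the table hides one edge case that is easy to get wrong: `session.client.jailbreak` is tri-state, so an empty value means "unknown", not "not jailbroken". The following is an added example, not part of the F5 documentation and not APM's own policy language; it models in Python the kind of posture decision an access policy would make from these variables. The variable names and value meanings are taken from the table; the rules themselves (deny rooted devices, require a device lock, accept only the documented app ID) and the sample sessions are this example's assumptions.

```python
"""Posture evaluation over F5 Access for Android / Chrome OS session variables.

Added example: not F5 code and not APM policy syntax. It treats the session
variables as the string values APM exposes and returns a decision per session.
"""

# From the table: the app ID reported by F5 Access for Android and Chrome OS.
EXPECTED_APP_ID = "com.f5.edge.client_ics"


def posture_decision(session):
    """Return (decision, reason) for one session.

    `session` maps session variable names to string values. A missing variable
    is treated like an empty value, because that is how an unset variable reads.
    """
    def get(name):
        return session.get(name, "")

    # Only the documented client should be reaching this policy.
    if get("session.client.app_id") != EXPECTED_APP_ID:
        return "deny", "unexpected client app_id"

    # jailbreak is tri-state: "1" jailbroken, "0" not jailbroken, "" unknown.
    # The empty case must not be read as "not jailbroken".
    jailbreak = get("session.client.jailbreak")
    if jailbreak == "1":
        return "deny", "device is jailbroken"
    if jailbreak != "0":
        return "review", "jailbreak status unknown"

    # device_passcode_set covers passcode, PIN, pattern and biometric locks.
    if get("session.client.device_passcode_set") != "1":
        return "deny", "no device lock configured"

    return "allow", "posture checks passed"


def evaluate_all(sessions):
    """Map session id -> decision string for a batch of sessions."""
    return {sid: posture_decision(vars_)[0] for sid, vars_ in sessions.items()}


# Constructed sample sessions; the values are made up for illustration.
SAMPLE_SESSIONS = {
    "android-ok": {
        "session.client.app_id": EXPECTED_APP_ID,
        "session.client.platform": "Android",
        "session.client.jailbreak": "0",
        "session.client.device_passcode_set": "1",
        "session.client.vpn_scope": "device",
    },
    "android-rooted": {
        "session.client.app_id": EXPECTED_APP_ID,
        "session.client.platform": "Android",
        "session.client.jailbreak": "1",
        "session.client.device_passcode_set": "1",
    },
    "chromeos-unknown-jailbreak": {
        "session.client.app_id": EXPECTED_APP_ID,
        "session.client.platform": "Chrome OS",
        "session.client.jailbreak": "",
        "session.client.device_passcode_set": "1",
    },
    "android-no-lock": {
        "session.client.app_id": EXPECTED_APP_ID,
        "session.client.platform": "Android",
        "session.client.jailbreak": "0",
        "session.client.device_passcode_set": "0",
    },
    "wrong-app": {
        "session.client.app_id": "com.example.other",  # constructed, not a real client
        "session.client.jailbreak": "0",
        "session.client.device_passcode_set": "1",
    },
}

if __name__ == "__main__":
    for sid, vars_ in SAMPLE_SESSIONS.items():
        print(sid, *posture_decision(vars_))
```

Routing the unknown-jailbreak case to "review" rather than "allow" is the point of the example: a policy that tests only for `1` silently admits every device whose status could not be determined.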
Access Policy Manager configuration tips
The following table provides tips for setting up F5 Access for devices.
| Feature | Information |
|---|---|
| Proxy servers | Public and private-side proxy servers are not currently supported. |
| Client endpoint checks | Client endpoint checks are not currently supported. |
| Require device authentication | You can configure F5 Access to require device authentication with one of the device locking methods, including biometric authentication, a PIN, a pattern, or a passphrase. To enable device authentication for F5 Access, navigate to Connectivity Profile under Android Edge Client, and enable the options Allow Password Caching and Require Device Authentication. |
| Enforce Device Lock | You can configure a specific device locking method by navigating to Connectivity Profile under Android Edge Client and enabling the Enforce Device Lock option. The following options become available for configuration: |
| Password caching policy | |
| Enforce Logon Mode | You can enforce the logon mode for the Android client. In the Connectivity Profile, select Android Edge Client, and click Enforce Logon Mode. Select Native or Web and click OK. The logon mode is enforced for all clients that use the connectivity profile. |
| Client certificates | Client certificate authentication is supported in Web Logon mode with or without a password. In standard logon mode, certificates are supported, but a password is required. A password (including an empty password) can be saved in the configuration. |
About starting the client from a URL scheme
You can start F5 Access connections for users from a URL. You can then provide these URLs to
users, so they can start the VPN connection without having to manually start the application.
If there is already an active connection, a prompt appears to warn the user that the existing
connection must be stopped before the new connection can start. The connection uses a client
certificate if it is specified in the existing configuration.
URL connections use the following parameters. This is an example; you must provide your own parameters and values.
f5access://{start|stop}?[parameter1=value1&parameter2=value2...]
Special characters in parameters must be URL-encoded.
You can start an alternate light client with no client branding by using the following parameters.
f5access-lite://{start|stop}?[parameter1=value1&parameter2=value2...]
The syntax to start a connection from a URL follows.
- `start`
- Starts a connection. The `start` command requires either the `name` or the `server` parameter to be present in the URL. If the `name` parameter is specified, F5 Access looks for the name in the list of existing configuration entries. If the `server` parameter is specified, the `name` parameter is set to the same value as the `server` parameter. A new configuration is created if a configuration with that name does not exist. If the specified configuration already exists, the other parameters specified in the URL are merged with the existing configuration. The merged configuration is used only for the current, active connection and does not persist. If a `name` is specified with other parameters, such as `server`, `username`, or `password`, those parameters override what is specified in the configuration.
- `sid`
- A parameter used to specify the session ID with which to start the connection. When the `sid` parameter is provided, the `username` and `password` parameters are ignored, and no additional authentication occurs.
- `username`
- A parameter used to specify the user name with which to start the connection. When `username` is specified without a `password`, an authentication prompt is displayed.
- `password`
- A parameter used to specify the password with which to start the connection. When the `password` parameter is specified, it is used as a one-time password and is not saved in the configuration.
- `postlaunch_url`
- A parameter used to specify the URL that starts after the connection starts.
- `logon_mode`
- An optional parameter that specifies whether the logon mode is the standard logon (`native`) or web logon (`web`). The default logon mode is `native`.
- `hide_ui_when_connected`
- An optional parameter to minimize the F5 Access user interface for users once a connection has been established successfully. The value can be either `yes` or `no`. The default value is `no`.
- `fips_mode`
- An optional parameter to enable a connection compatible with FIPS 140-2 operation mode. The value can be either `yes` or `no`. The default value is `no`. `fips_mode=yes` cannot be used with `logon_mode=web`.
- `allowed_apps` and `disallowed_apps`
- Allows or prevents a list of applications from accessing the VPN. Only one of the two options can be used at a given time.
- `securid_sn`
- An optional parameter to present the software token serial number for RSA SecurID authentication.
- `allow_bypass`
- An optional parameter to allow apps to bypass the VPN connection. The value can be either `yes` or `no`. The default value is `no`.
Examples of starting a client from a URL
The following examples illustrate how to start F5 Access connections for users from a URL.
Connecting to an existing configuration called MYVPN:
f5access://start?name=MYVPN
Connecting to an existing configuration called MYVPN and including the server URL myvpn.siterequest.com:
f5access://start?name=MYVPN&server=myvpn.siterequest.com
Connecting to a specific server called myvpn.siterequest.com:
f5access://start?server=myvpn.siterequest.com
Connecting to a specific server called myvpn.siterequest.com with web logon enabled:
f5access://start?server=myvpn.siterequest.com&logon_mode=web
Connecting to an existing configuration called MYVPN and including the username smith and the password passw0rd:
f5access://start?name=MYVPN&username=smith&password=passw0rd
Starting a connection to a configuration called MYVPN and specifying the post-launch URL jump://?host=10.10.1.10&username=smith:
f5access://start?name=MYVPN&postlaunch_url=jump%3A%2F%2F%3Fhost%3D10.10.1.10%26username%3Dsmith
Note: The jump scheme is an example of an application URL scheme. Replace jump with the URL scheme of the application that the administrator plans to launch. The string after the URL scheme that carries the parameters for that scheme must be URL-encoded. For details, contact the app developer to learn the URL scheme of the application.
Examples:
Launching the Google Chrome browser to access http://example.com/login?username=smith&from=10.10.10.10:443 after the VPN tunnel is established:
f5access://start?name=MYVPN&postlaunch_url=googlechrome%3A%2F%2Fexample.com%2Flogon%3Fusername%3Dsmith%26from%3D10.10.10.10%3A443
Launching the Google Chrome browser to access https://example.com/login?username=smith&from=10.10.10.10:443 after the VPN tunnel is established:
f5access://start?name=MYVPN&postlaunch_url=googlechromes%3A%2F%2Fexample.com%2Flogon%3Fusername%3Dsmith%26from%3D10.10.10.10%3A443
Starting a connection called apm_rsa with the SecurID software token 000117906115:
f5access://start?name=apm_rsa&securid_sn=000117906115
Stopping a connection:
f5access://stop
Minimizing the F5 Access UI:
f5access://start?name=MYVPN&username=smith&password=passw0rd&hide_ui_when_connected=yes
Starting a connection in Lite mode:
f5access-lite://start?name=apm&server=edgeportal.siterequest.com&username=test&x-cancel=http%3A%2F%2Fgoogle.com&x-error=http%3A%2F%2Fyahoo.com&x-success=http%3A%2F%2Ff5.com
Stopping a connection in Lite mode:
f5access-lite://stop?x-cancel=edgeportal.siterequest.com&x-error=http%3A%2F%2Fyahoo.com&x-success=http%3A%2F%2Ff5.com
Allowing a list of applications to access the VPN:
f5access://start?name=myvpn&allowed_apps=com.android.chrome,org.mozilla.firefox
Preventing a list of applications from accessing the VPN:
f5access://start?name=myvpn&disallowed_apps=com.android.chrome,org.mozilla.firefox
About defining a server from a URL
You can add BIG-IP® server definitions to F5 Access from a URL. You can
provide these URLs to users, so they can create and/or start VPN connections without having to
manually start the application.
Use the following URL and parameters to create a server:
f5access://create?server=server_address[&parameter1=value1&parameter2=value2...]
Special characters in parameters must be URL-encoded.
The syntax to define a server from a URL follows.
- `server`
- The server address, either a DNS name or an IP address.
- `name`
- An optional description of the server.
- `username`
- An optional parameter used to specify the user name with which to start the connection. When `username` is specified without a `password`, an authentication prompt is displayed. If no `username` is specified during server creation, the user is prompted for it at session initiation, if required.
- `password`
- An optional parameter used to specify the password with which to start the server connection. When the `password` parameter is specified, it is used as a one-time password and is not saved in the configuration.
- `cert_url`
- The URL for downloading a client certificate in .P12 format.
- `cert_keychain_alias`
- Identifies a certificate from the device credential storage.
- `certcn`
- Certificate common name. Matches the common name of the issuer of a valid certificate pre-installed on the device. Only one of `certcn`, `cert_url`, or `cert_keychain_alias` can be specified.
- `logon_mode`
- Specifies whether the logon mode is the standard logon (`native`) or web logon (`web`). The default logon mode is `native`.
- `fips_mode`
- An optional parameter to enable a connection compatible with FIPS 140-2 operation mode. The value can be either `yes` or `no`. The default value is `no`. `fips_mode=yes` cannot be used with `logon_mode=web`.
- `allowed_apps` and `disallowed_apps`
- Allows or prevents a list of applications from accessing the VPN. Only one of the two options can be used at a given time.
- `securid_sn`
- An optional parameter to present the software token serial number for RSA SecurID authentication.
- `allow_bypass`
- An optional parameter to allow apps to bypass the VPN connection. The value can be either `yes` or `no`. The default value is `no`.
Examples of defining a server from a URL
The following examples illustrate how to define servers for F5 Access connections from a URL.
Creating a server at edgeportal.siterequest.com:
f5access://create?server=edgeportal.siterequest.com
Creating a server named EdgePortal with the server URL edgeportal.siterequest.com:
f5access://create?name=EdgePortal&server=edgeportal.siterequest.com
Creating the same server with a user name, password, and certificate:
f5access://create?name=EdgePortal&server=edgeportal.siterequest.com&username=edgeportal&password=androiddemo&certcn=clientcert-cert.siterequest.com
Creating the same server with a user name and certificate:
f5access://create?name=EdgePortal&server=edgeportal.siterequest.com&username=edgeportal&certcn=clientcert-cert.siterequest.com
Identifying a certificate from the device credential storage:
f5access://create?server=edgeportal.siterequest.com&name=EdgePortal&cert_keychain_alias=<certificate alias>
Creating a connection called apm_rsa to the server https://rsa.siterequest.com with the SecurID software token 000117906115:
f5access://create?name=apm_rsa&server=https%3A%2F%2Frsa.siterequest.com&logon_mode=web&securid_sn=000117906115
Creating a list of applications allowed to access the VPN:
f5access://create?server=edgeportal.siterequest.com&name=EdgePortal&allowed_apps=com.android.chrome,org.mozilla.firefox
Creating a list of applications forbidden to access the VPN:
f5access://create?server=edgeportal.siterequest.com&name=EdgePortal&disallowed_apps=com.android.chrome,org.mozilla.firefox
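The start and create URL schemes above share a small rule set (start needs `name` or `server`, create needs `server`, `fips_mode=yes` excludes `logon_mode=web`, only one of `allowed_apps`/`disallowed_apps`, only one of `certcn`/`cert_url`/`cert_keychain_alias`) and one encoding trap: a nested `postlaunch_url` has to be percent-encoded so that its own `?`, `&` and `=` do not break the outer query. The following is an added example, not F5's code and not part of this documentation, that builds, validates and parses `f5access://` and `f5access-lite://` URLs in Python. The scheme names, commands and parameter names are the documented ones; the validation helpers, `carries_secret`, and the sample values are this example's own.

```python
"""Build, validate and parse f5access:// and f5access-lite:// URLs.

Added example, not F5 code. It applies the parameter rules documented for the
start, stop and create commands and does the percent-encoding for nested URLs.
"""
from urllib.parse import quote, urlsplit, parse_qs

COMMANDS = ("start", "stop", "create")
SCHEMES = ("f5access", "f5access-lite")
YES_NO_PARAMS = {"hide_ui_when_connected", "fips_mode", "allow_bypass"}
CERT_PARAMS = {"certcn", "cert_url", "cert_keychain_alias"}
LIST_PARAMS = {"allowed_apps", "disallowed_apps"}
SECRET_PARAMS = {"password", "sid"}   # values that make the URL itself a credential


def validate(command, params):
    """Raise ValueError if the parameter set breaks a documented rule."""
    if command not in COMMANDS:
        raise ValueError(f"unknown command {command!r}")
    if command == "start" and not (params.get("name") or params.get("server")):
        raise ValueError("start requires the name or server parameter")
    if command == "create" and not params.get("server"):
        raise ValueError("create requires the server parameter")
    if params.get("fips_mode") == "yes" and params.get("logon_mode") == "web":
        raise ValueError("fips_mode=yes cannot be used with logon_mode=web")
    if LIST_PARAMS <= params.keys():
        raise ValueError("allowed_apps and disallowed_apps are mutually exclusive")
    if len(CERT_PARAMS & params.keys()) > 1:
        raise ValueError("only one of certcn, cert_url, cert_keychain_alias may be given")
    if "logon_mode" in params and params["logon_mode"] not in ("native", "web"):
        raise ValueError("logon_mode must be native or web")
    for key in YES_NO_PARAMS & params.keys():
        if params[key] not in ("yes", "no"):
            raise ValueError(f"{key} must be yes or no")


def build_url(command, params=None, lite=False):
    """Return the scheme URL with every value percent-encoded.

    quote(..., safe="") also encodes ':', '/', '?', '=' and '&', which is what
    lets a nested postlaunch_url survive as one value. List parameters are
    joined with commas, matching the documented allowed_apps form.
    """
    params = dict(params or {})
    validate(command, params)
    scheme = "f5access-lite" if lite else "f5access"
    pairs = []
    for key, value in params.items():
        if key in LIST_PARAMS:
            items = value.split(",") if isinstance(value, str) else value
            encoded = ",".join(quote(item, safe="") for item in items)
        else:
            encoded = quote(str(value), safe="")
        pairs.append(f"{key}={encoded}")
    query = "&".join(pairs)
    return f"{scheme}://{command}" + (f"?{query}" if query else "")


def parse_url(url):
    """Split a scheme URL into (scheme, command, params) with values decoded."""
    parts = urlsplit(url)
    if parts.scheme not in SCHEMES:
        raise ValueError(f"not an F5 Access URL: {url!r}")
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    validate(parts.netloc, params)
    return parts.scheme, parts.netloc, params


def carries_secret(url):
    """True if the URL embeds a password or session ID.

    The documentation says a URL password is one-time and not saved, but the
    link itself still travels through whatever channel delivered it (chat,
    e-mail, browser history), so such a link deserves the handling of a password.
    """
    return bool(SECRET_PARAMS & parse_url(url)[2].keys())


def rejects(command, params, lite=False):
    """True if build_url refuses this parameter set (used to check the rules)."""
    try:
        build_url(command, params, lite=lite)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the documented post-launch example, rebuilt and parsed back.
    url = build_url("start", {"name": "MYVPN",
                              "postlaunch_url": "jump://?host=10.10.1.10&username=smith"})
    print(url)
    print(parse_url(url))
    print("secret in link:", carries_secret("f5access://start?name=MYVPN&password=passw0rd"))
```

`parse_url` runs the same `validate` as `build_url`, so a URL received from a user or found in a log is checked against the documented rules before any of its values are trusted.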