Manual Chapter : Configuring Per-App VPN with APM and F5 Access

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

Configuring Per-App VPN with APM and F5 Access

What is per-app VPN?

Apple's Network Extension framework supports layer-3 tunneling for both device-wide and Per-App VPN tunnels. This means that TCP and UDP protocols are supported for apps configured for Per-App VPN on F5 Access for iOS 3.x. Apps that are managed by a Mobile Device Manager (MDM) can be configured to automatically connect to a VPN when they are started. In addition, Mobile Safari can be managed for per-app VPN with a configuration profile and without an MDM. Per-app VPN gives IT granular control over corporate network access, and ensures that data transmitted by managed apps travels only through a VPN. Meanwhile, other data, like an employee's personal web browsing activity, does not use the VPN. Per-app VPN also works with Safari on a per-URL basis.
A per-app VPN configuration requires three configuration components.
  • A device under MDM management, or a configuration profile file installed manually. For more information, see Configuration Profile Reference.
  • A managed app installed on the device, or Mobile Safari.
  • F5 Access for iOS installed on the managed device.
The managed app and the MDM profile must be deployed with an MDM solution, except in the case of Mobile Safari. The F5 Access configurations may or may not be deployed with an MDM solution. Any app other than Mobile Safari must be installed by the MDM solution, and associated with a VPN configuration.

About deploying MDM apps over VPNs

The per-app VPN framework allows the administrator to limit VPN access to explicit apps only. Specifically, it allows applications to use one F5 Access configuration (or VPN connection).
In practice, some applications may be associated with one F5 Access configuration, and other applications may be associated with other F5 Access configurations.
Once an app is associated with an F5 Access configuration by the MDM, it will use that VPN only.
In this example, App 1 or App 2 can be active at the same time, because they use different VPN configurations.
Apps associated with different VPN configurations
On iOS, you can only activate only one device-wide (user-initiated) VPN configuration at a time. However, multiple per-app VPNs can be active and connected simultaneously, on their own or in addition to the device VPN.

Creating an access profile

You create an access profile to provide the secured connection between the per-app VPN and the virtual server.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click
    Create
    .
    The New Profile screen opens.
  3. In the
    Name
    field, type a name for the access profile.
  4. From the
    Profile Type
    list, select
    SSL-VPN
    .
  5. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click
    Finished
    .
The access profile appears in the Access Profiles List.

Adding a version check to the access policy

A version check allows you to distinguish between F5 Access for iOS 3.0.x and earlier versions. You can use this information to assign the required full network access resource to the 3.0.x branch, for example, in a Per-App VPN scenario.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the
    Edit
    link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the
    (+)
    sign anywhere in the access policy to add a new action item.
    An Add Item screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Click
    Add Item
    .
    The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen displays.
  5. Click the
    Endpoint Security (Server-Side)
    tab.
  6. Select the
    Client Type
    item, and click
    Add Item
    .
  7. Click
    Save
    .
  8. On the Edge Client branch, click the
    (+)
    sign to add a new action item.
  9. Click the
    Endpoint Security (Server-Side)
    tab.
  10. Select the
    Client OS
    item, and click
    Add Item
    .
  11. Click
    Save
    .
  12. On the iOS branch, click the
    (+)
    sign to add a new action item.
  13. Click the
    General Purpose
    tab.
  14. Select the
    Empty
    item, and click
    Add Item
    .
  15. On the Properties screen in the
    Name
    field, type
    iOS Version
    .
  16. Click the Branch Rules tab.
  17. Click
    Add Branch Rule
    .
  18. In the Name field, type
    Version 3
    .
  19. Click the Advanced tab.
    Use this tab to enter Tcl expressions.
    A text input field displays.
  20. In the text field, type
    expr { [mcget {session.client.app_version}] >= "3.0"}
    , and click Finished.
  21. Click
    Save
    .
  22. Add a Network Access resource to the Version 3 branch. On the Version 3 branch, click the
    (+)
    sign to add a new action item.
  23. Click the
    Assignment
    tab.
  24. Select the
    Advanced Resource Assign
    item, and click
    Add Item
    .
  25. Under Resource Assignment, click
    Add new entry
    .
  26. Under Expression, click
    Add/Delete
    .
  27. Click the
    Network Access
    tab, and select a Network Access resource to assign.
  28. Click the
    Webtop
    tab, and select a webtop to assign.
  29. Click
    Update
    .
  30. Click
    Save
    .
  31. On the
    fallback
    branch following the Advanced Resource Assign item, click the Deny ending.
  32. Change the Deny ending to Allow, and click
    Save
    .
  33. If you support F5 Access version 2.x clients, on the fallback branch, click the Deny ending.
  34. Change the Deny ending to Allow, and click
    Save
    .
  35. Click
    Apply Access Policy
    to save your configuration.
The access profile appears in the Access Profiles List.
Configure the virtual server to include this access policy, and make sure the Client SSL profile is enabled on the server.

Adding a client certificate check to the access policy

A client certificate check allows you to authenticate the device to the access policy, without requiring any user interaction that would cause the creation of the per-app VPN tunnel to fail.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
  2. Click the
    (+)
    sign anywhere in the access policy to add a new action item.
    An Add Item screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  3. Click
    Add Item
    .
    The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen displays.
  4. Click the
    Authentication
    tab.
  5. Select the
    Client Cert Inspection
    item, and click
    Add Item
    .
  6. The properties screen opens. Click
    Save
    .
  7. On the
    Successful
    branch following the Client Cert Inspection item, click the Deny ending.
  8. Change the Deny ending to Allow, and click
    Save
    .
  9. Click
    Apply Access Policy
    to save your configuration.
The access profile appears in the Access Profiles List.
Configure the virtual server to include this access policy, and make sure the Client SSL profile is enabled on the server.

About setting up Access Policy Manager for per-app VPN

You configure specific settings in the Access Policy Manager® to provide per-app VPN tunnels. Per-app VPN tunnels are full network access tunnels, and require Network Access resources in the Access Policy. Configure these items on the Access Policy Manager.
  • The virtual server must be configured with an access profile.
  • The virtual server should be configured with a basic configuration for the network access resource.
  • You must specify the Client SSL profile on the virtual server. You must also include the same CA bundle on the server that is used to generate the certificate for the client devices.
Access policies for F5 Access Legacy 2.1.x have different requirements. If you are planning to have both clients connect to the same virtual server, refer to your F5 Acccess 2.1.0 documentation for more information.

Configuring a virtual server for per-app VPN

You must have Access Policy Manager® licensed and provisioned.
A virtual server profile enables support for the network access used by per-app VPN tunnels.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. For the
    SSL Profile (Client)
    setting, from the
    Available
    list, select the name of the Client SSL profile you previously created, and using the Move button, move the name to the
    Selected
    list.
  4. In the Access Policy area, from the
    Access Profile
    list, select the access profile.
  5. From the
    Connectivity Profile
    list, select the connectivity profile.
  6. Click
    Update
    to save the changes.
The virtual server is configured for per-app VPN.