Manual Chapter: Configuring Access Policy Manager for F5 Access
Applies To: BIG-IP APM
- 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
What does F5 Access do for macOS devices?
F5 Access for macOS provides full network access through BIG-IP® Access Policy Manager®. With network access, users can run applications such as RDP, SSH, Citrix, VMware View, and other enterprise applications on their macOS devices. F5 Access features include:
- User name and password, and client certificate support
- Support for DNS address space for split-tunneling configurations
- Landing URI support
- Logging support to report issues
- Client certificate support for DTLS tunnels and SSL tunnels
- Per-app VPN support
- Password caching support
About supported authentication types
F5 Access for macOS provides these authentication types:
Authentication type | Connection Type |
---|---|
Client certificate | Per-App VPN does not support Web Logon mode. |
Client certificate + username and password | Runtime prompts (login dialogs, and other user input prompts) are allowed for: Per-App VPN does not support Web Logon mode. |
Username and password | Runtime prompts (login dialogs, and other user input prompts) are allowed for: Per-App VPN does not support Web Logon mode. |
About establishing VPN connections
The F5 Access application (app) for macOS devices provides users with two options to establish a VPN tunnel connection. A user can start a tunnel connection explicitly with the F5 Access application, or implicitly through the VPN On-Demand functionality. For example, a connection can be configured to automatically trigger whenever a certain domain or host name pattern is matched.
About pre-logon checks supported for macOS devices
For macOS devices, Access Policy Manager® can use only the following
preconfigured pre-logon checks:
- Client Type - result is F5 Access
- Client OS - result is MacOS
Other session variables can be checked using custom expressions. See the list of session
variables for macOS for more information.
Setting up network access
You can force traffic through a tunnel on F5 Access.
Even if you disable Allow local subnet access while enabling Force all traffic through tunnel, the client still permits local subnet traffic to travel outside of the tunnel. This is a limitation of macOS and not of F5 Access.
- On the Main tab, click. The Network Access List screen opens.
- Click the name to select a network access resource on the Resource List. The Network Access editing screen opens.
- To configure the network settings for the network access resource, click Network Settings on the menu bar.
- To optionally force all traffic through the tunnel, next to Traffic Options, enable Force all traffic through tunnel. If you enable Use split tunneling for traffic, you must also specify either a DNS suffix or DNS Address Space pattern to use the VPN DNS servers. If the "DNS Suffix" and "DNS Address Space" fields are both left blank, then F5 Access does not use the VPN DNS servers and sends all DNS traffic to public DNS servers.
- To allow local subnet traffic to bypass the tunnel, select the Enable check box for Allow Local Subnet. This traffic bypasses the tunnel.
- Click Update.
Configuring the connectivity profile for macOS
You can configure password caching and enforce native or web logon mode by
configuring the connectivity profile.
- On the Main tab, click. The Connectivity Profiles screen opens.
- Click the name of the Connectivity profile that you use with F5 Access for macOS, and click Edit Profile.
- Click the F5 Access for macOS item to configure F5 Access for macOS settings.
- To allow password caching on the macOS client, click Allow Password Caching. From the Save Password Method list, select disk or memory. If you select disk, an encrypted password is saved on disk with no expiration time. If you select memory, an encrypted password is cached on the device for the time specified in the Password Cache Expiration (minutes) field. The default value is 240 minutes (4 hours).
- To enforce the logon mode, click Enforce Logon Mode. Select native or web for the logon mode. If Enforce Logon Mode is enabled in the Connectivity Profile, the user cannot change the Web Logon option.
- Click OK.
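The network access and connectivity profile settings above have side effects that are easy to miss in review (DNS sent to public servers, local subnet traffic outside the tunnel, passwords cached without expiry). The following is an added example, not F5 code, that lints an exported set of these settings; the dictionary keys are hypothetical stand-ins for the GUI fields, and the cache-duration threshold is the auditor's own policy choice.

```python
# Added example: lint the F5 Access for macOS settings this chapter describes.
# Dictionary keys are hypothetical stand-ins for the GUI fields; they are not
# tmsh or iControl REST property names.

def audit_network_access(res):
    """Findings for one network access resource."""
    out = []
    mode = res.get("traffic_option")  # "force_all" or "split"
    has_dns_scope = bool(res.get("dns_suffix") or res.get("dns_address_space"))
    if mode == "split" and not has_dns_scope:
        out.append(("DNS-PUBLIC", "split tunneling with blank DNS Suffix and DNS "
                    "Address Space: all DNS traffic goes to public DNS servers"))
    if mode == "force_all" and not res.get("allow_local_subnet", False):
        out.append(("LOCAL-SUBNET", "macOS still lets local subnet traffic "
                    "travel outside the tunnel"))
    return out


def audit_connectivity_profile(prof, max_cache_minutes=240, per_app_vpn=False):
    """Findings for the F5 Access for macOS section of a connectivity profile."""
    out = []
    if prof.get("allow_password_caching"):
        method = prof.get("save_password_method")
        minutes = prof.get("cache_expiration_minutes", 240)  # manual's default
        if method == "disk":
            out.append(("CACHE-DISK", "password saved on disk with no expiration"))
        elif method == "memory" and minutes > max_cache_minutes:
            out.append(("CACHE-LONG", f"password cached for {minutes} minutes"))
    if not prof.get("enforce_logon_mode"):
        out.append(("LOGON-MODE", "logon mode not enforced; user can change Web Logon"))
    elif prof.get("logon_mode") == "web" and per_app_vpn:
        out.append(("PERAPP-WEB", "Per-App VPN does not support Web Logon mode"))
    return out


# Constructed sample settings, not taken from a real device.
SAMPLE_RESOURCE = {"traffic_option": "split", "dns_suffix": "", "dns_address_space": []}
SAMPLE_PROFILE = {"allow_password_caching": True, "save_password_method": "disk",
                  "enforce_logon_mode": True, "logon_mode": "web"}

if __name__ == "__main__":
    for code, msg in (audit_network_access(SAMPLE_RESOURCE)
                      + audit_connectivity_profile(SAMPLE_PROFILE, per_app_vpn=True)):
        print(f"{code}: {msg}")
```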
Prerequisites for configuring F5 Access
Before configuring F5 Access for macOS devices, you must complete the following requirements:
- Set up BIG-IP® Access Policy Manager®.
- Run the Network Access Setup Wizard.
BIG-IP® Access Policy Manager®: Network Access Configuration guide.
Access Policy Manager configuration for F5 Access
To configure F5 Access for macOS device support on BIG-IP Access Policy Manager, use the following configuration steps:
- Run the Network Access Setup Wizard.
- Optionally, set up SSO and ACLs for your network access. Refer to the BIG-IP Access Policy Manager Configuration Guide on the AskF5 Knowledge Base for instructions.
- Customize an access policy to support F5 Access.
Running the Network Access Setup wizard
Configure Access Policy Manager® to provide users with full network access from their devices using the Network Access Setup wizard for remote access.
- On the Main tab, click. The Device Wizards screen opens.
- For Access Policy Manager Configuration, select Network Access Setup Wizard for Remote Access, and then click Next.
- Fill in the fields for Device Wizard screens.
- Click Finished.
You now have a network access resource that supports F5 Access for mobile devices.