Manual Chapter : Configuring Access Policy Manager for F5 Access

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

Configuring Access Policy Manager for F5 Access

What does F5 Access do for macOS devices?

F5 Access for macOS provides full network access through
BIG-IP® Access Policy Manager®
. With network access, users can run applications such as RDP, SSH, Citrix, VMware View, and other enterprise applications on their macOS devices.
F5 Access features include:
  • User name and password, and client certificate support
  • Support for DNS address space for split-tunneling configurations
  • Landing URI support
  • Logging support to report issues
  • Support client certificate for DTLS tunnels and SSL tunnels
  • Per-app VPN support
  • Password caching support

About supported authentication types

F5 Access for macOS provides these authentication types:
Authentication type
Connection Type
Client certificate
  • User-initiated connections, in native mode or Web Logon mode
  • Device-wide VPN On-Demand, in native mode or Web Logon mode
  • Per-App VPN connections, in native mode only
Per-App VPN does not support Web Logon mode.
Client certificate + username and password
Runtime prompts (login dialogs, and other user input prompts) are allowed for:
  • User-initiated connections, in native mode or Web Logon mode
  • Device-wide VPN On-Demand connections, in native mode or Web Logon mode
  • Per-App VPN connections, in native mode only
Per-App VPN does not support Web Logon mode.
Username and password
Runtime prompts (login dialogs, and other user input prompts) are allowed for:
  • User-initiated connections, in native mode or Web Logon mode
  • Device-wide VPN On-Demand connections, in native mode or Web Logon mode
  • Per-App VPN connections, in native mode only
Per-App VPN does not support Web Logon mode.

About establishing VPN connections

The F5 Access application (app) for
macOS devices
provides users with two options to establish a VPN tunnel connection. A user can start a tunnel connection explicitly with the F5 Access application, or implicitly through the VPN On-Demand functionality.
For example, a connection can be configured to automatically trigger whenever a certain domain or host name pattern is matched.

About pre-logon checks supported for macOS devices

For macOS devices, Access Policy Manager® can use only the following preconfigured pre-logon checks:
  • Client Type - result is F5 Access
  • Client OS - result is MacOS
Other session variables can be checked using custom expressions. See the list of session variables for macOS for more information.

Setting up network access

You can force traffic through a tunnel on F5 Access.
Although you disable
Allow local subnet access
while enabling
Force all traffic through tunnel
, the client still permits local subnet traffic to travel outside of the tunnel. This is a limitation of
macOS
and not of F5 Access.
  1. On the Main tab, click
    Access Policy
    Network Access
    Network Access List
    .
    The Network Access List screen opens.
  2. Click the name to select a network access resource on the Resource List.
    The Network Access editing screen opens.
  3. To configure the network settings for the network access resource, click
    Network Settings
    on the menu bar.
  4. To optionally force all traffic through the tunnel, next to
    Traffic Options
    , enable
    Force all traffic through tunnel
    .
    If you enable
    Use split tunneling for traffic
    , you must also specify either a DNS suffix or DNS Address Space pattern to use the VPN DNS servers. If the "DNS Suffix" and "DNS Address Space" fields are both left blank, then F5 Access does not use the VPN DNS servers and sends all DNS traffic to public DNS servers.
  5. To allow local subnet traffic to bypass the tunnel, select the
    Enable
    check box for
    Allow Local Subnet
    . This traffic bypasses the tunnel.
  6. Click
    Update
    .

Configuring the connectivity profile for macOS

You can configure password caching and enforce native or web logon mode by configuring the connectivity profile.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Connectivity
    Profiles
    .
    The Connectivity Profiles screen opens.
  2. Click the name of the Connectivity profile that you use with F5 Access for macOS, and click
    Edit Profile
    .
  3. Click the
    F5 Access for macOS
    item to configure F5 Access for macOS settings.
  4. To allow password caching on the macOS client, click
    Allow Password Caching
    . From the Save Password Method list, select
    disk
    or
    memory
    .
    If you select
    disk
    , an encrypted password is saved on disk with no expiration time. If you select
    memory
    , an encrypted password is cached on the device for the time specified in the
    Password Cache Expiration (minutes)
    field. The default value is
    240
    minutes (4 hours).
  5. To enforce the logon mode, click
    Enforce Logon Mode
    . Select
    native
    or
    web
    for the logon mode.
    If
    Enforce Logon Mode
    is enabled in the Connectivity Profile, the user cannot change the Web Logon option.
  6. Click
    OK
    .

Prerequisites for configuring F5 Access

Before configuring F5 Access
for macOS
devices, you must complete the following requirements:
  • Set up BIG-IP® Access Policy Manager®.
  • Run the Network Access Setup Wizard.
Additional information about network access and connectivity profiles can be found in the
BIG-IP® Access Policy Manager®: Network Access Configuration
guide.

Access Policy Manager configuration for F5 Access

To configure F5 Access for
macOS
device support on BIG-IP Access Policy Manager, use the following configuration steps:
  • Run the Network Access Setup Wizard.
  • Optionally, set up
    SSO
    and
    ACLs
    for your network access. Refer to the
    BIG-IP Access Policy Manager Configuration Guide
    on the AskF5 Knowledge Base for instructions.
  • Customize an access policy to support F5 Access.

Running the Network Access Setup wizard

Configure Access Policy Manager® to provide users with full network access from their devices using the Network Access Setup wizard for remote access.
  1. On the Main tab, click
    Wizards
    Device Wizards
    .
    The Device Wizards screen opens.
  2. For Access Policy Manager Configuration, select
    Network Access Setup Wizard for Remote Access
    , and then click
    Next
    .
  3. Fill in the fields for Device Wizard screens.
  4. Click
    Finished
    .
You now have network access resource that supports F5 Access for mobile devices.