Manual Chapter : Configuration Notes: F5 Access for Microsoft Windows 10 and Windows 10 Mobile

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.0.0, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 12.1.4, 12.1.3
Manual Chapter

Configuration Notes: F5 Access for Microsoft Windows 10 and Windows 10 Mobile

Overview: VPN support for Windows 10 and Windows 10 Mobile

F5 Access is supported on Microsoft Windows 10 and Windows 10 Mobile clients. It supports F5 VPN connections with BIG-IP Access Policy Manager (APM).
After you configure a VPN profile on your device for F5 Access, select it from Network Connections.
For information about how to configure remote access on a BIG-IP system with APM, refer to the
BIG-IP APM Configuration Notes
section.

Configuring a new VPN profile

You must first download the F5 Access application from the Microsoft Windows 10 Store before you can create a new VPN profile.
To use F5 Access for network access on Microsoft Windows 10, you must configure a VPN profile and specify F5 VPN as the VPN provider.
A VPN connection that you configure this way uses default parameter values, such as port 443. To specify other values, you should configure a profile using the
Add-VpnConnection
PowerShell
command and specify options using the
CustomConfiguration
property.
  1. On your Windows system, select
    Settings
    VPN
    . On Windows Mobile, select
    Settings
    Network & Wireless
    VPN
    As you make selections, the display changes in response.
  2. Click
    Add a VPN Connection
    .
  3. From the VPN provider list, select
    F5 Access
    .
  4. In the Connection name field, type a name for the connection.
  5. In the Server name or address field, type the FQDN or IP address of the BIG-IP system with BIG-IP Access Policy Manager.
    Do not type a URL.
  6. Select the
    Remember my sign in info
    check box.
    When you select this check box, the Windows client caches your credentials and you do not need to enter them again.
  7. Click
    Save
    .
The new VPN profile appears on the list.

Connecting to an existing VPN profile

Connect to a profile to use the connections to your network supported by F5 Access.
  1. On your Windows system, select
    Settings
    VPN
    . On Windows Mobile, select
    Settings
    Network & Wireless
    VPN
    As you make selections, the display changes in response.
  2. Select the existing VPN profile.
    Additional options display.
  3. From the new options, select
    Connect
    .
The VPN profile displays as "Connected."

Terminating an existing VPN connection

You can terminate an existing VPN connection on the BIG-IP® Edge Client® for Windows Phone.
  1. On the main screen of the Windows Phone, tap
    Settings
    VPN
    .
    The VPN screen displays.
  2. Tap a VPN profile.
    The VPN profile displays
    connected, manual
    before you tap the profile.
    The VPN profile displays
    not connected, manual
    after you tap the profile.
You have now terminated an existing VPN connection.

F5 Access profile parameters

This table specifies parameters that are specific to F5 Access; the client supports these parameters in addition to other parameters that are available for VPN profiles. When you configure a VPN profile from PC Settings on your client, it takes the default values displayed in the table. These parameters are available for configuring a VPN profile using an MDM solution or
PowerShell
commands.
Parameter
Type
Default value
Description
port
number
443
Port to connect to VPN server (Access Policy Manager).
landing-uri
text
Landing URI to use for authentication (APM).
ssl-encryption
boolean
true
If set to
false
, SSL encryption is not used.
authenticate-retries
number
3
Maximum number of attempts to prompt for credentials when authentication fails.
log-level
default
,
minimum
,
info
,
debug
default
Specifies maximum level for log entries.
client-certificate
string
Specifies issuer of client certificate being used for authentication.
optimize-for-low-cost-network
boolean
false
If set to
true
, client tries to reconnect to cheapest available network connection.
single-sign-on-credential
boolean
true
If set to
true
, client tries to use VPN credentials to connect to Windows File Shares.
prompt-for-credentials
boolean
true
If set to
false
, user is not asked for credentials and server receives empty username and password fields. Can be used in certificate-only authentication.
tls1.2
boolean
true
Use TLS1.2 protocol for TLS/SSL communication.

Examples: VPN profile configuration

These examples show how to specify F5 parameters for a VPN profile using
PowerShell
commands and the
CustomConfiguration
property.

Creating a client certificate for second-factor authentication

This example shows how to create a VPN profile that uses a certificate issued by Site Request, Inc. for second-factor authentication. The certificate must already be installed on the client device.
F5 Access
can read the certificate from certificate storage on the device or from a smart card inserted into the device.
The client supports smart cards that work with Microsoft Base Smart Card Cryptographic Service Provider.
$xml = "<f5-vpn-conf><client-certificate><issuer>Site Request Inc</issuer></client-certificate></f5-vpn-conf>" $sourceXml=New-Object System.Xml.XmlDocument $sourceXml.LoadXml($xml)
Add-VpnConnection
-Name
F5_vpn_cert
-ServerAddress
apm_server_fqdn
-SplitTunneling
$True
-PluginApplicationID
F5Networks.vpn.client_btcnfmkykcjs2
-CustomConfiguration
$sourceXml

Using a nonstandard port

This example shows how to create a VPN profile using port 444 to connect to the BIG-IP system.
$xml = "<f5-vpn-conf><port>444</port></f5-vpn-conf>" $sourceXml=New-Object System.Xml.XmlDocument $sourceXml.LoadXml(
$xml
)
Add-VpnConnection
-Name
F5_vpn_port_444
-ServerAddress
apm_server_fqdn
-SplitTunneling
$True
-PluginApplicationID
F5Networks.vpn.client_btcnfmkykcjs2
-CustomConfiguration
$sourceXml

Using the landing URI

This example shows how to create a VPN profile using the landing URI to connect to the BIG-IP system.
$xml = "<f5-vpn-conf><landing-uri>test</landing-uri></f5-vpn-conf>" $sourceXml=New-Object System.Xml.XmlDocument $sourceXml.LoadXml(
$xml
)
Add-VpnConnection
-Name
F5_vpn_landing_uri
-ServerAddress
apm_server_fqdn
-SplitTunneling
$True
-PluginApplicationID
F5Networks.vpn.client_btcnfmkykcjs2
-CustomConfiguration
$sourceXml

Configuring multiple servers for VPN connection

This example shows how you can configure multiple servers for VPN connection.
F5 Access
attempts to reach each server in the list until it successfully authenticates the user.
$VPNConnectionName = "Global VPN" $PluginApplicationID = "
F5Networks.vpn.client_btcnfmkykcjs2
" $VPNServerList = @() $VPNServerList += New-VpnServerAddress my1.server.fqdn
-FriendlyName
Africa $VPNServerList += New-VpnServerAddress my2.server.fqdn
-FriendlyName
Europe $VPNServerList += New-VpnServerAddress my3.server.fqdn
-FriendlyName
Asia $VPNServerList += New-VpnServerAddress my4.server.fqdn
-FriendlyName
"North America" $VPNServerList += New-VpnServerAddress my5.server.fqdn
-FriendlyName
"South America" $VPNServerList += New-VpnServerAddress my6.server.fqdn
-FriendlyName
Antarctica $VPNServerList += New-VpnServerAddress my7.server.fqdn
-FriendlyName
Australia $xml = "<f5-vpn-conf><log-level>debug</log-level></f5-vpn-conf>" # Validate XML configuration $ErrorActionPreference = "Stop" $sourceXml=New-Object System.Xml.XmlDocument $sourceXml.LoadXml (
$xml
) # Remove existing entry $VPNConnections =
Get-VpnConnection
foreach ($i in
$VPNConnections
) { if ($i.Name -eq
$VPNConnectionName
) {
Write-Host
"Remove VPN connection:"
$VPNConnectionName
Remove-VpnConnection
-Name
$VPNConnectionName
} } # Add new entry
Write-Host
> "Configure VPN connection:"
$VPNConnectionName
"with default server:"
$VPNServerList
[0].ServerAddress "VPNP ID:"
$PluginApplicationID
Add-VpnConnection
-Name
$VPNConnectionName
-ServerAddress
$VPNServerList
[0].ServerAddress
-SplitTunneling
$True
-PluginApplicationID
$PluginApplicationID
-CustomConfiguration
$sourceXml
-ServerList
$VPNServerList

Commands and parameters: VPN profile configuration

The
AddVpnConnection
PowerShell
command supports a
CustomConfiguration
property that you can use to specify F5 parameters for a VPN profile. The input for the command is in XML format; the schema is available in the
XML Schema: F5-specific configuration parameters
section of this document. For help customizing a VPN profile, refer to the
Examples: VPN profile configuration
section.

Useful PowerShell commands

Command
Description
Add-VpnConnection
Add a VPN profile.
Get-VpnConnection
View configured VPN profiles.
Remove-VpnConnection
Delete a VPN profile.

Powershell command syntax

Use the
Get-Help
command in
Powershell
to view command syntax. For example, type
Get-Help Add-VpnConnection
.

Auto-triggered VPN connections

When you select an app or resource that needs access through
F5 Access
, such as a company intranet site,
Windows 10
can automatically prompt you to sign in with one click. For command syntax, open
PowerShell
and type
Get-Help
for
this command
:
  • Add-VpnConnectionTriggerApplication

Triggering a connection (SR_SanJose) with the application notepad.exe

Add-VpnConnectionTriggerApplication -ConnectionName SR_SanJose -ApplicationID "C:\Windows\System32\notepad.exe"

XML Schema: F5 configuration parameters

This is the schema for the
CustomConfiguration
property of the VPN profile.
<?xml version="1.0" encoding="utf-8"?> <xs:schema id="XMLSchema" targetNamespace="http://siterequest.com/XMLSchema.xsd" elementFormDefault="qualified" xmlns="http://tempuri.orgsiterequest.com/XMLSchema.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <xs:simpleType name="log-levelType"> <xs:restriction base="xs:string"> <xs:enumeration value="default"/> <xs:enumeration value="minimum"/> <xs:enumeration value="info"/> <xs:enumeration value="debug"/> </xs:restriction> </xs:simpleType> <xs:element name="f5-vpn-conf"> <xs:complexType> <xs:all minOccurs="0"> <xs:element name="port" type="xs:unsignedShort" default="443"/> <xs:element name="landing-uri" type="xs:anyURI"/> <xs:element name="ssl-encryption" type="xs:boolean" default="true"/> <xs:element name="tls1.2" type="xs:boolean" default="true"/> <xs:element name="authenticate-retries" type="xs:unsignedByte" default="3"/> <xs:element name="log-level" type="log-levelType" default="default"/> <xs:element name="optimize-for-low-cost-network" type="xs:boolean" default="false"/> <xs:element name="single-sign-on-credential" type="xs:boolean" default="true"/> <xs:element name="client-certificate"> <xs:complexType> <xs:all minOccurs="0" maxOccurs="1"> <xs:element name="issuer" type="xs:string" minOccurs="1"/> </xs:all> </xs:complexType> </xs:element> </xs:all> </xs:complexType> </xs:element> </xs:schema>
Configuration example
Example XML syntax
Multifactor authentication with client certificate
<f5-vpn-conf><client-certificate> <issuer>Snake Oil</issuer> </client-certificate></f5-vpn-conf>
Client certificate authentication only
<f5-vpn-conf><prompt-for-credentials> false</prompt-for-credentials> <client-certificate><issuer> Snake Oil Ltd</issuer></client-certificate> </f5-vpn-conf>
Connecting to an APM server over port 80, no SSL encryption, for debugging purposes only
<f5-vpn-conf><port>80<ssl-encryption>false </ssl-encryption></f5-vpn-conf>

Overview: About VPN deployment using Airwatch

You can deploy an F5 VPN profile for
Windows 10 Mobile
using the Airwatch MDM provider. This options provides more options than the standard VPN deployment, such as monitoring the client certificate usage and setting the landing URL.
This example displays a username and password authentication access policy.
Edge Client access policy

Deploying a VPN profile using Airwatch

You can deploy a VPN connection on
F5 Access
for
F5 Access
using Airwatch.
  1. On the Airwatch console, create a VPN configuration with the connection type
    F5 Edge VPN
    .
    For more information on creating an Airwatch profile, refer to Airwatch documentation.
  2. Create an access policy in BIG-IP® Access Policy Manager®.
  3. Install
    F5 Access
    from the Windows Store.
  4. Enroll the device with
    F5 Access
    .
    F5 Access
    deploys the F5 VPN profile.
    The MDM profile is deployed to devices, regardless of whether the F5 Access app is installed.
  5. Check that the VPN profile is created on the device or devices.
You have now deployed an F5 VPN connection profile.

Overview: BIG-IP APM Configuration Notes

On Access Policy Manager (APM), you need to configure an access policy for
F5 Access
.
Additionally, you need a standard network access configuration. For more information, refer to
BIG-IP Access Policy Manager Network Access Configuration
on the AskF5 website at
http://support.f5.com
.

Authentication support

Your access policy can collect this type of information for authentication purposes:
  • User name and password
  • Client certificate as second-factor authentication

Client certificate configuration requirements

In the access policy, you can use the Client Cert access policy item or the On-Demand Cert Auth access policy item.
In the client SSL profile for the virtual server, select
request
for the
Client Certificate
property.

Access policy example

An access policy to support
F5 Access
might include a Client Type item, a Client OS item, appropriate authentication items, and some resource assignment access policy items.

F5 Access for Windows 10 access policy example

To configure F5 Access for Windows 10 to be detected, use the F5 Access branch of the Client Type access policy item. F5 Access is detected as "F5 Access" on this branch. The Client Type for F5 Access differs from F5 Inbox VPN Client for Windows 8.1 (detected as "Windows Inbox F5 VPN Client") and BIG-IP Edge Client for Windows Phone 8.1 (detected as "Edge Client").
To detect F5 Access for Windows 10 with the Client OS access policy item, you must modify the Client OS branch rule for Windows as follows.
Click the
Client OS
item, click the
Branch Rules
tab, and click
change
at the bottom of the Windows branch rule.
branch rule button
Click the
Advanced
tab, and add the following to the Windows expression.
|| [mcget {session.client.platform}] == "Windows"}
Windows expression for Windows 10
Click
Finished
, then
Save
, and change the ending to
Allow
on the Windows branch. The access policy appears as follows.
example Windows 10 access policy
You can also configure the access policy item to further detect the Windows version for Windows 10. To do this, you can add a custom access policy item or a branch rule with the custom expression
[mcget {session.client.platform_version}] == "10"
.
Typically, in a network access configuration after authentication, you assign resources to the client. Resource assignment access policy items are omitted from this example for the sake of readability.

Related documentation

For additional information, refer to the AskF5 web site (
http://support.f5.com
) for documentation specific to the version of Access Policy Manager that you are using.
Document
Description
Release Note for BIG-IP APM
New features and known issues.
BIG-IP Access Policy Manager Network Access Configuration
How to configure network access.
Configuration Guide for BIG-IP Access Policy Manager
Access profiles, access policies, visual policy editor.