Manual Chapter : Defining Connectivity Options

Applies To: BIG-IP APM 16.0.1, 16.0.0

About connectivity profiles and Network Access

A connectivity profile defines connectivity and client settings for a Network Access session.
A connectivity profile contains:
  • Compression settings for network access connections and application tunnels
  • Citrix client settings
  • Virtual servers and DNS-location awareness settings for BIG-IP Edge Client® for Windows, Mac, and Linux
  • Password caching settings for BIG-IP Edge Client for Windows, Mac, and mobile clients
  • Settings for mobile clients
A connectivity profile is also associated with customizable client download packages for Edge Client for Windows and Edge Client for Mac.

Create a connectivity profile for access tunnels and clients

You create a connectivity profile to configure client connections for a network access tunnel, application access tunnel, and clients.
  1. On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.
    A list of connectivity profiles displays.
  2. Click Add.
    The Create New Connectivity Profile popup screen opens and displays General Settings.
  3. Type a Profile Name for the connectivity profile.
  4. Select a Parent Profile from the list.
    APM provides a default profile, /Common/connectivity.
  5. Select a FEC Profile from the list.
    This setting is optional.
    You can select a previously configured FEC profile only when FEC is included in the BIG-IP system.
  6. From the Compression Settings folder, click Network Access and make changes to the network access compression settings.
    The settings specify compression settings for network access tunnels.
    The default settings are displayed in the right pane.
  7. From the Compression Settings folder, click App Tunnel and make changes to the application tunnel compression settings.
    The settings specify available compression codecs for server-to-client connections. By default, compression is enabled, but no codecs are selected in the Available Codecs area.
    The default settings are displayed in the right pane.
  8. Click the Citrix Client Settings folder to specify the Citrix client bundle. A Citrix client bundle enables delivery of a Citrix Receiver client to a user's Windows computer when a client is not currently installed, or when a newer client is available. By default, a connectivity profile includes the default Citrix bundle, /Common/default-citrix-client-bundle, which contains a download URL, receiver.citrix.com.
  9. To configure security settings, servers, OAuth settings, and location-awareness for BIG-IP Edge Client for Windows and macOS, click Win/Mac Edge Client. Edge Client settings for Mac and Windows-based systems display in the right pane.
    Refer to the sections Configuring a connectivity profile for Edge Client for Windows and macOS in BIG-IP Access Policy Manager: Edge Client and Application Configuration for more details.
    1. Retain the default (selected) or clear the Save Servers Upon Exit check box to specify whether Edge Client maintains a list of recently used user-entered APM servers.
    2. To enable the client to try to use the Windows logon session for an APM session also, select the Reuse Windows Logon Session check box.
    3. To enable the client to try to use the credentials that users typed for Windows logon in an APM session also, select the Reuse Windows Logon Credentials check box.
      To support this option, you must also include the User Logon Credentials Access Service in the Windows client package for this connectivity profile, and you must ensure that the access policy includes an uncustomized Logon Page action.
    4. To enable the client to launch an administrator-defined script on session termination, select the Run session log off script check box.
    5. To enable the client to display a warning before launching the pre-defined script on session termination, select the Show warning to user before launching script check box.
    6. To support automatic reconnection without the need to provide credentials again, select the Allow Password Caching check box.
    7. To cache the user's password securely on disk or in memory, select the location from the Save Password Method list. If you select memory, the Password Cache Expiration (minutes) field displays with a default value of 240. You can either retain the default value or type the number of minutes to save the password in memory.
    8. To enable automatic download and update of client packages, from the Component Update list, select yes (default).
    9. Click OAuth Settings in the left pane to specify optional OAuth settings that Edge Client will use for authenticating Native Apps using the OpenID Connect specification. When OAuth is configured, end users are required to authenticate via the OAuth authentication flow. This OIDC support provides a consistent authentication experience by enabling two-factor verification and Single Sign-On across Browser and Edge Client. Refer to the section Configuring policies for OAuth client and resource server in BIG-IP Access Policy Manager: OAuth Concepts and Configuration for details on adding an OAuth Resource Server to the access policy.
      BIG-IP 16.0.0 includes the ability to configure OAuth settings that work only with a compatible version of the client (7.2.1 or above).
      For security reasons, when configuring OAuth settings, ensure that the BIG-IP local traffic policy enforces HTTPS by redirecting HTTP requests to HTTPS for a virtual server on the BIG-IP system. Refer to the OIDC RFC for details on the OAuth 2.0 Authorization Framework.
    10. Select the OAuth provider in the Provider list. If you select None, OAuth configuration is disabled.
    11. Specify the OAuth Client ID identifier in the Client ID field. OAuth configuration is disabled if the client ID is not specified.
    12. Specify the scopes that will be requested by the client in the Scopes field. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings defined by the authorization server. When using multiple strings, the order does not matter. All printable ASCII characters are allowed excluding quote (") and backslash (\).
    13. In the Complete Redirection URI field, enter the optional URI for the OAuth client to be directed to when authentication completes or fails. The default APM page is used if this URI is not specified.
    14. Click Server List in the left pane to specify the list of APM servers to provide when the client connects. The servers you add here display as connection options in the BIG-IP Edge Client.
    15. Click Location DNS List in the left pane to specify DNS suffixes that are in the local network. Providing a list of DNS suffixes for the download package enables Edge Client to support the auto-connect option. With Auto-Connect selected, Edge Client uses the DNS suffixes to automatically connect when a client is not on the local network (not on the list) and automatically disconnect when the client is on the local network.
  10. The Mobile Client Settings folder in the left pane contains settings to configure F5 Access for iOS and Android and Edge Portal for iOS and Android. A connectivity profile contains default settings for mobile clients, but you can configure them to fit your situation.
    Refer to the sections Configuring a connectivity profile for Edge Portal for iOS and Android and Configuring a connectivity profile for F5 Access for iOS and Android in BIG-IP Access Policy Manager: Edge Client and Application Configuration for more details.
  11. Click OK.
    The popup screen closes, and the Connectivity Profile List displays.
To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.

About connectivity profile compression settings

Compression settings specify the available compression codecs for server-to-client connections. The server compares the available compression types configured in the connectivity profile with the available compression types on the client, and chooses the most effective mutual compression setting.

Connectivity profile general settings

You can configure the following general settings in a connectivity profile.
| Profile setting | Value | Description |
|---|---|---|
| Profile Name | Text. | Text specifying the name of the connectivity profile. |
| Parent Profile | A connectivity profile, selected from a list. | A profile inherits settings from its parent profile. |
| FEC Profile | A forward error correcting (FEC) profile, selected from a list. | A FEC profile applies to a network access tunnel. FEC profiles might not be available on all BIG-IP systems. |
| Description | Text. | Text description of the connectivity profile. |
| Partition | Text. | Text specifying the partition and path in which the profile is stored and used. |

Connectivity profile network access compression settings

You can configure the following network access compression settings in a connectivity profile.
| Setting | Value | Description |
|---|---|---|
| Compression Buffer Size | Number of bytes. The default is 4096. | Specifies the size of the output buffers containing compressed data. |
| gzip Compression Level | A preset, or a value between 1 and 9. | Specifies the degree to which the system compresses the content. Higher compression levels cause the compression process to be slower and the result to be more compressed. The default compression level is 6 - Optimal Compression (Recommended), which provides a balance between level of compression and CPU processing time. You can also select compression level 1 - Least Compression (Fastest), the lowest amount of compression, which requires the least processing time, or 9 - Most Compression (Slowest), the highest level of compression, which requires the most processing time. You can also select a number between 1 and 9. |
| gzip Memory Level | 1-256 kb. | Specifies the number of kilobytes of memory that the system uses for internal compression buffers when compressing data. You can select a value between 1 and 256. |
| gzip Window Size | 1-128 kb. | Specifies the number of kilobytes in the window size that the system uses when compressing data. You can select a value between 1 and 128. |
| CPU Saver | Selected or cleared. | Specifies, when enabled, that the system monitors the percentage of CPU usage and adjusts compression rates automatically when the CPU usage reaches either the High value or the Low value. |
| High | Percentage | Specifies the percentage of CPU usage at which the system starts automatically decreasing the amount of content being compressed, as well as the amount of compression which the system is applying. |
| Low | Percentage | Specifies the percentage of CPU usage at which the system resumes content compression at the user-defined rates. |

Connectivity profile application tunnel compression settings

You can configure the following application tunnel compression settings in a connectivity profile.
| Setting | Value | Description |
|---|---|---|
| Compression | Enable or Disable | Specifies the available compression codecs for server-to-client connections. The server compares the available compression types configured here with the available compression types on the client, and chooses the most effective mutual compression setting. |
| Adaptive Compression | Enable or Disable | Specifies whether to enable or disable adaptive compression between the client and the server. |
| Deflate Level | From 1 to 9 | Specifies a compression level for deflate compression. Higher numbers compress more, at the cost of more processing time. |
| lzo | Enable or Disable | Specifies LZO compression. LZO compression offers a balance between CPU resources and compression ratio, compressing more than Deflate compression, but with less CPU resources than Bzip2. |
| deflate | Enable or Disable | Specifies deflate compression. Deflate compression uses the least CPU resources, but compresses the least effectively. |
| bzip2 | Enable or Disable | Specifies Bzip2 compression. Bzip2 compression uses the most CPU resources, but compresses the most effectively. |

Connectivity profile Win/Mac Edge Client settings

You can configure the following Windows and Mac Edge Client settings in a connectivity profile.
| Setting | Value | Description |
|---|---|---|
| Save Servers Upon Exit | Enable or Disable | Specifies whether Edge Client maintains a list of recently used user-entered APM servers. Edge Client always lists the servers that are defined in the connectivity profile, and sorts them by most recent access, whether this option is selected or not. This is selected by default. |
| Reuse Windows Logon Session | Enable or Disable | Enables the client to reuse the Windows logon session for an APM session too. This is cleared by default. |
| Reuse Windows Logon Credentials | Enable or Disable | Enables the client to reuse the credentials that end users typed for Windows logon for the APM session too. This is cleared by default. |
| Run session log off script | Enable or Disable | Enables the client to launch an administrator-defined script on session termination. This is cleared by default. The administrator specifies parameters which are passed by Edge Client to the script file. These parameters are defined by the session variable session.edgeclient.scripting.logoff.params. The client retrieves parameters from BIG-IP after session establishment. The administrator has the flexibility to set up variable values according to policy branching. Each time the Edge Client closes an APM session, the configured script is invoked. On Windows, the script is located at C:\Program Files\F5 VPN\scripts\onSessionTermination.bat. |
| Show warning to user before launching script | Enable or Disable | Enables the client to display a warning before launching the pre-defined script on session termination. This is selected by default. |
| Allow Password Caching | Enable or Disable | Supports automatic reconnection without the need to provide credentials again. This is cleared by default. |
| Save Password Method | Password method, selected from a list. | Specifies the location to cache the user's password securely. Select disk to cache the user's password (in encrypted form) securely on the disk where it is persisted even after the system is restarted or Edge Client is restarted. Select memory to cache the user's password within the BIG-IP Edge Client application for automatic reconnection purposes. |
| Password Cache Expiration (minutes) | Unsigned integer with value between 0 and 4294967295. | Specifies the number of minutes until the password expires. The default value is 240. |
| Component Update | Client component update, selected from a list. | Specifies how Windows and Mac Edge Clients associated with this connectivity profile get secure access client component updates. Select yes to automatically update client components when available, select prompt to prompt before installing updates, and select no to neither prompt nor install updates. |

OAuth Settings

Specifies optional OAuth Settings that Edge Client will use for authentication.
| Setting | Value | Description |
|---|---|---|
| Provider | An OAuth provider, selected from a list. | Specifies the OAuth provider. If you select None, OAuth configuration is disabled. |
| Client ID | Text. | Specifies the OAuth Client ID identifier. The client identifier is not a secret and is exposed by the BIG-IP APM virtual server. OAuth configuration is disabled if client ID is not specified. |
| Scopes | Text. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings defined by the authorization server. | Specifies the scopes that will be requested by the client. All printable ASCII characters are allowed excluding quote (") and backslash (\). |
| Complete Redirection URI | Text. | Specifies the optional URI for OAuth client to be directed to when authentication completes or fails. The default APM page is used if this URI is not specified. The URI should start with "https://", "http://" or "/". |
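
The field rules for Provider, Client ID, Scopes and Complete Redirection URI can be checked before a profile is saved. The following is an added example, not F5 code: the dictionary keys and sample values are hypothetical stand-ins for the GUI fields, and the checks for plain-HTTP and scheme-relative (`//host`) redirection URIs go beyond the stated prefix rule, following the HTTPS guidance above.

```python
# Added example: lint the OAuth Settings fields of a connectivity profile.
# The dict keys are hypothetical names for the GUI fields, not APM identifiers.

# Printable ASCII except space (the delimiter), quote and backslash.
SCOPE_CHARS = {chr(c) for c in range(0x21, 0x7F)} - {'"', "\\"}


def parse_scopes(value):
    """Return the Scopes field as a set: order is irrelevant, case is kept."""
    bad = sorted(set(value) - SCOPE_CHARS - {" "})
    if bad:
        raise ValueError(f"characters not allowed in scopes: {bad!r}")
    return frozenset(value.split(" ")) - {""}


def oauth_enabled(settings):
    """OAuth is disabled when Provider is None or Client ID is empty."""
    provider = settings.get("provider") or "None"
    return provider != "None" and bool(settings.get("client_id", "").strip())


def lint_oauth(settings):
    """Return a list of findings for one profile's OAuth settings."""
    if not oauth_enabled(settings):
        return ["OAuth disabled: Provider is None or Client ID is empty"]
    findings = []
    try:
        parse_scopes(settings.get("scopes", ""))
    except ValueError as exc:
        findings.append(f"Scopes invalid: {exc}")
    uri = settings.get("complete_redirection_uri", "")
    if uri:  # optional; the default APM page is used when empty
        if uri.startswith("//"):
            findings.append("Redirection URI is scheme-relative (//host), not a local path")
        elif uri.startswith("http://"):
            findings.append("Redirection URI is plain HTTP; the page advises enforcing HTTPS")
        elif not uri.startswith(("https://", "/")):
            findings.append("Redirection URI must start with https://, http:// or /")
    return findings


# Constructed sample profiles (not taken from a real system).
GOOD = {"provider": "/Common/example-provider", "client_id": "edge-client-1",
        "scopes": "openid profile", "complete_redirection_uri": "/done"}
BAD = dict(GOOD, scopes='openid "admin"',
           complete_redirection_uri="http://portal.example.com/done")
```

`lint_oauth(GOOD)` returns an empty list; `lint_oauth(BAD)` returns one finding for the quoted scope and one for the plain-HTTP redirection URI.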

Server List

Specifies virtual servers for the connectivity profile.
| Setting | Value | Description |
|---|---|---|
| Alias | Text. | Specifies an alternative name of the host name. |
| Host Name | Text. | Specifies the host name of the APM server to provide to the end-user when the client connects. |

Location DNS List

Specifies DNS suffixes that are considered to be in the local, or internal network.
| Setting | Value | Description |
|---|---|---|
| Location DNS Name | Text. | Specifies the DNS suffixes that are in the local network. With Auto-Connect selected, Edge Client uses the DNS suffixes to automatically connect when a client is not on the local network (not on the list) and automatically disconnect when the client is on the local network. |
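
The Auto-Connect behaviour described above can be modelled to test a planned Location DNS List before deploying it. This is an added example, not Edge Client code: it assumes the client compares the DNS suffix of its active network connection against the list and treats subdomains of a listed suffix as local, and all names and sample domains are hypothetical.

```python
# Added example: model of the Auto-Connect decision driven by the Location DNS List.
# Assumption: the client compares the DNS suffix of its active network
# connection against the list; function and variable names are hypothetical.


def normalize(name):
    """Lower-case a DNS name and drop surrounding spaces and a trailing dot."""
    return name.strip().rstrip(".").lower()


def on_local_network(current_suffix, location_dns_list):
    """True when current_suffix equals a listed suffix or is a subdomain of one."""
    current = normalize(current_suffix)
    if not current:
        return False  # no suffix assigned: treat as not local
    for entry in map(normalize, location_dns_list):
        # Match on a label boundary so "notcorp.example.com" is not
        # mistaken for "corp.example.com".
        if entry and (current == entry or current.endswith("." + entry)):
            return True
    return False


def auto_connect_action(current_suffix, location_dns_list, connected):
    """Return 'connect', 'disconnect' or 'none' for the current state."""
    local = on_local_network(current_suffix, location_dns_list)
    if local and connected:
        return "disconnect"  # on the local network: the tunnel is not needed
    if not local and not connected:
        return "connect"     # off the local network: bring the tunnel up
    return "none"


# Constructed sample list (example domains only).
LOCATION_DNS = ["corp.example.com", "Lab.Example.NET."]
```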