Defining Connectivity Options
A connectivity profile defines connectivity and client settings for a Network Access session.
A connectivity profile contains:
- Compression settings for network access connections and application tunnels
- Citrix client settings
- Virtual servers and DNS-location awareness settings for BIG-IP Edge Client® for Windows, Mac, and Linux
- Password caching settings for BIG-IP Edge Client for Windows, Mac, and mobile clients
- Settings for mobile clients
A connectivity profile is also associated with customizable client download packages for Edge Client for Windows and Edge Client for Mac.
You create a connectivity profile to configure client connections for a network access tunnel, application access tunnel, and clients.
- On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.
  A list of connectivity profiles displays.
- Click Add.
  The Create New Connectivity Profile popup screen opens and displays General Settings.
- Type a Profile Name for the connectivity profile.
- Select a Parent Profile from the list.
  APM provides a default profile, /Common/connectivity.
- Select a FEC Profile from the list.
  This setting is optional.
  Note: You can select a previously configured FEC profile only when FEC is included in the BIG-IP system.
- From the Compression Settings folder, click Network Access and make changes to the network access compression settings.
  The settings specify compression settings for network access tunnels.
  The default settings are displayed in the right pane.
- From the Compression Settings folder, click App Tunnel and make changes to the application tunnel compression settings.
  The settings specify available compression codecs for server-to-client connections. By default, compression is enabled, but no codecs are selected in the Available Codecs area.
  The default settings are displayed in the right pane.
- Click the Citrix Client Settings folder to specify the Citrix client bundle. A Citrix client bundle enables delivery of a Citrix Receiver client to a user’s Windows computer when a client is not currently installed, or when a newer client is available. By default, a connectivity profile includes the default Citrix bundle, /Common/default-citrix-client-bundle, which contains a download URL, receiver.citrix.com.
- To configure security settings, servers, OAuth settings, and location-awareness for BIG-IP Edge Client for Windows and macOS, click Win/Mac Edge Client. Edge Client settings for Mac and Windows-based systems display in the right pane.
  Note: Refer to the section Configuring a connectivity profile for Edge Client for Windows and macOS in the BIG-IP Access Policy Manager: Edge Client and Application Configuration for more details.
  - Retain the default (selected) or clear the Save Servers Upon Exit check box to specify whether Edge Client maintains a list of recently used user-entered APM servers.
  - To enable the client to try to use the Windows logon session for an APM session also, select the Reuse Windows Logon Session check box.
  - To enable the client to try to use the credentials that users typed for Windows logon in an APM session also, select the Reuse Windows Logon Credentials check box.
    Note: To support this option, you must also include the User Logon Credentials Access Service in the Windows client package for this connectivity profile, and you must ensure that the access policy includes an uncustomized Logon Page action.
  - To enable the client to launch an administrator-defined script on session termination, select the Run session log off script check box.
  - To enable the client to display a warning before launching the pre-defined script on session termination, select the Show warning to user before launching script check box.
  - To support automatic reconnection without the need to provide credentials again, select the Allow Password Caching check box.
  - To cache the user’s password securely on the disk or in the memory, select the location to save from the Save Password Method list. If you select memory, the Password Cache Expiration (minutes) field displays with a default value of 240. You can either retain the default value or type the number of minutes to save the password in memory.
  - To enable automatic download and update of client packages, from the Component Update list, select yes (default).
- Click OAuth Settings in the left pane to specify optional OAuth settings that Edge Client will use for authenticating Native Apps using the OpenID Connect specification. When OAuth is configured, end-users are required to authenticate via the OAuth authentication flow. This OIDC support provides a consistent authentication experience by enabling two-factor verification and Single Sign-On across Browser and Edge Client. Refer to the section Configuring policies for OAuth client and resource server in the BIG-IP Access Policy Manager: OAuth Concepts and Configuration for details on adding an OAuth Resource Server to the access policy.
  Important: BIG-IP 16.0.0 includes the ability to configure OAuth settings that work only with a compatible version of the client (7.2.1 or above).
  Note: For security reasons, when configuring OAuth settings, ensure that the BIG-IP local traffic policy enforces HTTPS by redirecting HTTP requests to HTTPS for a virtual server on the BIG-IP system. Refer to the OIDC RFC for details on the OAuth 2.0 Authorization Framework.
  - Select the OAuth provider in the Provider list. If you select None, OAuth configuration is disabled.
  - Specify the OAuth Client ID identifier in the Client ID field. OAuth configuration is disabled if the client ID is not specified.
  - Specify the OAuth client secret in the Client Secret (Public) field. The authorization server defines this string. All printable ASCII characters from 0x20 to 0x7E are allowed.
  - Specify the scopes that will be requested by the client in the Scopes field. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings defined by the authorization server. When using multiple strings, the order does not matter. All printable ASCII characters are allowed excluding quote (") and backslash (\).
  - In the Complete Redirection URI field, enter the optional URI for the OAuth client to be directed to when authentication completes or fails. The default APM page is used if this URI is not specified.
- Click Server List in the left pane to specify the list of APM servers to provide when the client connects. The servers you add here display as connection options in the BIG-IP Edge Client.
- Click Location DNS List in the left pane to specify DNS suffixes that are in the local network. Providing a list of DNS suffixes for the download package enables Edge Client to support the auto-connect option. With Auto-Connect selected, Edge Client uses the DNS suffixes to automatically connect when a client is not on the local network (not on the list) and automatically disconnect when the client is on the local network.
- The Mobile Client Settings folder in the left pane contains settings to configure F5 Access for iOS and Android and Edge Portal for iOS and Android. A connectivity profile contains default settings for mobile clients, but you can configure them to fit your situation.
  Note: Refer to the sections Configuring a connectivity profile for Edge Portal for iOS and Android and Configuring a connectivity profile for F5 Access for iOS and Android in the BIG-IP Access Policy Manager: Edge Client and Application Configuration for more details.
- Click OK.
  The popup screen closes, and the Connectivity Profile List displays.
To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.
Compression settings specify the available compression codecs for server-to-client connections. The server compares the available compression types configured in the connectivity profile with the available compression types on the client, and chooses the most effective mutual compression setting.
You can configure the following general settings in a connectivity profile.
| Profile setting | Value | Description |
|---|---|---|
| Profile Name | Text. | Specifies the name of the connectivity profile. |
| Parent Profile | A connectivity profile, selected from a list. | Specifies the parent profile from which the profile inherits settings. |
| FEC Profile | A forward error correcting (FEC) profile, selected from a list. | Specifies a FEC profile that applies to a network access tunnel. Note: FEC profiles might not be available on all BIG-IP systems. |
| Description | Text. | Specifies the description of the connectivity profile. |
| Partition | Text. | Specifies the partition and path in which the profile is stored and used. |
You can configure the following network access compression settings in a connectivity profile.
| Setting | Value | Description |
|---|---|---|
| Compression Buffer Size | Number of bytes. The default is 4096. | Specifies the size of the output buffers containing compressed data. |
| gzip Compression Level | A preset, or a value between 1 and 9. | Specifies the degree to which the system compresses the content. Higher compression levels cause the compression process to be slower and the result to be more compressed. The default compression level is 6 - Optimal Compression (Recommended), which provides a balance between level of compression and CPU processing time. You can also select compression level 1 - Least Compression (Fastest), the lowest amount of compression, which requires the least processing time, or 9 - Most Compression (Slowest), the highest level of compression, which requires the most processing time. You can also select a number between 1 and 9. |
| gzip Memory Level | 1-256 kb. | Specifies the number of kilobytes of memory that the system uses for internal compression buffers when compressing data. You can select a value between 1 and 256. |
| gzip Window Size | 1-128 kb. | Specifies the number of kilobytes in the window size that the system uses when compressing data. You can select a value between 1 and 128. |
| CPU Saver | Selected or cleared. | Specifies, when enabled, that the system monitors the percentage of CPU usage and adjusts compression rates automatically when the CPU usage reaches either the High value or the Low Value. |
| High | Percentage | Specifies the percentage of CPU usage at which the system starts automatically decreasing the amount of content being compressed, as well as the amount of compression which the system is applying. |
| Low | Percentage | Specifies the percentage of CPU usage at which the system resumes content compression at the user-defined rates. |
You can configure the following application tunnel compression settings in a connectivity profile.
| Setting | Value | Description |
|---|---|---|
| Compression | Enable or Disable | Specifies the available compression codecs for server-to-client connections. The server compares the available compression types configured here, with the available compression types on the client, and chooses the most effective mutual compression setting. |
| Adaptive Compression | Enable or Disable | Specifies whether to enable or disable adaptive compression between the client and the server. |
| Deflate Level | From 1 to 9 | Specifies a compression level for deflate compression. Higher numbers compress more, at the cost of more processing time. |
| lzo | Enable or Disable | Specifies LZO compression. LZO compression offers a balance between CPU resources and compression ratio, compressing more than Deflate compression, but with less CPU resources than Bzip2. |
| deflate | Enable or Disable | Specifies deflate compression. Deflate compression uses the least CPU resources, but compresses the least effectively. |
| bzip2 | Enable or Disable | Specifies Bzip2 compression. Bzip2 compression uses the most CPU resources, but compresses the most effectively. |
You can configure the following Windows and Mac Edge Client settings in a connectivity profile.
| Setting | Value | Description |
|---|---|---|
| Save Servers Upon Exit | Enable or Disable | Specifies whether Edge Client maintains a list of recently used user-entered APM servers. Edge Client always lists the servers that are defined in the connectivity profile, and sorts them by most recent access, whether this option is selected or not. This is selected by default. |
| Reuse Windows Logon Session | Enable or Disable | Specifies to enable the client to reuse the Windows logon session for an APM session too. This is cleared by default. |
| Reuse Windows Logon Credentials | Enable or Disable | Specifies to enable the client to reuse the credentials that end-users typed for Windows logon for the APM session too. This is cleared by default. |
| Run session log off script | Enable or Disable | Specifies to enable the client to launch an administrator-defined script on session termination. This is cleared by default. The administrator specifies parameters which are passed by Edge Client to the script file. These parameters are defined by the session variable session.edgeclient.scripting.logoff.params. The client retrieves parameters from BIG-IP after session establishment. The administrator has the flexibility to set up variable values according to policy branching. Each time the Edge Client closes an APM session, the configured script is invoked. On Windows, the script is located at C:\Program Files\F5 VPN\scripts\onSessionTermination.bat. |
| Show warning to user before launching script | Enable or Disable | Specifies to enable the client to display a warning before launching the pre-defined script on session termination. This is selected by default. |
| Allow Password Caching | Enable or Disable | Specifies to support automatic reconnection without the need to provide credentials again. This is cleared by default. |
| Save Password Method | Password method, selected from a list. | Specifies the location to cache the user’s password securely. Select disk to cache the user’s password (in encrypted form) securely on the disk where it is persisted even after the system is restarted or Edge Client is restarted. Select memory to cache the user’s password within the BIG-IP Edge Client application for automatic reconnection purposes. |
| Password Cache Expiration (minutes) | Unsigned integer with value between 0 and 4294967295. | Specifies the number of minutes until the password expires. The default value is 240. |
| Component Update | Client component update, selected from a list. | Specifies how Windows and Mac Edge Clients associated with this connectivity profile get secure access client component updates. Select yes to automatically update client components when available, select prompt to prompt before installing updates, and select no to neither prompt nor install updates. |
Specifies optional OAuth Settings that Edge Client will use for authentication.
| Setting | Value | Description |
|---|---|---|
| Provider | An OAuth provider, selected from a list. | Specifies the OAuth provider. If you select None, OAuth configuration is disabled. |
| Client ID | Text. | Specifies the OAuth Client ID identifier. The client identifier is not a secret and is exposed by the BIG-IP APM virtual server. OAuth configuration is disabled if client ID is not specified. |
| Client Secret (Public) | Text. | Specifies the OAuth client secret. The authorization server defines this string. The client secret for the public client is not a secret and is exposed by the BIG-IP APM virtual server. All printable ASCII characters from 0x20 to 0x7E are allowed. |
| Scopes | Text. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings defined by the authorization server. | Specifies the scopes that will be requested by the client. All printable ASCII characters are allowed excluding quote (") and backslash (\). |
| Complete Redirection URI | Text. | Specifies the optional URI for OAuth client to be directed to when authentication completes or fails. The default APM page is used if this URI is not specified. The URI should start with “https://”, “http://” or “/”. |
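
The field rules in the OAuth Settings table can be checked before a profile is deployed. The following Python check is an added example, not F5 code: the function names, the dictionary keys (which mirror the GUI labels) and the sample values are constructed for illustration, and the plain-HTTP warning is this example's reading of the HTTPS note in the procedure above.

```python
# Added example: rules come from the OAuth Settings table; function names and
# dictionary keys (mirroring the GUI labels) are constructed for illustration.
PRINTABLE = frozenset(chr(c) for c in range(0x20, 0x7F))  # 0x20..0x7E inclusive
SCOPE_CHARS = PRINTABLE - {'"', "\\"}  # quote and backslash are excluded


def parse_scopes(value):
    """Split the space-delimited Scopes field; order is irrelevant, case is not."""
    bad = sorted(set(value) - SCOPE_CHARS)
    if bad:
        raise ValueError(f"Scopes contains disallowed characters: {bad!r}")
    return frozenset(value.split(" ")) - {""}


def check_oauth_settings(cfg):
    """Return (errors, warnings) for one profile's OAuth settings."""
    errors, warnings = [], []
    if cfg.get("Provider", "None") == "None" or not cfg.get("Client ID"):
        return errors, ["OAuth is disabled: Provider is None or Client ID is empty"]
    bad = sorted(set(cfg.get("Client Secret (Public)", "")) - PRINTABLE)
    if bad:
        errors.append(f"Client Secret has characters outside 0x20-0x7E: {bad!r}")
    try:
        parse_scopes(cfg.get("Scopes", ""))
    except ValueError as exc:
        errors.append(str(exc))
    uri = cfg.get("Complete Redirection URI", "")
    if uri and not uri.startswith(("https://", "http://", "/")):
        errors.append("Complete Redirection URI must start with https://, http:// or /")
    elif uri.startswith("http://"):
        warnings.append("Complete Redirection URI uses plain HTTP")
    return errors, warnings


# Constructed sample profile (placeholder values, not from a real system).
SAMPLE = {
    "Provider": "example-provider",
    "Client ID": "edge-client-placeholder",
    "Client Secret (Public)": "s3cr\u00e9t",  # e-acute is outside 0x20-0x7E
    "Scopes": 'openid "profile"',
    "Complete Redirection URI": "http://vpn.example.com/done",
}


if __name__ == "__main__":
    errs, warns = check_oauth_settings(SAMPLE)
    print("errors:", *errs, sep="\n  ")
    print("warnings:", *warns, sep="\n  ")
```
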
Specifies virtual servers for the connectivity profile.
| Setting | Value | Description |
|---|---|---|
| Alias | Text. | Specifies an alternative name of the host name. |
| Host Name | Text. | Specifies the host name of the APM server to provide to the end-user when the client connects. |
Specifies DNS suffixes that are considered to be in the local, or internal network.
| Setting | Value | Description |
|---|---|---|
| Location DNS Name | Text. | Specifies the DNS suffixes that are in the local network. With Auto-Connect selected, Edge Client uses the DNS suffixes to automatically connect when a client is not on the local network (not on the list) and automatically disconnect when the client is on the local network. |