Manual Chapter : BIG-IP Edge Client for Windows

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

BIG-IP Edge Client for Windows

About Component Installer

The Component Installer service enables you to install and upgrade client-side Access Policy Manager (APM) components on Windows-based clients for all kinds of user accounts, regardless of the rights under which the user is working. This component is especially useful for installing and upgrading client-side components when the user has insufficient rights to install or upgrade the components directly.
After you install the Component Installer, it automatically installs and upgrades client-side APM components. It can also update itself. The Component Installer requires that installation or upgrade packages be signed using the F5 Networks certificate or another trusted certificate. By default, F5 Networks signs all components using the F5 Networks certificate.

Downloading and installing the Component Installer

You can pre-install client components for your users who do not have administrative privileges on Windows-based systems.
  1. On the Main screen, click the F5 logo to display the Welcome page.
  2. Scroll to the Downloads area.
  3. In the links for BIG-IP Edge Client Components, click
    Component Installer Package for Windows
    .
    The MSI installer downloads to your local folder.
  4. On Windows-based clients, install the Component Installer with elevated privileges so that it can install, upgrade, and run APM components that require elevated privileges.
    For information about configuring the MSI installer to run with elevated privileges, see the documentation for your operating system.

Overview: Configuring and installing Edge Client for Windows

Users of BIG-IP Edge Client for Windows can connect securely and automatically to your network while roaming using the automatic reconnect, password caching, and location awareness features of Edge Client. You can also enforce Always Connected mode, and configure the list of trusted sites to which to allow access. You can customize the client package and you must download it and make it available to users as hosted content on the BIG-IP system or through another delivery mechanism. Users must install the package, or Component Installer, if available on the client, can install it for them.

About Machine Cert Auth and user privilege

A Machine Cert Auth check requires administrative privilege. The Windows client package associated with a connectivity profile can be configured to include a Machine Certificate Checker Service component. The service can check the machine certificate on a client endpoint even when the user does not have admin privilege. The option to include this component in the package is disabled by default.

About Edge Client location awareness

The BIG-IP Edge Client provides a location-awareness feature. Using location awareness, the client connects automatically only when it is not on a specified network. The administrator specifies the networks that are considered in-network, by adding DNS suffixes to the connectivity profile. With a location-aware client enabled, a user with a corporate laptop can go from a corporate office, with a secured wireless or wired network connection, to an offsite location with a public wireless network connection, and maintain a seamless connection to allowed corporate resources. Network location-awareness can be triggered to run because of various reasons, such as IP changes and network interfaces starting up or shutting down. In reconnect mode, Edge Client might briefly establish a VPN tunnel before the network location-awareness feature can disconnect it. The Edge Client matches DNS suffixes reported by the system API to detect network location.
During a network switch, such as changing Wifi connections, Edge Client with network location-awareness must detect whether the new connection is local or remote. During this detection timeframe, there is a brief amount of time that Edge Client does not block certain external websites and can be reachable during the network switch.

About Edge Client automatic reconnection

BIG-IP Edge Client provides an automatic reconnection feature. This feature attempts to automatically reconnect the client system to corporate network resources whenever the client connection drops or ends prematurely.

About Always Connected mode

BIG-IP®Edge Client® provides Always Connected mode. This feature allows you to specify that the client is always connected to the VPN, and allows you to configure the behavior when the client is not connected. You can specify whether the client is connected automatically after Windows logon, and configure exclusion addresses.

Configuring a connectivity profile for Edge Client for Windows

Update the connectivity profile in your Network Access configuration to configure security settings, servers, and location-awareness for BIG-IP Edge Client for Windows.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Connectivity
    Profiles
    .
    A list of connectivity profiles displays.
  2. Select the connectivity profile that you want to update and click
    Edit Profile
    .
    The Edit Connectivity Profile popup screen opens and displays General Settings.
  3. From the left pane of the popup screen, select
    Win/Mac Edge Client
    .
    Edge Client settings for Mac and Windows-based systems display in the right pane.
  4. Set Edge Client action settings:
    1. Retain the default (selected) or clear the
      Save Servers Upon Exit
      check box.
      Specifies whether Edge Client maintains a list of recently used user-entered APM servers. Edge Client always lists the servers that are defined in the connectivity profile, and sorts them by most recent access, whether this option is selected or not.
    2. To enable the client to try to use the Windows logon session for an APM session also, select the
      Reuse Windows Logon Session
      check box.
      This is cleared by default.
    3. To enable the client to try to use the credentials that they typed for Windows logon in an APM session also, select the
      Reuse Windows Logon Credentials
      check box.
      This is cleared by default.
      To support this option, you must also include the
      User Logon Credentials Access Service
      in the Windows client package for this connectivity profile and you must ensure that the access policy includes an uncustomized
      Logon Page
      action.
    4. To enable the client to launch an administrator-defined script on session termination, select the
      Run session log off script
      check box. The administrator specifies parameters which are passed by Edge Client to the script file. These parameters are defined by the session variable
      session.edgeclient.scripting.logoff.params
      . The client retrieves parameters from BIG-IP after session establishment. The administrator has the flexibility to set up variable values according to policy branching. Each time the Edge Client closes an APM session, the configured script is invoked. On Windows, the script is located at
      C:\Program Files\F5 VPN\scripts\onSessionTermination.bat
      .
      The
      Run session log off script
      check box is cleared by default.
    5. To enable the client to display a warning before launching the pre-defined script on session termination, select
      Show warning to user before launching script
      check box.
      This is selected by default.
  5. To support automatic reconnection without the need to provide credentials again, allow password caching.
    1. Select the
      Allow Password Caching
      check box.
      This check box is cleared by default.
      The remaining settings on the screen become available.
    2. To require device authentication to unlock the saved password, select
      Require Device Authentication.
      This option links the option to use a saved password to a device authentication method. Supported device authentication methods include PIN, passphrase, and biometric (fingerprint) authentication on iOS and Android. Android devices also support pattern unlocking.
    3. From the
      Save Password Method
      list, select
      disk
      or
      memory
      .
      If you select
      disk
      , Edge Client caches the user's password (in encrypted form) securely on the disk where it is persisted even after the system is restarted or Edge Client is restarted.
      If you select
      memory
      ,  Edge Client caches the user's password within the BIG-IP Edge Client application for automatic reconnection purposes.
      If you select
      memory
      , the
      Password Cache Expiration (minutes)
      field displays with a default value of 240.
    4. If the
      Password Cache Expiration (minutes)
      field displays, retain the default value or type the number of minutes to save the password in memory.
  6. To enable automatic download and update of client packages, from the
    Component Update
    list, select
    yes
    (default).
    If you select
    yes
    , APM updates Edge Client software automatically on the client system when newer versions are available. This option applies to updates for theses components only: BIG-IP Edge Client, component installer service, DNS relay proxy service, and user logon credentials access service.
  7. Specify DNS suffixes that are considered to be in the local network.
    Providing a list of DNS suffixes for the download package enables Edge Client to support the autoconnect option. With
    Auto-Connect
    selected, Edge Client uses the DNS suffixes to automatically connect when a client is not on the local network (not on the list) and automatically disconnect when the client is on the local network.
    1. From the left pane of the popup screen, select
      Location DNS List
      .
      Location DNS list information is displayed in the right pane.
    2. Click
      Add
      .
      An update row becomes available.
    3. Type a name and click
      Update
      .
      Type a DNS suffix that conforms to the rules specified for the local network.
      The new row displays at the top of the table.
    4. Continue to add DNS names and when you are done, click
      OK
      .
  8. Click
    OK
    .
    The popup screen closes, and the Connectivity Profile List displays.

Configuring Always Connected mode for the Windows Edge Client

Update the connectivity profile in your Network Access configuration to configure Always Connected mode.
  1. On the Main tab, click
    Access
    Connectivity/VPN
    Connectivity
    Profiles
    .
  2. Select the connectivity profile that you want to update and click
    Edit Profile
    .
    The Edit Connectivity Profile popup screen opens and displays General Settings.
  3. From the left pane of the popup screen, select
    Win/Mac Edge Client
    .
    Edge Client settings for Mac and Windows-based systems display in the right pane.
  4. Set Edge Client action settings:
    1. Retain the default (selected) or clear the
      Save Servers Upon Exit
      check box.
      Specifies whether Edge Client maintains a list of recently used user-entered APM servers. Edge Client always lists the servers that are defined in the connectivity profile, and sorts them by most recent access, whether this option is selected or not.
    2. To enable the client to try to use the Windows logon session for an APM session also, select the
      Reuse Windows Logon Session
      check box.
      This is cleared by default.
    3. To enable the client to try to use the credentials that they typed for Windows logon in an APM session also, select the
      Reuse Windows Logon Credentials
      check box.
      This is cleared by default.
      To support this option, you must also include the
      User Logon Credentials Access Service
      in the Windows client package for this connectivity profile and you must ensure that the access policy includes an uncustomized
      Logon Page
      action.
  5. To support automatic reconnection without the need to provide credentials again, allow password caching.
    1. Select the
      Allow Password Caching
      check box.
      This check box is cleared by default.
      The remaining settings on the screen become available.
    2. To require device authentication to unlock the saved password, select
      Require Device Authentication.
      This option links the option to use a saved password to a device authentication method. Supported device authentication methods include PIN, passphrase, and biometric (fingerprint) authentication on iOS and Android. Android devices also support pattern unlocking.
    3. From the
      Save Password Method
      list, select
      disk
      or
      memory
      .
      If you select
      disk
      , Edge Client caches the user's password (in encrypted form) securely on the disk where it is persisted even after the system is restarted or Edge Client is restarted.
      If you select
      memory
      ,  Edge Client caches the user's password within the BIG-IP Edge Client application for automatic reconnection purposes.
      If you select
      memory
      , the
      Password Cache Expiration (minutes)
      field displays with a default value of 240.
    4. If the
      Password Cache Expiration (minutes)
      field displays, retain the default value or type the number of minutes to save the password in memory.
  6. To enable automatic download and update of client packages, from the
    Component Update
    list, select
    yes
    (default).
    If you select
    yes
    , APM updates Edge Client software automatically on the client system when newer versions are available. This option applies to updates for theses components only: BIG-IP Edge Client, component installer service, DNS relay proxy service, and user logon credentials access service.
  7. Specify DNS suffixes that are considered to be in the local network.
    Providing a list of DNS suffixes for the download package enables Edge Client to support the autoconnect option. With
    Auto-Connect
    selected, Edge Client uses the DNS suffixes to automatically connect when a client is not on the local network (not on the list) and automatically disconnect when the client is on the local network.
    1. From the left pane of the popup screen, select
      Location DNS List
      .
      Location DNS list information is displayed in the right pane.
    2. Click
      Add
      .
      An update row becomes available.
    3. Type a name and click
      Update
      .
      Type a DNS suffix that conforms to the rules specified for the local network.
      The new row displays at the top of the table.
    4. Continue to add DNS names and when you are done, click
      OK
      .
  8. Click
    OK
    .
    The popup screen closes, and the Connectivity Profile List displays.

Customizing a downloadable client package for Windows

Customize a Windows client package to specify the client components to install, and to customize settings for BIG-IP Edge Client and Dialup Settings components if you include them.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Connectivity
    Profiles
    .
    A list of connectivity profiles displays.
  2. Select a connectivity profile.
  3. Click the
    Customize Package
    button.
    The Customize Windows Client Package popup screen displays with Available Components displayed.
  4. Make sure that only the components that you want to include in the package are selected.
  5. To include the software service that allows the client to store encrypted Windows logon credentials and use those credentials to log on to APM, select the
    User Logon Credentials Access Service
    check box.
    For clients to use the service, you must also select the
    Reuse Windows Logon Credentials
    check box in the connectivity profile.
  6. To include a service that can check the machine certificate on a client endpoint even when the user does not have admin privilege, select the
    Machine Certificate Checker Service
    check box.
    Without this service, a user running without admin privilege cannot pass the Machine Cert Auth endpoint security check.
  7. If the
    BIG-IP Edge Client
    check box is selected, from the left pane select
    BIG-IP Edge Client
    .
    BIG-IP Edge Client settings display in the right pane.
    1. To enable the Edge Client to try to connect to VPN right after the user logs on to Windows and to prohibit the user from disconnecting VPN, select the
      Enable always connected mode
      check box. This setting is cleared by default.
    2. Specify the traffic flow for this feature when the VPN is disconnected.
      • Select
        Allow
        to allow all traffic when the VPN is disconnected.
      • Select
        Allow-Only-In-Enterprise-LAN
        to allow LAN traffic only when the VPN is disconnected.
      • Select
        Block
        to deny all traffic when the VPN is disconnected.
    3. To add the virtual servers that are defined in the Windows/Mac Edge Client settings of the connectivity profile to the Windows Trusted sites list the first time the client starts, retain selection of the
      Add virtual server to trusted sites list
      check box. Otherwise, clear it.
      Virtual servers added to the Trusted sites list with this option remain on the trusted sites list indefinitely. This works with the
      User Logon Credentials Access Service
      setting (available on the Available Components screen) to provide seamless logon with Edge Client if APM accepts the same credentials that users use to log on to Windows.
    4. To automatically start the Edge Client after the user logs on to Windows, retain selection of the
      Auto launch after Windows Logon
      check box. Otherwise, clear it.
    5. To add sites to the Exclusions list to be excluded from the traffic flow options action, click
      Add
      , and add the IP address or FQDN. You can add a total of 10 values to the whitelist. However this list can be extended on client side using the registry editor or group policy.
      Configured exclusion list
      Screenshot Customize Window Client Package
      When you specify the port after the host name (for both IPv4 or DNS names), then access will be granted only to specified ports for both TCP and UDP protocols as well as for ICMP. When the port is not specified, then full access is granted to a remote host.
  8. To customize Dialup Settings (if selected on the Available Components screen), from the left pane select
    Dialup Settings
    .
    Dialup Entry / Windows Logon Integration settings display in the right pane.
  9. With
    Dialup Settings
    selected, you can specify how you want the user to authenticate to APM.
    Users must always type a user name and password to log on to Windows. Subsequently, clients authenticate to APM.
    • If you want the access policy to run and display a screen where the user must click
      Logon
      , select the
      Enforce Access Policy in Custom Dialer
      check box and clear the
      Prompt Username and Password
      check box. (With these settings, username and password fields are prefilled and the access policy runs.)
    • If you want the user to view a logon prompt and click
      Connect
      , clear the
      Enforce Access Policy in Custom Dialer
      check box and select the
      Prompt Username and Password
      check box. (With these settings, username and password fields are prefilled and the access policy does not run.)
    • If you do not want the user to do anything to authenticate to APM, clear the
      Enforce Access Policy in Custom Dialer
      and
      Prompt Username and Password
      check boxes. (With these settings, the access policy does not run and the logon prompt is suppressed.)
  10. Click
    Download
    .
    The screen closes and the package,
    BIGIPEdgeClient.exe
    , downloads.
The customized package,
BIGIPEdgeClient.exe
, is downloaded to your client. It is available for you to distribute.

About exclusion list modification

The exclusion addresses are stored as registry keys, and not values in the registry in
HKLM\SOFTWARE\WOW6432Node\F5 Networks\RemoteAccess\AlwaysConnected\Exclusions
key. Any values in the key are ignored. You may manually add, edit or remove values under this key using the registry editor or group policy mechanisms. The always-connected service reads those values on start, restart and on network events.
The traffic to the exclusion list is never blocked until the VPN is established, so you can whitelist known identity providers (IdPs) and other sites that are deemed harmless, which improves the usability of locked client mode. After VPN establishment, the client behaves according to the Network Access resource configuration.

Downloading the client package for Windows

You can download a Windows client package and distribute it to clients.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Connectivity
    Profiles
    .
    A list of connectivity profiles displays.
  2. Select a connectivity profile.
  3. Click the
    Customize Package
    button.
    The Customize Windows Client Package popup screen displays with Available Components displayed.
  4. Click
    Download
    .
    The screen closes and the package,
    BIGIPEdgeClient.exe
    , downloads.
The customized package,
BIGIPEdgeClient.exe
, is downloaded to your client. It is available for you to distribute. Users must install the package, or, if Component Installer is available on the client, it can install the package for the user.

About Network Access features for Windows-based clients

Access Policy Manager® (APM®) supports all Network Access features with BIG-IP® Edge Client® for Windows. For a complete list of Network Access features, refer to
BIG-IP® Access Policy Manager®: Network Access
on AskF5 at
http://support.f5.com/
. For notes about endpoint security features, refer to
BIG-IP® APM® Client Compatibility Matrix
on AskF5 at
http://support.f5.com/
.

About connection options on Edge Client for Windows

User interface on a Windows-based system
Screenshot Edge Client for Windows
BIG-IP® Edge Client® for Windows user interface displays these connection options.
Auto-Connect
Starts a secure access connection as it is needed. This option uses the DNS suffix information defined in the connectivity profile to determine when the computer is on a defined local network. When the computer is not on a defined local network, the secure access connection starts. When the computer is on a local network, the client disconnects, but remains active in the system tray. This option does not display if DNS suffixes were not defined.
Connect
Starts and maintains a secure access connection at all times, regardless of the network location.
Disconnect
Stops an active secure access connection, and prevents the client from connecting again until a user clicks
Connect
or
Auto-Connect
.

About browser-based connections from Linux, Mac, and Windows clients

For Linux, Mac OS X, and Windows-based systems, the Network Access client component is available for automatic download from the BIG-IP® system.
The client component supports secure remote web-based access to the network. It is not the same as the customizable client package that is associated with the connectivity profile.
The first time a remote user starts Network Access, APM® downloads a client component. This client component is designed to be self-installing and self-configuring. If the browser does not meet certain requirements, APM prompts the user to download the client component and install it manually.

About machine tunnels for Windows

Machine Tunnels are a new Desktop Client feature for Windows only. When installed on client machines as a Windows Service, a machine tunnel starts during the machine boot sequence, and establishes a VPN connection to the specified APM servers in background. No user interaction or interactive Windows session is required. This can be used for several different scenarios.
  • Off-premise or remote initial provisioning
    : Machine tunnels can provide connectivity to the corporate datacenter when the user logs in to a corporate laptop for the very first time.
  • Remote computer maintenance
    : IT staff can manage the machine and update software when the user is not logged in, but the device is on and idle.
  • Remote troubleshooting
    : Support Staff are able to log into a user machine via a secure tunnel.
  • Remote self-service
    : When users forget their passwords, IT staff can use machine tunnels to reset the user passwords.

About machine tunnels and proxy servers

Machine Tunnel works as a privileged, non-interactive process under the LocalSystem account and does not support BIG-IP proxy configuration. Machine Tunnels ignore proxy settings configured in APM network access resource and do not use Local Area Network (LAN) proxy settings on the client, instead, the machine tunnel leaves its per-VPN connection proxy settings empty.
If the network access resource has a network route to 0.0.0.0 and the VPN is connected, Windows tries to apply proxy settings from this connection. Because the connection does not have proxy settings, Windows applies empty proxy settings. If the network access resource does not have a route to 0.0.0.0, Windows does not override the system's proxy settings.
Windows has separate proxy settings for the LAN adapter and each Dial-Up/VPN connection. It uses the proxy settings from the active internet connection which can be either LAN or a Dial-Up/VPN type. When Machine Tunnels are connected with the default full tunnel (0.0.0.0) routing, it is the Active Internet Connection, and Windows uses its empty proxy settings. This results in an effective configuration without proxy regardless of the current LAN settings.
To resolve this issue, split the VPN tunnel resource into multiple subnets. As a result, the machine tunnel VPN client does not create any 0.0.0.0 route.
For example:
1.0.0.0/255.0.0.0
2.0.0.0/254.0.0.0
4.0.0.0/252.0.0.0
8.0.0.0/248.0.0.0
16.0.0.0/240.0.0.0
32.0.0.0/224.0.0.0
64.0.0.0/192.0.0.0
128.0.0.0/128.0.0.0
After this routing change, Windows does not consider the machine tunnel VPN as the primary internet connection and uses the LAN proxy settings regardless of the VPN connection status.

About desktop client interactions with machine tunnels

The service establishes a machine tunnel connection on system boot. Once a user logs in to her machine, the user can establish a new VPN connection with the desktop client. A manual client VPN connection overrides the machine tunnel, effectively putting the machine tunnel connection "on hold". The machine tunnel VPN connection pauses, until one of the following events occurs:
  • The user explicitly disconnects from the user-initiated VPN session.
  • The user logs out of Windows.
  • The user-initiated VPN session times out.
  • The user's VPN client is stopped, or the client crashes.
Once one of the interactions above occurs, the machine tunnel connection is resumed.

About creating the machine tunnel installer package

Edge Client 7.1.7 and later supports the ability to create a VPN based on machine credentials with BIG-IP versions 13.1 and above. However, the ability to create a Machine Tunnel installer package through the
Connectivity/VPN
Profiles
Customize Windows Client Package
utility is available for BIG-IP 14.x and above. For BIG-IP 13.x and earlier versions, you must set up the installer package manually and use the Powershell script to build the machine tunnel package.

PowerShell script to create the machine tunnel installer

This script can be used to create the machine tunnel installer on Windows.

PowerShell script createMachineTunnelsPkg.ps1

param([Parameter(Mandatory=$true)][string] $client_iso) $MountResult = Mount-DiskImage -ImagePath $client_iso -PassThru $mountdrive = ($MountResult | Get-Volume).DriveLetter $tempDirectoryBase = [System.IO.Path]::GetTempPath(); Do { $newTempDirPath = [String]::Empty; [string] $name = [System.Guid]::NewGuid(); $newTempDirPath = (Join-Path $tempDirectoryBase $name); } While (Test-Path $newTempDirPath); New-Item -ItemType Directory -Path $newTempDirPath; $setupConfig = @" <?xml version="1.0" encoding="UTF-8"?> <CLIENT_CONFIGURATOR> <SETUP_CONFIGURATION> <PRODUCTNAME>BIG-IP Edge Client (TM) package</PRODUCTNAME> <DATABASE>f5fpclients.msi</DATABASE> <MINIMUM_MSI>150</MINIMUM_MSI> <PROPERTIES>STARTAPPWITHWINDOWS=1</PROPERTIES> <OPERATION>INSTALLUPD</OPERATION> </SETUP_CONFIGURATION> <FEATURES> <FEATURE>MachineTunnelService</FEATURE> <FEATURE>PortRedirector</FEATURE> </FEATURES> <STONEWALL_EXCLUSIONS> </STONEWALL_EXCLUSIONS> </CLIENT_CONFIGURATOR> "@ $setupConfig | Add-Content (-join ($newTempDirPath, "\_setup_configuration_.f5c")); Copy-Item -Path (-join ($mountdrive, ":\sam\www\webtop\public\download\f5fpclients.msi")) -Destination (-join ($newTempDirPath, "\f5fpclients.msi")); $F5_VPNPath = (Join-Path $newTempDirPath "F5 VPN"); $amd64Path = (Join-Path $F5_VPNPath "amd64"); $F5_TMPPath = (Join-Path $F5_VPNPath "F5_TMP"); New-Item -ItemType Directory -Path $F5_VPNPath; New-Item -ItemType Directory -Path $amd64Path; New-Item -ItemType Directory -Path $F5_TMPPath; Copy-Item -Path (-join ($mountdrive, ":\sam\www\webtop\public\download\F5MachineTunnelService.exe")) -Destination (-join ($F5_VPNPath, "\F5MachineTunnelService.exe")); Copy-Item -Path (-join ($mountdrive, ":\sam\www\webtop\public\download\scew_uls.dll")) -Destination (-join ($F5_VPNPath, "\scew_uls.dll")); Copy-Item -Path (-join ($mountdrive, ":\sam\www\webtop\public\download\F5MachineTunnelInfo.exe")) -Destination (-join ($F5_VPNPath, "\F5MachineTunnelInfo.exe")); Copy-Item -Path (-join ($mountdrive, ":\sam\www\webtop\public\download\F5FltSrv.exe")) -Destination (-join ($F5_VPNPath, "\F5FltSrv.exe")); Copy-Item -Path (-join ($mountdrive, ":\sam\www\webtop\public\download\F5FltDrv.sys")) -Destination (-join ($F5_VPNPath, "\F5FltDrv.sys")); Copy-Item -Path (-join ($mountdrive, ":\sam\www\webtop\public\download\F5FltSrvAMD64.exe")) -Destination (-join ($amd64Path, "\F5FltSrv.exe")); Copy-Item -Path (-join ($mountdrive, ":\sam\www\webtop\public\download\F5FltDrvAMD64.sys")) -Destination (-join ($amd64Path, "\F5FltDrv.sys")); Copy-Item -Path (-join ($mountdrive, ":\sam\www\webtop\public\download\urxvpn.cab")) -Destination (-join ($F5_TMPPath, "\urxvpn.cab")); Set-Location $newTempDirPath; $pkgPath = (Join-Path $tempDirectoryBase "MachineTunnelsSetup.exe") zip -r (-join ($newTempDirPath, ".zip")) "F5 VPN" _setup_configuration_.f5c f5fpclients.msi gc (-join ($mountdrive, ":\sam\www\webtop\public\download\setupstub.exe")),(-join ($newTempDirPath, ".zip")) -Enc Byte -Read 512 | sc $pkgPath -Enc Byte

Create the machine tunnel install package

Following are the prerequisites for creating an installer package on BIG-IP versions that do not include the machine tunnel installer:
  • Desktop APM Clients ISO 7.1.7 or later, available from downloads.f5.com.
  • GNU win32 zip package, installed and available in the path. Get this package from http://gnuwin32.sourceforge.net/downlinks/zip.php.
  • A PowerShell script,
    createMachineTunnelsPgk.ps1
    , used to create machine tunnels. This script is included for reference. Download or create the PowerShell script to a user temp directory.
  • Administrator privileges on a Windows 10 machine.
  • Windows PowerShell with an unrestricted execution policy. If not already configured, you can set the unrestricted execution policy for PowerShell by starting power shell as an administrator, and executing the following command at the PowerShell prompt:
    set-executionpolicy unrestricted
Use these steps to manually create the installer package.
  1. Open a PowerShell window.
  2. Run the PowerShell script
    createMachineTunnelsPkg.ps1
    , with the path to the APM Desktop client 7.1.7 ISO as the parameter.
    C:\users\example_user\temp\createMachineTunnelsPkg.ps1 c:\Users\example_user\Downloads\apmclients-7166.2018.307.1909-2552.0.iso
    The installer package is created and made available under the temp directory, as
    MachineTunnelsSetup.exe
    .
You can use
MachineTunnelsSetup.exe
to install the Machine Tunnels service on Windows 10 client machines.

Apps installed for machine tunnel support

These apps are installed to support machine tunnels on Windows.
App
Location
Description
f5MachineTunnelService.exe
%WINDIR%\SysWOW64 (64-bit), %WINDIR%\System32 (32-bit)
The machine tunnel srevice runs on the machine to provide machine tunnel functionality.
f5MachineTunnelInfo.exe
%WINDIR%\SysWOW64 (64-bit), %WINDIR%\System32 (32-bit)
The console application for the machine tunnel, which provides configuration support and allows the user to get additional information about the service.

Registry keys for machine tunnel configuration

These registry keys control configuration for machine tunnels on Windows.

VPN Servers (Required Parameter)

This key should be created in
HKLM\SYSTEM\CurrentControlSet\services\F5MachineTunnelService\Parameters\VPNServers
.
Name
Registry Type
Type
Description
Default
Server0
REG_SZ
URL
The URL to which the VPN connects. Only one VPN server URL is supported. For example,
https://vpn.company.com/
.

Connection Parameters (Optional)

These keys should be created in
HKLM\SYSTEM\CurrentControlSet\services\F5MachineTunnelService\Parameters
. If the keys are not created, then the default values will be used for these parameters.
Name
Registry Type
Type
Description
Default
LogonAttemptsInterval
REG_DWORD
DWORD
Maximum delay between logon attempts in seconds.
30
IgnoreSSLErrors
REG_DWORD
DWORD
Allows access to a virtual server without a valid certificate. You can add this value for testing or debugging purposes.
1
- Ignore SSL errors and allow access to insecure servers.
0
, or any other value - SSL errors are not ignored, and connections to insecure servers fail.
N/A

Credential Parameters (Optional)

These keys should be created in
HKEY_USERS\<Service_account_SID>\Software\F5 Networks\MachineTunnelService
.
Name
Registry Type
Type
Description
Default
username
REG_SZ
Base64 encoded binary data
Base64 encoded encrypted user name for authentication (optional).
N/A
password
REG_SZ
Base64 encoded binary data
Base64 encoded encrypted password (optional)
N/A

Configuring an access policy for machine tunnel support

Configure an access policy to detect the machine tunnel client type.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile you want to edit.
  3. On the menu bar, click
    Access Policy
    .
  4. For the
    Visual Policy Editor
    setting, click the
    Edit access policy for Profile
    policy_name
    link.
    The visual policy editor opens the access policy in a separate window or tab.
  5. Click the
    (+)
    icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  6. On the Endpoint Security (Server-Side) tab, select
    Client Type
    , and then click
    Add Item
    .
    The Client Type action identifies clients and enables branching based on the client type.
    A properties screen opens.
  7. On the Machine Tunnel client branch, change the ending to
    Allowed
    .
  8. Click
    Save
    .
    The Access Policy screen reopens.
  9. Set up the appropriate authentication and client-side checks required for application access at your company, and click
    Add Item
    .
  10. Change the Successful rule branch from
    Deny
    to
    Allow
    and click the
    Save
    button.
  11. If needed, configure further actions on the successful and fallback rule branches of this access policy item, and save the changes.
  12. At the top of the screen, click the
    Apply Access Policy
    link to apply and activate your changes to this access policy.
  13. Click the
    Close
    button to close the visual policy editor.
To apply this access policy to network traffic, add the access profile to a virtual server.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Configuring a username and password for the machine tunnel

This task requires that the f5MachineTunnelInfo.exe is installed on the client system on which you are configuring the machine tunnel.
Configure a username and password for the machine tunnel connection. This is recommended only for testing purposes.You must run f5MachineTunnelInfo.exe as an administrator.
  1. From a DOS command prompt in Windows, type
    f5MachineTunnelInfo -s -u <
    username
    > -p <
    password
    >
    .
The machine tunnel username and password is set.

Defining the VPN server for the machine tunnel

This task requires that f5MachineTunnelInfo.exe is installed on the client system on which you are configuring the machine tunnel. This task requires admin access and the ability to edit the Windows Registry.
  1. Start the registry editor (
    Start
    regedit
    ).
  2. Navigate to
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\F5MachineTunnelService\Parameters\VPNServers
    .
  3. In the right pane, right-click and select
    New
    String Value
    .
  4. In the
    Name
    field, type
    Server0
    .
  5. Right-click the value and select
    Modify
    .
    The Edit String dialog opens.
  6. Type the VPN server FQDN or IP address and click
    OK
    .
  7. Exit the Registry Editor.
The VPN server for the machine tunnel is now defined.

Configuring client certificates for machine tunnel authentication

This task requires that the f5MachineTunnelService is installed on the client system on which you are configuring certificates.
Configure a client certificate for the f5 Machine Tunnel Service.
  1. On a Windows client or administrative system, click
    Start
    Run
    and type
    mmc
    , then click
    OK
    .
  2. Click
    File
    Add/Remove Snap-in
    and then click
    Add
    .
  3. Under
    Snap-in
    , double-click
    Certificates
    , click
    Service account
    , then click
    Next
    .
  4. Do one of the following.
    • To manage certificates for services on your local computer, click
      Local computer
      , and then click
      Next
      .
    • To manage certificates for a remote computer, click
      Another computer
      and type the name of the computer, or click
      Browse
      to select the computer name, and then click
      Next
      .
  5. Click the service for which you are managing certificates. In this case this is the F5MachineTunnelService Personal store.
  6. Click
    Finish
    , and then click
    Close
    .
    Certificates - Service (f5MachineTunnelService) on
    Computer Name
    appears on the list of selected snap-ins for the new console.
  7. Click
    OK
    .
  8. Click
    File
    Save
    .
The machine tunnel service is associated with the certificate.

Generating a troubleshooting report from Edge Client for Windows

A troubleshooting report provides numerous details about the client and its functioning, such as log files and their contents, components and versions, and so on.
  1. Open the BIG-IP Edge Client user interface.
    On a client with a
    Start
    button, you can type
    BIG-IP
    in the search field and, in the results, click
    BIG-IP Edge Client
    .
  2. Click the
    View Details
    button.
    The Details popup screen displays.
  3. Click the
    Diagnostics Report
    button.
    A Save As popup screen opens.
  4. Select a location, specify a file name, and click
    Save
    .
    A Collecting data popup screen remains open until the report completes.
  5. Navigate to the location with the downloaded file, extract the files to a folder, and click the HTML file in the folder.
    The F5 Report displays in a browser screen.
  6. Open the BIG-IP Edge Client user interface.
    On a client with a
    Start
    button, you can type
    BIG-IP
    in the search field and, in the results, click
    BIG-IP Edge Client
    .
  7. Click the
    View Details
    button.
    The Details popup screen displays.
  8. Click the
    Diagnostics Report
    button.
    A Save As popup screen opens.
  9. Select a location, specify a file name, and click
    Save
    .
    A Collecting data popup screen remains open until the report completes.
  10. Navigate to the location with the downloaded file, unzip it to a folder, and click the HTML file in the folder.
    The report displays.

Overview: Installing and using the client troubleshooting utility

Access Policy Manager® provides a client troubleshooting utility for Windows-based systems. Users can access the utility to check the availability and version information for Windows client components, and run Network Access diagnostic tests. The utility is integrated into BIG-IP® Edge Client® for Windows. To run Network Access diagnostics and troubleshooting reports on clients that have only the browser-based Network Access client component, you can download and install the client troubleshooting utility.

Task summary

Downloading the client troubleshooting utility

To run the client troubleshooting utility from the command line on a Windows-based system, you must first download the utility from the BIG-IP system.
  1. On the Main screen, click the F5 logo to display the Welcome page.
  2. Scroll to the Downloads area.
  3. In the links for BIG-IP Edge Client Components, click
    Client Troubleshooting Utility for Windows
    .
The file
f5wininfo.exe
is saved to your local disk.

Viewing client components in the client troubleshooting utility

You can use the client troubleshooting utility to view client components on Windows-based systems.
  1. Double-click
    f5wininfo.exe
    to start the client troubleshooting utility.
    The F5 BIG-IP Edge Components Troubleshooting screen opens.
  2. Use the navigation panel on the left to explore the component categories.

Generating a client troubleshooting report

You can generate a client troubleshooting report on Windows-based systems and include several types of data, a Network Access diagnostic test and so on, in the report.
  1. Double-click
    f5wininfo.exe
    to start the client troubleshooting utility.
    The F5 BIG-IP Edge Components Troubleshooting screen opens.
  2. Click
    File
    Generate Report
    .
    The Report screen opens.
  3. Under
    Type
    , select the types of reports that you want to run.
  4. Under
    Format
    , select
    html
    or
    text
    for the type of report.
  5. To generate a compressed report, select the
    compressed
    option.
  6. To view the report without saving the report, click
    View
    .
    While the report runs, a Collecting Data popup screen opens and a System Information popup screen opens if the system information report type runs; the popup screens close. If you selected
    html
    format, the report opens in a browser screen.

Running a Network Access diagnostic test

You can use the client troubleshooting utility to run a Network Access diagnostic test on Windows-based systems.
If BIG-IP Edge Client for Windows is installed, you can run a Network Diagnostics test from the user interface.
  1. Double-click
    f5wininfo.exe
    to start the client troubleshooting utility.
    The F5 BIG-IP Edge Components Troubleshooting screen opens.
  2. Click
    Tools
    Network Access Diagnostic
    .
    The Network Access Diagnostic popup screen opens.

Overview: Reusing Windows logon credentials for Edge Client

If you want users of BIG-IP® Edge Client® for Windows to start a Network Access session with the credentials that they typed to log on to a Windows-based system, you must configure the connectivity profile, the client download package, and the access policy to support this.
A client must be joined to a domain to reuse Windows logon credentials. This will not work if the client is standalone, and not joined to a domain.

Task summary

Configuring a connectivity profile to reuse Windows logon credentials

For users to reuse Windows credentials to start a Network Access session, you must select the
Reuse Windows Logon Credentials
check box in the connectivity profile.
A client must be joined to a domain to reuse Windows logon credentials. This will not work if the client is standalone, and not joined to a domain.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Connectivity
    Profiles
    .
    A list of connectivity profiles displays.
  2. Select the connectivity profile that you want to update and click
    Edit Profile
    .
    The Edit Connectivity Profile popup screen opens and displays General Settings.
  3. From the left pane of the popup screen, select
    Win/Mac Edge Client
    .
    Edge Client settings for Mac and Windows-based systems display in the right pane.
  4. Select the
    Reuse Windows Logon Credentials
    check box.
  5. Click
    OK
    .
    The popup screen closes, and the Connectivity Profile List displays.

Customizing the Edge Client package for Windows logon credentials reuse

For users to reuse their Windows credentials to start a Network Access session, the Edge Client package must contain the user logon credentials access service.
A client must be joined to a domain to reuse Windows logon credentials. This will not work if the client is standalone, and not joined to a domain.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Connectivity
    Profiles
    .
    A list of connectivity profiles displays.
  2. Select the connectivity profile for which you want to customize the client package.
  3. Click the
    Customize Package
    button.
    The Customize Windows Client Package popup screen displays with Available Components displayed.
  4. Select the
    User Logon Credentials Access Service
    check box.
    This software service allows the client to store encrypted Windows logon credentials and use those credentials to log on to Access Policy Manager.
  5. Click
    Download
    .
    The screen closes and the package,
    BIGIPEdgeClient.exe
    , downloads.
You must make the downloaded package available to your users, as hosted content or through some other delivery mechanism. Users must install the package or, Component Installer, if present on user systems, can install it for them.

Configuring an access policy for Windows logon credentials reuse

For users to reuse Windows credentials to start a Network Access session, you must ensure that the access policy includes a Logon Page action that has not been customized.
A client must be joined to a domain to reuse Windows logon credentials. This will not work if the client is standalone, and not joined to a domain.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the
    Edit
    link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Make any adjustments needed to the access policy to ensure that it includes a Logon Page action that has not been customized. (Other logon page actions do not support the reuse Windows logon credentials option.)
    The Logon Page action must contain only the default fields and the JavaScript cannot be removed or otherwise changed as can be done through Access Policy Manager Customization. If necessary, you can delete a Logon Page action and add it to the policy again to ensure that it is not customized.
  4. Click
    Finished
    .
    The popup screen closes.
  5. Click the
    Apply Access Policy
    link to apply and activate the changes to the policy.