Manual Chapter : Hosting a BIG-IP Edge Client Download with Access Policy Manager

Applies To:

BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

About hosting a BIG-IP Edge Client file on Access Policy Manager

You can host files on BIG-IP Access Policy Manager (APM) so clients can download them.
When you host a file on Access Policy Manager, you can provide the link to the file in a number of ways. In this example, the BIG-IP Edge Client for Mac link is provided as a link on the user's webtop. The user connects through the web client, then clicks a link on the webtop to download the client file. To provide the BIG-IP Edge Client for Mac, first you must create a connectivity profile. Then, you can download the Mac client file as a ZIP file.

Configuring a connectivity profile for Edge Client for macOS

Update the connectivity profile in your Network Access configuration to configure security settings, servers, and location-awareness for BIG-IP Edge Client for macOS.
  1. On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.
    A list of connectivity profiles displays.
  2. Select the connectivity profile that you want to update and click Edit Profile.
    The Edit Connectivity Profile popup screen opens and displays General Settings.
  3. From the left pane of the popup screen, select Win/Mac Edge Client.
    Edge Client settings for Mac and Windows-based systems display in the right pane.
  4. Retain the default (selected) or clear the Save Servers Upon Exit check box.
    This setting specifies whether Edge Client maintains a list of recently used user-entered APM servers. Edge Client always lists the servers that are defined in the connectivity profile, and sorts them by most recent access, whether this option is selected or not.
  5. To enable the client to launch an administrator-defined script on session termination, select the Run session log off script check box. The administrator specifies parameters, which Edge Client passes to the script file. These parameters are defined by the session variable session.edgeclient.scripting.logoff.params. The client retrieves the parameters from BIG-IP after session establishment. The administrator has the flexibility to set up variable values according to policy branching. Each time the Edge Client closes an APM session, the configured script is invoked. On macOS, the script is located at /Library/Application Support/F5Networks/EdgeClient/Scripting/onSessionTermination.bat.
    The Run session log off script check box is cleared by default.
  6. To enable the client to display a warning before launching the pre-defined script on session termination, select the Show warning to user before launching script check box.
    This is selected by default.
  7. To support automatic reconnection without the need to provide credentials again, allow password caching.
    1. Select the Allow Password Caching check box.
      This check box is cleared by default.
      The remaining settings on the screen become available.
    2. From the Save Password Method list, select disk or memory.
      If you select disk, Edge Client caches the user's password (in encrypted form) securely on the disk, where it is persisted even after the system is restarted or Edge Client is restarted.
      If you select memory, Edge Client caches the user's password within the BIG-IP Edge Client application for automatic reconnection purposes.
      If you select memory, the Password Cache Expiration (minutes) field displays with a default value of 240.
    3. If the Password Cache Expiration (minutes) field displays, retain the default value or type the number of minutes to save the password in memory.
  8. To enable automatic download and update of client packages, from the Component Update list, select yes (default).
    If you select yes, APM updates Edge Client software automatically on the client system when newer versions are available. This option applies to updates for these components only: BIG-IP Edge Client, component installer service, DNS relay proxy service, and user logon credentials access service.
  9. Beginning with BIG-IP version 16.0.0, the connectivity profile has optional OAuth Settings that Edge Client uses to authenticate native apps using the OpenID Connect specification. When OAuth is configured, end users are required to authenticate via the OAuth authentication flow. This OIDC support provides a consistent authentication experience by enabling two-factor verification and Single Sign-On across the browser and Edge Client.
    For security reasons, when configuring OAuth settings, ensure that the BIG-IP local traffic policy enforces HTTPS by redirecting HTTP requests to HTTPS for a virtual server on the BIG-IP system. Refer to the OIDC RFC for details on the OAuth 2.0 Authorization Framework.
    1. From the left pane of the popup screen, select OAuth Settings.
    2. Select the OAuth provider in the Provider list. If you select None, OAuth configuration is disabled.
    3. Specify the OAuth client identifier in the Client ID field. The client identifier is not a secret and is exposed by the BIG-IP APM virtual server. OAuth configuration is disabled if the client ID is not specified.
    4. Specify the OAuth client secret in the Client Secret (Public) field. The authorization server defines this string. All printable ASCII characters from 0x20 to 0x7E are allowed.
    5. Specify the scopes that will be requested by the client in the Scopes field. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings defined by the authorization server. When using multiple strings, the order does not matter. All printable ASCII characters are allowed excluding quote (") and backslash (\).
    6. In the Complete Redirection URI field, enter the optional URI for the OAuth client to be directed to when authentication completes or fails. The default APM page is used if this URI is not specified. The URI should start with "https://", "http://" or "/".
    Refer to the section Configuring policies for OAuth client and resource server in BIG-IP Access Policy Manager: OAuth Concepts and Configuration for details on adding an OAuth Resource Server to the access policy.
  10. Specify the list of APM servers to provide when the client connects.
    The servers you add here display as connection options in the BIG-IP Edge Client.
    Users can select from these servers or they can type a hostname.
    1. From the left pane of the popup screen, select Server List.
      A table displays in the right pane.
    2. Click Add.
      A table row becomes available for update.
    3. You must type a host name in the Host Name field.
      Typing an alias in the Alias field is optional.
    4. Click Update.
      The new row is added at the top of the table.
    5. Continue to add servers, and when you are done, click OK.
  11. Specify DNS suffixes that are in the local network.
    Providing a list of DNS suffixes for the download package enables Edge Client to support the autoconnect option. With Auto-Connect selected, Edge Client uses the DNS suffixes to automatically connect when a client is not on the local network (not on the list) and automatically disconnect when the client is on the local network.
    DNS suffixes specified here are considered local network suffixes and conform to the rules specified for the local network. The BIG-IP Edge Client uses these suffixes when the user clicks the Auto-Connect option. The administrator-configured DNS suffixes are compared with the DNS suffixes present on the system to detect the network access connection. When the BIG-IP Edge Client detects that it is on one of the specified internal networks, the client is idle and does not connect. When the BIG-IP Edge Client detects the network as remote, the client attempts to establish a Network Access VPN connection.
    1. From the left pane of the popup screen, select Location DNS List.
      Location DNS list information is displayed in the right pane.
    2. Click Add.
      An update row becomes available.
    3. Type a name and click Update.
      Type a DNS suffix that conforms to the rules specified for the local network.
      The new row displays at the top of the table.
    4. Continue to add DNS names and when you are done, click OK.
  12. Click OK.
    The popup screen closes, and the Connectivity Profile List displays.
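
The field rules stated for OAuth Settings in step 9 can be checked before the values are typed into the profile. The following is an added example, not F5 code: the function name lint_oauth_settings, the provider name "idp" and all sample values are hypothetical, and it applies only the rules written in that step.

```python
# Constructed helper: lints OAuth Settings values against the rules in step 9.
# Printable ASCII 0x20-0x7E, the range allowed for Client Secret (Public).
PRINTABLE = {chr(c) for c in range(0x20, 0x7F)}
# Scope strings: printable ASCII except quote and backslash; space is the delimiter.
SCOPE_CHARS = PRINTABLE - {'"', "\\", " "}
URI_PREFIXES = ("https://", "http://", "/")


def lint_oauth_settings(provider, client_id, client_secret, scopes, redirect_uri=""):
    """Return (enabled, problems) for one set of OAuth Settings field values."""
    problems = []
    # Provider None or an empty Client ID disables OAuth configuration entirely.
    enabled = provider not in (None, "", "None") and bool(client_id)
    if not enabled:
        problems.append("OAuth disabled: Provider is None or Client ID is empty")
        return enabled, problems
    bad = sorted({c for c in client_secret if c not in PRINTABLE})
    if bad:
        problems.append(f"Client Secret has characters outside 0x20-0x7E: {bad!r}")
    tokens = scopes.split(" ") if scopes else []
    if "" in tokens:
        problems.append("Scopes: empty entry (leading, trailing or doubled space)")
    for scope in (t for t in tokens if t):
        # Scopes are case-sensitive, so 'OpenID' and 'openid' are different strings.
        if any(c not in SCOPE_CHARS for c in scope):
            problems.append(f"Scopes: {scope!r} contains a disallowed character")
    # The Complete Redirection URI is optional; check the prefix only when set.
    if redirect_uri and not redirect_uri.startswith(URI_PREFIXES):
        problems.append("Complete Redirection URI must start with https://, http:// or /")
    return enabled, problems


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    samples = [
        ("idp", "edge-client", "s3cr3t~ value", "openid profile", "/done"),
        ("idp", "edge-client", "p\u00e4ss", 'openid "email"  profile', "ftp://x"),
        ("None", "edge-client", "s3cr3t", "openid", ""),
    ]
    for sample in samples:
        enabled, problems = lint_oauth_settings(*sample)
        print(enabled, problems)
```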

Downloading the ZIP file for Edge Client for Mac

You can download a Mac Client package and distribute it to clients.
  1. On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.
    A list of connectivity profiles displays.
  2. Select a connectivity profile.
  3. Click the arrow on the Customize Package button and select Mac.
    The Customize Mac Client Package screen displays.
  4. Click Download.
    The screen closes and the package, BIGIPMacEdgeClient.zip, downloads.
The ZIP file includes a Mac installer package (PKG) file and configuration settings.

Uploading BIG-IP Edge Client to hosted content on Access Policy Manager

Upload the client file to the Access Policy Manager hosted content repository so you can provide it to clients through a download link.
  1. On the Main tab, click Access > Webtops > Hosted Content > Manage Files.
    The Manage Files screen opens.
  2. Click the Upload button.
    The Create New File popup screen opens.
  3. For the Select File setting, click the Browse button. Browse and select the BIGIPMacEdgeClient.zip file that you previously downloaded.
    The Select File and File Name fields are populated with the file name.
  4. From the File Action list, select Upload Only.
  5. In the File Destination Folder field, specify the folder path in which to place the file. For purposes of this example, the folder /client is specified.
  6. Click OK.
    The file appears in the hosted content list.
You must associate any access profiles that will access hosted content with the hosted content repository.

Associating hosted content with access profiles

A user can access hosted content that is associated with that user's access profile. Each access profile that requires hosted content access must be associated with the entire hosted content repository.
  1. On the Main tab, click Access > Webtops > Hosted Content > Manage Files.
    The Manage Files screen opens.
  2. On the Upload button, click the right-side arrow to select Manage Access from the list.
    The Access Settings popup screen opens.
  3. Select the access profiles to associate with hosted content, then click OK.
    A user must belong to an associated access profile to access hosted content.
View the hosted content list and verify that the access policy association was successful.

Creating a webtop link for the client installer

You can create and customize links that you can assign to full webtops. In this context, links are defined applications and web sites that appear on a webtop, and can be clicked to open a web page or application. You can customize these links with descriptions and icons.
  1. On the Main tab, click Access > Webtops > Webtop Links.
  2. Click Create.
    The New Webtop Link screen opens.
  3. In the Name field, type a name for the webtop.
  4. From the Link Type list, select Hosted Content.
  5. From the Hosted File link, select public/share/client/BIGIPMacEdgeClient.zip.
  6. In the Caption field, type a descriptive caption.
    The Caption field is pre-populated with the text from the Name field. Type the link text that you want to appear on the web link.
  7. If you want to add a detailed description, type it in the Detailed Description field.
  8. To specify an icon image for the item on the webtop, click in the Image field and choose an image, or click the Browse button.
    Click the View/Hide link to show or hide the currently selected image.
  9. Click Finished.
The webtop link is now configured, and appears in the list, and on a full webtop assigned with the same action. You can edit the webtop link further, or assign it to an access policy.
Before you can use this webtop link, it must be assigned to an access policy with a full webtop, using either an advanced resource assign action or a webtop, links and sections assign action.

Add a webtop, links, and sections to an access policy

You must have an access profile set up before you can add a webtop, links, and sections to an access policy.
You can add an action to an access policy to add a webtop, webtop links, and webtop sections to an access policy branch. Webtop links and webtop sections are displayed on a full webtop.
Do not assign a webtop for a portal access connection configured for minimal patching mode; this configuration does not work.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile for which you want to edit the access policy.
    The properties screen opens for the profile you want to edit.
  3. On the menu bar, click Access Policy.
  4. In the General Properties area, click the Edit Access Policy for Profile profile_name link.
    The visual policy editor opens the access policy in a separate screen.
  5. On a policy branch, click the (+) icon to add an item to the policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  6. On the Assignment tab, select the Webtop, Links and Sections Assign agent and click Add Item.
    The Webtop, Links and Sections Assignment screen opens.
  7. In the Name field, type a name for the policy item.
    This name is displayed in the action field for the policy.
  8. For each type of resource that you want to assign:
    1. Click the Add/Delete link next to the resource type (Webtop Links, Webtop Sections, or Webtop).
      Available resources are listed.
    2. Select from the list of available resources.
      Select only one webtop.
    3. Click Save.
  9. Click the Save button to save changes to the access policy item.
You can now configure further actions on the successful and fallback rule branches of this access policy item.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.