Manual Chapter : Overview: APM Clients

Overview: APM Clients

The browser-based Network Access client component provides full network access through BIG-IP Access Policy Manager. The client component provides users with access to IP-based applications, network resources, and intranet files, as if they were physically working on the office network.

BIG-IP Edge Client provides full network access through BIG-IP Access Policy Manager. Edge Client for Windows, Edge Client for Mac, and F5 Access for macOS provide clients with access to IP-based applications, network resources, and intranet files, as if they were physically working on the office network. Edge Client software comprises individual components that provide network access features and application access.

In addition, Edge Client provides these features:

  • Automatic reconnection
  • Location awareness
  • Password caching
  • Captive portal detection
  • Notifications

F5 Access Apps are available from external download sites and provide network access for supported mobile clients. F5 Access Apps can be downloaded from the OS app stores: the App Store for iPhone, iPad, and iPod touch (iOS) devices, the Google Play Store for Android devices, the Chrome Web Store for Google Chrome OS, and the Windows Phone Apps+Games store.

Access Policy Manager (APM®) CLIs are available for Linux and Windows clients. The CLIs support making a VPN connection with an access policy that includes a Logon Page and any authentication types that require user name and password only. Endpoint security inspections are not supported.

The CLI for Linux is available for download from the BIG-IP system. The Windows CLI is installed with the BIG-IP Edge Client® for Windows.

IPv6 stonewall service support is added to block IPv6 traffic on Windows. The service performs AAAA queries for the hostname exclusions added by the administrator and adds the appropriate allow or deny rules for IPv6 traffic to the driver. The stonewall service blocks IPv6 traffic except for essential protocols such as DNS, DHCP, and ICMPv6 for neighbor discovery, and it supports IPv6-based (IP and DNS) exclusions. The stonewall service reads the exclusions, which can be hostnames or IPv4 or IPv6 addresses, from the registry key in the HKLM\Software location.

IPv6 addresses with a port should be enclosed in square brackets []. For example, [2001:8900:6701:abcd:aabc:bbbb:cccc:23ac]:80

IPv6 addresses without a port can be specified without square brackets []. For example, 2001:8900:6701:abcd:aabc:bbbb:cccc:23ac
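The bracket rule matters because a port appended to a bare IPv6 address is either rejected or silently absorbed into the address. The following linter for an exclusion list is an added example, not F5 code; it assumes the entries have already been read into a list of strings, that hostnames and IPv4 addresses may carry a `:port` suffix, and that a bracketed address without a port is acceptable.

```python
import ipaddress
import re
# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def _port(text):
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)

def classify_exclusion(entry):
    """Return (kind, host, port) for one exclusion entry or raise ValueError."""
    entry = entry.strip()
    if entry.startswith("["):                  # [IPv6] or [IPv6]:port
        addr, closed, rest = entry[1:].partition("]")
        if not closed or (rest and not rest.startswith(":")):
            raise ValueError(f"malformed bracketed address: {entry!r}")
        port = _port(rest[1:]) if rest else None
        return "ipv6", str(ipaddress.IPv6Address(addr)), port
    if entry.count(":") >= 2:                  # bare IPv6: no port can be expressed
        return "ipv6", str(ipaddress.IPv6Address(entry)), None
    host, sep, port = entry.partition(":")     # assumption: host:port is accepted
    port = _port(port) if sep else None
    try:
        return "ipv4", str(ipaddress.IPv4Address(host)), port
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    if all(_LABEL.match(l) for l in labels) and not labels[-1].isdigit():
        return "hostname", host.lower(), port
    raise ValueError(f"not a hostname or IP address: {entry!r}")

def audit(entries):
    """Map each entry to its parsed form, or to the reason it was rejected."""
    report = {}
    for entry in entries:
        try:
            report[entry] = classify_exclusion(entry)
        except ValueError as exc:
            report[entry] = f"REJECT: {exc}"
    return report

# Constructed sample list; the first two entries are the examples from the text.
SAMPLE = ["[2001:8900:6701:abcd:aabc:bbbb:cccc:23ac]:80",
          "2001:8900:6701:abcd:aabc:bbbb:cccc:23ac",
          "2001:8900:6701:abcd:aabc:bbbb:cccc:23ac:80",  # port without brackets
          "2001:db8::1:80",  # parses, but ":80" is now part of the address
          "intranet.example.com", "192.0.2.10"]
```

Calling `audit(SAMPLE)` rejects the nine-group entry, while `2001:db8::1:80` is accepted as an address with no port, which is the case a reviewer has to catch by eye.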

APM Client 7.2.7 introduces support for Post-Quantum Cryptography (PQC) cipher groups, ensuring secure VPN connectivity in alignment with emerging quantum-resistant encryption standards. The legacy cryptographic infrastructure (such as OpenSSL 1.1.1 and SChannel) is replaced with OpenSSL 3.5.0 to enable support for TLS 1.3 and PQC-ready cipher suites, such as X25519+MLKEM768.

The following APM clients support PQC:

  • Windows Edge Client
  • macOS F5 Access
  • Linux CLI client
  • Windows Web Client
  • Linux Web Client

To leverage PQC support in APM Clients:

  • Upgrade Edge Client/Web Client to 7.2.7.
  • Upgrade BIG-IP APM system to 17.5.1 or later.
  • Configure the BIG-IP SSL profiles to include PQC cipher groups, such as X25519+MLKEM768.
  • Ensure that your environments support PQC-ready (e.g., Dilithium) certificates and certificate chains.
  • Ensure that end users' default browsers support TLS 1.3 with PQC.

Microsoft’s Trident engine (Embedded Browser) does not support PQC MLKEM ciphers. As a result, any HTTPS requests initiated by Trident will not use PQC MLKEM ciphers during the TLS handshake. This affects the following scenarios:

  • Edge Client: When configured to use the embedded browser for user authentication, all HTTPS requests initiated from the Trident engine will not support PQC ciphers. This limitation applies only to authentication that uses the embedded browser. To overcome it, configure the system's default web browser for user authentication.
  • Web VPN: Web VPN uses Trident to render the VPN connectivity UI. UI-related HTML file requests (/vdesk/resource_all_info.eui, webtop_resource_inner.eui) and subsequent requests, such as CSS or JS files and timeoutagent-i.php, initiated by the Trident engine will not use PQC ciphers.
  • Windows Pre-Logon: Similar to Edge Client, when Pre-Logon uses the embedded browser for user authentication, HTTPS requests from this engine will not support PQC ciphers.

Note: These limitations do not affect the Machine Tunnel client. VPN tunnel establishment of all the Windows Clients is unaffected by the Trident limitation.

You can access all of the BIG-IP system documentation from the AskF5 Knowledge Base located at https://support.f5.com/.

| Document | Description |
|---|---|
| BIG-IP Access Policy Manager: Application Access | This guide contains information for an administrator to configure application tunnels for secure, application-level TCP/IP connections from the client to the network. |
| BIG-IP Access Policy Manager: Authentication Essentials | This guide contains information to help an administrator understand authentication concepts, such as AAA server, SSL certificate, local user database, and so on. |
| BIG-IP Access Policy Manager: Authentication Methods | This guide describes different types of authentication, including Active Directory, LDAP and LDAPS, RSA SecurID, RADIUS, OCSP, CRLDP, Certificate, TACACS+, and so on. |
| BIG-IP Access Policy Manager: OAuth Concepts and Configuration | This guide describes OAuth concepts and explains how to configure the system to use OAuth authorization servers, resource servers, and other examples. |
| BIG-IP Access Policy Manager: SAML Configuration | This guide introduces SAML concepts and provides several examples using APM as a SAML IdP, as a SAML service provider, and others. |
| BIG-IP Access Policy Manager: Single Sign-On Concepts and Configuration | This guide describes how to configure different types of single sign-on methods, such as HTTP basic, HTTP forms-based, NTLMv1, NTLMv2, Kerberos, OAuth Bearer. |
| BIG-IP Access Policy Manager: Customization | This guide provides information about using the APM customization tool to provide users with a personalized experience for access policy screens and errors. An administrator can apply your organization's brand images and colors, change messages and errors for local languages, and change the layout of user pages and screens. |
| BIG-IP Access Policy Manager: Edge Client and Application Configuration | This guide contains information for an administrator to configure the BIG-IP system for browser-based access with the web client as well as for access using BIG-IP Edge Client and F5 Access Apps. It also includes information about how to configure or obtain client packages and install them for BIG-IP Edge Client for Windows, Mac, and Linux, and Edge Client command-line interface for Linux. |
| BIG-IP Access Policy Manager: Implementations | This guide contains implementations for synchronizing access policies across BIG-IP systems, hosting content on a BIG-IP system, maintaining OPSWAT libraries, configuring dynamic ACLs, web access management, and configuring an access policy for routing. |
| BIG-IP Access Policy Manager: Network Access | This guide contains information for an administrator to configure APM Network Access to provide secure access to corporate applications and data using a standard web browser. |
| BIG-IP Access Policy Manager: Portal Access | This guide contains information about how to configure APM Portal Access. In Portal Access, APM communicates with back-end servers, rewrites links in application web pages, and directs additional requests from clients back to APM. |
| BIG-IP Access Policy Manager: Secure Web Gateway | This guide contains information to help an administrator configure Secure Web Gateway (SWG) explicit or transparent forward proxy and apply URL categorization and filtering to Internet traffic from your enterprise. |
| BIG-IP Access Policy Manager: Third-Party Integration | This guide contains information about integrating third-party products with Access Policy Manager (APM). It includes implementations for integration with VMware Horizon View, Oracle Access Manager, Citrix Web Interface site, and so on. |
| BIG-IP Access Policy Manager: Visual Policy Editor | This guide contains information about how to use the visual policy editor to configure access policies. |
| Release notes | Release notes contain information about the current software release, including a list of associated documentation, a summary of new features, enhancements, fixes, known issues, and available workarounds. |
| KB articles | Knowledge base articles are responses and resolutions to known issues, additional configuration instructions, and how-to information. |