Applies To:
Show VersionsBIG-IP APM
- 12.0.0
Clients for Linux
About Linux clients
Access Policy Manager® (APM®) supports two Linux clients, a CLI and Network Access client components for browser-based access. On the CLI for Linux, APM supports logon with user name and password only and does not support any endpoint security features.
On the client component for Linux, APM supports all of the primary Network Access features, except for Drive Mappings and some endpoint security features. For endpoint security support for the web client for Linux, refer to BIG-IP® APM® Client Compatibility Matrix on AskF5™ at http://support.f5.com/. For information about Network Access features, refer to BIG-IP® Access Policy Manager: Network Access on AskF5™ at http://support.f5.com/.
About browser-based connections from Linux, Mac, and Windows clients
For Linux, Mac OS X, and Windows-based systems, the Network Access client component is available for automatic download from the BIG-IP® system.
The first time a remote user starts Network Access, APM® downloads a client component. This client component is designed to be self-installing and self-configuring. If the browser does not meet certain requirements, APM prompts the user to download the client component and install it manually.
Requirements for client installation and use on Linux
The table lists requirements for installing Network Access client components on a Linux system and using them for web-based access.
Requirement | Specification |
---|---|
Browser | Use Firefox for installing the client component. The browser must support the installation of plugins. |
Firewall settings | If you have a firewall enabled on your Linux system, you must enable access on IP address 127.0.0.1, port 44444. |
PPP | The system must support PPP. (This is usually the case.) The user must have permission to run the PPP daemon. |
Installation privilege | The remote user must have superuser authority, or, must be able to supply an administrative password to successfully install the Network Access client. |
About Network Access features for Linux clients
Access Policy Manager® (APM®) supports two Linux clients, a CLI and Network Access client components that support web-based access. On the CLI for Linux, APM supports logon with user name and password only and does not support any endpoint security features.
With the web-based client components for Linux, APM supports all of the primary Network Access features, except for Drive Mappings and some endpoint security features. For endpoint security support for the web client for Linux, refer to BIG-IP® APM® Client Compatibility Matrix on AskF5™ at http://support.f5.com/. For information about Network Access features, refer to BIG-IP® Access Policy Manager: Network Access on AskF5 at http://support.f5.com/.
Specifying applications to start on a Linux client
Overview: Installing and using the CLI for Linux
The BIG-IP® Access Policy Manager® includes a CLI for Linux. With the CLI, users can initiate VPN connections through APM® from the command line. You can download and deploy this client to your organization's Linux desktops.
Task summary
Downloading the Linux command line client
Installing the CLI for Linux
- Extract the file linux_sslvpn.tgz to your local directory.
- Extract the file linux_sslvpn.tar to your local directory.
- Run the install script Install.sh under the root account.
--> Please check f5fpc --help command to get started
--> Uninstaller located in /usr/local/lib/F5Networks/uninstall_F5.shImporting a certificate to the local trust store
Linux client commands
The following commands are supported by the Linux command line client. All commands that are invoked on the Linux command line client begin with the command f5fpc.
To start a VPN connection, type either of the following commands:
- f5fpc -- start [arguments]
- f5fpc - s [arguments]
Use the following table to assign arguments to the Linux commands.
Arguments | Description |
---|---|
--nonblock
|
Returns the command line interface immediately after the command. |
--host [https://]hostname[:port]
|
The host name to which the client starts the VPN connection. This is required. |
--user username
|
The optional user name for the connection. |
--password password
|
The optional password for the connection. |
--userhex hex-encoded-username
|
The optional hex-encoded user name for the connection. |
--passwordhex hex-encoded-password
|
The optional hex-encoded password for the connection. |
--cert certificate
|
Specifies an optional client certificate. |
--key certificate_key
|
Specifies the key for an optional client certificate. |
--keypass SSL_certificate_password
|
Specifies the password for an optional SSL certificate. |
--cacert trusted_CA_certificate
|
Specifies a certificate from a trusted certificate authority (CA). If --cacert or --cacertdir is specified, then the server certificate validates for trust against the specified certificate or directory. If --cacert or --cacertdir is not specified, then the default location /etc/ssl/certs is checked to verify trust. The --nocheck option can be specified if a server certificate check is not desired, though this is not recommended. |
--cacertdir trusted_CA_certificate_directory
|
Specifies a certificate directory that contains a certificate from a trusted CA. If --cacert or --cacertdir is specified, then the server certificate validates for trust against the specified certificate or directory. If --cacert or --cacertdir is not specified, then the default location /etc/ssl/certs is checked to verify trust. The --nocheck option can be specified if a server certificate check is not desired, though this is not recommended. |
--nocheck
|
Specifies that the trusted CA certiicate is not verified for trust at all. If --cacert or --cacertdir is specified, then the server certificate validates for trust against the specified certificate or directory. If --cacert or --cacertdir is not specified, then the default location /etc/ssl/certs is checked to verify trust. The --nocheck option can be specified if a server certificate check is not desired, though this is not recommended. |
- f5fpc -- stop
- f5fpc --o
- f5fpc -- info
- f5fpc --i
- f5fpc -- help
- f5fpc --h
Info command status and error codes
The following status codes and error codes might be displayed when you run the --info command.
Error code/command status | Hex value | Shell value | Description |
---|---|---|---|
CLI_ERROR_SUCCESS | 0x0 | 0 | The command line operation was successful. |
CLI_ERROR_USERS_DISCONNECT | 0x150 | 80 | The user was disconnected |
CLI_ERROR_LOGON_FAILURE | 0x151 | 81 | Login failed due to incorrect authenticaion information or login errors. |
CLI_ERROR_ATTENTION_REQUIRED | 0x154 | 84 | The user's attention is required. |
CLI_ERROR_GENERIC_FAILURE | 0x155 | 85 | An error occurred in the system API. |
CLI_ERROR_UNKNOWN_PARAMETER | 0x156 | 86 | An incorrect or unknown parameter was passed to the command line. |
CLI_ERROR_WRONG_VALUE | 0x157 | 87 | This is an undefined error. |
CLI_ERROR_UNKNOWN_SESSION_ID | 0x158 | 88 | An unknown session ID was encountered. The user should reconnect to the server. |
CLI_ERROR_NO_PROFILE | 0x15B | 91 | No such profile exists. |
CLI_ERROR_MSGQ_OPEN_FAILURE | 0x15D | 93 | The system failed to open the message queue. |
CLI_ERROR_OPERATION_IN_PROGRESS | 0x15F | 95 | An operation is in progress, please retry. |
kss_Initialized | 1 | 1 | The session is initialized. |
kss_LogonInProgress | 2 | 2 | The user login is in progress. |
kss_Idle | 3 | 3 | The session is idle. |
kss_Established | 5 | 5 | The session is established. |
kss_AttentionReq | 6 | 6 | The session requires the user's attention. |
kss_LogonDenied | 7 | 7 | Login was denied. |
kss_LoggedOut | 8 | 8 | The user is logged out of the server. |
Editing the log level for Edge Client on Linux
VPN component installation and log locations on Linux
On Linux operating systems, the client installs the VPN components and writes VPN logs to the locations listed in the table.
Category | Location |
---|---|
VPN component | /usr/local/lib/F5Networks |
VPN logs | ~/.F5Networks |