Manual Chapter : F5 Access Apps

Applies To:

BIG-IP APM

  • 13.1.0

Overview: Configuring APM for F5 Access Apps

F5® Access for Android, F5 Access for iOS, and F5 Access for Chrome OS enable secure network access for supported mobile clients. Previously, the Android and iOS products were called BIG-IP® Edge Client® for Android and BIG-IP Edge Client for iOS. For the clients to connect, you need a Network Access configuration on BIG-IP Access Policy Manager®. The Network Access Wizard creates a Network Access configuration with authentication, an access policy, and a virtual server with connectivity and access profiles.

You might need to update the connectivity profile or the network access resource to complete the configuration on APM®. Optionally, you can also configure SSO and ACLs, and add items to the access policy to enable SSO and enforce ACLs.

Task summary

Running the Network Access Setup wizard

Your DNS server must be configured to resolve internal addresses with DNS.
Configure Access Policy Manager® to provide users with full network access when they use BIG-IP® Edge Client® for iOS or BIG-IP Edge Client for Android.
Important: You must specify either the DNS Default Domain Suffix or the DNS Address Space in the Network Access configuration. Otherwise, the system cannot resolve internal DNS addresses.
  1. On the Main tab, click Wizards > Device Wizards.
    The Device Wizards screen opens.
  2. Select Network Access Setup Wizard for Remote Access, and then click Next.
    Tip: Follow the instructions in the wizard to create your access policy and virtual server.
  3. To ensure that Edge Apps can connect from supported mobile devices, for Client Side Checks, clear the Enable Antivirus Check in Access Policy check box.
  4. To specify the DNS Address Space setting, on the Network Access screen perform these substeps:
    1. From Traffic Options, select Force Use split tunneling for traffic.
      Additional settings display.
    2. In the DNS Address Space setting, for each address space, type the address in the form site.siterequest.com or *.siterequest.com, and click Add.
  5. On the DNS Hosts screen, you can type a value in the DNS Default Domain Suffix field.
  6. After you complete the wizard screens and create the configuration, on the Setup Summary screen click Finished.
You now have a network access configuration that supports BIG-IP Edge Client for mobile devices. All configuration object names are prefixed with the policy name that you entered in the wizard.

Configuring a connectivity profile for F5 Access for iOS

A connectivity profile automatically contains default settings for F5 Access for iOS. You should configure the connectivity profile settings to fit your situation.
  1. On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.
    A list of connectivity profiles displays.
  2. Select the connectivity profile that you want to update and click Edit Profile.
    The Edit Connectivity Profile popup screen opens and displays General Settings.
  3. From Mobile Client Settings in the left pane, select iOS Edge Client.
    Settings for the iOS Edge Client display in the right pane.
  4. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.
    The additional fields in the area become available.
  5. To enable device authentication on the client, select Require Device Authentication.
  6. For Save Password Method, specify how to perform password caching:
    • To allow the user to save the encrypted password on the device without a time limit, select disk.
    • To specify that the user password is cached in the application on the user's device for a configurable period of time, select memory.
    If you select memory, the Password Cache Expiration (minutes) field becomes available.
  7. If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.
  8. In the On Demand Disconnect Timeout (minutes) field, retain the default 2, or type a different number of minutes before VPN on demand times out.
  9. To force the app to use a selected logon mode and prevent users from changing it:
    1. Select the Enforce Logon Mode check box.
    2. From the Logon Method list, select web or native.
    Note: This feature is supported with F5 Access for iOS and F5 Access for Android.
  10. Click OK.
    The popup screen closes, and the Connectivity Profile List displays.
You have now configured the security settings for BIG-IP Edge Client for iOS.
To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.

Configuring a connectivity profile for F5 Access for Android

A connectivity profile automatically contains settings for F5 Access for Android. You should configure the settings to fit your situation.
  1. On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.
    A list of connectivity profiles displays.
  2. Select the connectivity profile that you want to update and click Edit Profile.
    The Edit Connectivity Profile popup screen opens and displays General Settings.
  3. From Mobile Client Settings in the left pane, select Android Edge Client.
    Settings for the Android Edge Client display in the right pane.
  4. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.
    The additional fields in the area become available.
  5. For Save Password Method, specify how to perform password caching:
    • To allow the user to save the encrypted password on the device without a time limit, select disk.
    • To specify that the user password is cached in the application on the user's device for a configurable period of time, select memory.
    If you select memory, the Password Cache Expiration (minutes) field becomes available.
  6. If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.
  7. To enhance security on the client, retain the selection of the Enforce Device Lock check box (or clear the check box).
    This check box is selected by default. Edge Portal® and Edge Client support password locking, but do not support pattern locking. If you clear this check box, the remaining settings in the area become unavailable.
  8. For Device Lock Method, retain the default numeric, or select a different method from the list.
  9. For Minimum Passcode Length, retain the default 4, or type a different passcode length.
  10. For Maximum Inactivity Time (minutes), retain the default 5, or type a different number of minutes.
  11. To force the app to use a selected logon mode and prevent users from changing it:
    1. Select the Enforce Logon Mode check box.
    2. From the Logon Method list, select web or native.
    Note: This feature is supported with F5 Access for iOS and F5 Access for Android.
  12. Click OK.
    The popup screen closes, and the Connectivity Profile List displays.
You have now configured the security settings for BIG-IP Edge Client for Android.
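
One way to review the Mobile Client Settings chosen in the two connectivity profile tasks above, as an added example that is not part of the F5 manual. The dictionary keys are hypothetical names derived from the GUI labels, the values are assumed to be transcribed by hand from the Edit Connectivity Profile screen, and the baseline thresholds are an assumed local policy.

```python
# Added example, not F5 code. Keys are hypothetical names derived from the GUI
# labels on the Edit Connectivity Profile screen; BASELINE is an assumed local
# policy, not an F5 recommendation.
BASELINE = {"max_cache_minutes": 60, "min_passcode_length": 6,
            "max_inactivity_minutes": 5}
# Defaults this page states for the Android Edge Client settings.
ANDROID_DEFAULTS = {"enforce_device_lock": True, "minimum_passcode_length": 4,
                    "maximum_inactivity_minutes": 5}

def review_client_settings(client, settings, baseline=BASELINE):
    """Return findings for one Mobile Client Settings entry."""
    findings = []
    if settings.get("allow_password_caching"):
        method = settings.get("save_password_method")
        minutes = settings.get("password_cache_expiration_minutes")
        if method == "disk":
            findings.append("password saved on device with no time limit")
        elif method != "memory":
            findings.append(f"unrecognized save password method: {method!r}")
        elif minutes is None:
            findings.append("memory caching selected but no expiration given")
        elif minutes > baseline["max_cache_minutes"]:
            findings.append(f"password cached for {minutes} min")
    if client == "iOS Edge Client":
        if not settings.get("require_device_authentication"):
            findings.append("device authentication not required")
    elif client == "Android Edge Client":
        s = {**ANDROID_DEFAULTS, **settings}
        if not s["enforce_device_lock"]:
            findings.append("device lock not enforced")
        else:  # the other lock settings apply only while the box is selected
            if s["minimum_passcode_length"] < baseline["min_passcode_length"]:
                findings.append(f"passcode length {s['minimum_passcode_length']} below baseline")
            if s["maximum_inactivity_minutes"] > baseline["max_inactivity_minutes"]:
                findings.append(f"inactivity {s['maximum_inactivity_minutes']} min above baseline")
    if not settings.get("enforce_logon_mode"):
        findings.append("logon mode not enforced")
    return findings

# Constructed samples: values as they might be read off the GUI.
SAMPLE_ANDROID = {"allow_password_caching": True, "save_password_method": "disk",
                  "enforce_logon_mode": True, "logon_method": "native"}
SAMPLE_IOS = {"allow_password_caching": True, "save_password_method": "memory",
              "password_cache_expiration_minutes": 240,
              "require_device_authentication": True}

if __name__ == "__main__":
    for name, cfg in (("Android Edge Client", SAMPLE_ANDROID), ("iOS Edge Client", SAMPLE_IOS)):
        print(name, review_client_settings(name, cfg))
```

Settings left out of the Android dictionary fall back to the defaults this page gives (device lock enforced, passcode length 4, inactivity time 5 minutes), so an untouched profile is still checked against the baseline.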

Overview: Configuring APM for Edge Portal Mobile Apps

BIG-IP® Edge Portal® for Android and BIG-IP Edge Portal for iOS streamline access to portal access web sites and applications that reside behind BIG-IP Access Policy Manager® (APM®). To support the clients, you need a Portal Access configuration on APM. The Portal Access Wizard creates a configuration with authentication, an access policy, and a virtual server with connectivity and access profiles.

You might need to update the connectivity profile or the access policy to complete the configuration on APM.

Task summary

Running the Portal Access wizard

Run the Portal Access Setup Wizard to quickly set up an access policy and a virtual server for your users.
  1. On the Main tab, click Wizards > Device Wizards.
    The Device Wizards screen opens.
  2. Select Portal Access Setup Wizard and click Next.
  3. On the Basic Properties screen in the Policy Name field, type a name for the access policy.
    Note: The name you type here prepends the name of the objects (for example, the virtual server) that the wizard creates for this configuration.
  4. To ensure that Edge Apps can connect from supported mobile devices, for Client Side Checks, clear the Enable Antivirus Check in Access Policy check box.
    Tip: Follow the instructions in the wizard to create your access policy and virtual server.
  5. Click Finished.
You have created the configuration objects that are required for a Portal Access configuration to support BIG-IP® Edge Portal® mobile apps.

Configuring an access policy to support Edge Portal app

Configure an access policy to process access correctly for various client types, including the Edge Portal® app.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click Add New Macro.
  4. From the Select macro template drop-down list, select Client Classification and Prelogon checks.
    The macro inserts an antivirus check for those clients that can support it, and provides the appropriate terminal for each type of client.
  5. Click Save.
  6. Click the plus [+] sign that appears before the Logon Page action.
  7. In the Macrocalls area, click the Client Classification and Prelogon checks button.
  8. Click Add item.
    The Client Classification and Prelogon checks action appears in the access policy sequence.
  9. Click the underlined word Deny in the ending field.
  10. In the Select Ending area, click Allow.
  11. Click Save.

Assigning ACLs to your access policy

Assign ACLs to limit access to resources.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the Resource Assign agent in the access policy branch.
    The Properties screen opens.
  4. Click the Add/Delete Resources link.
    A popup screen with a tab for each resource type displays.
  5. Select the tab, select the ACLs to add to the access policy, and click Update when finished.
  6. Click Apply Access Policy.

Disabling the Home Tab

Disabling the Home Tab ensures that the BIG-IP® Edge Portal® app renders properly.
Note: The Home Tab property exists for each portal access resource item.
  1. On the Main tab, click Access > Connectivity / VPN > Portal Access > Portal Access Lists.
    The Portal Access List screen opens.
  2. Click the name of a resource item for the portal access resource that you created.
    The properties screen for that resource item opens.
  3. In the Resource Items Properties area, select Advanced and for Home Tab, make sure the Enabled check box is cleared.
  4. Click Update.
Repeat this task for each portal access resource item.

Configuring a connectivity profile for Edge Portal for Android

A connectivity profile automatically contains settings for BIG-IP® Edge Portal® for Android clients. You should configure the settings to fit your situation.
  1. On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.
    A list of connectivity profiles displays.
  2. Select the connectivity profile that you want to update and click Edit Profile.
    The Edit Connectivity Profile popup screen opens and displays General Settings.
  3. From Mobile Client Settings in the left pane, select Android Edge Portal.
    Settings for the Android Edge Portal display in the right pane.
  4. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.
    The additional fields in the area become available.
  5. For Save Password Method, specify how to perform password caching:
    • To allow the user to save the encrypted password on the device without a time limit, select disk.
    • To specify that the user password is cached in the application on the user's device for a configurable period of time, select memory.
    If you select memory, the Password Cache Expiration (minutes) field becomes available.
  6. If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.
  7. To enhance security on the client, retain the selection of the Enforce Device Lock check box (or clear the check box).
    This check box is selected by default. Edge Portal® and Edge Client support password locking, but do not support pattern locking. If you clear this check box, the remaining settings in the area become unavailable.
  8. For Device Lock Method, retain the default numeric, or select a different method from the list.
  9. For Minimum Passcode Length, retain the default 4, or type a different passcode length.
  10. For Maximum Inactivity Time (minutes), retain the default 5, or type a different number of minutes.
  11. To force the app to use a selected logon mode and prevent users from changing it:
    1. Select the Enforce Logon Mode check box.
    2. From the Logon Method list, select web or native.
    Note: This feature is supported with F5 Access for iOS and F5 Access for Android.
  12. Click OK.
    The popup screen closes, and the Connectivity Profile List displays.
You have now configured the security settings for BIG-IP Edge Portal for Android clients.

Configuring connectivity profiles for Edge Portal for iOS

A connectivity profile automatically contains settings for BIG-IP® Edge Portal® for iOS. You should configure the settings to fit your situation.
  1. On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.
    A list of connectivity profiles displays.
  2. Select the connectivity profile that you want to update and click Edit Profile.
    The Edit Connectivity Profile popup screen opens and displays General Settings.
  3. From Mobile Client Settings in the left pane, select iOS Edge Portal.
    Settings for the iOS Edge Portal display in the right pane.
  4. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.
    The additional fields in the area become available.
  5. For Save Password Method, specify how to perform password caching:
    • To allow the user to save the encrypted password on the device without a time limit, select disk.
    • To specify that the user password is cached in the application on the user's device for a configurable period of time, select memory.
    If you select memory, the Password Cache Expiration (minutes) field becomes available.
  6. If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.
  7. Specify security by keeping Enforce PIN Lock set to Yes.
    Edge Portal supports PIN locking, but does not support pattern locking.
  8. For Maximum Grace Period (minutes), retain the default 2, or type a different number of minutes.
  9. To force the app to use a selected logon mode and prevent users from changing it:
    1. Select the Enforce Logon Mode check box.
    2. From the Logon Method list, select web or native.
    Note: This feature is supported with F5 Access for iOS and F5 Access for Android.
  10. Click OK.
    The popup screen closes, and the Connectivity Profile List displays.
You have now configured the security settings for BIG-IP Edge Portal for iOS.