Applies To:Show Versions
Important: We only test the latest maintenance releases of BIG-IP and update their corresponding compatibility matrices. To find the latest maintenance release of BIG-IP, refer to the https://support.f5.com/csp/article/K5903 article. You should then refer to the latest compatibility matrix of that version for an updated list of supported software.
F5 Networks supports the functionality of BIG-IP Access Policy Manager on the most-used platforms and ensures support with the commonly used operating systems (OS) and browsers. Both IPv4 and IPv4+IPv6 deployments are supported, except as noted below.
Supported Access and Endpoint Security Features
|F5 Helper Application for Endpoint Inspection||+ 1||+ 1||+ 1|
|F5 Helper Application for Network Access||+ 1||+ 1||+ 1|
|ActiveSync and Outlook Anywhere||+||n/a||+|
|Machine Certificate Checker||+||n/a||+|
|Machine Info Inspector||+||+3||+3|
|DNS Relay Proxy Service||+||n/a||n/a|
|Traffic Control Service||+||n/a||n/a|
|Inbox F5 VPN Client||+||n/a||n/a|
|Reconnect to Domain||+||n/a||n/a|
|Citrix Terminal Services||+||+||+|
|Microsoft Native RDP Client||+||-||+|
|Microsoft ActiveX RDP Client||+||n/a||n/a|
|Java RDP Client||+7||+7||+7|
1 Refer to release notes of the F5 Helper Application for specific browser support.
2 Visit www.askf5.com for a list of supported products and vendors
3 Machine Info Inspector can only collect MAC addresses on Mac and Linux platforms.
4 For Linux, the Network Access feature does not work with a proxy server.
5 IPv6 not supported.
6 Microsoft Edge Browser and all the Universal Windows Platform (UWP) applications are not supported with BIG-IP APM application tunnels and optimized applications.
7 Java RDP and Java AppTunnels are not supported on Google Chrome and Firefox.
8 Optimised tunnels are not supported for Windows on ARM64.
Supported features on Remote Access clients
F5 has several client software packages that facilitate secure remote connectivity for different device platforms. Because of differences in platforms, the capabilities of each client are also different. Refer to the K23653432 article for the list of available features in the F5 Remote Access clients.
OS / Browser and Browser Compatibility
F5 supports the listed operating systems and browser releases, with the latest service pack or service pack equivalent, for up to 3 years from the time of initial release, as long as the listed operating systems and browsers are still supported by the vendor.
If an operating system or browser vendor ends mainstream support before the end of that 3 year period for a release or service pack, F5 will also end support at the same time. Once an operating system or browser has surpassed the 3-year date from release, F5 will continue to monitor the user base of this operating system or browser release. When a release reaches a usage level that can no longer justify development, test, and support resources, we will issue an EoL (End of Life) Solution at least three months prior to the planned EoDS (End of Development Support).
Microsoft’s policy of Servicing Channels with Windows 11 and Windows 10 has changed the F5 support policy for Windows 11 and Windows 10 as follows:
- F5 supports Microsoft Windows 11 version 21H2 General Availability Channel for 24 or 36 months from the date of the release. F5 supports Microsoft Windows 10 version 21H2 General Availability Channel for 18 or 30 months from the date of the release. The General Availability channel replaces the Semi-Annual Channel and is considered as a primary servicing channel recommended for Windows 10 servicing. For more details, refer to the Windows 11 and Windows 10 release information.
- F5 supports Microsoft Windows 10 version 21H1 Semi-Annual Channel for 18 months from the date of release. The Semi-Annual Channel replaces the Current Branch (CB) and Current Branch for Business (CBB) concepts.
- F5 supports Windows 10 versions 21H2 and 21H1 Long-Term Servicing Channel (LTSC) releases for up to two years from the initial release date, as long as such a release is within the "mainstream support" period. The Long-Term Servicing Channel replaces the Long-Term Servicing Branch (LTSB) concept.
Once a release has passed two years from the release date, F5 will monitor the user base of this release. When a release reaches a usage level that can no longer justify development, test, and support resources, we will issue an EoL (End of Life) Solution at least three months prior to the planned EoDS (End of Development Support).
See https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet for more details. For specific information about which builds Microsoft supports as part of its servicing branches, see https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches.
Important: This policy only applies to the BIG-IP end-user interfaces, and not the administrative web console for BIG-IP or any other F5 product.
Microsoft® Windows OS
F5 supports Windows 11 64-bit version 21H2 (Intel/AMD/ARM), Windows 10 64-bit versions 21H2 and 21H1 on Intel/AMD/ARM, and Windows 10 32-bit versions 21H2 and 21H1 on Intel/AMD running Microsoft Edge, Firefox, or Chrome. Other browsers using F5 Helper Applications can support 32-bit and 64-bit versions to provide Network Access and Endpoint Check functionality.
BIG-IP APM system supports Windows 10 IoT Enterprise as BIG-IP APM client.
Note: BIG-IP APM system does not support Windows 10 IoT Core as BIG-IP APM client.
Note: Microsoft Edge Browser and all the Universal Windows Platform (UWP) applications are not supported with BIG-IP APM application tunnels and optimized applications. When using BIG-IP APM app tunnels or optimized applications, F5 recommends the following practices:
- Use a supported browser, such as Chrome, or Firefox to access your protected resources.
- Use the BIG-IP Edge Client to establish a network access VPN connection.
Note: F5 does not support the Microsoft Internet Explorer 11 desktop application as it went out of support. For more information, refer to the Lifecycle policy for Internet Explorer and Microsoft Edge.
BIG-IP APM supports two Linux clients, a CLI and Network Access client components for browser-based access. On the CLI for Linux, APM supports logon with user name and password only and does not support any endpoint security features. On the client component for Linux, APM supports all of the primary Network Access features, except for Drive Mappings and some endpoint security features.
Refer to https://support.f5.com/csp/article/K23653432 for details on the features supported.
Safari 13 and macOS Catalina (10.15) are supported with APM Client 18.104.22.168 on BIG-IP 13.1.x or later.
Browser plugin support has largely been discontinued by browser manufacturers and is not supported on BIG-IP 13.1.x or later. Only BIG-IP APM 12.x and earlier versions support browser plugins. For more information refer https://support.f5.com/csp/article/K15326.
To use endpoint checks with macOS High Sierra (10.13), EPSEC build 580.0+ must be installed on the Access Policy Manager.
* APM Client compatibility testing was performed on the major release of macOS Monterey and macOS Big Sur. Any patches (security updates) and minor versions released on top of a major release are supported by default. Refer to https://support.f5.com/csp/article/K16070101 for details and APM Client release notes for known issues.
F5 provides F5 App software fixes for the current major version of Android and one major version back. For older Android versions, F5 will provide configuration assistance on a case-by-case basis.
For software released on any vendor’s App Store, F5 provides software fixes only for the currently released version of the corresponding F5 App.
Note: For Network Access support, install F5 Access (previously known as BIG-IP Edge Client) from Google Play. Only the latest version of F5 Access is available on Google Play Store. The BIG-IP Edge Portal app, which previously provided secure mobile access to enterprise web applications, is no longer provided for download.
F5 provides F5 App software fixes for the current major version of iOS and one major version back. For older iOS versions, F5 will provide configuration assistance on a case-by-case basis.
For Network Access support, please install F5 Access through the App Store. The Safari browser has been tested for compatibility with Portal Access and Webtop features.
* F5 Access is compatible with iOS 15.x versions and is waiting for Apple to resolve the iOS 15 per-app VPN connectivity issue while switching between Wi-Fi and cellular networks. This issue is currently reported to Apple and tracked through the bug id 1064177.
Note: The compatibility testing is performed on iOS 15.1 version. Any patches (security updates) and minor versions released after iOS 15.1 version are supported.
Application tunnels and MS RDP Terminal Services are not supported on these platforms. Windows RT supports Network Access through Inbox F5 VPN Client. Network Access is supported on Windows Phone 8.1 using BIG-IP Edge Client for Windows Phone 8.1 that is available from the Windows Phone Store.
Clientless features (Portal Access, Citrix, and VMware Webtop-based launch) are supported on Chrome OS.
For Network Access functionality please install F5 Access for Chrome OS from Chrome Web Store.
Java SE 7 and Java SE 8 have been fully qualified by F5. Java-related features can't be utilized using Google Chrome on OS X and Linux because Google Chrome doesn't support Java plugin on OS X and Linux.
- Portal Access (PA) is designed to provide access to the organization's internal web applications. Due to their rapidly changing nature, cloud-based applications are better suited for the identity federation use case.
- Portal Access does not support web applications that rely on identity federation scenarios (Oauth/SAML/Azure AD) with token forwards and does not work as expected, especially when Azure AD is configured behind the PA. The topology becomes complex because the PA needs to split the ingress for rewriting and non-rewriting.
- While configuring a SAML Service Provider (SP), you cannot configure any SAML SP as a resource for portal access. If the BIG-IP system is configured as portal access to the backend resource which is an actual SAML SP, then the portal access (rewrite filter) performs a URL rewriting which is not compatible with SAML functionality. The SAML SP backend resource should be configured as a pool for portal access to work. For more information, refer to the Using APM as a SAML Service Provider.
- Portal Access does not support the Compression Mode (Compression Profiles).
- Portal Access and web applications do not support Transport Layer Security (TLS) Server Name Indication (SNI) that depend on the SNI would fail to work as expected. Mitigation of this issue is possible using an iRule. Refer to the K40453455 article.
- Portal Access does not support the HTTP/2 protocol.
- MS Office 2010 for Windows
- MS Office 2011 for Mac
- MS Office 2013 for Windows
- MS Office 2016 for Windows and Mac (This includes an Office 365 subscription)
- Virtual Apps and Desktops 7 1808.2, 1811, 1906*, 1912*, 2003*, 2006*, 2009*, 2012*, 2103*, 2106*, 2109*, 2112*, 2203*, 2206*
- XenApp 7.5, 7.6, 7.7, 7.8, 7.9, 7.11, 7.13, 7.14, 7.15, 7.16, 7.18
- XenDesktop 7, 7.1, 7.5, 7.6, 7.7, 7.8, 7.9, 7.11, 7.13, 7.14, 7.15, 7.16, 7.18
- Storefront 2.5, 2.6, 3.0, 3.6, 3.7, 3.8, 3.9, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 1811, 1906, 1912, 2203**
- Citrix Receiver for HTML5 1.3, 1.4, 1.5, 1.6 (Storefront 2.5 and 2.6)
- Citrix Receiver for HTML5 1.7 (Storefront 3.0)
- Citrix Receiver for HTML5 2.0 (Storefront 3.5 and 3.6)
- Citrix Receiver for HTML5 2.1 (Storefront 3.5 and 3.6)
- Citrix Receiver for HTML5 2.4 (Storefront 3.9)
- Citrix Receiver for HTML5 2.5.1 (Storefront 3.9)
* Only features available in XenApp and XenDesktop are supported.
** Storefront does not work when upgraded from version 1912 to 2203. To resolve this issue, uninstall and install the Storefront with the new release version.
The following clients were tested:
- Citrix Workspace app for Windows 1808, 1809, 1812, 1907*, 1911*, 2006*, 2009*, 2010*, 2103.1*, 2105*, 2106*, 2109*, 2202*, 2207*
- Citrix Workspace app for Mac 1808, 1812, 1906*, 1912 *, 2009*, 2010*, 2102*, 2104*, 2108*, 2109*, 2112*, 2206*
- Citrix Workspace app for iOS 1808, 1811, 1907* ** , 20.1.0* **, 21.3.5**, 21.5.2*, 21.7.5*, 21.9.5*, 22.2.5*, 22.3.0*, 22.8.0*
- Citrix Workspace app for Android 1809, 1812, 1907*, 20.1.5*, 21.3.5*, 21.5.0*, 21.8.0*, 21.10.0*, 22.2.0*, 22.3.0*, 22.7.5*
- Citrix Workspace App for Linux: 1810, 1906*, 1912*, 2004*, 2009*, 2010*, 2103*, 2104*, 2106*, 2109*, 2112*, 2207*
- Citrix Workspace App for HTML5: 1811, 1906*, 2005*, 2009*, 2010*, 2101*, 2105.6 *, 2109*
- Citrix Receiver for Windows 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.9, 4.10
- Citrix Receiver for Windows Phone 8 1.2.2
- Citrix Receiver for Windows 8/RT 1.3, 1.4
- Citrix Receiver for Java 10, 10.1
- Citrix Receiver for Linux 12.0, 12.1, 13.3, 13.4, 13.6, 13.8
- Citrix Receiver for Mac 11.7, 11.8, 11.9, 12.0, 12.1, 12.2, 12.6, 12.8
- Citrix Receiver for iOS 5.8, 5.9, 7.0, 7.1, 7.2.2, 7.3, 7.4
- Citrix Receiver for Android 3.4, 3.5. 3.6, 3.7, 3.8, 3.9, 3.11.2, 3.12.1
- Citrix Online plug-in 12.3
- Dell Wyse Xenith Zero client: Xenith C00X with 1.7_122 firmware version
- Dell Wyse Xenith Zero client: Xenith Pro 2 D00DX with 2.0_104 firmware version
* Only features available in Citrix Receiver are supported.
** Citrix Workspace App 1903 and higher does not work with legacy PNAgent based access. Use newer Storefront based access instead.
The following iApp versions were qualified for Citrix compatibility:
iApp 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6
- VMware Horizon View 5.2
- VMware Horizon View 5.3
- VMware Horizon View 6.0
- VMware Horizon View 6.1
- VMware Horizon View 6.1.1
- VMware Horizon View 6.2
- VMware Horizon View 6.2.2
- VMware Horizon View 6.2.3
- VMware Horizon View 6.2.4
- VMware Horizon View 7.0*
- VMware Horizon View 7.02*
- VMware Horizon View 7.03*
- VMware Horizon View 7.1*
- VMware Horizon View 7.2*
- VMware Horizon View 7.3.1* **
- VMware Horizon View 7.4* **
- VMware Horizon View 7.5* **
- VMware Horizon View 7.6* **
- VMware Horizon View 7.7* **
- VMware Horizon View 7.8* **
- VMware Horizon View 7.9* **
- VMware Horizon View 7.10* **
- VMware Horizon View 7.11* **
- VMware Horizon View 7.12* **
- VMware Horizon View 7.13* **
- VMware Horizon View 8 (2006)* **
- VMware Horizon View 8 (2012)* **
- VMware Horizon View 8 (2103)* **
- VMware Horizon View 8 (2106)* **
- VMware Horizon View 8 (2111)* **
- VMware Horizon View 8 (2203)* **
- VMware Horizon View 8 (2206)* **
* APM supports Blast Extreme protocol over TCP and UDP and also supports the Blast Extreme Adaptive Transport (BEAT) for Windows and Linux desktops and applications; APM supports VMware True SSO with Horizon.
** APM supports access to VMware Horizon desktops and applications using VMware Workspace ONE as an IDP.
The following VMware Identity Manager releases were tested:
- VMware Identity Manager 2.8, 2.9, 3.0, 3.1, 3.2, 22.214.171.124
The following clients were tested:
- VMware Horizon View Client for Windows 3.3, 3.4, 3.5.2, 4.0.1, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6.1, 4.7, 4.8, 4.9, 4.10, 5.0, 5.1, 5.2, 5.3, 5.4.3, 8.0 (2006), 8.0 (2012), 8.2.0 (2103), 8.3.0 (2106), 8.4.0 (2111), 8.5.0 (2203), 8.6.0 (2206)
- VMware Horizon View Client for Windows Store 3.2, 3.4
- VMware Horizon View Client for Mac 3.2, 3.4, 3.5.2, 4.0.1, 4.1, 4.2, 4,3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 5.0, 5.1, 5.2, 5.3, 8.0 (2006), 8.0 (2012), 8.2.0 (2103), 8.3.0 (2106), 8.4.0 (2111), 8.5.0 (2203), 8.6.0 (2206)
- VMware Horizon View Client for Android 3.2, 3.4, 4.0.1, 4.1, 4.2, 4,3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 5.0, 5.1, 5.2, 5.3, 8.2.0 (2103), 8.3.0 (2106), 8.4.0 (2111), 8.5.0 (2203), 8.6.0 (2206)
- VMware Horizon View Client for iOS 3.2, 3.4, 4.0.1, 4.1, 4.2, 4,3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 5.0, 5.1, 5.2, 5.3, 8.2.0 (2103), 8.3.0 (2106), 8.4.0 (2111), 8.5.0 (2203), 8.6.0 (2206)
- VMware Horizon View Client for Linux 3.4, 3.5.2, 4.0.1, 4.1, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 5.0, 5.1, 5.1, 5.2, 5.3, 5.4.1, 8.0 (2006), 8.0 (2012), 8.2.0 (2103), 8.3.0 (2106), 8.4.0 (2111), 8.5.0 (2203), 8.6.0 (2206)
- Dell Wyse P25 Zero Client starting from firmware v 4.1.0
- VMware Horizon View HTML5 Client*
* Support for VMware Horizon View 7.4 HTML5 Client requires BIGIP-126.96.36.199-0.0.3 or newer.
The following iApp versions were qualified for VMware View compatibility:
iApp 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9
Remote Desktop Gateway Compatibility Matrix
The following server products were qualified for compatibility with F5 BIG-IP APM Secure Remote Desktop Gateway:
- Microsoft Windows Server 2016
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2012
- Microsoft Windows Server 2008 R2 SP1*
- Microsoft Windows 10
- Microsoft Windows Server 2019
- Microsoft Windows Server 2022
* Please install Microsoft Windows KB2592687.
The following clients were tested:
- Microsoft Remote Desktop for Mac v 8.0.7, 10.2.0, 10.7.2
- Microsoft Remote Desktop for Android v 8.0.6, 8.0.11, 8.1.3, 10.0.3
- Microsoft Remote Desktop for iOS v 8.0.7, 8.1.4, 10.3.6
- Microsoft Remote Desktop for Windows v 6.2, 6.3, 10.0.10240, 10.0.10586, 10.0.14393, 10.0.16299, 11.0
Contacting F5 Networks
For additional information, please visit http://www.f5.com.
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support website: http://www.f5.com/support/
- The AskF5 web site: http://support.f5.com/kb/en-us.html
- The F5 DevCentral web site: http://devcentral.f5.com/
- AskF5 TechNews
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
- Weekly HTML TechNews
- The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
- Periodic plain text TechNews
- F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to email@example.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to firstname.lastname@example.org.