Manual Chapter : Configuring Per-App VPN with APM and F5 Access

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.0.0, 14.1.0, 14.0.0, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.3, 11.5.7
Manual Chapter

Configuring Per-App VPN with APM and F5 Access

What is per-app VPN?

Apple's Network Extension framework supports layer-3 tunneling for both device-wide and Per-App VPN tunnels. This means that TCP and UDP protocols are supported for apps configured for Per-App VPN on F5 Access for iOS 3.x. Apps that are managed by a Mobile Device Manager (MDM) can be configured to automatically connect to a VPN when they are started. In addition, Mobile Safari can be managed for per-app VPN with a configuration profile and without an MDM. Per-app VPN gives IT granular control over corporate network access, and ensures that data transmitted by managed apps travels only through a VPN. Meanwhile, other data, like an employee's personal web browsing activity, does not use the VPN. Per-app VPN also works with Safari on a per-URL basis.

A per-app VPN configuration requires three configuration components.

  • A device under MDM management, or a configuration profile file installed manually. For more information, see Configuration Profile Reference.
  • A managed app installed on the device, or Mobile Safari.
  • F5 Access for iOS installed on the managed device.
Important: The managed app and the MDM profile must be deployed with an MDM solution, except in the case of Mobile Safari. The F5 Access configurations may or may not be deployed with an MDM solution. Any app other than Mobile Safari must be installed by the MDM solution, and associated with a VPN configuration.

About deploying MDM apps over VPNs

The per-app VPN framework allows the administrator to limit VPN access to explicit apps only. Specifically, it allows applications to use one F5 Access configuration (or VPN connection).

In practice, some applications may be associated with one F5 Access configuration, and other applications may be associated with other F5 Access configurations.

Important: Once an app is associated with an F5 Access configuration by the MDM, it will use that VPN only.

In this example, App 1 or App 2 can be active at the same time, because they use different VPN configurations.

Apps associated with different VPN configurations

Note: On iOS, you can only activate only one device-wide (user-initiated) VPN configuration at a time. However, multiple per-app VPNs can be active and connected simultaneously, on their own or in addition to the device VPN.

Creating an access profile

You create an access profile to provide the secured connection between the per-app VPN and the virtual server.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
  4. From the Profile Type list, select SSL-VPN.
  5. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
The access profile appears in the Access Profiles List.

Adding a version check to the access policy

A version check allows you to distinguish between F5 Access for iOS 3.0.x and earlier versions. You can use this information to assign the required full network access resource to the 3.0.x branch, for example, in a Per-App VPN scenario.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) sign anywhere in the access policy to add a new action item.
    An Add Item screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Click Add Item.
    The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen displays.
  5. Click the Endpoint Security (Server-Side) tab.
  6. Select the Client Type item, and click Add Item.
  7. Click Save.
  8. On the Edge Client branch, click the (+) sign to add a new action item.
  9. Click the Endpoint Security (Server-Side) tab.
  10. Select the Client OS item, and click Add Item.
  11. Click Save.
  12. On the iOS branch, click the (+) sign to add a new action item.
  13. Click the General Purpose tab.
  14. Select the Empty item, and click Add Item.
  15. On the Properties screen in the Name field, type iOS Version.
  16. Click the Branch Rules tab.
  17. Click Add Branch Rule.
  18. In the Name field, type Version 3.
  19. Click the change link in the Expression area.
    A popup screen opens.
  20. Click the Advanced tab.
    Use this tab to enter Tcl expressions.
    A text input field displays.
  21. In the text field, type expr { [mcget {session.client.app_version}] >= "3.0"}, and click Finished.
  22. Click Save.
  23. Add a Network Access resource to the Version 3 branch. On the Version 3 branch, click the (+) sign to add a new action item.
  24. Click the Assignment tab.
  25. Select the Advanced Resource Assign item, and click Add Item.
  26. Under Resource Assignment, click Add new entry.
  27. Under Expression, click Add/Delete.
  28. Click the Network Access tab, and select a Network Access resource to assign.
  29. Click the Webtop tab, and select a webtop to assign.
  30. Click Update.
  31. Click Save.
  32. On the fallback branch following the Advanced Resource Assign item, click the Deny ending.
  33. Change the Deny ending to Allow, and click Save.
  34. If you support F5 Access version 2.x clients, on the fallback branch, click the Deny ending.
  35. Change the Deny ending to Allow, and click Save.
  36. Click Apply Access Policy to save your configuration.
The access profile appears in the Access Profiles List.
Configure the virtual server to include this access policy, and make sure the Client SSL profile is enabled on the server.

Adding a client certificate check to the access policy

A client certificate check allows you to authenticate the device to the access policy, without requiring any user interaction that would cause the creation of the per-app VPN tunnel to fail.
  1. On the Main tab, click Access > Profiles / Policies .
  2. In the Access Policy column, click the Edit link for the access profile you want to configure to launch the visual policy editor.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) sign anywhere in the access policy to add a new action item.
    An Add Item screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Click Add Item.
    The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen displays.
  5. Click the Authentication tab.
  6. Select the Client Cert Inspection item, and click Add Item.
  7. The properties screen opens. Click Save.
  8. On the Successful branch following the Client Cert Inspection item, click the Deny ending.
  9. Change the Deny ending to Allow, and click Save.
  10. Click Apply Access Policy to save your configuration.
The access profile appears in the Access Profiles List.
Configure the virtual server to include this access policy, and make sure the Client SSL profile is enabled on the server.

About setting up Access Policy Manager for per-app VPN

You configure specific settings in the Access Policy Manager® to provide per-app VPN tunnels. Per-app VPN tunnels are full network access tunnels, and require Network Access resources in the Access Policy. Configure these items on the Access Policy Manager.

  • The virtual server must be configured with an access profile.
  • The virtual server should be configured with a basic configuration for the network access resource.
  • You must specify the Client SSL profile on the virtual server. You must also include the same CA bundle on the server that is used to generate the certificate for the client devices.
Note: Access policies for F5 Access Legacy 2.1.x have different requirements. If you are planning to have both clients connect to the same virtual server, refer to your F5 Acccess 2.1.0 documentation for more information.

Configuring a virtual server for per-app VPN

You must have Access Policy Manager® licensed and provisioned.

A virtual server profile enables support for the network access used by per-app VPN tunnels.

  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created, and using the Move button, move the name to the Selected list.
  4. In the Access Policy area, from the Access Profile list, select the access profile.
  5. From the Connectivity Profile list, select the connectivity profile.
  6. Click Update to save the changes.
The virtual server is configured for per-app VPN.