Manual Chapter : Configuring Access Policy Manager for F5 Access

Applies To:


BIG-IP APM

  • 15.0.0, 14.1.0, 14.0.0, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.3, 11.6.3, 11.5.7

What does F5 Access do for macOS devices?

F5 Access for macOS provides full network access through BIG-IP® Access Policy Manager®. With network access, users can run applications such as RDP, SSH, Citrix, VMware View, and other enterprise applications on their macOS devices.

F5 Access features include:
  • User name and password, and client certificate support
  • Support for DNS address space for split-tunneling configurations
  • Landing URI support
  • Logging support to report issues
  • Client certificate support for DTLS tunnels and SSL tunnels
  • Per-app VPN support
  • Password caching support

About supported authentication types

F5 Access for macOS provides these authentication types:

Authentication type: Client certificate
Connection types:
  • User-initiated connections, in native mode or Web Logon mode
  • Device-wide VPN On-Demand, in native mode or Web Logon mode
  • Per-App VPN connections, in native mode only

Per-App VPN does not support Web Logon mode.

Authentication type: Client certificate + username and password
Connection types:

Runtime prompts (login dialogs, and other user input prompts) are allowed for:

  • User-initiated connections, in native mode or Web Logon mode
  • Device-wide VPN On-Demand connections, in native mode or Web Logon mode
  • Per-App VPN connections, in native mode only

Per-App VPN does not support Web Logon mode.

Authentication type: Username and password
Connection types:

Runtime prompts (login dialogs, and other user input prompts) are allowed for:

  • User-initiated connections, in native mode or Web Logon mode
  • Device-wide VPN On-Demand connections, in native mode or Web Logon mode
  • Per-App VPN connections, in native mode only

Per-App VPN does not support Web Logon mode.

About establishing VPN connections

The F5 Access application (app) for macOS devices provides users with two options to establish a VPN tunnel connection. A user can start a tunnel connection explicitly with the F5 Access application, or implicitly through the VPN On-Demand functionality.

For example, a connection can be configured to automatically trigger whenever a certain domain or host name pattern is matched.

About pre-logon checks supported for macOS devices

For macOS devices, Access Policy Manager® can use only the following preconfigured pre-logon checks:
  • Client Type - result is F5 Access
  • Client OS - result is MacOS

Other session variables can be checked using custom expressions. See the list of session variables for macOS for more information.

Setting up network access

You can force traffic through a tunnel on F5 Access.
Note: Even when you disable Allow local subnet access and enable Force all traffic through tunnel, the client still permits local subnet traffic to travel outside of the tunnel. This is a limitation of macOS and not of F5 Access.
  1. On the Main tab, click Access Policy > Network Access > Network Access List.
    The Network Access List screen opens.
  2. Click the name to select a network access resource on the Resource List.
    The Network Access editing screen opens.
  3. To configure the network settings for the network access resource, click Network Settings on the menu bar.
  4. To optionally force all traffic through the tunnel, next to Traffic Options, enable Force all traffic through tunnel.

    If you enable Use split tunneling for traffic, you must also specify either a DNS suffix or DNS Address Space pattern to use the VPN DNS servers. If the "DNS Suffix" and "DNS Address Space" fields are both left blank, then F5 Access does not use the VPN DNS servers and sends all DNS traffic to public DNS servers.

  5. To allow local subnet traffic to bypass the tunnel, select the Enable check box for Allow Local Subnet.
  6. Click Update.

Configuring the connectivity profile for macOS

You can configure password caching and enforce native or web logon mode by configuring the connectivity profile.
  1. On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.
    The Connectivity Profiles screen opens.
  2. Click the name of the Connectivity profile that you use with F5 Access for macOS, and click Edit Profile.
  3. Click the F5 Access for macOS item to configure F5 Access for macOS settings.
  4. To allow password caching on the macOS client, click Allow Password Caching. From the Save Password Method list, select disk or memory.
    If you select disk, an encrypted password is saved on disk with no expiration time. If you select memory, an encrypted password is cached on the device for the time specified in the Password Cache Expiration (minutes) field. The default value is 240 minutes (4 hours).
  5. To enforce the logon mode, click Enforce Logon Mode. Select native or web for the logon mode.
    If Enforce Logon Mode is enabled in the Connectivity Profile, the user cannot change the Web Logon option.
  6. Click OK.
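
The checks below are an added example, not F5 code: a short Python lint for the network access and connectivity profile settings described in the two procedures above. The dictionary keys are hypothetical names modeled on the GUI labels (not tmsh or iControl REST properties), and max_cache_minutes is a local policy assumption set to the 240-minute default.

```python
# Added example. Keys are hypothetical, modeled on the GUI labels in this
# chapter; they are not tmsh or iControl REST property names.

def audit_network_access(res):
    """Return (code, message) findings for one network access resource."""
    findings = []
    if res.get("traffic_option") == "split":
        # Split tunneling needs a DNS suffix or DNS address space pattern,
        # otherwise F5 Access does not use the VPN DNS servers.
        if not (res.get("dns_suffix") or "").strip() and not res.get("dns_address_space"):
            findings.append(("DNS-PUBLIC",
                             "split tunneling with no DNS Suffix or DNS Address Space: "
                             "all DNS traffic goes to public DNS servers"))
    elif res.get("traffic_option") == "force_all":
        if res.get("allow_local_subnet"):
            findings.append(("LOCAL-BYPASS",
                             "Allow Local Subnet is enabled: local subnet traffic bypasses the tunnel"))
        else:
            findings.append(("LOCAL-MACOS",
                             "macOS still permits local subnet traffic outside the tunnel"))
    return findings


def audit_connectivity_profile(prof, max_cache_minutes=240):
    """max_cache_minutes is a local policy choice; 240 is the page's default."""
    findings = []
    if prof.get("allow_password_caching"):
        method = prof.get("save_password_method")
        if method == "disk":
            findings.append(("CACHE-DISK", "password saved on disk with no expiration time"))
        elif method == "memory":
            minutes = prof.get("password_cache_expiration_minutes", 240)
            if minutes > max_cache_minutes:
                findings.append(("CACHE-LONG", f"password cached in memory for {minutes} minutes"))
    if not prof.get("enforce_logon_mode"):
        findings.append(("LOGON-OPEN", "Enforce Logon Mode is off: Web Logon option is not locked"))
    elif prof.get("logon_mode") == "web" and prof.get("per_app_vpn"):
        findings.append(("PERAPP-WEB", "Per-App VPN does not support Web Logon mode"))
    return findings


# Constructed sample settings (not taken from a real BIG-IP).
SAMPLE_RESOURCE = {"traffic_option": "split", "dns_suffix": "", "dns_address_space": []}
SAMPLE_PROFILE = {"allow_password_caching": True, "save_password_method": "disk",
                  "enforce_logon_mode": True, "logon_mode": "web", "per_app_vpn": True}

if __name__ == "__main__":
    for code, msg in audit_network_access(SAMPLE_RESOURCE) + audit_connectivity_profile(SAMPLE_PROFILE):
        print(f"{code}: {msg}")
```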

Prerequisites for configuring F5 Access

Before configuring F5 Access for macOS devices, you must complete the following requirements:

  • Set up BIG-IP® Access Policy Manager®.
  • Run the Network Access Setup Wizard.
Additional information about network access and connectivity profiles can be found in the BIG-IP® Access Policy Manager®: Network Access Configuration guide.

Access Policy Manager configuration for F5 Access for macOS devices

To configure F5 Access for macOS device support on BIG-IP® Access Policy Manager®, use the following configuration steps:

  • Run the Network Access Setup Wizard.
  • Optionally, set up SSO and ACLs for your network access. Refer to the BIG-IP® Access Policy Manager® Configuration Guide on the AskF5™ Knowledge Base for instructions.
  • Customize an access policy to support F5 Access.

Running the Network Access Setup wizard

Configure Access Policy Manager® to provide users with full network access from their devices using the Network Access Setup wizard for remote access.
  1. On the Main tab, click Wizards > Device Wizards.
    The Device Wizards screen opens.
  2. For Access Policy Manager Configuration, select Network Access Setup Wizard for Remote Access, and then click Next.
  3. Click Finished.
You now have a network access resource that supports F5 Access for mobile devices.