Applies To:
BIG-IP APM
- 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.5, 12.1.3, 11.6.3, 11.5.7
Updated Date: 12/18/2018
- Overview: VPN support for Windows 10 and Windows 10 Mobile
- Overview: About VPN deployment using Airwatch
- Overview: BIG-IP APM Configuration Notes
- Contacting F5 Networks
- Legal notices
Version | Version 1.2.x-1.3.x |
---|---|
Publication Number | PUB-0292-00 |
Publication Date | June 14, 2016 |
Overview: VPN support for Windows 10 and Windows 10 Mobile
F5 Access is supported on Microsoft Windows 10 and Windows 10 Mobile clients. It supports F5 VPN connections with BIG-IP Access Policy Manager (APM).
After you configure a VPN profile on your device for F5 Access, select it from Network Connections.
Configuring a new VPN profile
You must first download the F5 Access application from the Microsoft Windows 10 Store before you can create a new VPN profile.
Connecting to an existing VPN profile
Terminating an existing VPN connection
F5 Access profile parameters
This table specifies parameters that are specific to F5 Access; the client supports these parameters in addition to other parameters that are available for VPN profiles. When you configure a VPN profile from PC Settings on your client, it takes the default values displayed in the table. These parameters are available for configuring a VPN profile using an MDM solution or PowerShell commands.
Parameter | Type | Default value | Description |
---|---|---|---|
port | number | 443 | Port to connect to VPN server (Access Policy Manager). |
landing-uri | text | | Landing URI to use for authentication (APM). |
ssl-encryption | boolean | true | If set to false, SSL encryption is not used. |
authenticate-retries | number | 3 | Maximum number of attempts to prompt for credentials when authentication fails. |
log-level | default, minimum, info, debug | default | Specifies maximum level for log entries. |
client-certificate | string | | Specifies issuer of client certificate being used for authentication. |
optimize-for-low-cost-network | boolean | false | If set to true, client tries to reconnect to cheapest available network connection. |
single-sign-on-credential | boolean | true | If set to true, client tries to use VPN credentials to connect to Windows File Shares. |
prompt-for-credentials | boolean | true | If set to false, user is not asked for credentials and server receives empty username and password fields. Can be used in certificate-only authentication. |
tls1.2 | boolean | true | Use TLS1.2 protocol for TLS/SSL communication. |
Examples: VPN profile configuration
These examples show how to specify F5 parameters for a VPN profile using PowerShell commands and the CustomConfiguration property.
Creating a client certificate for second-factor authentication
This example shows how to create a VPN profile that uses a certificate issued by Site Request, Inc. for second-factor authentication. The certificate must already be installed on the client device. F5 Access can read the certificate from certificate storage on the device or from a smart card inserted into the device.
    $xml = "<f5-vpn-conf><client-certificate><issuer>Site Request Inc</issuer></client-certificate></f5-vpn-conf>"
    $sourceXml = New-Object System.Xml.XmlDocument
    $sourceXml.LoadXml($xml)
    Add-VpnConnection -Name F5_vpn_cert -ServerAddress apm_server_fqdn -SplitTunneling $True -PluginApplicationID F5Networks.vpn.client_btcnfmkykcjs2 -CustomConfiguration $sourceXml
Using a nonstandard port
This example shows how to create a VPN profile using port 444 to connect to the BIG-IP system.
    $xml = "<f5-vpn-conf><port>444</port></f5-vpn-conf>"
    $sourceXml = New-Object System.Xml.XmlDocument
    $sourceXml.LoadXml($xml)
    Add-VpnConnection -Name F5_vpn_port_444 -ServerAddress apm_server_fqdn -SplitTunneling $True -PluginApplicationID F5Networks.vpn.client_btcnfmkykcjs2 -CustomConfiguration $sourceXml
Using the landing URI
This example shows how to create a VPN profile using the landing URI to connect to the BIG-IP system.
    $xml = "<f5-vpn-conf><landing-uri>test</landing-uri></f5-vpn-conf>"
    $sourceXml = New-Object System.Xml.XmlDocument
    $sourceXml.LoadXml($xml)
    Add-VpnConnection -Name F5_vpn_landing_uri -ServerAddress apm_server_fqdn -SplitTunneling $True -PluginApplicationID F5Networks.vpn.client_btcnfmkykcjs2 -CustomConfiguration $sourceXml
Configuring multiple servers for VPN connection
This example shows how you can configure multiple servers for VPN connection. F5 Access attempts to reach each server in the list until it successfully authenticates the user.
    $VPNConnectionName = "Global VPN"
    $PluginApplicationID = "F5Networks.vpn.client_btcnfmkykcjs2"

    # Build the list of servers that F5 Access tries in order
    $VPNServerList = @()
    $VPNServerList += New-VpnServerAddress my1.server.fqdn -FriendlyName Africa
    $VPNServerList += New-VpnServerAddress my2.server.fqdn -FriendlyName Europe
    $VPNServerList += New-VpnServerAddress my3.server.fqdn -FriendlyName Asia
    $VPNServerList += New-VpnServerAddress my4.server.fqdn -FriendlyName "North America"
    $VPNServerList += New-VpnServerAddress my5.server.fqdn -FriendlyName "South America"
    $VPNServerList += New-VpnServerAddress my6.server.fqdn -FriendlyName Antarctica
    $VPNServerList += New-VpnServerAddress my7.server.fqdn -FriendlyName Australia

    $xml = "<f5-vpn-conf><log-level>debug</log-level></f5-vpn-conf>"

    # Validate XML configuration (stop on a parse error)
    $ErrorActionPreference = "Stop"
    $sourceXml = New-Object System.Xml.XmlDocument
    $sourceXml.LoadXml($xml)

    # Remove existing entry
    $VPNConnections = Get-VpnConnection
    foreach ($i in $VPNConnections) {
        if ($i.Name -eq $VPNConnectionName) {
            Write-Host "Remove VPN connection:" $VPNConnectionName
            Remove-VpnConnection -Name $VPNConnectionName
        }
    }

    # Add new entry
    Write-Host "Configure VPN connection:" $VPNConnectionName "with default server:" $VPNServerList[0].ServerAddress "VPNP ID:" $PluginApplicationID
    Add-VpnConnection -Name $VPNConnectionName -ServerAddress $VPNServerList[0].ServerAddress -SplitTunneling $True -PluginApplicationID $PluginApplicationID -CustomConfiguration $sourceXml -ServerList $VPNServerList
Commands and parameters: VPN profile configuration
The Add-VpnConnection PowerShell command supports a CustomConfiguration property that you can use to specify F5 parameters for a VPN profile. The input for the command is in XML format; the schema is available in the XML Schema: F5 configuration parameters section of this document. For help customizing a VPN profile, refer to the Examples: VPN profile configuration section.
Useful PowerShell commands
Command | Description |
---|---|
Add-VpnConnection | Add a VPN profile. |
Get-VpnConnection | View configured VPN profiles. |
Remove-VpnConnection | Delete a VPN profile. |
PowerShell command syntax
Use the Get-Help command in PowerShell to view command syntax. For example, type Get-Help Add-VpnConnection.
Auto-triggered VPN connections
When you select an app or resource that needs access through F5 Access, such as a company intranet site, Windows 10 can automatically prompt you to sign in with one click. For command syntax, open PowerShell and type Get-Help for this command:
- Add-VpnConnectionTriggerApplication
Triggering a connection (SR_SanJose) with the application notepad.exe
    Add-VpnConnectionTriggerApplication -ConnectionName SR_SanJose -ApplicationID "C:\Windows\System32\notepad.exe"
XML Schema: F5 configuration parameters
This is the schema for the CustomConfiguration property of the VPN profile.
    <?xml version="1.0" encoding="utf-8"?>
    <xs:schema id="XMLSchema"
               targetNamespace="http://siterequest.com/XMLSchema.xsd"
               elementFormDefault="qualified"
               xmlns="http://tempuri.orgsiterequest.com/XMLSchema.xsd"
               xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <xs:simpleType name="log-levelType">
        <xs:restriction base="xs:string">
          <xs:enumeration value="default"/>
          <xs:enumeration value="minimum"/>
          <xs:enumeration value="info"/>
          <xs:enumeration value="debug"/>
        </xs:restriction>
      </xs:simpleType>
      <xs:element name="f5-vpn-conf">
        <xs:complexType>
          <xs:all minOccurs="0">
            <xs:element name="port" type="xs:unsignedShort" default="443"/>
            <xs:element name="landing-uri" type="xs:anyURI"/>
            <xs:element name="ssl-encryption" type="xs:boolean" default="true"/>
            <xs:element name="tls1.2" type="xs:boolean" default="true"/>
            <xs:element name="authenticate-retries" type="xs:unsignedByte" default="3"/>
            <xs:element name="log-level" type="log-levelType" default="default"/>
            <xs:element name="optimize-for-low-cost-network" type="xs:boolean" default="false"/>
            <xs:element name="single-sign-on-credential" type="xs:boolean" default="true"/>
            <xs:element name="client-certificate">
              <xs:complexType>
                <xs:all minOccurs="0" maxOccurs="1">
                  <xs:element name="issuer" type="xs:string" minOccurs="1"/>
                </xs:all>
              </xs:complexType>
            </xs:element>
          </xs:all>
        </xs:complexType>
      </xs:element>
    </xs:schema>
Configuration example | Example XML syntax |
---|---|
Multifactor authentication with client certificate | <f5-vpn-conf><client-certificate><issuer>Snake Oil</issuer></client-certificate></f5-vpn-conf> |
Client certificate authentication only | <f5-vpn-conf><prompt-for-credentials>false</prompt-for-credentials><client-certificate><issuer>Snake Oil Ltd</issuer></client-certificate></f5-vpn-conf> |
Connecting to an APM server over port 80, no SSL encryption, for debugging purposes only | <f5-vpn-conf><port>80</port><ssl-encryption>false</ssl-encryption></f5-vpn-conf> |
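A pre-deployment check for the CustomConfiguration XML, as an added example that is not F5 or Microsoft code: it flags malformed XML, elements outside the parameter table, and the settings this page describes as disabling encryption or as debugging-only. The function name Test-F5VpnConf and the sample strings are assumptions made for illustration.

```powershell
# Added example, not F5 or Microsoft code. Test-F5VpnConf is a hypothetical helper name.
function Test-F5VpnConf {
    param([Parameter(Mandatory)][string]$Xml)

    # Element names from the parameter table on this page.
    $known = 'port', 'landing-uri', 'ssl-encryption', 'authenticate-retries', 'log-level',
             'client-certificate', 'optimize-for-low-cost-network',
             'single-sign-on-credential', 'prompt-for-credentials', 'tls1.2'
    $off = 'false', '0'   # both are valid xs:boolean spellings of false

    $doc = New-Object System.Xml.XmlDocument
    try { $doc.LoadXml($Xml) }
    catch { return "malformed XML: $($_.Exception.Message)" }

    $root = $doc.DocumentElement
    if ($root.LocalName -ne 'f5-vpn-conf') { return "unexpected root element: $($root.LocalName)" }

    # Collect child elements; xs:all in the schema allows each one at most once.
    $set = @{}
    foreach ($el in $root.ChildNodes) {
        if ($el.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }
        if ($known -notcontains $el.LocalName) { "unknown element: $($el.LocalName)"; continue }
        if ($set.ContainsKey($el.LocalName)) { "duplicate element: $($el.LocalName)" }
        $set[$el.LocalName] = $el.InnerText.Trim()
    }

    if ($off -contains $set['ssl-encryption']) { 'ssl-encryption is off: SSL encryption is not used' }
    if ($off -contains $set['tls1.2']) { 'tls1.2 is off: TLS 1.2 is not requested' }
    if ($set['port'] -eq '80') { 'port 80: listed on this page for debugging purposes only' }
    if ($set['log-level'] -eq 'debug') { 'log-level is debug' }
    # With prompting off the server receives empty credentials, so a certificate issuer
    # must be configured (InnerText of <client-certificate> is its <issuer> text).
    if (($off -contains $set['prompt-for-credentials']) -and -not $set['client-certificate']) {
        'prompt-for-credentials is off but no client-certificate issuer is set'
    }
}

# Constructed sample inputs, modelled on the example table on this page.
$samples = [ordered]@{
    'debug, no SSL' = '<f5-vpn-conf><port>80</port><ssl-encryption>false</ssl-encryption></f5-vpn-conf>'
    'cert only'     = '<f5-vpn-conf><prompt-for-credentials>false</prompt-for-credentials></f5-vpn-conf>'
    'unclosed port' = '<f5-vpn-conf><port>80<ssl-encryption>false</ssl-encryption></f5-vpn-conf>'
}
foreach ($name in $samples.Keys) {
    $findings = @(Test-F5VpnConf -Xml $samples[$name])
    Write-Host "$name : $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Host "  - $_" }
}
```

An empty result means none of these checks fired; run the check on the XML string before passing it to Add-VpnConnection so that a debugging profile is not pushed to production devices unnoticed.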
Overview: About VPN deployment using Airwatch
You can deploy an F5 VPN profile for Windows 10 Mobile using the Airwatch MDM provider. This option provides more options than the standard VPN deployment, such as monitoring the client certificate usage and setting the landing URL.
This example displays a username and password authentication access policy.

Overview: BIG-IP APM Configuration Notes
On Access Policy Manager (APM), you need to configure an access policy for F5 Access.
Additionally, you need a standard network access configuration. For more information, refer to BIG-IP Access Policy Manager Network Access Configuration on the AskF5 website at http://support.f5.com.
Authentication support
Your access policy can collect this type of information for authentication purposes:
- User name and password
- Client certificate as second-factor authentication
Client certificate configuration requirements
In the access policy, you can use the Client Cert access policy item or the On-Demand Cert Auth access policy item.
In the client SSL profile for the virtual server, select request for the Client Certificate property.
Access policy example
An access policy to support F5 Access might include a Client Type item, a Client OS item, appropriate authentication items, and some resource assignment access policy items.
F5 Access for Windows 10 access policy example
To configure F5 Access for Windows 10 to be detected, use the F5 Access branch of the Client Type access policy item. F5 Access is detected as "F5 Access" on this branch. The Client Type for F5 Access differs from F5 Inbox VPN Client for Windows 8.1 (detected as "Windows Inbox F5 VPN Client") and BIG-IP Edge Client for Windows Phone 8.1 (detected as "Edge Client").
To detect F5 Access for Windows 10 with the Client OS access policy item, you must modify the Client OS branch rule for Windows as follows.
Click the Client OS item, click the Branch Rules tab, and click change at the bottom of the Windows branch rule.
Click the Advanced tab, and add the following to the Windows expression.
|| [mcget {session.client.platform}] == "Windows"}
Click Finished, then Save, and change the ending to Allow on the Windows branch. The access policy appears as follows.
Related documentation
For additional information, refer to the AskF5 web site (http://support.f5.com) for documentation specific to the version of Access Policy Manager that you are using.
Document | Description |
---|---|
Release Note for BIG-IP APM | New features and known issues. |
BIG-IP Access Policy Manager Network Access Configuration | How to configure network access. |
Configuration Guide for BIG-IP Access Policy Manager | Access profiles, access policies, visual policy editor. |
Contacting F5 Networks
Phone: | (206) 272-6888 |
Fax: | (206) 272-6802 |
Web: | http://support.f5.com |
Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: http://support.f5.com/kb/en-us.html
- The F5 DevCentral web site: http://devcentral.f5.com/
- AskF5 TechNews
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 TechNews
- Weekly HTML TechNews
- The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
- Periodic plain text TechNews
- F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.