Applies To:
BIG-IP APM
- 11.2.1
Summary:
This release note documents the version 11.2.1 release of BIG-IP Access Policy Manager.
Contents:
- Supported hardware
- Configuration utility browser support
- APM client browser support
- User documentation for this release
- Evaluation support
- New in 11.2.1
- New in 11.2.0
- New in 11.1.0
- New in 11.0.0
- Supported high availability configuration for Access Policy Manager
- Installation overview
- Upgrading from earlier versions
- Upgrading from earlier versions of APM
- Fixes in 11.2.1
- Fixes in 11.2.0
- Fixes in 11.1.0
- Fixes in 11.0.0
- Behavior changes in 11.2.0
- Usability
- Known issues
- Contacting F5 Networks
- Legal notices
Supported hardware
You can apply the software upgrade to systems running software versions 10.1.0 (or later) or 11.x. For a list of supported platforms, see SOL9412: The BIG-IP release matrix. For information about which platforms support which module combinations, see SOL10288: BIG-IP software and platform support matrix.
Configuration utility browser support
The BIG-IP Configuration Utility supports these browsers and versions:
- Microsoft Internet Explorer 8.x and 9.x
- Mozilla Firefox 15.0.x
- Google Chrome 21.x
APM client browser support
For a list of browser versions that the Access Policy Manager client supports, refer to the BIG-IP APM Client Compatibility Matrix.
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 11.2.1 Documentation page.
Evaluation support
If you have an evaluation license for BIG-IP APM VE, note that it does not include support for Oracle Access Manager.
New in 11.2.0
Secure access features
- Java applet patching
With Java Applet Patching enabled, BIG-IP APM can patch server-side Java applets in real-time. The clients that run the patched Java applet connect back through the BIG-IP system using SSL in an authenticated APM session. Patched Java applet code is stored in RAM cache, eliminating the need to rewrite every time.
Note: If the applet contains encrypted JAR files, the BIG-IP system cannot rewrite the applet.
- Java RDP support for Linux, Mac, and Windows
A Java RDP client now supports Mac, Linux and Windows clients, providing a cross-platform method to access remote desktops using the RDP protocol over a non-L3 tunnel.
- Google Chrome browser support
BIG-IP APM supports the Google Chrome browser. For the latest supported browser versions, refer to the BIG-IP APM Client Compatibility Matrix.
- Custom parameter fields for terminals
You can now set custom parameters for remote desktops. These parameters affect the rendering of certain features for both the Citrix and RDP terminal resource types.
- Pool assignment agent
In the Visual Policy Editor, you can configure a new agent, Pool Assign, which assigns an LTM pool to a session dynamically.
- High availability for Active Directory
Support for high availability for Active Directory authentication has been added; this includes the ability to define an Active Directory pool.
- Session ID Rotation
To improve security, part of the session ID is rotated on each response while an access policy is executing.
Manageability and optimization features
- Improved OPSWAT package management
To scan for antivirus products on the end client, F5 uses a library from OPSWAT. The library provides the administrator with a consistent API to use against various antivirus products. When an antivirus vendor updates their code base and, in response, OPSWAT updates the library, F5 verifies the library and posts a hotfix. This improvement enables you to apply the hotfix to multiple BIG-IP systems more quickly, by uploading the file to a single BIG-IP system manually and then syncing the file to all devices in a device group.
- Form-based SSO improvements
With BIG-IP APM 11.2, in addition to collecting, caching, and proxying user credentials to multiple backend systems using Kerberos, NTLM, and form-based SSO, there is a second method of achieving form-based SSO. This new form-based client-initiated SSO method works by detecting logon request pages from the client application and then parsing the server response for a logon form. Then APM inserts JavaScript that sets the form’s logon name and password placeholder (or token) to match the user’s and perform auto submit. When the client submits this form, APM replaces the password token with the user’s actual credentials and then submits this to the backend application. If the server returns any errors, the form-based client-initiated SSO mechanism disables SSO for that application to preserve connectivity to that application for other users.
- Mesh Data Deduplication
A new version of Symmetric Data Deduplication, SDD v3, is optimized for performance in hub and spoke or mesh deployments involving multiple sites.
Usability enhancements
- Captive Portal Detection in Edge Client
BIG-IP Edge Client now automatically detects whether the user is behind a captive portal, such as those at hotels and airports, and waits until the user completes sign in to the portal.
- Citrix XenApp server non-default ports
APM now supports Citrix XenApp server configured with ICA/CGP services on ports other than the default ports (1494 for ICA and 2598 for CGP).
New in 11.1.0
Access Policy Manager Clustering
This release adds support for running Access Policy Manager on a chassis platform and in a virtualized Clustered Multi-Processing (vCMP) environment. Access Policy Manager features work the same way whether clustered or not, with the following caveat: upon tunnel reconnect due to a blade going down on a chassis platform, flows inside the tunnel are not preserved; users need to reconnect their applications after an underlying tunnel goes down.
XenApp/XenDesktop Support Enhancements
- Eliminating the need for XenApp Services Sites
- Simplifying configuration and number of boxes required
Other enhancements:
- Provides enhanced support on challenge events in 2-factor authentication when using a Citrix Receiver. Specifically, Access Policy Manager can gracefully handle requests for RSA new PIN codes and AD password expiration.
- Enables the Webtop to display folders of published apps, mapping what has been shown on the XenApp server.
- Provides session reliability support for ICA connections: In case of a network problem between the Citrix client and the XenApp server, the application on XenApp Server continues to run and XenApp server buffers the ICA traffic until the client reconnects. The user’s session does not go into a disconnected state as long as the XenApp Server is buffering data for the user. After the connection is restored, XenApp Server flushes the buffered ICA data to the client and the session continues. Access Policy Manager sits between the Citrix client and the XenApp server and interprets and proxies these ICA communications. This feature improves user experience.
- Supports multi-Stream ICA: BIG-IP Access Policy Manager is first on the market with support for multi-stream ICA. This feature allows for true network-based Quality of Service (QoS) to the ICA/HDX protocol in XenDesktop 5.5 and XenApp 6.5. It is a mechanism to prioritize network traffic, helping to ensure that the most important data gets through the network as quickly as possible.
Windows Credential Manager Integration
This feature integrates with the Windows Credential Manager such that when a user hits ctrl-alt-del, the actual Windows boot process is halted so that the Edge Client can establish a network access tunnel before resuming it. This allows admins to configure new Windows machines to force a password expiration the very first time a laptop/workstation is used regardless of whether it is on a local net or remote.
Linux standalone client
This client can be downloaded from Access Policy Manager and installed on Linux endpoints. This is a command-line client (unlike the Windows or Mac edge clients) but supports endpoint inspection and auto-updates. It provides a simple CLI interface with commands such as Connect, Disconnect, Auto-connect.
New Packaging
Edge Gateway VEs
- F5-BIG-EGW-VE-200M targets the small enterprise; includes support for 100 concurrent users in the base package; supports 500 maximum concurrent users; limits aggregate throughput to 200Mbps
- F5-BIG-EGW-VE-1G targets the medium enterprise; includes support for 300 concurrent users in the base package; supports 2500 maximum concurrent users; limits throughput to 1Gbps
- F5-BIG-EGW-VE-LAB
APM 1600 standalone: Unlike other Access Policy Manager modules, this platform can be used without Local Traffic Manager. It includes support for 500 concurrent users in the base package.
APM on VIPRIONs: Support for APM on VIPRION is provided as an add-on SKU to the VIPRION chassis. There is one add-APM SKU for each chassis model. The format will be similar to appliance add-APM SKUs, with support for 500 concurrent users (for the entire chassis) in the base package and a maximum limit that assumes a fully populated chassis.
IPv6
With this release Access Policy Manager supports IPv6, enabling connectivity between IPv4 and IPv6 networks. Administrators can configure network access lists per supported IP version, IPV4 or IPV4&IPV6 and then configure lease pools and LAN address spaces for IPv4 only or for both IPv4 and IPv6.
This table provides a summary of IPv6 support for various authentication methods:
Authentication Type | IPv6 Support | Configuration Notes |
---|---|---|
AD Auth | Supported | Note: Starting in 11.3, also supported with the pool option. |
AD Query | Supported using layered virtuals | Note: Starting in 11.3, also supported with the pool option. |
LDAP Auth and Query | Supported via the pool option | Admin needs to use the pool option for using IPv6 with LDAP. |
RADIUS Auth and Acct | Supported via the pool option | Admin needs to use the pool option for using IPv6 with RADIUS. |
OCSP | Not supported | |
CRLDP | Supported via the pool option | Admin needs to use the pool option for using IPv6 with CRLDP. |
TACACS+ | Supported | TACACS+ server can be configured with IPv6 address. |
SecurID | Not tested/supported | IPv6 support for SecurID is supported in Authentication Manager 7.1 for Windows 2008. However, this is not tested. |
Kerberos | Supported | |
HTTP | Supported | Start URI can be configured with IPv6 address. |
This table provides a summary of IPv6 support for the access types and clients:
Access Type | Supported Feature or Client | Caveat |
---|---|---|
Network | IPv6 VPN | To use an IPv6 tunnel, both an IPv6 tunnel and an IPv4 tunnel must run to the client system simultaneously. On the server side, configure the network access resource with both IPv4 and IPv6 lease pools and set the supported IP version to IPv4&IPv6. Note: IPv6 VPN is not supported for Android and Windows Mobile. |
Network | Android | No IPv6 VPN support. |
Network | Linux | Linux and Linux client CLI are supported. |
Network | Windows 7 | |
Network | Windows mobile | No IPv6 VPN support. |
Application | Application tunnel | Accessing IPv6 resources with a static application tunnel is not supported. |
Portal | IPv6 web applications | To support portal access to IPv6 web applications, configure the portal access using either an IPv6 address or a host name. (Host name resolves to both IPv4 and IPv6 addresses.) Note: The DNS configuration on the APM machine includes an option to specify the IP address family preference; this setting controls which address type to use when the hostname configured in the portal access resource resolves to both IPv4 and IPv6 address types. By default, the setting is empty and the default IP address family preference is IPv4. When the hostname resolves to both IPv4 and IPv6 addresses, APM picks the IPv4 address. See the tmsh command following this table to change the preference. |
To enable IPv6 preference in 11.1 (so that when the hostname resolves to both IPv4 and IPv6 addresses, APM picks the IPv6 address), you must use a tmsh command from the tmos.sys.dns context, as shown here:
root@(bigipsys)(cfg-sync Standalone)(Active)(/Common)(tmos.sys.dns)# modify include "options inet6"
Warning: Do not use the include option without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include option. If you use this option incorrectly, you put the functionality of the system at risk.
Logging and Reporting
With this release, logging scalability and performance are enhanced, and report performance improves as a result. For reporting, when you configure a custom report, the available report fields are now organized for selection by user, resources, sessions, and access policy.
New in 11.0.0
Application Tunnels
This release provides application tunnels to a single application on a remote user's desktop without the security risk of opening a full network access tunnel.
Optimized Network Access Tunnels
With this feature, you can layer full network access tunnels with optimized tunnels for Windows clients.
Remote Desktops
This release provides a hosted remote desktop connection, from a specific remote desktop application to the remote user's desktop, without the security risk of opening a full network access tunnel. Remote desktop is supported for Citrix XenApp server and Microsoft RDP clients.
Kerberos Protocol Translation
With this feature, APM is able to authenticate the user with Active Directory, and then receive a Kerberos ticket on the user's behalf, allowing secure access to the Application server and offloading SSL negotiation from the app server. This feature also makes SSL offload for Smart Card authentication possible.
Kerberos Single Sign-On
With this feature, a user can automatically sign onto backend applications and services that are part of a Kerberos realm, for seamless authentication after the user completes an access policy using a supported authentication scheme.
Oracle Access Manager (OAM) integration
With this release, you can design access policies and manage policy-based access services for Oracle applications on an Oracle Access Manager server from one location.
Flash Patching
In Portal Access, HTML-formatted fields in Flash content are patched by the APM rewrite engine. When rendering an application through the Access Policy Manager, the rewrite engine rewrites the Flash content to render links properly.
Dynamic webtops
The dynamic webtop displays a list of network resources, which include applications, network access and remote desktops, available to a user after authentication. The content of the webtop is dynamic in the sense that only resources for which the user is authorized are displayed to the user. The webtop is customizable based on a user’s identity, context, and group membership.
Reporting system
With the new reporting system, you can generate customized, granular reporting for analysis and troubleshooting purposes. You can generate reports based on many parameters, for example, access failures, users, resources accessed, group usage, or geolocation.
Machine info inspection
The machine info client check allows administrators to examine the security posture of a device, including attributes such as MAC address, CPU ID and HDD ID. The access policy can compare information collected by the machine info check to an allowed list of hardware devices or configurations, then add the result to the access policy. This enables the access policy administrator to identify IT-controlled assets.
Client Type inspector
The client type inspector replaces the UI mode inspector, and includes new branches for the BIG-IP Edge Client, iOS, and Android devices.
Dynamic ACLs
BIG-IP Access Policy Manager can load ACLs from an external authentication database (Active Directory, RADIUS, or LDAP) and apply them dynamically. This allows for a single policy per user, no matter which Access Policy Manager the user is connecting to.
Edge Client for MacOS
The optional BIG-IP Edge Client can be delivered by browser or as a standalone application. Its functionality is identical to the Windows version (though Windows provides more client side checks), in a native MacOS interface. The Edge Client for MacOS is supported on Mac 10.5.x and later, and supports 64-bit OSes.
Adaptive Compression
Compression in resources now compresses downstream data to the client using the best available compression codec, based on network conditions and compressibility of the data.
Supported high availability configuration for Access Policy Manager
Installation overview
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in Upgrading Active-Standby Systems and Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.
Installation checklist
Before you begin:
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
- Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
- Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
- Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
- Configure a management port.
- Set the console and system baud rate to 19200, if it is not already.
- Log on as an administrator using the management port of the system you want to upgrade.
- Boot into an installation location other than the target for the installation.
- Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
- Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
- Turn off mirroring.
- If you are running WAN Optimization Manager, set provisioning to Minimum.
- If you are running Policy Enforcement Manager, set provisioning to Nominal.
- If you are running Advanced Firewall Manager, set provisioning to Nominal.
Installing the software
Installation method | Command |
---|---|
Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name] |
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser. |
Sample installation command
The following command installs version 11.2.0 to volume 3 of the main hard drive.
tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3
Post-installation tasks
- Ensure the system rebooted to the new installation location.
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
- Log on to the browser-based Configuration utility.
- Run the Setup utility.
- Provision the modules.
- Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Installation tips
- The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
- You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
- If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
Upgrading from earlier versions
Your upgrade process differs depending on the version of software you are currently running.
Upgrading from version 10.1.0 (or later) or 11.x
When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.
Upgrading from versions earlier than 10.1.0
You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.
Automatic firmware upgrades
If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.
Upgrading from earlier versions of APM
When you upgrade from an earlier version of Access Policy Manager (APM), you might need to take care of issues related to these configurations.
Advanced customization
If you performed any advanced customization of files, you must upgrade these files manually.
Custom reports
Custom reports are lost after upgrade. To work around this issue, export your custom reports before you upgrade and then reimport them after you upgrade.
OAM configuration
When upgrading from version 10.2.x to 11.x with an OAM configuration, upgrade fails. To work around this issue: before you upgrade, delete the OAM configuration; after the upgrade is complete, create a new OAM configuration in 11.x.
Fixes in 11.2.1
Fixes in 11.2.0
ID Number | Description |
---|---|
226524 | Active Directory forest mode was not supported in earlier versions. Starting in this release, APM supports the cross-domain option for AD Query and AD Auth agents. |
354486 | Previously, a Mac Edge Client did not automatically try to reestablish a connection if the Tunnel Server (svpn) was still alive from the previous connection; instead, this status was displayed: Error: VPN disconnected. This issue has been resolved. |
358874 | Previously, APM did not inform the user about the Active Directory password policy at logon. We have implemented Active Directory password policy check in this release. |
365344 | The Linux command line client now supports PEM and PKCS12 client certificates. |
367511 | An AAA configuration using the LDAPS protocol did not negotiate SSL. Previously, you needed to use a layered virtual server with an SSL profile to work around this problem. You no longer need to use the workaround. |
368210 | In version 11.0, an iRule that was present in version 10.2.x was replaced with a Remote Desktop profile. During upgrade from version 10.2.x to version 11.x, the configuration failed to load, displaying the error message Virtual server /Common/citrix_vs references rule _sys_APM_Citrix which does not exist. We have resolved this issue. |
369151 | In earlier versions, after an upgrade, configuration reload failed if duplicate resource names existed. We have resolved this issue as follows: It is no longer possible to create APM webtop links and connectivity resources with the same names. |
369657 | In earlier versions, help was missing for the confirmation window that was displayed when you deleted an access policy. Help now displays correctly. |
369714 | Previously, the Advanced Customization Editor did not work with multi-byte character sets. Now it does. |
370336 | Performance has been improved for creating and updating custom reports. |
371046 | Active Directory authentication now works with IPv6 as expected. |
371577 | Server-initiated connections to VPN tunnel clients frequently failed after the client's VPN tunnel dropped and reconnected on a system running in CMP mode. This issue has been resolved. |
371691 | APM no longer depends on reverse DNS records to resolve the fully qualified domain name (FQDN) of the domain controller. Instead, APM uses LDAP protocol to retrieve the ldapHostName attribute from domain rootDSE and uses reverse DNS only as a fallback. |
371692 | This version introduces native HA functionality in APM. (In addition, APM still supports HA using a layered virtual server.) Native HA works as follows: If only a domain name is specified for an AAA Active Directory server object, APM discovers a list of domain controllers (DCs) for that domain using DNS SRV request. After that, APM tries to use the DCs in the list for AD Auth (or AD Query). If AD Auth (or AD Query) fails due to a connectivity issue, APM marks that DC as unavailable for 10 minutes and tries the next one. |
371854 | Previously, when the rewrite plugin sent a list of application cookies to the backend server using the Cookie: header, it appended a semicolon to the value of the last cookie; this broke compliance with RFC2109. Now, the value of the last cookie does not include a trailing semicolon. |
371959 | Previously, a database error occurred when running a report that returned a large amount of data (over a million records). Now when you run reports, you can specify a time range or accept a default value (the most recent 8 hours). The timeout value has also been increased. |
371989 | Previously, when running custom reports, pagination was not enabled. For large reports, this caused the Configuration utility to be slow. This issue has been resolved. |
372034 | Previously, if a domain controller was specified using an IPv6 address, AD Query reported as successful without running in the access policy. This issue has been resolved. It is no longer necessary to work around this problem. |
372060 | Previously, the Timeout popup window in French and Spanish locales would display a JavaScript error. The error was due to extra spaces in a parameter that prevented the proper loading of subsequent pages. Pages now load correctly, and the error does not occur. |
372092 | Due to a known problem with cookie support in the Linux Citrix Receiver client 12.0, every request made to APM started a new session. This issue has been resolved. |
372494 | It is no longer necessary to use a layered virtual server to use IPv6 addresses with Active Directory or LDAP. Now, you can specify Active Directory and LDAP AAA servers using IPv6 addresses. AD Auth, AD Query, LDAP Auth, and LDAP Query now work with IPv6 addresses as expected. |
373668 | Previously, you could not copy an access policy if the name (including the partition) exceeded 62 characters. Now when you copy such an access policy, the name of the copy is truncated: characters in the middle of the name are removed. |
373825 | When you include a dot (".") in an access profile name, authentication works correctly now. |
373830 | The current active sessions statistic in the access profile no longer underflows, showing unreasonably large values. |
373831 | The current pending sessions statistic in the access profile no longer underflows, showing unreasonably large values. |
374531 | Previously, dynamic ACL generated an incorrect IPv4 netmask during the parsing of an ACL entry. In certain cases, the order of bits in an octet was reversed, and dynamic ACL presented an error message for a correct ACL entry. For example, {allow tcp any 172.31.0.0/25} and {allow tcp any 172.31.0.128/25} are both correct ACL entries, but dynamic ACL would give an error message for the latter entry. This issue has been resolved. |
374953 | Previously, you could not start Citrix applications configured with custom encryption from an APM dynamic webtop. Now, APM supports custom encryption settings on a per application basis. |
375263 | In previous versions, if you enabled the Server-Side SSL setting for a Remote Desktop resource of the Citrix terminal type, the setting was not saved. This issue has been resolved. |
375495 | Previously, iSession socket connections through the BIG-IP APM system were not reused. We have added connection reuse capability, which should improve data latency. |
376115 | Previously, on Windows 7 clients with more than one network interface running Internet Explorer 8 in protected mode, the APM client caused memory allocation failures, resulting in an Internet Explorer crash. This issue has been resolved. |
376556 | Exchange support system iRule did not comply with RFC 2617 with respect to non case-sensitivity for handling the HTTP Authorization Basic header. Although it is extremely rare, a particular Exchange client might send the credential using a different case; for example, sending "basic", instead of "Basic". Previously when this happened, the system iRule failed to extract the credentials and rejected the request. This issue has been resolved. |
377853 | To ensure that SSO works for Active Directory whether cross-domain support is enabled or not, a new session variable is registered: session.ad.agent_name.actualdomain . This variable contains the user domain to which the user successfully authenticated. |
378362 | Access policy branches that originate from macrocalls are followed correctly now. |
378926 | With the behavior change introduced in the ACCESS hudfilter in the 11.1.0 release for handling the clientless-mode header, the existing iRule code did not work properly with this new functionality. As a result, the OutlookAnywhere system iRule did not work. This issue has been resolved. |
378991 | Previously, a user name that contained special characters might be logged incorrectly. This issue has been resolved. |
379413 | ActiveSync clients were detected incorrectly as Windows NT Internet Explorer 7. It is no longer necessary to rely on properties other than client type to detect an ActiveSync client; the issue has been resolved. |
380725 | Previously with Windows Phone, the reverse proxy was unable to recognize a Windows object. For example, when a Windows Mobile 7.x device connected to an APM full webtop and started a Portal Access favorite, the URL request was not rewritten and therefore did not take the user to APM for connection. This issue has been resolved. |
380838 | We have introduced a database variable to allow the administrator to disable LDAP DN/Filter escape in LDAP/AD Query agent in case the administrator wants to prepare the DN/Filter escape in advance. |
381118 | TMM no longer restarts with a SIGSEGV when running ACCESS::session exists iRule commands in ACCESS_SESSION_CLOSED events. |
383008 | The Msxml2.XMLHTTP.6.0 object was not supported in web applications. Now it is supported. |
383201 | Previously, WebSSO crashed when receiving a response without headers from a server. This no longer happens. |
383708 | Previously, VBscript (contained within a vbscript script tag or referenced externally, using the src attribute) was treated as JavaScript. Therefore, content was not patched correctly. This issue has been resolved. |
385786 | After integrating APM with Oracle Access Manager (OAM) so that APM acts as an OAM 10g webgate, an HTTP post request against OAM protected resources would fail. This issue has been resolved. |
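The netmask defect described for ID 374531, as an added example that is not F5's code: an illustrative dynamic-ACL entry parser in Python that derives the IPv4 mask from the CIDR prefix length correctly, beside a deliberately defective buggy_prefix_to_mask that fills each octet from the wrong end and therefore rejects 172.31.0.128/25 while accepting 172.31.0.0/25. The entry syntax and addresses are the page's; the parser itself is assumed.

```python
# Added example, not F5's code: an illustrative dynamic-ACL entry parser that
# derives the IPv4 netmask from the CIDR prefix length, beside a deliberately
# defective version reproducing the bit-order reversal described for ID 374531.
import ipaddress
import re

# "allow tcp any 172.31.0.128/25" is the entry form quoted on the page.
ACL_RE = re.compile(r"^(allow|deny)\s+(\w+)\s+(\S+)\s+(\S+)$")


def prefix_to_mask(prefix: int) -> int:
    """Correct: the top `prefix` bits of the 32-bit mask are set, MSB first."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def buggy_prefix_to_mask(prefix: int) -> int:
    """Defective: fills each octet from its least significant bit, so a /25
    becomes 255.255.255.1 instead of 255.255.255.128."""
    mask = 0
    for octet in range(4):
        bits_in_octet = max(0, min(8, prefix - 8 * octet))
        octet_val = 0
        for b in range(bits_in_octet):
            octet_val |= 1 << b  # wrong end of the byte
        mask = (mask << 8) | octet_val
    return mask


def mask_to_str(mask: int) -> str:
    return str(ipaddress.IPv4Address(mask))


def parse_acl_entry(entry: str, mask_fn=prefix_to_mask) -> dict:
    """Parse one entry such as "{allow tcp any 172.31.0.128/25}" and reject it
    if host bits are set under the computed mask (the check that misfired)."""
    m = ACL_RE.match(entry.strip().strip("{}").strip())
    if not m:
        raise ValueError(f"unparseable entry: {entry!r}")
    action, proto, src, dst = m.groups()
    addr_str, _, prefix_str = dst.partition("/")
    prefix = int(prefix_str) if prefix_str else 32
    addr = int(ipaddress.IPv4Address(addr_str))
    mask = mask_fn(prefix)
    if addr & ~mask & 0xFFFFFFFF:
        raise ValueError(f"{dst}: host bits set under mask {mask_to_str(mask)}")
    return {"action": action, "proto": proto, "src": src,
            "network": mask_to_str(addr & mask), "mask": mask_to_str(mask)}


def entry_is_valid(entry: str, mask_fn=prefix_to_mask) -> bool:
    """True if the parser accepts the entry with the given mask function."""
    try:
        parse_acl_entry(entry, mask_fn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for e in ("{allow tcp any 172.31.0.0/25}", "{allow tcp any 172.31.0.128/25 }"):
        print(e, "correct:", entry_is_valid(e),
              "buggy:", entry_is_valid(e, buggy_prefix_to_mask))
```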
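The native HA behaviour described for ID 371692 (and the Active Directory pool feature under "New in 11.2.0"), as an added simulation that is not F5's code: domain controllers are discovered from SRV records, tried in order, and a DC that cannot be reached is held out for 10 minutes while the next one is tried. srv_lookup, authenticate and the clock are hypothetical callables injected so the selection logic runs offline.

```python
# Added example, not F5's code: a simulation of the native Active Directory HA
# behaviour described for ID 371692. srv_lookup, authenticate and now are
# hypothetical callables injected so the logic runs without DNS or a real DC.
import time

QUARANTINE_SECONDS = 10 * 60  # an unreachable DC is skipped for 10 minutes


class ConnectivityError(Exception):
    """Raised by authenticate() when the DC is unreachable."""


class AuthFailed(Exception):
    """Raised by authenticate() when the DC answers but rejects the credentials."""


class AdDomainPool:
    def __init__(self, domain, srv_lookup, authenticate, now=time.time):
        self.domain = domain
        self._srv_lookup = srv_lookup
        self._authenticate = authenticate
        self._now = now
        self._unavailable_until = {}  # DC hostname -> epoch seconds

    def discover(self):
        """DCs for the domain from _ldap._tcp SRV records, best priority/weight first."""
        records = self._srv_lookup(f"_ldap._tcp.{self.domain}")
        ordered = sorted(records, key=lambda r: (r["priority"], -r["weight"]))
        return [r["target"] for r in ordered]

    def available(self, dcs):
        """Drop DCs still inside their quarantine window."""
        t = self._now()
        return [dc for dc in dcs if self._unavailable_until.get(dc, 0) <= t]

    def auth(self, username, password):
        """Try DCs in order; returns ('ok', dc), ('rejected', dc) or ('unreachable', None).
        Only a connectivity failure moves on to the next DC; a reachable DC's verdict is final."""
        for dc in self.available(self.discover()):
            try:
                self._authenticate(dc, username, password)
                return "ok", dc
            except AuthFailed:
                return "rejected", dc
            except ConnectivityError:
                self._unavailable_until[dc] = self._now() + QUARANTINE_SECONDS
        return "unreachable", None


class FakeClock:
    """Constructed clock so quarantine expiry can be exercised deterministically."""
    def __init__(self, start=1_000.0):
        self.t = start

    def __call__(self):
        return self.t


def make_pool(down):
    """Constructed sample: three SRV records for example.test; DCs named in `down`
    raise ConnectivityError, any other DC accepts only the password 'correct'."""
    records = [
        {"target": "dc1.example.test", "priority": 0, "weight": 100},
        {"target": "dc2.example.test", "priority": 0, "weight": 50},
        {"target": "dc3.example.test", "priority": 10, "weight": 100},
    ]

    def srv_lookup(name):
        return list(records)

    def authenticate(dc, username, password):
        if dc in down:
            raise ConnectivityError(dc)
        if password != "correct":
            raise AuthFailed(username)

    clock = FakeClock()
    return AdDomainPool("example.test", srv_lookup, authenticate, now=clock), clock


if __name__ == "__main__":
    pool, clock = make_pool(down={"dc1.example.test"})
    print(pool.auth("alice", "correct"))    # ('ok', 'dc2.example.test')
    print(pool.available(pool.discover()))  # dc1 is quarantined
    clock.t += QUARANTINE_SECONDS + 1
    print(pool.available(pool.discover()))  # dc1 is eligible again
```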
Fixes in 11.1.0
ID Number | Description |
---|---|
248018, 354427 | Now, multiple Network Access resources can be assigned to a user session at one time, and displayed on the dynamic webtop. A user can only start one Network Access session, however. |
307017 | Network Access tunnels running on Mac now use the client system's proxy settings. |
350161 | Upon exit, protected workspace now attempts to clean up the system paging file and RAM to prevent information leaks. |
353010 | APM session cookies now support the HttpOnly attribute for certain security settings. This attribute is supported in LTM+APM mode, and cannot be used with client-side endpoint checks. |
355549 | Previously the SSO credential mapping agent added unnecessary braces { } around the expression. Now these braces are not added. |
360374 | Mac OS X 10.7 is now supported for Network Access connections. |
360442 | Network Access now supports two-factor authentication with Windows Logon Integration. This feature added two options for the Network Access client: Enable Full Pre-logon Sequence and Reuse Winlogon Session. |
363034 | The Z parameter in the /myvpn request on iOS, Mac and Linux clients previously required a special iRule. Now the Z parameter is supported without an iRule. |
363724 | Previously, in access policies, the logging agent had to be configured explicitly with "session.client.unique_id". Now the logging agent can be configured with the wildcard "session.client.*", to allow logging of all UUIDs. |
364684 | An issue with logout URIs building up on the system was fixed. |
364853 | The webtop-type last is no longer listed as a supported option in the command line interface. |
364936 | Previously, in some circumstances the Logon Page action could not be customized in the Visual Policy Editor. This is now fixed. |
365096 | ACCESS_POLICY_AGENT_EVENT now properly starts in clientless mode. |
365175 | Import of access policies that include objects that were created in the non-common partition now succeeds. |
365347 | After the BIG-IP box restarted, in some circumstances, users could not establish new sessions and received TCP RST messages. In /var/log/apm, the following error appeared: Access policy configuration version: configuration-id in use by user session was not found. This issue is now fixed. |
365349 | Previously, if an app tunnel was configured with multiple addresses to the same destination but different ports, and the DNS Relay Proxy was not enabled, only the first address/port combination would be reachable. This was corrected by enabling the DNS Relay automatically. |
365597 | Previously, custom reports with a very large database could consume up to 40% of the CPU. This issue has been fixed. |
365662 | In the Customization tool preview page, macro ending page nodes, which cannot be previewed, have been removed from the preview tree nodes. |
365882 | The Installer control setup file that controls all installable components was previously unsigned and caused warning messages on some systems. The setup file is now signed by F5. |
365948 | In a protected workspace session, if a webtop was configured with the Minimize to tray option enabled, the webtop was correctly minimized to the system tray, but if the user restored it from the system tray by double clicking, the protected workspace session closed. This has been fixed. |
366190 | Access policy inactivity timeouts sometimes failed in a previous version, when the Cache and Session Control action was enabled. Access policy inactivity timeouts now work properly. |
367070 | When an access policy manager session was stopped by the system administrator or expired, the Citrix Receiver attempted to reconnect until the window was closed by the user. This has been fixed. |
367512 | The administrator is no longer prompted to select the SSL server profile when configuring an LDAP server in direct mode. |
367726 | Citrix applications can now be started from the dynamic webtop on Internet Explorer 9. |
367850 | Previously, the Network Access status window remained active after a session was terminated by the administrator, or expired due to timeout. This has been fixed. |
368488 | All roles above operator can now manage sessions. |
369248 | The network access web client now supports proxy autoconfig (PAC) scripts located on HTTP or HTTPS servers, in addition to locally stored PAC files. |
369407 | In a previous release, access policies created using the Access Policy Manager wizards did not allow the choice of the dynamic webtop, and labeled the Full Resource Assign action incorrectly. These issues have been fixed. |
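Fix 353010 adds HttpOnly support for APM session cookies, but it applies only in LTM+APM mode and not together with client-side endpoint checks, so the attribute is worth verifying on the wire rather than assumed. The following Python is an added example, not F5 code, that parses Set-Cookie headers and reports which session cookies were issued without the HttpOnly or Secure attribute. The cookie names and the Set-Cookie lines are constructed for the example; check the names against your own deployment.

```python
# Added example (not F5 code): report session cookies issued without
# HttpOnly or Secure, from a list of Set-Cookie header values.
from http.cookies import SimpleCookie
from typing import Dict, Iterable, List

# Cookie names are an assumption for this example, not taken from the release note.
SESSION_COOKIES = ("MRHSession", "LastMRH_Session")


def missing_cookie_flags(set_cookie_headers: Iterable[str],
                         names: Iterable[str] = SESSION_COOKIES) -> Dict[str, List[str]]:
    """Return {cookie_name: [missing attributes]} for each cookie in `names`
    that is set without Secure or HttpOnly. Other cookies are ignored."""
    wanted = set(names)
    result: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses one Set-Cookie line, attributes included
        for name, morsel in jar.items():
            if name not in wanted:
                continue
            missing = []
            if not morsel["secure"]:
                missing.append("Secure")
            if not morsel["httponly"]:
                missing.append("HttpOnly")
            if missing:
                result[name] = missing
    return result


# Constructed Set-Cookie values (not captured from a real system).
CONSTRUCTED_HEADERS = [
    "MRHSession=0123abcd; path=/; secure; HttpOnly",
    "LastMRH_Session=0123abcd; path=/; secure",
    "SomeOtherCookie=ignored; path=/",
]

if __name__ == "__main__":
    for cookie, flags in missing_cookie_flags(CONSTRUCTED_HEADERS).items():
        print(f"{cookie}: missing {', '.join(flags)}")
```

Feed it the Set-Cookie values from a logon response (for example, as captured by a proxy or by curl -D) and treat any non-empty result as a configuration to review: a session cookie readable from script is exposed to any cross-site scripting flaw in the content APM fronts.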
Fixes in 11.0.0
The current release includes the fixes and enhancements from previous releases and the fixes that were distributed in SOL12729: Overview of BIG-IP version 10.2.1 HF1, SOL12778: Overview of BIG-IP version 10.2.1 HF2, and SOL12816: Overview of BIG-IP version 10.2.1 HF3.
ID Number | Description |
---|---|
225512 | Previously, Access Policy Manager clients that started network access tunnels that ended up on different Traffic Management Microkernels (TMMs) could not communicate. Now, such clients can communicate. |
225870 | Previously, a rare condition could cause a crash in the system when APM tried to connect or reconnect a network access tunnel. We have corrected this. |
226423 | Previously, Access Policy Manager's active sessions graph erroneously reported a maximum value when active sessions existed and a failover event occurred. Now, this issue no longer occurs. |
336284 | Previously, network access tunnels on a system that failed over could not restart after the failover because the lease pool was not created. Now the lease pool is created and network access tunnels fail over correctly. |
339171 | Previously, when an administrator created an AAA server with the web interface, some legal characters could not be used in the AAA server name. Now the name field accepts all legal characters. |
339951 | Previously, Access Policy Manager HTTP 404 Not Found errors could not be configured. Now, the message for these errors is configurable as part of the logout group. |
341377 | The following new iRule commands have been introduced to allow the use of multiple SSO profiles and make them selectable based on user-defined criteria: |
344713 | Previously, WebSSO crashed when the HTTP header dictionary was invalidated and refreshed. Now this no longer occurs. |
346047 | Previously, the documentation for portal access described a patching method (No patching) that is no longer supported. The patching method is no longer described. |
347568 | In portal access, JavaScript rewriting has been enhanced to better handle SVG elements. |
348742 | Previously, the Client OS action in Access Policy Manager did not support Microsoft Internet Explorer 9. The Client OS action now supports clients identifying themselves as Internet Explorer 9. |
349490 | Previously, when you configured an access policy using HTTP form-based authentication, the username and password were sent to the authentication server in POST variables, even if a username and password were not specified in the server configuration, resulting in authentication failures. Now the username and password are sent only when specified. |
351757 | In a previous release, when the admin configured client power management settings in Network Access network properties, those power management settings were ignored by Windows Vista and Windows 7 clients. Now, Windows Vista and Windows 7 clients use the Network Access power management settings. |
351895 | Previously, when you created multiple Active Directory AAA servers, or changed the realm on multiple Active Directory servers, several default_realm entries were erroneously added to the /etc/krb5.conf configuration file, causing authentication errors. Now, only one default_realm entry is added to the configuration file. |
354748 | Previously, when you configured portal access for a backend server with the same host name as the Access Policy Manager virtual server, portal access failed to rewrite some links. Now, portal access rewrites links correctly when the backend web server has the same host name as the virtual server. |
358873 | Previously, when a Portal Access connection was made to an SAP NetWeaver backend server, some JavaScript Function() calls were not correctly handled, resulting in errors on the client. Now, NetWeaver JavaScript functions are handled correctly by Portal Access. |
359330 | Previously, when you configured an Access Policy Manager LTM Access connection with at least one pool member, and source IP persistence or persistent cookies enabled, some connection errors occurred with certain web servers. Now, this configuration works correctly. |
359530 | Previously, when a user accessed a SharePoint 2007 site through portal access, the rewrite engine used the wrong parser to patch some URLs incorrectly, causing connection errors and failures. Now, the rewrite engine for SharePoint 2007 sites uses the correct parser. |
365107 | Previously, when the Access Policy Manager received an HTTP 100 Continue response from a backend server, the system could fail or experience instability. The system no longer fails or becomes unstable in this scenario. |
Behavior changes in 11.2.0
ID Number | Description |
---|---|
371693 | Previously, if a domain controller was not specified for an AAA Active Directory server object, Access Policy Manager (APM) discovered domain controllers using the DNS AAAA/A request. Now, APM discovers domain controllers using the DNS SRV request. |
379363 | To fully support cross-domain AD Query, as well as AD Auth, a change was needed. Previously, APM used the sAMAccountName filter to search for users. APM now uses (userPrincipalName=username) in the following two cases: |
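Behavior change 371693 switches domain controller discovery from A/AAAA lookups of the domain name to DNS SRV lookups, which means the _msdcs SRV records must be resolvable from the BIG-IP system. The following Python is an added example, not F5 code, showing the well-known Active Directory SRV owner names and the RFC 2782 ordering (priority first, then weighted random within a priority) that an SRV-based client applies to the answer. The domain, site and records are constructed for the example; how APM itself orders or caches the answer is not stated in the release note.

```python
# Added example (not F5 code): SRV-based domain controller discovery.
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def dc_srv_name(domain: str, site: Optional[str] = None, service: str = "_ldap") -> str:
    """Well-known AD SRV owner names for domain controllers.

    _ldap._tcp.dc._msdcs.<domain> lists every DC of the domain; the _sites form
    restricts the answer to DCs registered in one AD site.
    """
    if site:
        return f"{service}._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"{service}._tcp.dc._msdcs.{domain}"


def order_srv(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Order SRV answers per RFC 2782: lowest priority first; within one
    priority, weighted random selection (higher weight is chosen earlier
    more often, weight 0 is chosen only when nothing else is left)."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = rng.choice(pool)
            else:
                n = rng.randint(0, total - 1)
                acc = 0
                for r in pool:
                    acc += r.weight
                    if acc > n:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def dc_candidates(answer: List[SrvRecord], seed: int = 0) -> List[str]:
    """Return host:port strings in the order a client should try them."""
    return [f"{r.target}:{r.port}" for r in order_srv(answer, random.Random(seed))]


# Constructed SRV answer for _ldap._tcp.dc._msdcs.corp.example (not real data).
CONSTRUCTED_ANSWER = [
    SrvRecord(priority=0, weight=100, port=389, target="dc1.corp.example"),
    SrvRecord(priority=0, weight=0, port=389, target="dc2.corp.example"),
    SrvRecord(priority=10, weight=50, port=389, target="dc-dr.corp.example"),
]

if __name__ == "__main__":
    print("query:", dc_srv_name("corp.example"))
    print("try in order:", dc_candidates(CONSTRUCTED_ANSWER))
```

The practical check after upgrading is that the name dc_srv_name() builds for your domain resolves from the BIG-IP system (for example with dig, using the DNS servers the system is configured with); if the records are missing or point at unreachable DCs, AAA Active Directory objects without an explicit domain controller will fail where they previously worked.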
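The LDAP escape setting in fix 380838 and the user-lookup filter change in 379363 both come down to how a username is placed into an LDAP search filter or DN. The following Python is an added example, not F5 code, that shows RFC 4515 filter-value escaping and RFC 4514 DN-value escaping, the sAMAccountName and userPrincipalName forms of the lookup, the double escaping that the new db variable avoids when a value is already escaped, and what a wildcard in the username does once escaping is off for a value that was not pre-escaped. The (&(objectClass=user)(...)) wrapper and the function names are assumptions for the example, not APM's actual filter.

```python
# Added example (not F5 code): escaping a username for an LDAP filter or DN,
# and what changes when that escaping is disabled.
from typing import Dict

# RFC 4515 section 3: characters that must be encoded as \XX in a filter value.
_FILTER_ESCAPES: Dict[str, str] = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN string (RFC 4514):
    backslash before , + " \\ < > ; anywhere, before a leading '#' or space,
    and before a trailing space; NUL becomes \\00."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif i == 0 and ch in ("#", " "):
            out.append("\\" + ch)
        elif i == last and ch == " ":
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def user_filter(username: str, by_upn: bool, apm_escapes: bool = True) -> str:
    """Build a user-lookup filter.

    by_upn=False models the sAMAccountName lookup, by_upn=True the
    userPrincipalName lookup 11.2.0 uses for the cases in 379363.
    apm_escapes=False models the db variable from 380838 that turns off
    APM's own escaping; the caller is then responsible for it.
    The (&(objectClass=user)...) wrapper is an assumption for this example.
    """
    value = escape_filter_value(username) if apm_escapes else username
    attr = "userPrincipalName" if by_upn else "sAMAccountName"
    return f"(&(objectClass=user)({attr}={value}))"


if __name__ == "__main__":
    # Constructed inputs (not from the release note).
    print(user_filter("alice@corp.example", by_upn=True))
    # A pre-escaped value would be escaped twice if APM also escaped it:
    print(escape_filter_value(escape_filter_value("a*")))
    # With escaping off and no pre-escaping, '*' becomes a wildcard match:
    print(user_filter("alice*", by_upn=False, apm_escapes=False))
    print(escape_dn_value("Smith, John"))
```

The double-escaping line is the reason the db variable exists: a DN or filter that the administrator has already escaped would otherwise be escaped a second time and no longer match. The last user_filter call is the reason it should stay at its default unless that pre-escaping is in place: with escaping off, an unescaped '*' or parenthesis from the logon form reaches the directory as filter syntax rather than as part of the name.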
Usability
Session ID rotation has been implemented and, starting from 11.2.0, is on by default. This breaks compatibility with earlier Edge Client and plugin versions: for example, when APM is configured for session ID rotation, an 11.1.0 Edge Client cannot log in to Access Policy Manager (APM) version 11.2.x. The expected behavior in this case is that APM presents the logon page to the Edge Client again after each login attempt. To disable session ID rotation on a single system, use the following tmsh command: tmsh modify sys db apm.rotatesessionid value disable. Rotating the session ID at logon is the standard defense against session fixation, so treat disabling it as a temporary measure until the clients are upgraded.
Known issues
This release contains the following known issues.
Contacting F5 Networks
Phone: | (206) 272-6888 |
Fax: | (206) 272-6802 |
Web: | http://support.f5.com |
Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: http://support.f5.com/kb/en-us.html
- The F5 DevCentral web site: http://devcentral.f5.com/
- AskF5 TechNews
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 TechNews
- Weekly HTML TechNews
- The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
- Periodic plain text TechNews
- F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.