Applies To:
Show Versions
BIG-IP APM
- 11.4.1
Summary:
This release note documents the version 11.4.1 release of BIG-IP Access Policy Manager (APM).
Contents:
- Supported platforms
- Module combination support on the 3900
- Configuration utility browser support
- APM client browser support
- User documentation for this release
- Evaluation support
- New in 11.4.1
- New in 11.4.0
- New in 11.3.0
- New in 11.2.1
- New in 11.2.0
- New in 11.1.0
- New in 11.0.0
- Supported high availability configuration for Access Policy Manager
- Installation overview
- Upgrading from earlier versions
- Upgrading from earlier versions of APM
- Fixes in 11.4.1
- Fixes in 11.4.0
- Fixes in 11.3.0
- Fixes in 11.2.1
- Fixes in 11.2.0
- Fixes in 11.1.0
- Fixes in 11.0.0
- Usability
- Behavior changes in 11.4.0
- Known issues
- Contacting F5 Networks
- Legal notices
Supported platforms
This version of the software is supported on the following platforms:
Platform name | Platform ID |
---|---|
BIG-IP 800 (LTM only) | C114 |
BIG-IP 1600 | C102 |
BIG-IP 3600 | C103 |
BIG-IP 3900 | C106 |
BIG-IP 6900 | D104 |
BIG-IP 8900 | D106 |
BIG-IP 8950 | D107 |
BIG-IP 11000 | E101 |
BIG-IP 11050 | E102 |
BIG-IP 2000s, BIG-IP 2200s | C112 |
BIG-IP 4000s, BIG-IP 4200v | C113 |
BIG-IP 5000s, BIG-IP 5200v BIG-IP 5x50 (requires 11.4.1 HF3) |
C109 |
BIG-IP 7000s, BIG-IP 7200v BIG-IP 7x50 (requires 11.4.1 HF3) |
D110 |
BIG-IP 10x50 (requires 11.4.1 HF3) | D112 |
BIG-IP 10000s, BIG-IP 10200v | D113 |
VIPRION B2100 Blade | A109 |
VIPRION B2150 Blade | A113 |
VIPRION B2250 Blade (requires 11.4.1 HF1) | A112 |
VIPRION C2400 Chassis | F100 |
VIPRION B4100, B4100N Blade | A100, A105 |
VIPRION B4200, B4200N Blade | A107, A111 |
VIPRION B4300, B4340N Blade | A108, A110 |
VIPRION C4400, C4400N Chassis | J100, J101 |
VIPRION C4480, C4480N Chassis | J102, J103 |
VIPRION C4800, C4800N Chassis | S100, S101 |
Virtual Edition (VE) | Z100 |
vCMP Guest | Z101 |
These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.
Most of the support guidelines relate to memory on the platform or provisioned guest. For vCMP support and for Policy Enforcement Module (PEM), Carrier-Grade NAT (CGNAT), and the BIG-IP 800 platform, the following list applies for all memory levels:
- vCMP supported platforms
- VIPRION B2100, B2150, B2250, B4200, B4300, B4340N
- BIG-IP 5200v, 7200v, 10200v
- PEM and CGNAT supported platforms
- VIPRION B2150, B2250, B4300, B4340N
- BIG-IP 5200v, 7200v, 10200v
- BIG-IP Virtual Edition (VE) (Not including Amazon Web Service Virtual Edition)
- PEM and CGNAT may be provisioned on the VIPRION B4200, but it is not recommended for production, only for evaluation. PEM may be provisioned on the VIPRION B2100, but it is not recommended for production, only for evaluation. Use the B4300 or B4340N instead.
- BIG-IP 800 platform support
- The BIG-IP 800 platform supports Local Traffic Manager (LTM) only, and no other modules.
Memory: 12 GB or more
All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory.
Memory: 8 GB
The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)
- No more than three modules should be provisioned together.
- On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
- Note that Global Traffic Manager (GTM) and Link Controller (LC) do not count toward the module-combination limit.
Memory: Less than 8 GB and more than 4 GB
The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category).
- No more than three modules (not including AAM) should be provisioned together.
- Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
- Note that GTM and LC do not count toward the module-combination limit.
- Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).
Memory: 4 GB or less
The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.
- No more than two modules may be configured together.
- AAM should not be provisioned, except as Dedicated.
VIPRION and vCMP caching and deduplication requirements
Application Acceleration Manager (AAM) supports the following functionality when configuring vCMP and VIPRION platforms.
- AAM does not support disk-based caching functionality on vCMP platforms. AAM requires memory-based caching when configuring it to run on vCMP platforms.
- AAM supports disk-based caching functionality on VIPRION chassis or blades.
- AAM does not support deduplication functionality on vCMP platforms, or VIPRION chassis or blades.
vCMP memory provisioning calculations
The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).
As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.
Module combination support on the 3900
Although SOL10288 states that all modules are supported on all platforms as of BIG-IP version 11.4.0, this does not mean that all possible module combinations are allowed on every platform (especially, legacy platforms).
Configuration utility browser support
The BIG-IP Configuration Utility supports these browsers and versions:
- Microsoft Internet Explorer 8.x, 11.x
- Mozilla Firefox 27.x
- Google Chrome 32.x
APM client browser support
For a list of browser versions that the Access Policy Manager client supports, refer to the BIG-IP APM Client Compatibility Matrix.
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 11.4.1 Documentation page.
Evaluation support
If you have an evaluation license for BIG-IP APM VE, note that it does not include support for Oracle Access Manager.
New in 11.4.1
In this release, APM supports the following new features and enhancements.
Machine Info action retrieves MAC addresses for Linux and Mac systems
You can now use the Machine Info action (formerly, Windows Machine Info action) to retrieve the first and second network adapter MAC addresses for Linux, Mac, and Windows clients. The Machine Info action can retrieve additional machine information for Windows systems that you could retrieve using the Windows Machine Info action in earlier releases.
Maximized Enterprise Application Delivery Value
To make it easier and more affordable to get the Software Defined Application Services capabilities all organizations need, F5 introduces three software bundle offerings: Good, Better, and Best.- Good
- Provides intelligent local traffic management for increased operational efficiency and peak network performance of applications.
- Better
- Good plus enhanced network security, global server load balancing, and advanced application delivery optimization.
- Best
- Better plus advanced access management and total application security. Delivers the ultimate in security, performance, and availability for your applications and network.
New in 11.4.0
VMware View native proxy
Helps collapse visual desktop infrastructure (VDI) deployments for VMware with consolidated traffic management and authentication with context-based secure access.
Initiating Access Policy from iRules
- New iRules on the BIG-IP system allow access policies to be initiated from those iRules.
- Extends the proxy-based security F5 delivers for web applications (web apps) to non-web apps.
Recurring endpoint checks
- Allows for post-admission periodic endpoint inspections.
- Reduces the risk of malware infecting endpoints and the network after access is granted.
Always-on and locked client
- Enables BIG-IP Edge Client, once installed, to be always-on and locked.
- Increases security, forcing users to authenticate every time the client is unlocked.
Citrix traffic shaping
- Provides bandwidth control for Citrix ICA traffic.
Local user database support
- Provides a user authentication service for APM.
- Enables APM to enforce user lockout for external AAA servers.
HTML profile
- Supports rule-based patching of HTML, such as content insertion, tag modification/removal, and comment removal.
- Triggers HTML iRule events when matching specific tags or comments defined by rules.
- HTML iRules.
Rewrite profile (URI translation)
Supports rule-based URI translation in HTML and CSS.Hosted content
- Supports upload of executable files, scripts, text, HTML, CSS files, and image files to APM.
- Enables file-serving of hosted content from a webtop link, or from a portal access link.
Visual policy editor enhancements
- Enables search for action items when adding them.
- Displays action items to add to a policy by category.
- Enables swapping of policy branches.
AD and LDAP group resource assign
- Enables creation of domain user group names in APM to mirror Active Directory and LDAP group names.
- Enables resource assignment to the APM groups.
- Enables resource assignment to a user's session from every group to which the user belongs.
Endpoint security (client-side) check enhancements
- Supports anti-spyware, patch management, peer-to-peer, Windows hard disk encryption, Windows health agent software checks (in addition to antivirus and firewall software checks).
- Enables updates to the supported software through BIG-IP system EPSEC releases.
Microsoft Exchange profile
- New application access configuration screens streamline and simplify BIG-IP system configuration for various Microsoft services.
- Removes requirement for user-configured iRules.
Per client connectivity profiles
Provides new configuration screens that separate configuration items per target operating system for BIG-IP Edge Client customization.
SAML
Supports Single Logout (SLO) using POST binding.
- Supports encryption for SAML attributes and subject.
New in 11.3.0
Access Policy Sync
You can now synchronize access policies, including the resources used in them, across Sync-Only device groups. Certain resources are by default location-specific. You can choose to create them as-is or resolve them on the target system.
SAML support
You can configure a BIG-IP system as a SAML identity provider (IdP) or as a SAML service provider (SP). You can federate a group of BIG-IP systems with one acting as an IdP and others acting as SPs. APM supports both IdP- and SP-initiated connections depending on the configuration that you choose to implement. APM provides IdP discovery for SP-initiated connections to a BIG-IP system that acts as a SAML SP.
NTLM Authentication from the network edge for Outlook Anywhere clients
Access Policy Manager supports Microsoft Exchange clients that are configured to use NTLM and HTTP Basic protocols independently. Typically, mobile devices use HTTP Basic authentication, while Outlook Anywhere clients can use both NTLM and HTTP Basic authentication. To determine whether a client uses NTLM or HTTP Basic authentication, APM supplies an iRule that makes the determination and enforces the use of one or the other. After a client authenticates with NTLM, APM supports single sign-on with the back-end application or server using Kerberos constrained delegation (KCD).
Native SMS/E-Mail passcode two-factor support
Access Policy Manager supplies an OTP Generate action that generates a one-time, time-sensitive password and an OTP Verify action that verifies that a user entered the correct password before that password expired. The visual policy editor also includes new macro templates:
- AD auth query OTP by email and resources - Template for sending an OTP over email.
- AD query auth OTP by HTTP and resources - Template for sending an OTP using the HTTP Auth agent.
IP Reputation
IP intelligence is a separately licensed feature that you can enable on the BIG-IP system. The IP intelligence database includes IP addresses that might be malicious, categorized according to why they are considered untrustworthy. You can check IP reputation from an access policy with the new IP Reputation action. IP reputation is now also included in APM session reports, and a new report, Bad IP Reputation Sessions, is available.
Access policy macro loops
You can set a Maximum Macro Loop Count for a macro now. If you set it to greater than 1, a Loop branch follows the macro in the access policy; a Loop terminal becomes available for you to choose. A macro exits to the Loop branch after it runs a loop (specified with a Loop terminal) for the maximum number of times without breaking out of the loop.
New action items in access policies
- Date Time - Checks the date or the time to enable time-based access.
- License Check - Enables license-based access. Checks number of remaining licenses against an absolute value or checks the percentage of licenses remaining against a threshold. You can run a license check for access licenses, connectivity licenses, and concurrent users.
- IP Reputation - Checks whether an IP address is good (no reputation) or bad with respect to the IP intelligence database, if you have licensed and enabled it.
- SAML Auth - Authenticates users against an external SAML identity provider when you configure the BIG-IP system as a SAML service provider.
- IP Subnet Match - Checks whether the client IP address matches an IP subnet.
- NTLM Auth Result Check - Checks the result of NTLM authentication.Note: Use this action only in conjunction with a configuration specified in the BIG-IP Access Policy Manager Authentication guide.
Other new features
- APM now supports Java-based Application Tunnels on non-Windows endpoints.
- You can configure the Logon page action to add a CAPTCHA to a login page. Access Policy Manager CAPTCHA support is based on the API that the Google reCAPTCHA service provides. You can use any CAPTCHA service with a compatible API.
New in 11.2.0
Secure access features
- Java applet patching
With Java Applet Patching enabled, BIG-IP APM can patch server-side Java applets in real-time. The clients that run the patched Java applet connect back through the BIG-IP system using SSL in an authenticated APM session. Patched Java applet code is stored in RAM cache, eliminating the need to rewrite every time.
Note: If the applet contains encrypted JAR files, the BIG-IP system cannot rewrite the applet. - Java RDP support for Linux, Mac, and Windows
A Java RDP client now supports Mac, Linux and Windows clients, providing a cross-platform method to access remote desktops using the RDP protocol over a non-L3 tunnel.
- Google Chrome browser support
BIG-IP APM supports the Google Chrome browser. For the latest supported browser versions, refer to the BIG-IP APM Client Compatibility Matrix.
- Custom parameter fields for terminals
You can now set custom parameters for remote desktops. These parameters affect the rendering of certain features for both the Citrix and RDP terminal resource types.
- Pool assignment agent
In the Visual Policy Editor, you can configure a new agent, Pool Assign, which assigns an LTM pool to a session dynamically.
- High availability for Active Directory
Support for high availability for Active Directory authentication had been added; this includes the ability to define an Active Directory pool.
- Session ID Rotation
To improve security, part of the session ID is rotated on each response while an access policy is executing.
Manageability and optimization features
- Improved OPSWAT package management
To scan for antivirus products on the end client, F5 uses a library from OPSWAT. The library provides the administrator with a consistent API to use against various antivirus products. When an antivirus vendor updates their code base and, in response, OPSWAT updates the library, F5 verifies the library and posts a hotfix. This improvement enables you to apply the hotfix to multiple BIG-IP systems more quickly, by uploading the file to a single BIG-IP system manually and then syncing the file to all devices in a device group.
- Form-based SSO improvements
With BIG-IP APM 11.2, in addition to collecting, caching, and proxying user credentials to multiple backend systems using Kerberos, NTLM, and form-based SSO, there is a second method of achieving form-based SSO. This new form-based client-initiated SSO method works by detecting logon request pages from the client application and then parsing the server response for a logon form. Then APM inserts JavaScript that sets the form’s logon name and password placeholder (or token) to match the user’s and perform auto submit. When the client submits this form, APM replaces the password token with the user’s actual credentials and then submits this to the backend application. If the server returns any errors, the form-based client-initiated SSO mechanism disables SSO for that application to preserve connectivity to that application for other users.
- Mesh Data Deduplication
A new version of Symmetric Data Deduplication, SDD v3, is optimized for performance in hub and spoke or mesh deployments involving multiple sites.
Usability enhancements
- Captive Portal Detection in Edge Client
BIG-IP Edge Client now automatically detects whether the user is behind a captive portal, such as those at hotels and airports, and waits until the user completes sign in to the portal.
- Citrix Xenapp server non-default ports
APM now supports Citrix XenApp server configured with ICA/CGP services on ports other than the default ports (1494 for ICA and 2598 for CGP).
New in 11.1.0
Access Policy Manager Clustering
This release adds support for running Access Policy Manager on a chassis platform and in a virtualized Clustered Multi-Processing (vCMP) environment. Access Policy Manager features work in the same fashion when clustered as not with the following caveat. Upon tunnel reconnect due to a blade going down on a chassis platform, flows inside the tunnel are not preserved; users need to reconnect their applications after an underlying tunnel goes down.
XenApp/XenDesktop Support Enhancements
- Eliminating the need for XenApp Services Sites
- Simplifying configuration and number of boxes required
Other enhancements:
- Provides enhanced support on challenge events in 2-factor authentication when using a Citrix Receiver. Specifically, Access Policy Manager can gracefully handle requests for RSA new PIN codes and AD password expiration.
- Enables the Webtop to display folders of published apps, mapping what has been shown on the XenApp server.
- Provides session reliability support for ICA connections: In case of a network problem between the Citrix client and the XenApp server, the application on XenApp Server continues to run and XenApp server buffers the ICA traffic until the client reconnects. The user’s session does not go into a disconnected state as long as the XenApp Server is buffering data for the user. After the connection is restored, XenApp Server flushes the buffered ICA data to the client and the session continues. Access Policy Manager sits between the Citrix client and the XenApp server and interprets and proxies these ICA communications. This feature improves user experience.
- Supports multi-Stream ICA: BIG-IP Access Policy Manager is first on the market with support for multi-stream ICA. This feature allows for true network-based Quality of Service (QoS) to the ICA/HDX protocol in XenDesktop 5.5 and XenApp 6.5. It is a mechanism to prioritize network traffic, helping to ensure that the most important data gets through the network as quickly as possible.
Windows Credential Manager Integration
This feature integrates with the Windows Credential Manager such that when a user hits ctrl-alt-del, the actual Windows boot process is halted so that the Edge Client can establish a network access tunnel before resuming it. This allows admins to configure new Windows machines to force a password expiration the very first time a laptop/workstation is used regardless of whether it is on a local net or remote.Linux standalone client
This client can be downloaded from Access Policy Manager and installed on Linux endpoints. This is a command-line client (unlike the Windows or Mac edge clients) but supports endpoint inspection and auto-updates. It provides a simple CLI interface with commands such as Connect, Disconnect, Auto-connect.
New Packaging
Edge Gateway VEs
- F5-BIG-EGW-VE-200M targets the small enterprise; includes support for 100 concurrent users in the base package; supports 500 maximum concurrent users; limits aggregate throughput to 200Mbps
- F5-BIG-EGW-VE-1G targets the medium enterprise; includes support for 300 concurrent users in the base package; supports 2500 maximum concurrent users; limits throughput to 1Gbps
- F5-BIG-EGW-VE-LAB
APM 1600 standalone: Unlike other Access Policy Manager modules, this platform can be used without Local Traffic Manager. It includes support for 500 concurrent users in the base package.
APM on VIPRIONs: Support for APM on VIPRION is provided as an add-on SKU to the VIPRION chassis. There is one add-APM SKU for each chassis model. The format will be similar to appliance add-APM SKUs, with support for 500 concurrent users (for the entire chassis) in the base package and a maximum limit that assumes a fully populated chassis.
IPv6
With this release Access Policy Manager supports IPv6, enabling connectivity between IPv4 and IPv6 networks. Administrators can configure network access lists per supported IP version, IPV4 or IPV4&IPV6 and then configure lease pools and LAN address spaces for IPv4 only or for both IPv4 and IPv6.
This table provides a summary of IPv6 support for various authentication methods:Authentication Type | IPv6 Support | Configuration Notes |
---|---|---|
AD Auth | Supported |
Note: Starting in 11.3, also supported with the pool option.
|
AD Query | Supported using layered virtuals Note: Starting in 11.3, also supported with the pool option.
|
|
LDAP Auth and Query | Supported via the pool option | Admin needs to use the pool option for using IPv6 with LDAP. |
RADIUS Auth and Acct | Supported via the pool option | Admin needs to use the pool option for using IPv6 with RADIUS. |
OCSP | Not supported | |
CRLDP | Supported via the pool option | Admin needs to use the pool option for using IPv6 with CRLDP. |
TACACS+ | Supported | TACACS+ server can be configured with IPv6 address. |
SecurID | Not tested/supported | IPv6 support for SecurID is supported in Authentication Manager 7.1 for Windows 2008. However, this is not tested. |
Kerberos | Supported | Â |
HTTP | Supported | Start URI can be configured with IPv6 address. |
Access Type | Supported Feature or Client | Caveat |
---|---|---|
Network | IPv6 VPN | To use an IPv6 tunnel, both an IPv6 tunnel and an IPv4 tunnel must run to the client system simultaneously. On the server side, configure the network access resource with both IPv4 and IPv6 lease pools and set the supported IP version to IPv4&IPv6. Note: IPv6 VPN is not supported for Android and Windows Mobile.
|
Android | No IPv6 VPN support. | |
Linux | Linux and Linux client CLI are supported. | |
|
|
|
Windows 7 |
|
|
Windows mobile | No IPv6 VPN support. | |
Application | Application tunnel | Accessing IPv6 resources with a static application tunnel is not supported. |
Portal | IPv6 web applications | To support portal access to IPv6 web applications, configure the portal access using either an IPv6 address or a host name. (Host name resolves to both IPv4 and IPv6 addresses.) Note: The DNS configuration on the APM machine includes an option to specify the IP address family preference; this setting controls which address type to use when the hostname configured in the portal access resource resolves to both IPv4 and IPv6 address types. By default, the setting is empty and the default IP address family preference is IPv4. When the hostname resolves to both IPv4 and IPv6 addresses, APM picks the IPv4 address.
To enable IPv6 preference in 11.1 (so that when the hostname resolves to both IPv4 and IPv6 addresses, APM picks the IPv6 address), you must use a tmsh command, as shown here. root@(bigipsys)(cfg-sync Standalone)(Active)(/Common)(tmos.sys.dns)# modify include "options inet6" Warning: Do not use the include option without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include option. If you use this option incorrectly, you put the functionality of the system at risk.
|
Logging and Reporting
With this release: For logging, both scalability and performance are enhanced. As a result, report performance is also enhanced. For reporting, when configuring a custom report, available report fields are now organized for selection by: user, resources, sessions, and access policy.
New in 11.0.0
Application Tunnels
This release provides application tunnels to a single application on a remote user's desktop without the security risk of opening a full network access tunnel.
Optimized Network Access Tunnels
With this feature, you can layer full network access tunnels with optimized tunnels for Windows clients.
Remote Desktops
This release provides a hosted remote desktop connection, from a specific remote desktop application to the remote user's desktop, without the security risk of opening a full network access tunnel. Remote desktop is supported for Citrix XenApp server and Microsoft RDP clients.
Kerberos Protocol Translation
With this feature, APM is able to authenticate the user with Active Directory, and then receive a Kerberos ticket on the user's behalf, allowing secure access to the Application server and offloading SSL negotiation from the app server. This feature also makes SSL offload for Smart Card authentication possible.
Kerberos Single Sign-On
With this feature, a user can automatically sign onto backend applications and services that are part of a Kerberos realm, for seamless authentication after the user completes an access policy using a supported authentication scheme.
Oracle Access Manager (OAM) integration
With this release, you can design access policies and manage policy-based access services for Oracle applications on an Oracle Access Manager server from one location.
Flash Patching
In Portal Access, HTML-formatted fields in Flash content are patched by the APM rewrite engine. When rendering an application through the Access Policy Manager, the rewrite engine rewrites the Flash content to render links properly.
Dynamic webtops
The dynamic webtop displays a list of network resources, which include applications, network access and remote desktops, available to a user after authentication. The content of the webtop is dynamic in the sense that only resources for which the user is authorized are displayed to the user. The webtop is customizable based on a user’s identity, context, and group membership.
Reporting system
With the new reporting system, you can generate customized, granular reporting for analysis and troubleshooting purposes. You can generate reports based on many parameters, for example, access failures, users, resources accessed, group usage, or geolocation.
Machine info inspection
The machine info client check allows administrators to examine the security posture of a device, including attributes such as MAC address, CPU ID and HDD ID. The access policy can compare information collected by the machine info check to an allowed list of hardware devices or configurations, then add the result to the access policy. This enables the access policy administrator to identify IT-controlled assets.
Client Type inspector
The client type inspector replaces the UI mode inspector, and includes new branches for the BIG-IP Edge Client, iOS, and Android devices.
Dynamic ACLs
BIG-IP Access Policy Manager can load ACLs from an external authentication database (Active Directory, RADIUS, or LDAP) and apply them dynamically. This allows for a single policy per user, no matter which Access Policy Manager the user is connecting to.
Edge Client for MacOS
The optional BIG-IP Edge Client can be delivered by browser or as a standalone application. Its functionality is identical to the Windows version (though Windows provides more client side checks), in a native MacOS interface. The Edge Client for MacOS is supported on Mac 10.5.x and later, and supports 64-bit OSes.
Adaptive Compression
Compression in resources now compresses downstream data to the client using the best available compression codec, based on network conditions and compressibility of the data.
Supported high availability configuration for Access Policy Manager
Installation overview
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Active-Standby Systems and BIG-IP Systems: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.
Installation checklist
Before you begin:
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
- Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
- Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
- Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
- Configure a management port.
- Set the console and system baud rate to 19200, if it is not already.
- Log on as an administrator using the management port of the system you want to upgrade.
- Boot into an installation location other than the target for the installation.
- Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
- Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
- Turn off mirroring.
- If you are running Application Acceleration Manager, set provisioning to Minimum.
- If you are running Policy Enforcement Manager, set provisioning to Nominal.
- If you are running Advanced Firewall Manager, set provisioning to Nominal.
Installing the software
Installation method | Command |
---|---|
Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name] |
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser. |
Sample installation command
The following command installs version 11.2.0 to volume 3 of the main hard drive.
tmsh install sys software image BIGIP-11.2.0.2446.0.iso volume HD1.3
Post-installation tasks
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Active-Standby Systems and BIG-IP Systems: Upgrading Active-Active Systems, and we strongly recommend that you reference these documents to ensure successful completion of the installation process.
- Ensure the system rebooted to the new installation location.
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility (10.x - 11.x).
- Log on to the browser-based Configuration utility.
- Run the Setup utility.
- Provision the modules.
- Convert any bigpipe scripts to tmsh. (Version 11.x does not support the bigpipe utility.)
Installation tips
- The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
- You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
- If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
Upgrading from earlier versions
Your upgrade process differs depending on the version of software you are currently running.
Upgrading from version 10.1.0 (or later) or 11.x
When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.
Upgrading from versions earlier than 10.1.0
You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.
Automatic firmware upgrades
If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.
Upgrading from earlier versions of APM
When you upgrade from an earlier version of Access Policy Manager (APM), you might need to resolve issues related to these configurations.
Connectivity profiles
When upgrading from 10.x.x to 11.4.x, connectivity profiles are not fully recovered. You can work around the problem using one of these options:
- Option 1: Upgrade from 10.x.x to 11.4.x, then reconfigure connectivity profiles in the Access Policy Secure Connectivity area of the Configuration utility.
- Option 2: Upgrade from 10.x.x to 11.x.x, where 11.x.x is earlier than 11.4.x, then continue upgrading to 11.4.x.
Antivirus and firewall software checks in access policies
If your access policies include custom expressions that rely on session variables created by the antivirus or firewall software checks, after upgrade to 11.4.x, you must configure the antivirus or firewall software checks so that the Store information about client software in session variables property is set to Enabled. (It is disabled by default.)
If the custom expressions include multiple sub-expressions, you might need to edit the expressions.
Citrix client packages
The 11.4.x upgrade script cannot recover any file object with a name that includes space characters. If a Citrix client package file name includes a space, the configuration loads after upgrade, but the Citrix client package file does not function properly. To work around this problem:
- Outside of APM, name or rename a Citrix client package without spaces in the name.
- Use the correctly named Citrix client package.
- To fix the problem before upgrade, replace any improperly named Citrix client package as needed.
- To fix the problem after upgrade, upload a properly named Citrix client package and select it from the connectivity profiles.
Machine accounts for NTLM front-end authentication
APM does not restore NLAD connections when the configuration is restored from an UCS file. After upgrading to 11.4.x, if the previous configuration was using NTLM front-end authentication, the functionality is not restored. To work around this problem, after the upgrade, manually delete the existing machine account configurations and then recreate them.Advanced customization
If you performed any advanced customization of files, you must upgrade these files manually.
Custom reports
Custom reports are lost after upgrade. To work around this issue, export your custom reports before you upgrade and then reimport them after you upgrade.
OAM configuration
When upgrading from version 10.2.x to 11.x with an OAM configuration, upgrade fails. To work around this issue: before you upgrade, delete the OAM configuration; after the upgrade is complete, create a new OAM configuration in version 11.x.
APM Windows group policy configuration
When upgrading from version 10.x.x to 11.x.x with a Windows group policy configuration, upgrade fails. To work around the problem:
- Save the 10.x.x configuration in a UCS file, such as the _10.X_use_file, using tmsh. For example: tmsh load sys ucs the_10.X_ucs_file
- Upgrade to 11.x.x without forwarding the configuration.
- After the upgrade to 11.x.x completes successfully, restore the saved configuration file using tmsh. For example: tmsh load sys ucs the_10.X_ucs_file
Access policies that use session variables
If you are upgrading from 10.x, you might need to update access policies that use session variables. Version 11.x introduces the concept of partitions. A partition is added to an object name. An access policy that compares a session variable against a value would behave differently after upgrade. This example shows the difference in the value of a session variable between these versions.
- Version 10.x - session.ad.MyPolicy_act_active_directory_auth_ag.authresult
- Version 11.x - session.ad./Common/MyPolicy_act_active_directory_auth_ag.authresult
The partition, /Common, is added to the version 11.x object name.
Fixes in 11.4.1
ID number | Description |
---|---|
392250 | When Access Policy OAM Support is enabled on a virtual server and the AccessGate setting specifies a particular accessgate instead of Default, users are no longer intermittently redirected to an OAM error page. |
413661 | Access policies that were copied from other policies no longer lose their images when the original policy is deleted. |
417908 | Now accounts in Citrix Receiver can be registered by entering only the domain name of the APM virtual server. |
418231 | Now ICA Proxy does not attempt to modify an ICA file if it detects that an STA ticket is used. The list of STA servers configured through a session variable named session.citrix.sta_servers is used to resolve STA tickets. The list of STAs should contain one or more URLs delimited by a semicolon. |
419780 | This release uses a less aggressive mechanism to encode URLs for the prevention of XSS attacks. |
420740 | Policy Sync now works for an access policy that includes a Windows Registry action. |
420743 | SAML IdP automation now gracefully handles a metadata file that is missing an EntityDescriptor tag. |
421068 | When you use APM portal access and click a link that runs an HTML file that includes a parent.document.write (some_html_with_script) statement, an Internet browser screen no longer hangs. |
421315 | A TMM core for network access scenarios no longer occurs. |
421356 | This release fixes a rewrite plugin crash that could happen when accessing some HTML pages through APM portal access. |
421566 | The root cause of the logd core has been corrected. |
422331 | The access policy Deny ending agent displays the correct error message now for some additional cases: Your session could not be established. |
424861 | When you configure the antivirus action in the Client Classification and Prelogon Checks VPE macro template, it now presents an entry on the Property page. It also presents the correct expression on the Branch Rules tab: expr { [mcget {session.check_software.last.av.result}] == 1 }. |
424969 | This release prevents a rewrite plugin crash that could occur when sending POST requests with specific XML data through portal access. |
Fixes in 11.4.0
ID number | Description |
---|---|
354628 | When using portal access to access OWA using NTLM authentication without SSO configured, the upload of a large attachment to attach to an email message no longer stops and the server no longer provides a 401 response. |
358876 | When a user's password for Active Directory authentication expires, Access Policy Manager (APM) presents a form to the user to change and confirm a new password. If the new password does not comply with password complexity checks, APM no longer requests old credentials a second time, but prompts for a new password and confirmation until surpassing the maximum number of password reset attempts. |
365453 | Now APM Citrix proxy fully supports Wyse Xenith terminals. |
369780 | When you use the client to access Microsoft SharePoint 2010 and upload multiple files, the Upload Multiple Documents dialog box now closes automatically after upload. |
369815 | If Kerberos Key Distribution Center (KDC) is not accessible, Active Directory authentication module log messages now include a user name. |
373273 | To use the HD Encryption Endpoint Security client-side check, you should disable the User Account Control (UAC). |
376000 | Uploading files when accessing a web application using APM portal access mode now works correctly. This includes sending an email message with an attached file using Outlook Web Access (OWA). |
376260 | Portal access now patches URLs in HTTP refresh headers. |
378969 | Now a captive portal is properly detected in the Force all traffic through tunnel mode. |
381488 | Applications that report a HTTP user-agent string that APM does not understand are treated as an unknown client type. |
382993 | Previously, the access policy redirect ending did not support arbitrary session variables. Now any session variables specified in the redirect URL are supported. |
383332 | When an administrator makes changes in Advanced Customization mode and switches to the Properties Customization mode, changes are now saved. |
383917 | The service type that is specified in the RADIUS AAA server configuration is now included in RADIUS accounting stop messages. |
384313 | A newly uploaded EPSEC package is now available on all devices in the device group where the most recent EPSEC installation was done. |
384391 | Now one Network Access resource can be launched automatically, directly after user login. |
385055 | Now you can create more than one AAA Active Domain server object that specifies the same domain name but different domain controllers. |
385597 | Introduced quiet mode for BIG-IP Edge Client for Windows standalone in which it does not show any screen or pop-ups. |
386046 | A confusing message about the RAS subsystem was displayed when running self-diagnostics. The message is now correct. |
386147 | APM now supports Department of Defense (DoD) Common Access Care (CAC) authentication using single sign-on to back end servers that run Citrix applications. |
386342 | A Mac network access client now properly deallocates memory after routing table manipulation. |
386478 | If the state of the VPN connection to the BIG-IP system changes, a notification displays. |
386758 | You can now import an access policy when a new ACL is order 0 and an ACL with that order already exists. |
386887 | Citrix Receiver clients now work with multiple APM Citrix remote desktop resources. Previously, they were limited to one resource. |
388023 | This release fixes a rare case in which Edge Client would crash. |
388514 | Previously when accessing public folders on OWA 2003 through portal access, a customer might see an error, Login Timeout failed with HTTP status code 440. The error occurred because backend cookies were not inserted. Now, the rewrite plugin inserts backend cookies correctly for this case and errors do not occur when accessing public folders on OWA 2003. |
388784 | There was a conflict between Windows Server 2008 and MIT Kerberos interpretation of kvno field size. As a result, users could not sign on using APM Kerberos SSO when the BIG-IP system used a read only domain controller as a KDC. The conflict is resolved. |
389262 | A crash occurred when looking up a property name beginning with 0 (zero). Portal access rewrite no longer crashes in this case. |
389564 | DNS SRV records are now redirected according to the network access split tunneling mask. |
389744 | BIG-IP Edge Client for Mac now displays the current server after redirection. |
391428 | Now if macro settings change and the macro is in use, the link Apply Access Policy displays at the top of screen. |
391514 | The system now handles the condition where the DNS relay proxy service fails to get the list of DNS servers on a particular machine. |
391517 | Some icons for Citrix published applications were not rendered correctly on an APM webtop, and the default icon was used instead of an application-specific icon. Now all icons render correctly on a webtop. |
392250 | When Access Policy OAM Support is enabled on a virtual server and the AccessGate setting specifies a particular accessgate instead of Default, users are no longer intermittently redirected to an OAM error page. |
392745 | BIG-IP Edge Client customizations (for example, banner color and logo) for Chinese languages are now correctly applied. |
394025 | A simplified Flash rewriting algorithm is used to avoid a problem with patching of SWF content with AS2. |
394363 | BIG-IP Edge Client and client components could not be installed due to an expired certificate. This problem no longer occurs. |
395990 | In some route domain and SNATpool deployments, the APM virtual server (used to send reset) was not accessible. This issue is now fixed. |
397088 | APM now supports more than one referral by Active Directory authentication during cross-domain authentication. |
399148 | For a Citrix remote desktop resource on a webtop, visible application icons (those that are not in folders) are now loaded first. |
399411 | The Protected Workspace (PWS) option, Allow write access to USB flash drives, is now applied to Windows portable devices. |
399957 | Now an administrator can select the Kerberos Preauthentication Encryption Type option for an AAA Active Directory server and include preauthentication within the first AS-REQ packet. |
399999 | APM now supports Citrix Receiver email-based auto-discovery using DNS SRV records. |
400675 | When an XML Broker is used in standalone mode, Citrix icons are now displayed on an APM full webtop in Internet Explorer 9. |
400896 | An issue with handling certain types of commands within Flash is corrected. |
401658 | APM now hides network access, remote desktop, and application tunnel resources from APM webtops on Windows 8 ARM. |
401835 | In HA active/standby setup, EPSEC Software Status on Active is no longer lost on upgrade from 11.2.x. |
402715 | After an administrator changes the SSO client-initiated form-based configuration in multi-domain SSO multiple times, SSO now continues to work correctly. |
402741 | The BIG-IP Edge Client now cleans up on exit when a user logs off while a network access connection is established. |
402745 | This release improves handling of URL arguments in Flash objects. |
402878 | If a failover happens while an access policy sync is in progress, APM now handles it correctly. |
403062 | APM now correctly throws a security exception when a DOM security violation occurs. |
403214 | APM no longer prompts a user to change password when Password never expires is enabled for the user even when you define required attributes in the AD Query action. |
403227 | Access policies that are not in the /Common partition can now be synced. |
403668 | Now when using XenDesktop backend servers, high resolution application icons are displayed on Citrix PNAgent clients. |
404461 | APM has improved response time when processing an index of type number. |
404608 | A scrollbar is not longer displayed on a Remote Desktop screen in the Chrome browser. |
404675 | Kerberos SSO configurations where Server Principal Name (SPN) is specified literally in SPN Pattern field (that is, HTTP/server.host.name@SERVER.REALM without %s or %h) now work. |
404739 | A BIG-IP system configured as a SAML identity provider (IdP) now supports IdP-initiated SSO to Google Apps. |
405088 | If you have a Java application tunnel for Linux or Mac with an application that includes a space in the application path, the application now runs. |
405215 | The user role Manager now grants a user permission to create and modify SAML configurations. |
405218 | APM rewrite profiles can now handle a bypass list that contains more than 26 entries. |
405429 | Internet Explorer 8 no longer hangs for five minutes when all browser connections are in use; this was observed previously during portal access rewrite. |
405572 | TMM no longer crashes during establishment of a network access connection. |
405746 | Citrix resources now load correctly on an APM webtop even when the Internet Explorer advanced setting, Enable native XMLHTTP, is cleared. |
405948 | Multi-domain single sign-on (SSO) now saves the correct landing URI in the session.server.multidomain_landinguri session variable. |
405956 | A transient interruption in communication with a key distribution center (KDC) resulted in a 10-minute lockout if no alternate KDC was available. The lockout interval could save time by preventing repeated attempts to use an unavailable KDC. However, if no alternate KDC is available and the interruption is actually brief, the lockout is excessive. The lockout value is now configurable. For more information, see SOL14319: BIG-IP APM Active Directory authentication may not recognize an offline domain controller has been restored, available in the AskF5 Knowledge Base. |
405972 | Flash rewriting errors are now reported with the correct log level, ERR. |
406033 | The iRule ACCESS::enable no longer sends a TCP reset when used with portal access or SAML. |
406036 | APM now correctly handles Access Server TimeOut Exceededexceptions from the Oracle Access Manager SDK. |
406130 | This release fixes a rarely occurring TMM crash. Previously, TMM crashed when a user session was terminated while a form-based client-initiated SSO operation was in progress. |
406382 | An APM remote desktop, with Java client enabled in full screen mode, now gets keyboard input from a Mac OS X 10.8 client with Java 7. |
407148 | APM now works with ActiveSync on Windows Phone 8, Windows Phone 7, and Windows Runtime (RT) devices. |
407327 | The BIG-IP system now detects Internet Explorer in desktop mode on a Windows Phone 8 device as a Windows RT device (Windows 8 running on ARM processor). |
407603 | Possible XSS by cookie tampering on APM logout pages is fixed. |
407833 | When a report fails to run, the Configuration utility now displays a specific error and logs error exception details to the webui.log file even when it is configured in default logging mode. |
407940 | The Session Details report now runs without error. |
408695 | Split domain now works consistently with the HTTP 401 Response action. |
408917 | BIG-IP Edge Client for Mac no longer displays a captive portal when the XML response from the Mac system omits the doctype element. |
409887 | APM can now display up to 100 resources (maximum 20 characters length) on a webtop. |
409998 | You can now export SAML metadata from the Configuration utility without seeing this error: File(s) access/permission or signing key mismatch error. See log file. |
410303 | Users with Guest and Operator roles are now able to access OTP and email agents in the visual policy editor. |
410338 | After the server closes a transport TCP connection, APM now recovers the iSession control channel correctly. |
410548 | The SSO URL in the IdP Connector template, BIG-IP, is now correct; it is /saml/idp/profile/redirectorpost/sso. |
410578 | APM now replaces the authorization header, if one exists, with a header for Kerberos SSO. |
410850 | Client components of APM are no longer susceptible to the attacks described in CVE-2013-0169. |
411107 | Upload of large files using APM with HTTP Basic SSO no longer fails. |
411792 | If you use the iRule ACCESS::session data set with an invalid SID, TMM no longer crashes. |
412041 | Now PWS starts on Windows XP even when the browser uses a large amount of memory. |
412084 | The network access client now supports TLS1.2. |
412146 | HTTP 404 errors no longer occur for an APM virtual server with Citrix & Java Support enabled and the iRule ACCESS::restrict_irule_events disable. |
412493 | This release fixes a memory leak that occurred when APM cached many /vdesk/my.acl URIs for tunnel traffic. |
413467 | TMM now handles ACLs correctly. |
413921 | The rewrite plugin now correctly handles Visual Basic event handlers attached to HTML tags for HTML portal access resources. |
414354 | ACCESS no longer sends multiple HUDCTL_RESPONSE_DONE messages, so HTTP no longer logs many errors. |
414475 | A cross-site scripting vulnerability has been fixed. |
415266 | The password warning feature now works consistently during the first login attempt after an APD restart and on subsequent attempts. The correct message warns a user about password expiration. |
419295 | An ACCESS session can no longer be inadvertently shared by a Citrix Receiver that connects to different virtual servers on the same BIG-IP system. |
416115 | After detecting an IP address change, the BIG-IP Edge Client now resolves the host name during reconnection and initiates full reconnection. |
416339 | After an authorization failure, APM webgate redirect behavior is now similar to Oracle webgate redirect behavior and obssocookie is no longer reset to loggedoutcontinue. |
Fixes in 11.3.0
ID Number | Description |
---|---|
225705 | UDP applications that use fixed port numbers now work over APM Network Access tunnel if you set the Preserve Source Port Strict option to All. You can find the option in Advanced Client Settings of Network Access Resource. |
356241 | APM now supports Java-based application tunnels on non-Windows endpoints. |
360678 | Previously, SMB traffic went directly even when network access was configured with the Force all traffic option. This now works correctly, so the previous workaround (SOL13086: SMB traffic may bypass VPN tunnel when split tunneling disabled) is no longer necessary. |
367434 | It is now possible to change the Active Directory password when IPv6 is used. |
370053 | When using customization and other upload and import operations, temporary files no longer accumulate in the /tmp directory. |
371467 | Previously, users could not log in after an HA Active node primary blade was rebooted on chassis systems or vCMP guests; this happened when the chassis systems or vCMP guests were configured to run on more than one blade. This problem no longer occurs. |
379550 | Unicode white space characters outside the ASCII range are now recognized as such in JavaScript. JavaScript containing these characters is now rewritten correctly. |
380678 | Citrix published applications are displayed with correct Webtop icons in Internet Explorer version 10. |
381332 | Single sign-on to Citrix StoreFront is properly supported now. |
384115 | Provisioning validation fails now when there is no disk for modules that require a disk. |
384138 | Description text is now removed from Citrix application folders on APM Webtop to match Web Interface look and feel. |
384217 | Fixed improper patching of SWF files with AS1/AS2 scripts when function/try/with/branch length is too close to maximum value. |
384509 | A Show Statistics While Connected setting is added to Common Webtop Settings in Customization Quick Start; valid values are on and off. This setting shows and hides statistics in the remote connection popup screen; it affects the application tunnel popup screen, in addition to the Network Access popup screen. |
384937 | Added session variable replacement support for the start_uri field of the AAA HTTP Auth agent. |
385518 | Strings that were not translated previously have been translated. |
385918 | A tmm panic/assert no longer occurs when running an access policy. |
386051 | This change makes it possible to display a simple popup screen for Network Access on a full webtop. You can choose the more simple popup screen through the customization menu. |
386217 | When you set the Access Policy Timeout value in an access profile to greater than the default of 300 seconds, it works correctly. Previously, user sessions expired after 300 seconds while waiting for user input on the logon page; the user logon would fail. |
386277 | Visual policy editor no longer times out when you edit complex policies that assign many resources. |
386654 | If the system shuts down unexpectedly, any changes that a Network Access client made to the registry are cleaned up now upon system startup. |
387264 | After an administrator changes the SSO configuration in an access policy multiple times, SSO stops working. This usually happens after using an SSO configuration with a longer name and then trying to use an SSO configuration with a shorter name. With this release, SSO continues to work after changing the SSO configuration. |
388014 | WEBSSO now works when you select a BASIC SSO configuration using the WEBSSO::select iRule command even in the following situation. The default configuration in the ACCESS profile (or resource) is FORM BASED and uses session variables (for example, in Hidden Form parameters). |
388035 | Multi-Stream ICA connections were targeted to the same primary CGP port on XenApp backends. Now each connection goes to the corresponding Multi-Stream ICA port configured by the administrator in XenApp policies. |
388220 | APM now supports XenDesktop at PNAgent mode. |
388514 | Previously, when accessing public folders on OWA2003 through Portal Access, you might see an error, Login Timeout failed with HTTP status code 440. The error occurred because backend cookies were not inserted. Now, the rewrite plugin inserts backend cookies correctly for this case and errors do not occur when accessing public folders on OWA 2003. |
388860 | The toolbar icon for Edge Client now displays properly on a MacBook with a Retina display. |
389262 | A crash occurred when looking up a property name beginning with 0 (zero). Portal access rewrite no longer crashes in this case. |
389412 | An APM out of license error no longer occurs when APM is under a high load and subject to additional circumstances, such as: users logging in and out frequently; APM failing over multiple times; services restarting on APM. |
389564 | DNS SRV records are now redirected according to the Network Access split tunneling mask. |
389258 | An HTTP POST request hung due to its HTTP POST payload not being released from BIG-IP system to the backend HTTP server. This happened after the eam plugin received a TMEVT_RESPONSE event followed by TMEVT_INGRESS event. Now when the eam plugin receives TMEVT_RESPONSE and TMEVT_INGRESS events successively, the BIG-IP system sends the payload to the backend server, and the backend server reacts properly with a response. |
389617 | A file descriptor leak in APD that can result in APD consuming 100% CPU has been corrected. |
389716 | If you opened an SSO Forms Client-Initiated window and your session timed out before you entered data, a blank page was displayed and remained for some time. This no longer occurs. |
391514 | The system now handles the condition where the DNS Relay Proxy service fails to get the list of DNS servers on a particular machine. |
392250 | When Access Policy OAM Support is enabled on a virtual server and the AccessGate setting specifies a particular accessgate instead of Default, users are no longer intermittently redirected to an OAM error page. |
392255 | A double free issue in APM under high load has been corrected. |
392481 | Web application content processed by client-initiated form-based SSO is no longer truncated as would sometimes happen in the presence of client-side congestion. |
392507 | You can now copy and paste information from APM reports. |
392886 | Now an administrator can configure the machine certificate checker not to check the private key when User Account Control right elevation is required for this operation. |
393941 | The assertion, valid isession pcb, no longer occurs when application or optimized tunnels are terminated. |
395179 | You can now use Safari 6 to establish a network access connection even when the client or server has proxy configuration, rather than not using proxy at all after establishing NA connection. |
395625 | Google Chrome web browser (version 22 or higher) for MAC OS X has a problem loading the already installed inspection host and network access plugins. You might see a yellow error bar near the address bar that displays a message Plugin cannot be loaded. Upgrading to the new plugins does not work seamlessly. To fix the problem, uninstall the old plugins. See Installing plug-ins for Google Chrome 22 on Mac OS X (after this table). |
395754 | From the Basic Customization view, the Network Access screen now displays and allows you to update customization values after upgrades from 10.x.y. |
396213 | A memory leak that happened when AD module made a query to get all domain groups has been fixed. |
396366 | Prior to this release, it was possible to create an AAA AD server configuration from the CLI without supplying a domain name. This resulted in an incorrect configuration. The CLI now checks for a domain name. |
397168 | A Network Access connection can be established now even when the OS X system is localized to a language other than English. |
397668 | An OAM exception from the Oracle ASDK, that occurred when an invalid host name passed to the ObUserSession constructor, has been resolved. |
397958 | These logs (referer_log and agent_log) under the path /var/log/httpd/ are now being rotated periodically under the control of logrotate. |
398007 | In Network Access, tunnel cases with both TLS and DTLS, ICMP traffic would be dropped in some cases. This no longer occurs. |
399212 | Previously, you could save an advanced customization for an access profile stored in a partition, but not for one stored in a folder. Now you can save an advanced customization for an access profile in a partition or in a folder. |
399212 | When using Advanced Customization, you can now save the Access Policy pages that you customize under Access Profiles. |
399411 | PWS option Allow write access to USB flash drives is now applied to Windows Portable Devices. |
401025 | The F5 WebGate did not set the Expires header in the HTTP response for SSO logout URL. Due to this, the browser continued to use the old ObSSOCookie value, so a new user who logged in without closing the browser could access information for the previously logged in user. Now the F5 WebGate sets the Expires header and matches the behavior of the Oracle-fabricated WebGate when receiving an SSO logout URL. |
401351 | Epsec Package Versions are no longer lost after upgrade. |
401738 | The BIG-IP system did not return a RADIUS attribute, state, in unmodified format with the second access-request. This has been corrected; the BIG-IP system now returns the state attribute in unmodified (and therefore, compliant) format. |
402147 | A regression that caused a missing RADIUS accounting stop message on session finish is resolved. |
402741 | Edge Client now cleans up on exit when a user logs off while Network Access is established. |
Installing plug-ins for Google Chrome 22 on Mac OS X
Try these methods in the following order.
Safari method
Using the Safari browser, try connecting to the BIG-IP system to see whether the plugins upgrade seamlessly.
Manual plugin removal method
Try each of these steps until you succeed in removing the plugin:
- In Spotlight, type f5 sam inspection host plugin.plugin and drag and drop the plugin that is found to the Trash.
- Using terminal, go to the Internet Plugin-Ins directory using this command: cd "~/Library/Internet Plug-Ins" and remove the inspection host plugin directory rm -rf "f5 sam inspection host plugin.plugin
- In Spotlight, type F5 SSL VPN Plugin.plugin and drag and drop the document that is found to the Trash. (To verify that it is a Plugin-in document before you drag it to the trash, mouse over the document to see whether its type is Plugin-in.)
- Using terminal, go to the Internet Plugin-Ins directory using this command: cd "/Library/Internet Plug-Ins". Then remove the inspection host plugin directory using this command: sudo rm -rf "F5 SSL VPN Plugin.plugin"
Choosing a simpler Network Access popup method
- Create a full webtop.
- Assign the webtop in an access policy.
- Apply the access profile to a virtual server.
- Select .
- Select Branding.
- In the Webtop tree, locate the webtop from step 1.
- Select Full Webtop Popup Window Settings and verify that the Show Table Switch property appears.
- Select one of the following for the Show Table Switch setting: on (the NA popup screen displays a statistics table) or off (the NA popup screen is small and contains only a status indicator and a Disconnect button).
Fixes in 11.2.1
Fixes in 11.2.0
ID Number | Description |
---|---|
226524 | Active Directory forest mode was not supported in earlier versions. Starting in this release, APM supports the cross-domain option for AD Query and AD Auth agents. |
354486 | Previously, a Mac Edge Client did not automatically try to reestablish a connection if the Tunnel Server (svpn) was still alive from the previous connection; instead, this status was displayed: Error: VPN disconnected. This issue has been resolved. |
358874 | Previously, APM did not inform the user about the Active Directory password policy at logon. We have implemented Active Directory password policy check in this release. |
365344 | The Linux command line client now supports PEM and PKCS12 client certificates. |
367511 | An AAA configuration using the LDAPS protocol did not negotiate SSL. Previously, you needed to use a layered virtual server with an SSL profile to work around this problem. You no longer need to use the workaround. |
368210 | In versions 11.0, an iRule that was present in version 10.2.x was replaced with a Remote Desktop profile. During upgrade from version 10.2.x to version 11.x, the configuration failed to load, displaying the error message Virtual server /Common/citrix_vs references rule _sys_APM_Citrix which does not exist. We have resolved this issue. |
369151 | In earlier versions, after an upgrade, configuration reload failed if duplicate resource names existed. We have resolved this issue as follows: It is no longer possible to create APM webtop links and connectivity resources with the same names. |
369657 | In earlier versions, help was missing for the confirmation window that was displayed when you deleted an access policy. Help now displays correctly. |
369714 | Previously, the Advanced Customization Editor did not work with multi-byte character sets. Now it does. |
370336 | Performance has been improved for creating and updating custom reports. |
371046 | Active Directory authentication now works with IPv6 as expected. |
371577 | Server-initiated connections to VPN tunnel clients frequently failed after the client's VPN tunnel dropped and reconnected on a system running in CMP mode. This issue has been resolved. |
371691 | APM no longer depends on reverse DNS records to resolve the fully qualified domain name (FQDN) of the domain controller. Instead, APM uses LDAP protocol to retrieve the ldapHostName attribute from domain rootDSE and uses reverse DNS only as a fallback. |
371692 | This version introduces native HA functionality in APM. (In addition, APM still supports HA using a layered virtual server.) Native HA works as follows: If only a domain name is specified for an AAA Active Directory server object, APM discovers a list of domain controllers (DCs) for that domain using DNS SRV request. After that, APM tries to use the DCs in the list for AD Auth (or AD Query). If AD Auth (or AD Query) fails due to a connectivity issue, APM marks that DC as unavailable for 10 minutes and tries the next one. |
371854 | Previously, when the rewrite plugin sent a list of application cookies to the backend server using the Cookie: header, it appended a semicolon to the value of the last cookie; this broke compliance with RFC2109. Now, the value of the last cookie does not include a trailing semicolon. |
371959 | Previously, a database error occurred when running a report that returned a large amount of data (over a million records). Now when you run reports, you can specify a time range or accept a default value (the most recent 8 hours). The timeout value has also been increased. |
371989 | Previously, when running custom reports, pagination was not enabled. For large reports, this caused the Configuration utility to be slow. This issue has been resolved. |
372034 | Previously, if a domain controller was specified using an IPv6 address, AD Query reported as successful without running in the access policy. This issue has been resolved. It is no longer necessary to work around this problem. |
372060 | Previously, the Timeout popup window in French and Spanish locales would display a JavaScript error. The error was due to extra spaces in a parameter that prevented the proper loading of subsequent pages. Pages now load correctly, and the error does not occur. |
372092 | Due to a known problem with cookie support in the Linux Citrix Receiver client 12.0, every request made to APM started a new session. This issue has been resolved. |
372494 | It is no longer necessary to use a layered virtual server to use IPv6 addresses with Active Directory or LDAP. Now, you can specify Active Directory and LDAP AAA servers using IPv6 addresses. AD Auth, AD Query, LDAP Auth, and LDAP Query now work with IPv6 addresses as expected. |
373668 | Previously, you could not copy an access policy if the name (including the partition) exceeded 62 characters. Now when you copy such an access policy, the name of the copy is truncated: characters in the middle of the name are removed. |
373825 | When you include a dot (".") in an access profile name, authentication works correctly now. |
373830 | The current active sessions statistic in the access profile no longer underflows, showing unreasonably large values. |
373831 | The current pending sessions statistic in the access profile no longer underflows, showing unreasonably large values. |
374531 | Previously, dynamic ACL generated an incorrect IPv4 netmask during the parsing of an ACL entry. In certain cases, the order of bits in an octet were reversed, and dynamic ACL presented an error message for a correct ACL entry. For example {allow tcp any 172.31.0.0/25} and {allow tcp any 172.31.0.128/25 } are both correct ACL entries, but dynamic ACL would give an error message for the latter entry. This issue has been resolved. |
374953 | Previously, you could not start Citrix applications configured with custom encryption from an APM dynamic webtop. Now, APM supports custom encryption settings on a per application basis. |
375263 | In previous versions, if you enabled the Server-Side SSL setting for a Remote Desktop resource of the Citrix terminal type, the setting was not saved. This issue has been resolved. |
375495 | Previously, iSession socket connections through the BIG-IP APM system were not reused. We have added connection reuse capability, which should improve data latency. |
376115 | Previously, on Windows 7 clients with more than one network interface running Internet Explorer 8 in protected mode, the APM client caused memory allocation failures, resulting in an Internet Explorer crash. This issue has been resolved. |
376556 | Exchange support system iRule did not comply with RFC 2617 with respect to non case-sensitivity for handling the HTTP Authorization Basic header. Although it is extremely rare, a particular Exchange client might send the credential using a different case; for example, sending "basic", instead of "Basic". Previously when this happened, the system iRule failed to extract the credentials and rejected the request. This issue has been resolved. |
377853 | To ensure that SSO works for Active Directory whether cross-domain support is enabled or not, a new session variable is registered: session.ad.agent_name.actualdomain . This variable contains the user domain to which the user successfully authenticated. |
378362 | Access policy branches that originate from macrocalls are followed correctly now. |
378926 | With the behavior change introduced in ACCESS hudfilter for 11.1.0 release on handling clientless-mode header, the existing iRule code did not work properly with this new functionality. Due to this, the OutlookAnywhere system iRule did not work. This issue has been resolved. |
378991 | Previously, a user name that contained special characters might be logged incorrectly. This issue has been resolved. |
379413 | ActiveSync clients were detected incorrectly as Windows NT Internet Explorer 7. It is no longer necessary to rely on properties other than client type to detect an ActiveSync client; the issue has been resolved. |
380725 | Previously with Windows Phone, reverse-proxy was unable recognize a Windows object. For example, when a Windows Mobile 7.x device connected to an APM full webtop and started a Portal Access favorite, the URL request was not rewritten and therefore did not take the user to APM for connection. This issue has been resolved. |
380838 | We have introduced a database variable to allow the administrator to disable LDAP DN/Filter escape in LDAP/AD Query agent in case the administrator wants to prepare the DN/Filter escape in advance. |
381118 | TMM no longer restarts with a SIGSEGV when running ACCESS::session exists iRule commands in ACCESS_SESSION_CLOSED events. |
383008 | The Msxml2.XMLHTTP.6.0 object was not supported in web applications. Now it is supported. |
383201 | Previously, WebSSO crashed when receiving a response without headers from a server. This no longer happens. |
383708 | Previously, VBscript (contained within a vbscript script tag or referenced externally, using the src attribute) was treated as JavaScript. Therefore, content was not patched correctly. This issue has been resolved. |
385786 | After integrating APM with Oracle Access Manager (OAM) so that APM acts as an OAM 10g webgate, an HTTP post request against OAM protected resources would fail. This issue has been resolved. |
Fixes in 11.1.0
ID Number | Description |
---|---|
248018, 354427 | Now, multiple Network Access resources can be assigned to a user session at one time, and displayed on the dynamic webtop. A user can only start one Network Access session, however. |
307017 | Network Access tunnels running on Mac now use the client system's proxy settings. |
350161 | Upon exit, protected workspace now attempts to clean up the system paging file and RAM to prevent information leaks. |
353010 | APM session cookies now support the HttpOnly attribute for certain security settings. This attribute is supported in LTM+APM mode, and cannot be used with client-side endpoint checks. |
355549 | Previously the SSO credential mapping agent added unnecessary braces { } around the expression. Now these braces are not added. |
360374 | Mac OS X 10.7 is now supported for Network Access connections. |
360442 | Network Access now supports two-factor authentication with Windows Logon Integration. This feature added two options for the Network Access client: Enable Full Pre-logon Sequence and Reuse Winlogon Session. |
363034 | The Z parameter in the /myvpn request on iOS, Mac and Linux clients previously required a special iRule. Now the Z parameter is supported without an iRule. |
363724 | Previously in access policies, the logging agent had to be configured explicitly with "session.client.unique_id. Now, the logging agent "session.client.*" can be configured with the wildcard asterisk, to allow logging of all UUIDs. |
364684 | An issue with logout URIs building up on the system was fixed. |
364853 | The webtop-type last is no longer listed as a supported option in the command line interface. |
364936 | Previously, in some circumstances the Logon Page action could not be customized in the Visual Policy Editor. This is now fixed. |
365096 | ACCESS_POLICY_AGENT_EVENT now probperly starts in clientless mode. |
365175 | Import of access policies that include objects that were created in the non-common partition now succeeds. |
365347 | After the BIG-IP box restarted, in some circumstances, users could not establish new sessions and received TCP RST messages. In /var/log/apm, the following error appeared: Access policy configuration version: configuration-id in use by user session was not found. This issue is now fixed. |
365349 | Previously, if an app tunnel was configured with multiple addresses to the same destination but different ports, and the DNS Relay Proxy was not enabled, only the first address/port combination would be reachable. This was corrected by enabling the DNS Relay automatically. |
365597 | Previously, custom reports with a very large database could consume up to 40% of the CPU. This issue has been fixed. |
365662 | In the Customization tool preview page, macro ending page nodes, which cannot be previewed, have been removed from the preview tree nodes. |
365882 | The Installer control setup file that controls all installable components was previously unsigned and caused warning messages on some systems. The setup file is now signed by F5. |
365948 | In a protected workspace session, if a webtop was configured with the Minimize to tray option enabled, the webtop was correctly minimized to the system tray, but if the user restored it from the system tray by double clicking, the protected workspace session closed. This has been fixed. |
366190 | Access policy inactivity timeouts sometimes failed in a previous version, when the Cache and Session Control action was enabled. Access policy inactivity timeouts now work properly. |
367070 | When an access policy manager session was stopped by the system administrator or expired, the Citrix Receiver attempted to reconnect until the window was closed by the user. This has been fixed. |
367512 | The administrator is no longer prompted to select the SSL server profile when configuring an LDAP server in direct mode. |
367726 | Citrix applications can now be started from the dynamic webtop on Internet Explorer 9. |
367850 | Previously, the Network Access status window remained active after a session was terminated by the administrator, or expired due to timeout. This has been fixed. |
368488 | All roles above operator can now manage sessions. |
369248 | The network access web client now supports proxy autoconfig (PAC) scripts located on HTTP or HTTPS servers, in addition to locally stored PAC files. |
369407 | In a previous release, access policies created using the Access Policy Manager wizards did not allow the choice of the dynamic webtop, and labeled the Full Resource Assign action incorrectly. These issues have been fixed. |
Fixes in 11.0.0
The current release includes the fixes and enhancements from previous releases and the fixes that were distributed in SOL12729: Overview of BIG-IP version 10.2.1 HF1, SOL12778: Overview of BIG-IP version 10.2.1 HF2, and SOL12816: Overview of BIG-IP version 10.2.1 HF3.
ID Number | Description |
---|---|
225512 | Previously, Access Policy Manager clients that started network access tunnels that ended up on different Traffic Management Microkernels (TMMs) could not communicate. Now, such clients can communicate. |
225870 | Previously, a rare condition could cause a crash in the system when APM tried to connect or reconnect a network access tunnel. We have corrected this. |
226423 | Previously, Access Policy Manager's active sessions graph erroneously reported a maximum value when active sessions existed and a failover event occurred. Now, this issue no longer occurs. |
336284 | Previously, network access tunnels on a system that failed over could not restart after the failover because the lease pool was not created. Now the lease pool is created and network access tunnels fail over correctly. |
339171 | Previously, when an administrator created a AAA server with the web interface, some legal characters could not be used in the AAA server name. Now the name field accepts all legal characters. |
339951 | Previously, Access Policy Manager HTTP 404 Not Found errors could not be configured. Now, the message for these errors is configurable as part of the logout group. |
341377 | The following new iRule commands have been introduced to allow the use of multiple SSO profiles and make them selectable based on user-defined criteria:
|
344713 | Previously, WebSSO crashed when the HTTP header dictionary was invalidated and refreshed. Now this no longer occurs. |
346047 | Previously, the documentation for portal access described a patching method (No patching) that is no longer supported. The patching method is no longer described. |
347568 | In portal access, JavaScript rewriting has been enhanced to better handle SVG elements. |
348742 | Previously, the Client OS action in Access Policy Manager did not support Microsoft Internet Explorer 9. The Client OS action now supports clients identifying themselves as Internet Explorer 9. |
349490 | Previously, when you configured an access policy using HTTP form-based authentication, the username and password were sent to the authentication server in POST variables, even if a username and password were not specified in the server configuration, resulting in authentication failures. Now the username and password are sent only when specified. |
351757 | In a previous release, when the admin configured client power management settings in Network Access network properties, those power management settings were ignored by Windows Vista and Windows 7 clients. Now, Windows Vista and Windows 7 clients use the Network Access power management settings. |
351895 | Previously, when you created multiple Active Directory AAA servers, or changed the realm on multiple Active Directory server, several default_realm entries were erroneously added to the /etc/krb5.conf configuration file, causing authentication errors. Now, only one default_realm entry is added to the configuration file. |
354748 | Previously, when you configured portal access for a backend server with the same host name as the Access Policy Manager virtual server, portal access failed to rewrite some links. Now, portal access rewrites links correctly when the backend web server has the same host name as the virtual server. |
358873 | Previously, when a Portal Access connection was made to an SAP Netweaver backend server, some JavaScript Function() calls were not correctly handled, resulting in errors on the client. Now, NetWeaver JavaScript functions are handled correctly by Portal Access. |
359330 | Previously, when you configured an Access Policy Manager LTM Access connection with at least one pool member, and source IP persistence or persistent cookies enabled, some connection errors occurred with certain web servers. Now, this configuration works correctly. |
359530 | Previously, when a user accessed a SharePoint 2007 site through portal access, the rewrite engine used the wrong parser to patch some URLs incorrectly, causing connection errors and failures. Now, the rewrite engine for SharePoint 2007 sites uses the correct parser. |
365107 | Previously, when the Access Policy Manager received an HTTP 100 continue response from a backend server, the system could fail or experience instability. The system no longer fails or becomes unstable in this scenario. |
Usability
Session ID rotation has been implemented, and starting from 11.2.0, it is on by default. This breaks compatibility with earlier BIG-IP Edge Client and plugin versions. For example, when APM is configured for session ID rotation, an 11.1.0 Edge client is not allowed to log in to Access Policy Manager (APM) version 11.2.x. The expected behavior in this case is for APM to present the login page to the Edge client after each login attempt. To disable session ID rotation per-box, you can use the following tmsh command: tmsh modify sys db apm.rotatesessionid value disable
Behavior changes in 11.4.0
ID number | Description |
---|---|
389330 | Access Policy Manager (APM) no longer supports the Windows Mobile client. |
391351 | With new access profiles and access policies that include logon page and authentication actions, there is a random delay in error response to a user when authentication fails. By default, the delay is between two and five seconds. You can change these values in access profile settings. To disable this behavior, set the minimum and maximum authentication failure delay value settings to 0 (zero) in the access profile. |
413019 | When you use the GUI to upload a Windows Group Policy file, the file is now stored as hosted content in a user-windows-group-policy area. When you a add or edit a Windows Group Policy action, you must select a policy from a list. The entries on the list include the partition name and the hosted content area name; for example,/Common/user-windows-group-policy/group1. |
413173 | In this release, APM introduces hosted content; you can upload custom files to APM and then provide resources directly to users. The user interface for managing Citrix bundles remains the same. However, now if you upload a Windows package file (Citrix client package), APM treats it as a hosted content file. Note: APM has strict rules for hosted content files and, consequently, you cannot use a Windows package file with the same file name for two different Citrix client bundles.
|
Known issues
This release contains the following known issues.
Upgrade issues
ID number | Description |
---|---|
365014 | If you upgrade from APM version 10.2.x to version 11.0.0 or later, you might run into this error: 012e0008:3: The requested command (connectivity resource) is invalid To prevent the error, perform these steps.
|
366001 | If you have performed any advanced customization, you must upgrade the files manually when upgrading from version 10.2 to version 11.x. |
372114 | On a chassis-based system after upgrade and first reboot if APM is configured, very rarely end users might be unable to log in to the virtual server. An access denied screen displays this message: Access policy configuration has changed on gateway. Please login again to comply with new access policy configuration. To recover from this error, restart the primary blade. From the Configuration utility, select and select the Reboot Blade option. |
374781 | When upgrading from version 10.2.x to 11.x with an OAM configuration, the upgrade fails. To work around this issue: before you upgrade, delete the OAM configuration; after the upgrade is complete, create a new OAM configuration in version 11.x. |
403028 | When upgrading from version 10.x.x to 11.x.x with an APM Windows group policy configuration, upgrade fails. To work around the problem:
|
421456 | Kerberos SSO does not work after upgrading from 11.3.0 to 11.4.0, because in 11.4.0 the password is saved in encrypted form while the password in 11.3.0 is saved as clear text. Re-enter Kerberos SSO password after upgrade to 11.4.0. |
Application access issues
ID number | Description |
---|---|
371763 | If Application Access Resource type RDP is created with a host name and a DNS server is not configured, the resource is not assigned to a user session and will not be displayed on full webtop. To work around this problem, configure a DNS server on the BIG-IP system ( ) and make sure that the DNS server is up and running. |
394184 | Java RDP does not work with Windows Server 2012 and Windows 8 remote desktop host servers. |
Portal access issues
ID number | Description |
---|---|
223712 | During a web applications session, when a user logs out of Microsoft Office Communicator and then attempts to log on again, the login request fails. |
340541 | When you open a Microsoft Office document in Windows XP with Office 2010 over a portal access connection to SharePoint, and you attempt to save the document using the Save As command, the document is saved but an error message appears stating that the document could not be saved. You can safely ignore this message. |
340549 | The rewrite plugin does not implement forwarding HTTPS requests through the HTTPS proxy correctly. (However, forwarding HTTP requests through the HTTP proxy does work correctly.) To work around this problem, create a layered virtual server to catch HTTPS traffic leaving APM and forward it to a HTTPS proxy server using CONNECT. Proxy authentication is not implemented, and if response status from HTTPS proxy server is not 200, then use an iRule to close the connection. |
343280 | When using portal access in Safari 5.X, sometimes web pages do not load properly. A bug in Safari 5.X leads to accidental loss of all HTMLElement.prototype changes when setting HTMLElement.prototype properties in a window and accessing window.frameElement from any of its frames. (The problem also occurs in other less-defined cases.) |
347100 | Every time the Hometab loads, a message displays, such as: This Page contains both secure and nonsecure items. Do you want to continue? To work around this problem, disable the Hometab. |
364030 | The Hometab disappears for Domino Web Access (DWA) 8.5 through reverse proxy. |
378524 | The following problem occurs with Google Chrome support on Windows and Linux machines for the Citrix Web Interface 5.4 application in full webtop. If you open a full webtop and click an application icon on it, nothing happens. |
384405 | With Access Policy Manager Portal Access, if you add a web-acceleration profile to the local traffic virtual server, it does not take effect until you go to the command line and type bigstart restart tmm. The web-acceleration profile is important to Portal Access performance, so this step is necessary to ensure caching occurs for Portal Access content. |
387566 | When Java patching is disabled, any applets that are served through APM are placed into ramcache. Subsequently, if you enable Java patching, it might not appear to take effect until you clear ramcache (this is by design). To work around this problem, before you start to test Java patching, make sure that Java patching is disabled and ask the administrator to clear ramcache on APM. |
399696 | Selecting an SSO configuration with WEBSSO::select does not work for form-based client initiated and SAML configurations. You can work around the problem by using a variable to assign the configuration object name. For example: set sso_config /Common/SAML-config WEBSSO::select $sso_config unset sso_config |
404899 | Webpage errors occur when opening a chat window in IBM Lotus iNotes 8.5 with Sametime through a portal access webtop. This happens only when using Internet Explorer 9. To work around this problem, add a portal access item with the path /sametime/stlinks/* to the portal access resource and disable Home Tab for this item. |
Client issues
Network access
ID number | Description |
---|---|
337178 | When HTTPS proxy is configured on a Windows client, neither BIG-IP Edge Client nor APM client can use DTLS with Network Access. After some delay, the client automatically switches (falls back) to Network Access over TLS connection through HTTPS proxy. |
342035 | SIP client cannot communicate with SIP server when connecting over Network Access tunnel. SIP protocol uses fixed UDP ports, and communication fails because Network Access tunnel translates the source port of the connection. To work around this problem configure a layered virtual server using the SIP UDP port and set the Source Port option to Preserve Strict. |
351360 | Sometimes when assigning different route domains to Network Access clients connecting to the same virtual server or using the same connectivity profile, traffic from the client can go out into the network associated with the wrong route domain. This could happen when two clients are assigned the same IP address (from different lease pools containing the same address ranges) and different route domains and try to access the same IP address on the internal network using the same TCP/IP protocol. To work around this problem, when sharing IP address ranges among route domains, use separate virtual servers for each route domain, with different connectivity profiles. |
356419 | On Linux, PPP routes might be lost if network access is configured with the Allow Local Subnet option enabled. This behavior is very rare. To work around the problem, disconnect from the server using the f5fpc -o command, and then reconnect to the server. |
356766 | Removing or updating Network Access device or client components while the system has an active Network Access connection might cause the system to drop the existing connection and fail to establish a new connection until after a system reboot. |
364061 | On a Linux client, the network access Show log file link does not display the log file unless gedit is installed. To work around this problem, install gedit on the Linux client. |
373889 | You can configure a network access tunnel to update a session (that is, to extend expiration time) based on a traffic threshold and a window. Traffic measurements are taken every 5 seconds, but they are not divided by 5 before being used in the calculation. As a result, instead of bytes per second, bytes per 5 seconds is calculated, which is incorrect. To work around this problem:
Note: The session life management might not be exact.
|
383607 | Network Access: After a client loses connectivity and reconnects with another IP address, the client cannot open tunnels to optimized hosts for 4-7 minutes. |
398339 | When you use the Fedora OS with SELinux enabled and use the Firefox web browser to connect to APM for network access, you might get SELinux blocking notifications. To work around the problem, execute the following commands on terminal as root user (not sudo).
|
425853 | Launch Application fails to launch the application on Mac OS X and Linux if the string contains special characters such as quotes or ampersand. |
Admin issues
ID number | Description |
---|---|
224145 | On rare occasions, the visual policy editor can return a non-specific failure when attempting to create new items. The failure is transient; the request invariably succeeds on retry. |
348839 | Oracle Access Manager Access SDK (OAM ASDK) logging level might not be updated automatically corresponding to the BIG-IP system SSO logging level (that is, log.sso.level). Note: You need to set OAM ASDK logging level only when an administrator wants to collect the log messages that are directly reported by OAM ASDK library at run time. These log messages are different from the log messages reported by the BIG-IP system and APM processes.
To work around the problem, perform these steps.
|
356562 | Custom reports are lost after upgrade. To work around this issue, export custom reports before you upgrade, and then import them after you upgrade. |
359639 | Some long captions for resources can be longer than the bounding box in Firefox 7. This problem does not affect the workflow. |
360734 | When previewing Customization pages, the Preview pane does not automatically refresh when the language is switched. To cause the page to refresh in the new language, click an item in the Preview tree pane |
360742 | When the logon page is customized in visual policy editor in multiple languages, the images appear broken. To work around the problem, customize the logon page using localization customization. (On the Main tab of the Configuration utility, select | .)
362200 | When customizing messages, you cannot use special characters (such as ', ", &, <). |
362351 | Branch names cannot start with the word "fallback" in the visual policy editor. |
363188 | Using a space in an alias for a virtual server can cause unexpected results when you use tmsh to add or update a connectivity profile. No spaces are allowed in aliases for virtual server. |
363227 | In Access Policy Manager customization, common partition objects are not made read-only for managers of a partition. |
371015 | On chassis platforms in some scenarios, more than one value is displayed in the Local Time column of the All Sessions report. |
371747 | When a report has a large number of rows and you click Export to CSV File, the Admin user interface might become unavailable. To work around the problem, create and export reports that contain fewer rows. Define a custom report with the required fields and report constraints. When you run the report, specify the time constraints appropriately. After the report is displayed, click Export to CSV File. |
371887 | Localization changes in one language are applied to all languages when using Access Policy Customization. The problem occurs when the Apply to all Locales check box is selected on the Branding tab. This setting should not affect the Localization tab, but appears to impact it. To work around this issue, clear the Apply to all Locales check box on the Branding tab before making localization changes. |
383464 | In reports, names that contain a single quote are displayed in hex-encoded format. For example, the name O'Brian might be displayed as O%27Brian. |
383605 | The following information is missing from the Logging and Reporting chapter of Configuration Guide for BIG-IP Access Policy Manager. When running performance tests or under very high traffic loads, the /var/log/apm log file can grow to a very large size. Under these conditions, it is advised to disable logging to /var/log/apm. To disable logging to /var/log/apm/, use this command: tmsh modify sys db log.access.syslog value disable Alternatively, you can set the log level to emergency only by using this command: tmsh modify sys db log.accesscontrol.level value emergency |
384490 | In advanced customization, when an access policy uses an image that includes spaces in its name, problems can occur. It can be impossible to export the access policy. Problems with upgrade can also occur. |
398361 | Not all configuration objects validate and reject an object name that contains the space character. The best thing to do when you create a configuration object is to not include a space in the object name. |
403722 | If you initiate an access policy sync from the Standby node, an admin must resolve any conflicts on the Active partner. Ideally, an access policy created on the Standby node would be synced to the Active node automatically without admin intervention. To work around this problem, avoid syncing an access policy from a Standby node. Otherwise, you must resolve conflicts, if any, on the Active node. |
403782 | When you run an access policy sync, sometimes the status (available from the top left corner of the screen) is Not all devices in Sync or Unknown. This can happen even when the access policy sync succeeds. Although the status is confusing, there is no functional impact. |
403935 | At times, during a second or subsequent sync of an access policy, an error is displayed: Failed to create sync object for policy. Additional information in the error message describes the object. To work around this problem:
|
404936 | Files named core.xxxx, where xxxx is a number, are created in advanced customization directories during the build process when the customization build cores because of invalid characters in the default customization file. These core files are listed in the user interface. Ignore these files under logout / deny folders, if present, in Advanced Customization - Advanced Edit. |
453722 | While a policy-sync is in progress from a device to other member devices (5 members or more), the user loses GUI connection to the BIG-IP systems for a few minutes. To prevent this problem, restrict the sync-only device group to no more than 5 members. |
Authentication and SSO-related issues
ID number | Description |
---|---|
337757 | A user cannot use the NAS-IP as the source IP of the RADIUS Authentication request client. To work around this issue, create a layered forwarding-IP virtual server with the same IP/port as the AAA server, and add a SNAT pool created with the IP address that must be used as a source IP of RADIUS/SecurID packets. You can do this either with the Configuration utility, or using tmsh commands.
|
340344 | Currently, you cannot specify the source IP address of the packet when you set up AAA server definitions. To work around this issue, you must create a layered forwarding-IP virtual server with the same IP address and port number as the AAA server. Use these steps.
|
355490 | TACACS+ accounting STOP messages are sent successfully and are properly logged on the TACACS+ accounting server. However, sometimes when the reply from the TACACS+ server is processed, APM logs the message Invalid reply error message. This error message does not indicate any failure in sending the accounting STOP message to the TACACS+ server, and you can ignore it because the accounting functionality works fine. |
355981 | APM CRLDP Authentication Agent binds anonymously to the LDAP server to retrieve CRL files. An option for a strong authentication bind is not currently supported. |
360141 | Modifying the SSO configuration does not cause the Apply Access Policy button to show up on the Admin UI or the visual policy editor. The configuration change takes effect immediately for new sessions established after the change. Old sessions (those that were already created before the configuration change) continue to use the old SSO configuration. |
367621 | Access Policy Manager (APM) does not support IPv6 for communicating with the OCSP responder. Configuring the OCSP URL with an IPv6 address or a host name that resolves to an IPv6 address does not work. Access Policy Manager uses OpenSSL BIO APIs to connect to the OCSP responder, and these calls do not support IPv6. |
376615 | User name and password are not sent when the On-Demand Cert Auth agent is used in an access policy; as a result, logon fails. The problem happens for these clients: iOS, Android, Windows Mobile, and Linux command line. To work around this problem, configure the access policy so that the Logon page agent is before the On-Demand Cert Agent. |
381490 | Android Citrix Receiver does not support RSA New PIN mode if APM is configured for Session ID Rotation. Session ID Rotation can be turned off per-box with the following tmsh command: tmsh modify sys db apm.rotatesessionid value disable |
382390 | OCSP authentication support for the Machine Cert agent does not work. |
383341 | When using form-based client-initiated Single Sign-On (SSO) with web applications that return chunked content, the chunking might not be removed when the modified logon page is returned to the client browser. Usually, this is harmless and does not break SSO. In rare cases, chunking occurs in the middle of HTML tags. If this occurs and SSO breaks, you should apply one of the following workarounds.
|
383355 | In rare cases, when used with APM form-based client-initiated Single Sign-On (SSO), web applications display JavaScript errors in the browser, such as: Can't move focus to the control because it is invisible, not enabled, or of a type that does not accept the focus. This only happens when using Internet Explorer 8 or earlier. The error is generated because logon page content is forced to not be displayed during the SSO process, and the web application tries to set focus on one of the logon fields. To work around this problem, disable the Display a notification about every script error option in Internet Explorer 7 and 8. To find the option and verify that it is disabled, click . |
399732 | When a BIG-IP systems acts as a SAML service provider, it supports only assertions of size 64K or less. Also, when a BIG-IP system acts as a SAML IdP, it supports only authentication requests of size 64K or less. |
400726 | When the BIG-IP system acts as a SAML IdP, you cannot create an assertion with multi-valued attributes. When the BIG-IP system acts as a SAML SP and the assertion contains a multi-valued attribute, then the BIG-IP system processes only the first value of that multi-valued attribute. |
403659 | When configuring a BIG-IP system as a SAML Identity Provider, the displayed range of possible values in seconds for the assertion validity timeout is incorrect. The correct range is 1-86400 seconds. To work around this, click | . A list of Local IdP Services is displayed. When you configure a local IdP service, in the Assertion Settings, set Assertion Validity (seconds) to a value between 1-86400 seconds only.
404765 | If you export an access policy with a SAML SP connector that uses a certificate, the certificate name (including partition) is not formatted correctly. This prevents import from working. To work around the problem, migrate the SP connector and associated certificate manually. |
404936 | Files named core.xxxx, where xxxx is a number, are created in advanced customization directories during the build process when the customization build cores because of invalid characters in the default customization file. These core files are listed in the user interface. |
406040 | If an application uses a non-standard location for favicons (as permitted by the LINK meta tag) and you use Internet Explorer 10 for access to the application, then the BIG-IP system creates a new session for that URI. If you use Google Chrome version 25 or higher, the BIG-IP system closes the current session during fetching favicons from the non-standard location. |
405352 | If you enter a bad FQDN for domain controller in an NTLM Auth configuration and a DNS server responds with DNS SERVFAIL, the NTLM Auth configuration does not work even after you fix the incorrect FQDN. To work around this problem, after you correct the FQDN in the NTLM Auth configuration, restart the ECA plugin and NLAD daemon using this command: bigstart restart nlad. (To avoid future problems due to misconfigurations, you can configure your DNS server to return a negative response.) |
420506 | When using the Local Database agent with a write action, the list of properties available includes groups; however, this is a read-only property and any attempt to write to it fails. |
421796 | SAML single logout (SLO) fails if one of the SAML Service Provider sessions times out and the user initiates SLO. The user will see connection reset. |
439680 | The BIG-IP system as SP supports only rsa-oaep (as defined here: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) for key transport. When the BIG-IP system configured as SP receives a SAML assertion with an unsupported encryption algorithm (for example, rsa-1_5 for key transport instead of rsa-oaep), the BIG-IP system fails to report that algorithms are unsupported, and proceeds to the decryption phase, which fails. The only issue here is that the error reported does not directly point to the cause of failure which makes troubleshooting more difficult. |
475977 | The BIG–IP system supports exclusive canonicalization only, which is recommended in the SAML 2.0 specification. As a result, signed messages canonicalized with other algorithms are rejected by the BIG-IP system. The supported algorithm is documented at http://www.w3.org/2001/10/xml-exc-c14n#. |
485387 | An encrypted assertion from an external IdP can contain the RetrievalMethod element to specify a link to the EncryptedKey element. The EncryptedKey element contains the key for decrypting the CipherData associated with an EncryptedData element. BIG-IP as SP does not support the RetrievalMethod element while processing an encrypted assertion. As a result, the assertion is not processed properly, and error messages are printed to the log files: - Cannot decrypt SAML Assertion - failed to process encrypted assertion, error: Cipher value from EncryptedKey element not found. |
Other issues
Documentation Errata
Contacting F5 Networks
Phone: | (206) 272-6888 |
Fax: | (206) 272-6802 |
Web: | http://support.f5.com |
Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: http://support.f5.com/kb/en-us.html
- The F5 DevCentral web site: http://devcentral.f5.com/
- AskF5 TechNews
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 TechNews
- Weekly HTML TechNews
- The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
- Periodic plain text TechNews
- F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.