Applies To:
BIG-IP APM
- 12.1.0
Summary:
This release note documents the version 12.1.0 release of BIG-IP Access Policy Manager (APM).
Contents:
- Platform support
- Module combination support on the 3900
- Configuration utility browser support
- Compatibility of BIG-IQ products with BIG-IP releases
- APM client browser support
- User documentation for this release
- Documentation changes in 12.1.0
- Evaluation support
- New in 12.1
- Supported high availability configuration for Access Policy Manager
- Installation overview
- Upgrading from earlier versions
- Upgrading from earlier versions of APM
- Fixes in 12.1.0
- Usability
- Behavior changes in 12.1.0
- Known issues
- Contacting F5 Networks
- Legal notices
Platform support
This version of the software is supported on the following platforms:
Platform name | Platform ID |
---|---|
BIG-IP 1600 | C102 |
BIG-IP 3600 | C103 |
BIG-IP 3900 | C106 |
BIG-IP 6900 | D104 |
BIG-IP 8900 | D106 |
BIG-IP 8950 | D107 |
BIG-IP 11000 | E101 |
BIG-IP 11050 | E102 |
BIG-IP 2000s, BIG-IP 2200s | C112 |
BIG-IP 4000s, BIG-IP 4200v | C113 |
BIG-IP 5000s, 5050s, 5200v, 5250v | C109 |
BIG-IP 7000s, 7050s, 7055, 7200v, 7250v, 7255 | D110 |
BIG-IP 12250v | D111 |
BIG-IP 10150s-NEBS, 10350v (AC), 10350v-NEBS (requires 12.0.0 HF1), 10350v-FIPS | D112 |
BIG-IP 10000s, 10050s, 10055, 10200v, 10250v, 10255 | D113 |
VIPRION B2100 Blade | A109 |
VIPRION B2150 Blade | A113 |
VIPRION B2250 Blade | A112 |
VIPRION B4200, B4200N Blade | A107, A111 |
VIPRION B4300, B4340N Blade | A108, A110 |
VIPRION B4450 Blade | A114 |
VIPRION C2200 Chassis | D114 |
VIPRION C2400 Chassis | F100 |
VIPRION C4400, C4400N Chassis | J100, J101 |
VIPRION C4480, C4480N Chassis | J102, J103 |
VIPRION C4800, C4800N Chassis | S100, S101 |
Virtual Edition (VE) | Z100 |
vCMP Guest | Z101 |
These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.
Most of the support guidelines relate to memory. The following list applies
- vCMP supported platforms
- VIPRION B2100, B2150, B2250, B4200
- VIPRION B4300 blade in the 4400(J100)/4480(J102) and the 4800(S100)
- BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v
Memory: 12 GB or more
All licensable module combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combinations of modules are available for provisioning.
Memory: 8 GB
The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)
- No more than three modules should be provisioned together.
- On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
- To use Access Policy Manager (APM) and Secure Web Gateway (SWG) modules together on platforms with exactly 8 GB of memory, Local Traffic Manager (LTM) provisioning must be set to None.
Memory: Less than 8 GB and more than 4 GB
The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)
- No more than three modules (not including AAM) should be provisioned together.
- Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
- Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).
Memory: 4 GB or less
The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.
- No more than two modules may be configured together.
- AAM should not be provisioned, except as Dedicated.
- ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.
vCMP memory provisioning calculations
The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).
As an example, for the B2100 with two guests, provisioned memory calculates
- BIG-IP LTM standalone only
- BIG-IP GTM standalone only
- BIG-IP LTM and GTM combination only
Module combination support on the 3900
Although SOL10288 states that all modules are supported on all platforms as of BIG-IP version 11.4.0, this does not mean that all possible module combinations are allowed on every platform (especially, legacy platforms).
Configuration utility browser support
The BIG-IP Configuration Utility supports these browsers and versions:
- Microsoft Internet Explorer 11.x
- Mozilla Firefox 27.x
- Google Chrome 32.x
Compatibility of BIG-IQ products with BIG-IP releases
SOL14592: Compatibility between BIG-IQ and BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.
APM client browser support
For a list of browser versions that the Access Policy Manager client supports, refer to the BIG-IP APM Client Compatibility Matrix.
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 12.0.0 Documentation page.
Documentation changes in 12.1.0
In the 12.1.0 release, the following chapters were removed from BIG-IP Access Policy Manager: Third-Party Integration Implementations:
- Citrix Requirements for Integration with APM
- Integrating APM with a Citrix Web Interface Site
- Integrating APM with Citrix XML Brokers
An iApps template is available for configuring Access Policy Manager and Local Traffic Manager to integrate with Citrix applications. The template can be used on the BIG-IP system to create an application
Evaluation support
If you have an evaluation license for BIG-IP APM VE, note that it does not include support for Oracle Access Manager.
New in 12.1
Application Access
Smartcard SSO Support for VMware Horizon PCoIP Proxy (VDI)
Users of APM in VMware Horizon VDI use cases can now use single sign-on (SSO) from smartcards. APM is easily configured as a SAML Identity Provider (IdP) for VMware View Connection Server, supporting two-factor authentication with RSA SecurID/RADIUS.
Support and Control USB Redirection and Client Drive Mapping for VMware Horizon
APM delivers data loss protection by supporting USB redirection for VMware Horizon desktops. Policies can be set in APM for contextual control over which user and which user device can or cannot use USB devices, such as disks, mitigating data loss via USB on those managed accounts and devices. This feature also supports and provides policy control over client drive redirection.
Support for Linux Desktops for VMware Horizon
APM supports Linux desktops in the VDI proxy for VMware Horizon, using the VMware Blast Extreme protocol.
Authentication
Step-up Authentication Preview
This version of APM includes a preview of step-up authentication, which is based on per-request policies and the introduction of “subroutines”. Step-up authentication enables additional credential validation and revalidation for more security-sensitive areas of multi-layer web applications. Example: Anonymous authentication for parts of a web application and Active Directory authentication required for specific areas of the same web application.
Client
Edge Client for Windows: Always Connected Mode Respects Network Location Awareness
BIG-IP Edge Client for Windows does not require a VPN connection when the users’ device is already on the corporate network and
Secure Web Gateway Services
Continue and Confirm
Continue and confirm enables you to prompt a user with two options, "Continue" or "Cancel". By clicking Continue, the end user acknowledges acceptance of the corporate policy and expresses the intention to surf the website. A customizable IT policy message can be placed as well.
Request Analytics
This capability reads URL, query strings, IP, headers, and POST payload in request packets to better categorize URLs. More accurate social media and malware categories
General
Additional iRules
APM provides greater flexibility through additional iRule commands and making the iRule agent available from the per-request policy (supported for use in APM and SWG).
iRule commands:
- CATEGORY::lookup custom
- CATEGORY::result
Enhanced Registry Checker returns values for policy branching
The Windows Registry access policy agent can now retrieve full registry values and put them into session variables for enhanced policy branching. The agent supports partial registry value matching and verification using combined registry values.
REST APIs for managing user sessions in APM
New iControl REST requests make it easier to manage sessions within APM by letting you list all user sessions and retrieve session ID, user login, and IP address for each APM server. Additional APIs are available for retrieving session information based on username or client IP address and for deleting the session based on the session ID.
User Identity
F5 DC Agent
The F5 DC Agent software picks up user login events from Active Directory and relays current user and IP address information to BIG-IP APM, allowing APM to transparently authenticate users to access the APM or SWG Services forward proxy. The new solution is faster and more accurate in capturing
Supported high availability configuration for Access Policy Manager
Installation overview
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.
Installation checklist
Before you begin:
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
- Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see SOL7727: License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
- Ensure that your system is running version 10.1.0 or later and is using the volumes formatting scheme.
- Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
- Configure a management port.
- Set the console and system baud rate to 19200, if it is not already.
- Log on as an administrator using the management port of the system you want to upgrade.
- Boot into an installation location other than the target for the installation.
- Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
- Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
- Turn off mirroring.
- If you are running Application Acceleration Manager, set provisioning to Minimum.
- If you are running Policy Enforcement Manager, set provisioning to Nominal.
- If you are running Advanced Firewall Manager, set provisioning to Nominal.
Installing the software
Installation method | Command |
---|---|
Install to existing volume, migrate source configuration to destination | |
Install from the browser-based Configuration utility | Use the Software Management screens in a web browser. |
Sample installation command
The following command installs version 11.2.0 to volume 3 of the main hard drive.
Post-installation tasks
- Ensure the system rebooted to the new installation location.
- Use BIG-IP iHealth to verify your configuration file. For more information, see SOL12878: Generating BIG-IP diagnostic data using the qkview utility.
- Log on to the browser-based Configuration utility.
- Run the Setup utility.
- Provision the modules.
- Convert any bigpipe scripts to tmsh. (Versions later than 10.x do not support the bigpipe utility.)
Installation tips
- The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
- You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
- If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
Upgrading from earlier versions
Your upgrade process differs depending on the version of
Upgrading from version 10.1.0 (or later) or 11.x
When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.
Upgrading from versions earlier than 10.1.0
You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.
Automatic firmware upgrades
If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.
Upgrading from earlier versions of APM
When you upgrade from an earlier version of Access Policy Manager (APM), you might need to resolve issues related to these configurations.
Access policy logging
Starting in version 12.0.0, APM supports
Connectivity profiles
When upgrading from 10.x.x to 11.4.x, connectivity profiles are not fully recovered. You can work around the problem using one of these options:
- Option 1: Upgrade from 10.x.x to 11.4.x, then reconfigure connectivity profiles in the Access Policy Secure Connectivity area of the Configuration utility.
- Option 2: Upgrade from 10.x.x to 11.x.x, where 11.x.x is earlier than 11.4.x, then continue upgrading to 11.4.x.
Antivirus and firewall software checks in access policies
If your access policies include custom expressions that rely on session variables created by the antivirus or firewall software checks, after upgrade to 11.4.x, you must configure the antivirus or firewall software checks so that the Store information about client software in session variables property is set to Enabled. (It is disabled by default.)
If the custom expressions include multiple sub-expressions, you might need to edit the expressions.
Kerberos SSO
Kerberos SSO does not work after upgrading from 11.3.0 to 11.4.0 and later. This happens because, starting in 11.4.0, the password is saved in encrypted form, while the password in 11.3.0 is saved as clear text. Re-enter the Kerberos SSO password after upgrading from 11.3.0.
Citrix client packages
The 11.4.x upgrade script cannot recover any file object with a name that includes space characters. If a Citrix client package file name includes a space, the configuration loads after
- Outside of APM, name or rename a Citrix client package without spaces in the name.
- Use the correctly named Citrix client package.
- To fix the problem before upgrade, replace any improperly named Citrix client package as needed.
- To fix the problem after upgrade, upload a properly named Citrix client package and select it from the connectivity profiles.
Machine accounts for NTLM front-end authentication
APM does not restore NLAD connections when the configuration is restored from a UCS file. After upgrading to 11.4.x, if the previous configuration was using NTLM front-end authentication, the functionality is not restored. To work around this problem, after the upgrade, manually delete the existing machine account configurations and then recreate them.
Advanced customization
If you performed any advanced customization of files, you must upgrade these files manually.
Custom reports
Custom reports are lost after upgrade. To work around this issue, export your custom reports before you upgrade and then reimport them after you upgrade.
OAM configuration
When upgrading from version 10.2.x to 11.x with an OAM configuration,
Access policies that use session variables
If you are upgrading from 10.x, you might need to update access policies that use session variables. Version 11.x introduces the concept of partitions. A partition is added to an object name. An access policy that compares a session variable against a value would behave differently after
- Version 10.x - session.ad.MyPolicy_act_active_directory_auth_ag.authresult
- Version 11.x - session.ad./Common/MyPolicy_act_active_directory_auth_ag.authresult
The partition, /Common, is added to the version 11.x object name.
Fixes in 12.1.0
ID Number | Description |
---|---|
372139 | Manage Sessions are now showing correct current sessions on VIPRION chassis. |
383801 | Session variables that don't start with "session." show up in active session variable APM Reports. |
402793 | APM clients for Linux and Mac modified to perform better during secure re-negotiation. |
403991 | BIG-IP Edge Client for Mac now supports Proxy.pac file sizes of up to 1 MB; previously, the limit was 32 KB. |
409323 | On Demand Cert Auth support for non-standard ports has been added to include the port information from the VS as part of the redirect URL. |
419776 | |
420284 | Support has been added for no cache option for the |
426492 | APM now supports the use of custom ports on the virtual server that is used for initial access with a |
427125 | Network Access now shows the statistics table properly for the Japanese language. |
432126 | |
439680 | Unsupported algorithm will be logged correctly now. |
440013 | The Upload, Install, and Delete buttons will only be enabled on the Active platform. |
446860 | Now APM Exchange Proxy honors the tmm.access. |
453649 | Now BIG-IP Edge Client respects network location awareness (NLA) settings from the connectivity profile: it disconnects the VPN when inside the enterprise network and establishes the VPN when outside the enterprise network. Edge Client has no button in this mode. To achieve that, Edge Client should be configured in this way: 1. 'Enable Always connected mode' checked. 2. 'Traffic flow when VPN is disconnected' set to 'Allow only in enterprise LAN' or 'Always'. 3. Connectivity profile should have suffixes configured. |
457773 | Changed "apmAccessStatCurrentActiveSessions" OID type to Gauge/counterbasedgauge64. |
461084 | Client's Kerberos auth will succeed now. |
462598 | Now when an APM renderer or renderer pool (used for serving internal pages) goes down, APM detects the unavailability and sends a TCP Reset to the client. |
472446 | A configuration error in config sync or |
477177 | When creating ACL entries via |
482145 | Buttons are now correctly scaled for Windows DPI setting. |
482241 | Windows 10 can now be detected out-of-the-box by Client OS and Windows Info agents. |
482266 | Users running on Windows 10 running the BIG-IP Edge Client will no longer see a "Network Access Connection Device was not found." error message. |
482625 | Erroneous multibyte charset setting is ignored if META tag is inside ASCII-compatible page. |
486601 | Now HTML pages with inline JavaScript code that use multibyte character sets are processed correctly. |
488866 | Now BIG-IP Edge Client respects network location awareness (NLA) settings from the connectivity profile: it disconnects the VPN when inside the enterprise network and establishes the VPN when outside the enterprise network. Edge Client has no button in this mode. To achieve that, Edge Client should be configured in this way: 1. 'Enable Always connected mode' checked. 2. 'Traffic flow when VPN is disconnected' set to 'Allow only in enterprise LAN'. 3. Connectivity profile should have suffixes configured. |
490830 | Protected Workspace disabled on Windows 10 client. |
492122 | Now the 'f5 Pre-Logon User' is created only once, which allows a Domain or System Administrator to manage it, because the SSID does not change. When the user is no longer required (that is, when the |
495702 | BIG-IP Edge Client for Mac can now be downloaded from the connectivity profile screen of the APM GUI. |
498610 | Exporting Access Profile containing text with logging actions and colons is successful. |
503025 | Cipher and Hash algorithm information is now shown correctly. |
503825 | Error 4001 is fully customizable using the customization editor. |
504266 | Now DNS Relay proxy forwards dynamic update DNS requests. |
505927 | Now APM supports Citrix XenApp 6.x load balancing policies when working as WI/SF replacement. |
506349 | APM now correctly identifies BIG-IP Edge Client for Mac as an Edge Client even if the user opens a new session by clicking the link on the logout page that says "Click here to open new session". |
507321 | Now user-defined JavaScript objects with 'origin', 'source' and 'data' fields may contain any values in these fields. |
508477 | Now Network Access components print the session ID in four messages: Starting pending session ID: %sessionid, Session %sessionid established, Session %sessionid closed: Status, and Failed to open session %sessionid. |
508630 | An additional fix was made to restore DNS suffixes correctly. |
508719 | The title displays on the |
509586 | Browser cache plays no role for updating endpoint software check component on browser. |
509595 | Now old document reference is used if document.open returns 'null'. So document.write() for closed document works as expected. |
509596 | Web applications work correctly, with no 'F5_Invoke_write is not defined' error on JavaScript Console. |
509758 | Now, the BIG-IP Edge Client does not show an incorrect cosmetic warning message. |
510459 | Resolved issue in which clients receive a file not found message from Access due to out of date White List entry in OPSWAT. |
510596 | DNS resolution on Linux works now even when the "DNS Default Domain Suffix" setting in the Network Access configuration is empty. |
511961 | Clients using the BIG-IP Edge Client for Mac supplied with this APM release can continue to log in and do not get stuck at a "Connecting..." screen. |
513201 | BIG-IP Edge Client is correctly localized for Japanese locale. |
513474 | Resolved multiple vulnerabilities in OpenSSL. CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, CVE-2015-0293, CVE-2015-0209, CVE-2015-0288 |
513706 | Fixed an issue causing incorrect metric restoration on Network Access on disconnect. |
513865 | Now it is possible to send HTTP status 503 for responses with APM-generated errors. This behavior is used by most proxy servers (like Squid) in similar situations and is handled correctly by all web applications. This feature is disabled by default and may be enabled via a special option in the Access Profile or by setting a special environment variable in the Access Policy. |
513969 | Now Machine Certificate Check service is used for certificate verification even for non-limited users. |
516075 | Linux command line client works with On-Demand Cert Auth now. |
516462 | Fixed reason causing this issue; now excluded address routes are applied correctly even if a client machine roams between different networks. |
516839 | Improvement: Microsoft Edge browser is now detected properly and only supported resources are shown on the webtop now. All components that require ActiveX are not supported. |
517872 | Now proxy hostname is printed to logfile when resolution fails. |
518159 | APM no longer detects BIG-IP Edge Client for Mac as a browser when a user clicks "Start a New session" on access policy expired page. |
518550 | Now value of form 'action' attribute is correct inside event handlers. |
519012 | APM side handling has been fixed to work properly with VMware View RDS desktops. |
519059 | WebApp links are now properly rewritten. |
519119 | Internal exceptions are now logged at the "Error" level instead of "Critical". |
520118 | Single entry in the server list. |
521491 | Adjusted User agent string to report as Internet Explorer 10. This will allow access through firewalls that don't allow old user agent strings to pass. |
521506 | Fixed issues causing improper routing table management. |
522124 | With the fix, secondary MCPD will no longer restart when the admin creates APM SAML IdP/SP Connector. |
522670 | It is now possible to use the BIG-IP GUI to switch between Detached Signature and Enveloped Signature for BIG-IP as SP SAML Authentication Requests. |
523327 | Now both service and elevation helper can find those specific certificates. |
523429 | BIG-IP Edge Client for Mac now applies DNS server settings correctly. |
523696 | BIG-IP Edge Client for Mac doesn't show duplicate entries in the servers list. |
523701 | Machine Cert Auth agent passes on OS X 10.8 and OS X 10.9. |
524392 | The RSA PIN is no longer cached, irrespective of the password caching policy. |
524909 | Now BIG-IP APM supports the Windows Info action on Windows 10 clients. |
525384 | Now Network Access components can obtain PAC file from SMB share. |
526084 | BIG-IP APM was enhanced to report session.client.platform session variable for BIG-IP Edge Client on Windows 10. |
526140 | ACCESS was not waiting for the response of an asynchronous operation before enforcing the max, which created a race condition. ACCESS now waits for the response before enforcing the max. |
526192 | APM now supports out-of-the-box detection of Microsoft Windows 10 in visual policy editor action items, such as, Client OS and Client Type. |
526492 | DNS resolution is successful for static and optimized tunnels on Microsoft Windows 10. |
526519 | The sessiondump utility was modified. The NULL termination byte of a NULL-terminated string is no longer printed. Furthermore, non-printable data is now printed as a hexdump, instead of raw binary data. |
526578 | Now proxy settings are correctly applied on client machine with German localization and Internet Explorer 10. However, Windows still shows empty fields in proxy settings GUI of Internet Explorer. |
526610 | JavaScript parsing is fixed to avoid this issue. |
526637 | tmm will no longer crash in APM clientless mode; it now sends a reset. |
526677 | Starting with the 6.1.1 release of View Connection Server, the communication protocol used by the View HTML5 client has changed. This change breaks BIG-IP APM's HTML5 View client implementation. As such, APM users cannot use this client to access their View Desktop. This fix implements the new View communication protocol to support launching of the View HTML5 client from an APM Full Webtop. |
527799 | OpenSSL library in APM clients updated to resolve multiple vulnerabilities in OpenSSL. CVE-2015-4000,CVE-2015-1792,CVE-2015-1791,CVE-2015-1790,CVE-2015-1789,CVE-2015-1788,CVE-2014-8176 |
528064 | The GUI now sets the address to be "::" when saving the Server Connection to be No Server. |
528139 | DHCP lease can now be renewed correctly. |
528548 | Fixed CSS rewriting for: @import "URL" and @import 'URL'. |
528675 | Captive portal detection request modified to properly close HTTP connection. |
528994 | Now simplified check for native functions is used for Internet Explorer to avoid problems with context replacing in Internet Explorer 10+ even in compatibility mode. |
529392 | Internet Explorer 11 on Microsoft Windows 10 is detected correctly now if local proxy autoconfig script is configured with DIRECT rule for BIG-IP. |
529438 | Restore the source address translation correctly even if an iRule has disabled APM. |
530092 | Group name with spaces shall not be encoded with backslashes. |
530549 | Form action will have the correct value if it's modified after submitting form. |
530648 | User is able to sync a large policy, resolve LSOs on target and complete the sync without any error. |
530697 | Windows Phone 10 platform is detected correctly now. |
530800 | Fixed an issue where extra data was added to some OWA2010 requests making it impossible to send messages in configuration with Form-based SSOv2. |
531483 | Issue resolved. |
531719 | When using the CATEGORY::lookup command in an iRule to retrieve a classification for a URL, only categories matched in the URL database are returned. Starting in version 12.1, there are new flags available to be used as follows: CATEGORY::lookup returns the same results as previous versions (a list of all Websense categories, but no custom categories); CATEGORY::lookup request_default_and_custom returns a list of all Websense categories as well as all custom categories; CATEGORY::lookup request_default returns a list of all Websense categories; CATEGORY::lookup custom returns a list of all custom categories. |
531883 | Windows 10 App Store VPN Client is now detected by BIG-IP APM out of the box using the Client Type agent. |
531983 | The routing table now updates correctly when a new adapter is added to the system while an SSL VPN tunnel is already established over a network adapter. |
532096 | Fixed issue causing Machine Certificate checker agent backward incompatibility. |
532375 | A new agent has been added (request analytics) that will allow outgoing Facebook messages to be blocked. To use this agent requires an additional URL Filter Assign item in the per-request policy. Correct per-request policy implementation should follow the general idea of Category Lookup > Request Analytics > URL Filter Assign > Response Analytics > URL Filter Assign. |
532394 | To provide better traceability, APM client creates log entry each time F5 software reads or writes "SearchList" or "SearchList_F5_BACKUP_VALUE" registry keys. |
532509 | The 'onmessage' handler added with window.attachEvent() now correctly receives data sent through window.postMessage(). |
532616 | OpenSSL library in APM clients updated to resolve vulnerabilities in OpenSSL. CVE-2015-1793 |
533422 | The sessiondump utility now reuses the TCP connections. |
533566 | Added support for View HTML5 client v3.5 shipped with View Connection Server 6.2. |
533723 | Content rewriting is suppressed on the client side for the textarea tag. |
534373 | Fixed grammar. |
534374 | Pipe-separated session variables are now separated into multiple values of the assertion attribute. For example, given the session variable value '| a | b | c |', the assertion attribute will look similar to this: <saml2:Attribute Name="name"> <saml2:AttributeValue>a</saml2:AttributeValue> <saml2:AttributeValue>b</saml2:AttributeValue> <saml2:AttributeValue>c</saml2:AttributeValue> </saml2:Attribute> |
534378 | APM now correctly handles Latin-1 (high ASCII) characters in username and password for ActiveSync clients. |
534555 | Due to customer demand, starting with BIG-IP v12.1.0, the RSA v1.5 algorithm can be enabled on BIG-IP as IdP manually from the console using TMSH, with the command `modify apm sso saml <saml IdP object name> key-transport-algorithm rsa-v1.5`. NOTE: Be sure to save the configuration after changes are made via TMSH. Starting with BIG-IP v12.1.0, support for RSA v1.5 on BIG-IP as SP is enabled by default with no configuration required. |
534901 | Fixes the handling of chunked responses coming during the HTML5 client load. |
535119 | At log table initialization, extra 1-second gaps are now added between the times used to create individual log tables, to avoid the problem of 1-second granularity in MySQL timestamps. |
536575 | For an access policy that includes On-Demand Cert Auth, Dynamic ACL, or Per-App VPN, the Session Variable Report now shows session variables correctly. |
537000 | Installation of BIG-IP Edge Client on Windows 10 no longer causes a system crash. |
537614 | Machine certificate checker service works now with a display language other than English. |
538192 | Second cache-control header was removed. |
538198 | Web page requests information from Applet instead of calling JavaScript function by Applet. |
539013 | DNS resolution now works after a VPN connection has been established on a Windows 10 desktop with multiple NICs, where one of the NICs is in a disconnected state and has a statically assigned IPv4 configuration. |
539018 | All TMM threads are now registered with the monitor process, so the monitor process signals the correct TMM thread if it is looping, and the TMM stack trace is written to the correct TMM thread's log file. |
539201 | APM now refers to IBM's Endpoint Management System by its correct name 'IBM MaaS360'. |
539229 | EAM handles exceptions gracefully during the authentication process when Oracle Access Manager is used. |
539847 | Variable Assign now supports and preserves newlines. |
541622 | One cURL session is now created for each user session that requires CAPTCHA verification. |
541978 | Added check for nonexistent perflow variable and error log for non-existing perflow variables. |
543222 | With this release: 1. Only values starting with 0x are treated as hex-encoded. 2. If hex decoding fails, apd does not crash. |
544146 | The session ID is now included in each log message when it is available. |
544988 | Having /Common/vdi and /Common/vdiplugin assigned to a Virtual Server does not affect other profiles. Profile changes on a virtual server are immediately effective and do not require tmm restart. |
546405 | A new "Export as VMWare View Format" checkbox has been added to the meta-data exporting dialog. |
547546 | Added support of auto-update to MachineCertService. |
548259 | A check of cf->peer is in place to prevent the core. |
549086 | Now Windows 10 is properly detected with the Firefox browser. |
549292 | Fixed 0.3s latency between client and server SSL hello if VDI profile is added to virtual server. |
549513 | Customer should upgrade to BIGIP 12.1. |
549588 | EAM memory usage no longer grows. Cookie objects are deleted prior to deleting cookieMap from obAction destructor. |
550221 | A user can now successfully sync a previously synced policy after removing items from it. |
550536 | The correct information/text (in French) is now displayed when the Edge Client is launched. |
550537 | When you configure an AAA Endpoint Management System in the GUI, the online help now specifies IBM MaaS360 as one of the system types. If you use tmsh instead of the GUI, the aaa endpoint-management-system command still specifies and displays fiberlink as the corresponding type. |
551260 | Redirect URL is no longer truncated after ampersand sign. |
551764 | Upon successful execution of the Access Policy in clientless mode, the request is forwarded to the configured backend as needed. |
551819 | NTLM Type 1 message will set NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY flag now. |
551999 | Edge Client for Mac now tries to restore session after lost network connectivity is restored. |
552216 | `var $redirectOrigURI = "";` is not valid PHP syntax. After changing `var $redirectOrigURI = "";` to `$redirectOrigURI = "";`, the issue is no longer seen. |
552342 | Passwords in headers are logged as asterisks as is done for post data. |
552346 | Add a newline character to the end of each of the affected log messages. |
552498 | Domain fields in Set-Cookie headers found in 401 responses are processed correctly. |
553268 | Session cookies are now cleaned up properly when user explicitly disconnects BIG-IP Edge Client. |
553734 | The issue is fixed for non-string value types. |
553925 | Fixed installer package. |
554041 | Edge Client now ignores DNS location settings in Always Connected mode and establishes VPN even inside enterprise networks. |
554074 | Fixed code to trigger VPN connection immediately even when user clicked cancel before. |
554081 | The correct validation has been added. A configuration with an invalid excluded content type could cause the configuration to fail with this error message: 01070734:3: Configuration error: Response Analytics agent /Common/prp1_act_response_analytics_ag needs a valid content type. Provided content type /Common/invalid is not valid. Please go and edit bigip.conf to include the valid values such as All-Compressed, All-Images, All-Executable, Application-Flash, Text-html, Text-pdf |
554228 | OneConnect now works when WEBSSO is enabled/configured, so that the system reuses the pooled server side connections. |
554364 | You can create a new document with Microsoft SharePoint 2010. |
554690 | The VPN Server Module no longer generates the repeated error log "iface eth0 (4)" every 2 seconds. |
554899 | MCPD no longer cores with access policy macro during config sync in high availability configuration. |
554993 | The current active sessions, current pending sessions, and current established sessions counts of profile access stats now report correctly after failover. |
555435 | AD Query now completes as expected if cross-domain option is enabled and administrator's credentials are not specified. |
555457 | After F5 Networks components have been uninstalled, the system does not require reboot, and uses the latest installed software-device for VPN, as expected. |
555507 | The SSO plugin no longer overruns memory not owned by the plugin, so the system supports the following configuration without memory issues: the BIG-IP system is configured and used as a SAML Identity Provider; the Single Logout (SLO) protocol is configured on the attached Service Provider (SP) connector; and at least one user has executed the SAML WebSSO profile. |
556597 | Fixed a crash in CertHelper. The crash occurred only in TMOS v12.0.0. |
556774 | The Edge Client installed on a PC that connects to APM through a captive portal now opens as expected. |
557369 | The BIG-IP system now processes NTLM requests for affected Lync clients, and users of the client are able to authenticate. |
557399 | Resolved an issue in Portal Access where certain user-defined JavaScript objects could cause a loop in F5 helper code and an unresponsive browser. |
558631 | The APM Network Access VPN feature no longer leaks memory. |
559138 | Fixed bug in certificate verification code. |
559159 | Nested conditional expressions in client-side JavaScript are now rewritten correctly. |
559218 | An iFrame with an empty origin now inherits the origin value from the parent window when accessed via Portal Access, in the same manner as all browsers do. |
559270 | Multiple ABORT events on a single connection to an APM virtual server no longer cause TMM to crash and restart. |
560640 | Network Access works as expected on the Windows platform even when a Java AppTunnel resource has been assigned. |
560851 | Enabling both clientssl and remotedesktop/vdi profiles on a UDP virtual server now produces a validation error. |
560968 | AD or LDAP groups retrieval no longer leads to /tmp overflow. |
561798 | Edge Client now runs embedded browser in Internet Explorer 10 emulation mode, which has support for modern JavaScript. |
561849 | Trigger discrete join deletion from policy item upon its own deletion. |
562919 | TMM no longer cores in the renew lease timer handler. |
563443 | This release fixes a rare core dump related to the Websso plugin. |
563474 | F5-BIGIP-APM-MIB::apmPmStatConfigSyncState now returns the correct non-zero value. |
563503 | Fixed code to perform a complete match. |
563676 | Applied patches for CVE-2015-3194, CVE-2015-3195, and CVE-2015-3196. |
564482 | Delegation account can be enforced to use AES256 encryption, provided the delegation account is configured as SPN format on the Kerberos SSO configuration. |
564496 | Applying APM add-on license now increases Access and CCU license limits, as expected. |
564537 | The RADIUS server setting must be changed only from the APM RADIUS server config page. If the AAA RADIUS Server is configured for "both" mode, then create a layered virtual server/pool with * (any) port. |
565167 | The message is now logged with the correct domain name and user name. |
565231 | Objects are being exported correctly without error. |
565527 | Static proxy settings are now applied in Network Access configurations. This allows applications that do not support PAC files to work inside the VPN. |
565554 | An iRule can be attached to the APM virtual server to retrieve and then explicitly set the HSTS header upon URL redirection. DevCentral iRule example: https://devcentral.f5.com/questions/hsts-and-apm-ssllabs |
565648 | The APM process (apmd) no longer leaks file descriptors when access policy functions are invoked by internal BIGIP functions. |
566264 | The Application Editor role can now access and modify customization in the APM UI. |
566646 | Fixed the issue where Portal Access could try to buffer contents of some large files and respond with significant delay. |
566908 | Webserver listening on local Wifi or Ethernet IP can be accessed after VPN even if proxy.pac is defined in a way that forwards all web traffic over VPN to corporate proxy server. |
566998 | Edge client upgrade no longer fails if client was configured in locked mode. |
567660 | APM RDG feature now works as expected when Auto Last Hop is disabled. |
568238 | Firefox v44.0 through v46.0 can now install F5 Networks plugins, perform endpoint checking, and establish network access connections. |
568410 | Network Access now works as expected even when DNS cannot be resolved on client and PAC file contains DNS resolution code. |
568963 | User can now launch Internet Explorer or Firefox inside protected workspace. |
569284 | Completely fixed. |
569317 | Logged-on credentials are now used automatically to connect to the VPN. |
569742 | Now Network Access remains stable when a second network interface is being connected, so any long-standing TCP connections (such as VPN over Network Access) continue as expected. |
570242 | Enhance Java applet manifest file parsing to support manifests generated by Mozilla NSS Signtool. |
570309 | BIG-IP now accepts SAML SSO requests from Office365 containing a query in the URL and sent via HTTP-POST binding. |
570403 | PAC file download and merging issues were previously treated as critical, and the Edge Client disconnected the tunnel. This behavior is now controlled by a new setting on the BIG-IP called "Ignore PAC download error". |
570563 | Import and export of CRL is fully supported. |
571003 | TMM no longer generates core file and restarts upon upgrade. |
571083 | An iRule can be attached to the APM virtual server to retrieve and then explicitly set the HSTS header upon URL redirection. DevCentral iRule example: https://devcentral.f5.com/questions/hsts-and-apm-ssllabs |
571718 | Customers will no longer see passwords logged. Instead, in the log statement the password is masked as "******". |
572062 | When you delete EPSEC packages using the GUI, APM now correctly deletes the corresponding EPSEC ISO file from the filestore (/config/filestore/files_d/Common_d/epsec_package_d/). Before creating archives, administrators are now required to delete non-active EPSEC packages using the GUI to make sure that non-active EPSEC ISO files are not included in the archives. Although this issue has been resolved for newly downloaded EPSEC ISO files, you might still need to perform some cleanup: 1. You must remove previous leftover EPSEC ISO files as follows: a. Delete the EPSEC package from the GUI: select System > Software Management > Antivirus Check Updates, select an existing EPSEC package from the list, and click Delete. b. Go to /config/filestore/files_d/Common_d/epsec_package_d/ and find files for which there is no corresponding entry in /config/bigip.conf. c. Delete those extraneous files manually using the rm command. 2. You cannot import huge previously created UCS archives. Instead, you should delete non-active EPSEC packages prior to creating a UCS. 3. If you want to include only one (active) EPSEC ISO in a UCS archive, you must first delete non-active EPSEC packages using the GUI. |
572068 | A VPN can now be established from the browser even if the Network Access configuration is large. |
572257 | This release handles large single log values. |
572563 | Internet Explorer can now launch a Protected Workspace session. |
572580 | The most recently installed EPSEC version now remains configured, and does not roll back after reboot or shutdown-restart. |
573429 | Network Access now correctly manages its memory resources. |
574517 | Freed the necessary memory so the leak is no longer present. |
574781 | APM Network Access now correctly manages its memory resources. |
575040 | When ACCESS::disable is used in an iRule on a virtual server with an Access Profile and Per-Request Policy assigned, BIG-IP APM will not run the Per-Request policy. |
575499 | No more stale renew_lease timer in vpn_ctx to cause TMM core. |
575609 | Difficult to compress requests may be dropped. |
576165 | Fixed. |
576294 | Blank password is allowed in access-accept RADIUS requests. |
576350 | An HTTP_401_RESPONSE page can be placed anywhere in the access policy chain. Any pre-authenticated information for the targeted agent will not be consumed by another agent sitting in front of it. |
576375 | Service now reports correct status to service control manager immediately. |
577962 | DNS Suffixes are now restored properly. |
579560 | Nitrox hardware acceleration support was fixed. |
579909 | Fixed so that the secondary MCP no longer exits but only logs a warning message, because the partition is successfully deleted. |
580059 | Fixed DNS relay proxy so it does not go in a state where it starts consuming huge CPU cycles. |
580225 | The system now passes the expected arguments with the WEBSSO::select command so TMM no longer crashes. |
581602 | Excessive DNS queries are no longer sent from the Edge Client if the DNS server is unreachable. |
Usability
Session ID rotation has been
Known issues
This release contains the following known issues.
Upgrade issues
ID number | Description |
---|---|
417711 | After the upgrade, if the previous configuration used NTLM |
421456 | Kerberos SSO does not work after upgrading from 11.3.0 to 11.4.0, because in 11.4.0 the password is saved in encrypted form while in 11.3.0 the password is saved as clear text. The Kerberos SSO password is saved as clear text in 11.3.0, and the Kerberos server cannot be accessed. Re-enter the Kerberos SSO password after |
Admin issues
ID number | Description |
---|---|
360141 | Modifying the SSO configuration does not cause the Apply Access Policy button to show up on the Admin GUI or the visual policy editor. The configuration change takes effect immediately for new sessions established after the change. Old sessions (those that were already created before the configuration change) continue to use the old SSO configuration. |
362200 | When customizing messages, you cannot use special characters, such as ', ", &, <. Special characters in the Description field or message field of a portal policy will be escaped. To work around this problem, do not use such characters, or manually fix the customization. |
362351 | Branch names cannot start with the word fallback in the visual policy editor. Do not start branch names with the word fallback. The terminal name must begin with an alphabetic character (for example, a or A). The remainder of the name can contain only alphanumeric characters (numbers and letters), spaces, and these symbols ( + - _ ( ) [ ] ). The terminal name cannot begin with the text fallback. Please rename the terminal. |
363188 | Using a space in an alias for a virtual server can cause unexpected results when you use |
384479 | When you configure a virtual server for Oracle Access Manager integration (by selecting the OAM Support option), the option to select a specific AccessGate does not apply to OAM 10g environments. |
398361 | Not all configuration objects validate and reject an object name that contains the space character. As a best practice, when you create a configuration object do not include a space in the object name. |
403722 | If you initiate an access policy sync from the Standby node, an admin must resolve any conflicts on the Active partner. Ideally, an access policy created on the Standby node would be synced to the Active node automatically without admin intervention. To work around this problem, avoid syncing an access policy from a Standby node. Otherwise, you must resolve conflicts, if any, on the Active node. |
404936 | Files named core. |
405352 | If you enter a bad FQDN for the domain controller in an NTLM Auth configuration and a DNS server responds with DNS SERVFAIL, the NTLM Auth configuration does not work even after you fix the incorrect FQDN. This occurs when NTLM auth is configured in APM and an invalid domain controller is specified, or the domain controller goes down; NTLM auth then stops working. To work around this problem, after you correct the FQDN in the NTLM Auth configuration, restart the ECA plugin and NLAD daemon using this command: |
414411 | When you use visual policy editor from the Chrome browser, images do not preload and as a result, the navigation bar flickers. To work around the problem, use Firefox or Internet Explorer. |
419748 | After a hosted content file is referenced by a Portal Access resource, the file cannot be deleted, even if the link-type of the resource is not "hosted-content". This problem occurs in this sequence of steps. Use the GUI. Create a resource such as portal-access or webtop. Set the link-type to "hosted-content" and select a sandbox file. Now change the link-type to ' |
419754 | When using a local user database instance for authentication on APM, if a user that is flagged to change password leaves the password field empty, the user is prompted again to change |
419836 | When you switch from editing one file to editing another file in advanced customization without saving the first file, changes to the first file are lost. This is not |
419996 | When you import users to a local user database, any first or last name with a space in it is truncated to the first space. |
420506 | When using the Local Database agent with a write action, the list of properties available includes groups; however, this property is read-only and any attempt to write to it fails. This issue arises when using the APM general purpose Local Database agent with an action that includes writing to the |
423137 | The compression setting pull-down is available on the Network Access resource page. If an end-user |
582673 | It takes a long time, or is completely impossible, to display huge policies (more than 4000 elements). The VPE returns a server timeout error or simple |
Application access issues
ID number | Description |
---|---|
223712 | During a web applications session, when a user logs out of Microsoft Office Communicator and then attempts to log on again, the |
339865 | Microsoft SharePoint 2007 with Office Integration does not work in LTM+APM mode when Windows Protected Workspace is used in an access policy. When you try to open a Microsoft Office document, an alert about a wrong URL is displayed. |
340549 | The rewrite plugin does not implement forwarding HTTPS requests through the HTTPS proxy correctly. (However, forwarding HTTP requests through the HTTP proxy does work correctly.) |
362325 | Links in content are rewritten in HTML attachments from Outlook Web Access (OWA) after you open the attachments in the browser or save them to disk using the Save as action. This happens because APM application access patches the links in HTML attachments. This occurs with OWA 2003, 2007, and 2010. |
389881 | The Portal Access feature in APM does not support Flex Runtime Shared Libraries using ActionScript3. Access Portal enabled Applications |
404899 | Webpage errors occur when opening a chat window in IBM Lotus iNotes 8.5 with Sametime through a Portal Access webtop. This happens only when using Internet Explorer 9. To work around this problem, add a Portal Access item with the path "/ |
406745 | Office for Mac 2011 gets login page |
416759 | Microsoft Dynamics CRM might not work correctly through |
421063 | JavaScript code that deletes 'call' or 'apply' methods from Function.prototype does not work through Portal Access. Errors can occur. Some web-applications might stop working or work with errors. This issue has no workaround at this time. |
422525 | Portal Access resources with proxy host configured and no DNS record available to BIG-IP will be blocked by APM ACL. All requests to these resources will result in APM DNS error page. Some resources accessible only via |
430976 | Some of Portal Access wrappers for client-side JavaScript code could use |
431337 | The LinkedIn button is a part of the new feature, Apps in Outlook Web App, in Outlook Web App 2013. A JavaScript error occurs if you click the LinkedIn button in Outlook Web App 2013 while using Internet Explorer 11. |
434464 | If a JavaScript function contains an Internet Explorer conditional compilation directive and a 'try ... catch' block inside this directive, it becomes inaccessible before declaration after re-writing. Invocation of JavaScript function with conditional compilation and try...catch block inside can't be used before |
439887 | Drag-and-drop and some other mouse operations work incorrectly in Outlook Web App (OWA) 2010 if accessed using APM Portal Access from the Chrome v.31.x browser. Navigation and message copy/move operations can be done using the keyboard only; mouse operations might not work. There is no workaround. |
443629 | Microsoft Dynamics CRM might not work correctly through |
444767 | Access to Office365 Outlook Web Access services using Portal Access is broken for HTML5-supported browsers. The user is redirected to the APM Logout page after successfully logging in to Office365. |
453166 | Rewrite writes many recovery logs. The rewrite plugin recovery procedure sometimes resets the plugin to an unstable state, and Portal Access becomes unavailable. |
454306 | When HTML style attributes with HTML entities are rewritten, it results in direct or incorrect links to resources. This occurs when using HTML style attributes with HTML entities. It results in broken styles in |
480283 | Some backend servers cannot be accessed using BIG-IP Edge Portal for iOS over mobile networks. Authentication fails; (a cookie related to authentication goes missing). It also happens when connected using WiFi but much less often (possibly due to timing). Web-application fails to update cookie when running Edge Portal on mobile networks. The issue is intermittent and hard to reproduce. The impact of this issue is that web-application logic can be broken. This issue has no workaround at this time. |
494135 | If 'eval' JavaScript call is redefined in |
521822 | Referer header received by backend contains in the path component(s) 'f5-w- |
572698 | HTML page with document.write() operations inside event handlers may not be processed correctly. Internet Explorer may show error on this page. HTML page with document.write() calls inside event handlers or |
576325 | Access to some field names of classes inherited from flash.utils.Proxy is broken. This occurs when flash.utils.Proxy descendants are present, and it causes the customer application to malfunction. There is no workaround. |
591588 | Applications that use appendChild() or similar functions to build their UI might experience slow performance in the Microsoft Internet Explorer browser. This occurs with intense usage of methods such as appendChild(), insertBefore(), and so on, and results in very low web application performance when using Microsoft Internet Explorer. There is no workaround. |
595477 | HTML page with document.write() operations inside event handlers may not be processed correctly. Internet Explorer may show error on this page. HTML page with document.write() calls inside event handlers or |
Authentication and SSO-related issues
ID number | Description |
---|---|
355490 | TACACS+ accounting STOP messages are sent successfully and are properly logged on the TACACS+ accounting server. Sometimes, when the reply from the TACACS+ server is processed, "Invalid reply error message" is logged on APM. However, this message does not indicate any failure in sending the accounting STOP message to the TACACS+ server. This error message can be ignored because the accounting functionality works. |
355981 | APM CRLDP Authentication Agent binds anonymously to the LDAP server to retrieve CRL files. An option for a strong authentication bind is not currently supported. |
399696 | Selecting an SSO configuration with WEBSSO: |
433242 | SAML Single Logout (SLO) does not work when all of the following are true: the BIG-IP system is acting as a SAML Identity Provider (IdP) or SAML Service Provider (SP); the other party configuration has SLO configured; and the SP connector or IdP connector on the BIG-IP system is missing a SAML SLO Request URL or SAML SLO Response URL. That is, if SAML SLO is configured with a SAML other party and the other party does not have both an SLO Request URL and an SLO Response URL, SAML SLO does not work. To work around the problem, configure both the SAML SLO Request URL and the SAML SLO Response URL for SP and IdP connectors. |
435719 | When AD Query is configured in an Access Policy, and the password expiration warning is enabled, or the user password is expired and the user types the wrong original password, then the password change fails. However, the BIG-IP system continues to prompt for new credentials until reaching the value specified for Max Password Reset Attempts Allowed, and all attempts fail because the original password is incorrect. This issue occurs when all of the following conditions are met: the BIG-IP APM access policy is configured to execute an AD Query; the session.logon.last.password session variable value, when reaching the AD Query agent, does not contain the correct user AD password (either because it was wrongly typed on the Logon Page or because it contains the password for another authentication method); and the user AD password is expired or the password expiration warning is enabled on the AD Query. Users are unable to complete an update of their AD password. You can work around the problem in one of these ways: 1. Close the tab or browser and open the logon page in a new tab or new browser window. 2. In the same browser, remove everything after FQDN/ and press Enter; that initiates a new session. 3. Make the following configuration change: in the VPE, create a Macro and move everything from Start to the AD Query (included) into the Macro. On the AD Query inside the Macro, set "Max Password Reset Attempts Allowed" to 1. Set the "Maximum Macro Loop Count" of the Macro to 3. Call the created Macro right after the Start |
436138 | If you use Kerberos authentication with the Request Based Auth option set to Enabled and you use Secure Web Gateway explicit forward proxy, access to web sites fails. To work around the problem, set the Request Based Auth option to Disabled. |
438344 | APM WebSSO (SSOv1) incorrectly handles POST request to Start URI. WebSSO appends SSO parameters to the payload from a POST request without adding the ampersand (&) delimiter. WebSSO does not update Content-Length on sending to backend server. This issue has no workaround at this time. |
440395 | If you have an HA pair and try to reset the AD cache (group cache or PSO cache), the standby node logs this misleading message: Cannot cleanup cache if other options were changed for AAA AD Server. This occurs when HA is configured, the AD module is configured to use caches (the password warning option is enabled, and/or the fetch nested groups option is enabled, and/or fetch primary group is enabled, and/or the password complexity check option is enabled), and the admin tries to reset any of the caches on the active node. The message can be ignored; there is no functional impact. |
441537 | In APM form-based SSO, some special characters are incorrectly URL-encoded for certain fields, such as hidden parameters. (This does not apply to form-based client-initiated SSO.) This occurs when using form-based client-initiated SSO with a hidden parameter that contains a special character, such as dash ( - ), underscore ( _ ), period ( . ), exclamation mark ( ! ), tilde ( ~ ), asterisk ( * ), left round bracket ( ( ), right round bracket ( ) ), and backslash ( \ ). Form might not work as expected. To work around the problem, use form-based client-initiated SSO if possible. Form-based client-initiated SSO has the correct URL encoding implementation. Alternatively, use an iRule to change the special ASCII characters back to the correct character. |
574435 | BIG-IP as a SAML Service Provider fails to resolve the Artifact for an Assertion when using a default route domain other than 0 in administrative partitions other than "Common". This occurs when the SAML Service Provider objects 'apm aaa saml' and 'apm aaa saml-idp-connector' are created in an administrative partition other than 'Common', a default route domain other than 0 is used for the partition where the objects are created, and BIG-IP is used as a SAML Service Provider. BIG-IP can fail to resolve the Artifact for an Assertion, which subsequently causes SAML SSO to fail. As a workaround, configure the SAML Service Provider to use HTTP-POST binding instead of Artifact binding. |
588172 | The client certificate revocation check fails. Two conditions together trigger this problem: 1. A CRLDP agent is configured in the access policy without a server hostname and port, which are needed for DirName type processing; AND 2. At least one DirName type CRLDP is present in the client certificate and it is the first in the list. Users may fail access policy evaluation when client certificates are used. As a workaround, configure an LDAP server for the CRLDP object; it need not return a valid CRL. |
590670 | After an end user successfully performs SP-initiated SAML SSO with an original request URI other than "/", the SP redirects the user back to '/' as the landing URI. This occurs when BIG-IP is used as a SAML SP and no relay state is configured on either the SP or the IdP; the user is not redirected to the original request URI. The workaround below works when the first client request to BIG-IP as SP is a 'GET'; it is not applicable when the first client request is a 'POST'. The SP object can be configured with a relay state pointing to the landing URI: %{session.server.landinguri}. After successful authentication, the end user is redirected to the landing URI (reflected back by the IdP in the relay state). |
Client issues
ID number | Description |
---|---|
223583 | Inside Protected Workspace (PWS) on Microsoft Windows Vista, a user can create folders only in some locations using the context menu; that is, only a Folder item appears on the New menu. However, a user can create standard type files using the context menu directly on the desktop and in the user's home folder. Files can be created on the Desktop and then moved to the desired location. |
369772 | Renaming or moving files smaller than 16 bytes might corrupt their contents. This occurs when renaming small files inside PWS, and the file content might get corrupted. Do not rename or move small files inside PWS. |
376615 | Username and password are not sent when the On-Demand Cert Auth agent is used in an access policy; as a |
393043 | During an APM remote connection, the progress bar might not render correctly on a Linux system when using the Chrome browser. |
399552 | CD/DVD burning through SPTI inside PWS works even though the policy disallows it. 1. |
404890 | This is a rare issue that happens for Internet Explorer when pop-up screens are set to be blocked by |
409233 | VMware View Client becomes unresponsive for about one minute after associated APM session is terminated by the administrator. APM session associated with VMware View Client connection is terminated by the administrator. VMware View Client becomes unresponsive for about one minute. |
428904 | Printer redirection and keyboard redirection ('special keyboard commands') in non-fullscreen mode do not work on Microsoft Windows version 7 or 8. This happens when the client OS is Windows version 7 or 8. |
432020 | By default, Internet Explorer 11 starts with Enhanced Protected Mode enabled and the browser process runs inside AppContainer. Enhanced Protected Mode (AppContainer technology) in Internet Explorer 11 prevents the interception of connection requests. As a |
432515 | The external |
434831 | When the client connects to APM (with Safari) and launches the Application Tunnel, the tunnel is created, but the application configured to launch does not. This happens after upgrading OS X to version 10.9 (Mavericks), connecting to APM with Safari, and launching a Java Application Tunnel configured to launch an application upon startup. As a result, you can not auto-start an application upon Application Tunnel start. You must open the application manually. There is no error; the only indication is that the application is not started by the Application Tunnel. The problem comes from a constraint of Sandbox/Safe mode of |
440375 | Under the Built-in Administrator account inside Protected Workspace, a VPN connection cannot be established if VPN components are not installed already. This occurs when a user is using |
440504 | If compatibility view settings are disabled in Internet Explorer 10 and Internet Explorer 11, the protected workspace feature of BIG-IP Edge Client won't work. The user unchecks the default compatibility view settings in Internet Explorer 10 and Internet Explorer 11. The access policy is configured to launch protected workspace. Protected workspace won't be launched. Keep the default compatibility view setting in Internet Explorer 10 and Internet Explorer 11. |
454509 | The |
472382 | The VMware View |
514143 | When using Windows firewall check, the policy check is failing. |
529503 | BIG-IP Edge Client continues to connect to a previously resolved IP address even when the DNS server points to a different server for that name. Edge Client has made |
532713 | VPN establishment fails and client goes in retry loop without notifying |
589708 | Adding a new login account onto |
592948 | When using Google Chrome or Safari (WebKit-based) browser to launch VMware View HTML5 client for Horizon 7 from APM webtop, this attempt fails with a blank screen in place of remote desktop session. -- BIG-IP APM configured as PCoIP proxy for Horizon 7. -- APM webtop in which the HTML5 client is used to launch a remote desktop. Cannot use HTML5 client. Only native client (Horizon View client) is available. when HTTP_REQUEST { if { [HTTP::header "Origin"] ne "" } { HTTP::header remove "Origin" } if { [ HTTP::method ] == "POST" && [ HTTP::uri ] == "/broker/xml" } { set BROKER_REQUEST 1 HTTP::collect [HTTP::header Content-Length] } } when HTTP_REQUEST_DATA { if { [ info exists BROKER_REQUEST ] && [ regexp {<have-authentication-types[ \t\r\n]*>[ \t\r\n]*<name[ \t\r\n]*>[ \t\r\n]*saml[ \t\r\n]*</name>[ \t\r\n]*</have-authentication-types>} [HTTP::payload] ] } { HTTP::respond 200 content {<?xml version="1.0" encoding="UTF-8"?><broker version="11.0"><set-locale><result>ok</result></set-locale><configuration><result>ok</result><broker-guid>1</broker-guid><authentication><screen><name>saml</name><params></params></screen></authentication></configuration></broker>} Content-Type text/xml } } when HTTP_RESPONSE { if { ! [ IP::addr [ IP::remote_addr ] equals 127.0.0.0/8 ] } { return } set BROKER_RESPONSE 1 set content_length 0 if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{ set content_length [HTTP::header "Content-Length"] } else { set content_length 1048576 } # Check if $content_length is not set to 0 if { $content_length > 0} { HTTP::collect $content_length } } when HTTP_RESPONSE_DATA { if { ! [ info exists BROKER_REQUEST ] || ! [ info exists BROKER_RESPONSE ] } { return } |
693739-3 | For some Network Access configurations, a VPN cannot be established with Mac using F5 Edge client or Browser helper apps. The following conditions must be true: 1- The Network Access resource Traffic Options setting is configured for Force all Traffic Through Tunnel. 2- The Network Access resource Allow Local Subnet setting is disabled. (Both of these options are defaults.) As a workaround, do the following. 1- Navigate to the Network Access resource. 2- Modify the Network Access resource Allow Local Subnet checkbox setting to Enabled. 3- Save the setting and apply the Access Policy. |
Network access issues
ID number | Description |
---|---|
342035 | A SIP client cannot communicate with a SIP server when connecting over a Network Access tunnel. The SIP protocol uses fixed UDP ports, and communication fails because the Network Access tunnel translates the source port of the connection. To work around the problem, configure a layered virtual server using the SIP UDP port and set the Source Port option to Preserve Strict. |
351360 | Sometimes when assigning different route domains to Network Access clients connecting to the same virtual server or using the same connectivity profile, traffic from the client can go out into the network associated with the wrong route domain. This could happen when two clients are assigned the same IP address (from different lease pools containing the same address ranges) and different route domains and try to access the same IP address on the internal network using the same TCP/IP protocol. - Both source and destination IP addresses are the same - IP protocol is the same (i.e. ICMP, TCP, or UDP), - For TCP/UDP both source and destination ports are the same, - For ICMP the message type and ID are the same, - Connection.VlanKeyed option is enabled (which is default), - Both clients use the same connectivity profile. Client connection can be directed to the wrong network. To work around this problem, when sharing IP address ranges among route domains, use separate virtual servers for each route domain, with different connectivity profiles. |
356766 | Removing or updating Network Access device or client components while the system has an active Network Access connection might cause the system to drop the existing connection and fail to establish a new connection until after a system reboot. |
373889 | You can configure a Network Access tunnel to update a session (that is, to extend its expiration time) based on a traffic threshold and a window of time. Traffic measurements are taken every 5 seconds, but they are not divided by 5 before being used in the calculation. As a result, bytes per 5 seconds is calculated instead of bytes per second, which is incorrect. This affects Network Access tunnels with Inactivity Timeout configured with an activity threshold. The inactivity timeout counter is not reset as it should be, and client connections could be dropped due to inactivity even though their activity is above the Session Update Threshold. To work around this problem, select the Network Access resource you want to update, then select Network Settings and Advanced from General Settings. Proceed as follows: 1. Set Session Update Threshold to 5 times the desired bytes/second rate. 2. Set Session Update Window to 2 or higher. Note: The session life management might not be exact. |
383607 | After a Network Access client loses connectivity and reconnects with another IP address, the client cannot open tunnels to optimized hosts for 4 to 7 minutes. |
398339 | When you use the Fedora operating system with SELinux enabled and use the Firefox web browser to connect to APM for network access, you might get SELinux blocking notifications. To work around the problem, perform these steps: A. Execute the following commands on a terminal as root user (not |
403082 | Network Access cannot perform routing table clean-up if a user closes browser windows without logging out from the webtop, or if a user closes a browser window without waiting for the logout process to complete. To work around the problem, add the APM virtual server address to the Trusted Sites list. |
423161 | When a Network Access session and an APM session are closed simultaneously, one of these logs is written: |
438056 | The APM Network Access client for Windows systems can fail to establish a VPN connection if the client SSL profile is configured with the options no- |
444110 | An IPv6-only Network Access configuration is not supported. IPv4 alone or IPv4 together with IPv6 are the supported IP version configurations. |
469852 | Users lose connectivity to resources through VPN when standard or forwarding virtual servers are disabled. This occurs when standard or forwarding virtual servers are disabled and the connectivity profile is enabled. User loses connectivity to resources through VPN. Network Access connectivity works if all the standard and forwarding virtual servers are enabled or deleted completely. |
476279 | Network Access with |
528424 | Tooltip/toast notifications are not displayed when Network Access changes state (Connect, Disconnect, Reconnect, etc.). Beginning with Microsoft Windows 8, tooltips are replaced by toast notifications; Windows does not convert tooltips to toast notifications for F5 |
541261 | The failure happens when we get the redirect to / |
594422 | The OpenSSL library was modified to keep it compatible with the RFC 6347 compliant DTLS server renegotiation sequence number implementation. The old OpenSSL library is not compatible with RFC 6347; the new OpenSSL library is modified to be compatible with RFC 6347. The current APM client is compatible with the old OpenSSL code, not the new OpenSSL code. The current APM client is not compatible with new OpenSSL |
Portal access issues
ID number | Description |
---|---|
384405 | With Access Policy Manager Portal Access, if you add a web-acceleration profile to the Local Traffic virtual server, it does not take effect until |
386517 | When configuring multidomain SSO, a pool must be assigned to the virtual, even if one is not being used. A typical symptom of not assigning the pool is that after |
406040 | The general pattern is that there is a request to the main resource, and also a request for some other resource, like an image file. The request to the main resource will create a session, and the BIG-IP system will set a cookie. But if the request to the other file comes before the cookie is set, then a second session will be created. One example of this occurred with an iPad using SAML Auth. Other clients were okay, but the iPad would send requests for "/" as well as a PNG file, which would lead to multiple sessions and sometimes this confusion would lead to SAML assertion failures. Another example is the fetching of favicons. If an application uses a non-standard location for favicons (as permitted by the LINK meta tag), the client might make requests to both "/" and the favicon, leading to multiple sessions. Different clients behaved differently. Internet Explorer 10 seems to create multiple sessions. Google Chrome 25 and above seems to create the second session and then close the first session. |
426963 | When the client sends an HTTP POST with an Expect: 100-continue header, APM fails to forward it to the backend server. The client waits about 3 seconds to time out before sending the actual data of the POST request. This occurs when the Access profile is enabled. The client does not receive a 100 Continue. Usually, it waits for about 3 seconds and then sends the data anyway. The following iRule appears to resolve the issue: when HTTP_REQUEST { if {([HTTP::method] eq "POST") && [HTTP::header exists "Expect"] } { HTTP::header remove "Expect" SSL::respond "HTTP/1.1 100 Continue\r\n\r\n" } } |
439965 | BIG-IP APM currently cannot handle multiple browser tabs trying to create sessions at the same time. The most common example is saving multiple homepages in a web browser. When the web browser opens, requests from these tabs are sent within milliseconds. This can cause very unpredictable behavior: sometimes it will function correctly, other times there will be connection resets, and other times the user will see error pages. This applies any time a user is attempting to create a new session. Once a session exists, multiple tabs are supported. This affects all APM products except SWG. If the user is already authenticated and has a session, then multiple tabs can be opened. However, there is no workaround for session creation. |
455975 | Using the SNMP MIB F5-BIGIP-APM-MIB::apmGlobalConnectivityStatCurConns displays incorrect information and description. This issue has no workaround at this time. |
468130 | When Kerberos authentication is used with request-based authentication (RBA) enabled, the first POST request sent to the BIG-IP system could be replaced by a dummy POST and authentication then fails. This can occur when the BIG-IP system is configured as a SAML Identity Provider (IdP) and the |
470389 | Garbled characters (or control characters) are seen in the /var/log/ |
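The Expect: 100-continue exchange behind issue 426963, as an added example that is not F5 code and not part of the release note: a small Python model of the handshake in which the proxy does what the workaround iRule does (answer 100 Continue itself and strip the Expect header before forwarding), next to the failing case in which the client gives up after the 3-second wait the note describes. The function names and the sample request head are constructed for this example.

```python
"""Expect: 100-continue handling at a proxy (APM known issue 426963).

Added example, not F5 code. The 3-second client fallback comes from the
release note; proxy_head_for_backend() mirrors what the workaround iRule
does: drop the Expect header and answer 100 Continue from the proxy itself.
"""
from typing import List, Optional, Tuple

CRLF = "\r\n"
INTERIM_100 = "HTTP/1.1 100 Continue" + CRLF + CRLF
CLIENT_EXPECT_TIMEOUT = 3.0  # seconds a client waits before sending the body anyway

Header = Tuple[str, str]


def parse_head(head: str) -> Tuple[str, str, List[Header]]:
    """Split a raw request head into (method, target, headers); case and order are kept."""
    request_line, _, header_block = head.rstrip(CRLF).partition(CRLF)
    method, target, _version = request_line.split(" ", 2)
    headers: List[Header] = []
    for line in header_block.split(CRLF):
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return method, target, headers


def wants_100_continue(method: str, headers: List[Header]) -> bool:
    """True for the case the iRule matches: a POST that carries an Expect header."""
    return method == "POST" and any(n.lower() == "expect" for n, _ in headers)


def proxy_head_for_backend(head: str) -> Tuple[Optional[str], str]:
    """Return (interim response for the client or None, request head to forward).

    Same idea as the iRule: when a POST carries Expect, send 100 Continue to
    the client immediately and forward the head without Expect, so neither
    the proxy nor the backend leaves the client waiting for an interim reply.
    """
    method, target, headers = parse_head(head)
    if not wants_100_continue(method, headers):
        return None, head
    kept = [(n, v) for n, v in headers if n.lower() != "expect"]
    lines = [f"{method} {target} HTTP/1.1"] + [f"{n}: {v}" for n, v in kept]
    return INTERIM_100, CRLF.join(lines) + CRLF + CRLF


def body_send_delay(head: str, proxy_fixed: bool) -> float:
    """Seconds the client waits before sending the POST body.

    proxy_fixed=False models the issue (no interim response is ever sent, so
    the client falls back after CLIENT_EXPECT_TIMEOUT); True models the iRule.
    """
    method, _target, headers = parse_head(head)
    if not wants_100_continue(method, headers):
        return 0.0
    interim, _forwarded = proxy_head_for_backend(head) if proxy_fixed else (None, head)
    return 0.0 if interim else CLIENT_EXPECT_TIMEOUT


# Constructed sample request head; not a capture from any real client.
SAMPLE_POST = (
    "POST /upload HTTP/1.1" + CRLF
    + "Host: apm.example.test" + CRLF
    + "Content-Length: 1024" + CRLF
    + "Expect: 100-continue" + CRLF + CRLF
)

if __name__ == "__main__":
    print("delay with the issue:   ", body_send_delay(SAMPLE_POST, proxy_fixed=False))
    print("delay with the iRule:   ", body_send_delay(SAMPLE_POST, proxy_fixed=True))
    print(proxy_head_for_backend(SAMPLE_POST)[1])
```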
Secure Web Gateway issues
ID number | Description |
---|---|
505264 | There is a delay before F5DCAgent updates the IF-MAP server with a workstation's new IP address when the address changes because a DHCP lease expired, or when the user changes it manually. This occurs when the following conditions are met: - TGT and TGS tickets do not contain the client's IP addresses. - IP addresses are not enforced in TGT and TGS tickets. Users might be denied access to resources. To work around the problem, use a password to lock and then unlock the workstation. |
594860 | When certain |
Other issues
ID number | Description |
---|---|
238556 | AAA types for SecurID and RADIUS in APM do not source packets from the floating IP address for the traffic group, as customers would expect. Because the RSA authentication server is sensitive to the incoming IP address of the authentication packets, an extra virtual server is required to SNAT the authentication requests to the correct (floating) address so that the same source IP is used by both members of an HA pair. You see this when you use RADIUS AAA or RSA AAA in an APM access policy. Authentication fails because RSA expects the source IP address to be specific, and does not tolerate changes on HA failover. |
294032 | When you access an older version of APM software using the Windows system client and a pre-logon antivirus check is configured, the OPSWAT AV control gets loaded into your browser. The control does not unload successfully and, as a result, the antivirus check fails. You cannot log on until the control is unloaded. Reboot the client system. |
360889 | For ACLs that are generated from a Portal Access resource, port 0 (zero) matches against port 80 (when the scheme is HTTP) and against port 443 (when the scheme is HTTPS). For ACLs otherwise, port 0 matches against any port. |
383464 | In reports, names that contain a single quote are displayed in hex-encoded format. For example, the name O'Brian might be displayed as O%27Brian. |
383511 | The Device EPSEC Status screen should reflect the recent status of all devices in the device group. When a request to see the device status of a device group is made, the Changes pending link displays. After sync, the link should disappear and the status should be displayed. To work around the problem, perform Sync from |
415262 | If you use |
447051 | Access Policy import fails if the policy has at least one customization image file associated with it. |
452059 | When the storage partition for MySQL is full and the system is under a heavy load, |
481659 | Recurring check fails during connection. The problem occurs when APM BIG-IP virtual server DNS record has been updated or DNS load balancing is used. Mac or Linux client is used. Recurring check fails. Network Access clients fail to |
503359 | Policy sync fails with error status "Created failed on target" on target devices. 1. Create a connectivity or rewrite profile from the default one. 2. Create another child profile using the one created above as parent. 3. Create a virtual server, with the child connectivity and/or rewrite profile, and an access policy. 4. Initiate a policy sync for the access profile. Policy sync function fails. To work around the problem, create connectivity or rewrite profile, only use the default profile as |
518153 | Policy Sync fails for an access policy that was generated from an iApp. Use an iApp template to create an application that includes an access policy. Initiate a policy sync on the access policy. Policy sync does not work for a policy created by an iApp. Use Config Sync, at least initially, to sync the iApp template, the application, and even all the objects in the application to the target device. |
543794 | AVG AV Free Edition 2015 is not detected by the APM endpoint inspection antivirus check. This occurs with AVG AV Free Edition 2015 and the APM endpoint inspection antivirus check. The antivirus check fails for AVG AV Free Edition 2015. |
545527 | BIG-IP Edge Client endpoint checking component cannot detect real-time protection state of ESET Endpoint Security software version 6.2.2021.0 on Microsoft Windows. ESET Endpoint Security software version 6.2.2021.0 is installed on user's machine and real-time protection is enabled. Access policy requires |
564890 | Endpoint checking reports an incorrect 'last scan time' for Windows Defender v4.8.10240.16384 on Windows 10. The user is connecting to APM on Windows 10. The access policy has an endpoint check configured. The access decision is made based on last scan time. The client system has Windows Defender v4.8.10240.16384 installed. The access policy will be evaluated incorrectly. In some cases, access policy evaluation might fail. Don't use 'last scan time' in the access policy. As an alternative, you can provide read-only access to the folder that OPSWAT needs to access: C:\ProgramData\Microsoft\Windows Defender. This requires an Administrator to set read-only folder access on the Windows system that is being accessed. This is not a BIG-IP system-specific workaround, and depends completely on your internal networking configuration and permissions settings. |
581449 | The state of the antivirus software ESET NOD32 Antivirus 9 is not detected correctly by the F5 endpoint checking module. APM has an access policy configured to check antivirus software on the user's machine. The user uses ESET NOD32 Antivirus 9 for protection against viruses. The access policy may fail. |
595285 | When configuring the same |
Contacting F5 Networks
Phone: | (206) 272-6888 |
Fax: | (206) 272-6802 |
Web: | http://support.f5.com |
Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: http://www.f5.com/support/
- The AskF5 web site: http://support.f5.com/kb/en-us.html
- The F5 DevCentral web site: http://devcentral.f5.com/
- AskF5 TechNews
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 TechNews
- Weekly HTML TechNews
- The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
- Periodic plain text TechNews
- F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.