Release Notes : Configuration Notes: Inbox F5 VPN Client for Microsoft Windows 8.1

Applies To:

BIG-IP APM

  • 12.1.0, 11.6.1, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Release Notes
Original Publication Date: 10/31/2018 Updated Date: 04/18/2019

Inbox F5 VPN Client Configuration Notes

The Inbox F5 VPN Client is built into Microsoft Windows 8.1 and Windows RT clients. It supports F5 VPN with BIG-IP Access Policy Manager (APM).

After you configure a VPN profile on your device for Inbox F5 VPN Client, select it from Network Connections.

Note: For information about how to configure remote access on a BIG-IP system with APM, refer to the BIG-IP APM Configuration Notes section.

Configuring a new VPN profile

To use Inbox F5 VPN Client for network access on a Microsoft Windows 8.1 or Windows RT 8.1 client, you must configure a VPN profile and specify F5 VPN as the VPN provider.
Note: A VPN connection that you configure this way uses default parameter values, such as port 443. To specify other values, configure the profile with the Add-VpnConnection PowerShell command and pass the options in the CustomConfiguration property.
  1. On your Windows system, select PC Settings > Network > Connections. As you make selections, the display changes in response.
  2. In the right pane, click Add VPN Connection.
  3. From the VPN provider list, select F5 VPN.
  4. In the Server name or address field, type the FQDN or IP address of the BIG-IP system with BIG-IP Access Policy Manager.
  5. Optional: Select the Remember my sign in info check box. When you select this check box, the Windows client caches your credentials and you do not need to enter them again.

F5 VPN profile parameters

This table lists the parameters that are specific to Inbox F5 VPN Client; the client supports these in addition to the other parameters available for VPN profiles. When you configure a VPN profile from PC Settings on your client, it takes the default values shown here. The same parameters are available when you configure a VPN profile with PowerShell commands.

Parameter (type; default value): Description
port (number; default 443): Port to connect to the VPN server (Access Policy Manager).
landing-uri (text; no default): Landing URI to use for authentication (APM).
ssl-encryption (boolean; default true): If set to false, SSL encryption is not used.
authenticate-retries (number; default 3): Maximum number of attempts to prompt for credentials when authentication fails.
log-level (one of default, minimum, info, debug; default "default"): Specifies the maximum level for log entries.
client-certificate (string; no default): Specifies the issuer of the client certificate used for authentication.
optimize-for-low-cost-network (boolean; default false): If set to true, the client tries to reconnect over the cheapest available network connection.
single-sign-on-credential (boolean; default true): If set to true, the client tries to use the VPN credentials to connect to Windows file shares.

Commands and parameters: VPN profile configuration

The Add-VpnConnection PowerShell command supports a CustomConfiguration property that you can use to specify F5 parameters for a VPN profile. The input for the property is in XML format; the schema is given in the XML Schema: F5 configuration parameters section of this document. For help customizing a VPN profile, refer to the Examples: VPN profile configuration section.

Useful PowerShell commands

Add-VpnConnection: Add a VPN profile.
Get-VpnConnection: View configured VPN profiles.
Remove-VpnConnection: Delete a VPN profile.

PowerShell command syntax

Use the Get-Help command in PowerShell to view command syntax. For example, type Get-Help Add-VpnConnection.

Examples: VPN profile configuration

These examples show how to specify F5 parameters for a VPN profile using PowerShell commands and the CustomConfiguration property.

Creating a client certificate for second-factor authentication

This example shows how to create a VPN profile that uses a certificate issued by Site Request, Inc. for second-factor authentication. The certificate must already be installed on the client device. Inbox F5 VPN Client can read the certificate from certificate storage on the device or from a smart card inserted into the device.

Note: The client supports smart cards that work with Microsoft Base Smart Card Cryptographic Service Provider.

# Pass the issuer of the client certificate through CustomConfiguration
$xml = "<f5-vpn-conf><client-certificate><issuer>Site Request Inc</issuer></client-certificate></f5-vpn-conf>"
$sourceXml = New-Object System.Xml.XmlDocument
$sourceXml.LoadXml($xml)
Add-VpnConnection -Name F5_vpn_cert -ServerAddress apm_server_fqdn -SplitTunneling $True -PluginApplicationID F5.vpn.client_cw5n1h2txyewy -CustomConfiguration $sourceXml

Using a nonstandard port

This example shows how to create a VPN profile using port 444 to connect to the BIG-IP system.

# Override the default port (443) with 444
$xml = "<f5-vpn-conf><port>444</port></f5-vpn-conf>"
$sourceXml = New-Object System.Xml.XmlDocument
$sourceXml.LoadXml($xml)
Add-VpnConnection -Name F5_vpn_port_444 -ServerAddress apm_server_fqdn -SplitTunneling $True -PluginApplicationID F5.vpn.client_cw5n1h2txyewy -CustomConfiguration $sourceXml

Using the landing URI

This example shows how to create a VPN profile using the landing URI to connect to the BIG-IP system.

# Set the landing URI used for authentication
$xml = "<f5-vpn-conf><landing-uri>test</landing-uri></f5-vpn-conf>"
$sourceXml = New-Object System.Xml.XmlDocument
$sourceXml.LoadXml($xml)
Add-VpnConnection -Name F5_vpn_landing_uri -ServerAddress apm_server_fqdn -SplitTunneling $True -PluginApplicationID F5.vpn.client_cw5n1h2txyewy -CustomConfiguration $sourceXml

Configuring multiple servers for VPN connection

This example shows how you can configure multiple servers for VPN connection. Inbox F5 VPN Client attempts to reach each server in the list until it successfully authenticates the user.

$VPNConnectionName = "Global VPN"
$PluginApplicationID = "F5.vpn.client_cw5n1h2txyewy"
$VPNServerList = @()
$VPNServerList += New-VpnServerAddress my1.server.fqdn -FriendlyName Africa
$VPNServerList += New-VpnServerAddress my2.server.fqdn -FriendlyName Europe
$VPNServerList += New-VpnServerAddress my3.server.fqdn -FriendlyName Asia
$VPNServerList += New-VpnServerAddress my4.server.fqdn -FriendlyName "North America"
$VPNServerList += New-VpnServerAddress my5.server.fqdn -FriendlyName "South America"
$VPNServerList += New-VpnServerAddress my6.server.fqdn -FriendlyName Antarctica
$VPNServerList += New-VpnServerAddress my7.server.fqdn -FriendlyName Australia
$xml = "<f5-vpn-conf><log-level>debug</log-level></f5-vpn-conf>"
# Validate XML configuration
$ErrorActionPreference = "Stop"
$sourceXml=New-Object System.Xml.XmlDocument
$sourceXml.LoadXml($xml)
# Remove existing entry
$VPNConnections = Get-VpnConnection
foreach ($i in $VPNConnections) {
    if ($i.Name -eq $VPNConnectionName) {
        Write-Host "Remove VPN connection:" $VPNConnectionName
        Remove-VpnConnection -Name $VPNConnectionName
    }
}
# Add new entry
Write-Host "Configure VPN connection:" $VPNConnectionName "with default server:" $VPNServerList[0].ServerAddress "plugin ID:" $PluginApplicationID
Add-VpnConnection -Name $VPNConnectionName -ServerAddress $VPNServerList[0].ServerAddress -SplitTunneling $True -PluginApplicationID $PluginApplicationID -CustomConfiguration $sourceXml -ServerList $VPNServerList
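The examples above build the CustomConfiguration XML by string concatenation, which neither checks the values nor escapes them. As an added example (not F5's code and not part of these notes), the following function builds the document from a hashtable, validates each value against the types and allowed values in the parameter table and XML schema of these notes, warns on settings that weaken transport security, and lets XmlDocument do the escaping; the function name New-F5VpnCustomConfiguration and the connection name in the usage comment are assumptions.

```powershell
# Added example (not F5's code); the function name is an assumption. Builds a validated <f5-vpn-conf>.
function New-F5VpnCustomConfiguration {
    param([Parameter(Mandatory)][hashtable]$Settings)
    # One validation rule per parameter; client-certificate takes the issuer string.
    $rules = @{
        'port'                          = { param($v) $n = $v -as [int]; $null -ne $n -and $n -ge 1 -and $n -le 65535 }
        'landing-uri'                   = { param($v) $v -is [string] -and $v.Length -gt 0 }
        'ssl-encryption'                = { param($v) $v -is [bool] }
        'tls1.2'                        = { param($v) $v -is [bool] }
        'authenticate-retries'          = { param($v) $n = $v -as [int]; $null -ne $n -and $n -ge 0 -and $n -le 255 }
        'log-level'                     = { param($v) $v -in 'default', 'minimum', 'info', 'debug' }
        'optimize-for-low-cost-network' = { param($v) $v -is [bool] }
        'single-sign-on-credential'     = { param($v) $v -is [bool] }
        'client-certificate'            = { param($v) $v -is [string] -and $v.Length -gt 0 }
    }
    foreach ($name in $Settings.Keys) {
        if (-not $rules.ContainsKey($name)) { throw "Unknown F5 VPN parameter '$name'" }
        if (-not (& $rules[$name] $Settings[$name])) { throw "Invalid value for '$name': $($Settings[$name])" }
    }
    # Settings that weaken the tunnel or make client logs verbose; acceptable only in a lab profile.
    if ($Settings['ssl-encryption'] -eq $false) { Write-Warning 'ssl-encryption=false: SSL encryption is not used' }
    if ($Settings['tls1.2'] -eq $false)         { Write-Warning 'tls1.2=false: the client may negotiate an older TLS version' }
    if ($Settings['log-level'] -eq 'debug')     { Write-Warning 'log-level=debug: verbose client logs may record session details' }
    # Build with XmlDocument so an issuer such as "Snake Oil & Co" is escaped; string
    # concatenation of that value would produce invalid XML.
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('f5-vpn-conf'))
    foreach ($name in $Settings.Keys) {
        $value = $Settings[$name]
        if ($name -eq 'client-certificate') {
            $cert   = $root.AppendChild($doc.CreateElement('client-certificate'))
            $issuer = $cert.AppendChild($doc.CreateElement('issuer'))
            $issuer.InnerText = $value
        } else {
            # XML Schema booleans are lower-case; PowerShell's [bool] formats as True/False.
            if ($value -is [bool]) { $value = $value.ToString().ToLowerInvariant() }
            $element = $root.AppendChild($doc.CreateElement($name))
            $element.InnerText = [string]$value
        }
    }
    return $doc
}

# Usage (connection and server names are placeholders, as in the examples above):
# $conf = New-F5VpnCustomConfiguration @{ port = 444; 'client-certificate' = 'Site Request Inc'; 'log-level' = 'info' }
# Add-VpnConnection -Name F5_vpn_custom -ServerAddress apm_server_fqdn -SplitTunneling $True `
#     -PluginApplicationID F5.vpn.client_cw5n1h2txyewy -CustomConfiguration $conf
```

Because the schema declares the child elements inside xs:all, the order in which the hashtable keys are emitted does not matter.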

Auto-triggered VPN connections

When you select an app or resource that needs access through Windows Inbox VPN, such as a company intranet site, Windows 8.1 can automatically prompt you to sign in with one click. For command syntax, open PowerShell and type Get-Help for these commands:

  • Add-VpnConnectionTriggerDnsConfiguration
  • Add-VpnConnectionTriggerApplication
  • Add-VpnConnectionTriggerTrustedNetwork

Auto-triggering a connection (SR_SanJose) for web sites in the *.siterequestnet.com domain

Add-VpnConnectionTriggerDnsConfiguration -ConnectionName "SR_SanJose" -DnsSuffix "siterequestnet.com" -DnsIPAddress 165.160.15.20

Note: You must specify the DnsIPAddress parameter with the real DNS server IP address; the connection does not work otherwise. This parameter cannot be overwritten by configuration from the BIG-IP system.

Removing an existing auto-trigger configuration

Remove-VpnConnectionTriggerDnsConfiguration -ConnectionName "SR_SanJose" -DnsSuffix "siterequestnet.com"

XML Schema: F5 configuration parameters

This is the schema for the CustomConfiguration property of the Add-VpnConnection PowerShell command.

<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="XMLSchema"
        targetNamespace="http://tempuri.org/XMLSchema.xsd"
        elementFormDefault="qualified"
        xmlns="http://tempuri.org/XMLSchema.xsd"
        xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <xs:simpleType name="log-levelType">
        <xs:restriction base="xs:string">
            <xs:enumeration value="default"/>
            <xs:enumeration value="minimum"/>
            <xs:enumeration value="info"/>
            <xs:enumeration value="debug"/>
        </xs:restriction>
    </xs:simpleType>
    <xs:element name="f5-vpn-conf">
        <xs:complexType>
            <xs:all minOccurs="0">
                <xs:element name="port" type="xs:unsignedShort" default="443"/>
                <xs:element name="landing-uri" type="xs:anyURI"/>
                <xs:element name="ssl-encryption" type="xs:boolean" default="true"/>
                <xs:element name="tls1.2" type="xs:boolean" default="true"/>
                <xs:element name="authenticate-retries" type="xs:unsignedByte" default="3"/>
                <xs:element name="log-level" type="log-levelType" default="default"/>
                <xs:element name="optimize-for-low-cost-network" type="xs:boolean" default="false"/>
                <xs:element name="single-sign-on-credential" type="xs:boolean" default="true"/>
                <xs:element name="client-certificate">
                    <xs:complexType>
                        <xs:all minOccurs="0" maxOccurs="1">
                            <xs:element name="issuer" type="xs:string" minOccurs="1"/>
                        </xs:all>
                    </xs:complexType>
                </xs:element>
            </xs:all>
        </xs:complexType>
    </xs:element>
</xs:schema>

Useful XML schema examples

Multifactor authentication with client certificate:
<f5-vpn-conf><client-certificate><issuer>Snake Oil</issuer></client-certificate></f5-vpn-conf>

Client certificate authentication only:
<f5-vpn-conf><prompt-for-credentials>false</prompt-for-credentials><client-certificate><issuer>Snake Oil Ltd</issuer></client-certificate></f5-vpn-conf>

Connecting to an APM server over port 80 with no SSL encryption (for debugging purposes only):
<f5-vpn-conf><port>80</port><ssl-encryption>false</ssl-encryption></f5-vpn-conf>

Note: The prompt-for-credentials element used in the second example is not declared in the schema above.

BIG-IP APM Configuration Notes

On Access Policy Manager (APM), you need to configure an access policy for Inbox F5 VPN Client.

Additionally, you need a standard network access configuration. For more information, refer to BIG-IP Access Policy Manager Network Access Configuration on the AskF5 website at http://support.f5.com.

Authentication support

Your access policy can collect this type of information for authentication purposes:

  • User name and password
  • Client certificate as second-factor authentication

Client certificate configuration requirements

In the access policy, use the Client Cert access policy item. (The On-Demand Cert Auth access policy item is not supported.)

In the client SSL profile for the virtual server, select request for the Client Certificate property.

Inbox F5 VPN Client and Windows RT detection

You can detect whether the Inbox F5 VPN Client is in use to ensure that your access policy branches run supported access policy items only.

Note: Inbox F5 VPN Client does not support client-side checks.

In addition to detecting the client, you might want to differentiate between Microsoft Windows 8.1 and Windows RT operating systems.

Inbox F5 VPN Client detection

The Client Type access policy item detects the type of client that a user selects to establish a VPN connection on a Windows system. The Client Type action automatically provides a Windows Built-In Client branch, and a Windows client on which Inbox F5 VPN Client is configured takes that branch. You do not need to configure any properties in the Client Type item for this to occur.

Windows RT detection

After an access policy determines that Inbox F5 VPN Client is in use, you might need it to differentiate between Windows 8.1 and Windows RT operating systems. The Client OS access policy item automatically supplies a Windows RT branch that, in addition to checking for Windows 8.1, verifies that the CPU is ARM.

Related documentation

For additional information, refer to the AskF5 web site (http://support.f5.com) for documentation specific to the version of Access Policy Manager that you are using.

Release Note for BIG-IP APM: New features and known issues.
BIG-IP Access Policy Manager Network Access Configuration: How to configure network access.
Configuration Guide for BIG-IP Access Policy Manager: Access profiles, access policies, visual policy editor.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802
Web: http://support.f5.com
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews
The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
Periodic plain text TechNews
F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.