Applies To:
- 12.1.0, 11.6.1, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Inbox F5 VPN Client Configuration Notes
The Inbox F5 VPN Client is built into Microsoft Windows 8.1 and Windows RT clients. It supports F5 VPN with BIG-IP Access Policy Manager (APM).
After you configure a VPN profile on your device for Inbox F5 VPN Client, select it from Network Connections.
Configuring a new VPN profile
- On your Windows system, select As you make selections, the display changes in response. .
- In the right pane, click Add VPN Connection.
- From the VPN provider list, select F5 VPN.
- In the Server name or address field, type the FQDN or IP address of the BIG-IP system with BIG-IP Access Policy Manager.
- Optional: Select the Remember my sign in info check box. When you select this check box, the Windows client caches your credentials and you do not need to enter them again.
F5 VPN profile parameters
This table specifies parameters that are specific to Inbox F5 VPN Client; the client supports these parameters in addition to other parameters that are available for VPN profiles. When you configure a VPN profile from PC Settings on your client, it takes the default values displayed in the table. These parameters are also available for configuring a VPN profile using PowerShell commands.
|Parameter||Type||Default||Description|
|port||number||443||Port to connect to VPN server (Access Policy Manager).|
|landing-uri||text||||Landing URI to use for authentication (APM).|
|ssl-encryption||boolean||true||If set to false, SSL encryption is not used.|
|authenticate-retries||number||3||Maximum number of attempts to prompt for credentials when authentication fails.|
|log-level||default, minimum, info, debug||default||Specifies maximum level for log entries.|
|client-certificate||string||||Specifies issuer of client certificate being used for authentication.|
|optimize-for-low-cost-network||boolean||false||If set to true, client tries to reconnect to cheapest available network connection.|
|single-sign-on-credential||boolean||true||If set to true, client tries to use VPN credentials to connect to Windows File Shares.|
Commands and parameters: VPN profile configuration
The Add-VpnConnection PowerShell command supports a CustomConfiguration property that you can use to specify F5 parameters for a VPN profile. The input for the command is in XML format; the schema is available in the XML Schema: F5 configuration parameters section of this document. For help customizing a VPN profile, refer to the Examples: VPN profile configuration section.
Useful PowerShell commands
|Command||Description|
|Add-VpnConnection||Add a VPN profile.|
|Get-VpnConnection||View configured VPN profiles.|
|Remove-VpnConnection||Delete a VPN profile.|
PowerShell command syntax
Use the Get-Help command in PowerShell to view command syntax. For example, type Get-Help Add-VpnConnection.
Examples: VPN profile configuration
These examples show how to specify F5 parameters for a VPN profile using PowerShell commands and the CustomConfiguration property.
Creating a client certificate for second-factor authentication
This example shows how to create a VPN profile that uses a certificate issued by Site Request, Inc. for second-factor authentication. The certificate must already be installed on the client device. Inbox F5 VPN Client can read the certificate from certificate storage on the device or from a smart card inserted into the device.
Using a nonstandard port
This example shows how to create a VPN profile using port 444 to connect to the BIG-IP system.
$xml = "<f5-vpn-conf><port>444</port></f5-vpn-conf>"
Using the landing URI
This example shows how to create a VPN profile using the landing URI to connect to the BIG-IP system.
$xml = "<f5-vpn-conf><landing-uri>test</landing-uri></f5-vpn-conf>"
Configuring multiple servers for VPN connection
This example shows how you can configure multiple servers for VPN connection. Inbox F5 VPN Client attempts to reach each server in the list until it successfully authenticates the user.
$VPNConnectionName = "Global VPN"
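The examples in this section hand an XML string to the CustomConfiguration property. The script below is an added example, not part of the original F5 document: it builds that XML with System.Xml so that values are escaped, and it refuses ssl-encryption=false unless that is requested explicitly. The helper name, the server name and the plug-in application ID placeholder are assumptions.

```powershell
# Added example. New-F5VpnCustomConfiguration is a hypothetical helper, not an F5 or Microsoft cmdlet.
function New-F5VpnCustomConfiguration {
    param(
        [ValidateRange(1, 65535)][int]$Port = 443,   # default from the parameter table
        [string]$LandingUri,
        [string]$ClientCertificateIssuer,
        [bool]$SslEncryption = $true,
        [switch]$AllowCleartextForDebug              # explicit opt-in for ssl-encryption=false
    )
    if (-not $SslEncryption -and -not $AllowCleartextForDebug) {
        throw 'ssl-encryption=false means SSL encryption is not used; pass -AllowCleartextForDebug to accept that.'
    }
    $doc  = New-Object System.Xml.XmlDocument
    $root = $doc.AppendChild($doc.CreateElement('f5-vpn-conf'))

    # Setting InnerText escapes &, < and > so a value cannot break the XML structure.
    $values = [ordered]@{ 'port' = $Port; 'ssl-encryption' = $SslEncryption.ToString().ToLower() }
    if ($LandingUri) { $values['landing-uri'] = $LandingUri }
    foreach ($name in $values.Keys) {
        $node = $root.AppendChild($doc.CreateElement($name))
        $node.InnerText = [string]$values[$name]
    }
    if ($ClientCertificateIssuer) {
        $cert   = $root.AppendChild($doc.CreateElement('client-certificate'))
        $issuer = $cert.AppendChild($doc.CreateElement('issuer'))
        $issuer.InnerText = $ClientCertificateIssuer
    }
    return $doc
}

# Port 444 with a client certificate as second factor; the issuer name is constructed sample data.
$config = New-F5VpnCustomConfiguration -Port 444 -ClientCertificateIssuer 'Example Issuing CA'
Write-Host $config.OuterXml

# Placeholders: substitute your BIG-IP address and the plug-in application ID of the F5 VPN provider.
$vpnArgs = @{
    Name                = 'F5 VPN (example)'
    ServerAddress       = 'vpn.example.com'
    PlugInApplicationID = '<F5-plugin-application-id>'
    CustomConfiguration = $config
}
if ($vpnArgs.PlugInApplicationID -notlike '<*') {
    Add-VpnConnection @vpnArgs    # runs only once the placeholder has been replaced
}
```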
Auto-triggered VPN connections
When you select an app or resource that needs access through Windows Inbox VPN, such as a company intranet site, Windows 8.1 can automatically prompt you to sign in with one click. For command syntax, open PowerShell and type Get-Help for these commands:
Auto-triggering a connection (SR_SanJose) for web sites in the *.siterequestnet.com domain
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName "SR_SanJose" -DnsSuffix "siterequestnet.com" -DnsIPAddress 188.8.131.52
Removing an existing auto-trigger configuration
Remove-VpnConnectionTriggerDnsConfiguration -ConnectionName "SR_SanJose" -DnsSuffix "siterequestnet.com"
XML Schema: F5 configuration parameters
This is the schema for the CustomConfiguration property of the Add-VpnConnection PowerShell command.
Useful XML schema examples
|XML schema example||Example syntax|
|Multifactor authentication with client certificate||<f5-vpn-conf><client-certificate><issuer>Snake Oil</issuer></client-certificate></f5-vpn-conf>|
|Client certificate authentication only||<f5-vpn-conf><prompt-for-credentials>false</prompt-for-credentials><client-certificate><issuer>Snake Oil Ltd</issuer></client-certificate></f5-vpn-conf>|
|Connecting to an APM server over port 80, no SSL encryption, for debugging purposes only||<f5-vpn-conf><port>80</port><ssl-encryption>false</ssl-encryption></f5-vpn-conf>|
BIG-IP APM Configuration Notes
On Access Policy Manager (APM), you need to configure an access policy for Inbox F5 VPN Client.
Additionally, you need a standard network access configuration. For more information, refer to BIG-IP Access Policy Manager Network Access Configuration on the AskF5 website at http://support.f5.com.
Your access policy can collect this type of information for authentication purposes:
- User name and password
- Client certificate as second-factor authentication
Client certificate configuration requirements
In the access policy, use the Client Cert access policy item. (The On-Demand Cert Auth access policy item is not supported.)
In the client SSL profile for the virtual server, select request for the Client Certificate property.
Inbox F5 VPN Client and Windows RT detection
You can detect whether the Inbox F5 VPN Client is in use to ensure that your access policy branches run supported access policy items only.
In addition to detecting the client, you might want to differentiate between Microsoft Windows 8.1 and Windows RT operating systems.
Inbox F5 VPN Client detection
The Client Type access policy item detects the type of client that a user selects to establish a VPN connection on a Windows system. The Client Type action automatically provides a Windows Built-In Client branch. A Windows client on which the Inbox F5 VPN client is configured takes that branch. You do not need to configure any properties in the Client Type item for this to occur.
Windows RT detection
After an access policy determines that the Inbox F5 VPN client is in use, you might need it to differentiate between Windows 8.1 and Windows RT operating systems. The Client OS access policy item automatically supplies a Windows RT branch that, in addition to checking for Windows 8.1, verifies that the CPU is ARM.
For additional information, refer to the AskF5 web site (http://support.f5.com) for documentation specific to the version of Access Policy Manager that you are using.
|Release Note for BIG-IP APM||New features and known issues.|
|BIG-IP Access Policy Manager Network Access Configuration||How to configure network access.|
|Configuration Guide for BIG-IP Access Policy Manager||Access profiles, access policies, visual policy editor.|
Contacting F5 Networks
For additional information, please visit http://www.f5.com.
You can find additional support resources and technical documentation through a variety of sources.
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
- Weekly HTML TechNews
- The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.
- Periodic plain text TechNews
- F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to firstname.lastname@example.org from the email address you are using to subscribe. Unsubscribe by sending a blank email to email@example.com.