Release Notes : APM Client 7.1.7.1

Updated Date: 03/09/2020

Summary:

Version 7.1.7.1 of the Edge Client is now available on downloads.f5.com.

Applies To: BIG-IP APM 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0

Contents:

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the following pages:

Features and enhancements in 7.1.7.1

There are no features or enhancements in 7.1.7.1.

Features and Enhancements in 7.1.7

The Machine Tunnel Service is a new Desktop Client feature for Windows only. When installed on client machines as a Windows service, a machine tunnel starts during the machine boot sequence and establishes a VPN connection to the specified APM servers in the background. No user interaction or interactive Windows session is required. This can be used for several different scenarios:
  • Off-premise or remote initial provisioning: Machine tunnels can provide connectivity to the corporate datacenter when the user logs in to a corporate laptop for the very first time.
  • Remote computer maintenance: IT staff can manage the machine and update software when the user is not logged in, but the device is on and idle.
  • Remote troubleshooting: Support staff are able to log into a user machine via a secure tunnel.
  • Remote self-service: When users forget their passwords, IT staff can use machine tunnels to reset the user passwords.

Fixes in 7.1.7.1

ID Number Description
714628-2 Previously, the split tunneling scope was too small to allow a large number of entries. The split tunneling scope size has been increased.
737443-1, 737443-2, 739090-1, 739094-1 These fix CVE-2018-5546 (https://support.f5.com/csp/article/K54431371). The svpn and policyserver components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS run as a privileged process and can allow an unprivileged user to get ownership of files owned by root on the local client host. A malicious local unprivileged user may gain knowledge of sensitive information, manipulate certain data, or assume super-user privileges on the local client host.

738704-1, 737362-1 These fix CVE-2018-5547 (https://support.f5.com/csp/article/K10015187). The logon integration component of the APM Windows client prior to version 7.1.7.1 runs under the system account. This module displays a certificate UI dialog that contains a link to the certificate policy. By clicking on this link, an unprivileged user can open an additional dialog and get access to Windows Explorer, which can be used to get Administrator privileges.

Fixes in 7.1.7

ID Number Description
610436 Previously, when two network adapters used the same DNS Server address on Microsoft Windows version 10, there could be DNS resolution errors. Now, DNS addresses are resolved correctly with two network adapters.
666497 Korean translation strings have been corrected.
673025 Previously, when the copyright was customized, the customized copyright was not displayed in the Edge Client for macOS. This has been fixed.
686718-4 Tunnel adapter is now closed on VPN termination even when Application launch is configured.
699330 Previously, on a Fedora 27 client, f5vpn and f5epi crashed upon start. This has been fixed.
700780 Now F5 DNS Relay Proxy service clears TC flag in all proxied packets, preventing client DNS resolvers from using TCP. An appropriate log entry is printed into the service's log.
700960 Previously on Ubuntu 17.10, after disconnecting from the VPN, the default route was not restored. This has been fixed.
702490 Previously, in some situations, Windows Credential Reuse did not work, requiring the EdgeClient end user to log in separately. This issue has been fixed.
702873 Previously, the Windows Logon Integration feature sometimes caused the Windows Logon screen to freeze. Now, this issue has been fixed. As a side effect of the fix, the Logon screen now shows duplicates of the pre-logon VPN Entries, which might be confusing for users. One duplicate comes from the Microsoft Credentials Provider. To disable the default Microsoft Credentials Provider see https://social.technet.microsoft.com/Forums/windows/en-US/9c23976a-3e2b-4b71-9f19-83ee3df0848b/how-to-disable-additional-credential-providers?forum=w8itprosecurity.
703984 In the previous release, the macOS machine cert agent checked only the beginning of the client hostname and certificate common name. The machine cert agent now checks the entire strings.
704535 F5 VPN and F5 EPI now properly consume data processed by Chrome 64+. Because earlier versions of F5 VPN or F5 EPI do not work properly with the Chrome 64+ browser, on those releases applications must be launched out-of-band (by standalone installer), or by launching F5 VPN/F5 EPI from another browser (such as Firefox or Edge).
705208 In the previous release, Edge Client on Windows was unable to establish a VPN connection after SAML authentication. Now, Edge Client can successfully establish a VPN connection after SAML authentication.
707448 Strings are now properly translated into German.
707738 Due to an issue introduced in Windows RS4, a VPN connection could not be established. This has been fixed.
710188 Previously, Google reCAPTCHA was not displayed on the logon page when implemented. Now Google reCAPTCHA is displayed.
710407 Previously, the F5 VPN and F5 EPI apps would quit on Linux distributions with Qt version 5.10.1 or higher. This has been fixed.
712728 On Linux, F5 helper apps (f5vpn and f5epi) are not automatically upgraded to version 7.1.7. As a workaround, manually uninstall f5epi and f5vpn. Connect to Access Policy Manager using a web browser. Follow the instructions when prompted to install f5epi or f5vpn.
714542 Now, when a user right-clicks the Edge Client tray icon in Always Connected mode, the Always Connected Mode text is displayed on the tray icon pop-up menu.
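
The behavior described for fix 700780, as an added example that is not F5's code: the TC (truncation) bit sits in the 16-bit flags word of the DNS header (mask 0x0200, RFC 1035 section 4.1.1), and a relay that clears it rewrites only that word. The function names, the log line format, and the sample packets are constructed for illustration.

```python
import struct

TC_MASK = 0x0200   # TC bit within the 16-bit DNS header flags word
HEADER_LEN = 12    # fixed DNS header size in bytes


def clear_tc(packet):
    """Return (packet with TC cleared, True if TC had been set)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a DNS header")
    txid, flags = struct.unpack_from("!HH", packet, 0)
    if not flags & TC_MASK:
        return packet, False
    patched = struct.pack("!HH", txid, flags & ~TC_MASK & 0xFFFF) + packet[4:]
    return patched, True


def build_response(txid, truncated):
    """Constructed sample: response (QR=1, RD=1, RA=1) with one question, no answers."""
    flags = 0x8180 | (TC_MASK if truncated else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"\x07example\x03com\x00"          # example.com
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def relay(packets):
    """Proxy a batch; return the forwarded packets and one log line per cleared flag."""
    forwarded, log = [], []
    for pkt in packets:
        patched, was_set = clear_tc(pkt)
        forwarded.append(patched)
        if was_set:
            txid = struct.unpack_from("!H", patched)[0]
            # Hypothetical log format; the real service's log text is not on this page.
            log.append(f"cleared TC flag on response id=0x{txid:04x}")
    return forwarded, log


if __name__ == "__main__":
    out, log = relay([build_response(0x1A2B, True), build_response(0x3C4D, False)])
    for line in log:
        print(line)
```

With TC cleared the client resolver no longer sees a reason to retry over TCP, so it treats a truncated answer as complete; the log entry is the only record that truncation occurred.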

Known issues in 7.1.7.1

The following are known issues in 7.1.7.1.

ID Number Description
681023 F5 endpoint inspection and F5 VPN applications are not upgraded automatically on OpenSuse 42.3 and Suse Enterprise Desktop 12 SP2. As a workaround, with the F5 EPI or F5 VPN download (linux_f5epi.tgz or linux_f5vpn.tgz) in the platform's download folder:
  1. Untar the file: tar -xvf linux_f5epi.tgz
  2. Select the appropriate file. For example, for a 64-bit CPU select linux_f5epi.x86_64.rpm
  3. Install the package: rpm --force -ivh linux_f5epi.x86_64.rpm, or uninstall the older component first: rpm -e f5epi or rpm -ivh linux_f5epi.x86_64.rpm.
681281 On Fedora 26, after disconnecting from the VPN, the default route is not restored. As a workaround, disable and re-enable the network adapter.
681956 If a user disconnects from the VPN while there is no connectivity on a statically-configured network adapter, and network connectivity is then restored to that adapter after the disconnection, the default route is not restored. As a workaround, you can either manually add a default route to the network adapter gateway, or enable DHCP on the network adapter.
683819 When Edge Client is installed using the CLI or msiexec, the following config parameters are not installed.
  • Exclusion List is not installed properly
  • Auto Launch option is not installed properly
As a workaround, use the F5 Edge Client installer to install the client. From CLI this can be performed with the command BIGIPEdgeClient.exe /q.
700770 With Always Connected mode, when hosts and IP addresses are added to the exclusion list in the registry manually after the client is installed, they are deleted after the client is uninstalled. As a workaround, after the client is reinstalled, add the exclusions again.
703874 If the VPN is connected and disconnected repeatedly, a user may fail to logon. Logon will be retried automatically, and eventually succeed.
708922 Client side proxy configuration will be ignored after VPN is established, if proxy configuration is deployed using DHCP option 252. As a workaround, configure client side proxy information in IE configuration.
714043 NPAPI inspection host plugin on macOS does not work with the latest Endpoint Security (EPSEC) update image because policyserver is not part of the OESIS package, since it is bundled with individual applications. There is no workaround at this time.

Contacting F5 Networks

Phone - North America: 1-888-882-7535 or (206) 272-6500
Phone - Outside North America, Universal Toll-Free: +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers: See Product Support Regional Contact Information for your area.
Web: https://f5.com/
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
