Release Notes : APM Client 7.1.9

Applies To:


BIG-IP APM

  • 16.0.0, 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0

Summary:

The Edge Client version 7.1.9 is now available on downloads.f5.com.


User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the following pages:


Features and enhancements in 7.1.9

User interface simplified

Edge Client for macOS has a new and improved UI with quickly accessible connection options on the Edge Client menu in the menu bar. To start a VPN connection, the user launches Edge Client and logs in to establish the VPN. When the Auto-Connect and Always-Connected mode is enabled, the user is automatically logged in, and the VPN is established.

Temporarily disconnect from the VPN without logging out

Edge Client now allows the users to temporarily disconnect from the VPN without logging out. The login session remains active, and when the user chooses to Turn VPN On, the VPN establishes without the need for re-authentication. The logon session remains active until the user quits, or the session times out.

Touch ID support for macOS Edge Client

For Touch ID enabled macOS devices, Edge Client now allows a returning user to provide fingerprint as device authentication, thereby protecting data from unauthorized access.

Auto-Connect in Network Location Awareness

Edge Client's Auto-Connect lets you start a secure access connection as needed. When Auto-Connect is enabled, and the user is on an enterprise network, the client disconnects and remains active in the status menu. When the user moves outside the enterprise network, the login session remains active, and the VPN connection establishes automatically without the need for re-authentication. The Auto-Connect option is available in the Preferences popup screen when the Network Location Awareness feature is enabled.

Delete log files

A new command that simplifies deleting log files has been added to the Client Troubleshooting Utility.

F5 CTU Report improvements

The CTU Report shows the adapter name and device ID and includes more information in the logs. Also, the CTU System Summary report results now match those in the system registry.

Load client certificates from the Local Machine Store

Previously, for on-demand certificate authentication, the machine tunnels service could select only the client certificate presented in the service store. With this release, you can configure the service to select a client certificate from the Local Machine store.

To configure using the Windows Registry:

  1. Start the registry editor (Start > regedit).
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\F5MachineTunnelService\Parameters.
  3. Set string ClientCertStoreLocation to system or service.
  4. Set string ClientCertStoreName to the store name. The default store name is MY and can be changed to a custom store.
Note: When no registry setting is specified, then the machine tunnels service will pick the client certificate from the service store.
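
The registry steps above, scripted in PowerShell as an added example (not F5's own tooling). The key path and value names come from the steps; the certificate check at the end is a generic sanity filter assumed here, not the service's documented selection logic.

```powershell
# Added example: run from an elevated PowerShell session.
# Key path and value names are taken from the registry steps above.
$key       = 'HKLM:\SYSTEM\CurrentControlSet\Services\F5MachineTunnelService\Parameters'
$location  = 'system'   # 'system' = Local Machine store, 'service' = service store
$storeName = 'MY'       # default store name; replace with a custom store if used

if (-not (Test-Path -Path $key)) {
    throw "Registry key not found: $key (is the machine tunnel service installed?)"
}

# Record the previous values so the change can be audited or reverted.
$before = Get-ItemProperty -Path $key
"Previous location: '$($before.ClientCertStoreLocation)'  name: '$($before.ClientCertStoreName)'"

# -Force creates the string (REG_SZ) value or overwrites an existing one.
New-ItemProperty -Path $key -Name 'ClientCertStoreLocation' -Value $location `
    -PropertyType String -Force | Out-Null
New-ItemProperty -Path $key -Name 'ClientCertStoreName' -Value $storeName `
    -PropertyType String -Force | Out-Null

# Read the values back to confirm what the service will see.
Get-ItemProperty -Path $key | Select-Object ClientCertStoreLocation, ClientCertStoreName

# Assumption: a usable client certificate has a private key, is within its
# validity period, and either has no EKU restriction or lists client authentication.
if ($location -eq 'system') {
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $now = Get-Date
    $candidates = Get-ChildItem -Path "Cert:\LocalMachine\$storeName" | Where-Object {
        $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        ($_.EnhancedKeyUsageList.Count -eq 0 -or
         $_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    }
    if (-not $candidates) {
        Write-Warning "No usable client certificate found in Cert:\LocalMachine\$storeName"
    } else {
        $candidates | Select-Object Subject, Thumbprint, NotAfter
    }
}
```

An empty candidate list after switching to the Local Machine store is worth resolving before relying on the machine tunnel for on-demand certificate authentication.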

To configure using the F5MachineTunnelInfo utility:

From the command prompt that is run as an administrator:

  • type F5MachineTunnelInfo.exe --set_client_certstore system <store name> to set the client certificate store location as the Local Machine store.
  • type F5MachineTunnelInfo.exe --set_client_certstore service <store name> to set the client certificate store location as the F5MachineTunnelService store.
  • type F5MachineTunnelInfo.exe --remove_client_certstore to remove the client certificate store location and name configuration.


System Tray notifications replace Growl Notifications

Edge Client for macOS now uses system notifications replacing the Growl notifications, which were interruptive and displayed even when the main window was in focus. The new system tray notifications are non-intrusive and disappear once the VPN is connected. These notifications appear in the top-right corner of the screen and the Notifications pane. The user can disable notifications in the Preferences.

Fixes in 7.1.9

The following issues have been fixed in this release.

ID Number Description
488172 Changed the wording of a confusing DHCP Server could not be reached message to say that the system is waiting for interface initialization to be complete.
582348-1 Previously, the Edge Client for macOS displayed the You need to enable cookies in order to remember this device error message when the virtual server was configured with DUO two-factor authentication and the option Remember me for 30 days was selected on the DUO logon page. With this release, the Edge Client accepts 3rd party cookies without any error.
745969 Previously, in always connected mode, the VPN had trouble connecting after Edge Client version 7.1.5 or earlier auto-updated to version 7.1.6 or later due to certificate problems. The VPN now connects properly after auto-updates.
759343 Previously, the BIG-IP Edge Client for macOS could allow unprivileged users to access files owned by the root account. Now, all existing installation log files are removed, and this issue is fixed.
759640 Previously, when a Session Expired/Timeout popup window appeared on the Logon Page in the Edge Client for macOS, clicking the Start new session link resulted in the BIG-IP APM server categorizing uimode as Full Browser (0) for the new session. If your Access Policy logic had a uimode check where Full Browser mode resulted in no Network Access resource, logon failure could occur. This issue has been fixed, and now on macOS, Edge Client is no longer detected as Full Browser (uimode 0) by APM.
765045 Previously, the Edge Client installation failed on Windows 10 with Korean Locale and Escort PC security installed. Now, this issue is fixed, and the Edge Client installation is successful.
767609 Previously, on some Ubuntu Linux v18.04 systems, when you logged out from VPN after connecting using Firefox, the WiFi connectivity was lost, and the f5vpn process did not terminate. Now, after logging out from the VPN, the WiFi connection is not lost, and the issue is fixed.
773621, 773633, 773637, 773641, 773649, 773653 Fixed issues where the Edge Client log could expose sensitive information to local users. The sensitive data is now masked to resolve the vulnerability.
775513 Previously, the Edge Client system tray icon disappeared, when you changed the display resolution while Edge Client was connected. Now, this issue is fixed, and the F5 icon stays in place after changing the display settings.
776141 In the past, Edge Client notifications did not display if the text was scaled above 100%. Now state change notifications are shown when text is scaled.
782117 Previously, when redirecting from one virtual server to another virtual server that is reachable only by a client-side proxy having a different hostname, the request for detecting APM failed. This happened because the Client Type variable for the session created was IE instead of standalone and resulted in denying access to the user when the policy had a Client Type agent. In another scenario, when redirecting from a virtual server to an external 3rd party server, there was a delay in completing logon when the redirected hostname had multiple IP addresses.

With this release, the created Client Type session variable is standalone, and the issue is resolved.

803921 In the past, some access policies with 3rd party redirection for authentication incorrectly redirected some URLs to APM. Now, redirection to APM is only triggered when navigating to a document, not for every resource downloaded for the document.
805929 DNS resolution does not work in split tunnel configurations that specify DNS exclude address space but no DNS address space.

As a workaround, specify some patterns in the DNS address space. If the intention is to provide DNS excluding address space, then specify * in the DNS address space.

807517 Previously, the DNS relay proxy service was unable to handle a larger number of DNS requests and gave errors causing the servers to become unresponsive. Now, this issue is fixed, and the service handles bulk requests without any error.

812433 In past releases, in some configurations, the DNS relay proxy service forwarded DNS requests to IPv6 site-local addresses and automatically added those addresses as DNS servers, resulting in slower DNS resolution. Now, the DNS relay proxy no longer forwards DNS requests to those IPv6 site-local addresses.
815129 Previously, the EdgeClient UI could become unresponsive while changing states when Machine Tunnel was installed but not configured. Now, the Edge Client changes state without delay, and this issue is resolved.
818621 When using F5 Helper Apps (f5-epi and f5-vpn) with IE/Edge Browser on Windows, security warnings used to occur. The warnings no longer appear.
825049 New code signing was not possible as the code signing certificate expired on December 11, 2019. The Edge Client now includes a newer signing certificate.
825813 Previously Edge Client could not be installed on macOS 10.15 Catalina because macOS Catalina requires the application installation package to be notarized by default. Now, this issue is fixed, and the Edge Client installation package is notarized to meet the new security requirements of macOS Catalina. macOS 10.14.5 and 10.15 are fully supported with APM Clients 7.1.8.2 and BIG-IP 13.1.x.

To support macOS 10.14.5 and above on BIG-IP 11.6.x and BIG-IP 12.1.x, use the following workarounds:

Workaround 1: Temporarily override your Mac security settings

  1. On macOS, when Edge Client fails to install because it has not been notarized, it will appear in System Preferences > Security & Privacy under the General tab. Click Open Anyway to confirm your intent to open or install the app.
  2. Click Open in the warning prompt.

Edge Client is now saved as an exception to your security settings, and you can open it in the future by double-clicking it.

Workaround 2: Open Edge Client in the Applications folder

  1. Drag the downloaded Edge Client to the Applications folder.
  2. Right-click the application, or hold the Control key on the keyboard and click the app.
  3. From the options, click on Open.
  4. Click Open in the warning prompt.

Workaround 3: Use Terminal to allow all apps

  1. Open Terminal in macOS.
  2. Type the command sudo spctl --master-disable. Press Enter.
  3. Enter the administrator password.
  4. Open System Preferences > Security & Privacy under the General tab. The Allow apps downloaded from section will display the Anywhere option. Select Anywhere, and save changes.
Note: This workaround may put your security at risk, because it allows apps downloaded from anywhere to run. To hide the Anywhere option again, open Terminal and type the command sudo spctl --master-enable.
831953 Previously, the EdgeClient for macOS built with an Apple WebView WebKit could not display certain captive portal login pages. Now, this issue is fixed, and the captive portal login page is displayed correctly.
832337 Previously, the remove_client_certstore command for Machine Tunnel service did not display any output message. Now, the output messages are displayed informing users about the success and failure of the client certificate configuration removal.
833021 Configuring the Machine Tunnel Service to use the service store requires the store name to be prepended with F5MachineTunnelService\ such as F5MachineTunnelService\MY when using the Windows registry or the command line utility. The system now does this automatically.
838909 Previously, a malicious captive portal could prompt the user to provide their enterprise credentials and get access to the password hash. With this release, Edge Client does not respond to such credential requests from captive portals.
857689 Previously, when using DTLS connection, the CPU usage could increase to 100%, impacting performance and throughput. Now, the issue is fixed, and the throughput speed is not impacted.
862641 Previously, in the Edge Client for Windows, the Stonewall service failed to block traffic after the VPN was disconnected, and the user could access resources over the internet. Now, this issue is fixed, and traffic is blocked when the VPN is disconnected.
862709 On Windows Enterprise LTSC 2019, the Edge Client crashes after being connected for a period of time. Now, the issue is fixed, and the Edge Client no longer crashes.
863957 If the OPSWAT Endpoint Security (EPSEC) package is signed using a newer version of the certificate than the APM client, then each time the user logs in and an endpoint check is performed, OPSWAT components are downloaded and installed in a new folder. The APM 7.1.8.3 release fixed this issue and is compatible with the latest version of EPSEC. Refer to the EPSEC Release Notes and follow the guidelines to ensure APM client compatibility with EPSEC.
867413 Previously, in the Edge Client for macOS, sometimes the captive portal resolution feature did not work after reboot due to an issue in detecting the captive portal state. Now, the captive portal state is successfully detected, and this issue is fixed.
881213 Previously, the Edge Client's status bar icon displayed the maximum session timeout in a Session expires in hh:mm:ss tooltip, and did not show actual session timeout information. Now, this tooltip has been removed to avoid confusion, and the issue is fixed.

Known issues in 7.1.9

The following are known issues in this release.

ID Number Description
753793 The customized logo on the Edge Client logon page for macOS is not displayed. The customized elements are hidden by default and require additional updates to apm_edge.css to make the logo appear on the logon page. Complete the following two tasks to customize the logo for Edge Client for macOS:
Task 1: Customize the Header left image using the customization tool and the Front Image using the visual policy editor as desired.
  1. Navigate to Access > Profiles / Policies > Customization > General .
  2. Click Form Factor and click Full/Mobile Browser.
  3. On the Branding tab, navigate to Customization Settings > Access Profiles > /Common/access_profile_name > Common > Page Header Settings .
  4. For Header left image (Mobile Devices size), click the file path of the image, then click the replace icon to the right of the pathname.
  5. Click Replace, click your custom image, then click Change.
  6. Click Save. Select Apply Access Policy.
  7. Go to Access Policy > Access Profiles > Access Profiles Lists.
  8. Select Edit to the right of the access profile name and locate the Logon Page policy item.
  9. Under customization, for Front Image, select Replace Image or Revert to Default as desired.
  10. Select Save. Select Apply Access Policy.
Task 2: Update apm_edge.css file for making the logo appear on the logon page.
  1. Navigate to Access > Profiles / Policies > Customization > Advanced.
  2. Click Form Factor and click Full/Mobile Browser.
  3. On the Branding tab, navigate to Customization Settings > Access Profiles > /Common/access_profile_name > Common > apm_edge.css .
  4. In the CSS stylesheet, change display: none to display: block to show the customized elements that are hidden by default. The following rules control the visibility of the elements containing customization:
    • /* Header */
      table#page_header {
        display: none;
      }

    • /* Footer */
      div#page_footer {
        display: none;
      }

    • /* Main Table Image cell */
      table#main_table td#main_table_image_cell {
        /* vertical-align: top;
           width: %[page_i_mage_cell_width]; */
        /* side image align */
        /* text-align: %[page_i_mage_align]; */
        display: none;
      }

    • /* Main Table Image cell: image */
      table#main_table td#main_table_image_cell img {
        width: 0px;
        height: 0px;
        display: none;
      }
      
871989 When you configure an access policy with end-point checks, the Edge Client for macOS displays a detached window with the Checking for antivirus software... message. If you click on the status bar icon before the logon page is displayed, it pauses the access policy execution.
875461 If you skip an auto-update during an initial connection and connect to the VPN, Edge Client tries to re-initiate the auto-update and prompts for a root password when you resume a paused VPN by clicking Turn VPN On. If you cancel this prompt for the root password, then the VPN does not resume, the Turn VPN Off option is disabled, and the Edge Client icon on the status menu displays an error icon (red triangle with an exclamation).

Workaround 1: Quit and restart the Edge Client application.

Workaround 2: Change the VPN server to switch the VPN connection.

879497 Edge Client on macOS fails to start after installation because the installation files have the com.apple.quarantine extended attribute associated with them. This attribute is automatically added by macOS to ask the user for confirmation the first time the downloaded program is run.

Workaround: Strip out the extended file attribute

  1. Run the command xattr -cr * /path/to/edge/client/installation/files.
  2. Reinstall the Edge Client.
880033 The Save password option does not work on Edge Client for macOS when the two-factor authentication is configured on the logon page, causing the user to re-enter the password on every login.
881217 If the VPN is connected, disabling Auto-Connect in the Preferences popup screen disconnects the VPN.

Workaround: Click Turn VPN On to manually connect to the VPN.

883549 Edge Client does not close the logon page when the user enters the enterprise network.

Workaround: The logon page disappears after successful authentication. Enter your credentials and click logon.
