Release Notes : APM Client

Applies To:



  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Release Notes
Updated Date: 08/30/2023


BIG-IP Edge Client establishes secure communications to applications and networks. It provides users with full access to IP-based applications, resources, and intranet files as if they were physically working on the office network.

The Edge Client version is now available on


User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the following pages:

Features and enhancements

Generate endpoint check report using CTU tool

Earlier, the BIG-IP Edge Client for Windows logged endpoint inspection check information in its log data. Now, you can generate an OPSWAT Endpoint Inspection report using the latest client troubleshooting utility (CTU) tool, making it more secure and manageable for troubleshooting and debugging purposes. The third-party inspection libraries from OPSWAT are used as the basis for F5 endpoint posture checks and include reports on firewall, antivirus, peer-to-peer software, patch management, hard disk encryption, anti-spyware, and Windows health agent.

Network Location Awareness (NLA) on machine tunnel support

The Network Location Awareness (NLA) on machine tunnel determines when a service should establish a Network Access connection with the configured APM server.

During a network switch, NLA uses the configured DNS Suffixes to detect whether a network connection is corporate or non-corporate. If NLA detects that the current network connection is a corporate network, it enables the Machine Tunnel service to automatically terminate the Network Access connection, and to establish the connection again on a non-corporate network.

Refer to the Location detection mechanism section in the article for details on detecting a corporate network.

You can enable NLA for machine tunnels using registry editor or push the registry key using group policy:

  1. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\F5MachineTunnelService\Parameters folder.
  2. On the Edit menu, click New > String Value.
  3. For the name of the string value, type DNSSuffixes.
  4. The type of the registry value is REG_SZ.
  5. Edit the string value and enter the DNS Suffixes that you want to be detected as corporate network. Multiple DNS Suffixes are allowed and they must be separated by a comma. For example,,
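
The same steps as a script, as an added example that is not from the F5 documentation: it validates each suffix, writes the comma-separated REG_SZ value, and reads it back to confirm the type. The suffixes shown are constructed placeholders; run it from an elevated PowerShell prompt on a machine where the machine tunnel service is installed.

```powershell
# Added example: sets the DNSSuffixes value described in the steps above.
# The suffixes are constructed placeholders, not values from the release notes.
$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\F5MachineTunnelService\Parameters'
$Suffixes = @('corp.example.com', 'branch.example.com')   # placeholders

# Reject anything that is not a plain DNS name, so a typo (space, stray comma,
# leading dot) cannot silently produce a suffix that never matches.
$label   = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
$pattern = '^{0}(\.{0})*$' -f $label
foreach ($s in $Suffixes) {
    if ($s -notmatch $pattern) {
        throw "Not a valid DNS suffix: '$s'"
    }
}

if (-not (Test-Path -LiteralPath $KeyPath)) {
    throw "Key not found: $KeyPath (is the machine tunnel service installed?)"
}

# REG_SZ, comma-separated, as the steps specify. -Force overwrites an old value.
$value = $Suffixes -join ','
New-ItemProperty -LiteralPath $KeyPath -Name 'DNSSuffixes' `
    -PropertyType String -Value $value -Force | Out-Null

# Read back and confirm both the stored type and the stored content.
$key  = Get-Item -LiteralPath $KeyPath
$kind = $key.GetValueKind('DNSSuffixes')
$read = $key.GetValue('DNSSuffixes')
if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String -or $read -ne $value) {
    throw "DNSSuffixes verification failed (kind=$kind, value='$read')"
}
"DNSSuffixes = $read ($kind)"
```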


The following issues have been fixed in this release.

ID Number Description
971293-1 Previously, when Always Connected mode was enabled, Windows clients could configure the network servers by using the Manage VPN Servers option. This issue is fixed, and now, the server list is non-editable when the client is configured in Always Connected mode.
1000965-2 Fixed an issue in Edge Client for macOS where the machine certificate check failed when both an expired and a valid certificate existed with the same name.
Workaround: Follow the steps to delete the expired certificate:
  1. From the Finder, click Go > Utilities > Keychain Access.
  2. In the left pane, click System to list all the certificates.
  3. Click the expired certificate that you want to delete.
  4. In the menu bar, click Edit > Delete.
1008213-1 Previously, during access policy evaluation for the On-Demand Cert Auth, the Edge Client for Windows showed an additional certificate selection prompt instead of selecting the certificate automatically. This happened even when there was only a single valid certificate installed on the client, whereas the dialog is expected to be shown when there are several user certificates installed. This issue is now resolved.
1020609-2 Fixed an issue where the SSL VPN did not follow best practices when responding to an invalid host request.
1021141-1 Previously, after upgrading to epsec-1.0.0-969.0.iso, Edge Client for macOS and failed to perform the endpoint inspection check, and the VPN connection failed. A fix for the problem was included in the following apmclient.iso releases and update 1. This release also includes the fix. Refer to the article for details.
1023621-1 Fixed the issue where on Windows 10 20H1 devices, older versions of DNS relay proxy service corrupted the DNS Suffix Search List value to REG_BINARY instead of REG_SZ. This resulted in a failure to resolve DNS names.

Workaround: Modify the Windows Registry with the Registry Editor, Command Prompt, or Logon Scripts.

To modify using the Windows Registry Editor:

  1. Log in to the affected Windows system using an account with privileges to edit the registry for the users on the system.
  2. Click Start > Run and type regedit. Click OK.
  3. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters folder.
  4. Delete the SearchList REG_BINARY value.
  5. On the Edit menu, click New > String Value.
  6. For String Value, type SearchList.
  7. On the File menu, click Exit.
To modify using the Windows Command Prompt, run the following commands:
  1. reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ /v SearchList /f
  2. reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /t REG_SZ /v SearchList /f
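
A check for the type corruption described in ID 1023621, as an added example that is not from the F5 documentation: it reports the stored type of SearchList, logs the raw data before changing anything, and with the `-Repair` switch (a parameter of this example) applies the same delete-and-recreate as the two commands above. Save it as a script and run it from an elevated PowerShell prompt.

```powershell
# Added example: detect and repair a SearchList value stored with the wrong type.
param([switch]$Repair)   # -Repair is this example's own switch

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Name    = 'SearchList'

$key = Get-Item -LiteralPath $KeyPath
if ($key.GetValueNames() -notcontains $Name) {
    "$Name is not present under $KeyPath; nothing to check."
    return
}

$kind = $key.GetValueKind($Name)
if ($kind -eq [Microsoft.Win32.RegistryValueKind]::String) {
    "$Name is REG_SZ (healthy): '$($key.GetValue($Name))'"
    return
}

# Any other type is unexpected; REG_BINARY is the corruption described in 1023621.
# Log the raw data first so the previous suffix list is not lost by the repair.
$raw = $key.GetValue($Name)
$hex = if ($raw -is [byte[]]) {
    ($raw | ForEach-Object { $_.ToString('x2') }) -join ' '
} else { "$raw" }
Write-Warning "$Name has type $kind instead of String. Raw data: $hex"

if (-not $Repair) {
    'Run again with -Repair to replace it with an empty REG_SZ value.'
    return
}

# Same effect as the two reg.exe commands: delete, then recreate as empty REG_SZ.
Remove-ItemProperty -LiteralPath $KeyPath -Name $Name -Force
New-ItemProperty -LiteralPath $KeyPath -Name $Name -PropertyType String -Value '' |
    Out-Null

$after = (Get-Item -LiteralPath $KeyPath).GetValueKind($Name)
if ($after -ne [Microsoft.Win32.RegistryValueKind]::String) {
    throw "Repair failed: $Name is still $after"
}
"$Name recreated as REG_SZ; re-enter any required suffixes from the logged data."
```

Without `-Repair` the script only reports, which makes it suitable for a fleet-wide audit before any change is pushed.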
1031977-1 Previously, if the machine tunnel was running and you tried to establish a VPN connection using Edge Client, two concurrent connected users (CCUs) were consumed per user. This issue is fixed, and now, only one CCU is consumed per user.
1032633-1 Previously, when DataSafe was enabled on the virtual server, endpoint inspection failed. This issue is fixed, and now, the endpoint inspections are performed successfully.
1045117-2 Previously, after upgrading to APM Client, the client could not connect to the VPN on Windows 10 32-bit edition and kept displaying the Waiting to connect to server message. This issue is fixed, and now, the VPN connects successfully.

Workaround: Modify the Windows Registry:

  1. Log in to the affected Windows system using an account with privileges to edit the registry for the users on the system.
  2. Click Start > Run and type regedit. Click OK.
  3. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\F5 Networks\RemoteAccess\SingleProcessLogon and add a new DWORD.
  4. Set its value to 1.
  5. On the File menu, click Exit.

Known issues

There are no known issues in this release.

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers Regional Offices

How to Contact F5 Support or the Anti-Fraud SOC

You can contact a Network Support Center as follows:

You can manage service requests and other web-based support online at F5 My Support (registration required). To register email with your F5 hardware serial numbers and contact information.

You can contact the Anti-Fraud SOC as follows:

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.