Release Notes : APM Client 7.2.1

Release Notes
Updated Date: 05/31/2022

Summary:

BIG-IP Edge Client establishes secure communications to applications and networks. It provides users with full access to IP-based applications, resources, and intranet files as if they were physically working on the office network.

The Edge Client version 7.2.1 is now available on downloads.f5.com.

Applies To: 13.1.0, 13.1.1, 13.1.3, 13.1.4, 13.1.5, 14.0.0, 14.0.1, 14.1.0, 14.1.2, 14.1.3, 14.1.4, 14.1.5, 15.0.0, 15.0.1, 15.1.0, 15.1.1, 15.1.2, 15.1.3, 15.1.4, 15.1.5, 15.1.6, 16.0.0, 16.0.1, 16.1.0, 16.1.1, 16.1.2, 16.1.3, 17.0.0 

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the following pages:


Features and enhancements in 7.2.1

DTLS 1.2 Support

Edge Client now supports Datagram Transport Layer Security (DTLS) version 1.2. DTLS provides the confidentiality, integrity, and peer authentication of TLS over UDP, so the VPN data channel is protected against eavesdropping, tampering, and message forgery without the head-of-line blocking of a TCP-based tunnel.

Beginning with BIG-IP version 16.0.0, the clientssl SSL profile has a new No DTLSv1.2 setting. It must be explicitly disabled to enable DTLS 1.2 on the virtual server. Edge Client remains backward compatible with BIG-IP versions earlier than 16.0 that do not support DTLS 1.2.
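One way to confirm which DTLS version the tunnel actually negotiated is to capture the UDP handshake (for example with tcpdump on the Network Access port) and read the version fields out of the ClientHello and ServerHello records. The parser below is an added example, not F5 or Edge Client code; the records it parses are constructed by hand rather than read from a capture, and the cipher suite bytes in them are placeholders. The same check is useful for the known issue 915973 later on this page, where a TLS connection may be established instead of DTLS 1.2.

```python
"""Read the DTLS version out of a captured handshake record.

Added example, not F5 or Edge Client code. Confirms whether DTLS 1.2 (0xFEFD)
rather than DTLS 1.0 (0xFEFF) was negotiated. Sample records are constructed
inline; no capture file is read.
"""
import os
import struct

DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}
CONTENT_HANDSHAKE = 22
CLIENT_HELLO, SERVER_HELLO = 1, 2

# Record header: type(1) version(2) epoch(2) sequence(6, split 2+4) length(2) = 13 bytes
RECORD_HDR = struct.Struct("!BHHHIH")
RECORD_HDR_LEN = RECORD_HDR.size
# Handshake header: type(1) length(3) message_seq(2) fragment_offset(3) fragment_length(3)
HANDSHAKE_HDR_LEN = 12


def parse_dtls_handshake(record: bytes) -> dict:
    """Parse one DTLS record carrying an unfragmented handshake message.

    The body version is the field that matters: a ClientHello's record layer is
    commonly sent as DTLS 1.0 for compatibility, while the ServerHello body
    carries the version the server actually selected.
    """
    if len(record) < RECORD_HDR_LEN:
        raise ValueError("record shorter than a DTLS record header")
    ctype, rec_ver, epoch, seq_hi, seq_lo, length = RECORD_HDR.unpack(record[:RECORD_HDR_LEN])
    if ctype != CONTENT_HANDSHAKE:
        raise ValueError(f"content type {ctype} is not a handshake record")
    fragment = record[RECORD_HDR_LEN:RECORD_HDR_LEN + length]
    if len(fragment) < HANDSHAKE_HDR_LEN:
        raise ValueError("truncated handshake header")
    msg_type = fragment[0]
    msg_len = int.from_bytes(fragment[1:4], "big")
    msg_seq = int.from_bytes(fragment[4:6], "big")
    frag_off = int.from_bytes(fragment[6:9], "big")
    frag_len = int.from_bytes(fragment[9:12], "big")
    if frag_off != 0 or frag_len != msg_len:
        raise ValueError("fragmented handshake message; reassemble fragments first")
    body = fragment[HANDSHAKE_HDR_LEN:HANDSHAKE_HDR_LEN + frag_len]
    info = {
        "record_version": DTLS_VERSIONS.get(rec_ver, hex(rec_ver)),
        "epoch": epoch,
        "sequence": (seq_hi << 32) | seq_lo,
        "handshake_type": {CLIENT_HELLO: "ClientHello", SERVER_HELLO: "ServerHello"}.get(msg_type, msg_type),
        "message_seq": msg_seq,
    }
    if msg_type in (CLIENT_HELLO, SERVER_HELLO):
        body_ver = int.from_bytes(body[0:2], "big")  # client_version / server_version
        info["handshake_version"] = DTLS_VERSIONS.get(body_ver, hex(body_ver))
    return info


def negotiated_dtls12(server_hello_record: bytes) -> bool:
    """True when a ServerHello record shows that DTLS 1.2 was selected."""
    info = parse_dtls_handshake(server_hello_record)
    return info["handshake_type"] == "ServerHello" and info.get("handshake_version") == "DTLS 1.2"


def build_handshake_record(record_version: int, msg_type: int, body: bytes, msg_seq: int = 0) -> bytes:
    """Assemble a single-fragment DTLS handshake record (used to build the samples)."""
    hs = (bytes([msg_type]) + len(body).to_bytes(3, "big") + msg_seq.to_bytes(2, "big")
          + (0).to_bytes(3, "big") + len(body).to_bytes(3, "big"))
    fragment = hs + body
    return RECORD_HDR.pack(CONTENT_HANDSHAKE, record_version, 0, 0, 0, len(fragment)) + fragment


def _hello_body(version: int) -> bytes:
    # version(2) random(32) session_id_len(1)=0 cipher_suite(2, placeholder) compression(1)
    # A real ClientHello also carries a cookie and a suite list; only the leading
    # version field is read here, so this ServerHello-shaped body serves for both.
    return version.to_bytes(2, "big") + os.urandom(32) + b"\x00" + b"\xc0\x2f" + b"\x00"


# Constructed samples: a ClientHello whose record layer still says DTLS 1.0 but
# whose body offers DTLS 1.2, the ServerHello selecting DTLS 1.2, and an old-style
# ServerHello that fell back to DTLS 1.0 (what a pre-16.0 BIG-IP would send).
SAMPLE_CLIENT_HELLO = build_handshake_record(0xFEFF, CLIENT_HELLO, _hello_body(0xFEFD))
SAMPLE_SERVER_HELLO = build_handshake_record(0xFEFD, SERVER_HELLO, _hello_body(0xFEFD), msg_seq=1)
SAMPLE_SERVER_HELLO_OLD = build_handshake_record(0xFEFF, SERVER_HELLO, _hello_body(0xFEFF), msg_seq=1)

if __name__ == "__main__":
    for name, rec in (("client", SAMPLE_CLIENT_HELLO), ("server", SAMPLE_SERVER_HELLO)):
        print(name, parse_dtls_handshake(rec))
    print("DTLS 1.2 negotiated:", negotiated_dtls12(SAMPLE_SERVER_HELLO))
```

Feed it the UDP payload of the first packet in each direction; if the ServerHello body says DTLS 1.0, the No DTLSv1.2 setting is still enabled on the profile or the BIG-IP is older than 16.0. If no DTLS records appear at all and the tunnel traffic is TCP, the client fell back to TLS.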

Name-based split tunneling support for Round-robin DNS

Edge Client for Windows improves name-based split tunneling by preserving the IPv4 addresses obtained from DNS resolution of a hostname that matches the exclude domain scope. Long-lived connections (such as those used by streaming services) therefore keep bypassing the tunnel even when a later resolution of the same name returns a different IP address, as round-robin DNS does, and connectivity to those servers is maintained.
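The behaviour described above, modelled as an added example (not Edge Client code): resolved addresses for excluded names are accumulated rather than replaced, so an address from an earlier answer keeps bypassing the tunnel after a later round-robin answer. The DNS answers and hostnames are constructed inline; nothing is resolved on the network.

```python
"""Name-based split-tunnel exclusion that survives round-robin DNS.

Added example, not Edge Client code. Hostnames and DNS answers are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Set


class SplitTunnelExcluder:
    """Decides per destination IP whether traffic bypasses the VPN tunnel."""

    def __init__(self, exclude_domains: Iterable[str]):
        # Normalise the exclude scope: lower-case, no leading or trailing dot.
        self.exclude_domains = [d.lower().strip(".") for d in exclude_domains]
        # Every IPv4 address ever resolved for an excluded name, and the name that produced it.
        self.excluded_ips: Dict[ipaddress.IPv4Address, str] = {}

    def matches_exclude(self, hostname: str) -> bool:
        """True when hostname is an excluded domain or a subdomain of one."""
        host = hostname.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in self.exclude_domains)

    def observe_answer(self, hostname: str, addresses: Iterable[str]) -> Set[ipaddress.IPv4Address]:
        """Record a DNS answer the client saw; returns the addresses newly excluded.

        Addresses are accumulated rather than replaced. Replacing them with the
        latest answer is what breaks long-lived connections under round-robin DNS:
        the earlier address would fall back into the tunnel mid-stream.
        """
        if not self.matches_exclude(hostname):
            return set()
        added: Set[ipaddress.IPv4Address] = set()
        for addr in addresses:
            ip = ipaddress.ip_address(addr)
            if ip.version != 4:          # the release note describes IPv4 preservation only
                continue
            if ip not in self.excluded_ips:
                self.excluded_ips[ip] = hostname
                added.add(ip)
        return added

    def route(self, dst: str) -> str:
        """'bypass' for excluded addresses, 'tunnel' for everything else."""
        return "bypass" if ipaddress.ip_address(dst) in self.excluded_ips else "tunnel"


def demo() -> List[str]:
    """Round-robin scenario: two lookups of one excluded name return different
    addresses while a stream to the first address is still open."""
    ex = SplitTunnelExcluder(["video.example.com"])
    ex.observe_answer("cdn.video.example.com", ["203.0.113.10"])   # first lookup
    decisions = [ex.route("203.0.113.10")]                          # stream opens: bypass
    ex.observe_answer("cdn.video.example.com", ["203.0.113.11"])   # later lookup, new address
    decisions.append(ex.route("203.0.113.10"))                      # existing stream still bypasses
    decisions.append(ex.route("203.0.113.11"))                      # new connection bypasses too
    ex.observe_answer("intranet.corp.example", ["10.0.0.5"])        # not in the exclude scope
    decisions.append(ex.route("10.0.0.5"))                          # stays inside the tunnel
    return decisions


if __name__ == "__main__":
    print(demo())   # ['bypass', 'bypass', 'bypass', 'tunnel']
```

A real implementation also needs an expiry policy: addresses accumulated this way never leave the bypass list, so an excluded name whose CDN rotates through a large pool will slowly widen the set of destinations that skip the tunnel. The suffix match deliberately rejects look-alike names such as notexample.com for an exclude scope of example.com.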

Supports Yubikey and other U2F/FIDO based authentication systems

Edge Client for macOS and Windows can now act as an OpenID Connect (OIDC) client: it obtains a bearer token from the identity provider and presents it to APM for authentication. This gives a consistent authentication experience, with two-factor verification and Single Sign-On, across the browser and Edge Client.

Beginning with BIG-IP version 16.0.0, the connectivity profile has OAuth Settings in which administrators specify the OIDC server discovery endpoint, Client ID, Scopes, and the Complete Redirection URI. With this release, Edge Client provides the following abilities:

  • Use security keys such as Yubikey, U2F, and FIDO authentication systems as an additional factor of authentication
  • Support password-less authentication through public key registration and authentication
  • Single Sign-On for Edge Client and other enterprise apps that share a common IDP
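How the four connectivity-profile settings (discovery endpoint, Client ID, Scopes, Complete Redirection URI) map onto the OIDC authorization-code flow, as an added example that is not Edge Client or F5 code. It uses a constructed discovery document instead of fetching one, a constructed IdP redirect and token response instead of live HTTP, and placeholder hostnames, client ID and token values. PKCE is included because a desktop VPN client is a public client; the page does not say whether Edge Client sends it, so treat it as an assumption.

```python
"""Mapping connectivity-profile OAuth settings onto an OIDC authorization-code flow.

Added example, not Edge Client or F5 code. Discovery document, IdP redirect and
token response are constructed; hostnames, client ID and tokens are placeholders.
"""
import base64
import hashlib
import json
import secrets
import urllib.parse
from typing import Dict, Tuple

# Constructed discovery document, shaped like .well-known/openid-configuration.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "response_types_supported": ["code"],
})

# Placeholder values of the kind an administrator enters in the connectivity profile.
CLIENT_ID = "edge-client-example"
SCOPES = ["openid", "profile"]
REDIRECT_URI = "https://apm.example.com/oauth/client/redirect"


def load_discovery(doc: str) -> Dict[str, str]:
    """Parse the discovery document and insist on https endpoints the flow needs."""
    meta = json.loads(doc)
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if key not in meta:
            raise ValueError(f"discovery document lacks {key}")
        if not str(meta[key]).startswith("https://"):
            raise ValueError(f"{key} must use https")
    return meta


def pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, S256 code_challenge). Assumption: page does not mention PKCE."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(meta, client_id, scopes, redirect_uri, state, nonce, code_challenge) -> str:
    """The URL the client opens in the browser; scope is the space-joined Scopes setting."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": " ".join(scopes), "state": state, "nonce": nonce,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return meta["authorization_endpoint"] + "?" + urllib.parse.urlencode(params)


def validate_callback(callback_url: str, expected_state: str, redirect_uri: str) -> str:
    """Return the authorization code from the redirect, rejecting wrong URI, error, or state."""
    got, want = urllib.parse.urlsplit(callback_url), urllib.parse.urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect did not arrive at the registered Complete Redirection URI")
    q = dict(urllib.parse.parse_qsl(got.query))
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error']}")
    if not secrets.compare_digest(q.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"]


def apm_authorization_header(token_response: str) -> Dict[str, str]:
    """Turn the token endpoint's JSON into the bearer header presented to APM."""
    tok = json.loads(token_response)
    if tok.get("token_type", "").lower() != "bearer" or "access_token" not in tok:
        raise ValueError("token endpoint did not return a bearer access token")
    return {"Authorization": "Bearer " + tok["access_token"]}


def run_flow() -> Dict[str, str]:
    """Drive the flow against constructed responses; the nonce would be checked in the ID token."""
    meta = load_discovery(DISCOVERY_JSON)
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    auth_url = build_authorization_request(meta, CLIENT_ID, SCOPES, REDIRECT_URI, state, nonce, challenge)
    # Constructed IdP redirect: what the browser hands back after the user authenticates.
    callback = REDIRECT_URI + "?" + urllib.parse.urlencode({"code": "SplxlOBeZQQYbYS6WxSbIA", "state": state})
    code = validate_callback(callback, state, REDIRECT_URI)
    # Constructed token-endpoint reply to the code exchange (verifier goes in that POST).
    token_response = json.dumps({"access_token": "example-opaque-token", "token_type": "Bearer", "expires_in": 3600})
    return {"authorize_url": auth_url, "code": code, "code_verifier": verifier,
            **apm_authorization_header(token_response)}


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

The state check is what stops a browser tab opened by someone else from completing the client's logon, which matters for the Always connected/Locked mode issues listed under Known issues: a retry must generate a fresh state rather than reuse the old one.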

Fixes in 7.2.1

The following issues have been fixed in this release.

ID Number Description
706054 Previously, on Windows, in a captive portal environment, an existing VPN connection was sometimes terminated even after you had authenticated to the captive portal, which reset connections for some applications. The VPN now stays active, and this issue has been fixed.
738446 Fixed an issue where, in certain scenarios on Windows, one of the endpoint checks failed intermittently and an Access Denied page was displayed. The endpoint checks now pass, and the VPN connection succeeds.
842717 Fixed a security issue where, with the Windows Logon Integration feature configured for Edge Client, an unauthorized user with physical access to an authorized user's machine could obtain shell access to internal resources or compromise their availability.
848353 Previously, on Windows, the endpoint check failed to start from a browser when certain system events were missing, and the browser page remained at waiting for the endpoint status. This issue is now fixed, and the endpoint check runs successfully.
881293, 881317 Fixed an issue where the temporary directory that the Edge Client Windows installer created for extracting archives and .cab files had weak file and folder permissions. Because signed .exe and MSI files were executed from that directory, an unprivileged local user could exploit it to escalate privileges on the client system.
881445 Previously, the Edge Client Windows Stonewall driver did not validate a pointer received from user mode. A local user on the Windows client could send crafted DeviceIoControl requests to the \\.\urvpndrv device and crash the Windows kernel. The Stonewall driver now validates the pointer before dereferencing it, and this issue is fixed.
882185, 882189 Fixed a use-after-free vulnerability in the Edge Client Windows ActiveX component. An attacker who crafted a malicious web page and had it loaded in Internet Explorer could trigger memory corruption in the browser or execute code in the browser's context.
883549 Previously, in Lock mode or Auto Connect mode, Edge Client did not close the logon page when the user roamed onto an enterprise network. This issue has been fixed, and the logon window now closes after successful authentication.
899781 Previously, attempting to establish a VPN connection using a WinLogon Integration/Custom dialup failed and reported the following error:

...finished with code, -1073740512

This issue has been fixed, and now WinLogon Integration/Custom dialup establishes VPN successfully.
904617 Fixed an issue where split tunneling failed to exclude certain traffic, which was sent through the tunnel instead. DNS-based exclusion now works correctly.
904977 Previously, Edge Client did not recognize an onkeypress event attached to an <input> tag, so users could not submit the login form by pressing the Enter key. This issue has been fixed: Edge Client now detects the Enter key and runs the handler attached to onkeypress.
910825 Previously, Edge Client for macOS disconnected and reconnected an established tunnel even when there was no problem with Internet connectivity. This issue has been fixed, and the VPN no longer disconnects in this case.
913841 Fixed an issue where, after upgrading the APM client and switching to another VPN server, clients were unable to connect.
924941 Previously, on a client running Linux or macOS, when a hostname in /etc/hosts partially matched a hostname configured as a static host entry in Network Access, the local /etc/hosts entry was deleted. With this release, the local host entry is no longer deleted.
926689 Previously, after upgrading from 12.1.2.2.0.276 to 12.1.2.5, users could not connect to RDP via AppTunnel, which loads the ActiveX control. With this release, the issue has been fixed.
928173 Previously, Edge Client for macOS did not properly support the Duo Trusted Endpoints feature when Client Certificate Authentication was used. The client could not connect and displayed the Your Session has Ended error instead. This issue has been fixed.
932781 Fixed an issue where Edge Client failed to connect on a Windows 10 system with Secure Boot enabled.

On clients that cannot yet be upgraded to 7.2.1, the workaround was to disable Secure Boot on the Windows system. Treat that as a last resort and upgrade the client instead.

Note: Some systems running Windows 10 have Secure Boot enabled by default to ensure that the client computer boots using only software trusted by the computer; disabling it removes that protection for the whole machine, not just for the VPN client.

Known issues in 7.2.1

The following are known issues in this release.

ID Number Description
809409 Edge Client OAuth is currently incompatible with an F5 BIG-IP APM Authorization Server.
915973 On Windows, when an APM Network Access resource is configured with DTLS, the VPN may fail to access the client certificate's private key and may establish a TLS connection instead of a DTLS 1.2 connection. This happens when the private key is not held by the Microsoft Enhanced RSA and AES Cryptographic Provider, the CSP that supports the SHA-2 signatures (SHA-256, SHA-384, and SHA-512) DTLS 1.2 requires; keys imported into an older provider cannot produce them.

As a workaround, perform the following steps:

  1. Import the client certificate and its private key into the Microsoft Enhanced RSA and AES Cryptographic Provider.
  2. When creating the certificate package, explicitly specify the crypto provider as Microsoft Enhanced RSA and AES Cryptographic Provider, so that Windows places the key in that provider on import.

    For example, use the -CSP argument with the OpenSSL pkcs12 command:

    openssl pkcs12 -export -in client_auth.crt -inkey client_auth.key -out client_auth_2.pkcs12 -CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"

920477 DNS lookups for hostnames listed in DNS Exclude Address Space fail when the IP filtering engine option is enabled in the Network Access configuration.

As a workaround, disable the IP filtering engine option in Network Access configuration.

926201 On macOS and Windows, when the OAuth Scope agent is placed between other agents in an access policy, Edge Client fails to display a Deny ending page after the OAuth logon completes successfully.

As a workaround, place the OAuth Scope agent in the access policy either at the beginning or after all other agents (immediately before the Network Access resource is assigned).

928289 The Edge Client UI does not show the Click here to retry authentication link when the browser opens for OAuth logon. This link lets you reopen the OAuth logon page if you close the web browser without logging in. The problem occurs in Always connected/Locked mode when a non-OAuth APM redirects to an OAuth-configured APM through the access policy.

As a workaround, sign out of the Windows logon session and sign back in. This will start a new instance of Edge Client, and the logon sequence will run again.

939925 Edge Client does not report errors from the OAuth Token Endpoint; it displays the Waiting to connect to server... message instead. When the OAuth logon fails to obtain an access token from the token endpoint, new tabs with the OAuth done page open in the already open default web browser.
939929 Edge Client OAuth does not support AzureAD.

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers Regional Offices
Web http://www.f5.com
Email support@f5.com

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support

https://f5.com/support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

https://support.f5.com/csp/home

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

https://devcentral.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.