Release Notes : APM Client 7.2.3

Applies To:


BIG-IP APM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Release Notes
Updated Date: 08/30/2023

Summary:

BIG-IP Edge Client establishes secure communications to applications and networks. It provides users with full access to IP-based applications, resources, and intranet files as if they were physically working on the office network. This release note contains information about the changes made for the current version only. Refer to the prior release note versions for additional information.

The Edge Client version 7.2.3 is now available on downloads.f5.com (under the APM Clients container).

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the following pages:

Features and enhancements

Discard non-VPN adapter registration on Network Access DNS server

Microsoft registers the system adapter’s IP and hostname on the DNS Servers (Dynamic address registration) when the Register this connection's addresses in DNS option is enabled for the adapter on Windows. However, users noticed that Microsoft registers the local connection address and PPP adapter (VPN) address on tunnel DNS servers when the Register this connection's addresses in DNS option is enabled on the network adapter and full tunneling is used.

BIG-IP Edge Client can intercept DNS traffic and decide whether it should be routed to a tunnel DNS server or a local DNS server. To do this, Edge Client uses two components: a service and a driver. The driver is TDI-based (Intel platform); it captures DNS events and redirects them to a service that has listeners configured.

The DNS Relay proxy service has been enhanced to drop the registration of local adapters (non-PPP) on DNS Servers configured on Network Access settings.

Administrators can use the APM Variable Assign agent to enable or disable DNS Dynamic Update as per their preference. Following are the possible configuration options:

To disable DNS Dynamic Update, add the following entries to the Variable Assign agent in your policy:
  • Custom variable:

    config.connectivity_resource_network_access./Common/F5Access_NetworkAccess.client.IPv6LAN

  • Custom expression:

    "return {</IPv6LAN><dynamicUpdatePacketFilter0>0</dynamicUpdatePacketFilter0><IPv6LAN>}"

    Note: By default, the configuration option value is set to 0 and the feature to intercept/filter DNS Dynamic Update packet is disabled.

For a deployment that uses a non-secure DNS Dynamic update and would like to filter registration calls, add the following entries to the Variable Assign agent in your policy:
  • Custom variable:

    config.connectivity_resource_network_access./Common/F5Access_NetworkAccess.client.IPv6LAN

  • Custom expression:

    "return {</IPv6LAN><dynamicUpdatePacketFilter0>1</dynamicUpdatePacketFilter0><IPv6LAN>}"

    Note: System generated DNS Update packets are modified and sent to Network Access DNS server.

For a deployment that uses secured DNS Dynamic update and would like to filter registration calls, add the following entries to the Variable Assign agent in your policy:
  • Custom variable:

    config.connectivity_resource_network_access./Common/<F5Access_NetworkAccess>.client.IPv6LAN

  • Custom expression:

    "return {</IPv6LAN><dynamicUpdatePacketFilter0>2</dynamicUpdatePacketFilter0><IPv6LAN>}"

    Note: System generated DNS Update packets are dropped and a new secured record is created by proxy code and sent to the DNS server.

For any value other than 0, 1, or 2, the DNS relay proxy sets the value to 0.
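To check the effect of the filter settings above, the following added example (not F5 code) parses DNS UPDATE payloads (RFC 2136, opcode 5) taken from a capture on the tunnel DNS path and lists any address being registered that lies outside the VPN lease pool. The pool range, zone and host names, and the sample packet are constructed assumptions.

```python
import ipaddress
import struct

# Assumption: the Network Access lease pool; replace with your own range.
VPN_POOL = ipaddress.ip_network("10.20.0.0/24")

def skip_name(msg, off):
    # Return the offset just past a (possibly compressed) DNS name.
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += 1 + n

def update_addresses(msg):
    """Addresses added by a DNS UPDATE message, or None if not an UPDATE."""
    _id, flags, zocount, prcount, upcount, _ad = struct.unpack("!6H", msg[:12])
    if (flags >> 11) & 0xF != 5:  # opcode 5 = UPDATE
        return None
    off = 12
    for _ in range(zocount):      # zone section: name + type + class
        off = skip_name(msg, off) + 4
    addrs = []
    for i in range(prcount + upcount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        # Update-section RRs of class IN are additions; A = 1, AAAA = 28.
        if i >= prcount and rclass == 1 and (rtype, rdlen) in ((1, 4), (28, 16)):
            addrs.append(ipaddress.ip_address(rdata))
    return addrs

def non_vpn_registrations(msg):
    """Addresses in an UPDATE that fall outside the VPN lease pool."""
    return [str(a) for a in (update_addresses(msg) or []) if a not in VPN_POOL]

def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\0"

def sample_update(ips):
    """Constructed UPDATE for zone corp.example adding A records for pc1."""
    msg = struct.pack("!6H", 0x1234, 5 << 11, 1, 0, len(ips), 0)
    msg += _name("corp.example") + struct.pack("!HH", 6, 1)   # SOA, IN
    for ip in ips:
        msg += _name("pc1.corp.example") + struct.pack("!HHIH", 1, 1, 1200, 4)
        msg += ipaddress.ip_address(ip).packed
    return msg

print(non_vpn_registrations(sample_update(["10.20.0.15", "192.168.1.44"])))
```

An empty list for every UPDATE seen on the tunnel DNS path indicates that only the PPP adapter address is being registered.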

IPv6 stonewall service support

This release adds support for blocking IPv6 traffic on Windows. The Stonewall service performs AAAA queries for the hostname exclusions added by the administrator and adds the appropriate allow or deny rules for IPv6 traffic to the driver. The Stonewall service blocks IPv6 traffic except for essential protocols such as DNS, DHCP, and ICMPv6 for neighbor discovery, and it supports IPv6-based (IP and DNS) exclusions. The Stonewall service reads the exclusions, which can be hostnames or IPv4 or IPv6 addresses, from the registry key in the HKLM\Software location.

Fixes

The following issues have been fixed in this release.

ID Number Description
756468 When the Edge Client package was upgraded to 7.2.2, the VPN driver covpn64.sys crashed, which eventually led the Windows 10 system to crash and restart. This issue is fixed, and now the Edge Client package is upgraded to 7.2.2 without any VPN driver crash.
940737 Fixed the issue where the security certificate warning alert was reported when Edge Client downloaded the PAC file from the specified location.
1047501 Fixed the issue where the JavaScript error occurs when clients connect to the login page or external IdP and click the YES button to establish the VPN connection. These JavaScript errors are seen usually when the embedded browser is redirected to the SAML IdP site.
1059025 The Locked mode of all Edge Client versions failed to work on macOS version 12.3 due to the deprecated Python 2.x version, and no other Python version was shipped with the operating system. This issue is fixed, and now the pyinstaller executable is introduced along with the package to support the firewall controller service. Compatibility is maintained for older macOS versions as well with the newly introduced mechanism. Refer to the K37264030 article for more information.
1073653 Fixed the issue where the Client Type agent variable 'session.client.app_id' returns the value 'api' regardless of access method after an upgrade to Edge Client 7.2.1.3 version.
1102345 Fixed the issue where the Firewall Controller service failed to work when the Edge Client was upgraded on the macOS. Uninstall the plist file for agents and install after the auto-upgrade.
1103565 Fixed the issue where the Firewall Controller failed to load or unload the firewall rules based on the VPN connection status.
1103593 Previously, the FSMonitor fwctl service failed to detect the changes to the exception list. This issue is fixed, and now the Python 3.x compatible code changes are made to monitor the configuration file update during a runtime update.
1103597 Previously, the code signing verification failed with py-installer changes on the BIG-IP Edge Client. This issue is fixed, and now the FSMonitor fwctl is able to detect the changes to the exception list after updating the Entitlement plist file with the proper pyinstaller string.
1103601 For Edge Client installed on macOS, the multithreading library failed to work properly in Always Connected mode. This issue is fixed, and now the multithreading works with proper compatible python 3.x APIs successfully.
1103605 Fixed the Edge Client uninstallation scripts in Always Connected mode. The Edge Client uninstall script for macOS has been rewritten in Bash.
1113377-2 A regression issue is seen after upgrading to a build with a 1059025 bug fix. Now, this issue is fixed by properly cleaning up the intermediary files after the upgrade.
1114897-1 After the Edge Client upgraded to the 7.2.2 version, the VPN failed to establish the connection when the machine tunnel service was running. This issue is fixed and now the Edge Client is able to establish the connection after an upgrade while machine tunnel service is enabled.
1116933-2 Fixed the issue where EdgeClient failed to establish the connection at Initialising state for more than 10 minutes for the first time after an upgrade on Windows10 20H2. Pause the Machine tunnel while trying to upgrade the VPN driver.
1124497-1 After the Edge Client upgraded to version 7.2.2, the VPN failed to establish the connection when the system woke up from sleep mode. During sleep mode, the VPN Dialler device became invalid and was unable to establish the VPN connection, but it made several attempts to connect before starting a new connection. This issue is fixed, and now the Edge Client cleans the VPN Dialler device when the system goes into sleep mode and is able to establish the connection when the system wakes up from sleep mode.

Known issues

The following are known issues in this release.

ID Number Description
1072901 The Windows logon integration does not work with TLS 1.3 on Windows 10 and Windows 11.

Workaround: Enable other versions of TLS to allow Windows Logon client to fallback to an older version of TLS protocol.

1077749 EPSEC version 1156 is not certified on Windows 10 and Windows 11 on the ARM processors.
1079621 When the application is moved to the trash, the respective application F5 EPI or F5 VPN directory is getting deleted from the following path:

/Applications/F5 Endpoint Inspector.app/Contents/Resources/

Whereas, the respective application specific (F5 EPI or F5 VPN) folder is not getting deleted from the following path:

/Users/<username>/Library/Applications Support/F5 EPI

The plist file of the respective application is not deleted from the following path:

/Users/<username>/Library/Launchagents/

Workaround:
  1. Upgrade to the latest build and verify the time stamps available in the following paths:

    Application directory: /Users/<username>/Library/Applications Support/F5 EPI

    Plist file path : /Users/<username>/Library/Launchagents/

  2. Check the EPI and VPN functionality in all the cases.
  3. Restart and install the EPI and VPN.
  4. Uninstall and re-install the EPI and VPN.
  5. Check whether the F5 EPI and F5 VPN applications are removed from the /Applications/ path.
1082821 When trying to establish a VPN connection using a browser, it does not work with TLS 1.3 on all versions of macOS.

Workaround: Enable other versions of TLS to allow the browser to fallback to any other versions of TLS protocol.

1082825 When trying to establish a VPN connection using a browser, it does not work with TLS 1.3 on Linux.

Workaround: Enable other versions of TLS to allow the browser to fallback to any other versions of TLS protocol.

1082909 When trying to establish a VPN connection, it does not work with TLS 1.3 on Windows 11.

Workaround: Enable other versions of TLS to allow APM client to fallback to any other versions of TLS protocol.

1083397 Installation of the Edge Client versions prior to 7.2.2 may be successful on the ARM64-based Windows 10 and Windows 11 but fails to establish the VPN connection.

Workaround: Uninstall the Edge Client versions prior to 7.2.2 and install the ARM64-supported Edge Client version using the MSI installer package.

1084369 Optimized tunnels are not supported on ARM64-based Windows 10 and Windows 11 systems. When Optimized tunnels are used, the tunnel connection fails without user notification.

Workaround: In some cases, use a static app tunnel to establish a tunnel connection.

1107385 When the Windows Edge Client is redirected to an External Logon page, it fails to render the External Logon page in the small pop-up window using the default rendering engine. The default rendering engine leads to multiple JavaScript errors and the page remains stuck.
Workaround 1:
  1. Launch a command prompt with the administrator privilege and run regedit.
  2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION location.
  3. On the right side panel, right-click the empty area and navigate to New > DWORD (32-bit) Value. Set the value name as rundll32.exe.
  4. Double click the rundll32.exe value and enter the value data as 2af8 (if the Hexadecimal option is selected) or 11000 (if the Decimal option is selected). Click OK.
  5. Exit the Edge Client application and relaunch it.

Workaround 2:

On the External Logon site, when the external logon page responds with HTML code, add the following meta tag at a specific location:

<meta http-equiv="X-UA-Compatible" content="IE=edge">

For example:

    <html>
    <head>
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
    <meta http-equiv="Cache-Control" content="no-cache">
