Applies To:
Show VersionsBIG-IP APM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4
Summary:
In May 2019, F5 released F5 Access Guard. F5 Access Guard requires several components to function, as detailed in this release note and in the documentation.
Contents:
- User documentation for this release
- Features and enhancements in 1.0.0
- Known issues with F5 Access Guard 1.0.0
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the following pages:
Features and enhancements in 1.0.0
F5 Access Guard is a new set of client software tools designed to help administrators validate the security posture of incoming web connections from remote desktop clients. F5 Access Guard allows real-time posture information to be inspected with per-request policy subroutines on BIG-IP Access Policy Manager. F5 Access Guard generates posture information asynchronously and transparently transmits it to chosen APM server endpoints using special HTTP headers.
F5 Access Guard requires several components:
- A system service, F5AccessGuardService, for Windows and macOS desktop clients
- A browser extension, F5 Access Guard, and associated native messaging app for Firefox and Chrome
- An XML configuration file that must be created and deployed to client endpoints
APM has included posture checking capability since its inception, and this new service improves upon this capability by allowing for instantaneous and continuous checks. Deployment of F5 Access Guard is significantly different than previous posture check implementations.
Refer to the guide BIG-IP Access Policy Manager: Configuring F5 Access Guard for complete configuration information.
Known issues with F5 Access Guard 1.0.0
The following are known issues in this release of F5 Access Guard.
ID number | Description |
---|---|
767585 | When starting, the F5AccessGuardService createsn a Windows event log entry without a description. For example: "Message : The description for Event ID '0' in Source 'F5AccessGuardService' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'Starting"". This message can be ignored. |
779081 | On Windows, F5 Access Guard Service and native messaging logs are not rotated and grow indefinitely. As a workaround, delete the log files manually. |
779085 | On macOS, F5 Access Guard Service and native messaging logs are not rotated and grow indefinitely. As a workaround, delete the log files manually. |
779093 | On Windows, when the F5AccessGuardService uses an expired certificate for signing, a user cannot access applications protected by the Identity Aware Proxy with Chrome or Firefox, with the F5 Access Guard extension installed. As a workaround, replace the expired certificate with a valid certificate and restart the F5AccessGuardService. |
779097 | On macOS, when the F5AccessGuardService daemon uses an expired certificate for signing, a user cannot access applications protected by the Identity Aware Proxy with Chrome or Firefox, with the F5 Access Guard extension installed. As a workaround, replace the expired certificate with a valid certificate and restart the F5AccessGuardService daemon using the launchctl utility. |
779157 | On macOS, The F5AccessGuardService continues to use the previous certificate for signing, even when the certificate is replaced with a new one in the System keychain. As a workaround, restart the F5AccessGuardService daemon after the certificate is replaced in the System keychain with the launchctl utility. |
779161 | On Windows, the F5AccessGuardService continues to use the previous certificate for signing even when the certificate is replaced with a new one in the certificate store. As a workaround, restart the F5AccessGuardService after the certificate is replaced in the certificate store. |
779217 | Access to applications protected by the F5 Identity Aware Proxy may be denied in some rare cases. As a workaround, close any processes that are consuming a large amount of CPU and causing high disk I/O. |
780533 | When connected through a proxy server, auto updates for Oesis components for F5 Access Guard may fail. As a workaround, push the updates through a group policy mechanism, or configure the proxy mechanism to allow a direct connection from the client to the server. |
781541 | In some cases the Oesis package may not be installed immediately when the F5 Access Guard package is deployed to a user's machine. |
781457 | On Windows and macOS, if F5AccessGuardService was installed before deploying the configuration file, the user may have to wait for a long time before they can access applications protected by the F5 Identity Aware proxy. As a workaround, restart the service on Windows, or restart the service using launchctl on macOS. Alternatively, you can deploy the configuration file before installing the F5AccessGuardService. |