Release Notes : F5 Access Guard 1.1.0

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.0.1, 15.0.0
Release Notes

Summary:

In October 2019, F5 released F5 Access Guard 1.1.0. F5 Access Guard requires several components to function, as detailed in this release note and in the documentation.

Contents:

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the following pages:

Features and enhancements in 1.1.0

F5 Access Guard Overview

F5 Access Guard is a new set of client software tools designed to help administrators validate the security posture of incoming web connections from remote desktop clients. F5 Access Guard allows real-time posture information to be inspected with per-request policy subroutines on BIG-IP Access Policy Manager. F5 Access Guard generates posture information asynchronously and transmits it to chosen APM server endpoints using special HTTP headers.

F5 Access Guard requires several components:

  1. A system service, F5AccessGuardService, for Windows and macOS desktop clients and native messaging app for Firefox and Chrome
  2. A browser extension, F5 Access Guard
  3. An XML configuration file that must be created and deployed to client endpoints

APM has included posture checking capability since its inception, and this new service improves upon this capability by allowing for instantaneous and continuous checks. Deployment of F5 Access Guard is significantly different than previous posture check implementations.

Refer to the guide BIG-IP Access Policy Manager: Configuring F5 Access Guard for complete configuration information.

Features and enhancements in 1.1.0

Support for macOS Catalina
F5 Access Guard 1.1 features are now supported on macOS Catalina (10.15).

Fixes in 1.1.0

The following issues have been fixed in this release.

ID Number Description
781457 On Windows and macOS, if F5AccessGuardService was installed before deploying the configuration file, it may take several minutes before you can access applications protected by the F5 Identity Aware proxy. As a workaround, restart the service on Windows or restart the service using launchctl on macOS. Alternatively, you can deploy the configuration file before installing the F5AccessGuardService.

Known issues in 1.1.0

The following are known issues in this release of the F5 Access Guard.

ID number Description
767585 When starting, the F5AccessGuardService creates a Windows event log entry without a description. For example:

Message: The description for Event ID '0' in Source 'F5AccessGuardService' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'Starting'.

This message can be ignored.
779081 On Windows, F5 Access Guard Service and native messaging logs are not rotated and grow indefinitely. As a workaround, delete the log files manually.
779085 On macOS, F5 Access Guard Service and native messaging logs are not rotated and grow indefinitely. As a workaround, delete the log files manually.
779093 On Windows, when the F5AccessGuardService uses an expired certificate for signing, applications protected by the Identity Aware Proxy with Chrome or Firefox, with the F5 Access Guard extension installed cannot be accessed. As a workaround, replace the expired certificate with a valid certificate and restart the F5AccessGuardService.
779097 On macOS, when the F5AccessGuardService daemon uses an expired certificate for signing, you cannot access applications protected by the Identity Aware Proxy with Chrome or Firefox, with the F5 Access Guard extension installed. As a workaround, replace the expired certificate with a valid certificate and restart the F5AccessGuardService daemon.
779157 On macOS, The F5AccessGuardService continues to use the previous certificate for signing, even when the certificate is replaced with a new one in the System keychain. As a workaround, restart the F5AccessGuardService daemon after the certificate is replaced in the System keychain.
779161 On Windows, the F5AccessGuardService continues to use the previous certificate for signing even when the certificate is replaced with a new one in the certificate store. As a workaround, restart the F5AccessGuardService after the certificate is replaced in the certificate store.
779217 Access to applications protected by the F5 Identity Aware Proxy may be denied in some rare cases. As a workaround, close any processes that are consuming a large amount of CPU and causing high disk I/O.
780533 When connected through a proxy server, auto-updates for Oesis components for F5 Access Guard may fail. As a workaround, push the updates through a group policy mechanism or configure the proxy mechanism to allow a direct connection from the client to the server.
781541 In some cases, the Oesis package may not be installed immediately when the F5 Access Guard package is deployed to a user's machine.

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers Regional Offices
Web http://www.f5.com
Email support@f5.com

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support

https://f5.com/support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

https://support.f5.com/csp/home

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

https://devcentral.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.