Applies To:Show Versions
- 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4
In October 2019, F5 released F5 Access Guard 1.1.0. F5 Access Guard requires several components to function, as detailed in this release note and in the documentation.
- User documentation for this release
- Features and enhancements in 1.1.0
- Fixes in 1.1.0
- Known issues in 1.1.0
- Contacting F5
- Legal notices
User documentation for this release
Features and enhancements in 1.1.0
F5 Access Guard Overview
F5 Access Guard is a new set of client software tools designed to help administrators validate the security posture of incoming web connections from remote desktop clients. F5 Access Guard allows real-time posture information to be inspected with per-request policy subroutines on BIG-IP Access Policy Manager. F5 Access Guard generates posture information asynchronously and transmits it to chosen APM server endpoints using special HTTP headers.
F5 Access Guard requires several components:
- A system service, F5AccessGuardService, for Windows and macOS desktop clients and native messaging app for Firefox and Chrome
- A browser extension, F5 Access Guard
- An XML configuration file that must be created and deployed to client endpoints
APM has included posture checking capability since its inception, and this new service improves upon this capability by allowing for instantaneous and continuous checks. Deployment of F5 Access Guard is significantly different than previous posture check implementations.
Refer to the guide BIG-IP Access Policy Manager: Configuring F5 Access Guard for complete configuration information.
Features and enhancements in 1.1.0
- Support for macOS Catalina
- F5 Access Guard 1.1 features are now supported on macOS Catalina (10.15).
Fixes in 1.1.0
The following issues have been fixed in this release.
|On Windows and macOS, if F5AccessGuardService was installed before deploying the configuration file, it may take several minutes before you can access applications protected by the F5 Identity Aware proxy. As a workaround, restart the service on Windows or restart the service using launchctl on macOS. Alternatively, you can deploy the configuration file before installing the F5AccessGuardService.
Known issues in 1.1.0
The following are known issues in this release of the F5 Access Guard.
|When starting, the F5AccessGuardService creates a Windows event log entry without a description. For example:
Message: The description for Event ID '0' in Source 'F5AccessGuardService' cannot be found. The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them. The following information is part of the event:'Starting'.This message can be ignored.
|On Windows, F5 Access Guard Service and native messaging logs are not rotated and grow indefinitely. As a workaround, delete the log files manually.
|On macOS, F5 Access Guard Service and native messaging logs are not rotated and grow indefinitely. As a workaround, delete the log files manually.
|On Windows, when the F5AccessGuardService uses an expired certificate for signing, applications protected by the Identity Aware Proxy with Chrome or Firefox, with the F5 Access Guard extension installed cannot be accessed. As a workaround, replace the expired certificate with a valid certificate and restart the F5AccessGuardService.
|On macOS, when the F5AccessGuardService daemon uses an expired certificate for signing, you cannot access applications protected by the Identity Aware Proxy with Chrome or Firefox, with the F5 Access Guard extension installed. As a workaround, replace the expired certificate with a valid certificate and restart the F5AccessGuardService daemon.
|On macOS, The F5AccessGuardService continues to use the previous certificate for signing, even when the certificate is replaced with a new one in the System keychain. As a workaround, restart the F5AccessGuardService daemon after the certificate is replaced in the System keychain.
|On Windows, the F5AccessGuardService continues to use the previous certificate for signing even when the certificate is replaced with a new one in the certificate store. As a workaround, restart the F5AccessGuardService after the certificate is replaced in the certificate store.
|Access to applications protected by the F5 Identity Aware Proxy may be denied in some rare cases. As a workaround, close any processes that are consuming a large amount of CPU and causing high disk I/O.
|When connected through a proxy server, auto-updates for Oesis components for F5 Access Guard may fail. As a workaround, push the updates through a group policy mechanism or configure the proxy mechanism to allow a direct connection from the client to the server.
|In some cases, the Oesis package may not be installed immediately when the F5 Access Guard package is deployed to a user's machine.
You can find additional support resources and technical documentation through a variety of sources.
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
|AskF5 Knowledge Base
The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
|BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer
BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.
Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.
|Communications Preference Center
Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.