Applies To:
BIG-IP APM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0
Summary:
In July 2018, Apple posted the release of F5 Access for macOS version 2.0.0. Users should download this new version from the macOS app store.
Contents:
- F5 Access for macOS general information
- Requirements for F5 Access for macOS
- User documentation for this release
- Contacting F5 Networks
- Legal notices
F5 Access for macOS general information
General F5 Access Information
F5 Access for macOS provides Layer 3 network access for the BIG-IP APM module. The F5 Access for macOS SSL VPN application complements the existing Edge Client VPN product line, addressing similar use-case and deployment scenarios.
F5 Access for macOS supports client certificate authentication, but with some caveats. By default, all server certificates that are not signed by an officially trusted CA are rejected. If you install your own CA, you must set its trust setting in the system keychain to Always Trust.
F5 Access for macOS has two components:
- App Extension: built on the Network Extension framework to provide traffic tunneling.
- F5 Access Container App: handles configuration management and state monitoring.
Supported Authentication Modes
- Native
- Native authentication mode is the default mode. The administrator can use it to set user logon by username and password, an optional client certificate, or both. Interactive authentication, including SAML and external logon pages, is not supported in this mode. Native mode does not require user interaction if all the credentials were previously saved.
- Web (Web Logon)
- Web-based authentication is supported in this version. In Web Logon mode, the administrator can specify interactive web-based multi-factor authentication in the access policy. Web Logon mode can be used to support an external logon page, SAML authentication, two-factor logon with a one-time passcode, or other interactive methods. A user can specify Web Logon mode when creating a configuration. All Web Logon features are supported.
- Client certificate required mode
- In this version, client certificate required mode is supported.
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to BIG-IP Access Policy Manager Documentation.
Features and enhancements in 2.0.0
On-Demand VPN
Tunnels can be started on demand, using either on-demand rules in Safari or directives from an MDM.
Web Logon
Web Logon mode is supported in this release, allowing authentication features such as multi-factor authentication.
MDM Attributes
Device UDID is no longer provided natively, due to macOS changes. With an MDM, the device can be assigned an ID using the MdmDeviceUniqueId or UDID attribute. The assigned value populates the session variables session.client.mdm_device_unique_id and session.client.unique_id. If neither attribute is provided, these session variables are not present. If either attribute is provided by the MDM, both session variables are present.
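As an added example (not from the release notes and not F5's own code), the following iRule reads the two session variables named above and records whether the MDM supplied a device ID, so that an access policy can branch on managed versus unmanaged devices. The session.custom.mdm_managed variable name and the log text are assumptions.

```tcl
# Added example: record whether F5 Access for macOS reported an MDM-assigned
# device ID. Both session variables are absent when the MDM profile carries
# neither MdmDeviceUniqueId nor UDID; ACCESS::session data get then returns "".
when ACCESS_SESSION_STARTED {
    set mdm_id [ACCESS::session data get "session.client.mdm_device_unique_id"]
    set uid    [ACCESS::session data get "session.client.unique_id"]

    if { $mdm_id eq "" && $uid eq "" } {
        # Unmanaged device, or the MDM profile lacks the attribute.
        log local0. "APM session [ACCESS::session sid] from [IP::client_addr]: no MDM device ID"
        # Assumed custom variable; the access policy can branch on it.
        ACCESS::session data set "session.custom.mdm_managed" 0
    } else {
        log local0. "APM session [ACCESS::session sid] from [IP::client_addr]: MDM device ID ${mdm_id} (unique_id ${uid})"
        ACCESS::session data set "session.custom.mdm_managed" 1
    }
}
```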
Always-On VPN
Always-On VPN is supported with a .mobileconfig file or with an MDM profile.
Password caching
Password caching for macOS clients is now supported. Configure this in the Connectivity Profile for F5 Access for macOS.
Enforce Logon Mode
The administrator can now enforce web or native logon mode. Configure this in the Connectivity Profile for F5 Access for macOS.
Network Extension Framework
Since version 1.0.0, F5 Access for macOS has been using Apple's Network Extension Framework. Apple's Network Extension Framework is a major architectural shift for the F5 Access client related to features such as Layer 3 VPN, Per-App VPN Tunneling, Server Certificate Verification, and other features.
Feature | Description |
---|---|
Split-tunneling (include list) | Split-tunneling include list of IP address ranges/subnet masks. |
Split-tunneling (exclude list) | Split-tunneling exclude list of IP address ranges/subnet masks. |
Server SSL Certificate Verification | Verify server SSL certificate against CA store. |
Authentication w/ Username and Password Support | Username and password in native and Web Logon modes. |
Authentication with Username and Password and Client Certificate | Two-factor authentication with username and password and client certificate in native and Web Logon modes. |
Certificate-only Authentication Support | Authentication with certificate in native and Web Logon modes. The client certificate works only for request mode. |
Keychain | Users can use the saved password from the keychain. |
MDM Provisioning | Support configuration by endpoint management systems or MDM. |
VPN Tunnel Information | Display detailed information about the VPN tunnel. |
Per-App VPN Support Layer 3 VPN | With the macOS Network Extension Framework, Per-App VPN policies are enforced by macOS. |
Per-App VPN On-Demand | Start Per-App VPN on demand. |
TLS and DTLS Support | TLS and DTLS protocols switch when appropriate. DTLS to TLS fallback is supported today. |
Compression over TLS | The compression of traffic (GZIP) for a given TLS network tunnel. |
Landing URI support | Configuration of a landing URI for the VPN tunnel. |
Known issues in F5 Access 2.0.0
The following are known issues that affect the user experience when F5 Access is used on a macOS device. These issues may be addressed in the future by F5 or Apple.
ID number | Description |
---|---|
712947 | In Web Logon mode, the prompt to install the browser plugin is shown to the user when client-side EPS checks are running, instead of using the fallback branch. If a connection is established in native mode, the fallback branch is taken on all client-side checks. As a workaround, the user should click the link in the Continue without installing software section. The user is then routed to the fallback branch. |
713854-2 | When APM reaches the concurrent session limit, it does not allow new APM sessions to be created. In such a scenario, if an F5 Access client that has saved credentials connects to APM, the VPN fails to establish: the credentials are assumed to be invalid and are deleted. As a workaround, use the iRule shown below this table. |
714132 | When a VPN configuration is installed by an MDM or configured from a .mobileconfig file, and authentication fails, the VPN connection switches to Disconnected mode without displaying an "Authentication failed" error message. |
714426 | In this release, compression for inbound traffic works correctly. However, on the Details statistics screen, the Received Compression percentage is always displayed as 0.0. |
714635 | When On-Demand Cert Auth is set to Require in the access policy, and there is no certificate, the wrong certificate is presented, or Web Logon mode is used to connect, F5 Access switches to the Disconnected state with no error message. |
715985 | If a per-app VPN configuration doesn't have SafariDomains specified, it is detected as an Enterprise (device-wide) VPN. |
715989 | The OnDemandRule action EvaluateConnection doesn't work with per-app VPN connections. It does work for device-wide VPN connections on macOS 10.13.4 with Safari. This is expected behavior. Only the Disconnect action works with per-app VPN. |
716909 | When you create a VPN configuration with a certificate and Web Logon enabled, then connect to the VPN configuration for the first time, a number of prompts are displayed. For most of the prompts, you can select "Always Allow" and proceed. Some prompts may require you to acknowledge them each time they appear. |
717157 | A password cannot be entered for a new configuration if the password field was in the disabled state while editing another configuration that was afterwards reverted. As a workaround, close the F5 Access Configuration window. When the user goes to Manage VPN Configurations again, the password field can be populated successfully. |
718122 | On macOS 10.12, the client proxy exclusion list does not work correctly for wildcard IP addresses (for example, 172.29.68.*, 172.*.197). Such traffic still routes through the proxy and does not bypass it. The exclusion list does work correctly for names, names with wildcards, and IP addresses without wildcards. |
718843 | In Web Logon mode, with the client certificate set to require in the clientssl profile, the session is not deleted from the BIG-IP when the user disconnects. Native logon mode is not affected. |
722550 | With Network Access configured for split tunneling and the DNS Address Space not set to the wildcard *, client proxy settings are not used by Chrome or Firefox; instead, traffic bypasses the proxy. Safari uses client proxy settings correctly in this scenario. If Network Access is configured to force all traffic through the tunnel, or it is configured for split tunneling with the DNS Address Space set to *, then both Chrome and Firefox successfully use client proxy settings. |
725804 | On F5 Access for macOS, when a client certificate is requested, Web Logon mode is specified, and the user chooses Always Allow when presented with the prompt "com.apple.Webkit.Networking wants to sign using key...", a network tunnel cannot be established. |

iRule workaround for ID 713854-2:

```tcl
# A simple rule to send a reset when F5 Access sends a request with errorcode=14
#
# Ref: https://devcentral.f5.com/articles/http-event-order-access-policy-manager
#
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    if { [HTTP::uri] contains "my.logout.php3?errorcode=14" && [HTTP::header value "User-Agent"] contains "F5Access/2.1.1" } {
        log local0. "DEBUG LOG: [HTTP::uri] => rejecting"
        # simply reject
        reject
    }
}
```
Contacting F5 Networks
Phone - North America: | 1-888-882-7535 or (206) 272-6500 |
Phone - Outside North America, Universal Toll-Free: | +800 11 ASK 4 F5 or (800 11275 435) |
Fax: | See Regional Support for your area. |
Web: | https://support.f5.com/csp/home |
Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: https://f5.com/support
- The AskF5 web site: https://support.f5.com/csp/home
- The F5 DevCentral web site: https://devcentral.f5.com/
- AskF5 Publication Preference Center: https://interact.f5.com/AskF5-SubscriptionCenter.html
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 Publication Preference Center
To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.
- TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
- TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
- Security Alerts: Timely security updates and ASM attack signature updates from F5.