Applies To:
BIG-IP APM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0
Summary:
In August 2019, Apple posted the release of F5 Access for macOS version 2.0.1. Users should download this new version from the macOS app store.
Contents:
- Requirements for F5 Access for macOS
- User documentation for this release
- Features and enhancements in 2.0.1
- Fixed issues in F5 Access 2.0.1
- Known issues in F5 Access 2.0.1
- Contacting F5
- Legal notices
Requirements for F5 Access for macOS
F5 Access for macOS 2.0.1 has the following minimum software requirements:
- Mac OS X 10.3 or later
- BIG-IP v13.0 or later
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to BIG-IP Access Policy Manager Documentation.
Fixed issues in F5 Access 2.0.1
The following issues have been fixed in this release.
ID number | Description |
---|---|
713640 | Previously, for BIG-IP configured with a DTLS server, F5 Access for macOS failed to reconnect in some cases if the Mac went to sleep and was then woken up. For example, if the laptop lid was closed and reopened, or the device went to sleep using the power button or the menu option. Now, this issue is fixed, and F5 Access for macOS reconnects successfully. |
720093-1 | Previously, F5 Access did not support opening links for App Store app during authentication with Web Logon. When the user selected the link, an error message "Unsupported URL" was displayed. Now, with this release, the app store opens without any issues. The Web Logon also stays open, and the user can get back by switching to F5 Access. |
725682 | Previously, with the Ethernet cable plugged in, when the Wi-Fi connection was lost over a network access tunnel using DTLS or TLS, F5 Access was stuck in a reasserting state. Now, this issue is fixed, and the tunnel reconnects over Ethernet successfully. |
738442-1 | Previously, under certain circumstances, per-app VPN sessions could intermittently close with APM log Session deleted (network_error; code - 4) or new sessions could be established while current sessions were still active. This issue is fixed. |
741849-1 | Previously, when an F5 Access connection was redirected from one virtual server to another, the VPN connection would fail to establish. Now, the VPN is established, and this issue is fixed. |
742270-1 | Previously, F5 Access failed to recognize a SAML HTTP POST request and wrongly treated it as an external redirect before restarting the Web Logon. With this release, the issue is resolved, and the Web Logon does not restart. |
742285-1 | Previously, F5 Access did not pass the VHOST cookie to the controller, causing a connection failure when accessing a web application that contains a landing URI. Now, the cookie is set, and this issue is resolved. |
745614-1 | Previously, when the Access Profile was configured with a Domain Cookie on BIG-IP, F5 Access failed to connect in Web Logon mode. Now, this issue is resolved, and the VPN connection is established. |
751187-1 | Previously, F5 Access displayed DNS error notifications when the device was not able to resolve the FQDN for F5 Access Server, and the on-demand VPN connection attempt failed. These error messages were displayed on the device until the VPN on-demand connection was restored. Now, there are no DNS error notifications for on-demand triggered connections, and this issue has been fixed. |
757704-1 | Previously, F5 Access failed to resolve the iOS DNS requests for root servers, causing a delay in establishing the VPN tunnel (60+ seconds). This issue has been fixed, and now the F5 Access VPN tunnel establishment process connects and reconnects immediately. |
Known issues in F5 Access 2.0.1
The following are known issues that affect the user experience when F5 Access is used on a macOS device. These issues may be addressed in the future by F5 or Apple.
ID number | Description |
---|---|
712947 | In the Web Logon mode, you are shown a prompt to install the browser plugin when the client-side EPS checks are running, instead of using the fallback branch for client-side checks. In the native mode, the fallback branch is chosen on all client-side checks without any prompt. As a workaround, in the Web Logon mode, click the Click here link, in the Continue without installing software section of the prompt, to be routed to the fallback branch. Alternatively, you can configure an access policy configuration that uses Detect F5 Access macro for detecting F5 Access for Mac and the Access Policy macro for logon and authorization. How it works In the Detect F5 Access macro:
The Access Policy macro is the actual policy using the combination of Logon Page and any required authentication actions to authenticate users directly against a local user database. It may use either an Advanced Resource Assign action or a Webtop and Links Assign action to add webtop or webtop links. |
713854-2 | When APM reaches the concurrent session limit, it does not allow newer APM sessions to be created. In such a scenario, if an F5 Access client that has saved credentials on the client connects to APM, the VPN fails to establish. The credentials are assumed to be invalid and deleted. As a workaround, use the following iRule: |

```tcl
#
# A simple rule to send reset when F5 Access sends a request with an errorcode=14
#
#
# Ref: https://devcentral.f5.com/articles/http-event-order-access-policy-manager
#
when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    if { [HTTP::uri] contains "my.logout.php3?errorcode=14" && [HTTP::header value "User-Agent"] contains "F5Access/2.1.1" } {
        log local0. "DEBUG LOG: [HTTP::uri] => rejecting"
        # simply reject
        reject
    }
}
```

ID number | Description |
---|---|
714132 | When a VPN configuration is installed by an MDM or configured from a .mobileconfig file, and authentication fails, the VPN connection switches to Disconnected mode without displaying an "Authentication failed" error message. |
714426 | In this release, compression for inbound traffic works correctly. However, on the Details statistics screen, the Received Compression percentage is always displayed as 0.0. |
714635 | When the On-Demand Cert Auth is set to Require in the access policy, and there is no certificate, the wrong certificate, or if Web Logon mode is used to connect, F5 Access switches to Disconnected state with no error message. |
715985 | If a per-app VPN configuration does not have SafariDomains specified, it is detected as an Enterprise (device-wide) VPN. |
715989 | The OnDemandRule action EvaluateConnection does not work with per-app VPN connections. It does work for device-wide VPN connections on macOS 10.13.4 with Safari. This is the expected behavior. Only the Disconnect action works with per-app VPN. |
716909 | When you create a VPN configuration with a certificate with Web Logon enabled, and then connect to the VPN configuration for the first time, several prompts are displayed. For most of the prompts, you can select "Always Allow" and proceed. Some prompts may require you to acknowledge them each time they appear. |
717157 | Password cannot be entered for a new configuration if the password field has been disabled while editing another configuration that was reverted later. As a workaround, close the F5 Access Configuration window to resolve the issue. When the user goes to Manage VPN Configurations again, the password field can be populated successfully. |
718122 | On macOS 10.12, the client proxy exclusion list does not work correctly for wildcard IP addresses (for example, 172.29.68.*, 172.*.197). Such traffic still routes through the proxy and does not bypass the proxy. The exclusion list does work correctly for names, names with wildcards, and IP addresses without wildcards. |
718843 | In Web Logon mode, with the client certificate set to require in the clientssl profile, the session is not deleted from the BIG-IP when the user disconnects. Native logon mode is not affected. |
722550 | When the Network Access is configured for split tunneling, and the DNS address space is not set to the wildcard *, then the client proxy settings are not used by Chrome or Firefox and the traffic bypasses the proxy. Safari uses client proxy settings correctly in this scenario. Workaround: Chrome and Firefox successfully use client proxy settings when the Network Access is configured to force all traffic through the tunnel, or it is configured for split tunneling, with the DNS Address Space set to *. |
724230 | When you enable per-app VPN with Chrome as a managed application and reboot or wake up the Mac, multiple login prompts appear. This issue is currently reported to Apple and tracked through 41166852. |
725804 | On F5 Access for macOS, when a client certificate is requested, Web Logon mode is specified, and the user chooses Always Allow when presented with the prompt "com.apple.Webkit.Networking wants to sign using key...", a network tunnel cannot be established. |
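Known issues 715985 and 715989 can be caught before a profile is deployed. The following is an added example, not F5 code: it audits an unsigned .mobileconfig for per-app VPN payloads that lack SafariDomains or use an EvaluateConnection on-demand rule. It assumes Apple's per-app VPN payload type `com.apple.vpn.managed.applayer`; the sample profile and its names are constructed.

```python
import plistlib

PER_APP_TYPE = "com.apple.vpn.managed.applayer"  # Apple per-app VPN payload type (assumed)

# Constructed sample profile (not from the release note): one per-app payload with no
# SafariDomains and an EvaluateConnection rule, and one payload that is configured cleanly.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed.applayer</string>
      <key>UserDefinedName</key><string>example-per-app</string>
      <key>OnDemandRules</key><array>
        <dict><key>Action</key><string>EvaluateConnection</string></dict>
        <dict><key>Action</key><string>Disconnect</string></dict>
      </array>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed.applayer</string>
      <key>UserDefinedName</key><string>example-ok</string>
      <key>SafariDomains</key><array><string>intranet.example.com</string></array>
    </dict>
  </array>
</dict></plist>"""


def audit_profile(data):
    """Return (payload name, issue ID, message) tuples for each finding."""
    findings = []
    profile = plistlib.loads(data)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PER_APP_TYPE:
            continue  # only per-app VPN payloads are affected
        name = payload.get("UserDefinedName", "<unnamed>")
        if not payload.get("SafariDomains"):
            findings.append((name, "715985", "no SafariDomains: detected as device-wide VPN"))
        for rule in payload.get("OnDemandRules", []):
            if rule.get("Action") == "EvaluateConnection":
                findings.append((name, "715989", "EvaluateConnection does not work with per-app VPN"))
    return findings


if __name__ == "__main__":
    for name, issue, message in audit_profile(SAMPLE_PROFILE):
        print(f"{name}: [{issue}] {message}")
```

A signed profile is CMS-wrapped and must be unwrapped before `plistlib` can parse it.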
Contacting F5
North America | 1-888-882-7535 or (206) 272-6500 |
Outside North America, Universal Toll-Free | +800 11 ASK 4 F5 or (800 11275 435) |
Additional phone numbers | Regional Offices |
Web | http://www.f5.com |
Email | support@f5.com |
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
F5 Support | Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology. |
AskF5 Knowledge Base | The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source. |
BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer | BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration. |
F5 DevCentral | Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more. |
Communications Preference Center | Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products. |