Summary:
In March 2018, Apple posted the release of F5 Access for iOS 2018 (version 3.0.0). Users should download this new version from the app store.
Applies To: BIG-IP APM 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.0, 13.1.3, 13.1.1, 13.1.0
Contents:
- User documentation for this release
- Features and enhancements in 3.0.0
- Behavior changes in 3.0.0
- Known issues affecting F5 Access 3.0.0
- Fixes in 3.0.0
- Legal notices
- Contacting F5 Networks
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to BIG-IP Access Policy Manager Documentation.
Features and enhancements in 3.0.0
Apple Network Extension
F5 Access 2018 (3.0.0) uses the new Apple Network Extension. This is the initial release built on the Network Extension, and it is the version that will receive the latest updates and fixes. It is supported on iOS 11.x and later. Per-App VPN tunnels are supported, and the Apple Network Extension provides full Layer 3 connections for Per-App VPN, which includes support for both TCP and UDP apps. In the future, this will be the only supported version.
Apple has deprecated support for the previous VPN framework on which F5 Access 2.1.x is based, so there will be no new development going forward. Version 2.1.x will continue to be supported for critical bug fixes.
MDM support and profiles
Because this new release of F5 Access requires MDM changes, please check with your MDM vendor before you upgrade if you require MDM support.
The VPN MDM profile for previous versions of F5 Access is not compatible with F5 Access for iOS 2018. MDM vendors must support VPNType (VPN), VPNSubType (com.f5.access.ios) and ProviderType (packet-tunnel). Please consult with your MDM vendor for how to set this up, as some may require a custom VPN type and others may not have support available at release time.
Future development
The previous version of F5 Access for iOS (2.1.1) is still supported. Critical bugs will continue to be fixed, but eventually the 2.x version will be phased out.
App IDs
F5 Access for iOS 2018 and F5 Access for iOS 2.x are different apps, and have different app IDs. F5 Access for iOS 2.x installed on a client's iOS device will not be automatically upgraded to F5 Access for iOS 2018.
Both versions can coexist on a single iOS device. This allows time for legacy migrations and features to be supported. There may be complications with such installations, and it is recommended you migrate your clients to F5 Access 2018 as soon as your infrastructure supports it.
Certificates
A client can only use a self-signed certificate if the CA is first trusted on the device. Client certificates must be installed by an MDM, or with a .mobileconfig file, and there are no runtime prompts supported.
HTTP connections must use HTTPS (RFC 2818).
An X.509 digital server certificate must meet at least one of the following trust requirements:
- Issued by a certificate authority (CA) whose root certificate is incorporated into the operating system
- Issued by a trusted root CA and installed by the user or a system administrator
The negotiated Transport Layer Security (TLS) version must be TLS 1.2 (RFC 5246).
The connection must use either the AES-128 or AES-256 symmetric cipher. The negotiated TLS connection cipher suite must support perfect forward secrecy (PFS) through Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange, and must be one of the following:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
The leaf server certificate must be signed with one of the following types of keys:
- Rivest-Shamir-Adleman (RSA) key with a length of at least 2048 bits
- Elliptic-Curve Cryptography (ECC) key with a size of at least 256 bits
In addition, the leaf server certificate hashing algorithm must be Secure Hash Algorithm 2 (SHA-2) with a digest length, sometimes called a “fingerprint,” of at least 256 (that is, SHA-256 or greater).
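The following Python script is an added example (it is not F5 or Apple code) that evaluates what a server negotiates against the TLS and certificate requirements listed in this section, so an administrator can confirm a BIG-IP APM virtual server satisfies the client before rolling out F5 Access 3.0. The `probe` helper observes the version and cipher a TLS 1.2-only client gets from a server; the leaf key size and signature digest are passed in from a separate inspection of the certificate, since the standard library does not expose them.

```python
import socket
import ssl

# Approved cipher suites (IANA names), copied from the list in this section.
ALLOWED_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}   # leaf key minimums from this section
SHA2_OK = {"sha256", "sha384", "sha512"}  # SHA-2 with a digest of at least 256 bits

def iana_name(openssl_name):
    """Map an OpenSSL cipher name (as SSLSocket.cipher() reports it) to the IANA form
    used above, e.g. ECDHE-RSA-AES128-SHA -> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA.
    Only the ECDHE/AES family is translated; anything else fails the allow-list."""
    parts = openssl_name.split("-")
    if len(parts) < 4 or not parts[2].startswith("AES"):
        return openssl_name
    kx, auth, aes, rest = parts[0], parts[1], parts[2], parts[3:]
    mode = "GCM" if rest[0] == "GCM" else "CBC"
    mac = rest[1] if mode == "GCM" else rest[0]
    return f"TLS_{kx}_{auth}_WITH_AES_{aes[3:]}_{mode}_{mac}"

def evaluate(tls_version, cipher, key_type, key_bits, sig_hash):
    """Return the list of violated requirements (an empty list means compliant).
    key_type is "RSA" or "EC"; sig_hash is the leaf signature digest, e.g. "sha256"."""
    problems = []
    if tls_version != "TLSv1.2":
        problems.append(f"negotiated {tls_version}, but TLS 1.2 is required")
    if iana_name(cipher) not in ALLOWED_CIPHERS:
        problems.append(f"cipher suite {cipher} is not an approved ECDHE AES suite")
    minimum = MIN_KEY_BITS.get(key_type)
    if minimum is None or key_bits < minimum:
        problems.append(f"{key_type} leaf key of {key_bits} bits is below the minimum")
    if sig_hash.lower().replace("-", "") not in SHA2_OK:
        problems.append(f"leaf signature digest {sig_hash} is weaker than SHA-256")
    return problems

def probe(host, port=443):
    """Observe what a TLS 1.2-only client negotiates with a server; returns
    (version, openssl_cipher_name) for use with evaluate()."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```

A server that only offers TLS 1.3 or a non-ECDHE suite makes `probe` raise or `evaluate` report a violation, which is exactly the case where the client's ATS policy would refuse the connection.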
Behavior changes in 3.0.0
ID number | Description |
---|---|
679249 | Starting with F5 Access version 3.0, the client is distributed with App Transport Security (ATS) enabled. ATS, introduced in iOS 9, no longer allows apps to initiate insecure plain-text HTTP connections, or TLS connections that do not comply with its stricter requirements. The changes include: |
697694 | In F5 Access 2.1.1, the session variable session.client.biometric_fingerprint was not populated when an on-demand connection was completed. In F5 Access 3.0.0, session.client.biometric_fingerprint is populated when an on-demand connection is completed. |
702427 | If the BIG-IP configuration contains the LaunchApplication block for the Edge Client branch, the application works for on-demand VPN scenarios and per-app VPN scenarios. The following notification appears when the tunnel is established: "The Remote Access Server is attempting to run a local application." The user must click this message or launch F5 Access to start the app. |
706017 | Beginning with F5 Access 3.0.0, Per-App VPN connections are L3. As a result: |
Known issues affecting F5 Access 3.0.0
The following are known issues that affect the user experience when F5 Access is used on an iOS device. These issues may be addressed in the future by F5 or Apple.
ID number | Description |
---|---|
504919 | F5 Access does not resolve the BIG-IP APM hostname each time it reconnects after the connection is broken. This limits the use of load balancing with BIG-IP DNS as it keeps using the same IP address for the connection. |
557905 | On iOS 9, if a managed app is being updated while Per-App VPN is active, the updated app might not make use of the active session until the active session is expired and a new one is created. As a workaround, wait until the current session expires, and restart the updated app. |
587775 | iOS may frequently put the VPN plugin to sleep and wake it again while the device is in sleep mode, sending DNS queries each time. This keeps the APM session alive for a long time. The DNS queries are sent at intervals ranging from 10 seconds to a few minutes. The issue was reported to Apple for confirmation and is tracked as 25739124. |
601404 | When the iPhone user changes the default text settings to a larger size, the UI does not render properly. |
695712 | Due to an iOS issue (Apple Radar 36006149), it is currently not possible to switch between configurations using a Today widget. |
696882 | In this release, user interaction (prompts) is not supported in the per-App VPN scenario. The server configuration must not require any user interaction to establish the VPN. |
699062 | User interaction is not currently supported in the per-App VPN scenario; administrators should configure the server so that no user interaction is needed to establish the VPN. |
700849 | MDM-pushed device-type VPN features, including SavePasswordEnabled and enforceWebLogon, are broken after the device is restored from a device backup. |
700903 | The user may have to enter the password again when network connectivity changes, for example when Wi-Fi is enabled or disabled or the device roams between Wi-Fi networks. This issue has been reported to Apple as 36379795 and is under investigation. |
701247 | With the use of Apple Transport Security (ATS) in version 3.x, insecure HTTP does not work for most connections. However, in some cases an HTTP (not HTTPS) IP address does still work. This may or may not be removed in the future by Apple. |
701636 | The Session expired or closed by server message will not appear when session is killed by an administrator or by timeout. The tunnel will be silently closed instead. Similarly, the message will not be shown if no lease pool is specified for the NA resource or the NA's lease pool is exhausted. |
704309 | F5 Access does not send the client certificate to BIG-IP if web logon mode is enabled in the configuration, due to framework limitations. |
704554 | The error message "Authentication failed" is displayed if notifications are not allowed for F5 Access, in a scenario where F5 Access requires user input to authenticate. As a workaround, the user should enable notifications in | .
707434 | The confirmation message "F5 Access 2018 Would like to Add VPN Configurations" that appears when the user attempts to save a first VPN configuration is not localized in iOS 11. Regardless of the selected system language, the message appears in English. |
Fixes in 3.0.0
ID number | Description |
---|---|
521817 | Previously, Per-App VPN supported only DNS Resource Record (RR) types A and PTR. Now, Per-App VPN also supports DNS Resource Record type SRV. |
562772 | F5 Access 3.0 does not require the user to accept enabling VPN on the first launch. This allows the client to use MDM-deployed configurations without launching F5 Access first. For configurations that require user interaction, notifications must be enabled, which can be done in | or on the first launch of F5 Access. |
650411 | Previously, the Session ID was sometimes included in Edge Client URI requests. Session ID is no longer included in URI requests. |
664981 | Previously, if the password in an On-Demand configuration failed due to password expiration, there was no notification. Now a notification is posted to the user when an expired password causes the authentication failure. |
695687 | With iOS 10, when the access policy required a client certificate to authenticate and the client certificate provided by the VPN configuration was incorrect or invalid, F5 Access attempted to reconnect until the request timeout threshold, then an error message was displayed. With iOS 11 in such a scenario the error occurs and the message is displayed immediately. |
697722 | Prior to version 3.0.0, the setting Ignore Client Proxy Autoconfig Script Download Failure in the Network Access Network Settings was ignored and the VPN was established whether the PAC file failed to download or not. Now, this setting is honored, and the VPN will not connect when the PAC file does not download and this setting is not enabled. |
700651 | In previous versions, Per-App VPN connections did not disconnect immediately after the timeout, as the timeout calculation was triggered by incoming or outgoing traffic. This could create problems as some apps could not reliably detect offline scenarios. In version 3.0.0, this problem is fixed. |
Contacting F5 Networks
Phone - North America: | 1-888-882-7535 or (206) 272-6500 |
Phone - Outside North America, Universal Toll-Free: | +800 11 ASK 4 F5 or (800 11275 435) |
Fax: | See Regional Support for your area. |
Web: | https://support.f5.com/csp/home |
Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: https://f5.com/support
- The AskF5 web site: https://support.f5.com/csp/home
- The F5 DevCentral web site: https://devcentral.f5.com/
- AskF5 Publication Preference Center: https://interact.f5.com/AskF5-SubscriptionCenter.html
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 Publication Preference Center
To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.
- TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
- TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
- Security Alerts: Timely security updates and ASM attack signature updates from F5.