Release Notes : F5 Access for iOS 3.0.3

Updated Date: 08/19/2019

Summary:

In October 2018, Apple posted the release of F5 Access for iOS 3.0.3. Users should download this new version from the app store.

Applies To: BIG-IP APM 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 12.1.5, 12.1.4, 12.1.3, 11.6.4, 11.6.3, 11.6.2, 11.5.7

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to BIG-IP Access Policy Manager Documentation.

Features and enhancements in 3.0.3

There are no features and enhancements in 3.0.3.

Features and enhancements in 3.0.2

There are no features and enhancements in 3.0.2.

Features and enhancements in 3.0.1

Client Certificate
F5 Access 3.0.1 allows you to install client certificates in the following ways:
  • Import directly using a URL link or with the shared extension.
  • Deploy with a VPN configuration by an MDM service or mobile configuration profile. When using a mobile configuration profile, the certificate must be associated with a valid VPN configuration for F5 Access 3.x.
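A pre-deployment check for the mobile configuration profile case above, added here as an example (it is not F5's or Apple's code): it parses a profile with Python's plistlib and reports identity payloads that no F5 Access VPN payload references. The `VPNSubType` value, the payload UUIDs and the sample profile are assumptions constructed for illustration.

```python
import plistlib

# Assumed VPNSubType for F5 Access 3.x; confirm against your MDM documentation.
F5_SUBTYPE = "com.f5.access.ios"
# Apple payload types that deliver a client identity.
IDENTITY_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep"}

def sample_profile(cert_ref):
    """Constructed profile: one PKCS#12 payload and one VPN payload."""
    vpn = {"AuthenticationMethod": "Certificate"}
    if cert_ref:
        vpn["PayloadCertificateUUID"] = cert_ref
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.pkcs12",
             "PayloadUUID": "CERT-0001", "PayloadContent": b"constructed"},
            {"PayloadType": "com.apple.vpn.managed", "VPNType": "VPN",
             "VPNSubType": F5_SUBTYPE, "UserDefinedName": "MyVPN",
             "PayloadUUID": "VPN-0001", "VPN": vpn},
        ],
    })

def lint_profile(data, subtype=F5_SUBTYPE):
    """Return findings; an empty list means every identity is bound to a VPN."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    identities = {p["PayloadUUID"] for p in payloads
                  if p.get("PayloadType") in IDENTITY_TYPES and p.get("PayloadUUID")}
    referenced, findings = set(), []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.vpn.managed":
            continue
        if p.get("VPNSubType") != subtype:
            continue  # VPN payload for a different client app
        vpn = p.get("VPN", {})
        ref = vpn.get("PayloadCertificateUUID")
        name = p.get("UserDefinedName", p.get("PayloadUUID"))
        if ref is None:
            if vpn.get("AuthenticationMethod") == "Certificate":
                findings.append(f"{name}: certificate auth but no PayloadCertificateUUID")
        elif ref not in identities:
            findings.append(f"{name}: references missing identity {ref}")
        else:
            referenced.add(ref)
    for uuid in sorted(identities - referenced):
        findings.append(f"identity {uuid}: not associated with an F5 Access VPN payload")
    return findings

if __name__ == "__main__":
    print(lint_profile(sample_profile(None)))
```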

Behavior changes in 3.0.3

ID number Description
744910 For F5 Access version 3.0.1 and later, when a reconnect occurs due to a network change or brief network outage, F5 Access reconnects successfully, and the connected time shown in the status is reset to zero. This connection time is provided by the Apple iOS PacketTunnel framework and functions as designed.

Behavior changes in 3.0.2

There are no behavior changes in 3.0.2.

Behavior changes in 3.0.1

Name Change
The name of the app is changed from "F5 Access 2018" to "F5 Access".
Privacy Policy
When launching F5 Access 3.0.1 for the first time, you will receive an alert screen about Apple's privacy policy agreement. You need to click "Agree" to start using the app (ID 738281).

Known issues affecting F5 Access 3.0.3

ID number Description
504919 F5 Access does not resolve the BIG-IP APM hostname each time it reconnects after the connection is broken. This limits the use of load balancing with BIG-IP DNS as it keeps using the same IP address for the connection.
557905 On iOS 9, if a managed app is being updated while per-app VPN is active, the updated app might not make use of the active session until the active session is expired and a new one is created. As a workaround, wait until the current session expires, and restart the updated app.
587775 While the device is in sleep mode, iOS may frequently put the VPN plugin to sleep and wake it up, and send DNS queries. This keeps the APM session alive for a long time. The interval between DNS queries ranges from every 10 seconds to a few minutes. The issue was reported to Apple for confirmation and is tracked through 25739124.
695712 Due to an iOS issue (Apple Radar 36006149), it is currently not possible to switch between configurations using the widget added to the Today view.
696882 F5 Access does not support user interaction prompts for per-app VPN scenario. Server configuration should not require any user interaction to establish VPN.
699062 Per-app VPN that requires user interaction works only with a single per-app VPN configuration, and only with clients running iOS 12. We currently do not support user interaction in a per-app VPN scenario with any other per-app VPN configurations. Administrators should configure the BIG-IP so as not to require user interaction to establish VPN for configurations that require more than a single per-app VPN.
700849 When you use an MDM to push a device-wide VPN that includes the SavePasswordEnabled feature, the setting enforceWebLogon does not work after the device is restored from backup.
700903 You may have to enter the password again when there are network connectivity changes. For example, enable/disable wifi and wifi roaming. This issue is currently reported to Apple as 36379795 and is under investigation.
701247 With the use of Apple Transport Security (ATS) in version 3.x, insecure HTTP does not work for most connections. However, in some cases an HTTP (not HTTPS) IP address still works. This may or may not be removed in the future by Apple.
701636 The "Session expired or closed by server" message will not appear when the session is killed by an administrator or by timeout. The tunnel will be silently closed instead. Similarly, the message will not be shown if no lease pool is specified for the NA resource or the NA's lease pool is exhausted.
704309 Before iOS 12, F5 Access did not send the client certificate to BIG-IP if the weblogon mode was enabled in configuration, due to framework limitations. In iOS 12, Apple partially fixed this issue, but the client certificate is attached twice. We are still waiting for Apple to update us.
704554 In a scenario where F5 Access requires user input to authenticate, the error message "Authentication failed" is displayed if notifications are not enabled for F5 Access. As a workaround, you should enable notifications in Settings > F5 Access.
706718 If the per-app VPN configuration does not have SafariDomains specified, it is displayed as Enterprise VPN in F5 Access.
707434 The confirmation message "F5 Access would like to Add VPN Configurations" that appears when you attempt to save a first VPN configuration is not localized in iOS 11. Regardless of the selected system language, the message appears in English.
708016 After you perform Network Settings Reset on the iPhone, the following items of an MDM VPN configuration may get corrupted:
  • Web logon
  • Enforce logon mode
  • Password expiration time
  • Web logon auto populate
  • Save password policy

As a workaround, contact the MDM administrator and re-deploy the MDM configuration.

734519 On the iPad, in the Credentials prompt, the Save Password box is not aligned correctly.
738742 There is a DTLS fragmentation when F5 Access version 3.0.1 (and 3.0.0) is used.
742410 F5 Access 3.0.x cannot access certificates on an iOS device that were previously configured for F5 Access 2.1.x. For F5 Access 3.0.x, you must redeploy all required certificates.
743249 When F5 Access Legacy (2.1.x) and F5 Access 3.0.x are running on the same device, if there are configurations created in each VPN client with the same name (for example, MyVPN), after the iOS device restarts, a "2" is appended to the name of whatever configuration was created last (for example, MyVPN and MyVPN2).
743801 On a redirect, the Server URL name in the connection details of F5 Access is displayed incorrectly. However, there is no functional impact on the server connection, and the connection is established correctly.
743918 A VPN connection cannot be established if the PAC file cannot be downloaded without an established VPN.

As a workaround, set the Ignore Client Proxy Autoconfig Script Download Failure setting to enabled, so the client does not attempt to download the PAC file before establishing the connection. The tunnel will be created with PAC specification as provided in NA resource.

As a workaround for BIG-IP versions 11.6.3 and 11.5.7, where the Ignore Client Proxy Autoconfig Script Download Failure setting is not available in the user interface, add a Variable Assign agent with the following entries to your Access Policy:

  • Custom variable:

    config.connectivity_resource_network_access.NA_RESOURCE_NAME.client_proxy_settings

  • Custom expression:

    return {<client_proxy_settings><client_proxy>yes</client_proxy><client_proxy_script>CLIENT_PROXY_AUTOCONFIG_SCRIPT</client_proxy_script><client_proxy_ignore_auto_config_error>1</client_proxy_ignore_auto_config_error></client_proxy_settings>}

    This will enable the Ignore Client Proxy Autoconfig Script Download Failure setting.

745999 The session is not deleted from the BIG-IP system v11.6.3 when F5 Access is disconnected with the Weblogon mode enabled.
747350 F5 Access may not go to the reasserting state for 30 - 60 seconds when a mobile network connection is lost over a tunnel established with TLS. As a workaround, use the DTLS protocol instead of TLS, as tunnels over DTLS are not affected by this issue.

Fixes in 3.0.3

ID number Description
738442 Previously, under certain circumstances, per-app VPN sessions could intermittently close with the APM log "Session deleted (network_error; code - 4)", or new sessions could be established while current sessions were still active. This issue is resolved.
739513 Previously, F5 Access for iOS web logon failed in some cases when there were multiple redirects to external pages. This issue has been fixed.
744672 Previously, F5 Access failed to reconnect the VPN when the network changed state (connect, disconnect, reconnect, etc.) from wifi to 4G or vice versa. This issue has been fixed.
745614 Previously, when the Access Profile was configured with a Domain Cookie on BIG-IP, F5 Access web logon mode failed to connect. This issue is resolved.

Fixes in 3.0.2

ID number Description
741595 Previously, F5 Access 3.0.x ignored the password specified in the URL-schema request if password caching is disabled in the connectivity profile. Instead of using the password, F5 Access showed the credentials prompt to the user. This issue is resolved in version 3.0.2.
741849 Previously, when an F5 Access 3.0.x connection was redirected from one virtual server to another, the VPN connection would fail to establish. This has been fixed.
742270 Previously, F5 Access for iOS weblogon failed when the virtual server for a BIG-IP system is configured as a SAML service provider (SP). This caused F5 Access to fail to recognize SAML redirects and treat them as external redirects, restarting the weblogon. Now, the issue is resolved, and F5 Access recognizes SAML redirects.
742285 Previously, F5 Access 3.0.x did not send the VHOST cookie for the landing URI. This has been fixed.

Contacting F5 Networks

Phone - North America: 1-888-882-7535 or (206) 272-6500
Phone - Outside North America, Universal Toll-Free: +800 11 ASK 4 F5 or (800 11275 435)
Fax: See Regional Support for your area.
Web: https://support.f5.com/csp/home
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 Publication Preference Center

To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.

  • TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
  • TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
  • Security Alerts: Timely security updates and ASM attack signature updates from F5.
