BIG-IP Edge Client and F5 Access for macOS (2024)

Table of Contents
Applies To: BIG-IP APM
  1. MyF5 Home
  2. BIG-IP Access Policy Manager: Edge Client version 7.1.8 and Application Configuration
  3. BIG-IP Edge Client and F5 Access for macOS

Manual Chapter : BIG-IP Edge Client and F5 Access for macOS

Applies To:

Show Versions BIG-IP Edge Client and F5 Access for macOS (1)

BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP Edge Client and F5 Access for macOS (2)

Requirements for client installation and use on Mac

The table lists requirements for installing and using client components on a macOS system. These requirements apply to the Network Access client component that is downloaded from the browser and to BIG-IP Edge Client for Mac and F5 Access for macOS.

Requirement

Specification

Browser

For App Tunnels to work, the browser must have Java enabled. For installation, Java is optional. The client uses Java to streamline the installation process only. Without Java, users can manually download and install the client packages.

Java App Tunnels are supported on Edge Client only.

Installation privilege

The remote user must have superuser authority, or, must be able to supply an administrative password to successfully install the Network Access client.

About browser-based connections from Linux, Mac, and Windows clients

For Linux, Mac OS X, and Windows-based systems, the Network Access client component is available for automatic download from the BIG-IP® system.

The client component supports secure remote web-based access to the network. It is not the same as the customizable client package that is associated with the connectivity profile.

The first time a remote user starts Network Access, APM® downloads a client component. This client component is designed to be self-installing and self-configuring. If the browser does not meet certain requirements, APM prompts the user to download the client component and install it manually.

Overview: Configuring and installing Edge Client for Mac

Users of BIG-IP® Edge Client®for Mac can connect securely and automatically to your network while roaming using the automatic reconnect, password caching, and location awareness features of Edge Client. You can customize the client package; you must download it and make it available to users as hosted content on the BIG-IP system, or through another delivery mechanism.

Task summary

About Edge Client location awareness

The BIG-IP Edge Client provides a location-awareness feature. Using location awareness, the client connects automatically only when it is not on a specified network. The administrator specifies the networks that are considered in-network, by adding DNS suffixes to the connectivity profile. With a location-aware client enabled, a user with a corporate laptop can go from a corporate office, with a secured wireless or wired network connection, to an offsite location with a public wireless network connection, and maintain a seamless connection to allowed corporate resources. Network location-awareness can be triggered to run because of various reasons, such as IP changes and network interfaces starting up or shutting down. In reconnect mode, Edge Client might briefly establish a VPN tunnel before the network location-awareness feature can disconnect it. The Edge Client matches DNS suffixes reported by the system API to detect network location.

During a network switch, such as changing Wifi connections, Edge Client with network location-awareness must detect whether the new connection is local or remote. During this detection timeframe, there is a brief amount of time that Edge Client does not block certain external websites and can be reachable during the network switch.

About Edge Client automatic reconnection

BIG-IP Edge Client provides an automatic reconnection feature. Thisfeature attempts to automatically reconnect the client system to corporate network resources whenever the client connection drops or ends prematurely.

Configuring a connectivity profile for Edge Client for macOS

Update the connectivity profile in your Network Access configuration to configure security settings, servers, and location-awareness for BIG-IP Edge Client for macOS.

  1. On the Main tab, click

    Access

    Connectivity / VPN

    Connectivity

    Profiles

    .

    A list of connectivity profiles displays.

  2. Select the connectivity profile that you want to update and click

    Edit Profile

    .

    The Edit Connectivity Profile popup screen opens and displays General Settings.

  3. From the left pane of the popup screen, select

    Win/Mac Edge Client

    .

    Edge Client settings for Mac and Windows-based systems display in the right pane.

  4. Retain the default (selected) or clear the

    Save Servers Upon Exit

    check box.

    Specifies whether Edge Client maintains a list of recently used user-entered APM servers. Edge Client always lists the servers that are defined in the connectivity profile, and sorts them by most recent access, whether this option is selected or not.

  5. To enable the client to launch an administrator-defined script on session termination, select

    Run session log off script

    check box. The administrator specifies parameters which are passed by Edge Client to the script file. These parameters are defined by the session variable

    session.edgeclient.scripting.logoff.params

    . The client retrieves parameters from BIG-IP after session establishment. The administrator has the flexibility to set up variable values according to policy branching. Each time the Edge Client closes an APM session, the configured script is invoked. On macOS, the script is located at

    /Library/Application Support/F5Networks/EdgeClient/Scripting/onSessionTermination.bat

    .

    The

    Run session log off script

    check box is cleared by default.

  6. To enable the client to display a warning before launching the pre-defined script on session termination, select

    Show warning to user before launching script

    check box.

    This is selected by default.

  7. To support automatic reconnection without the need to provide credentials again, allow password caching.

    1. Select the

      Allow Password Caching

      check box.

      This check box is cleared by default.

      The remaining settings on the screen become available.

    2. To require device authentication to unlock the saved password, select

      Require Device Authentication.

      This option links the option to use a saved password to a device authentication method. Supported device authentication methods include PIN, passphrase, and biometric (fingerprint) authentication on iOS and Android. Android devices also support pattern unlocking.

    3. From the

      Save Password Method

      list, select

      disk

       or

      memory

      .

      If you select

      disk

      , Edge Client caches the user's password (in encrypted form) securely on the disk where it is persisted even after the system is restarted or Edge Client is restarted.

      If you select

      memory

      , Edge Client caches the user's password within the BIG-IP Edge Client application for automatic reconnection purposes.

      If you select

      memory

      , the

      Password Cache Expiration (minutes)

       field displays with a default value of 240.

    4. If the

      Password Cache Expiration (minutes)

      See Also
      Configuration Notes: F5 Access for Microsoft Windows 10 and Windows 10 MobileF5 Edge Client 7.2.1: Improving Security And Simplifying User Experience for Network and Web Application AccessF5 Access - Chrome Web StoreHow Secure is your VPN?

      field displays, retain the default value or type the number of minutes to save the password in memory.

  8. To enable automatic download and update of client packages, from the

    Component Update

    list, select

    yes

     (default).

    If you select

    yes

    , APM updates Edge Client software automatically on the client system when newer versions are available.

  9. Specify the list of APM servers to provide when the client connects.

    The servers you add here display as connection options in the BIG-IP Edge Client.

    Users can select from these servers or they can type a hostname.

    1. From the left pane of the popup screen, select

      Server List

      .

      A table displays in the right pane.

    2. Click

      Add

      .

      A table row becomes available for update.

    3. You must type a host name in the

      Host Name

      field.

      Typing an alias in the

      Alias

      field is optional.

    4. Click

      Update

      .

      The new row is added at the top of the table.

    5. Continue to add servers, and when you are done, click

      OK

      .

  10. Specify DNS suffixes that are considered to be in the local network.

    Providing a list of DNS suffixes for the download package enables Edge Client to support the autoconnect option. With

    Auto-Connect

    selected, Edge Client uses the DNS suffixes to automatically connect when a client is not on the local network (not on the list) and automatically disconnect when the client is on the local network.

    1. From the left pane of the popup screen, select

      Location DNS List

      .

      Location DNS list information is displayed in the right pane.

    2. Click

      Add

      .

      An update row becomes available.

    3. Type a name and click

      Update

      .

      Type a DNS suffix that conforms to the rules specified for the local network.

      The new row displays at the top of the table.

    4. Continue to add DNS names and when you are done, click

      OK

      .

  11. Click

    OK

    .

    The popup screen closes, and the Connectivity Profile List displays.

Customizing a downloadable client package for Mac

Customize a Mac client package for a connectivity profile to specify whether to launch BIG-IP Edge Client after a user logs in to the Mac.

  1. On the Main tab, click

    Access

    Connectivity / VPN

    Connectivity

    Profiles

    .

    A list of connectivity profiles displays.

  2. Select a connectivity profile.

  3. Click the arrow on the

    Customize Package

    button and select

    Mac

    .

    The Customize Mac Client Package screen displays.

  4. Retain the selection or clear the

    Auto launch BIG-IP Edge Client after User Log In

    check box.

  5. Click Download.

    The customized package,

    BIGIPMacEdgeClient.zip

    , is downloaded to your client. It is available for you to distribute.

If you plan to distribute Mac client packages to your users and you customize multiple Mac client packages (for different connectivity profiles), you need to rename or otherwise organize the packages. Otherwise, your download location contains packages named

BIGIPMacEdgeClient.zip

,

BIGIPMacEdgeClient.zip(1)

, and so on.

Downloading the ZIP file for Edge Client for Mac

You can download a Mac Client package and distribute it to clients.

  1. On the Main tab, click

    Access

    Connectivity / VPN

    Connectivity

    Profiles

    .

    A list of connectivity profiles displays.

  2. Select a connectivity profile.

  3. Click the arrow on the

    Customize Package

    button and select

    Mac

    .

    The Customize Mac Client Package screen displays.

  4. Click

    Download

    See Also
    Overview: F5 Access for macOS Devices

    .

    The screen closes and the package,

    BIGIPMacEdgeClient.zip

    , downloads.

The ZIP file includes a Mac installer package (PKG) file and configuration settings.

Specifying applications to start on a Mac

The launch application feature specifies a client application that starts when the client begins a Network Access session. You can use this feature when you have remote clients who routinely use Network Access to connect to an application server, such as a mail server.

  1. On the Main tab, click

    Access

    Connectivity / VPN

    Network Access (VPN)

    Network Access Lists

    .

    The Network Access Lists screen opens.

  2. In the Name column, click the name of the network access resource you want to edit.

  3. To configure applications to start for clients that establish a Network Access connection with this resource, click

    Launch Applications

    on the menu bar.

  4. Click

    Add

    to add an application list.

  5. In the

    Application Path

    field, type

    open

     .

  6. In the

    Parameters

    field, type a parameter.

    For example, type

    -a/Applications/ie.app http://www.f5.com

    .

  7. From the

    Operating System

    list, select

    Mac

    .

  8. Click

    Finished

    to add the configuration.

Now when remote users with assigned resources make a Network Access connection, the application you configured starts automatically.

Editing the log level for Edge Client on Mac

You can edit log settings in the configuration file on Mac systems.

  1. In the

    ~/Library/F5Networks.

    directory, open the

    f5networks.conf

     file.

  2. Edit the settings to change the log level.

    For debugging purposes, set the values to 48.

About connection options on Edge Client for Mac

BIG-IP Edge Client and F5 Access for macOS (3)

BIG-IP® Edge Client® for Mac user interface displays these connection options.

Auto-Connect

Starts a secure access connection as it is needed. This option uses the DNS suffix information defined in the connectivity profile to determine when the computer is on a defined local network. When the computer is not on a defined local network, the secure access connection starts. When the computer is on a local network, the client disconnects, but remains active in the system tray. This option does not display if DNS suffixes were not defined.

Connect

Starts and maintains a secure access connection at all times, regardless of the network location.

Disconnect

Stops an active secure access connection, and prevents the client from connecting again until a user clicks

Connect

or

Auto-Connect

.

Overview: Always connected mode for macOS

BIG-IP Edge Client provides Always Connected mode for macOS. This feature allows you to specify that the client is always connected to the VPN, and allows you to configure exclusion addresses to grant connectivity when the VPN is not connected. The FWCTL service in always connected mode manages the connectivity. To configure and install Always Connected mode for macOS, you must create a config file for the exclusion list and prepare the Edge Client installation package for macOS.

About FWCTL service and exclusion list

macOS has a network Packet Filter (PF) firewall that is installed and disabled by default. FWCTL is the PF Firewall management service for macOS that is bundled and installed along with Edge Client installation. When the VPN is disconnected, the firewall becomes active, and the FWCTL service ensures that the user can only access the list of addresses in the whitelist. The FWCTL service is configured when the Edge Client installation package

BIGIPMacEdgeClient.zip

is customized for download for macOS.

Default firewall rules

The following default firewall rules are applied when the firewall is enabled. A static exclusion rule overrides these default rules.

  • Allow all incoming traffic

  • Block all outgoing traffic

  • Allow all traffic on the loopback interface

  • Allow all UDP traffic on port 68 for DHCP protocol

  • Allow all UDP and TCP traffic on port 53 for DNS protocol

  • Allow all traffic to captive portal probe destination configured on the system

  • APM virtual destinations are excluded

Static Exclusion List

The static exclusion list is an XML file in which you specify the destination hosts. All traffic is allowed to the destinations you add to the exclusion list. The config file must be named

f5fwctl.xml

and placed in the

/Library/Application Support/F5Networks/

 directory. The exclusion list supports the following data format.

  • IPv4 or IPv6 address (preferred)

  • Hostname

  • HTTP or HTTPS URL

  • Port number may be included to the hostname, IP address and HTTP or HTTPS URL separated by ':' (colon)

An example entry is:

<ITEM>vpn.example.com</ITEM>

<ITEM>10.1.1.1</ITEM>

<ITEM>http://www.mydomain.com</ITEM>

When an IP address, Hostname or URL is specified, complete access to the endpoint is given, and requests can be sent to multiple ports on the server with the same IP address, whereas when a port is specified, access is given to only to that particular port.

Static exclusion list does not support subnet mask or network address.

Configured firewall settings

The following settings are configured to enable and disable the firewall rules.

  • Enable firewall when VPN is disconnected

  • Disable firewall when VPN is connected

  • Disable firewall when inside a corporate network

  • When firewall is enabled, only the FWCTL firewall rules are in effect. The static exclusion rule overrides the default firewall rules. Use

    <FLUSH_RULES>false</FLUSH_RULES>

    in the

    f5fwctl.xml

     file to keep the connection alive. This option is TRUE by default.

  • When firewall is disabled, the default firewall rules remain in effect.

Periodic re-evaluation of static exclusion list

The FWCTL service does a periodic re-evaluation of the static exclusion and APM server host lists, and updates the firewall rules in the following cases.

  • changes in the static exclusion list

  • changes in the APM server configuration file

  • network change event

When the IP address list is unchanged, the FWCTL service does not update the firewall rule.

The FWCTL service caches IP addresses for re-evaluation of exclusion and APM server host lists for the period of DNS TTL (time-to-live) or Maximum TTL - whichever is smaller. By default, maximum TTL is 30 minutes. The cache expires when the DNS server is changed. When the cache expires, the FWCTL service resolves IP addresses and updates the firewall rules if there is any change. When an IP address cannot be resolved, the FWCTL service builds the firewall rules using previously resolved addresses (if any). The FWCTL service retries unresolved hosts in a 15 seconds interval. The DNS TTL can be configured in the

f5fwctl.xml

file.

Network Location Awareness based on DNS Suffixes

The following options used for

DISCONNECTED_VPN_TRAFFIC_OPTION

in the Edge Client configuration filedecide the behavior of the firewall when the VPN is not connected.

DISCONNECTED_VPN_TRAFFIC_OPTION

Behavior

Description

Block

Enable firewall irrespective of whether the user is in anenterprise or non-enterprise LAN. Any connectivity will be blocked until theuser establishes VPN.

1

Allow

The firewall is not installed. The user can connect to theexternal networks even when VPN is not established.

2

AllowInLan

Disable firewall only in an enterprise LAN. The user canconnect to external networks in an enterprise LAN which is determined by theNLA configuration. If the user is not in enterprise LAN and if VPN is notestablished, the firewall will remain active.

Any other value

Block

If any other value is set, it is ignored and will defaultto 0, blocking any connectivity until the user establishes VPN.

No value set

Block

If no value is set, it will default to 0, blocking anyconnectivity until the user establishes VPN.

Option missing

Block

If this option is missing, it will default to 0, blockingany connectivity until the user establishes VPN.

About Edge Client Profile Options

The NLA feature is enabled when the option

DISCONNECTED_VPN_TRAFFIC_OPTION

is set to

2

 (Allow in Enterprise LAN) in the Edge Client configuration file. The firewall reads the configured DNS suffixes and performs NLA on the matching suffixes. When suffixes match, the network is detected as a corporate network and the firewall rules are disabled, thereby allowing all traffic. The NLA service only runs at startup or when a network connection changes.

Edge Client profile with DNS suffixes for Always Connected NLA

The following is a sample Edge Client profile with DNS suffixes:

 <?xml version="1.0" encoding="UTF-8"?> <PROFILE VERSION="2.0"> <ALWAYS_CONNECTED_MODE>YES</ALWAYS_CONNECTED_MODE> <DISCONNECTED_VPN_TRAFFIC_OPTION>3</DISCONNECTED_VPN_TRAFFIC_OPTION> <LOCATIONS> <CORPORATE> <DNSSUFFIX>domain1.com</DNSSUFFIX> </CORPORATE> <CORPORATE> <DNSSUFFIX>domain2.com</DNSSUFFIX> </CORPORATE> <CORPORATE> <DNSSUFFIX>*.domain2.com</DNSSUFFIX> </CORPORATE> </LOCATIONS> </PROFILE>

Creating a config file for FWCTL

Create an XML file for the FWCTL service.

  1. Populate the exclusion list with an IP address, hostname, URL, FLUSH RULES and DNS TTL. Following is a sample config file: 

     <?xml version="1.0" encoding="UTF-8"?> <CLIENT_CONFIGURATOR> <STONEWALL_EXCLUSIONS> <ITEM>vpn.example.com</ITEM> <ITEM>10.1.1.1</ITEM> <ITEM>http://www.mydomain.com</ITEM> </STONEWALL_EXCLUSIONS> <DNS_TTL>30</DNS_TTL> <FLUSH_RULES>false</FLUSH_RULES> </CLIENT_CONFIGURATOR>

  2. Name the config file

    f5fwctl.xml

    .

  3. Place the file in the

    /Library/Application Support/F5Networks/

    directory.

Installing Always On Edge Client on macOS

To configure and install Always Connected mode for macOS, you must create a config file for the exclusion list and prepare the Edge Client installation package for macOS.

  1. Install the

    APM client.iso

    available from downloads.f5.com to the BIG-IP APM server.

  2. On the Main tab, click

    Access

    Connectivity / VPN

    Connectivity

    Profiles

    .

    A list of connectivity profiles displays.

  3. Select the connectivity profile that you want to update and click

    Edit Profile

    .

    The Edit Connectivity Profile popup screen opens and displays General Settings.

  4. From the left pane of the popup screen, select

    Win/Mac Edge Client

    Location DNS List

    .

  5. Add one or more DNS names for the Enterprise Network and click

    OK

    .

  6. Click the arrow on the

    Customize Package

    button and select

    Mac

    .

    The Customize Mac Client Package screen displays.

  7. Clear the

    Auto launch BIG-IP Edge Client after User Log In

    check box.

  8. Click Download.

    The customized package,

    BIGIPMacEdgeClient.zip

    , is downloaded to your client.

  9. Extract the content of the zip file on a macOS system.

  10. Place the config file

    f5fwctl.xml

    created for the exclusion list in the same location as

    mac_edgesvpn.pkg

     file.

  11. Create

    opt-fwctl

    (an empty file - 'touch opt-fwctl'), and place it in the same locations as

    mac_edgesvpn.pkg

     file.

  12. Double click the file

    mac_edgesvpn.pkg

    to install the Edge Client.

When Edge Client installation completed, the FWCTL application and the related files and modules are downloaded to the

/Applications/BIG-IP Edge Client.app/Contents/Resources

directory.

Uninstalling Edge Client in Always Connected mode

To uninstall Edge Client installed in Always Connected mode, perform the following steps:

Dragging and dropping the Edge Client application to the trash for uninstalling is not supported in Always Connected mode.

  1. Open the terminal application as an administrative user.

  2. To start a privileged session, type the

    sudo-i

    command.

  3. When prompted, enter your administrator password.

  4. To start the uninstallation script type the following command:

    /Applications/BIG-IP\ Edge\ Client.app/Contents/Resources/uninstall.sh

When the uninstall of Edge Client completes, the FWCTL application and all related files and modules are removed from the system.

About Network Access features for Mac clients

Access Policy Manager (APM) supports all of the primary Network Access features for Mac clients, except for Drive Mappings and some endpoint security features.

For endpoint security support, refer to

BIG-IP APM Client Compatibility Matrix

on AskF5 at

http://support.f5.com/

.

For information about Network Access features, refer to

BIG-IP Access Policy Manager: Network Access

on AskF5 at

http://support.f5.com/

.

VPN component installation and log locations on a Mac

On Macintosh operating systems, the client installs the VPN components and writes VPN logs to the locations listed in the table.

VPN component

Location

Network Access plugin

/Library/Internet Plugins/

Endpoint Security (client checks)

~/Library/Internet Plugins/

VPN logs are written to the following directory:

~/Library/Logs/F5Networks

.

BIG-IP Edge Client and F5 Access for macOS (2024)
Top Articles
Offres et tarifs ING Direct : Carte et compte, Assurance Vie, Bourse, Livret
Assurance-vie ING : pourquoi faut-il miser sur elle ?
Radikale Landküche am Landgut Schönwalde
Libiyi Sawsharpener
Erika Kullberg Wikipedia
Ofw Pinoy Channel Su
Usborne Links
DL1678 (DAL1678) Delta Historial y rastreo de vuelos - FlightAware
Paula Deen Italian Cream Cake
Bustle Daily Horoscope
Imbigswoo
Carter Joseph Hopf
Top Hat Trailer Wiring Diagram
Where does insurance expense go in accounting?
House Party 2023 Showtimes Near Marcus North Shore Cinema
The best TV and film to watch this week - A Very Royal Scandal to Tulsa King
R Personalfinance
Glenda Mitchell Law Firm: Law Firm Profile
How To Tighten Lug Nuts Properly (Torque Specs) | TireGrades
Craig Woolard Net Worth
Preggophili
SOGo Groupware - Rechenzentrum Universität Osnabrück
Busted Mugshots Paducah Ky
Xxn Abbreviation List 2017 Pdf
O'reilly's In Mathis Texas
Xxn Abbreviation List 2023
Www Mydocbill Rada
Osrs Important Letter
Downloahub
Rogold Extension
Rlcraft Toolbelt
Wasmo Link Telegram
Tendermeetup Login
Babylon 2022 Showtimes Near Cinemark Downey And Xd
Dmitri Wartranslated
Anya Banerjee Feet
Craigslist Ludington Michigan
Tsbarbiespanishxxl
Man Stuff Idaho
Bunkr Public Albums
Torrid Rn Number Lookup
Locate phone number
Comanche Or Crow Crossword Clue
Swoop Amazon S3
10 Types of Funeral Services, Ceremonies, and Events » US Urns Online
Sea Guini Dress Code
The Complete Uber Eats Delivery Driver Guide:
UNC Charlotte Admission Requirements
Enter The Gungeon Gunther
Erica Mena Net Worth Forbes
Mmastreams.com
Pilot Travel Center Portersville Photos
Latest Posts
The Cincinnati Enquirer from Cincinnati, Ohio
The Cincinnati Post from Cincinnati, Ohio
Article information

Author: Merrill Bechtelar CPA

Last Updated:

Views: 5616

Rating: 5 / 5 (50 voted)

Reviews: 89% of readers found this page helpful

Author information

Name: Merrill Bechtelar CPA

Birthday: 1996-05-19

Address: Apt. 114 873 White Lodge, Libbyfurt, CA 93006

Phone: +5983010455207

Job: Legacy Representative

Hobby: Blacksmithing, Urban exploration, Sudoku, Slacklining, Creative writing, Community, Letterboxing

Introduction: My name is Merrill Bechtelar CPA, I am a clean, agreeable, glorious, magnificent, witty, enchanting, comfortable person who loves writing and wants to share my knowledge and understanding with you.