- MyF5 Home
- BIG-IP Access Policy Manager: Edge Client version 7.1.8 and Application Configuration
- BIG-IP Edge Client and F5 Access for macOS
Manual Chapter : BIG-IP Edge Client and F5 Access for macOS
Applies To:
Show Versions
BIG-IP APM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Requirements for client installation and use on Mac
The table lists requirements for installing and using client components on a macOS system. These requirements apply to the Network Access client component that is downloaded from the browser and to BIG-IP Edge Client for Mac and F5 Access for macOS.
Requirement | Specification |
---|---|
Browser | For App Tunnels to work, the browser must have Java enabled. For installation, Java is optional. The client uses Java to streamline the installation process only. Without Java, users can manually download and install the client packages. Java App Tunnels are supported on Edge Client only. |
Installation privilege | The remote user must have superuser authority, or, must be able to supply an administrative password to successfully install the Network Access client. |
About browser-based connections from Linux, Mac, and Windows clients
For Linux, Mac OS X, and Windows-based systems, the Network Access client component is available for automatic download from the BIG-IP® system.
The client component supports secure remote web-based access to the network. It is not the same as the customizable client package that is associated with the connectivity profile.
The first time a remote user starts Network Access, APM® downloads a client component. This client component is designed to be self-installing and self-configuring. If the browser does not meet certain requirements, APM prompts the user to download the client component and install it manually.
Overview: Configuring and installing Edge Client for Mac
Users of BIG-IP® Edge Client®for Mac can connect securely and automatically to your network while roaming using the automatic reconnect, password caching, and location awareness features of Edge Client. You can customize the client package; you must download it and make it available to users as hosted content on the BIG-IP system, or through another delivery mechanism.
Task summary
About Edge Client location awareness
The BIG-IP Edge Client provides a location-awareness feature. Using location awareness, the client connects automatically only when it is not on a specified network. The administrator specifies the networks that are considered in-network, by adding DNS suffixes to the connectivity profile. With a location-aware client enabled, a user with a corporate laptop can go from a corporate office, with a secured wireless or wired network connection, to an offsite location with a public wireless network connection, and maintain a seamless connection to allowed corporate resources. Network location-awareness can be triggered to run because of various reasons, such as IP changes and network interfaces starting up or shutting down. In reconnect mode, Edge Client might briefly establish a VPN tunnel before the network location-awareness feature can disconnect it. The Edge Client matches DNS suffixes reported by the system API to detect network location.
During a network switch, such as changing Wifi connections, Edge Client with network location-awareness must detect whether the new connection is local or remote. During this detection timeframe, there is a brief amount of time that Edge Client does not block certain external websites and can be reachable during the network switch.
About Edge Client automatic reconnection
BIG-IP Edge Client provides an automatic reconnection feature. Thisfeature attempts to automatically reconnect the client system to corporate network resources whenever the client connection drops or ends prematurely.
Configuring a connectivity profile for Edge Client for macOS
Update the connectivity profile in your Network Access configuration to configure security settings, servers, and location-awareness for BIG-IP Edge Client for macOS.
On the Main tab, click
.Access
Connectivity / VPN
Connectivity
Profiles
A list of connectivity profiles displays.
Select the connectivity profile that you want to update and click
Edit Profile
.The Edit Connectivity Profile popup screen opens and displays General Settings.
From the left pane of the popup screen, select
Win/Mac Edge Client
.Edge Client settings for Mac and Windows-based systems display in the right pane.
Retain the default (selected) or clear the
Save Servers Upon Exit
check box.Specifies whether Edge Client maintains a list of recently used user-entered APM servers. Edge Client always lists the servers that are defined in the connectivity profile, and sorts them by most recent access, whether this option is selected or not.
To enable the client to launch an administrator-defined script on session termination, select
Run session log off script
check box. The administrator specifies parameters which are passed by Edge Client to the script file. These parameters are defined by the session variablesession.edgeclient.scripting.logoff.params
. The client retrieves parameters from BIG-IP after session establishment. The administrator has the flexibility to set up variable values according to policy branching. Each time the Edge Client closes an APM session, the configured script is invoked. On macOS, the script is located at/Library/Application Support/F5Networks/EdgeClient/Scripting/onSessionTermination.bat
.The
Run session log off script
check box is cleared by default.To enable the client to display a warning before launching the pre-defined script on session termination, select
Show warning to user before launching script
check box.This is selected by default.
To support automatic reconnection without the need to provide credentials again, allow password caching.
Select the
Allow Password Caching
check box.This check box is cleared by default.
The remaining settings on the screen become available.
To require device authentication to unlock the saved password, select
Require Device Authentication.
This option links the option to use a saved password to a device authentication method. Supported device authentication methods include PIN, passphrase, and biometric (fingerprint) authentication on iOS and Android. Android devices also support pattern unlocking.
From the
Save Password Method
list, selectdisk
ormemory
.If you select
disk
, Edge Client caches the user's password (in encrypted form) securely on the disk where it is persisted even after the system is restarted or Edge Client is restarted.If you select
memory
, Edge Client caches the user's password within the BIG-IP Edge Client application for automatic reconnection purposes.If you select
memory
, thePassword Cache Expiration (minutes)
field displays with a default value of 240.If the
field displays, retain the default value or type the number of minutes to save the password in memory.Password Cache Expiration (minutes)
To enable automatic download and update of client packages, from the
Component Update
list, selectyes
(default).If you select
yes
, APM updates Edge Client software automatically on the client system when newer versions are available.Specify the list of APM servers to provide when the client connects.
The servers you add here display as connection options in the BIG-IP Edge Client.
Users can select from these servers or they can type a hostname.
From the left pane of the popup screen, select
Server List
.A table displays in the right pane.
Click
Add
.A table row becomes available for update.
You must type a host name in the
Host Name
field.Typing an alias in the
Alias
field is optional.Click
Update
.The new row is added at the top of the table.
Continue to add servers, and when you are done, click
OK
.
Specify DNS suffixes that are considered to be in the local network.
Providing a list of DNS suffixes for the download package enables Edge Client to support the autoconnect option. With
Auto-Connect
selected, Edge Client uses the DNS suffixes to automatically connect when a client is not on the local network (not on the list) and automatically disconnect when the client is on the local network.From the left pane of the popup screen, select
Location DNS List
.Location DNS list information is displayed in the right pane.
Click
Add
.An update row becomes available.
Type a name and click
Update
.Type a DNS suffix that conforms to the rules specified for the local network.
The new row displays at the top of the table.
Continue to add DNS names and when you are done, click
OK
.
Click
OK
.The popup screen closes, and the Connectivity Profile List displays.
Customizing a downloadable client package for Mac
Customize a Mac client package for a connectivity profile to specify whether to launch BIG-IP Edge Client after a user logs in to the Mac.
On the Main tab, click
.Access
Connectivity / VPN
Connectivity
Profiles
A list of connectivity profiles displays.
Select a connectivity profile.
Click the arrow on the
Customize Package
button and selectMac
.The Customize Mac Client Package screen displays.
Retain the selection or clear the
Auto launch BIG-IP Edge Client after User Log In
check box.Click Download.
The customized package,
BIGIPMacEdgeClient.zip
, is downloaded to your client. It is available for you to distribute.
If you plan to distribute Mac client packages to your users and you customize multiple Mac client packages (for different connectivity profiles), you need to rename or otherwise organize the packages. Otherwise, your download location contains packages named BIGIPMacEdgeClient.zip BIGIPMacEdgeClient.zip(1)
Downloading the ZIP file for Edge Client for Mac
You can download a Mac Client package and distribute it to clients.
On the Main tab, click
.Access
Connectivity / VPN
Connectivity
Profiles
A list of connectivity profiles displays.
Select a connectivity profile.
Click the arrow on the
Customize Package
button and selectMac
.The Customize Mac Client Package screen displays.
Click
.Download
The screen closes and the package,
BIGIPMacEdgeClient.zip
, downloads.
The ZIP file includes a Mac installer package (PKG) file and configuration settings.
Specifying applications to start on a Mac
The launch application feature specifies a client application that starts when the client begins a Network Access session. You can use this feature when you have remote clients who routinely use Network Access to connect to an application server, such as a mail server.
On the Main tab, click
.Access
Connectivity / VPN
Network Access (VPN)
Network Access Lists
The Network Access Lists screen opens.
In the Name column, click the name of the network access resource you want to edit.
To configure applications to start for clients that establish a Network Access connection with this resource, click
Launch Applications
on the menu bar.Click
Add
to add an application list.In the
Application Path
field, typeopen
.In the
Parameters
field, type a parameter.For example, type
-a/Applications/ie.app http://www.f5.com
.From the
Operating System
list, selectMac
.Click
Finished
to add the configuration.
Now when remote users with assigned resources make a Network Access connection, the application you configured starts automatically.
Editing the log level for Edge Client on Mac
You can edit log settings in the configuration file on Mac systems.
In the
~/Library/F5Networks.
directory, open thef5networks.conf
file.Edit the settings to change the log level.
For debugging purposes, set the values to 48.
About connection options on Edge Client for Mac
BIG-IP® Edge Client® for Mac user interface displays these connection options.
Auto-Connect
Starts a secure access connection as it is needed. This option uses the DNS suffix information defined in the connectivity profile to determine when the computer is on a defined local network. When the computer is not on a defined local network, the secure access connection starts. When the computer is on a local network, the client disconnects, but remains active in the system tray. This option does not display if DNS suffixes were not defined.
Connect
Starts and maintains a secure access connection at all times, regardless of the network location.
Disconnect
Stops an active secure access connection, and prevents the client from connecting again until a user clicks
Connect
orAuto-Connect
.
Overview: Always connected mode for macOS
BIG-IP Edge Client provides Always Connected mode for macOS. This feature allows you to specify that the client is always connected to the VPN, and allows you to configure exclusion addresses to grant connectivity when the VPN is not connected. The FWCTL service in always connected mode manages the connectivity. To configure and install Always Connected mode for macOS, you must create a config file for the exclusion list and prepare the Edge Client installation package for macOS.
About FWCTL service and exclusion list
macOS has a network Packet Filter (PF) firewall that is installed and disabled by default. FWCTL is the PF Firewall management service for macOS that is bundled and installed along with Edge Client installation. When the VPN is disconnected, the firewall becomes active, and the FWCTL service ensures that the user can only access the list of addresses in the whitelist. The FWCTL service is configured when the Edge Client installation package BIGIPMacEdgeClient.zip
Default firewall rules
The following default firewall rules are applied when the firewall is enabled. A static exclusion rule overrides these default rules.
Allow all incoming traffic
Block all outgoing traffic
Allow all traffic on the loopback interface
Allow all UDP traffic on port 68 for DHCP protocol
Allow all UDP and TCP traffic on port 53 for DNS protocol
Allow all traffic to captive portal probe destination configured on the system
APM virtual destinations are excluded
Static Exclusion List
The static exclusion list is an XML file in which you specify the destination hosts. All traffic is allowed to the destinations you add to the exclusion list. The config file must be named
f5fwctl.xml
and placed in the/Library/Application Support/F5Networks/
directory. The exclusion list supports the following data format.IPv4 or IPv6 address (preferred)
Hostname
HTTP or HTTPS URL
Port number may be included to the hostname, IP address and HTTP or HTTPS URL separated by ':' (colon)
An example entry is:
<ITEM>vpn.example.com</ITEM>
<ITEM>10.1.1.1</ITEM>
<ITEM>http://www.mydomain.com</ITEM>
When an IP address, Hostname or URL is specified, complete access to the endpoint is given, and requests can be sent to multiple ports on the server with the same IP address, whereas when a port is specified, access is given to only to that particular port.
Static exclusion list does not support subnet mask or network address.
Configured firewall settings
The following settings are configured to enable and disable the firewall rules.
Enable firewall when VPN is disconnected
Disable firewall when VPN is connected
Disable firewall when inside a corporate network
When firewall is enabled, only the FWCTL firewall rules are in effect. The static exclusion rule overrides the default firewall rules. Use
<FLUSH_RULES>false</FLUSH_RULES>
in thef5fwctl.xml
file to keep the connection alive. This option is TRUE by default.When firewall is disabled, the default firewall rules remain in effect.
Periodic re-evaluation of static exclusion list
The FWCTL service does a periodic re-evaluation of the static exclusion and APM server host lists, and updates the firewall rules in the following cases.
changes in the static exclusion list
changes in the APM server configuration file
network change event
When the IP address list is unchanged, the FWCTL service does not update the firewall rule.
The FWCTL service caches IP addresses for re-evaluation of exclusion and APM server host lists for the period of DNS TTL (time-to-live) or Maximum TTL - whichever is smaller. By default, maximum TTL is 30 minutes. The cache expires when the DNS server is changed. When the cache expires, the FWCTL service resolves IP addresses and updates the firewall rules if there is any change. When an IP address cannot be resolved, the FWCTL service builds the firewall rules using previously resolved addresses (if any). The FWCTL service retries unresolved hosts in a 15 seconds interval. The DNS TTL can be configured in the
f5fwctl.xml
file.
Network Location Awareness based on DNS Suffixes
The following options used for DISCONNECTED_VPN_TRAFFIC_OPTION
DISCONNECTED_VPN_TRAFFIC_OPTION | Behavior | Description |
---|---|---|
Block | Enable firewall irrespective of whether the user is in anenterprise or non-enterprise LAN. Any connectivity will be blocked until theuser establishes VPN. | |
1 | Allow | The firewall is not installed. The user can connect to theexternal networks even when VPN is not established. |
2 | AllowInLan | Disable firewall only in an enterprise LAN. The user canconnect to external networks in an enterprise LAN which is determined by theNLA configuration. If the user is not in enterprise LAN and if VPN is notestablished, the firewall will remain active. |
Any other value | Block | If any other value is set, it is ignored and will defaultto 0, blocking any connectivity until the user establishes VPN. |
No value set | Block | If no value is set, it will default to 0, blocking anyconnectivity until the user establishes VPN. |
Option missing | Block | If this option is missing, it will default to 0, blockingany connectivity until the user establishes VPN. |
About Edge Client Profile Options
The NLA feature is enabled when the option DISCONNECTED_VPN_TRAFFIC_OPTION 2
Edge Client profile with DNS suffixes for Always Connected NLA
The following is a sample Edge Client profile with DNS suffixes:
<?xml version="1.0" encoding="UTF-8"?> <PROFILE VERSION="2.0"> <ALWAYS_CONNECTED_MODE>YES</ALWAYS_CONNECTED_MODE> <DISCONNECTED_VPN_TRAFFIC_OPTION>3</DISCONNECTED_VPN_TRAFFIC_OPTION> <LOCATIONS> <CORPORATE> <DNSSUFFIX>domain1.com</DNSSUFFIX> </CORPORATE> <CORPORATE> <DNSSUFFIX>domain2.com</DNSSUFFIX> </CORPORATE> <CORPORATE> <DNSSUFFIX>*.domain2.com</DNSSUFFIX> </CORPORATE> </LOCATIONS> </PROFILE>
Creating a config file for FWCTL
Create an XML file for the FWCTL service.
Populate the exclusion list with an IP address, hostname, URL, FLUSH RULES and DNS TTL. Following is a sample config file:
<?xml version="1.0" encoding="UTF-8"?> <CLIENT_CONFIGURATOR> <STONEWALL_EXCLUSIONS> <ITEM>vpn.example.com</ITEM> <ITEM>10.1.1.1</ITEM> <ITEM>http://www.mydomain.com</ITEM> </STONEWALL_EXCLUSIONS> <DNS_TTL>30</DNS_TTL> <FLUSH_RULES>false</FLUSH_RULES> </CLIENT_CONFIGURATOR>
Name the config file
f5fwctl.xml
.Place the file in the
/Library/Application Support/F5Networks/
directory.
Installing Always On Edge Client on macOS
To configure and install Always Connected mode for macOS, you must create a config file for the exclusion list and prepare the Edge Client installation package for macOS.
Install the
APM client.iso
available from downloads.f5.com to the BIG-IP APM server.On the Main tab, click
.Access
Connectivity / VPN
Connectivity
Profiles
A list of connectivity profiles displays.
Select the connectivity profile that you want to update and click
Edit Profile
.The Edit Connectivity Profile popup screen opens and displays General Settings.
From the left pane of the popup screen, select
.Win/Mac Edge Client
Location DNS List
Add one or more DNS names for the Enterprise Network and click
OK
.Click the arrow on the
Customize Package
button and selectMac
.The Customize Mac Client Package screen displays.
Clear the
Auto launch BIG-IP Edge Client after User Log In
check box.Click Download.
The customized package,
BIGIPMacEdgeClient.zip
, is downloaded to your client.Extract the content of the zip file on a macOS system.
Place the config file
f5fwctl.xml
created for the exclusion list in the same location asmac_edgesvpn.pkg
file.Create
opt-fwctl
(an empty file - 'touch opt-fwctl'), and place it in the same locations asmac_edgesvpn.pkg
file.Double click the file
mac_edgesvpn.pkg
to install the Edge Client.
When Edge Client installation completed, the FWCTL application and the related files and modules are downloaded to the /Applications/BIG-IP Edge Client.app/Contents/Resources
Uninstalling Edge Client in Always Connected mode
To uninstall Edge Client installed in Always Connected mode, perform the following steps:
Dragging and dropping the Edge Client application to the trash for uninstalling is not supported in Always Connected mode.
Open the terminal application as an administrative user.
To start a privileged session, type the
sudo-i
command.When prompted, enter your administrator password.
To start the uninstallation script type the following command:
/Applications/BIG-IP\ Edge\ Client.app/Contents/Resources/uninstall.sh
When the uninstall of Edge Client completes, the FWCTL application and all related files and modules are removed from the system.
About Network Access features for Mac clients
Access Policy Manager (APM) supports all of the primary Network Access features for Mac clients, except for Drive Mappings and some endpoint security features.
For endpoint security support, refer to BIG-IP APM Client Compatibility Matrix http://support.f5.com/
For information about Network Access features, refer to BIG-IP Access Policy Manager: Network Access http://support.f5.com/
VPN component installation and log locations on a Mac
On Macintosh operating systems, the client installs the VPN components and writes VPN logs to the locations listed in the table.
VPN component | Location |
---|---|
Network Access plugin | /Library/Internet Plugins/ |
Endpoint Security (client checks) | ~/Library/Internet Plugins/ |
VPN logs are written to the following directory: ~/Library/Logs/F5Networks