BIG-IP Edge Client Operations Guide

Transcription

1 BIG-IP Edge Client Operations Guide A VPN Client that Manages and Secures Web Access With F5 BIG-IP Edge Client, organizations provide secure access and authentication to web and web-based applications. F5 BIG- IP Access Policy Manager (APM) proxies web applications, providing authentication, authorization, and endpoint inspection. Working together, they enhance secure access to webbased applications via step-up authentication.

2 CONTENTS Contents About This Guide 1 Before using this guide 1 Limits of this guide 1 Glossary 2 Customization 2 Issue escalation 2 Feedback and notifications 3 Configuration utility 3 Command-line syntax 3 Finding other documents 4 Introduction 5 VPN 5 Endpoint security checks 5 Using this guide 5 BIG-IP Edge Client VPN Lifecycle 7 Overview 7 Connecting to BIG-IP APM 11 The BIG-IP APM session lifecycle 13 Technical and reference information 17 Common Approaches to Configuring VPN 23 Client packaging options 23 Authentication options 28 Routing options 29 Proxy handling options 31 DNS and name resolution options 36 Configuration enforcement options 37 Deployment Options 40 Managed and unmanaged installations 40 Security Considerations 41 i

3 CONTENTS Frequently Asked Questions 44 What browsers are supported for endpoint inspection? 44 What app must be installed in order for endpoint inspection to work? 44 What permission-level is required to run endpoint checks? 44 Can any site perform endpoint inspection on client PCs? 45 Endpoint Inspection 46 HTTP 46 F5 inspectors 46 OPSWAT 50 Troubleshooting 55 Common installation errors 55 Commonly reported problems 56 How to collect troubleshooting data 58 Components 66 Optimizing the Support Experience 70 F5 technical support commitment 70 F5 certification 71 Self-help 72 F5 training programs and education 75 Engage F5 Support 75 Change List 86 Legal Notices 87 Trademarks 87 Patents 87 Notice 87 Publication Date 88 Copyright 88 ii

4 FIGURES Figures Figure 0.1: F5 documentation coverage 2 Figure 2.1: VPN lifecycle overview 8 Figure 2.2: VPN lifecycle 9 Figure 2.3 VPN lifecycle 10 Figure 2.4: Preparing traffic for transmission 20 iii

5 TABLES Tables Table 0.1 Command-line syntax 3 Table 2.1 Components that support the Component Update setting 14 Table 2.2 F5 VPN user authentication modes 15 Table 2.3 System configuration parameters 21 Table 3.1 BIG-IP APM connectivity profile settings 24 Table 3.2 BIG-IP Edge Client user interface settings 25 Table 3.3 BIG-IP Edge Client text settings 26 Table 3.4 BIG-IP Edge Client operation settings 26 Table 3.5 Browsers and applications that support proxy settings 31 Table 3.6 All BIG-IP Edge Client settings and parameters 33 Table 3.7 Tunnel configuraton process 37 Table 3.8 DNS and host settings 38 Table 4.1 Required permission-level to install BIG-IP Edge Client components 42 Table 5.1 Permission-level required to run endpoint checks 44 Table 6.1 Machine Info check variables 47 Table 6.2 Info check variables 49 Table 6.3 Server-side check variables 52 Table 6.4 Mobile Device Manager server-side check variables 53 Table 6.5 Checks that require a permission-level other than user 53 Table 7.1 BIG-IP Edge Client and logs 60 iv

6 TABLES Table 7.2 system log file locations 62 Table 7.3 system logs 63 Table 7.4 BIG-IP Edge Client application location 66 Table 7.5 Linux file names for the Endpoint Inspector app 68 Table 7.6 Linux file names for the F5 VPN app 69 v

7 ABOUT THIS GUIDE LimITS of this guide About This Guide The goal of this guide is to help F5 customers keep their BIG-IP system healthy, optimized, and performing as designed. It was written by F5 engineers who assist customers with solving complex problems every day. Some of these engineers were customers before joining F5, and their unique perspective and hands-on experience serves the guides F5 customers have requested. This guide describes common information technology procedures, as well as those which are exclusive to BIG-IP systems. There may be procedures particular to your industry or business that are not identified. While F5 recommends the procedures outlined in this guide, they are intended to supplement your existing operations requirements and industry standards. F5 suggests that you read and consider the information provided to find the procedures to suit your implementation, change-management process, and business-operations requirements. Doing so can result in higher productivity and fewer unscheduled interruptions. Refer to Feedback and notifications for information on how to help improve future versions of the guide. Before using this guide To get the most out of this guide, first complete the following steps, as appropriate to your implementation: Install your F5 platform according to its requirements and recommendations. Search the AskF5 (support. f5.com) for platform guide to find the appropriate guide. Follow the general environmental guidelines in the hardware platform guide to make sure of proper placement, airflow, and cooling. Set recommended operating thresholds for your industry, accounting for predictable changes in load. For assistance contact F5 Professional Services (f5.com/support/professional-services). Familiarize yourself with F5 technology concepts and reviewed and applied appropriate recommendations from F5 BIG-IP TMOS: Operations Guide. Limits of this guide This guide does not focus on installation, setup, or configuration of your BIG-IP system or modules. There is a wealth of documentation covering these areas in AskF5 (support.f5.com) The F5 self-help community, DevCentral (devcentral.f5.com), is also a good place to find answers about initial deployment and configuration. The following figure shows where the F5 operations guides can best be applied in the product life cycle. 1

8 ABOUT THIS GUIDE ISSUE escalation Figure 0.1: F5 documentation coverage Glossary A glossary is not included in this guide. Instead, the Glossary and Terms page (f5.com/glossary) offers an up-todate and complete listing and explanation of common industry and F5-specific terms. Customization Customization may benefit your implementation. You can get help with customization from a subject matter expert, such as a professional services consultant, from F5 Consulting Services (f5.com/support/professional-services). Issue escalation Refer to Optimizing the Support Experience for issue escalation information. If you have an F5 websupport contract, you can open a support case by clicking Open a support case on AskF5 (support.f5.com) 2

9 ABOUT THIS GUIDE CommAND-LINE syntax Feedback and notifications F5 frequently updates the operations guides and new guides may be released as needed. If you would like to be notified when new or updated content is available, or if you have feedback, corrections, or suggestions to improve this guide, Configuration utility The BIG-IP Configuration utility is the name of the graphic user interface (GUI) of the BIG-IP system and its modules. It is a browser-based application you can use to install, configure, and monitor your BIG-IP system. For more information about the Configuration utility, refer to Introducing BIG-IP Systems in BIG-IP Systems: Getting Started Guide. Command-line syntax We show command line input and output in courier font. The corresponding prompt is not included. For example, the following command shows the configuration of the specified pool name: tmsh show /ltm pool my _ pool The following table explains additional special conventions used in command-line syntax: Table 0.1 Command-line syntax Character Description Identifies a user-defined variable parameter. For <> example, if the command has <your name>, type in your name but do not include the brackets. [] Indicates that syntax inside the brackets is optional.... Indicates that you can type a series of items. TMOS Shell syntax The BIG-IP system includes a utility known as the TMOS Shell (tmsh) that you can use to configure and manage the system at the command line. Using tmsh, you can configure system features and set up network elements. You can also configure the BIG-IP system to manage local and global traffic passing through the system and view statistics and system performance data. You can run tmsh and issue commands in the following ways: You can issue a single tmsh command at the BIG-IP system command line using the following syntax: tmsh [command] [module... module] [component] (options) You can open tmsh by typing tmsh at the BIG-IP system command line: (tmsh)# 3

10 ABOUT THIS GUIDE FINDING other documents Once at the tmsh prompt, you can issue the same command syntax, leaving off tmsh at the beginning. Note You can use the command line utilities directly on the BIG-IP system console, or you can run commands using a remote shell, such as the SSH client or a Telnet client. For more information about command line utilities, refer to the Traffic Management Shell (tmsh) Reference Guide. Finding other documents For information about how to locate F5 product guides, refer to AskF5 article: K : Finding product documentation on AskF5. 4

11 INTRODUCTION USING this guide Introduction This guide covers the operation of F5 Virtual Private Network (VPN) clients and endpoint security (EPS) clients on the,, and Linux operating systems. The intended audience is network engineers responsible for the day-to-day administration of F5 BIG-IP Access Policy Manager (APM) Network Access. VPN The F5 BIG-IP Edge Client and F5 Access apps are remote access software designed to work with BIG-IP APM. They provide VPN access ( Network Access ) and are available as stand-alone client packages that require minimal configuration. The BIG-IP Edge Client is available for - and -based PCs. You can also make Network Access VPN connections from desktop client computers using a web browser and F5 Access apps. These solutions are available for,, ChromeOS, Apple ios, Android, and Intelbased Linux PCs. Web-based VPN access operates in a similar way to the BIG-IP Edge Client. For mobile platforms, the F5 Access app is available for Android, Apple, Microsoft, and ChromeOS. F5 Access is not discussed in this guide. Endpoint security checks In addition to remote access, client security is also an important part of most deployments. BIG-IP APM has an EPS client that transmits the client PC s security posture information to the BIG-IP APM server. BIG-IP APM administrators can use this information to make authentication, authorization, and access control decisions. For example, an administrator can check for certain patches or antivirus (AV) software and deny VPN access unless this condition is satisfied. You can also use the EPS client with other non-vpn remote access methods, such as providing web application access based upon security information from web access management, when you combine F5 BIG-IP Local Traffic Manager (LTM) and BIG-IP APM. For more information about BIG-IP APM, refer to the AskF5 BIG-IP APM Knowledge Center or F5 BIG-IP Access Policy Management Operations Guide. Note For information about how to locate F5 product guides, refer to the Ask F5 article: K : Finding product documentation on AskF5. Using this guide This guide is divided into the chapters below. BIG-IP Edge Client VPN Lifecycle To establish a VPN connection, the client goes through several stages, including captive portal checks, autoupdate checks, establishing an authenticated BIG-IP APM session, establishing control channel link, a datatransport Point-to-Point Protocol (PPP) link, routing updates, and optional proxy and Domain Name Servers (DNS) interception. The chapter discusses the process and architecture. 5

12 INTRODUCTION USING this guide Common Approaches to Configuring VPN This chapter describes common VPN use cases for BIG-IP APM and configurable VPN-related resources and settings, including client packaging, authentication, routing, DNS handling, and proxy handling. If you are not familiar with the options available, you ll find these ideas about client configuration helpful. Deployment Options This chapter describes different ways to deploy BIG-IP APM VPN clients on users desktops, their configuration settings, client customization, and other specifics. Frequently Asked Questions This chapter provides answers to the top few most frequently asked questions of F5 Technical Support. Endpoint Checks This chapter discusses the operation and architecture of BIG-IP APM endpoint inspection applications. BIG-IP APM has many different types of endpoint checks. Some are developed in-house at F5 and some are third-party products bundled with BIG-IP APM. Troubleshooting This chapter contains information that assists in diagnosing and investigating BIG-IP Edge Client connectivity problems or unexpected operation. It is broken into several sections that include client-side for and systems, as well as server-side for the BIG-IP APM system. 6

13 BIG-IP EDGE CLIENT VPN LIFECYCLE OVERVIEw BIG-IP Edge Client VPN Lifecycle Overview The F5 BIG-IP Edge Client is a Virtual Private Network (VPN) client; its purpose is to establish and maintain a VPN tunnel. Because parts of the BIG-IP Edge Client run in a non-linear and asynchronous fashion, the exact steps the BIG-IP Edge Client takes to create a VPN tunnel vary depending on your configuration and client state. That said, the BIG-IP Edge Client always completes the following phases: 1. Detect that the client should connect, either manually or automatically. 2. Detect captive portal. 3. Retrieve the connectivity profile configuration from F5 BIG-IP Access Policy Manager (APM) (also called the pre-config phase). 4. Update certain components and validate cryptographic signatures of critical BIG-IP Edge Client software components. 5. Retrieve the BIG-IP APM login page to determine a session ID to use and the Logon mode. 6. Completes the log-in process by using the session ID to access BIG-IP APM and move the session to Allowed state. This process ends with a redirect to the Full or Network Access webtop to obtain the Network Access resource information. At the same time, the BIG-IP Edge Client typically opens a web browser that presents log-in fields to the user and executes client inspection checks. If the system has recurring endpoint security checks configured, the client PolicyServer component continues to run and execute the checks. 7. Issue an HTTP transaction with the name of the Network Access resource, to start-up the server side of the tunnel. 8. Perform a second pass of BIG-IP Edge Client component updates, if configured. 9. Connect the Network Driver Interface Specification Wide Area Network (NDISWAN) VPN driver to TunnelServer using loopback for Point-to-Point Protocol (PPP) data. 10. Have Routing and Remote Access service (RRAS) negotiate the remainder of the connection using PPP and Link Control Protocol (LCP). 11. Perform post-connection actions as configured using the host component, such as routing, (Domain Name System) DNS, and proxy. 7

14 BIG-IP EDGE CLIENT VPN LIFECYCLE OVERVIEw Disconnected Pre-Connection BIG-IP APM Session Tunnel Creation Post-Tunnel Connected Figure 2.1: VPN lifecycle overview During the lifecycle of a VPN connection, the BIG-IP Edge Client client establishes and maintains three types of sessions with BIG-IP APM VPN server, which are the first three items in the following list. Each of these sessions has its own subsequent lifecycle, and goes into connected and disconnected states based on various events. The VPN tunnel consists of the following elements: 1. Authenticated BIG-IP APM session Created when a user successfully authenticates to the BIG-IP APM and terminated when one of the following happens: a user explicitly logs out, a timeout occurs based on configuration, or the BIG-IP Edge Client experiences an error that requires session termination. 2. PPP link Created during the establishment of a VPN connection, and used to encapsulate and transport traffic for the client computer. 3. Optimized application link Consists of a control channel and zero or more F5 isession links used to encapsulate and transport administrator-specified traffic. Only and clients support optimized applications links. 4. Encrypted tunnel Is the sum of the three previously described sessions and maintained when a VPN connection is active. The PPP and isession links may shut down and restart multiple times during an authenticated BIG-IP APM session. Based on the states of the three previously described sessions, the BIG-IP Edge Client is in one of the following states: Session disconnected Occurs before a user takes an action to establish a BIG-IP APM session or the BIG-IP Edge Client starts Auto Connect mode. Session connected Occurs after a user successfully authenticates to the BIG-IP APM VPN server, and the BIG-IP Edge Client receives a secure, encrypted identifier from the server, referred to as the BIG-IPM APM session ID. Link established Occurs when the BIG-IP Edge Client establishes a PPP link to the server by exchanging several PPP messages which enable it to receive an IP address from the server leasepool, create a virtual network adapter, and assign the address to the adapter. systems use a virtual dial-up adapter, whereas and Linux systems use a tun adapter. Tunnel connected Occurs when BIG-IP Edge Client creates an encrypted tunnel to the BIG-IP APM server and starts routing client traffic through the tunnel. Refer to the following figures for more information about BIG-IP Edge Client states and the transitions between states. 8

15 BIG-IP EDGE CLIENT VPN LIFECYCLE OVERVIEw Pre-Connection Edge Client Start Client Modes Disconnected Always Connected Auto-Connect Traffic Flow (VPN Disconnected) Block: Turn on IP engine Allow: Turn off IP engine Allow-Only-In-Enterprise-LAN: Turn on IP engine Captive Portal Detection Connect Mode User State: Downloading Server Settings Actions: Download pre-configuration Verify client component versions Download and merge server list Component Update BIG-IP APM Session Connect to BIG-IP APM User State: Retrieving Information Actions: Redirect to webtop Select first Network Asset Resource from list Connect to BIG-IP APM User State: Retrieving Information Actions: Retrieve Network Access Resource properties Policy Server Actions: Run client-side checks Run OPSWAT inspection Run recurring checks (if configured) Connect Mode Open embedded browser control Evaluate access policy OPSWAT Update Component Update Tunnel Creation TunnelServerX Actions: Start TunnelServer process Open TCP listener for F5 VPN connection Start Tunnel Creation (HOST) User State: Opening Actions: HOST control starts DIALER & TunnelServerX Connect to DNS Replay Proxy service (if running) Initialize Tunnel Components User State: Initializing Actions: Initialize control components TunnelServer Actions: Create secure control channel with BIG-IP APM DIALER Component Actions: Create RAS phonebook entry Initialize and connects to RAS Microsoft RAS User State: Opened Actions: Initialize F5 VPN Driver (condis WAN Mini-port) Microsoft RAS User State: Logging in to Network Actions: PPP NCP negotiation Microsoft RAS User State: Authenticating Actions: PPP LCP configuration Microsoft RAS User State: Device Connected Actions: Connect to TunnelServer process Routing Table (DIALER) User State: Finalizing Actions: Routing table modifications (Full- and split-tunnel modes) Proxy (DIALER) User State: Finalizing Actions: Detect and merge proxy and proxy autoconfiguration Set PAC URL by file or local HTTP server TunnelServer (Local HTTP) Actions: PAC file in a local HTTP server Post-Tunnel Figure 2.2: VPN lifecycle Post-Tunnel (DIALER) User State: Finalizing Actions: Execute drive mapping Launch application Reconnect to domain VPN Tunnel User State: Connected 9

16 BIG-IP EDGE CLIENT VPN LIFECYCLE OVERVIEw Pre-Connection Edge Client Start Client Modes Disconnected Always Connected Auto-Connect Connectivity Detection/ Captive Portal Connect Mode User State: Downloading Server Settings Actions: Download preconfiguration Verify client component versions Download and merge server list Component Update BIG-IP APM Session BIG-IP APM User State: Connecting Actions: Redirect to webtop Select first Network Access Resource from list Policy Server Actions: Execute client-side checks Execute OPSWAT inspection Execute recurring checks (if option is configured) OPSWAT Update BIG-IP APM User State: Session Established. If credentials are required, Connecting: Your attention is required displays Actions: Open embedded browser control Evaluate access policy Tunnel Creation TunnelServer (SVPN) User State: Connecting Actions: Retrieve Network Access Resource properties Tunnel Interface (SVPN) User State: Connecting Actions: Start utun device TunnelServer (SVPN)- PPP Tunnel User State: Connecting Actions: Tunnel setup via PPP, LCP, & NCP Configure utun device Proxy (SVPN) User State: Connecting Actions: Detect and merge proxy & proxy autoconfiguration Set PAC URL by file or local HTTP server DNS (SVPN) User State: Connecting Actions: Patch DNS subsystem TunnelServer (SVPN Local HTTP Server) Actions: PAC file in a local HTTP server Routing Table (SVPN) User State: Connecting Actions: Routing table modifications (Full or split tunnel mode) Post-Tunnel Post-Tunnel (SVPN) User State: Connecting Actions: Launch application(s) VPN Tunnel User State: Connected Figure 2.3 VPN lifecycle 10

17 BIG-IP EDGE CLIENT VPN LIFECYCLE CONNECTING to BIG-IP APM Connecting to BIG-IP APM The BIG-IP Edge Client passes through several phases before it connects to a VPN tunnel. Connected mode detection You configure the BIG-IP Edge Client to operate in one of three connection modes: Always Connect, Manually Connect, or Auto Connect. In Auto Connect mode, the client detects if it should connect by examining Local Area Network (LAN) parameters provided by local servers. The exact mechanism the client uses to determine if a network is on the enterprise network differs by operating system. On the system, the BIG-IP Edge Client uses the following methods to match a network with a configured Location DNS Name. DNS suffix match Matches a DNS suffix obtained through Dynamic Host Configuration Protocol (DHCP) with a configured DNS name. Domain controller reachability Tries to reach the domain controller for the configured Location DNS Name when a client is not connected to VPN. On the system, the BIG-IP Edge Client only uses the DNS suffix match method. Linux Linux is not supported. Captive portal detection Detection mechanism Captive portal systems are commonly used by hotels, restaurants, airports, and similar facilities to enable monitoring, the display of End User License Agreements (EULA), and payment from connecting clients. Most captive portals hijack the user s web browsing session by returning spoofed DNS responses to legitimate queries. The BIG-IP Edge Client captive portal detection feature detects captive portal when it encounters one of the following events: When it doesn t get the expected response during initial connection to the BIG-IP APM On any network state change On tunnel disconnect 11

18 BIG-IP EDGE CLIENT VPN LIFECYCLE CONNECTING to BIG-IP APM To detect if a user s network is under a captive portal, the BIG-IP Edge Client sends an HTTP request to a known probe URL, and compares the returned content with some known content. If the request succeeds but the content does not match, the BIG-IP Edge Client concludes that a captive portal is actively redirecting requests and the user s network is held in a captive portal. On, the BIG-IP Edge Client uses a native captive portal detection mechanism. In the event that the mechanism fails to detect a captive portal, the BIG-IP Edge Client falls back to using the F5 default probe URL for detection. On the system, the BIG-IP Edge Client uses the probe URL only as a fallback option. When the BIG-IP Edge Client detects captive portal using the F5 default probe URL, it makes another query to the probe URL to confirm the user s network is under captive portal. If it is, in most cases, the Machintosh system s captive portal dialog box displays. Users are unlikely to see the BIG-IP Edge Client s internal dialog box. Default probe URL for captive portal detection The default probe URL on both the and systems is: You can only override the default probe URL on ; you override it with an alternative value. In most cases, you won t be required to. To do so, modify the following registry entries, under the following hive: HKEY _ LOCAL _ MACHINE\SOFTWARE\F5 Networks\RemoteAccess ActiveWebProbeHost The default value is cdn.f5.com. ActiveWebProbePath The default value is product/avail.txt. ActiveWebProbeContent The default value is avail\n. Integrated captive portal resolution The BIG-IP Edge Client for both the and systems has an integrated web rendering engine that resolves captive portal by launching an authentication page. 12

19 BIG-IP EDGE CLIENT VPN LIFECYCLE THE BIG-IP APM session lifecycle On, when captive portal is detected, the BIG-IP Edge Client restores the routing table and displays the captive portal authentication page. uses an Internet Explorer WebBrowser control to render the page. During this time, the BIG-IP Edge Client continuously monitors the probe URL. Every time the user updates the authentication page, the BIG-IP Edge Client probes the captive URL to determine if the user has a valid captive portal session. After the user successfully authenticates, the probe URL check succeeds and the browser closes. On the system, when captive portal is detected, the BIG-IP Edge Client checks whether the captive portal authentication page is open. uses WebKit to render the page. If it is not open, the BIG-IP Edge Client displays its own page. As on, every time the user updates the authentication page, the BIG-IP Edge Client probes the captive URL to determine if the user has a valid captive portal session. After the user successfully authenticates to the captive portal, the BIG-IP Edge Client closes the page. Pre-configuration The BIG-IP APM system enables clients to identify properties of the VPN server, including versions of the components available for client endpoints. The following URL is available on any BIG-IP virtual server that has a connectivity profile associated with it. /pre/config.php?version=2.0 Updates and signature validation The BIG-IP Edge Client has a security feature that validates the cryptographic signatures of critical client-side components before use to prevent accidental or intentional tampering. The BIG-IP Edge Client completes these validation checks before each VPN connection. The BIG-IP APM session lifecycle The BIG-IP Edge Client and BIG-IP APM must exchange multiple HTTP messages to establish an authenticated session. The number of messages depends on the configuration of the BIG-IP APM access policy. Typically, these messages fulfill the following functions: Client auto-update Detecting the version of client components and updating them Endpoint checks Providing client endpoint information to the server User authentication Proving that the client has permission to access to the system 13

20 BIG-IP EDGE CLIENT VPN LIFECYCLE THE BIG-IP APM session lifecycle Client auto-update After entering Connected mode, and immediately prior to creating a BIG-IP APM session, the BIG-IP Edge Client fetches version numbers of client components on the target server at the following BIG-IP APM URI: /pre/config.php?version=2.0 The BIG-IP Edge Client compares the local component versions with the BIG-IP APM versions, and (optionally) updates the client if a newer version is available. This update behavior is controlled by the Component Update setting in the BIG-IP Edge Client configuration file. BIG-IP APM generates a BIG-IP Edge Client installer package, based on its connectivity profile, that includes this setting. The following are valid options for the setting: Yes Update the client components No Do not update the client components Prompt Prompt the user to update the client components Important The Component Update setting is inside of the BIG-IP Edge Client install package. After installing the BIG-IP Edge Client, the setting cannot be updated unless the BIG-IP Edge Client is reinstalled with the new setting. When you change this setting on the BIG-IP APM server, the BIG-IP Edge Client does not automatically detect and use the new setting. The components in the following table have the Component Update setting. Table 2.1 Components that support the Component Update setting BIG-IP Edge Client for BIG-IP Edge Client COM API InstallerControl Component installer DNS Relay Proxy Traffic Control Credential Manager Edge Client application SVPN TunnelServer Other components including ActiveX components, such as Host Control, InspectionHost, and SuperHost are updated automatically regardless of the Component Update setting. Note Clients that use Simple Logon mode, as explained in the following section, do not support autoupdate. 14

21 BIG-IP EDGE CLIENT VPN LIFECYCLE THE BIG-IP APM session lifecycle User Authentication The BIG-IP APM system authenticates clients using one of the following Logon modes. The BIG-IP Edge Client selects the mode automatically (F5 Access VPN client users must manually select a mode). Simple Logon mode Used by VPN clients that can t render HTML pages (or when HTML is not desired). This mode only supports username and password authentication, with optional client certificate-based authentication. Web Logon mode Used by VPN clients that can render HTML pages and support all the advanced authentication methods BIG-IP APM offers, including Security Assertion Markup Language (SAML) and OAuth 2, which provides secure delegated access to third-party clients. This mode also provides endpoint checks for supported client platforms. When clients use Web Logon mode, the operating system uses the web browser specific to its platform to render the login page. uses the WebBrowser control to create the page, while, Android, and other operating systems use WebKit. Table 2.2 F5 VPN user authentication modes F5 VPN client Web Logon mode Web Logon mode with endpoint checks Simple Logon mode BIG-IP Edge Client Yes Yes Yes F5 Access for No No Yes F5 Access for Android Yes No Yes F5 Access for ios Yes No Yes F5 Access for ChromeOS Yes No Yes SDK Yes Yes Yes Linux CLI No No Yes VPN helper apps (browserbased VPN) for, and Linux Yes Yes Not applicable 15

22 BIG-IP EDGE CLIENT VPN LIFECYCLE THE BIG-IP APM session lifecycle Reasons for terminating a session BIG-IP APM terminates a session for one of following reasons: Manual termination The user explicitly terminates the session by logging out or clicking Disconnect on the BIG-IP Edge Client page. A BIG-IP APM administrator can also terminate a session from the BIG-IP APM administration user interface. Configurable session timeouts One of the following two server settings forces a session to terminate: inactivity_timeout Sets the duration for which a session remains active while the traffic flowing between the client and server is below a given threshold. max_session_timeout Determines the maximum time a session is valid, starting from session creation. You configure this setting in the access profile. This setting is used to force users to reauthenticate. Hard-coded session timeouts One of the following built-in timeouts forces a session to terminate: Transmission Control Protocol (TCP) reconnect timeout The maximum amount of time the BIG-IP Edge Client can attempt to reconnect a VPN tunnel using a valid session. The period is hard-coded to 15 minutes. Control channel connection timeout Device posture information timeout When an access policy requires continuous client-side checks, and the server does not get updated posture information from the client for five minutes. Client device posture change When an access policy requires continuous checks, and the client device posture based on those checks changes, the BIG-IP Edge Client terminates the session. Network location change When the BIG-IP Edge Client has the Network Location Awareness setting configured, and the user joins a network that is part of the enterprise network, it terminates the session. Note The Network Location Awareness setting enables the BIG-IP Edge Client to automatically establish and terminate a VPN and BIG-IP APM session when it detects that it is connected to a specified network. The network is specified using a DNS suffix in the DNS name setting of the BIG-IP APM connectivity profile. For more information, see Configuration Guide for BIG-IP Access Policy Manager for your system version. For information about how to locate F5 product guides, refer to the Ask F5 article: K : Finding product documentation on AskF5. Viewing the session termination reason In most cases, BIG-IP APM logs the reason for session termination. However, both BIG-IP APM and the BIG-IP Edge Client can initiate the termination. F5 recommends that you review the logs for both at the same time, because when the BIG-IP Edge Client terminates a session, the BIG-IP APM doesn t necessarily know the cause. Note When the BIG-IP Edge Client terminates a session because it can t reach BIG-IP APM, you must inspect the BIG-IP Edge Client logs for a detailed reason, because BIG-IP APM simply logs the incident as a generic error. 16

23 BIG-IP EDGE CLIENT VPN LIFECYCLE TECHNICAL and reference information Technical and reference information VPN tunnel devices On the client-side, the BIG-IP Edge Client installs a PPP pseudo-interface driver. At tunnel establishment time, the BIG-IP Edge Client opens PPP interfaces. The BIG-IP Edge Client modifies the routing table on the client PC to route specified traffic over the VPN. The PPP adapter transports traffic using a loopback TCP connection to the local TunnelServer (on ) or svpn (on ), which then encapsulates it into PPP packets over Secure Sockets Layer () and Datagram Transport Layer Security (DTLS), and forwards it to BIG-IP APM. Note Sometimes AV programs incorrectly identify the loopback connection as malicious, which can cause the VPN to fail. On the server-side, BIG-IP APM uses the connectivity profile on the ingress virtual server to remove the PPP encapsulation from client IP/PPP packets and forwards the traffic to a virtual server. For more information about this process, refer to AskF5 articles: K : Overview of BIG-IP APM layered virtual servers and K11312: Creating network access with SSO capabilities. uses the RRAS subsystem to create and maintain the tunnel. The PPP driver (a condis driver) is responsible for encapsulating and removing encapsulation from PPP frames, and sending traffic to the network stack in the operating system. The BIG-IP Edge Client invokes the RRAS using the dial-up entry to configure the driver, initiate the adapter call, and configure the adapter with the IP address, protocol bindings, and other settings. and Linux and Linux systems use the utun subsystem or tun and tap subsystem to create and maintain the tunnel. and Linux clients have their own LCP and PPP implementation, whereas uses a embedded implementation. The VPN tunnel Establishing the link To establish the link to the VPN tunnel, peers send LCP frames to configure the link. In this phase, each peer negotiates communication options used to transport data. Some of these parameters include maximum receive unit (MRU), compression, and protocol ID. 17

24 BIG-IP EDGE CLIENT VPN LIFECYCLE TECHNICAL and reference information Authentication During the PPP authentication phase (optional), the BIG-IP Edge Client does not use traditional Internet Protocol Control Protocol (IPCP) authentication because all PPP and LCP communication happens inside an authenticated and secured HTTP connection. MRU calculations The BIG-IP Edge Client relies on the implementation of LCP to calculate MRU. and Linux The BIG-IP Edge Client uses the following formula to calculate MRU: } DesiredClientMRU = MIN(DEFAULT _ MTU, (InterfaceMTU f5overhead)) (where f5overhead is 64 bytes for IPv4/TCP, DEFAULT _ MTU is 1500) IntermediateValue = MIN(DesiredClientMRU, BIG-IP _ MRU) If (IntermediateValue < minumvaluewithoutipfragmentation) { If (DesiredClientMRU < minumvaluewithoutipfragmentation) { } else { } Use DesiredClientMRU as final value Use This calculation keeps fragmentation overhead low and allows Internet Protocol version 6 (IPv6) to work on networks where the physical maximum transmission unit (MTU) is very low, such as 1300 bytes. Configuring the protocol In this phase, Network Control Protocol (NCP) packets determine which protocols will be used across the PPP link. The client configures its IP address using NCP or Internet Protocol version 6 Control Protocol (IPv6CP). Note When a failure occurs during any of the setup phases, the PPP link disconnects. reports this as a remote access services (RAS) error. 18

25 BIG-IP EDGE CLIENT VPN LIFECYCLE TECHNICAL and reference information Maintaining the VPN session Keep-Alive On, the BIG-IP Edge Client primarily uses the built-in LCP to maintain the tunnel connection and ensure it reconnects the tunnel at the correct time. LCP has a mechanism similar to a ping utility that uses Echo Request and Echo Reply messages to ensure the connected peers can communicate. To do this, each PPP peer sends a Keep-Alive message in the form of an LCP Echo Request, expecting an Echo Reply shortly afterwards. When there are several consecutive misses, RRAS marks the PPP link down (unavailable) and the BIG-IP Edge Client attempts to reconnect. The reconnect messages are logged on both the client- and server-sides. Preparing traffic for transmission On, dialup entry receives the application IP payload and uses the NDIS driver framework to pump the packet to TunnelServer. On the Machintosh and Linux systems, the tun0 device sends this payload. 19

26 BIG-IP EDGE CLIENT VPN LIFECYCLE TECHNICAL and reference information PPP over SSL Client SSL Connection Application Data BIG-IP APM Application Data Application TCP F5 PPP GZIP (Optional) TCP IP Servers SSL TCP IP Tunnel Server F5 PPP Driver PPP over DTLS Client DTLS Connection Application Data BIG-IP APM Application Data Application TCP F5 PPP DTLS TCP IP Servers UDP IP Tunnel Server F5 PPP Driver Figure 2.4: Preparing traffic for transmission 20

27 BIG-IP EDGE CLIENT VPN LIFECYCLE TECHNICAL and reference information Monitoring system configuration parameters BIG-IP Edge Client continuously monitors and corrects system configuration parameters to ensure the VPN connection works correctly. Table 2.3 System configuration parameters Setting Linux DNS server and suffix Yes Yes Yes /etc/hosts Not applicable Yes Yes /etc/resolv.conf Not applicable Yes Yes Proxy server and port settings No No Not applicable Dial-Up Adapter Configuration Yes Not applicable Not applicable Proxy PAC file content No No Not applicable Proxy PAC file URL Yes Yes Not applicable Routing table (IPv6 and IPv4) Yes Yes Yes Timeouts While the tunnel is established, there are many network communication events that must happen for the tunnel to operate correctly. Some of these timers are configurable while others are not. These timers define tunnel behavior for various cases, such as regular operations, loss of network connectivity, and short network disconnects. The following list contains several important timeouts; however, it is not comprehensive: TunnelServer provides 65 second timers, in case DTLS tunnels are in use. When TunnelServer doesn t receive a reply from the server after 65 seconds, it disconnects the tunnel. The BIG-IP APM provides 30 seconds for tunnels to connect (TCP) by default. The BIG-IP APM instantly detects when TCP disconnects for most reasons, such as a TCP reset. Widows monitors the routing table every 500 miliseconds. The system checks the routing table and DNS subsystems every three seconds. The system detects changes to the proxy auto-config (PAC) file URL instantaneously. When a web browser is used as client on the system and you close the browser, TunnelServer quits within two minutes. 21

28 BIG-IP EDGE CLIENT VPN LIFECYCLE TECHNICAL and reference information Session reconnection logic On, when TunnelServer can t reach a server, it retries the connection for about 15 minutes. It also throttles the delay between subsequent connections, delaying a bit more with every retry. When the BIG-IP Edge Client encounters fatal errors, it informs the user. For example, a fatal error occurs when the system routing table changes mid-connection due to third-party software or network changes, and cannot be restored to the original VPN state. During a VPN session, clients are agnostic to any reachability issues that result from a proxy server change. On the and Linux systems, svpn tries to reconnect a VPN session, unless the user disconnects or another application tells it to stop. When the server is unreachable, every reconnection has a 30 second timeout. Terminating a session LCP is responsible for terminating a session. To do so, the client or server initiates the action by sending an LCP Terminate-Request and expects a Terminate-Ack (tunnel termination acknowledgment) from the other side in response. detects this change using RRAS, while the and Linux systems use Point-to-Point Protocol Daemon (PPPD). 22

29 COmmON APPROACHES TO CONFIGURING VPN CLIENT packaging options Common Approaches to Configuring VPN Each F5 BIG-IP Access Policy Manager (APM) site has unique VPN and authentication requirements for you to consider when configuring your site and making decisions about the many options available with BIG-IP APM. To assist you, this chapter describes common VPN use cases for BIG-IP APM and configurable VPN-related resource and packaging parameters. If you are not familiar with the options available, you ll find these ideas about client configuration helpful. Configuration options can be organized into the following general categories: client packaging, authentication, routing, DNS handling, and proxy handling. The sections in this chapter discuss these categories, rather than each individual configuration setting. Client packaging options F5 BIG-IP automatically assembles the and F5 BIG-IP Edge Client installation package from base component packages on your current BIG-IP system. After you select configuration options in the connectivity profile, you distribute the package to end-users. The components and options you select are included in a configuration file, config.f5c, inside the BIG-IP Edge Client package. During installation, this configuration file is applied to the client PC. This minimizes manual configuration by the user. For detailed information about component options, refer to the AskF5 articles: K14045: The BIG-IP Edge Client components for and K14947: The BIG-IP Edge Client components for Mac OS X. Packaging considerations The outer installer package is not signed with a code-signing certificate. However, all the inner individual components inside the package are signed. This is because BIG-IP assembles the outer client package dynamically, and F5 protects its code-signing key from distribution. Optionally, you can work around this by signing the customized BIG-IP Edge Client package with a code-signing certificate that your organization trusts. You select client packaging options in BIG-IP APM using the Customize Package setting in the connectivity profile settings. Client packaging options are volatile and not stored in BIG-IP except in the running configuration. Operations that reload the running configuration, such as upgrade, HA synchronization, and backup and restore, cause BIG-IP to lose the settings. F5 generally recommends that you do not include the Traffic Control Service, unless it is required by Always Connected mode or other options. Connectivity profile settings There are several connectivity profile settings. For example, BIG-IP Edge Client maintains a drop-down list (similar to bookmarks) of target servers to help users identify and connect to the appropriate server. The options in the target server list are a connectivity profile setting. 23

30 COmmON APPROACHES TO CONFIGURING VPN CLIENT packaging options Install-time settings You populate the target server list using a settings file that the BIG-IP Edge Client installer places on the user s system after installation. The installer places the file outside the user directory, typically in a system directory. You configure the target server list and several other install-time options in this file using the connectivity profile settings in BIG-IP APM. Runtime settings After installing the BIG-IP Edge Client, when users want to connect to a BIG-IP APM server that is not in the target server list, they can add a new server name or IP address. By doing so, users may connect to servers with different server lists and options than those provided by their installation settings. The servers that users add to their server list and those servers settings are merged into the runtime settings file stored in each user s home directory path. You configure these and other runtime settings in the connectivity profile settings in BIG-IP APM. Miscellaneous packaging options You configure the following options in the connectivity profile settings in BIG-IP APM: Table 3.1 BIG-IP APM connectivity profile settings Setting or parameter Description Operating system Setting type Enable when locked client is installed. Three options: Allow Allow Internet connectivity always. Enable Always Connected mode Block Block Internet connectivity when VPN is disconnected. Install-time Add virtual server list to Trusted Sites Auto launch after logon Auto launch BIG-IP Edge Client after user log in Exclusions list Allow-in-Enterprise-Only Allow Internet connectivity when VPN is disconnected in the corporate LAN. Virtual server list is added to the Trusted Sites database on the client-side. Client components that check the Trusted Sites list do not throw an extra prompt for these servers during session establishment. Install-time Launch BIG-IP Edge Client after user log in. Install-time Launch BIG-IP Edge Client after user log in. Install-time Contains servers that are allowed when the VPN is disconnected and Always Connected mode is enabled. Install-time 24

31 COmmON APPROACHES TO CONFIGURING VPN CLIENT packaging options Customization Many customers want the BIG-IP Edge Client to reflect corporate branding, and BIG-IP APM allows branding customization. You configure some settings in the connectivity profile settings and some on the page at this location: Access > Profiles/Policies > Customization > Quick Start/Basic (page location varies depending on your system version). For information about all customization settings, refer to BIG-IP Access Policy Manager: Customization for your system version. Note For information about how to locate F5 product guides, refer to the Ask F5 article: K : Finding product documentation on AskF5. Customizing user interface settings in the access profile Table 3.2 BIG-IP Edge Client user interface settings Setting or parameter Description Operating system Setting type Banner Color BIG-IP Edge Client displays this color in its banner. Install-time Banner Text BIG-IP Edge Client displays this text in the main window s banner. Install-time The BIG-IP Edge Client logo, which is displayed in its banner. This logo is NOT a tray icon. Logo The F5 logo displays on system applications like Program Files, and Finder and Spotlight. Install-time On, you can t change the logo in the Advanced pane of Security & Privacy preferences. Start menu shortcut icon You can change the Start menu shortcut icon to one other than the default F5 logo icon. Install-time Tray Icon Set BIG-IP Edge Client provides two tray icon sets: an F5 icon set and a generic icon set. The generic set provides generic icons for the system tray and its notifications. Install-time Notes When you change the settings in the previous table, you must redeploy BIG-IP Edge Client. Customized logos aren t displayed everywhere in the operating system. 25

32 COmmON APPROACHES TO CONFIGURING VPN CLIENT packaging options Customizing text settings in the access profile Table 3.3 BIG-IP Edge Client text settings Setting/parameter Description Operating system Setting type About link The link that displays on the About BIG-IP Edge Client page. Install-time About text The text that displays on the About BIG-IP Edge Client page. Install-time Application Name The title that displays at the top of all BIG-IP Edge Client windows. Install-time Customizing server-side settings in the connectivity profile These settings affect client operation. Table 3.4 BIG-IP Edge Client operation settings Setting/parameter Network access compression settings: Compression Buffer Size* Network access compression settings: gzip Compression Level* Network access compression settings: gzip Memory Level* Network access compression settings: gzip Window Size* Network access compression settings: CPU Saver* Save Servers Upon Exit Description TunnelServer uses this runtime buffer size to compress data. Specifies the rate of compression, or how aggressively data is compressed. The higher the level, the slower the compression, but data may be compressed more. The gzip compression module uses this memory size by default. More memory can yield better performance. F5 BIG-IP Local Traffic Manager (LTM) uses this number of kilobytes in window size when compressing a server response. Requires the system to monitor CPU usage and adjust compression rates automatically when the CPU reaches either CPU Saver High Threshold or CPU Saver Low Threshold. Specifies whether the BIG-IP Edge Client maintains a list of recently used BIG-IP APM servers. BIG-IP Edge Client always lists the servers defined in the connectivity profile; however, it also lists user-entered servers when this option is enabled. Operating system Linux Linux Linux Linux Linux Setting type Runtime Runtime Runtime Runtime Runtime Runtime 26