
BIG-IP Edge Client Operations Guide

A VPN Client that Manages and Secures Web Access

With F5® BIG-IP® Edge Client®, organizations provide secure access and authentication to web and web-based
applications. F5® BIG-IP® Access Policy Manager® (APM) proxies web applications, providing authentication,
authorization, and endpoint inspection. Working together, they enhance secure access to web-based applications
via step-up authentication.
CONTENTS—

Contents
About This Guide 1
Before using this guide 1

Limits of this guide 1

Glossary 2

Customization 2

Issue escalation 2

Feedback and notifications 3

Configuration utility 3

Command-line syntax 3

Finding other documents 4

Introduction 5
VPN 5

Endpoint security checks 5

Using this guide 5

BIG-IP Edge Client VPN Lifecycle 7


Overview 7

Connecting to BIG-IP APM 11

The BIG-IP APM session lifecycle 13

Technical and reference information 17

Common Approaches to Configuring VPN 23


Client packaging options 23

Authentication options 28

Routing options 29

Proxy handling options 31

DNS and name resolution options 36

Configuration enforcement options 37

Deployment Options 40
Managed and unmanaged installations 40

Security Considerations 41


Frequently Asked Questions 44


What browsers are supported for endpoint inspection? 44

What app must be installed in order for endpoint inspection to work? 44

What permission-level is required to run endpoint checks? 44

Can any site perform endpoint inspection on client PCs? 45

Endpoint Inspection 46
HTTP 46

F5 inspectors 46

OPSWAT 50

Troubleshooting 55
Common installation errors 55

Commonly reported problems 56

How to collect troubleshooting data 58

Components 66

Optimizing the Support Experience 70


F5 technical support commitment 70

F5 certification 71

Self-help 72

F5 training programs and education 75

Engage F5 Support 75

Change List 86

Legal Notices 87
Trademarks 87

Patents 87

Notice 87

Publication Date 88

Copyright 88


Figures
Figure 0.1: F5 documentation coverage 2

Figure 2.1: VPN lifecycle overview 8

Figure 2.2: Windows VPN lifecycle 9

Figure 2.3: Macintosh VPN lifecycle 10

Figure 2.4: Preparing traffic for transmission 20


Tables
Table 0.1 Command-line syntax 3

Table 2.1 Components that support the Component Update setting 14

Table 2.2 F5 VPN user authentication modes 15

Table 2.3 System configuration parameters 21

Table 3.1 BIG-IP APM connectivity profile settings 24

Table 3.2 BIG-IP Edge Client user interface settings 25

Table 3.3 BIG-IP Edge Client text settings 26

Table 3.4 BIG-IP Edge Client operation settings 26

Table 3.5 Browsers and applications that support proxy settings 31

Table 3.6 All BIG-IP Edge Client settings and parameters 33

Table 3.7 Tunnel configuration process 37

Table 3.8 DNS and host settings 38

Table 4.1 Required permission-level to install BIG-IP Edge Client components 42

Table 5.1 Permission-level required to run endpoint checks 44

Table 6.1 Machine Info check variables 47

Table 6.2 Windows Info check variables 49

Table 6.3 Server-side check variables 52

Table 6.4 Mobile Device Manager server-side check variables 53

Table 6.5 Checks that require a permission-level other than user 53

Table 7.1 BIG-IP Edge Client and Windows logs 60


Table 7.2 Macintosh system log file locations 62

Table 7.3 Macintosh system logs 63

Table 7.4 BIG-IP Edge Client application location 66

Table 7.5 Linux file names for the Endpoint Inspector app 68

Table 7.6 Linux file names for the F5 VPN app 69


About This Guide


The goal of this guide is to help F5® customers keep their BIG-IP® system healthy, optimized, and performing as
designed. It was written by F5 engineers who assist customers with solving complex problems every day. Some
of these engineers were customers before joining F5, and their unique perspective and hands-on experience
serves the guides F5 customers have requested.

This guide describes common information technology procedures, as well as those which are exclusive to BIG-IP
systems. There may be procedures particular to your industry or business that are not identified. While F5
recommends the procedures outlined in this guide, they are intended to supplement your existing operations
requirements and industry standards. F5 suggests that you read and consider the information provided to find the
procedures to suit your implementation, change-management process, and business-operations requirements.
Doing so can result in higher productivity and fewer unscheduled interruptions.

Refer to “Feedback and notifications” for information on how to help improve future versions of the guide.

Before using this guide


To get the most out of this guide, first complete the following steps, as appropriate to your implementation:

• Install your F5 platform according to its requirements and recommendations. Search AskF5™ (support.f5.com)
for “platform guide” to find the appropriate guide.

• Follow the general environmental guidelines in the hardware platform guide to make sure of proper
placement, airflow, and cooling.

• Set recommended operating thresholds for your industry, accounting for predictable changes in load. For
assistance contact F5 Professional Services (f5.com/support/professional-services).

• Familiarize yourself with F5 technology concepts, and review and apply the appropriate recommendations
from F5 BIG-IP TMOS: Operations Guide.

Limits of this guide


This guide does not focus on installation, setup, or configuration of your BIG-IP system or modules. There is a
wealth of documentation covering these areas in AskF5 (support.f5.com). The F5 self-help community, DevCentral™
(devcentral.f5.com), is also a good place to find answers about initial deployment and configuration.

The following figure shows where the F5 operations guides can best be applied in the product life cycle.


Figure 0.1: F5 documentation coverage

Glossary
A glossary is not included in this guide. Instead, the Glossary and Terms page (f5.com/glossary) offers an up-to-
date and complete listing and explanation of common industry and F5-specific terms.

Customization
Customization may benefit your implementation. You can get help with customization from a subject matter expert,
such as a professional services consultant, from F5 Consulting Services (f5.com/support/professional-services).

Issue escalation
Refer to Optimizing the Support Experience for issue escalation information.

If you have an F5 websupport contract, you can open a support case by clicking Open a support case on AskF5
(support.f5.com).


Feedback and notifications


F5 frequently updates the operations guides and new guides may be released as needed. If you would like to be
notified when new or updated content is available, or if you have feedback, corrections, or suggestions to improve
this guide, email [email protected].

Configuration utility
The BIG-IP Configuration utility is the name of the graphic user interface (GUI) of the BIG-IP system and its
modules. It is a browser-based application you can use to install, configure, and monitor your BIG-IP system.

For more information about the Configuration utility, refer to Introducing BIG-IP Systems in BIG-IP Systems:
Getting Started Guide.

Command-line syntax
We show command-line input and output in Courier font. The corresponding prompt is not included. For example,
the following command shows the configuration of the specified pool name:

tmsh show /ltm pool my_pool

The following table explains additional special conventions used in command-line syntax:

Table 0.1 Command-line syntax

Character   Description
<>          Identifies a user-defined variable parameter. For example, if the command has <your name>, type in
            your name but do not include the brackets.
[]          Indicates that syntax inside the brackets is optional.
...         Indicates that you can type a series of items.

TMOS Shell syntax

The BIG-IP system includes a utility known as the TMOS® Shell (tmsh) that you can use to configure and manage
the system at the command line. Using tmsh, you can configure system features and set up network elements.
You can also configure the BIG-IP system to manage local and global traffic passing through the system and view
statistics and system performance data.

You can run tmsh and issue commands in the following ways:

• You can issue a single tmsh command at the BIG-IP system command line using the following syntax:

tmsh [command] [module ... module] [component] (options)

• You can open tmsh by typing tmsh at the BIG-IP system command line:

(tmsh)#

Once at the tmsh prompt, you can issue the same command syntax, leaving off tmsh at the beginning.

Note You can use the command line utilities directly on the BIG-IP system console, or you can run
commands using a remote shell, such as the SSH client or a Telnet client. For more information about
command line utilities, refer to the Traffic Management Shell (tmsh) Reference Guide.

Finding other documents


For information about how to locate F5 product guides, refer to AskF5 article: K12453464: Finding product
documentation on AskF5.


Introduction
This guide covers the operation of F5® Virtual Private Network (VPN) clients and endpoint security (EPS) clients on
the Windows, Macintosh, and Linux operating systems. The intended audience is network engineers responsible
for the day-to-day administration of F5 BIG-IP® Access Policy Manager® (APM) Network Access.

VPN
The F5® BIG-IP® Edge Client® and F5 Access apps are remote access software designed to work with BIG-IP
APM. They provide VPN access (“Network Access”) and are available as stand-alone client packages that require
minimal configuration. The BIG-IP Edge Client is available for Windows- and Macintosh-based PCs.

You can also make Network Access VPN connections from desktop client computers using a web browser and F5
Access apps. These solutions are available for Windows, Macintosh, ChromeOS, Apple iOS, Android, and Intel-
based Linux PCs. Web-based VPN access operates in a similar way to the BIG-IP Edge Client.

For mobile platforms, the F5 Access app is available for Android, Apple, Microsoft, and ChromeOS. F5 Access is
not discussed in this guide.

Endpoint security checks


In addition to remote access, client security is also an important part of most deployments. BIG-IP APM has an
EPS client that transmits the client PC’s security posture information to the BIG-IP APM server.

BIG-IP APM administrators can use this information to make authentication, authorization, and access control
decisions. For example, an administrator can check for certain Windows patches or antivirus (AV) software and
deny VPN access unless this condition is satisfied.

You can also use the EPS client with other non-VPN remote access methods, such as providing web application
access based upon security information from web access management, when you combine F5 BIG-IP® Local
Traffic Manager™ (LTM) and BIG-IP APM. For more information about BIG-IP APM, refer to the AskF5 BIG-IP APM
Knowledge Center or F5 BIG-IP Access Policy Management Operations Guide.

Note For information about how to locate F5 product guides, refer to the Ask F5 article: K12453464: Finding
product documentation on AskF5.

Using this guide


This guide is divided into the chapters below.

BIG-IP Edge Client VPN Lifecycle

To establish a VPN connection, the client goes through several stages, including captive portal checks, auto-update
checks, establishing an authenticated BIG-IP APM session, establishing a control channel link and a data-transport
Point-to-Point Protocol (PPP) link, routing updates, and optional proxy and Domain Name System (DNS) interception.
The chapter discusses the process and architecture.


Common Approaches to Configuring VPN

This chapter describes common VPN use cases for BIG-IP APM and configurable VPN-related resources and
settings, including client packaging, authentication, routing, DNS handling, and proxy handling. If you are not
familiar with the options available, you’ll find these ideas about client configuration helpful.

Deployment Options

This chapter describes different ways to deploy BIG-IP APM VPN clients on users’ desktops, their configuration
settings, client customization, and other specifics.

Frequently Asked Questions

This chapter provides answers to the questions most frequently asked of F5 Technical Support.

Endpoint Checks

This chapter discusses the operation and architecture of BIG-IP APM endpoint inspection applications. BIG-IP
APM has many different types of endpoint checks. Some are developed in-house at F5 and some are third-party
products bundled with BIG-IP APM.

Troubleshooting

This chapter contains information that assists in diagnosing and investigating BIG-IP Edge Client connectivity
problems or unexpected operation. It is broken into several sections that include client-side for Windows and
Macintosh systems, as well as server-side for the BIG-IP APM system.


BIG-IP Edge Client VPN Lifecycle


Overview
The F5® BIG-IP® Edge Client® is a Virtual Private Network (VPN) client; its purpose is to establish and maintain a
VPN tunnel.

Because parts of the BIG-IP Edge Client run in a non-linear and asynchronous fashion, the exact steps the BIG-IP
Edge Client takes to create a VPN tunnel vary depending on your configuration and client state.

That said, the BIG-IP Edge Client always completes the following phases:

1. Detect that the client should connect, either manually or automatically.

2. Detect captive portal.

3. Retrieve the connectivity profile configuration from F5® BIG-IP® Access Policy Manager® (APM) (also called
the pre-config phase).

4. Update certain components and validate cryptographic signatures of critical BIG-IP Edge Client software
components.

5. Retrieve the BIG-IP APM login page—to determine a session ID to use—and the Logon mode.

6. Complete the log-in process by using the session ID to access BIG-IP APM and move the session to the
Allowed state. This process ends with a redirect to the Full or Network Access webtop to obtain the Network
Access resource information.

At the same time, the BIG-IP Edge Client typically opens a web browser that presents log-in fields to the
user and executes client inspection checks.

If the system has recurring endpoint security checks configured, the client PolicyServer component
continues to run and execute the checks.

7. Issue an HTTP transaction with the name of the Network Access resource, to start-up the server side of the
tunnel.

8. Perform a second pass of BIG-IP Edge Client component updates, if configured.

9. Connect the Network Driver Interface Specification Wide Area Network (NDISWAN) VPN driver to
TunnelServer using loopback for Point-to-Point Protocol (PPP) data.

10. Have Windows Routing and Remote Access service (RRAS) negotiate the remainder of the connection using
PPP and Link Control Protocol (LCP).

11. Perform post-connection actions as configured using the host component, such as routing, Domain Name
System (DNS), and proxy.


Figure 2.1: VPN lifecycle overview (diagram; states shown: Disconnected, Pre-Connection, Session Creation,
BIG-IP APM Tunnel, Post-Tunnel, Connected)

During the lifecycle of a VPN connection, the BIG-IP Edge Client establishes and maintains three types of
sessions with the BIG-IP APM VPN server; they are the first three items in the following list. Each of these
sessions has its own lifecycle, and goes into connected and disconnected states based on various events.

The VPN tunnel consists of the following elements:

1. Authenticated BIG-IP APM session—Created when a user successfully authenticates to the BIG-IP APM and
terminated when one of the following happens: a user explicitly logs out, a timeout occurs based on
configuration, or the BIG-IP Edge Client experiences an error that requires session termination.

2. PPP link—Created during the establishment of a VPN connection, and used to encapsulate and transport
traffic for the client computer.

3. Optimized application link—Consists of a control channel and zero or more F5® iSession® links used to
encapsulate and transport administrator-specified traffic. Only Windows and Macintosh clients support
optimized applications links.

4. Encrypted tunnel—Is the sum of the three previously described sessions and maintained when a VPN
connection is active. The PPP and iSession links may shut down and restart multiple times during an
authenticated BIG-IP APM session.

Based on the states of the three previously described sessions, the BIG-IP Edge Client is in one of the following
states:

• Session disconnected—Occurs before a user takes an action to establish a BIG-IP APM session or the
BIG-IP Edge Client starts Auto Connect mode.

• Session connected—Occurs after a user successfully authenticates to the BIG-IP APM VPN server, and the
BIG-IP Edge Client receives a secure, encrypted identifier from the server, referred to as the BIG-IP APM
session ID.

• Link established—Occurs when the BIG-IP Edge Client establishes a PPP link to the server by exchanging
several PPP messages which enable it to receive an IP address from the server leasepool, create a virtual
network adapter, and assign the address to the adapter.

Windows systems use a virtual dial-up adapter, whereas Macintosh and Linux systems use a tun adapter.

• Tunnel connected—Occurs when BIG-IP Edge Client creates an encrypted tunnel to the BIG-IP APM server
and starts routing client traffic through the tunnel.

Refer to the following figures for more information about BIG-IP Edge Client states and the transitions between
states.


Figure 2.2: Windows VPN lifecycle

[Flowchart; only its phase, component and action titles are recoverable from the extracted text.]

Pre-Connection: Edge Client Start (client modes Disconnected, Always Connected, Auto-Connect; connect modes
Block, Allow, Allow-Only-In-Enterprise-LAN), Captive Portal Detection, Component Update (download
pre-configuration, verify client component versions, download and merge server list).

BIG-IP APM Session: Connect to BIG-IP APM (open embedded browser control, evaluate access policy, redirect to
webtop, select first Network Access Resource from list, retrieve Network Access Resource properties), Policy
Server (run client-side checks, run OPSWAT inspection, run recurring checks if configured), OPSWAT Update,
Component Update.

Tunnel Creation: Start Tunnel Creation (HOST), TunnelServerX, Initialize Tunnel Components, TunnelServer (create
secure control channel with BIG-IP APM, open TCP listener for F5 VPN connection, connect to DNS Relay Proxy
service if running), DIALER Component (create RAS phonebook entry, initialize and connect to RAS), Microsoft RAS
(initialize F5 VPN Driver, coNDIS WAN Mini-port; PPP LCP configuration; PPP NCP negotiation; connect to
TunnelServer), Proxy (DIALER; detect and merge proxy and proxy autoconfiguration, set PAC URL by file or local
HTTP server), Routing Table (DIALER; routing table modifications in full- and split-tunnel modes), TunnelServer
(Local HTTP; PAC file in a local HTTP server).

Post-Tunnel: Post-Tunnel (DIALER; execute drive mapping, launch application, reconnect to domain), VPN Tunnel
(User State: Connected).


Figure 2.3: Macintosh VPN lifecycle

[Flowchart; only its phase, component and action titles are recoverable from the extracted text.]

Pre-Connection: Edge Client Start (client modes Disconnected, Always Connected, Auto-Connect), Connectivity
Detection/Captive Portal, Component Update (download preconfiguration, verify client component versions,
download and merge server list).

BIG-IP APM Session: BIG-IP APM (open embedded browser control, evaluate access policy, redirect to webtop, select
first Network Access Resource from list; if credentials are required, “Connecting: Your attention is required”
displays), Policy Server (execute client-side checks, execute OPSWAT inspection, execute recurring checks if
configured), OPSWAT Update.

Tunnel Creation: TunnelServer (SVPN; retrieve Network Access Resource properties), Tunnel Interface (SVPN; start
and configure utun device), PPP Tunnel (tunnel setup via PPP, LCP, and NCP), Proxy (SVPN; detect and merge proxy
and proxy autoconfiguration, set PAC URL by file or local HTTP server), DNS (SVPN; patch DNS subsystem), Routing
Table (SVPN; routing table modifications in full or split tunnel mode), TunnelServer (SVPN Local HTTP Server; PAC
file in a local HTTP server).

Post-Tunnel: Post-Tunnel (SVPN; launch applications), VPN Tunnel (User State: Connected).


Connecting to BIG-IP APM


The BIG-IP Edge Client passes through several phases before it connects to a VPN tunnel.

Connected mode detection

You configure the BIG-IP Edge Client to operate in one of three connection modes: Always Connect, Manually
Connect, or Auto Connect.

In Auto Connect mode, the client detects if it should connect by examining Local Area Network (LAN) parameters
provided by local servers. The exact mechanism the client uses to determine if a network is on the enterprise
network differs by operating system.

Windows

On the Windows system, the BIG-IP Edge Client uses the following methods to match a network with a configured
Location DNS Name.

• DNS suffix match—Matches a DNS suffix obtained through Dynamic Host Configuration Protocol (DHCP)
with a configured DNS name.

• Domain controller reachability—Tries to reach the domain controller for the configured Location DNS Name
when a client is not connected to VPN.

Macintosh

On the Macintosh system, the BIG-IP Edge Client only uses the DNS suffix match method.

Linux

Linux is not supported.

Captive portal detection

Detection mechanism

Captive portal systems are commonly used by hotels, restaurants, airports, and similar facilities to enable
monitoring, the display of End User License Agreements (EULA), and payment from connecting clients. Most
captive portals hijack the user’s web browsing session by returning spoofed DNS responses to legitimate queries.

The BIG-IP Edge Client captive portal detection feature detects captive portal when it encounters one of the
following events:

• When it doesn’t get the expected response during initial connection to the BIG-IP APM

• On any network state change

• On tunnel disconnect


To detect if a user’s network is under a captive portal, the BIG-IP Edge Client sends an HTTP request to a known
probe URL, and compares the returned content with some known content. If the request succeeds but the content
does not match, the BIG-IP Edge Client concludes that a captive portal is actively redirecting requests and the
user’s network is held in a captive portal.

Windows
On Windows, the BIG-IP Edge Client uses a native Windows captive portal detection mechanism. In the event that
the Windows mechanism fails to detect a captive portal, the BIG-IP Edge Client falls back to using the F5 default
probe URL for detection.

Macintosh
On the Macintosh system, the BIG-IP Edge Client uses the Macintosh probe URL only as a fallback option. When
the BIG-IP Edge Client detects captive portal using the F5 default probe URL, it makes another query to the
Macintosh probe URL to confirm the user’s network is under captive portal.

If it is, in most cases, the Macintosh system’s captive portal dialog box displays. Users are unlikely to see the
BIG-IP Edge Client’s internal dialog box.

Default probe URL for captive portal detection

The default probe URL on both the Macintosh and Windows systems is:

http://cdn.f5.com/product/avail.txt

You can override the default probe URL only on Windows. In most cases, you won’t need to.

To do so, modify the following registry values under the following hive:

HKEY_LOCAL_MACHINE\SOFTWARE\F5 Networks\RemoteAccess

ActiveWebProbeHost

• The default value is cdn.f5.com.

ActiveWebProbePath

• The default value is product/avail.txt.

ActiveWebProbeContent

• The default value is avail\n.

Integrated captive portal resolution

The BIG-IP Edge Client for both the Windows and Macintosh systems has an integrated web rendering engine that
resolves captive portal by launching an authentication page.


Windows
On Windows, when captive portal is detected, the BIG-IP Edge Client restores the routing table and displays the
captive portal authentication page. Windows uses an Internet Explorer WebBrowser control to render the page.
During this time, the BIG-IP Edge Client continuously monitors the probe URL.

Every time the user updates the authentication page, the BIG-IP Edge Client probes the captive URL to determine
if the user has a valid captive portal session. After the user successfully authenticates, the probe URL check
succeeds and the browser closes.

Macintosh
On the Macintosh system, when captive portal is detected, the BIG-IP Edge Client checks whether the Macintosh
captive portal authentication page is open. Macintosh uses WebKit to render the page. If it is not open, the BIG-IP
Edge Client displays its own page.

As on Windows, every time the user updates the authentication page, the BIG-IP Edge Client probes the captive
URL to determine if the user has a valid captive portal session. After the user successfully authenticates to the
captive portal, the BIG-IP Edge Client closes the page.

Pre-configuration

The BIG-IP APM system enables clients to identify properties of the VPN server, including versions of the
components available for client endpoints. The following URL is available on any BIG-IP virtual server that has a
connectivity profile associated with it.

/pre/config.php?version=2.0

Updates and signature validation

The BIG-IP Edge Client has a security feature that validates the cryptographic signatures of critical client-side
components before use to prevent accidental or intentional tampering. The BIG-IP Edge Client completes these
validation checks before each VPN connection.

The BIG-IP APM session lifecycle


The BIG-IP Edge Client and BIG-IP APM must exchange multiple HTTP messages to establish an authenticated
session. The number of messages depends on the configuration of the BIG-IP APM access policy. Typically, these
messages fulfill the following functions:

• Client auto-update—Detecting the version of client components and updating them

• Endpoint checks—Providing client endpoint information to the server

• User authentication—Proving that the client has permission to access the system


Client auto-update

After entering Connected mode, and immediately prior to creating a BIG-IP APM session, the BIG-IP Edge Client
fetches version numbers of client components on the target server at the following BIG-IP APM URI:

/pre/config.php?version=2.0

The BIG-IP Edge Client compares the local component versions with the BIG-IP APM versions, and (optionally)
updates the client if a newer version is available.

This update behavior is controlled by the Component Update setting in the BIG-IP Edge Client configuration file.
BIG-IP APM generates a BIG-IP Edge Client installer package, based on its connectivity profile, that includes this
setting. The following are valid options for the setting:

• Yes—Update the client components

• No—Do not update the client components

• Prompt—Prompt the user to update the client components

Important The Component Update setting is inside of the BIG-IP Edge Client install package. After
installing the BIG-IP Edge Client, the setting cannot be updated unless the BIG-IP Edge Client is reinstalled
with the new setting. When you change this setting on the BIG-IP APM server, the BIG-IP Edge Client does
not automatically detect and use the new setting.

The components in the following table have the Component Update setting.

Table 2.1 Components that support the Component Update setting

Windows                              Macintosh
BIG-IP Edge Client for Windows       Edge Client application
BIG-IP Edge Client COM API           SVPN TunnelServer
InstallerControl
Component installer
DNS Relay Proxy
Traffic Control
Credential Manager

Other components—including Windows ActiveX components, such as Host Control, InspectionHost, and
SuperHost—are updated automatically regardless of the Component Update setting.

Note Clients that use Simple Logon mode, as explained in the following section, do not support auto-update.
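As an added example, not from the guide or from F5's software, the following Python models the version comparison and Component Update decision described above. The guide does not show the response format of /pre/config.php?version=2.0, so both inventories are constructed dictionaries; the function names and the "unlisted" action are this example's own.

```python
"""Model of the component-update decision the guide describes: compare local
component versions with those BIG-IP APM advertises, then apply the
Component Update setting that ships inside the installer package.

Added example, not F5 code. The guide does not document the response format
of /pre/config.php?version=2.0, so both inventories are plain constructed
dictionaries; component names come from Table 2.1 and the text after it.
"""

# Windows components that honour the Component Update setting (Table 2.1).
SETTING_CONTROLLED = {
    "BIG-IP Edge Client for Windows",
    "BIG-IP Edge Client COM API",
    "InstallerControl",
    "Component installer",
    "DNS Relay Proxy",
    "Traffic Control",
    "Credential Manager",
}

# ActiveX components the guide says are updated regardless of the setting.
ALWAYS_UPDATED = {"Host Control", "InspectionHost", "SuperHost"}

# The installer's Component Update values and the action each implies when
# the server advertises a newer version.
ACTION_FOR_SETTING = {"Yes": "update", "Prompt": "prompt", "No": "skip"}

# Constructed sample inventories (illustrative version numbers only).
CONSTRUCTED_LOCAL = {
    "BIG-IP Edge Client for Windows": "7.1.8.0",
    "DNS Relay Proxy": "7.1.9.0",
    "Host Control": "7.1.8.0",
}
CONSTRUCTED_SERVER = {
    "BIG-IP Edge Client for Windows": "7.1.9.0",
    "DNS Relay Proxy": "7.1.9.0",
    "Host Control": "7.1.9.0",
    "Credential Manager": "7.1.9.0",
}


def parse_version(text):
    """Turn a dotted version string such as '7.1.9.2' into a comparable tuple.

    Fields compare as integers, so '7.1.10.0' sorts after '7.1.9.0'; a plain
    string comparison would get that wrong.
    """
    return tuple(int(part) for part in text.strip().split("."))


def plan_component_updates(local_versions, server_versions, setting):
    """Return {component: action} for every component the server advertises.

    Actions:
      'current'   local version is the same as or newer than the server's
      'update'    server is newer and either the setting is Yes or the
                  component is one of the always-updated ActiveX controls
      'prompt'    server is newer and the setting is Prompt
      'skip'      server is newer and the setting is No
      'unlisted'  server is newer but the name is in neither table, so an
                  operator should check it (this example's own action)
    A component missing locally is treated as older than the server's.
    """
    if setting not in ACTION_FOR_SETTING:
        raise ValueError("Component Update must be one of %s"
                         % sorted(ACTION_FOR_SETTING))
    plan = {}
    for name, remote in server_versions.items():
        local = local_versions.get(name)
        if local is not None and parse_version(local) >= parse_version(remote):
            plan[name] = "current"
        elif name in ALWAYS_UPDATED:
            plan[name] = "update"
        elif name in SETTING_CONTROLLED:
            plan[name] = ACTION_FOR_SETTING[setting]
        else:
            plan[name] = "unlisted"
    return plan


def held_by_setting(plan):
    """Components whose update the installed setting stops or defers.

    Because the setting ships inside the installer, changing it on the APM
    server does not reach existing clients: to change this outcome the
    client must be reinstalled with a package that carries the new setting.
    """
    return sorted(name for name, action in plan.items()
                  if action in ("skip", "prompt"))


if __name__ == "__main__":
    for setting in ("Yes", "Prompt", "No"):
        plan = plan_component_updates(CONSTRUCTED_LOCAL, CONSTRUCTED_SERVER, setting)
        print(setting, plan, held_by_setting(plan))
```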


User Authentication

The BIG-IP APM system authenticates clients using one of the following Logon modes. The BIG-IP Edge Client
selects the mode automatically (F5 Access VPN client users must manually select a mode).

• Simple Logon mode—Used by VPN clients that can’t render HTML pages (or when HTML is not desired).
This mode only supports username and password authentication, with optional client certificate-based
authentication.

• Web Logon mode—Used by VPN clients that can render HTML pages and support all the advanced
authentication methods BIG-IP APM offers, including Security Assertion Markup Language (SAML) and
OAuth 2, which provides secure delegated access to third-party clients.

This mode also provides endpoint checks for supported client platforms.

When clients use Web Logon mode, the operating system uses the web browser specific to its platform to render
the login page. Windows uses the WebBrowser control to create the page, while Macintosh, Android, and other
operating systems use WebKit.

Table 2.2 F5 VPN user authentication modes

F5 VPN client                              Web Logon mode   Web Logon mode with   Simple Logon mode
                                                            endpoint checks
BIG-IP Edge Client                         Yes              Yes                   Yes
F5 Access for Windows                      No               No                    Yes
F5 Access for Android                      Yes              No                    Yes
F5 Access for iOS                          Yes              No                    Yes
F5 Access for ChromeOS                     Yes              No                    Yes
Windows SDK                                Yes              Yes                   Yes
Linux CLI                                  No               No                    Yes
VPN helper apps (browser-based VPN) for    Yes              Yes                   Not applicable
Macintosh, Windows and Linux


Reasons for terminating a session

BIG-IP APM terminates a session for one of following reasons:

• Manual termination—The user explicitly terminates the session by logging out or clicking Disconnect on the
BIG-IP Edge Client page.

A BIG-IP APM administrator can also terminate a session from the BIG-IP APM administration user interface.

• Configurable session timeouts—One of the following two server settings forces a session to terminate:

• inactivity_timeout—Sets the duration for which a session remains active while the traffic flowing
between the client and server is below a given threshold.

• max_session_timeout—Determines the maximum time a session is valid, starting from session creation.
You configure this setting in the access profile. This setting is used to force users to reauthenticate.

• Hard-coded session timeouts—One of the following built-in timeouts forces a session to terminate:

• Transmission Control Protocol (TCP) reconnect timeout—The maximum amount of time the BIG-IP Edge
Client can attempt to reconnect a VPN tunnel using a valid session. The period is hard-coded to 15
minutes.

• Control channel connection timeout

• Device posture information timeout—When an access policy requires continuous client-side checks, and
the server does not get updated posture information from the client for five minutes.

• Client device posture change—When an access policy requires continuous checks, and the client device
posture based on those checks changes, the BIG-IP Edge Client terminates the session.

• Network location change—When the BIG-IP Edge Client has the Network Location Awareness setting
configured, and the user joins a network that is part of the enterprise network, it terminates the session.

Note The Network Location Awareness setting enables the BIG-IP Edge Client to automatically
establish and terminate a VPN and BIG-IP APM session when it detects that it is connected to a
specified network. The network is specified using a DNS suffix in the DNS name setting of the BIG-IP
APM connectivity profile.

For more information, see Configuration Guide for BIG-IP Access Policy Manager for your system
version. For information about how to locate F5 product guides, refer to the Ask F5 article: K12453464:
Finding product documentation on AskF5.

Viewing the session termination reason

In most cases, BIG-IP APM logs the reason for session termination. However, both BIG-IP APM and the BIG-IP
Edge Client can initiate the termination. F5 recommends that you review the logs for both at the same time,
because when the BIG-IP Edge Client terminates a session, the BIG-IP APM doesn’t necessarily know the cause.

Note When the BIG-IP Edge Client terminates a session because it can’t reach BIG-IP APM, you must
inspect the BIG-IP Edge Client logs for a detailed reason, because BIG-IP APM simply logs the incident as
a generic error.


Technical and reference information

VPN tunnel devices

On the client-side, the BIG-IP Edge Client installs a PPP pseudo-interface driver. At tunnel establishment time, the
BIG-IP Edge Client opens PPP interfaces.

The BIG-IP Edge Client modifies the routing table on the client PC to route specified traffic over the VPN. The PPP
adapter transports traffic using a loopback TCP connection to the local TunnelServer (on Windows) or svpn (on
Macintosh), which then encapsulates it into PPP packets over Secure Sockets Layer (SSL) or Datagram Transport
Layer Security (DTLS), and forwards it to BIG-IP APM.

Note Sometimes AV programs incorrectly identify the loopback connection as malicious, which can cause
the VPN to fail.

On the server-side, BIG-IP APM uses the connectivity profile on the ingress virtual server to remove the PPP
encapsulation from client IP/PPP packets and forwards the traffic to a virtual server. For more information about
this process, refer to AskF5 articles: K03113285: Overview of BIG-IP APM layered virtual servers and K11312:
Creating network access with SSO capabilities.

Windows

Windows uses the RRAS subsystem to create and maintain the tunnel. The PPP driver (a CoNDIS driver) is
responsible for encapsulating and removing encapsulation from PPP frames, and sending traffic to the network
stack in the operating system.

The BIG-IP Edge Client invokes the RRAS using the dial-up entry to configure the driver, initiate the adapter call,
and configure the adapter with the IP address, protocol bindings, and other settings.

Macintosh and Linux

Macintosh and Linux systems use the utun subsystem or tun and tap subsystem to create and maintain the tunnel.
Macintosh and Linux clients have their own LCP and PPP implementation, whereas Windows uses a Windows-
embedded implementation.

The VPN tunnel

Establishing the link

To establish the link to the VPN tunnel, peers send LCP frames to configure the link. In this phase, each peer
negotiates communication options used to transport data. Some of these parameters include maximum receive
unit (MRU), compression, and protocol ID.


Authentication

During the (optional) PPP authentication phase, the BIG-IP Edge Client does not use a traditional PPP
authentication protocol such as PAP or CHAP, because all PPP and LCP communication already happens inside an
authenticated and secured HTTPS connection to BIG-IP APM.

MRU calculations

Windows
The BIG-IP Edge Client relies on the Windows implementation of LCP to calculate MRU.

Macintosh and Linux


The BIG-IP Edge Client uses the following formula to calculate MRU:

    DesiredClientMRU = MIN(DEFAULT_MTU, (InterfaceMTU - f5Overhead))
        (where f5Overhead is 64 bytes for IPv4/TCP and DEFAULT_MTU is 1500)

    IntermediateValue = MIN(DesiredClientMRU, BIG-IP_MRU)

    If (IntermediateValue < minimumValueWithoutIPFragmentation) {
        If (DesiredClientMRU < minimumValueWithoutIPFragmentation) {
            Use DesiredClientMRU as final value
        } else {
            Use 1500.
        }
    }

This calculation keeps fragmentation overhead low and allows Internet Protocol version 6 (IPv6) to work on
networks where the physical maximum transmission unit (MTU) is very low, such as 1300 bytes.
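The formula above carried through as a worked example. This is added Python, not code from the F5 guide; the names mirror the guide's pseudocode. Two things are assumptions because the guide leaves them open: the no-fragmentation floor is taken to be the IPv6 minimum link MTU of 1280 bytes, and when IntermediateValue is already at or above that floor the example uses IntermediateValue as the final value.

```python
# Added example, not code from the F5 guide: a Python model of the Macintosh/Linux
# MRU calculation. Names mirror the guide's pseudocode. ASSUMPTIONS: the
# no-fragmentation floor is the IPv6 minimum link MTU (1280), and when
# IntermediateValue is already at or above the floor it is used as-is.

DEFAULT_MTU = 1500
F5_OVERHEAD_IPV4_TCP = 64            # overhead the guide cites for IPv4/TCP, in bytes
MIN_WITHOUT_IP_FRAGMENTATION = 1280  # assumption: RFC 8200 minimum IPv6 link MTU


def desired_client_mru(interface_mtu, f5_overhead=F5_OVERHEAD_IPV4_TCP):
    """DesiredClientMRU = MIN(DEFAULT_MTU, InterfaceMTU - f5Overhead)."""
    return min(DEFAULT_MTU, interface_mtu - f5_overhead)


def negotiated_mru(interface_mtu, bigip_mru, floor=MIN_WITHOUT_IP_FRAGMENTATION):
    """Final client MRU after capping by the BIG-IP MRU and applying the
    fragmentation floor with exactly the branches the guide describes."""
    desired = desired_client_mru(interface_mtu)
    intermediate = min(desired, bigip_mru)
    if intermediate < floor:
        if desired < floor:
            return desired      # the link itself is too small; use what it can carry
        return DEFAULT_MTU      # guide: "Use 1500" when only the BIG-IP MRU pushed the value below the floor
    return intermediate         # assumption: the guide does not spell this branch out


def mru_report(cases):
    """Evaluate (InterfaceMTU, BIG-IP_MRU) pairs; handy when checking a low-MTU path."""
    return [(mtu, bigip, negotiated_mru(mtu, bigip)) for mtu, bigip in cases]


if __name__ == "__main__":
    for mtu, bigip, result in mru_report([(1500, 1500), (1300, 1500), (1500, 1200)]):
        print(f"InterfaceMTU={mtu} BIG-IP_MRU={bigip} -> client MRU {result}")
```

The 1300-byte interface case from the text lands on 1236, which is the DesiredClientMRU branch: the link cannot carry more, so the client takes what fits.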

Configuring the protocol

In this phase, Network Control Protocol (NCP) packets determine which protocols will be used across the PPP link.
The client configures its IP address using Internet Protocol Control Protocol (IPCP) or Internet Protocol version 6
Control Protocol (IPv6CP).

Note When a failure occurs during any of the setup phases, the PPP link disconnects. Windows reports this
as a remote access services (RAS) error.


Maintaining the VPN session

Keep-Alive

On Windows, the BIG-IP Edge Client primarily uses the built-in LCP to maintain the tunnel connection and ensure
it reconnects the tunnel at the correct time.

LCP has a mechanism similar to a ping utility that uses “Echo Request” and “Echo Reply” messages to ensure the
connected peers can communicate. To do this, each PPP peer sends a Keep-Alive message in the form of an LCP
“Echo Request,” expecting an “Echo Reply” shortly afterwards. When there are several consecutive misses, RRAS
marks the PPP link down (unavailable) and the BIG-IP Edge Client attempts to reconnect. The reconnect
messages are logged on both the client- and server-sides.

Preparing traffic for transmission

On Windows, the dial-up entry receives the application IP payload and uses the NDIS driver framework to pass the
packet to TunnelServer.

On Macintosh and Linux systems, the tun0 device sends this payload.


Figure 2.4: Preparing traffic for transmission

(Figure: two encapsulation diagrams, reduced here to their recoverable content.)

PPP over SSL (client SSL connection to BIG-IP APM): application data (TCP/IP) enters the F5 PPP driver, is passed
to Tunnel Server, and leaves the client as F5 PPP / GZIP (optional) / SSL / TCP / IP. BIG-IP APM removes the
encapsulation and forwards the application data (TCP/IP) to the servers.

PPP over DTLS (client DTLS connection to BIG-IP APM): application data (TCP/IP) enters the F5 PPP driver, is
passed to Tunnel Server, and leaves the client as F5 PPP / DTLS / UDP / IP. BIG-IP APM removes the encapsulation
and forwards the application data (TCP/IP) to the servers.


Monitoring system configuration parameters

BIG-IP Edge Client continuously monitors and corrects system configuration parameters to ensure the VPN
connection works correctly.

Table 2.3 System configuration parameters

Setting                           Windows          Macintosh        Linux
DNS server and suffix             Yes              Yes              Yes
/etc/hosts                        Not applicable   Yes              Yes
/etc/resolv.conf                  Not applicable   Yes              Yes
Proxy server and port settings    No               No               Not applicable
Dial-Up Adapter Configuration     Yes              Not applicable   Not applicable
Proxy PAC file content            No               No               Not applicable
Proxy PAC file URL                Yes              Yes              Not applicable
Routing table (IPv6 and IPv4)     Yes              Yes              Yes

Timeouts

While the tunnel is established, there are many network communication events that must happen for the tunnel to
operate correctly. Some of these timers are configurable while others are not.

These timers define tunnel behavior for various cases, such as regular operations, loss of network connectivity,
and short network disconnects. The following list contains several important timeouts; however, it is not
comprehensive:

• TunnelServer uses a 65-second timer when DTLS tunnels are in use. When TunnelServer doesn’t receive a reply
from the server within 65 seconds, it disconnects the tunnel.

• The BIG-IP APM provides 30 seconds for tunnels to connect (TCP) by default.

• The BIG-IP APM instantly detects when TCP disconnects for most reasons, such as a TCP reset.

• Windows monitors the routing table every 500 milliseconds.

• The Macintosh system checks the routing table and DNS subsystems every three seconds.

• The Macintosh system detects changes to the proxy auto-config (PAC) file URL instantaneously.

• When a web browser is used as client on the Macintosh system and you close the browser, TunnelServer
quits within two minutes.


Session reconnection logic

Windows
On Windows, when TunnelServer can’t reach a server, it retries the connection for about 15 minutes. It also
throttles the delay between subsequent connections, delaying a bit more with every retry.

When the BIG-IP Edge Client encounters fatal errors, it informs the user. For example, a fatal error occurs when
the system routing table changes mid-connection due to third-party software or network changes, and cannot be
restored to the original VPN state.

During a VPN session, clients are agnostic to any reachability issues that result from a proxy server change.

Macintosh and Linux
On the Macintosh and Linux systems, svpn tries to reconnect a VPN session, unless the user disconnects or
another application tells it to stop. When the server is unreachable, every reconnection attempt has a 30 second timeout.

Terminating a session

LCP is responsible for terminating a session. To do so, the client or server initiates the action by sending an LCP
Terminate-Request and expects a Terminate-Ack (tunnel termination acknowledgment) from the other side in
response. Windows detects this change using RRAS, while the Macintosh and Linux systems use Point-to-Point
Protocol Daemon (PPPD).


Common Approaches to Configuring VPN


Each F5® BIG-IP® Access Policy Manager® (APM) site has unique VPN and authentication requirements for you to
consider when configuring your site and making decisions about the many options available with BIG-IP APM.

To assist you, this chapter describes common VPN use cases for BIG-IP APM and configurable VPN-related
resource and packaging parameters. If you are not familiar with the options available, you’ll find these ideas about
client configuration helpful.

Configuration options can be organized into the following general categories: client packaging, authentication,
routing, DNS handling, and proxy handling. The sections in this chapter discuss these categories, rather than each
individual configuration setting.

Client packaging options


F5® BIG-IP® automatically assembles the Windows and Macintosh F5® BIG-IP® Edge Client® installation package
from base component packages on your current BIG-IP system. After you select configuration options in the
connectivity profile, you distribute the package to end-users.

The components and options you select are included in a configuration file, config.f5c, inside the BIG-IP Edge
Client package. During installation, this configuration file is applied to the client PC. This minimizes manual
configuration by the user.

For detailed information about component options, refer to the AskF5 articles: K14045: The BIG-IP Edge Client
components for Windows and K14947: The BIG-IP Edge Client components for Mac OS X.

Packaging considerations

• The outer installer package is not signed with a code-signing certificate. However, all the inner individual
components inside the package are signed. This is because BIG-IP assembles the outer client package
dynamically, and F5 protects its code-signing key from distribution. Optionally, you can work around this by
signing the customized BIG-IP Edge Client package with a code-signing certificate that your organization
trusts.

• You select client packaging options in BIG-IP APM using the Customize Package setting in the connectivity
profile settings. Client packaging options are volatile and not stored in BIG-IP except in the running
configuration. Operations that reload the running configuration, such as upgrade, HA synchronization, and
backup and restore, cause BIG-IP to lose the settings.

• F5 generally recommends that you do not include the Traffic Control Service, unless it is required by Always
Connected mode or other options.

Connectivity profile settings

There are several connectivity profile settings. For example, BIG-IP Edge Client maintains a drop-down list (similar
to bookmarks) of target servers to help users identify and connect to the appropriate server. The options in the
target server list are a connectivity profile setting.


Install-time settings

You populate the target server list using a settings file that the BIG-IP Edge Client installer places on the user’s
system after installation. The installer places the file outside the user directory, typically in a system directory.

You configure the target server list and several other install-time options in this file using the connectivity profile
settings in BIG-IP APM.

Runtime settings

After installing the BIG-IP Edge Client, when users want to connect to a BIG-IP APM server that is not in the target
server list, they can add a new server name or IP address. By doing so, users may connect to servers with
different server lists and options than those provided by their installation settings. The servers that users add to
their server list and those servers’ settings are merged into the runtime settings file stored in each user’s home
directory path.

You configure these and other runtime settings in the connectivity profile settings in BIG-IP APM.

Miscellaneous packaging options

You configure the following options in the connectivity profile settings in BIG-IP APM:

Table 3.1 BIG-IP APM connectivity profile settings

Enable Always Connected mode (Windows; install-time)
    Enable when locked client is installed. Three options:

    • Allow—Allow Internet connectivity always.

    • Block—Block Internet connectivity when VPN is disconnected.

    • Allow-in-Enterprise-Only—Allow Internet connectivity when VPN is disconnected in the corporate LAN.

Add virtual server list to Trusted Sites (Windows; install-time)
    Virtual server list is added to the Trusted Sites database on the client-side. Client components that check the
    Trusted Sites list do not throw an extra prompt for these servers during session establishment.

Auto launch after Windows logon (Windows; install-time)
    Launch BIG-IP Edge Client after user log in.

Auto launch BIG-IP Edge Client after user log in (Macintosh; install-time)
    Launch BIG-IP Edge Client after user log in.

Exclusions list (Windows; install-time)
    Contains servers that are allowed when the VPN is disconnected and Always Connected mode is enabled.


Customization

Many customers want the BIG-IP Edge Client to reflect corporate branding, and BIG-IP APM allows branding
customization. You configure some settings in the connectivity profile settings and some on the page at this
location: Access > Profiles/Policies > Customization > Quick Start/Basic (page location varies depending on
your system version).

For information about all customization settings, refer to BIG-IP Access Policy Manager: Customization for your
system version.

Note For information about how to locate F5 product guides, refer to the Ask F5 article: K12453464: Finding
product documentation on AskF5.

Customizing user interface settings in the access profile

Table 3.2 BIG-IP Edge Client user interface settings

Banner Color (Windows, Macintosh; install-time)
    BIG-IP Edge Client displays this color in its banner.

Banner Text (Windows, Macintosh; install-time)
    BIG-IP Edge Client displays this text in the main window’s banner.

Logo (Windows, Macintosh; install-time)
    The BIG-IP Edge Client logo, which is displayed in its banner. This logo is NOT a tray icon.

    The F5 logo displays on system applications like Windows Program Files, and Macintosh Finder and Spotlight.

    On Macintosh, you can’t change the logo in the Advanced pane of Security & Privacy preferences.

Start menu shortcut icon (Windows; install-time)
    You can change the Start menu shortcut icon to one other than the default F5 logo icon.

Tray Icon Set (Windows, Macintosh; install-time)
    BIG-IP Edge Client provides two tray icon sets: an F5 icon set and a generic icon set. The generic set provides
    generic icons for the system tray and its notifications.

Notes

When you change the settings in the previous table, you must redeploy BIG-IP Edge Client.

Customized logos aren’t displayed everywhere in the operating system.


Customizing text settings in the access profile

Table 3.3 BIG-IP Edge Client text settings

About link (Windows, Macintosh; install-time)
    The link that displays on the About BIG-IP Edge Client page.

About text (Windows, Macintosh; install-time)
    The text that displays on the About BIG-IP Edge Client page.

Application Name (Windows, Macintosh; install-time)
    The title that displays at the top of all BIG-IP Edge Client windows.

Customizing server-side settings in the connectivity profile

These settings affect client operation.

Table 3.4 BIG-IP Edge Client operation settings

Network access compression settings: Compression Buffer Size* (Windows, Macintosh, Linux; runtime)
    TunnelServer uses this runtime buffer size to compress data.

Network access compression settings: gzip Compression Level* (Windows, Macintosh, Linux; runtime)
    Specifies the rate of compression, or how aggressively data is compressed. The higher the level, the slower the
    compression, but data may be compressed more.

Network access compression settings: gzip Memory Level* (Windows, Macintosh, Linux; runtime)
    The gzip compression module uses this memory size by default. More memory can yield better performance.

Network access compression settings: gzip Window Size* (Windows, Macintosh, Linux; runtime)
    F5® BIG-IP® Local Traffic Manager™ (LTM) uses this number of kilobytes in window size when compressing a
    server response.

Network access compression settings: CPU Saver* (Windows, Macintosh, Linux; runtime)
    Requires the system to monitor CPU usage and adjust compression rates automatically when the CPU reaches
    either CPU Saver High Threshold or CPU Saver Low Threshold.

Save Servers Upon Exit (Windows, Macintosh; runtime)
    Specifies whether the BIG-IP Edge Client maintains a list of recently used BIG-IP APM servers. BIG-IP Edge
    Client always lists the servers defined in the connectivity profile; however, it also lists user-entered servers
    when this option is enabled.

Reuse Windows Logon Session (Windows; runtime)
    Enables BIG-IP Edge Client to use a Windows logon session for the BIG-IP APM session.

    When you use Windows Logon Integration, the BIG-IP Edge Client creates a VPN connection to validate the
    provided user credentials. This pre-logon VPN session is terminated, then re-established after logon time.
    This setting causes the BIG-IP Edge Client to use the same APM session for the pre- and post-logon VPN
    connections.

    When disabled, a new APM session will be established post-logon.

Reuse Windows Logon Credentials (Windows; runtime)
    Used with User Logon Credentials Access Service, it enables BIG-IP Edge Client to use Windows logon
    credentials to establish a BIG-IP APM session.

Allow Password Caching (Windows, Macintosh; runtime)
    BIG-IP Edge Client displays a Save password check box on the log-in page. The Save Password method
    determines where the password is cached: on disk, which is persistent, or in memory, which is cleared upon
    exiting.

Component Update (Windows, Macintosh; install-time)
    Defines how components are updated when the BIG-IP Edge Client connects to an upgraded BIG-IP. For more
    information, refer to Client auto-update.

Server List (Windows, Macintosh; runtime)
    BIG-IP Edge Client automatically populates this list of best geographically-located servers for users’
    connections. When there are duplicates, the connectivity profile takes precedence over the install-time
    server list and user-added servers.

Location (Windows, Macintosh; runtime, except that locked clients use an install-time setting)
    The Auto-Connect feature uses this list. System DNS suffix settings define a user’s location. When the client
    machine is in the defined location, BIG-IP Edge Client disconnects the VPN.

* Compression only occurs in Transport Layer Security (TLS) mode.


Options for starting the BIG-IP Edge Client

User starts VPN manually

Most F5 customers enable users to start the BIG-IP Edge Client and VPN when they need it. When you want users
to connect and disconnect from VPN themselves, disable the Always Connected mode in the connectivity profile.

Note Starting with BIG-IP APM 13.0, you can start VPN connections and endpoint inspection with all
popular web browsers, so you may not need to distribute the BIG-IP Edge Client.

VPN in Always Connected mode

The BIG-IP Edge Client supports VPNs that are always connected. In Always Connected mode, you have the
option to block all Internet access from the client PC until the client is connected. There are a couple of drawbacks
when the client is connected to a domain.

• Traffic to the domain controller is also blocked, which can interfere with the Windows logon process and
cause delays.

• When the VPN service uses a third-party federated log-in mechanism, such as SAML, the connection to the
third-party is blocked.

There is a whitelist feature, but it is limited to 10 IP or hostname entries and does not support wildcards. These
limitations may render it unsuitable for some deployments.

VPN connection or disconnection triggered automatically

BIG-IP Edge Client provides an Auto-Connect mode. This mode uses the DNS suffix that DHCP assigns to the local
LAN adapter to trigger a connection or disconnection, based on the DNS suffix configured inside the connectivity
profile. To configure this setting, set the suffix in the connectivity profile to match the one assigned by the
corporate DHCP server. Multiple entries are supported. For more information, refer to Connected mode detection.

VPN starts before user log in (Windows only)

This mode is called Windows Logon Integration. For more information, refer to AskF5 article: K8092: Configuring
Windows Logon Integration.

Authentication options
BIG-IP APM supports many ways for users to authenticate before accessing the VPN resource.

Plain username and password

In Simple Logon mode, you use one-factor authentication to check a password against an authentication,
authorization, and accounting (AAA) server. You configure exactly two fields in the visual policy editor on the
Logon Page Agent: Username and Password. The domain is discovered automatically when you use AD Auth with
an Active Directory (AD) AAA server.


There are a few advantages to this approach: all F5 clients support Simple Logon mode, it doesn’t require a
WebBrowser control object, and you can save several hundred milliseconds in the authentication process.

Multi-factor

You use multi-factor authentication with BIG-IP APM and an access policy of arbitrary complexity. Authentication
can require zero or more log-in pages prompting users for any kind of password or token. Because the client
opens a WebBrowser control (or WebKit), you can render any HTML. The user experience in this mode should
match Internet Explorer 7 (Windows) or WebKit (Macintosh).

Third-party IdP with a SAML service

Because the BIG-IP Edge Client can open a web browser for authentication, you can offer federated VPN as a
SAML service provider (SP) service. This enables the client to use any third-party SAML Identity Provider (IdP) for
authentication, greatly expanding the possible use cases.

Routing options

Enforcing routing table changes

The BIG-IP Edge Client modifies the local routing table on the user’s machine to comply with the network access
configuration defined on BIG-IP APM. The client PC is usually configured for normal Internet access prior to
starting VPN access.

To force the client PC to route traffic to internal resources, the BIG-IP Edge Client must reroute it to direct traffic
over the VPN, and then prevent the user from tampering with these settings (optional).

Routing can be complex in certain situations. In Extended Logging mode, the BIG-IP Edge Client logs information
about the routes it adds and removes during the connection. This can greatly aid troubleshooting.

The BIG-IP Edge Client goes through the following steps to modify the PC’s routing table:

1. Saves a current snapshot of the system routing table, which it uses to restore routing tables after the VPN
connection is terminated.

2. Modifies the system routing table based on the network access configuration it fetches from the network
access resource assigned to the user (or selected by the user).

Disallowing routing table changes

For all routing modes, the Prohibit routing table changes during Network Access connection option directs
BIG-IP Edge Client to disconnect the VPN and log out the user when it detects a change in the traffic routed over
the tunnel. Some firewall and AV software manipulate the routing table, which can unintentionally trigger this
behavior.


The Prohibit routing table changes during Network Access connection option is intended to stop routing
table changes that do not conform to the network access configuration policy. BIG-IP Edge Client monitors the
routing table for manual and automatic changes using a snapshot. When a network change is detected—for
example, the user roams from one network to another—the BIG-IP Edge Client immediately reverts the routing
table to match the table’s snapshot at the start of the VPN session. Meanwhile, the VPN session remains
connected. Each operating system handles enforcement differently.

Windows

When the Prohibit routing table changes during Network Access option is enabled, the BIG-IP Edge Client
monitors the routing table several times a second. The BIG-IP Edge Client excludes routing changes from the
Windows system to ensure network interface changes and metric updates are allowed while maintaining VPN
connectivity. The BIG-IP Edge Client reverts operating system route changes that interfere with the VPN tunnel
route, such as adding a duplicate route.

Windows may also dynamically manipulate routing metrics in PCs by using multiple network adapters to direct
traffic over a faster interface. The BIG-IP Edge Client detects this behavior but doesn’t disconnect the VPN
because Windows doesn’t modify the traffic routing over the tunnel.

Macintosh and Linux

The BIG-IP Edge Client monitors the routing table and enforces the Prohibit routing table changes during
Network Access option regardless of the setting. The BIG-IP Edge Client excludes routing changes from the
operating system unless they interfere with VPN connectivity.

Routing only corporate traffic over the tunnel / Split Tunnel mode

You can route only corporate traffic over VPNs and have PCs handle other traffic locally. The advantage of this
mode is that you conserve bandwidth because normal web browsing doesn’t traverse the VPN.

Routing all traffic over the tunnel / Full Tunnel mode

When you use this mode, after the BIG-IP Edge Client connects the tunnel, it adds a host route to the target BIG-IP
APM’s IP address via the Internet-facing adapter. Then, it adds a low-metric default route over the VPN adapter,
which causes all other traffic to be routed over the VPN. The advantage of this mode is that it allows inspection of
all user traffic, at the cost of carrying normal web browsing, streaming video, and similar activity across the tunnel.
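A model of the enforcement logic described above (snapshot at session start, classify later changes, revert the ones that interfere with tunnel routing) together with the Full Tunnel route layout. This is an added Python example, not F5 code: the route tuple layout, the interface names, the addresses and the sample table are constructed for the example, and the rule that separates a benign metric update from an interfering change is an interpretation of the text, not the client's actual algorithm.

```python
# Added example, not F5 code: routing-table snapshot, full-tunnel route layout and
# change classification. Route entries are (destination, prefix length, gateway,
# interface, metric). Interface names, addresses and the sample table are constructed.

def full_tunnel_routes(apm_ip, internet_gw, internet_if, vpn_if, vpn_metric=1):
    """Routes added for Full Tunnel mode: a host route to the BIG-IP APM address via
    the Internet-facing adapter, then a low-metric default route via the VPN adapter."""
    return [
        (apm_ip, 32, internet_gw, internet_if, 5),
        ("0.0.0.0", 0, "0.0.0.0", vpn_if, vpn_metric),
    ]


def snapshot(table):
    """Index a routing table by (dest, prefixlen, gateway, interface) -> metric."""
    return {r[:4]: r[4] for r in table}


def classify_changes(snap, current_table, vpn_if, apm_ip):
    """Compare the live table with the session snapshot.

    Returns (benign, interfering). Benign: the OS re-metricing a route that does not
    carry tunnel traffic. Interfering: anything touching the VPN adapter's routes or
    the host route to BIG-IP APM, or a new default route that bypasses the tunnel
    (the 'duplicate route' case in the text).
    """
    cur = snapshot(current_table)
    benign, interfering = [], []
    for key in sorted(set(snap) | set(cur)):
        if snap.get(key) == cur.get(key):
            continue                                   # unchanged
        dest, prefixlen, _gw, iface = key
        touches_tunnel = iface == vpn_if or dest == apm_ip
        bypass_default = prefixlen == 0 and iface != vpn_if and key not in snap
        if touches_tunnel or bypass_default:
            interfering.append(key)
        else:
            benign.append(key)
    return benign, interfering


def enforce(snap, current_table, vpn_if, apm_ip):
    """Prohibit-routing-table-changes behaviour: if anything interferes with tunnel
    routing, return the table restored from the snapshot plus the offending keys;
    otherwise keep the live table (OS metric tweaks are tolerated)."""
    _, interfering = classify_changes(snap, current_table, vpn_if, apm_ip)
    if interfering:
        return [(*key, metric) for key, metric in snap.items()], interfering
    return current_table, []


# Constructed sample: a laptop on 192.168.1.0/24 connecting to APM at 203.0.113.10.
BASE_TABLE = [
    ("0.0.0.0", 0, "192.168.1.1", "eth0", 25),
    ("192.168.1.0", 24, "0.0.0.0", "eth0", 25),
]
SESSION_TABLE = BASE_TABLE + full_tunnel_routes("203.0.113.10", "192.168.1.1", "eth0", "ppp0")
SESSION_SNAPSHOT = snapshot(SESSION_TABLE)


def demo():
    # 1. Windows raises the LAN default route's metric: benign, the VPN stays up.
    remetriced = [r[:4] + (35,) if r[3] == "eth0" and r[1] == 0 else r for r in SESSION_TABLE]
    benign, interfering = classify_changes(SESSION_SNAPSHOT, remetriced, "ppp0", "203.0.113.10")
    # 2. Third-party software adds a metric-0 default route out of eth0: interfering, reverted.
    hijacked = SESSION_TABLE + [("0.0.0.0", 0, "192.168.1.254", "eth0", 0)]
    restored, bad = enforce(SESSION_SNAPSHOT, hijacked, "ppp0", "203.0.113.10")
    return benign, interfering, sorted(restored) == sorted(SESSION_TABLE), bad


if __name__ == "__main__":
    print(demo())
```

When reading a real table, compare against the snapshot the same way: a route whose key is present in both and differs only in metric is the pattern the text attributes to Windows, while a brand-new default route on a non-tunnel interface is the one worth alerting on.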

Routing all traffic over the tunnel, with exceptions

You can also implement a VPN routing policy that directs all traffic over the tunnel, with some exceptions for
certain sites. To use this approach, configure the Network Access Settings by doing the following:

1. In the Traffic Options section, select Use split tunneling for traffic.

2. In the IPv4 LAN Address Space section, in the IP Address and Mask fields, enter 0.0.0.0.

3. In the DNS Address Space section, add all hosts associated with the site(s). Wildcards are allowed.

Note DNS Relay Proxy is an optional Windows-based service that enables hostname-based full tunnel
exceptions to function properly. To ensure traffic does NOT traverse the tunnel, this service intercepts DNS
requests made by the PC, listens to the response, and then adds temporary routes to the routing table for
all returned addresses. Because the Mac and Linux clients lack this service, DNS-based exceptions do not
function the same way on those platforms.
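The mechanism the note describes, as an added Python example (not F5 code): match a queried name against the DNS Address Space, and for a matching answer produce the temporary host routes that send that traffic out of the physical adapter instead of the 0.0.0.0/0 tunnel route. The wildcard semantics (shell-style matching), the route tuple layout, the DNS answers and the interface names are assumptions constructed for the example.

```python
# Added example, not F5 code: models the hostname-based exception handling the DNS
# Relay Proxy performs on Windows. ASSUMPTION: DNS Address Space entries match with
# shell-style wildcards. The DNS answers and addresses below are constructed.
import fnmatch
from ipaddress import ip_address, ip_network


def matches_dns_address_space(hostname, patterns):
    """True if the queried name matches any configured DNS Address Space entry."""
    name = hostname.rstrip(".").lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def exception_routes(hostname, answers, patterns, physical_gw, physical_if):
    """Host routes (dest, prefixlen, gateway, interface) to add for an excepted name,
    one per returned address; empty if the name is not excepted."""
    if not matches_dns_address_space(hostname, patterns):
        return []
    routes = []
    for a in answers:
        ip = ip_address(a)
        routes.append((str(ip), ip.max_prefixlen, physical_gw, physical_if))
    return routes


def goes_over_tunnel(dest, lan_address_space, exception_route_list, vpn_if):
    """Longest-prefix decision: a /32 or /128 exception route beats the 0.0.0.0/0 LAN space."""
    ip = ip_address(dest)
    best = None
    for net in map(ip_network, lan_address_space):
        if ip.version == net.version and ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, vpn_if)
    for d, plen, _gw, iface in exception_route_list:
        net = ip_network(f"{d}/{plen}")
        if ip.version == net.version and ip in net and (best is None or plen > best[0]):
            best = (plen, iface)
    return best is not None and best[1] == vpn_if


# Constructed configuration: full tunnel for IPv4 and IPv6, two DNS-based exceptions.
DNS_ADDRESS_SPACE = ["*.video.example", "cdn-*.example.net"]
LAN_ADDRESS_SPACE = ["0.0.0.0/0", "::/0"]


def demo():
    answers = {                                        # constructed DNS responses
        "stream.video.example.": ["198.51.100.7", "2001:db8::7"],
        "intranet.corp.example.": ["10.20.30.40"],
    }
    added = []
    for name, ips in answers.items():
        added += exception_routes(name, ips, DNS_ADDRESS_SPACE, "192.168.1.1", "eth0")
    return (added,
            goes_over_tunnel("198.51.100.7", LAN_ADDRESS_SPACE, added, "ppp0"),
            goes_over_tunnel("10.20.30.40", LAN_ADDRESS_SPACE, added, "ppp0"))


if __name__ == "__main__":
    print(demo())
```

One consequence worth keeping in mind: the exception is only as trustworthy as the DNS answer that produced it, because every address the resolver returns becomes a route that bypasses the tunnel until it is removed.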

Proxy handling options


The BIG-IP Edge Client modifies the system proxy configuration to ensure that VPN tunnel traffic uses the proxy
configuration in the network access configuration on BIG-IP APM, while other traffic uses the local proxy
configuration. To do so, the BIG-IP Edge Client merges users’ local proxy settings with the remote proxy settings
on BIG-IP APM.

Browsers and applications that support proxy settings

Table 3.5 Browsers and applications that support proxy settings

Operating system   Browsers and applications
Windows            Firefox browser and all applications that utilize the system proxy settings in Internet Options
Mac OS X           Safari, Chrome, Firefox, and applications that use the Mac system proxy configuration
Linux              Not supported

Note Most, but not all, Windows applications honor the proxy settings in Internet Options. Consult your
application vendor for details, if necessary.

Local proxy settings

Local proxy settings refers to the Internet Explorer (Internet Options) proxy configuration on Windows operating
systems and the system proxy configuration on Mac OS X. You can determine the current settings by using the
following commands.

•  On Windows:

netsh winhttp show proxy

Note that netsh winhttp reports the machine-wide WinHTTP proxy, which is configured separately from the
per-user Internet Options settings. The per-user values (ProxyEnable, ProxyServer, ProxyOverride, and
AutoConfigURL) are stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, so
check that key, or Internet Options > Connections > LAN settings, if the two appear to disagree.

•  On Macintosh:

networksetup -getwebproxy <network service name>

Detecting current settings

Windows

On Windows, the BIG-IP Edge Client determines the proxy server in one of the following ways, in this order of
precedence:

1. Automatic proxy detection using Web Proxy Auto-Discovery Protocol (WPAD)

2. Using a PAC file

3. Using a fixed proxy server, an exception list that indicates the destinations that should not go through the
proxy, and an option to bypass the proxy for destinations on a local network

Mac OS X

On Mac OS X, the BIG-IP Edge Client determines the proxy server in one of the following ways, in this order of
precedence:

1. Using a PAC file

2. Using a fixed proxy server and an exception list that indicates the destinations that should not go through
the proxy.

Merging and applying local and remote proxy configuration

After the BIG-IP Edge Client establishes the tunnel, it merges the remote and local proxy configuration.

The BIG-IP Edge Client reads the local proxy configuration and fetches the PAC file to be used (if any). When the
local proxy configuration uses Automatically Detect Proxy Settings, the BIG-IP Edge Client uses the cached PAC
file location that it discovered during the last auto-discovery. When Use Proxy Auto Configuration Script is
set, the BIG-IP Edge Client determines the location of the PAC file from this setting.

The BIG-IP Edge Client then uses the remote proxy configuration, fetching the remote PAC file (if any), to generate
a new PAC file that includes the contents of the local PAC file, the remote PAC file, and the split tunnel
configuration settings. The merged file applies the remote proxy settings to destinations routed over the tunnel
and the local proxy settings to destinations routed outside the tunnel.

The BIG-IP Edge Client creates a local HTTP server to host the merged PAC file. This server listens on the local
loopback address (127.0.0.0) and an available port between 4477 to 4487.

Lastly, the BIG-IP Edge Client changes the system configuration to use the PAC file from location 127.0.0.0:4477.
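The merge described above, as an added illustration that is not F5’s code: a merged PAC file that embeds renamed copies of the local and remote PAC functions and dispatches between them using the split tunnel settings. The configuration values, proxy names and the precedence order (hostname rules before address rules, exclusions before inclusions) are assumptions made for this example, and resolvedIp stands in for the browser-supplied dnsResolve().

```javascript
// Added example, not F5 code: a merged PAC file in the shape this section describes.
// A real PAC file exposes FindProxyForURL(url, host) and gets dnsResolve() from the
// browser; here the resolved address is passed in explicitly so the logic runs under node.

// Split-tunnel settings from the Network Access resource (constructed sample values).
const SPLIT_TUNNEL = {
  ipv4LanAddressSpace: ["10.0.0.0/8", "192.168.100.0/24"],  // routed over the tunnel
  ipv4ExcludeAddressSpace: ["10.99.0.0/16"],                // carved out of the tunnel
  dnsAddressSpace: ["*.corp.example", "intranet.example"],  // hostnames that use the tunnel
  dnsExcludeAddressSpace: ["public.corp.example"],          // hostname exceptions
};

// The client's local PAC, embedded under a new name (constructed sample).
function LocalFindProxyForURL(url, host) {
  if (host.endsWith(".local")) return "DIRECT";
  return "PROXY localproxy.home.example:3128; DIRECT";
}

// The remote PAC fetched from BIG-IP APM, embedded under a new name (constructed sample).
function RemoteFindProxyForURL(url, host) {
  return "PROXY proxy.corp.example:8080";
}

// Dotted-quad IPv4 string to an unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    return null;
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// True when ip falls inside the CIDR block, e.g. inCidr("10.5.6.7", "10.0.0.0/8").
function inCidr(ip, cidr) {
  const [network, bitsText] = cidr.split("/");
  const bits = Number(bitsText);
  const ipInt = ipToInt(ip);
  const netInt = ipToInt(network);
  if (ipInt === null || netInt === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((netInt & mask) >>> 0);
}

// Hostname pattern match: "*.corp.example" matches any subdomain of corp.example
// (not corp.example itself); any other pattern must match exactly.
function matchesPattern(host, pattern) {
  const h = host.toLowerCase();
  const p = pattern.toLowerCase();
  if (p.startsWith("*.")) {
    const suffix = p.slice(1);
    return h.length > suffix.length && h.endsWith(suffix);
  }
  return h === p;
}

// Decide whether a destination is routed over the tunnel. Exclusions win over
// inclusions, and hostname rules are evaluated before address rules (assumed order).
function isTunnelDestination(host, resolvedIp) {
  const cfg = SPLIT_TUNNEL;
  if (cfg.dnsExcludeAddressSpace.some((p) => matchesPattern(host, p))) return false;
  if (cfg.dnsAddressSpace.some((p) => matchesPattern(host, p))) return true;
  // A bare IPv4 literal in the URL needs no resolution.
  const ip = resolvedIp !== null ? resolvedIp : (ipToInt(host) !== null ? host : null);
  if (ip === null) return false;
  if (cfg.ipv4ExcludeAddressSpace.some((c) => inCidr(ip, c))) return false;
  return cfg.ipv4LanAddressSpace.some((c) => inCidr(ip, c));
}

// Entry point of the merged PAC: remote settings for tunnel destinations, local
// settings for everything else. resolvedIp stands in for the browser's dnsResolve(host).
function FindProxyForURL(url, host, resolvedIp = null) {
  return isTunnelDestination(host, resolvedIp)
    ? RemoteFindProxyForURL(url, host)
    : LocalFindProxyForURL(url, host);
}
```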

Proxy handling notes

•  In cases when the PC shuts down unexpectedly, the BIG-IP Edge Client attempts to restore the original
proxy settings when the system restarts.

•  On both Windows and Macintosh, while the VPN is in Connected mode, the BIG-IP Edge Client monitors the
system setting for the proxy URL location and reapplies the configuration when a change is detected. However,
the BIG-IP Edge Client does not monitor the contents of the Client Proxy Auto Configuration script.

IP address assignment

BIG-IP APM uses an automatic mechanism to assign IP addresses to VPN users. Available addresses are
selected from either the IPv4 or IPv6 lease pool, and returned to the pool after a user’s connection is terminated.

The administrator can optionally assign an IP address to a user by placing an IPv4 or IPv6 address in the user
session variable session.assigned.clientip. In either case, this address is negotiated in the PPP Network Control
Protocol (IPCP or IPv6CP) in order to set the Layer 3 (L3) IP address. For more information on this process, refer
to The VPN tunnel.

Configuration details

The BIG-IP APM Network Access resource contains settings that control the BIG-IP Edge Client. The following
table outlines all the BIG-IP Edge Client settings and parameters.

Table 3.6 All BIG-IP Edge Client settings and parameters

Setting or parameter | Effect on BIG-IP Edge Client | Operating system | Tunnel mode | Type
Lease Pool (IPv4 or IPv6) | Assigns internal IP addresses to remote BIG-IP Edge Clients, using configured leasepools. The leasepool IP is set during PPP negotiation. | Windows, Macintosh, Linux | Full Tunnel, Split Tunnel | Runtime
Compression | Compresses all traffic between the BIG-IP Edge Client and BIG-IP APM, using the gzip Deflate method. | Windows, Macintosh, Linux | Full Tunnel, Split Tunnel | Runtime
IPV4 LAN Address Space | Targets IPv4 traffic to the tunnel using a routing table manipulation. | Windows, Macintosh, Linux | Split Tunnel | Runtime
IPV6 LAN Address Space | Targets IPv6 traffic to the tunnel using a routing table manipulation. | Windows, Macintosh, Linux | Split Tunnel | Runtime
DNS Address Space | Domain names that target the tunnel-configured nameserver. Important when the Windows DNS Relay Proxy is installed, because it determines whether to send the DNS request to the local or tunnel nameserver. | Windows, Macintosh, Linux | Split Tunnel | Runtime
IPV4 Exclude Address Space | Targets IPv4 traffic away from the tunnel using a routing table manipulation. | Windows, Macintosh, Linux | Split Tunnel | Runtime
IPV6 Exclude Address Space | Targets IPv6 traffic away from the tunnel using a routing table manipulation. | Windows, Macintosh, Linux | Split Tunnel | Runtime
DNS Exclude Address Space | Provides DNS exclusions. | Windows, Macintosh, Linux | Split Tunnel | Runtime
Allow Local Subnet | Provides local and local subnet access to any host or subnet in routes that you specified in the client routing table. On Windows, the system does not support integrated IP filtering. On Macintosh and Linux, in Full Tunnel mode, routes to local subnets are preserved, and in Split Tunnel mode, regardless of this setting, routes are not deleted. | Windows, Macintosh, Linux | Full Tunnel, Split Tunnel | Runtime
Allow Local DNS Servers | Allows access to the locally configured DNS server using a routing table entry. BIG-IP Edge Client adds an explicit route to the DNS server. If these routes are deleted, they are then restored. | Windows, Macintosh, Linux | Full Tunnel, Split Tunnel | Runtime
Client Side Security > Prohibit routing table changes | Prohibits routing table changes during the VPN session by comparing the current routing table to a previous snapshot. Always enforced on Macintosh and Linux, regardless of the setting. | Windows | Full Tunnel, Split Tunnel | Runtime
Client Side Security > Integrated IP filtering engine | Enables a Windows kernel driver that ensures traffic is not leaking to the client PC’s LAN. | Windows | Full Tunnel, Split Tunnel | Runtime
Client Options > Client for Microsoft Networks | Allows the client PC to access remote resources over the VPN. Enabled by default, it allows users to access files and printers from the remote Microsoft network. | Windows | Full Tunnel, Split Tunnel | Runtime
Client Options > File and printer sharing for Microsoft Networks | Allows remote hosts to access shared resources on the client PC over the VPN so that users can share file-shares and printers with remote LAN users and other VPN users. | Windows | Full Tunnel, Split Tunnel | Runtime
Reconnect to domain > Synchronize with AD Policies on connection establishment | Emulates the Windows logon process for a client on an AD domain. The following network policies are synchronized when the connection is established, or at logoff, as specified in the user profile: logon scripts are started; drives are mapped; Group Policy logon scripts are started when the connection is established, and Group Policy logoff scripts are run when the VPN stops. | Windows | Full Tunnel, Split Tunnel | Runtime
DTLS | Uses DTLS, which runs over User Datagram Protocol (UDP) instead of TCP, to provide better throughput for high demand applications like VoIP or streaming video, especially over lossy connections. | Windows, Macintosh, Linux | Full Tunnel, Split Tunnel | Runtime

BIG-IP Edge Client proxy settings

Setting or parameter | Effect on BIG-IP Edge Client | Operating system | Tunnel mode | Type
Use Local Proxy Settings | Prevents changes to local proxy settings, using them as they are for the VPN. | Windows, Macintosh | Full Tunnel, Split Tunnel | Runtime
Client Proxy Uses HTTP for Proxy Autoconfig Script | Describes the protocol to use for locating the proxy PAC file. In the current version, this setting is ignored. | Windows, Macintosh | Full Tunnel, Split Tunnel | Runtime
Ignore Client Proxy Autoconfig Script Download Failure | When this setting is not enabled and the proxy PAC file can’t be downloaded, BIG-IP Edge Client fails to establish a VPN. When this setting is enabled and there are failures, it logs these errors in a log file and successfully establishes a VPN. | Windows, Macintosh | Full Tunnel, Split Tunnel | Runtime
Client Proxy Autoconfig Script | Provides the network location (URL) from which to download the proxy PAC file. | Windows, Macintosh | Full Tunnel, Split Tunnel | Runtime
Client Proxy Address | Uses this proxy address to connect to the Internet. | Windows, Macintosh | Full Tunnel, Split Tunnel | Runtime
Client Proxy Port | Uses this proxy port to connect to the Internet. | Windows, Macintosh | Full Tunnel, Split Tunnel | Runtime
Bypass Proxy For Local Addresses | Changes the system to bypass the proxy for local network subnets. | Windows, Macintosh | Full Tunnel, Split Tunnel | Runtime
Client Proxy Exclusion List | Identifies URLs that cannot be sent to the proxy server. | Windows, Macintosh | Full Tunnel, Split Tunnel | Runtime

DNS and name resolution options


The BIG-IP Edge Client uses DNS settings from a Network Access resource to manage and enforce DNS on the
local operating system. A VPN connection is only successful and useful if the PC can correctly resolve both short
and fully qualified hostnames, so the BIG-IP Edge Client has special functions to ensure that this resolution works
as seamlessly as possible.

DNS Relay Proxy


You install the DNS Relay Proxy service, an optional Windows component, for DNS management. The service
provides kernel integration with the Windows operating system to perform rule-based DNS resolution without the
use of the host file. This avoids conditions where an administrator permission-level is required to patch the host
file. In Full Tunnel mode, the service intercepts all DNS requests and forwards them to the DNS server(s)
configured in the Network Access resource (Primary / Secondary Name Server). In Split Tunnel mode, the DNS
Relay Proxy intercepts all DNS requests but only forwards those matching the DNS Address Space to the DNS
server(s) configured in the Network Access resource.

Enforce DNS search order

The BIG-IP Edge Client has an Enforce DNS search order option that causes the DNS settings to be applied in
different ways. A more detailed description of this behavior might be called “Tamper with the system DNS settings
in favor of Network Access requirements.” This means that the option causes the BIG-IP Edge Client to modify the
network settings to behave more like the user is connected locally to the company LAN. To accomplish this, the
BIG-IP Edge Client must modify not only the VPN adapter’s DNS, but also the LAN adapter’s DNS settings.

When Enforce DNS search order is enabled, it works as follows:

1. BIG-IP Edge Client pushes the DNS server supplied by BIG-IP APM to the real interface and puts it in first
place, with the highest priority.

2. DNS suffixes:

• Full Tunnel—The BIG-IP Edge Client applies all suffixes from DNS Default Domain Suffix to Search List, in
given order.

• Split Tunneling—All actions of Full Tunnel, plus applying suffixes from the real interfaces to the Search
List, at the end (lowest priority).

Operational notes

• For Windows, items 1 and 2 require High integrity level. When the BIG-IP Edge Client is running on Medium
or Low integrity level (typical case), it uses the F5 Elevation Helper, with its corresponding User Account
Control (UAC) prompt. It logs the integrity level in the logterminal.txt file upon startup.

• The BIG-IP Edge Client enforces items 1 and 2 in periodic checks. When someone changes the settings
(automatically by DHCP or manually), it reverts them back to the settings desired by BIG-IP APM.

• When DNS Relay Proxy service is running on the client machine, Elevation Helper is not used for performing
items 1 and 2.

• The BIG-IP Edge Client performs item 2 in the same way: registry modification by service.

• The BIG-IP Edge Client performs item 1 in a different way: it doesn’t modify the registry.

The BIG-IP Edge Client logs the integrity level when using Extended Logging mode. For more information about
Windows integrity levels, refer to the Microsoft article: Windows Integrity Mechanism Design.

Split Tunnel vs. Full Tunnel

For Full-Tunnel, the DNS Relay Proxy service sends client-DNS requests to DNS server(s) supplied by the BIG-IP
APM. However, due to the nature of Full Tunnel, all requests go to a DNS server specified by the VPN RAS
interface, even without the service. This may seem confusing, but in this scenario it prevents any possible DNS
request leaks. You can easily test this by using the following explicit DNS query against another server:

nslookup <desired-domain-name> <any-other-non-APM-supplied-DNS-server>

For Split-Tunneling, the DNS Relay Proxy service sends DNS requests that match the DNS Address Space list
supplied by BIG-IP APM (there is also a DNS Exclude Address Space exclusion list). When DNS Address Space is
empty, the DNS Relay Proxy service remains inactive.
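The Enforce DNS search order steps and the Full Tunnel versus Split Tunnel forwarding rules of the DNS Relay Proxy, modelled together in an added example that is not F5’s code. The Network Access values, the interface state and the function names are constructed for illustration.

```javascript
// Added example, not F5 code: models two behaviours from this section for Full vs Split
// Tunnel, (a) the settings Enforce DNS search order pushes onto the real interface and
// (b) where the DNS Relay Proxy forwards a query. All values are constructed.

const TUNNEL_FULL = "full";
const TUNNEL_SPLIT = "split";

// Constructed Network Access resource values.
const NETWORK_ACCESS = {
  primaryNameServer: "10.10.0.53",
  secondaryNameServer: "10.10.1.53",
  defaultDomainSuffixes: ["corp.example", "eng.corp.example"], // DNS Default Domain Suffix
  dnsAddressSpace: ["*.corp.example"],
  dnsExcludeAddressSpace: ["public.corp.example"],
};

// Item 1: the APM name servers move to first place on the real interface. Item 2: the
// suffix Search List is the Default Domain Suffix list in the given order, and in Split
// Tunnel the interface's own suffixes follow at the end (lowest priority).
function enforcedInterfaceDns(mode, na, lanInterface) {
  const apmServers = [na.primaryNameServer, na.secondaryNameServer].filter(Boolean);
  const servers = apmServers.concat(lanInterface.servers.filter((s) => !apmServers.includes(s)));
  let suffixes = na.defaultDomainSuffixes.slice();
  if (mode === TUNNEL_SPLIT) {
    suffixes = suffixes.concat(lanInterface.suffixes.filter((s) => !suffixes.includes(s)));
  }
  return { servers, suffixes };
}

// Periodic check: true when DHCP or a user has moved the interface settings away from
// what APM wants, in which case the client reverts them. lanInterface is the state
// recorded before the tunnel came up.
function needsRevert(currentInterfaceDns, mode, na, lanInterface) {
  const desired = enforcedInterfaceDns(mode, na, lanInterface);
  return JSON.stringify(currentInterfaceDns) !== JSON.stringify(desired);
}

// Suffix pattern match for the DNS Address Space lists: "*.corp.example" matches any
// subdomain of corp.example, anything else must match exactly (trailing dot ignored).
function matchesDnsPattern(name, pattern) {
  const n = name.toLowerCase().replace(/\.$/, "");
  const p = pattern.toLowerCase();
  if (p.startsWith("*.")) {
    const suffix = p.slice(1);
    return n.length > suffix.length && n.endsWith(suffix);
  }
  return n === p;
}

// DNS Relay Proxy forwarding decision. Full Tunnel: every query goes to the tunnel name
// servers. Split Tunnel: only names in DNS Address Space that are not in DNS Exclude
// Address Space; with an empty DNS Address Space the service stays inactive.
function relayTarget(mode, na, queryName) {
  if (mode === TUNNEL_FULL) return "tunnel";
  if (na.dnsAddressSpace.length === 0) return "local"; // service inactive
  if (na.dnsExcludeAddressSpace.some((p) => matchesDnsPattern(queryName, p))) return "local";
  return na.dnsAddressSpace.some((p) => matchesDnsPattern(queryName, p)) ? "tunnel" : "local";
}
```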

The following table shows a representation of the configuration process.

Table 3.7 Tunnel configuration process

Enforce DNS search order | Adapter            | Windows behavior                                              | Macintosh and Linux behavior
Enabled                  | Dial-Up interface  | Applies primary suffix to Search Order                        | Applies all suffixes to Search Order
Enabled                  | Other interface(s) | Applies all suffixes, order dependent on Full or Split Tunnel | Applies all suffixes, order dependent on Full or Split Tunnel
Disabled                 | Dial-Up interface  | Applies primary suffix                                        | Applies all suffixes to Search Order
Disabled                 | Other interface(s) | Unchanged                                                     | Unchanged

For more information, refer to Microsoft article: What is the Windows Integrity Mechanism?

Configuration enforcement options


An important part of the overall operation of the BIG-IP Edge Client is configuring the client PC’s network
parameters to be consistent with the desired network use policy and enforcing these configuration parameters.
This section describes such configuration enforcements on the client PC. The purpose of configuration
enforcement is to preserve the client’s configuration during the life of the VPN tunnel. The general enforcement
areas are:

• Routing

• DNS

• Proxy configuration

• Egress traffic and firewall

Routing

The client PC enforces a routing configuration to ensure that administrator-approved traffic is routed over the VPN.

DNS

The client PC monitors and maintains the DNS nameserver, search list, and order during the life of the VPN
session.

Windows

The client PC only enforces the DNS search order when the Network Access Enforce DNS search order setting
is enabled.

Macintosh and Linux

The client PC preserves the DNS settings (nameserver, search list, and order) during the life of the VPN session,
regardless of the Network Access settings. When a change is detected, the original settings are restored.

Optimization

Application-optimized tunnels are outside the scope of an L3 Network Access tunnel, and use an L4 F5® iSession®
tunnel.

DNS and hosts

Table 3.8 DNS and host settings

Setting or parameter | Description | Operating system | Tunnel mode | Type
IPV4 Primary Name Server | IPv4 primary name server. | Windows, Macintosh, Linux | Full Tunnel, Split Tunnel | Runtime
IPV4 Secondary Name Server | Secondary name server. | Windows, Macintosh, Linux | Full Tunnel, Split Tunnel | Runtime
Primary WINS Server | Sets the Windows Internet Name Service (WINS) server. | Windows | Full Tunnel, Split Tunnel | Runtime
Secondary WINS Server | Sets the WINS server. | Windows | Full Tunnel, Split Tunnel | Runtime
DNS Default Domain Suffix | Corporate DNS suffix list. The BIG-IP Edge Client patches the system DNS suffix settings with this list. | Windows, Macintosh | Full Tunnel, Split Tunnel | Runtime
Register this connection’s addresses in DNS | Sends client DNS and leasepool IP information to the tunnel DNS server to register the hostname and leasepool IP on the tunnel DNS server. | Windows | Full Tunnel, Split Tunnel | Runtime
Enforce DNS search order | Enforces DNS search order during the lifetime of the BIG-IP APM session. | Windows | Full Tunnel, Split Tunnel | Runtime
Static hosts | These entries are set in /etc/hosts, and DNS subsystems like Windows DNS Relay Proxy and Macintosh mDNSResponder respect these changes. | Windows, Macintosh, Linux | Full Tunnel, Split Tunnel | Runtime

Deployment Options
You can use several methods to deploy the BIG-IP Edge Client, including both managed and unmanaged
deployments on Windows, Macintosh and Linux platforms.

The BIG-IP Edge Client uses many configuration settings, including install-time and run-time settings. You can
also change install-time settings after deployment.

The components the BIG-IP Edge Client uses during installation, and the location of files used for settings,
customization information, cookies, trusted sites, and log files vary, depending on your platform.

Managed and unmanaged installations


You can deploy the BIG-IP Edge Client on managed and unmanaged desktops. A managed solution, which is
third-party software such as Microsoft System Center Configuration Manager (SCCM), Apple macOS Server
Profile Manager, and Jamf, pushes applications to client machines. Managed solutions enable you to package the
BIG-IP Edge Client and deploy it to multiple users, providing a streamlined and automated way to send it to
desktops that can then install it.

Unmanaged solutions require more work for users.

Managed Installations

Windows

In managed installations, F5® BIG-IP® Access Policy Manager® (APM) administrators download the BIG-IP
executable file and extract the Windows Installer package file (.msi) from it. Windows-based systems provide
various switches for using the msiexec.exe file to install the BIG-IP Edge Client on Windows-based machines.
You can then use the msiexec command and third-party tools to deploy it.

For more information on extracting the .msi file from the BIG-IP Edge Client, refer to AskF5 article K13710:
Installing the BIG-IP Edge Client from the Windows command line.

Macintosh

The installation file for the Macintosh platform is a .zip file that can be used by third-party tools, such as Jamf or
Apple Server Profile Manager. For more information, refer to documentation for the third-party tool.

Unmanaged installations

Downloading

In unmanaged installations, administrators make the BIG-IP Edge Client available for users to install themselves
from BIG-IP APM using an external file store, email, or web link.

For information on downloading the BIG-IP Edge Client, refer to BIG-IP Edge Client for Windows, BIG-IP Edge
Client for Mac, or BIG-IP Edge Client for Linux in BIG-IP Access Policy Manager: Edge Client and
Application Configuration for your system version.

Note For information about how to locate F5 product guides, refer to the Ask F5 article K12453464: Finding
product documentation on AskF5.

Sharing

Before sharing the installation, administrators first check for a BIG-IP Edge Client file using an operating system
(OS) and file check, or a Client Type check in the BIG-IP APM visual policy editor.

For more information on performing an OS Check, Client Type check, and an OS-specific file check, refer to
Access Policy Item Reference in BIG-IP Access Policy Manager: Visual Policy Editor for your system version.
For information on VPN-related files and their locations, see Components.

Tip If the BIG-IP Edge Client is not present, the policy may redirect the user agent to an external file server
where it can be downloaded, or to a webtop that has a link to the hosted BIG-IP Edge Client for the specific
OS.

For more information, refer to Hosting a BIG-IP Edge Client Download with Access Policy Manager in BIG-IP
Access Policy Manager: Hosted Content Implementations for your system version. For more information about
using a web link, refer to Creating a webtop link for the client installer in BIG-IP Access Policy Manager:
Implementations for your system version.

Security Considerations

Windows

When you deploy the BIG-IP Edge Client to Windows-based systems, a certain permission-level is required for the
components to install. F5 recommends that you use the Component Installer service to assist with UAC prompting
when installing or upgrading components. This service streamlines the installation of all necessary network
access connection components.

For information about the permission-level required for installing the Component Installer service and the other
components you need to run Network Access, see BIG-IP Edge Client for Windows for your system version.

Nevertheless, there are scenarios in which a package is deployed without this service. In these cases, the user
may need a particular permission-level on the system in order for the Network Access connection to work
properly. For more information, see the following table:

Table 4.1 Required permission-level to install BIG-IP Edge Client components

For information about the controls listed, refer to the corresponding section in AskF5 article K14045: The BIG-IP
Edge Client components for Windows.

Service name | Control | Minimum install-time permission-level
Base Control | InstallerControl | User
Base Control | SuperHost | User
Base Control | Host | User
Base Control | InspectionHost | User
Network Access | VPN | Admin
Network Access | SuperHost | User
Network Access | Host | User
Network Access | InstallerControl | User
Network Access | TunnelServer | User
Application Tunnels | Protected Workspace (PWS) | User
Application Tunnels | SuperHost | User
Application Tunnels | Host | User
Application Tunnels | InstallerControl | User
Endpoint Security | Protected Workspace (PWS) | User
Endpoint Security | Win32 Inspector | User
Endpoint Security | OPSWAT Integration Libraries | User
Endpoint Security | Machine Certificate Checker | User
Endpoint Security | Cache Cleaner | User
Endpoint Security | InspectionHost | User
Endpoint Security | Windows Group Policy | Obsolete
Windows Logon Integration (Note: this only comes with the MSI) | Custom Dialer | Admin
Windows Logon Integration | VPN | Admin
Services | Component installer | Admin
Services | BIG-IP Edge Client for Windows | Admin
Services | BIG-IP Edge Client COM API | Admin
Services | DNS Relay Proxy | Admin
Services | Traffic Control | Admin

Macintosh

Some of the features available on Windows systems are not available on Macintosh systems. For example, the
DNS Relay Proxy and Component Installer Services are not available.

As a result, you need fewer controls when deploying the BIG-IP Edge Client on a Macintosh computer. However,
there are still OS-level restrictions. For more information on the restrictions for installing and updating Network
Access on Macintosh, refer to BIG-IP Edge Client for Mac in BIG-IP Access Policy Manager: Edge Client and
Application Configuration for your system version.

Linux

For information about deploying the BIG-IP Edge Client on Linux systems, refer to BIG-IP Edge Client for Linux
in BIG-IP Access Policy Manager: Edge Client and Application Configuration for your system version.

Signing

In general, all components are signed by F5 Networks.

Windows

BIG-IP Edge Client components extensively check the certificates of subcomponents; therefore, the modification
or alteration of any components or signatures may break functionality. When this happens, the BIG-IP Edge Client
or web components continue trying to re-download components from the server. For more information, refer to
BIG-IP Edge Client for Windows in BIG-IP Access Policy Manager: Edge Client and Application
Configuration for your system version.

Macintosh

F5 does not recommend changing or modifying any file or component within the BIG-IP Edge Client as this may
break the integrity of the system and cause problems.

Linux

BIG-IP Edge Client components are not signed.

Security software whitelisting and antivirus software

When you deploy the BIG-IP Edge Client, make sure you consider the various processes and files that are
installed. Some of these may stop users’ anti-virus protection from working, or may cause corporate security
software to mark BIG-IP Edge Client components, services, or files as a threat, preventing their use.

If this happens, open a support ticket with the offending third-party software company. As the security software
administrator, you or the end-user should be able to “whitelist” the F5 Virtual Private Network (VPN) folder location
so that operations can continue normally. Contact the software company for more information on whitelisting.

Also consider antivirus (AV) software when deploying the BIG-IP Edge Client or network access using a browser.
Windows, Macintosh, and Linux all support AV checking.

In BIG-IP 12.1.1, the list of supported software can be found by logging in to the administrative user interface and
navigating to System > Software Management > Antivirus Check Updates > Device EPSEC Status, where
there is a link to the version of the OPSWAT Endpoint Security Integration SDK (OESIS) that is installed. Click the
link to see the list of supported AV software. Use the drop-down menu at the top of the page to select your
operating system.

Frequently Asked Questions


What browsers are supported for endpoint inspection?
The F5® BIG-IP® Edge Client® opens an Internet Explorer, Safari, or equivalent browser control object, which then
opens the Inspection Host Plug-in to perform endpoint inspection checks. The checking operation is very similar
to that performed by the BIG-IP Edge Client.

F5® BIG-IP® Access Policy Manager® (APM) 13.0 and later also have a browser-activated checking mechanism that
works in most web browsers. However, F5 supports only Chrome, Firefox, Safari, Internet Explorer, and Microsoft
Edge browsers.

What app must be installed in order for endpoint inspection to work?


The BIG-IP Edge Client package provides required Endpoint Inspector components. You can preinstall the
package on client PCs. For more information, refer to Deployment Options.

What permission-level is required to run endpoint checks?


Table 5.1 Permission-level required to run endpoint checks

Endpoint check | Windows | Macintosh | Linux
Antispyware | User | User | User
Antivirus | User | User | User
Firewall | User | User | User
Hard disk encryption | Local administrator | Standard | Not applicable
Linux file | Not applicable | Standard | User
Linux process | Not applicable | Standard | User
Macintosh file | Not applicable | Standard | User
Macintosh process | Not applicable | Standard | Not applicable
Machine Cert Auth | User | Standard | Not applicable
Machine info | User | Standard | User
Patch management | User | Administrator | Not applicable
Peer-to-peer | User | Standard | User
Windows cache and session control | User | Not applicable | Not applicable
Windows file | User | Not applicable | Not applicable
Windows Health Agent | User | Not applicable | Not applicable
Windows info | User | Not applicable | Not applicable
Windows process | User | Not applicable | Not applicable
Windows Protected Workspace | User | Not applicable | Not applicable
Windows Registry | User | Not applicable | Not applicable

Can any site perform endpoint inspection on client PCs?


No, it is not possible for malicious sites to perform checks on client PCs. The client PC maintains an allowed list of
sites. In Internet Explorer, sites listed in the Trusted Sites zone are allowed for inspection. Other sites can be
allowed manually by the user.

Linux and Macintosh components maintain their own trusted sites list.

Endpoint Inspection
F5® BIG-IP® Access Policy Manager® (APM) offers a wide variety of endpoint inspection options for inspecting
client PC configuration and current operating environment. There are three main categories of inspectors:

• HTTP—Items related solely to the client’s initial HTTP request. No helper applications are required.

• F5 inspectors—Items that require a special F5 application or the F5® BIG-IP® Edge Client®.

• OPSWAT—Items that require both a special application and OPSWAT integration.

HTTP
All client types begin their connection to the BIG-IP APM server with an HTTP request over a secure Transport
Layer Security (TLS) or SSL connection. BIG-IP APM parses the client request into several session variables that
are used as logic for executing the access policy.

F5 inspectors
F5 inspection components perform system checks and communicate results to BIG-IP APM using HTTP requests
over a secure TLS or SSL connection.

Windows, Macintosh and Linux files

There are three client-side endpoint check agents that look for the presence of one or more files on their
respective operating systems: Windows, Macintosh, or Linux. Each agent can inspect for the presence of a given
file, as specified by a full path name. In addition, it can inspect the file’s MD5 hash value, size in bytes, and the last
modified date.

The Windows agent can also inspect the file signer certificate and file version. When the file is missing or any of
the optionally specified parameters do not match, the check fails.

The file check agents rely on a helper application installed on the client. After the file check agent runs, it sets a
session variable, session.windows_check_file.last.result, with a value that corresponds to the binary result of the
file check, along with the following per-item variables.

Windows variables:

• windows_check_file.last.item_#1.exist

• windows_check_file.last.item_#1.filename

• windows_check_file.last.item_#1.name

• windows_check_file.last.item_#1.size

• windows_check_file.last.item_#1.md5

• windows_check_file.last.item_#1.version

• windows_check_file.last.item_#1.signer

• windows_check_file.last.item_#1.modified

Macintosh and Linux variables:

•  linux_check_file.last.item_<#>.exist

•  linux_check_file.last.item_<#>.filename

•  linux_check_file.last.item_<#>.name

•  linux_check_file.last.item_<#>.size

•  linux_check_file.last.item_<#>.md5

•  linux_check_file.last.item_<#>.modified

Windows, Macintosh and Linux processes

There are three client-side endpoint check agents that look for the presence of one or more processes on their
respective operating systems: Windows, Macintosh, or Linux. Using the configurable logical expressions provided
in BIG-IP APM, it’s possible to specify any combination of processes that are running or not running. When an
expression evaluates to false, the check fails.

The process check agents rely on a helper application installed on the client. After the process check agent runs,
it sets a session variable, session.windows_check_process.last.result, with a value that corresponds to the binary
result of the process check.

Machine Info check

The Machine Info check obtains information about the client PC. The following table lists the session variable the
application uses, the information the check obtains, and whether the check runs on each operating system.

Table 6.1 Machine Info check variables

Session variable | Information obtained | Windows | Macintosh | Linux
session.machine_info.last.bios.manufacturer | BIOS manufacturer | Yes | No | No
session.machine_info.last.bios.sn | BIOS serial number | Yes | No | No
session.machine_info.last.bios.version | BIOS version | Yes | No | No
session.machine_info.last.cpu.description | CPU description | Yes | No | No
session.machine_info.last.cpu.max_clock | CPU clock speed | Yes | No | No
session.machine_info.last.cpu.name | CPU type | Yes | No | No
session.machine_info.last.cpu.vendor | CPU vendor | Yes | No | No
session.machine_info.last.error | Result of the last check | Yes | Yes | Yes
session.machine_info.last.hdd.count | Number of hard disk devices | Yes | No | No
session.machine_info.last.hdd.list.[x].model | Model of hard disk device x | Yes | No | No
session.machine_info.last.hdd.list.[x].sn | Serial number of hard disk device x | Yes | No | No
session.machine_info.last.motherboard.manufacturer | Motherboard vendor | Yes | No | No
session.machine_info.last.motherboard.product | Motherboard model | Yes | No | No
session.machine_info.last.motherboard.sn | Motherboard serial number | Yes | No | No
session.machine_info.last.net_adapter.count | Number of network adapters | Yes | Yes | Yes
session.machine_info.last.net_adapter.list.[x].mac_address | MAC address of network adapter x | Yes | Yes | Yes
session.machine_info.last.net_adapter.list.[x].name | Name of network adapter x | Yes | Yes | Yes

Windows Cache and Session Control agent

The Windows Cache and Session Control agent uses a helper application to provide cleanup actions at session
termination, including the following actions:

• Clean temporary internet files and cookies

• Clean form and password autocomplete data

• Empty Recycle Bin

• Empty the Temporary folder

• Remove dial-up entries used by the Network Access client

The agent can also:

• Force session termination if the browser or webtop is closed

• Terminate a session due to user inactivity

• Lock a workstation due to user inactivity

This agent is primarily designed to work with Internet Explorer (IE), and most of the previously listed actions do not
work with other browsers.

Note As of January 12, 2016, only the most current version of Internet Explorer available for a supported
operating system receives technical support and security updates. Internet Explorer 11 is the last version
of Internet Explorer, and continues to receive security updates, compatibility fixes, and technical support on
Windows 7, Windows 8.1, and Windows 10.

Windows Info check

The Windows Info check uses a helper application to query the Windows operating system for information about
the version, updates for Windows and IE, and current users. This information is written to the following session
variables:

Table 6.2 Windows Info check variables

Session variable |(Information obtained
session.windows_info_os.last.computer | Network computer name
session.windows_info_os.last.ie_updates | IE updates installed
session.windows_info_os.last.ie_version | Version of browser or browser control
session.windows_info_os.last.platform | Windows OS version
session.windows_info_os.last.updates | Pipe-delimited list of Microsoft hotfixes
session.windows_info_os.last.user | Current logged-on user

The Windows Info agent also uses the operating system version (platform) and update information to create a
number of branches for various Windows versions, from Windows XP to Windows 10, depending on the BIG-IP
version.

Windows Registry check

The Windows Registry check uses a helper application to inspect registry values, either to determine the registry
value exists or to compare it against a predetermined value. Using the configurable logical expressions provided in
BIG-IP APM, it’s possible to inspect a combination of registry entries.

Beginning in BIG-IP 12.1, it’s possible to fetch the data stored in a registry entry into a session variable. BIG-IP
APM sets a session variable, session.windows_check_registry.last.data.variable_name, with a value that
corresponds to the result from the GET operator specified for variable_name.

The registry check agent is part of the F5 inspection package and relies on a helper application installed on the
client. After the registry check agent runs, it sets a session variable, session.windows_check_registry.last.result,
with a value that corresponds to the binary result of the registry check.

Machine certificate authentication

Many sites use certificate authentication or mutual SSL authentication, either with a client certificate installed on
the client PC or with some type of smart card. In the simplest form, this consists of the client machine transmitting
a certificate in the SSL handshake and cryptographically proving that it can access the private key that matches
the certificate.

In contrast, machine certificates (or local computer certificates) consist of both a certificate and private key stored
in the local machine store. These are commonly used in Windows and Macintosh environments that must prove
the identity of a particular machine. Windows stores the certificate in a secure area that is only accessible by local
administrators of the client machine. The certificate is then inspected by F5 code that runs on client machines.
Though they are both a bundle of certificate and key, the storage location and permission-level required to access
them are different.

This machine certificate approach offers more flexibility and security, at the cost of having to install the F5 client
inspection app or the BIG-IP Edge Client.

On the Macintosh system, the certificate and key can be stored in the user or system domain. Only the administrator
has access to the system domain certificates, and the administrator needs to set the proper keychain access control
list (ACL) for them.

How it works

1. BIG-IP APM sends a certificate authentication request to the client containing certificate selection criteria
and nonce (random data).

2. The client opens the certificate store and finds the specified certificate based on the provided criteria.

3. The client finds the certificate’s private key and validates it against the certificate.

Note On Windows, the BIG-IP Edge Client may use a special elevated helper application (F5 Elevation
Helper) to access the private key, because the private key is only available to administrators. Typically,
using the helper application would activate a UAC prompt requiring administrator credentials; however,
the BIG-IP Edge Client uses its Machine Certificate service to enable users without the administrator
permission-level to access private keys without those credentials.

4. The client signs the nonce using cryptographic functions and sends it to the BIG-IP APM for analysis.

5. BIG-IP APM must validate the certificate against the configured CA profile.

6. BIG-IP APM validates the signed nonce using the public part of the certificate.

Session variables

• Input: None

• Output: The Machine Certificate check produces many session variables which contain parsed certificate fields
(if enabled), certificate status, and signature status. One of the most important variables is
session.check_machinecert.last.result, which provides the overall status of the check.

• 0 = Failed

• 1 = Passed

• 2 = Certificate found, key not found (or signed nonce is not valid)
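The six steps above, carried through end to end as an added illustration (Go, not F5 code): a constructed CA and machine certificate stand in for the CA profile and the machine store, selection by issuer common name is an assumed criterion, P-256/ECDSA is an assumed algorithm, and the result codes mirror session.check_machinecert.last.result. The detail worth noting is the order on the server side: the certificate is chained to the CA profile before the signed nonce is even examined.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Result codes of session.check_machinecert.last.result as listed above: 0 failed,
// 1 passed, 2 certificate found but key not found (or signed nonce not valid).
const ResultFailed, ResultPassed, ResultKeyNotFound = 0, 1, 2

// must is a fixture helper: panic on any setup error so the demonstration stays short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// clientRespond models steps 2-4: the machine store's certificate is used only if it matches
// the selection criterion (issuer CN, an assumed criterion) and the nonce is then signed
// with its private key; key is nil when the client cannot access the key.
func clientRespond(issuerCN string, nonce []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) (certDER, sig []byte) {
	if cert.Issuer.CommonName != issuerCN {
		return nil, nil
	}
	if key != nil {
		digest := sha256.Sum256(nonce)
		sig = must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
	}
	return cert.Raw, sig
}

// serverVerify models steps 5-6: chain the certificate to the configured CA first, and
// only then verify the signature over the nonce with the certificate's public key.
func serverVerify(nonce, certDER, sig []byte, roots *x509.CertPool) int {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return ResultFailed // no certificate was returned
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return ResultFailed // issued by a CA outside the CA profile
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return ResultKeyNotFound // empty or wrong signature: key not found or nonce invalid
	}
	return ResultPassed
}

// newCert builds a throwaway P-256 certificate (a constructed fixture, not an F5 or customer
// CA): a self-signed CA when parent is nil, otherwise a machine certificate signed by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	} else {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// runScenario performs one full exchange against a CA profile that holds the issuing CA.
// keyAccessible=false models a client that sees the certificate but cannot open its key.
func runScenario(keyAccessible bool) int {
	ca, caKey := newCert("Example Machine CA", nil, nil)
	leaf, leafKey := newCert("WORKSTATION-01", ca, caKey)
	if !keyAccessible {
		leafKey = nil
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	nonce := make([]byte, 32) // step 1: the server draws a fresh nonce, never reused
	must(rand.Read(nonce))
	certDER, sig := clientRespond(ca.Subject.CommonName, nonce, leaf, leafKey)
	return serverVerify(nonce, certDER, sig, roots)
}

func main() {
	fmt.Println("key accessible:", runScenario(true), "key not accessible:", runScenario(false))
}
```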

OPSWAT
The BIG-IP Edge Client includes third-party inspection libraries from OPSWAT. These are used as the basis for
several F5 endpoint posture checks, including the following checks:

• Anti-Spyware

• Antivirus

• Firewall

• Hard Disk Encryption

• Patch Management

• Peer-to-peer

• Windows Health Agent

How OPSWAT checks work

The endpoint security application receives details of the desired security check from BIG-IP APM.

1. The endpoint security application launches the policy server helper application.

2. The policy server helper application invokes the OESIS inspection library. In this call, the policy server
application instructs OESIS to get all of the installed software previously listed (such as antispyware and
antivirus).

3. The inspection library returns results as a list of installed security software to the policy server application.

4. The policy server application matches the configuration with the BIG-IP APM policy to ensure the software
complies properly.

5. The policy server application creates a report, which is returned to the endpoint security application.

6. The endpoint security application encapsulates the response from the policy server activation and sends
HTTP POST requests containing the data to the BIG-IP APM server to report compliance status.

7. The BIG-IP APM server populates the session variables based on the results of the check.

Updates

The auto-update process updates the OPSWAT library in the same way that it updates other client components.
For more information on the update process, refer to Client auto-update.

Server-side vs. client-side checks

Client-side endpoint checks require a helper application that runs on client machines. Server-side endpoint checks
do not require an application to run on the client machine, because they run on BIG-IP and rely on information that
is collected and stored in session variables when the client first connects to BIG-IP.

BIG-IP supports multiple versions of client operating systems (Windows, Macintosh, and Linux); the client
operating system versions your BIG-IP system supports are dependent on your version of BIG-IP. For more
information, refer to BIG-IP APM Client Compatibility Matrix for your system version.

Note For information about how to locate F5 product guides, refer to the Ask F5 article: K12453464: Finding
product documentation on AskF5.

The server-side endpoint checks and the session variables used by each agent are in the following table. These
agents have an empty Property tab in the visual policy editor and do not perform any action based on session
variable values, other than branching.

Table 6.3 Server-side check variables

Policy item in visual policy editor | Session variable
Client for MS Exchange | session.user.microsoft-exchange-client
Client OS | session.client.platform, session.client.cpu
Client Type | session.client.type, session.client.app_id, session.ui.mode
Client-Side Capability | session.client.js, session.client.activex, session.client.plugin
Date Time | session.user.starttime
IP Geolocation Match | session.user.ipgeolocation.country_code, session.user.ipgeolocation.country_name, session.user.ipgeolocation.continent, session.user.ipgeolocation.state
IP Reputation | session.user.ip_reputation
IP Subnet Match | session.user.clientip
Jailbroken or Rooted Device Detection | session.client.jailbreak
Landing URI | session.server.landinguri
License | tmm.license.global_access, tmm.license.global_access#, tmm.license.global_connectivity, tmm.license.global_connectivity#, tmm.license.global_urlf, tmm.license.global_urlf#, tmm.profilelicense.<session.access.profile>, tmm.profilelicense.<session.access.profile>#

The first four agents in the table rely on session variables derived from the browser user agent string, which itself
is a session variable: session.user.agent.

The Date Time agent is based on the BIG-IP system clock, and the next three agents are based on the client IP
address (and an optional IP reputation database for one of them).

The Jailbroken agent is based on proprietary information gleaned by the BIG-IP.

The Landing URI agent is based on the URI of the initial connection to BIG-IP, and the License agent is based on a
combination of total licenses (in-use and unused) and licenses in-use for four separate categories.

There are two remaining server-side endpoint checks that are used for Mobile Device Manager (MDM) solutions.
Both have a Property tab used to specify the endpoint management system. The first one, listed in the following
table, is used to enable notification and does not use session variables or branches. The second does use session
variables and branches.

Table 6.4 Mobile Device Manager server-side check variables

Policy item in visual policy editor | Session variable
Managed Endpoint Notification | None
Managed Endpoint Status | session.managed_device_status.last.result, session.mdm.device.enrolled, session.mdm.device.compliant

Recurring checks

BIG-IP APM can perform some endpoint checks continuously during the session lifetime. These recurring checks
are performed every 90 seconds on Windows and every 5 seconds on the Macintosh and Linux systems.

The output of a recurrent check is different from a regular check. When a regular check is performed, the browser
control sends all requested data to the server. The recurring check only compares the cached result from the initial
non-recurring check against the current value. If the current value for any check differs from the cached value, the
policy server issues a direct HTTP request to BIG-IP APM, which causes session termination.

When the recurring check succeeds, the policy server sends heartbeats (“I am alive” signals) to the BIG-IP APM,
indicating that the client is still compliant with the policy specified on the server. In short, the policy server simply
informs BIG-IP APM with a Boolean flag: yes or no.

When the BIG-IP APM does not receive heartbeats for five minutes, it terminates the session.

BIG-IP APM can have multiple recurring checks. The following are the supported, recurring checks:

• File and Process checks (Windows, Macintosh, and Linux)

• Registry check (Windows only)

• OPSWAT checks (Windows, Macintosh, and Linux)
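The heartbeat and termination behavior described above, modeled with a fake clock as an added illustration (Go, not F5 code): the client-side policy server compares each recurring check against its cached baseline and reports only a Boolean, and the APM side terminates the session on a mismatch or after five minutes without a heartbeat. The check names and values in the sample state are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// Recurring-check interval per client platform and the server-side silence limit, as
// stated above.
var recurringInterval = map[string]time.Duration{
	"Windows":   90 * time.Second,
	"Macintosh": 5 * time.Second,
	"Linux":     5 * time.Second,
}

const heartbeatTimeout = 5 * time.Minute

// Session holds the APM-side state for one access session.
type Session struct {
	LastHeartbeat time.Time
	Terminated    bool
	Reason        string
}

// policyServer models the client-side helper: it keeps the results of the initial,
// non-recurring checks and afterwards only reports whether they still hold.
type policyServer struct {
	baseline map[string]string
}

// recheck compares the current check values against the cached baseline. It returns true
// (still compliant: send a heartbeat) or false (a value changed: request termination).
func (p policyServer) recheck(current map[string]string) bool {
	for name, cached := range p.baseline {
		if current[name] != cached {
			return false
		}
	}
	return true
}

// heartbeat records an "I am alive" signal from the policy server.
func (s *Session) heartbeat(now time.Time) { s.LastHeartbeat = now }

// terminate ends the session; the policy server's direct HTTP request lands here.
func (s *Session) terminate(reason string) {
	if !s.Terminated {
		s.Terminated, s.Reason = true, reason
	}
}

// sweep is the APM-side timer: a session silent for five minutes is terminated.
func (s *Session) sweep(now time.Time) {
	if now.Sub(s.LastHeartbeat) >= heartbeatTimeout {
		s.terminate("no heartbeat for 5 minutes")
	}
}

// simulate drives one session with a fake clock. snapshots[i] is the client's check state
// at tick i (one tick per platform interval); a nil snapshot means nothing was reported,
// e.g. the client lost connectivity. It returns the termination reason, "" if still alive.
func simulate(platform string, baseline map[string]string, snapshots []map[string]string) string {
	interval, ok := recurringInterval[platform]
	if !ok {
		return "unsupported platform"
	}
	start := time.Date(2016, 1, 12, 9, 0, 0, 0, time.UTC) // constructed start time
	sess := &Session{LastHeartbeat: start}
	ps := policyServer{baseline: baseline}
	for i, snap := range snapshots {
		now := start.Add(time.Duration(i+1) * interval)
		switch {
		case snap == nil:
			// nothing reaches APM this tick
		case ps.recheck(snap):
			sess.heartbeat(now)
		default:
			sess.terminate("recurring check changed")
		}
		sess.sweep(now)
		if sess.Terminated {
			return sess.Reason
		}
	}
	return ""
}

func main() {
	base := map[string]string{"windows_check_process.last.result": "1"} // constructed state
	fmt.Printf("compliant: %q\n", simulate("Windows", base, []map[string]string{base, base}))
	fmt.Printf("changed: %q\n", simulate("Windows", base, []map[string]string{base, {"windows_check_process.last.result": "0"}}))
	fmt.Printf("silent: %q\n", simulate("Linux", base, make([]map[string]string, 60))) // 60 x 5 s = 5 min
}
```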

Permissions

Most actions require only a standard, or user, permission-level after BIG-IP APM is installed. The exceptions are in
the following table.

Table 6.5 Checks that require a permission-level other than user

Check | Windows | Macintosh | Linux
Anti-Spyware | User* | Standard | User
Antivirus | User* | Standard | User
Firewall | User* | Standard | User
Hard Disk Encryption | Local Admin | Standard | Not applicable
Linux File | Not applicable | User | User
Linux Process | Not applicable | User | User
Mac File | Not applicable | Standard | Not applicable
Mac Process | Not applicable | Standard | Not applicable
Machine Cert Auth | User† | Standard | Not applicable
Machine Info | User | Standard | User
Patch Management | User* | Administrator‡ | Not applicable
Peer-to-peer | User* | Standard | User
Windows cache and session control | User | Not applicable | Not applicable
Windows File | User | Not applicable | Not applicable
Windows Health Agent | User | Not applicable | Not applicable
Windows Info | User | Not applicable | Not applicable
Windows Process | User | Not applicable | Not applicable
Windows Protected Workspace | User | Not applicable | Not applicable
Windows Registry | User | Not applicable | Not applicable

* May require the administrator permission-level, because some security software prohibits those with the user
permission-level from inspecting some properties.

† Those with the user permission-level have access to certificates but not private keys; they must use F5 helper
applications to access private keys. For more information, refer to Machine certificate authentication.

‡ Should require only the user permission-level but currently requires the administrator permission-level
(tracked by F5 ID 465755).

Troubleshooting
If your issue is not included in this chapter, you should consider other F5 techniques covered in the Optimizing the
Support Experience chapter in this guide. If there are configurations or issues you would like to see covered in
future versions of this guide, send your detailed request to [email protected].

Common installation errors


Each of the following errors has been a pain point for our customers and deserves mention in this document to
highlight some common “Gotcha” items.

• Installing the F5® BIG-IP® Edge Client® without administrator permission-level

• Missing components

• Improper uninstallation

• Third-party program conflicts

Installing the BIG-IP Edge Client without administrator permission-level

You must have the administrator permission-level to install the BIG-IP Edge Client, because it uses Windows
services that require you to be an administrator. If the BIG-IP Edge Client does not have administrator permission-
level, it cannot write logs to disk, access the NDISWAN interface for delivery to the network stack, nor perform
other functions required to connect.

When you need to recover from a bad installation, use the Client Troubleshooting Utility (CTU) to remove the
BIG-IP Edge Client, and then reinstall it with the appropriate permission-level.

Missing components

The BIG-IP Edge Client uses several components that support and enhance the performance of the application.

• The Windows Component Installer service enhances the functionality of the BIG-IP Edge Client. When the
service is missing, errors with Windows operating system permissions can cause some functions to fail.

• The DNS Relay Proxy service facilitates the quick handling of DNS requests, and makes DNS handling
decisions for both the tunnel and the client’s local DNS. When this component is missing, VPN or AppTunnel
services may not work correctly, or DNS requests may be delayed, causing slow response to DNS requests.

Improper removal of the BIG-IP Edge Client

When you are attempting to uninstall the BIG-IP Edge Client, there are components and files that may continue to
operate while you are trying to shut down. To prevent this error, use the CTU to remove the BIG-IP Edge Client.

Third-party program conflicts

The BIG-IP Edge Client can encounter conflicts with other third-party programs. For more information, refer to
Potential conflicts with third-party applications.

Commonly reported problems


This section describes a general approach to diagnosing common complaints about the BIG-IP Edge Client
received by F5 Support.

DNS doesn’t work

DNS resolution enables users to resolve names and access internal resources. Hostnames can be resolved using
a long, fully-qualified domain name (FQDN) or using the short form: hostname only. Name resolution occurs
differently on different operating systems and with different connection settings.

Start troubleshooting by taking the following actions:

• Try pinging the target DNS server by IP address to verify basic routing connectivity.

• Compare the behavior of short hostname and long hostname resolution.

• Use the nslookup utility and manually switch servers to compare the behavior for different targets.

• (Windows only) Disable and re-enable F5 Networks DNS Relay Proxy service. Compare the name resolution
behavior in both cases.

• (Windows only) Check configured DNS servers and their order using the ipconfig /all command. Make sure
the system is configured as desired.

• Use a packet capture in F5® BIG-IP® as the client performs name resolution to ensure DNS traffic is being
forwarded correctly. This traffic is not encrypted, so it’s simple to analyze. Use the following command:

tcpdump -i <connectivity profile name> -s0 -n -vvv port 53

The results of these information-gathering and troubleshooting steps greatly aid diagnosis and resolution of
problems. If you decide to open a case with F5 Technical Support, forward the results of these tests to them.

For a flowchart illustrating DNS resolution in Windows, refer to the Microsoft article: Name Resolution.

Traffic doesn’t work

When the BIG-IP Edge Client successfully connects but traffic does not seem to work, try taking the following
actions:

• Check the traffic counters on the BIG-IP Edge Client at the following location to ensure they’re correctly
incrementing when sending traffic: View Details > Statistics.

• Try basic ping connectivity that doesn’t require DNS or proxy settings.

• As the BIG-IP Edge Client sends traffic, use a packet capture in BIG-IP to look for the ping request and reply
using the following command:

tcpdump -i <connectivity profile name> -s0 -n -vvv

• Use the route print command to ensure the destinations displayed in the IPv4 and/or IPv6 route tables are
correct.

VPN is slow

There are many factors in each environment that contribute to increased or decreased performance. Some
Internet service providers (ISPs) deprioritize certain types of traffic relative to others, and there can be different
latencies or bandwidth caps for single-stream connections. Also, testing is often performed in an uncontrolled
environment, so tests can be subject to the vagaries of ISP peering agreements, Internet congestion, and other
factors.

F5 recommends trying the following actions to see if performance becomes better or worse for your application:

• Make sure you’re not using source network address translation (SNAT) with client traffic and Server Message
Block (SMB) protocol for Windows file sharing at the same time. Some Windows networking filers don’t work
well when several clients are accessing the same servers with the same source IP.

• Note that the appropriate SNAT settings are in the Network Access profile, not the virtual server.

• If you are not using SNAT, ensure that your leasepool doesn’t conflict with existing networks, and your
internal routers route traffic back to BIG-IP for the pool.

• For more information, refer to Configuring Network Access Resources in BIG-IP Access Policy
Manager: Network Access Configuration for your system version.

Note For information about how to locate F5 product guides, refer to the Ask F5 article: K12453464:
Finding product documentation on AskF5.

• You can use one of two protocols with Network Access: TLS (TCP) or DTLS (UDP). DTLS usually (but not
always!) has better performance.

• Configure the Optimized Applications setting for specific TCP ports, for example 80 or 443.

On Windows, Optimized Applications is a high-performance technique for transferring TCP data that
supports varying levels of compression and transfers data at a faster rate than either the main PPP DTLS or
TLS transport.

Note For FTP connections, you must use port 0 because the data channel is dynamic.

For more information, refer to Creating Optimized Application Tunnels in BIG-IP Access Policy
Manager: Network Access Configuration Guide for your system version.

• Check the CPU usage of the client PC while performing speed tests. There is overhead with encryption, and
the BIG-IP Edge Client is single-threaded, so it only utilizes a single core for encryption and compression
operations.

• Check the log levels. The default log level for access is Notice. Do not use the Debug log level in production
except for testing purposes. For more information, refer to AskF5 article: K5532: Configuring the level of
information logged for TMM-specific events.

F5 Technical Support typically resolves complaints about Network Access slowness with a combination of these
configuration options.

How to collect troubleshooting data

Client-side Windows

There are various ways to collect troubleshooting data from the client machine and BIG-IP Edge Client.
Understanding techniques to gather information, both from the client-side and the BIG-IP APM server, helps you
efficiently diagnose and identify issues with connectivity, operation, and maintenance of the BIG-IP Edge Client.

This chapter covers the following information:

• The CTU, which is the f5wininfo.exe file.

• Where to find diagnostic data

• How to reset or clear diagnostic data

• How to increase log detail

• Automated log gathering tools

Client Troubleshooting Utility (Windows only)

Administrators use the CTU, which consists of the single f5wininfo.exe file, to check F5 client components,
perform diagnostics, and collect logs.

To download the CTU, do the following:

1. On the main screen, click the F5 logo to display the Welcome page.

2. In the Downloads section, click Client Troubleshooting Utility for Windows.

Your system saves f5wininfo.exe to the local disk.

Note You can also download the CTU (f5wininfo.exe) at the following address: https://<apm hostname>/public/download/f5wininfo.exe.

To view client components using the CTU, do the following:

1. Double-click f5wininfo.exe to start the CTU.

The F5 BIG-IP Edge Components Troubleshooting window opens.

2. Use the navigation panel on the left to explore the component categories.

To generate a client troubleshooting report using the CTU, do the following:

1. Double-click f5wininfo.exe to start the CTU.

The F5 BIG-IP Edge Components Troubleshooting window opens.

2. Click File > Generate Report.

The Report window opens.

3. Under Type, select the type of report you want to generate. For a complete report, select all four options.

4. Under Format, select html or text for the type of report.

To generate a compressed report, select the compressed option.

5. To view the report without saving the report, click View.

Finding diagnostic data

BIG-IP Edge Client single-click logs


On Windows, you can generate a diagnostics report using the BIG-IP Edge Client by following these steps:

1. Open the BIG-IP Edge Client.

2. Click View Details > Diagnostics Report.

OPSWAT OESIS endpoint diagnostic tool


The BIG-IP Edge Client includes third-party inspection libraries from OPSWAT. You use the OPSWAT OESIS
diagnostic tool to investigate and identify whether the client-side checks are correctly identifying and detecting
your AV, anti-malware, firewall, and other OPSWAT scan objects.

To download and install the OESIS Diagnose tool for Windows, do the following:

1. Use Secure Copy (SCP) protocol to download it from the BIG-IP device, or go to https://downloads.f5.com.

2. Locate the EPSEC.ISO file, where the tool is located, and extract it by mounting the ISO image and
extracting the files in the .Tools directory.

3. Unzip the OESISDiagnose_V3V4.zip file and execute the OesisDiagnose_bridge.exe file it contains.

The tool generates a report (.log and .xml files) in the same directory which displays the client-side objects
detected by the scan.

BIG-IP Edge Client logs and Windows diagnostic tools


The BIG-IP Edge Client logs and Windows diagnostic tools are useful in investigating BIG-IP Edge Client issues.
Learn more about the log files that are available in the following table.

Table 7.1 BIG-IP Edge Client and Windows logs

Log file | Description | Operating system
logterminal.txt | Primary log file | Windows
logterminal.txt (Low) | Used when IE is used in low integrity level | Windows
F5DialServer.txt | Used by Windows Logon Integration feature | Windows
f5dskctl.txt | For Protected Work Space (PWS) feature browser control | Windows
f5dsklog.txt | For PWS primary component | Windows
f5TunnelServerX.txt | For TunnelServer ActiveX control | Windows
f5TunnelServerX.txt (Low) | For TunnelServer ActiveX control when IE is used in low integrity level | Windows
F5InspHostCtrl.txt | For Inspection Host (endpoint check launch component) | Windows
f5Install.txt | For installer processes | Windows
f5Install.txt (Low) | For installer processes when launched from IE in low integrity level | Windows
firepass_desktop_msi.txt | Deprecated | Windows
f5certhelper.txt | For Machine Certificate launch service | Windows
f5mcertcheck.txt | For Machine Certificate checker | Windows
F5InstServLog.txt | For F5 Installer service | Windows
FltRedirSrv.txt | Deprecated | Windows
F5TrafficSrv.txt | For F5 Traffic Control service | Windows
F5CredMgrSrv.txt | For F5 Credential Manager service | Windows
setupapi.dev.log | Debug log file for driver installation, deprecated | Windows
DCAgent.log | For F5 DC Agent (only used for Secure Web Gateway (SWG) authenticator) | Windows
dc_users.dat | For DC Agent (SWG) | Windows
dc_config.txt | For DC Agent (SWG) | Windows
ah_users.dat | For DC Agent (SWG) | Windows
LogonAgent.log | For DC Agent (SWG) | Windows
la_users.txt | For DC Agent (SWG) | Windows
FullArmor GPAnywhere log file | Deprecated | Windows

Resetting and clearing diagnostic data

Resetting log files


Close and shut down the BIG-IP Edge Client before you clear or reset log files. After closing the BIG-IP Edge
Client, navigate to the file location and delete the log files. The BIG-IP Edge Client automatically re-creates the log
files when you reopen the client.

Modifying log rotation size


The BIG-IP Edge Client and associated components produce log files that grow over time. The log files are rotated
at a predetermined size so that they do not grow to an excessive size.

• By default, file rotation is at 5 megabytes (MB). This size can vary slightly because the rotation-check is
performed at 50 log line intervals.

• Every 50 log entries, the component checks to see if files need to be rotated. If a rotation is necessary, it
rotates the current file to a .bak file and reopens the .txt file.

On Windows, you can increase or decrease log file rotation by adding and modifying a new registry key, using the
following steps:

1. Create a new registry value (DWORD), MaxLogFileSize, in the registry key below.

HKCU\Software\F5 Networks\RemoteAccess\Logging

2. Modify the variable as a decimal to the size desired. For example, use the value 25000000 to increase a size
to 25 MB.

Note It is not possible to modify the log rotation size on Macintosh machines.
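The rotation policy described above (check every 50 lines, move .txt to .bak once the size limit is reached), reproduced against a temporary directory as an added illustration (Go, not F5 code) to show why the rotated file can exceed the configured size. The file name logterminal.txt comes from the log table earlier in this chapter; the 1000-byte limit and 100-byte lines are constructed to keep the run small.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

const (
	defaultMaxLogFileSize = 5_000_000 // 5 MB default; the MaxLogFileSize registry value (decimal) overrides it
	rotationCheckInterval = 50        // the rotation check runs only every 50 log lines
)

// rotatingLog mimics the documented client log behaviour: append to a .txt file and, on
// every 50th entry, move it to .bak and reopen the .txt once it has reached maxSize.
type rotatingLog struct {
	path    string
	maxSize int64
	lines   int
	f       *os.File
}

// openLog opens or creates the .txt log; maxSize <= 0 selects the 5 MB default.
func openLog(path string, maxSize int64) (*rotatingLog, error) {
	if maxSize <= 0 {
		maxSize = defaultMaxLogFileSize
	}
	f, err := os.OpenFile(path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o600)
	if err != nil {
		return nil, err
	}
	return &rotatingLog{path: path, maxSize: maxSize, f: f}, nil
}

// Write appends one line and runs the rotation check on every 50th line.
func (l *rotatingLog) Write(line string) error {
	if _, err := l.f.WriteString(line + "\n"); err != nil {
		return err
	}
	l.lines++
	if l.lines%rotationCheckInterval == 0 {
		return l.rotateIfNeeded()
	}
	return nil
}

// rotateIfNeeded renames .txt to .bak (replacing an older .bak) and reopens a fresh .txt once
// the file has reached maxSize; because the check is periodic, the file overshoots the limit.
func (l *rotatingLog) rotateIfNeeded() error {
	info, err := l.f.Stat()
	if err != nil || info.Size() < l.maxSize {
		return err
	}
	if err := l.f.Close(); err != nil {
		return err
	}
	bak := strings.TrimSuffix(l.path, filepath.Ext(l.path)) + ".bak"
	if err := os.Rename(l.path, bak); err != nil {
		return err
	}
	l.f, err = os.OpenFile(l.path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0o600)
	return err
}

// demo writes n lines of lineLen bytes (newline included) under the given limit into a
// temporary directory and returns the final sizes of the .txt and .bak files.
func demo(n, lineLen int, maxSize int64) (txtSize, bakSize int64, err error) {
	dir, err := os.MkdirTemp("", "edgelog")
	if err != nil {
		return 0, 0, err
	}
	defer os.RemoveAll(dir)
	txt := filepath.Join(dir, "logterminal.txt")
	log, err := openLog(txt, maxSize)
	if err != nil {
		return 0, 0, err
	}
	line := strings.Repeat("x", lineLen-1)
	for i := 0; i < n; i++ {
		if err := log.Write(line); err != nil {
			return 0, 0, err
		}
	}
	if err := log.f.Close(); err != nil {
		return 0, 0, err
	}
	return fileSize(txt), fileSize(strings.TrimSuffix(txt, ".txt")+".bak"), nil
}

// fileSize returns a file's size, or 0 when it does not exist (no rotation yet).
func fileSize(path string) int64 {
	if info, err := os.Stat(path); err == nil {
		return info.Size()
	}
	return 0
}

func main() {
	// 120 lines of 100 bytes under a 1000-byte limit: the checks at lines 50 and 100 each
	// rotate a 5000-byte file, so .bak ends at 5000 bytes and the new .txt at 2000.
	txt, bak, err := demo(120, 100, 1000)
	fmt.Println("logterminal.txt:", txt, "logterminal.bak:", bak, "error:", err)
}
```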

Increasing log detail

Log verbosity
On Windows, you can increase the BIG-IP Edge Client log detail by doing the following:

1. On the Edge Client window, click View Details.

2. For normal day-to-day operation, select Standard logging, or if you are investigating an issue, select
Extended logging.

Reading log files


You can use the built-in log viewer in the BIG-IP Edge Client to parse and examine logs. Because the files are plain
text, you can also use standard text tools.

On the Macintosh system, you can use the Console application.

Automated log gathering tools

Packet capture
When you are examining routes and DNS, and you are unable to reveal the source of a problem using common
tools, use packet tracing (verifying the path of an IP packet).

F5 VPN provides remote access (RRAS) using a dial-up network adapter, which is not supported by the libpcap
library used in Wireshark (a network protocol analyzer). Therefore, you must use the Network Monitor (Netmon)
utility to capture traffic inside the VPN tunnel. You can only use Wireshark to capture data that is outside the
tunnel.

Many customers use the Netmon utility to perform packet captures, and then import the data into Wireshark to
take advantage of its generally superior protocol dissectors.

On the server-side of the connection, you can use tcpdump to capture an unencrypted version of the traffic
traversing the tunnel. To do so, simply use the -i option to specify the appropriate Connectivity Profile as the
capture interface.

Microsoft Message Analyzer


You can use Microsoft Message Analyzer, a network messaging analysis tool, to investigate communication
between the BIG-IP Edge Client and operating system processes. For more information, refer to the Microsoft
TechNet guide: Microsoft Message Analyzer Operating Guide.

Client-side Macintosh

Log file locations

The following table provides the location of log files on the Macintosh system:

Table 7.2 Macintosh system log file locations

Log file | Location
Network Access plugin | /Library/Internet Plugins/
Endpoint security (client checks) | ~/Library/Internet Plugins/
Proxy PAC file | /Library/Internet Plug-Ins/F5 SSL VPN Plugin.plugin/var/run/proxy.pac
User logs | ~/Library/Logs/F5Networks/
BIG-IP Edge Client config | ~/Library/F5Networks/f5networks.conf

Note The tilde character (~) represents the local user’s home directory path. For example, the complete
location for the second row of the table is: /Users/<user name>/Library/Internet Plugins/.

Resetting log files

You can reset or clean the BIG-IP Edge Client for Mac log files by doing the following:

1. Stop the Edge Client for Mac.

2. Remove the files located under the location below.

~/Library/Logs/F5Networks

Increasing the log level

You increase the log level for the BIG-IP Edge Client for Mac by doing the following:

1. Shut down the BIG-IP Edge Client for Mac.

2. Open ~/Library/F5Networks/f5networks.conf with a text editor.

3. Locate the following line, in which the log level value is set at 31:

default_log_level=31

4. Replace it with the value 63, as in the following example:

default_log_level=63

Collecting logs on the Macintosh

To collect logs on the Macintosh system, do the following:

1. Navigate to ~/Library/Logs/F5Networks/.

2. Select all the files available in that directory and compress them into a single file.
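The three Mac procedures above (reset the logs, raise default_log_level in ~/Library/F5Networks/f5networks.conf, and bundle ~/Library/Logs/F5Networks for F5 Support) as a set of shell helpers. This is an added example, not code from the guide or from F5: the function names are ours, the default paths are the ones the guide lists, and the helpers assume you have already quit the client, as step 1 of each procedure requires.

```shell
#!/bin/sh
# Added example, not from the F5 guide: helpers for the BIG-IP Edge Client for
# Mac log procedures (reset logs, raise default_log_level, bundle logs).
# Default paths are the ones the guide lists; pass other paths to work on a copy.
# Stop the client first (step 1 of each procedure): these helpers do not do that.

EDGE_CONF="${EDGE_CONF:-$HOME/Library/F5Networks/f5networks.conf}"
EDGE_LOGDIR="${EDGE_LOGDIR:-$HOME/Library/Logs/F5Networks}"

# get_edge_log_level CONF -> prints the current default_log_level value
get_edge_log_level() {
    awk -F= '/^default_log_level=/ { print $2; exit }' "$1"
}

# set_edge_log_level CONF LEVEL
# Rewrites only the default_log_level= line (31 -> 63 for extended logging);
# every other line is kept as-is. Appends the key if the file lacks it.
set_edge_log_level() {
    conf="$1"; level="$2"
    [ -f "$conf" ] || { echo "config not found: $conf" >&2; return 1; }
    case "$level" in
        ''|*[!0-9]*) echo "log level must be a number: $level" >&2; return 1 ;;
    esac
    tmp="$conf.tmp.$$"
    awk -v lvl="$level" '
        /^default_log_level=/ { print "default_log_level=" lvl; seen = 1; next }
        { print }
        END { if (!seen) print "default_log_level=" lvl }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# collect_edge_logs LOGDIR OUTFILE
# Bundles every file in LOGDIR (rotated .bak files included) into one archive
# for F5 Support; prints the archive path.
collect_edge_logs() {
    logdir="$1"; out="$2"
    [ -d "$logdir" ] || { echo "log directory not found: $logdir" >&2; return 1; }
    tar -czf "$out" -C "$logdir" . && printf '%s\n' "$out"
}

# reset_edge_logs LOGDIR
# Deletes the log files (the guide's "reset" step); safe if LOGDIR is missing.
reset_edge_logs() {
    logdir="$1"
    [ -d "$logdir" ] || return 0
    find "$logdir" -type f -exec rm -f {} +
}

# Typical sequence on the Mac after quitting the client:
#   set_edge_log_level "$EDGE_CONF" 63      # reproduce the problem, then:
#   collect_edge_logs "$EDGE_LOGDIR" "$HOME/Desktop/edge-logs.tgz"
#   set_edge_log_level "$EDGE_CONF" 31
```

set_edge_log_level touches only the default_log_level line, so the rest of f5networks.conf survives the edit; set the level back to 31 once the archive is collected, since the extended level keeps writing more detail to the per-user log directory.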

Macintosh client log files

Macintosh log files are located in the ~/Library/Logs/F5Networks folder.

Note Most log files are automatically rotated, so a <logfile name>.bak log file may be present.

The following table describes the log files that are available:

Table 7.3 Macintosh system logs

Log file          Description                                                                                Operating system

svpn.log          Primary log file                                                                           Macintosh
uninstall.log     For the uninstall function                                                                 Macintosh
install.log       For component updates                                                                      Macintosh
svpn_proxy.log    For proxy between BIG-IP Edge Client and svpn process                                      Macintosh
vpn.log           For F5 helper applications in the BIG-IP Edge Client 13.0 and later                        Macintosh
edge.log          Primary log file for the BIG-IP Edge Client                                                Macintosh
epi.log           For F5 Endpoint Inspector (helper) application in the BIG-IP Edge Client 13.0 and later    Macintosh
eps_plugin.log    For NPAPI browser endpoint check plug-in                                                   Macintosh
policyserver.log  For endpoint security checks                                                               Macintosh
svpn_plugin.log   For NPAPI VPN plug-in                                                                      Macintosh

Log verbosity

You can increase the BIG-IP Edge Client log detail on the Macintosh by doing the following:

1. Click the BIG-IP Edge Client tray icon and select View Details.

2. Under Troubleshooting, select Extended logging.

For information about how to manually make this change in the configuration, refer to the AskF5 article: K12321:
Enabling Network Access debugging for Mac OS X and Linux.

OPSWAT OESIS endpoint diagnostic tool for Macintosh

The OESIS Diagnose utility provides a user interface that enables you to explore the AV, antispam, and firewall
products installed on your machine and all the details that the OESIS library can detect, such as last scan time and
product version.

You can submit a bug directly to OPSWAT through the utility or collect diagnostic information for F5 Technical
Support.

For information about how to generate the OESIS diagnostic log on the Macintosh, refer to AskF5 article: K11643:
Troubleshooting with the OPSWAT OESIS Diagnose tool.

Server-side BIG-IP APM log collection and diagnostic tools

The other half of the BIG-IP Edge Client connection is the BIG-IP APM. Since troubleshooting steps always include
looking at both sides of the connection process, here are some tools to investigate and diagnose issues on the
BIG-IP APM.

• BIG-IP APM logs

• Session variables

• BIG-IP QkView

BIG-IP APM logs

You can use the logs for the access policy on BIG-IP APM to diagnose connection issues, from the initial
connection through the completion of the VPN connection.

• In BIG-IP APM 11.x, you can increase logging levels using the log configuration at the following location:
System > Logs > Configuration > Options.

• In BIG-IP APM 12.x, you can increase logging levels using the log configuration at the following location:
Access Policy > Event Logs > Log Settings.


Sessiondump

Sessiondump is a command line utility that displays all of the variables collected for a given user session. This
information is useful for reviewing whether variables have been set correctly or troubleshooting access policy
execution.

Configdump

Configdump is a command line utility that produces a list of all available data within BIG-IP APM about the access
policy configuration.

iHealth and QKView

BIG-IP products have a diagnostic support file called QKView that contains diagnostic and reporting information
about BIG-IP, including all modules, logs, and some reporting data. The data is useful when looking at the overall
performance of the device, but it can also include information specific to user events.

You can upload the diagnostic file to BIG-IP iHealth®, or give it to F5 Technical Support to help them troubleshoot
any issues. For information about how to use QKView, refer to the AskF5 article: K12878: Generating diagnostic
data using the qkview utility.

Note Ensure you use your user account to upload the QKView output file to https://ihealth.f5.com (iHealth).

Potential conflicts with third-party applications

The BIG-IP Edge Client is compatible with most applications, but there are some that can cause conflicts, such as
security products and third-party applications that limit access to resources the BIG-IP Edge Client needs to
function. These include:

• Antivirus programs—Can block ports or mark application files as a threat if the BIG-IP Edge Client is not
allowed. Real-time monitoring can also block certain traffic that is misidentified as threat traffic. You can
usually add the BIG-IP Edge Client to these programs’ whitelist to prevent this problem.

• Antispyware and antimalware programs—Can block traffic or files that may be misidentified as a threat,
much like antivirus programs. They also typically have a whitelist.

• Software firewall programs—Can block specific traffic, ports, and protocols used by the BIG-IP Edge Client
when they are configured to do so. For example, the traffic between the VPN driver and the tunnelserver
process utilizes a local TCP socket connection that can be blocked.

• Other third-party VPN software—Can attempt to access the same VPN network resources. This can happen
with any other VPN software that is installed and running, in any configuration.


Packet tracing

When you experience problems with tunnel negotiation, the tcpdump utility is useful for capturing specific packet
data. Use one of the following two methods, depending on the problem:

• For problems outside the tunnel, such as creating a VPN, premature disconnects, and reconnects, capture
  the client's connection to BIG-IP APM with tcpdump. For more information, refer to AskF5 article: K411:
  Overview of packet tracing with the tcpdump utility.

  • Enables you to investigate the encrypted packets involved in the negotiation of the tunnel connection.

  • Requires you to use the ssldump utility to decrypt the packets. For more information, refer to the AskF5
    article: K10209: Overview of packet tracing with the ssldump utility.

• For problems inside the tunnel, such as back-end connectivity or usability, use tcpdump with the
  connectivity profile.

  • Enables you to investigate the decrypted packets involved in the traffic between the BIG-IP Edge Client
    and back-end servers.

  • Requires you to use the connectivity profile as an interface. For more information, refer to the AskF5
    article: K13301: Overview of packet tracing a BIG-IP APM Network Access tunnel with the tcpdump
    utility.
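The two server-side capture points just described (the encrypted client-to-APM session, and the capture on the Network Access connectivity profile that the Netmon section earlier also points to) as shell wrappers that make the exact tcpdump invocation reviewable before it runs. This is an added example, not code from the guide or from F5: the function names, the DRY_RUN switch, the profile name /Common/edge_connectivity and the addresses are ours, and the form passed to -i is assumed to be the full profile path as tmsh shows it.

```shell
#!/bin/sh
# Added example, not from the F5 guide: the two tcpdump methods the guide
# describes, wrapped so the command line can be reviewed first.
# Run on the BIG-IP as an administrator. With DRY_RUN=1 nothing is captured;
# the command that would run is printed instead.
# Placeholder names (assumptions, not from the guide):
#   connectivity profile /Common/edge_connectivity, virtual server 203.0.113.10.

run_or_print() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# capture_outside_tunnel VS_IP CLIENT_IP OUTFILE
# Encrypted client <-> APM virtual server traffic (tunnel negotiation, drops,
# reconnects). Captured on all interfaces (0.0); the payload stays TLS-encrypted.
capture_outside_tunnel() {
    vs="$1"; client="$2"; out="$3"
    run_or_print tcpdump -nni 0.0 -s0 -w "$out" \
        "host $vs and host $client and tcp port 443"
}

# capture_inside_tunnel PROFILE OUTFILE [FILTER]
# Decrypted traffic between the client and back-end servers: the Network Access
# connectivity profile is given to -i as the capture interface.
capture_inside_tunnel() {
    profile="$1"; out="$2"; filter="${3:-}"
    if [ -n "$filter" ]; then
        run_or_print tcpdump -nni "$profile" -s0 -w "$out" "$filter"
    else
        run_or_print tcpdump -nni "$profile" -s0 -w "$out"
    fi
}

# Example (dry run first, then for real):
#   DRY_RUN=1 capture_inside_tunnel /Common/edge_connectivity /var/tmp/inside.pcap "host 10.10.20.5"
#   capture_inside_tunnel /Common/edge_connectivity /var/tmp/inside.pcap "host 10.10.20.5"
```

Run with DRY_RUN=1 first to confirm the interface and filter. The outside-tunnel capture stays encrypted: ssldump can decrypt it only if you have the virtual server's RSA private key and the session did not use an ephemeral (DHE/ECDHE) key exchange, so for application-level questions the connectivity-profile capture is usually the one you want.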

Components
The following table provides the BIG-IP Edge Client application file location on each operating system.

Table 7.4 BIG-IP Edge Client application location

Operating system  File location

Windows           C:\Program Files (x86)\F5 VPN\f5fpclientW.exe
macOS             /Applications/BIG-IP Edge Client.app/Contents/MacOS/BIG-IP Edge Client
Linux             /usr/local/lib/F5Networks/f5fpc

Windows

You find the file locations for the BIG-IP Edge Client components using the CTU.

For more information about the CTU, refer to the AskF5 article: K12444: Overview of the Client Troubleshooting
Utility for Windows. For information about how to download and install the CTU, refer to Overview: Installing and
using the client troubleshooting utility in BIG-IP Access Policy Manager: Edge Client and Application
Configuration for your system version.


Linux

The BIG-IP Edge Client for Linux is only available as a command line interface (CLI) client for Linux operating
systems.

• The installer package is linux_sslvpn.tgz and installs in the following file location:

/usr/local/lib/F5Networks/

• To successfully install the CLI client, the remote user must have the administrator permission-level or be able
to provide an administrator password.

• Linux web browser components install in one of the following two locations:

~/.mozilla/firefox/<profileid>/

~/.mozilla/plugins/

For more information about installing and operating the BIG-IP Edge Client for Linux, refer to Clients for Linux in
BIG-IP Access Policy Manager: Edge Client and Application Configuration.

Web browser protocol handler components

In BIG-IP 13.0, F5 replaced NPAPI plug-ins with new web browser protocol handler applications (more commonly
known as helper applications).

You download these components as part of the BIG-IP Edge Client from the BIG-IP connectivity profile at Access
Policy > Secure Connectivity > (connectivity profile name) or from Access Policy > Secure Connectivity >
Clients Download. The helper applications are also automatically delivered to connecting clients.

Endpoint Inspector application

This application is a browser protocol handler for the f5-epi protocol. The URI takes the following form:

f5-epi://<URI>

Windows
For managed PCs running Windows, you can download the application as part of BIG-IP Edge Client by selecting
the Endpoint Security component, and pre-install it on the end-user client system.

On unmanaged PCs, the f5epi_setup.exe installer automatically downloads from the web browser when the
access policy has any client-side checks configured.


Macintosh
On the Macintosh system, the installer is a separate package file, mac_f5epi.pkg, that installs in the following
location:

~/Applications/F5 Endpoint Inspector

The application doesn’t require the administrator permission-level because it installs under user domain rights.

Linux
On the Linux system, the installer is a separate package, based on specific architecture and Linux distribution
types, that installs in the following location:

/opt/f5/epi/

You must have the administrator permission-level to install the application.

The following table presents the naming conventions for the Linux file:

Table 7.5 Linux file names for the Endpoint Inspector app

Architecture/distribution type  Debian/Ubuntu            Redhat/Fedora

64 bit                          linux_f5epi.x86_64.deb   linux_f5epi.x86_64.rpm
32 bit                          linux_f5epi.i386.deb     linux_f5epi.i386.rpm

F5 VPN application

This application is a browser protocol handler for the f5-vpn protocol. The URI takes the following form:

f5-vpn://<URI>

Windows
For unmanaged PCs running Windows, when users click the Network Access icon on the webtop, the
f5vpn_setup.exe installer automatically downloads from the web browser.

The F5 VPN application can be pre-installed on managed PCs.

Download the application from the Downloads section on the BIG-IP home page, where it is located alongside
BIG-IP Edge Client, and then distribute it using your preferred method.

Macintosh
On the Macintosh system, the application is a separate package file, mac_f5vpn.pkg, that installs in the following
location:

/Applications/F5 VPN

You install it for all users on the system and must have the administrator permission-level to install it.


Linux
On Linux, the VPN installer is a separate package, based on specific architecture and Linux distribution types, that
installs at the following location:

/opt/f5/vpn/

You must have the administrator permission-level to install it.

The following table presents the naming conventions for the Linux file:

Table 7.6 Linux file names for the F5 VPN app

Architecture/distribution type  Debian/Ubuntu            Redhat/Fedora

64 bit                          linux_f5vpn.x86_64.deb   linux_f5vpn.x86_64.rpm
32 bit                          linux_f5vpn.i386.deb     linux_f5vpn.i386.rpm


Optimizing the Support Experience


F5 technical support commitment
F5® strives to continuously improve its support service and create closer customer relationships. Designed to
provide assistance with specific break-fix issues and ongoing maintenance of F5 products, F5 professional
support services are consistently high-quality.

This means:

• F5 network support engineers conduct themselves professionally at all times.

• F5 is committed to providing the best customer experience possible.

• F5 treats customers with respect and gives them every consideration possible.

• F5 aims to provide resolutions the first time, every time.

• You can ask for manager escalation for unresolved or “site down” issues.

Some technical support issues arise from configuration errors, either within the BIG-IP® system or with other
devices in the network. In other cases, a misunderstanding of BIG-IP capabilities can lead to support questions
and issues. Although F5 does everything possible to prevent defects in BIG-IP hardware and software, these
issues may still arise periodically. Regardless of the root cause of a problem, the goal is to resolve any issues
quickly.

F5 technical support offerings

A variety of technical support offerings are available to provide the right level of support for any organization.

F5 Standard and Premium Support include remote assistance from F5 network support engineers, both online
and over the phone.

Premium Plus customers receive priority status at F5, with fast, easy access to a dedicated team of senior-level,
F5-certified network support engineers and a Technical Account Manager.

To learn more, refer to F5 Technical Support Offerings or send email to [email protected].

Professional services

Take advantage of the full range of F5 Professional Services to help you design, customize, and implement a
solution that is right for your IT infrastructure and which supports your business goals.

Professional Services (f5.com/support/professional-services) provides information on a wide range of F5
Professional Services offerings and Professional Services Partners. You can use our online forms to request
Consulting Services OnDemand for custom, shorter scope consulting engagements, or iRules® OnDemand to get
fast access to iRules scripts tailored to your specific needs.

You can make an online request for specific support services by filling out a request form:


• Consulting request form (f5.com/support/professional-services/consulting-request-form).

• iRules consulting request form (f5.com/support/professional-services/irules-consulting-request-form).

GUARDIAN Professional Services Partners

F5 GUARDIAN® Professional Services Partners are authorized as installation providers and are also available to
assist you. F5 GUARDIANs are selected because they have the skills and experience required to ensure successful
implementations of F5 BIG-IP installations.

Refer to F5 GUARDIAN Professional Service Partners (f5.com/support/professional-services#guardian) for a
complete list of partners.

F5 certification
F5 Certified® exams test the skills and knowledge necessary to be successful when working with today’s
application delivery challenges. Our technically relevant and appropriate exams deliver consistently reproducible
results that guarantee excellence in those that achieve certification.

Certification levels

F5 Certified! is the F5 certification program, with a progressive program of four levels (Administrator, Specialist,
Expert, and Professional), each of which builds on the skills and knowledge demonstrated on previous exams.

C1 – F5 Certified BIG-IP Administrator (F5-CA)

The starting point for all certifications: a certified BIG-IP Administrator has basic network and application
knowledge to be successful in application delivery.

C2 – F5 Certified Technology Specialists (F5-CTS)

The Technology Specialist certification assures employers that the candidate is fully qualified to design,
implement, and maintain that specific product and its advanced features.

C3 – F5 Certified Solution Expert (F5-CSE)

The Solution Expert focuses on how F5 technologies combine with industry technology to create real-world
business solutions.

C4 – F5 Certified Application Delivery Engineer (F5-CADE)

The Application Delivery Engineer certification exam and requirements are still under development.

C5 – F5 Certified Application Delivery Architect (F5-CADA)

The Application Delivery Architect certification exam and requirements are still under development.

Certificate expiration

F5 certifications are valid for two (2) years. Three months before the expiration date, the holder becomes
recertification-eligible and can register for the exam necessary to re-certify. Only the last exam in the highest level
certification achieved needs to be retaken.

Certification beta program

F5 uses beta exams in the creation of all our exams and to maintain their relevancy and accuracy after production.
Beta exams are open to all and give candidates an opportunity to have an impact on the F5 Certified program.
While beta exams are twice as long, they cost less than regular exams and give candidates the chance to leave
feedback on the exam. Beta exams are critical to our exam development process and a great way to change the
F5 Certified program for the better.

Get involved

There are several ways to get involved with the F5 certification beta program:

• Beta participation. Interested in taking our beta exams? Contact us at [email protected] to learn
more.

• Exam development. Contact us at [email protected] if you’re interested in helping us create our
Certified exams.

• LinkedIn community. Join us on LinkedIn for answers to frequently asked questions, community developed
resources, and more.

Note: This link takes you to a resource outside of F5, and it is possible that the document may be removed
without our knowledge.

Visit F5 Credential Manager System (certification.f5.com) for information or follow the steps to get registered.

Self-help
F5 offers a number of resources to assist in managing and supporting your F5 systems:

• AskF5™ (support.f5.com)

• Downloads (downloads.f5.com) User name and password required.

• Security Updates (interact.f5.com/AskF5-SubscriptionCenter.html)

• BIG-IP iHealth® (f5.com/support/tools/ihealth)

• TechNews (interact.f5.com/AskF5-SubscriptionCenter.html)

• RSS feeds (https://support.f5.com/csp/article/K9957)

• DevCentral (devcentral.f5.com/) User name and password required.

• F5 Training Programs and Education (f5.com/education/training)


AskF5

AskF5 (support.f5.com) is a great resource for thousands of articles and other documents to help you manage your
F5 products more effectively. Step-by-step instructions, downloads, and links to additional resources give you the
means to solve known issues quickly and without delay, and to address potential issues before they become
reality.

Whether you want to search the knowledge base to research an issue, or you need the most recent news on your
F5 products, AskF5 is your source for product manuals, operations guides, and release notes, including the
following:

• F5 announcements

• Known issues

• Security advisories

• Recommended practices

• Troubleshooting tips

• How-to documents

• Changes in behavior

• Diagnostic and firmware upgrades

• Hotfix information

• Product life cycle information

Downloads

Downloads are available from the F5 website. F5 strongly recommends that you keep your F5 software up-to-date,
including hotfixes, security updates, OPSWAT updates, BIG-IP Application Security Manager™ (ASM®) signature
files, and geolocation database updates. All software downloads are available from F5 Downloads
(https://downloads.f5.com).

Security updates

You can receive timely security updates and BIG-IP ASM attack signature updates from F5. When remote
vulnerabilities are discovered, F5 implements, tests, and releases security hotfixes for any vulnerable supported
version, and sends an email alert to the F5 Security mailing list. F5 encourages customers with an active support
account to subscribe to this list. For more information, refer to AskF5 article: K41942608: Overview of AskF5
security advisory articles.


BIG-IP iHealth

The BIG-IP iHealth® (iHealth.f5.com) diagnostic viewer is among the most important preventative tools to verify the
proper operation of your BIG-IP system. It ensures hardware and software are functioning at peak efficiency and
helps detect and address issues that may potentially affect F5 systems. BIG-IP iHealth is not integrated within the
BIG-IP system. It is hosted by F5 and can be accessed with any web browser.

F5 recommends you generate a BIG-IP iHealth qkview file on the BIG-IP system and upload it to iHealth on a
weekly basis in order to benefit from the many regularly occurring diagnostic updates. Uploading qkviews to
iHealth also provides F5 technical support with access to your qkviews if you open a support case.

By reviewing the iHealth output, many of the issues commonly experienced by customers can be resolved without
the need for opening a support case with F5.

For more information on running BIG-IP iHealth diagnostics, refer to BIG-IP iHealth in the TMOS Operations
Guide.

TechNews

AskF5 Publications Preference Center provides two email publications to help keep administrators up-to-date on
various F5 updates and other offerings:

• TechNews Weekly eNewsletter Up-to-date information about product and hotfix releases, new and
updated articles, and new feature notices.

• TechNews Notifications Do you want to get release information, but not a weekly eNewsletter? Sign up to
get an HTML notification email any time F5 releases a product or hotfix.

• Security Alerts Receive timely security updates and ASM attack signature updates from F5.

AskF5 recent additions and updates

You can subscribe to F5 RSS feeds to stay informed about new documents pertaining to your installed products or
products of interest. The New and Updated Articles page on AskF5 provides an overview of all the documents
recently added to AskF5.

New and updated articles are published over RSS. You can configure feeds that pertain to specific products,
product versions, and/or document sets. You can also aggregate multiple feeds into your RSS reader to display
one unified list of all selected documents.

DevCentral

DevCentral™ (devcentral.f5.com) is an online forum of F5 employees and customers that provides technical
documentation, discussion forums, blogs, media and more, related to application delivery networking. DevCentral
is a resource for education and advice on F5 technologies and is especially helpful for iRules and iApps®
developers. Access to DevCentral is free, but registration is required.


As a DevCentral member, you can do the following:

• Ask forum questions.

• Rate and comment on content.

• Contribute to “wikis.”

• Download lab projects.

• Join community interest groups.

• Solve problems and search for information.

• Attend online community events.

• View educational videos.

F5 training programs and education


F5 provides training programs and education, including traditional classroom learning opportunities, live online
training, and free, self-paced online courses to help you get the most out of your investment. F5 Training and
Education (f5.com/education/training) provides links to course schedules, pricing, and registration details. It also
has information about alternative training solutions such as virtual and web-based training for those who cannot
attend training in person.

•  In-person courses: F5 courses are available in multiple training facilities across five continents. Each one
combines instructor presentations, classroom discussions, and interactive labs. The hands-on learning
environment helps provide a fast track to accomplishing your goals.

•  Virtual instructor-led training: Remote on-line courses mirror classroom training. Participants watch the
remote instructors’ live lecture online, participate in discussions, and perform lab exercises using remote
desktop control.

•  Free online training: You can use the self-paced Getting Started series of free, web-based courses to learn
how to deploy F5 solutions to address your most common application delivery problems.

Links to more information are provided on F5 Training and Education for those interested in F5 Professional
Certification or a non-accredited Application Delivery Networking Certificate through F5 and the University of
Phoenix.

Note: This link takes you to a resource outside of F5, and it is possible that the document may be removed
without our knowledge.

Engage F5 Support
F5 Support is designed to provide support for specific break-fix issues for customers with active support
contracts. For more information about F5 scope of support, refer to Support Policies.


F5 Support resources

F5 Support resources are available 24 hours a day, seven days a week, and are distributed around the world in
multiple support centers. Live support is provided by our professional network support engineers. Hours of
availability may vary depending on the service contract with F5.

Contact numbers

Standard, Premium, and Premium Plus Support customers can open and manage cases by calling one of the
contact numbers listed below.

North America

North America: 1-888-882-7535 or (206) 272-6500

Traffix® Support Only: 1-855-849-5673 or (206) 272-5774

Outside North America

Outside North America, Universal Toll-Free: +800 11 ASK 4 F5 or (800 11275 435)

Additional contact numbers by country

Australia: 1800 784 977

China: 010 5923 4123

Egypt: 0800-000-0537

Greece: 00-800-11275435

Hong Kong: 001-800-11275435

India: 000-800-650-1448; 000-800-650-0356 (Bharti Air users)

Indonesia: 001-803-657-904

Israel: 972-37630516

Japan: 81-3-5114-3260 or 0066-33-812670

Malaysia: 1-800-814994

New Zealand: 0800-44-9151

Philippines: 1-800-1-114-2564

Saudi Arabia: 800-844-7835

Singapore: 6411-1800

South Africa: 080-09-88889


South Korea: 002-800-11275435

Taiwan: 00-800-11275435

Thailand: 001-800-12-0666763

United Arab Emirates: 8000-3570-2437

United Kingdom: 44-(0)8707-744-655

Vietnam: 120-11585

Open a support case

F5 provides several resources to help find solutions to problems. Before opening a support case with F5 technical
support, check to see if the issue you are encountering is already documented.

The following is a list of resources to consult before opening a support case with F5:

• Deployment guides and white papers provide information about specific deployment configurations.

• AskF5 provides many articles including known issues, how-to guides, security issues, release notes, and
general information about products. Many of the issues customers encounter are already documented on
this site.

• BIG-IP iHealth enables customers to upload qkview configuration snapshots in order to verify operation of
any BIG-IP system.

Gather information to open a support case

If your issue cannot be solved using the resources listed, and you need to open a support case, you must first
gather several pieces of important information about your issue. Providing full and accurate information helps
speed the path to resolution. The required information for the majority of situations is summarized below:

• The serial number or base registration key of the specific BIG-IP system requiring support. For more
information, refer to AskF5 article: K917: Finding the serial number or registration key of your F5 device.

• A full description of the issue. A clear problem statement is the best tool in helping to troubleshoot issues.
Your description should include as much of the following information as you can provide.

• Occurrences and changes: The date and times of initial and subsequent recurrences. Did this issue arise at
implementation or later? Were there any changes or updates made to the BIG-IP system prior to the issue
arising? If so, what were they?

• Symptoms: Ensuring your list of symptoms is as detailed as possible gives more information for support
personnel to correlate with.

• Scope of the problem: Note whether the problem is system-wide or limited to a particular configuration
feature, service, or element (such as VLAN, interface, application service, virtual server, pool, and so on).

• BIG-IP component: The feature, configuration element, or service being used when the problem occurred
(for example: portal access, network access, authentication services, VDI, Exchange).

• Steps to reproduce: The steps to reproduce the problem as accurately and in as much detail as possible.
Include expected behavior (what should happen) as well as actual behavior (what does happen).

• Errors: Complete text of any error messages produced.

• Environment: Current usage of the system. (Is this unit in production? If so, is there currently a workaround
in place?)

• Browsers: Types and versions, if applicable.

• Changes: System changes made immediately prior to the problem’s first occurrence. This may include
upgrades, hardware changes, network maintenance, and so on. Have any changes been made to resolve
the problem? If so, what were they?

• Issue Severity: A description of the impact the issue is having on your site or case severity

• Severity 1: Software or hardware conditions on your F5 device are preventing the execution of critical
business activities. The device does not power up or is not passing traffic.

• Severity 2: Software or hardware conditions on your F5 device are preventing or significantly impairing
high-level commerce or business activities.

• Severity 3: Software or hardware conditions on your F5 device are creating degradation of service or
functionality in normal business or commerce activities.

• Severity 4: Questions regarding configurations (“how to”), troubleshooting non-critical issues, or requests
for product functionality that are not part of the current product feature set.

• Contact and availability information including alternate contacts authorized to work on the problem with F5
Support. When there are more personnel available to work with F5 Support, the resolution of your issue may
be expedited.

• Remote access information, if possible.

• A qkview file obtained while problem symptoms are manifesting. A qkview of the system before the
occurrence is also useful. F5 recommends archiving qkviews regularly. For more information, refer to
BIG-IP iHealth in the TMOS Operations Guide.

• Product-specific information: Software versions and types of equipment in use.

• Platform and system. Version and provisioned software modules of the affected system.

To locate platform and system information using tmsh at the command line

• Type the following command:

tmsh show /sys hardware

Output appears similar to the following example:

<SNIP some of the output>

Platform
  Name                       BIG-IP 3900
  BIOS Revision              F5 Platform: C106 OBJ-0314-03 BIOS (build: 010) Date: 02/15/12
  Base MAC                   00:01:d7:be:bf:80

System Information
  Type                       C106
  Chassis Serial             f5-jspv-lzxw
  Level 200/400 Part         200-0322-02 REV C
  Switchboard Serial
  Switchboard Part Revision
  Host Board Serial
  Host Board Part Revision

To copy software version and build number information at the command line

1. Type the following command:

cat /VERSION

Output appears similar to the following example:

Product: BIG-IP
Version: 11.6.0
Build: 0.0.401
Sequence: 11.6.0.0.0.401.0
BaseBuild: 0.0.401
Edition: Final
Date: Mon Aug 11 21:08:03 PDT 2014
Built: 140811210803
Changelist: 1255500
JobID: 386543

2. Highlight and copy the output information and include it with your support case.

To copy provisioned module information at the command line

1. Type the following command:


tmsh list /sys provision

Output appears similar to the following example:

sys provision afm { }

sys provision am { }

sys provision apm {

level nominal

}

sys provision asm { }

sys provision avr { }

sys provision fps { }

sys provision gtm { }

sys provision lc { }

sys provision ltm {

level minimum

}

sys provision pem { }

sys provision swg { }

2. Highlight and copy the output information and include it with your support case.

Open a support case

If you cannot find the answer to your problem using the resources listed above, you can open a support case
online, using F5 Support (f5.com/support).

Before you open a support case, you need to log in to F5. If you do not have an F5 login, you’ll need to register for
one.

To register for support access

1. Navigate to login.f5.com.

2. Click Register for an F5 Support Account.

3. Enter your email address.

4. Enter your contact information. If you have a support contract, click I have a support contract
and need access to MySupport.


5. Enter your serial number or registration key in the Serial Number or Registration Key (optional)
field.

Once you’ve submitted your information, your service contract is reviewed. If your information is
accurate you receive an email from MySupport, and you can use this to open your case.

Send information to Support

Once you have the information listed in “Gather information to open a support case”, transfer it to F5 technical
support following the steps in “Share diagnostic files with F5 technical support”. For more information, refer to
AskF5 article: K2486: Providing files to F5 Technical Support.

Share diagnostic files with F5 technical support

You can provide files to F5 Support using BIG-IP iHealth or Support Files, the F5 file transfer tool. Support Files
complies with global data protection standards to safeguard the data you send.

Prerequisites

Two categories of customers provide files to F5 Technical Support:

•  Permanent account holders—Customers who have an F5 support account, including a user email and
password for the AskF5 website

•  Temporary users—Associates of permanent account holders who assist them with uploading or
downloading files for an F5 service request

Obtaining a Support Files tool user name and password for a temporary user

If you are a permanent account holder who wants a temporary user to upload or download files for one of your
service requests, you must provide them with a user name and password for logging in to the Support Files
website.

The user name is the case ID from your service request, and the password is in the activity notes of your service
request. You can also request the password directly from F5 Technical Support via email. Temporary passwords
cannot be provided over the phone.

Note Temporary user credentials are only active for a specific service request.

To locate a password for a temporary user in the activity notes of your service request

1. Open the Service Request Details view.

2. In the Activities section, locate the temporary password which should appear in the following
format:

Case file access password : XXyy=zZzZ123


Uploading qkview diagnostic files to BIG-IP iHealth

BIG-IP iHealth allows you to quickly diagnose the health and proper operation of your BIG-IP system, and provides
a convenient location for you to send diagnostic data for case resolution with F5 Technical Support.

If you are running BIG-IP 10.x or later and need to provide a qkview diagnostic file to F5, the preferred way to do
so is to upload the file to the BIG-IP iHealth website. For more information, refer to K12878: Generating diagnostic
data using the qkview utility.

Uploading and downloading files using Support Files

Accessing Support Files

To access Support Files as a permanent account holder

1. In the upper-right corner of the AskF5 home page, click My Support.

If you have not already logged in, you are prompted to do so.

2. Under Service Requests, click the service request for which you want to upload or download
files.

3. On the right side of the Service Request Details section, click Manage Attachments.

The F5 Support Files site opens in a new window.

To access Support Files as a temporary user

• Navigate to the Support Files website and log in using the user name and password provided by a
permanent account holder.

Uploading files using a web browser

1. On the Home folder page, click the folder for the service request you want.

2. Click Incoming (upload to F5).

3. In the upper-right corner of the Upload to F5 page, click the Upload files icon.

4. In the Upload files dialog box, click Browse.

5. In the Open dialog box, navigate to each file you want to upload, point at it with your cursor, select
the check box that displays, and when you are finished selecting files, click Open.

Either a success or failure notification displays. When an upload fails, close the notification and try
again.


6. In the Upload Files dialog box, click Done.

Note You cannot see the files in the folder after uploading them.

Downloading files using a web browser

1. On the Home folder page, click the folder for the service request you want.

2. Click Outgoing (download from F5).

3. Select the check box next to the files you want to download.

4. In the upper-right corner of the Download from F5 page, click the Download selected items
icon.

5. Depending on which browser you have, you may be prompted to save your files to the location of
your choice, or they may simply download to your Downloads folder.

Uploading files using SFTP


For permanent account holders, your user name and password are the same as your AskF5 credentials. For
temporary users, your user name is the service request number, and your password must be the correct
passphrase for that service request.

Important Support Files does not support the Secure Copy (SCP) protocol.

Note Support Files supports the SFTP protocol, but only a subset of features provided by many SFTP
clients. The SFTP server does not support or allow setting file ownership or permissions, updating
timestamps, or creating symlinks.

Note The supportfiles.f5.com RSA server key MD5 fingerprint is MD5:04:a6:4b:9b:d4:eb:48:97:15:e6:7f:90:64:bf:35:96
and the SHA256 fingerprint is SHA256:stQCq50hEwDPfRMeRf/Ya9dXcm1KCdx5I5llOwODgNU.

1. From the F5 device, SFTP to the supportfiles.f5.com site using the following syntax:

sftp user@host

For example:

sftp [email protected]

or

sftp [email protected]

Note On the first attempt to connect, you must accept the host key. You should compare that output
with the fingerprints listed in this article.

2. When prompted for the password, enter the email address of the user associated with the case.

3. To upload the requested files, use the following command syntax for each file:

put <name_of_file> <SR_number>/INCOMING/

For example:

put mybigip.conf C123456/INCOMING/

4. To exit the SFTP utility when all files have been uploaded, type the following command:

quit

For more information, refer to the manual or man pages for the SFTP utility by typing man sftp at the command
line.

You may also use external SFTP applications to upload files if they are on a workstation or other system.
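The fingerprint comparison that the host-key note above asks for, as an added example that is not F5's own code: it takes a host-key line in the format ssh-keyscan prints (and known_hosts stores), computes the MD5 and SHA256 fingerprints the way OpenSSH displays them, and trusts the key only when both match the values published for supportfiles.f5.com. The key line below is a constructed sample, not the real server key.

```python
"""Verify an SFTP server's host key against published fingerprints before trusting it."""
import base64
import hashlib

# Fingerprints for supportfiles.f5.com as published in this guide.
EXPECTED_MD5 = "MD5: 04:a6:4b:9b:d4:eb:48:97:15:e6:7f:90:64:bf:35:96"
EXPECTED_SHA256 = "SHA256:stQCq50hEwDPfRMeRf/Ya9dXcm1KCdx5I5llOwODgNU"

# Constructed sample: NOT the real server key, just bytes shaped like a key line.
SAMPLE_BLOB = b"\x00\x00\x00\x07ssh-rsa-constructed-sample-key-blob"
SAMPLE_LINE = "supportfiles.f5.com ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode()


def normalize(fp: str) -> str:
    """Remove whitespace (such as PDF line wraps) and a leading 'MD5:' label."""
    fp = "".join(fp.split())
    return fp[4:] if fp.upper().startswith("MD5:") else fp


def fingerprints(key_blob: bytes) -> tuple:
    """Return (md5, sha256) in the formats OpenSSH prints: colon-separated hex,
    and 'SHA256:' plus the unpadded base64 digest of the raw key blob."""
    md5_hex = hashlib.md5(key_blob).hexdigest()
    md5_fp = ":".join(md5_hex[i:i + 2] for i in range(0, len(md5_hex), 2))
    sha_b64 = base64.b64encode(hashlib.sha256(key_blob).digest()).decode()
    return md5_fp, "SHA256:" + sha_b64.rstrip("=")


def parse_key_line(line: str) -> bytes:
    """Extract the raw key blob from a 'host keytype base64key' line
    (the format of ssh-keyscan output and known_hosts entries)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected 'host keytype base64key'")
    return base64.b64decode(fields[2])


def host_key_matches(line: str, expected_md5: str, expected_sha256: str) -> bool:
    """Accept the key only when BOTH published fingerprints match the scanned key."""
    md5_fp, sha_fp = fingerprints(parse_key_line(line))
    return md5_fp == normalize(expected_md5) and sha_fp == normalize(expected_sha256)


if __name__ == "__main__":
    # The constructed key must not match the published fingerprints, so this prints False.
    print("sample key trusted:", host_key_matches(SAMPLE_LINE, EXPECTED_MD5, EXPECTED_SHA256))
```

Feed the function the line from `ssh-keyscan -t rsa supportfiles.f5.com` and add the key to known_hosts only when it returns True.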

Downloading files using SFTP


To download a file from Support Files, you must use the exact file name and location (path) provided by your F5
Technical Support representative.

Important Support Files does not support the SCP protocol.

Note Support Files supports the SFTP protocol, but only a subset of features provided by many SFTP
clients. The SFTP server does not support or allow setting file ownership or permissions, updating
timestamps, or creating symlinks.

1. From the F5 device, SFTP to the supportfiles.f5.com site using the following syntax:

sftp user@host

For example:

sftp [email protected]

or

sftp [email protected]

2. When prompted for the password, enter the password.

3. To list the files available for download, type the following command:

ls C123456/OUTGOING


4. To download the requested files, use the following command syntax for each file:

Note The <full_path_to_file> section indicates the full path to the file.

get <full_path_to_file>

For example:

get C123456/OUTGOING/Hotfix-BIGIP-12.1.0.0.40.1434-ENG.iso

5. To exit the SFTP utility when all files have been downloaded, type the following command:

quit

You may also use external SFTP applications to download files if the files are on a workstation or on another
system.

CHANGE LIST—

Change List

Date: August 2017
Chapter/Section: Optimizing the Support Experience
Change: Removed reference to F5 Dropbox
Reason: Dropbox use discontinued

Date: September 2017
Chapter/Section: Use Cases/Common Approaches to Configuring VPN - Routing Options
Change: Change Disallow Routing Table Changes option to Prohibit routing table changes during Network Access connection option
Reason: Error

Date: September 2017
Chapter/Section: Optimize the Support Experience
Change: Added section on providing files to F5 Technical Support using F5 Support Files
Reason: New

LEGAL NOTICES—

Legal Notices
Trademarks
AAM, Access Policy Manager, Advanced Client Authentication, Advanced Firewall Manager, Advanced Routing,
AFM, APM, Application Acceleration Manager, Application Security Manager, Applications without Constraints,
ARX, AskF5, ASM, BIG-IP, BIG-IP EDGE GATEWAY, BIG-IQ, BIG-IP iControl, Cloud Extender, CloudFucious,
Cloud Manager, Clustered Multiprocessing, CMP, COHESION, Data Manager, DDoS Frontline, DDoS Hybrid
Defender, DDoS SWAT, Defense.net, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client,
Edge Gateway, EDGE MOBILE, EDGE MOBILITY, EdgePortal, ELEVATE, EM, Enterprise Manager, ENGAGE, F5,
F5 Agility, F5 iApps, F5[DESIGN], F5 Certified [DESIGN], F5 iControl, F5 LINK CONTROLLER, F5 Networks,
F5SalesXchange [DESIGN], F5Synthesis, f5Synthesis, F5Synthesis[DESIGN], F5 TechXchange [DESIGN], F5
TMOS, Fast Application Proxy, Fast Cache, FCINCO, Global Traffic Manager, GTM, GUARDIAN, Herculon, iApps,
IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iCall, iControl, iHealth, iQuery,
iRules, iRules OnDemand, iSeries, iSession, L7 RateShaping, LC, Link Controller, Local Traffic Manager, LTM,
LineRate Operating System, LineRate Point, LineRate Precision, LineRate Systems [DESIGN], LROS, LTM,
Message Security Manager, MSM, OneConnect, Packet Velocity, PEM, Policy Enforcement Manager, Protocol
Security Manager, PSM, Real Traffic Policy Builder, Ready Defense, SalesXchange, ScaleN, Signalling Delivery
Controller, Silverline, Silverline Threat Intelligence, SDC, SSL Acceleration, SSL Everywhere, SSL Orchestrator,
SDAC (except in Japan), StrongBox, SuperVIP, SYN Check, SYNTHESIS, TCP Express, TDR, TechXchange,
TMOS, TotALL, Traffic Management Operating System, Traffix Systems, Traffix Systems (DESIGN), Transparent
Data Reduction, UNITY, VAULT, vCMP, VE F5 [DESIGN], Versafe, Versafe [DESIGN], VIPRION, Virtual Clustered
Multiprocessing, WAF Express, WebSafe, We Make Apps Go [DESIGN], We Make Apps GO, and ZoneRunner, are
trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without
express written consent.

All other product and company names herein may be trademarks of their respective owners.

Patents
This product may be protected by one or more patents. See the F5 Patents page (https://www.f5.com/about/guidelines-policies/patents).

Notice
THE SOFTWARE, SCRIPTING, AND COMMAND EXAMPLES ARE PROVIDED “AS IS,” WITHOUT WARRANTY OF
ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES, OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE, SCRIPTING AND COMMAND EXAMPLES, OR THE USE OR OTHER
DEALINGS WITH THE SOFTWARE, SCRIPTING, AND COMMAND EXAMPLES.


Publication Date
This document was published in September 2017.

Copyright
Copyright © 2013-2017, F5 Networks®, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no
responsibility for the use of this information, nor any infringement of patents or other rights of third parties which
may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other
intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right
to change specifications at any time without notice.
