
BIG-IP® Access Policy Manager Tech Note for BIG-IP® Edge Client App for iOS


Contents

What is BIG-IP Edge Client app for iOS?

About supported authentication types

About establishing VPN connections

Running the Network Access Setup Wizard

Customizing an access policy to support BIG-IP Edge Client app

List of session variables to identify iOS clients

Session variables to identify iOS clients

About access policies for BIG-IP Edge Client app

About the basic access policy example to support BIG-IP Edge Client app

Additional Access Policy Manager configuration information

Additional Edge Client information


OpenTopic | What is BIG-IP Edge Client app for iOS? | 3

What is BIG-IP Edge Client app for iOS?

The BIG-IP® Edge Client app for iOS provides full network access through BIG-IP® Access Policy Manager. Using network access, users can run applications such as RDP, SSH, Citrix, and VMware View, as well as other enterprise applications, on their iOS devices.

For information on how to use the BIG-IP Edge Client app, refer to the online user guide for the Edge client on your iOS device.

BIG-IP Edge Client app features include:

• N-factor auth (at least two input fields, password and passcode) support

• Username/password, client certificate, RSA SecurID support

• Multiple input field support

• Credential caching support

• Split tunneling support

• Support for roaming between 3G and WiFi networks

• Landing URI support

• Logging support to report issues

About supported authentication types

The BIG-IP® Edge Client app for iOS devices provides the following authentication methods.

Authentication method: Description

VPN On-Demand: Provides the following two options:

• Client certificate

• Client certificate + Username and Password (no runtime prompt)

Regular Logon: Provides the following two options:

• Username and Password

• Client certificate + Username and Password (prompt if password is empty)

Web Logon: Provides the following two options:

• Username and Password

• Username/password + RSA + any other server-side checks

Note: With RSA token-based authentication, due to an iOS platform limitation, if you switch away from the Edge Client to retrieve the token, when you switch back, you must retype your credentials.

Note: Client certificate is currently not supported for the web logon authentication method.


About establishing VPN connections

The BIG-IP® Edge Client app for iOS provides users with two options to establish a VPN tunnel connection. A user can start a tunnel connection explicitly with the Edge Client application, or implicitly through the iOS VPN On-Demand functionality.

For example, a connection can be configured to automatically trigger whenever a certain domain or hostname pattern is matched.

VPN On-Demand considerations:

• VPN On-Demand configuration is only allowed if the client certificate authentication method is used (legacy logon mode). Username and Password could be used along with the client certificate, but are optional.

• If a connection is initiated by VPN On-Demand, user intervention is not allowed. For example, the connection will fail if a password is not supplied in the configuration but is needed for authentication. RSA authentication is also not supported for VPN On-Demand configuration.

• If you use VPN On-Demand, only 2 authentication types are supported. In order to add additional credential authentication for this type of configuration, you must perform additional configurations through the app, after you have imported the configuration profile.

Running the Network Access Setup Wizard

Although optional, you can also set up SSO and ACLs for your network access. Refer to the BIG-IP Access Policy Manager Administrative Guide on AskF5.com for instructions.

Running the Network Access Setup Wizard for Remote Access allows you to quickly configure Access Policy Manager to perform the necessary authentication setup, lease pool, DNS servers, and other configurations required to set up your users so that they can achieve full network access using their iOS devices.

1. Configure the following settings in the wizard to ensure that your users can connect to the BIG-IP Edge Client app:

a) Uncheck the Enable Antivirus Check in Access Policy box.

2. Click Finished.

You have just completed configuring a network access to support the Edge Client for iOS devices.

The next task is to create an access policy.

Customizing an access policy to support BIG-IP Edge Client app

1. On the Main tab, click Access Policy > Access Profiles. The Access Profile List screen opens.

2. Click the Edit link for the profile you want to configure to launch the visual policy editor.

The visual policy editor opens the access profile in a separate window or tab.

3. Click the plus [+] sign that appears before the Logon Page action.

4. Under Server Side Checks, select UI Mode, and click Add Item.

5. Click Save.

The UI Mode action is added to the access policy, and several new branches appear.

6. On the Standalone Client branch of the UI Mode action, click the plus [+] sign.

7. Under General Purpose, select Empty, and click Add Item.

8. Click the Branch Rules tab.

9. Rename the new branch rule Branch Rule n to iOS Edge Client.

10. Next to Expression: Empty click the change link.


11. Click the Advanced tab.

12. Type the following rule in the box:

    expr { [mcget {session.client.platform}] == "iOS" }

13. Add the network access resource to the branch.

14. Click Save.

You have just customized your access policy to support the Edge Client app for iOS.

List of session variables to identify iOS clients

Refer to the following table for a list of session variables and their attributes.

Session variables to identify iOS clients

Session variables for iOS devices

Session Variable: Description

session.ui.mode: Provides the result ui mode of 7.

session.client.type: Indicates the client type, such as Standalone.

session.client.platform: Indicates the platform type, such as iOS.

session.client.agent: Indicates the browser, type of iOS device, and OS version used, and the version of the Edge Client.
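
The branch rule in the procedure above tests only session.client.platform. The following Python script is an added example, not part of the F5 tech note: it cross-checks the other variables in the table for sessions that took the iOS branch. The dict-based record format, the function names, and the sample values are assumptions constructed for illustration.

```python
# Added example: cross-check exported APM session variables against the values
# the tech note lists for iOS Edge Client sessions.

# Values the note documents for an iOS Edge Client session.
DOCUMENTED_IOS_VALUES = {
    "session.ui.mode": "7",
    "session.client.type": "Standalone",
    "session.client.platform": "iOS",
}


def takes_ios_branch(session):
    """Python equivalent of: expr { [mcget {session.client.platform}] == "iOS" }"""
    return session.get("session.client.platform") == "iOS"


def audit_session(session):
    """Return (branch, mismatches) for one session's variables (a dict).

    branch: the branch the rule above selects for this session.
    mismatches: documented iOS variables whose value disagrees, reported only
    for sessions that took the iOS branch.
    """
    if not takes_ios_branch(session):
        return "Fallback", []
    mismatches = [
        f"{name}={session.get(name)!r}, documented value {want!r}"
        for name, want in DOCUMENTED_IOS_VALUES.items()
        if session.get(name) != want
    ]
    return "iOS Edge Client", mismatches


# Constructed sample records; the agent strings are placeholders, not real
# Edge Client user agents.
SAMPLE_SESSIONS = {
    "consistent": {"session.ui.mode": "7", "session.client.type": "Standalone",
                   "session.client.platform": "iOS",
                   "session.client.agent": "<constructed agent string>"},
    "inconsistent": {"session.ui.mode": "0", "session.client.type": "Other",
                     "session.client.platform": "iOS",
                     "session.client.agent": "<constructed agent string>"},
    "not_ios": {"session.ui.mode": "0", "session.client.type": "Other",
                "session.client.platform": "Other"},
}

if __name__ == "__main__":
    for label, variables in SAMPLE_SESSIONS.items():
        branch, mismatches = audit_session(variables)
        print(f"{label}: branch={branch}; review={mismatches or 'none'}")
```

A session that reaches the iOS branch with a non-empty mismatch list is worth reviewing before relying on the platform value alone to assign the network access resource.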


About access policies for BIG-IP Edge Client app

In your configuration, you might be required to configure separate access policy branches for the BIG-IP® Edge Client app.

The BIG-IP Edge Client app does not support client-side checks. There are a number of ways you can configure an access policy to allow a network access connection for iOS clients. The following methods can work:

• Start the access policy with the Client-Side Check Capability check. This provides a branch for clients that do not support client-side checks, including iOS devices. Assign authentication and a network access resource to this branch.

• Use an existing access policy with client-side checks. The iOS device will fail to the fallback branch of the first client-side check. Assign authentication and a network access resource to this branch.

• Create a specific branch for iOS clients. You can use an empty action and session variables to identify the iOS client. On the branch you identify for iOS clients, add authentication and assign a network access resource for iOS devices.

About the basic access policy example to support BIG-IP Edge Client app

Configure an access policy branch that gives mobile device users access through the BIG-IP Edge Client app, and provide a Fallback branch for non-mobile device users.

This example displays a simple access policy.

Basic access policy to support Edge Client


Additional Access Policy Manager configuration information

Refer to the following table for tips to ensure that you successfully set up the BIG-IP® Edge Client app for iOS devices.

Additional Edge Client information

Feature and Information

Feature: Information

VPN On-Demand: A connection cannot be established if the server has an invalid certificate. To work around this issue, the invalid certificate must be manually imported onto the device.

Proxy servers: There is currently no support for either public or private-side proxy servers.

Client endpoint checks: There is currently no support for client end-point checks.

Password caching policy:

• Under Client Policy, if Enforce session settings is not enabled, clients are allowed to save their encrypted password on disk, regardless of what settings were configured under Session Settings.

• Under the Password Caching Options, if you set Cache password within application for a specific amount of time, after a successful logon, the submitted credentials are cached until one of the following occurs:

    • the specified credential cache duration expires

    • the server address of the configuration within the app changes

    • the username of the configuration within the app changes

    • the Edge Client user switches between configurations and makes a new connection

    • the configuration is deleted and a new one is created

On the iOS client device, when a user clicks Disconnect, terminates the application, or restarts the device, cached credentials are not cleared until the specified cache time.

Client certificates: Client certificate authentication is supported, either with a certificate alone or with a certificate secured with a username and password. Client certificate authentication is not supported for the web logon option.

On-Demand Cert Auth: If used, the On-Demand Cert Auth action must be placed after other authentication actions in the access policy.
