Overview

I’ve been using On-Demand VPN for a number of years as it’s a secure and easy way to access applications while on the road with the added benefit of conserving device battery life when idle.

On-Demand VPN is a simple concept. You define a domain or list of domains in the “Connect On Demand” settings. The Edge Client looks at the DNS requests made by the App (e.g Safari) and when the FQDN matches one of the defined domains, it fires up the VPN in the background and authenticates using a X.509 Client Certificate.

On-Demand VPN requires the installation of a X.509 Client Certificate on the iOS device, which can be provisioned using a number of tools. This article will not go into these tools, but I will give you a few ideas how to get the X.509 certificate on the device. Some of the methods I have used in the past:

  • Mobile Device Management (MDM) configured to use Simple Certificate Enrollment Protocol (SCEP)
  • iPhone Configuration Utility (iPCU)
  • Email the .p12 or .pfx file

When using X.509 Client Certificates, I highly recommend adding the User Principal Name (UPN), e.g. test.user@f5.demo to the Subject Alternative Name (SAN) extension. This allows APM to identify the user of the device and can be used for:

  • Single Sign On (SSO) using Kerberos or SAML
  • Active Directory / LDAP queries to determine group membership etc.
  • Logging and Reporting

In a large scale environment I recommend using MDM, SCEP, Certificate Authority (CA) and an OCSP Responder to verify the revocation status. This article will cover how to configure the APM to authenticate the user and establish the VPN tunnel automatically using the On-Demand feature.

My Example

In my working example, I have a pre-configured CA called “CA1” joined to the domain “f5.demo”. The iOS device has the client certificate (Test User) installed with a UPN “test.user@f5.demo” in the SAN extension. This certificate has been issued by CA1 and is trusted by the iOS device. I have also installed the F5 Edge Client via the App Store.

Step 1 – Import the SSL Certificates

1.1 Import the SSL Certificate/Key that will be used for SSL VPN connection

System >> File Management >> SSL Certificate List

Please follow SOL14620: Managing SSL certificates for BIG-IP systems

My configuration looks like this:

1.2 Import Certificate Authority Certificate that is signing the Client Certificates

Repeat Step 1.1 but this time you need to import the CA Certificate (without the Key) that is signing the User Certificates. It should look something similar to this:

Step 2 – Create a Client SSL Profile

Local Traffic >> Profiles >> SSL >> Client >> “Create”

Supply the following:

  • Name: vpn.f5.demo_ssl_profile
  • Parent Profile: clientssl
  • Certificate: vpn.f5.demo
  • Key: vpn.f5.demo
  • Trusted Certificate Authorities: CA1

Select “Finished” to save.

Step 3 – Create the APM Configuration

In this example I will use an On-Demand Certificate Authentication to validate the client certificate and some TCL to extract the UPN from the SAN extension. After successful authentication, a VPN tunnel is then assigned and established. You can expand on this configuration by adding an OCSP Responder to check if the certificate has been revoked. Simply modify the Names, IP addresses, DNS etc. to suit your environment.

3.1 Create a Webtop

Access Policy >> Webtop >> Webtop List >> “Create”

Supply the following:

  • Name: vpn_webtop
  • Type: Full

Select “Finished” to save.

3.2 Create a Connectivity Profile

Access Policy >> Secure Connectivity >> Connectivity Profile >> “Create”

Supply the following:

  • Name: vpn_cp
  • Parent Profile: connectivity

Select “Finished” to save.

3.3 Create a Lease Pool

Access Policy >> Network Access >> Lease Pools >> IPv4 Lease Pools >> “Create”

Supply the following:

  • Name: vpn_lease_pool_10.123.123.0
  • Start IP Adddress: 10.123.123.1
  • End IP Address: 10.123.123.254
  • Select “Add”

Select “Finished” to save.

3.4 Create a Network Access

Access Policy >> Network Access >> Network Access List >> “Create”

Supply the following:

  • Name: vpn_na
  • Caption: SSL VPN

Select “Update” to save.

Under “Network Settings”.

Supply the following:

  • IPV4 Lease Pool: vpn_lease_pool_10.123.123.0
  • Traffic Options: Use split tunneling for traffic (select appropriate option for your environment)
    • IP Address: 10.0.0.0
    • Mask: 255.0.0.0
  • Select “Add”

Select “Update” to save.

 

Under “DNS/Hosts”

Supply the following:

  • IPV4 Primary Name Server: 10.10.20.1
  • DNS Default Domain Suffix: f5.demo

Select “Update” to save.

3.5 Create an Access Policy

We can now bring it all together using the Visual Policy Editor (VPE).

Access Policy >> Access Profiles >> Access Profile List >> “Create”

Supply the following:

  • Name: vpn.f5.demo_ap
  • Languages: English (en)
  • Use the default settings for all other settings.

Select “Finished” to save.

Screen Shot 2014-07-09 at 6.16.18 pm

3.6 Edit the Access Policy in the VPE

Access Policy >> Access Profiles >> Access Profile List >> “Edit” (vpn.f5.demo_ap)

On the fallback branch after the Start object, add an On-Demand Cert Auth object.

  • Leave the defaults and “Save”.

On the Successful branch after the On-Demand Cert Auth object, add a Variable Assign object.

Supply the following:

  • Name: Extract UPN
  • Add the following variable assignments by selecting “Add new entry” >> “change”.

Variable Assignment 1:

  • Custom Variable (Unsecure): session.logon.last.domain
  • Custom Expression:

    set upn [mcget {session.logon.last.upn}];

    if {[string first "@" $upn] >= 0} {
      return [string range $upn [expr { [string first "@" $upn] + 1 } ] end ];
      } else {
      return "";
    }

Variable Assignment 2:

  • Custom Variable (Unsecure): session.logon.last.username
  • Custom Expression:

    set upn [mcget {session.logon.last.upn}];

    if {[string first "@" $upn] >= 0} {
      return [string range $upn 0 [expr { [string first "@" $upn] - 1 } ] ];
      } else {
      return $upn;
    }

Variable Assignment 3:

  • Custom Variable (Unsecure): session.logon.last.upn
  • Custom Expression:

    set e_fields [split [mcget {session.ssl.cert.x509extension}] "\n"];

    foreach qq $e_fields {
      if {[string first "othername:UPN" $qq] >= 0} {
      return [string range $qq [expr { [string first "<" $qq] + 1 } ] [expr { [string first ">" $qq] - 1 } ] ];
      }
    }

    return "";

Select “Finished”, then “Save” when your done.

Screen Shot 2014-07-10 at 9.37.14 am

The VPE should look similar to this:

Screen Shot 2014-07-10 at 9.39.33 am

On the fallback branch after the Extract UPN object, add a Full Resource Assign object.

Supply the following:

  • Name: SSL VPN
  • Select “Add new entry” >> “Add/Delete”
  • Add the Webtop: /Common/vpn_webtop (from step 3.1)
  • Add the Network Access: /Common/vpn_na (from step 3.4)

Select “Update” then “Save”.

On the fallback branch after the SSL VPN object, change Deny ending to Allow. The finished policy should look similar to this:

Step 4 – Create the Virtual Server for SSL VPN

In this step, you need to create a HTTPS Virtual Server (VS) for the Edge Client to establish the connection. I also recommend creating a DTLS VS in addition to the HTTPS VS. This configuration is well documented in the APM Manual and I will not go through the DTLS VS creation.

4.1 Create the HTTP VS

Local Traffic >> Virtual Servers >> Virtual Server List >> “Create”

Supply the following:

  • Name: vpn.f5.demo_https_vs
  • Destination: 10.10.20.100
  • Service Port: HTTPS
  • HTTP Profile: http
  • SSL Profile (Client): vpn.f5.demo_ssl_profile (from step 2)
  • SNAT Pool: Auto Map
  • Access Profile: vpn.f5.demo_ap (from step 3.5)
  • Connectivity Profile: vpn_cp (from step 3.2)

Select “Finished" to save.

Step 5 – Configure the Edge Client on the iOS device and Test

5.1 Create a new Edge Client Configuration

  • Open the Edge Client and select “Settings” then “Add Configuration…”
  • Supply the following:
    • Description: On Demand VPN
    • Server: vpn.f5.demo
    • Use Certificate: On
    • Certificate: Test User
    • Connect On Demand: On
  • Select Domain List
  • Add Domain…
    • In my example: demo.vpn
  • Don’t forget to Save

5.2 Test

Open Safari and access a URL that will cause the VPN trigger. In my example http://intranet.demo.vpn, a Sharepoint site. The VPN will start up when it sees the DNS query for intranet.demo.vpn and the data will flow across the VPN as per the Network Access settings.

IMG_0043

Conclusion

On-Demand VPN with APM is a simple way to enable the workforce by providing a secure and easy to use remote access solution while out of the office.