Frequently Asked Questions - F5 Access 2018

FAQ - F5 Access 2018

1. (Introduction): What are F5 Networks’ plans for F5 Access and F5 Access 2018 long-term?

   1. F5 is committed to providing the latest in SSL VPN technology to its users. Long-term, F5 Networks will focus on providing F5 Access 2018 users with the newest features and bug-fixes necessary for secure remote access. F5 Access will continue to be fully supported until it is transitioned to “Legacy F5 Access” in Fall 2018.

2. What are the differences between the F5 Access and F5 Access 2018 applications?

   1. F5 Access and F5 Access 2018 are both SSL VPN applications that are published by F5 Networks on the App Store to provide secure access to enterprise applications. F5 Access 2018 uses Apple’s Network Extension framework to deliver SSL VPN functionality, whereas F5 Access utilizes an older Apple-provisioned plug-in framework. F5 Access will be deprecated over time, but continues to be deployed in many enterprise environments. 

3. Which application should my organization use?

   1. F5 Access supports Apple iOS v10 and later; it remains the recommended version for organizations that want to leverage the full feature set offered today. F5 Access 2018 will support Apple iOS v11.0 and later.
   2. F5 Access 2018 and F5 Access Differences: Configuration Deployment

VPN Type	Manual Configured	MDM Configured
Device-wide VPN	No Client Certificate import in F5 Access 2018 User has to permit adding the first configuration	VPNSubType change:  F5 Access: com.f5.F5-Edge-Client.vpnplugin F5 Access 2018: com.f5.access.ios Managed user configuration mode is not supported in F5 Access 2018
Per-App VPN	N/A	VPNSubType change:  F5 Access: com.f5.F5-Edge-Client.vpnplugin F5 Access 2018: com.f5.access.ios Extra key ProviderType must be set to "packet-tunnel" in F5 Access 2018 Key PerAppVpn is no longer required in VendorConfig dictionary in F5 Access 2018

 

     iii. F5 Access 2018 and F5 Access Differences: VPN Establishment

VPN Type	Manual	On-Demand
Device-wide VPN	F5 Access 2018: Notifications must be enabled for any user prompts or weblogon interactions User is able to save password during connection establishment in native mode if 'save password' is set to 'disk' on BIG-IP	F5 Access 2018: Notifications must be enabled for any user prompts or weblogon interactions. With mechanism of notifications following is supported in F5 Access 2018: Web Logon mode; Authentication prompt in native mode; Device authentication
Per-App VPN	N/A	Per-App VPN cannot be established if user interaction is required. For F5 Access 2018, configure the F5 Access policy so that user interaction is not required to establish the VPN connection.

 

1. F5 Access 2018 and F5 Access Differences: BIG-IP Configuration

   1. Configuring BIG-IP for Per-App VPN
      • Virtual server changes:
        1. Application Tunnels (Java & Per-App VPN) option is no longer needed to be enabled
      • Access policy changes:
        1. Since per-app VPN is L3 tunnel in F5 Access 2018 following resources must be assigned to access policy:
           1. Network Access resource
           2. Webtop
   2. Enforce Logon Mode Support
      • Admin can enforce logon mode on server side in the connectivity profile. 
      • User cannot change Web Logon option value if it's enforced by BIG-IP.

2. ATS-related changes in F5 Access 2018

   1. Plain text HTTP connections are no longer allowed, and HTTPS with the strongest TLS configuration (TLS 1.2 and PFS cipher suites) is required.
   2. Self-signed certificates are not supported (unless CA certificate is set to Trusted on device)

3. Client Cert Authentication

   1. Client Certificate Authentication Is Not Supported in Web Logon mode.
   2. If you want to use client certificate, it can only be installed via configuration profile (.mobileconfig file) or by your MDM service. 

4. What are the support terms for F5 Access and F5 Access 2018?

   1. F5 Networks will continue to support both F5 Access and F5 Access 2018 applications simultaneously, but will announce the updated legacy support terms for the F5 Access iOS application in Fall 2018.

5. Can both F5 Access and F5 Access 2018 applications coexist on iOS devices?

   1. Yes, both applications can coexist on iOS devices, although it is neither recommended nor supported by F5 Networks.

6. Do I need to change my MDM configurations when transitioning from F5 Access to F5 Access 2018? 

   1. F5 Access and F5 Access 2018 have different App IDs, so when deploying F5 Access 2018 any existing MDM policies that include the F5 Access application should be re-purposed for the F5 Access 2018 application.
   2. All cached F5 Access application data should be removed before deploying and using the F5 Access 2018 application. This includes: saved configurations and certificates.
   3. Certificates that were previously deployed for F5 Access can be re-distributed for F5 Access 2018.

7. Are there any usability changes in the F5 Access 2018 application?

   1. There are some minor usability changes in the F5 Access 2018 application. These are described in more detail below:
      1. Initially Launching F5 Access 2018
         • Upon the initial launch of the F5 Access 2018 the user is prompted with the following message: “F5 Access 2018” Would Like to Send You Notifications may include alerts, sounds, and icon badges. These can be configured in Settings.
         • It is imperative that the user allow this particular prompt because if he/she doesn’t accept the application will not be able to display prompts necessary to allow native authentication and web logon for multi-factor authentication.
         • Granting initial access to the F5 Access 2018 creates a more seamless user experience. Due to changes in Network Extension, only when user interface interaction is required is the user prompted with modal windows; otherwise the F5 Access 2018 runs quietly in the background.
      2. Adding VPN Configurations
         • Adding a VPN configuration results in an additional prompt for permission to create the configuration after the user selects the Save button. Please note: prompt is shown only for 1^st configuration. For 2^nd configuration and all further configurations prompt won’t be shown. 
         • If the device is secured with a password, pin, or TouchID authentication methods, the user will be prompted to authenticate.
         • If the user selects “Don’t Allow” in the Add Configuration modal window, the configuration fails to save.

8. Are there specific hardware limitations for using F5 Access or F5 Access 2018?

   1. No, F5 Access and F5 Access 2018 can be used from any iOS device including all versions historically available for the following models: iPhones, iPad, and iPod touch. 

9. How should I setup a VPN-profile for F5 Access 2018 in Mobile Device Management solution?

   1. Device-wide VPN profile:
      1. Add VPN profile
      2. Select Connection type: “Custom”
      3. Set Identifier to “com.f5.access.ios”
      4. Complete the rest of configuration as needed.
   2. Per-app VPN profile:
      1. Add VPN profile
      2. Select Connection type: “Custom”
      3. Set Identifier to “com.f5.access.ios”
      4. Select Provider Type: “Packet Tunnel”
      5. Complete the rest of configuration as needed.