Forum Discussion
SvenWil
Altostratus
AltostratusF5 VPN client + Endpoint Inspection
Hey guys,
I've got an issue that confuses me the more i look and read into it.
The issue
We have a web portal that is externally accessible where users (after MFA authentication) can login and start a F5 VPN client to access the corporate network. Upon logon we see a message stating it wants us to download a "Endpoint Inspection client components". If we download manually it's the file "f5epi_setup.exe"
The goal is to avoid this popup for our users.
What we currently do
From our network team i get a file "BIGIPEdgeClient.exe" (latest version 72.23.0428.0523"). I extract this file and there's a MSI-file "BIGIPComponentInstaller.exe". We install this silently through SCCM. This installs, as far as i understand it the F5 VPN-client (which works fine, we do not get the same popup as above).
The problem
I've read various support-articles:
- Installing BIG-IP Edge Client from the Windows command line (f5.com)
- BIG-IP Edge Client for Windows Component Installer (f5.com)
- Deployment options | BIG-IP Edge Client operations guide (f5.com)
- ...
The more i read, the more it confuses me. Specifically: how can i avoid this popup and preinstall the EndPoint Inspection client components? What am i missing?
Thanks in advance everyone!
SvenWilGood morning Lucas,
And thank you. This was indeed the bit i was missing. Thanks to your info everything works out fine now. Thanks a million ;-)
With regards,
Sven
- Lucas_Thompson
Employee
It sounds like you run Edge Client, enter connected mode, then it opens up a browser control, and then can't run the inspector ActiveX.
I believe there is a group policy setting that can disallow webview (also knows as "browser control", "embedded IE", "mini browser") from running ActiveX, which seems like what's going on here. The setting you want to enable is "run activex controls and plug-ins".
This should be enabled by default. Also the server URL should be in Trusted Sites.
Here's some additional information about that:
- Lucas_Thompson
This might be confusing because there are two different ways that the endpoint inspector can fire, depending on if the users are connecting with Edge Client or not.
If you're using Edge Client to start the VPN, it has special functions that recognize and start up the EPS process by calling the library directly.
If you're using a browser to start the VPN, the endpoint-inspection javascript code delivered to the browser tries to call a special URL scheme "f5-epi://" that should be registered to the EPI app. This is similar to how Zoom works to launch the Zoom thick app from a browser.
To get that endpoint inspector installed and registered as a URL scheme, choose these options when you create the Edge Client package from the big-ip GUI:
The inspector ones that should install that are "Endpoint Security", "Inspector Service", and "Web Browser Add-ons for BIG-IP Edge Client".
- SvenWil
Hello Lucas,
Following up on the above issue. Some users (a minority, yet to determine exact numbers) are seeing something unexpected after we upgraded some of our (test)users to the new VPN-client:
'a browser component is needed'
'1) Your current security settings prohibit running ActiveX controls on this page, or 2) You have blocked a publisher of one of the controls. As a result, the page might not display correctly."'
Are these notifications something that is known? I deploy with SCCM with the command:"msiexec /i "BIGIPComponentInstaller.msi" ALLUSERS=1 REBOOT=REALLYSUPPRESS /q /l*v %TEMP%\F5_BIGIP_Install.log" with a created installer package as advised above. Installation runs ok on all pc's.
'Install the addon and continue' or 'Continue without installing':
'Permission required':
Thanks in advance.
With kind regards,Sven
