For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mike_Ho's avatar
Mike_Ho
Icon for Cirrus rankCirrus
May 11, 2009

Installed HF603 2.1.1 and controller list changed

I installed the hotfix rollup for 6.0.3 Sunday which went smoothly.

We have a broad deployment of the F5 Networks VPN Client which generally works very well.

When I ran the client after applying the hotfix it downloaded updates, since I have the following settings enabled for the client: 

 
 Automatically Update Components 
 Dynamically Download Session Settings During Logon

Now to my problems -

1) After updating, a host was added to the "Firepass Controller List" which I have not configured in the "customize client components" configuration section.

2) The client apparently automatically connects to this new host after updating, and users get an error. Why? Because my pre-logon inspection does not allow connections to the base URI of the server.

How can I prevent the F5 Networks VPN Client from adding entries to the Controller List when I have not configured them in the client configuration?

 

 

Why does it try to log on to the newly added controller after updating?

 

For example

For example, say my client has the following controllers configured:

https://foobar.domain.com/vpn1

https://foobar.domain.com/vpn2

https://bozboo.domain.com/vpn1

. . .

When the updates occur they are retrieved from (say) https://bozboo.domain.com/ and then a new entry is created in the controller list for "https://bozboo.domain.com/" and after updating the client tries connecting there and errors out since I don't allow logons to "https://bozboo.domain.com/" but instead require one of a set of landings.

Thoughts?
BIG-IP Access Policy Manager (APM)
remote access
security

3 Replies

  • mal_57091's avatar
    mal_57091
    Icon for Nimbostratus rankNimbostratus
    May 12, 2009
    Hi There,

     

     

    Under Device Management -> Client Downloads -> Windows (x86) -> Customize Client Components (tab) is the new host listed here? If so, delete it if its not needed.

     

     

    Also, on this same page, if you scroll all the way down to the bottom there is an option called "Dynamically Download Session Settings During Logon". If this is ticked in then it really doesn't matter what is configured on the FirePass client as it will be overriden by whats on the FirePass so you may want to check this out also.

     

     

    Cheers,

     

    Mal
  • Mike_Ho's avatar
    Mike_Ho
    Icon for Cirrus rankCirrus
    May 12, 2009
    Hiya Mal!

     

     

    Posted By mal on 05/12/2009 5:59 AM

     

    Hi There,

     

    Under Device Management -> Client Downloads -> Windows (x86) -> Customize Client Components (tab) is the new host listed here? If so, delete it if its not needed.

     

     

     

    No it is not listed there.

     

     

     

    Also, on this same page, if you scroll all the way down to the bottom there is an option called "Dynamically Download Session Settings During Logon". If this is ticked in then it really doesn't matter what is configured on the FirePass client as it will be overriden by whats on the FirePass so you may want to check this out also.

     

    Cheers,

     

    Mal

     

     

     

    Yes I do have that box checked. I was under the assumption that would keep the client controller list "synched" with the list I have configured on each Firepass, which is why I'm confused that one got added for me by the update.
  • Mike_Ho's avatar
    Mike_Ho
    Icon for Cirrus rankCirrus
    May 12, 2009
    My users are seeing this too, so it's not just one client install that got munged. I have a case open with F5 and hopefully they will help me find a way to prevent this. I have gotten a TON of calls from users about the udpate -> error -> new "default" controller added to the list.