Prevent BIG-IP Edge Client VPN Driver to roll back (or forward) during PPP/RAS errors
If you (like some of my customers) want to have the BIG-IP Edge Client packaged and distributed as a software package within your corporate infrastructure and therefore have switched off automatic component updates in your connectivity profiles, you might still get the covpn64.sys file upgraded or downgraded to the same version as the one installed on the BIG-IP APM server.
Background
We discovered that on some Windows clients the file covpn64.sys file got a newer/older timestamp in and started to investigate what caused this.
The conclusion was that sometimes after hibernation or sleep, the Edge Client is unable to open the VPN interface and therefore tries to reinstall the driver. However, instead of using a local copy of the CAB file where the covpn64.sys file resides, it downloads it from the APM server regardless of if the version on the server and client match each other or not.
In normal circumstances when you have automatic upgrades on the clients, this might not be a problem, however when you need to have full control on which version is being used on each connected client, this behavior can be a bit of a problem.
Removing the Installer Component?
Now you might be thinking, hey… Why don't you just remove the Component Installer module from the Edge Client and you won't have this issue. Well the simple answer to this is the fact that the Component Installer module is not only used to install/upgrade the client. In fact, it seems like it's also used when performing the Machine Check Info from the Access Policy when authenticating the user. So by removing the Component Installer module result in other issues.
The Solution/workaround
The Solution I came up with is to store each version of the urxvpn.cab file in an IFile and then use an iRule to deliver the correct version whenever a client tries to fetch the file for reinstallation.
What's needed?
In order to make this work we need to
- Grab a copy of urxvpn.cab from each version of the client
- Create an IFile for each of these versions
- Install iRule
- Attach iRule to the Virtual Server that is running the Access Policy
Fetching the file from the apmclients ISOs
For every version of the APM client that is available within your organization a corresponding iFile needs to be created. To create the iFiles automatically you can do the following on the APM server.
- Login to the CLI console with SSH
- Make sure you are in bash by typing bash
- Create temporary directories
mkdir /tmp/apm-urxvpn
mkdir /tmp/apm-iso
- Run the following (still in bash not TMSH) on the BIG-IP APM server to automatically extract the urxvpn.cab file from each installed image and save them in the folder /tmp/apm-urxvpn.
for c in /shared/apm/images/apmclients-*
do
version="$(echo "$c" | awk -F. \
'{gsub(".*apmclients-","");printf "%04d.%04d.%04d.%04d", $1, $2, $3, $4}')" && \
(mount -o ro $c /tmp/apm-iso
cp /tmp/apm-iso/sam/www/webtop/public/download/urxvpn.cab \
/tmp/apm-urxvpn/URXVPN.CAB-$version
umount /tmp/apm-iso)
done
- Check the files copied
ls -al /tmp/apm-urxvpn
- Import each file either with tmsh or with GUI. We will cover how to import with tmsh below. If you prefer to do it with the GUI, more information abour how to do it can be found in K13423
- You can use the following script to automatically import all files
cd /tmp/apm-uxrvpn
for f in URXVPN.CAB-*
do
printf "create sys file ifile $f source-path file:$(pwd)/$f\ncreate ltm ifile $f file-name $f\n" | tmsh
done
- Save the new configuration
tmsh -c “save sys config”
Time to create the iRule
when CLIENT_ACCEPTED {
ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
set uri [HTTP::uri]
set ua [HTTP::header "User-Agent"]
if {$uri starts_with "/vdesk" || $uri starts_with "/pre"} {
set version ""
regexp -- {EdgeClient/(\d{4}\.\d{4}\.\d{4}\.\d{4})} $ua var version
if {$version != ""} {
table set -subtable vpn_client_ip_to_versions [IP::client_addr] $version 86400 86400
} else {
log local0.debug "Unable to parse version from: $ua for IP: [IP::client_addr] URI: $uri"
}
} elseif {$uri == "/public/download/urxvpn.cab"} {
set version ""
regexp -- {EdgeClient/(\d{4}\.\d{4}\.\d{4}\.\d{4})} $ua var version
if {$version == ""} {
log local0.warning "Unable to parse version from: $ua, will search session table"
set version [table lookup -subtable vpn_client_ip_to_versions [IP::client_addr]]
log local0.warning "Version in table: $version"
}
if {$version == ""} {
log local0.warning "Unable to find version session table"
HTTP::respond 404 content "Missing version in request" "Content-Type" "text/plain"
} else {
set out ""
catch {
set out [ifile get "/Common/URXVPN.CAB-$version"]
}
if {$out == ""} {
log local0.error "Didn't find urxvpn.cab file for Edge Client version: $version"
HTTP::respond 404 content "Unable to find requested file for version $version\n" "Content-Type" "text/plain"
} else {
HTTP::respond 200 content $out "Content-Type" "application/vnd.ms-cab-compressed"
}
}
}
}
Add the iRule to the APM Virtual Server
Known Limitations
If multiple clients with different versions of the Edge Client are behind the same IP address, they might download the wrong version. This is due to the fact that the client doesn't present the version when the request for the file urxvpn.cab reaches the iRule. This is why the iRule tries to store IP addresses based on the source IP address of other requests related to the VPN.
More information about this problem can be found in K000132735