APM Cookbook: On-Demand VPN for iOS Devices
Overview
I’ve been using On-Demand VPN for a number of years as it’s a secure and easy way to access applications while on the road with the added benefit of conserving device battery life when idle.
On-Demand VPN is a simple concept. You define a domain or list of domains in the “Connect On Demand” settings. The Edge Client looks at the DNS requests made by the App (e.g Safari) and when the FQDN matches one of the defined domains, it fires up the VPN in the background and authenticates using a X.509 Client Certificate.
On-Demand VPN requires the installation of a X.509 Client Certificate on the iOS device, which can be provisioned using a number of tools. This article will not go into these tools, but I will give you a few ideas how to get the X.509 certificate on the device. Some of the methods I have used in the past:
- Mobile Device Management (MDM) configured to use Simple Certificate Enrollment Protocol (SCEP)
- iPhone Configuration Utility (iPCU)
- Email the .p12 or .pfx file
When using X.509 Client Certificates, I highly recommend adding the User Principal Name (UPN), e.g. test.user@f5.demo to the Subject Alternative Name (SAN) extension. This allows APM to identify the user of the device and can be used for:
- Single Sign On (SSO) using Kerberos or SAML
- Active Directory / LDAP queries to determine group membership etc.
- Logging and Reporting
In a large scale environment I recommend using MDM, SCEP, Certificate Authority (CA) and an OCSP Responder to verify the revocation status. This article will cover how to configure the APM to authenticate the user and establish the VPN tunnel automatically using the On-Demand feature.
My Example
In my working example, I have a pre-configured CA called “CA1” joined to the domain “f5.demo”. The iOS device has the client certificate (Test User) installed with a UPN “test.user@f5.demo” in the SAN extension. This certificate has been issued by CA1 and is trusted by the iOS device. I have also installed the F5 Edge Client via the App Store.
Step 1 – Import the SSL Certificates
1.1 Import the SSL Certificate/Key that will be used for SSL VPN connection
System >> File Management >> SSL Certificate List
Please follow SOL14620: Managing SSL certificates for BIG-IP systems
My configuration looks like this:
1.2 Import Certificate Authority Certificate that is signing the Client Certificates
Repeat Step 1.1 but this time you need to import the CA Certificate (without the Key) that is signing the User Certificates. It should look something similar to this:
Step 2 – Create a Client SSL Profile
Local Traffic >> Profiles >> SSL >> Client >> “Create”
Supply the following:
- Name: vpn.f5.demo_ssl_profile
- Parent Profile: clientssl
- Certificate: vpn.f5.demo
- Key: vpn.f5.demo
- Trusted Certificate Authorities: CA1
Select “Finished” to save.
Step 3 – Create the APM Configuration
In this example I will use an On-Demand Certificate Authentication to validate the client certificate and some TCL to extract the UPN from the SAN extension. After successful authentication, a VPN tunnel is then assigned and established. You can expand on this configuration by adding an OCSP Responder to check if the certificate has been revoked. Simply modify the Names, IP addresses, DNS etc. to suit your environment.
3.1 Create a Webtop
Access Policy >> Webtop >> Webtop List >> “Create”
Supply the following:
- Name: vpn_webtop
- Type: Full
Select “Finished” to save.
3.2 Create a Connectivity Profile
Access Policy >> Secure Connectivity >> Connectivity Profile >> “Create”
Supply the following:
- Name: vpn_cp
- Parent Profile: connectivity
Select “Finished” to save.
3.3 Create a Lease Pool
Access Policy >> Network Access >> Lease Pools >> IPv4 Lease Pools >> “Create”
Supply the following:
- Name: vpn_lease_pool_10.123.123.0
- Start IP Adddress: 10.123.123.1
- End IP Address: 10.123.123.254
- Select “Add”
Select “Finished” to save.
3.4 Create a Network Access
Access Policy >> Network Access >> Network Access List >> “Create”
Supply the following:
- Name: vpn_na
- Caption: SSL VPN
Select “Update” to save.
Under “Network Settings”.
Supply the following:
- IPV4 Lease Pool: vpn_lease_pool_10.123.123.0
- Traffic Options: Use split tunneling for traffic (select appropriate option for your environment)
- IP Address: 10.0.0.0
- Mask: 255.0.0.0
- Select “Add”
Select “Update” to save.
Under “DNS/Hosts”
Supply the following:
- IPV4 Primary Name Server: 10.10.20.1
- DNS Default Domain Suffix: f5.demo
Select “Update” to save.
3.5 Create an Access Policy
We can now bring it all together using the Visual Policy Editor (VPE).
Access Policy >> Access Profiles >> Access Profile List >> “Create”
Supply the following:
- Name: vpn.f5.demo_ap
- Languages: English (en)
- Use the default settings for all other settings.
Select “Finished” to save.
3.6 Edit the Access Policy in the VPE
Access Policy >> Access Profiles >> Access Profile List >> “Edit” (vpn.f5.demo_ap)
On the fallback branch after the Start object, add an On-Demand Cert Auth object.
- Leave the defaults and “Save”.
On the Successful branch after the On-Demand Cert Auth object, add a Variable Assign object.
Supply the following:
- Name: Extract UPN
- Add the following variable assignments by selecting “Add new entry” >> “change”.
Variable Assignment 1:
- Custom Variable (Unsecure): session.logon.last.domain
- Custom Expression:
set upn [mcget {session.logon.last.upn}];
if {[string first "@" $upn] >= 0} {
return [string range $upn [expr { [string first "@" $upn] + 1 } ] end ];
} else {
return "";
}
Variable Assignment 2:
- Custom Variable (Unsecure): session.logon.last.username
- Custom Expression:
set upn [mcget {session.logon.last.upn}];
if {[string first "@" $upn] >= 0} {
return [string range $upn 0 [expr { [string first "@" $upn] - 1 } ] ];
} else {
return $upn;
}
Variable Assignment 3:
- Custom Variable (Unsecure): session.logon.last.upn
- Custom Expression:
set e_fields [split [mcget {session.ssl.cert.x509extension}] "\n"];
foreach qq $e_fields {
if {[string first "othername:UPN" $qq] >= 0} {
return [string range $qq [expr { [string first "<" $qq] + 1 } ] [expr { [string first ">" $qq] - 1 } ] ];
}
}return "";
Select “Finished”, then “Save” when your done.
The VPE should look similar to this:
On the fallback branch after the Extract UPN object, add a Full Resource Assign object.
Supply the following:
- Name: SSL VPN
- Select “Add new entry” >> “Add/Delete”
- Add the Webtop: /Common/vpn_webtop (from step 3.1)
- Add the Network Access: /Common/vpn_na (from step 3.4)
Select “Update” then “Save”.
On the fallback branch after the SSL VPN object, change Deny ending to Allow. The finished policy should look similar to this:
Step 4 – Create the Virtual Server for SSL VPN
In this step, you need to create a HTTPS Virtual Server (VS) for the Edge Client to establish the connection. I also recommend creating a DTLS VS in addition to the HTTPS VS. This configuration is well documented in the APM Manual and I will not go through the DTLS VS creation.
4.1 Create the HTTP VS
Local Traffic >> Virtual Servers >> Virtual Server List >> “Create”
Supply the following:
- Name: vpn.f5.demo_https_vs
- Destination: 10.10.20.100
- Service Port: HTTPS
- HTTP Profile: http
- SSL Profile (Client): vpn.f5.demo_ssl_profile (from step 2)
- SNAT Pool: Auto Map
- Access Profile: vpn.f5.demo_ap (from step 3.5)
- Connectivity Profile: vpn_cp (from step 3.2)
Select “Finished" to save.
Step 5 – Configure the Edge Client on the iOS device and Test
5.1 Create a new Edge Client Configuration
- Open the Edge Client and select “Settings” then “Add Configuration…”
- Supply the following:
- Description: On Demand VPN
- Server: vpn.f5.demo
- Use Certificate: On
- Certificate: Test User
- Connect On Demand: On
- Select Domain List
- Add Domain…
- In my example: demo.vpn
- Don’t forget to Save
5.2 Test
Open Safari and access a URL that will cause the VPN trigger. In my example http://intranet.demo.vpn, a Sharepoint site. The VPN will start up when it sees the DNS query for intranet.demo.vpn and the data will flow across the VPN as per the Network Access settings.
Conclusion
On-Demand VPN with APM is a simple way to enable the workforce by providing a secure and easy to use remote access solution while out of the office.
Published Jul 25, 2014
Version 1.0
Smithy
Cirrostratus
CirrostratusSmithyCirrostratus
Cirrostratus
Robell_Pontes_7Nimbostratus
really useful stuff. Thanks
Toby_Garcia_146Altostratus
Found a TCL syntax error in the ‘Variable Assignment 3’ iRule, used to populate session.logon.last.upn. It worked properly in 11.4.1, but stopped working after upgrading to 11.6.0. There is a missing semicolon between the final curly brace and return. Here's the corrected expression: set e_fields [split [mcget {session.ssl.cert.x509extension}] "\n"]; foreach qq $e_fields { if {[string first "othername:UPN" $qq] >= 0} { return [string range $qq [expr { [string first "<" $qq] + 1 } ] [expr { [string first ">" $qq] - 1 } ] ]; } }; return "";- pradeepkumar020hai brett, ... this is very helpful.... but i have one doubt..... by the scenario which you explained above, all the users who is having certificate issued by the same CA which we kept in trusted CA can access the resources right ??? Is there any scenario like even all users having cerificates issued by same CA, cant use resource ... i mean only particular users can access the resources by using the details in cerificate....
Maarten_BrugmanHi Brett (or colleague), useful cookbook! In the per-app VPN setup, can I specify somewhere which apps can access the VPN tunnel? I want only the apps that I specify, to be able to access a specific endpoint. If not, any app can access internal endpoints, and this is a security risk.
- brad_11480
Is there a way to keep the VPN always on once it fires up??
Basically want it to fire up on demand but once it is setup it should not go away even if the application goes idle..This is now using the Access VPN that replaced the Edge for iOS.
thanks so much.
SmithyHi Maarten,
 
Please refer to:
 
https://devcentral.f5.com/s/articles/solving-secure-mobile-access-with-f5-and-ios-7-per-app-vpn-part-1 https://devcentral.f5.com/s/articles/solving-secure-mobile-access-with-f5-and-ios-7-per-app-vpn-part-2
 
You need to configure a SOCKS proxy.
 
- Smithy
Hi Brad,
On the APM side, you would need to change the Inactivity Timeout: If there is no activity (defined by the Session Update Threshold and Session Update Window settings in the Network Access configuration) between the client and server within the specified threshold time, the system closes the current session. By default, the timeout is 900 seconds. However, if an inactivity timeout value is set, when server traffic exceeds the specified threshold, the inactivity timeout is reset. To disable the inactivity timeout, set the Inactivity Timeout to 0.
On the iOS side, I'm not 100% of the behaviour when the device goes to sleep, I would assume the VPN would disconnect and would require another On-Demand request to re-establish.
Cheers,
Brett
- TSSRShot
I am having an issue where I am trying to do mostly the same thing in your article (now using F5 Access instead of F5 Edge), however, I am uncertain how to tackle the Sharepoint Part. I'm not an SSO, Claims, or STS type expert. When I do this with a browser separate from VPN I notice that I get a temporary redirect to an STS server, is it possible to do this on behalf of the user in order to allow non-certificate aware application to access SharePoint (like WebDAV for instance).
Thank you! and great article.
- brad_11480
Thanks Brett. That explains it fairly well. I found another document that described the behavior when the device goes to sleep.... article K13832.. https://support.f5.com/csp/article/K13832
Basically it will disconnect the VPN. When the device wakes up the on-demand will resume. Which I assume means that it will remain disconnected until a reference is made to cause it to fire up.
But we are now running into a situation where it doesn't seem to be waiting for an 'on-demand' domain reference to occur. it will fire up as soon as the device wakes up.. but we might have a misconfiguration. What is the on-demand action if there are no domains listed in any of the three categories?? does that mean that it will fire up when active? We are finding out why the MDM didn't set the list up even though it seems to have been configured to do so-- it just isn't appearing on the device). Hoping he solution is simple, but all if this is helping us understand how this thing behaves..
- Smithy
Hi TSSRShot,
 
STS Server? Sounds like you have ADFS performing SSO? You will need to use a Kerberos SSO configuration applied to the SSL VPN Tunnel VLAN.
 
Similar to my other article: https://devcentral.f5.com/s/articles/apm-cookbook-single-sign-on-sso-using-kerberos
 
Cheers,
 
Brett