APM Cookbook: On-Demand VPN for iOS Devices
Overview
I’ve been using On-Demand VPN for a number of years as it’s a secure and easy way to access applications while on the road with the added benefit of conserving device battery life when idle.
On-Demand VPN is a simple concept. You define a domain or list of domains in the “Connect On Demand” settings. The Edge Client looks at the DNS requests made by the App (e.g. Safari) and when the FQDN matches one of the defined domains, it fires up the VPN in the background and authenticates using an X.509 Client Certificate.
On-Demand VPN requires the installation of an X.509 Client Certificate on the iOS device, which can be provisioned using a number of tools. This article will not go into these tools, but I will give you a few ideas on how to get the X.509 certificate onto the device. Some of the methods I have used in the past:
- Mobile Device Management (MDM) configured to use Simple Certificate Enrollment Protocol (SCEP)
- iPhone Configuration Utility (iPCU)
- Email the .p12 or .pfx file
When using X.509 Client Certificates, I highly recommend adding the User Principal Name (UPN), e.g. test.user@f5.demo to the Subject Alternative Name (SAN) extension. This allows APM to identify the user of the device and can be used for:
- Single Sign On (SSO) using Kerberos or SAML
- Active Directory / LDAP queries to determine group membership etc.
- Logging and Reporting
In a large scale environment I recommend using MDM, SCEP, Certificate Authority (CA) and an OCSP Responder to verify the revocation status. This article will cover how to configure the APM to authenticate the user and establish the VPN tunnel automatically using the On-Demand feature.
My Example
In my working example, I have a pre-configured CA called “CA1” joined to the domain “f5.demo”. The iOS device has the client certificate (Test User) installed with a UPN “test.user@f5.demo” in the SAN extension. This certificate has been issued by CA1 and is trusted by the iOS device. I have also installed the F5 Edge Client via the App Store.
Step 1 – Import the SSL Certificates
1.1 Import the SSL Certificate/Key that will be used for the SSL VPN connection
System >> File Management >> SSL Certificate List
Please follow SOL14620: Managing SSL certificates for BIG-IP systems
My configuration looks like this:
1.2 Import Certificate Authority Certificate that is signing the Client Certificates
Repeat Step 1.1 but this time you need to import the CA Certificate (without the Key) that is signing the User Certificates. It should look something similar to this:
Step 2 – Create a Client SSL Profile
Local Traffic >> Profiles >> SSL >> Client >> “Create”
Supply the following:
- Name: vpn.f5.demo_ssl_profile
- Parent Profile: clientssl
- Certificate: vpn.f5.demo
- Key: vpn.f5.demo
- Trusted Certificate Authorities: CA1
Select “Finished” to save.
Step 3 – Create the APM Configuration
In this example I will use an On-Demand Certificate Authentication to validate the client certificate and some TCL to extract the UPN from the SAN extension. After successful authentication, a VPN tunnel is then assigned and established. You can expand on this configuration by adding an OCSP Responder to check if the certificate has been revoked. Simply modify the Names, IP addresses, DNS etc. to suit your environment.
3.1 Create a Webtop
Access Policy >> Webtop >> Webtop List >> “Create”
Supply the following:
- Name: vpn_webtop
- Type: Full
Select “Finished” to save.
3.2 Create a Connectivity Profile
Access Policy >> Secure Connectivity >> Connectivity Profile >> “Create”
Supply the following:
- Name: vpn_cp
- Parent Profile: connectivity
Select “Finished” to save.
3.3 Create a Lease Pool
Access Policy >> Network Access >> Lease Pools >> IPv4 Lease Pools >> “Create”
Supply the following:
- Name: vpn_lease_pool_10.123.123.0
- Start IP Address: 10.123.123.1
- End IP Address: 10.123.123.254
- Select “Add”
Select “Finished” to save.
3.4 Create a Network Access
Access Policy >> Network Access >> Network Access List >> “Create”
Supply the following:
- Name: vpn_na
- Caption: SSL VPN
Select “Update” to save.
Under “Network Settings”
Supply the following:
- IPV4 Lease Pool: vpn_lease_pool_10.123.123.0
- Traffic Options: Use split tunneling for traffic (select appropriate option for your environment)
- IP Address: 10.0.0.0
- Mask: 255.0.0.0
- Select “Add”
Select “Update” to save.
Under “DNS/Hosts”
Supply the following:
- IPV4 Primary Name Server: 10.10.20.1
- DNS Default Domain Suffix: f5.demo
Select “Update” to save.
3.5 Create an Access Policy
We can now bring it all together using the Visual Policy Editor (VPE).
Access Policy >> Access Profiles >> Access Profile List >> “Create”
Supply the following:
- Name: vpn.f5.demo_ap
- Languages: English (en)
- Use the default settings for all other settings.
Select “Finished” to save.
3.6 Edit the Access Policy in the VPE
Access Policy >> Access Profiles >> Access Profile List >> “Edit” (vpn.f5.demo_ap)
On the fallback branch after the Start object, add an On-Demand Cert Auth object.
- Leave the defaults and “Save”.
On the Successful branch after the On-Demand Cert Auth object, add a Variable Assign object.
Supply the following:
- Name: Extract UPN
- Add the following variable assignments by selecting “Add new entry” >> “change”.
Variable Assignment 1:
- Custom Variable (Unsecure): session.logon.last.domain
- Custom Expression:
set upn [mcget {session.logon.last.upn}];
if {[string first "@" $upn] >= 0} {
return [string range $upn [expr { [string first "@" $upn] + 1 } ] end ];
} else {
return "";
}
Variable Assignment 2:
- Custom Variable (Unsecure): session.logon.last.username
- Custom Expression:
set upn [mcget {session.logon.last.upn}];
if {[string first "@" $upn] >= 0} {
return [string range $upn 0 [expr { [string first "@" $upn] - 1 } ] ];
} else {
return $upn;
}
Variable Assignment 3:
- Custom Variable (Unsecure): session.logon.last.upn
- Custom Expression:
# Walk the text dump of the X509v3 extensions line by line and return the
# value between the angle brackets of the "othername:UPN<...>" entry.
set e_fields [split [mcget {session.ssl.cert.x509extension}] "\n"];
foreach qq $e_fields {
    if {[string first "othername:UPN" $qq] >= 0} {
        return [string range $qq [expr { [string first "<" $qq] + 1 } ] [expr { [string first ">" $qq] - 1 } ] ];
    }
};
# No UPN found in the SAN extension: leave the variable empty.
return "";
Select “Finished”, then “Save” when you're done.
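To check what the three Variable Assign expressions above will put into session.logon.last.upn, session.logon.last.username and session.logon.last.domain before you deploy the policy, here is an added Python re-implementation of the same string logic (not F5 or APM code; the sample extension text is constructed to match the othername:UPN<...> line format the Tcl expects):

```python
# Added example: Python re-implementation of the three APM Variable Assign
# expressions, for checking the extraction logic offline. Not F5 code.
from typing import Dict

# Constructed sample of what session.ssl.cert.x509extension holds: the
# OpenSSL-style text dump of the client certificate's X509v3 extensions.
SAMPLE_EXTENSIONS = """X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Client Authentication, Microsoft Smartcardlogin
X509v3 Subject Alternative Name:
    othername:UPN<test.user@f5.demo>, email:test.user@f5.demo
"""


def extract_upn(x509extension: str) -> str:
    """Variable Assignment 3: find the 'othername:UPN<...>' line and return
    the value between the angle brackets, or "" when no UPN is present."""
    for line in x509extension.split("\n"):
        if "othername:UPN" in line:
            # Tcl's string range would yield "" for a malformed entry too.
            if "<" not in line or ">" not in line:
                return ""
            return line[line.find("<") + 1:line.find(">")]
    return ""


def split_upn(upn: str) -> Dict[str, str]:
    """Variable Assignments 1 and 2: derive domain and username from the UPN.
    Without an '@' the domain is empty and the username is the whole string,
    exactly as the Tcl expressions behave."""
    at = upn.find("@")
    if at >= 0:
        return {"domain": upn[at + 1:], "username": upn[:at]}
    return {"domain": "", "username": upn}


def logon_variables(x509extension: str) -> Dict[str, str]:
    """Return the session.logon.last.* values the policy would set."""
    upn = extract_upn(x509extension)
    parts = split_upn(upn)
    return {
        "session.logon.last.upn": upn,
        "session.logon.last.username": parts["username"],
        "session.logon.last.domain": parts["domain"],
    }


if __name__ == "__main__":
    for name, value in logon_variables(SAMPLE_EXTENSIONS).items():
        print(f"{name} = {value!r}")
```

Paste a real session.ssl.cert.x509extension value (visible in the APM session variables report) into SAMPLE_EXTENSIONS to confirm your CA emits the UPN in the form the policy parses.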
The VPE should look similar to this:
On the fallback branch after the Extract UPN object, add a Full Resource Assign object.
Supply the following:
- Name: SSL VPN
- Select “Add new entry” >> “Add/Delete”
- Add the Webtop: /Common/vpn_webtop (from step 3.1)
- Add the Network Access: /Common/vpn_na (from step 3.4)
Select “Update” then “Save”.
On the fallback branch after the SSL VPN object, change Deny ending to Allow. The finished policy should look similar to this:
Step 4 – Create the Virtual Server for SSL VPN
In this step, you need to create an HTTPS Virtual Server (VS) for the Edge Client to establish the connection. I also recommend creating a DTLS VS in addition to the HTTPS VS. This configuration is well documented in the APM Manual and I will not go through the DTLS VS creation.
4.1 Create the HTTPS VS
Local Traffic >> Virtual Servers >> Virtual Server List >> “Create”
Supply the following:
- Name: vpn.f5.demo_https_vs
- Destination: 10.10.20.100
- Service Port: HTTPS
- HTTP Profile: http
- SSL Profile (Client): vpn.f5.demo_ssl_profile (from step 2)
- SNAT Pool: Auto Map
- Access Profile: vpn.f5.demo_ap (from step 3.5)
- Connectivity Profile: vpn_cp (from step 3.2)
Select “Finished” to save.
Step 5 – Configure the Edge Client on the iOS device and Test
5.1 Create a new Edge Client Configuration
- Open the Edge Client and select “Settings” then “Add Configuration…”
- Supply the following:
- Description: On Demand VPN
- Server: vpn.f5.demo
- Use Certificate: On
- Certificate: Test User
- Connect On Demand: On
- Select Domain List
- Add Domain…
- In my example: demo.vpn
- Don’t forget to Save
5.2 Test
Open Safari and access a URL that will trigger the VPN. In my example http://intranet.demo.vpn, a SharePoint site. The VPN will start up when it sees the DNS query for intranet.demo.vpn and the data will flow across the VPN as per the Network Access settings.
Conclusion
On-Demand VPN with APM is a simple way to enable the workforce by providing a secure and easy to use remote access solution while out of the office.
- Maarten_Brugman (Nimbostratus):
Hi Brett (or colleague), useful cookbook! In the per-app VPN setup, can I specify somewhere which apps can access the VPN tunnel? I want only the apps that I specify to be able to access a specific endpoint. If not, any app can access internal endpoints, and this is a security risk.
- pradeepkumar020 (Nimbostratus):
Hi Brett, this is very helpful, but I have one doubt. In the scenario which you explained above, all the users who have a certificate issued by the same CA which we kept in the trusted CA can access the resources, right? Is there any scenario where, even if all users have certificates issued by the same CA, they can't use the resource? I mean, only particular users can access the resources by using the details in the certificate.
- Toby_Garcia_146 (Altostratus):
Found a TCL syntax error in the ‘Variable Assignment 3’ iRule, used to populate session.logon.last.upn. It worked properly in 11.4.1, but stopped working after upgrading to 11.6.0. There is a missing semicolon between the final curly brace and return. Here's the corrected expression: set e_fields [split [mcget {session.ssl.cert.x509extension}] "\n"]; foreach qq $e_fields { if {[string first "othername:UPN" $qq] >= 0} { return [string range $qq [expr { [string first "<" $qq] + 1 } ] [expr { [string first ">" $qq] - 1 } ] ]; } }; return "";
- Robell_Pontes_7 (Nimbostratus):
Really useful stuff. Thanks