APM Cookbook: On-Demand VPN for iOS Devices
Overview
I’ve been using On-Demand VPN for a number of years as it’s a secure and easy way to access applications while on the road with the added benefit of conserving device battery life when idle.
On-Demand VPN is a simple concept. You define a domain or list of domains in the “Connect On Demand” settings. The Edge Client looks at the DNS requests made by the App (e.g. Safari) and when the FQDN matches one of the defined domains, it fires up the VPN in the background and authenticates using an X.509 Client Certificate.
On-Demand VPN requires the installation of an X.509 Client Certificate on the iOS device, which can be provisioned using a number of tools. This article will not go into these tools, but I will give you a few ideas on how to get the X.509 certificate onto the device. Some of the methods I have used in the past:
- Mobile Device Management (MDM) configured to use Simple Certificate Enrollment Protocol (SCEP)
- iPhone Configuration Utility (iPCU)
- Email the .p12 or .pfx file
When using X.509 Client Certificates, I highly recommend adding the User Principal Name (UPN), e.g. test.user@f5.demo, to the Subject Alternative Name (SAN) extension. This allows APM to identify the user of the device and can be used for:
- Single Sign On (SSO) using Kerberos or SAML
- Active Directory / LDAP queries to determine group membership etc.
- Logging and Reporting
In a large-scale environment I recommend using MDM, SCEP, a Certificate Authority (CA) and an OCSP Responder to verify the revocation status. This article will cover how to configure APM to authenticate the user and establish the VPN tunnel automatically using the On-Demand feature.
My Example
In my working example, I have a pre-configured CA called “CA1” joined to the domain “f5.demo”. The iOS device has the client certificate (Test User) installed with a UPN “test.user@f5.demo” in the SAN extension. This certificate has been issued by CA1 and is trusted by the iOS device. I have also installed the F5 Edge Client via the App Store.
Step 1 – Import the SSL Certificates
1.1 Import the SSL Certificate/Key that will be used for SSL VPN connection
System >> File Management >> SSL Certificate List
Please follow SOL14620: Managing SSL certificates for BIG-IP systems
My configuration looks like this:
1.2 Import Certificate Authority Certificate that is signing the Client Certificates
Repeat Step 1.1 but this time you need to import the CA Certificate (without the Key) that is signing the User Certificates. It should look something similar to this:
Step 2 – Create a Client SSL Profile
Local Traffic >> Profiles >> SSL >> Client >> “Create”
Supply the following:
- Name: vpn.f5.demo_ssl_profile
- Parent Profile: clientssl
- Certificate: vpn.f5.demo
- Key: vpn.f5.demo
- Trusted Certificate Authorities: CA1
Select “Finished” to save.
Step 3 – Create the APM Configuration
In this example I will use On-Demand Certificate Authentication to validate the client certificate and some TCL to extract the UPN from the SAN extension. After successful authentication, a VPN tunnel is then assigned and established. You can expand on this configuration by adding an OCSP Responder to check whether the certificate has been revoked. Simply modify the Names, IP addresses, DNS etc. to suit your environment.
3.1 Create a Webtop
Access Policy >> Webtop >> Webtop List >> “Create”
Supply the following:
- Name: vpn_webtop
- Type: Full
Select “Finished” to save.
3.2 Create a Connectivity Profile
Access Policy >> Secure Connectivity >> Connectivity Profile >> “Create”
Supply the following:
- Name: vpn_cp
- Parent Profile: connectivity
Select “Finished” to save.
3.3 Create a Lease Pool
Access Policy >> Network Access >> Lease Pools >> IPv4 Lease Pools >> “Create”
Supply the following:
- Name: vpn_lease_pool_10.123.123.0
- Start IP Address: 10.123.123.1
- End IP Address: 10.123.123.254
- Select “Add”
Select “Finished” to save.
3.4 Create a Network Access
Access Policy >> Network Access >> Network Access List >> “Create”
Supply the following:
- Name: vpn_na
- Caption: SSL VPN
Select “Update” to save.
Under “Network Settings”
Supply the following:
- IPV4 Lease Pool: vpn_lease_pool_10.123.123.0
- Traffic Options: Use split tunneling for traffic (select appropriate option for your environment)
- IP Address: 10.0.0.0
- Mask: 255.0.0.0
- Select “Add”
Select “Update” to save.
Under “DNS/Hosts”
Supply the following:
- IPV4 Primary Name Server: 10.10.20.1
- DNS Default Domain Suffix: f5.demo
Select “Update” to save.
3.5 Create an Access Policy
We can now bring it all together using the Visual Policy Editor (VPE).
Access Policy >> Access Profiles >> Access Profile List >> “Create”
Supply the following:
- Name: vpn.f5.demo_ap
- Languages: English (en)
- Use the default settings for all other settings.
Select “Finished” to save.
3.6 Edit the Access Policy in the VPE
Access Policy >> Access Profiles >> Access Profile List >> “Edit” (vpn.f5.demo_ap)
On the fallback branch after the Start object, add an On-Demand Cert Auth object.
- Leave the defaults and “Save”.
On the Successful branch after the On-Demand Cert Auth object, add a Variable Assign object.
Supply the following:
- Name: Extract UPN
- Add the following variable assignments by selecting “Add new entry” >> “change”.
Variable Assignment 1:
- Custom Variable (Unsecure): session.logon.last.domain
- Custom Expression:
set upn [mcget {session.logon.last.upn}];
# everything after the first "@" is the domain; empty when there is no "@"
if {[string first "@" $upn] >= 0} {
    return [string range $upn [expr { [string first "@" $upn] + 1 }] end];
} else {
    return "";
}
Variable Assignment 2:
- Custom Variable (Unsecure): session.logon.last.username
- Custom Expression:
set upn [mcget {session.logon.last.upn}];
# everything before the first "@" is the username; the whole value when there is no "@"
if {[string first "@" $upn] >= 0} {
    return [string range $upn 0 [expr { [string first "@" $upn] - 1 }]];
} else {
    return $upn;
}
Variable Assignment 3:
- Custom Variable (Unsecure): session.logon.last.upn
- Custom Expression:
set e_fields [split [mcget {session.ssl.cert.x509extension}] "\n"];
foreach qq $e_fields {
    # the UPN appears in the SAN dump as othername:UPN<user@domain>
    if {[string first "othername:UPN" $qq] >= 0} {
        return [string range $qq [expr { [string first "<" $qq] + 1 }] [expr { [string first ">" $qq] - 1 }]];
    }
}
return "";
Select “Finished”, then “Save” when you're done.
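As an added illustration (not code from the original article), the same UPN extraction and username/domain split in Python over a constructed session.ssl.cert.x509extension dump, plus one check worth applying before the UPN drives AD Query or SSO: that the realm is one the policy expects, since any certificate CA1 issued will pass cert auth. The TRUSTED_REALMS set and the sample extension text are assumptions.

```python
"""Extract a UPN from an APM-style x509extension dump and validate its realm."""
import re

# Constructed sample of the session.ssl.cert.x509extension text, using the
# othername:UPN<...> form the Variable Assign TCL above searches for.
SAMPLE_EXTENSIONS = (
    "X509v3 Key Usage: critical\n"
    "    Digital Signature, Key Encipherment\n"
    "X509v3 Extended Key Usage:\n"
    "    TLS Web Client Authentication\n"
    "X509v3 Subject Alternative Name:\n"
    "    othername:UPN<test.user@f5.demo>, email:test.user@f5.demo\n"
)

# Realms this policy is willing to act on (assumed value; not from the article).
TRUSTED_REALMS = {"f5.demo"}

UPN_RE = re.compile(r"othername:UPN<([^<>]+)>")


def extract_upn(x509extension):
    """Return the first UPN found in the SAN dump, or '' when none is present."""
    for line in x509extension.split("\n"):
        match = UPN_RE.search(line)
        if match:
            return match.group(1).strip()
    return ""


def split_upn(upn):
    """Split 'user@realm' on the first '@' like the TCL assignments; realm lower-cased."""
    if "@" not in upn:
        return upn, ""
    user, _, domain = upn.partition("@")
    return user, domain.lower()


def session_identity(x509extension):
    """Produce the three session variables the policy sets, plus a realm check."""
    upn = extract_upn(x509extension)
    user, domain = split_upn(upn)
    return {
        "session.logon.last.upn": upn,
        "session.logon.last.username": user,
        "session.logon.last.domain": domain,
        "realm_ok": domain in TRUSTED_REALMS,
    }
```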
The VPE should look similar to this:
On the fallback branch after the Extract UPN object, add a Full Resource Assign object.
Supply the following:
- Name: SSL VPN
- Select “Add new entry” >> “Add/Delete”
- Add the Webtop: /Common/vpn_webtop (from step 3.1)
- Add the Network Access: /Common/vpn_na (from step 3.4)
Select “Update” then “Save”.
On the fallback branch after the SSL VPN object, change the Deny ending to Allow. The finished policy should look similar to this:
Step 4 – Create the Virtual Server for SSL VPN
In this step, you need to create an HTTPS Virtual Server (VS) for the Edge Client to establish the connection. I also recommend creating a DTLS VS in addition to the HTTPS VS. This configuration is well documented in the APM Manual and I will not go through the DTLS VS creation.
4.1 Create the HTTPS VS
Local Traffic >> Virtual Servers >> Virtual Server List >> “Create”
Supply the following:
- Name: vpn.f5.demo_https_vs
- Destination: 10.10.20.100
- Service Port: HTTPS
- HTTP Profile: http
- SSL Profile (Client): vpn.f5.demo_ssl_profile (from step 2)
- SNAT Pool: Auto Map
- Access Profile: vpn.f5.demo_ap (from step 3.5)
- Connectivity Profile: vpn_cp (from step 3.2)
Select “Finished” to save.
Step 5 – Configure the Edge Client on the iOS device and Test
5.1 Create a new Edge Client Configuration
- Open the Edge Client and select “Settings” then “Add Configuration…”
- Supply the following:
  - Description: On Demand VPN
  - Server: vpn.f5.demo
  - Use Certificate: On
  - Certificate: Test User
  - Connect On Demand: On
  - Select Domain List
    - Add Domain…
    - In my example: demo.vpn
- Don’t forget to Save
5.2 Test
Open Safari and access a URL that will trigger the VPN. In my example, http://intranet.demo.vpn, a SharePoint site. The VPN will start up when it sees the DNS query for intranet.demo.vpn and the data will flow across the VPN as per the Network Access settings.
Conclusion
On-Demand VPN with APM is a simple way to enable the workforce by providing a secure and easy to use remote access solution while out of the office.
- SmithyCirrostratus
Hi Johan,
I'm not sure how you've set this up, but userPrincipalName is "username@domain" format, see: https://docs.microsoft.com/en-us/windows/desktop/secauthn/user-name-formats
If the AD Query is working with sAMAccountName, great! Just use the memberOf session variable to see the groups: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-6-0/3.html
You definitely don't want to use a Logon Page as this will break everything and AD Auth is not required as the above solution is using On-Demand Cert Auth.
Cheers,
Brett
- Johan_374936Nimbostratus
Hello Brett
I've tried this but I still get this error in the F5 logs: AD module: query with 'userPrincipalName=(MyUPN)' failed: no matching user found with filter userPrincipalName=(MyUPN)
I don't see any attempt from the F5 BigIP to query the AD servers either, nothing in those logs.
Also replaced userPrincipalName=%{session.logon.last.upn with sAMAccountName=%{session.logon.last.username}; at this point the AD Query is successful, but after that it still can't find the AD groups my user is a member of.
I presume this setup requires Logon Page, AD Auth, AD Query?
- SmithyCirrostratus
Hi Johan,
If you are following the above example and the username extracted from the certificate is UPN format, add an AD Query object to the VPE and set the "SearchFilter" to "userPrincipalName=%{session.logon.last.upn}".
Then create branch rules based on the AD group membership returned or use a "AD Group Resource Assign" or "Advanced Resource Assign". Multiple options available.
Cheers,
Brett
- Johan_374936Nimbostratus
Hello
How can I use the extracted username from the cert to query AD for group membership and assign resources thereafter?
- SmithyCirrostratus
Hi TSSRShot,
STS Server? Sounds like you have ADFS performing SSO? You will need to use a Kerberos SSO configuration applied to the SSL VPN Tunnel VLAN.
Similar to my other article: https://devcentral.f5.com/s/articles/apm-cookbook-single-sign-on-sso-using-kerberos
Cheers,
Brett
- brad_11480Nimbostratus
Thanks Brett. That explains it fairly well. I found another document that described the behavior when the device goes to sleep, article K13832: https://support.f5.com/csp/article/K13832
Basically it will disconnect the VPN. When the device wakes up the on-demand will resume. Which I assume means that it will remain disconnected until a reference is made to cause it to fire up.
But we are now running into a situation where it doesn't seem to be waiting for an 'on-demand' domain reference to occur. It will fire up as soon as the device wakes up, but we might have a misconfiguration. What is the on-demand action if there are no domains listed in any of the three categories? Does that mean that it will fire up when active? We are finding out why the MDM didn't set the list up even though it seems to have been configured to do so (it just isn't appearing on the device). Hoping the solution is simple, but all of this is helping us understand how this thing behaves.
- TSSRShotAltostratus
I am having an issue where I am trying to do mostly the same thing as in your article (now using F5 Access instead of F5 Edge); however, I am uncertain how to tackle the SharePoint part. I'm not an SSO, Claims, or STS type expert. When I do this with a browser separate from VPN I notice that I get a temporary redirect to an STS server. Is it possible to do this on behalf of the user in order to allow non-certificate-aware applications to access SharePoint (like WebDAV for instance)?
Thank you! and great article.
- SmithyCirrostratus
Hi Brad,
On the APM side, you would need to change the Inactivity Timeout: If there is no activity (defined by the Session Update Threshold and Session Update Window settings in the Network Access configuration) between the client and server within the specified threshold time, the system closes the current session. By default, the timeout is 900 seconds. However, if an inactivity timeout value is set, when server traffic exceeds the specified threshold, the inactivity timeout is reset. To disable the inactivity timeout, set the Inactivity Timeout to 0.
On the iOS side, I'm not 100% sure of the behaviour when the device goes to sleep; I would assume the VPN would disconnect and would require another On-Demand request to re-establish.
Cheers,
Brett
- SmithyCirrostratus
Hi Maarten,
Please refer to:
https://devcentral.f5.com/s/articles/solving-secure-mobile-access-with-f5-and-ios-7-per-app-vpn-part-1
https://devcentral.f5.com/s/articles/solving-secure-mobile-access-with-f5-and-ios-7-per-app-vpn-part-2
You need to configure a SOCKS proxy.
- brad_11480Nimbostratus
Is there a way to keep the VPN always on once it fires up?
This is now using the Access VPN that replaced the Edge for iOS.
thanks so much.