Solving Secure Mobile Access with F5 and iOS 7 Per app VPN - Part 1
Overview
As an F5 engineer out in the field I’m fortunate that I get to talk with customers about their projects and security concerns. While it probably would not surprise you to learn that mobility is a key project for many organizations, what does surprise me is how many are still using a layer-3 VPN approach on mobile devices. The major problem with this design is that once the VPN is established, any application on the mobile platform can access the corporate network. As we hear more and more about malware on mobile devices, it is critical to start protecting corporate infrastructure by limiting VPN access to corporate applications only.
With iOS 7 Apple introduced a great way to accomplish this: Per app VPN. Per app VPN lets iOS control which applications have access to the VPN tunnel, so an organization can designate which applications are corporate apps and treat everything else as personal. Per app VPN also works in Safari with per-tab granularity, so I can have one tab open watching who the Houston Texans take in the first round of the draft (Johnny Manziel, of course) and a second tab securely connected to my corporate SharePoint site.
To take advantage of the iOS Per app VPN functionality Apple requires an Enterprise Mobility Management (EMM) solution to configure the mobile device and an enterprise VPN solution like F5’s Access Policy Manager (APM). So, if you’re anything like me you’ve scrolled past this text and straight to the pictures below because you need to deploy this ASAP, right? Well, here we go…
Configuration
The iOS Per app VPN uses F5’s APM SOCKS proxy functionality, so we'll need TMOS 11.4 or higher installed on the BIG-IP and Edge Client 2.0 or higher installed on the mobile device.
1. Create a new Access Profile and select your default language.
2. Customize the profile in the Visual Policy Editor (VPE) by adding a Client Cert Inspection object and set its Successful branch to Allow. Leave the fallback branch on the default Deny ending so that a device that presents no certificate, or one not issued by your CA, is rejected.
3. Create a new LTM Client SSL Profile:
- set Client Certificate to request (with request the TLS handshake still completes for a client that presents no certificate; it is the Client Cert Inspection step in the access policy that denies it)
- set Trusted Certificate Authority to the CA that signed the certificate installed on the iOS device.
4. Create a new LTM Virtual Server:
- Add your custom Client SSL profile
- Select your Access Profile
- Select the default Connectivity Profile or create a custom connectivity profile with default settings
- Check the VDI & Java Support box to enable SOCKS proxy capabilities
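As an added example, not code from the article or from F5, here are the tmsh equivalents of steps 1, 3 and 4 above plus a small check for the Client SSL profile. The object names (perapp_*), the address 203.0.113.10 and the certificate, key and CA file names are placeholders; the attribute names follow the 11.x tmsh syntax as I recall it and should be checked against your release. The Client Cert Inspection object (step 2) and the VDI & Java Support check box are not emitted here and are still done in the GUI as described above.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): tmsh equivalents of steps 1,
# 3 and 4, plus a check for the Client SSL profile.
# Assumptions: perapp_* object names, the VS address and the file names are
# placeholders; attribute names follow 11.x tmsh syntax (verify on your box).
# Step 2 (Client Cert Inspection in the VPE) and the "VDI & Java Support"
# check box are not scripted here and are still set in the GUI.
set -euo pipefail

# Emit the tmsh commands for a given VS address, device CA file and server cert/key.
# Usage: perapp_tmsh_config 203.0.113.10 corp-device-ca.crt perapp.crt perapp.key
perapp_tmsh_config() {
  local vs_ip="$1" ca_file="$2" cert="$3" key="$4"
  cat <<EOF
# Step 1: access profile with a default language
tmsh create apm profile access perapp_vpn accept-languages add { en } default-language en
# Step 4 (prerequisite): connectivity profile with default settings
tmsh create apm profile connectivity perapp_connectivity defaults-from connectivity
# Step 3: request (not ignore) a client certificate and trust only the CA
# that issued the device certificates
tmsh create ltm profile client-ssl perapp_clientssl defaults-from clientssl cert ${cert} key ${key} peer-cert-mode request ca-file ${ca_file}
# Step 4: virtual server carrying the client SSL, access and connectivity profiles
tmsh create ltm virtual perapp_vs destination ${vs_ip}:443 ip-protocol tcp profiles add { tcp { } http { } perapp_clientssl { context clientside } perapp_vpn { } perapp_connectivity { context clientside } rewrite { } ppp { } }
tmsh save sys config
EOF
}

# Check a profile as printed by "tmsh list ltm profile client-ssl <name>":
# returns 0 only when a client certificate is requested or required AND a
# trusted CA file is set. With the default "peer-cert-mode ignore" the device
# is never asked for its certificate, so the Client Cert Inspection object
# has nothing to validate.
perapp_check_clientssl() {
  local profile_text="$1" mode ca
  mode=$(printf '%s\n' "$profile_text" | awk '$1 == "peer-cert-mode" { print $2 }')
  ca=$(printf '%s\n' "$profile_text" | awk '$1 == "ca-file" { print $2 }')
  case "$mode" in
    request|require) ;;
    *) echo "peer-cert-mode is '${mode:-unset}', expected request or require" >&2; return 1 ;;
  esac
  if [ -z "$ca" ] || [ "$ca" = "none" ]; then
    echo "ca-file is not set; the device CA must be trusted" >&2
    return 1
  fi
  return 0
}

# Constructed sample output of "tmsh list ltm profile client-ssl ..." (not
# captured from a real BIG-IP): one profile built per step 3 above and one
# left at the defaults.
PERAPP_SAMPLE_OK='ltm profile client-ssl perapp_clientssl {
    ca-file corp-device-ca.crt
    cert perapp.crt
    defaults-from clientssl
    key perapp.key
    peer-cert-mode request
}'
PERAPP_SAMPLE_BAD='ltm profile client-ssl lazy_clientssl {
    ca-file none
    cert default.crt
    defaults-from clientssl
    key default.key
    peer-cert-mode ignore
}'
```

Print the commands with `perapp_tmsh_config 203.0.113.10 corp-device-ca.crt perapp.crt perapp.key` and feed them to tmsh on the BIG-IP once you have reviewed them. The check exists because Client Certificate is easy to leave at its default of ignore; with that default the device is never asked for a certificate and the access policy step has nothing to inspect, so run it (or the equivalent eyeball check) on the profile before trusting the policy to keep unmanaged devices out.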
User Experience
So what does the end result look like? In the example below I tested the Safari per-tab capability by tapping the F5 shortcut icon and seamlessly had access to my test web server.
Next Steps
In Part 2 we will walk through how I configured AirWatch to perform the user experience demonstration.
- brad_11480 (Nimbostratus): Thanks for this timely article. I am tasked with supporting a per-app VPN using the APM and have been struggling to get it to work. Right now the MDM (MobileIron) is looking at the setup to see if it is correct.
- Cody_Green (Employee): From my testing only the Client Cert Inspection object in the VPE worked. And yes, as long as the F5 can access the internal web resource and the F5 can resolve the internal DNS entry you should be good to go.
- Israel_Wagner_1 (Nimbostratus): Hi Cody, do we have an F5 per app VPN solution for Android as well? Thank you
- Louis_Goulet_16 (Nimbostratus): Hi Cody, did the Per App VPN configuration of the F5 change a lot since Apple is on iOS 9 now (using the latest F5 Edge Client on iOS 9.3.2)? Where could I find a newer example? Thanks, Louis Goulet
- TSSRShot (Altostratus): Can anyone help me find the best way to integrate this with an iOS WebDAV client connecting to SharePoint? Currently, we use Cert Based Auth to SharePoint which redirects to STS. However, if I could combine the steps of the VPN CBA and use APM to SSO to SharePoint it would take all of the logic off of the client app.