Technical Articles
F5 SMEs share good practice.
cancel
Showing results for 
Search instead for 
Did you mean: 
Smithy
Cirrostratus
Cirrostratus

Overview

I’ve been using On-Demand VPN for a number of years as it’s a secure and easy way to access applications while on the road with the added benefit of conserving device battery life when idle.

On-Demand VPN is a simple concept. You define a domain or list of domains in the “Connect On Demand” settings. The Edge Client looks at the DNS requests made by the App (e.g Safari) and when the FQDN matches one of the defined domains, it fires up the VPN in the background and authenticates using a X.509 Client Certificate.

On-Demand VPN requires the installation of a X.509 Client Certificate on the iOS device, which can be provisioned using a number of tools. This article will not go into these tools, but I will give you a few ideas how to get the X.509 certificate on the device. Some of the methods I have used in the past:

  • Mobile Device Management (MDM) configured to use Simple Certificate Enrollment Protocol (SCEP)
  • iPhone Configuration Utility (iPCU)
  • Email the .p12 or .pfx file

When using X.509 Client Certificates, I highly recommend adding the User Principal Name (UPN), e.g. test.user@f5.demo to the Subject Alternative Name (SAN) extension. This allows APM to identify the user of the device and can be used for:

  • Single Sign On (SSO) using Kerberos or SAML
  • Active Directory / LDAP queries to determine group membership etc.
  • Logging and Reporting

In a large scale environment I recommend using MDM, SCEP, Certificate Authority (CA) and an OCSP Responder to verify the revocation status. This article will cover how to configure the APM to authenticate the user and establish the VPN tunnel automatically using the On-Demand feature.

My Example

In my working example, I have a pre-configured CA called “CA1” joined to the domain “f5.demo”. The iOS device has the client certificate (Test User) installed with a UPN “test.user@f5.demo” in the SAN extension. This certificate has been issued by CA1 and is trusted by the iOS device. I have also installed the F5 Edge Client via the App Store.

Step 1 – Import the SSL Certificates

1.1 Import the SSL Certificate/Key that will be used for SSL VPN connection

System >> File Management >> SSL Certificate List

Please follow SOL14620: Managing SSL certificates for BIG-IP systems

My configuration looks like this:

0151T000003d6DtQAI.png

1.2 Import Certificate Authority Certificate that is signing the Client Certificates

Repeat Step 1.1 but this time you need to import the CA Certificate (without the Key) that is signing the User Certificates. It should look something similar to this:

0151T000003d6DuQAI.png

Step 2 – Create a Client SSL Profile

Local Traffic >> Profiles >> SSL >> Client >> “Create”

Supply the following:

  • Name: vpn.f5.demo_ssl_profile
  • Parent Profile: clientssl
  • Certificate: vpn.f5.demo
  • Key: vpn.f5.demo
  • Trusted Certificate Authorities: CA1

Select “Finished” to save.

0151T000003d6DvQAI.png

0151T000003d6DwQAI.png

Step 3 – Create the APM Configuration

In this example I will use an On-Demand Certificate Authentication to validate the client certificate and some TCL to extract the UPN from the SAN extension. After successful authentication, a VPN tunnel is then assigned and established. You can expand on this configuration by adding an OCSP Responder to check if the certificate has been revoked. Simply modify the Names, IP addresses, DNS etc. to suit your environment.

3.1 Create a Webtop

Access Policy >> Webtop >> Webtop List >> “Create”

Supply the following:

  • Name: vpn_webtop
  • Type: Full

Select “Finished” to save.

0151T000003d6DxQAI.png

3.2 Create a Connectivity Profile

Access Policy >> Secure Connectivity >> Connectivity Profile >> “Create”

Supply the following:

  • Name: vpn_cp
  • Parent Profile: connectivity

Select “Finished” to save.

0151T000003d6DyQAI.png

3.3 Create a Lease Pool

Access Policy >> Network Access >> Lease Pools >> IPv4 Lease Pools >> “Create”

Supply the following:

  • Name: vpn_lease_pool_10.123.123.0
  • Start IP Adddress: 10.123.123.1
  • End IP Address: 10.123.123.254
  • Select “Add”

Select “Finished” to save.

0151T000003d6DzQAI.png

3.4 Create a Network Access

Access Policy >> Network Access >> Network Access List >> “Create”

Supply the following:

  • Name: vpn_na
  • Caption: SSL VPN

Select “Update” to save.

0151T000003d6E0QAI.png

Under “Network Settings”.

Supply the following:

  • IPV4 Lease Pool: vpn_lease_pool_10.123.123.0
  • Traffic Options: Use split tunneling for traffic (select appropriate option for your environment)
    • IP Address: 10.0.0.0
    • Mask: 255.0.0.0
  • Select “Add”

Select “Update” to save.

0151T000003d6E1QAI.png 

Under “DNS/Hosts”

Supply the following:

  • IPV4 Primary Name Server: 10.10.20.1
  • DNS Default Domain Suffix: f5.demo

Select “Update” to save.

0151T000003d6E2QAI.png

3.5 Create an Access Policy

We can now bring it all together using the Visual Policy Editor (VPE).

Access Policy >> Access Profiles >> Access Profile List >> “Create”

Supply the following:

  • Name: vpn.f5.demo_ap
  • Languages: English (en)
  • Use the default settings for all other settings.

Select “Finished” to save.

0151T000003d6E3QAI.png

0151T000003d6E4QAI.png

3.6 Edit the Access Policy in the VPE

Access Policy >> Access Profiles >> Access Profile List >> “Edit” (vpn.f5.demo_ap)

On the fallback branch after the Start object, add an On-Demand Cert Auth object.

  • Leave the defaults and “Save”.

0151T000003d6E5QAI.png

On the Successful branch after the On-Demand Cert Auth object, add a Variable Assign object.

Supply the following:

  • Name: Extract UPN
  • Add the following variable assignments by selecting “Add new entry” >> “change”.

Variable Assignment 1:

  • Custom Variable (Unsecure): session.logon.last.domain
  • Custom Expression:

    set upn [mcget {session.logon.last.upn}];

    if {[string first "@" $upn] >= 0} {
      return [string range $upn [expr { [string first "@" $upn] + 1 } ] end ];
      } else {
      return "";
    }

Variable Assignment 2:

  • Custom Variable (Unsecure): session.logon.last.username
  • Custom Expression:

    set upn [mcget {session.logon.last.upn}];

    if {[string first "@" $upn] >= 0} {
      return [string range $upn 0 [expr { [string first "@" $upn] - 1 } ] ];
      } else {
      return $upn;
    }

Variable Assignment 3:

  • Custom Variable (Unsecure): session.logon.last.upn
  • Custom Expression:

    set e_fields [split [mcget {session.ssl.cert.x509extension}] "\n"];

    foreach qq $e_fields {
      if {[string first "othername:UPN" $qq] >= 0} {
      return [string range $qq [expr { [string first "<" $qq] + 1 } ] [expr { [string first ">" $qq] - 1 } ] ];
      }
    }

    return "";

Select “Finished”, then “Save” when your done.

0151T000003d6E6QAI.png

The VPE should look similar to this:

0151T000003d6E7QAI.png

On the fallback branch after the Extract UPN object, add a Full Resource Assign object.

Supply the following:

  • Name: SSL VPN
  • Select “Add new entry” >> “Add/Delete”
  • Add the Webtop: /Common/vpn_webtop (from step 3.1)
  • Add the Network Access: /Common/vpn_na (from step 3.4)

Select “Update” then “Save”.

0151T000003d6E8QAI.png

On the fallback branch after the SSL VPN object, change Deny ending to Allow. The finished policy should look similar to this:

0151T000003d6E9QAI.png

Step 4 – Create the Virtual Server for SSL VPN

In this step, you need to create a HTTPS Virtual Server (VS) for the Edge Client to establish the connection. I also recommend creating a DTLS VS in addition to the HTTPS VS. This configuration is well documented in the APM Manual and I will not go through the DTLS VS creation.

4.1 Create the HTTP VS

Local Traffic >> Virtual Servers >> Virtual Server List >> “Create”

Supply the following:

  • Name: vpn.f5.demo_https_vs
  • Destination: 10.10.20.100
  • Service Port: HTTPS
  • HTTP Profile: http
  • SSL Profile (Client): vpn.f5.demo_ssl_profile (from step 2)
  • SNAT Pool: Auto Map
  • Access Profile: vpn.f5.demo_ap (from step 3.5)
  • Connectivity Profile: vpn_cp (from step 3.2)

Select “Finished" to save.

0151T000003d6EAQAY.png

0151T000003d6EBQAY.png

Step 5 – Configure the Edge Client on the iOS device and Test

5.1 Create a new Edge Client Configuration

  • Open the Edge Client and select “Settings” then “Add Configuration…”
  • Supply the following:
    • Description: On Demand VPN
    • Server: vpn.f5.demo
    • Use Certificate: On
    • Certificate: Test User
    • Connect On Demand: On
  • Select Domain List
  • Add Domain…
    • In my example: demo.vpn
  • Don’t forget to Save

0151T000003d6ECQAY.png

0151T000003d6EDQAY.png

5.2 Test

Open Safari and access a URL that will cause the VPN trigger. In my example http://intranet.demo.vpn, a Sharepoint site. The VPN will start up when it sees the DNS query for intranet.demo.vpn and the data will flow across the VPN as per the Network Access settings.

0151T000003d6EEQAY.png

0151T000003d6EFQAY.png

Conclusion

On-Demand VPN with APM is a simple way to enable the workforce by providing a secure and easy to use remote access solution while out of the office.

Comments
Robell_Pontes_7
Nimbostratus
Nimbostratus
really useful stuff. Thanks
Toby_Garcia_146
Altostratus
Altostratus
Found a TCL syntax error in the ‘Variable Assignment 3’ iRule, used to populate session.logon.last.upn. It worked properly in 11.4.1, but stopped working after upgrading to 11.6.0. There is a missing semicolon between the final curly brace and return. Here's the corrected expression: set e_fields [split [mcget {session.ssl.cert.x509extension}] "\n"]; foreach qq $e_fields { if {[string first "othername:UPN" $qq] >= 0} { return [string range $qq [expr { [string first "<" $qq] + 1 } ] [expr { [string first ">" $qq] - 1 } ] ]; } }; return "";
pradeepkumar020
Nimbostratus
Nimbostratus
hai brett, ... this is very helpful.... but i have one doubt..... by the scenario which you explained above, all the users who is having certificate issued by the same CA which we kept in trusted CA can access the resources right ??? Is there any scenario like even all users having cerificates issued by same CA, cant use resource ... i mean only particular users can access the resources by using the details in cerificate....
Maarten_Brugman
Nimbostratus
Nimbostratus

Hi Brett (or colleague), useful cookbook! In the per-app VPN setup, can I specify somewhere which apps can access the VPN tunnel? I want only the apps that I specify, to be able to access a specific endpoint. If not, any app can access internal endpoints, and this is a security risk.

 

brad_11480
Nimbostratus
Nimbostratus

Is there a way to keep the VPN always on once it fires up??

 

Basically want it to fire up on demand but once it is setup it should not go away even if the application goes idle..

 

This is now using the Access VPN that replaced the Edge for iOS.

 

thanks so much.

 

Smithy
Cirrostratus
Cirrostratus
Smithy
Cirrostratus
Cirrostratus

Hi Brad,

 

On the APM side, you would need to change the Inactivity Timeout: If there is no activity (defined by the Session Update Threshold and Session Update Window settings in the Network Access configuration) between the client and server within the specified threshold time, the system closes the current session. By default, the timeout is 900 seconds. However, if an inactivity timeout value is set, when server traffic exceeds the specified threshold, the inactivity timeout is reset. To disable the inactivity timeout, set the Inactivity Timeout to 0.

 

On the iOS side, I'm not 100% of the behaviour when the device goes to sleep, I would assume the VPN would disconnect and would require another On-Demand request to re-establish.

 

Cheers,

 

Brett

 

TSSRShot
Nimbostratus
Nimbostratus

I am having an issue where I am trying to do mostly the same thing in your article (now using F5 Access instead of F5 Edge), however, I am uncertain how to tackle the Sharepoint Part. I'm not an SSO, Claims, or STS type expert. When I do this with a browser separate from VPN I notice that I get a temporary redirect to an STS server, is it possible to do this on behalf of the user in order to allow non-certificate aware application to access SharePoint (like WebDAV for instance).

 

Thank you! and great article.

 

brad_11480
Nimbostratus
Nimbostratus

Thanks Brett. That explains it fairly well. I found another document that described the behavior when the device goes to sleep.... article K13832.. https://support.f5.com/csp/article/K13832

 

Basically it will disconnect the VPN. When the device wakes up the on-demand will resume. Which I assume means that it will remain disconnected until a reference is made to cause it to fire up.

 

But we are now running into a situation where it doesn't seem to be waiting for an 'on-demand' domain reference to occur. it will fire up as soon as the device wakes up.. but we might have a misconfiguration. What is the on-demand action if there are no domains listed in any of the three categories?? does that mean that it will fire up when active? We are finding out why the MDM didn't set the list up even though it seems to have been configured to do so-- it just isn't appearing on the device). Hoping he solution is simple, but all if this is helping us understand how this thing behaves..

 

Smithy
Cirrostratus
Cirrostratus

Hi TSSRShot,

 

STS Server? Sounds like you have ADFS performing SSO? You will need to use a Kerberos SSO configuration applied to the SSL VPN Tunnel VLAN.

 

Similar to my other article: https://devcentral.f5.com/s/articles/apm-cookbook-single-sign-on-sso-using-kerberos

 

Cheers,

 

Brett

 

Johan_374936
Nimbostratus
Nimbostratus

Hello

 

How can I use the extraced username from the cert and use it quary AD for group membership and assign resources there after?

 

Smithy
Cirrostratus
Cirrostratus

Hi Johan,

 

If you are following the above example and the username extracted from the certificate is UPN format, add an AD Query object to the VPE and set the "SearchFilter" to "userPrincipalName=%{session.logon.last.upn}".

 

Then create branch rules based on the AD group membership returned or use a "AD Group Resource Assign" or "Advanced Resource Assign". Multiple options available.

 

Cheers,

 

Brett

 

Johan_374936
Nimbostratus
Nimbostratus

Hello Brett

 

I´ve tried this but I still get this error in the F5 logs: AD module: query with 'userPrincipalName=(MyUPN)' failed: no matching user found with filter userPrincipalName=(MyUPN)

 

I dont see any atempt from the F5 BigIP to quarey the AD servers either, nothing in those loggs.

 

Also replaced userPrincipalName=%{session.logon.last.upn with sAMAccountName=%{session.logon.last.username} at this point the AD Query is successfull, but after that it still cant find the AD groups my user is member off.

 

I presume this setup requires Logon Page, AD Auth, AD Query?

 

Smithy
Cirrostratus
Cirrostratus

Hi Johan,

 

I'm not sure how you've set this up, but userPrincipalName is "username@domain" format, see: https://docs.microsoft.com/en-us/windows/desktop/secauthn/user-name-formats

 

If the AD Query is working with sAMAccountName, great! Just use the memberOf session variable to see the groups: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-o...

 

You definitely don't want to use a Logon Page as this will break everything and AD Auth is not required as the above solution is using On-Demand Cert Auth.

 

Cheers,

 

Brett

 

Version history
Last update:
‎25-Jul-2014 05:31
Updated by:
Contributors