The recent announcements that web browsers will be removing plugin support mean that customers will no longer be able to provide Network Access resources to their end users via the APM webtop.  Instead, customers will require their end users to install the Edge Client for Network Access connections.  This poses a problem for customers who require that their end users be able to choose manually which Network Access resource to connect to.  Currently (as of this article’s posting date) the Edge Client does not let end users select from multiple Network Access resources; instead end users automatically connect to only one Network Access resource, based on which resource was provisioned first.  See AskF5 solution SOL15326 for more information.

I have created a customized way to give end users the ability to select which Network Access resource to connect to within the Edge Client.  This customization is straightforward and can be adapted to the needs of your organization.  I have tried to make this solution flexible and easy to implement, but if you have any questions or need help adapting it to your organization, please comment below.

NOTE: There are limitations on this workaround compared to the full browser web top.

- To change between Network Access resources you must disconnect and reconnect, which requires re-authentication.
- When using the iOS Edge Client you must select “Web Logon”.

- This solution assumes that all of the AD groups for VPN access are in a dedicated OU.  You can work around this if you need to, but these instructions assume every AD group in “OU=VPN,DC=fr,DC=del,DC=corp” has a corresponding Network Access resource configured and mapped in the VPE.
- The name of the AD group is the name listed in the dropdown that end users select from, so you SHOULD use meaningful group names.  Spaces in group names, for better formatting, are allowed.
- I have only tested this on Windows 7.
- These instructions are written for TMOS build version 11.6.0


NOTE: I wrote a new article to cover using LocalDB Auth instead of AD Auth.


Overall View of Config:

Here I will show screen captures of the config with a short description of each section, and below I give step-by-step instructions to configure it.



The VPE is straightforward.  We start with a standard “Logon Page” with username and password, then do an “AD Auth” and, if successful, go to “AD Query”.  The next object is “Client Type”, which determines whether the user is connecting from the Edge Client or a browser.  We only need this customization on the Edge Client path; the browser resource assign is the standard assign we are all familiar with.  Everything up to this point is standard.

The next object is a Variable Assign where we set a custom variable (session.custom.searchou) so that you do not need to modify the JavaScript.  This string is stripped from the full DN to make the dropdown list easier to read, so it needs to start with a comma, because the full DN of a group is “CN=VEND1-QA,OU=VPN,DC=fr,DC=del,DC=corp”.


After the Variable Assign we have another “Logon Page” VPE event labeled “VPN Decision – LP”.  This is where the end user decides which Network Access resource to access.  On this page we configure a “select” box with post and session variable names of “group_name” and a single value of “value=>value”.  That placeholder is overwritten later by the customized page, but the VPE needs it so that the variable exists.  I also modified the Form Header, Field Label and Logon Button Label.


Last we have an “Advanced Resource Assign” to provision the access.  Here we check the value of “session.logon.last.group_name” and, in the same expression, verify that the user is actually a member of the matching group.  The value posted from the dropdown is under the client’s control, so this membership check is the security control that ensures a user can only obtain a resource they are allowed to have.  In the screenshot below the group mapping is listed in entries 1 through 4, and entry 5 is the webtop assign that everybody gets.


The only other piece is a customized page applied to the second logon page.  I will provide the full page you can use to replace the current one as an attachment below.  The screenshot is here to show you the custom code.  It is basic JavaScript that takes the list of groups you are a member of, cleans it up, splits it into an array, and checks which groups are in the VPN OU.  If a group is in the VPN OU we do a little more formatting on the string before appending it to the “dynamicInput” element we also create on the page.
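The logic described above, written out as an added JavaScript example.  This is not the attached logon page file; it is illustrative code that assumes the page has the user’s group list available as a string in the format APM uses for multi-valued attributes (values joined with “ | ”, which is how session.ad.last.attr.memberOf would be templated into the page) plus the OU suffix from session.custom.searchou.  The names MEMBER_OF, SEARCH_OUS, vpnGroupNames and populateSelect are this example’s own.  It goes one step beyond the article in accepting more than one search OU, which is the situation raised in the comments.

```javascript
// Added example, not the article's attached logon page code.
// Builds the Network Access dropdown from the user's AD group memberships.
//
// Assumptions (labelled): MEMBER_OF holds the memberOf attribute as APM
// formats multi-valued attributes (values joined with " | "); SEARCH_OUS holds
// one or more suffixes of the form used for session.custom.searchou. In a real
// logon page these would be templated in from the session variables.

// Constructed sample input: two VPN groups, one ordinary group, and a group
// whose CN collides with a VPN group but lives in a different OU.
const MEMBER_OF = [
  "CN=Domain Users,CN=Users,DC=fr,DC=del,DC=corp",
  "CN=VEND1-QA,OU=VPN,DC=fr,DC=del,DC=corp",
  "CN=Vendor A Prod,OU=VPN,DC=fr,DC=del,DC=corp",
  "CN=VEND1-QA,OU=Old,DC=fr,DC=del,DC=corp",
].join(" | ");

// The article uses a single OU; pass a second entry to search two OUs.
const SEARCH_OUS = [",OU=VPN,DC=fr,DC=del,DC=corp"];

// Returns the sorted, de-duplicated group names (the CN) of groups that sit
// directly in one of the search OUs. Matching is case-insensitive because
// LDAP DNs are; the returned name keeps the CN's original case.
function vpnGroupNames(memberOf, searchOus) {
  const suffixes = searchOus.map((s) => s.toLowerCase());
  const names = [];
  for (const raw of memberOf.split("|")) {
    const dn = raw.trim();
    const lower = dn.toLowerCase();
    const suffix = suffixes.find((s) => lower.endsWith(s));
    if (!suffix) continue;                              // not under a VPN OU
    const rdn = dn.slice(0, dn.length - suffix.length); // strip the OU suffix
    if (!rdn.toLowerCase().startsWith("cn=")) continue;
    if (/(^|[^\\]),/.test(rdn)) continue;               // nested OU, not directly in it
    const name = rdn.slice(3);
    if (!names.includes(name)) names.push(name);
  }
  return names.sort();
}

// Replaces the placeholder "value" option on the group_name select with the
// real list. The option value must equal the CN exactly, because the VPE
// compares session.logon.last.group_name to it with ==. This list is only a
// convenience for the user; the membership check in the Advanced Resource
// Assign is what actually controls access.
function populateSelect(selectEl, names) {
  while (selectEl.firstChild) selectEl.removeChild(selectEl.firstChild);
  for (const name of names) {
    const opt = document.createElement("option");
    opt.value = name;
    opt.textContent = name;
    selectEl.appendChild(opt);
  }
  return selectEl.options.length;
}

// Browser-only wiring; skipped when run outside a page (e.g. under Node).
if (typeof document !== "undefined") {
  const sel = document.querySelector('select[name="group_name"]');
  if (sel) populateSelect(sel, vpnGroupNames(MEMBER_OF, SEARCH_OUS));
}
```

With the constructed input, vpnGroupNames returns only the two groups under OU=VPN; the VEND1-QA group in OU=Old is dropped, which matters because the server-side expression only accepts the DN under the VPN OU.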


I hope this configuration helps with your deployments and gives you an idea of how flexible and powerful APM can be for your organization.

If you have any questions about the changes to the file and the JavaScript please ask in the comments below.


Steps to Configure:

I am going to assume that you are familiar with APM and the VPE so I will not go into great detail on most of these steps.  If you need clarification on any step please let me know.

1. Create a new Access Policy

2. Open the VPE and configure the following Actions (see the screenshot above for placement of each action).

3. Add a Logon Page Action: This is a standard logon page with a username and password box.

4. Add an AD Auth Action: This is a standard AD Auth pointed to an existing AD AAA Object.

5. Add an AD Query Action: This is a standard AD Query pointed to an existing AD AAA Object.  Make sure to enable "Fetch Primary Group" and that the AD AAA Object has an admin account configured.

6. Add a Client Type Action: This is a normal Client Type Action with three branches.  Edge Client, Full or Mobile Browser and fallback.

7. Add a Variable Assign Action along the Edge Client Branch: In this variable assign enter the following into the assignment.

Custom Variable = session.custom.searchou
Custom Expression = expr { ",OU=VPN,DC=fr,DC=del,DC=corp" }

8. Add a Logon Page Action: I labeled this “VPN Decision – LP”

In input 1 configure the following:
Type: select
Post Variable Name: group_name
Session Variable Name: group_name
Values:   Value: value   Text: value
Read Only: No

Leave input 2 – 5 as type of “none”.

Modify the following in the bottom Customization section:
Form Header Text: Please select which network you want to access.
Logon Page Input Field #1: Select Network
Logon Button: Continue

9. Add an Advanced Resource Assign Action: Create the following entries.  You will need to enter the expression below in the Advanced Tab.

Expression: expr { [mcget {session.logon.last.group_name}] == "Vendor A Prod" && [mcget {}] contains "CN=Vendor A Prod,OU=VPN,DC=fr,DC=del,DC=corp" }
Assignment:   Network Access: /Common/Vendor_A_Prod (this is a network access resource configured with all appropriate settings for the group assigned)

Expression: expr { [mcget {session.logon.last.group_name}] == "VEND2-DEV" && [mcget {}] contains "CN=VEND2-DEV,OU=VPN,DC=fr,DC=del,DC=corp" }
Assignment:   Network Access: /Common/vend2-dev

Expression: expr { [mcget {session.logon.last.group_name}] == "VEND1-PROD" && [mcget {}] contains "CN=VEND1-PROD,OU=VPN,DC=fr,DC=del,DC=corp" }
Assignment:   Network Access: /Common/vend1-prod

Expression: expr { [mcget {session.logon.last.group_name}] == "VEND1-QA" && [mcget {}] contains "CN=VEND1-QA,OU=VPN,DC=fr,DC=del,DC=corp" }
Assignment:   Network Access: /Common/vend1-qa

Expression: Empty
Assignment:   Webtop: /Common/full_wt (this is just a full webtop object)

10. Add an Advanced Resource Assign on the browser branch of the Client Type Action: I labeled this one “Advanced Resource Assign – Browser”.  This is a standard resource assign where you will need to map a group to a resource.  The only difference between this assign and the previous assign is the expression doesn’t need to check for the value of the session.logon.last.group_name variable as this variable will not exist on the browser branch.

11. Now that the Access Policy is created and the VPE is configured, the next step is to go into Advanced Customization and replace the page file for the second logon page labeled “VPN Decision – LP”.

To modify the page we need to go to Access Policy > Customization > Advanced.

12. Expand the folder tree to get to the page.  Customization Settings > Access Profiles > /Common/edge_client_select > Access Policy > Logon Pages > VPN Decision – LP >


13. Click on the file and, on the right side of the screen, select all text and replace it with the code at the following link.

14. Click “Save Draft” in upper right hand corner

15. Click “Save” in the tool bar.

16. Apply the Access Policy

17. Attach the Access Policy to a Virtual Server

18. Test your access.
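Before testing on the box it helps to work through the step 9 expressions with honest and forged inputs.  The following is an added JavaScript model of the five Advanced Resource Assign entries; it is not APM configuration and not the article’s code.  It assumes that the membership variable the Tcl expressions read is session.ad.last.attr.memberOf (where AD Query stores memberOf), that APM joins its values with “ | ”, and that every entry whose expression is true contributes its assignment, so the empty-expression webtop entry always applies.  ENTRIES, entryMatches, assignResources and makeSession are this example’s own names.

```javascript
// Added example, not APM configuration: a JavaScript model of the five
// "Advanced Resource Assign" entries from step 9, so the authorization rule
// can be exercised with honest and forged dropdown values.
//
// Assumptions (labelled): the membership variable the Tcl expressions read is
// session.ad.last.attr.memberOf; APM joins its values with " | "; every entry
// whose expression is true contributes its assignment, so the
// empty-expression webtop entry always applies.

const VPN_OU = ",OU=VPN,DC=fr,DC=del,DC=corp"; // same value as session.custom.searchou

// Entries 1-5. `group` is the dropdown value the user must have posted;
// `group: null` models the empty expression of entry 5.
const ENTRIES = [
  { group: "Vendor A Prod", assign: { networkAccess: "/Common/Vendor_A_Prod" } },
  { group: "VEND2-DEV",     assign: { networkAccess: "/Common/vend2-dev" } },
  { group: "VEND1-PROD",    assign: { networkAccess: "/Common/vend1-prod" } },
  { group: "VEND1-QA",      assign: { networkAccess: "/Common/vend1-qa" } },
  { group: null,            assign: { webtop: "/Common/full_wt" } },
];

// One expression from step 9:
//   [mcget {session.logon.last.group_name}] == "<group>" &&
//   [mcget {session.ad.last.attr.memberOf}] contains "CN=<group>,OU=VPN,..."
// Tcl's `contains` is a substring test on the raw attribute string. The
// needle carries both the "CN=" prefix and the full OU suffix, which is what
// stops a posted "VEND1-QA" from being satisfied by a VEND1-QA group in some
// other OU, or by a group such as VEND1-QA-OLD whose name merely starts with it.
function entryMatches(entry, session) {
  if (entry.group === null) return true;
  if (session["session.logon.last.group_name"] !== entry.group) return false;
  const needle = "CN=" + entry.group + VPN_OU;
  return session["session.ad.last.attr.memberOf"].includes(needle);
}

// Evaluates every entry and collects the assignments, like the VPE action.
function assignResources(session, entries = ENTRIES) {
  const assigned = {};
  for (const e of entries) {
    if (entryMatches(e, session)) Object.assign(assigned, e.assign);
  }
  return assigned;
}

// Constructed session, shaped like the two variables the expressions read.
function makeSession(postedGroup, memberOfDns) {
  return {
    "session.logon.last.group_name": postedGroup,
    "session.ad.last.attr.memberOf": memberOfDns.join(" | "),
  };
}

// Constructed users for the checks: a legitimate VEND1-QA member, and a user
// whose VEND1-QA group lives outside the VPN OU.
const QA_USER = [
  "CN=Domain Users,CN=Users,DC=fr,DC=del,DC=corp",
  "CN=VEND1-QA" + VPN_OU,
];
const OTHER_OU_USER = ["CN=VEND1-QA,OU=Old,DC=fr,DC=del,DC=corp"];
```

A legitimate VEND1-QA member posting “VEND1-QA” gets /Common/vend1-qa plus the webtop; the same user posting “VEND1-PROD” (which the dropdown never offered, but a client can post anything) gets only the webtop, as does a user whose VEND1-QA group is in another OU.  One Tcl note if you adapt the expressions: inside expr, == compares numerically when both operands parse as numbers, while eq always compares strings; the group names here cannot parse as numbers, but eq is the stricter choice.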



I hope this helps!


Seth Cooper

It would be great if F5 added the possibility to select between multiple Network Access resources with the Edge Client as a built-in feature - is there a plan to do so? I have noticed that when I log on in the Edge Client, for a second I receive a screen with multiple NA resources before the client minimizes to the tray - now just make that screen stay and the options on it selectable 🙂
Hi! The RFE ID to have this added to the product is ID 473016. Please open a case and have your company linked with this ID and it will get more attention. This will help PD prioritize the feature and hopefully it will get built into the product sooner rather than later.
Hi Seth, I will do that (open RFE). In the meantime, thank you for this workaround. I have tried it, works like a charm. Great job!
I have a situation where I have to search two OUs in Step 7 (session.custom.searchou Variable Assign). I have tried to concatenate two additional variables like this but it is not working:
ad.searchou = expr { ",OU=VPN_AD,OU=VPN,DC=mycompany,DC=com" }
token.searchou = expr { ",OU=VPN_TOKEN,OU=VPN-grupe,DC=mycompany,DC=com" }
session.custom.searchou = expr {[concat "[mcget {ad.searchou}] [mcget {token.searchou}]"]}
Can you please give advice on how to achieve this?
The 3 assignments listed above are 3 separate entries in the Variable Assign object from Step 7.
What I would do in this situation is create the two session variables session.custom.searchou and session.custom.searchou2 and then on the logon in add a second if statement to check for the second OU. I cannot format in this comment so if you want help with the code please ask a devcentral question and post back here with the link to it so I can comment with formatting.
I'm guessing this is still an issue with being able to select between multiple network access resources? We just tried the edge client and are assigned the first resource option available. Is this something F5 will be fixing in an upcoming software release?
Oh...and Seth - WPS!!! 😉
Hi! This is still the only way to accomplish this today. You should open a support case and have it linked to ID 473016. The more customers are linked, the more it shows the developers how important it is. WPS!! -Seth
Does each network resource group available have to be coded into the Advanced Resource Assign Action identified in step 9?
If you have a matching group you display in the dropdown box (an AD group that matches), then if you leave that group out of the resource assign the user will not get any resource assigned unless you have a default at the bottom that matches anything. Is there an issue you are trying to work around? -Seth
Seth - I'm with your previous employer and for one VPE we have 178 restricted network groups. Do all 178 network group names have to be manually entered into the Advanced Resource Assign Action? It appears that in Step 9, you have made entries for your network groups and listed them all out, is that accurate? If that's the case and we have to identify them all in the Advanced Resource Assign Action, what is the maximum number of entries allowed within the "macro"?
Seth, this was a great help. I was able to get it working using LDAP. First, we have more than the needed groups showing in the dropdown select because they match the OU="",DC="",DC="" string. Is there a way to limit which groups show up that match that string? In testing I have about 7 groups show up but only 3 would actually work and are set up in Advanced Resource Assign. Second, I was able to get it working, but it would only work when I add a Network Access object AND a webtop object. If I don't include the webtop it tells me "Configuration error. Webtop configuration is required. Webtop configuration is not necessary for App Tunnel Control, or a Portal Access connection with minimal patching configured". Any idea why this is?
Hi wtl1, for the first issue you will have to find a way either using JavaScript (the code on the logon page) or you could even replace all of that with an iRule and a DataGroup. There are many ways to make this happen; you will need to decide on your best method. For the second issue, you have to have a webtop assigned. This is why in step 9 "ENTRY 5" I assign a webtop to all users.


Recently, a customer company under deployment has designated three Network Access resources on a single server and uses the Edge Client, so I looked this up.

It was very helpful, and I am sharing this because I came up with a new plan while thinking about the contents.

1. After all the authentication procedures in the VPE, a Logon Page was created before assigning Network Access resources,
and the values received there were split using Branch Rules, each connected to a different Network Access resource.
This worked normally, and there was no problem with the service.

2. This is more complicated than method 1, but I thought that customers who only use the Edge Client use Always Connected mode (including the Allow-in-Enterprise-LAN function).
The Edge Client for Windows did not support disconnecting in Always Connected mode.
Method 1 requires you to log in again every time you change the Network Access resource, but you couldn't do that on Windows.
To address this, we adopted a way of separating Network Access resources by VS so that they can be allocated.
The description below includes an example. I don't know if it'll help.

1) Create as many Virtual Servers as there are Network Access resources
- (for internal network use)
- (for external networks)
- (for composite networks)

2) In the Connectivity Profile, register all VSs created in 1) in the Server List.

3) After all the authentication procedures were completed, the VPE created one Empty action before assigning a Network Access resource,
split into branches using Branch Rules, each connected to a different Network Access resource.
* The branch criterion is the server port the client connected to.

4) Apply the same settings (iRule, Connectivity, Access Profile, SSL certificate, etc.) to the VSs created in 1), distinguishing them only by destination port.

There is no setup capture because there is no equipment to test on.
But I'm sure those of you who've seen this know what I'm talking about.
This was written with a translator, but I'm writing it because I want to help anyone who has the same concern as me.

Best regards,

Version history
Last update: ‎26-Feb-2015 06:34