Technical Articles
F5 SMEs share good practice.
cancel
Showing results for 
Search instead for 
Did you mean: 
Cody_Green
F5 Employee
F5 Employee

Overview

As an F5 engineer out in the field I’m fortunate in the fact that I get to talk with customers about their projects and security concerns.  While it probably would not surprise you to learn that Mobility is a key project for many organizations what does surprise me is how many are still using a layer-3 VPN approach on mobile devices.  The major problem with this design is that once the VPN is established any application on the mobile platform can now access the corporate network.  As we hear more and more about malware on mobile devices it is critical to start protecting corporate infrastructure by limiting access to corporate applications only.


With iOS 7 Apple introduced a great way to accomplish this with their Per app VPN.  Per app VPN allows iOS to control which applications have access to the VPN tunnel.  This gives organizations the ability to designate which applications are corporate apps and treat everything else as personal.  Per app VPN also works in Safari with a per-tab level of granularity.  So I can have one tab open watching who the Houston Texan’s take in the first round draft (Johnny Manziel of course) and a second tab that is securely connected to my corporate SharePoint site.


To take advantage of the iOS Per app VPN functionality Apple requires an Enterprise Mobile Management (EMM) solution to configure the mobile device and an Enterprise VPN solution like F5’s Access Policy Manager.  So, if you’re anything like me you’ve scrolled past this text and straight to the pictures below because you need to deploy this ASAP right?  We’ll here we go…

Configuration

The iOS Per app VPN uses F5’s APM SOCKS Proxy functionality so we'll need TMOS 11.4 or higher installed on the BIG-IP and Edge Client 2.0 or higher installed on the mobile device. 

1. Create a new Application Policy Profile and select your default language.

0151T000003d674QAA.jpg

 

 

 

 

 

 

 

 

2. Customize the Profile's Visual Policy Builder by adding a Client Cert Inspection object and set the successful branch to Allow

0151T000003d675QAA.jpg

 

 

 

 

3. Create a new LTM Client SSL Profile:

  • set Client Certificate to request
  • set Trusted Certificate Authority to the CA that signed the certificate installed on the iOS device.

0151T000003d676QAA.jpg

 

 

 

 

 

 

 

4. Create a new LTM Virtual Server:

  • Add your customer Client SSL profile
  • Select your Access Profile
  • Select the default Connectivity Profile of create a custom connectivity profile with default settings
  • Click the VDI & Java Support box to enable SOCKS proxy capabilities

0151T000003d677QAA.jpg

 

 

 

 

 

 

 

 

User Experience

So What does the end result look like?  In the example below I tested the Safari per-tab capabilities by clicking the F5 shortcut icon and seamlessly had access to my test web server.

0151T000003d678QAA.png 0151T000003d679QAA.jpg

 

 

 

 

 

 

 

 

 

Next Steps

In Part 2 we will walk through how I configured AirWatch to perform the user experience demonstration.

Comments
brad_11480
Nimbostratus
Nimbostratus
Thanks for this timely article. I am tasked with supporting a per-app using the APM and have been struggling to get it to work . Right now the MDM (MobileIron) is looking at the setup to see if it is correct.

 

I checked your examples against what I have and it seems to align fairly well. Now the service that the IOS device is connecting to using this, is the web resource behind the virtual server, correct? Or can it connect to a different service (not hosted on a F5 LTM) through this per-app tunnel?

 

 

Also my certificate check is slightly different, But the check is successful, so I assume this is valid.
Cody_Green
F5 Employee
F5 Employee
From my testing only the Client Cert Inspection object in the VPE worked. Any yes, as long as the F5 can access the internal web resource and the F5 can resolve the internal DNS entry you should be good to go.
Louis_Goulet_16
Nimbostratus
Nimbostratus
Hi Cody,

 

outside of the APm and LTM licences, do we need other specific licencing to get the IOS 7 Per apps VPN working on an f5?

 

 

if yes, is it a per user based licence?

 

 

If I take the example of one app activating a Per-aps VPN and at the same time we have Safari being connected on a corporate sharepoint using another per-apps VPN conenctions, so both connections would be active at the same time?

 

 

thanks a lot

 

Cody_Green
F5 Employee
F5 Employee
Louis,

 

 

Only an APM license is required for the IOS Per app VPN so if you have LTM and APM licensing you're good to go. As for your example, yes both apps would have access as long as they're connecting to the same APM.
whswhswhs124_98
Nimbostratus
Nimbostratus
'
Israel_Wagner_1
Nimbostratus
Nimbostratus
Hi Cody, Do we have F5 per app vpn solution for Android as well? Thank you
willie_aames_18
Nimbostratus
Nimbostratus
what vpn client you are trying to config? gts vpn? http://www.bestvpnservice.com/gtsvpn/
Louis_Goulet_16
Nimbostratus
Nimbostratus
Hi Cody, Did the Per App Vpn configuration of the f5 changed a lot since Apple is on IOS 9 now (using lates F5 edge client on IOS9.3.2)? where could I find a newer example? Thanks Louis Goulet
TSSRShot
Nimbostratus
Nimbostratus

Can anyone help me find the best way to integrate this with an iOS WebDAV client connecting to SharePoint? Currently, we use Cert Based Auth to SharePoint which redirects to STS. However, If I could combine the steps of the VPN CBA and use APM to SSO to SharePoint it would take all of the logic off of the client app.

 

MikeDavis_13988
Nimbostratus
Nimbostratus

Hi @TSSRShot

 

for iOS issues, i can refer you an app that is very useful for any iOS third party app installer. you can install it at this website for free!

 

Version history
Last update:
‎04-Apr-2014 11:31
Updated by:
Contributors