airwatch
6 Topics

Solving Secure Mobile Access with F5 and iOS 7 Per app VPN - Part 1

Overview

As an F5 engineer out in the field I'm fortunate in the fact that I get to talk with customers about their projects and security concerns. While it probably would not surprise you to learn that Mobility is a key project for many organizations, what does surprise me is how many are still using a layer-3 VPN approach on mobile devices. The major problem with this design is that once the VPN is established any application on the mobile platform can now access the corporate network. As we hear more and more about malware on mobile devices it is critical to start protecting corporate infrastructure by limiting access to corporate applications only.

With iOS 7 Apple introduced a great way to accomplish this with their Per app VPN. Per app VPN allows iOS to control which applications have access to the VPN tunnel. This gives organizations the ability to designate which applications are corporate apps and treat everything else as personal. Per app VPN also works in Safari with a per-tab level of granularity. So I can have one tab open watching who the Houston Texans take in the first round draft (Johnny Manziel of course) and a second tab that is securely connected to my corporate SharePoint site.

To take advantage of the iOS Per app VPN functionality Apple requires an Enterprise Mobile Management (EMM) solution to configure the mobile device and an Enterprise VPN solution like F5's Access Policy Manager. So, if you're anything like me you've scrolled past this text and straight to the pictures below because you need to deploy this ASAP, right? Well, here we go...

Configuration

The iOS Per app VPN uses F5's APM SOCKS Proxy functionality, so we'll need TMOS 11.4 or higher installed on the BIG-IP and Edge Client 2.0 or higher installed on the mobile device.

1. Create a new Application Policy Profile and select your default language.
2. Customize the Profile's Visual Policy Builder by adding a Client Cert Inspection object and set the successful branch to Allow.
3. Create a new LTM Client SSL Profile: set Client Certificate to request; set Trusted Certificate Authority to the CA that signed the certificate installed on the iOS device.
4. Create a new LTM Virtual Server:
   - Add your custom Client SSL profile
   - Select your Access Profile
   - Select the default Connectivity Profile or create a custom connectivity profile with default settings
   - Click the VDI & Java Support box to enable SOCKS proxy capabilities

User Experience

So what does the end result look like? In the example below I tested the Safari per-tab capabilities by clicking the F5 shortcut icon and seamlessly had access to my test web server.

Next Steps

In Part 2 we will walk through how I configured AirWatch to perform the user experience demonstration.

How to setup F5 LTM to allow PowerShell commands through VIP to Exchange servers for Airwatch
We have recently purchased F5 LTM to load balance MS Exchange 2010. Used the iApp to set it up and it works great. Now we are looking to deploy Airwatch for mobile devices and Airwatch needs to use PowerShell to talk to the Exchange servers. I have been searching high and low and don't seem to see what I need to configure for PowerShell through the VIP. We are using the same URL structure as the email VIP, example https://exch01.com/owa (works), https://excho1.com/powershell (doesn't work). Any tips, tricks, or config help would be greatly appreciated. Thanks!!

iRule to restrict ActiveSync traffic to particular IPs but allow all other Exchange traffic
Hi All, I am currently working on an MDM project, in which we are moving to AirWatch to proxy all ActiveSync traffic. In order to force all users to use AirWatch for all ActiveSync, we need to be able to drop all ActiveSync traffic on our Exchange CAS pool. As we are currently on Exchange 2013, virtually all traffic goes via https_443, hence we need to be able to drop only ActiveSync traffic that is not coming from our two AirWatch servers but allow all other traffic (ie OWA, RPC, Autodiscover, etc.). Below is a sample of code I have created to hopefully achieve this; would this work? And any recommendations?

    when HTTP_REQUEST {
        log local0. "Client IP: [IP::client_addr]"
        log local0. "URI: [HTTP::uri]"
        # The URI is lower-cased before the comparison, so the prefix must be lower-case too.
        # "starts_with" is used instead of "contains": iRule string operators take a literal
        # string, not a glob, so a trailing "*" would never match.
        if { [string tolower [HTTP::uri]] starts_with "/microsoft-server-activesync" and not [class match [IP::client_addr] equals Airwatch_SEG_Servers] } {
            # ActiveSync request from a source that is not one of the AirWatch SEG servers
            log local0. "dropped connection"
            reject
        } else {
            # Everything else (OWA, RPC, Autodiscover, SEG-proxied ActiveSync) goes to Exchange
            pool EXCHANGE_2013_https_int_pool
        }
    }

I have a Data Group called Airwatch_SEG_Servers containing the IPs of my two AirWatch servers which will proxy the ActiveSync traffic. Thanks in advance, Monty

Airwatch Admin Console
I have a particular situation where the Airwatch admin may not use the Airwatch Admin Console for more than 5 minutes. When he returns and begins clicking around in the application it takes him back to a sign-on screen. I have created a new TCP profile and changed the idle timeout to 1800 seconds, and they say they have changed it to that on the servers as well. But he continues to have the issue. I did a Wireshark capture and it appears that at 4.5 minutes the client begins a FIN/ACK process, tearing down the connection. So, my assumption was that this was something set by a cookie or otherwise from the application. However, when they use a hosts file and point it directly at the server they do not have the timeout issue. I am using source address persistence, my custom TCP profile, and the pool is in an active/passive situation by the request of the Airwatch SE. Any ideas on what could be the issue or further ways to troubleshoot? Thanks, Jim

iOS and Android F5 Edge Client enrolled in MDM - prevent ability for manually created profiles
Hi all, hoping to get some help or advice. I have a client who we are setting up in AirWatch and deploying the F5 VPN Edge Client to devices (Android and iOS). Authentication with F5 APM is via user certificate, issued from an NDES server via AirWatch. We have configured for per-app VPN use. Once the device is enrolled and the VPN policy installed on the device, we have found that it is possible for an end user to create an additional profile in the client, using the same certificate that was issued via AirWatch, thus enabling an end user to create a secondary profile and then have the whole device VPN into their infrastructure. We would like to prevent this from happening - the ability for the whole device to VPN into their infrastructure. Is there a way to either:

- Prevent the end user from creating their own profiles in the F5 Edge client
- Prevent the end user, when creating their own profiles, from creating an additional profile using the certificate in the configured profile
- Prevent the whole device from VPN'ing into the infrastructure and only accept per-app VPN connections

Or am I going about this completely the wrong way? Thanking the community in advance. Cheers, Tina.

APM : is VMware Workspace One supported as an Endpoint Management System?
Hello, in the past we added our on-premises Airwatch server in the Endpoint Management Systems list. We used this feature to check if the smartphones connecting to the VPN were properly enrolled. We used this feature only for a few users. We migrated to VMware Workspace One in SaaS mode but we forgot about this feature. Is VMware Workspace One supported as an Endpoint Management System? Could F5 APM connect to the WSO API? When adding our WSO instance as Airwatch, we got a "General configuration error". Thank you, Thomas