F5 APM Syslog-NG parser
Hello everybody, I use the VPN big-ip Edge client F5 and I would like to generate a log with all theses session variables "session.ldap.last.attr.userPrincipalName + session.check_machinecert.last.cert.subject + session.assigned.clientip". My problem is that the "session.assigned.clientip" isn't populate in the session variable so I can't use a log message to make a custom log with all of theses values. So my question is , is it possible to parse theses logs with syslog-ng and concatenate all the syslog trame with the session ID ? and forward the log concatenated to an another syslog instance ? Don't know if my question is very undertandable ? Regards, MiguelBig-Ip Edge Client specials characters problems
Hello, I have installed the big-ip edge client version 7.2.4.5 with APM modern and I have some problem with specials characters in FRENCH as shown on the screenshot. What do I need to do ? I tried to modify the text on the general customization but I got an script error after that. Regards, Miguel CamposEdgeClient Version Display Mismatch
We observe there is a mismatch to the EdgeClient version displayed on the Application and on the Windows control panel programs. For example: On the EdgeClient application of v7240, it displays full version details. But on the same windows machine under control panel - Programs, it does not display the exact same version of EdgeClient. Is this a expected behaviour or an issue.Big-IP Edge client installation fails on Windows 11
Hello Team, I'm having an issue within installation of Edge Client on Windows 11 Both versions 7244 and 7245 fails with the same error during installation " Unable to load driver on this device. F5Fltdrv.sys A security setting prevents this driver from loading. You must adjust your settings to load this driver" Any idea what might be the problem? The issue is not present on Windows 10. Best Regards,
Deploy BIG-IP Edge Client (iOS) with configuration string
Greetings all, I'm very new to F5 (only responsible for deploying Edge Client with MDM) and need some basic assistance. Are there any more examples available for Configuration XML strings used to deploy the Edge Client via MDM and VPP to iOS devices with connection settings already established? Specifically we are utilizing JAMF as our MDM. Apps can be given configuration settings in their deployment. I was attempting to use the below string but I'm getting an error - 'Incorrect Format'. Help is appreciated. Thanks! We are using user name and password for authentication, and it is an SSL appliance. IPv4 UserDefinedName The Name of our connection VPN AuthName $USERNAME RemoteAddress our F5 Address OnDemandMatchAppEnabled VPNSubType [com.f5.F5-Edge-Client.vpnplugin](//com.f5.F5-Edge-Client.vpnplugin) VPNType VPN
Machine Certificate Check - why does it fail?
Hi, I am trying to implement machine certificate check for Edge Client users. The machine certificate is stored in the default MY store and I assume I have configured the APM action correctly with: MY / LocalMachine / CA Bundle / YES to right elevation prompts. The connection fails always on machine certificate check with these entries in APM log: debug /Common/ap_edge_client:Common:4d76a881: MachineCert agent: ENTER Function executeInstance info /Common/ap_edge_client:Common:4d76a881: Executed agent '/Common/empty_act_machinecert_auth_ag', return value 0 info /Common/ap_edge_client:Common:4d76a881: Following rule 'fallback' from item 'Machine Cert Auth' to item 'Log F' info /Common/ap_edge_client:Common:4d76a881: Session variable 'session.check_machinecert./Common/empty_act_machinecert_auth_ag.result' set to '-2' info /Common/ap_edge_client:Common:4d76a881: Session variable 'session.check_machinecert.last.result' set to '-2' Edge client log file contains these entries: 0,2018-08-09,11:04:34:936,APPCTRL,7384,8484,Starting pending session ID: 4d76a881 48,2018-08-09,11:04:35:431,APPCTRL,7384,8484,URL: https:///my.policy 48,2018-08-09,11:04:36:330,APPCTRL,7384,8484,Cookie MRHSession not set 1,2018-08-09,11:04:36:498,APPCTRL,7384,8484,Authentication failure 1,2018-08-09,11:04:36:498,APPCTRL,7384,8484,Authentication failed - redirect (0x80070005) 0,2018-08-09,11:04:36:498,APPCTRL,7384,8484,Failed to establish session 4d76a881 I set the logging levels for this APM policy to debug for everything, but still none of the logs tell me what could be causing the problems. Is it my VPE action setting, is it perhaps something with CA, or the client rights? How should I identify the root cause here? What more can I do more to troubleshoot beside trying every possible set of settings in the APM machine certificate check action? Any help really appreciated! thx.Prevent BIG-IP Edge Client VPN Driver to roll back (or forward) during PPP/RAS errors
If you (like some of my customers) want to have the BIG-IP Edge Client packaged and distributed as a software package within your corporate infrastructure and therefore have switched off automatic component updates in your connectivity profiles, you might still get the covpn64.sys file upgraded or downgraded to the same version as the one installed on the BIG-IP APM server. Background We discovered that on some Windows clients the file covpn64.sys file got a newer/older timestamp in and started to investigate what caused this. The conclusion was that sometimes after hibernation or sleep, the Edge Client is unable to open the VPN interface and therefore tries to reinstall the driver. However, instead of using a local copy of the CAB file where the covpn64.sys file resides, it downloads it from the APM server regardless of if the version on the server and client match each other or not. In normal circumstances when you have automatic upgrades on the clients, this might not be a problem, however when you need to have full control on which version is being used on each connected client, this behavior can be a bit of a problem. Removing the Installer Component? Now you might be thinking, hey… Why don't you just remove the Component Installer module from the Edge Client and you won't have this issue. Well the simple answer to this is the fact that the Component Installer module is not only used to install/upgrade the client. In fact, it seems like it's also used when performing the Machine Check Info from the Access Policy when authenticating the user. So by removing the Component Installer module result in other issues. The Solution/workaround The Solution I came up with is to store each version of the urxvpn.cab file in an IFile and then use an iRule to deliver the correct version whenever a client tries to fetch the file for reinstallation. What's needed? In order to make this work we need to Grab a copy of urxvpn.cab from each version of the client Create an IFile for each of these versions Install iRule Attach iRule to the Virtual Server that is running the Access Policy Fetching the file from the apmclients ISOs For every version of the APM client that is available within your organization a corresponding iFile needs to be created. To create the iFiles automatically you can do the following on the APM server. Login to the CLI console with SSH Make sure you are in bash by typing bash Create temporary directories mkdir /tmp/apm-urxvpn mkdir /tmp/apm-iso Run the following (still in bash not TMSH) on the BIG-IP APM server to automatically extract the urxvpn.cab file from each installed image and save them in the folder /tmp/apm-urxvpn. for c in /shared/apm/images/apmclients-* do version="$(echo "$c" | awk -F. \ '{gsub(".*apmclients-","");printf "%04d.%04d.%04d.%04d", $1, $2, $3, $4}')" && \ (mount -o ro $c /tmp/apm-iso cp /tmp/apm-iso/sam/www/webtop/public/download/urxvpn.cab \ /tmp/apm-urxvpn/URXVPN.CAB-$version umount /tmp/apm-iso) done Check the files copied ls -al /tmp/apm-urxvpn Import each file either with tmsh or with GUI. We will cover how to import with tmsh below. If you prefer to do it with the GUI, more information abour how to do it can be found in K13423 You can use the following script to automatically import all files cd /tmp/apm-uxrvpn for f in URXVPN.CAB-* do printf "create sys file ifile $f source-path file:$(pwd)/$f\ncreate ltm ifile $f file-name $f\n" | tmsh done Save the new configuration tmsh -c “save sys config” Time to create the iRule when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable } when HTTP_REQUEST { set uri [HTTP::uri] set ua [HTTP::header "User-Agent"] if {$uri starts_with "/vdesk" || $uri starts_with "/pre"} { set version "" regexp -- {EdgeClient/(\d{4}\.\d{4}\.\d{4}\.\d{4})} $ua var version if {$version != ""} { table set -subtable vpn_client_ip_to_versions [IP::client_addr] $version 86400 86400 } else { log local0.debug "Unable to parse version from: $ua for IP: [IP::client_addr] URI: $uri" } } elseif {$uri == "/public/download/urxvpn.cab"} { set version "" regexp -- {EdgeClient/(\d{4}\.\d{4}\.\d{4}\.\d{4})} $ua var version if {$version == ""} { log local0.warning "Unable to parse version from: $ua, will search session table" set version [table lookup -subtable vpn_client_ip_to_versions [IP::client_addr]] log local0.warning "Version in table: $version" } if {$version == ""} { log local0.warning "Unable to find version session table" HTTP::respond 404 content "Missing version in request" "Content-Type" "text/plain" } else { set out "" catch { set out [ifile get "/Common/URXVPN.CAB-$version"] } if {$out == ""} { log local0.error "Didn't find urxvpn.cab file for Edge Client version: $version" HTTP::respond 404 content "Unable to find requested file for version $version\n" "Content-Type" "text/plain" } else { HTTP::respond 200 content $out "Content-Type" "application/vnd.ms-cab-compressed" } } } } Add the iRule to the APM Virtual Server Known Limitations If multiple clients with different versions of the Edge Client are behind the same IP address, they might download the wrong version. This is due to the fact that the client doesn't present the version when the request for the file urxvpn.cab reaches the iRule. This is why the iRule tries to store IP addresses based on the source IP address of other requests related to the VPN. More information about this problem can be found in K000132735Stop Edge Client auto prompt for re-login, after tunnel time-out
Many of our remote users keep their tunnels up and let them self time-out. After a Time-out, the tunnel is disconnected and the edge client will auto prompt for username and password credentials using the popup login page. Can I prevent auto popup of the login page after time-out, as in it would just disconnect the tunnel (just like clicking disconnect) ?
