ios
30 Topics

BIG-IP Edge Client 2.0.2 for Android
Earlier this week F5 released our BIG-IP Edge Client for Android with support for the new Amazon Kindle Fire HD. You can grab it off Amazon instantly for your Android device. By supporting BIG-IP Edge Client on Kindle Fire products, F5 is helping businesses secure personal devices connecting to the corporate network and helping end users be more productive, so it’s perfect for BYOD deployments.

The BIG-IP® Edge Client™ for all Android 4.x (Ice Cream Sandwich) or later devices secures and accelerates mobile device access to enterprise networks and applications using SSL VPN and optimization technologies. Access is provided as part of an enterprise deployment of F5 BIG-IP® Access Policy Manager™, Edge Gateway™, or FirePass™ SSL-VPN solutions.

BIG-IP® Edge Client™ for all Android 4.x (Ice Cream Sandwich) Devices Features:
- Provides accelerated mobile access when used with F5 BIG-IP® Edge Gateway
- Automatically roams between networks to stay connected on the go
- Full Layer 3 network access to all your enterprise applications and files
- Supports multi-factor authentication with client certificate
- You can use a custom URL scheme to create Edge Client configurations, start and stop Edge Client

BEFORE YOU DOWNLOAD OR USE THIS APPLICATION YOU MUST AGREE TO THE EULA HERE: http://www.f5.com/apps/android-help-portal/eula.html
BEFORE YOU CONTACT F5 SUPPORT, PLEASE SEE: http://support.f5.com/kb/en-us/solutions/public/2000/600/sol2633.html

If you have an iOS device, you can get the F5 BIG-IP Edge Client for Apple iOS, which supports the iPhone, iPad and iPod Touch. We are also working on a Windows 8 client which will be ready for the Win8 general availability.
ps

Resources
- F5 BIG-IP Edge Client Samsung
- F5 BIG-IP Edge Client Rooted
- F5 BIG-IP Edge Client
- F5 BIG-IP Edge Portal for Apple iOS
- F5 BIG-IP Edge Client for Apple iOS
- F5 BIG-IP Edge apps for Android
- Securing iPhone and iPad Access to Corporate Web Applications – F5 Technical Brief
- Audio Tech Brief - Secure iPhone Access to Corporate Web Applications
- iDo Declare: iPhone with BIG-IP

An invalid or expired certificate was presented by the server
Hi Guys! So we are building a per-app VPN setup using Intune for iOS (iPadOS) units and we pushed out the F5 Access app along with the Intune F5 Access app, which is then configured using an F5 Access VPN profile with certificate authentication; the certificate is pushed out to the device from an internal CA using a connector. Certificates for the device are installed fine alongside the root and intermediate, the profile in the F5 Access app has all the settings correct and the certificate is listed. On the server side we also configured everything with an access policy for iOS, we have added the root and intermediate certificates for trust and everything looks as it should, but we seem to have missed something and are unable to initiate a VPN connection: the device attempts to start a VPN tunnel but fails to do so with the error "An invalid or expired certificate was presented by the server".

What are we missing? Something with the certificates? A setting on the device? Something on the server we missed adding to the trust?

2021-05-11,15:36:54:112, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:435, startTunnel(options:completionHandler:), ------------------------------------------------------------
2021-05-11,15:36:54:112, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:436, startTunnel(options:completionHandler:), Release Version: 3.0.7
2021-05-11,15:36:54:112, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:437, startTunnel(options:completionHandler:), Bundle Version: 3.0.7.402
2021-05-11,15:36:54:113, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:438, startTunnel(options:completionHandler:), Build Date: Mon Sep9 12:13:19 PDT 2019
2021-05-11,15:36:54:113, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:439, startTunnel(options:completionHandler:), Build Type: CM
2021-05-11,15:36:54:113, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:440, startTunnel(options:completionHandler:), Changelist: 3134102
2021-05-11,15:36:54:114, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:441, startTunnel(options:completionHandler:), Locale: English (Sweden)
2021-05-11,15:36:54:114, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:442, startTunnel(options:completionHandler:), ------------------------------------------------------------
2021-05-11,15:36:54:117, 537,21259[com.apple.NSXPCConnection.user.endpoint],PacketTunnel, 48, PacketTunnelProvider.swift:451, startTunnel(options:completionHandler:), Connection Parameters: Optional("serverAddress: https://ourserver.adress.com, password: , ignorePassword: false, passwordExpirationTimeStamp: -1, passwordReference: not-set, passwordExpired: false, identityReference: set, postLaunchUrl: , webLogon: false, launchedByUriScheme: false, vpnScope: device, startType: manual, deviceIdentity: assignedId: ,instanceId: ,udid: ,macAddress: ,serialNumber: ")
2021-05-11,15:36:54:229, 537,21259[com.apple.NSURLSession-delegate],PacketTunnel, 1, AsyncURLRequest.swift:186, urlSession(_:didReceive:completionHandler:), Server certificate can not be trusted.
2021-05-11,15:36:54:233, 537,21259[com.apple.NSURLSession-delegate],PacketTunnel, 1, ProfileDownloadOperation.swift:94, main(), Profile download failed: sslInvalidServerCertificate
2021-05-11,15:36:54:236, 537,10507[com.apple.root.default-qos],PacketTunnel, 1, SessionManager.swift:127, logon(connectionParams:completionHandler:), Failed to download Profile Settings...Error:sslInvalidServerCertificate
2021-05-11,15:36:54:237, 537,10507[com.apple.root.default-qos],PacketTunnel, 1, PacketTunnelProvider.swift:527, startTunnel(options:completionHandler:), Failed to logon Error Domain=f5PacketTunnelProvider Code=0 "An invalid or expired certificate was presented by the server" UserInfo={NSLocalizedFailureReason=Error Domain=PacketTunnel.AsyncURLRequestError Code=5 "An invalid or expired certificate was presented by the server", NSLocalizedDescription=An invalid or expired certificate was presented by the server}
2021-05-11,15:36:54:238, 537,10507[com.apple.root.default-qos],PacketTunnel, 1, PacketTunnelProvider.swift:383, displayMessageIfUIVisible, An invalid or expired certificate was presented by the server

Any thoughts would be much appreciated! Thanks in advance,
Alex

APM Cookbook: On-Demand VPN for iOS Devices
Overview

I’ve been using On-Demand VPN for a number of years as it’s a secure and easy way to access applications while on the road, with the added benefit of conserving device battery life when idle. On-Demand VPN is a simple concept. You define a domain or list of domains in the “Connect On Demand” settings. The Edge Client looks at the DNS requests made by the app (e.g. Safari) and when the FQDN matches one of the defined domains, it fires up the VPN in the background and authenticates using an X.509 client certificate.

On-Demand VPN requires the installation of an X.509 client certificate on the iOS device, which can be provisioned using a number of tools. This article will not go into these tools, but I will give you a few ideas how to get the X.509 certificate on the device. Some of the methods I have used in the past:
- Mobile Device Management (MDM) configured to use Simple Certificate Enrollment Protocol (SCEP)
- iPhone Configuration Utility (iPCU)
- Email the .p12 or .pfx file

When using X.509 client certificates, I highly recommend adding the User Principal Name (UPN), e.g. test.user@f5.demo, to the Subject Alternative Name (SAN) extension. This allows APM to identify the user of the device and can be used for:
- Single Sign On (SSO) using Kerberos or SAML
- Active Directory / LDAP queries to determine group membership etc.
- Logging and Reporting

In a large scale environment I recommend using MDM, SCEP, a Certificate Authority (CA) and an OCSP Responder to verify the revocation status. This article will cover how to configure APM to authenticate the user and establish the VPN tunnel automatically using the On-Demand feature.

My Example

In my working example, I have a pre-configured CA called “CA1” joined to the domain “f5.demo”. The iOS device has the client certificate (Test User) installed with a UPN “test.user@f5.demo” in the SAN extension. This certificate has been issued by CA1 and is trusted by the iOS device. I have also installed the F5 Edge Client via the App Store.

Step 1 – Import the SSL Certificates

1.1 Import the SSL Certificate/Key that will be used for the SSL VPN connection
System >> File Management >> SSL Certificate List
Please follow SOL14620: Managing SSL certificates for BIG-IP systems. My configuration looks like this:

1.2 Import the Certificate Authority certificate that is signing the client certificates
Repeat step 1.1, but this time you need to import the CA certificate (without the key) that is signing the user certificates. It should look something similar to this:

Step 2 – Create a Client SSL Profile

Local Traffic >> Profiles >> SSL >> Client >> “Create”
Supply the following:
  Name: vpn.f5.demo_ssl_profile
  Parent Profile: clientssl
  Certificate: vpn.f5.demo
  Key: vpn.f5.demo
  Trusted Certificate Authorities: CA1
Select “Finished” to save.

Step 3 – Create the APM Configuration

In this example I will use On-Demand Certificate Authentication to validate the client certificate and some TCL to extract the UPN from the SAN extension. After successful authentication, a VPN tunnel is then assigned and established. You can expand on this configuration by adding an OCSP Responder to check if the certificate has been revoked. Simply modify the names, IP addresses, DNS etc. to suit your environment.

3.1 Create a Webtop
Access Policy >> Webtop >> Webtop List >> “Create”
Supply the following:
  Name: vpn_webtop
  Type: Full
Select “Finished” to save.

3.2 Create a Connectivity Profile
Access Policy >> Secure Connectivity >> Connectivity Profile >> “Create”
Supply the following:
  Name: vpn_cp
  Parent Profile: connectivity
Select “Finished” to save.

3.3 Create a Lease Pool
Access Policy >> Network Access >> Lease Pools >> IPv4 Lease Pools >> “Create”
Supply the following:
  Name: vpn_lease_pool_10.123.123.0
  Start IP Address: 10.123.123.1
  End IP Address: 10.123.123.254
Select “Add”, then select “Finished” to save.

3.4 Create a Network Access
Access Policy >> Network Access >> Network Access List >> “Create”
Supply the following:
  Name: vpn_na
  Caption: SSL VPN
Select “Update” to save.
Under “Network Settings”, supply the following:
  IPV4 Lease Pool: vpn_lease_pool_10.123.123.0
  Traffic Options: Use split tunneling for traffic (select the appropriate option for your environment)
  IP Address: 10.0.0.0
  Mask: 255.0.0.0
Select “Add”, then select “Update” to save.
Under “DNS/Hosts”, supply the following:
  IPV4 Primary Name Server: 10.10.20.1
  DNS Default Domain Suffix: f5.demo
Select “Update” to save.

3.5 Create an Access Policy
We can now bring it all together using the Visual Policy Editor (VPE).
Access Policy >> Access Profiles >> Access Profile List >> “Create”
Supply the following:
  Name: vpn.f5.demo_ap
  Languages: English (en)
Use the default settings for all other settings. Select “Finished” to save.

3.6 Edit the Access Policy in the VPE
Access Policy >> Access Profiles >> Access Profile List >> “Edit” (vpn.f5.demo_ap)
On the fallback branch after the Start object, add an On-Demand Cert Auth object. Leave the defaults and “Save”.
On the Successful branch after the On-Demand Cert Auth object, add a Variable Assign object. Supply the following:
  Name: Extract UPN
Add the following variable assignments by selecting “Add new entry” >> “change”.

Variable Assignment 1:
  Custom Variable (Unsecure): session.logon.last.domain
  Custom Expression:
    set upn [mcget {session.logon.last.upn}];
    if {[string first "@" $upn] >= 0} {
        return [string range $upn [expr { [string first "@" $upn] + 1 } ] end ];
    } else {
        return "";
    }

Variable Assignment 2:
  Custom Variable (Unsecure): session.logon.last.username
  Custom Expression:
    set upn [mcget {session.logon.last.upn}];
    if {[string first "@" $upn] >= 0} {
        return [string range $upn 0 [expr { [string first "@" $upn] - 1 } ] ];
    } else {
        return $upn;
    }

Variable Assignment 3:
  Custom Variable (Unsecure): session.logon.last.upn
  Custom Expression:
    set e_fields [split [mcget {session.ssl.cert.x509extension}] "\n"];
    foreach qq $e_fields {
        if {[string first "othername:UPN" $qq] >= 0} {
            return [string range $qq [expr { [string first "<" $qq] + 1 } ] [expr { [string first ">" $qq] - 1 } ] ];
        }
    }
    return "";

Select “Finished”, then “Save” when you’re done. The VPE should look similar to this:

On the fallback branch after the Extract UPN object, add a Full Resource Assign object. Supply the following:
  Name: SSL VPN
Select “Add new entry” >> “Add/Delete”:
  Add the Webtop: /Common/vpn_webtop (from step 3.1)
  Add the Network Access: /Common/vpn_na (from step 3.4)
Select “Update”, then “Save”.
On the fallback branch after the SSL VPN object, change the Deny ending to Allow. The finished policy should look similar to this:

Step 4 – Create the Virtual Server for SSL VPN

In this step, you need to create an HTTPS Virtual Server (VS) for the Edge Client to establish the connection. I also recommend creating a DTLS VS in addition to the HTTPS VS. This configuration is well documented in the APM Manual and I will not go through the DTLS VS creation.
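The three Variable Assign expressions in step 3.6 are the part of this policy most worth testing outside the VPE, so here is a standalone Python re-implementation of their logic. This is an added example, not the article's TCL and not F5 code; the layout of the session.ssl.cert.x509extension text it parses is a constructed approximation (one extension per line, the UPN as an othername:UPN<...> entry) and should be compared against a real session on your BIG-IP version. It also adds a has_usable_upn check that the article's policy does not have.

```python
"""Standalone Python mirror of the Extract UPN Variable Assign object
(added example; not the article's TCL and not F5 code). The x509extension
text format is a constructed approximation of session.ssl.cert.x509extension."""

import re

# Constructed sample of the extension dump, one extension per line, which is
# the layout the TCL's split on "\n" relies on. The UPN rides in an otherName
# entry of the Subject Alternative Name, as the article recommends.
SAMPLE_X509EXTENSION = (
    "X509v3 Key Usage: critical\n"
    "Digital Signature, Key Encipherment\n"
    "X509v3 Subject Alternative Name:\n"
    "othername:UPN<test.user@f5.demo>, email:test.user@f5.demo\n"
)

# Constructed sample with no UPN at all (for instance a machine certificate).
SAMPLE_NO_UPN = "X509v3 Basic Constraints: CA:FALSE\n"

UPN_RE = re.compile(r"othername:UPN<([^>]*)>")


def extract_upn(x509extension: str) -> str:
    """Variable Assignment 3: the first line carrying othername:UPN wins and
    the text between '<' and '>' is returned; "" when no such line exists."""
    for line in x509extension.split("\n"):
        if "othername:UPN" in line:
            match = UPN_RE.search(line)
            return match.group(1) if match else ""
    return ""


def split_upn(upn: str) -> tuple:
    """Variable Assignments 2 and 1: (username, domain). With no '@' the whole
    value becomes the username and the domain is "", as the TCL else branches do."""
    at = upn.find("@")
    if at < 0:
        return upn, ""
    return upn[:at], upn[at + 1:]


def logon_variables(x509extension: str) -> dict:
    """The three session.logon.last.* values the policy ends up with."""
    upn = extract_upn(x509extension)
    username, domain = split_upn(upn)
    return {
        "session.logon.last.upn": upn,
        "session.logon.last.username": username,
        "session.logon.last.domain": domain,
    }


def has_usable_upn(variables: dict) -> bool:
    """Check worth adding as a branch before the resource assignment: an empty
    username or domain means SSO and group lookups keyed on the UPN cannot work."""
    return bool(variables["session.logon.last.username"]) and bool(
        variables["session.logon.last.domain"]
    )


if __name__ == "__main__":
    for sample in (SAMPLE_X509EXTENSION, SAMPLE_NO_UPN):
        values = logon_variables(sample)
        print(values, "usable" if has_usable_upn(values) else "NOT usable")
```

The point of has_usable_upn: in the policy as drawn, the Extract UPN object's fallback branch leads straight to the Full Resource Assign, so a certificate issued by CA1 that carries no UPN still receives the VPN with an empty session.logon.last.username. If SSO or group lookups depend on the UPN, an Empty-check on session.logon.last.upn before the SSL VPN object closes that gap.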
4.1 Create the HTTPS VS
Local Traffic >> Virtual Servers >> Virtual Server List >> “Create”
Supply the following:
  Name: vpn.f5.demo_https_vs
  Destination: 10.10.20.100
  Service Port: HTTPS
  HTTP Profile: http
  SSL Profile (Client): vpn.f5.demo_ssl_profile (from step 2)
  SNAT Pool: Auto Map
  Access Profile: vpn.f5.demo_ap (from step 3.5)
  Connectivity Profile: vpn_cp (from step 3.2)
Select “Finished” to save.

Step 5 – Configure the Edge Client on the iOS device and Test

5.1 Create a new Edge Client Configuration
Open the Edge Client and select “Settings” then “Add Configuration…”. Supply the following:
  Description: On Demand VPN
  Server: vpn.f5.demo
  Use Certificate: On
  Certificate: Test User
  Connect On Demand: On
  Select Domain List >> Add Domain… (in my example: demo.vpn)
Don’t forget to Save.

5.2 Test
Open Safari and access a URL that will cause the VPN trigger. In my example http://intranet.demo.vpn, a SharePoint site. The VPN will start up when it sees the DNS query for intranet.demo.vpn and the data will flow across the VPN as per the Network Access settings.

Conclusion

On-Demand VPN with APM is a simple way to enable the workforce by providing a secure and easy to use remote access solution while out of the office.

iOS Receiver w/APM & StoreFront 1.2
Hi, I'm having some issues using APM as a replacement for Citrix Access Gateway. I have followed the VDI 1.1.0RC2 deployment guide, and have a config that works in Safari, but not using native Receiver. We're using two factor, domain and token (non-RSA). I've manually created a Receiver profile using https:///Citrix//PNAgent/config.xml, which matches the Legacy Support URL in StoreFront. Other settings are Access Gateway, Enterprise Edition, Security Token = on, Domain + Security Token.

I get an error 'Could not Log On. The address given did not provide a valid App list...'. I did a packet capture and I can see an initial GET to the full URL (/Citrix//PNAgent/config.xml) along with a 200 back, but subsequent GETs use the default (/Citrix/PNAgent/config.xml); these will be 302'd back to the correct URL, but are always followed by a POST to /Citrix/PNAgent/enum.aspx, which 404s.

I'm not sure if I am missing something to rewrite the contents of the config.xml file, or to manually specify it somewhere (or if my Receiver config is even correct!). I have created an iRule Data Group as the doc indicates, using APM_Citrix_ConfigXML, with String = , Value = /Citrix//PNAgent/config/xml. This doesn't seem to influence the behaviour in any way. Note: the doco says to use the Store WEB URL as the value, which seems wrong to me; the config.xml path makes more sense.

Anyway, any help or pointers would be greatly appreciated, version info below, thanks!

Versions:
iPad 2 6.1.3
Receiver 5.8.2
LTM/APM 11.4 HF3
Storefront 1.2.0.31

Multipath TCP (MPTCP)
#mobile #webperf #IOS7

Two! Two connections at the same time, ah ah ah...

Long ago, when the web was young, we (as in the industry) figured out how to multiplex TCP (and later HTTP, which we now call message steering) in order to dramatically improve application performance while simultaneously reducing load on servers. Yes, you could do more with less. It was all pretty exciting stuff.

Now, at long last, we're seeing the inverse come to life on the client side in the form of Multipath TCP (MPTCP) or, if you prefer a more technical-sounding term to confuse your friends and family: inverse multiplexing.

While the geeks among us (you know who you are) have always known how to use both the wired and wireless interfaces on our clients, it's never been something that had real advantages when it comes to web performance. There was no standard way of using both connections at the same time and really, there was very little advantage. Seriously, if you're wired up to at least a 100Mbps full duplex LAN do you really need a half-duplex wireless connection to improve your performance? No.

But in the case of mobile devices, the answer is a resounding yes - yes I do. Because 2 halves make a whole, right? Okay, maybe not, but it's certainly a whole lot closer.

THE MAGIC of MULTIPLEXING

Most mobile devices enable you to connect over both a wireless radio (mobile) network and a wireless LAN network. Most of the time you're probably using both at the same time without conscious thought. It just does what it does, as long as it's configured and connected. What it doesn't do, however, is enable an application to use both connections at the same time to connect up to an application. Your application can often use either one, but it is limited to using just one at a time. Unless you're using an MPTCP-enabled device.

TCP is built on the notion of a single connection between 2 hosts. MPTCP discards that notion and enables a device to seamlessly switch between and/or simultaneously send a TCP connection over multiple interfaces. Basically, MPTCP splits up a TCP connection into subflows, and is able to (based on the device) dynamically route messages across either of those subflows. This is, you're thinking, perfect for HTTP exchanges, which often require a significant number of "sub-requests" for a client to retrieve all the objects required for a given web page/application. Exactly. You're sending (and one hopes receiving) data twice as fast. Which on a mobile device is likely to be very noticeable.

The problem is (and you knew there was one, didn't you?) that both the client and the host need to "speak" MPTCP to realize its potential benefits with respect to application performance. There aren't a whole lot of implementations at the moment, though one of those being iOS7 is certain impetus for hosts (the server side of all those apps) to get refitted for MPTCP. Of course, that's unlikely, isn't it? If you're in the cloud, are your hosts MPTCP ready? If you're not in the cloud, is your own infrastructure MPTCP ready?

Like SPDY before it (and there's an interesting scenario - running MPTCP over SPDY), these kinds of protocol enhancements require support on both the client and the server, and generally speaking, while organizations want to be able to leverage the improvements in performance (or efficiency or security), they can't justify a forklift upgrade and the ensuing disruption to get there. Further complicating potential adoption is limited support. Though Apple certainly holds a significant share of the mobile market, it's not the only player, and MPTCP is only supported by iOS7 - an upgrade that hasn't been exactly cheered as the greatest thing since sliced bread by the market in general.

Whether MPTCP will gain momentum as iOS7 continues to roll out and other players adopt it (and that is not necessarily a given) will be determined not only by application developers desiring (or perhaps demanding) support but by whether or not organizations are able to rapidly roll out support on their end without completely replacing their entire infrastructure.

A very good (and fairly technical) article on MPTCP and iOS7 from Ars Technica. And of course your day wouldn't be complete unless I pointed out the MPTCP RFC.

Solving Secure Mobile Access with F5 and iOS 7 Per app VPN - Part 1
Overview

As an F5 engineer out in the field I’m fortunate in the fact that I get to talk with customers about their projects and security concerns. While it probably would not surprise you to learn that Mobility is a key project for many organizations, what does surprise me is how many are still using a layer-3 VPN approach on mobile devices. The major problem with this design is that once the VPN is established, any application on the mobile platform can now access the corporate network. As we hear more and more about malware on mobile devices it is critical to start protecting corporate infrastructure by limiting access to corporate applications only.

With iOS 7 Apple introduced a great way to accomplish this with their Per app VPN. Per app VPN allows iOS to control which applications have access to the VPN tunnel. This gives organizations the ability to designate which applications are corporate apps and treat everything else as personal. Per app VPN also works in Safari with a per-tab level of granularity. So I can have one tab open watching who the Houston Texans take in the first round of the draft (Johnny Manziel of course) and a second tab that is securely connected to my corporate SharePoint site.

To take advantage of the iOS Per app VPN functionality Apple requires an Enterprise Mobile Management (EMM) solution to configure the mobile device and an Enterprise VPN solution like F5’s Access Policy Manager. So, if you’re anything like me you’ve scrolled past this text and straight to the pictures below because you need to deploy this ASAP, right? Well, here we go…

Configuration

The iOS Per app VPN uses F5’s APM SOCKS Proxy functionality, so we'll need TMOS 11.4 or higher installed on the BIG-IP and Edge Client 2.0 or higher installed on the mobile device.

1. Create a new Application Policy Profile and select your default language.
2. Customize the Profile's Visual Policy Builder by adding a Client Cert Inspection object and set the successful branch to Allow.
3. Create a new LTM Client SSL Profile: set Client Certificate to request; set Trusted Certificate Authority to the CA that signed the certificate installed on the iOS device.
4. Create a new LTM Virtual Server: add your custom Client SSL profile; select your Access Profile; select the default Connectivity Profile or create a custom connectivity profile with default settings; click the VDI & Java Support box to enable SOCKS proxy capabilities.

User Experience

So what does the end result look like? In the example below I tested the Safari per-tab capabilities by clicking the F5 shortcut icon and seamlessly had access to my test web server.

Next Steps

In Part 2 we will walk through how I configured AirWatch to perform the user experience demonstration.

F5 Access 2018 app shows "Unable to retrieve network access configuration" on iPhone 7 with iOS 12 (beta)
F5 Access 2018 app shows "Unable to retrieve network access configuration" on iPhone 7 with iOS 12 (beta) when we use Web Logon for authentication (for OTP codes). If we choose Native authentication (and remove the requirement for OTP), the VPN establishes just fine. On the server side, "Session deleted due to user logout request." when the user receives the error message. We're using split-tunnel VPN.

A user reported getting the above error after upgrading to iOS 12 Beta and installing the F5 Access 2018 app. I have replicated this on a brand new iPhone 7 after upgrading it to iOS 12. I am suspecting this is an iOS 12 Beta bug, but it is a problem nonetheless. See below for the relevant part of the client logs. I also saw this old thread which refers to the exact same "Error 111" message on iOS as seen in the F5 Access client log: https://stackoverflow.com/questions/20454853/nsxmlparsererrordomain-111

Excerpt from client log:
PacketTunnelProvider.swift, 477, startTunnel(options:completionHandler:), Session has been established
VpnFavoriteListOperation.swift, 110, main(), VPN Favorites failed: Error Domain=NSXMLParserErrorDomain Code=111 "(null)"
PacketTunnelProvider.swift, 484, startTunnel(options:completionHandler:), Network parameters have been received
PacketTunnelProvider.swift, 487, startTunnel(options:completionHandler:), Failed to get NA settings Internal Error: VPN resource was not found
PacketTunnelProvider.swift, 334, displayMessage(_:completionHandler:), Unable to retrieve network access configuration

Full log:
2018-07-09,13:23:07:672, 264,7683,PacketTunnel, 48, PacketTunnelProvider.swift, 368, startTunnel(options:completionHandler:), ------------------------------------------------------------
2018-07-09,13:23:07:684, 264,7683,PacketTunnel, 48, PacketTunnelProvider.swift, 369, startTunnel(options:completionHandler:), Release Version: 3.0.0
2018-07-09,13:23:07:698, 264,7683,PacketTunnel, 48, PacketTunnelProvider.swift, 370, startTunnel(options:completionHandler:), Bundle Version: 3.0.0.224
2018-07-09,13:23:07:704, 264,7683,PacketTunnel, 48, PacketTunnelProvider.swift, 371, startTunnel(options:completionHandler:), Build Date: Fri Mar 2 13:20:26 PST 2018
2018-07-09,13:23:07:709, 264,7683,PacketTunnel, 48, PacketTunnelProvider.swift, 372, startTunnel(options:completionHandler:), Build Type: CM
2018-07-09,13:23:07:712, 264,7683,PacketTunnel, 48, PacketTunnelProvider.swift, 373, startTunnel(options:completionHandler:), Changelist: 2509912
2018-07-09,13:23:07:715, 264,7683,PacketTunnel, 48, PacketTunnelProvider.swift, 374, startTunnel(options:completionHandler:), Locale: engelsk (Norge)
2018-07-09,13:23:07:718, 264,7683,PacketTunnel, 48, PacketTunnelProvider.swift, 375, startTunnel(options:completionHandler:), ------------------------------------------------------------
2018-07-09,13:23:07:727, 264,7683,PacketTunnel, 48, PacketTunnelProvider.swift, 382, startTunnel(options:completionHandler:), Connection Parameters: Optional("serverAddress: https://fjerntilgang.tine.no,password: ,ignorePassword: false,passwordExpirationTimeStamp: -1,passwordReference: not-set,passwordExpired: falseidentityReference: not-set,postLaunchUrl: ,webLogon: true,launchedByUriScheme: false,vpnScope: device,startType: manual,deviceIdentity: assignedId: ,instanceId: ,udid: ,macAddress: ,serialNumber: ")
2018-07-09,13:23:42:181, 264,7947,PacketTunnel, 48, PacketTunnelProvider.swift, 166, checkForConfigurationUpdate, Request update configuration with "{ "savePasswordEnabled" : false, "weblogonAutoPopulateEnabled" : true, "clearPassword" : false, "enforceWebLogon" : false, "enforceLogonMode" : false, "launchedByUriScheme" : false, "timeStamp" : -1, "logonSucceed" : true }"
2018-07-09,13:23:42:222, 264,7947,PacketTunnel, 48, PacketTunnelProvider.swift, 477, startTunnel(options:completionHandler:), Session has been established (Session ID: c47c4cf6)
2018-07-09,13:23:42:446, 264,12807,PacketTunnel, 1, VpnFavoriteListOperation.swift, 110, main(), VPN Favorites failed: Error Domain=NSXMLParserErrorDomain Code=111 "(null)"
2018-07-09,13:23:42:454, 264,12807,PacketTunnel, 48, PacketTunnelProvider.swift, 484, startTunnel(options:completionHandler:), Network parameters have been received
2018-07-09,13:23:42:459, 264,12807,PacketTunnel, 1, PacketTunnelProvider.swift, 487, startTunnel(options:completionHandler:), Failed to get NA settings Internal Error: VPN resource was not found
2018-07-09,13:23:42:487, 264,12807,PacketTunnel, 1, PacketTunnelProvider.swift, 334, displayMessage(_:completionHandler:), Unable to retrieve network access configuration

Provision IOS profile for Exchange ActiveSync with client certificate authentication
Problem this snippet solves:
If you need to use client certificate authentication for ActiveSync services on iOS, you need to deploy custom profiles through a Mobile Device Management (MDM) system. MDM is maybe a little bit too much to achieve only this feature. The iRule below provides the necessary materials to provision a certificate and an Exchange profile on iOS. Tested successfully on iOS 9. We use the SCEP protocol for certificate enrollment.

How to use this snippet:
You need to define a Virtual Server and an access profile to publish ActiveSync. Then, you need to assign the iRule to the Virtual Server. The certificate is retrieved using the SCEP protocol from a Microsoft ADCS 2012 R2. The SCEP URL should be changed in the Exchange payload. We configured APM to protect access to this service and retrieve attributes from Active Directory, but you can change the iRule code to retrieve information and protect the service in a different manner. When a user reaches the /enroll URI with the Safari browser, the provisioning process starts.

/!\ I provide an iOS payload as an example, but you need to modify it to fit your environment and save it as an iFile. Settings that need to be changed in the XML payload:
- <string>HOST.DOMAIN.COM</string> : ActiveSync FQDN
- <string>DOMAIN-Issuer-CA</string> : Issuing CA name (if it exists; otherwise the related code should be removed)
- <data>CERTIFICATE</data> : X.509 certificate in Base64 for the Issuing CA
- <string>DOMAIN-Root-CA</string> : Root CA name
- <data>CERTIFICATE</data> : X.509 certificate in Base64 for the Root CA
- <string>DOMAIN</string> : Organization name to be present in the user certificate
- <string>http://scep.domain.com/scep</string> : SCEP URL

External links
Github : github.com/e-XpertSolutions/f5
Code : 68654
Tested this on version: 11.5

Does the "Static Hosts" feature work for IOS VPN clients?
I've searched in vain for this elsewhere. Can I give iOS VPN clients (using F5 Access 3.0) a hosts file entry? The goal is for users to hit an internal server using an unqualified name. I've configured one in the network access list, but the test iPad behaves as if it's not there. There is no split tunnelling.

Solved

SSL VPN iOS 12 connection error
All,

After a while I wanted to start to use the F5 VPN again on the iPhone. I'm 100% sure that the policy has not changed since last time, when I was using the F5 app on iOS 10.x-11.x. Now I'm ending up with the following errors on the client/server side:

On the iPhone (PacketTunnel.log):
2019-01-12,18:57:53:263, 5332,13835,PacketTunnel, 48, PacketTunnelProvider.swift, 503, startTunnel(options:completionHandler:), Session has been established (Session ID: cbbdf673)
2019-01-12,18:57:53:537, 5332,14855,PacketTunnel, 48, PacketTunnelProvider.swift, 510, startTunnel(options:completionHandler:), Network parameters have been received
2019-01-12,18:57:53:737, 5332,14855,PacketTunnel, 1, PacketTunnelProvider.swift, 1058, establishTunnel(_:completionHandler:isReconnecting:), Tunnel connection fails: Error Domain=F5ChannelError Code=0 "" UserInfo={F5ChannelErrorCode=0, NSLocalizedDescription=}
2019-01-12,18:57:53:740, 5332,14855,PacketTunnel, 48, SessionManager.swift, 346, logout(_:completionHandler:), Start session logout request hangup code: (4) (Session ID: cbbdf673)
2019-01-12,18:57:53:880, 5332,7951,PacketTunnel, 48, SessionManager.swift, 399, logout(_:completionHandler:), Finished session logout request with hangup code (4) (Session ID: cbbdf673)

And on the F5 APM logging:
Jan 12 18:57:56 bigip1 notice tmm[14712]: 01490567:5: /Common/SSL:Common:cbbdf673: Session deleted (network_error, code - 4).

I'm running BIG-IP 12.0.0 Build 1.0.628 Hotfix HF1. Any help is really appreciated!!

Edit1: From a Windows machine it is working, no problems there.
Edit2: Just updated to BIG-IP 12.1.3.7 Build 0.0.2 Point Release 7, same errors.
Edit3: Got my hands on an iPad with iOS 11, working perfect.

Solved