Exit

User Guide

• F5 Access Overview
• Configuring the Client
• Connecting to a Server
• Starting a connection from a URL
• Creating a server from a URL
• Managing certificates
• Trusting a root CA certificate
• Viewing Statistics
• Viewing Diagnostics
• Emailing Logs
• Supported Features in F5 Access

Back Exit

F5 Access Overview

F5 Access for iOS provides a secure VPN connection to your internal networks, behind a BIG-IP^® Access Policy Manager^™ or a BIG-IP^® Edge Gateway^™. With full network access, you can make RDP, SSH, and other types of connections to internal servers, in addition to internal web sites and applications.

To define a configuration, you need this information:

• An address to an Access Policy Manager or Secure Gateway server, for access to your network.
  This address is supplied in a Configuration. These Configurations appear on the app home screen or on the Configurations screen, depending on the device. An active connection is identified with a blue checkmark. VPN connection entries are configured on your device manually, or automatically configured by your enterprise administrator. This address is configured in a connection entry.
  Connection entries are listed on the F5 Access home screen. The active connection entry is identified on the F5 Access home screen or in the Connections list. VPN configurations are configured on your device manually, or automatically configured by your administrator.
• Authentication information to successfully complete your connection. This will be in the form of a username and password you must remember, or it will be contained in a digital certificate that has been configured on your device. For some VPN connections, both authentication methods may be required. Digital certificates are configured on your device manually, or automatically configured by your device administrator.

On the home screen, next to Configuration, click Add New to specify a new configuration.

To choose an existing configuration, click Settings, and select a configuration, or click Add Configuration to add a new configuration.

You will not be able to create a configuration if your device is managed by a Mobile Device Manager (MDM), and the MDM administrator prohibits it.

Note: Please allow notifications. Notifications for this app are required for app functionality. To enable notifications, in the Settings app, go to F5 Access > Notifications, and enable the Allow Notifications setting.

Back Exit

Configure the Client

• Adding a configuration
• VPN on demand connections

Back Exit

Add Configuration

Click Add New on the home screen, or click Add Configuration on the Settings screen to add a VPN configuration. In the Server field, type the fully qualified domain name of a BIG-IP^® Access Policy Manager^™or a BIG-IP^® Edge Gateway^™.
Type a name for this server in the Description field to describe it in the list of configurations.

Note: You must add a server description.

Note: You can use an IPv6 server address in the Server field, if such a configuration is enabled on the server.

Click Save to save the configuration and return to the Settings screen.

Note: The first time you save a configuration, you must click Allow to allow the configuration to be created, or authenticate with a passcode or Touch ID, if required by your device. This is not required when you create further configurations.

Use the following options to further customize the server configuration.

• Web Logon - Select this option to enable a browser web page for logon instead of a username and password dialog. The web page for web logon presents you with administrator-defined fields necessary for authentication. Username and password fields are not available at configuration time, but might become available after you connect, based on your administrator's settings.
• Use Certificate - When you enable this option, you can click the Certificate field to select a client certificate from the list of installed certificates. You must install a client certificate on your iOS device to use a certificate in the configuration. If no certificate is installed, the Certificate field displays No certificates found. See Managing Certificates for more information.
  
• Username - Type the username in this field.
• Password - Optionally type the password in this field. The password is stored on the client only if the server configuration allows password caching. Otherwise, the client will ask you for the password every time you log on.
  Note: If you use the Connect on Demand feature, and you use a username and password in addition to the client certificate, your server must allow saving of the client password.

Back Exit

Connect on Demand

Use the Connect on Demand feature to automatically start a network access client connection when you attempt to connect to a specific domain. You can also specify domains for which the VPN should not connect, and domains that should start a VPN tunnel only if necessary.

Connect on demand can be used with the following authentication options, or no authentication.

• Username and password
• Certificate only
• Certificate, username and password
• External logon page
• Multi-factor authentication

Note: Client Certificates can be installed in the following ways:

• Import directly using a URL link or with a share extension.
• Deploy with a VPN configuration by an MDM service or mobile configuration profile.

To use this feature, set the Connect on Demand switch to On. Click the Domain List field to specify domains, add domains, and click Done when you are finished. Actions are applied to all matching addresses. Addresses are compared using simple string matching. For example ".siterequest.com" matches www.siterequest.com and server.siterequest.com, but not www.mysiterequest.com. However, the domain "siterequest.com" with no initial period, matches all these domains.
You can specify domains for the following VPN actions.

• Never Connect - Does not start a VPN connection for addresses that match the specified domain, even if the VPN is active.
• Connect if Needed - Starts a VPN connection for addresses that match the specified domain only after a failed DNS lookup occurs.

Back Exit

Connect to a server

After you add a configuration, you can connect to the server.

At the bottom of F5 Access screen, click Connection. A configuration description is shown. Slide the Connection switch to connect to this configuration.

To select another configuration, click the Configuration field. The Settings screen is displayed. Select the desired configuration, and click Connection again at the bottom of the screen to return to the connection screen. After you connect, you can click Status to view tunnel details.

To disconnect from a server, at the bottom of F5 Access screen, click Connection. Slide the Connection switch off to disconnect from the displayed configuration.

Back Exit

Connect and disconnect with a URL

You can connect to, and disconnect from a server by typing a URL into your browser. You can connect either to a server at a specified URL or to a predefined server configuration.

URL connections use the following parameters.

Note: You can use an IPv6 server address for the server parameter, if such a configuration is enabled on the server.

f5access://{start|stop}?[parameter1=value1&
parameter2=value2...]

The syntax to start and disconnect from a URL follows.

• For a start operation, either the name or server parameter must be present in the URL.
• If the name parameter is specified, then F5 Access looks for the name in the list of existing configuration entries.
• If the server parameter is specified, then the name parameter is set to the same value as the server. A new configuration is created if a configuration with that name does not exist. If the specified configuration already exists, the other parameters specified in the URL are merged with the existing configuration. The result of this merged configuration is used only for the current, active connection, and does not persist.
• The username can be specified with the parameter username.
• The password can be specified with the parameter password.
• A post-launch URL can be specified with the parameter postlaunch_url.
• When the username is specified without a password, then an authentication prompt is displayed.
• If a name is specified with other parameters, such as server, username, or password, those parameters override what is specified in the configuration.
• logon_mode (optional) - Specifies whether the logon mode is the standard logon (native) or web logon (web). The default logon mode is native.
• When the password parameter is specified, it is used as a one-time password and not saved in the configuration.
• If there is already an active connection, a prompt appears to warn the user that the existing connection must be stopped before the new connection can start.
• The connection uses a client certificate if it is specified in the existing configuration.

Note:Special characters in parameters must be URL-encoded.

See URL Connection Examples for example usage of these parameters.

Back Exit

URL Connection Examples

• connecting to an existing configuration called MYVPN:
  f5access://start?name=MYVPN
• connecting to an existing configuration called MYVPN and including the server URL myvpn.siterequest.com:
  f5access://start?name=MYVPN&
  server=myvpn.siterequest.com
• connecting to a specific server called myvpn.siterequest.com:
  f5access://start?server=myvpn.siterequest.com
• connecting to an existing configuration called MYVPN and including the username smith and the password passw0rd:
  f5access://start?name=MYVPN&username=
  smith&password=passw0rd
• Starting a connection to a configuration called MYVPN and specifying the post-launch URL jump://?host=10.10.1.10&username=smith:
  f5access://start?name=MYVPN
  &postlaunch_url=jump%3A%2F%2F%3Fhost
  %3D10.10.1.10%26username%3Dsmith
• Stopping a connection:
  f5access://stop

Back Exit

Creating a server from a URL

Use the following URL and parameters to create a server:

f5access://create?server=server_address[&parameter1=
value1&parameter2=value2...]

The parameters are specified as follows:

• server (required) - server address is a DNS name.
• name (optional) - description of the configuration.
• username (optional) - logon user name.
• password (optional) - logon user password.
• domain_never (optional) - Comma-separated list of match pattern(s) for the Never connect domain list.
• domain_ifneeded (optional) - Comma-separated list of match pattern(s) for the Connect if needed domain list.
• logon_mode (optional) - Specifies whether the logon mode is the standard logon (native)or web logon (web). The default logon mode is native.

Note: Connect on Demand is enabled when valid values for domain_ifneeded or domain_never are specified.

See URL Server Examples for example usage of these parameters.

Back Exit

Creating a Server with a URL Examples

Create a server at edgeportal.siterequest.com
f5access://create?server=edgeportal.siterequest.com

Create a server named EdgePortal at edgeportal.siterequest.com
In this scenario, both name and server are specified, and username is absent.
f5access://create?name=EdgePortal&server=
edgeportal.siterequest.com

Create the same server with a username, password, and domains
f5access://create?name=EdgePortal
&server=edgeportal.siterequest.com
&username=edgeportal
&password=appledemo
&domain_never=abc.siterequest.com
&domain_ifneeded=intra.siterequest.com

Create the same server with a username and domains
f5access://create?name=EdgePortal
&server=edgeportal.siterequest.com
&username=edgeportal
&domain_never=abc.siterequest.com
&domain_ifneeded=intra.siterequest.com

Back Exit

View Stats

Click Statistics at the bottom of F5 Access screen to view statistics for the network access tunnel. Inbound and outbound traffic throughput and compression is graphed.

Back Exit

Trusting a CA root certificate

To trust certificates from a root certificate authority, you must install a root CA certificate to your device.

This ensures that your device will trust all certificates issued by that CA.

1. Download and open the certificate file with Safari, or open the certificate from the Mail app.
2. Go to Settings > General > About > Certificate Trust Settings, and enable the installed certificate in the Enable Full Trust for Root Certificates list.

Back Exit

Managing certificates

To manage client certificates that were imported using a URL link or with a share extension:

1. Go to Settings > Manage Certificates. The list of imported certificates is displayed.
2. To remove a certificate, swipe it in the list and click Delete.
3. To edit a certificate list, click Edit at the top right of the screen.

Import client certificate from a URL

To import a certificate (.p12 file) using a URL, go to Settings > Manage Certificates, and click Import Certificate...

The app prompts for a URL of the certificate. A password may be required if necessary.

Import client certificates with a share extension

You can use share extension to import a certificate (.p12 file) from the Mail app or other sources.

To import a certificate from the Mail app:

1. Attach the certificate to be imported to F5 Access, in the Mail app.
2. Tap and hold the attached certificate.
3. From Share options that pop up, select F5 Access from the list of apps. If F5 Access is not visible, scroll all the way to the right and click More... to enable it.
4. A password may be required if necessary. Type the password and click OK.

Back Exit

View Tunnel Details

Click the Status field after you connect on F5 Access connection screen to view tunnel details. Tunnel details are dependent on the server's network access configuration. Click Back to return to the main connection screen.

Back Exit

Viewing Diagnostics

To view diagnostics:

1. On your device, start F5 Access.
2. Click Settings.
3. Click Diagnostics.

Various system and network information is displayed for viewing, including device information, DNS servers, and routing tables. Click each category to view more information.

Back Exit

Emailing logs with F5 Access

To email the logs:

1. On your device, start F5 Access.
2. Click Settings.
3. Click Email Logs.

The logs are collected and added to an email. You can send this log to yourself or others to analyze.

Back Exit

Supported Features

Network Settings

• Split/Full tunnel (however, local subnet is always excluded from the tunnel even in full tunnel mode due to OS limitation)
• IPv4 lease pool (used to assign IPv4 address to the VPN connection)
• IPV4 LAN Address Space
• DNS Address Space
• IPV4 Exclude Address Space
• IPv6 lease pool (used to assign IPv6 address to the VPN connection)
• IPV6 LAN Address Space
• IPV6 Exclude Address Space
• DTLS
• DTLS port
• Compression
• Client Proxy Settings (only works when in full tunnel mode)
• Proxy autoconfig script
• Proxy address
• Proxy port
• Proxy exclusion

iOS F5 Access Settings

• Password Caching: Save Password Method
• Password Caching: Password Cache Expiration
• On Demand Disconnect Timeout
• Require Device Authentication
• Enforce Logon Mode

DNS/Host Settings

• IPV4 Primary Name Server
• IPV4 Secondary Name Server
• IPV6 Primary Name Server
• IPV6 Secondary Name Server
• DNS Default Domain Suffix

Launch Applications

• Display warning before launching applications
• Application list (on iOS, only support launching a single app)