AskF5 Knowledge Base
- Home
- Supported Products
- BIG-IP APM / VE
- BIG-IP APM version 11.1.0
Applies To:
Show Versions
Release Note: BIG-IP APM version 11.1.0
Original Publication Date: 05/14/2012
Summary:
This release note documents the version 11.1.0 release of BIG-IP Access Policy Manager.
You can apply the software upgrade to systems running software versions 10.x. For a list of supported platforms, see SOL9412: The BIG-IP release matrix. For information about which platforms support which module combinations, see SOL10288: BIG-IP software and platform support matrix.
Contents:
- User documentation for this release
- New in 11.1.0
- New in 11.0.0
- Supported high availability configuration for Access Policy Manager
- Installation overview
- Installation checklist
- Installing the software
- Post-installation tasks
- Installation tips
- Upgrading from earlier versions
- Fixes in 11.0.0
- Fixes in 11.1.0
- Known issues
- Contacting F5 Networks
- Legal notices
Supported hardware
You can apply the software upgrade to systems running software versions 10.x. For a list of supported platforms, see SOL9412: The BIG-IP release matrix. For information about which platforms support which module combinations, see SOL10288: BIG-IP software and platform support matrix.
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 11.1.0 Documentation page.
New in 11.1.0
Access Policy Manager Clustering
This release adds support for running Access Policy Manager on a chassis platform and in a virtualized Clustered Multi-Processing (vCMP) environment. Access Policy Manager features work in the same fashion when clustered as not with the following caveat. Upon tunnel reconnect due to a blade going down on a chassis platform, flows inside the tunnel are not preserved; users need to reconnect their applications after an underlying tunnel goes down.
XenApp/XenDesktop Support Enhancements
- Eliminating the need for XenApp Services Sites
- Simplifying configuration and number of boxes required
Other enhancements:
- Provides enhanced support on challenge events in 2-factor authentication when using a Citrix Receiver. Specifically, Access Policy Manager can gracefully handle requests for RSA new PIN codes and AD password expiration.
- Enables the Webtop to display folders of published apps, mapping what has been shown on the XenApp server.
- Provides session reliability support for ICA connections: In case of a network problem between the Citrix client and the XenApp server, the application on XenApp Server continues to run and XenApp server buffers the ICA traffic until the client reconnects. The user’s session does not go into a disconnected state as long as the XenApp Server is buffering data for the user. After the connection is restored, XenApp Server flushes the buffered ICA data to the client and the session continues. Access Policy Manager sits between the Citrix client and the XenApp server and interprets and proxies these ICA communications. This feature improves user experience.
- Supports multi-Stream ICA: BIG-IP Access Policy Manager is first on the market with support for multi-stream ICA. This feature allows for true network-based Quality of Service (QoS) to the ICA/HDX protocol in XenDesktop 5.5 and XenApp 6.5. It is a mechanism to prioritize network traffic, helping to ensure that the most important data gets through the network as quickly as possible.
Windows Credential Manager Integration
This feature integrates with the Windows Credential Manager such that when a user hits ctrl-alt-del, the actual Windows boot process is halted so that the Edge Client can establish a network access tunnel before resuming it. This allows admins to configure new Windows machines to force a password expiration the very first time a laptop/workstation is used regardless of whether it is on a local net or remote.Linux standalone client
This client can be downloaded from Access Policy Manager and installed on Linux endpoints. This is a command-line client (unlike the Windows or Mac edge clients) but supports endpoint inspection and auto-updates. It provides a simple CLI interface with commands such as Connect, Disconnect, Auto-connect.
New Packaging
Edge Gateway VEs
- F5-BIG-EGW-VE-200M targets the small enterprise; includes support for 100 concurrent users in the base package; supports 500 maximum concurrent users; limits aggregate throughput to 200Mbps
- F5-BIG-EGW-VE-1G targets the medium enterprise; includes support for 300 concurrent users in the base package; supports 2500 maximum concurrent users; limits throughput to 1Gbps
- F5-BIG-EGW-VE-LAB
APM 1600 standalone: Unlike other Access Policy Manager modules, this platform can be used without Local Traffic Manager. It includes support for 500 concurrent users in the base package.
APM on VIPRIONs: Support for APM on VIPRION is provided as an add-on SKU to the VIPRION chassis. There is one add-APM SKU for each chassis model. The format will be similar to appliance add-APM SKUs, with support for 500 concurrent users (for the entire chassis) in the base package and a maximum limit that assumes a fully populated chassis.
IPv6
With this release Access Policy Manager supports IPv6, enabling connectivity between IPv4 and IPv6 networks. Administrators can configure network access lists per supported IP version, IPV4 or IPV4&IPV6 and then configure lease pools and LAN address spaces for IPv4 only or for both IPv4 and IPv6.
This table provides a summary of IPv6 support for various authentication methods:| Authentication Type | IPv6 Support | Configuration Notes |
|---|---|---|
| AD Auth | Supported |
|
| AD Query | Supported using layered virtuals |
|
| LDAP Auth and Query | Supported via the pool option | Admin needs to use the pool option for using IPv6 with LDAP. |
| RADIUS Auth and Acct | Supported via the pool option | Admin needs to use the pool option for using IPv6 with RADIUS. |
| OCSP | Not supported | |
| CRLDP | Supported via the pool option | Admin needs to use the pool option for using IPv6 with CRLDP. |
| TACACS+ | Supported | TACACS+ server can be configured with IPv6 address. |
| SecurID | Not tested/supported | IPv6 support for SecurID is supported in Authentication Manager 7.1 for Windows 2008. However, this is not tested. |
| Kerberos | Supported | |
| HTTP | Supported | Start URI can be configured with IPv6 address. |
| Access Type | Supported Feature or Client | Caveat |
|---|---|---|
| Network | IPv6 VPN | To use an IPv6 tunnel, both an IPv6 tunnel and an IPv4 tunnel must run to the client system simultaneously. On the server side, configure the network access resource with both IPv4 and IPv6 lease pools and set the supported IP version to IPv4&IPv6. Note: IPv6 VPN is not supported for Android and Windows Mobile.
|
| Android | No IPv6 VPN support. | |
| Linux | Linux and Linux client CLI are supported. | |
|
|
|
| Windows 7 |
|
|
| Windows mobile | No IPv6 VPN support. | |
| Application | Application tunnel | Accessing IPv6 resources with a static application tunnel is not supported. |
| Portal | IPv6 web applications | To support portal access to IPv6 web applications, configure the portal access using either an IPv6 address or a host name. (Host name resolves to both IPv4 and IPv6 addresses.) Note: The DNS configuration on the APM machine includes an option to specify the IP address family preference; this setting controls which address type to use when the hostname configured in the portal access resource resolves to both IPv4 and IPv6 address types. By default, the setting is empty and the default IP address family preference is IPv4. When the hostname resolves to both IPv4 and IPv6 addresses, APM picks the IPv4 address.
To enable IPv6 preference in 11.1 (so that when the hostname resolves to both IPv4 and IPv6 addresses, APM picks the IPv6 address), you must use a tmsh command, as shown here. root@(bigipsys)(cfg-sync Standalone)(Active)(/Common)(tmos.sys.dns)# modify include "options inet6" Warning: Do not use the include option without assistance from the F5 Technical Support team. The system does not validate the commands issued using the include option. If you use this option incorrectly, you put the functionality of the system at risk.
|
Logging and Reporting
With this release: For logging, both scalability and performance are enhanced. As a result, report performance is also enhanced. For reporting, when configuring a custom report, available report fields are now organized for selection by: user, resources, sessions, and access policy.
New in 11.0.0
Application Tunnels
This release provides application tunnels to a single application on a remote user's desktop without the security risk of opening a full network access tunnel.
Optimized Network Access Tunnels
With this feature, you can layer full network access tunnels with optimized tunnels for Windows clients.
Remote Desktops
This release provides a hosted remote desktop connection, from a specific remote desktop application to the remote user's desktop, without the security risk of opening a full network access tunnel. Remote desktop is supported for Citrix XenApp server and Microsoft RDP clients.
Kerberos Protocol Translation
With this feature, APM is able to authenticate the user with Active Directory, and then receive a Kerberos ticket on the user's behalf, allowing secure access to the Application server and offloading SSL negotiation from the app server. This feature also makes SSL offload for Smart Card authentication possible.
Kerberos Single Sign-On
With this feature, a user can automatically sign onto backend applications and services that are part of a Kerberos realm, for seamless authentication after the user completes an access policy using a supported authentication scheme.
Oracle Access Manager (OAM) integration
With this release, you can design access policies and manage policy-based access services for Oracle applications on an Oracle Access Manager server from one location.
Flash Patching
In Portal Access, HTML-formatted fields in Flash content are patched by the APM rewrite engine. When rendering an application through the Access Policy Manager, the rewrite engine rewrites the Flash content to render links properly.
Dynamic webtops
The dynamic webtop displays a list of network resources, which include applications, network access and remote desktops, available to a user after authentication. The content of the webtop is dynamic in the sense that only resources for which the user is authorized are displayed to the user. The webtop is customizable based on a user’s identity, context, and group membership.
Reporting system
With the new reporting system, you can generate customized, granular reporting for analysis and troubleshooting purposes. You can generate reports based on many parameters, for example, access failures, users, resources accessed, group usage, or geolocation.
Machine info inspection
The machine info client check allows administrators to examine the security posture of a device, including attributes such as MAC address, CPU ID and HDD ID. The access policy can compare information collected by the machine info check to an allowed list of hardware devices or configurations, then add the result to the access policy. This enables the access policy administrator to identify IT-controlled assets.
Client Type inspector
The client type inspector replaces the UI mode inspector, and includes new branches for the BIG-IP Edge Client, iOS, and Android devices.
Dynamic ACLs
BIG-IP Access Policy Manager can load ACLs from an external authentication database (Active Directory, RADIUS, or LDAP) and apply them dynamically. This allows for a single policy per user, no matter which Access Policy Manager the user is connecting to.
Edge Client for MacOS
The optional BIG-IP Edge Client can be delivered by browser or as a standalone application. Its functionality is identical to the Windows version (though Windows provides more client side checks), in a native MacOS interface. The Edge Client for MacOS is supported on Mac 10.5.x and later, and supports 64-bit OSes.
Adaptive Compression
Compression in resources now compresses downstream data to the client using the best available compression codec, based on network conditions and compressibility of the data.
Supported high availability configuration for Access Policy Manager
Installation overview
This document lists very basic steps for installing the software. BIG-IP System: Upgrading Active/Standby Systems and BIG-IP System: Upgrading Active-Active Systems contain details and step-by-step instructions for completing an upgrade.
Installation checklist
Before you begin:
- Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
- Ensure that your system is running version 10.0.0 or later and is using the volumes formatting scheme.
- Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
- Configure a management port.
- Set the console and system baud rate to 19200, if it is not already.
- Log on as an administrator using the management port of the system you want to upgrade.
- Boot into an installation location other than the target for the installation.
- Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
- Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
- Turn off mirroring.
- If you are running WAN Optimization Manager, set provisioning to Minimum.
Installing the software
To install the software, use one of the methods described here.
| Install method | Command |
|---|---|
| Format for volumes, migrate source configuration to destination | image2disk --format=volumes <downloaded_filename.iso> |
| Format for volumes, preserve destination configuration (for fully 10.x environments) | image2disk --nomoveconfig --format=volumes <downloaded_filename.iso> |
| Install without formatting (not for first-time 10.x installation) | bigpipe software desired HD.<n.n> version 10.x build <nnnn.n>.iso product BIG-IP |
| Format for partitions (for mixed 9.x and 10.x environments) | image2disk --format=partitions <downloaded_filename.iso> |
| Install from the browser-based Configuration utility | Use the Software Management screens in a web browser. |
Post-installation tasks
This document lists very basic steps for installing the software. BIG-IP System: Upgrading Active/Standby Systems and BIG-IP System: Upgrading Active-Active Systems contain details and step-by-step instructions for completing an upgrade.
- Ensure the system rebooted to the new installation location.
- Log on to the browser-based Configuration utility.
- Run the Setup utility.
- Provision the modules.
- Convert any bigpipe scripts to tmsh. (Version 11.0.0 does not support the bigpipe utility.)
Installation tips
- The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
- You can view a list of the image2disk utility options by running the command image2disk --help.
- You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
- If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.
Upgrading from earlier versions
Your upgrade process differs depending on the version of software you are currently running. Software version 10.x introduced the ability to run multiple modules based on platform. The number and type of modules that can be run simultaneously is strictly enforced through licensing. For more information, see SOL10288: BIG-IP software and platform support matrix.
Upgrading from version 10.x
When you upgrade from version 10.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.
Upgrading from versions earlier than 10.x
You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.x software. For details about upgrading to those versions, see the release notes for the associated release.
Fixes in 11.0.0
The current release includes the fixes and enhancements from previous releases and the fixes that were distributed in SOL12729: Overview of BIG-IP version 10.2.1 HF1, SOL12778: Overview of BIG-IP version 10.2.1 HF2, and SOL12816: Overview of BIG-IP version 10.2.1 HF3.
| ID Number | Description |
|---|---|
| 225512 | Previously, Access Policy Manager clients that started network access tunnels that ended up on different Traffic Management Microkernels (TMMs) could not communicate. Now, such clients can communicate. |
| 225870 | Previously, a rare condition could cause a crash in the system when APM tried to connect or reconnect a network access tunnel. We have corrected this. |
| 226423 | Previously, Access Policy Manager's active sessions graph erroneously reported a maximum value when active sessions existed and a failover event occurred. Now, this issue no longer occurs. |
| 336284 | Previously, network access tunnels on a system that failed over could not restart after the failover because the lease pool was not created. Now the lease pool is created and network access tunnels fail over correctly. |
| 339171 | Previously, when an administrator created a AAA server with the web interface, some legal characters could not be used in the AAA server name. Now the name field accepts all legal characters. |
| 339951 | Previously, Access Policy Manager HTTP 404 Not Found errors could not be configured. Now, the message for these errors is configurable as part of the logout group. |
| 341377 | The following new iRule commands have been introduced to allow the use of multiple SSO profiles and make them selectable based on user-defined criteria:
|
| 344713 | Previously, WebSSO crashed when the HTTP header dictionary was invalidated and refreshed. Now this no longer occurs. |
| 346047 | Previously, the documentation for portal access described a patching method (No patching) that is no longer supported. The patching method is no longer described. |
| 347568 | In portal access, JavaScript rewriting has been enhanced to better handle SVG elements. |
| 348742 | Previously, the Client OS action in Access Policy Manager did not support Microsoft Internet Explorer 9. The Client OS action now supports clients identifying themselves as Internet Explorer 9. |
| 349490 | Previously, when you configured an access policy using HTTP form-based authentication, the username and password were sent to the authentication server in POST variables, even if a username and password were not specified in the server configuration, resulting in authentication failures. Now the username and password are sent only when specified. |
| 351757 | In a previous release, when the admin configured client power management settings in Network Access network properties, those power management settings were ignored by Windows Vista and Windows 7 clients. Now, Windows Vista and Windows 7 clients use the Network Access power management settings. |
| 351895 | Previously, when you created multiple Active Directory AAA servers, or changed the realm on multiple Active Directory server, several default_realm entries were erroneously added to the /etc/krb5.conf configuration file, causing authentication errors. Now, only one default_realm entry is added to the configuration file. |
| 354748 | Previously, when you configured portal access for a backend server with the same host name as the Access Policy Manager virtual server, portal access failed to rewrite some links. Now, portal access rewrites links correctly when the backend web server has the same host name as the virtual server. |
| 358873 | Previously, when a Portal Access connection was made to an SAP Netweaver backend server, some JavaScript Function() calls were not correctly handled, resulting in errors on the client. Now, NetWeaver JavaScript functions are handled correctly by Portal Access. |
| 359330 | Previously, when you configured an Access Policy Manager LTM Access connection with at least one pool member, and source IP persistence or persistent cookies enabled, some connection errors occurred with certain web servers. Now, this configuration works correctly. |
| 359530 | Previously, when a user accessed a SharePoint 2007 site through portal access, the rewrite engine used the wrong parser to patch some URLs incorrectly, causing connection errors and failures. Now, the rewrite engine for SharePoint 2007 sites uses the correct parser. |
| 365107 | Previously, when the Access Policy Manager received an HTTP 100 continue response from a backend server, the system could fail or experience instability. The system no longer fails or becomes unstable in this scenario. |
Fixes in 11.1.0
| ID Number | Description |
|---|---|
| 248018, 354427 | Now, multiple Network Access resources can be assigned to a user session at one time, and displayed on the dynamic webtop. A user can only start one Network Access session, however. |
| 307017 | Network Access tunnels running on Mac now use the client system's proxy settings. |
| 350161 | Upon exit, protected workspace now attempts to clean up the system paging file and RAM to prevent information leaks. |
| 353010 | APM session cookies now support the HttpOnly attribute for certain security settings. This attribute is supported in LTM+APM mode, and cannot be used with client-side endpoint checks. |
| 355549 | Previously the SSO credential mapping agent added unnecessary braces { } around the expression. Now these braces are not added. |
| 360374 | Mac OS X 10.7 is now supported for Network Access connections. |
| 360442 | Network Access now supports two-factor authentication with Windows Logon Integration. This feature added two options for the Network Access client: Enable Full Pre-logon Sequence and Reuse Winlogon Session. |
| 363034 | The Z parameter in the /myvpn request on iOS, Mac and Linux clients previously required a special iRule. Now the Z parameter is supported without an iRule. |
| 363724 | Previously in access policies, the logging agent had to be configured explicitly with "session.client.unique_id. Now, the logging agent "session.client.*" can be configured with the wildcard asterisk, to allow logging of all UUIDs. |
| 364684 | An issue with logout URIs building up on the system was fixed. |
| 364853 | The webtop-type last is no longer listed as a supported option in the command line interface. |
| 364936 | Previously, in some circumstances the Logon Page action could not be customized in the Visual Policy Editor. This is now fixed. |
| 365096 | ACCESS_POLICY_AGENT_EVENT now probperly starts in clientless mode. |
| 365175 | Import of access policies that include objects that were created in the non-common partition now succeeds. |
| 365347 | After the BIG-IP box restarted, in some circumstances, users could not establish new sessions and received TCP RST messages. In /var/log/apm, the following error appeared: Access policy configuration version: configuration-id in use by user session was not found. This issue is now fixed. |
| 365349 | Previously, if an app tunnel was configured with multiple addresses to the same destination but different ports, and the DNS Relay Proxy was not enabled, only the first address/port combination would be reachable. This was corrected by enabling the DNS Relay automatically. |
| 365597 | Previously, custom reports with a very large database could consume up to 40% of the CPU. This issue has been fixed. |
| 365662 | In the Customization tool preview page, macro ending page nodes, which cannot be previewed, have been removed from the preview tree nodes. |
| 365882 | The Installer control setup file that controls all installable components was previously unsigned and caused warning messages on some systems. The setup file is now signed by F5. |
| 365948 | In a protected workspace session, if a webtop was configured with the Minimize to tray option enabled, the webtop was correctly minimized to the system tray, but if the user restored it from the system tray by double clicking, the protected workspace session closed. This has been fixed. |
| 366190 | Access policy inactivity timeouts sometimes failed in a previous version, when the Cache and Session Control action was enabled. Access policy inactivity timeouts now work properly. |
| 367070 | When an access policy manager session was stopped by the system administrator or expired, the Citrix Receiver attempted to reconnect until the window was closed by the user. This has been fixed. |
| 367512 | The administrator is no longer prompted to select the SSL server profile when configuring an LDAP server in direct mode. |
| 367726 | Citrix applications can now be started from the dynamic webtop on Internet Explorer 9. |
| 367850 | Previously, the Network Access status window remained active after a session was terminated by the administrator, or expired due to timeout. This has been fixed. |
| 368488 | All roles above operator can now manage sessions. |
| 369248 | The network access web client now supports proxy autoconfig (PAC) scripts located on HTTP or HTTPS servers, in addition to locally stored PAC files. |
| 369407 | In a previous release, access policies created using the Access Policy Manager wizards did not allow the choice of the dynamic webtop, and labeled the Full Resource Assign action incorrectly. These issues have been fixed. |
Known issues
This release contains the following known issues.
| ID Number | Description |
|---|---|
| 340541 | When a user opens a Microsoft Office document in Windows XP with Office 2010 over a portal access connection to Sharepoint and the client then attempts to save the document using the Save As... command, the document is saved, but an error message appears stating that the document could not be saved. The user can safely ignore this message. |
| 348307 | Additional log messages for troubleshooting when comparing and validating authentication results should be added to the HTTP form-based authentication agent. |
| 352542 | The configuration inside of ACL entry does not support session variables. |
| 354406 | When a virtual server is configured to use a SNAT pool for doing source NAT of the traffic between the virtual and backend servers, if one of the IP addresses used in SNAT pool is self-IP, the access policy doesn't work for the virtual server. |
| 354628 | Uploading a large attachment to attach to an email message could be aborted followed by a 401 response from the server. This can happen when using Portal Access to access Outlook Web App (OWA) 2007 and using NTLM authentication without SSO configured. |
| 355981 | The CRLDP authentication agent binds anonymously to the LDAP server to retrieve CRL files. Option for a strong authentication bind is not supported. |
| 356562 | Custom reports are lost after ugprade. To work around this issue, export your custom reports before you upgrade and then reimport them after you upgrade. |
| 357296 | The HTTP authentication agent should support domain for NTLM; instead, the agent does not use domain information. |
| 360141 | Modifying an SSO Configuration Basic HTTP doesn't trigger an Access Policy update. Modifying the SSO configuration does not cause the Apply Access Policy button to show up on the Admin UI or the visual policy editor. The configuration change takes effect immediately for new sessions established after the change. Old sessions (those that were already created before the configuration change) continue to use the old SSO configuration. |
| 360248 | If two administrators (a1 and a2) simultaneously use the admin UI and one of them (say a1) deletes an image when the other (a2) is in the process of using that image, the entire transaction (set of changes made by a2 in a session before clicking on the Save button) will be aborted and the Save will fail. The user (a2) will need to restart from the last saved change and apply all changes again. |
| 360734 | When previewing pages, the Preview pane does not automatically refresh when the language is switched. To cause the page to refresh in the new language, click an item in the Preview tree pane |
| 360742 | When the logon page is customized in VPE in multiple languages, the images appear broken. To work around the issue, use the customization for customizing logon page. |
| 362200 | When customizing messages, do not use special characters. such as ', ", &, < |
| 362351 | Branch names cannot start with the word "fallback" in VPE . |
| 363188 | No spaces are allowed in aliases for virtual server |
| 363227 | In Access Policy Manager customization, common partition objects are not made read-only for managers of a partition. |
| 363415 | Rewrite will not process links starting with the "tel:" or "mailto:" schemes, so those links might not work when an application is accessed using portal access. |
| 364030 | The Hometab disappears for Domino Web Access (DWA) 8.5 through reverse proxy. The reverse proxy does not understand a DWA 8.5 'Loading' page and thereafter clobbers the home tab. |
| 364257 | When accessing Microsoft Communicator, an error occurs when a user clicks the Home button from the Conversation window (on the Home tab). The error differs depending on the browser:
|
| 365014 | If you upgrade from 10.2.X to 11.1.0 and Access Policy Manager is configured, you might run into this error: 012e0008:3: The requested command (connectivity resource) is invalid To prevent the above error during software upgrade, switchboot back to version 10.2.X and edit the 10.2.X configuration file as explained here.
|
| 365583 | An IPv6 only network access configuration is not supported. The supported versions are IPv4 and IPv4&IPv6. |
| 365646 | When a blade goes down while sessions are running inside of APD on that blade, a later session that accesses the session database can lead to a failure on APD. |
| 365786 | Multiple webgates on a single BIGIP against Oracle Access Manager (OAM) 11g server is not supported; host identifier information is required for support. OAM ASDK 10.1.4.3 cannot fetch the host identifier information from the OAM 11g server; this is a known issue at Oracle support (SR 3-3909003061). |
| 366001 | If a customer has performed any advanced customization, these files will need to be upgraded manually. |
| 366420 | An IPv6 only network access configuration is not supported. The supported versions are IPv4 and IPv4&IPv6. |
| 367434 | Changing Active Directory password over IPv6 is not supported. |
| 367511 | LDAPS does not work when configured from the Access Policy Manager user interface. To work around this problem, use a layered virtual server as specified in http://support.f5.com/kb/en-us/solutions/public/11000/100/sol11199.html?sr=17063750 to configure LDAPS. |
| 367621 | Access Policy Manager does not support IPv6 for communicating with the OCSP responder. Configuring the OCSP URL with an IPv6 address or a hostname that resolves to an IPv6 address will not work. Acess Policy Manager uses OpenSSL BIO APIs to connect to the OCSP responder and these calls do not support IPv6. |
| 367917 | When using portal access to access SharePoint 2010 with Google Chrome, uploading an image via Image Library might fail with a 401 response. |
| 369657 | Help is missing for the confirmation window that gets displayed when you delete an access policy. Instead of help text, this error is displayed: HTTP Status 404 - /tmui/help/en/tmui/accessctrl/profiles/deleteconfirm.jsp. |
| 369714 | Multi-byte languages are not supported with the advanced customization editor. |
| 369780 | When you use the client to access Sharepoint 2010 and upload multiple files (), the Upload Multiple Documents dialogue does not close automatically after upload. This happens when using a combination of:
|
| 369815 | Active Directory authentication module creates incorrect log messages if Kerberos Key Distribution Center (KDC) is not accessible. The messages do not contain a username. |
| 369887 | On a MAC when Japanese language is selected during client component installation, you might see:
|
| 370363 | An HTTP 404 error occurs on downloading a graphics file from the BIG-IP system when logging in to Domino Web Access (DWA) 8.5. This issue does not block DWA functionality. |
| 371015 | On chassis platforms in some scenarios, more than one value is displayed in the Local Time column of the All Sessions report. |
| 371467 | On an HA chassis, users cannot log in if the HA Active node primary blade is rebooted. This occurs only:
|
| 371763 | A confusing error message is displayed when MSRDP is the only resource assigned with full webtop and DNS resolution fails on the MSRDP server hostname. If Application Access Resource type RDP is created with 'Host Name' without also configuring a DNS server, the resource will not be assigned to a user session and will not be displayed on full webtop. To work around this problem, configure a DNS server () on BIG-IP and make sure it is up and running. |
| 372114 | On a chassis-based system after upgrade and first reboot, if Access Policy Manager is configured, end users might very rarely be unable to log in to the virtual server. An access denied screen opens with following message: Access policy configuration has changed on gateway. Please login again to comply with new access policy configuration. To recover from this error, restart the primary blade. To do so, using the UI select and select the Reboot Blade option. |
| 372150 | Logging and Reports chapter of the Configuration Guide for Access Policy Manager 11.l is missing the following update. By default, logs are written to a MySQL database instead of being written to /var/log/apm. If you prefer to log to external syslog servers or to /var/log/apm, you can set a db variable log.access.syslog to enable that behavior. Valid values are enable and disable.
Note: You would need to set the value of log.access.syslog to enable if you were editing syslog-ng.conf to configure external syslog servers.
|
| 372183 | When network access is configured as IPv6&IPv4, a network access connection cannot be established for a Mac configured with an Asian system language. |
| 374781 | When upgrading from version 10.2.x to 11.x with an OAM configuration, upgrade fails. To work around this issue: before you upgrade, delete the OAM configuration; after the upgrade is complete, create a new OAM configuration in 11.x. |
Contacting F5 Networks
| Phone: | (206) 272-6888 |
| Fax: | (206) 272-6802 |
| Web: | http://support.f5.com |
| Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
