
Archived Manual Chapter: Using the Secure Access Client

This article has been archived, and is no longer maintained.

The BIG-IP® Secure Access Manager downloads components to the end user's computer at initial logon. The downloaded client components enable the various features of the Secure Access Manager functionality. This download occurs automatically for those systems that support software installation. For clients that do not support such automatic software installation, you can configure and distribute a secure access client package, configured to meet the needs of the client systems you support.
The type of control downloaded differs depending on the user's operating system. For proper functionality, the controls require certain conditions:
For Microsoft® Windows®-based computers, the requirements are:
For Apple® Macintosh® (OS X only) and Linux®-based systems, the user must have Superuser authority, or the user must supply the administrative password at the time of initial installation.
Secure Access Manager includes automatic installation support for Windows clients, so you can use the Secure Access Manager for secure remote access.
Installing and running a Secure Access Manager component on Windows-based systems requires certain user rights. Table A.1, following, contains a list of the user plugins, and shows the user rights required to download and install the associated components. Preinstalling components provides seamless upgrade for clients after you upgrade the Secure Access Manager. For information about preinstalling components, see Using MSI to preinstall client components.
You can also use the Component Installer feature to provide completely transparent installation and upgrading of components, regardless of the rights under which the user is running. For more information about the Component Installer, see Using the Component Installer service.
For client systems that have the plugins pre-installed using the MSI package, the requirements are the same. In cases in which user rights are insufficient, although the system cannot download the update, the previously installed component still works.
You can use the Component Installer service to provide completely transparent installation and upgrading of components, regardless of the rights under which the user is working. For more information about the Component Installer, see Using the Component Installer service.
For client systems that have the components pre-installed using the MSI package, the requirements are the same. In cases in which user rights are insufficient, although the system cannot download the update, the previously installed component still works.
Your security policy may prohibit granting users the power user rights needed to install ActiveX components, or your browser security policy may prohibit downloading active elements. For these reasons, you might prefer to preinstall components on your users' Windows systems.
You can use the BIG-IP Secure Access Manager Welcome screen to configure and download a Microsoft Installer Package (MSI) containing the Windows controls needed for the various Secure Access Manager functions. You can also configure the MSI installer to download a package that runs with elevated privileges so that it can install the components for users with lesser privileges. For information about configuring the MSI installer to run with elevated privileges, see the documentation for your operating system.
This is valid only for Windows-based installations. There is no MSI functionality for installing on client systems running other operating systems.
Client Download Wizard.
Click this link to configure a download package with the options you need to govern Windows logon integration and functionality of the standalone Windows client.
Create a Component Installer Package for Windows.
Download the Secure Access Client for Windows Mobile 5.0 device (ARM processor).
Download the Secure Access Client for Pocket PC 2003 (ARM processor).
Download the Secure Access Client for Pocket PC 2003 (x86 processor).
On the Download Client Components screen that you access from the Client Download Wizard link, you can specify client options that govern Windows logon integration and functionality of the standalone Windows client.
Web Secure Access Client for Windows
Select this option to download software that a client can use to access the Secure Access Manager from a web browser.
Standalone Secure Access Client for Windows
Select this option to download a separate application that a client can use to access the Secure Access Manager.
Dialup Entry / Windows Logon Integration
Select this option to download a dialup networking entry called network access. This dialup networking entry allows users to connect to the network access connection from the Windows logon prompt, even before they log on to the local computer. One feature this option allows is that a user can authenticate to the corporate network before the user logs on to his computer.
Endpoint Security for Windows
Select this option to download the plugins that do endpoint inspection on a client machine.
Component Installer Service for Windows
Select this option to download an installer service that allows the Secure Access Manager to install components on a client computer even if the client does not have rights to install software. For example, use this to allow a user with limited rights to install from the Secure Access Manager, when typically the user cannot.
Servers
Specifies the servers that you want to package in the client downloads. The servers you add here appear as connection options in the client software.
1. On the Main tab of the navigation pane, expand Overview, and click Welcome.
   The Welcome screen opens.
2. Under the Client Components area of the screen, click Client Download Wizard.
   The Download Client Components screen opens.
4. In the Servers area, specify the network access servers you want to make available to clients. Type the IP address or domain name of a network access server you want to make available, and click the Add button.
The client package you specified is downloaded to your local system. You can install this downloaded package onto client computers, or you can copy the packages to a shared location so that individual users can complete their own installation.
You can use the Component Installer service to install and upgrade client-side Secure Access Manager components for all kinds of user accounts, regardless of the rights under which the user is working. This component is especially useful for installing and upgrading client-side components when the user has insufficient rights to install or upgrade the components directly.
You must use an account that has administrative rights to initially install the Component Installer on the client computer as a part of Client Components Package (MSI). Once installed and running, the Component Installer automatically installs and upgrades client-side Secure Access Manager components. It can also update itself.
The Component Installer requires that the installation or upgrade packages be signed using the F5 Networks certificate or another trusted certificate. By default, F5 Networks signs all components using the F5 Networks certificate.
Using the standalone client, users can access your corporate network without using a web browser. The client gives users seamless access to the network access connection.
The Secure Access Manager includes network access support for remote Macintosh and Linux clients, so you can use Secure Access Manager for secure remote access in mixed-platform environments. As with the Windows platform support, you do not need to preinstall or preconfigure any client software when using Secure Access Manager with Macintosh and Linux systems, if the client systems allow installation of the required browser components.
All of the primary network access features are supported on Macintosh and Linux clients. Secure Access Manager does not support Drive Mappings or client checks on Macintosh and Linux systems.
IP address filtering with connection-based ACLs, giving you the ability to restrict groups of users to specific addresses, ranges of addresses, and ports.
Application launching.
You must configure the starting of remote client applications based on the operating system on the remote computers. You can configure all other features independent of the remote client operating systems. For details, see Configuring the starting of applications on Macintosh or Linux clients.
OS X version | Java version
Linux version | Auto install
Debian® 3.1r0
TurboLinux® Desktop 10
The launch application feature specifies a client application that starts when the client begins a network access session. You can use this feature when you have remote clients who routinely use network access to connect to an application server, such as a mail server.
1. In the navigation pane, expand Secure Connectivity and click Network Access.
   The Network Access Resources screen opens.
3.
4. In the Application Path box, type the path of the application.
   For example:
   For Linux, type /usr/bin/mozilla.
5. In the Parameters box, type any parameters you want to include.
   For example:
   For Macintosh, type /Applications/ie.app http://www.f5.com.
   For Linux, type http://www.f5.com.
6. From the OS list, select an option.
7. Click Add to add the configuration.
When remote users with the resource assigned make a network access connection, the application you configured starts automatically.
The first time a remote user starts network access, the Secure Access Manager downloads a client component. This client component is designed to be self-installing and self-configuring, but the user's browser must have Java enabled on Macintosh systems, or the user must have Mozilla or Firefox to install a plugin on Linux systems.
If the browser does not support this requirement, the Secure Access Manager prompts the user to download the controller client component from the controller and install it manually.
Important: The remote user must have superuser authority, or must be able to supply an administrative password in order to successfully install the network access client.
Both Macintosh and Linux systems must also include PPP support (this is most often the case). When the user runs the network access client and makes a connection for the first time, the client detects the presence of pppd (the point-to-point protocol daemon), and determines whether the user has the necessary permissions to run it. If pppd is not present, or if the user does not have permissions needed to run the daemon, the connection fails.
Note: If you have a firewall enabled on your Linux system, you need to enable access on IP address 127.0.0.1 port 44444.
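The pppd check described above can be run ahead of time on a Linux or Macintosh client to predict whether the first connection will fail. The following script is an added example, not part of the F5 client or this manual; the search directories and function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check mirroring the client's pppd test.
# The search directories are assumptions; override them with PPPD_DIRS.
PPPD_DIRS="${PPPD_DIRS:-/usr/sbin /sbin /usr/bin /usr/local/sbin}"

# find_pppd: print the first file named pppd found in the given directories.
find_pppd() {
    for dir in "$@"; do
        if [ -f "$dir/pppd" ]; then
            printf '%s\n' "$dir/pppd"
            return 0
        fi
    done
    return 1
}

# pppd_status: print one of
#   missing        - no pppd binary found (the connection fails)
#   not-executable - found, but the current user cannot run it (fails)
#   ok             - found and executable by the current user
pppd_status() {
    found=$(find_pppd "$@") || { echo missing; return 1; }
    if [ ! -x "$found" ]; then
        echo not-executable
        return 2
    fi
    echo ok
    return 0
}

# report: summarize the result for the account running the script.
report() {
    # PPPD_DIRS is intentionally unquoted so it splits into directories.
    result=$(pppd_status $PPPD_DIRS) || true
    echo "pppd: $result (user: $(id -un))"
}

report
```

Run it as the account that will start the network access client, since the executable test depends on that user's permissions.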
Users can initiate connections through network access from Windows, Linux, and Macintosh OS X systems, by connecting to the virtual server address using various browsers, or by starting the Secure Access client. They can also use network access from Windows mobile versions on PDAs.
For a list of browsers that network access supports, see Using Macintosh clients, and Using Linux clients. For a complete list of the clients that the Secure Access Manager supports, see the most current version of the release notes.
Important: When the user clicks a configured network access link, a small window opens. It must remain open for the entire duration of the network access session. If the user closes the window, it terminates the connection.