Software Release Date: 05/18/2008
Updated Date: 05/04/2009
This release note documents the 8.0 feature release of the BIG-IP® Secure Access Manager. To review the features introduced in this release, see New features in this release. For information about installing the software, please refer to Installing the software.
Note: F5 now offers both feature releases and maintenance releases. For more information on our release policies, please see Description of the F5 Networks software version number formats.
In addition to these release notes, the following user documentation is relevant to this release.
You can find the product documentation and the solutions database on the BIG-IP Secure Access Manager site.
The minimum system requirements for this release are:
The following supported Linux platforms require workstations with libc version 2 or later, kernel support for PPP interfaces (loadable module or static), and the pppd program in the expected directory (typically /usr/sbin or /usr/bin). As listed in the release notes, F5 Networks qualifies all Linux distributions and supports them if they meet the minimum requirements. Please note that 64-bit Linux clients are not supported.
The supported browsers for remote access through the Secure Access Manager are:
Warning: Make sure you have the latest security patches installed. Otherwise, unexpected errors may occur when you try to install plug-ins.
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
This release supports a variety of antivirus and firewall software. To use antivirus and firewall software inspectors with a pre-logon sequence check, you might need to reactivate your license. To view supported antivirus and firewall software, click one of the following links.
The software comes pre-installed on the factory-shipped units. For more information on installation, refer to the BIG-IP® Secure Access Manager™ Getting Started Guide.
This release includes the following new features.
New TMOS architecture
BIG-IP® Secure Access Manager leverages the unique TMOS™ architecture to offer industry-leading scalability and performance, supporting a maximum of 25,000 concurrent network access users per appliance. Please note that the maximum concurrent user count depends on the configuration of the 4300 platform.
Network Access mode
You can access a broad range of applications, including both client/server and web-based applications using network access. Support for network access includes the following operating systems: Windows® Vista™, Windows® XP™, and Windows® Mobile™ 5 and 6, Linux client OS, and Mac® OS X 10.3, 10.4, and 10.5. Additionally, Secure Access Manager supports common encryption technologies, including RC4, Triple DES, and AES using standard SSL encryption between the client browser and Secure Access Manager.
Single access platform
A single platform will support all your secure access needs, including remote, wireless, and internet LANs. Secure Access Manager is capable of securing the endpoint, the network, and the application by providing and enforcing granular access control, visibility, and auditing at unprecedented levels of performance.
End to end policy definition
The visual policy editor (VPE) provides a unified and powerful tool for the definition and management of access policies. The visual policy editor allows full control over authentication, authorization and resource management. This is a feature unique to F5.
Reporting, logging, monitoring, and troubleshooting tools
Reporting, logging, monitoring, and troubleshooting tools are available to track and monitor events on your Secure Access Manager. For reporting and logging, you can use the logging action in the access policy profile to troubleshoot and find the root cause of end-user failures in endpoint security, authentication, client certificate checks, and many other types of failures. Additionally, you can view daily logon history and current user session variable dumps.
Support for iRules™ is available. You can use iRules to perform sophisticated access control list (ACL) manipulation, for example, by creating a mapping of Active Directory® or RADIUS group attributes to particular ACL names using an iRules TCL array.
Endpoint integrity checks
Endpoint integrity checks grant user access based on the trust level of the client device.
Support for multiple authentication methods
Secure Access Manager supports a wide range of authentication, including AD, LDAP, RADIUS, two-factor authentication such as RSA (using RADIUS), and client certificates.
Secure Access Manager provides the flexibility of combining multiple authentication methods, for example, two-factor plus AD authentication, in any order using the visual policy editor.
Access Control Lists (ACLs)
Secure Access Manager provides advanced access control capabilities with Access Control Lists (ACLs) and Access Control Entries (ACEs) for managing traffic terminated from Secure Connectivity VPN tunnels. Layer 4 access control lists are supported to restrict network access to selected applications based on IP address/subnet and port ranges.
Client integrity checker
This feature ensures compliance with your enterprise security policy to protect against malware on client devices. Additionally, this release provides built-in support for checking over 100 antivirus products and personal firewalls, processes, OS types and OS patch levels, registry entries, files, and client certificates.
Cache cleaner prevents accidental leakage of information, such as temporary files and browsing history, on client devices.
Quick Setup wizard
With the Quick Setup wizard you can configure secure access by providing a quick way to set up all the required elements or attributes together through a series of wizards and screens.
The high availability feature allows traffic processing to continue in the event that a Secure Access Manager system becomes unavailable and fails over to a standby unit. As a result of high availability, users experience no interruption of service.
Secure Access Manager provides a way to remotely manage your Secure Access Manager on the network. The following versions are supported: SNMPv1, SNMPv2c, and SNMPv3.
You can create administrative partitions for local traffic-management objects, such as virtual servers and pools, and then grant BIG-IP system administrators access to individual partitions. User accounts can reside either locally on the BIG-IP system or remotely, on a separate authentication server such as a Lightweight Directory Access Protocol (LDAP), Active Directory, or Remote Authentication Dial-in User Service (RADIUS) server.
Customization of the end-user interface
Administrators can customize the end-user interface and tailor it specifically to the messages they want displayed to users, storing them in any of the supported languages.
Windows logon integration
Users can start a network access connection from the Windows logon prompt, even before they log on to their local computer.
With policy routing, you can direct the network access traffic to different gateways based on the results of access policies.
Enterprise Management support
You can use Enterprise Manager to manage the device and configuration of the 4300 platform. For additional details on setting up and using Enterprise Manager, refer to the following documentation:
You can find the product documentation on the AskF5 Technical Support web site.
The following items are known issues in the current release.
Error Message is displayed incorrectly when entering some characters (CR76798)
When you create an object name for an access policy, network access resource, ACL, lease pool, or resource using any of the characters . * / - : _ ? = @ , &, the system displays the error message Bad Characters. Only the following special characters are allowed: period (.), asterisk (*), forward slash (/), dash (-), colon (:), underscore (_), question mark (?), equals (=), at sign (@), comma (,), ampersand (&), and space. Please ignore the generated error message, since these characters are allowed.
The following rules apply when you enter an object name (with the exception of AAA server name):
Network traffic initiated from server to client is not enforced by ACLs (CR78086)
Access Control Lists (ACLs) are not enforced on network traffic initiated from the server. Use SNAT automap or SNAT pool options in the network access resource if you do not want servers to be able to initiate a connection to any client.
Client loses VPN tunnel connection if Prohibit routing table is enabled (CR84483)
When trying to reconnect to the system, if the options Force all traffic through tunnel and Prohibit routing table changes are both set when you create a network access resource, the VPN tunnel terminates and the client can no longer reconnect. To work around this issue, do not enable the Prohibit routing table changes option if you are going to enable the Force all traffic through tunnel option.
Character length limitation in access policy (CR87823)
You cannot enter more than 35 characters when you create a name for your access policy. Doing so causes an exception error to occur.
Do not use the same IP address for both the self IP and virtual IP addresses (CR87897)
Although the system allows this type of configuration, you should not configure the same IP address for both self IP and virtual IP address.
Double-quote characters are not properly displayed (CR88706)
The end-user interface does not properly escape double-quote characters ("), which causes the user's web browser to display, rather than render, some of the underlying page's HTML. However, while the invalid input is improperly displayed to the user, it is not accepted as input. Some of the screen elements of the Configuration utility in which you may encounter this issue include:
Session timeout change is applied immediately even though the access policy was not activated (CR91896)
After you change the session activity timeout, the changes should take effect only when you activate the access policy. Currently, the system applies your changes immediately, even without performing this operation.
Macro template selection does not work properly on Mac OS X v10.5.1 (CR93567)
From the visual policy editor, if you create a new macro template and attempt to access the template again, the Select button becomes disabled and you can no longer access the template.
Agent deleted through command line interface requires agent type in command (CR93650)
If you use the delete command to delete an agent through the command line interface, you must include the type of the agent as part of your command. For example, to delete a resource assignment agent, type: b agent resource assignment <AGENT_NAME> delete.
Access policy associated with non-default parent profile causes error (CR94283)
If you create an access policy from a parent profile, other than the default "access," the following error is generated: An error has occurred while trying to process your request. To work around this issue, do not associate your access profile with any parent profile other than the default.
Restart APD for changes after modifying DNS servers (CR94967-1)
You must restart APD if the DNS servers were modified. Otherwise, APD does not recognize the new DNS server changes. To ensure that changes take effect, from the command line interface, type bigstart restart.
Euro sign in password causes authentication to fail for administrative-role users (CR95337)
If you create a new user with administrative rights, and the password contains a € (Euro sign), authentication fails unless you remove the Euro sign from the password. To create a new user, in the Main tab of the navigation pane, expand System, and click Users.
Network access resource configuration missing certain parameters generates an error (CR95358)
Although the system allows you to configure a network access resource without defining a LAN address space (the only required setting when split tunneling is enabled), DNS address space, and exclude address space while the Use Split Tunneling for Traffic option is enabled, this configuration is invalid, and the system generates the following error: an error occurred while configuring network access connection.
Standalone client in legacy mode does not work with client certificate agent (CR95411)
With standalone clients using legacy mode, the access policy item should not contain the client certificate item. Instead, the access policy should have the client certificate result item configured with the appropriate request settings for client authentication already configured.
Action caption in the visual policy editor cannot use the word fallback (CR95601)
If you open an access policy through the visual policy editor, and either open an existing action or create a new one, you cannot name the action fallback. The system generates the following error message: Specified Name must begin with an alphabetic character (for example, a or A). The remainder of the name can contain only alphanumeric characters (numbers and letters), the following symbols ( + - _ ( ) [ ] ), and spaces. The workaround is to make sure not to name the action caption Fallback, since it is a reserved word.
On Windows Vista with Firefox, cache cleaner does not work properly for administrative users (CR96706-1)
Cache cleaner does not work for Windows Vista™ users with Firefox when the option Force session termination if the browser or Webtop is closed is disabled. To access this option, select the Browser Cache Cleaner option in the visual policy editor. A workaround is to make sure that this setting in the cache cleaner browser object in the visual policy editor is enabled. An alternative is to use Internet Explorer® with Windows Vista™.
Active Directory query may fail when fetching group entry (CR84820)
The Active Directory® server has a maximum size limit for search operations, which limits the number of entries returned for a search. If the number of qualifying search result entries exceeds the maximum size limit, a size limit exceeded error is returned to the client. A workaround is to increase the maximum size limit of the Active Directory server. You can view the error by navigating to System, selecting Logs, and clicking Access Control.
Microsoft shared network files not accessible through Windows Mobile devices (CR84944-1)
If you use Microsoft Windows Mobile™ devices, you cannot access any shared network files through SSL VPN.
Active Directory authentication fails with specific characters (CR86856)
Active Directory authentication fails if the password contains the € (Euro sign) character.
System reset required after adding a new concurrent user session add-on key (CR87875)
After adding a new concurrent session add-on key, you must restart all services. From the command line interface, type bigstart restart.
Browser add-ons and Internet Explorer (CR88242)
If you have disabled browser add-ons specific to F5 Networks in Internet Explorer®, your users will not be able to connect to Secure Access Manager until the specific browser add-ons are enabled. There is currently no message on the system indicating that this is a requirement.
Standalone mode authentication with non-default port on virtual server (CR90357)
If you configure a non-default port on a virtual server (other than 443), the standalone client fails authentication when trying to connect in legacy logon mode. The user will see the error message: authentication failed. However, authentication will succeed in web logon mode.
Windows standalone client in Advanced Mode and expired terminated sessions (CR92366)
If the administrator either times out or terminates a session, the client closes the network access connection, but the session information does not indicate the connection as disconnected. The workaround is to either ignore the session information or use the Windows standalone client in Simple mode.
Static host feature supported on Windows only (CR93283, CR93929)
For the initial release, the static hosts feature is supported only for the Windows® operating system.
Prohibit routing table feature supported on Windows only (CR93299, CR94014)
The current release supports Prohibit Routing Table feature only for the Windows® operating system.
Compression not supported on Mac or Linux (CR93302, CR95024-1)
On either a Mac® or Linux® system, the compression counter always displays 0%. In the navigation pane, expand Secure Connectivity, and click Network Access. Change the compression setting to GZIP compression, and click Update. Activate your access policy and then connect to the Secure Access Manager. Gzip compression is supported for Windows® only in this release.
Remote administrative users fail authentication with Active Directory and LDAP (CR93832)
When a user is configured with administrative rights, authenticating that user remotely through Active Directory® or LDAP servers fails. The workaround is to use local user accounts.
On Mac OS and Linux, attempting network access through a second browser drops the first connection (CR93922, CR91641)
When using Mac® OS and Linux®, if you have one successful connection established through the VPN tunnel and you attempt to connect through another browser on the same system, the first connection will be dropped, and the second connection will be established successfully. The successful second connection is an error and should not have occurred.
Client proxy feature supported on Windows only (CR94015)
The current release supports client proxy feature only for the Windows® operating system.
'profile access stats reset' command does not work properly (CR94722, CR94723)
The reset command b profile access stats reset does not currently work with or without specifying a profile name.
Load-balancing not supported (CR94698)
Do not attempt to use the load-balancing feature since it is currently not supported in this release.
In standalone mode, the Don't perform component updates option does not work properly (CR94896-1)
The standalone client has an option called Don't perform component updates. If you enable this option, some components are still updated.
Variable assignment action in the visual policy editor does not work (CR96486)
If you use the Configuration utility Network Access screens to enable the option Force all traffic through tunnel for a policy, then overriding the network access property address_space_local_subnets_excluded (Allow local subnet) through the variable assignment agent in the visual policy editor does not work.
Windows Vista users get a logon denied page at first attempt (CR96689)
On Windows Vista™, if you configure an access policy to include Windows Info action, without Installer Service, the user receives a logon denied page on their first attempt to logon.
Firefox may fail on initial installation on Windows Vista (CR96731)
If you are using Windows Vista™, you must run Firefox® with administrative privileges in order to install the plug-ins successfully. To do this, right-click the Firefox® icon and select Run as Administrator to allow Firefox® plug-ins to install the necessary updates.
Firefox browser does not update the InstallerService correctly (CR97426)
If you are using the Firefox® browser to update your InstallerService, it fails. As a workaround, use Internet Explorer® to update your InstallerService instead.
Network access, OneConnect, and Linux clients (CR110278)
On Linux® clients with OneConnect enabled, attempting to re-establish a network access connection by opening a new browser, after initially closing a browser without logging off, will fail. As a workaround, ensure that OneConnect is disabled.
LED status on the 4300 platform (CR120661)
Although the unit is active and licensed, the status LED on the front panel stays amber.
LCD screen on the 4300 platform (CR120662)
Although the unit is active and licensed, the LCD screen displays Initializing, and remains at this state.
For additional information, please visit http://www.f5.com