The BIG-IP® Access Policy Manager® includes automatic installation support for Windows clients. Access Policy Manager (APM®) downloads components to the end user's computer at initial login. These downloaded client components enable the various Access Policy Manager features.
This download occurs automatically for those systems that support software installation. For clients that do not support automatic software installation, you can configure and distribute the BIG-IP Edge Client®, configured to meet the needs of the client systems you support.
The requirements for automatic installation differ depending on whether the Windows client initiates a session from a browser, or instead starts a network access tunnel.
Access policy sessions other than network access tunnels do not require administrative access. All client-side checks and actions, except the Windows group policy action, can run without administrative rights.
To use the BIG-IP® Edge Client® for Windows, you must configure settings for the BIG-IP Edge Client for Windows in a connectivity profile on Access Policy Manager® (APM). The connectivity profile for Windows includes Win/Mac Edge Client settings including:
The BIG-IP® Edge Client™ provides a location awareness feature. Using location awareness, the client connects automatically only when it is not on a specified network. You can specify the networks that are considered in-network by adding DNS suffixes to the connectivity profile.
Installing and running a BIG-IP® APM® component on Windows-based systems requires certain user rights. Pre-installing components provides a seamless upgrade for clients after you upgrade the BIG-IP® Access Policy Manager®.
You can also use the Component Installer feature to provide completely transparent installation and upgrading of components, regardless of the rights you are running under. Your security policy may prohibit granting users the power-user rights needed to install ActiveX components, or your browser security policy may prohibit downloading active elements. For these reasons, you might prefer to pre-install components on your users' Windows systems.
You can use the Clients Download screen to download the Component Installer Package containing the Windows components needed for the various Access Policy Manager functions. You can use the Component Installer service to install and upgrade client-side Access Policy Manager components for all kinds of user accounts, regardless of the rights under which the user is working.
This component is especially useful for installing and upgrading client-side components when the user has insufficient rights to install or upgrade the components directly. For information about configuring the MSI installer to run with elevated privileges, see the documentation for your operating system. You must use an account that has administrative rights to initially install the Component Installer on the client computer as part of the Client Components Package (MSI). Once installed and running, the Component Installer automatically installs and upgrades client-side Access Policy Manager components. It can also update itself. The Component Installer requires that the installation or upgrade packages be signed using the F5 Networks certificate or another trusted certificate. By default, F5 Networks signs all components using the F5 Networks certificate.
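Because the Component Installer accepts only signed packages, it is worth confirming the signatures yourself before you stage packages for pre-installation. The following PowerShell is an added example, not F5 code or part of the original documentation; the staging folder and the expected signer-subject substring are assumptions to replace with values you have verified.

```powershell
# Added example: check Authenticode signatures on staged APM client packages.
# Assumptions (not from the F5 documentation): the staging folder path and the
# signer-subject substrings below. Replace them with values you have verified.
param(
    [string]   $PackageDir     = 'C:\Staging\APM-Client',   # hypothetical folder
    [string[]] $AllowedSigners = @('F5 Networks')           # assumed subject substrings
)

function Test-PackageSignature {
    param([string] $Path, [string[]] $Signers)

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $cert    = $sig.SignerCertificate
    $subject = if ($cert) { $cert.Subject } else { '' }
    $thumb   = if ($cert) { $cert.Thumbprint } else { '' }

    # 'Valid' means the signature verified and the signer chains to a trusted root.
    $trusted = $sig.Status -eq 'Valid'
    # Also require a signer you expect, not just any trusted publisher.
    $known   = [bool]($Signers | Where-Object { $subject -like "*$_*" })

    [pscustomobject]@{
        File       = Split-Path -Path $Path -Leaf
        Status     = $sig.Status
        Signer     = $subject
        Thumbprint = $thumb
        Accept     = $trusted -and $known
    }
}

$results = @(Get-ChildItem -Path $PackageDir -File -Recurse -Include *.msi, *.exe, *.dll, *.cab |
    ForEach-Object { Test-PackageSignature -Path $_.FullName -Signers $AllowedSigners })

if ($results.Count -eq 0) {
    Write-Warning "No packages found under $PackageDir."
    exit 1
}

$results | Format-Table -AutoSize

# Unsigned, tampered, or unexpectedly signed files all end up here.
$rejected = @($results | Where-Object { -not $_.Accept })
if ($rejected.Count -gt 0) {
    Write-Warning "$($rejected.Count) package(s) failed the signature check; do not deploy them."
    exit 1
}
```

Subject matching is a coarse filter; once you have confirmed a known-good package, comparing the reported thumbprint against that recorded value is a stricter check.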
This table lists user rights required to use endpoint security components on Windows clients from a network access tunnel.
| Access Policy Manager plugin | Guest rights | User rights | Power User rights | Administrator rights |
|---|---|---|---|---|
| Windows File | Not supported | Supported | Supported | Supported |
| Machine Cert | Not supported | Supported | Supported | Supported |
| Windows information | Not supported | Supported | Supported | Supported |
| Windows Process | Not supported | Supported | Supported | Supported |
| Hard Disk Encryption | Supported | Supported | Supported | Supported |
| Windows Cache and Session Control | Supported | Supported | Supported | Supported |
This table lists user rights required on Windows clients to use actions other than endpoint security client checks from a network access tunnel.
| Access Policy Manager component | User rights | Power User rights | Admin rights |
|---|---|---|---|
| Client Cert Inspection | Supported | Supported | Supported |
| On-Demand Cert Auth | Supported | Supported | Supported |
| Active Directory (auth or query) | Supported | Supported | Supported |
| LDAP (auth or query) | Supported | Supported | Supported |
| RADIUS (auth or accounting) | Supported | Supported | Supported |
This download enables the FullArmor GPAnywhere management tool for VPN integration with Windows clients. You can use this tool to create Group Policy templates, which you can then use to apply Group Policy to computers outside of an Active Directory domain. With VPN, you can distribute Group Policy Object templates through SSL VPN.
Access Policy Manager® provides a client troubleshooting utility for BIG-IP® Edge Client® on Windows. Clients can use the client troubleshooting utility on Windows systems to check the availability and version information for Windows client components, and run Network Access diagnostic tests.