Manual Chapter: BIG-IP Edge Client for Windows Installation and Configuration

Applies To:

BIG-IP APM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

About installation choices for BIG-IP Edge Client on Windows

The BIG-IP® Access Policy Manager includes automatic installation support for Windows clients. Access Policy Manager (APM) downloads components to the end user's computer at initial login. These downloaded client components enable the various features of the Access Policy Manager functionality.

This download occurs automatically for those systems that support software installation. For clients that do not support automatic software installation, you can configure and distribute the BIG-IP Edge Client, configured to meet the needs of the client systems you support.

The requirements for automatic installation differ depending on whether the Windows client initiates a session from a browser, or instead starts a network access tunnel.

  • To automatically install a control from a browser session, the controls require certain conditions:
    • The user must have ActiveX enabled if the browser is Internet Explorer.
    • If the browser is not Internet Explorer, the user must allow software installation.
  • If the client starts a network access tunnel, one of the following must be true:
    • The client has Administrator privileges on the client system.
    • The client control is already installed on the system.
    • The Component Installer Package for Windows has been installed on the system.

Access policy sessions other than network access tunnels do not require administrative access. All client-side checks and actions can run without administrative rights.

Overview: Configuring APM for BIG-IP Edge Client for Windows

To use the BIG-IP Edge Client for Windows, you must configure settings for it in a connectivity profile on Access Policy Manager (APM). The connectivity profile for Windows contains Win/Mac Edge Client settings, including:

  • The list of servers to display on the BIG-IP Edge Client
  • DNS settings for location awareness for mobile clients, such as laptops that roam

A Windows client package is attached to the connectivity profile. APM can use it for automatic installation on Windows systems. You can customize the Windows client package. You can also download and distribute it.

About location awareness

The BIG-IP Edge Client provides a location awareness feature. Using location awareness, the client connects automatically only when it is not on a specified network. You can specify the networks that are considered in-network by adding DNS suffixes to the connectivity profile.

Customizing a connectivity profile for BIG-IP Edge Clients for Windows

You must create a connectivity profile before you start this task.
A connectivity profile automatically contains settings for BIG-IP Edge Client for Windows. You update the settings to specify how to handle password caching and component updates, to specify the servers to display on the clients, and to supply DNS names to support location awareness.
  1. On the Main tab, click Access Policy > Secure Connectivity. A list of connectivity profiles displays.
  2. Select the connectivity profile that you want to update and click Edit Profile. The Edit Connectivity Profile popup screen opens and displays General Settings.
  3. From the left pane of the popup screen, select Win/Mac Edge Client. Edge Client action and password caching settings display in the right pane.
  4. Set Edge Client action settings:
    1. Optional: Retain the default (selected) or clear the Save Servers Upon Exit check box. Specifies whether the BIG-IP Edge Client maintains a list of recently used Access Policy Manager servers. The BIG-IP Edge Client always lists the servers defined in the connectivity profile, and sorts the list of servers by most recent access, whether this option is selected or not. However, the BIG-IP Edge Client lists user-entered servers only if this option is selected.
    2. Optional: Select the Reuse Windows Logon Session check box. When selected, the client tries to use the Windows login session for the APM session also. This is cleared by default.
    3. Select the Reuse Windows Logon Credentials check box. When selected, the client tries to use the credentials that were typed for Windows login to start the APM session.
      Note: To use this option, you must also include the User Logon Credentials Access Service in the customized Windows client package for this connectivity profile.
  5. Set password caching settings for enhanced security:
    1. Optional: Select the Allow Password Caching check box. This check box is cleared by default. The remaining settings on the screen become available.
    2. Optional: From the Save Password Method list, select disk or memory. If you select disk, an encrypted password is saved on disk and cached when the system reboots or when the BIG-IP Edge Client is restarted. If you select memory, the BIG-IP Edge Client caches the user's password within the BIG-IP Edge Client application for automatic reconnection purposes. If you select memory, the Password Cache Expiration (minutes) field displays with a default value of 240.
    3. If the Password Cache Expiration (minutes) field displays, retain the default value or type the number of minutes to save the password in memory.
  6. From the Component Update list, select yes (default), no, or prompt. If you select yes, APM updates the BIG-IP Edge Client software automatically on the Windows client when newer versions are available. This option applies to updates for the BIG-IP Edge Client, but not to other client components. When updating the other client components, prompts are controlled by your browser security settings, the publisher of the update package, and the presence of the F5 Networks Component Installer Service.
  7. From the left pane of the popup screen, select Server List. A table displays in the right pane.
  8. Specify the servers that you want defined in the client downloads. The servers you add here appear as connection options in the BIG-IP Edge Client.
    1. Click Add. A table row becomes available for update.
    2. You must type a host name in the Host Name field. Typing an alias in the Alias field is optional.
    3. Click Update. The new row is added at the top of the table.
    4. Continue to add servers, and when you are done, click OK.
  9. From the left pane of the popup screen, select Location DNS List. Location DNS list information is displayed in the right pane.
  10. Specify DNS suffixes that are considered to be in the local network. DNS suffixes specified here conform to the rules specified for the local network. When the BIG-IP Edge Client is configured to use the Auto-Connect option, the client connects when the system's DNS suffix is not one defined on this list. When the client DNS suffix does appear on this list, the client automatically disconnects. If you do not specify any DNS suffixes, the Auto-Connect option does not appear in the downloaded client.
    1. Click Add. An update row becomes available.
    2. Type a name and click Update. The new row displays at the top of the table.
    3. Continue to add DNS names and when you are done, click OK.
  11. Click OK. The popup screen closes, and the Connectivity Profile List displays.
The connectivity profile appears in the list.
To provide functionality with a connectivity profile, you must add the connectivity profile to a virtual server.
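
The Auto-Connect rule from step 10 can be checked against a planned Location DNS List before the profile is rolled out. The following is an added example, not F5 code: it models the documented behavior and reports sites whose DNS suffix would put them on the wrong side of the rule. The function names, the sample suffixes, and the exact, case-insensitive match that ignores a trailing dot are assumptions.

```python
"""Model of the Auto-Connect rule described in step 10 (added example)."""

def normalize(suffix):
    # Assumption: comparison ignores case, surrounding whitespace and a trailing dot.
    return (suffix or "").strip().rstrip(".").lower()

def auto_connect_action(system_suffix, location_dns_list):
    """Return the documented client behavior for one observed DNS suffix."""
    in_network = {normalize(s) for s in location_dns_list if normalize(s)}
    if not in_network:
        # No suffixes configured: Auto-Connect is not offered in the downloaded client.
        return "auto-connect-unavailable"
    if normalize(system_suffix) in in_network:
        return "disconnect"  # suffix is on the list: treated as in-network
    return "connect"         # suffix is not on the list: client connects

def review_rollout(location_dns_list, observations):
    """List sites where the planned list gives a different result than intended."""
    findings = []
    for site, suffix, expect_in_network in observations:
        action = auto_connect_action(suffix, location_dns_list)
        expected = "disconnect" if expect_in_network else "connect"
        if action != expected:
            findings.append((site, suffix, expected, action))
    return findings

# Constructed sample data: a planned list and suffixes seen on client networks.
PLANNED_LIST = ["corp.example.com", "Lab.Example.com."]
OBSERVATIONS = [
    ("HQ wired",      "corp.example.com",   True),
    ("Lab",           "lab.example.com",    True),
    ("Branch office", "branch.example.com", True),   # missing from the list
    ("Home ISP",      "home.example.net",   False),
    ("Hotel Wi-Fi",   "",                   False),  # network hands out no suffix
]

if __name__ == "__main__":
    for site, suffix, expected, action in review_rollout(PLANNED_LIST, OBSERVATIONS):
        print(f"{site}: suffix {suffix!r} expected {expected}, list gives {action}")
```

With the sample data, only the branch office is reported: its suffix is absent from the planned list, so clients there would open a tunnel while already on the internal network.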

Customizing the Windows client package for BIG-IP Edge Client

You must create a connectivity profile before you start this task.
You customize a Windows client package for a connectivity profile to select the components to install, and to specify settings for BIG-IP Edge Client (if you include the component), and for Dialup Settings if you need them.
  1. On the Main tab, click Access Policy > Secure Connectivity. A list of connectivity profiles displays.
  2. Select a connectivity profile.
  3. Click the Customize Package button. The Customize Windows Client Package popup screen displays with Available Components displayed. Most components are selected by default.
  4. Clear the check box for any component that you want to exclude from the package. If you clear the BIG-IP Edge Client check box, BIG-IP Edge Client is no longer available for selection in the left pane. If you clear the Dialup Entry/Windows Logon Integration check box, Dialup Settings is no longer available for selection in the left pane.
  5. Select the User Logon Credentials Access Service check box to include the software service that allows the client to store encrypted Windows logon credentials and use those credentials to log in to Access Policy Manager.
  6. Select the Machine Certificate Checker Service check box to include a service that can check the machine certificate on a client endpoint even when the user does not have admin privilege. Without this service, a user running without admin privilege cannot pass the Machine Cert Auth endpoint security check.
  7. If the BIG-IP Edge Client check box is selected, select BIG-IP Edge Client from the left pane. BIG-IP Edge Client settings display in the right pane.
    1. To add the virtual servers (from the Windows/Mac Edge Client area of the connectivity profile) to the Windows Trusted sites list the first time the client starts, retain selection of the Add virtual server to trusted sites list check box. Otherwise, clear it. Virtual servers added to the Trusted sites list with this option remain on the trusted sites list indefinitely. This works with the User Logon Credentials Access Service setting (available on the Available Components screen) to provide seamless logon with the BIG-IP Edge Client™ if Access Policy Manager accepts the same credentials that users use to log on to Windows.
    2. To automatically start the BIG-IP Edge Client™ after the user logs on to Windows, retain selection of the Auto launch after Windows Logon check box. Otherwise, clear it.
    3. To enable the BIG-IP Edge Client to try to connect to VPN right after the user logs on to Windows and to prohibit the user from disconnecting VPN, select the Enable always connected mode check box. This setting is cleared by default. The user is prevented from accessing the Internet and the local network until a VPN connection is established.
  8. If the Dialup Settings check box is selected on the Available Components pane, select Dialup Settings from the left pane. Dialup Entry / Windows Logon Integration settings display in the right pane.
  9. If you selected Dialup Settings, configure settings in the right pane to specify how you want the user to authenticate with APM.
    Note: Users must always type a username and password to log on to Windows. Subsequently, clients must authenticate to APM.
    User authentication actions, with the settings that produce them and a description:
    • User authentication actions: View the access policy screen. (User name and password fields are prefilled.) Click Logon.
      Settings and description: Select the Enforce Access Policy in Custom Dialer check box and clear the Prompt Username and Password check box. (Runs the access policy.)
    • User authentication actions: View a logon prompt. (User name and password fields are prefilled.) Click Connect.
      Settings and description: Clear the Enforce Access Policy in Custom Dialer check box and select the Prompt Username and Password check box. (Skips the access policy.)
    • User authentication actions: None.
      Settings and description: Clear the Enforce Access Policy in Custom Dialer and Prompt Username and Password check boxes. (Skips the access policy and suppresses the logon prompt. Authenticates the user to APM.)
  10. Click Download. The screen closes and the package, BIGIPEdgeClient.exe, downloads.
The customized package, BIGIPEdgeClient.exe, is downloaded to your client. It is available for you to distribute, if needed. The customized package is downloaded to clients automatically only when the Windows/Mac Edge Client settings in the related connectivity profile allow password caching and component updates.

Downloading the Windows client package for BIG-IP Edge Client

You can download a Windows client package and distribute it to clients whose configuration does not allow an automatic download.
Note: If you have already customized a Windows client package for a connectivity profile, a customized package file, BIGIPEdgeClient.exe, was downloaded to your system. If you cannot find the package, use this procedure.
  1. On the Main tab, click Access Policy > Secure Connectivity. A list of connectivity profiles displays.
  2. Select a connectivity profile.
  3. Click the Customize Package button. The Customize Windows Client Package popup screen displays with Available Components displayed. Most components are selected by default.
  4. Click Download. The screen closes and the package, BIGIPEdgeClient.exe, downloads.
The customized package, BIGIPEdgeClient.exe, is downloaded to your client. It is available for you to distribute, if needed. The customized package is downloaded to clients automatically only when the Windows/Mac Edge Client settings in the related connectivity profile allow password caching and component updates.