Applies To:

Show Versions Show Versions

Manual Chapter: Configuring BIG-IP Access Policy Manager
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

The BIG-IP® Access Policy Manager® includes automatic installation support for Windows clients, so you can use the Access Policy Manager for secure remote access. Access Policy Manager downloads components to the end users computer at initial logon. The downloaded client components enable the various features of the Access Policy Manager functionality. This download occurs automatically for those systems that support software installation. For clients that do not support such automatic software installation, you can configure and distribute the BIG-IP® Edge Client®, configured to meet the needs of the client systems you support.
The type of control downloaded differs depending on the users operating system. For proper functionality, the controls require certain conditions:
For Microsoft® Windows®-based computers, the requirements are:
Access policy sessions other than network access tunnels do not require administrative access. All client-side checks and actions, except the Windows group policy action, can be run without administrative rights.
For Apple® Macintosh® (OS X only) and Linux®-based systems, the user must have Superuser authority, or the user must supply the administrative password at the time of initial installation.
The BIG-IP® Edge Client® includes several features that are not available in the web client. These features are especially useful for roaming users; that is, users who take a laptop from one place to another, and wish to remain connected to the corporate or company network as much as possible.
The BIG-IP® Edge Client® provides a location awareness feature. Using location awareness, the client connects automatically only when it is not on a specified network. The administrator specifies the networks that are considered in-network, by adding DNS suffixes to the client installer download package. With a location aware client enabled, a user with a corporate laptop can go from a corporate office, with a secured wireless or wired network connection, to an offsite location with a public wireless network connection, and maintain a seamless connection to allowed corporate resources.
The BIG-IP® Edge Client® provides an automatic reconnection feature. This feature attempts to automatically reconnect the users computer to corporate network resources whenever the client connection is dropped or ended prematurely.
Installing and running a Access Policy Manager® component on Windows-based systems requires certain user rights. Table A.1, following, contains a list of the user plugins, and shows the user rights required to download and install the associated components. Preinstalling components provides seamless upgrade for clients after you upgrade the Access Policy Manager. For information about preinstalling components, see Using the component installer package to preinstall client components.
You can also use the Component Installer feature to provide completely transparent installation and upgrading of components, regardless of what rights under which the user is running. For more information about the Component Installer, see Using the component installer package to preinstall client components.
For client systems that have the components pre-installed using the MSI package, the requirements are the same. In cases in which user rights are insufficient, although the system cannot download the update, the previously installed component still works.
You use connectivity profiles to customize client settings and to create and download client installer packages that include these custom settings. The options and settings in a connectivity profile are client-specific, and not related to the server settings for a secure connection. When you create a connectivity profile, that profile is stored on the BIG-IP system; however, the client settings apply only to connections made through one of the downloaded components.
Note: Compression settings for the client are not configurable. Compression on the client can be enabled or disabled in the network access resource settings for the connection, but the compression levels cannot be configured. The settings in the client profile for compression settings apply only to server-side compression.
You can customize compression settings in a connectivity profile, to enhance client network access tunnel performance. These settings affect how BIG-IP system CPU and memory are utilized. The following settings are supported:
Compression Buffer Size
Specifies the size of the output buffers containing compressed data.
gzip Compression Level
Specifies the degree to which the system compresses the content. Higher compression levels cause the compression process to be slower. The default compression level is 6, which provides a higher amount of compression at the expense of more CPU processing time. You can also select compression level 1, the lowest amount of compression you can select, which requires the least processing time, or 9, the highest level of compression you can select, which requires the most processing time. You can also select Other, then type a number between 1 and 9, or type 0 to disable compression. If you disable compression in the network access resource configuration, compression is disabled regardless of the compression level setting.
gzip Memory Level
Specifies the number of kilobytes of memory that the system uses for internal compression buffers when compressing data. You can select a value between 1 and 256.
gzip Window Size
Specifies the number of kilobytes in the window size that the system uses when compressing data. You can select a value between 1 and 128.
CPU Saver
Specifies, when enabled, that the system monitors the percentage of CPU usage and disables compression automatically when the CPU usage reaches the CPU Saver High Threshold and re-enabled compression when theCPU usage reaches the CPU Saver Low Threshold.
CPU Saver High Threshold
Specifies the percentage of CPU usage at which the system disables compression.
CPU Saver Low Threshold
Specifies the percentage of CPU usage at which the system resumes content compression at the user-defined rates.
1.
On the Main tab of the navigation pane, expand Access Policy, and click Connectivity Profiles.
The Connectivity Profiles list screen opens.
2.
Click Create.
The New Profile screen opens.
3.
In the Name box, type a name for the connectivity profile.
4.
From the Parent Profile list, select a parent profile.
The connectivity profile inherits any custom properties from the parent profile.
5.
To configure compression settings, select the Custom check box next to Compression.
In the connectivity profile, you can define client behavior for the BIG-IP® Edge Client®. The settings you specify are saved in the connectivity profile. You can create different connectivity profiles to provide separate connection properties for users or groups of users. The following options are available.
Virtual Servers
Specifies the servers that you want to define in the client downloads. The servers you add here appear as connection options in the BIG-IP Edge client.
Network Location Awareness
Specifies DNS suffixes that are considered to be "in the local network." DNS suffixes specified here are considered to be local network suffixes, and conform to the rules specified for the local network. When the BIG-IP Edge Client is configured to use the option Auto-Connect, the client connects when the systems DNS suffix is not one defined on this list. When the client DNS suffix does appear on this list, the client automatically disconnects. If you do not specify any DNS suffixes, the option Auto-Connect does not appear in the downloaded client.
Maintain History
Specifies whether the BIG-IP Edge Client maintains a list of recently used Access Policy Manager servers. The BIG-IP Edge Client always lists the servers defined in the connectivity profile, and sorts the list of servers by most recent access, whether this option is selected or not. However, the BIG-IP Edge Client lists user-entered servers only if this option is selected.
Use Windows Logon Credentials
Specifies that the BIG-IP Edge Client attempts to log on using the same credentials that were typed for Windows logon to start the Access Policy Manager session. To use this option, you must include the User Logon Credentials Access Service for Windows in the download package, specified on the Components Download tab, on the BIG-IP Edge Client for Windows link.The User Logon Credential Access Service for Windows stores the users Windows logon and password in an encrypted file that persists for the duration of the Access Policy Manager session.
Enable User Password Caching
Specifies whether the BIG-IP Edge Client can cache the user password, either on the disk or in memory.
Allow user to save encrypted password on disk
When this option is enabled, a Save password checkbox appears on the logon page. If the user selects the Save password checkbox, the users password is encrypted on disk, and cached when the system reboots or when the BIG-IP Edge Client is restarted. This option is only available if the Maintain History option is enabled.
Cache password within application for x minutes
When this option is enabled, the BIG-IP Edge Client caches a users password within the BIG-IP Edge Client application for automatic reconnection purposes. You can specify an expiration time, to indicate how long the cached password should remain valid. A value of 0 means there is no password cache time limit. Even if this option is enabled, the user is required to enter credentials after a server change, a manual client disconnect, or a BIG-IP Edge Client restart.
Automatically update components
Specifies that client components are automatically updated on the client when newer versions are available on the server.
This option applies to updates for the BIG-IP Edge Client, but not to other client components. When updating the other client components, prompts are controlled by your browser security settings, the publisher of the update package and the presence of the F5 Networks Component Installer Service.
Prompt user before installing updates
Specifies that the user is notified and prompted to continue or cancel before a newer version of a client component is installed by the server.
This option applies to updates for the BIG-IP Edge Client, but not to other client components. When updating the other client components, prompts are controlled by your browser security settings, the publisher of the update package and the presence of the F5® Networks Component Installer Service.
Do not perform component updates
Prevents client components from being automatically updated when newer versions appear on the server. This applies to both BIG-IP Edge Client updates, and updates to client components.
Enforce session settings (do not allow users to change session settings)
When this option is enabled, a user cannot change the session settings (history, password caching, and component update settings) when connected to a Access Policy Manager server. If this option is not enabled, the session settings configured in the connectivity profile are not enforced, and current user preferences are used instead.
You can configure client settings for a connectivity profile, and then create a custom client download package that includes the specified connectivity settings.
1.
On the Main tab of the navigation pane, expand Access Policy, and click Connectivity Profiles.
The Connectivity Profiles list screen opens.
3.
Click Client Configuration.
The Client Configuration screen opens.
4.
In the Virtual Servers area, specify the network access servers you want to make available to clients. Type the IP address or domain name of a network access server you want to make available, and click the Add button.
5.
In the DNS Suffixes area, specify the DNS suffixes that define the local network for the client computer. For example, if your users are on the local network, with no secure access connection required, when they are on the domains home.siterequest.com and office.siterequest.net, specify the DNS suffixes siterequest.com and siterequest.net. You can specify DNS suffixes with a wildcard in the first position, for example, *.siterequest.com.
7.
Select whether to Enforce session settings.
Virtual Server
Specifies the virtual server URL to which the Windows Mobile client connects.
Work URL Exceptions List
Specifies URLs that the Windows Mobile client can access through the secure connection. Type URLs or IP addresses in this box. You can use wildcards to specify addresses. For example, *.siterequest.com, files.siterequest.com, 192.168.10.1, and 192.168.* are all valid entries.
You can configure mobile client settings for a connectivity profile, and then create a custom client download package that includes the specified connectivity settings.
1.
On the Main tab of the navigation pane, expand Access Policy, and click Connectivity Profiles.
The Connectivity Profiles list screen opens.
3.
Click Mobile Client Configuration.
The Mobile Client Configuration screen opens.
4.
In the Virtual Server box, specify the Access Policy Manager server you want to make available to mobile clients. Type the IP address or domain name of the Access Policy Manager server.
5.
In the Work URL Exceptions List, specify the URLs of the servers and networks that you want to access through the network connection. The Work URL exception list tells Internet Explorer on Windows Mobile those addresses for which a Network Access connection is required. So, when you type in the address in Internet Explorer, the BIG-IP® Edge Client® will establish the Network Access connection automatically. For example, if your users need a Network Access connection to access internal servers like office.siterequest.com and mail.siterequest.com, specify the work URL exception*.siterequest.com.
Do not specify *.* as a wildcard address. You also should not add an address pattern that matches the virtual server.
Big-IP Edge Client for Windows
Click this link to configure a customized download package with the options you need to govern Windows logon integration and other functionality of the standalone Windows client. In the custom installer package, you can choose packages to install, specify Access Policy Manager servers, and define DNS suffixes that specify whether your computer is on a local network or not. For more information, see Customizing client download packages.
Big-IP Edge Client for Macintosh
Click this link to configure a download package for Macintosh. In the custom installer package, you can choose whether the client launches automatically after user log in. For more information, see Customizing client download packages.
Download the BIG-IP Edge Client for Windows Mobile 5.0 and higher (ARM processor). Click this link to download the BIG-IP® Edge Client® for Windows Mobile 5.0 or later devices with an ARM processor. For more information, see Configuring connectivity profile mobile client settings.
Download the BIG-IP Edge Client for Pocket PC 2003 (ARM processor). Click this link to download the BIG-IP Edge Client for PocketPC 2003 devices with an ARM processor. For more information, see Configuring connectivity profile mobile client settings.
Download the BIG-IP Edge Client for Pocket PC 2003 (x86 processor). Click this link to download the BIG-IP Edge Client for PocketPC 2003 devices with an x86 processor. For more information, see Configuring connectivity profile mobile client settings.
On the Customized Package screen that you access from the BIG-IP Edge Client for Windows or BIG-IP Edge Client for Macintosh link, you can specify features that govern Windows logon integration and functionality of the standalone Windows client, or the autolaunch option for the Macintosh client.
Web BIG-IP Edge Client for Windows
Select this option to download software that a client can use to access the Access Policy Manager from a web browser.
Standalone BIG-IP Edge Client for Windows
Select this option to download a separate application that a client can use to access the Access Policy Manager.
Dialup Entry / Windows Logon Integration
Select this option to download a dialup networking entry for the secure access connection. This dialup networking entry allows users to connect to the secure access connection from the Windows logon prompt, even before they log on to the local computer. One feature this option allows is that a user can authenticate to the corporate network before the user logs on to his computer.
Endpoint Security for Windows
Select this option to download the plugins that do endpoint inspection on a client machine.
Component Installer Service for Windows
Select this option to download an installer service that allows the Access Policy Manager to install components on a client computer even if the client does not have rights to install software. For example, use this to allow a user with limited rights to install from the Access Policy Manager, when typically the user cannot.
DNS Relay Proxy Service for Windows
Select this option to download the DNS relay proxy service to the client. This allows a client system to run the DNS relay proxy service and conform to the Access Policy Managers DNS Relay Proxy Service configuration.
Traffic Control Service for Windows
Select this options to download the traffic control service. This allows a client system to use the traffic control rules defined in the server to govern secure access traffic on the client.
User Logon Credentials Access Service for Window
Select this option to download a service that allows the user to log on with cached Windows credentials. The service allows you to set the session option Use Windows Logon Credentials, which configures sessions to request the Windows logon credentials from the BIG-IP® Edge Client® when the Access Policy Manager session starts. The User Logon Credential Access Service for Windows stores the users Windows logon and password in an encrypted file that persists for the duration of the Access Policy Manager session.
Auto launch BIG-IP Edge Client after Windows Logon (Windows)
and
Auto launch BIG-IP Edge Client after User Log In (Macintosh)
Select this option to start the BIG-IP Edge Client after the user logs on to Windows or the Mac OS.
Add virtual server list to trusted sites
Select this option to add the virtual servers (specified in the Virtual Servers list on the Client Configuration tab) to the Windows Trusted sites list, the first time this client starts. Virtual servers added to the Trusted sites list with this option remain on the trusted sites list indefinitely. This works with the User Logon Credentials Access Service for Windows to provide seamless logon with the BIG-IP Edge Client, if Access Policy Manager accepts the same credentials that your users use to log on to Windows.
1.
On the Main tab of the navigation pane, expand Access Policy, and click Connectivity Profiles.
The Connectivity Profiles List screen opens.
2.
Click the connectivity profile for which you want to download the client.
The Connectivity Profile Properties screen opens.
3.
Click the Components Download tab.
The BIG-IP Edge Client Components screen opens.
4.
Click the BIG-IP Edge Client for Windows or BIG-IP Edge Client for Macintosh link.
The Customized Package screen opens.
The client package you specified is downloaded to your local system. You can install this downloaded package onto client computers, or you can copy the packages to a shared location so that individual users can complete their own installation.
Your security policy may prohibit granting users the power user rights needed to install ActiveX components, or your browser security policy may prohibit downloading active elements. For these reasons, you might prefer to preinstall components on your users Windows systems.
You can use the Components Download screen to download the Component Installer Package containing the Windows components needed for the various Access Policy Manager functions. You can use the Component Installer service to install and upgrade client-side Access Policy Manager components for all kinds of user accounts, regardless of the rights under which the user is working. This component is especially useful for installing and upgrading client-side components when the user has insufficient rights to install or upgrade the components directly. For information about configuring the MSI installer to run with elevated privileges, see the documentation for your operating system.
This is valid only for Windows-based installations. There is no MSI functionality for installing on client systems running other operating systems.
You must use an account that has administrative rights to initially install the Component Installer on the client computer as a part of Client Components Package (MSI). Once installed and running, the Component Installer automatically installs and upgrades client-side Access Policy Manager components. It can also update itself.
The Component Installer requires that the installation or upgrade packages be signed using the F5 Networks certificate or another trusted certificate. By default, F5 Networks signs all components using the F5 Networks certificate.
1.
On the Main tab of the navigation pane, expand Overview, and click Welcome.
The Welcome screen opens.
1.
In the Downloads section, click the Component Installer Package for Windows link to download the MSI installer.
You are prompted to save the installer package BIGIPComponentInstaller.msi.
From the Components Download screen, you can download an installer that enables FullArmor GPAnywhere integration with clients.
1.
On the Main tab of the navigation pane, expand Overview, and click Welcome.
The Welcome screen opens.
1.
In the Downloads section, click the FullArmor GPAnywhere for VPN link to download the MSI installer.
You are prompted to save the installer package GPAnywhere.msi.
The Access Policy Manager includes network access support for remote Macintosh and Linux clients, so you can use Access Policy Manager for secure remote access in mixed-platform environments. As with the Windows platform support, you do not need to preinstall or preconfigure any client software when using Access Policy Manager with Macintosh and Linux systems, if the client systems allow installation of the required browser components. However, you can install the standalone BIG-IP® Edge Client® for Macintosh from the link on the Components Download screen.
All of the primary network access features are supported on Macintosh and Linux clients. Access Policy Manager does not support Drive Mappings, and some client checks, on Macintosh and Linux systems.
For more information about network access and configuring network access features, see the Network Access Configuration Guide.
IP address filtering with connection-based ACLs, giving you the ability to restrict groups of users to specific addresses, ranges of addresses, and ports.
Application launching.
You must configure the starting of remote client applications based on the operating system on the remote computers. You can configure all other features independent of the remote client operating systems. For details, see Configuring the starting of applications on Macintosh or Linux clients.
On MacOS and Linux clients, users or administrators can edit some settings for the logs. In the f5networks.conf located in the VPN install directory, edit the following settings to change the log level. For debugging purposes, set these values to 5.
The launch application feature specifies a client application that starts when the client begins a network access session. You can use this feature when you have remote clients who routinely use network access to connect to an application server, such as a mail server.
1.
In the navigation pane, expand Access Policy and click Network Access.
The Network Access Resources screen opens.
3.
4.
In the Application Path box, type the path of the application.
For example:
For Linux, type /usr/bin/mozilla.
5.
In the Parameters box, type any parameters you want to include.
For example:
For Macintosh, type
-a /Applications/ie.app http://www.f5.com.
For Linux, type http://www.f5.com.
6.
From the OS list, select an option.
7.
Click Add to add the configuration.
When remote users with resource assigned make a network access connection, the application you configured starts automatically.
The first time a remote user starts network access, the Access Policy Manager downloads a client component. This client component is designed to be self-installing and self-configuring, but the users browser must have Java enabled on Macintosh systems, or have Mozilla or FireFox to install a plugin on Linux systems.
If the browser does not support this requirement, the Access Policy Manager prompts the user to download the controller client component from the controller and install it manually.
Important: The remote user must have superuser authority, or must be able to supply an administrative password in order to successfully install the network access client.
Both Macintosh and Linux systems must also include PPP support (this is most often the case). When the user runs the network access client and makes a connection for the first time, the client detects the presence of pppd (the point-to-point protocol daemon), and determines whether the user has the necessary permissions to run it. If pppd is not present, or if the user does not have permissions needed to run the daemon, the connection fails.
Note: If you have a firewall enabled on your Linux system, you need to enable access on IP address 127.0.0.1 port 44444.
Users can initiate connections through network access from Windows, Linux, and Macintosh OS X systems, by connecting to the virtual server address using various browsers, or by starting the BIG-IP® Edge Client®. They can also use network access from Windows mobile versions on PDAs.
For a list of browsers that network access supports, see Configuring the starting of applications on Macintosh or Linux clients, and Using Macintosh and Linux clients with Access Policy Manager. For a complete list of the clients that the Access Policy Manager supports, see the most current version of the release notes.
Using the BIG-IP® Edge Client®, users can access their BIG-IP Edge connections without using a web browser. The client gives users seamless access to the network access connection.
Using the BIG-IP® Edge Client®, users can access their BIG-IP Edge Client connections without using a web browser. The client gives users seamless access to the network access connection.
After a user installs the BIG-IP® Edge Client® for Windows or Macintosh, the user starts the client by choosing Start, then All Programs, then BIG-IP Edge Client, or starting the BIG-IP Edge Client app. If the client has not been configured with a list of Access Policy Manager addresses, the user is prompted for an address.
Auto-Connect
Starts a secure access connection as it is needed. This option uses the DNS suffix information defined in the connectivity profile to determine when the computer is on a defined local network. When the computer is not on a defined local network, the secure access connection starts. When the computer is on a local network, the client disconnects, but remains active in the system tray. When you open the disconnected client, the message Disconnected - Lan detected appears in the top pane of the client window, as shown in Figure A.1.
Connect
Starts and maintains a secure access connection at all times, regardless of your computers network location.
Disconnect
Stops an active secure access connection, and to prevent the client from connecting again. After you click this option, a secure access connection does not start again until you click one of the previous two options.
In addition, the client can click the Change Server button to change the Access Policy Manager server.
The BIG-IP® Edge Client® provides a simple throughput graph, as well as more extended logging and statistic viewing features.
1.
If the client is minimized to the system tray, click the system tray icon.
The BIG-IP Edge Client screen opens, as shown in Figure A.1.
2.
At the bottom of the client window, click the Show Graph button.
The BIG-IP Edge Client shows a graph of traffic throughput.
1.
If the client is minimized to the system tray, click the system tray icon.
The BIG-IP Edge Client screen opens, as shown in Figure A.1.
2.
At the bottom of the client window, click the View Details button.
The details pop-up screen opens, as shown in the figure, following.
The Details screen provides four tabs that contain information relevant to the operation of the BIG-IP Edge Client. Click each tab to view the information for that feature. The tabs are:
Connection Details - Shows details of the current connection, including status, server, tunnel details, and the amount of traffic sent and received.
Routing Table - Shows the current routing table for the client system.
IP Configuration - Shows the current IP configuration for the client system. The information in this tab is the same information you see when you issue the command ipconfig /all at the Windows command prompt.
Miscellaneous - Shows version information for the client software, the Access Policy Manager servers defined in the client, and the DNS suffixes used for network location awareness.
Access Policy Manager includes a BIG-IP Edge command line client for Linux. You can download and deploy this client to your organizations Linux desktops. This section details download and functional information for the client.
You can download the BIG-IP Edge Linux command line client installer, as a gzipped .TAR file, and distribute it to clients for installation.
On the BIG-IP Access Policy Manager Welcome page, under Downloads, click BIG-IP Edge Command Line Client for Linux, or
in the navigation pane, click Access Policy > Secure Connectivity > Client Downloads, and click BIG-IP Edge Command Line Client for Linux, or
in the navigation pane, click Access Policy > Secure Connectivity > Connectivity Profiles, select a connectivity profile, and click BIG-IP Edge Command Line Client for Linux.
The file linux_cli.tgz is downloaded to a location you choose.
1.
Extract the file linux_cli.tgz.
Two files are extracted to the location you specify.
2.
Run the install script Install.sh, under the root account.
For example, to start a connection to the host vpn.siterequest.com, the command is:
f5fpc --start [arguments]
f5fpc -s [arguments]
Starts a VPN connection. Required the --host or -t argument at a minimum.
--host [https://]hostname[:port]
-t [https://]hostname[:port]
--user username
-u username
--password password
-p username
--userhex hex-encoded-username
-U hex-encoded-username
--passwordhex hex-encoded-password
-P hex-encoded-password
Hex value
Shell value
An uknown session ID was encountered. The user should reconnect to the server
F5 Access Policy Manager provides a client troubleshooting utility. Clients can use the troubleshooting utility on Windows systems to check the availability and version information for Windows client components, and to run Network Access diagnostic tests.
1.
On the Main tab of the navigation pane, expand Overview, and click Welcome.
The Welcome screen opens.
2.
In the Downloads section, click the Client Troubleshooting Utility for Windows link.
3.
Save the file f5wininfo.exe.
You can distribute this file to your secure access users for local client troubleshooting.
1.
On a client system, double-click the file f5wininfo.exe to start the client troubleshooting utility.
The F5 BIG-IP Edge Components Troubleshooting window opens.
2.
Explore the component categories.
To see an overview of a category, click on the category label (for example, Endpoint Security). To see the particular components installed for a category, click the plus symbol to expand the category.
1.
On a client system, double-click the file f5wininfo.exe to start the client troubleshooting utility.
The F5 BIG-IP Edge Components Troubleshooting window opens.
2.
From the File menu, select Generate Report.
The Reports dialog appears.
3.
Select the type of report to generate.
Select the F5 Network check box to generate a report of F5 networking components installed. Select the Network Access Diagnostic check box to generate a report of the Network Access diagnostics. Select the MS Remote Access Diagnostic Report or MS System Information Report check boxes to generate reports from these Microsoft internal components.
4.
Select the format for the report.
Select html to generate the report formatted as an html file, with links and basic formatiing. Select text to generate the report as plain text.
6.
Click the Save As button to save the resulting report as an html file or a text file on the file system.
To view the results without saving the report, click View.
1.
On a client system, double-click the file f5wininfo.exe to start the client troubleshooting utility.
The F5BIG-IP Edge Components Troubleshooting window opens.
2.
From the Tools menu, select Network Access Diagnostics.
The Network Access Diagnostics window opens, and Network Access tests are run.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)