Memory: 12 GB or more

All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory.

Memory: 8 GB

The following guidelines apply to the BIG-IP 2000s, 2200s, 3900, 6900 platforms, to the VIPRION B4100 and B4100N platforms, and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)

• No more than three modules should be provisioned together.
• On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
• Note that Global Traffic Manager (GTM) and Link Controller (LC) do not count toward the module-combination limit.

Memory: Less than 8 GB and more than 4 GB

The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category).

• No more than three modules (not including AAM) should be provisioned together.
• Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
• Note that GTM and LC do not count toward the module-combination limit.
• Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).

Memory: 4 GB or less

The following guidelines apply to the BIG-IP 1600 and 3600 platforms, and to VE and vCMP guests provisioned with 4 GB or less of memory.

• No more than two modules may be configured together.
• AAM should not be provisioned, except as Dedicated.

VIPRION and vCMP caching and deduplication requirements

Application Acceleration Manager (AAM) supports the following functionality when configuring vCMP and VIPRION platforms.

• AAM does not support disk-based caching functionality on vCMP platforms. AAM requires memory-based caching when configuring it to run on vCMP platforms.
• AAM supports disk-based caching functionality on VIPRION chassis or blades.
• AAM does not support deduplication functionality on vCMP platforms, or VIPRION chassis or blades.

vCMP memory provisioning calculations

The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory - 3 GB) x (cpus_assigned_to_guest / total_cpus).

As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.

Machine Info action retrieves MAC addresses for Linux and Mac systems

You can now use the Machine Info action (formerly, Windows Machine Info action) to retrieve the first and second network adapter MAC addresses for Linux, Mac, and Windows clients. The Machine Info action can retrieve additional machine information for Windows systems that you could retrieve using the Windows Machine Info action in earlier releases.

Maximized Enterprise Application Delivery Value

Good

Provides intelligent local traffic management for increased operational efficiency and peak network performance of applications.

Better

Good plus enhanced network security, global server load balancing, and advanced application delivery optimization.

Best

Better plus advanced access management and total application security. Delivers the ultimate in security, performance, and availability for your applications and network.

VMware View native proxy

Helps collapse visual desktop infrastructure (VDI) deployments for VMware with consolidated traffic management and authentication with context-based secure access.

Initiating Access Policy from iRules

Recurring endpoint checks

• Allows for post-admission periodic endpoint inspections.
• Reduces the risk of malware infecting endpoints and the network after access is granted.

Always-on and locked client

• Enables BIG-IP Edge Client, once installed, to be always-on and locked.
• Increases security, forcing users to authenticate every time the client is unlocked.

Citrix traffic shaping

• Provides bandwidth control for Citrix ICA traffic.

Local user database support

• Provides a user authentication service for APM.
• Enables APM to enforce user lockout for external AAA servers.

HTML profile

• Supports rule-based patching of HTML, such as content insertion, tag modification/removal, and comment removal.
• Triggers HTML iRule events when matching specific tags or comments defined by rules.
• HTML iRules.

Rewrite profile (URI translation)

Hosted content

• Supports upload of executable files, scripts, text, HTML, CSS files, and image files to APM.
• Enables file-serving of hosted content from a webtop link, or from a portal access link.

Visual policy editor enhancements

• Enables search for action items when adding them.
• Displays action items to add to a policy by category.
• Enables swapping of policy branches.

AD and LDAP group resource assign

• Enables creation of domain user group names in APM to mirror Active Directory and LDAP group names.
• Enables resource assignment to the APM groups.
• Enables resource assignment to a user's session from every group to which the user belongs.

Endpoint security (client-side) check enhancements

• Supports anti-spyware, patch management, peer-to-peer, Windows hard disk encryption, Windows health agent software checks (in addition to antivirus and firewall software checks).

• Enables updates to the supported software through BIG-IP system EPSEC releases.

Microsoft Exchange profile

• New application access configuration screens streamline and simplify BIG-IP system configuration for various Microsoft services.
• Removes requirement for user-configured iRules.

Per client connectivity profiles

Provides new configuration screens that separate configuration items per target operating system for BIG-IP Edge Client customization.

SAML

• Supports Single Logout (SLO) using POST binding.

• Supports encryption for SAML attributes and subject.

Access Policy Sync

You can now synchronize access policies, including the resources used in them, across Sync-Only device groups. Certain resources are by default location-specific. You can choose to create them as-is or resolve them on the target system.

SAML support

You can configure a BIG-IP system as a SAML identity provider (IdP) or as a SAML service provider (SP). You can federate a group of BIG-IP systems with one acting as an IdP and others acting as SPs. APM supports both IdP- and SP-initiated connections depending on the configuration that you choose to implement. APM provides IdP discovery for SP-initiated connections to a BIG-IP system that acts as a SAML SP.

NTLM Authentication from the network edge for Outlook Anywhere clients

Access Policy Manager supports Microsoft Exchange clients that are configured to use NTLM and HTTP Basic protocols independently. Typically, mobile devices use HTTP Basic authentication, while Outlook Anywhere clients can use both NTLM and HTTP Basic authentication. To determine whether a client uses NTLM or HTTP Basic authentication, APM supplies an iRule that makes the determination and enforces the use of one or the other. After a client authenticates with NTLM, APM supports single sign-on with the back-end application or server using Kerberos constrained delegation (KCD).

Native SMS/E-Mail passcode two-factor support

Access Policy Manager supplies an OTP Generate action that generates a one-time, time-sensitive password and an OTP Verify action that verifies that a user entered the correct password before that password expired. The visual policy editor also includes new macro templates:

• AD auth query OTP by email and resources - Template for sending an OTP over email.
• AD query auth OTP by HTTP and resources - Template for sending an OTP using the HTTP Auth agent.

IP Reputation

IP intelligence is a separately licensed feature that you can enable on the BIG-IP system. The IP intelligence database includes IP addresses that might be malicious, categorized according to why they are considered untrustworthy. You can check IP reputation from an access policy with the new IP Reputation action. IP reputation is now also included in APM session reports, and a new report, Bad IP Reputation Sessions, is available.

Access policy macro loops

You can set a Maximum Macro Loop Count for a macro now. If you set it to greater than 1, a Loop branch follows the macro in the access policy; a Loop terminal becomes available for you to choose. A macro exits to the Loop branch after it runs a loop (specified with a Loop terminal) for the maximum number of times without breaking out of the loop.

New action items in access policies

• Date Time - Checks the date or the time to enable time-based access.
• License Check - Enables license-based access. Checks number of remaining licenses against an absolute value or checks the percentage of licenses remaining against a threshold. You can run a license check for access licenses, connectivity licenses, and concurrent users.
• IP Reputation - Checks whether an IP address is good (no reputation) or bad with respect to the IP intelligence database, if you have licensed and enabled it.
• SAML Auth - Authenticates users against an external SAML identity provider when you configure the BIG-IP system as a SAML service provider.
• IP Subnet Match - Checks whether the client IP address matches an IP subnet.
• NTLM Auth Result Check - Checks the result of NTLM authentication.
  Note: Use this action only in conjunction with a configuration specified in the BIG-IP Access Policy Manager Authentication guide.

Other new features

• APM now supports Java-based Application Tunnels on non-Windows endpoints.
• You can configure the Logon page action to add a CAPTCHA to a login page. Access Policy Manager CAPTCHA support is based on the API that the Google reCAPTCHA service provides. You can use any CAPTCHA service with a compatible API.

Secure access features

• Java applet patching

  With Java Applet Patching enabled, BIG-IP APM can patch server-side Java applets in real-time. The clients that run the patched Java applet connect back through the BIG-IP system using SSL in an authenticated APM session. Patched Java applet code is stored in RAM cache, eliminating the need to rewrite every time.

  Note: If the applet contains encrypted JAR files, the BIG-IP system cannot rewrite the applet.
• Java RDP support for Linux, Mac, and Windows

  A Java RDP client now supports Mac, Linux and Windows clients, providing a cross-platform method to access remote desktops using the RDP protocol over a non-L3 tunnel.

• Google Chrome browser support

  BIG-IP APM supports the Google Chrome browser. For the latest supported browser versions, refer to the BIG-IP APM Client Compatibility Matrix.

• Custom parameter fields for terminals

  You can now set custom parameters for remote desktops. These parameters affect the rendering of certain features for both the Citrix and RDP terminal resource types.

• Pool assignment agent

  In the Visual Policy Editor, you can configure a new agent, Pool Assign, which assigns an LTM pool to a session dynamically.

• High availability for Active Directory

  Support for high availability for Active Directory authentication had been added; this includes the ability to define an Active Directory pool.

• Session ID Rotation

  To improve security, part of the session ID is rotated on each response while an access policy is executing.

Manageability and optimization features

• Improved OPSWAT package management

  To scan for antivirus products on the end client, F5 uses a library from OPSWAT. The library provides the administrator with a consistent API to use against various antivirus products. When an antivirus vendor updates their code base and, in response, OPSWAT updates the library, F5 verifies the library and posts a hotfix. This improvement enables you to apply the hotfix to multiple BIG-IP systems more quickly, by uploading the file to a single BIG-IP system manually and then syncing the file to all devices in a device group.

• Form-based SSO improvements

  With BIG-IP APM 11.2, in addition to collecting, caching, and proxying user credentials to multiple backend systems using Kerberos, NTLM, and form-based SSO, there is a second method of achieving form-based SSO. This new form-based client-initiated SSO method works by detecting logon request pages from the client application and then parsing the server response for a logon form. Then APM inserts JavaScript that sets the form’s logon name and password placeholder (or token) to match the user’s and perform auto submit. When the client submits this form, APM replaces the password token with the user’s actual credentials and then submits this to the backend application. If the server returns any errors, the form-based client-initiated SSO mechanism disables SSO for that application to preserve connectivity to that application for other users.

• Mesh Data Deduplication

  A new version of Symmetric Data Deduplication, SDD v3, is optimized for performance in hub and spoke or mesh deployments involving multiple sites.

Usability enhancements

• Captive Portal Detection in Edge Client

  BIG-IP Edge Client now automatically detects whether the user is behind a captive portal, such as those at hotels and airports, and waits until the user completes sign in to the portal.

• Citrix Xenapp server non-default ports

  APM now supports Citrix XenApp server configured with ICA/CGP services on ports other than the default ports (1494 for ICA and 2598 for CGP).

Access Policy Manager Clustering

This release adds support for running Access Policy Manager on a chassis platform and in a virtualized Clustered Multi-Processing (vCMP) environment. Access Policy Manager features work in the same fashion when clustered as not with the following caveat. Upon tunnel reconnect due to a blade going down on a chassis platform, flows inside the tunnel are not preserved; users need to reconnect their applications after an underlying tunnel goes down.

XenApp/XenDesktop Support Enhancements

Other enhancements:

• Provides enhanced support on challenge events in 2-factor authentication when using a Citrix Receiver. Specifically, Access Policy Manager can gracefully handle requests for RSA new PIN codes and AD password expiration.
• Enables the Webtop to display folders of published apps, mapping what has been shown on the XenApp server.
• Provides session reliability support for ICA connections: In case of a network problem between the Citrix client and the XenApp server, the application on XenApp Server continues to run and XenApp server buffers the ICA traffic until the client reconnects. The user’s session does not go into a disconnected state as long as the XenApp Server is buffering data for the user. After the connection is restored, XenApp Server flushes the buffered ICA data to the client and the session continues. Access Policy Manager sits between the Citrix client and the XenApp server and interprets and proxies these ICA communications. This feature improves user experience.
• Supports multi-Stream ICA: BIG-IP Access Policy Manager is first on the market with support for multi-stream ICA. This feature allows for true network-based Quality of Service (QoS) to the ICA/HDX protocol in XenDesktop 5.5 and XenApp 6.5. It is a mechanism to prioritize network traffic, helping to ensure that the most important data gets through the network as quickly as possible.

Windows Credential Manager Integration

Linux standalone client

This client can be downloaded from Access Policy Manager and installed on Linux endpoints. This is a command-line client (unlike the Windows or Mac edge clients) but supports endpoint inspection and auto-updates. It provides a simple CLI interface with commands such as Connect, Disconnect, Auto-connect.

New Packaging

Edge Gateway VEs

• F5-BIG-EGW-VE-200M targets the small enterprise; includes support for 100 concurrent users in the base package; supports 500 maximum concurrent users; limits aggregate throughput to 200Mbps
• F5-BIG-EGW-VE-1G targets the medium enterprise; includes support for 300 concurrent users in the base package; supports 2500 maximum concurrent users; limits throughput to 1Gbps
• F5-BIG-EGW-VE-LAB

APM 1600 standalone: Unlike other Access Policy Manager modules, this platform can be used without Local Traffic Manager. It includes support for 500 concurrent users in the base package.

APM on VIPRIONs: Support for APM on VIPRION is provided as an add-on SKU to the VIPRION chassis. There is one add-APM SKU for each chassis model. The format will be similar to appliance add-APM SKUs, with support for 500 concurrent users (for the entire chassis) in the base package and a maximum limit that assumes a fully populated chassis.

IPv6

With this release Access Policy Manager supports IPv6, enabling connectivity between IPv4 and IPv6 networks. Administrators can configure network access lists per supported IP version, IPV4 or IPV4&IPV6 and then configure lease pools and LAN address spaces for IPv4 only or for both IPv4 and IPv6.

Logging and Reporting

With this release: For logging, both scalability and performance are enhanced. As a result, report performance is also enhanced. For reporting, when configuring a custom report, available report fields are now organized for selection by: user, resources, sessions, and access policy.

Application Tunnels

This release provides application tunnels to a single application on a remote user's desktop without the security risk of opening a full network access tunnel.

Optimized Network Access Tunnels

With this feature, you can layer full network access tunnels with optimized tunnels for Windows clients.

Remote Desktops

This release provides a hosted remote desktop connection, from a specific remote desktop application to the remote user's desktop, without the security risk of opening a full network access tunnel. Remote desktop is supported for Citrix XenApp server and Microsoft RDP clients.

Kerberos Protocol Translation

With this feature, APM is able to authenticate the user with Active Directory, and then receive a Kerberos ticket on the user's behalf, allowing secure access to the Application server and offloading SSL negotiation from the app server. This feature also makes SSL offload for Smart Card authentication possible.

Kerberos Single Sign-On

With this feature, a user can automatically sign onto backend applications and services that are part of a Kerberos realm, for seamless authentication after the user completes an access policy using a supported authentication scheme.

Oracle Access Manager (OAM) integration

With this release, you can design access policies and manage policy-based access services for Oracle applications on an Oracle Access Manager server from one location.

Flash Patching

In Portal Access, HTML-formatted fields in Flash content are patched by the APM rewrite engine. When rendering an application through the Access Policy Manager, the rewrite engine rewrites the Flash content to render links properly.

Dynamic webtops

The dynamic webtop displays a list of network resources, which include applications, network access and remote desktops, available to a user after authentication. The content of the webtop is dynamic in the sense that only resources for which the user is authorized are displayed to the user. The webtop is customizable based on a user’s identity, context, and group membership.

Reporting system

With the new reporting system, you can generate customized, granular reporting for analysis and troubleshooting purposes. You can generate reports based on many parameters, for example, access failures, users, resources accessed, group usage, or geolocation.

Machine info inspection

The machine info client check allows administrators to examine the security posture of a device, including attributes such as MAC address, CPU ID and HDD ID. The access policy can compare information collected by the machine info check to an allowed list of hardware devices or configurations, then add the result to the access policy. This enables the access policy administrator to identify IT-controlled assets.

Client Type inspector

The client type inspector replaces the UI mode inspector, and includes new branches for the BIG-IP Edge Client, iOS, and Android devices.

Dynamic ACLs

BIG-IP Access Policy Manager can load ACLs from an external authentication database (Active Directory, RADIUS, or LDAP) and apply them dynamically. This allows for a single policy per user, no matter which Access Policy Manager the user is connecting to.

Edge Client for MacOS

The optional BIG-IP Edge Client can be delivered by browser or as a standalone application. Its functionality is identical to the Windows version (though Windows provides more client side checks), in a native MacOS interface. The Edge Client for MacOS is supported on Mac 10.5.x and later, and supports 64-bit OSes.

Adaptive Compression

Compression in resources now compresses downstream data to the client using the best available compression codec, based on network conditions and compressibility of the data.

Upgrading from version 10.1.0 (or later) or 11.x

When you upgrade from version 10.1.0 (or later) or 11.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.1.0

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.1.0 software. For details about upgrading to those versions, see the release notes for the associated release.

Automatic firmware upgrades

If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.

Connectivity profiles

When upgrading from 10.x.x to 11.4.x, connectivity profiles are not fully recovered. You can work around the problem using one of these options:

Antivirus and firewall software checks in access policies

If your access policies include custom expressions that rely on session variables created by the antivirus or firewall software checks, after upgrade to 11.4.x, you must configure the antivirus or firewall software checks so that the Store information about client software in session variables property is set to Enabled. (It is disabled by default.)

If the custom expressions include multiple sub-expressions, you might need to edit the expressions.

Citrix client packages

The 11.4.x upgrade script cannot recover any file object with a name that includes space characters. If a Citrix client package file name includes a space, the configuration loads after upgrade, but the Citrix client package file does not function properly. To work around this problem:

1. Outside of APM, name or rename a Citrix client package without spaces in the name.
2. Use the correctly named Citrix client package.
   • To fix the problem before upgrade, replace any improperly named Citrix client package as needed.
   • To fix the problem after upgrade, upload a properly named Citrix client package and select it from the connectivity profiles.

Machine accounts for NTLM front-end authentication

Advanced customization

If you performed any advanced customization of files, you must upgrade these files manually.

Custom reports

Custom reports are lost after upgrade. To work around this issue, export your custom reports before you upgrade and then reimport them after you upgrade.

OAM configuration

When upgrading from version 10.2.x to 11.x with an OAM configuration, upgrade fails. To work around this issue: before you upgrade, delete the OAM configuration; after the upgrade is complete, create a new OAM configuration in version 11.x.

APM Windows group policy configuration

When upgrading from version 10.x.x to 11.x.x with a Windows group policy configuration, upgrade fails. To work around the problem:

1. Save the 10.x.x configuration in a UCS file, such as the _10.X_use_file, using tmsh. For example: tmsh load sys ucs the_10.X_ucs_file
2. Upgrade to 11.x.x without forwarding the configuration.
3. After the upgrade to 11.x.x completes successfully, restore the saved configuration file using tmsh. For example: tmsh load sys ucs the_10.X_ucs_file

Access policies that use session variables

If you are upgrading from 10.x, you might need to update access policies that use session variables. Version 11.x introduces the concept of partitions. A partition is added to an object name. An access policy that compares a session variable against a value would behave differently after upgrade. This example shows the difference in the value of a session variable between these versions.

• Version 10.x - session.ad.MyPolicy_act_active_directory_auth_ag.authresult
• Version 11.x - session.ad./Common/MyPolicy_act_active_directory_auth_ag.authresult

The partition, /Common, is added to the version 11.x object name.

Installing plug-ins for Google Chrome 22 on Mac OS X

Try these methods in the following order.

Safari method

Using the Safari browser, try connecting to the BIG-IP system to see whether the plugins upgrade seamlessly.

Manual plugin removal method

Try each of these steps until you succeed in removing the plugin:

• In Spotlight, type f5 sam inspection host plugin.plugin and drag and drop the plugin that is found to the Trash.
• Using terminal, go to the Internet Plugin-Ins directory using this command: cd "~/Library/Internet Plug-Ins" and remove the inspection host plugin directory rm -rf "f5 sam inspection host plugin.plugin
• In Spotlight, type F5 SSL VPN Plugin.plugin and drag and drop the document that is found to the Trash. (To verify that it is a Plugin-in document before you drag it to the trash, mouse over the document to see whether its type is Plugin-in.)
• Using terminal, go to the Internet Plugin-Ins directory using this command: cd "/Library/Internet Plug-Ins". Then remove the inspection host plugin directory using this command: sudo rm -rf "F5 SSL VPN Plugin.plugin"

Choosing a simpler Network Access popup method

1. Create a full webtop.
2. Assign the webtop in an access policy.
3. Apply the access profile to a virtual server.
4. Select Access Policy > Customization > Advanced .
5. Select Branding.
6. In the Webtop tree, locate the webtop from step 1.
7. Select Full Webtop Popup Window Settings and verify that the Show Table Switch property appears.
8. Select one of the following for the Show Table Switch setting: on (the NA popup screen displays a statistics table) or off (the NA popup screen is small and contains only a status indicator and a Disconnect button).

Upgrade issues

Application access issues

Portal access issues

Client issues

Network access

Admin issues

Authentication and SSO-related issues

Other issues

Documentation Errata

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

• The F5 Networks Technical Support web site: http://www.f5.com/support/
• The AskF5 web site: http://support.f5.com/kb/en-us.html
• The F5 DevCentral web site: http://devcentral.f5.com/
• AskF5 TechNews

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of solutions to help you manage your F5 products more effectively. Whether you want to search the knowledge base periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 TechNews

Weekly HTML TechNews

The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices. To subscribe, click TechNews Subscription, complete the required fields, and click the Subscribe button. You will receive a confirmation. Unsubscribe at any time by clicking the Unsubscribe link at the bottom of the TechNews email.

Periodic plain text TechNews

F5 Networks sends a timely TechNews email any time a product or hotfix is released. (This information is always included in the next weekly HTML TechNews email.) To subscribe, send a blank email to technews-subscribe@lists.f5.com from the email address you are using to subscribe. Unsubscribe by sending a blank email to technews-unsubscribe@lists.f5.com.