Updated Date: 09/28/2011
This release note documents the version 10.1 release of the BIG-IP Access Policy Manager™. To review the features introduced by this release, see New features and fixes in this release. For information about installing the software, refer to Installing the software.
Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 Networks software lifecycle policy, which is available on the AskF5 web site.
In addition to these release notes, the following user documentation is relevant to this release.
The following BIG-IP system documentation is also relevant to this release:
You can find the product documentation and the solutions database on the AskF5 web site.
The minimum system requirements for this release are:
Important: You cannot run this software on a BIG-IP 1500 platform with 768 MB RAM. You must upgrade to 1 GB RAM.
Note: You cannot run this software on a CompactFlash® media drive; you must use the system's hard drive.
You can work with the BIG-IP system Configuration utility using the following browsers:
Note that we recommend that you leave the browser cache options at the default settings, and disable popup blockers and other browser add-ons or plug-ins. For more information on supported browsers, refer to the BIG-IP® Access Policy Manager™ Compatibility Matrix version 10.1.
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
Note: The hardware and software for each unit in a redundant system configuration must match.
This section lists only the very basic steps for installing the BIG-IP software, which includes the WAN Optimization Module. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 Networks recommends that you consult the getting started guide for all installation operations.
If the software is already installed on your hardware platform, refer to the Configuration Guide for BIG-IP® Access Policy Manager™.
The steps in this guide assume that:
Installation consists of the following steps.
After the installation finishes, you must complete the following steps before the system can pass traffic.
Each of these steps is covered in detail in the BIG-IP® Systems: Getting Started Guide, and F5 Networks recommends that you refer to the guide to ensure successful completion of the installation process.
The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
You can check the status of an active installation operation by running the command b software status.
If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.
This release includes the following new features and fixes.
BIG-IP Access Policy Manager evaluation licensing (time-limited) on BIG-IP Local Traffic Manager
In BIG-IP Local Traffic Manager™ v10.1, customers can provision the BIG-IP Access Policy Manager™ evaluation module for a limited period of time to test web application access management.
Module interoperability: BIG-IP Local Traffic Manager and Access Policy Manager
The Access Policy Manager module runs on various TMOS™ platforms: 3600, 3900, 6900, and 8900. This allows interoperability with Local Traffic Manager, which provides web access management and application availability support on BIG-IP systems.
Cluster multi processing with Access Policy Manager
With cluster multiprocessing (CMP) enabled, Access Policy Manager delivers improved performance and scalability. CMP is unique to BIG-IP Local Traffic Manager versions 9.4 and later. CMP creates a separate TMM instance for each processor on the system, which increases performance and accelerates traffic handling because multiple TMM instances handle traffic. When a virtual server is enabled, the CMP feature is automatically enabled. With BIG-IP version 10.0 and later, the following enhancements are available.
CMP remains enabled when running BIG-IP system modules such as Access Policy Manager and Application Security Manager™.
CMP supports the use of all persistence options.
CMP supports the use of read-only global variables within iRules.
The BIG-IP v10.1 release delivers advanced routing capabilities using the Access Policy Manager advanced visual policy editor. Access Policy Manager can dynamically assign a routing policy, which allows you to direct traffic to specific virtual servers or VLANs based upon the policy.
This feature allows administrators to configure system timeouts in a number of ways.
Health check monitor for RADIUS accounting
You can monitor the health of your RADIUS authentication server to stay up to date on any changes, and also to enable high availability.
L7 Access Control List (ACL) for strong access control
With the L7 access control list (ACL), a user is authorized using Layer 4 and Layer 7 ACLs that are dynamically assigned to a session. Both L4 and L7 ACLs can be assigned based on endpoint posture, so that the session acts as a policy enforcement point.
Export and import access policies
With this option, administrators can easily implement existing policies by exporting and importing access policies.
Active Directory support for Microsoft Active Directory
This Active Directory™ support integrates with a wide range of user directory and authentication servers and services, including Microsoft Active Directory, providing you with access enforcement for lookups and nested directories.
Endpoint security customization
Administrators can completely customize the logon page to best suit their existing corporate web portals. You can customize a broad range of options, from simple naming of fields, through CSS style sheets (which describe the look and formatting of page elements), to HTML coding. Administrators can customize the logon page through the Configuration utility, or upload custom pages from the command line interface, for an enhanced user experience.
RSA SecurID support
BIG-IP Access Policy Manager integrates with a wide range of user directory and authentication servers and services, including RSA SecurID, which provides access enforcement. Access Policy Manager supports RSA SecurID natively, enabling a form of two-factor authentication for added security.
Single Sign-on with Credential caching/proxying
With simplified access to web applications, Access Policy Manager makes it easy for users to sign in for all applications because the system caches and proxies the credentials to access backend systems, approved sites, and applications, on behalf of the user.
Rewrite engine: web application access
Access Policy Manager delivers out-of-the-box web application support for accessing the internal applications from outside the corporate network without any client components installed.
AAA server high availability
Access Policy Manager provides support for AAA server high availability. Utilizing TMOS when communicating with authentication servers, Access Policy Manager interacts with the AAA server, such as Microsoft Active Directory, and with databases and directories containing user information.
Landing URI variable support
Access Policy Manager provides centralized L7 (URL and URI-based) access control services. For instance, a landing page URI that is equal to a SharePoint address follows one specific access policy, while a landing page URI that is equal to a corporate application login page follows another access policy.
Access control support
With this support, you can attach an access policy directly to a Local Traffic Manager virtual server for access control.
DNS cache/proxy support
In order to speed up application access, Access Policy Manager offers dynamic server-side and DNS caching for increased web application (reverse proxy) performance and faster page download times.
Dynamic Data Compression support for BIG-IP Edge Client Network Access
With Dynamic Data Compression support for the BIG-IP Edge Client™, Access Policy Manager enables application acceleration with adaptable compression.
Virtual keyboard support
For additional password security, Access Policy Manager offers a virtual keyboard, which enables secure password entry with the mouse instead of the keyboard.
RADIUS accounting support allows user session information to be sent to the RADIUS accounting server using RADIUS accounting start, stop, and interim messages.
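As an added illustration of the accounting exchange described above, and of what a health check monitor for a RADIUS accounting server has to validate, the following Python is example code written for these notes, not part of this release or of F5's software. It encodes RFC 2866 Accounting-Request messages with the Start, Stop and Interim-Update status types, computes the Request Authenticator, and verifies the authenticators on both the server and the monitor side; the shared secret, user name and session values are constructed sample data.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

# Codes and attribute types from RFC 2865 / RFC 2866.
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
ATTR_USER_NAME, ATTR_ACCT_STATUS_TYPE = 1, 40
ATTR_ACCT_SESSION_ID, ATTR_ACCT_SESSION_TIME = 44, 46
ACCT_STATUS = {"Start": 1, "Stop": 2, "Interim-Update": 3}


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length counts the header."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_accounting_request(secret: bytes, identifier: int, status: str, user: str,
                             session_id: str, session_time: Optional[int] = None) -> bytes:
    """Build an Accounting-Request carrying a Start, Stop or Interim-Update status."""
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS[status]))
             + _attr(ATTR_ACCT_SESSION_ID, session_id.encode()))
    if status != "Start":
        # Stop and Interim-Update report how long the session has been up so far.
        if session_time is None:
            raise ValueError("Stop and Interim-Update need session_time")
        attrs += _attr(ATTR_ACCT_SESSION_TIME, struct.pack("!I", session_time))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 section 3: Request Authenticator = MD5 over the packet with the
    # authenticator field zeroed, followed by the shared secret.
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Return {type: value} for the attributes that follow the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def verify_accounting_request(secret: bytes, packet: bytes) -> bool:
    """Server-side check: recompute the Request Authenticator with the shared secret."""
    if len(packet) < 20 or packet[0] != ACCOUNTING_REQUEST:
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def build_accounting_response(secret: bytes, request: bytes) -> bytes:
    """Server's Accounting-Response (no attributes) acknowledging a request."""
    header = struct.pack("!BBH", ACCOUNTING_RESPONSE, request[1], 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret).
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_accounting_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """Client or monitor side: the response must match our request and the secret."""
    if len(response) < 20 or response[0] != ACCOUNTING_RESPONSE or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A monitor built on this would send a Start/Stop pair over UDP and treat a missing or non-verifying Accounting-Response as a failed health check.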
External logon page support
You can leverage this feature to provide an external logon page, or to support a logon page that sends the user's credentials back to Access Policy Manager for network access. Administrators can support an external logon page, collect credentials, and also receive a post back to Access Policy Manager for user access.
Machine certificate support
Access Policy Manager integrates with a wide range of user directory and authentication servers and services including support for machine certificates. Access Policy Manager can check for the presence of a Windows® machine certificate during user logon. Based on the presence of a valid certificate, Access Policy Manager can support access to a broader range of applications. Access Policy Manager can use machine certificates as a form of two-factor authentication, and prohibits all network access for users without a valid certificate.
Protected workspace support and encryption for Access Policy Manager
You can configure Access Policy Manager to automatically switch users of Windows 7 (32-bit), XP™, and Vista™, to a protected workspace that is encrypted for their remote access session. In a protected workspace mode, the user cannot write files to locations outside the protected workspace; the temporary folders and all of their contents are deleted at the end of the session.
BIG-IP Edge Client
BIG-IP Access Policy Manager uses the new BIG-IP Edge Client for Smart Connect client access while roaming. Auto-connect, connect and disconnect, including server and traffic statuses, are provided in the Edge Client simple-mode. A detailed drop-down graph shows traffic output and input, as well as additional details that provide connection status, routing table, IP configurations, and more.
The standalone and browser-based clients are designed so that users can easily view the routing table information by clicking a link or tab.
Client side traffic shaping for Windows
Client side traffic shaping can prioritize traffic from Windows clients to improve operation of bandwidth sensitive applications.
Smart Connect: location awareness
Location awareness determines whether to turn on the VPN based on the zone where a user is located. This is particularly useful while roaming.
If a user loses a VPN connection, the BIG-IP Edge Client automatically reconnects the user to the VPN.
Dynamic profiling for standalone client
Because the BIG-IP Edge Client profiles user traffic dynamically, every time a user connects to a VPN, Access Policy Manager can pull the most recent access details, synchronizing user access.
Mac and Linux endpoint security
Macintosh and Linux checks are supported with an added layer of endpoint inspection that enhances web access management and protects customers from accidental data loss.
Group policy support with Group Policy Anywhere integration
You can use custom templates with the Group Policy Anywhere feature to simplify the creation of group policies for many different groups, allowing access to specific applications. The group policy feature is available from a Group Policy Anywhere integration in Access Policy Manager. The feature and integration provide an exclusive mechanism to apply and enforce group policies on client systems that are not part of the network domain. Access policies, in the form of templates, restrict user authority and access while enforcing compliance with PCI, HIPAA, and GLBA.
Reconnect to domain
When a user in the corporate environment was last connected to a domain, Access Policy Manager reconnects the VPN user to that domain. In particular, upon reconnection, the user receives login scripts, drive mappings, GPO synchronization, a logon to the domain controller, and more.
Windows Mobile package customization
We support and allow customization for Windows® Mobile devices using integration with Windows® Mobile applications.
BIG-IP Edge Client logging
The BIG-IP Edge Client provides a new set of connection details, including client-side standard and extended logging. You can filter the logs for the event types required, such as errors, warnings, or information, for various modules. You can export logs in TXT format and save them for troubleshooting purposes.
BIG-IP Access Policy Dashboard
Administrators can quickly view the BIG-IP Access Policy Dashboard for a real-time understanding of access health. They can view the default template of active sessions, network access throughput, new sessions, and network access connections in an easily viewable pane. Optionally, administrators can create customized views using the Dashboard Windows Chooser, dragging and dropping the types of statistics desired onto the window pane for a fast comprehension of session health.
The following items are known issues in the current release.
Character length limitation in access policy (CR87823)
You cannot enter more than 35 characters when you create a name for your access policy. Doing so causes an exception error to occur.
Windows mobile and registry keys (CR99557-1)
Currently, after uninstalling the F5 client software from a Windows® Mobile 5 or 6 device, the registry keys HKEY_LOCAL_MACHINE\ExtModems\'F5 SSL VPN and HKEY_LOCAL_MACHINE\Drivers\BuiltIn\F5SSLVPNCom remain on the device.
Outlook 2003, Cached Exchange Mode, and protected workspace (CR111020)
Currently, when a user uses Outlook 2003 in a protected workspace session, Outlook creates a new storage file for the session. When the user exits, an error message appears, and the user must dismiss the error to close Outlook. When the user restarts Outlook, if Cached Exchange Mode is enabled, any draft emails created in the protected workspace session are restored. If Cached Exchange Mode is not enabled, any draft emails created in the protected workspace session are lost.
Windows error message (CR112627)
Occasionally, when a user attempts to connect with network access, the error "Status: the remote computer did not respond. for further assistance, click more info or search help and support center for this error number" appears. The error message is not helpful; however, this is a Windows® system error.
Windows Vista protected mode with UAC, temp folder, and protected workspace (CR112810)
Currently, if a Vista system has the %temp% variable changed from the default location to another location, and protected mode and UAC are enabled, the system cannot start in protected workspace. To enable protected workspace on such a system, the user must be added to the discretionary ACL for the new %temp% directory location, and granted permission to change permissions.
Network access variable assignment (CR114339, CR129477, CR129492)
Currently, when you attempt to add an access policy variable assign action, configured to assign the network access configuration variable dns, wins, or static_host to an AAA attribute, the variable is not assigned.
Windows Vista and Windows 7 upgrade (CR116914)
Currently, after a client installs all components, then upgrades from Windows® Vista™ to Windows 7®, network access components are not corrected with the upgrade, and the client cannot connect. The client can reinstall all client components to resolve this issue.
Antivirus check, Vista UAC, and trusted sites list (CR119609)
Currently, when a client runs Windows® Vista™ with UAC enabled, the access policy antivirus check item cannot check for database age or engine version for ClamWin antivirus. The client must add the virtual server to the Trusted Sites list in Windows® for this check to work.
RADIUS authentication secret (CR121333)
Currently, if the RADIUS authentication secret is longer than 30 characters, RADIUS authentication fails.
FirePass servers with BIG-IP Edge Client (CR123992)
Currently, when a BIG-IP Edge Client™ user connects to a FirePass controller, and the FirePass policy contains an antivirus check with the option Ask user to scan running process for viruses enabled, the BIG-IP Edge Client™ does not inform the user that their attention is required when the client is minimized to the tray.
BIG-IP Local Traffic Manager and network access wizard (CR127350)
On a BIG-IP Local Traffic Manager system with the BIG-IP Access Policy Manager™ module, when you start the network access wizard, the error "The child access profile (wizard-network-access) must have a valid access policy" is logged; however, the wizard completes successfully.
Download client with Internet Explorer (CR127841)
Currently, when a client downloads the BIG-IP Edge Client for Windows® with the Internet Explorer browser, and attempts to run the installation from the download dialog, the application name is presented as form.exe instead of BIGIPEdgeClient.exe. To see the correct name, save the file first, then start the installation manually.
Active Directory servers and password resets (CR128612)
Currently, when two different Active Directory servers have the same domain name specified, password change operations fail on Active Directory authentication clients.
Outlook 2007 and protected workspace (CR129110)
Currently, Outlook 2007 fails with an error about a corrupt OST file, when the client is using Cached Exchange Mode in the protected workspace. Disable Cached Exchange Mode for clients that must run in protected workspace.
Single Sign-On form-based authentication and Oracle OAM (CR129850-1)
Currently, Single Sign-On with form-based authentication does not authenticate with Oracle OAM.
Application editor role and access policies (CR130064)
Currently, an admin user with the application editor role cannot edit access policies, unless the bigpipe shell option for terminal access is enabled for the user.
Webtop links on Safari (CR130190)
Currently, a user must allow popups in the Safari web browser to use the links on the network access webtop.
Safari browser and required SSL certificate (CR130209)
If the option to require a client certificate is enabled in the client SSL profile for an access policy virtual server, and a user attempts to connect with the Safari web browser, pop-up screens with the message "Safari wants to sign using key PrivateKey in your keychain" are displayed repeatedly during prelogon checks.
Certificates, client ssl profile, and Linux or Mac clients (CR130211, CR130212)
Currently, when the client SSL profile associated with an access policy is configured to require a client certificate, endpoint checks for Mac and Linux systems fail. As a workaround, configure the client SSL profile to request, but not require, a client certificate.
4300 platform (CR130299)
Currently, you cannot provision Access Policy Manager on a 4300 platform.
Network access and Firefox tabs (CR130603)
Currently, if a user starts a network access session in a Firefox tab, and network access is configured to minimize the client to the system tray, the Firefox window with all tabs is minimized to the tray and the other tabs in use are not accessible. As a workaround, users can start network access connections in a separate Firefox window.
Windows group policy templates (CR130670)
In this release, when viewing details for some Windows® group policy templates, the details for some settings cannot be expanded and viewed.
iRule with "/" for URI (CR130741)
Currently, when creating an iRule to match a URI of / and then trigger an ACCESS::disable iRule event, an error is received by the client system when attempting to connect.
RADIUS accounting and web applications session (CR131229)
Currently, when a RADIUS accounting action is used in an access policy with a web applications session and webtop assigned, the STOP message is not received by the RADIUS accounting server when the session ends.
Microsoft SharePoint and web applications (CR131835)
Currently, when a user connects to SharePoint through a web applications connection, some features in SharePoint, including Picture Manager and Explorer View, can become unresponsive.
Firefox, Windows Vista, and web client installation (CR132130)
Currently, if a Windows® Vista™ user attempts to install the web client software in the Firefox browser, and the user did not start Firefox with the Run as administrator option, the client installation fails. As a workaround, the user should right-click the Firefox icon and select Run as administrator to start the application, or preinstall the client components before connecting with Firefox.
On-demand client certificate (CR132180)
Currently, on-demand client certificate authentication is not supported in access policies, although it is described in the documentation and present in the product.
Limited user and FirePass client components (CR132241)
Currently, when a limited user with FirePass version 6.0.2 client components attempts to connect to an Access Policy Manager version 10.1 server that requires endpoint checks, if both the FirePass and Access Policy Manager sessions have the Don't perform component updates option selected, the user is sent to the logout page. This user must be granted administrative rights to connect.
Web applications and large includes (CR132555)
Currently, when a user attempts to connect to a web application session in which the web applications engine must rewrite links in an HTML page that contains <style> or <script> includes containing more than 8K of data, the web application might not be displayed or function correctly.
Hometab and minimal patching (CR132787)
Currently, when a web applications connection is configured for minimal patching, and the hometab is included, the URL box on the hometab can return incorrect URLs. As workarounds, you can configure the hometab to remove the URL box in minimal patching mode, or you can omit the hometab.
Access policy wizards and SecurID authentication (CR132861)
Currently, when you create an access profile with SecurID authentication with the access policy wizard, SecurID authentication fails. As a workaround:
Session database and redundancy systems (CR132976)
There is a high probability that some sessions may be lost or incorrectly shown in the session reports after failover, when you configure the Redundancy State Preference option for BIG-IP running Access Policy Manager.
APM limited mode (APM Lite) (CR133051)
Provisioning displays APM Lite, and you can even set it to Limited. However, you cannot license it, and it is not functional.
For additional information, please visit http://www.f5.com.