Original Publication Date: 10/14/2011
This release note documents the version 10.2.2 release of the Access Policy Manager. To review the features introduced by this release, see New features and fixes in this release. For existing customers, you can apply the software upgrade to systems running versions 10.1 or later. For information about installing the software, refer to Installing the software.
Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to SOL8986: F5 software lifecycle policy.
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 10.2.2 Documentation page.
The minimum system requirements for this release are:
Note: You cannot run this software on a CompactFlash® media drive; you must use the system's hard drive.
You can work with the BIG-IP system Configuration utility using the following browsers:
We recommend that you leave the browser cache options at the default settings, and disable pop-up blockers and other browser add-ons or plug-ins. For more information about supported browsers, refer to the BIG-IP® Access Policy Manager™ Client Compatibility Matrix version 10.2.2.
You can apply the software upgrade to software versions 9.6.x and 10.x on multiple platforms, as defined in SOL10288: BIG-IP software and platform support matrix.
This section lists only the very basic steps for installing the BIG-IP software, which includes the Access Policy Manager Module. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 Networks recommends that you consult the getting started guide for all installation operations.
If the software is already installed on your hardware platform, refer to the Configuration Guide for BIG-IP® Access Policy Manager™ .
The steps in this guide assume that:
Installation consists of the following steps.
After the installation finishes, you must complete the following steps before the system can pass traffic.
Each of these steps is explained in detail in the BIG-IP® Systems: Getting Started Guide, and F5 Networks recommends that you refer to the guide to ensure successful completion of the installation process.
The upgrade process installs the software on the inactive installation location that you specify. This process usually lasts between three and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes; otherwise, type no.
You can check the status of an active installation operation by running the command b software status, or by consulting the status page of the Configuration utility from Systems:Configuration:Device:General.
If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
This release includes the following new features and fixes.
Integration with BIG-IP EdgeClient app for iOS (version 1.0.1)
This release provides integration with the BIG-IP® EdgeClient™ app for iOS devices, which supports secure web proxies and allows apps to auto-launch upon connecting. This release also includes improved user interface design for application access as well as endpoint inspection results (such as UDID, MAC address, and device type and version) that you can use to integrate with an MDM service, perform logging, employ device whitelists and blacklists, and so forth.
Support for automatically launching applications on the BIG-IP Edge Client app for Apple iOS
The ability to launch applications on the iOS device was incorporated into the BIG-IP Edge Client in version 1.0.1.
This version of Access Policy Manager now supports this feature with the BIG-IP Edge Client.
This release includes the following fixes.
Log SNAT message (ID 224724)
Previously, the message Failed to retrieve SNAT from session appeared in /var/log/ltm. This error message appeared when a session was set up successfully, but SNAT had not yet been set up. This issue is resolved in this release.
Network access and default route domain (ID 224851)
In the previous version, when an administrator created a network access resource in a partition with a default route domain that is not 0, DNS, WINS, and other settings failed to work. This issue is resolved.
Windows Group Policy templates (ID 225456)
When Windows Group Policy templates are changed on the Access Policy Manager, the templates now automatically update on a user's web client.
UNIX and network access (ID 340681)
Previously, on UNIX-based clients, when a client connected to a network access tunnel, applications would not start properly. This issue is resolved and applications now start properly.
[Linux] Network Access does not re-establish connection (ID 340757)
In the previous release, if you configured network access and enabled the Force all traffic through tunnel option and then unplugged your Ethernet cable, network access did not re-establish a connection when you re-plugged the cable. This issue is resolved.
Outlook Web Access, Firefox, and form-based authentication (ID 341230)
Previously, when connecting to an Outlook Web Access 2010 server through web applications with Firefox 3.6 and later, authentication intermittently failed. This issue is resolved.
SSO combined with HTTP basic and OAM fails (ID 341351)
In the previous release, if you combined Single-Sign On with an SSO method (such as HTTP basic authentication), and then configured OAM, it failed. This issue is resolved.
Client traffic classifiers and route domains (ID 341413)
Previously, you could not create rules for Client Traffic Classifiers for a non-common partition with route domains. This issue is resolved.
FullArmor GPAnywhere version 3, Client Troubleshooting Utility, and logs (ID 342364)
In previous versions, the Client Troubleshooting Utility did not collect logs for FullArmor GPAnywhere version 3. This issue is resolved.
Mac OS X, Firefox, browser and split tunneling (ID 342298)
Previously, when you configured network access on a Mac OS with split tunneling and an exclude subnet, then removed and reconnected the network cable, data was corrupted. This issue is resolved.
Network access leasepool addresses (ID 342317)
In the previous release, when network access assigned a client an IP address from the leasepool that coincided with the client IP address or client's gateway IP address, the routing table was corrupted and the system could not establish a network access tunnel. This issue is resolved.
OAM server port (ID 342558)
Previously, in the visual policy editor, the OAM access policy item configuration was prepopulated with port numbers that may or may not have applied to the Oracle Access Manager server. This issue is resolved and the default value of 5575, as assigned by the Internet Assigned Numbers Authority (IANA), displays.
Terminated sessions displayed as active in the system (ID 343143)
In previous releases, when a user terminated their session the session continued to display as active on the current sessions screen and an error displayed when you clicked the Sessions Variable link. This issue is resolved.
Web applications and opening documents with Windows Explorer (ID 343281)
Previously, when a user browsed through a web applications connection to a library of documents, then attempted to open a document with the option Actions > Open with Windows Explorer, an empty page or document launched. This issue is resolved.
Web applications and dashboard (ID 343347)
In the previous release, when an administrator viewed the chart of realtime requests for RAMCache in web applications, a flat line displayed instead of the real data. This issue is resolved.
The following items are known issues in the current release:
Download client with Internet Explorer (ID 223132)
Currently, when a client downloads the BIG-IP Edge Client for Windows® with the Internet Explorer browser, and attempts to run the installation from the download dialog, the application name is presented as form.exe instead of BIGIPEdgeClient.exe. To see the correct name, save the file first, then start the installation manually.
Outlook 2007 and Protected Workspace (ID 223343)
In this version, when a user attempts to use Microsoft® Outlook® 2007 from within a protected workspace session, various display and feature problems occur.
Misaligned text in warning message on Mac (ID 224357)
In this version, when a user makes a connection to an Access Policy Manager virtual server that uses a self-signed certificate, on some Mac OS® versions, the warning message appears with misaligned text.
InstallerControl, Internet Explorer 8, and Windows XP (ID 224512)
When a user installs the web client on Internet Explorer 8 on Windows® XP, using the Internet Explorer information bar, the InstallerControl always installs for all users on the machine. This installation is not visible to the user. All other components can be installed either per user or per machine.
Windows Vista protected mode with UAC, temp folder, and protected workspace (ID 222108)
Currently, if a Vista system has the %temp% variable changed from the default location to another location, and protected mode and UAC are enabled, the system cannot start protected workspace. To enable protected workspace on such a system, the user must be added to the discretionary ACL for the new %temp% directory location, and granted permission to change permissions.
Network Access tunnel settings, Mac clients, and static IP addresses (ID 223974)
When the network access administrator configures a network access resource with the settings Allow local subnet and Force all traffic through tunnel, and a Mac OS client changes its static IP address, the network tunnel fails.
Mac OS clients and antivirus database time (ID 225100)
When a Mac OS® client attempts to complete an antivirus check, and the administrator has configured the database age to be two days or less, the client fails the antivirus check, because database age is incorrectly calculated by the Mac OS antivirus component. As a workaround, in the antivirus check, the administrator can set the DB Age Not Older Than (days) box to 3.
Windows error message (ID 306830)
Occasionally, when a user attempts to connect with network access, the error Status: the remote computer did not respond. for further assistance, click more info or search help and support center for this error number appears. The error message is not helpful; however, this is a Windows® system error. The error can be safely ignored.
Windows Vista and Windows 7 upgrade (ID 306872)
Currently, after a client installs all components, then upgrades from Windows® Vista™ to Windows 7®, network access components are not corrected with the upgrade, and the client cannot connect. The client can reinstall all client components to resolve this issue.
Antivirus check, Vista UAC, and trusted sites list (ID 306906)
When a client runs Windows® Vista™ with UAC enabled, the access policy antivirus check item cannot check for database age or engine version for ClamWin antivirus. The client must add the virtual server to the Trusted Sites list in Windows® for this check to work.
Safari browser and required SSL certificate (ID 306989)
If the option to require a client certificate is enabled in the client SSL profile for an access policy virtual server, and a user attempts to connect with the Safari web browser, pop-up screens with the message Safari wants to sign using key PrivateKey in your keychain are displayed repeatedly during prelogon checks. To work around this issue, in the pop-up window, select the Always Allow option for the Safari wants to sign using PrivateKey in your keychain message. Alternatively, you can change the certificate preferences (File > Get Info) and add Safari to the allow list on the Access Control tab.
Certificates, client ssl profile, and Linux or Mac clients (ID 306990, ID 306991)
Currently, when the client ssl profile associated with an access policy is configured to require a client certificate, endpoint checks for Mac and Linux systems fail. As a workaround, configure the client ssl profile to request and not require a client certificate.
Windows group policy templates viewed in Firefox (ID 307004)
When viewing details for some Windows® group policy templates using the Firefox browser, you cannot expand and view the details for some settings.
Limited user and FirePass client components (ID 307028)
When a limited user with FirePass version 6.0.2 client components attempts to connect to an Access Policy Manager version 10.1 server that requires endpoint checks, if both the FirePass and Access Policy Manager sessions have the Don't perform component updates option selected, the user is sent to the logout page. This user must be granted administrative rights to connect.
Localized BIG-IP Edge Client on Mac OS (ID 340406)
The BIG-IP® Edge Client™ for Mac OS systems is not yet localized for all languages.
Firefox 4 plugin installation (ID 341268)
Clients using Firefox 4 cannot install access plugins from a server over an SSL connection if the server certificate is not trusted. The current workaround is to install the plugins from a trusted SSL server using HTTPS, or to install the plugins using HTTP.
BIG-IP Edge Client on Mac OS and user accounts (ID 342129)
Mac OS users cannot install the BIG-IP® Edge Client™ under a User account. The Edge Client install requires Admin account privileges.
Mac Edge client reconnect attempts (ID 354486)
In some situations where the BIG-IP Edge Client for Mac OS should reconnect, the client displays the error Error: VPN disconnected and the client does not reconnect. In this situation, the user can click the Disconnect button in the BIG-IP Edge Client, and then click the Connect or Auto-Connect button again.
Web applications rewrite engine trace functionality (ID 131304)
For this release, the web applications rewrite trace functionality is not yet documented.
Microsoft Office Communicator and web applications (ID 223712)
In this version, during a web applications session, when a user logs out of Microsoft Office Communicator, then attempts to log on again, the logon request fails.
Web Applications with Web Accelerator and Exchange 2003 (ID 226163)
When the administrator configures an Access Policy Manager and Web Accelerator layered virtual server, clients cannot connect to Exchange 2003 through a Web Applications resource.
Outlook 2003, Cached Exchange Mode, and protected workspace (ID 306821)
Currently, when a user uses Outlook 2003 in a protected workspace session, Outlook creates a new storage file for the session. When the user exits, an error message appears, and the user must dismiss the error to close Outlook. When the user restarts Outlook, if Cached Exchange Mode is enabled, any draft emails created in the protected workspace session are restored. If Cached Exchange Mode is not enabled, any draft emails created in the protected workspace session are lost.
Hometab and minimal patching (ID 307031)
When a web applications connection is configured for minimal patching, and the hometab is included, the URL box on the hometab can return incorrect URLs. To work around this issue, configure the hometab to remove the URL box in minimal patching mode. Alternatively, disable the hometab in minimal patching mode.
SharePoint 2007 and Web Applications (ID 343284)
In this version, when a user working with SharePoint 2007 through a web applications connection attempts to create a column in a datasheet, with the options Action > Edit in DataSheet and Settings > Create Column, then clicks Cancel, the web page expires.
Web applications and multiple document upload (ID 343278)
In the current version, if you are running a Citrix application, and do nothing for approximately 15-20 minutes, you may lose connectivity, and your TCP session terminates. To work around this issue, set the idle timeout for your TCP profile. Go to Local Traffic : Profiles : Protocol : TCP.
Web app engine trace (ID 346435)
Currently, when you perform a web app engine trace with Access Policy Manager web applications, the request body and response headers are not logged for the front end or back end.
SharePoint 2007 picture library (ID 354793)
When a user is connected to SharePoint 2007 through Web Applications, and the user attempts to connect to the SharePoint picture library after closing the connection to the library once, an error occurs and the SharePoint Picture Manager application crashes.
[NA][Win] application launch parameters do not support an apostrophe (ID 341439)
If you configure network access and include an apostrophe in the username or password when you configure the variable assignment agent, the command line will fail once it tries to compile the variable assignment agent. To avoid this issue, do not use an apostrophe when specifying the username or password.
BIG-IP Local Traffic Manager and network access wizard (ID 306971)
On a BIG-IP Local Traffic Manager system with the BIG-IP Access Policy Manager™ module, when you start the network access wizard, the error The child access profile (wizard-network-access) must have a valid access policy is logged; however, the wizard completes successfully.
Network access variable assignment (ID 306851, ID 306976, ID 306977)
Currently, when you attempt to add an access policy variable assign action, configured to assign the network access configuration variable dns, wins, or static_host to a AAA attribute, the variable is not assigned.
Network access and Firefox tabs (ID 306999)
Currently, if a user starts a network access session in a Firefox tab, and network access is configured to minimize the client to the system tray, the Firefox window with all tabs is minimized to the tray and the other tabs in use are not accessible. As a workaround, users can start network access connections in a separate Firefox window.
Webtop links on Safari (ID 306987)
Currently, a user must allow popups in the Safari web browser to use the links on the network access webtop.
Network access wizard (ID 346149)
In this version, only BIG-IP Access Policy Manager users with the Admin role can see and run wizards from the Wizard menu.
NTLMv2 and Windows Server 2008 (ID 225149)
In this version, Access Policy Manager single sign-on (SSO) NTLMv2 does not work in Microsoft® Windows® Server® 2008. There is no workaround for this issue in this release.
RADIUS accounting and web applications session (ID 307011)
When a RADIUS accounting action is used in an access policy with a web applications resource and webtop assigned, the RADIUS accounting server does not receive the STOP message when the session ends.
Windows logon credential reuse service (ID 329883)
When a client with Windows® Vista or Windows® 7 is configured to use the Windows credential reuse logon service with the BIG-IP Edge Client™, and the user logs on with the logon format logon@domain (instead of domain\logon), the Windows logon credential reuse service fails to authenticate.
OBRAR protocol with Oracle Access Manager (ID 352167)
Currently, the OBRAR protocol is not supported in APM with Oracle Access Manager (OAM) integration.
Session database and redundancy systems (ID 223951)
There is a high probability that some sessions may be lost or incorrectly shown in the session reports after failover, when you configure the Redundancy State Preference option for BIG-IP running Access Policy Manager.
Oracle OAM service restart (ID 225184)
Currently, when an administrator makes a change to the Oracle OAM server configuration and clicks Update, a warning message appears that the service must restart. However, when the administrator clicks OK, the service does not restart. To force a restart, the administrator can make another change to the server configuration, then change the value back, or from the command line, run the command bigstart restart eam.
Oracle OAM Redirect URL issue (ID 225555)
If the OAM administrator enters a Redirect URL for authentication or authorization failures, for example, and improperly puts a few spaces there (for example, " "), this may cause the OAM module to crash. To work around this, be sure that Redirect URLs are defined within OAM and are configured properly.
Application editor role and access policies (ID 306984)
Currently, an admin user with the application editor role cannot edit access policies, unless the bigpipe shell option for terminal access is enabled for the user.
iRule with "/" for URI (ID 307007)
When you create an iRule to match a URI of / and then trigger an ACCESS::disable iRule event, the client receives a connection error and cannot connect.
Character length limitation in access policy (ID 307077)
You cannot enter more than 35 characters when you create a name for your access policy. Doing so causes an exception error to occur.
SIP and Network Access (ID 342035)
In this version, a client cannot connect to an SIP server through a network access tunnel.
No error message is displayed when a logo has the wrong type of file (ID 342115)
When you upload a logo with the wrong file type from Connectivity Profiles: Client Customization, an error message should display notifying you of this error, but it does not.
[Citrix] Connection lost after prolonged inactivity (ID 342908)
In this version, the Client Troubleshooting Utility does not collect logs for FullArmor GPAnywhere.
Removing accepted languages and the Apply Access Policy link (ID 345915)
After you remove the accepted languages under the Language settings in your access policy and click Update, the Apply Access Policy link does not appear in the upper-left corner of the page. To work around this issue, after changing the language, navigate to your list of access profiles, select the checkbox next to the policy that you just modified, and click Apply Access Policy.
Restoring a backup file and customization (ID 356013)
When you attempt to restore a UCS backup file to a BIG-IP Access Policy Manager using the bigpipe shell command b config install, and the file you are restoring from includes customizations that aren't present on the current system, the customization fails to load and the default customizations are used. As a workaround, you can restore the UCS backup file from the BIG-IP web Configuration utility.
For additional information, please visit http://www.f5.com.