Original Publication Date: 10/14/2011
This release note documents the version 10.2.1 release of the Access Policy Manager. To review the features introduced by this release, see New features and fixes in this release. For existing customers, you can apply the software upgrade to systems running versions 10.1 or later. For information about installing the software, refer to Installing the software.
Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to SOL8986: F5 software lifecycle policy.
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 10.2.1 Documentation page.
The minimum system requirements for this release are:
Note: You cannot run this software on a CompactFlash® media drive; you must use the system's hard drive.
You can work with the BIG-IP system Configuration utility using the following browsers:
We recommend that you leave the browser cache options at the default settings, and disable pop-up blockers and other browser add-ons or plug-ins. For more information about supported browsers, refer to the BIG-IP® Access Policy Manager Client Compatibility Matrix version 10.2.1.
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
Note: The hardware and software for each unit in a redundant system configuration must match.
This section lists only the very basic steps for installing the BIG-IP software, which includes the Access Policy Manager Module. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 Networks recommends that you consult the getting started guide for all installation operations.
If the software is already installed on your hardware platform, refer to the Configuration Guide for BIG-IP® Access Policy Manager.
The steps in this guide assume that:
Installation consists of the following steps.
After the installation finishes, you must complete the following steps before the system can pass traffic.
Each of these steps is explained in detail in the BIG-IP® Systems: Getting Started Guide, and F5 Networks recommends that you refer to the guide to ensure successful completion of the installation process.
The upgrade process installs the software on the inactive installation location that you specify. This process usually lasts between three and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
You can check the status of an active installation operation by running the command b software status, or by consulting the status page of the Configuration utility from Systems:Configuration:Device:General.
If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
This release includes the following new features and fixes.
BIG-IP Access Policy Manager now available on BIG-IP Local Traffic Manager Virtual Edition (VE)
With BIG-IP® Local Traffic Manager Virtual Edition (VE), you can take your application delivery network virtual. You get the agility you need to create a mobile, scalable, and adaptable infrastructure for virtualized applications. With this release, you can license and provision BIG-IP® Access Policy Manager™ on your BIG-IP® Local Traffic Manager™ VE, providing all the benefits of Access Policy Manager™ in a completely virtualized environment.
BIG-IP Access Policy Manager Licensing
Prior to this release, session limits were based on the concurrent user license limit only. With this release, the appliance session limit is displayed on the License page, and is set to the maximum limit for the appliance. In other words, you now have two limits: the concurrent user license count and the appliance session limit. Local application access consumes sessions only, while each remote access connection (network access or portal access) consumes one concurrent user license and one session.
Note: The number of sessions available is specific to the capabilities of the platform, and therefore is unrelated to licensing.
The log file will clearly indicate the number of concurrent users licensed and the maximum number of sessions available. For example:
Oct 12 21:40:19 local/tmm notice tmm: 01490510:5: 00000000: Initializing Access with max global concurrent access session LICENSE limit: 10000
Oct 12 21:40:19 local/tmm notice tmm: 01490523:5: 00000000: Initializing Access with max global concurrent connectivity session LICENSE limit: 500
The License page will indicate the number of concurrent users licensed and the number of maximum sessions allowed. For example:
Access Policy Manager, 500CCU, 2500Access (C5211092-4187358)
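The two limits above can be tracked from the startup log lines and the License page string. The following is an added example, not F5 code: it parses both formats (using the sample values shown on this page as constructed input) into structured counts that a capacity check can compare.

```python
import re

# Constructed sample input: the two tmm startup lines quoted in the release note.
SAMPLE_LOG = """\
Oct 12 21:40:19 local/tmm notice tmm: 01490510:5: 00000000: Initializing Access with max global concurrent access session LICENSE limit: 10000
Oct 12 21:40:19 local/tmm notice tmm: 01490523:5: 00000000: Initializing Access with max global concurrent connectivity session LICENSE limit: 500
"""

# Constructed sample input: the License page string quoted in the release note.
SAMPLE_LICENSE = "Access Policy Manager, 500CCU, 2500Access (C5211092-4187358)"

# Matches the "access" (appliance session) and "connectivity" (CCU) limit lines.
LIMIT_RE = re.compile(
    r"Initializing Access with max global concurrent "
    r"(?P<kind>access|connectivity) session LICENSE limit: (?P<limit>\d+)"
)

# Matches "<n>CCU, <m>Access" on the License page.
LICENSE_RE = re.compile(r"(?P<ccu>\d+)CCU,\s*(?P<sessions>\d+)Access")


def parse_session_limits(log_text):
    """Return {'access': N, 'connectivity': M} from tmm startup log lines.

    Lines that do not carry a LICENSE limit are ignored; a later line for the
    same kind overrides an earlier one, so the last restart wins.
    """
    limits = {}
    for line in log_text.splitlines():
        m = LIMIT_RE.search(line)
        if m:
            limits[m.group("kind")] = int(m.group("limit"))
    return limits


def parse_license_line(text):
    """Return {'ccu': N, 'sessions': M} from the License page module string."""
    m = LICENSE_RE.search(text)
    if m is None:
        raise ValueError("no CCU/Access counts found in: %r" % text)
    return {"ccu": int(m.group("ccu")), "sessions": int(m.group("sessions"))}


def binding_limit(limits, remote_users, local_sessions):
    """Report which limit a given load reaches first.

    Assumes (hypothetical, per the note's description) that each remote access
    user consumes one CCU and one session, and local application access
    consumes one session only. Returns the name of the exhausted limit, or None.
    """
    sessions_used = remote_users + local_sessions
    if remote_users > limits["connectivity"]:
        return "connectivity"
    if sessions_used > limits["access"]:
        return "access"
    return None


if __name__ == "__main__":
    limits = parse_session_limits(SAMPLE_LOG)
    print(limits, parse_license_line(SAMPLE_LICENSE))
    print(binding_limit(limits, remote_users=400, local_sessions=9700))
```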
Support for Simple mode at the Transport security level
We now support Simple mode, a transport security level used between Oracle components and their associated Webgates. In Simple mode, traffic between Oracle components is carried over SSLv3/TLSv1.0 using dynamically generated session keys.
Oracle Access Manager (OAM) authentication and authorization actions and agent
You can now pass profile information for the user who requested the resource to other applications, or redirect the user's browser to another site. You can add an OAM agent to your access policy, as you would any other AAA agent, to validate the user's access rights.
Native deferred APM logon support for protected resources
In this release, the native support of this feature was added. With this feature, the user will not be challenged by the APM logon page until they actually attempt to access OAM's protected web resources.
Backward compatibility support to existing Oracle pre-fabricated Webgates
In this release, you no longer need to disable or remove existing Oracle Webgates when you deploy OAM SSO integrations with APM Access Gate. However, we still recommend that you disable or remove existing Oracle Webgates after you deploy APM Access Gate to avoid performance impact.
Support for External logon authentication scheme
In this release, you can use your own authentication challenge method. The external method is used with Oracle Access Manager for Authorization only, where you would have in place a satisfactory method for authenticating users but would also like to use OAM's authorization services.
OAM SSO Global logout through Access Policy Manager
In this release, when you log out of Access Policy Manager, the OAM session is also terminated automatically.
OAM Support for Anonymous Authentication
We now support anonymous authentication, one of Oracle Access Manager's authentication schemes, which allows users to access Oracle Access Manager-specific URLs that you do not want to protect with the access system.
Support of BIG-IP Edge client for the Mac
We now support the BIG-IP Edge standalone client on the Mac. The supported features include endpoint security, location awareness, auto-connect mode, smart connection, customization, and more.
This release includes the following fixes.
RADIUS authentication secret (ID 222566)
In the previous release, if the RADIUS authentication secret was longer than 30 characters, RADIUS authentication failed. This is no longer the case and you can now type in more than 30 characters for your RADIUS authentication secret.
Windows Group Policy template installer (ID 225458)
Previously, users had to manually remove the currently installed Group Policy template package, using Add/Remove Programs in the Windows® Control Panel, before installing a new version. You no longer need to perform this step to install a new version of the Group Policy template package.
Client Troubleshooting Utility (ID 294432)
Previously, when a user installed all client components and then checked the installation with the Client Troubleshooting Utility, the Network Access component urvpndrv.sys was displayed as not installed, and the Network Access components were displayed as not correctly installed. This has been fixed.
Copy link with partitions (ID 342333)
Previously, the copy link appeared when you created access policies in non-common partitions. Now, the copy link is available for access policies only from common partitions.
The following items are known issues in the current release.
Web applications rewrite engine trace functionality (ID 131304)
For this release, the web applications rewrite trace functionality is not yet documented.
Windows Vista protected mode with UAC, temp folder, and protected workspace (ID 222108)
Currently, if a Vista system has the %temp% variable changed from the default location to another location, and protected mode and UAC are enabled, the system cannot start protected workspace. To enable protected workspace on such a system, the user must be added to the discretionary ACL for the new %temp% directory location, and granted permission to change permissions.
Download client with Internet Explorer (ID 223132 )
Currently, when a client downloads the BIG-IP Edge Client for Windows® with the Internet Explorer browser, and attempts to run the installation from the download dialog, the application name is presented as form.exe instead of BIGIPEdgeClient.exe. To see the correct name, save the file first, then start the installation manually.
Outlook 2007 and Protected Workspace (ID 223343)
In this version, when a user attempts to use Microsoft® Outlook® 2007 from within a protected workspace session, various display and feature problems occur.
Microsoft Office Communicator and web applications (ID 223712)
In this version, during a web applications session, when a user logs out of Microsoft Office Communicator, then attempts to log on again, the logon request fails.
Session database and redundancy systems (ID 223951)
There is a high probability that some sessions may be lost or incorrectly shown in the session reports after failover, when you configure the Redundancy State Preference option for BIG-IP running Access Policy Manager.
Misaligned text in warning message on Mac (ID 224357)
In this version, when a user makes a connection to an Access Policy Manager virtual server that uses a self-signed certificate, on some Mac OS® versions, the warning message appears with misaligned text.
InstallerControl, Internet Explorer 8, and Windows XP (ID 224512)
In this version, when a user installs the web client on Internet Explorer 8 on Windows® XP, using the Internet Explorer information bar, the InstallerControl always installs for all users on the machine. All other components can be installed either per user or per machine.
Log SNAT message (ID 224724)
In this version, the message Failed to retrieve SNAT from session appears in /var/log/ltm. This error message appears when a session has set up successfully, but SNAT has not yet been set up.
Network access and default route domain (ID 224851)
In this version, when an administrator creates a network access resource in a partition with a default route domain that is not 0, DNS, WINS, and other settings fail to work.
Mac OS clients and antivirus database time (ID 225100)
When a Mac OS® client attempts to complete an antivirus check, and the administrator has configured the database age to be two days or less, the client fails the antivirus check, because database age is incorrectly calculated by the Mac OS antivirus component. As a workaround, in the antivirus check, the administrator can set the DB Age Not Older Than (days) box to 3.
NTLMv2 and Windows Server 2008 (ID 225149)
In this version, Access Policy Manager single sign-on (SSO) NTLMv2 does not work in Microsoft® Windows® Server® 2008. There is no workaround for this issue in this release.
Oracle OAM service restart (ID 225184)
Currently, when an administrator makes a change to the Oracle OAM server configuration and clicks Update, a warning message appears that the service must restart. However, when the administrator clicks OK, the service does not restart. To force a restart, the administrator can make another change to the server configuration and then change the value back, or, from the command line, run the command bigstart restart eam.
Oracle OAM Redirect URL issue (ID 225555)
If the OAM administrator enters a Redirect URL for authentication or authorization failures that improperly consists of a few spaces (for example, " "), the OAM module may crash. The workaround is to make sure that Redirect URLs are defined within OAM and are configured properly.
Windows Group Policy templates (ID 225456)
Currently, when Windows Group Policy templates are changed on the Access Policy Manager, the templates are not automatically updated on a user's web client. To automatically update Windows Group Policy components, a user must clear the web browser cache.
Active Directory query and case sensitive Admin Name (ID 225477)
Active Directory queries to an Active Directory server where the Admin Name is specified in a different case on the Active Directory server than on the Access Policy Manager fail. When an Active Directory AAA server is created, make sure the Admin Name is specified in the same case as the account on the server. If you upgrade the system, check the Active Directory Admin Name against the configuration on the Access Policy Manager.
Outlook 2003, Cached Exchange Mode, and protected workspace (ID 306821)
Currently, when a user uses Outlook 2003 in a protected workspace session, Outlook creates a new storage file for the session. When the user exits, an error message appears, and the user must dismiss the error to close Outlook. When the user restarts Outlook, if Cached Exchange Mode is enabled, any draft emails created in the protected workspace session are restored. If Cached Exchange Mode is not enabled, any draft emails created in the protected workspace session are lost.
Network access variable assignment (ID 306851, ID 306976, ID 306977)
Currently, when you attempt to add an access policy variable assign action, configured to assign the network access configuration variable dns, wins, or static_host to a AAA attribute, the variable is not assigned.
Windows Vista and Windows 7 upgrade (ID 306872)
Currently, after a client installs all components, then upgrades from Windows® Vista™ to Windows 7®, network access components are not corrected with the upgrade, and the client cannot connect. The client can reinstall all client components to resolve this issue.
Antivirus check, Vista UAC, and trusted sites list (ID 306906)
When a client runs Windows® Vista™ with UAC enabled, the access policy antivirus check item cannot check for database age or engine version for ClamWin antivirus. The client must add the virtual server to the Trusted Sites list in Windows® for this check to work.
Windows error message (ID 306830)
Occasionally, when a user attempts to connect with network access, the error Status: the remote computer did not respond. for further assistance, click more info or search help and support center for this error number appears. The error message is not helpful; however, this is a Windows® system error. The error can be safely ignored.
BIG-IP Local Traffic Manager and network access wizard (ID 306971)
On a BIG-IP Local Traffic Manager system with the BIG-IP Access Policy Manager™ module, when you start the network access wizard, the error The child access profile (wizard-network-access) must have a valid access policy is logged; however, the wizard completes successfully.
Application editor role and access policies (ID 306984)
Currently, an admin user with the application editor role cannot edit access policies, unless the bigpipe shell option for terminal access is enabled for the user.
Webtop links on Safari (ID 306987)
Currently, a user must allow popups in the Safari web browser to use the links on the network access webtop.
Safari browser and required SSL certificate (ID 306989)
If the option to require a client certificate is enabled in the client SSL profile for an access policy virtual server, and a user attempts to connect with the Safari web browser, pop-up screens with the message Safari wants to sign using key PrivateKey in your keychain are displayed repeatedly during prelogon checks.
Certificates, client ssl profile, and Linux or Mac clients (ID 306990, ID 306991)
Currently, when the client ssl profile associated with an access policy is configured to require a client certificate, endpoint checks for Mac and Linux systems fail. As a workaround, configure the client ssl profile to request and not require a client certificate.
Network access and Firefox tabs (ID 306999)
Currently, if a user starts a network access session in a Firefox tab, and network access is configured to minimize the client to the system tray, the Firefox window with all tabs is minimized to the tray and the other tabs in use are not accessible. As a workaround, users can start network access connections in a separate Firefox window.
Windows group policy templates (ID 307004)
In this release, when viewing details for some Windows® group policy templates, the details for some settings cannot be expanded and viewed.
iRule with "/" for URI (ID 307007)
Currently, when creating an iRule to match a URI of / and then trigger an ACCESS:: disable iRule event, an error is received by the client system when attempting to connect.
RADIUS accounting and web applications session (ID 307011)
Currently, when a RADIUS accounting action is used in an access policy with a web applications session and webtop assigned, the STOP message is not received by the RADIUS accounting server when the session ends.
Limited user and FirePass client components (ID 307028)
Currently, when a limited user with FirePass version 6.0.2 client components attempts to connect to an Access Policy Manager version 10.1 server that requires endpoint checks, if both the FirePass and Access Policy Manager sessions have the Don't perform component updates option selected, the user is sent to the logout page. This user must be granted administrative rights to connect.
Hometab and minimal patching (ID 307031)
Currently, when a web applications connection is configured for minimal patching, and the hometab is included, the URL box on the hometab can return incorrect URLs. As workarounds, you can configure the hometab to remove the URL box in minimal patching mode, or you can not include the hometab.
Character length limitation in access policy (ID 307077)
You cannot enter more than 35 characters when you create a name for your access policy. Doing so causes an exception error to occur.
Windows logon credential reuse service (ID 329883)
When a client with Windows® Vista or Windows® 7 is configured to use the Windows credential reuse logon service with the BIG-IP Edge Client™, and the user logs on with the logon format logon@domain (instead of domain\logon), the Windows logon credential reuse service fails to authenticate.
UNIX and network access (ID 340681)
On UNIX-based clients, when a client connects to a network access tunnel, applications that should start do not start.
[Linux] Network Access does not re-establish connection (ID 340757)
If you configure network access with the Force all traffic through tunnel option enabled and unplug your Ethernet cable, network access does not re-establish the connection after you plug the cable back in.
Outlook Web Access, Firefox, and form-based authentication (ID 341230)
Currently, when connecting to an Outlook Web Access 2010 server through web applications with Firefox 3.6 and later, authentication fails intermittently.
SSO combined with HTTP basic and OAM fails (ID 341351)
Currently, if you combine Single-Sign On with an SSO method such as HTTP basic authentication, and you configure OAM, it fails.
Client traffic classifiers do not support route domains (ID 341413)
In this release, rules for Client Traffic Classifiers cannot be created for non-common partition with route domains.
[NA][Win] application launch parameters do not support an apostrophe (ID 341439)
If you configure a network access resource and include an apostrophe in the username or password when you configure the variable assignment agent, the command line fails when it tries to compile the variable assignment agent. The workaround is to avoid using an apostrophe when specifying the username or password.
High availability with OAM configured (ID 341856)
If you enable high availability for active/standby, and configure OAM to use a floating IP address as the secondary self IP address, your session does not work on the secondary node once the active node becomes inactive.
SIP and Network Access (ID 342035)
In this version, a client cannot connect to a SIP server through a network access tunnel.
No error message is displayed when a logo has the wrong type of file (ID 342115)
When you upload a logo with the wrong file type from Connectivity Profiles: Client Customization, an error message should display notifying you of this error, but it does not.
Edge Client can't be installed for MacOS 10.5 (ID 342129)
Mac users must have root privileges to successfully install the Edge client. Otherwise, installation fails.
FullArmor GPAnywhere, Client Troubleshooting Utility, and logs (ID 342364)
In this version, the Client Troubleshooting Utility does not collect logs for FullArmor GPAnywhere.
[Citrix] Connection lost after prolonged inactivity (ID 342908)
In the current version, if you are running a Citrix application and do nothing for approximately 15-20 minutes, you may lose connectivity, and your TCP session terminates. To work around this issue, set the idle timeout for the TCP profile. Go to Local Traffic: Profiles : Protocol : TCP.
Web applications and multiple document upload (ID 343278)
Mac OS X, Firefox, browser and split tunneling (ID 342298)
Currently, when you configure network access on a Mac OS with split tunneling and an exclude subnet, then remove and reconnect the network cable, data is corrupted.
Network access leasepool addresses (ID 342317)
Currently, when network access assigns a client an IP address from the leasepool that coincides with the client IP address or client's gateway IP address, the routing table is corrupted and the system cannot establish a network access tunnel.
OAM server default (ID 342558)
In the visual policy editor, the OAM access policy item configuration is prepopulated with port numbers that may or may not apply to the Oracle Access Manager server.
Terminated sessions displayed as active in the system (ID 343143)
After a user terminates their session, the session still displays as active when you go to Access Policy: Reports: and click Current Sessions. Additionally, if you click the Session ID link to access the session summary, and click the Session Variables link, an error message displays.
Web applications and opening documents with Windows Explorer (ID 343281)
In this version, when a user browses through a web applications connection to a library of documents, then attempts to open a document with the option Actions > Open with Windows Explorer, an empty page or document launches.
SharePoint 2007 and Web Applications (ID 343284)
In this version, when a user working with SharePoint 2007 through a web applications connection attempts to create a column in a datasheet, with the options Action > Edit in DataSheet and Settings > Create Column, and then clicks Cancel, the web page expires.
Web applications and dashboard (ID 343347)
Currently, when an administrator views the chart of realtime requests for RamCache in web applications, a flat line is displayed instead of the real data.
Removing accepted languages and the Apply Access Policy link (ID 345915)
After you remove the accepted languages under the Language settings in your access policy and click Update, the Apply Access Policy link does not appear in the upper-left corner of the page. To work around this issue, after changing the language, navigate to your list of access profiles, select the checkbox next to the policy that you just modified, and click Apply Access Policy.
For additional information, please visit http://www.f5.com.