Updated Date: 10/14/2011
This release note documents the version 10.2.0 release of the Access Policy Manager. To review the features introduced by this release, see New features and fixes in this release. For existing customers, you can apply the software upgrade to systems running versions 10.1 or later. For information about installing the software, refer to Installing the software.
Note: F5 offers general availability releases and general sustaining releases. For detailed information on our policies, refer to Solution 8986, F5 software lifecycle policy, which is available on the AskF5 web site, http://support.f5.com.
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 10.2.0 Documentation page.
The minimum system requirements for this release are:
Note: You cannot run this software on a CompactFlash® media drive; you must use the system's hard drive.
You can work with the BIG-IP system Configuration utility using the following browsers:
Note that we recommend that you leave the browser cache options at the default settings, and disable popup blockers and other browser add-ons or plug-ins. For more information on supported browsers, refer to the BIG-IP® Access Policy Manager™ Client Compatibility Matrix version 10.2.
This release supports the following platforms:
If you are unsure which platform you have, look at the sticker on the back of the chassis to find the platform number.
Note: The hardware and software for each unit in a redundant system configuration must match.
This section lists only the very basic steps for installing the BIG-IP software, which includes the Access Policy Manager Module. The BIG-IP® Systems: Getting Started Guide contains details and step-by-step instructions for completing an installation. F5 Networks recommends that you consult the getting started guide for all installation operations.
If the software is already installed on your hardware platform, refer to the Configuration Guide for BIG-IP® Access Policy Manager™.
The steps in this guide assume that:
Installation consists of the following steps.
After the installation finishes, you must complete the following steps before the system can pass traffic.
Each of these steps is covered in detail in the BIG-IP® Systems: Getting Started Guide, and F5 Networks recommends that you refer to the guide to ensure successful completion of the installation process.
The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
You can check the status of an active installation operation by running the command b software status.
If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
This release includes the following new features and fixes.
BIG-IP Access Policy Manager on BIG-IP Local Traffic Manager
You can provision a free ten-concurrent-connection license of the BIG-IP Access Policy Manager™ module for web application access management. The BIG-IP Access Policy Manager is a software component of the BIG-IP hardware platform that provides your users with secure connections to Local Traffic Manager™ virtual servers, specific web applications, or the entire corporate network. For provisioning details, see BIG-IP® Systems: Getting Started Guide.
Oracle Access Gate integration
Oracle Access Manager is now supported by Access Policy Manager. Administrators no longer need to deploy Oracle Access Manager Webgate plugins to application servers, or deploy an authentication proxy tier, to use Oracle Access Manager. Web application user authentication and authorization access control can now be enforced on the BIG-IP system, while Oracle Access Manager is configured at the access policy.
Windows logon credential reuse
To streamline the end-user experience, the BIG-IP Edge Client™ can now cache and reuse credentials from the Windows® logon. This feature is controlled through policy set by the administrator on the Access Policy Manager. This feature requires the installation of the Windows logon reuse service on client machines, which is configured in the client connectivity profile.
Access Policy Manager now supports the syncing of email, calendar, and contacts with Microsoft® Exchange on mobile devices such as the Apple® iPhone®, using Microsoft's ActiveSync protocol. Microsoft ActiveSync connections can now be detected and branched in an access policy, so users can synchronize ActiveSync items like mail and calendars. This feature uses a preconfigured ActiveSync iRule that is implemented on the virtual server. Administrators can branch for ActiveSync clients using the UI Mode server-side check.
IP Geolocation Match action
You can now more easily use IP Geolocation in access policies. The previous version of Access Policy Manager required a custom iRule to access the geolocation database. Now, the new IP Geolocation Match action simplifies the functionality, making it easier for administrators to include IP geolocation in access policies.
Client-side installation and runtime rights
Client-side installation and runtime rights requirements have been reduced. Now, administrative rights are required only for installation of the Windows Group Policy action, and for installation of the VPN driver for network access connections. You can find a summary of the new client installation rights in the New Features Guide for BIG-IP®.
64-bit Protected Workspace
The protected workspace access policy item now runs on 64-bit Windows® clients running in 64-bit mode.
This release includes the following fixes.
Active Directory servers and password resets (CR128612)
Previously, when two different Active Directory servers had the same domain name specified, password change operations failed on Active Directory authentication clients. Now, these password change operations succeed.
Single Sign-On form-based authentication and Oracle OAM (CR129850-1)
Previously, Single Sign-On with form-based authentication did not authenticate with Oracle OAM. Now, Oracle OAM is supported for Single Sign-On applications.
Microsoft SharePoint and web applications (CR131835)
Previously, when a user connected to SharePoint through a web applications connection, some features in SharePoint, including Picture Manager and Explorer View, became unresponsive. Now, these features work in SharePoint with a web applications connection.
Web applications and large includes (CR132555, CR132555-1)
Previously, when a user attempted to connect to a web application session in which the web applications engine rewrote links in an HTML page that contained <style> or <script> includes containing more than 8K of data, the web application was not displayed or did not function correctly. Now, rewritten HTML pages with more than 8K of includes display correctly.
Access policy wizards and SecurID authentication (CR132861)
Previously, when you created an access profile with SecurID authentication with the access policy wizard, SecurID authentication failed. Now, SecurID authentication succeeds when you create an access profile with the wizard.
Web applications and non-Internet Explorer browsers (CR133859-1)
Virtualized files and protected workspace (CR134025)
In previous versions, files that were virtualized in the protected workspace session were not deleted when a user logged on to a system or booted a system with certain reduced privileges. Now, previously virtualized files are deleted on system boot or user log on.
Protected workspace description (CR134028)
Previously, the Configuration Guide and online help for the protected workspace access policy item did not make clear that executable files are not encrypted in a protected workspace session. Now, this information is included.
SecurID AAA server definition (CR134247)
Previously, when defining an AAA SecurID server, it was not clear that the Source IP Address had to be an existing Self IP address, and had to match the host name in the SecurID configuration file. Now, the setting is renamed, and the administrator can select an existing Self IP address from a list, or specify a new IP address.
Protected workspace and executable file headers (CR134522)
Previously, the protected workspace environment did not check the header content of files with executable file names (for example EXE, DLL, IME, and CPL files), so files could be renamed as executables, then extracted unencrypted after a protected workspace session. Now, protected workspace checks that files named as executables are actually executable files, and encrypts them if they are not.
Network Access and HTTP client autoconfig script (CR135694, CR79045-1)
In previous versions, some applications, like Citrix MetaFrame, did not correctly use client proxy autoconfig scripts when the file:// prefix was used to locate the proxy autoconfig script. Now, the option Client Proxy Uses HTTP for Proxy Autoconfig Script is available in the client proxy settings to enable applications like this to work correctly.
Windows file check and Japanese file names (CR136263-1)
In previous versions, the Windows® file check action failed when checking file names with Japanese characters. Now, the Windows file check action can successfully check files with Japanese characters.
PowerPoint and protected workspace (CR136883)
Previously, users could not save Microsoft PowerPoint version 97-2003 files from a protected workspace session. Now, users can save PowerPoint files in protected workspace.
Auto launch and protected workspace (CR136947)
Previously, in some instances, Network Access auto launch applications did not start in protected workspace sessions. Now, autolaunch applications do start automatically in a protected workspace session.
Protected workspace and session close (CR136998)
In previous versions, protected workspace sessions did not end when the network access session stopped. Now, a protected workspace session ends when the network access session ends.
AD and LDAP Query user attributes do not convert properly (CR137015, CR137015-1)
In the previous release, if the Active Directory or LDAP user's groups contained non-printable characters, the session variable encoded the entire memberOf attribute as hex. Now, the memberOf session variable displays hex only for the particular groups that contain non-printable characters.
Lease pool and route domain other than 0 (CR137226, CR631098-1)
Previously, you could not create a network access lease pool in a partition other than the common partition that had a specific non-0 route domain. Now, you can create a lease pool in a partition with a route domain assigned.
RSA SecurID authentication fails with error (CR137479-1)
In the previous release, RSA SecurID authentication failed due to an error caused by the boost_resource_error exception. Now, RSA SecurID authenticates successfully despite the “Couldn’t read from socket” error.
RSA SecurID authentication intermittently fails in RSA cluster deployment (CR137544, C628203-3)
In the previous release, RSA SecurID authentication failed in clustered deployments because Access Policy Manager supported only one node in an RSA SecurID cluster. Now, multiple RSA SecurID nodes are supported, and authentication no longer fails in a cluster environment.
Partition access rights for SuperAdmins (CR137594, CR137594-1)
In the previous release, SuperAdmins working in other partitions were not able to add new items to an access policy, and were unable to edit or use each object in the visual policy editor. Now, SuperAdmins working in other partitions can add access policy items.
Second session variable in AD Query agent is not rendered (CR137746, C631630-1)
Previously, if you created an access policy that uses AD Query and a search expression that uses two variables, only the first session variable was expanded. To work around this issue, you had to use nested AD queries, for example to query the last name and then the first name. Now, you no longer have to apply the workaround, because all session variables in a string are replaced, not just the first one.
Unassigned lease pool address fails to release (CR137855, CR137855-1)
In the previous release, the mechanism for refreshing the lease pool IP address that was assigned to a Network Access tunnel failed. Now, because the lease pool IP address timeout has been increased to twice the session idle timeout, this no longer fails.
The following items are known issues in the current release.
Cached passwords in Edge Client (337922)
When the administrator configures password caching on the Edge Client through the connectivity profile, the cached password is not always automatically submitted. If the user starts the client, the Edge Client always prompts for a username and password combination for the first connection to a particular server. If the client starts with the /autolaunch flag, for example, after logging out and logging back in to Windows, then there is no prompt and cached credentials are automatically submitted. If the user switches to another server, that server prompts for credentials for the connection, even if cached credentials exist.
Character length limitation in access policy (CR87823)
You cannot enter more than 35 characters when you create a name for your access policy. Doing so causes an exception error to occur.
Windows mobile and registry keys (CR99557-1)
Currently, after uninstalling the F5 client software from a Windows® Mobile 5 or 6 device, the registry keys HKEY_LOCAL_MACHINE\ExtModems\'F5 SSL VPN and HKEY_LOCAL_MACHINE\Drivers\BuiltIn\F5SSLVPNCom remain on the device.
Outlook 2003, Cached Exchange Mode, and protected workspace (CR111020)
Currently, when a user uses Outlook 2003 in a protected workspace session, Outlook creates a new storage file for the session. When the user exits, an error message appears, and the user must dismiss the error to close Outlook. When the user restarts Outlook, if Cached Exchange Mode is enabled, any draft emails created in the protected workspace session are restored. If Cached Exchange Mode is not enabled, any draft emails created in the protected workspace session are lost.
Windows error message (CR112627)
Occasionally, when a user attempts to connect with network access, the error Status: the remote computer did not respond. for further assistance, click more info or search help and support center for this error number appears. The error message is not helpful; however, this is a Windows® system error. The error can be safely ignored.
Windows Vista protected mode with UAC, temp folder, and protected workspace (CR112810)
Currently, if a Vista system has the %temp% variable changed from the default location to another location, and protected mode and UAC are enabled, the system cannot start protected workspace. To enable protected workspace on such a system, the user must be added to the discretionary ACL for the new %temp% directory location, and granted permission to change permissions.
Network access variable assignment (CR114339, CR129477, CR129492)
Currently, when you attempt to add an access policy variable assign action, configured to assign the network access configuration variable dns, wins, or static_host to an AAA attribute, the variable is not assigned.
Windows Vista and Windows 7 upgrade (CR116914)
Currently, after a client installs all components, then upgrades from Windows® Vista™ to Windows 7®, network access components are not corrected with the upgrade, and the client cannot connect. The client can reinstall all client components to resolve this issue.
Antivirus check, Vista UAC, and trusted sites list (CR119609)
Currently, when a client runs Windows® Vista™ with UAC enabled, the access policy antivirus check item cannot check for database age or engine version for ClamWin antivirus. The client must add the virtual server to the Trusted Sites list in Windows® for this check to work.
RADIUS authentication secret (CR121333)
If the RADIUS authentication secret is longer than 30 characters, RADIUS authentication fails.
BIG-IP Local Traffic Manager and network access wizard (CR127350)
On a BIG-IP Local Traffic Manager system with the BIG-IP Access Policy Manager™ module, when you start the network access wizard, the error The child access profile (wizard-network-access) must have a valid access policy is logged; however, the wizard completes successfully.
Download client with Internet Explorer (CR127841)
Currently, when a client downloads the BIG-IP Edge Client for Windows® with the Internet Explorer browser, and attempts to run the installation from the download dialog, the application name is presented as form.exe instead of BIGIPEdgeClient.exe. To see the correct name, save the file first, then start the installation manually.
Outlook 2007 and Protected Workspace (CR129110)
In this version, when a user attempts to use Microsoft® Outlook® 2007 from within a protected workspace session, various display and feature problems occur.
Application editor role and access policies (CR130064)
Currently, an admin user with the application editor role cannot edit access policies, unless the bigpipe shell option for terminal access is enabled for the user.
Webtop links on Safari (CR130190)
Currently, a user must allow popups in the Safari web browser to use the links on the network access webtop.
Safari browser and required SSL certificate (CR130209)
If the option to require a client certificate is enabled in the client SSL profile for an access policy virtual server, and a user attempts to connect with the Safari web browser, pop-up screens with the message Safari wants to sign using key PrivateKey in your keychain are displayed repeatedly during prelogon checks.
Certificates, client ssl profile, and Linux or Mac clients (CR130211, CR130212)
Currently, when the client ssl profile associated with an access policy is configured to require a client certificate, endpoint checks for Mac and Linux systems fail. As a workaround, configure the client ssl profile to request and not require a client certificate.
Network access and Firefox tabs (CR130603)
Currently, if a user starts a network access session in a Firefox tab, and network access is configured to minimize the client to the system tray, the Firefox window with all tabs is minimized to the tray and the other tabs in use are not accessible. As a workaround, users can start network access connections in a separate Firefox window.
Windows group policy templates (CR130670)
In this release, when viewing details for some Windows® group policy templates, the details for some settings cannot be expanded and viewed.
iRule with "/" for URI (CR130741)
Currently, when creating an iRule to match a URI of / and then trigger an ACCESS:: disable iRule event, an error is received by the client system when attempting to connect.
RADIUS accounting and web applications session (CR131229)
Currently, when a RADIUS accounting action is used in an access policy with a web applications session and webtop assigned, the STOP message is not received by the RADIUS accounting server when the session ends.
Web applications rewrite engine trace functionality (CR131304)
For this release, the web applications rewrite trace functionality is not yet documented.
Microsoft Office Communicator and web applications (CR131410)
In this version, during a web applications session, when a user logs out of Microsoft Office Communicator, then attempts to log on again, the logon request fails.
Limited user and FirePass client components (CR132241)
Currently, when a limited user with FirePass version 6.0.2 client components attempts to connect to an Access Policy Manager version 10.1 server that requires endpoint checks, if both the FirePass and Access Policy Manager sessions have the Don't perform component updates option selected, the user is sent to the logout page. This user must be granted administrative rights to connect.
Hometab and minimal patching (CR132787)
Currently, when a web applications connection is configured for minimal patching, and the hometab is included, the URL box on the hometab can return incorrect URLs. As workarounds, you can configure the hometab to remove the URL box in minimal patching mode, or you can omit the hometab.
Session database and redundancy systems (CR132976)
There is a high probability that some sessions may be lost or incorrectly shown in the session reports after failover, when you configure the Redundancy State Preference option for BIG-IP running Access Policy Manager.
Misaligned text in warning message on Mac (CR135659)
In this version, when a user makes a connection to an Access Policy Manager virtual server that uses a self-signed certificate, on some Mac OS® versions, the warning message appears with misaligned text.
InstallerControl, Internet Explorer 8, and Windows XP (CR136620)
In this version, when a user installs the web client on Internet Explorer 8 on Windows® XP, using the Internet Explorer information bar, the InstallerControl always installs for all users on the machine. All other components can be installed either per user or per machine.
Log SNAT message (CR137454)
In this version, the message Failed to retrieve SNAT from session appears in /var/log/ltm. This error message appears when a session has set up successfully, but SNAT has not yet been set up.
Resource assign action and multiple expressions (CR137523)
In this version, when you assign a resource to an access policy with the resource assign action, and add a resource assign entry with an expression, if you then add another resource assign entry, the same expression as the previous entry is automatically added.
Network access and default route domain (CR137853-1)
In this version, when an administrator creates a network access resource in a partition with a default route domain that is not 0, DNS, WINS, and other settings fail to work.
Windows logon credential reuse service (CR138449-1)
When a client with Windows® Vista or Windows® 7 is configured to use the Windows credential reuse logon service with the BIG-IP Edge Client™, and the user logs on with the logon format logon@domain (instead of domain\logon), the Windows logon credential reuse service fails to authenticate.
Mac OS clients and antivirus database time (CR138547)
When a Mac OS® client attempts to complete an antivirus check, and the administrator has configured the database age to be two days or less, the client fails the antivirus check, because database age is incorrectly calculated by the Mac OS antivirus component. As a workaround, in the antivirus check, the administrator can set the DB Age Not Older Than (days) box to 3.
NTLMv2 and Windows Server 2008 (CR138652-1)
In this version, Access Policy Manager single sign-on (SSO) NTLMv2 does not work in Microsoft® Windows® Server® 2008. There is no workaround for this issue in this release.
Oracle OAM service restart (CR138732)
Currently, when an administrator makes a change to the Oracle OAM server configuration and clicks Update, a warning message appears that the service must restart. However, when the administrator clicks OK, the service does not restart. To force a restart, the administrator can make another change to the server configuration, then change the value back, or from the command line, run the command bigstart restart eam.
Oracle OAM cookies issue (CR139671)
The ObSSOCookie is not cleared from the web browser, and is not invalidated, when the APM user session is terminated. To be sure that the ObSSOCookie clears, an iRule should be constructed such that, upon finding a URL that corresponds to a logout event, the ObSSOCookie is deleted from the client.
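One way to build the logout iRule described above, as an added example that is not part of the release note or F5's own configuration. It assumes the application's logout path is /logout and that OAM set the cookie with path /; both values must be adjusted to the deployment. The cookie is left in the request so the backend can still invalidate its own session; only the response to the client is changed.

```tcl
# Added example: expire the OAM ObSSOCookie on the client when the request
# URI is the application's logout path.
# Assumed values: logout path "/logout" and cookie path "/" (adjust as needed).
when HTTP_REQUEST {
    # Record whether this request is a logout so the response handler can act on it.
    set logout_req 0
    if { [string tolower [HTTP::path]] starts_with "/logout" } {
        set logout_req 1
    }
}
when HTTP_RESPONSE {
    if { $logout_req } {
        # Overwrite the cookie with an empty value whose expiry is already in the
        # past (absolute time 0 = 1 Jan 1970), so the browser discards it.
        HTTP::cookie insert name "ObSSOCookie" value "" path "/"
        HTTP::cookie expires "ObSSOCookie" 0 absolute
        # Make sure the logout response itself is not served from a cache.
        HTTP::header replace "Cache-Control" "no-store"
    }
}
```

Attach the iRule to the access policy virtual server that fronts the OAM-protected application; verify by checking that the logout response carries a Set-Cookie header for ObSSOCookie with an expiry in the past.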
Oracle OAM Redirect URL issue (CR139672)
If the OAM administrator enters a Redirect URL for authentication or authorization failures, for example, and improperly puts a few spaces there (for example, “ “), this may cause the OAM module to crash. The workaround is to be sure that Redirect URLs are defined within OAM and are configured properly.
Client Troubleshooting Utility (CR139335-1)
In this version, when a user installs all client components, then checks the installation with the Client Troubleshooting Utility, the Network Access component urvpndrv.sys displays as not installed, and Network Access components display as not correctly installed. The components are, however, correctly installed.
Windows Group Policy templates (CR139426)
Currently, when Windows Group Policy templates are changed on the Access Policy Manager, the templates are not automatically updated on a user's web client. To automatically update Windows Group Policy components, a user must clear the web browser cache.
Windows Group Policy template installer (CR139430)
Users must manually remove the currently installed Group Policy template package, to install a new version, using Add/Remove Programs in the Windows® Control Panel.
Active Directory query and case sensitive Admin Name (CR139481)
Active Directory queries to an Active Directory server where the Admin Name is specified in a different case on the Active Directory server than on the Access Policy Manager fail. When an Active Directory AAA server is created, make sure the Admin Name is specified in the same case as the account on the server. If you upgrade the system, check the Active Directory Admin Name against the configuration on the Access Policy Manager.
For additional information, please visit http://www.f5.com.