Applies To:

Show Versions Show Versions

Release Note: BIG-IP APM 11.0.0
Release Note

Original Publication Date: 01/04/2012


This release note documents the version 11.0.0 release of BIG-IP Access Policy Manager. You can apply the software upgrade to software versions 10.x on multiple platforms, as defined in SOL10288: BIG-IP software and platform support matrix.


- User documentation for this release
- New in 11.0.0
- Installation overview
     - Installation checklist
     - Installing the software
     - Post-installation tasks
     - Installation tips
- Upgrading from earlier versions
- Fixes in 11.0.0
- Known issues
- Contacting F5 Networks
- Legal notices

Summary Access Policy Manager 11.0.0

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 11.0.0 Documentation page.

New in 11.0.0

Application Tunnels

This release provides application tunnels to a single application on a remote user's desktop without the security risk of opening a full network access tunnel.

Optimized Network Access Tunnels

With this feature, you can layer full network access tunnels with optimized tunnels for Windows clients.

Remote Desktops

This release provides a hosted remote desktop connection, from a specific remote desktop application to the remote user's desktop, without the security risk of opening a full network access tunnel. Remote desktop is supported for Citrix XenApp server and Microsoft RDP clients.

Kerberos Protocol Translation

With this feature, APM is able to authenticate the user with Active Directory, and then receive a Kerberos ticket on the user's behalf, allowing secure access to the Application server and offloading SSL negotiation from the app server. This feature also makes SSL offload for Smart Card authentication possible.

Kerberos Single Sign-On

With this feature, a user can automatically sign onto backend applications and services that are part of a Kerberos realm, for seamless authentication after the user completes an access policy using a supported authentication scheme.

Oracle Access Manager (OAM) integration

With this release, you can design access policies and manage policy-based access services for Oracle applications on an Oracle Access Manager server from one location.

Flash Patching

In Portal Access, HTML-formatted fields in Flash content are patched by the APM rewrite engine. When rendering an application through the Access Policy Manager, the rewrite engine rewrites the Flash content to render links properly.

Dynamic webtops

The dynamic webtop displays a list of network resources, which include applications, network access and remote desktops, available to a user after authentication. The content of the webtop is dynamic in the sense that only resources for which the user is authorized are displayed to the user. The webtop is customizable based on a user’s identity, context, and group membership.

Reporting system

With the new reporting system, you can generate customized, granular reporting for analysis and troubleshooting purposes. You can generate reports based on many parameters, for example, access failures, users, resources accessed, group usage, or geolocation.

Machine info inspection

The machine info client check allows administrators to examine the security posture of a device, including attributes such as MAC address, CPU ID and HDD ID. The access policy can compare information collected by the machine info check to an allowed list of hardware devices or configurations, then add the result to the access policy. This enables the access policy administrator to identify IT-controlled assets.

Client Type inspector

The client type inspector replaces the UI mode inspector, and includes new branches for the BIG-IP Edge Client, iOS, and Android devices.

Dynamic ACLs

BIG-IP Access Policy Manager can load ACLs from an external authentication database (Active Directory, RADIUS, or LDAP) and apply them dynamically. This allows for a single policy per user, no matter which Access Policy Manager the user is connecting to.

Edge Client for MacOS

The optional BIG-IP Edge Client can be delivered by browser or as a standalone application. Its functionality is identical to the Windows version (though Windows provides more client side checks), in a native MacOS interface. The Edge Client for MacOS is supported on Mac 10.5.x and later, and supports 64-bit OSes.

Adaptive Compression

Compression in resources now compresses downstream data to the client using the best available compression codec, based on network conditions and compressibility of the data.

Installation overview

This document lists very basic steps for installing the software. BIG-IP System: Upgrading Active/Standby Systems and BIG-IP System: Upgrading Active-Active Systems contain details and step-by-step instructions for completing an upgrade.

Installation checklist

Before you begin:

  • Update/reactivate your system license, if needed, to ensure that you have a valid service check date.
  • Ensure that your system is running version 10.0.0 or later and is using the volumes formatting scheme.
  • Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
  • Configure a management port.
  • Set the console and system baud rate to 19200, if it is not already.
  • Log on as an administrator using the management port of the system you want to upgrade.
  • Boot into an installation location other than the target for the installation.
  • Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
  • Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
  • Turn off mirroring.
  • If you are running WAN Optimization Manager, set provisioning to Minimum.

Installing the software

F5 offers several installation methods. Choose the method that best suits your environment.
Warning: Do not use the --nomoveconfig option described in the following table on systems with existing, running installations of Application Security Manager. Doing so removes all content from the associated database. Instead, ensure that the configuration on the source installation location matches the one on the destination. To do so, save the UCS configuration on the location you want to preserve, and apply that configuration to the destination before or after the installation operation.

To install the software, use one of the methods described here.

Install method Command
Format for volumes, migrate source configuration to destination image2disk --format=volumes <downloaded_filename.iso>
Format for volumes, preserve destination configuration (for fully 10.x environments) image2disk --nomoveconfig --format=volumes <downloaded_filename.iso>
Install without formatting (not for first-time 10.x installation) bigpipe software desired HD.<n.n> version 10.x build <nnnn.n>.iso product BIG-IP
Format for partitions (for mixed 9.x and 10.x environments) image2disk --format=partitions <downloaded_filename.iso>
Install from the browser-based Configuration utility Use the Software Management screens in a web browser.

Post-installation tasks

This document lists very basic steps for installing the software. BIG-IP System: Upgrading Active/Standby Systems and BIG-IP System: Upgrading Active-Active Systems contain details and step-by-step instructions for completing an upgrade.

After the installation finishes, you must complete the following steps before the system can pass traffic.
  1. Ensure the system rebooted to the new installation location.
  2. Log on to the browser-based Configuration utility.
  3. Run the Setup utility.
  4. Provision the modules.
  5. Convert any bigpipe scripts to tmsh. (Version 11.0.0 does not support the bigpipe utility.)

Installation tips

  • The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
  • You can view a list of the image2disk utility options by running the command image2disk --help.
  • You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
  • If installation fails, you can view the log file. For image2disk installations, the system logs messages to the file you specify using the --t option. For other installations, the system stores the installation log file as /var/log/liveinstall.log.

Upgrading from earlier versions

Your upgrade process differs depending on the version of software you are currently running. Software version 10.x introduced the ability to run multiple modules based on platform. The number and type of modules that can be run simultaneously is strictly enforced through licensing. For more information, see SOL10288: BIG-IP software and platform support matrix.

Warning: Do not use the 10.x installation methods (the Software Management screens, the b software or tmsh sys software commands, or the image2disk utility) to install/downgrade to 9.x software or operate on partitions. Depending on the operations you perform, doing so might render the system unusable. If you need to downgrade from version 10.x to version 9.x, use the image2disk utility to format the system for partitions, and then use a version 9.x installation method described in the version 9.x release notes to install the version 9.x software.

Upgrading from version 10.x

When you upgrade from version 10.x software, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.

Upgrading from versions earlier than 10.x

You cannot roll forward a configuration directly to this version from BIG-IP version 4.x, or from BIG-IP versions 9.0.x through 9.6.x. You must be running version 10.x software. For details about upgrading to those versions, see the release notes for the associated release.

Fixes in 11.0.0

The current release includes the fixes and enhancements from previous releases and the fixes that were distributed in SOL12729: Overview of BIG-IP version 10.2.1 HF1, SOL12778: Overview of BIG-IP version 10.2.1 HF2, and SOL12816: Overview of BIG-IP version 10.2.1 HF3.

ID Number Description
225512 Previously, Access Policy Manager clients that started network access tunnels that ended up on different Traffic Management Microkernels (TMMs) could not communicate. Now, such clients can communicate.
225870 Previously, a rare condition could cause a crash in the system when APM tried to connect or reconnect a network access tunnel. We have corrected this.
226423 Previously, Access Policy Manager's active sessions graph erroneously reported a maximum value when active sessions existed and a failover event occurred. Now, this issue no longer occurs.
336284 Previously, network access tunnels on a system that failed over could not restart after the failover because the lease pool was not created. Now the lease pool is created and network access tunnels fail over correctly.
339171 Previously, when an administrator created a AAA server with the web interface, some legal characters could not be used in the AAA server name. Now the name field accepts all legal characters.
339951 Previously, Access Policy Manager HTTP 404 Not Found errors could not be configured. Now, the message for these errors is configurable as part of the logout group.
341377 The following new iRule commands have been introduced to allow the use of multiple SSO profiles and make them selectable based on user-defined criteria:
  • WEBSSO::enable
  • WEBSSO::disable
  • WEBSSO::select sso_profile_name
You can use these iRule commands in the following event contexts: ACCESS_ACL_ALLOWED, HTTP_REQUEST, HTTP_REQUEST_DATA. More information is available on F5 DevCentral.
344713 Previously, WebSSO crashed when the HTTP header dictionary was invalidated and refreshed. Now this no longer occurs.
346047 Previously, the documentation for portal access described a patching method (No patching) that is no longer supported. The patching method is no longer described.
347568 In portal access, JavaScript rewriting has been enhanced to better handle SVG elements.
348742 Previously, the Client OS action in Access Policy Manager did not support Microsoft Internet Explorer 9. The Client OS action now supports clients identifying themselves as Internet Explorer 9.
349490 Previously, when you configured an access policy using HTTP form-based authentication, the username and password were sent to the authentication server in POST variables, even if a username and password were not specified in the server configuration, resulting in authentication failures. Now the username and password are sent only when specified.
351757 In a previous release, when the admin configured client power management settings in Network Access network properties, those power management settings were ignored by Windows Vista and Windows 7 clients. Now, Windows Vista and Windows 7 clients use the Network Access power management settings.
351895 Previously, when you created multiple Active Directory AAA servers, or changed the realm on multiple Active Directory server, several default_realm entries were erroneously added to the /etc/krb5.conf configuration file, causing authentication errors. Now, only one default_realm entry is added to the configuration file.
354748 Previously, when you configured portal access for a backend server with the same host name as the Access Policy Manager virtual server, portal access failed to rewrite some links. Now, portal access rewrites links correctly when the backend web server has the same host name as the virtual server.
358873 Previously, when a Portal Access connection was made to an SAP Netweaver backend server, some JavaScript Function() calls were not correctly handled, resulting in errors on the client. Now, NetWeaver JavaScript functions are handled correctly by Portal Access.
359330 Previously, when you configured an Access Policy Manager LTM Access connection with at least one pool member, and source IP persistence or persistent cookies enabled, some connection errors occurred with certain web servers. Now, this configuration works correctly.
359530 Previously, when a user accessed a SharePoint 2007 site through portal access, the rewrite engine used the wrong parser to patch some URLs incorrectly, causing connection errors and failures. Now, the rewrite engine for SharePoint 2007 sites uses the correct parser.
365107 Previously, when the Access Policy Manager received an HTTP 100 continue response from a backend server, the system could fail or experience instability. The system no longer fails or becomes unstable in this scenario.

Known issues

This release contains the following known issues.

ID 224076 Systems secured with some secure keystroke programs cannot enter Protected Workspace.
ID 306851 When assigning a Network Access DNS server with the variable assign action from an Active Directory attribute, the variable assignment fails. The following workaround assigns the DNS servers in the variable assign action. agent variable assign policy_name_act_variable_assign_ag { variables { { varname "config.connectivity_resource_network_access.network_access_resource_name.dns" expression "expr { \"<dns><dns_primary>ip_address</dns_primary><dns_secondary>ip_address</dns_secondary></dns>\" }" } } }
ID 306976 When assigning a Network Access WINS server with the variable assign action from an Active Directory attribute, the variable assignment fails. The following workaround assigns the WINS servers in the variable assign action. agent variable assign policy_name_act_variable_assign_ag { variables { { varname "config.connectivity_resource_network_access.network_access_resource_name.wins" expression "expr { \"<wins><wins_primary>ip_address</wins_primary><wins_secondary>ip_address</wins_secondary></wins>\" }" } } }
307028 When a limited user with FirePass version 6.0.2 client components attempts to connect to an Access Policy Manager version 11 server that requires endpoint checks, if both the FirePass and Access Policy Manager sessions have the Don't perform component updates option selected, the user is sent to the logout page. This user must be granted administrative rights to connect.
ID 346743 Currently, when you create an Oracle Access Manager (OAM) AAA server object, Cert Transport Security Mode is not supported.
ID 354427 In this release, multiple network access resources cannot be assigned to a full webtop.
ID 354890

In this release, you cannot use NAS-IP as a source IP of the Radius Authentication request client.

To work around this issue, create a forwarding-IP virtual address with the same IP and port as the AAA server, and add a SNAT pool. Follow these steps:
  1. Create a AAA server.
  2. Specify this server in your access policy.
  3. Create a SNAT pool with the NAS IP address.
  4. Create a UDP layered virtual server of type Forwarding (IP) with the SNAT pool, and disable ARP.
ID 354892

In this release, you cannot specify the source IP address of the packet when you set up your AAA server definitions.

To work around this issue, you must create a layered forwarding-IP virtual with the same IP address and port number as your AAA server.
  1. Create a SNAT pool with the IP address that you want to use as the source IP address from Local Traffic > SNATS > SNAT Pool List.
  2. Create a UDP layered virtual server of type Forwarding (IP) with the SNAT Pool you just created.
  3. Disable ARP for the layered virtual server.
ID 356562

Custom reports are not saved during a system upgrade to Access Policy Manager version 11.

To work around this issue, export your custom reports and then reimport them after you upgrade.

ID 360141 In this version, the message Apply Access Policy does not appear on the Admin UI or VPE even after modifying an SSO configuration. The configuration change takes effect immediately for new sessions established after the change. Old sessions (those that were already created before the configuration change) continue using the old SSO configuration.
ID 360248 In this release, if two administrators simultaneously use the admin UI and one of them deletes an image while the other administrator is in the process of using that image, the entire transaction will end and the Save fails. The administrator who was in the process of using that image will need to restart from the last saved change and apply all changes again.
ID 360734 In this version, when previewing pages in the Customization application, the Preview pane does not automatically refresh when switching languages. To work around this issue, click an item in the Preview tree pane to refresh the page in the new language.
ID 360742

When the logon page is customized in VPE in multiple languages, the images appear broken.

As a workaround, customize the logon page in the Customization application.

ID 362200 In this release, using special characters such as ', ", &, and < to customize messages may affect client-side functionality.
ID 362351 Currently, branch names cannot begin with the text fallback. The name must begin with an alphabetic character (for example, a or A). The remainder of the name can contain only alphanumeric characters (numbers and letters), spaces, and the following symbols: + - _ ( ) [ ] .
ID 363188 In this release, when you attempt to use tmsh to add a virtual server and an alias pair whose name includes a space, to a connectivity profile using the command tmsh modify apm profile connectivity name_of_profile add { virtual_server::virtual_server_alias_with_space }, the command fails. When you specify the server alias, you must not include any spaces in the aliases for the virtual server.
ID 364853 In this release, when you create a webtop with tmsh and specify the webtop type with the webtop-type command, the help page for webtop type shows the option last for the webtop type. This webtop type is not valid.
ID 364859 In this release, in tmsh, the man page for the SSO module when you run the command create form-based contains the parameter external-access-management, with the values [oam | none]. This feature is not supported.
ID 365246

In the Access Policy Manager Admin interface, sorting on the Portal Access List by the column Resource Items results in a general database error, and the user is not able to navigate to this page again.

As a workaround, clean the browser cookies and restart the session. You cannot sort by this column in this release.

ID 365488 The Network Access wizard fails if the administrator selects DTLS from the Configure Network Access screen. The wizard fails on the final step, after the user clicks Finish. An error message is displayed; the administrator should click Cancel. The access policy and virtual servers are created, but the administrator must configure the DTLS virtual server manually. This virtual server must have the same IP address as was specified in the wizard, and the administrator should configure a DTLS port (the default is 4433), set the protocol to UDP, select a connectivity profile, and select a client ssl profile.
ID 365597 In this release, when the user tries to run a custom report with a very large database, the report can consume a large amount of CPU resources on the server.
ID 366001 Advanced customization files are not retained when upgrading from version 10.2 to version 11. Advanced customization must be manually recreated on the new version.
ID 374781 When upgrading from version 10.2.x to 11.x with an OAM configuration, upgrade fails. To work around this issue: before you upgrade, delete the OAM configuration; after the upgrade is complete, create a new OAM configuration in 11.x.

Contacting F5 Networks

Phone: (206) 272-6888
Fax: (206) 272-6802

For additional information, please visit

Legal notices

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)