Deploying F5 Access for Windows 10

Windows 10 auto-trigger VPN options

You can configure F5 Access for Windows 10 using Intune. In Windows 10, a number of features were added to auto-trigger VPN so you won’t have to manually connect when VPN is needed to access necessary resources. There are four different types of auto-trigger rules:

  • App trigger
  • Name-based trigger
  • Always On
  • Trusted network detection

Refer to VPN auto-triggered profile options for more information.

Note: In this release, the Name-based trigger and the Trusted network detection features do not work for F5 Access VPN.

Configuring Azure active directory

Add/Delete a user

Refer to How to: Add or delete users using Azure Active Directory for information on adding new users or deleting existing users from the Azure active directory.

Create a new group

Refer to How to: Create a basic group and add members using Azure Active Directory for information on creating a basic group using the Azure active directory portal.

About configuring VPN profile in Azure Intune

Virtual private networks (VPNs) give users secure remote access to the company network. Devices use a VPN connection profile to initiate a connection with the VPN server.

Creating device configuration profile

Refer to Create a device profile in Microsoft Intune for information on creating a device profile in Microsoft Intune.

Configuring base VPN profile for F5 Access

To create a base VPN profile:

  1. Sign in to the Azure portal.
  2. Select All services, filter on Intune, and select Microsoft Intune.
  3. Click Device configuration > Profiles > Create profile.
  4. Type the Name and Description for the VPN profile.
  5. From the Platform list, select Windows 10 and later.
  6. From the Profile type list, select VPN.
  7. Depending on the platform you chose, the settings you can configure are different. Open configured settings.
  8. Click Base VPN to open the Base VPN settings.
  9. Enter the name for this connection. End users see this name when they browse their device for the list of available VPN connections.
  10. Add/Import one or more VPN servers that devices connect to. When you add a server, you enter the following information:
    • Description: Enter a descriptive name for the server, such as F5 VPN server.
    • IP address or FQDN: Enter the IP address or fully qualified domain name of the VPN server that devices connect to.
    • Default server: Enables this server as the default server that devices use to establish the connection. Set only one server as the default.
  11. From the Connection type list, select F5 Access.
  12. From the Authentication method list, select how you want the users to authenticate to the VPN server. Using certificates provides enhanced capabilities, such as zero-touch experience, on-demand VPN, and per-app VPN.
  13. Select Remember credentials at each logon to cache the authentication credentials.
  14. Enter Custom XML commands that configure the VPN connection.
  15. Click OK.
    The profile is created and appears on the profiles list.

Configuring app trigger for F5 Access

VPN profiles in Windows 10 can be configured to connect automatically on the launch of F5 Access. To configure App trigger:

  1. Sign in to the Azure portal.
  2. Select All services, filter on Intune, and select Microsoft Intune.
  3. Click Device configuration > Profiles > Apps and Traffic Rules.
  4. From the Associate WIP or apps with this VPN list, select Associated apps with this connection.
  5. The Restrict VPN connection to these apps option lets you restrict the VPN connection to the apps you enter in the Associated Apps table. The apps you enter automatically use the VPN connection. The type of app determines the app identifier. For a universal app, enter the package family name. To get the package family name of an app, use the Get-AppxPackage package_name PowerShell command on the client machine. For a desktop app, enter the file path of the app. For example, to start the VPN every time the Microsoft Remote Desktop app is launched, use C:\Program Files\WindowsApps\Microsoft.RemoteDesktop.exe as the App identifier.
    Note: Add associated apps before enabling Restrict VPN connection to these apps, because the list becomes read-only after you enable it. Traffic rules for apps are automatically added to the network traffic rules when you click Enable.
    Example of a PowerShell command to get Package Family Name

  6. The Network traffic rules for this VPN connection option does not need to be set up for F5 Access.
    Apps and Traffic Rules Screen
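
The following PowerShell is an added example, not part of the original F5 documentation. Run on a client machine, it produces the App identifier values for the Associated Apps table described in step 5: the package family name for a universal app, and a verified file path for a desktop app. The function name Resolve-AppTriggerId and the two sample entries are constructed for illustration.

```powershell
# Added example: resolve App identifier values for the Associated Apps table.
function Resolve-AppTriggerId {
    param(
        [Parameter(Mandatory)][ValidateSet('Universal', 'Desktop')][string]$Type,
        [Parameter(Mandatory)][string]$Value
    )
    if ($Type -eq 'Universal') {
        # Universal apps are identified by package family name.
        $pkgs = @(Get-AppxPackage -Name $Value |
                  Select-Object Name, PackageFamilyName -Unique)
        if ($pkgs.Count -eq 0) {
            Write-Warning "No installed package matches '$Value'"
            return
        }
        if ($pkgs.Count -gt 1) {
            Write-Warning "'$Value' matches $($pkgs.Count) packages; narrow the name"
        }
        foreach ($p in $pkgs) {
            [pscustomobject]@{
                Type = $Type; Source = $p.Name; AppIdentifier = $p.PackageFamilyName
            }
        }
    }
    else {
        # Desktop apps are identified by file path; confirm the file exists here.
        if (-not (Test-Path -LiteralPath $Value -PathType Leaf)) {
            Write-Warning "File not found on this client: $Value"
            return
        }
        [pscustomobject]@{
            Type          = $Type
            Source        = Split-Path -Path $Value -Leaf
            AppIdentifier = (Resolve-Path -LiteralPath $Value).Path
        }
    }
}

# Constructed sample input: replace with the apps that should trigger the VPN.
$candidates = @(
    @{ Type = 'Universal'; Value = '*RemoteDesktop*' },               # wildcard package name
    @{ Type = 'Desktop';   Value = 'C:\Windows\System32\mstsc.exe' }  # full file path
)

$rows = foreach ($c in $candidates) {
    Resolve-AppTriggerId -Type $c.Type -Value $c.Value
}
$rows | Format-Table -AutoSize
```

A wildcard that matches more than one package produces a warning, so each entry added to the table can be traced to exactly one app.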

Configuring Name-based trigger for F5 Access

You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.

Refer to Name-based trigger for information on configuring a name-based trigger rule.

Note: Always specify the DnsIPAddress parameter with an actual DNS Server IP address. This parameter cannot be overwritten by APM server configuration.

Configuring Always On for F5 Access

The Always On feature in Windows 10 enables the active VPN profile to connect automatically on the following triggers:

  • User sign-in
  • Network change
  • Device screen on

Refer to Name-based trigger for information on configuring the Always On trigger rule.

Configuring trusted network detection for F5 Access

The Trusted Network Detection feature checks the DNS suffix on the physical interface to decide if a user is on a trusted corporate network. If the user is not on a trusted corporate network, the VPN gets triggered. Trusted network detection can be configured using the VPNv2/ProfileName/TrustedNetworkDetection setting in the VPNv2 CSP. This rule should be applied to an existing F5 Access connection.

To configure Trusted network detection:

  1. Sign in to the Azure portal.
  2. Select All services, filter on Intune, and select Microsoft Intune.
  3. Open an existing device configuration profile.
  4. From the Platform list, select Windows 10 and later.
  5. From the Profile type list, select Custom.
  6. Depending on the platform you chose, the settings you can configure are different. Open configured settings.
  7. In Custom OMA-URI Settings, select Add to create a new setting with the following information:
    • Name: Enter the same name as configured for the Base VPN profile for F5 Access. Let us assume that in our example the name configured is vpnt1.
    • Description: Optionally, enter a description for the setting.
    • OMA-URI (case sensitive): Enter OMA-URI with the profile name as ./user/Vendor/MSFT/VPNv2/vpnt1/TrustedNetworkDetection.
    • Data type: From the list, select String.
    • Value: Enter the value or file to associate with the OMA-URI. For example, f5net.com.
    OMA-URI settings for trusted network detection

  8. Click OK.
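
The following PowerShell is an added example, not part of the original F5 documentation. It is a client-side diagnostic that mirrors the check as this section describes it (DNS suffix on the physical interface compared with the configured value); it does not read the Windows implementation or the applied profile. The value f5net.com is the page's sample, and splitting on commas is a convenience of this script.

```powershell
# Added example: compare the DNS suffix of each active physical adapter
# with the string configured in the TrustedNetworkDetection OMA-URI.
$trustedValue = 'f5net.com'   # sample value from the steps above

# Normalise the configured value into a list of lower-case suffixes.
$trusted = @(
    $trustedValue.Split(',') |
        ForEach-Object { $_.Trim().ToLower() } |
        Where-Object { $_ }
)

# Only physical adapters that are up are relevant to the check.
$adapters = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')

$report = foreach ($nic in $adapters) {
    $suffix = (Get-DnsClient -InterfaceIndex $nic.ifIndex).ConnectionSpecificSuffix
    [pscustomobject]@{
        Interface = $nic.Name
        DnsSuffix = $suffix
        Trusted   = [bool]($suffix -and ($trusted -contains $suffix.ToLower()))
    }
}

$report | Format-Table -AutoSize

if (@($report | Where-Object Trusted).Count -gt 0) {
    'Trusted suffix found on a physical interface: the VPN is not expected to trigger.'
}
else {
    'No trusted suffix found on a physical interface: the VPN is expected to trigger.'
}
```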

Assigning a device profile to a group

After you create a profile, you can assign the profile to Azure active directory groups.

Refer to Assign user and device profiles for information on assigning a device profile in Microsoft Intune.
