Manual Chapter : Changes in Virtual Servers with F5 Access

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.0.1, 15.0.0, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.6, 12.1.5, 12.1.3, 11.6.5, 11.6.4, 11.6.3, 11.5.10, 11.5.7
Manual Chapter

Changes in Virtual Servers with F5 Access

Virtual server changes for F5 Access

HTTP virtual server changes

If you currently use an HTTP virtual server, the connection to such a server is no longer supported due to Apple Transport Security (ATS) changes. Reconfigure the virtual server to use HTTPS.

HTTPS virtual servers and Apple Transport Security (F5 Access 3.x and 2.1.2 and later)

Because of Apple Transport Security changes, HTTPS requires the strongest TLS configuration (TLS 1.2 and PFS cipher suites). You may need to change the server certificate and the cipher settings in the clientssl profile to meet security requirements. All authentication ndpoints should comply with Apple's ATS requirements and use HTTPS TLS connections that comply with the following best practices:

  • Use HTTPS with the strongest TLS configuration (TLSv1.2 with perfect forward secrecy cipher suites)
  • Avoid using known-insecure cryptographic primitives (RC4 encryption and SHA-1 certificate signatures)
  • Enforce key size requirements (2048 bits for RSA and 256 bits for EC)
  • This includes the BIG-IP APM Client SSL profile and any external federated authentication providers (SAML IdP, Identity Provider or OAuth AS, Authorization Server).

The following cipher suites are supported:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Virtual servers with Per-App VPN

If you use a virtual server for Per-App VPN connections, the Application Tunnels (Java & Per-App VPN) option is no longer required for Per-App VPN connections. However, this option does not need to be disabled. You can leave this setting enabled if you support both 2.1.x and 3.x clients on the same virtual server.