Applies To:
Show Versions
BIG-IP APM
- 13.0.0
Summary:
This release note documents the version 13.0.0 release of BIG-IP Access Policy Manager (APM).
Contents:
- Platform support
- Configuration utility browser support
- APM client browser support
- Compatibility of BIG-IQ products with BIG-IP releases
- User documentation for this release
- Evaluation support
- Fixes, behavior changes, and known issues
- New in 13.0.0
- Supported high availability configuration for Access Policy Manager
- Installation overview
- Upgrading from earlier versions
- Upgrading from earlier versions of APM
- Contacting F5 Networks
- Legal notices
Platform support
This version of the software is supported on the following platforms:
| Platform name | Platform ID |
|---|---|
| BIG-IP 6900 FIPS | D104 |
| BIG-IP 11000 | E101 |
| BIG-IP 11050, 11050 NEBS | E102 |
| BIG-IP 2000 Series (2000s, 2200s) | C112 |
| BIG-IP 4000 Series (4000s, 4200v) | C113 |
| BIG-IP 5000 Series (5000s, 5050s, 5200v, 5250v) | C109 |
| BIG-IP 7000 Series (7000s, 7050s, 7055, 7200v, 7250v, 7255) | D110 |
| BIG-IP 10050 Series (10150s-NEBS, 10350v (AC), 10350v-NEBS, 10350v-FIPS) | D112 |
| BIG-IP 10000 Series (10000s, 10050s, 10055, 10200v, 10250v, 10255) | D113 |
| BIG-IP 12000 Series (12250v) | D111 |
| BIG-IP i2000 Series (i2600, i2800) | C117 |
| BIG-IP i4000 Series (i4600, i4800) | C115 |
| BIG-IP i5000 Series (i5600, i5800) | C119 |
| BIG-IP i7000 Series (i7600, i7800) | C118 |
| BIG-IP i10000 Series (i10600, i10800) | C116 |
| VIPRION B2100 Blade | A109 |
| VIPRION B2150 Blade | A113 |
| VIPRION B2250 Blade | A112 |
| VIPRION B4300, B4340N Blade | A108, A110 |
| VIPRION B4450 Blade | A114 |
| VIPRION C2200 Chassis | D114 |
| VIPRION C2400 Chassis | F100 |
| VIPRION C4480, C4480N Chassis | J102, J103 |
| VIPRION C4800, C4800N Chassis | S100, S101 |
| Virtual Edition (VE) | Z100 |
| vCMP Guest | Z101 |
These platforms support various licensable combinations of product modules. This section provides general guidelines for module support.
Most of the support guidelines relate to memory. The following list applies for all memory levels:
- vCMP supported platforms
- VIPRION B2100, B2150, B2250, B4200
- VIPRION B4300 blade in the C4480(J102) and the C4800(S100)
- VIPRION B4450 blade in the C4480(J102) and C4800(S100)
- BIG-IP 5200v, 5250v, 7200v, 7250v, 10200v, 10250v, 10350v, 12250v
- BIG-IP i5800, i7800, i10800
Memory: 12 GB or more
All licensable module-combinations may be run on platforms with 12 GB or more of memory, and on VE and vCMP guests provisioned with 12 GB or more of memory. Note that this does not mean that all modules may be simultaneously provisioned on all platforms with 12 GB or more of memory. The BIG-IP license for the platform determines which combination of modules are available for provisioning.
Memory: 8 GB
The following guidelines apply to the BIG-IP 2000s, 2200s, 6900 platforms and to VE guests configured with 8 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus does not fit in this category.)
- No more than three modules should be provisioned together.
- On the 2000s and 2200s, Application Acceleration Manager (AAM) can be provisioned with only one other module.
- To use Access Policy Manager (APM) and Secure Web Gateway (SWG) modules together on platforms with exactly 8 GB of memory, Local Traffic Manager (LTM) provisioning must be set to None.
Memory: Less than 8 GB and more than 4 GB
The following guidelines apply to platforms, and to VE and vCMP guests provisioned with less than 8 GB and more than 4 GB of memory. (A vCMP guest provisioned with 8 GB of memory has less than 8 GB of memory actually available and thus fits in this category.)
- No more than three modules (not including AAM) should be provisioned together.
- Application Acceleration Manager (AAM) cannot be provisioned with any other module; AAM can only be provisioned standalone.
- Analytics (AVR) counts towards the two module-combination limit (for platforms with less than 6.25 GB of memory).
Memory: 4 GB or less (VE only)
The following guidelines apply to VE instances provisioned with 4 GB or less of memory.
- No more than two modules may be configured together.
- AAM should not be provisioned, except as Dedicated.
- ASM can be provisioned with this amount of memory, but a sizing exercise should be performed to ensure that it does not hit capacity issues.
vCMP memory provisioning calculations
The amount of memory provisioned to a vCMP guest is calculated using the following formula: (platform_memory- 3 GB) x (cpus_assigned_to_guest / total_cpus).
As an example, for the B2100 with two guests, provisioned memory calculates as: (16-3) x (2/4) ~= 6.5 GB.
- BIG-IP LTM standalone only
- BIG-IP GTM standalone only
- BIG-IP LTM and GTM combination only
Configuration utility browser support
The BIG-IP Configuration Utility supports these browsers and versions:
- Microsoft Internet Explorer 11.x
- Mozilla Firefox v40, or later
- Google Chrome v44, or later
APM client browser support
For a list of browser versions that the Access Policy Manager client supports, refer to the BIG-IP APM Client Compatibility Matrix.
Compatibility of BIG-IQ products with BIG-IP releases
K14592: Compatibility of BIG-IQ products with BIG-IP releases provides a summary of version compatibility for specific features between the BIG-IQ system and BIG-IP releases.
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the BIG-IP APM / VE 13.0.0 Documentation page.
Evaluation support
If you have an evaluation license for BIG-IP APM VE, note that it does not include support for Oracle Access Manager.
Fixes, behavior changes, and known issues
For a comprehensive list of fixes, behavior changes, and known issues for this release, refer to the BIG-IP 13.0.0 Release Information page.
New in 13.0.0
Endpoint Check and Network Access for Chrome Browser, Firefox, and Edge Browser
F5 Access Policy Manager can now support the ability to enforce endpoint checks and enable network access (including VPN) from Chrome Browser, Firefox, and Edge Browser, without the need for browser plug-ins. Endpoint Check and Microsoft Internet Explorer and Apple Safari will keep the use of browser plug-ins.
OAuth 2.0 Authorization Server, Resource Server and Client
F5 Access Policy Manager now supports the OAuth 2.0 federation framework, in addition to SAML. This protocol is popular for use cases such as using social media identity providers, protecting APIs, or to standardize on a protocol used by IDaaS providers or on-premises. APM is capable of protecting and providing authorization service integration using OAuth, without having to change existing applications protected by APM.
Ping Identity: PingAccess Policy Enforcement Point
F5 Access Policy Manager can now provide infrastructure consolidation and scaling for PingAccess. APM implements Ping Identity’s Policy Agent protocol, removing the need to install and manage agents on apps, or to deploy Ping Identity’s gateway. The implementation provides high scaling and can be enabled together with LTM, ASM, etc, providing further network infrastructure simplification. Policy Administration and Policy Decision stay with PingAccess, making the integration seamless and the overall solution simpler to manage.
APM Integration with VMware Horizon Access Portal/Identity Manager
F5 Access Policy Manager is now integrated with VMware’s vIDM component of the Workspace ONE suite. APM provides protection for applications that use Kerberos or header base authentication, integrating with Workspace ONE and thus providing a seamless Single Sign On experience for the end user in a hybrid world of SaaS and on-premises application.
Launch native RDP client from APM webtop without F5 client component code
RDP resources can now be configured to launch native RDP clients on Windows or Mac OS X. Previously, F5 client component code (ActiveX control or Java applet) was required on the user's desktop. This feature addresses recent changes in some browsers such as Firefox and Chrome or Microsoft Edge to drop support for Java and Active-X plug-ins.
Microsoft RemoteApps published on APM Webtop and in native RDP client
RDP resources can now be configured to fetch desktops and applications (RemoteApps) from Microsoft RD Web Access server. Resources can be accessed through APM Webtop or native RDP client on Windows and Mac OS X.
Step-up Authentication
The new URL branching agent enables branching on a URL (URI) without requiring configuration of URL categories. This simplifies the entry point to specifying URLs for which to run step-up authentication. Variable assign agent and logging is available to add to per-request policy subroutines. Also, new authentication methods are supported as part of step-up authentication – RADIUS authentication (for Multifactor solution use with DUO Security, RSA SecurID, and so on.), HTTP Authentication, local database authentication, and certificate based authentication with OCSP and CRLDP for certificate validation.
Forward Proxy Chaining
The BIG-IP system supports forward proxy chaining which enables connection to a next hop proxy server. When configured to act as an explicit or as a transparent forward proxy, brings these abilities to forward proxy chaining:
- Offload authentication from and support authentication to the next hop on the client's behalf.
- Support single sign-on to the next hop and to resources at the next hop.
- Select different proxy servers for different requests.
- Select different SSO configurations for different requests.
Enhanced iRules support for Subsessions with Per Request Policies (Example: Step-up authentication)
Now, session variables values can be set (along with get) using iRules.
Google reCAPTCHA V2 Support
Access Policy Manager supports version Google reCAPTCHA V2 to protect your application from spam and abuse. reCAPTCHA V1 is not supported on BIG-IP v13. Please see release notes on migrating to use reCAPTCHA V2 with Access Policy Manager.
Support for WebSockets for Portal Access
WebSockets on web apps can be used with Portal Access. To determine if WebSockets is being used on a web app, please ask the developer or the solutions vendor.
Enhanced F5 Access Policy Manager Menu Navigation
F5 Access Policy Manager menus have been updated to be more intuitive and enable easier configuration for various use cases of APM.
Additional Troubleshooting and Usability Change
F5 Access Policy Manager now has the ability to display session variable values from the Session Management screen. Also, the Client Downloads screen has been updated for more intuitive downloading of the BIG-IP Edge Client for Windows and MacOS for deployment.
Support For Exclusion Lists with Edge Client for Windows Always-On VPN Mode (Locked Client Mode)
A VPN exclusion list containing hosts or domains can be now be accessed by the client before VPN is established when using locked client model. Scenarios it can address are:
- Windows Integrated Client needing to access the Domain Controller at logon time
- Access to CRL and OCSP repositories for server certificate validation
- Access to third party SAML IDP solution for authentication
Enhanced SSO Configuration Tools and Consistent Logging across all APM services
F5 Access Policy Manager now supports enhanced tools to simplify SSO configuration across your internal applications that use forms-based authentication. Using the “Pass-through” mode, you can collect all the configuration data and then simply plug it into the SSO configuration to quickly setup your applications.
ACL Enhancements
Layer 4 ACLs can now be applied to an administrator-created virtual server listening on a Network Access tunnel interface (that is, a layered virtual server). In addition, ACLs are also supported for traffic between VPN tunnel clients.Dynamic RDP
An administrator can now configure a “User defined” RDP type resource that enables end users to dynamically specify the RDP resources that they want to connect to from the APM webtop.
Launch multiple Horizon View client instances from APM webtops
An end user can now launch multiple VMware Horizon View client instances, as long as they are accessing resources from different webtops. Only one VMware Horizon View client instance can be launched from each webtop.
Enhanced VDI client selection from APM Webtop
Administrators can now select and enforce the VDI client for their users on APM Webtop: native or HTML5.
- For VMware View, administrators can set the preferred client in the VMware View Policy agent in VPE.
- For Citrix, administrators can set the session variable session.citrix.preferred_client to "html5" or "native" in the Variable Assign agent in VPE.
Enhanced VDI logging
VDI events are now logged in APM logs and are available in Access Reports.
Supported high availability configuration for Access Policy Manager
Installation overview
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.
Installation checklist
Before you begin:
- Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating BIG-IP diagnostic data using the qkview utility.
- Update/reactivate your system or vCMP host license, if needed, to ensure that you have a valid service check date. For more information, see K7727: License activation may be required prior to a software upgrade for the BIG-IP or Enterprise Manager system.
- Ensure that your system is running version 11.x or later.
- Download the .iso file (if needed) from F5 Downloads to /shared/images on the source for the operation. (If you need to create this directory, use the exact name /shared/images.)
- Configure a management port.
- Set the console and system baud rate to 19200, if it is not already.
- Log on as an administrator using the management port of the system you want to upgrade.
- Boot into an installation location other than the target for the installation.
- Save the user configuration set (UCS) in the /var/local/ucs directory on the source installation location, and copy the UCS file to a safe place on another device.
- Log on to the standby unit, and only upgrade the active unit after the standby upgrade is satisfactory.
- Turn off mirroring.
- If you are running Application Acceleration Manager, set provisioning to Minimum.
- If you are running Policy Enforcement Manager, set provisioning to Nominal.
- If you are running Advanced Firewall Manager, set provisioning to Nominal.
Installing the software
| Installation method | Command |
|---|---|
| Install to existing volume, migrate source configuration to destination | tmsh install sys software image [image name] volume [volume name] |
| Install from the browser-based Configuration utility | Use the Software Management screens in a web browser. |
Sample installation command
The following command installs version 13.0.0 to volume 3 of the main hard drive.
tmsh install sys software image BIGIP-13.0.0.0.0.1645.iso volume HD1.3
Post-installation tasks
This document covers very basic steps for installing the software. You can find complete, step-by-step installation and upgrade instructions in BIG-IP Systems: Upgrading Software, and we strongly recommend that you reference this information to ensure successful completion of the installation process.
- Ensure the system rebooted to the new installation location.
- Use BIG-IP iHealth to verify your configuration file. For more information, see K12878: Generating diagnostic data using the qkview utility.
- Log on to the browser-based Configuration utility.
- Run the Setup utility.
- Provision the modules.
Installation tips
- The upgrade process installs the software on the inactive installation location that you specify. This process usually takes between three minutes and seven minutes. During the upgrade process, you see messages posted on the screen. For example, you might see a prompt asking whether to upgrade the End User Diagnostics (EUD), depending on the version you have installed. To upgrade the EUD, type yes, otherwise, type no.
- You can check the status of an active installation operation by running the command watch tmsh show sys software, which runs the show sys software command every two seconds. Pressing Ctrl + C stops the watch feature.
- If installation fails, you can view the log file. The system stores the installation log file as /var/log/liveinstall.log.
Upgrading from earlier versions
Your upgrade process differs depending on the version of software you are currently running.
Upgrading from version 11.x or later
When you upgrade from version 11.x or later, you use the Software Management screens in the Configuration utility to complete these steps. To open the Software Management screens, in the navigation pane of the Configuration utility, expand System, and click Software Management. For information about using the Software Management screens, see the online help.
Upgrading from versions earlier than 11.x
You cannot roll forward a configuration directly to this version from BIG-IP version 10.x or earlier. You must be running version 11.x (or later) software. For details about upgrading from earlier versions, see the release notes for the associated release.
Automatic firmware upgrades
If this version includes new firmware for your specific hardware platform, after you install and activate this version, the system might reboot additional times to perform all necessary firmware upgrades.
Upgrading from earlier versions of APM
When you upgrade from an earlier version of Access Policy Manager (APM), you might need to resolve issues related to these configurations.
Antivirus and firewall software checks in access policies
If your access policies include custom expressions that rely on session variables created by the antivirus or firewall software checks, after upgrade to 11.4.x, you must configure the antivirus or firewall software checks so that the Store information about client software in session variables property is set to Enabled. (It is disabled by default.)
If the custom expressions include multiple sub-expressions, you might need to edit the expressions.
Kerberos SSO
Kerberos SSO does not work after upgrading from 11.3.0 to 11.4.0 and later. This happens because, starting in 11.4.0 the password is saved in encrypted form, while the password in 11.3.0 is saved as clear text. Re-enter Kerberos SSO password after upgrading from 11.3.0.
Citrix client packages
The 11.4.x upgrade script cannot recover any file object with a name that includes space characters. If a Citrix client package file name includes a space, the configuration loads after upgrade, but the Citrix client package file does not function properly. To work around this problem:
- Outside of APM, name or rename a Citrix client package without spaces in the name.
- Use the correctly named Citrix client package.
- To fix the problem before upgrade, replace any improperly named Citrix client package as needed.
- To fix the problem after upgrade, upload a properly named Citrix client package and select it from the connectivity profiles.
Machine accounts for NTLM front-end authentication
APM does not restore NLAD connections when the configuration is restored from a UCS file. After upgrading to 11.4.x, if the previous configuration was using NTLM front-end authentication, the functionality is not restored. To work around this problem, after the upgrade, manually delete the existing machine account configurations and then recreate them.Advanced customization
If you performed any advanced customization of files, you must upgrade these files manually.
Custom reports
Custom reports are lost after upgrade. To work around this issue, export your custom reports before you upgrade and then reimport them after you upgrade.
Contacting F5 Networks
| Phone - North America: | 1-888-882-7535 or (206) 272-6500 |
| Phone - Outside North America, Universal Toll-Free: | +800 11 ASK 4 F5 or (800 11275 435) |
| Fax: | See Regional Support for your area. |
| Web: | https://support.f5.com/csp/home |
| Email: | support@f5.com |
For additional information, please visit http://www.f5.com.
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
- The F5 Networks Technical Support web site: https://f5.com/support
- The AskF5 web site: https://support.f5.com/csp/home
- The F5 DevCentral web site: https://devcentral.f5.com/
- AskF5 Publication Preference Center: https://interact.f5.com/AskF5-SubscriptionCenter.html
F5 Networks Technical Support
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5
AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
F5 DevCentral
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
AskF5 Publication Preference Center
To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.
- TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
- TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
- Security Alerts: Timely security updates and ASM attack signature updates from F5.
