Original Publication Date: 04/16/2015
The Inbox F5 VPN Client is built into Microsoft Windows 8.1 and Windows RT clients. It supports F5 VPN with BIG-IP Access Policy Manager (APM).
After you configure a VPN profile on your device for Inbox F5 VPN Client, select it from Network Connections.
This table specifies parameters that are specific to Inbox F5 VPN Client; the client supports these parameters in addition to other parameters that are available for VPN profiles. When you configure a VPN profile from PC Settings on your client, it takes the default values displayed in the table. These parameters are also available for configuring a VPN profile using PowerShell commands.
|Parameter||Type||Default||Description|
|port||number||443||Port to connect to VPN server (Access Policy Manager).|
|landing-uri||text|| ||Landing URI to use for authentication (APM).|
|ssl-encryption||boolean||true||If set to false, SSL encryption is not used.|
|authenticate-retries||number||3||Maximum number of attempts to prompt for credentials when authentication fails.|
|log-level||default, minimum, info, debug||default||Specifies maximum level for log entries.|
|client-certificate||string|| ||Specifies issuer of client certificate being used for authentication.|
|optimize-for-low-cost-network||boolean||false||If set to true, client tries to reconnect to cheapest available network connection.|
|single-sign-on-credential||boolean||true||If set to true, client tries to use VPN credentials to connect to Windows File Shares.|
The Add-VpnConnection PowerShell command supports a CustomConfiguration property that you can use to specify F5 parameters for a VPN profile. The input for the command is in XML format; the schema is available in the XML Schema: F5-specific configuration parameters section of this document. For help customizing a VPN profile, refer to the Examples: VPN profile configuration section.
|Add-VpnConnection||Add a VPN profile.|
|Get-VpnConnection||View configured VPN profiles.|
|Remove-VpnConnection||Delete a VPN profile.|
Use the Get-Help command in PowerShell to view command syntax. For example, type Get-Help Add-VpnConnection.
These examples show how to specify F5 parameters for a VPN profile using PowerShell commands and the CustomConfiguration property.
This example shows how to create a VPN profile that uses a certificate issued by Site Request, Inc. for second-factor authentication. The certificate must already be installed on the client device. Inbox F5 VPN Client can read the certificate from certificate storage on the device or from a smart card inserted into the device.
This example shows how to create a VPN profile using port 444 to connect to the BIG-IP system.
    $xml = "<f5-vpn-conf><port>444</port></f5-vpn-conf>"
This example shows how to create a VPN profile using the landing URI to connect to the BIG-IP system.
    $xml = "<f5-vpn-conf><landing-uri>test</landing-uri></f5-vpn-conf>"
This example shows how you can configure multiple servers for VPN connection. Inbox F5 VPN Client attempts to reach each server in the list until it successfully authenticates the user.
    $VPNConnectionName = "Global VPN"
When you select an app or resource that needs access through Windows Inbox VPN, such as a company intranet site, Windows 8.1 can automatically prompt you to sign in with one click. For command syntax, open PowerShell and type Get-Help for these commands:
This is the schema for the CustomConfiguration property of the Add-VpnConnection PowerShell command.
|XML schema example||Example syntax|
|Multifactor authentication with client certificate||<f5-vpn-conf><client-certificate><issuer>Snake Oil</issuer></client-certificate></f5-vpn-conf>|
|Client certificate authentication only||<f5-vpn-conf><prompt-for-credentials>false</prompt-for-credentials><client-certificate><issuer>Snake Oil Ltd</issuer></client-certificate></f5-vpn-conf>|
|Connecting to an APM server over port 80, no SSL encryption, for debugging purposes only||<f5-vpn-conf><port>80</port><ssl-encryption>false</ssl-encryption></f5-vpn-conf>|
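The following PowerShell function is an added example, not code from F5 or Microsoft. It checks a CustomConfiguration string against the parameter table on this page before the string is passed to Add-VpnConnection, and flags malformed XML and a disabled ssl-encryption setting. `Test-F5VpnConf` is a hypothetical name, the samples are constructed, and case-insensitive value matching is an assumption.

```powershell
# Added example: Test-F5VpnConf is a hypothetical helper; values are matched case-insensitively (assumption).
function Test-F5VpnConf {
    param([Parameter(Mandatory = $true)][string]$Xml)
    try {
        $doc = [xml]$Xml   # the cast throws on malformed XML such as an unclosed <port>
    } catch {
        return "ERROR: not well-formed XML"
    }
    $root = $doc.DocumentElement
    if ($root.Name -ne 'f5-vpn-conf') { return "ERROR: root element must be <f5-vpn-conf>" }
    $findings = @()
    $booleans = 'ssl-encryption', 'optimize-for-low-cost-network', 'single-sign-on-credential'
    foreach ($node in $root.ChildNodes) {
        $value = $node.InnerText.Trim()
        switch ($node.Name) {
            'port' {
                $p = 0
                if (-not ([int]::TryParse($value, [ref]$p)) -or $p -lt 1 -or $p -gt 65535) {
                    $findings += "ERROR: port '$value' is not a valid port number"
                } elseif ($p -ne 443) {
                    $findings += "NOTE: port $p differs from the default 443"
                }
            }
            'log-level' {
                if (@('default', 'minimum', 'info', 'debug') -notcontains $value) {
                    $findings += "ERROR: log-level '$value' is not an allowed value"
                } elseif ($value -ne 'default') {
                    $findings += "NOTE: log-level '$value' differs from the default"
                }
            }
        }
        if ($booleans -contains $node.Name) {
            if (@('true', 'false') -notcontains $value) {
                $findings += "ERROR: $($node.Name) must be true or false, got '$value'"
            } elseif ($node.Name -eq 'ssl-encryption' -and $value -eq 'false') {
                $findings += "WARN: ssl-encryption is false; SSL encryption is not used (debugging only)"
            }
        }
    }
    if ($findings.Count -eq 0) { 'OK' } else { $findings }
}

# Constructed samples: a non-default port, an unclosed <port>, a plaintext debug profile.
$samples = @(
    '<f5-vpn-conf><port>444</port></f5-vpn-conf>',
    '<f5-vpn-conf><port>80<ssl-encryption>false</ssl-encryption></f5-vpn-conf>',
    '<f5-vpn-conf><port>80</port><ssl-encryption>false</ssl-encryption><log-level>debug</log-level></f5-vpn-conf>'
)
foreach ($s in $samples) { $s; Test-F5VpnConf -Xml $s | ForEach-Object { "  $_" } }
```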
On Access Policy Manager (APM), you need to configure an access policy for Inbox F5 VPN Client.
Additionally, you need a standard network access configuration. For more information, refer to BIG-IP Access Policy Manager Network Access Configuration on the AskF5 website at http://support.f5.com.
Your access policy can collect this type of information for authentication purposes:
In the access policy, use the Client Cert access policy item. (The On-Demand Cert Auth access policy item is not supported.)
In the client SSL profile for the virtual server, select request for the Client Certificate property.
You can detect whether the Inbox F5 VPN Client is in use to ensure that your access policy branches run supported access policy items only.
In addition to detecting the client, you might want to differentiate between Microsoft Windows 8.1 and Windows RT operating systems.
For additional information, refer to the AskF5 web site (http://support.f5.com) for documentation specific to the version of Access Policy Manager that you are using.
|Release Note for BIG-IP APM||New features and known issues.|
|BIG-IP Access Policy Manager Network Access Configuration||How to configure network access.|
|Configuration Guide for BIG-IP Access Policy Manager||Access profiles, access policies, visual policy editor.|
For additional information, please visit http://www.f5.com.