Release Notes : APM Client 7.1.8

Updated Date: 07/07/2020

Summary:

Version 7.1.8 of the Edge Client is now available on downloads.f5.com.

Applies To: BIG-IP APM 16.0.0, 15.1.0, 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the following pages:

Features and enhancements in 7.1.8

Always Connected Mode for macOS
Edge Client now supports Always Connected mode for macOS. You can now use the same policies you used for Windows Edge Client Always Connected mode.

Fixes in 7.1.8

The following issues have been fixed in this release.

ID Number Description
681956 Previously, if you disconnected from the VPN while there was no connectivity on a statically-configured network adapter, and then if the network connectivity was restored to that adapter, the default route was not restored. With this release, the Edge Client restores the default route on the disconnected interface.
699970 Previously, the Edge Client's system tray menu did not show up on macOS High Sierra when another application, such as Microsoft Word, was in full-screen mode. On exiting full-screen mode, the menu could be seen again. This issue has been fixed, and the menu now shows up correctly.
718208 Previously, when using Firefox v52 ESR to install SVPN client, the SVPN client kept prompting to enter SUDO credentials. This issue has been fixed, and now you can successfully install the SVPN client using SUDO.
722911 Previously, for macOS, the customized logon page or the authorization page was bigger than what the Edge Client main console window could accommodate. As a result, the authorization page was not completely visible, and the scrollbars were hidden.

With this release, you can configure the Edge Client to use a window detached from the main console window for authorization. To do this, add a new configuration variable to the config.f5c file. The example shows the <DETACHED_AUTH_WINDOW> variable added.

Example:
  <PROFILE>
    ..
    <UI>
      <CUSTOMIZE>
        <DETACHED_AUTH_WINDOW>YES</DETACHED_AUTH_WINDOW>
        <LANGUAGE> </LANGUAGE>
      </CUSTOMIZE>
    </UI>
  </PROFILE>

With this configuration, the authentication page will always be shown in a new window and will allow you to log in to the Edge Client.

726015 Previously, when VPN was established, and the DNS relay proxy was running on Windows 10, the DNS resolution did not work for queries made to the IPv6 DNS server. Now, the DNS resolution for queries made to an IPv6 DNS server works without any issues.
737362 This fixes CVE-2018-5547 (https://support.f5.com/csp/article/K10015187). The logon integration component of the APM Windows client prior to version 7.1.7.1 runs under the system account. This module displayed a certificate UI dialog box that contained the link to certificate policy. By clicking this link, an unprivileged user could open an additional dialog box and get access to the Windows Explorer, which could be used to get Administrator privileges.
737441 Previously, the SVPN log file on Mac and Linux was not created with the expected access restrictions, and an unprivileged user could get ownership of the file owned by root. Now, the log file is created with the desired restrictions, and this issue is resolved.
737443 Previously, the policyserver log file on Mac and Linux was not created with the expected access restrictions, and an unprivileged user could get ownership of the file owned by root. Now, the log file is created with the desired restrictions, and this issue is resolved.
738704 Previously, for connecting to APM server configured with untrusted SSL certificate, the Windows Logon integration / Custom dial-up entry displayed a security warning by default and asked users for confirmation. Now with this release, any connection to the APM server configured with untrusted SSL certificate is denied. To override this default, perform these steps:
  1. In Registry Editor, locate the following registry folder:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\F5 Networks\RemoteAccess

  2. Set the following registry key:

    "AskAboutUntrustedSSLCert"=dword:00000001

739094 This fixes CVE-2018-5546 (https://support.f5.com/csp/article/K54431371). The SVPN and policy server components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS ran as a privileged process and could allow an unprivileged user to get ownership of files owned by root on the local client host.
739144 Previously, the Execute logoff scripts on connection termination option in Network Access did not work when VPN connection was closed. Now, this issue is resolved as changes in the APM client allow it to wait until domain log off script execution completes before closing the VPN connection.
743021 Previously on macOS, the Edge Client did not handle return code ENOBUFS, and this resulted in DTLS connection interruption in heavy load conditions. macOS returns error code ENOBUFS when the output queue for a network interface is full. This issue is fixed now, and the DTLS connection is no longer interrupted.
743276 Previously, the Edge Client installer with Always Connected mode gave errors while installing the Stonewall service on Windows 7. Now, this issue is fixed, and the Edge Client and accompanying components are installed successfully.
744028 Previously, when using macOS X, if the user logged on to VPN using the Edge Client, and changed the password, then the Edge Client had to be restarted to use the updated password. With this release, this issue no longer exists, and the Edge Client accepts the new password and doesn't have to restart.
744035 This fixes CVE-2018-15332 (https://support.f5.com/csp/article/K12130880). The SVPN component of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS ran as a privileged process and could allow an unprivileged user to get ownership of files owned by root on the local client host.
745498 This fixes the network access functionality break caused by the Windows 10 October 2018 update (https://support.f5.com/csp/article/K18448121). On a Windows 10 device with October 2018 update, when the APM network access is configured to use split tunneling, all the network requests from the client PC to destinations outside of the VPN tunnel failed.
747739 Previously, after auto-upgrade, checks could not be performed on macOS as the Policy Server could not verify the signature on Edge Client installation. Now, with auto-upgrade, the old custom.css file is removed, and this issue is fixed.
749925 Previously, the Edge Client with Always Connected mode could not fetch the captive portal's logon page. With this release, the issue is resolved, and the Edge Client shows the logon page for authorization in the captive portal.
750649 Previously, with the Windows Logon Integration, the network logon using dial-up connection failed with the error message "Connecting - Error 1471: Unable to finish the requested operation because the specified process is not a GUI process" and VPN could not be established. This issue has been resolved.
753683 Previously, in Always Connected mode, the Edge Client's re-connection with the captive portal through WiFi took longer than usual as Edge Client kept trying to connect and reconnect even when there was no connectivity to DNS or internet. This issue has been resolved and now when there is an error detecting the captive portal, Edge Client retries it again after the scheduled time. You can also restart the Edge Client process to ensure re-connection.
754197 Previously, when the VPN was connected and the DNS relay proxy was not running, the UAC (User Account Control) prompt for F5 Network Access Helper did not pop up in the foreground but flashed and blinked in the taskbar. You had to manually click it to set focus and bring it to the top. Now, this issue has been resolved, and the UAC prompt for F5 Network Access Helper is shown in the foreground for the user to click and accept/deny it.
754201 Previously, with Windows Logon integration, the network logon using dial-up connection failed with an invalid handle error and VPN could not be established. This issue has been resolved.

Known issues in 7.1.8

The following are known issues in this release.

ID Number Description
681023 F5 endpoint inspection and F5 VPN applications are not upgraded automatically on OpenSUSE42.3 and SUSE Enterprise Desktop 12 SP2. As a workaround, with the F5 EPI or F5 VPN, download the linux_f5epi.tgz or linux_f5vpn.tgz in the platform's download folder.
  1. Untar the file: tar -xvf linux_f5epi.tgz
  2. Select the appropriate file. For example, for a 64-bit CPU select linux_f5epi.x86_64.rpm.
  3. Install the package: rpm --force -ivh linux_f5epi.x86_64.rpm, or uninstall the older component first: rpm -e f5epi or rpm -ivh linux_f5epi.x86_64.rpm.
681281 On Fedora 26, after disconnecting from the VPN, the default route is not restored. As a workaround, disable and re-enable the network adapter.
683819 When the Edge Client is installed using the command-line interface (CLI) or Msiexec, these configuration parameters are not installed properly:
  • Exclusion List for the locked client
  • Auto Launch option
As a workaround, use the F5 Edge Client installer to install the client. From the CLI, this can be done with the command BIGIPEdgeClient.exe /q.
700770 With Always Connected mode, when hosts and IP addresses are added to the exclusion list in the registry manually after the client is installed, they are deleted after the client is uninstalled. As a workaround, on reinstalling the client, add the exclusions again.
703874 If the VPN is connected and disconnected repeatedly, a user may fail to log on. Logon is retried automatically and eventually succeeds.
708922 Client-side proxy configuration is ignored after the VPN is established if the proxy configuration is deployed using DHCP option 252. As a workaround, configure client-side proxy information in IE configuration.
714043 NPAPI inspection host plug-in on macOS does not work with the latest Endpoint Security (EPSEC) update image because the policy server is not a part of the OESIS package as it is bundled with individual applications. There is no workaround at this time.
745315 Edge Client for macOS does not save the username and password in always connected mode if the username for the server changes after the initial login or if the user connects to a different server. The user has to enter the username and password each time to connect using the new username or to connect to the newly selected server. This issue exists even after having the Save password to disk option enabled.
745969 In always connected mode, VPN is not established if the Edge Client version 7.1.5 or earlier auto-updates to version 7.1.6 or later. This occurs because the Edge Client version 7.1.6 and above are signed with a new certificate, but the Stonewall service does not get updated with the auto-update and remains signed with an old certificate.

Workaround 1:

Uninstall the previous version of Edge Client (7.1.5 or earlier), and then install the Edge Client version 7.1.6 or later instead of an auto-update.

Workaround 2:

Import the new certificate into the F5FirePassRoot store of the local computer.

  1. Extract the new certificate by downloading and installing Edge Client version 7.1.6 or later.
  2. Browse to the folder where the client components are installed.
  3. Right-click on any of the components (for example f5instd.exe) and select Properties > Digital Signature.
  4. Select the certificate and click Details > View Certificate > Details tab > Copy to File to save the certificate.
  5. Click Start > Run. In the Open field, type mmc.
  6. Click File > Add/Remove Snap-in.
  7. In the Add or Remove Snap-ins dialog box, double click Certificates.
  8. Click Computer account > Next > Local computer > Finish.
  9. Expand Certificates (Local Computer) and right-click on F5FirePassRoot. Click Import.
  10. In the Certificate Import Wizard, browse for the certificate saved in step 4 and click Next.
  11. Select Place all certificates in the following store: F5FirePassRoot and click Next, then click Finish.
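
A scripted form of Workaround 2, as an added example that is not F5's own tooling: it takes the signing certificate from an installed client component and adds it to the F5FirePassRoot store of the local computer. The `$ComponentPath` parameter is a placeholder for the path to a component such as f5instd.exe, and the signature-status check before import is an added precaution, not a step from the release notes.

```powershell
# Added example: scripted form of Workaround 2. Run from an elevated PowerShell
# after installing Edge Client 7.1.6 or later (step 1).
# $ComponentPath is a placeholder: pass the full path to any installed client
# component (for example f5instd.exe) in the folder found in step 2.
param(
    [Parameter(Mandatory = $true)][string]$ComponentPath,
    [string]$StoreName = 'F5FirePassRoot'
)

$ErrorActionPreference = 'Stop'
$x509 = 'System.Security.Cryptography.X509Certificates'

# Steps 3-4: read the digital signature and take the signing certificate.
$sig = Get-AuthenticodeSignature -FilePath $ComponentPath
if ($sig.Status -ne 'Valid') {
    # Added precaution: never trust a certificate taken from a binary whose
    # signature does not verify (unsigned, tampered, or untrusted chain).
    throw "Signature on '$ComponentPath' is '$($sig.Status)'; nothing imported."
}
$cert = $sig.SignerCertificate

# Show what is about to be trusted so it can be compared with the values
# displayed by Properties > Digital Signature in the GUI procedure.
Write-Output ("Subject:    {0}" -f $cert.Subject)
Write-Output ("Issuer:     {0}" -f $cert.Issuer)
Write-Output ("Thumbprint: {0}" -f $cert.Thumbprint)
Write-Output ("Not after:  {0}" -f $cert.NotAfter)

# Steps 5-11: open the existing Local Computer store. OpenExistingOnly makes a
# mistyped store name fail instead of silently creating a new, empty store.
$flags    = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadWrite, OpenExistingOnly'
$location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
$byThumb  = [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint

$store = New-Object "$x509.X509Store" -ArgumentList $StoreName, $location
$store.Open($flags)
try {
    # Skip the import if the same certificate is already in the store.
    $existing = $store.Certificates.Find($byThumb, $cert.Thumbprint, $false)
    if ($existing.Count -eq 0) {
        $store.Add($cert)
        Write-Output "Imported certificate into LocalMachine\$StoreName."
    } else {
        Write-Output "Certificate already present in LocalMachine\$StoreName."
    }
} finally {
    $store.Close()
}
```

Record the printed thumbprint with the change ticket so that the store contents can later be audited against the certificates that were deliberately added.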
753793 The customized logo on the Edge Client logon page for macOS is not displayed.
