Applies To:

Show Versions Show Versions

Release Note: APM Client 7.1.8
Release Note

Original Publication Date: 01/29/2019

Summary:

Version 7.1.8 of the Edge Client is now available on downloads.f5.com.

Contents:

- User documentation for this release
     - Features and enhancements in 7.1.8
     - Fixes in 7.1.8
     - Known issues in 7.1.8
- Contacting F5 Networks
- Legal notices

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the following pages:

Features and enhancements in 7.1.8

Always Connected Mode for macOS
Edge Client now supports Always Connected mode for macOS. You can now use the same policies you used for Windows Edge Client Always Connected mode.

Fixes in 7.1.8

The following issues have been fixed in this release.

ID Number Description
681956 Previously, if you disconnected from the VPN while there was no connectivity on a statically-configured network adapter, and then if the network connectivity was restored to that adapter, the default route was not restored. With this release, the Edge Client restores the default route on the disconnected interface.
699970 Previously, the Edge Client's system tray menu did not show up on the macOS High Sierra when some other application like the Microsoft Word was in full-screen mode. On exiting full-screen mode, the menu could be seen again. This issue has been fixed and now the menu shows up correctly.
718208 Previously, when using Firefox v52 ESR to install SVPN client, the SVPN client kept prompting to enter SUDO credentials. This issue has been fixed, and now you can successfully install the SVPN client using SUDO.
722911 Previously, for macOS, the customized logon page or the authorization page was bigger than what the Edge Client main console window could accommodate. As a result, the authorization page was not completely visible, and the scrollbars were hidden.

With this release, you can configure the Edge Client to use a window detached from the main console window for authorization. To do this, add a new configuration variable to the config.f5c file. The example shows a <DETACHED_AUTH_WINDOW> variable is added.

Example:
  <PROFILE>
 ..
 <UI>
   <CUSTOMIZE>
     <DETACHED_AUTH_WINDOW>YES</DETACHED_AUTH_WINDOW>
     <LANGUAGE> </LANGUAGE>     
   </CUSTOMIZE>
 </UI>
 </PROFILE>

With this configuration, the authentication page will always be shown in a new window and will allow you to log in to the Edge Client.

726015 Previously, when VPN was established, and the DNS relay proxy was running on Windows 10, the DNS resolution did not work for queries made to the IPv6 DNS server. Now, the DNS resolution for queries made to an IPv6 DNS server works without any issues.
737362 This fixes CVE-2018-5547 (https://support.f5.com/csp/article/K10015187). The logon integration component of APM window client prior to version 7.1.7.1 runs under the system account. This module displayed a certificate UI dialog box that contained the link to certificate policy. By clicking this link, an unprivileged user could open an additional dialog box and get access to the Windows Explorer, which could be used to get Administrator privileges.
737441 Previously, the SVPN log file on Mac and Linux was not created with the expected access restrictions, and an unprivileged user could get ownership of the file owned by root. Now, the log file is created with the desired restrictions, and this issue is resolved.
737443 Previously, the policyserver log file on Mac and Linux was not created with the expected access restrictions, and an unprivileged user could get ownership of the file owned by root. Now, the log file is created with the desired restrictions, and this issue is resolved.
738704 Previously, for connecting to APM server configured with untrusted SSL certificate, the Windows Logon integration / Custom dial-up entry displayed a security warning by default and asked users for confirmation. Now with this release, any connection to the APM server configured with untrusted SSL certificate is denied. To override this default, perform these steps:
  1. In Registry Editor, locate the following registry folder:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\F5 Networks\RemoteAccess

  2. Set the following registry key:

    "AskAboutUntrustedSSLCert"=dword:00000001

739094 This fixes CVE-2018-5546 (https://support.f5.com/csp/article/K54431371). The SVPN and policy server components of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS ran as a privileged process and could allow an unprivileged user to get ownership of files owned by root on the local client host.
739144 Previously, the Execute logoff scripts on connection termination option in Network Access did not work when VPN connection was closed. Now, this issue is resolved as changes in the APM client allow it to wait until domain log off script execution completes before closing the VPN connection.
743021 Previously on macOS, the Edge Client did not handle return code ENOBUFS, and this resulted in DTLS connection interruption in heavy load conditions. macOS returns error code ENOBUFS when the output queue for a network interface is full. This issue is fixed now, and the DTLS connection is no longer interrupted.
743276 Previously, the Edge Client installer with Always Connected mode gave errors while installing the Stonewall service on Windows 7. Now, this issue is fixed, and the Edge Client and accompanying components are installed successfully.
744028 Previously, when using macOS X, if the user logged on to VPN using the Edge Client, and changed the password, then the Edge Client had to be restarted to use the updated password. With this release, this issue no longer exists, and the Edge Client accepts the new password and doesn't have to restart.
744035 This fixes CVE-2018-15332 (https://support.f5.com/csp/article/K12130880). The SVPN component of the F5 BIG-IP APM client prior to version 7.1.7.1 for Linux and macOS ran as a privileged process and could allow an unprivileged user to get ownership of files owned by root on the local client host.
745498 This fixes the network access functionality break caused by the Windows 10 October 2018 update (https://support.f5.com/csp/article/K18448121). On a Windows 10 device with October 2018 update, when the APM network access is configured to use split tunneling, all the network requests from the client PC to destinations outside of the VPN tunnel failed.
747739 Previously, after auto-upgrade, checks could not be performed on macOS as the Policy Server could not verify the signature on Edge Client installation. Now, with auto-upgrade, the old custom.css file is removed, and this issue is fixed.
749925 Previously, the Edge Client with Always Connected mode could not fetch the captive portal's logon page. With this release, the issue is resolved, and the Edge Client shows the logon page for authorization in the captive portal.
750649 Previously, with the Windows Logon Integration, the network logon using dial-up connection failed with Connecting - Error 1471: Unable to finish the requested operation because the specified process is not a GUI process error message and VPN could not be established. This issue has been resolved.
753683 Previously, in Always Connected mode, the Edge Client's re-connection with the captive portal through WiFi took longer than usual as Edge Client kept trying to connect and reconnect even when there was no connectivity to DNS or internet. This issue has been resolved and now when there is an error detecting the captive portal, Edge Client retries it again after a scheduled time. You can also restart Edge Client process to ensure re-connection.
754197 Previously, when the VPN is connected, and the DNS relay proxy is not running, the UAC (User Account Control) prompt for F5 network access helper did not pop-up in the foreground but flashed and blinked in the task bar. You had to manually click it to set focus and bring it on the top. Now, this issue has been resolved, and the UAC prompt for F5 Network Access Helper is shown in the foreground for the user to click and accept/deny it.
754201 Previously, with Windows Logon integration, the network logon using dial-up connection failed with an invalid handle error and VPN could not be established. This issue has been resolved.

Known issues in 7.1.8

The following are known issues in this release.

ID Number Description
681023 F5 endpoint inspection and F5 VPN applications are not upgraded automatically on OpenSUSE42.3 and SUSE Enterprise Desktop 12 SP2. As a workaround, with the F5 EPI or F5 VPN, download the linux_f5epi.tgz or linux_f5vpn.tgz in the platform's download folder.
  1. Untar the file. tar -xvf linux_f5epi.tgz
  2. Select the appropriate file. For example, for a 64-bit CPU select linux_f5epi.x86_64.rpm.
  3. Install the package: rpm --force -ivh linux_f5epi.x86_64.rpm, or uninstall the older component first: rpm -e f5epi or rpm -ivh linux_f5epi.x86_64.rpm.
681281 On Fedora 26, after disconnecting from the VPN, the default route is not restored. As a workaround, disable and re-enable the network adapter.
683819 When the Edge Client is installed using the command-line interface (CLI) or Msiexec these configuration parameters are not installed properly:
  • Exclusion List for the locked client
  • Auto Launch option
As a workaround, use the F5 Edge Client installer to install the client. From the CLI,this can be done with the command BIGIPEdgeClient.exe /q.
700770 With Always Connected mode, when hosts and IP addresses are added to the exclusion list in the registry manually after the client is installed, they are deleted after the client is uninstalled. As a workaround, on reinstalling the client, add the exclusions again.
703874 If the VPN is connected and disconnected repeatedly, a user may fail to log on. Logon is retried automatically, and eventually succeeds.
708922 Client side proxy configuration is ignored after VPN is established, if proxy configuration is deployed using DHCP option 252. As a workaround, configure client side proxy information in IE configuration.
714043 NPAPI inspection host plug-in on macOS does not work with the latest Endpoint Security (EPSEC) update image because the policy server is not a part of OESIS package as it is bundled with individual applications. There is no workaround at this time.
745315 Edge Client for macOS does not save the username and password in always connected mode if the username for the server changes after the initial login or if the user connects to a different server. The user has to enter the username and password each time to connect using the new username or to connect to the newly selected server. This issue exists even after having the Save password to disk option enabled.
745969 In always connected mode, VPN is not established if the Edge Client version 7.1.5 or earlier auto-updates to version 7.1.6 or later. This occurs because the Stonewall service is signed with an old certificate and does not get updated with the auto-update, while the Edge Client version 7.1.6 and above are signed with a new certificate.

Workaround 1:

Uninstall the previous version of Edge Client (7.1.5 or earlier), and then install the Edge Client version 7.1.6 or later instead of an auto-update.

Workaround 2:

Import the new certificate into the F5FirepassRoot store of the local computer.

  1. Extract the new certificate by downloading and installing Edge Client version 7.1.6 or later.
  2. Browse to the folder where the client components are installed.
  3. Right-click on any of the components (for example f5instd.exe) and select Properties > Digital Signature.
  4. Select the certificate and click Details > View Certificate > Details tab > Copy to File to save the certificate.
  5. Click Start > Run. In the Open field, type mmc.
  6. Click File > Add/Remove Snap-in.
  7. In the Add or Remove Snap-ins dialog box, double click Certificates.
  8. Click Computer account > Next > Local computer > Finish.
  9. Expand Certificates (Local Computer) and right-click on F5FirePassRoot. Click Import.
  10. In the Certificate Import Wizard, browse for the certificate saved in step 4 and click Next.
  11. Select Place all certificates in the following store: F5FirePassRoot and click Next, then click Finish.
753793 The customized logo on the Edge Client logon page for macOS is not displayed.

Contacting F5 Networks

Phone - North America: 1-888-882-7535 or (206) 272-6500
Phone - Outside North America, Universal Toll-Free: +800 11 ASK 4 F5 or (800 11275 435)
Fax: See Regional Support for your area.
Web: https://support.f5.com/csp/home
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 Publication Preference Center

To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.

  • TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
  • TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
  • Security Alerts: Timely security updates and ASM attack signature updates from F5.

Legal notices

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.

Additional Comments (optional)