Original Publication Date: 08/23/2018
In August 2018, Apple posted the release of F5 Access Legacy for iOS version 2.1.2. Users should download this new version from the app store.
There are no features and enhancements in 2.1.2.
|734703||The name of the app is changed from "F5 Access" to "F5 Access Legacy".|
|741524||F5 Access Legacy 2.1.2 iOS requires web logon connections to meet App Transport Security (ATS) requirements. ATS requires that beginning with iOS 9 apps no longer be allowed to initiate insecure plain text HTTP connections or TLS connections that don't comply with stricter requirements.
The app will not be allowed to initiate plaintext HTTP connections and will be required to use HTTPS with the strongest TLS configuration (TLS 1.2 and PFS cipher suites). TLS connections require compliance with best practices: TLSv1.2 with forward secrecy, no known-insecure cryptographic primitives (RC4 encryption, SHA-1 certificate signatures), and key size requirements (2048 bits for RSA, 256 bits for EC).
For more information on ATS: https://forums.developer.apple.com/thread/6767
The following cyphers are supported:
There are no behavior changes in 2.1.1.
|442442||The VPN On-Demand features in iOS6 had an option to Always connect based on DNS suffixes. Due to changes in iOS, this was not available after iOS 6. In order to enable always connect with VPN on demand on iOS 7 and later, F5 Access for iOS must be configured with Connect on Demand, and a profile needs to be sent to the device.
The following sample code demonstrates how OnDemandRules can be used to mimic the AlwaysConnect behavior. OnDemandRules is an array of dictionaries. The idea behind this snippet is to use OnDemandRules to specify ConnectIfNeeded if "www.f5.com" cannot be resolved by the DNS server (10.1.1.1). OnDemandMatchDomainsAlways is still specified for backward compatibility so that the same profile can be used for both iOS 6 (which doesn't understand EvaluateConnection) and iOS 7 and later.<key>VPN</key> <dict> <key>OnDemandEnabled</key> <integer>1</integer> <key>OnDemandMatchDomainsAlways</key> <array> <string>www.f5.com</string> </array> <key>OnDemandRules</key> <array> <dict> <key>Action</key> <string>EvaluateConnection</string> <key>ActionParameters</key> <array> <dict> <key>DomainAction</key> <string>ConnectIfNeeded</string> <key>Domains</key> <array> <string>www.f5.com</string> </array> <key>RequiredDNSServers</key> <array> <string>10.1.1.1</string> </array> </dict> </array> </dict> </array> <key>AuthName</key> <string/> <key>RemoteAddress</key> <string>example.siterequest.com</string> <key>AuthenticationMethod</key> <string>Certificate</string> <key>PayloadCertificateUUID</key> <string>b2c00533-88d2-4c03-be1b-3c1d4264245e</string> </dict>
|511513||F5 Access for iOS now supports redirect to external webpage when using the web logon. Previously F5 Access assumed all navigation within web view went to a valid APM (including cases of being redirected to another instance of APM). In allowed case of SAML Auth and Extenal Logon Page it required the control to be passed back to APM before logon could be completer. Now this restriction is removed.|
|591629||iOS 9 introduces some changes in the triggering logic for per-app VPN that might affect the end-user experience. The changes are as follows.
|592703||In iOS 9 and later, when an app is started as result of an action in another app (for example, by using a URL-scheme) a "Back to..." link is displayed on the top left corner, showing the app name that initiated the action. This affects F5 Access Lite mode. For example, when an app invokes F5 Access in Lite mode, an action is performed, and F5 Access opens the calling app again, the user sees a "Back to F5 Access" link at the top left of the screen. Tapping on the link will open F5 Access in regular mode instead of Lite mode.|
|611899||See behavior change description in this bug|
|612163||Sometimes when F5 Access is disconnected and reconnected in a short period of time, the client displays the "Connecting" status when the VPN tunnel is already established.|
The following are known issues that affect the user experience when F5 Access Legacy is used on an iOS device. These issues may be addressed in the future by F5 or Apple.
When a user navigates to a site using the short form hostname, and the fully qualified hostname has been specified in the VPN proxy bypass list, on iOS 9 the proxy will not be used, and on iOS 10 the proxy will be used.
For example, suppose that in a network, ab-100.lab.siterequest.com is on the proxy bypass list, and the DNS suffix lab.siterequest.com is defined. When an F5 Access user tries to access the site using the address lab-100, the proxy is used on the iOS 10 client, but the proxy is not used on the iOS 9 client. On both iOS 9 and 10, the proxy is bypassed when the full address lab-100.lab.siterequest.com is used to access the site.
|504919||F5 Access does not resolve the BIG-IP APM hostname each time it reconnects after the connection is broken. This limits the use of load balancing with BIG-IP DNS as it keeps using the same IP address for the connection.|
|518576||After a user triggers VPN On Demand, when attempting to reach a domain that ends in .local, Safari displays the error message: Safari could not open the page because the server stopped responding. Such connections continue to fail until the user refreshes the web page.|
|521817||Currently the PAVPN (Per App VPN) plugin only supports DNS RR types A and PTR. For Kerberos protocol and subsequently KDC auto-discovery for SSO with PAVPN, the PAVPN plugin needs to support DNS RR type SRV User Device VPN.|
|557905||On iOS 9, if a managed app is being updated while Per-App VPN is active, the updated app might not make use of the active session until the active session is expired and a new one is created. As a workaround, wait until the current session expires, and restart the updated app.|
|559388||Users may find that after upgrading to iOS Edge Client version 2.0.6 and higher or F5 Access for iOS version 2.1.0 and higher that the VPN client requires the end user to accept the End User License Agreement before the Edge Client or F5 Access can be used. Prior to EULA acceptance, the functions of F5 Access are not available. To use the client, the user must accept the User Agreement. After doing this, the VPN will function normally.|
|563714||It is not possible to configure Network Access proxy settings on iOS devices using the Network Access proxy resource variable attributes in the BIG-IP APM Visual Policy Editor.|
|573169||When using Safari to trigger VPN-on-Demand connection on iOS 9, for the first time Safari will return an error saying Safari cannot open the page because the network connection was lost, although the tunnel itself is correctly triggered and established and the VPN icon is displayed on the status bar. Refreshing the pages immediately results in successful load and displaying the page. Any subsequent requests from Safari runs as expected.|
|582315||First initial connection which triggers VPN on demand fails when proxy configuration is used in Network Access Resource. User needs to reestablish connection :refresh page in safari or reconnect in other apps.|
|585731||To save the client username and password in web logon mode on iOS Edge Client 2.0.6 or later or Android Edge Client 2.0.8 or later, the APM server must be at version 12.0 or later.|
|587775||iOS may frequently sleep/wakeup VPN plugin in sleep mode of device and sending DNS queries. This causes APM session keeps alive for long time. The DNS queries are sent every from 10 seconds to a few minutes. The issue was reported to Apple to confirm.|
|591017||This issue affects configurations where the server with a proxy autoconfig script is only reachable when the VPN tunnel for the configuration is established. In this scenario, if a proxy autoconfig script is specified and Connect on Demand is enabled (with any domains added) then F5 Access downloads the proxy autoconfig script with a significant delay of up to a minute or more. If Connect on Demand is disabled, the proxy autoconfig script is downloaded and applied successfully. This issue is not known to affect iOS versions prior to version 9. As a workaround, the user should wait for a minute or more after the tunnel is established for the proxy autoconfig script to be downloaded and applied.|
|591501||iOS9 does not respect 'On Demand Disconnect Timeout' for per-app-VPN tunnel when it's triggered by Safari domain. Session will be deleted after inactivity timeout, not after on-demand disconnect timeout as it has to. if per-app-VPN connection is triggered by provisioned application, then session will be deleted correctly after on-demand disconnect timeout.|
|591535||For iOS 8 and 9 it is known that a first attempt to load a web page fails if (1) the request match a Per-App VPN Safari domain list and (2) the admin had previously killed the session for that Per-App VPN on BIG-IP. The Per-App VPN is not triggered at all on iOS 8 and for iOS 9 it is triggered but the page load fails. The issue is not applied for iOS 10.|
|596581||Prior to iOS 10 when uninstalling F5 Access any certificate installed in the system gets corrupted if it is selected in any VPN configuration within F5 Access. As result the certificate is visible in Settings > General > Profile but its contents appear to be empty and it is not available to be selected in F5 Access VPN configuration after reinstalling F5 Access. As a workaround, on iOS 9 or earlier, before uninstalling F5 Access deselect the certificate and save for every existing configuration in F5 Access.|
|601404||When the iPhone user changes the default text settings to a larger size, the UI will not be render properly.|
|611523||On iOS 10, when an F5 Access configuration requires no user intervention to start, a user can establish or stop a tunnel without unlocking the device.|
|612592||In F5 Access for iOS 10, when a connection is established and then a user moves to a wifi network that doesn't have access to the APM server, the connection status doesn't change from Connected to Reconnecting immediately. It takes about two minutes to establish the reconnecting state.|
|612629||In F5 Access for iOS 10, all F5 Access configurations are not displayed in the Notifications pane. When you slide down to see notifications, only the first 6 configurations are displayed. When you slide left to see notifications, only the first 8 configurations are displayed.|
|612767||On an iOS 10 device with F5 Access and cellular data enabled, if the virtual server for the Network Access connection becomes unavailable, F5 Access shows an error message after the timeout duration is reached, but remains in the Disconnecting state for 15-20 seconds. On iOS 9, the Disconnected state is reported immediately after the timeout.|
|612997||With F5 Access for iOS 10, a user connects to a Network Access VPN tunnel with Client Proxy settings enabled in the Network Access resource, and a Client Proxy Autoconfig Script is configured, the settings are applied when Safari is started. Safari continues to use this PAC file even when the VPN connection is reestablished. As a workaround, quit and restart Safari to get the PAC file changes.|
|615858||When an iOS 10 device uses a per-app VPN profile pushed to the device by an MDM, and the F5 Access is connected via that per-app VPN profile to the managed application, when the per-app VPN profile is removed from the MDM, the VPN icon remains active on the iOS device for 5-10 minutes.|
|618956||On iOS 9 a client proxy exclusion entry name or IP address could be specified with wildcards. For example, the entry *.lab.siterequest.com would match ab-100.lab.siterequest.com. The entry 172.29.68.* would match 172.29.68.20. In both examples, the client proxy would be bypassed. On iOS 10 client proxy exclusion list entries that are specified with wildcards do not bypass the proxy. As a workaround, create a proxy PAC file on a back-end server and push that via the Network Access resource configuration with the command client-proxy-script http://back-end-proxy-server/proxy.pac.|
|641514||From 2.1.0 we provide customer an option to ask local authentication before using cached password. However, when home screen is locked, and user connect VPN from widget screen (pull down), after local authentication, the widget screen is put to background, and based on timing, end user may observe the connection staying in contacting state for a while and then disconnect. The issue is seen more frequently in iOS 10. The workaround is pull down widget screen after local authentication popup.|
|642241||Per-App VPN status might appear to remain "Connected" even in Airplane mode. This occurs only with Per-App VPN, and affects the app appearance only.|
|643928||F5 Access does not allow adding configurations in Managed User Configurations Mode, but in case of no L3 configurations present the Today Widget would still show "Add Configuration" link. Clicking the list the user would not be able to create a configuration if in Managed User Configurations Mode anyway, an error message is shown instead|
|645069||On iOS 10: multiple attempts to establish per-app VPN are done. Canceling page load stops connection attempts.|
|741519||F5 Access Legacy 2.1.2 for iOS does not work when running on iOS 12. When launching on iOS 12, the following message is displayed:
F5 Access Legacy needs to be updated. The developer of this app needs to update it to work with iOS 12.
This is followed by a User Agreement to grant VPN access:
F5 Access must be enabled to grant VPN access to this device.
The VPN functionality will also not work with iOS 12.
As a workaround, replace the client with F5 Access 3.0.1.
There are no fixes in 2.1.2.
|666898||Previously, when attempting to authenticate using Google ID, authentication could not complete. Authentication with Google ID now succeeds.|
|Phone - North America:||1-888-882-7535 or (206) 272-6500|
|Phone - Outside North America, Universal Toll-Free:||+800 11 ASK 4 F5 or (800 11275 435)|
|Fax:||See Regional Support for your area.|
For additional information, please visit http://www.f5.com.
You can find additional support resources and technical documentation through a variety of sources.
Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.
AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.
The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.
To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.