Forum Discussion

David_Glasgow_1
Nov 02, 2013

Network Access and F5 BIG-IP Edge Client (Windows)

During our evaluation of the F5 (LTM/APM) we installed the BIG-IP Edge Client on around 10 mobile devices, all running Windows 8.


One of our key requirements for any VPN access to our site is knowing that the end device is a corporate-owned and controlled device. For this we have deployed a machine certificate to each endpoint, marked as non-exportable, which prevents users exporting this certificate and placing it on another machine. Part of this approach is that our users cannot have admin rights to their PCs (as tools such as Mimikatz would allow this certificate to be exported), and we have BitLocker enabled (preventing backdoor attacks).


With the above certificate, we use the F5 Machine Certificate checker as part of our APM policy; if it can successfully access both the public and private keys (using the F5 client-side service), we then perform a virus check, and if that is successful, we finally check the AD username and password before allowing network access.


This works great, and we are happy this meets our security requirements. In order to complete this, we needed to install the BIG-IP Edge Client on each endpoint; it was installed as a user with admin rights, and the installation was completed by right-clicking and selecting "Run as administrator".


At the time this was completed, we were running 11.4.0 HF1; we then completed an upgrade of the F5 to 11.4.0 HF3. When the clients next connected they were automatically upgraded; this was what we were led to understand would happen, and was one advantage of using the F5. However, when our clients connected, the VPN connection was disconnected within about 20 seconds, with the following messages reported in the APM logs:


    2013-10-30 21:46:03 PPP tunnel 0x57005bbd6f00 started.
    2013-10-30 21:48:37 PPP tunnel 0x57005bbd6f00 closed.
    2013-10-30 22:01:35 \N: Session deleted due to user inactivity or errors.


The client logs show the following:


    DIALER,1892,6692,Invalid RAS connection handle, 00000000
    Standalone,1892,6692,Network Access Disconnected: "/Common/NA_na_res"
    DIALER,1892,6692,Invalid RAS connection handle, 00000000
    DIALER,1892,6692,Invalid RAS connection handle, 00000000
    DIALER,1892,6692,Invalid RAS connection handle, 00000000
    DIALER,1892,6692,Invalid RAS connection handle, 00000000
    HOST,1892,6692,Proxy is not opened
    Standalone,1892,6692,Received OnCloseSession Failed; Session name= f5.fdqn
    Standalone,1892,6692,Server is: f5.fdqn (f5) User status is: Disconnected
    Standalone,1892,6692,[SESSION RECONNECT (Server: f5.fdqn Attempt 0)] - Scheduled in 10 sec(s) or next network event
    Standalone,1892,6692,Server is: f5.fdqn (f5) User status is: Waiting to connect to server...
    Standalone,1892,6692,UNHANDLED EXCEPTION!!! Look for F5CORE*.dmp files. Address: 0x774efb1b. Code: 0xc0000094 - Division by zero
    POLICY_SERVER,3748,4540,Stop policy checks (session ID:"9816e3e18f61103531afb8f03b1cd4b4").
    POLICY_SERVER,3748,4540,Poliy server session does not have active checks, signal to stop it (session ID: 9816e3e18f61103531afb8f03b1cd4b4).


This happened on 6 of our clients, which is 60% of our current install base... which in a full deployment would make the F5 virtually impossible to upgrade. We couldn't work out a way to resolve the above issue short of completing a full uninstall and reinstall, so we made the call to complete an upgrade to 11.4.1, in the hope that the F5 would push out a new client, complete the reinstall, and we would be away; still far less than ideal, but at least we could continue our trial.


The 11.4.1 did push out a new client, and the 6 devices that previously couldn't maintain a connection now could. However, the split DNS function no longer works for these clients: as soon as they connect to the VPN (which is now stable), they can access everything on the network, and nslookups work without issue for our corporate sites; however, if they try an nslookup to google, for example, it times out. The other 4 clients remain working without issue. The difference with the 4 clients that work is that the users who completed the connection to the F5 when the client upgrade was pushed down have admin rights to their devices (IT staff).


As I say, with our current evaluation deployment this is all manageable; but this is an evaluation, and I need to consider that the 6 affected devices, in a real-world deployment for us, would be more like 120 devices, which would be a nightmare.


Does anyone have any pointers on what may have gone wrong here? Is this typical of real-world experiences of the F5 BIG-IP client, and are there any tricks to resolve it, short of visiting each machine and completing an uninstall and reinstall?


Finally, with the release of Windows 8.1 and a built-in F5 client for Network Access, will this remove the requirement for the BIG-IP Edge Client to be installed on the endpoints, and what functionality would be lost by this?


Thanks, David
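The post's security model rests on the device certificate's private key being present in the machine store and marked non-exportable. The script below is an added example for checking that on an endpoint; it is not code from the original post or from F5. It walks `Cert:\LocalMachine\My`, and for each certificate with a private key reads the export flag from either the legacy CSP key container or the CNG key's export policy. The issuer pattern `*Corp*` is a hypothetical placeholder for the issuing CA, and reading a CNG key through `RSACertificateExtensions` needs .NET Framework 4.6 or later. Note that, as the post itself says, the flag is a policy on the key container rather than a cryptographic guarantee; a local administrator can still lift such keys with tools like Mimikatz, so the check is only meaningful alongside the no-admin-rights and BitLocker controls.

```powershell
# Added example, not from the original post or from F5.
# Report each machine certificate from the corporate CA, whether it has a
# private key, and whether that key is marked exportable.

function Get-MachineCertExportability {
    param(
        [string]$IssuerPattern = '*Corp*'   # hypothetical: match your issuing CA's name
    )

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        if ($cert.Issuer -notlike $IssuerPattern) { continue }

        $result = [ordered]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            HasKey     = $cert.HasPrivateKey
            KeyType    = 'n/a'
            Exportable = $null
        }

        if ($cert.HasPrivateKey) {
            # Legacy CSP keys are reachable through .PrivateKey; CNG-only keys
            # throw here ("Invalid provider type specified"), so fall through.
            $csp = $null
            try { $csp = $cert.PrivateKey } catch { $csp = $null }

            if ($csp -and $csp.CspKeyContainerInfo) {
                $result.KeyType    = 'CSP'
                $result.Exportable = $csp.CspKeyContainerInfo.Exportable
            } else {
                try {
                    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                    if ($rsa -is [System.Security.Cryptography.RSACng]) {
                        $policy = $rsa.Key.ExportPolicy
                        $allow  = [System.Security.Cryptography.CngExportPolicies]::AllowExport
                        $result.KeyType    = 'CNG'
                        $result.Exportable = [bool]($policy -band $allow)
                    }
                } catch {
                    # Typically access denied when run without rights to the key,
                    # or an older .NET without RSACertificateExtensions.
                    $result.KeyType = "unknown ($($_.Exception.Message))"
                }
            }
        }

        [pscustomobject]$result
    }
}

$report = Get-MachineCertExportability
$report | Format-Table -AutoSize

# Anything without a key, or with an exportable key, would let the device
# identity be copied to another machine; flag it.
$report |
    Where-Object { -not $_.HasKey -or $_.Exportable -eq $true } |
    ForEach-Object {
        Write-Warning ("Device cert {0} fails policy: HasKey={1} Exportable={2}" -f
            $_.Thumbprint, $_.HasKey, $_.Exportable)
    }
```

Run it elevated to read the key attributes of machine-store keys; as a standard user you will still see `HasKey` but the export policy lookup may report access denied, which is itself the expected outcome of the least-privilege setup the post describes.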
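For the split DNS symptom described above (corporate names resolve, public names time out once the tunnel is up), the quickest way to see which resolver is answering for what is to query each configured DNS server directly rather than through the client's normal resolution path. The script below is an added diagnostic, not part of the original post or of the Edge Client; `intranet.corp.example` and `www.example.com` are hypothetical placeholders for one internal and one public name.

```powershell
# Added example, not from the original post or from F5.
# For every DNS server configured on any interface, resolve one corporate and
# one public name with a short timeout, so a broken split DNS setup shows up as
# "corporate OK via the tunnel adapter, public failing everywhere".

function Test-SplitDns {
    param(
        [string]$CorporateName = 'intranet.corp.example',   # hypothetical internal name
        [string]$PublicName    = 'www.example.com'          # hypothetical public name
    )

    $entries = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }

    foreach ($entry in $entries) {
        foreach ($server in $entry.ServerAddresses) {
            foreach ($name in @($CorporateName, $PublicName)) {
                $sw = [System.Diagnostics.Stopwatch]::StartNew()
                try {
                    # -DnsOnly bypasses the hosts file and cache; -QuickTimeout keeps
                    # a dead resolver from stalling the whole run.
                    $answer = Resolve-DnsName -Name $name -Server $server -DnsOnly -QuickTimeout -ErrorAction Stop
                    $addr = ($answer | Where-Object { $_.Type -in 'A','AAAA' } | Select-Object -First 1).IPAddress
                    $status = if ($addr) { $addr } else { 'no A/AAAA record' }
                } catch {
                    $status = "FAILED: $($_.Exception.Message)"
                }
                $sw.Stop()

                [pscustomobject]@{
                    Interface = $entry.InterfaceAlias
                    Server    = $server
                    Name      = $name
                    Result    = $status
                    Millis    = $sw.ElapsedMilliseconds
                }
            }
        }
    }
}

Test-SplitDns | Sort-Object Interface, Server, Name | Format-Table -AutoSize
```

Run it once before connecting and once after; the before/after diff of which interface carries which resolver, and which names each resolver will answer, is usually enough to tell whether the tunnel's DNS server is being used for everything (and refusing or dropping external names) or whether the public resolver has simply disappeared from the adapter list.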


5 Replies

  • If you haven't already, I would certainly touch base with your local SE. Also, reporting this to F5 support seems like a wise thing to do. I have seen an 11.2.1 APM upgrade go fine, with no issues with the clients, but those weren't Windows 8.
  • I have found your experience to be the "norm" after going through several upgrades from 10.x to 11.2 to 11.3 to 11.4.1 HF2... client-side issues are a nagging problem. We have over 2000 clients, and a wild guess would be a 1-2% failure rate on clients after upgrades. Reinstalling 20-40 clients after each upgrade is no fun. Support has been unable to provide much assistance other than recommending removing all F5 items and reinstalling; in extreme cases they recommend reimaging the entire workstation.


  • I have APM 11.5.1, and on Windows 7 everything works perfectly, but on Windows 8.1 it is NOT THE SAME...


    Some machines are working perfectly; others can run applications on the Webdesktop but can never use the Network Access full VPN....


    So far no reply from Tech Support, and 2 tickets already opened about this...


  • Anyone had any luck with this? We are having a bunch of users randomly getting disconnected anywhere between 15 minutes and 4 hours in. Our session timeout is set to 12 hours. Our FirePass version still runs great, and people are starting to use that as it is more stable.


  • Hi


    I'm having the same issue with Windows 8 / 8.1. I just found some topics related to other VPN solutions which use the PPP infrastructure. Also, Windows 8/8.1 reports an error in the Event Manager like "instead of dialing directly which has failed. The error code returned on failure is 720".


    I'm trying to solve this issue, but so far there has been no luck.