F5 Recommended Practices for BIG-IP and AirWatch MDM Integration

F5 Networks, Inc.

F5 BIG-IP and AirWatch MDM Integration Recommended Practices

Copyright F5 Networks Inc.

Contents

Introduction 4
Purpose 5
Requirements 6
Prerequisites 6
AirWatch 6
F5 BIG-IP 6
Network Topology 7
BIG-IP Configuration 7
Remote Access Wizard 7
SSL Certificate and Key 14
SSL Client Profile 14
Virtual Server Advanced Configuration 15
Access Policy Manager - Visual Policy Editor 16
Basic AirWatch Access Policy Flow 16
BIG-IP ActiveSync Proxy 19
Login and Authentication Verification 19
AirWatch Configuration 21
AirWatch Console Access 21
Child Organization Group Creation 22
User Group Creation 23
Smart Group Creation 23
AirWatch and F5 Integration 24
AirWatch Certificate Authority 26
VPN Profiles 26
Base VPN Profile 26
On-Demand Certificate Authority VPN Access Profile 32
Copy the Access Policy 38
On-Demand Certificate Authority Macro 38
Variable Assign Object 39
Advanced Resource Assign Macro 41

SSL Client Certificate Modification 42
Virtual Server Access Policy Assignment 43
Per-App VPN Profile 44
Copy the Access Policy 46
Conclusion 47

Introduction

The F5 BIG-IP Access Policy Manager (APM) allows for the consolidation of multiple access gateways (mobile application management, virtual desktop infrastructure, Microsoft ActiveSync Proxy, and others) into a single unified access gateway.

You can begin your deployment with a single access gateway use case or with multiple access gateway use cases. In either scenario, F5's tight integration with technology alliance partners allows for validated configurations to ensure compatibility. While this recommended practices guide is specific to integrating F5 BIG-IP APM with AirWatch MDM, you may reference our VDI access gateway solutions here:

VMware Horizon View:
https://f5.com/solutions/deployment-guides/vmware-horizon-view-optimized-solution-big-ip-v114-apm

Citrix XenApp/XenDesktop:
https://f5.com/solutions/deployment-guides/citrix-xenapp-or-xendesktop-release-candidate-big

Microsoft Remote Desktop Services:
http://www.f5.com/pdf/deployment-guides/f5-microsoft-remote-desktop-services-dg.pdf

For VMware Horizon View, administrators may use BIG-IP APM as a PCoIP proxy for remote access use cases. This greatly increases not only Horizon View security, but also scale and performance.

Many more F5 BIG-IP APM use cases may be referenced here:
https://f5.com/solutions/deployment-guides/tag/access%20policy%20manager

Purpose

With F5 BIG-IP APM, you may provide AirWatch mobile users unmatched secure remote access, performance, and availability. This document outlines the configuration details required to integrate F5 BIG-IP APM with AirWatch mobile device management (MDM). The steps are a series of recommended practices to follow in order to build an integrated solution. As with any system deployment, the steps are examples and the deployed environment may not exactly match these examples.

After completing this guide, you will be able to:

• Use the F5 BIG-IP APM as an AirWatch access gateway.
• Use the iOS BIG-IP Edge Client for Per-App VPN access with iOS 7 or later. Please reference the latest iOS BIG-IP Edge Client configuration guide here: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/related/apm-edgeclientios-2-0-4.html
• Authenticate AirWatch MDM users via the BIG-IP APM.
• Initiate on-demand VPN tunnels by domain query.
• Use BIG-IP APM as a Microsoft ActiveSync Proxy for Android and iOS email synchronization.
• Manage AirWatch MDM devices through the BIG-IP APM access gateway.

This recommended-practices guide will enable you to:

1. Configure an APM access policy (network access, authentication, webtop, and session variables).
2. Create a certificate authority (CA), client certificates, and the associated BIG-IP ClientSSL Profile.
3. Configure a BIG-IP virtual server and associate the APM access policy and SSL profile.
4. Configure multiple custom access policies for three (3) AirWatch remote access use cases:
   a. A VPN profile for all iOS and Android network traffic
   b. A VPN On-Demand Profile
   c. A Per-App VPN profile
5. Configure required AirWatch groups and profiles.
6. Configure AirWatch for F5 integration.
7. Configure required AirWatch groups and profiles.
8. Enter AirWatch credential sources.

Requirements

This section covers various requirements for this guide. These include prerequisites, product licensing, software, and/or hardware requirements.

Prerequisites

The following prerequisites need to be addressed prior to implementing this guide. This solution utilizes the following ancillary infrastructure:

• An authentication server
• An email server
• An application server
• An NTP time server
• Globally routable IP addresses
• Mobile device(s) with network access (iOS and Android devices only)
• Internet access
• Administrator login credentials
• SSL certificate and key (please reference F5 solution article SOL14499 for how to create a certificate authority and client certificates)

AirWatch

• An AirWatch service cloud subscription and an AirWatch cloud account are required.

Note: This recommended practices guide was formulated on a cloud-based AirWatch deployment. The recommended practices in this document may apply to AirWatch on-premises deployments but have not been tested.

F5 BIG-IP

• Either a physical or a virtual instance of BIG-IP is required.
• This guide is based on BIG-IP software release 11.5.0.
• This solution relies on F5 Access Policy Manager (APM) and requires an APM software license.

Network Topology

Figure 1: Logical Network Topology

BIG-IP Configuration

This section covers the steps required to be performed within the BIG-IP web configuration utility.

Remote Access Wizard

The BIG-IP configuration utility wizard will assist you in creating a remote access configuration using Access Policy Manager (APM). Log in to the BIG-IP and select Wizards->Device Wizards from the left menu bar. Select Network Access Setup Wizard for Remote Access and click Next.

Figure 2: Network Access Setup Wizard Details

Enter a Policy Name and Caption. The Default Language, Full Webtop, and Client Side Checks fields are optional. Then click Next to continue.

Figure 3: Network Access Policy Name and Details

Select Create New or Use Existing in the Authentication Options field. Select the Authentication Server type from the list. Then click Next to continue.

Figure 4: Authentication Server Type Details

The Authentication Server settings need to be defined. In this example we choose an Active Directory Authentication method. Enter a Domain Name. In this example, a Direct connection to the Primary Domain Controller is chosen. Enter an IP Address, Admin Name, and Password for the Active Directory Domain. Then click Next to continue.

Figure 5: Active Directory Server Details

A lease pool is a pool of available IP addresses that BIG-IP will assign to remote clients for network access. The size of this pool needs to be large enough to provide enough address space for the total concurrent connections licensed by APM. In this example, an address space of 20 IP addresses is defined. Select a Supported IP Version, and a Start and End IP Address. Select Add to move the address range to the Member List. Click Next to continue.

Figure 6: IPv4 Lease Pool Details

The client settings should be set according to the deployment scenario requirements. In this example, all traffic will be forced through the SSL VPN tunnel. Select Force all traffic through tunnel. Then click Next to continue.

Figure 7: Traffic Option Client Details

Primary and Secondary Name Servers need to be specified. Enter a Primary and Secondary Name Server and the Default Domain Suffix.

Figure 8: DNS Server Details

An optional step is to add Static Host entries. These are static host name to IP address assignments that BIG-IP can use to resolve remote access client requests. In this example, two static hosts are added: host entries for an email server and an application server. If this is required, enter a Host Name and an IP Address and then select Add to include these entries in the list. Click Next to continue.

Figure 9: Static Host Details

Finally, the Virtual Server IP Address needs to be defined. A Redirect Server will also be created, which will redirect client requests to the HTTPS virtual server. Enter an IP Address that is globally routable and resolvable by DNS. Click Next to continue.

Figure 10: Virtual Server IP Address Details

The wizard will display a list of all the configuration values entered. Review the list. Click Next to continue or Previous to correct any configuration mistakes.

Figure 11: Access Wizard Confirmation Details

The Setup Summary is displayed.

Figure 12: Access Wizard Setup Details

The wizard will address most of the configuration tasks necessary. The next sections will address the ones that haven't been addressed.

SSL Certificate and Key

This solution requires that an SSL certificate and key pair be imported to BIG-IP. These configuration procedures are beyond the scope of this document but can be referenced in F5 solution article SOL14499. These procedures can be used to create a certificate authority (CA) and client certificates and provide instructions for importation to BIG-IP.

It is important that you generate the required certificate and key pair before continuing to the next section.

SSL Client Profile

An SSL Client Profile must be bound to the HTTPS virtual server created in the previous section. Follow the configuration procedures to create an SSL Client Profile: Navigate to Local Traffic->Profiles->SSL->Client and select Create. Enter a Name. Scroll down to the Client Authentication section. Check the Custom boxes for Client Certificate and choose Require. Check the Custom boxes for Trusted Certificate Authorities and Advertised Certificate Authorities and select the certificate that was imported from the previous section.

Figure 13: SSL Client Profile Details

Virtual Server Advanced Configuration

Some virtual server parameters below will require modifications:

Select the External VLAN from the Available list and click the << button to move it to the Selected column. This restricts the virtual server to listening on the external VLAN only, which prevents VLAN misuse.

Figure 14: External VLAN Selection

Set the virtual server to use the SSL Client profile created in the previous section. Select the SSL Profile from the Available column and click the << button to move it to the Selected column. Click the >> button on the clientssl default profile in the Selected column to move it back to the Available column.

Figure 15: SSL Client Profile Details

Check Enabled for VDI and Java Support.

Figure 16: Enable VDI and Java Support Details
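The profile and virtual server settings above (Client Certificate set to Require, trusted and advertised CAs selected, the custom profile in place of the default clientssl, and the external VLAN only) can be re-checked offline against saved `tmsh list` output. The following Python script is an added example, not part of the F5 guide; its embedded sample output uses made-up object and file names, and it assumes that the BIG-IP 11.x tmsh keys `peer-cert-mode`, `ca-file`, `client-cert-ca`, `vlans` and `vlans-enabled` correspond to the GUI fields named in this section.

```python
# Constructed sample of `tmsh list ltm profile client-ssl` and `tmsh list ltm virtual`
# output in BIG-IP 11.x syntax (names and files are made up). airwatch_vs follows
# the guide; sloppy_vs keeps the defaults the guide tells you to change.
SAMPLE_TMSH = """\
ltm profile client-ssl airwatch_clientssl {
    ca-file airwatch-ca.crt
    cert airwatch.crt
    client-cert-ca airwatch-ca.crt
    key airwatch.key
    peer-cert-mode require
}
ltm profile client-ssl weak_clientssl {
    cert default.crt
    key default.key
    peer-cert-mode ignore
}
ltm virtual airwatch_vs {
    destination 203.0.113.10:https
    profiles {
        airwatch_clientssl {
            context clientside
        }
        http { }
    }
    vlans {
        external
    }
    vlans-enabled
}
ltm virtual sloppy_vs {
    destination 203.0.113.11:https
    profiles {
        clientssl {
            context clientside
        }
        weak_clientssl {
            context clientside
        }
    }
    vlans-disabled
}
"""


def parse_tmsh(text):
    """Parse tmsh brace syntax into nested dicts: 'key value' -> {key: value},
    'key {' opens a nested block, a bare word (flag or VLAN name) -> {word: True}."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{ }"):          # empty block such as 'http { }'
            stack[-1][line[:-3].strip()] = {}
        elif line.endswith("{"):            # block opener
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value if value else True
    return stack[0]


def audit(config):
    """Return {virtual name: [findings]}; an empty list means the virtual matches
    the guide: a custom client-ssl profile that requires a client certificate and
    names trusted/advertised CAs, the default clientssl removed, external VLAN only."""
    profiles = {name.split()[-1]: body for name, body in config.items()
                if name.startswith("ltm profile client-ssl ")}
    findings = {}
    for name, body in config.items():
        if not name.startswith("ltm virtual "):
            continue
        issues = []
        attached = body.get("profiles", {})
        if "clientssl" in attached:
            issues.append("default clientssl profile still attached")
        custom = [p for p in attached if p in profiles]
        if not custom:
            issues.append("no custom client-ssl profile attached")
        for p in custom:
            prof = profiles[p]
            mode = prof.get("peer-cert-mode", "ignore")   # ignore is the default
            if mode != "require":
                issues.append(f"{p}: peer-cert-mode is {mode}, expected require")
            for key, label in (("ca-file", "Trusted CAs"),
                               ("client-cert-ca", "Advertised CAs")):
                if prof.get(key, "none") == "none":
                    issues.append(f"{p}: {label} ({key}) not set")
        if "vlans-enabled" not in body:
            issues.append("vlans-enabled not set: virtual listens on all VLANs")
        elif set(body.get("vlans", {})) != {"external"}:
            issues.append("VLAN list is not exactly {external}")
        findings[name.split()[-1]] = issues
    return findings
```

Save the two `tmsh list` outputs to one file on the BIG-IP and call `audit(parse_tmsh(open(path).read()))`; any virtual with a non-empty list needs the steps above repeated.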

Access Policy Manager - Visual Policy Editor

The F5 BIG-IP Access Policy Manager (APM) Visual Policy Editor (VPE) is a subordinate user interface (UI) that resides within the BIG-IP APM web configuration utility to assist with building access policies. Depending on the deployment scenario, it may be necessary to alter the access policy. Follow these procedures to configure the VPE:

Basic AirWatch Access Policy Flow

Access the current access policy by navigating to Access Policy->Access Profiles->Access Profiles List. The list of access policies is displayed.

Figure 17: Access Policy Details

Click on the Edit hyperlink in the F5_AirWatch_Policy policy row. The VPE is displayed. The current policy should look like the following:

Figure 18: Access Policy Flow for Basic AirWatch Policy Details

Note: Each of the hyperlink items in blue underscored text can be modified to address the deployment requirements.

The next few sections will detail some of these basic access policy settings.

Logon Page Macro

From Figure 18 above, click on the hyperlink labeled Logon Page. This will display the Logon Page Properties tab.

The top portion of the page details the parameters that will be presented to the user.

Figure 19: Logon Page Agent Details

The lower portion of the page contains the customization parameters available.

Figure 20: Logon Page Customization Details

Modify these values to satisfy site-specific deployment requirements. Select Cancel or Save to return to the VPE.

AD Auth Macro

From Figure 18 above, click on the hyperlink labeled AD Auth to display the Authentication Properties tab.

Figure 21: AD Authentication Configuration Details

Modify these values to satisfy site-specific deployment requirements. Select Cancel or Save to return to the VPE.

Resource Assign Macro

From Figure 18 above, click on the hyperlink labeled Resource Assign to display the Resource Properties tab.

Figure 22: Resource Assignment Configuration Details

Modify these values to satisfy site-specific deployment requirements. Select Cancel or Save to return to the VPE. Click the Close button when you're finished.

Note: It is recommended to take these access policy options into consideration when deploying AirWatch VPN Profiles.

BIG-IP ActiveSync Proxy

F5 BIG-IP APM's Microsoft ActiveSync proxy enables native email application integration for both Android and iOS devices. These configuration procedures are beyond the scope of this document. To configure BIG-IP APM as a Microsoft ActiveSync proxy, please see the corresponding deployment guide and iApp.

Login and Authentication Verification

You should now be able to test the APM Access Policy from a PC client. This tests the integration of the BIG-IP APM with the respective authentication servers.

From a PC client, test that the APM logon prompt is properly displayed. Open a Web Browser and enter the fully-qualified domain name (FQDN) or IP address of the APM-protected Virtual Server. The Secure Logon page is displayed. Enter a valid username and password and select Logon to continue.

Figure 23: APM Logon Details

If this is the first time you're logging onto the APM-protected Virtual Server, you may have to install browser plugins. If this is the case, follow these instructions:

Figure 24: Browser Plugin Notification Details

Once the test client can properly authenticate and obtain privileges, Mobile Device Management (MDM) can be configured.

If the client is unable to authenticate, review the APM log files in the BIG-IP command line interface (CLI) at /var/log/apm.
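To make that log review systematic, the following Python script groups apd messages by APM session ID and reports, for each test logon, the username and whether the AD Auth step succeeded or why it failed. It is an added example, not part of the F5 guide; the embedded log lines are constructed to approximate the shape of apd messages (message ID, session ID, text) and are not from a real device, and the message IDs and AD failure texts in them are illustrative.

```python
import re

# Constructed /var/log/apm excerpt: one failed logon (bad password), one successful
# retry, one failure because the domain controller could not be reached, plus a
# line from another daemon that the parser must skip. Not from a real device.
SAMPLE_APM_LOG = """\
Mar  3 09:12:01 bigip1 notice apd[2345]: 01490005:5: 7b1e2c90: Username 'jdoe'
Mar  3 09:12:01 bigip1 notice apd[2345]: 01490107:5: 7b1e2c90: AD module: authentication with 'jdoe' failed: Preauthentication failed, principal name: jdoe@EXAMPLE.COM. Invalid user credentials. (-1765328360)
Mar  3 09:12:30 bigip1 notice apd[2345]: 01490005:5: 9c4d0aa1: Username 'jdoe'
Mar  3 09:12:30 bigip1 notice apd[2345]: 01490106:5: 9c4d0aa1: AD module: authentication with 'jdoe' successful
Mar  3 09:13:10 bigip1 notice apd[2345]: 01490005:5: 0e77f3b2: Username 'asmith'
Mar  3 09:13:12 bigip1 notice apd[2345]: 01490107:5: 0e77f3b2: AD module: authentication with 'asmith' failed: Cannot contact any KDC for requested realm, principal name: asmith@EXAMPLE.COM. (-1765328228)
Mar  3 09:13:20 bigip1 notice httpd[4100]: configuration reloaded
"""

# "<month> <day> <time> <host> <level> apd[<pid>]: <msgid>:<sev>: <session id>: <text>"
APD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \w+ apd\[\d+\]: "
    r"(?P<msgid>[0-9a-f]{8}):\d+: (?P<sid>[0-9a-f]{8}): (?P<text>.*)$")
USER_RE = re.compile(r"Username '([^']+)'")
AD_RE = re.compile(
    r"AD module: authentication with '([^']+)' (successful|failed)(?::\s*(.*))?")


def parse_apm_log(text):
    """Group apd messages by APM session ID. Each session records the logon
    username, the AD result ('successful', 'failed' or 'no auth attempt') and
    the failure detail text the AD module reported."""
    sessions = {}
    for line in text.splitlines():
        m = APD_RE.match(line)
        if not m:
            continue  # other daemons also write to /var/log/apm
        s = sessions.setdefault(
            m["sid"], {"user": None, "result": "no auth attempt", "detail": ""})
        u = USER_RE.match(m["text"])
        if u:
            s["user"] = u.group(1)
            continue
        a = AD_RE.match(m["text"])
        if a:
            s["user"] = s["user"] or a.group(1)
            s["result"] = a.group(2)
            s["detail"] = (a.group(3) or "").strip()
    return sessions


def classify_failure(detail):
    """Map the AD module's failure text to what the operator should check next:
    the user's credentials, or reachability of the domain controller configured
    in the AD Auth macro."""
    d = detail.lower()
    if "invalid user credentials" in d or "preauthentication failed" in d:
        return "bad credentials"
    if "cannot contact" in d or "kdc" in d:
        return "domain controller unreachable"
    return "other"


def summarize(sessions):
    """One (session id, user, outcome) row per session, in log order."""
    rows = []
    for sid, s in sessions.items():
        outcome = classify_failure(s["detail"]) if s["result"] == "failed" else s["result"]
        rows.append((sid, s["user"], outcome))
    return rows


if __name__ == "__main__":
    for sid, user, outcome in summarize(parse_apm_log(SAMPLE_APM_LOG)):
        print(f"{sid}  {user:<10} {outcome}")
```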

AirWatch Configuration

This section covers the steps required for MDM configuration via the AirWatch administration console (herein referred to as the AirWatch console).

AirWatch Console Access

The AirWatch console is the management interface used to configure AirWatch MDM. Log in to the AirWatch console. The console dashboard is displayed.

Figure 25: AirWatch Console Dashboard Details

The console is laid out with tabs in the far-left column that expose sub-tabs to the right of these tabs.

Child Organization Group Creation

An organization group is a simple way to manage VPN profiles and devices. It allows configuration settings that adhere to deployment requirements to be set at the organization level and applied by default. Within the AirWatch console, select the Groups & Settings icon on the left. Expand the Groups, Organization Groups, Organization Group Details menu tree.

Figure 26: AirWatch Organization Group Creation Details

Note: You'll need the Group ID for future reference while performing additional configuration steps.

Enter a Name for the group and a Group ID, and then click Save. Be sure to choose this group from the upper-left tab.

Figure 27: Organization Group Details

User Group Creation

Add a new user group by selecting Groups & Settings->Groups->User Groups, and then click on the Add hyperlink. Enter the Name for the group and click Save to continue.

Figure 28: New User Group Details

Click Save when finished.

Smart Group Creation

Add a new smart group by selecting Groups & Settings->Groups->Smart Groups, and then click on the Add Smart Group hyperlink. Enter the Name for the smart group at the top-right of the screen. Select only the Organization Group and User Group previously created.

Figure 29: New Smart Group Details

Click Save when finished.

AirWatch and F5 Integration

To enable the F5 integration, perform the following steps. Navigate to Groups & Settings->All Settings and select the System tab in the left-hand column. The System tab menu selections are displayed. Expand the Enterprise Integration menu item and select Enterprise Integration Services.

Figure 30: System Details

Note that if the Current Setting is Inherit, you will need to change it to Override by selecting Override in order to enable enterprise integration. You may also need to change the cloud connector and/or mobile access gateway (MAG) current setting to Override. Enable the enterprise integration by clicking the Enable button. Enter an EIS URL. This is the FQDN that resolves to the IP address of the BIG-IP Virtual Server.

Figure 31: EIS URL BIG-IP FQDN Details

Scroll down to the Enterprise Services section. Enable or disable the necessary services.

Figure 32: Enterprise Services Details

Next, scroll down to the AirWatch Services section. Enable the services as per deployment requirements.

Figure 33: AirWatch Services Details

Next, verify the Certificate state and Child Permissions.

Figure 34: Certificate State and Child Permissions State Details

Click Save when finished.

AirWatch Certificate Authority

A CA needs to be defined. Within the AirWatch console, navigate to System->Enterprise Integration->Certificate Authorities. Click the Add button to add a new CA. Enter a valid Name, Auth Type, Server Hostname, Authority Name, Username, and Password.

Figure 35: AirWatch Certificate Authority Details

Click Save when finished.

VPN Profiles

You can deploy three different VPN Profile types:

• A Base VPN Profile for all iOS and Android network traffic
• A VPN On-Demand Profile that will initiate a VPN connection whenever applications navigate to predefined domains
• A Per-App VPN Profile that specifies which applications can utilize the VPN connection

Base VPN Profile

To create a base VPN Profile for Android and iOS devices, within the AirWatch console, navigate to the Devices->Profiles->List View menu from within the left column.

Create New Android Profile

To create a new AirWatch profile for Android devices, within the AirWatch console, navigate to Devices->Profiles->List View. Click the Add button and then choose the Android icon.

Figure 36: Android Platform Detail

Enter a Name and select the Smart Group previously created for this profile.

Figure 37: Android Profile Details

Next, in the left column, select the Passcode tab and then click the Configure button. This will display the Passcode settings that need to be applied. Select the Minimum Passcode Length value as per deployment requirements. For this example the default values remain.

Figure 38: Passcode Details

Next, in the left column, select the Restrictions tab and then click the Configure button. This will display the restriction settings that can be applied. Note that some values are operating-system-dependent. Apply the appropriate restrictions per deployment requirements.

Figure 39: Restriction Details

Next, in the left column, select the VPN tab and then click the Configure button. This will display the VPN settings that need to be applied. Choose the F5 SSL Connection Type. Enter a Connection Name for the profile; make sure the Server is the BIG-IP Virtual Server FQDN; and select {EnrollmentUser} as the Username.

Figure 40: Android VPN Profile Details

Next, in the left column, select the Exchange ActiveSync tab and then click the Configure button. This will display the ActiveSync settings that need to be applied. Enter the Account Name and enter the FQDN of the BIG-IP Virtual Server as the Exchange ActiveSync Host.

Figure 41: Exchange ActiveSync Details

Login Information needs to be defined. Enter a Domain. Click the + button next to User and enter {EnrollmentUser}.

Figure 42: Exchange ActiveSync Login Details

In the Settings section, in the Past Days of Mail to Sync field, enter the value the deployment requires. In this example, Auto is selected. In the Contacts and Calendar section in this example, Native Contacts Application is chosen for both fields.

Figure 43: Exchange ActiveSync Settings and Security Details

Click the Save & Publish button to continue.

Create iOS Profile

In this section you will create a new AirWatch profile for iOS devices. Within the AirWatch console, navigate to Devices->Profiles->List View. Click the Add button and then choose the Apple iOS icon. Enter a Name for this profile.

Figure 44: iOS Profile Details

Next, in the left column, select the VPN tab and click the Configure button. This will display the VPN settings that need to be applied.

Enter the Connection Name, Type, Server, and select {EnrollmentUser} as the Account. Then select the Per-App VPN and Connect Automatically check boxes.

Figure 45: iOS VPN Profile Details

Click the Save & Publish button to continue.

On-Demand Certificate Authority VPN Access Profile

This profile builds on the Base VPN Profile. The VPN On-Demand feature allows applications to automatically initiate a VPN connection using the F5 client whenever those applications navigate to any of the domains specified in the VPN Profile.

Create New On-Demand Android Profile

In this section you will create a new On-Demand AirWatch profile for Android devices. Within the AirWatch console navigate to Devices->Profiles->List View, click the Add button, choose the Android icon, and then enter a Name for this profile.

Figure 46: Android On-Demand Profile Details

Next, in the left column, select the Credentials tab, and then click the Configure button. This will display the VPN Credentials settings that need to be applied. Select a Credential Source appropriate for the deployment.

Figure 47: On-Demand Credential Profile Details

Next, in the left column, select the VPN tab and click the Configure button. This will display the VPN settings that need to be applied.

Enter the Connection Type, Name, Server, and select the Username.

Figure 48: On-Demand VPN Details

Click the Save & Publish button to continue.

Create New On-Demand iOS Profile

This section contains instructions on how to create a new AirWatch profile for iOS devices. Within the AirWatch console, navigate to Devices->Profiles->List View, click the Add button, and then choose the Apple iOS icon from the platform listing.

Figure 49: Platform Details

Enter a Name and select the Smart Group previously created for this profile.

Figure 50: iOS Profile Details

Next, in the left column, select the Passcode tab and then click the Configure button. This will display the Passcode settings that need to be applied. Select the Require passcode on device checkbox. This will display more passcode settings. For this example, additional values remain the defaults.

Figure 51: Passcode Details

Next, in the left column, select the Restrictions tab and click the Configure button. This will display the restriction settings that can be applied. Note that some values are operating-system-dependent. Select the checkboxes that correspond to the restrictions that the deployment requires.

Figure 52: Restriction Details


Next, in the left column, select the VPN tab and then click the Configure button. This will display the VPN settings that need to be applied. Enter the Name of the profile; select F5 SSL as the Connection Type; enter the FQDN of the BIG-IP Virtual Server as the Server; and select {EnrollmentUser} as the Account. Then select the Per-App VPN and Connect Automatically checkboxes.

Within the Safari Domains, add the appropriate Domains for the deployment. User Authentication remains the default value of Password.

Figure 53: iOS VPN Profile Details

Next, in the left column, select the Exchange ActiveSync tab and then click the Configure button. This will display the Exchange ActiveSync settings that need to be applied. Enter a Name for this account. Enter the FQDN of the BIG-IP Virtual Server as the Exchange ActiveSync Host.

Figure 54: Exchange ActiveSync Details


The Login Information needs to be defined. Enter a Domain. Click the + link next to Username and enter {EnrollmentUser}.

Figure 55: Exchange ActiveSync Login Details

In the Settings and Security section, for Past Days of Mail to Sync, select a value that the deployment requires. In this example, 2 weeks is selected.

Figure 56: Exchange ActiveSync and Security Details

Click the Save & Publish button to continue.


BIG-IP On-Demand Certificate Authentication Access Policy

Make the following modifications within the F5 BIG-IP web configuration utility.

The existing access policy can be modified or copied. These instructions will result in copying the existing policy and modifying the SSL client profile.

Copy the Access Policy

To copy the policy to a new name, click on the Copy hyperlink from the F5_AirWatch_Policy policy row. Enter a name for the new policy and click the Copy button.

Figure 57: Access Profile Copy Details

The Access policy can be edited by clicking on the Edit hyperlink. Modify the policy to match the following configuration.

Figure 58: On-Demand Certificate Authentication Access Policy Details

Note: Enter the details of the Certificate Authentication and Resource Assignment to meet deployment requirements.

On-Demand Certificate Authority Macro

Click on the hyperlink labeled On-Demand Cert Auth.

Figure 59: On-Demand Certificate Authentication Details

The Authentication mode is set to Request. Leave the settings at the default values and click the Save button.


Variable Assign Object

Add a variable assign object to the policy by clicking the + symbol on the Successful branch of the On-Demand Cert Auth macro. Enter a Name; in this example it is Extract UPN. Add a new variable entry by clicking the Change hyperlink.

Figure 60: On-Demand Certificate Authority VPE Macro

Figure 61: Variable Assign Details

Note: The "name" parameter specified in the three variable-assignment screen captures below is entered in the "Custom Variable" box (in Figure 60 above) for each variable assignment you create.

Add three variable assignments as follows:

Name: session.logon.last.domain
Custom Expression:
set upn [mcget {session.logon.last.upn}]; if {[string first "@" $upn] >= 0} { return [string range $upn [expr { [string first "@" $upn] + 1 } ] end ]; } else { return ""; }

Figure 62: Variable Assignment #1

Name: session.logon.last.username
Custom Expression:
set upn [mcget {session.logon.last.upn}]; if {[string first "@" $upn] >= 0} { return [string range $upn 0 [expr { [string first "@" $upn] - 1 } ] ]; } else { return $upn; }

Figure 63: Variable Assignment #2


Name: session.logon.last.upn
Custom Expression:
set e_fields [split [mcget {session.ssl.cert.x509extension}] "\n"]; foreach qq $e_fields { if {[string first "othername:UPN" $qq] >= 0} { return [string range $qq [expr { [string first "<" $qq] + 1 } ] [expr { [string first ">" $qq] - 1 } ] ]; } } return "";

Figure 64: Variable Assignment #3

Figure 65: Variable Assignment for Extract UPN Macro Details

Note: The Extract UPN Variable Assignment dialog should now appear as shown in Figure 63. If it does not, edit each entry to match the values displayed in the graphic.

Note: If you choose to cut and paste the variable name and expression, be sure to paste the copied text as plain text. Otherwise an error pertaining to the variable syntax may block saving these assignments.
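The three custom expressions above can be checked before the policy goes live by modelling them outside APM. The Python below is an added example, not F5 or AirWatch code: it reproduces what the Tcl expressions compute from session.ssl.cert.x509extension and shows the values that will land in session.logon.last.upn, .username and .domain for a certificate that carries a UPN, one that carries none, and one whose UPN has no "@" part. The extension dumps are constructed to match the layout the Tcl loop expects (one extension per line, the UPN given as an "othername:UPN<...>" entry), and the function names extract_upn, split_upn and derive_logon_variables are this example's own.

```python
"""Offline model of the three Extract UPN variable assignments.

Added example (not F5 or AirWatch code).  It mirrors the Tcl custom
expressions so that the session variables the access policy will set can be
checked against sample certificate extension dumps.  The sample dumps below
are constructed, not captured from a device; substitute real x509extension
output from a test device when validating a deployment.
"""
from __future__ import annotations


def extract_upn(x509extension: str) -> str:
    """Mirror of variable assignment #3 (session.logon.last.upn).

    Walk the extension dump line by line; on the first line that contains
    "othername:UPN" return the text between the first "<" and the first ">".
    Return "" when no UPN entry exists, as the Tcl expression does.  Missing
    delimiters also yield "" here; that is a defensive check this model adds,
    not something the page's expression performs.
    """
    for line in x509extension.split("\n"):
        if "othername:UPN" in line:
            start = line.find("<")
            end = line.find(">")
            if start < 0 or end <= start:
                return ""
            # Tcl 'string range' uses an inclusive end index (hence the -1
            # there); a Python slice end is exclusive, so no adjustment here.
            return line[start + 1:end]
    return ""


def split_upn(upn: str) -> tuple[str, str]:
    """Mirror of variable assignments #2 and #1 (username, domain).

    Everything before the first "@" is the username and everything after it
    is the domain.  Without an "@", the whole UPN becomes the username and the
    domain is empty, exactly as the two Tcl else-branches return $upn and "".
    """
    at = upn.find("@")
    if at >= 0:
        return upn[:at], upn[at + 1:]
    return upn, ""


def derive_logon_variables(x509extension: str) -> dict[str, str]:
    """Produce the three session variables the Extract UPN object will set."""
    upn = extract_upn(x509extension)
    username, domain = split_upn(upn)
    return {
        "session.logon.last.upn": upn,
        "session.logon.last.username": username,
        "session.logon.last.domain": domain,
    }


# Constructed sample extension dumps (not captured from a real device).
CERT_WITH_UPN = (
    "X509v3 Key Usage: critical\n"
    "Digital Signature, Key Encipherment\n"
    "X509v3 Subject Alternative Name:\n"
    "othername:UPN<jdoe@corp.example.com>, email:jdoe@corp.example.com\n"
)
CERT_WITHOUT_UPN = (
    "X509v3 Subject Alternative Name:\n"
    "email:jdoe@corp.example.com\n"
)
CERT_UPN_NO_DOMAIN = (
    "X509v3 Subject Alternative Name:\n"
    "othername:UPN<svc-scanner>\n"
)


if __name__ == "__main__":
    for label, dump in (("UPN present", CERT_WITH_UPN),
                        ("no UPN", CERT_WITHOUT_UPN),
                        ("UPN without @", CERT_UPN_NO_DOMAIN)):
        print(label, derive_logon_variables(dump))
```

The "no UPN" case is the one to watch operationally: the certificate still passes On-Demand Cert Auth, so the policy reaches the Successful branch with all three logon variables empty. A deployment that relies on session.logon.last.username downstream should confirm with this model, and then in the policy itself, what an empty value leads to.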

The next step will be to add an advanced resource assignment to the access policy.


Advanced Resource Assign Macro

Add an advanced resource assign object to the policy by clicking the + link on the Successful branch of the Extract UPN variable assignment macro. Enter a Name; in this example it is SSL VPN. Select the Network Access tab and choose the F5_AirWatch_Policy_na_res that was created as a part of the initial BIG-IP Access Policy Wizard configuration task previously completed.

Figure 66: On-Demand Certificate Authority VPE Macro

Figure 67: Network Access Resource Details

Select the Webtop tab and select the F5_AirWatch_Policy_webtop that was created in the initial BIG-IP base configuration. Then click the Update button.

Figure 68: Webtop Assignment Details


The resource assignment macro should look as follows:

Figure 69: Resource Assignment Details

Click the Save button to return to the policy flow diagram. The On-Demand Policy should now look as follows:

Figure 70: On-Demand Policy Details

SSL Client Certificate Modification

When using On-Demand Certificate Authentication, client authentication is enabled with a Client certificate set. This setting needs to be changed to Ignore. Navigate to Local Traffic->Profiles->SSL->Client. The list of SSL Profiles is displayed; select the AW_Client_Cert profile.

Figure 71: SSL Client Profile Details


Scroll down to the Client Authentication section and for the Client Certificate select Ignore from the drop-down list.

Figure 72: Client Authentication Set to Ignore Client Certificate

Click the Update button to complete the change.

Virtual Server Access Policy assignment

The new Access Policy needs to be applied to the Virtual Server. To do this, navigate to Local Traffic->Virtual Servers->Virtual Server List.

Figure 73: F5 Air Watch HTTPS Virtual Server Details

Scroll down to the Access Policy section. Modify the Access Profile to be the new On-Demand profile.

Figure 74: Virtual Server Access Profile Details

Click the Update button to continue.


Per-App VPN Profile

This profile builds on the Base VPN Profile.

The Per-App VPN Profile is available on iOS 7 devices. It allows the profile to specify which applications can utilize the VPN connection. These are the managed applications that are pushed to specific devices via the AirWatch Admin Console.

There is a distinct difference between a per-app VPN and an on-demand VPN. With a per-app VPN, unique TCP tunnels are established per application and bind the application to the BIG-IP gateway. With an on-demand VPN, when a mobile application queries a particular domain name, a TCP/UDP tunnel is established for all device applications.

Create New Per-App iOS 7 Profile

This section details how to create a new Per-App AirWatch profile for iOS devices. Within the AirWatch Console, navigate to Devices->Profiles->List View. Then click the Add button, choose the iOS icon, and enter a Name for this profile.

Figure 75: iOS Per-App Profile Details


Next, in the left column, select the Credentials tab and click the Configure button. This will display the VPN Credentials settings that need to be applied. Select a Credential Source appropriate for the deployment.

Figure 76: Per-App Credential Profile Details

Next, in the left column, select the VPN tab and click the Configure button. This will display the VPN settings that need to be applied.

Enter the Connection Type, Name, Server, and for the Account select {EnrollmentUser} from the drop-down list.

Figure 77: Per-App VPN Details

Click the Save & Publish button to continue.


BIG-IP Per-App Access Policy

Make these modifications within the F5 BIG-IP web configuration utility.

The existing policy can be modified or copied. These instructions will result in copying the existing policy, and applying the new policy to the virtual server.

Copy the Access Policy

To copy the policy to a new name, click on the Copy hyperlink from the F5_AirWatch_Policy policy row. Define a name for the new policy and then click the Copy button.

Figure 78: Access Policy Copy Details

The Access policy can be edited by clicking the Edit hyperlink. Edit the policy to match the following configuration. Delete the Resource Assignment macro item by clicking on the X link.

Figure 79: Per-App Access Policy Details

Note: Define the details of Certificate Authentication and Resource Assignment to meet deployment requirements. Refer to the Base VPN Access Profile settings in the Configuring BIG-IP sections above.

Virtual Server Access Policy Assignment

Apply the new Access Policy to the Virtual Server. Navigate to Local Traffic->Virtual Servers->Virtual Server List.

Figure 80: Virtual Server Details


Scroll down to the Access Policy section. Edit the Access Policy and select the new On-Demand profile from the drop-down menu.

Figure 81: Virtual Server Access Profile Details

Click the Update button.

Conclusion

This concludes the BIG-IP and AirWatch recommended practices guide. The configuration details may vary from the deployed network topology.