Click to view the whole screen shot. Basically, it start with a ‘Start’ then runs a Client Cert Inspection. (I believe this is where it inspects the client to see that it has the SSL certificate that we setup (We obtained a trusted cert from somewhere). The next step is to check the UI mode of the Client. Then it checks what OS your are running. Then there is a Logon Page (If I remember correctly, this is where the F5 Edge Client grabs the NT username & password. After that it hits the AD Auth module. This module is configured to use a server that was setup name ‘ActiveDirector’ setup under the Access Policy, AAA Servers with an Active Directory Type, and domain controller and other creds specified. After it’s authenticated it then caches the credentials for single sign on!! Module is called SSO Credential Mapping, and I left the settings at default. This mapping uses the SSO setting set at the Access Profile, Properties selection.  (This is really cool BTW, otherwise the CEO, VP’s etc… have to type in their password every time that connect to the qlikview server) This is configured under Access Policy, SSO Configurations. I named it SSO_IPHONE_POLICY, I used NTLMV1, I enabled Username Conversion and typed in the NTLM domain, left the rest of the settings at default. Next in the mapping is an AD Query, it once again uses the ‘ActiveDirector’ AD server, User Principal Name is Enabled, Under Branch Rules is a ‘MemberOf’ with an expression of

CN=VPN_Users,OU=Custom Groups,OU=My Groups,DC=mydomain,DC=local . This will check users attempting to connect are members of the VPN_Users AD group. Then finally if all the criteria matches it passes to a Resource Assign and then to an Allow.

There are of course a couple of other settings.

Originally when we set it up the VPN worked great, actually too great…. it would never disconnect. After contacting support this is how to fix it

As mentioned above you need to set the SSO Configuration at the ‘properties tab’ of your Access Profile. Then you need to  configure your network access to support SSO through a layered virtual server. This allows your users full network access to multiple web services without requiring them to enter their credential multiple times.

Manual Chapter: Introducing Single Sign-On

http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_sso.html?sr=18213209

Open the document above and search for  ‘Using Single Sign-On for web application access over network access tunnel’

I was confused by the terminology of layered virtual server, but the way I understand it is that under Local Traffic, Virtual Servers you create a ‘virtual server’ (This is more like a virtual IP??)

I used a Host type, and did all ports. I did standard, and TCP, and http.

Under VLAN and Tunnel Traffic: Client_Access_cp (the correct connectivity profile)

SNAT is set to Auto Map, then make sure Address Translation and Port Translation are not enabled.

Then under the Virtual Address List for the ip of the above ‘virtual server’ uncheck the ARP

When cleared (disabled), specifies that the system does not accept ARP requests.

So, how does it work? Download the F5 Edge Client. The guy who set us up initially used the iPhone Configuration utility to create us a vpn.mobileconfig file. This is an easy way to email the certificate to the user and have them be able to add it.

Now we need to create our own config so open up the Edge Client, press Add Configuration, give it a name, type in the Server address, click Use Cerificates ON, then you choose the certificate that came in the email. Type your username and password, select Connect On Demand and then choose in the domain list your domain, and connect as needed.

Try a quick test connect, should say Contacting, Authenticating, Negotiating, and then Connected. You will notice the little VPN symbol in the top of your screen (In wanders from the left to the right, who knows why?)