So, initially we were using PPTP to VPN with our iDevices.
This worked OK, was kind of flaky though, and the biggest inconvenience was having to manually turn on the VPN. (Too tricky for VPs, of course.)
So our CIO happened on the magic term of VPN on demand. From there the ball got rolling. Basically, when you go to a pre-defined domain, it's smart enough to fire off the VPN client for you!
I wasn’t involved completely in the install so there are some gaping holes in my knowledge, but I will try to lay out the setup as best as I can.
The F5 BIG-IP box is a hot rod! We are using only about 1% of its capabilities. It has a very nice visual design tool for configuring your Access Policies.
We have determined why the session is not disconnecting after the Inactivity Timeout expires. The Edge Client sends out 40 bytes of data every 30 seconds or so. For the Network Access object, the ‘Session Update Threshold’ is set to 0 by default. So the 40 bytes we send trigger it and keep the tunnel open, which prevents the Inactivity Timeout from starting. With a value of 60 bytes, the tunnel on the iPhone closes after the timeout expires as expected.
Go into your GUI, Access Policy ›› Network Access : Network Access List, and select the active one for your setup. Change the General Settings view to “Advanced”. You can update the “Session Update Threshold” to 50 or 60. Update and apply the policy and you should be good to go. If you need assistance with changing that value, let me know.
As mentioned above, you need to set the SSO Configuration on the ‘Properties’ tab of your Access Profile. Then you need to configure your network access to support SSO through a layered virtual server. This allows your users full network access to multiple web services without requiring them to enter their credentials multiple times.
Manual Chapter: Introducing Single Sign-On
Open the document above and search for ‘Using Single Sign-On for web application access over network access tunnel’
I was confused by the term ‘layered virtual server’, but the way I understand it is that under Local Traffic ›› Virtual Servers you create a ‘virtual server’ (this is more like a virtual IP??).
I used the Host type with all ports, the Standard virtual server type, TCP protocol, and the http profile.
Under VLAN and Tunnel Traffic: Client_Access_cp (the correct connectivity profile)
SNAT is set to Auto Map, then make sure Address Translation and Port Translation are not enabled.
Then, under the Virtual Address List, for the IP of the above ‘virtual server’, uncheck ARP. The F5 help text for that setting reads:
When cleared (disabled), specifies that the system does not accept ARP requests.
So, how does it work? Download the F5 Edge Client. The guy who set us up initially used the iPhone Configuration utility to create us a vpn.mobileconfig file. This is an easy way to email the certificate to the user and have them be able to add it.
Now we need to create our own config, so open up the Edge Client, press Add Configuration, give it a name, type in the Server address, turn Use Certificates ON, then choose the certificate that came in the email. Type your username and password, select Connect On Demand, add your domain to the domain list, and connect as needed.
Try a quick test connect; it should say Contacting, Authenticating, Negotiating, and then Connected. You will notice the little VPN symbol at the top of your screen (it wanders from the left to the right, who knows why?).
So then, if you open up Safari and surf to your Qlikview server using the domain that was entered in the connect-as-needed list, it should fire off the VPN, go to the Qlikview server, and pass your credentials... Magic!
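The vpn.mobileconfig mentioned above, with its Connect On Demand domain list, can also be generated instead of clicked together in the iPhone Configuration Utility. The following is an added example in Python (not the post's own file and not F5's or Apple's code); it assumes the newer iOS OnDemandRules syntax, and the hostnames, domains, payload identifiers and VPNSubType are placeholders you would replace with your own.

```python
import plistlib
import uuid

# Constructed placeholders, not values from the post: the BIG-IP host, the
# domains that should wake the tunnel, and the Edge Client's VPNSubType.
BIGIP_HOST = "vpn.example.com"
ON_DEMAND_DOMAINS = ["qlikview.example.com", "intranet.example.com"]
EDGE_CLIENT_SUBTYPE = "PLACEHOLDER.edge.client.bundle.id"  # check your client's docs

def on_demand_rules(domains):
    """iOS 7+ OnDemandRules: bring the tunnel up only for the listed domains
    and leave it alone (Ignore) for everything else."""
    return [
        {"Action": "EvaluateConnection",
         "ActionParameters": [{"Domains": list(domains),
                               "DomainAction": "ConnectIfNeeded"}]},
        {"Action": "Ignore"},  # catch-all: no match, do nothing
    ]

def vpn_payload(host, domains, cert_uuid):
    """com.apple.vpn.managed payload using certificate auth (the client's
    'Use Certificates ON'); cert_uuid names a pkcs12 payload shipped alongside."""
    return {
        "PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ondemand",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate VPN", "UserDefinedName": "Corporate VPN",
        "VPNType": "VPN",  # custom SSL VPN handled by a third-party app
        "VPNSubType": EDGE_CLIENT_SUBTYPE,
        "VPN": {"RemoteAddress": host,
                "AuthenticationMethod": "Certificate",
                "PayloadCertificateUUID": cert_uuid,
                "OnDemandEnabled": 1,
                "OnDemandRules": on_demand_rules(domains)},
    }

def build_mobileconfig(host, domains, cert_uuid):
    """Wrap the payload in a top-level Configuration profile; returns XML plist bytes."""
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.profile.vpn",  # placeholder
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadDisplayName": "VPN on demand",
               "PayloadContent": [vpn_payload(host, domains, cert_uuid)]}
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def host_triggers_vpn(hostname, domains):
    """Approximate the on-demand check: exact match or subdomain of a listed
    domain (an assumption about how iOS evaluates Domains, not Apple's code)."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in map(str.lower, domains))
```

Sign the resulting profile before distributing it, and keep the device certificate's private key out of any profile that travels by e-mail in the clear.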
Thank you for the overview! It helped me configure my setup 🙂