F5 Networks, Inc. F5 Recommended Practices for BIG-IP and AirWatch MDM Integration
Contents Introduction 4 Purpose 5 Requirements 6 Prerequisites 6 AirWatch 6 F5 BIG-IP 6 Network Topology 7 Big-IP Configuration 7 Remote Access Wizard 7 SSL Certificate and Key 14 SSL Client Profile 14 Virtual Server Advanced Configuration 15 Access Policy Manager - Visual Policy Editor 16 Basic AirWatch Access Policy Flow 16 BIG-IP ActiveSync Proxy 19 Login and Authentication Verification 19 Air Watch Configuration 21 AirWatch Console Access 21 Child Organization Group Creation 22 User Group Creation 23 Smart Group Creation 23 AirWatch and F5 Integration 24 AirWatch Certificate Authority 26 VPN Profiles 26 Base VPN Profile 26 On-Demand Certificate Authority VPN Access Profile 32 Copy the Access Policy 38 On-Demand Certificate Authority Macro 38 Variable Assign Object 39 Advanced Resource Assign Macro 41 2
SSL Client Certificate Modification 42 Virtual Server Access Policy assignment 43 Per-App VPN Profile 44 Copy the Access Policy 46 Conclusion 47 3
Introduction The F5 BIG-IP Access Policy Manager (APM) allows for the consolidation of multiple access gateways (mobile application management, virtual desktop infrastructure, Microsoft Active Sync Proxy, and others) into a single unified access gateway. You can begin your deployment with a single access gateway use case or with multiple access gateway use cases. In either scenario, F5 s tight integration with technology alliance partners allows for validated configurations to ensure compatibility. While this recommended practices guide is specific to integrating F5 BIG-IP APM with AirWatch MDM, you may reference our VDI access gateway solutions here: VMware Horizon View: https://f5.com/solutions/deployment-guides/vmware-horizon-view-optimized-solution-big-ip-v114-apm Citrix XenApp/XenDesktop: https://f5.com/solutions/deployment-guides/citrix-xenapp-or-xendesktop-release-candidate-big Microsoft Remote Desktop Services: http://www.f5.com/pdf/deployment-guides/f5-microsoft-remote-desktop-services-dg.pdf For VMware Horizon View, administrators may use BIG-IP APM as a PCoIP proxy for remote access use cases. This greatly increases not only Horizon View security, but also scale and performance. Many more F5 BIG-IP APM use cases may be referenced here: https://f5.com/solutions/deployment-guides/tag/access%20policy%20manager 4
Purpose With F5 BIG-IP APM, you may provide AirWatch mobile users unmatched secure remote access, performance, and availability. This document outlines the configuration details required to integrate F5 BIG-IP APM with AirWatch mobile device management (MDM). The steps are a series of recommended practices to follow in order to build an integrated solution. As with any system deployment, the steps are examples and the deployed environment may not exactly match these examples. After completing this guide, you will be able to: Use the F5 BIG-IP APM as an AirWatch access gateway. Use the ios BIG-IP Edge Client for Per-App VPN access with ios 7 or later. Please reference the latest ios BIG-IP Edge Client configuration guide here: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/related/apmedgeclientios-2-0-4.html Authenticate AirWatch MDM users via the BIG-IP APM. Initiate on-demand VPN tunnels by domain query. Use BIG-IP APM as a Microsoft Active Sync Proxy for Android and ios email synchronization. Manage AirWatch MDM devices through the BIG-IP APM access gateway. This recommended- practices guide will enable you to: 1. Configure an APM access policy (network access, authentication, webtop, and session variables). 2. Create a certificate authority (CA), client certificates, and associated BIG-IP ClientSSL Profile. 3. Configure a BIG-IP virtual server and associate the APM access policy and SSL profile. 4. Configure multiple custom access policies for three (3) AirWatch remote access use cases: a. A VPN profile for all ios and Android network traffic b. A VPN On-Demand Profile c. A Per-App VPN profile 5. Configure required AirWatch groups and profiles. 6. Configure AirWatch for F5 integration. 7. Configure required AirWatch groups and profiles. 8. Enter AirWatch credential sources. 5
Requirements This section covers various requirements for this guide. These include prerequisites, product licensing, software, and/or hardware requirements. Prerequisites The following prerequisites need to be addressed prior to implementing this guide. This solution utilizes the following ancillary infrastructure: An authentication server An email server An application server An NTP time server Globally Routable IP addresses Mobile device(s) with network access (ios and Android devices only) Internet access Administrator login credentials SSL Certificate and Key (please reference F5 solution article SOL14499 for how to create a certificate authority and client certificates) AirWatch AirWatch service cloud subscription and AirWatch cloud account are required Note: This recommended practices guide was formulated on a cloud-based AirWatch deployment. The recommended practices in this document may apply to AirWatch onpremises deployments but have not been tested. F5 BIG-IP Either a physical or a virtual instance of BIG-IP is required. This guide is based on BIG-IP software release 11.5.0. This solution relies on F5 Access Policy Manager (APM) and requires an APM software license. 6
Network Topology Figure 1: Logical Network Topology Big-IP Configuration This section covers the steps required to be performed within the BIG-IP web configuration utility. Remote Access Wizard The BIG-IP configuration utility wizard will assist you in creating a remote access configuration using Access Policy Manager (APM). Log in to the BIG-IP and select Wizards->Device Wizards from the left menu bar. Select Network Access Setup Wizard for Remote Access and click Next. Figure 2: Network Access Setup Wizard Details 7
Enter a Policy Name and Caption. The Default Language, Full Webtop, and Client Side Checks fields are optional. Then click Next to continue. Figure 3: Network Access Policy Name and Details Select Create New or Use Existing in the Authentication Options field. Select the Authentication Server type from the list. Then click Next to continue. Figure 4: Authentication Server Type Details 8
The Authentication Server settings need to be defined. In this example we choose an Active Directory Authentication method. Enter a Domain Name. In this example, a Direct connection to the Primary Domain Controller is chosen. Enter an IP Address, Admin Name, and Password for the Active Directory Domain. Then click Next to continue. Figure 5: Active Directory Server Details A lease pool is a pool of available IP addresses that BIG-IP will assign to remote clients for network access. The size of this pool needs to be large enough to provide enough address space for the total concurrent connections licensed by APM. In this example, an address space of 20 IP addresses is defined. Select a Supported IP Version, and a Start and End IP Address. Select Add to move the address range to the Member List. Click Next to continue. Figure 6: IPv4 Lease Pool Details 9
The client settings should be set according to the deployment scenario requirements. In this example, all traffic will be forced through the SSL VPN tunnel. Select Force all traffic through tunnel. Then click Next to continue. Figure 7: Traffic Option Client Details Primary and Secondary Name Servers need to be specified. Enter a Primary and Secondary Name Server and the Default Domain Suffix. Figure 8: DNS Server Details 10
An optional step is to add Static Host entries. These are static host names to IP address assignments that BIG-IP can use to resolve remote access client requests. In this example, two static hosts are added. Host entries for an email server and an application server are input. If this is required, enter a Host Name and an IP Address and then select Add to include these entries in the list. Click Next to continue. Figure 9: Static Host Details Finally, the Virtual Server IP Address needs to be defined. A Redirect Server will also be created, which will redirect client requests to the HTTPS virtual server. Enter an IP Address that is globally routable and resolvable by DNS. Click Next to continue. Figure 10: Virtual Server IP Address Details 11
The wizard will display a list of all the configuration values entered. Review the list. Click Next to continue or Previous to correct any configuration mistakes. Figure 11: Access Wizard Confirmation Details 12
The Setup Summary is displayed. Figure 12: Access Wizard Setup Details The wizard will address most of the configuration tasks necessary. The next sections will address the ones that haven t been addressed. 13
SSL Certificate and Key This solution requires that an SSL certificate and key pair be imported to BIG-IP. These configuration procedures are beyond the scope of this document but can be referenced in F5 solution article SOL14499. These procedures can be used to create a certificate authority (CA) and client certificates and provide instructions for importation to BIG-IP. It is important that you generate the required certificate and key pair before continuing to the next section. SSL Client Profile An SSL Client Profile must be bound to the HTTPS virtual server created in the previous section. Follow the configuration procedures to create an SSL Client Profile: Navigate to Local Traffic- >Profiles->SSL->Client and select Create. Enter a Name. Scroll down to the Client Authentication section. Check the Custom boxes for Client Certificate and choose Require. Check the Custom boxes for Trusted Certificate Authorities and Advertised Certificate Authorities and select the certificate that was imported from the previous section. Figure 13: SSL Client Profile Details 14
Virtual Server Advanced Configuration Some virtual server parameters below will require modifications: Select the External VLAN from the Available list and click the << button to move it to the Selected column. This is a security feature that prevents VLAN misuse. Figure 14: External VLAN Selection Set the virtual server to use the SSL Client profile created in the previous section. Select the SSL Profile from the Available column and click the << button to move it to the Selected column. Click the >> button on the clientssl default profile from the Selected column to move it to the Available column. Figure 15: SSL Client Profile Details Check Enabled for VDI and Java Support. Figure 16: Enable VDI and Java Support Details 15
Access Policy Manager - Visual Policy Editor The F5 BIG-IP Access Policy Manager (APM) Visual Policy Editor (VPE) is a subordinate user interface (UI) that resides within the BIG-IP APM web configuration utility to assist with building access policies. Depending on the deployment scenario, it may be necessary to alter the access policy. Follow these procedures to configure the VPE: Basic AirWatch Access Policy Flow Access the current access policy by navigating to Access Policy->Access Profiles->Access Profiles List. The list of access policies is displayed. Figure 17: Access Policy Details Click on the Edit hyperlink from the F5_AirWatch_Policy policy row. The VPE is displayed. The current policy should look like the following: Figure 18: Access Policy Flow for Basic AirWatch Policy Details Note: Each of the hyperlink items in blue unscored text can be modified to address the deployment requirements. The next few sections will detail some of these basic access policy settings. 16
Logon Page Macro From Figure 18 above, click on the hyperlink labeled Logon Page. This will display the Logon page Properties tab. The top portion of the page details the parameters that will be presented to the user. Figure 19: Logon Page Agent Details The lower portion of the page contains the customizations parameters available. Figure 20: Logon Page Customization Details Modify these values to satisfy site specific deployment requirements. Select Cancel or Save to return to the VPE. 17
AD Auth Macro From figure 18 above, click on the hyperlink labeled AD Auth to display the Authentication page Properties tab. Figure 21: AD Authentication Configuration Details Modify these values to satisfy site specific deployment requirements. Select Cancel or Save to return to the VPE. Resource Assign Macro From figure 18 above, click on the hyperlink labeled Resource Assign to display the Resource Properties tab. Figure 22: Resource Assignment Configuration Details Modify these values to satisfy site-specific deployment requirements. Select Cancel or Save to return to the VPE. Click the Close button when you re finished. Note: It is recommended to take these access policy options into consideration when deploying AirWatch VPN Profiles. 18
BIG-IP ActiveSync Proxy F5 BIG-IP APM s Microsoft ActiveSync proxy enables native email application integration for both Android and ios devices. These configuration procedures are beyond the scope of this document. To configure BIG-IP APM as a Microsoft ActiveSync proxy, please see the deployment guide and according iapp. Login and Authentication Verification You should now be able to test the APM Access Policy from a PC client. This tests the integration of the BIG-IP APM with respective authentication servers. From a PC client, test that the APM logon prompt is properly displayed. Open a Web Browser and enter the fully-qualified domain name (FQDN) or IP address of the APM-protected Virtual Server. The Secure Logon page is displayed. Enter a valid username and password and select Logon to continue. Figure 23: APM Logon Details 19
If this is the first time you re logging onto the APM-Protected Virtual Server, you may have to install browser plugins. If this is the case, follow these instructions: Figure 24: Browser Plugin Notification Details Once the test client can properly authenticate and obtain privileges, Mobile Device Management (MDM) can be configured. If the client is unable to authenticate, review the APM log files in the BIG-IP command line interface (CLI) at /var/log/apm. 20
Air Watch Configuration This section covers the steps required for MDM configuration via the AirWatch administration console (herein referred to as the AirWatch console). AirWatch Console Access The AirWatch console is the management interface to configure AirWatch MDM. Log in to the AirWatch Console. The console dashboard is displayed. Figure 25: AirWatch Console Dashboard Details The console is laid out with tabs on the far-left column that expose sub tabs to the right of these tabs. 21
Child Organization Group Creation An organization group is a simple way to manage VPN profiles and devices. It allows for configuration settings that adhere to deployment requirements to be set at the organization level and be applied by default. Within the AirWatch console, select the Groups & Settings icon on the left. Expand the Groups, Organization Groups, Organization Group Details menu tree. Figure 26: AirWatch Organization Group Creation Details Note: You ll need the Group ID for future reference while performing additional configuration steps. Enter a Name for the group and a Group ID, and then click Save. Be sure to choose this group from the upper-left tab. Figure 27: Organization Group Details 22
User Group Creation Add a new user group by selecting Groups & Settings->Groups->User Groups, and then click on the Add hyperlink. Enter the Name for the group and click Save to continue. Figure 28: New User Group Details Click Save when finished. Smart Group Creation Add a new smart group by selecting Groups & Settings->Groups->Smart Groups, and then click on the Add Smart Group hyperlink. Enter the Name for the smart group at the top-right of the screen. Select only the Organization Group and User Group previously created. Figure 29: New Smart Group Details 23
Click Save when finished. AirWatch and F5 Integration To enable the F5 integration, perform the following steps. Navigate to Group & Settings->All Settings and select the System tab in the left-hand column. The System tab menu selections are displayed. Expand the Enterprise Integration menu item and select Enterprise Integration Services. Figure 30: System Details It should be noted that if the Current Setting is Inherit, you will need to change it to Override by selecting Override in order to enable enterprise integration. You may also need to change the cloud connector and/or mobile access gateway (MAG) current setting to override. Enable the enterprise Integration by clicking the Enable button. Enter an EIS URL. This is the FQDN that resolves to the IP address of the BIG-IP Virtual Server. Figure 31: EIS URL BIG-IP FQDN Details 24
Scroll down to the Enterprise Services section. Enable or Disable the necessary services. Figure 32: Enterprise Services Details Next, scroll down to the AirWatch Services. Enable the services as per deployment requirements. Figure 33: AirWatch Services Details Next, verify the Certificate state and Child Permissions. Figure 34: Certificate State and Child Permissions State Details Click Save when finished. 25
AirWatch Certificate Authority A CA needs to be defined. Within the AirWatch console, navigate to System->Enterprise Integration ->Certificate Authorities. Click the Add button to add a new CA. Enter a valid Name, Auth Type, Server Hostname, Authority Name, Username, and password. Figure 35: AirWatch Certificate Authority Details Click Save when finished. VPN Profiles You can deploy three different VPN Profile types: A Base VPN Profile for all ios and Android network traffic A VPN On-Demand Profile that will initiate a VPN connection whenever applications navigate to predefined domains A Per-App VPN Profile that specifies which applications can utilize the VPN connection Base VPN Profile To create a base VPN Profile for Android and ios devices, within the AirWatch console, navigate to Devices->Profiles->List View menu from within the left column. 26
Create New Android Profile To create a new AirWatch profile for Android devices, within the AirWatch Console, navigate to Devices->Profiles->List View. Click the Add button and then choose the Android icon. Figure 36: Android Platform Detail Enter a Name and select the Smart Group previously created for this profile. Figure 37: Android Profile Details 27
Next, in the left column, select the Passcode tab and then click the Configure button. This will display the Passcode settings that need to be applied. Select the Minimum Passcode Length value as per deployment requirements. For this example the default values remain. Figure 38: Passcode Details Next, in the left column, select the Restrictions tab and then click the Configure button. This will display the restriction settings that can be applied. Note that some values are operating system dependent. Apply the appropriate restrictions per deployment requirements. Figure 39: Restriction Details 28
Next, in the left column, select the VPN tab and then click the Configure button. This will display the VPN settings that need to be applied. Choose the F5 SSL Connection Type. Enter a Connection Name for the profile; make sure the Server is the BIG-IP Virtual Server FQDN; and select {EnrollmentUser} as the Username. Figure 40: Android VPN Profile Details Next, in the left column, select the Exchange ActiveSync tab and then click the Configure button. This will display the ActiveSync settings that need to be applied. Enter the Account Name and enter the FQDN of the BIG-IP Virtual Server as the Exchange ActiveSync Host. Figure 41: Exchange ActiveSync Details 29
Login Information needs to be defined. Enter a Domain. Click the + button next to User and enter {EnrollmentUser}. Figure 42: Exchange ActiveSync Login Details In the Settings section, in the Past Days of Mail to Sync field, enter the value the deployment requires. In this example, Auto is selected. In the Contacts and Calendar section in this example, Native Contacts Application is chosen for both fields. Figure 43: Exchange ActiveSync Settings and Security Details Click the Save & Publish button to continue. 30
Create ios Profile In this section you will create a new AirWatch profile for ios devices. Within the AirWatch Console navigate to Devices->Profiles->List View. Click the Add button and then choose the Apple ios icon. Enter a Name for this profile. Figure 44: ios Profile Details Next, in the left column, select the VPN tab and click the Configure button. This will display the VPN settings that need to be applied. Enter the Connection Name, Type, Server, and select {EnrollmentUser} as the Account. Then select the Per-App VPN and Connect Automatically check boxes. Figure 45: ios VPN Profile Details Click the Save & Publish button to continue. 31
On-Demand Certificate Authority VPN Access Profile This profile builds on the Base VPN Profile. The VPN On-Demand feature allows applications to automatically initiate a VPN connection using the F5 client whenever those applications navigate to any of the domains specified in the VPN Profile. Create New On-Demand Android Profile In this section you will create a new On-Demand AirWatch profile for Android devices. Within the AirWatch console navigate to Devices->Profiles->List View, click the Add button, choose the Android icon, and then enter a Name for this profile. Figure 46: Android On-Demand Profile Details Next, in the left column, select the Credentials tab, and then click the Configure button. This will display the VPN Credentials settings that need to be applied. Select a Credential Source appropriate for the deployment. Figure 47: On-Demand Credential Profile Details 32
Next, in the left column, select the VPN tab and click the Configure button. This will display the VPN settings that need to be applied. Enter the Connection Type, Name, Server, and select the Username. Figure 48: On-Demand VPN Details Click the Save & Publish button to continue. Create New On-Demand ios Profile This section contains instructions on how to create a new AirWatch profile for ios devices. Within the AirWatch Console, navigate to Devices->Profiles->List View, click the Add button, and then choose the Apple ios icon from the platform listing. Figure 49: Platform Details 33
Enter a Name and select the Smart Group previously created for this profile. Figure 50: ios Profile Details Next, in the left column, select the Passcode tab and then click the Configure button. This will display the Passcode settings that need to be applied. Select the Require passcode on device checkbox. This will display more passcode settings. For this example, additional values remain the defaults. Figure 51: Passcode Details 34
Next, in the left column, select the Restrictions tab and click the Configure button. This will display the restriction settings that can be applied. Note that some values are operating system dependent. Select the checkboxes that correspond to the restrictions that the deployment requires. Figure 52: Restriction Details 35
Next, in the left column, select the VPN tab and then click the Configure button. This will display the VPN settings that need to be applied. Enter the Name of the profile; select F5 SSL as the Connection Type; enter the FQDN of the BIG-IP Virtual Server as the Server; and select {EnrollmentUser} as the Account. Then select the Per-App VPN and Connect Automatically checkboxes. Within the Safari Domains, add the appropriate Domains for the deployment. User Authentication remains the default value of Password. Figure 53: ios VPN Profile Details Next, in the left column, select the Exchange ActiveSync tab and then click the Configure button. This will display the Exchange ActiveSync settings that need to be applied. Enter a Name for this account. Enter the FQDN of the BIG-IP Virtual Server as the Exchange ActiveSync Host. Figure 54: Exchange ActiveSync Details 36
The Login Information needs to be defined. Enter a Domain. Click the + link next to Username and enter {EnrollmentUser}. Figure 55: Exchange ActiveSync Login Details In the Settings and Security section, For Past Days of Mail to Sync select a value that the deployment requires. In this example, 2 weeks is selected. Figure 56: Exchange ActiveSync and Security Details Click the Save & Publish button to continue. 37
BIG-IP On-Demand Certificate Authentication Access Policy Make the following modifications within the F5 BIG-IP web configuration utility. The existing access policy can be modified or copied. These instructions will result in copying the existing policy and modifying the SSL client profile. Copy the Access Policy To copy the policy to a new name, click on the Copy hyperlink from the F5_AirWatch_Policy policy row. Enter a name for the new policy and click the Copy button. Figure 57: Access Profile Copy Details The Access policy can be edited by clicking on the Edit hyperlink. Modify the policy to match the following configuration. Figure 58: On-Demand Certificate Authentication Access Policy Details Note: Enter the details of the Certificate Authentication and Resource Assignment to meet deployment requirements. On-Demand Certificate Authority Macro Click on the hyperlink labeled On-Demand Cert Auth. Figure 59: On-Demand Certificate Authentication Details The Authentication mode is set to Request. Leave the settings at the default values and click the Save button. 38
Variable Assign Object Add a variable assign object to the policy by clicking the + symbol on the Successful branch of the On-Demand Cert Auth macro. Enter a Name; in this example it is Extract UPN. Add a new variable entry by clicking the Change hyperlink. Figure 60: On-Demand Certificate Authority VPE Macro Figure 61: Variable Assign Details Note: The name parameter specified in the three variable-assignment screen captures below is entered in the Custom Variable box (in Figure 60 above) for each variable assignment you create. Add three variable assignments as follows: Name: session.logon.last.domain Custom Expression: set upn [mcget {session.logon.last.upn}]; if {[string first @ $upn] >= 0} { return [string range $upn [expr { [string first @ $upn] + 1 } ] end ]; } else { return ; } Figure 62: Variable Assignment #1 Name: session.logon.last.username Custom Expression: set upn [mcget {session.logon.last.upn}]; if {[string first @ $upn] >= 0} { return [string range $upn 0 [expr { [string first @ $upn] - 1 } ] ]; } else { return $upn; } Figure 63: Variable Assignment #2 39
Name: session.logon.last.upn Custom Expression: set e _ fields [split [mcget {session.ssl.cert.x509extension}] \n ]; foreach qq $e _ fields { if {[string first othername:upn $qq] >= 0} { return [string range $qq [expr { [string first < $qq] + 1 } ] [expr { [string first > $qq] - 1 } ] ]; } } return ; Figure 64: Variable Assignment #3 Figure 65: Variable Assignment for Extract UPN Macro Details Note: The Extract UPN Variable Assignment dialog should now appear as shown in Figure 63. If it does not, edit each entry to match the values displayed in the graphic. Note: If you choose to cut and paste the variable name and expression, be sure to paste the copied text as plain text. Otherwise an error pertaining to the variable syntax may block saving these assignments. The next step will be to add an advanced resource assignment to the access policy. 40
Advanced Resource Assign Macro Add an advanced resource assign object to the policy by clicking the + link on the Successful branch of the Extract UPN variable assignment macro. Enter a Name; in this example it is SSL VPN. Select the Network Access tab and choose the F5_AirWatch_Policy_na_res that was created as a part of the initial BIG-IP Access Policy Wizard configuration task previously completed. Figure 66: On-Demand Certificate Authority VPE Macro Figure 67: Network Access Resource Details Select the Webtop tab and select the F5_AirWatch_Policy_webtop that was created in the initial BIG-IP base configuration. Then click the Update button. Figure 68: Webtop Assignment Details 41
The resource assignment macro should look as follows: Figure 69: Resource Assignment Details Click the Save button to return to the policy flow diagram. The On-Demand Policy should now look as follows: Figure 70: On-Demand Policy Details SSL Client Certificate Modification When using On-Demand Certificate Authentication, client authentication is enabled with a Client certificate set. This setting needs to be changed to Ignore. Navigate to Local Traffic->Profiles- >SSL->Client. The list of SSL Profiles is displayed; Select the AW_Client_Cert profile. Figure 71: SSL Client Profile Details 42
Scroll down to the Client Authentication section and for the Client Certificate select Ignore from the drop-down list. Figure 72: Client Authentication Set to Ignore Client Certificate Click the Update button to complete the change. Virtual Server Access Policy assignment The new Access Policy needs to be applied to the Virtual Server. To do this, navigate to Local Traffic ->Virtual Servers->Virtual Server List. Figure 73: F5 Air Watch HTTPS Virtual Server Details Scroll down to the Access Policy section. Modify the Access Profile to be the new On-Demand profile. Figure 74: Virtual Server Access Profile Details Click the Update button to continue. 43
Per-App VPN Profile This profile builds on the Base VPN Profile. The Per-App VPN Profile is available in ios 7 devices. This allows the profile to specify which applications can utilize the VPN connection. These are the managed applications that are pushed to specific devices via the AirWatch Admin Console. There is a distinct difference between a per-app VPN and an on-demand VPN. With a per-app VPN, unique TCP tunnels are established per application and bind the application to the BIG-IP gateway. With an on-demand VPN, when a mobile application queries a particular domain name, a TCP/UDP tunnel is established for all device applications. Create New Per-App ios 7 Profile This section details how to create a new Per-App AirWatch profile for ios devices. Within the AirWatch Console, navigate to Devices->Profiles->List View. Then click the Add button, choose the IOS icon, and enter a Name for this profile. Figure 75: ios Per-App Profile Details 44
Next, in the left column, select the Credentials tab and click the Configure button. This will display the VPN Credentials settings that need to be applied. Select a Credential Source appropriate for the deployment. Figure 76: Per-App Credential Profile Details Next, in the left column, select the VPN tab and click the Configure button. This will display the VPN settings that need to be applied. Enter the Connection Type, Name, Server, and for the Account select {EnrollmentUser} from the drop-down list. Figure 77: Per-App VPN Details Click the Save & Publish button to continue. 45
BIG-IP Per-App Access Policy Make these modifications within the F5 BIG-IP web configuration utility. The existing policy can be modified or copied. These instructions will result in copying the existing policy, and applying the new policy to the virtual server. Copy the Access Policy To copy the policy to a new name, click on the Copy hyperlink from the F5_AirWatch_Policy policy row. Define a name for the new policy and then click the Copy button. Figure 78: Access Policy Copy Details The Access policy can be edited by clicking the Edit hyperlink. Edit the policy to match the following configuration. Delete the Resource Assignment macro item by clicking on the X link. Figure 79: Per-App Access Policy Details Note: Define the details of Certificate Authentication and Resource Assignment to meet deployment requirements. Refer to the Base VPN Access Profile settings in the Configuring BIG-IP sections above. Virtual Server Access Policy Assignment Apply the new Access Policy to the Virtual Server. Navigate to Local Traffic->Virtual Servers- >Virtual Server List. Figure 80: Virtual Server Details 46
Scroll down to the Access Policy section. Edit the Access Policy and select the new On-Demand profile from the drop-down menu. Figure 81: Virtual Server Access Profile Details Click the Update button. Conclusion This concludes the BIG-IP and AirWatch recommended practices guide. The configuration details may vary from the deployed network topology. 47