Recently, we had a requirement to allow iPad devices to connect to the corporate network. This is because some of the iOS apps being developed in-house need to be tested on the corporate network only. In order to evaluate and test the app, the iPad devices need to connect to the office (corporate) network. The team doing the testing is at a remote site where there is no corporate network.
If you are a pure MAM shop, please note that MAM does not enforce device compliance, because you cannot enforce device configuration policies with MAM alone; that can only be achieved via MDM. Therefore, to achieve this F5 VPN setup you will need to push MDM compliance policies so that the device state can be marked as compliant or non-compliant. Based on the result of the compliance check, F5 APM will allow or deny VPN access. F5 APM achieves this by reading the device status from Intune MDM.
Microsoft Intune includes many VPN settings that can be deployed to your iOS devices. These settings are used to create and configure VPN connections to your organization's network.
In this article, we will see how to create a VPN access profile for iOS and deploy it.
Please note that testing the VPN profile (F5 Access) requires support from the Azure team because it involves the creation of a web application.
Components required:
1. Create a basic device compliance policy (as per your org)
2. VPN access profile in Intune for F5 Access
3. Azure web application
4. Access Policy Manager (APM) in F5 Access
Components 1) and 2) are to be created by the Intune admin, 3) by the Azure/GA team, and 4) by the F5/network team who manages the application.
Before we start creating the VPN access profile for iOS in Intune, please get the following information from your F5/network team:
VPN IP address / FQDN and proxy server details.
1. Create basic device compliance policy
Device compliance policies are a key feature when using Intune to protect your organization's resources. Start by creating a device compliance policy as per your org standards. Follow the guide to create a compliance policy for iOS: https://docs.microsoft.com/en-us/intune/create-compliance-policy.
2. Create VPN access profile in Intune for F5 Access
We will now create the VPN access profile for F5 Access. The following steps are for an iOS profile, but they should be similar for Android.
Log in to the Azure portal (https://portal.azure.com), click Intune, Device Configuration, Profiles, then click Create profile.
Short URL to do the same: https://portal.azure.com/#blade/Microsoft_Intune_DeviceSettings/DeviceConfigMainMenuViewModel/deviceConfiguration
Name: iOS_F5_VPN_Access
Platform: iOS
Profile Type: VPN
Settings: Configure
Connection Type: F5 Access
- F5 Access Legacy: Applicable to F5 Access app version 2.1 and earlier.
- F5 Access: Applicable to F5 Access app version 3.0 and later.
Connection name: SG VPN
IP address or FQDN: gw1.sg.connect.net
Authentication method: Username and password (the user authenticates to the VPN server by providing a user name and password). You can also choose Certificates; however, that requires NDES/SCEP to push certificates to the device. Certificates are the more secure option. For the scope of this article, we are choosing username and password, as we will only allow F5 to connect if the device is compliant. This is achieved via the device posture check that F5 performs by leveraging Intune.
Click Agree, then click OK.
Automatic configuration script: http://pac.intranet/SGPAC.pac
Click OK.
We have now created the VPN profile in Intune; it can be deployed to the users/devices who need to connect to the corporate network.
3. Azure web application:
Now we will create the Azure web application. F5 APM needs it to read Intune data such as device status and device GUID.
Log in to the Azure AD portal, click Azure Active Directory, then click App registrations. If you don't have access to this, please reach out to your Global Admin. If you are not a GA, you need at least the Application Administrator role in Azure AD for this to work.
Shortcut link: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview
Click New registration.
Enter the name and choose the supported account type 'Single tenant'.
Once the app is created, you need to pass the following information to the F5 Access team, who will use it to configure APM to allow devices onto the corporate network.
Application (client) ID: 05d745da-8a7d-46d7-b935-674fafe172c2
Directory (tenant) ID: 1006705e-2664-4e6b-b1a2-c4d4ccfd1528
Client Secret: ? (created below)
From the Overview tab you can get the first two values; for the client secret, you need to create one under Certificates & secrets.
Click Certificates & secrets, then click New client secret.
You can choose a period up to never expiring. I will choose 2 years for now.
Click Copy. The secret value is readable only once: if you refresh the page or change the view, you will lose it and will need to create a new one.
Next, assign the correct API permissions so F5 Access can read the device details from Intune.
Click API permissions, then click Add a permission.
Select Intune, then click Application permissions.
Now click Add a permission once again, choose Microsoft Graph, choose Application permissions, and follow the screenshots.
Now click Microsoft Graph again (this is the final one); this time, choose Delegated permissions.
You will see the following screen with status: Warning.
Click Grant admin consent.
Once consent is granted, you will see the status turn green.
We have now completed the steps required for APM (F5 Access); pass the following information to the F5 Access team.
Application (client) ID: 05d745da-8a7d-46d7-b935-674fafe172c2
Directory (tenant) ID: 1006705e-2664-4e6b-b1a2-c4d4ccfd1528
Client Secret: the value you copied above.
Simply creating the VPN profile in Intune and deploying it to devices won't be enough on its own. Before F5 Access allows you to connect to the corporate network, a device posture check is performed. We can configure BIG-IP Access Policy Manager to verify the mobile device posture: the verification result comes from the endpoint management system before the access policy allows access. An endpoint management system also controls the corporate data on mobile devices. Edge Client establishes a VPN connection with APM, and the endpoint management system (Intune) manages the devices and sends their details to APM.
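To make the posture check concrete, here is an added example (not code from the original post, from F5, or from Microsoft) of what a relying party such as APM does with the app registration values from section 3: it obtains a Microsoft Graph token with the OAuth2 client-credentials flow (the flow the Graph application permissions authorise) and then reads the device's complianceState from the Intune managedDevices listing. The tenant and client IDs are the ones from this article; the client secret is a placeholder. The network calls are not performed here: the block only builds the requests and evaluates a constructed sample response page. Keying the lookup on serialNumber, treating a jailbroken device as a deny, and the optional grace-period allowance are this example's own assumptions, not F5's documented logic.

```python
"""Added example: Graph client-credentials token request and an Intune
compliance-based allow/deny decision, evaluated offline on constructed data."""
import json
from urllib.parse import urlencode

# Values from the article; the secret is a placeholder, never commit a real one.
TENANT_ID = "1006705e-2664-4e6b-b1a2-c4d4ccfd1528"
CLIENT_ID = "05d745da-8a7d-46d7-b935-674fafe172c2"
CLIENT_SECRET = "<client-secret-copied-from-certificates-and-secrets>"

GRAPH = "https://graph.microsoft.com/v1.0"
TOKEN_SCOPE = "https://graph.microsoft.com/.default"


def token_request(tenant_id, client_id, client_secret):
    """Build the OAuth2 client-credentials request: (token URL, form-encoded body).

    No user is involved; the app's own Application permissions are what the
    resulting token carries, which is why admin consent was required above.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": TOKEN_SCOPE,
    })
    return url, body


def managed_devices_request(access_token):
    """Build the Graph request that lists Intune managed devices: (URL, headers)."""
    url = f"{GRAPH}/deviceManagement/managedDevices"
    headers = {"Authorization": f"Bearer {access_token}",
               "Accept": "application/json"}
    return url, headers


def evaluate_posture(graph_page, serial_number, allow_grace_period=False):
    """Return (decision, reason) for one device found in a managedDevices page.

    Assumptions of this example: the device is matched by serialNumber, a
    jailbroken device is always denied, and a device in its compliance grace
    period is allowed only when allow_grace_period is set.
    """
    for device in graph_page.get("value", []):
        if device.get("serialNumber") != serial_number:
            continue
        # Graph reports jailBroken as a string ("True"/"False"/"Unknown").
        if str(device.get("jailBroken", "Unknown")).lower() == "true":
            return "deny", "jailbroken"
        state = device.get("complianceState", "unknown")
        if state == "compliant":
            return "allow", state
        if state == "inGracePeriod" and allow_grace_period:
            return "allow", state
        return "deny", state
    # An unenrolled device has no Intune record at all, so it cannot be compliant.
    return "deny", "not enrolled in Intune"


# Constructed sample page mirroring the shape of a managedDevices listing.
SAMPLE_PAGE = json.loads("""{
  "value": [
    {"id": "dev-1", "deviceName": "iPad-QA-01", "serialNumber": "SN0001",
     "operatingSystem": "iOS", "complianceState": "compliant", "jailBroken": "False"},
    {"id": "dev-2", "deviceName": "iPad-QA-02", "serialNumber": "SN0002",
     "operatingSystem": "iOS", "complianceState": "noncompliant", "jailBroken": "False"},
    {"id": "dev-3", "deviceName": "iPad-QA-03", "serialNumber": "SN0003",
     "operatingSystem": "iOS", "complianceState": "inGracePeriod", "jailBroken": "False"},
    {"id": "dev-4", "deviceName": "iPad-QA-04", "serialNumber": "SN0004",
     "operatingSystem": "iOS", "complianceState": "compliant", "jailBroken": "True"}
  ]
}""")


if __name__ == "__main__":
    url, _body = token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    print("POST", url, "(body not printed: it contains the client secret)")
    for serial in ("SN0001", "SN0002", "SN0003", "SN0004", "SN9999"):
        print(serial, evaluate_posture(SAMPLE_PAGE, serial))
```

The decision logic is deliberately "deny unless proven compliant": an unknown, erroring or unenrolled device is treated the same as a non-compliant one, which is the behaviour you want from a VPN gateway that relies on Intune for posture.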
4. Access Policy Manager (APM) in F5 Access
To configure APM for F5 Access, ask your network team to follow the steps available at https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-client-configuration-7-1-6/6.html#guid-0bd12e12-8107-40ec-979d-c44779a8cc89
Once APM is configured in F5, you can assign the VPN access profile in Intune to device/user groups for testing.
Once the deployment is done, users should see the VPN configuration details on the device.
Ask users to install F5 Access (not the Legacy version) from the App Store and log in with their username and password.
We have seen issues where the connection to the F5 Access VPN works but then disconnects immediately. The reason for this is that the F5 Access box was running old 12.xx and needed to be upgraded to the latest version 13.x to get this fix.
If you have a firewall that must allow the F5 Access box to reach the internet, you need to allow that as well. The F5 Access team will have all the logs to troubleshoot further.
You should contact the F5 Access team for any troubleshooting.
Hope this helps!
References:
Create VPN profiles to connect to VPN servers in Intune https://docs.microsoft.com/en-us/intune/vpn-settings-configure
Configure VPN settings on iOS devices in Microsoft Intune https://docs.microsoft.com/en-us/intune/vpn-settings-ios
Configuring Access Policy Manager for MDM applications https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-client-configuration-7-1-6/6.html#guid-0bd12e12-8107-40ec-979d-c44779a8cc89