F5 Recommended Practices for BIG-IP and AirWatch MDM Integration F5 Networks, Inc.
F5 Recommended Practices for BIG-IP and AirWatch MDM Integration
F5 Networks, Inc.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
2Copyright F5 Networks Inc.
Contents
Introduction 4
Purpose 5
Requirements 6
Prerequisites 6
AirWatch 6
F5 BIG-IP 6
Network Topology 7
Big-IP Configuration 7
Remote Access Wizard 7
SSL Certificate and Key 14
SSL Client Profile 14
Virtual Server Advanced Configuration 15
Access Policy Manager - Visual Policy Editor 16
Basic AirWatch Access Policy Flow 16
BIG-IP ActiveSync Proxy 19
Login and Authentication Verification 19
Air Watch Configuration 21
AirWatch Console Access 21
Child Organization Group Creation 22
User Group Creation 23
Smart Group Creation 23
AirWatch and F5 Integration 24
AirWatch Certificate Authority 26
VPN Profiles 26
Base VPN Profile 26
On-Demand Certificate Authority VPN Access Profile 32
Copy the Access Policy 38
On-Demand Certificate Authority Macro 38
Variable Assign Object 39
Advanced Resource Assign Macro 41
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
3Copyright F5 Networks Inc.
SSL Client Certificate Modification 42
Virtual Server Access Policy assignment 43
Per-App VPN Profile 44
Copy the Access Policy 46
Conclusion 47
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
4Copyright F5 Networks Inc.
IntroductionThe F5 BIG-IP Access Policy Manager (APM) allows for the consolidation of multiple access gateways
(mobile application management, virtual desktop infrastructure, Microsoft Active Sync Proxy, and
others) into a single unified access gateway.
You can begin your deployment with a single access gateway use case or with multiple access
gateway use cases. In either scenario, F5’s tight integration with technology alliance partners allows
for validated configurations to ensure compatibility. While this recommended practices guide is
specific to integrating F5 BIG-IP APM with AirWatch MDM, you may reference our VDI access gateway
solutions here:
VMware Horizon View:
https://f5.com/solutions/deployment-guides/vmware-horizon-view-optimized-solution-big-ip-v114-apm
Citrix XenApp/XenDesktop:
https://f5.com/solutions/deployment-guides/citrix-xenapp-or-xendesktop-release-candidate-big
Microsoft Remote Desktop Services:
http://www.f5.com/pdf/deployment-guides/f5-microsoft-remote-desktop-services-dg.pdf
For VMware Horizon View, administrators may use BIG-IP APM as a PCoIP proxy for remote access
use cases. This greatly increases not only Horizon View security, but also scale and performance.
Many more F5 BIG-IP APM use cases may be referenced here:
https://f5.com/solutions/deployment-guides/tag/access%20policy%20manager
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
5Copyright F5 Networks Inc.
PurposeWith F5 BIG-IP APM, you may provide AirWatch mobile users unmatched secure remote access,
performance, and availability. This document outlines the configuration details required to integrate F5
BIG-IP APM with AirWatch mobile device management (MDM). The steps are a series of
recommended practices to follow in order to build an integrated solution. As with any system
deployment, the steps are examples and the deployed environment may not exactly match these
examples.
After completing this guide, you will be able to:
• Use the F5 BIG-IP APM as an AirWatch access gateway.
• Use the iOS BIG-IP Edge Client for Per-App VPN access with iOS 7 or later.
Please reference the latest iOS BIG-IP Edge Client configuration guide here:
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/related/apm-
edgeclientios-2-0-4.html
• Authenticate AirWatch MDM users via the BIG-IP APM.
• Initiate on-demand VPN tunnels by domain query.
• Use BIG-IP APM as a Microsoft Active Sync Proxy for Android and iOS email synchronization.
• Manage AirWatch MDM devices through the BIG-IP APM access gateway.
This recommended- practices guide will enable you to:
1. Configure an APM access policy (network access, authentication, webtop, and session
variables).
2. Create a certificate authority (CA), client certificates, and associated BIG-IP ClientSSL Profile.
3. Configure a BIG-IP virtual server and associate the APM access policy and SSL profile.
4. Configure multiple custom access policies for three (3) AirWatch remote access use cases:
a. A VPN profile for all iOS and Android network traffic
b. A VPN On-Demand Profile
c. A Per-App VPN profile
5. Configure required AirWatch groups and profiles.
6. Configure AirWatch for F5 integration.
7. Configure required AirWatch groups and profiles.
8. Enter AirWatch credential sources.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
6Copyright F5 Networks Inc.
RequirementsThis section covers various requirements for this guide. These include prerequisites, product licensing,
software, and/or hardware requirements.
PrerequisitesThe following prerequisites need to be addressed prior to implementing this guide. This solution
utilizes the following ancillary infrastructure:
• An authentication server
• An email server
• An application server
• An NTP time server
• Globally Routable IP addresses
• Mobile device(s) with network access (iOS and Android devices only)
• Internet access
• Administrator login credentials
• SSL Certificate and Key (please reference F5 solution article SOL14499 for how to create a
certificate authority and client certificates)
AirWatch• AirWatch service cloud subscription and AirWatch cloud account are required
Note: This recommended practices guide was formulated on a cloud-based AirWatch
deployment. The recommended practices in this document may apply to AirWatch on-
premises deployments but have not been tested.
F5 BIG-IP• Either a physical or a virtual instance of BIG-IP is required.
• This guide is based on BIG-IP software release 11.5.0.
• This solution relies on F5 Access Policy Manager (APM) and requires an APM software license.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
7Copyright F5 Networks Inc.
Network Topology
Figure 1: Logical Network Topology
Big-IP ConfigurationThis section covers the steps required to be performed within the BIG-IP web configuration utility.
Remote Access WizardThe BIG-IP configuration utility wizard will assist you in creating a remote access configuration using
Access Policy Manager (APM). Log in to the BIG-IP and select Wizards->Device Wizards from the
left menu bar. Select Network Access Setup Wizard for Remote Access and click Next.
Figure 2: Network Access Setup Wizard Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
8Copyright F5 Networks Inc.
Enter a Policy Name and Caption. The Default Language, Full Webtop, and Client Side Checks
fields are optional. Then click Next to continue.
Figure 3: Network Access Policy Name and Details
Select Create New or Use Existing in the Authentication Options field. Select the Authentication
Server type from the list. Then click Next to continue.
Figure 4: Authentication Server Type Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
9Copyright F5 Networks Inc.
The Authentication Server settings need to be defined. In this example we choose an Active Directory
Authentication method. Enter a Domain Name. In this example, a Direct connection to the Primary
Domain Controller is chosen. Enter an IP Address, Admin Name, and Password for the Active
Directory Domain. Then click Next to continue.
Figure 5: Active Directory Server Details
A lease pool is a pool of available IP addresses that BIG-IP will assign to remote clients for network
access. The size of this pool needs to be large enough to provide enough address space for the total
concurrent connections licensed by APM. In this example, an address space of 20 IP addresses is
defined. Select a Supported IP Version, and a Start and End IP Address. Select Add to move the
address range to the Member List. Click Next to continue.
Figure 6: IPv4 Lease Pool Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
10Copyright F5 Networks Inc.
The client settings should be set according to the deployment scenario requirements. In this example,
all traffic will be forced through the SSL VPN tunnel. Select Force all traffic through tunnel. Then
click Next to continue.
Figure 7: Traffic Option Client Details
Primary and Secondary Name Servers need to be specified. Enter a Primary and Secondary
Name Server and the Default Domain Suffix.
Figure 8: DNS Server Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
11Copyright F5 Networks Inc.
An optional step is to add Static Host entries. These are static host names to IP address assignments
that BIG-IP can use to resolve remote access client requests. In this example, two static hosts are
added. Host entries for an email server and an application server are input. If this is required, enter a
Host Name and an IP Address and then select Add to include these entries in the list. Click Next to
continue.
Figure 9: Static Host Details
Finally, the Virtual Server IP Address needs to be defined. A Redirect Server will also be created,
which will redirect client requests to the HTTPS virtual server. Enter an IP Address that is globally
routable and resolvable by DNS. Click Next to continue.
Figure 10: Virtual Server IP Address Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
12Copyright F5 Networks Inc.
The wizard will display a list of all the configuration values entered. Review the list. Click Next to
continue or Previous to correct any configuration mistakes.
Figure 11: Access Wizard Confirmation Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
13Copyright F5 Networks Inc.
The Setup Summary is displayed.
Figure 12: Access Wizard Setup Details
The wizard will address most of the configuration tasks necessary. The next sections will address the
ones that haven’t been addressed.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
14Copyright F5 Networks Inc.
SSL Certificate and KeyThis solution requires that an SSL certificate and key pair be imported to BIG-IP. These configuration
procedures are beyond the scope of this document but can be referenced in F5 solution article
SOL14499. These procedures can be used to create a certificate authority (CA) and client certificates
and provide instructions for importation to BIG-IP.
It is important that you generate the required certificate and key pair before continuing to
the next section.
SSL Client ProfileAn SSL Client Profile must be bound to the HTTPS virtual server created in the previous section.
Follow the configuration procedures to create an SSL Client Profile: Navigate to Local Traffic-
>Profiles->SSL->Client and select Create. Enter a Name. Scroll down to the Client Authentication
section. Check the Custom boxes for Client Certificate and choose Require. Check the Custom
boxes for Trusted Certificate Authorities and Advertised Certificate Authorities and select the
certificate that was imported from the previous section.
Figure 13: SSL Client Profile Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
15Copyright F5 Networks Inc.
Virtual Server Advanced ConfigurationSome virtual server parameters below will require modifications:
Select the External VLAN from the Available list and click the << button to move it to the Selected
column. This is a security feature that prevents VLAN misuse.
Figure 14: External VLAN Selection
Set the virtual server to use the SSL Client profile created in the previous section. Select the SSL
Profile from the Available column and click the << button to move it to the Selected column. Click the >> button on the clientssl default profile from the Selected column to move it to the Available
column.
Figure 15: SSL Client Profile Details
Check Enabled for VDI and Java Support.
Figure 16: Enable VDI and Java Support Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
16Copyright F5 Networks Inc.
Access Policy Manager - Visual Policy EditorThe F5 BIG-IP Access Policy Manager (APM) Visual Policy Editor (VPE) is a subordinate user interface
(UI) that resides within the BIG-IP APM web configuration utility to assist with building access policies.
Depending on the deployment scenario, it may be necessary to alter the access policy. Follow these
procedures to configure the VPE:
Basic AirWatch Access Policy Flow
Access the current access policy by navigating to Access Policy->Access Profiles->Access
Profiles List. The list of access policies is displayed.
Figure 17: Access Policy Details
Click on the Edit hyperlink from the F5_AirWatch_Policy policy row. The VPE is displayed. The
current policy should look like the following:
Figure 18: Access Policy Flow for Basic AirWatch Policy Details
Note: Each of the hyperlink items in blue unscored text can be modified to address the
deployment requirements.
The next few sections will detail some of these basic access policy settings.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
17Copyright F5 Networks Inc.
Logon Page Macro
From Figure 18 above, click on the hyperlink labeled Logon Page. This will display the Logon page
Properties tab.
The top portion of the page details the parameters that will be presented to the user.
Figure 19: Logon Page Agent Details
The lower portion of the page contains the customizations parameters available.
Figure 20: Logon Page Customization Details
Modify these values to satisfy site specific deployment requirements. Select Cancel or Save to return
to the VPE.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
18Copyright F5 Networks Inc.
AD Auth Macro
From figure 18 above, click on the hyperlink labeled AD Auth to display the Authentication page
Properties tab.
Figure 21: AD Authentication Configuration Details
Modify these values to satisfy site specific deployment requirements. Select Cancel or Save to return
to the VPE.
Resource Assign Macro
From figure 18 above, click on the hyperlink labeled Resource Assign to display the Resource
Properties tab.
Figure 22: Resource Assignment Configuration Details
Modify these values to satisfy site-specific deployment requirements. Select Cancel or Save to return
to the VPE. Click the Close button when you’re finished.
Note: It is recommended to take these access policy options into consideration when
deploying AirWatch VPN Profiles.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
19Copyright F5 Networks Inc.
BIG-IP ActiveSync Proxy
F5 BIG-IP APM’s Microsoft ActiveSync proxy enables native email application integration for both
Android and iOS devices. These configuration procedures are beyond the scope of this document. To
configure BIG-IP APM as a Microsoft ActiveSync proxy, please see the deployment guide and
according iApp.
Login and Authentication VerificationYou should now be able to test the APM Access Policy from a PC client. This tests the integration of
the BIG-IP APM with respective authentication servers.
From a PC client, test that the APM logon prompt is properly displayed. Open a Web Browser and
enter the fully-qualified domain name (FQDN) or IP address of the APM-protected Virtual Server. The
Secure Logon page is displayed. Enter a valid username and password and select Logon to continue.
Figure 23: APM Logon Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
20Copyright F5 Networks Inc.
If this is the first time you’re logging onto the APM-Protected Virtual Server, you may have to install
browser plugins. If this is the case, follow these instructions:
Figure 24: Browser Plugin Notification Details
Once the test client can properly authenticate and obtain privileges, Mobile Device Management
(MDM) can be configured.
If the client is unable to authenticate, review the APM log files in the BIG-IP command line interface
(CLI) at /var/log/apm.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
21Copyright F5 Networks Inc.
Air Watch ConfigurationThis section covers the steps required for MDM configuration via the AirWatch administration console
(herein referred to as the AirWatch console).
AirWatch Console AccessThe AirWatch console is the management interface to configure AirWatch MDM. Log in to the
AirWatch Console. The console dashboard is displayed.
Figure 25: AirWatch Console Dashboard Details
The console is laid out with tabs on the far-left column that expose sub tabs to the right of these tabs.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
22Copyright F5 Networks Inc.
Child Organization Group CreationAn organization group is a simple way to manage VPN profiles and devices. It allows for configuration
settings that adhere to deployment requirements to be set at the organization level and be applied by
default. Within the AirWatch console, select the Groups & Settings icon on the left. Expand the
Groups, Organization Groups, Organization Group Details menu tree.
Figure 26: AirWatch Organization Group Creation Details
Note: You’ll need the Group ID for future reference while performing additional configuration
steps.
Enter a Name for the group and a Group ID, and then click Save. Be sure to choose this group from
the upper-left tab.
Figure 27: Organization Group Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
23Copyright F5 Networks Inc.
User Group CreationAdd a new user group by selecting Groups & Settings->Groups->User Groups, and then click on
the Add hyperlink. Enter the Name for the group and click Save to continue.
Figure 28: New User Group Details
Click Save when finished.
Smart Group CreationAdd a new smart group by selecting Groups & Settings->Groups->Smart Groups, and then click
on the Add Smart Group hyperlink. Enter the Name for the smart group at the top-right of the screen.
Select only the Organization Group and User Group previously created.
Figure 29: New Smart Group Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
24Copyright F5 Networks Inc.
Click Save when finished.
AirWatch and F5 IntegrationTo enable the F5 integration, perform the following steps. Navigate to Group & Settings->All
Settings and select the System tab in the left-hand column. The System tab menu selections are
displayed. Expand the Enterprise Integration menu item and select Enterprise Integration
Services.
Figure 30: System Details
It should be noted that if the Current Setting is Inherit, you will need to change it to Override by
selecting Override in order to enable enterprise integration. You may also need to change the cloud
connector and/or mobile access gateway (MAG) current setting to override. Enable the enterprise
Integration by clicking the Enable button. Enter an EIS URL. This is the FQDN that resolves to the IP
address of the BIG-IP Virtual Server.
Figure 31: EIS URL BIG-IP FQDN Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
25Copyright F5 Networks Inc.
Scroll down to the Enterprise Services section. Enable or Disable the necessary services.
Figure 32: Enterprise Services Details
Next, scroll down to the AirWatch Services. Enable the services as per deployment requirements.
Figure 33: AirWatch Services Details
Next, verify the Certificate state and Child Permissions.
Figure 34: Certificate State and Child Permissions State Details
Click Save when finished.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
26Copyright F5 Networks Inc.
AirWatch Certificate AuthorityA CA needs to be defined. Within the AirWatch console, navigate to System->Enterprise Integration
->Certificate Authorities. Click the Add button to add a new CA. Enter a valid Name, Auth Type,
Server Hostname, Authority Name, Username, and password.
Figure 35: AirWatch Certificate Authority Details
Click Save when finished.
VPN ProfilesYou can deploy three different VPN Profile types:
• A Base VPN Profile for all iOS and Android network traffic
• A VPN On-Demand Profile that will initiate a VPN connection whenever applications navigate to
predefined domains
• A Per-App VPN Profile that specifies which applications can utilize the VPN connection
Base VPN Profile
To create a base VPN Profile for Android and iOS devices, within the AirWatch console, navigate to
Devices->Profiles->List View menu from within the left column.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
27Copyright F5 Networks Inc.
Create New Android Profile
To create a new AirWatch profile for Android devices, within the AirWatch Console, navigate to
Devices->Profiles->List View. Click the Add button and then choose the Android icon.
Figure 36: Android Platform Detail
Enter a Name and select the Smart Group previously created for this profile.
Figure 37: Android Profile Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
28Copyright F5 Networks Inc.
Next, in the left column, select the Passcode tab and then click the Configure button. This will
display the Passcode settings that need to be applied. Select the Minimum Passcode Length value
as per deployment requirements. For this example the default values remain.
Figure 38: Passcode Details
Next, in the left column, select the Restrictions tab and then click the Configure button. This will
display the restriction settings that can be applied. Note that some values are operating system–
dependent. Apply the appropriate restrictions per deployment requirements.
Figure 39: Restriction Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
29Copyright F5 Networks Inc.
Next, in the left column, select the VPN tab and then click the Configure button. This will display the
VPN settings that need to be applied. Choose the F5 SSL Connection Type. Enter a Connection
Name for the profile; make sure the Server is the BIG-IP Virtual Server FQDN; and select {EnrollmentUser} as the Username.
Figure 40: Android VPN Profile Details
Next, in the left column, select the Exchange ActiveSync tab and then click the Configure button.
This will display the ActiveSync settings that need to be applied. Enter the Account Name and enter
the FQDN of the BIG-IP Virtual Server as the Exchange ActiveSync Host.
Figure 41: Exchange ActiveSync Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
30Copyright F5 Networks Inc.
Login Information needs to be defined. Enter a Domain. Click the + button next to User and enter {EnrollmentUser}.
Figure 42: Exchange ActiveSync Login Details
In the Settings section, in the Past Days of Mail to Sync field, enter the value the deployment
requires. In this example, Auto is selected. In the Contacts and Calendar section in this example,
Native Contacts Application is chosen for both fields.
Figure 43: Exchange ActiveSync Settings and Security Details
Click the Save & Publish button to continue.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
31Copyright F5 Networks Inc.
Create iOS Profile
In this section you will create a new AirWatch profile for iOS devices. Within the AirWatch Console
navigate to Devices->Profiles->List View. Click the Add button and then choose the Apple iOS
icon. Enter a Name for this profile.
Figure 44: iOS Profile Details
Next, in the left column, select the VPN tab and click the Configure button. This will display the VPN
settings that need to be applied.
Enter the Connection Name, Type, Server, and select {EnrollmentUser} as the Account. Then
select the Per-App VPN and Connect Automatically check boxes.
Figure 45: iOS VPN Profile Details
Click the Save & Publish button to continue.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
32Copyright F5 Networks Inc.
On-Demand Certificate Authority VPN Access Profile
This profile builds on the Base VPN Profile. The VPN On-Demand feature allows applications to
automatically initiate a VPN connection using the F5 client whenever those applications navigate to any
of the domains specified in the VPN Profile.
Create New On-Demand Android Profile
In this section you will create a new On-Demand AirWatch profile for Android devices. Within the
AirWatch console navigate to Devices->Profiles->List View, click the Add button, choose the
Android icon, and then enter a Name for this profile.
Figure 46: Android On-Demand Profile Details
Next, in the left column, select the Credentials tab, and then click the Configure button. This will
display the VPN Credentials settings that need to be applied. Select a Credential Source appropriate
for the deployment.
Figure 47: On-Demand Credential Profile Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
33Copyright F5 Networks Inc.
Next, in the left column, select the VPN tab and click the Configure button. This will display the VPN
settings that need to be applied.
Enter the Connection Type, Name, Server, and select the Username.
Figure 48: On-Demand VPN Details
Click the Save & Publish button to continue.
Create New On-Demand iOS Profile
This section contains instructions on how to create a new AirWatch profile for iOS devices. Within
the AirWatch Console, navigate to Devices->Profiles->List View, click the Add button, and then
choose the Apple iOS icon from the platform listing.
Figure 49: Platform Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
34Copyright F5 Networks Inc.
Enter a Name and select the Smart Group previously created for this profile.
Figure 50: iOS Profile Details
Next, in the left column, select the Passcode tab and then click the Configure button.
This will display the Passcode settings that need to be applied. Select the Require passcode on
device checkbox. This will display more passcode settings. For this example, additional values remain
the defaults.
Figure 51: Passcode Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
35Copyright F5 Networks Inc.
Next, in the left column, select the Restrictions tab and click the Configure button. This will display
the restriction settings that can be applied. Note that some values are operating system–
dependent. Select the checkboxes that correspond to the restrictions that the deployment requires.
Figure 52: Restriction Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
36Copyright F5 Networks Inc.
Next, in the left column, select the VPN tab and then click the Configure button. This will display the
VPN settings that need to be applied. Enter the Name of the profile; select F5 SSL as the
Connection Type; enter the FQDN of the BIG-IP Virtual Server as the Server; and select {EnrollmentUser} as the Account. Then select the Per-App VPN and Connect Automatically
checkboxes.
Within the Safari Domains, add the appropriate Domains for the deployment. User Authentication
remains the default value of Password.
Figure 53: iOS VPN Profile Details
Next, in the left column, select the Exchange ActiveSync tab and then click the Configure button.
This will display the Exchange ActiveSync settings that need to be applied. Enter a Name for this
account. Enter the FQDN of the BIG-IP Virtual Server as the Exchange ActiveSync Host.
Figure 54: Exchange ActiveSync Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
37Copyright F5 Networks Inc.
The Login Information needs to be defined. Enter a Domain. Click the + link next to Username and
enter {EnrollmentUser}.
Figure 55: Exchange ActiveSync Login Details
In the Settings and Security section, For Past Days of Mail to Sync select a value that the
deployment requires. In this example, 2 weeks is selected.
Figure 56: Exchange ActiveSync and Security Details
Click the Save & Publish button to continue.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
38Copyright F5 Networks Inc.
BIG-IP On-Demand Certificate Authentication Access Policy
Make the following modifications within the F5 BIG-IP web configuration utility.
The existing access policy can be modified or copied. These instructions will result in copying the
existing policy and modifying the SSL client profile.
Copy the Access Policy
To copy the policy to a new name, click on the Copy hyperlink from the F5_AirWatch_Policy policy
row. Enter a name for the new policy and click the Copy button.
Figure 57: Access Profile Copy Details
The Access policy can be edited by clicking on the Edit hyperlink. Modify the policy to match the
following configuration.
Figure 58: On-Demand Certificate Authentication Access Policy Details
Note: Enter the details of the Certificate Authentication and Resource Assignment to meet
deployment requirements.
On-Demand Certificate Authority Macro
Click on the hyperlink labeled On-Demand Cert Auth.
Figure 59: On-Demand Certificate Authentication Details
The Authentication mode is set to Request. Leave the settings at the default values and click the
Save button.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
39Copyright F5 Networks Inc.
Variable Assign Object
Add a variable assign object to the policy by clicking the + symbol on the Successful branch of the
On-Demand Cert Auth macro. Enter a Name; in this example it is Extract UPN. Add a new variable
entry by clicking the Change hyperlink.
Figure 60: On-Demand Certificate Authority VPE Macro
Figure 61: Variable Assign Details
Note: The “name” parameter specified in the three variable-assignment screen captures below
is entered in the “Custom Variable” box (in Figure 60 above) for each variable assignment you
create.
Add three variable assignments as follows:
Name: session.logon.last.domainCustom Expression:set upn [mcget {session.logon.last.upn}]; if {[string first “@” $upn] >= 0} { return [string range $upn [expr { [string first “@” $upn] + 1 } ] end ]; } else { return “”;}
Figure 62: Variable Assignment #1
Name: session.logon.last.usernameCustom Expression:set upn [mcget {session.logon.last.upn}];
if {[string first “@” $upn] >= 0} { return [string range $upn 0 [expr { [string first “@” $upn] - 1 } ] ]; } else { return $upn;}
Figure 63: Variable Assignment #2
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
40Copyright F5 Networks Inc.
Name: session.logon.last.upnCustom Expression:set e _ fields [split [mcget {session.ssl.cert.x509extension}] “\n”]; foreach qq $e _ fields { if {[string first “othername:UPN” $qq] >= 0} { return [string range $qq [expr { [string first “<” $qq] + 1 } ] [expr { [string first “>” $qq] - 1 } ] ]; }} return “”;
Figure 64: Variable Assignment #3
Figure 65: Variable Assignment for Extract UPN Macro Details
Note: The Extract UPN Variable Assignment dialog should now appear as shown in Figure 63.
If it does not, edit each entry to match the values displayed in the graphic.
Note: If you choose to cut and paste the variable name and expression, be sure to paste the
copied text as plain text. Otherwise an error pertaining to the variable syntax may block saving
these assignments.
The next step will be to add an advanced resource assignment to the access policy.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
41Copyright F5 Networks Inc.
Advanced Resource Assign Macro
Add an advanced resource assign object to the policy by clicking the + link on the Successful
branch of the Extract UPN variable assignment macro. Enter a Name; in this example it is SSL VPN.
Select the Network Access tab and choose the F5_AirWatch_Policy_na_res that was created as a
part of the initial BIG-IP Access Policy Wizard configuration task previously completed.
Figure 66: On-Demand Certificate Authority VPE Macro
Figure 67: Network Access Resource Details
Select the Webtop tab and select the F5_AirWatch_Policy_webtop that was created in the initial
BIG-IP base configuration. Then click the Update button.
Figure 68: Webtop Assignment Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
42Copyright F5 Networks Inc.
The resource assignment macro should look as follows:
Figure 69: Resource Assignment Details
Click the Save button to return to the policy flow diagram. The On-Demand Policy should now look as
follows:
Figure 70: On-Demand Policy Details
SSL Client Certificate ModificationWhen using On-Demand Certificate Authentication, client authentication is enabled with a Client
certificate set. This setting needs to be changed to Ignore. Navigate to Local Traffic->Profiles-
>SSL->Client. The list of SSL Profiles is displayed; Select the AW_Client_Cert profile.
Figure 71: SSL Client Profile Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
43Copyright F5 Networks Inc.
Scroll down to the Client Authentication section and for the Client Certificate select Ignore from
the drop-down list.
Figure 72: Client Authentication Set to Ignore Client Certificate
Click the Update button to complete the change.
Virtual Server Access Policy assignment
The new Access Policy needs to be applied to the Virtual Server. To do this, navigate to Local Traffic
->Virtual Servers->Virtual Server List.
Figure 73: F5 Air Watch HTTPS Virtual Server Details
Scroll down to the Access Policy section. Modify the Access Profile to be the new On-Demand
profile.
Figure 74: Virtual Server Access Profile Details
Click the Update button to continue.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
44Copyright F5 Networks Inc.
Per-App VPN Profile
This profile builds on the Base VPN Profile.
The Per-App VPN Profile is available in iOS 7 devices. This allows the profile to specify which
applications can utilize the VPN connection. These are the managed applications that are pushed to
specific devices via the AirWatch Admin Console.
There is a distinct difference between a per-app VPN and an on-demand VPN. With a per-app VPN,
unique TCP tunnels are established per application and bind the application to the BIG-IP gateway.
With an on-demand VPN, when a mobile application queries a particular domain name, a TCP/UDP
tunnel is established for all device applications.
Create New Per-App iOS 7 Profile
This section details how to create a new Per-App AirWatch profile for iOS devices. Within the
AirWatch Console, navigate to Devices->Profiles->List View. Then click the Add button, choose the
IOS icon, and enter a Name for this profile.
Figure 75: iOS Per-App Profile Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
45Copyright F5 Networks Inc.
Next, in the left column, select the Credentials tab and click the Configure button. This will display the
VPN Credentials settings that need to be applied. Select a Credential Source appropriate for the
deployment.
Figure 76: Per-App Credential Profile Details
Next, in the left column, select the VPN tab and click the Configure button. This will display the VPN
settings that need to be applied.
Enter the Connection Type, Name, Server, and for the Account select {EnrollmentUser} from the
drop-down list.
Figure 77: Per-App VPN Details
Click the Save & Publish button to continue.
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
46Copyright F5 Networks Inc.
BIG-IP Per-App Access Policy
Make these modifications within the F5 BIG-IP web configuration utility.
The existing policy can be modified or copied. These instructions will result in copying the existing
policy, and applying the new policy to the virtual server.
Copy the Access Policy
To copy the policy to a new name, click on the Copy hyperlink from the F5_AirWatch_Policy policy row.
Define a name for the new policy and then click the Copy button.
Figure 78: Access Policy Copy Details
The Access policy can be edited by clicking the Edit hyperlink. Edit the policy to match the following
configuration. Delete the Resource Assignment macro item by clicking on the X link .
Figure 79: Per-App Access Policy Details
Note: Define the details of Certificate Authentication and Resource Assignment to meet
deployment requirements. Refer to the Base VPN Access Profile settings in the Configuring
BIG-IP sections above.
Virtual Server Access Policy Assignment
Apply the new Access Policy to the Virtual Server. Navigate to Local Traffic->Virtual Servers-
>Virtual Server List.
Figure 80: Virtual Server Details
F5 BIG-IP and AirWatch MDM Integration Recommended Practices
47Copyright F5 Networks Inc.
Scroll down to the Access Policy section. Edit the Access Policy and select the new On-Demand
profile from the drop-down menu.
Figure 81: Virtual Server Access Profile Details
Click the Update button.
ConclusionThis concludes the BIG-IP and AirWatch recommended practices guide. The configuration details may
vary from the deployed network topology.