F5 Edge Client 7.2.1: Improving Security And Simplifying User Experience for Network and Web Application Access

F5 recently released a new version of the F5 Edge Client (v7.2.1). For those of you not familiar with the F5 Edge Client, it is an SSL VPN client that is used to provide access to enterprise networks for employees working from home or remote locations. It is used with BIG-IP Access Policy Manager (APM), F5’s secure, highly-scalable access management proxy solution that provides centralized access control to applications and APIs, and also enables Zero Trust application access when configured for identity aware proxy (IAP). The F5 Edge Client secures remote access for home and remote workers. F5 Edge Client is available on Apple macOS and Microsoft Windows. (F5 also offers SSL VPN clients—F5 Access clients—for Apple iOS, and Google Android, and Chrome OS platforms. F5 Access clients are available for download from the Apple App Store, Google Play Store, and Chrome Web Store, respectively.)

Older versions of F5 Edge Client supported Datagram Transport Layer Security (DTLS) version 1.0 for remote connectivity, securing, and tunneling delay-sensitive applications.

F5 Edge Client 7.2.1 now supports DTLS 1.2, which enables enterprises and government agencies and ministries to meet new compliance requirements and to stop using DTLS 1.0, which has a number of security limitations. DTLS 1.2 allows client / server applications to communicate without fear of eavesdropping, tampering, or message forgery.

Another new feature in this version allows name based split tunneling configurations to work with services that are DNS load balanced. This allows continued long-lived connections—such as those used by streaming services—even if a subsequent name resolution results in a different IP address.

Organizations deploy BIG-IP APM to provide their users—employees, contractors, and others—remote access to their networks and to provide secure remote access to enterprise applications. To reduce friction and increase agility for their users, organizations must provide seamless access to web applications as well as their network without requiring users to log in multiple times. This is especially important given the explosion in the number of users forced to work from home or remotely due to the coronavirus pandemic.

The most exciting new feature of F5 Edge Client 7.2.1 is its ability to deliver single sign-on (SSO) across web and remote access applications.

F5 Edge Client 7.2.1 uses Open Authentication (OAuth) authorization code flow to obtain an access token from an OAuth authorization server. That access token is then used to authenticate to BIG-IP APM to obtain secure remote access to an organization’s enterprise network. F5 Edge Client 7.2.1 works with any compliant OAuth authorization server and is validated with Azure AD, Okta, Google, and Ping Identity authorization servers.

By utilizing OAuth Authorization code flow, this new version of F5 Edge Client delegates authentication to a user’s external browser. Since user authentication is performed via external browser, F5 Edge Client can now support all new modern authentication methods that may be supported by an organization’s authorization servers, including:

• Password-less authentication from a registered Microsoft Windows device using biometrics, such as a fingerprint scan or facial recognition, or a PIN.
  
• 2^nd factor authenticators, such as YubiKey from Yubico, which comply with the Universal 2^nd Factor (U2F) specification. U2F devices can be enrolled through a web-based enrollment flow without requiring any client-side software or drivers.
• FIDO2 authentication from any Windows or macOS device by using third-party or built-in authenticators without requiring additional drivers or client-side software to enable these authenticators.

F5 Edge Client 7.2.1 enables enterprises to realize several benefits, such as enhanced security, improved usability and convenience, increased privacy for end users, and scalability by performing authentication in the browser and by utilizing FIDO2 authentication.

FIDO2 cryptographic login credentials never leave a user’s device and are never stored on a server. Therefore, this eliminates risks associated with phishing, all forms of password theft. and replay attacks.

Users can unlock cryptographic login credentials with simple built-in methods, such as fingerprint readers or cameras on their devices, or by leveraging easy-to-use FIDO security keys. Users can select the device that best fits their needs and complies with their organization’s policies. Also, since authentication context is maintained in the browser, a user does not need to login again when attempting to access a web application after connecting to their organization’s network using F5 Edge Client.

Because FIDO cryptographic keys are unique for each site, they cannot be used to track users across sites, enhancing user privacy. Plus, biometric data, when used, never leaves the user’s device.

Finally, FIDO 2 authenticators can be enrolled and enabled through a web-based workflow. This allows deployments to scale very easily.

BIG-IP Edge Client is available as a standalone package that can be installed on BIG-IP APM running 13.1.0 or later. For more information on the latest version of F5 Edge Client (v7.2.1), please refer to the release notes, compatibility matrix, and administration guide.