Forum Discussion

SvenWil's avatar
SvenWil
Icon for Altostratus rankAltostratus
May 22, 2024

F5 VPN client + Endpoint Inspection

Hey guys,

I've got an issue that confuses me the more i look and read into it. 

The issue

We have a web portal that is externally accessible where users (after MFA authentication) can login and start a F5 VPN client to access the corporate network. Upon logon we see a message stating it wants us to download a "Endpoint Inspection client components". If we download manually it's the file "f5epi_setup.exe"

The goal is to avoid this popup for our users.

What we currently do

From our network team i get a file "BIGIPEdgeClient.exe" (latest version 72.23.0428.0523"). I extract this file and there's a MSI-file "BIGIPComponentInstaller.exe". We install this silently through SCCM. This installs, as far as i understand it the F5 VPN-client (which works fine, we do not get the same popup as above). 

The problem

I've read various support-articles: 

The more i read, the more it confuses me. Specifically: how can i avoid this popup and preinstall the EndPoint Inspection client components? What am i missing?

Thanks in advance everyone!

  • Good morning Lucas,

    And thank you. This was indeed the bit i was missing. Thanks to your info everything works out fine now. Thanks a million ;-)

    With regards,

    Sven

  • It sounds like you run Edge Client, enter connected mode, then it opens up a browser control, and then can't run the inspector ActiveX.

    I believe there is a group policy setting that can disallow webview (also knows as "browser control", "embedded IE", "mini browser") from running ActiveX, which seems like what's going on here. The setting you want to enable is "run activex controls and plug-ins".

    This should be enabled by default. Also the server URL should be in Trusted Sites.

    Here's some additional information about that:

    https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-client-configuration-11-5-0/1.html

     

     

  • This might be confusing because there are two different ways that the endpoint inspector can fire, depending on if the users are connecting with Edge Client or not.

    If you're using Edge Client to start the VPN, it has special functions that recognize and start up the EPS process by calling the library directly.

    If you're using a browser to start the VPN, the endpoint-inspection javascript code delivered to the browser tries to call a special URL scheme "f5-epi://" that should be registered to the EPI app. This is similar to how Zoom works to launch the Zoom thick app from a browser.

     

    To get that endpoint inspector installed and registered as a URL scheme, choose these options when you create the Edge Client package from the big-ip GUI:

     

    The inspector ones that should install that are "Endpoint Security", "Inspector Service", and "Web Browser Add-ons for BIG-IP Edge Client".

     

  • Hello Lucas,

    Following up on the above issue. Some users (a minority, yet to determine exact numbers) are seeing something unexpected after we upgraded some of our (test)users to the new VPN-client:

    'a browser component is needed'
    '1) Your current security settings prohibit running ActiveX controls on this page, or 2) You have blocked a publisher of one of the controls. As a result, the page might not display correctly."'


    Are these notifications something that is known? I deploy with SCCM with the command:

    "msiexec /i "BIGIPComponentInstaller.msi" ALLUSERS=1 REBOOT=REALLYSUPPRESS /q /l*v %TEMP%\F5_BIGIP_Install.log" with a created installer package as advised above. Installation runs ok on all pc's.


    'Install the addon and continue' or 'Continue without installing':

    'Permission required':

    Thanks in advance.

    With kind regards,

    Sven