Installing the F5 FirePass VPN Client on Ubuntu 10.04 AMD64

Disclaimer: I am not a FirePass administrator, only an end user, and I have no other relationship with F5. There may be better methods to address this issue; please comment if you know of one.

See also: f5vpn-login.py, described here, and brought to my attention by sh4k3sph3r3. A CLI FirePass client is quite likely a better solution than separate browser instances, etc.

Preliminaries: Although the F5 FirePass SSL VPN product supports Linux, as best as I can tell, that support is somewhat limited: My understanding is that they officially claim support for 32-bit installs only, and they do not appear to track new distribution releases particularly aggressively. F5 has also been somewhat slow in supporting new browser versions: They announced support for Firefox 3 on October 6, 2008, nearly four months after its release and with only two months to go before Firefox 2 was end-of-lifed. For Firefox 3.6 support, a comment on the post linked above states that you need to request a special hot fix from F5 (which my site has not applied). There is no Google Chrome support that I am aware of.

Further, F5’s automated client installation tools have unfortunately never worked for me on Linux, even when the architecture and browser are in their support matrix. The manual download instruction links are also broken on the FirePass install I connect to.

Solution: Install a dedicated, 32-bit version of Firefox in a supported version; create a single-purpose Firefox profile for VPN use. Add the FirePass client to that browser and the operating system.

For the Firefox install, follow the “Manual Installation” instructions from the Ubuntu Community Documentation site. Install version 3.5 if your site does not have the hotfix mentioned above.

Be sure to create a new Firefox profile in your account for use with the FirePass; however, I recommend modifying the script in the Ubuntu documentation to automatically take you to your FirePass site (https://firepass.example.com/ for the purposes of this post):

#!/bin/bash
exec "$HOME/firefox/firefox" -P mozilla-build https://firepass.example.com/

Next, download the client components from your F5 site; again, assuming firepass.example.com, retrieve and save:

https://firepass.example.com/vdesk/vpn/nogzip/downloads.php/linux/np_F5_SSL_VPN.so

and

https://firepass.example.com/vdesk/vpn/nogzip/downloads.php/linux/SSLVpn.tgz

Move np_F5_SSL_VPN.so to the plugins directory of the new Firefox installation – ~/firefox/plugins if following the Ubuntu documentation. Based on file layout, it appears that F5 intended for you to extract SSLVpn.tgz at the root of your file system. Instead of following this bad practice, in scratch space and as root, extract the SSLVpn.tgz tarball and manually move the files into place:

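# Unpack in scratch space rather than at the root of the file system
cp SSLVpn.tgz /tmp
cd /tmp
sudo tar -xvpzf SSLVpn.tgz
# inspect extracted files here...
# Create the destination (root-owned path, so sudo is needed here too)
sudo mkdir -p /usr/local/lib/F5Networks/SSLVPN
cd /tmp/usr/local/lib/F5Networks/SSLVPN
# Copy only the client's own directories into place, preserving modes
sudo cp -Rp etc svpn var /usr/local/lib/F5Networks/SSLVPN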
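
The "inspect extracted files here" step can begin before anything is unpacked as root. The following is an added example, not part of the original post or F5's tooling: it reports members that would escape the extraction directory, fall outside the tree the post copies, or carry links, device nodes, setuid/setgid or world-writable modes, which tar -p and cp -Rp preserve. The EXPECTED prefix and the constructed sample archive are assumptions for illustration.

```python
import io
import posixpath
import stat
import tarfile

# Assumption: the only tree the post copies into place.
EXPECTED = "usr/local/lib/F5Networks/SSLVPN"


def audit_tarball(fileobj):
    """Return (member, finding) pairs for a tarball, without extracting it."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            path = posixpath.normpath(m.name)
            if path.startswith("/") or path == ".." or path.startswith("../"):
                findings.append((m.name, "escapes the extraction directory"))
            elif not (path == "." or (path + "/").startswith(EXPECTED + "/")
                      or EXPECTED.startswith(path + "/")):
                findings.append((m.name, "outside " + EXPECTED))
            if m.issym() or m.islnk():
                findings.append((m.name, "link to " + m.linkname))
            elif m.ischr() or m.isblk() or m.isfifo():
                findings.append((m.name, "device node or FIFO"))
            elif m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((m.name, "setuid/setgid bit set"))
            elif m.mode & stat.S_IWOTH:
                findings.append((m.name, "world-writable"))
    return findings


def build_sample():
    members = [  # constructed, not F5's file: (name, mode, type, link target)
        (EXPECTED + "/svpn", 0o4755, tarfile.REGTYPE, ""),
        (EXPECTED + "/etc/example.conf", 0o644, tarfile.REGTYPE, ""),
        (EXPECTED + "/var/run", 0o777, tarfile.DIRTYPE, ""),
        ("../etc/cron.d/job", 0o644, tarfile.REGTYPE, ""),
        ("usr/bin/helper", 0o755, tarfile.SYMTYPE, "/bin/sh"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, kind, target in members:
            info = tarfile.TarInfo(name)
            info.mode, info.type, info.linkname = mode, kind, target
            tar.addfile(info)
    return io.BytesIO(buf.getvalue())


if __name__ == "__main__":
    print(*audit_tarball(build_sample()), sep="\n")
```

To check the real download, pass open("SSLVpn.tgz", "rb") to audit_tarball; a finding is a prompt to look closer at that member, not proof of a problem.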

Using the bash script above, you should now be able to launch your purpose-built FirePass browser installation and have it “just work” for Network Access. Good luck!

14 comments

  1. Erik

    Alas, that didn’t work. It seemed to get me further than before, but I got a pile of “connection dropped” messages & had to kill the new installation of Firefox.

    The reason may have nothing to do with your tutorial (thanks for writing it!), but instead be due to some additional security that our network team has laid on. As a group, they *really* don’t like to make it easy for developers to get any work done.

  2. Andy

    @Erik Sorry to hear it didn’t work – let me know if there’s anything I might help with. Alternatively, if you discover whatever extra steps are necessary to make it work, I’d be grateful if you could post them in a comment here.

  3. Alex

    Hi, just wondered if you had any idea of how to install this VPN client to be used on the command-line, instead of just through a browser? I have to do some administration on a remote network through a firepass VPN from a Linux box…

    Have you had any contact with F5? I wonder how their support is?

    Thanks,
    Alex

  4. Andy

    @Alex I haven’t tried figuring a way to run the VPN client on the command line (although that would be appealing); I assume the crux would be passing authentication parameters.

    Ultimately, two processes appear to be started by the VPN client: “/usr/local/lib/F5Networks/SSLVPN/svpn” and “/usr/sbin/pppd call FirePass”; using lsof I don’t see anything they have open that’s particularly unexpected, but I don’t know how to start them appropriately. /etc/ppp/peers/FirePass appears to be dynamically created with connection-specific configuration information.

    I’ve never personally had any contact with F5.

  5. Andy

    @sh4k3sph3r3 – Sorry it took me so long to approve your comment. It had (sadly, wrongly) been filtered into spam.

  6. Stuart

    Thanks for the info! Worked for me with a slight modification. Shouldn’t the last line of the script be the following?

    cp -Rp etc svpn var /usr/local/lib/F5Networks/SSLVPN

    Again – thanks for the info! It was just what I was looking for!

  7. Jim

    FYI, I was able to connect using Firefox 3.6.13 and Ubuntu 10.10 64 bit – after a fresh install with no problem.. I started looking for how to do this, and then realized I didn’t need to…AWESOME 🙂 I just visited the VPN site, filled in my credentials and was able to connect after installing a firefox addon and restarting firefox… much easier – looks like my network has installed everything, not sure if others will have the same luck..

  8. Andy

    @Jim – Makes me happy to hear that F5 is getting a little more current in their Linux/Firefox support. (My friendly neighborhood FirePass doesn’t have the 3.6.13 update yet, it seems.) But – that said – I haven’t looked back after switching to the CLI client mentioned above:

    http://fuhm.net/software/f5vpn-login/

  9. malaiwah

    Hi Andy,

    Are you still using this script? Before trying to update it to support later versions of FirePass (now BIG-IP Edge Client), I just wanted to see if you knew this script was updated since 2010…

    • Andy

      Hi @malaiwah,

      I am still using the script, although I suspect the VPN system I’m connecting to is back-revved…

      -Andy