Configuration Guide for BIG-IP Access Policy Manager
Applies To: BIG-IP APM 11.1.0
Manual: Configuration Guide for BIG-IP Access Policy Manager
Original Publication Date: 01/30/2012
Legal Notices
Introducing BIG-IP Access Policy Manager
Introducing the BIG-IP system
BIG-IP Local Traffic Manager
Overview of the BIG-IP Access Policy Manager
Introducing Access Policy Manager features
Understanding BIG-IP Access Policy Manager access types
Working with network access
Working with portal access
Working with application access
Working with LTM access
Using access profiles and policies
Using authentication in access policies
Using the Configuration utility
Overview of components of the Configuration utility
Getting started with BIG-IP Access Policy Manager
Using Access Policy Manager configuration wizards
Following the recommended configuration path
Possible configuration scenarios
Finding help and technical support resources
Finding the Access Policy Manager software version number
Configuring LTM Access
Introducing LTM access
Understanding how LTM access works
Reviewing LTM access options
Setting timeouts for web application access policy management
Understanding other LTM access considerations
Configuring LTM access
Configuring Resources
Understanding resources
Using access control lists
Creating static access control lists
Access control list examples
Configuring dynamic ACLs
Understanding dynamic ACLs
Understanding the F5 ACL format
Understanding the Cisco ACL format
Creating a dynamic ACL container
Adding a dynamic ACL to an access policy
Using webtops
Using AD query with IPv6
Understanding Access Policies
Introducing access policies
Understanding access policy items
Understanding the access policy start point
Understanding access policy actions
Understanding access policy branch rules
Viewing rules
Predefined rules
Understanding access policy branches
Understanding access policy macros
Introducing macro terminals
Introducing access policy endings
Understanding the allow ending
Understanding the deny ending
Understanding the redirect ending
Understanding session variables
Using session variables
Creating Access Profiles and Access Policies
Creating an access profile
Understanding access profile settings
Understanding configuration settings
Understanding Single-Sign On settings
Creating an access profile
Applying an access policy
Customizing access profile languages
Creating an access policy
Starting the visual policy editor
Configuring a basic access policy
Opening an access policy
Adding actions to an access policy
Using policy endings
Applying an access policy configuration
Understanding available actions and categories
Understanding general purpose checks
Understanding authentication actions
Understanding client-side checks
Understanding client-side actions
Understanding server-side checks
Configuring macros
Using predefined macro templates
Using the empty macro template
Using the AD auth and resources macro template
Using the AD auth query and resources macro template
Using the LDAP auth and resources macro template
Using the LDAP auth query and resources macro template
Using the RADIUS and resources macro template
Using the SecurID and resources macro template
Using the Windows AV and FW macro template
Using the client classification and prelogon checks macro template
Exporting and importing access profiles
Configuring General Purpose Access Policy Actions
Introducing general purpose actions
Configuring general purpose actions in an access policy
Adding and customizing a logon page
Adding an HTTP 401 response page
Adding an external logon page
Assigning resources
Assigning variables
Adding a virtual keyboard to the logon screen
Adding SSO credential mapping
Filtering access with Citrix SmartAccess filters
Selecting a route domain
Adding access policy logging
Adding a message box
Adding a decision box
Adding a dynamic ACL
Adding an iRule event
Configuring Client Side Checks and Client Side Actions
Understanding client-side checks
Verifying antivirus software
Checking antivirus with the antivirus check access policy item
Example: Using antivirus check
Verifying a firewall
Setting up the firewall check action
Example: Using firewall check
Checking for a file
Checking for a file with the file check access policy item
Example: Using file check
Checking a machine certificate
Understanding machine cert auth check options
Checking a machine certificate with the machine cert access policy item
Example: Using machine cert auth check
Verifying Windows information
Setting up Windows info action
Example: Using Windows info check
Checking machine information
Example: Using machine info check
Checking processes
Setting up the process check access policy item
Example: Using process check
Setting up registry check
Expression syntax
Setting up the registry check action
Example: Using registry check
Client Side Actions
Understanding client-side actions
Setting up cache and session control
Setting up the cache and session control access policy item
Example: Using cache and session control
Setting up protected workspace
Setting up the protected workspace access policy item
Example: Using protected workspace
Assigning a Windows group policy template
Understanding Windows group policy templates
Using predefined Windows group policy templates
Understanding the regulatory templates
Working with Windows group policy templates
Setting up the Windows group policy access policy item
Example: Using Windows group policy templates
Configuring Server Side Checks
Introducing server-side checks
Preparing for clients that cannot use client checks
Checking the landing URI of a client
Configuring client OS check
Setting up the client OS check
Example: Using client OS check
Configuring client type check
Setting up the client type access policy item
Example: Using client type check
Checking for client-side check capability
Setting up the client-side check capability access policy item
Example: Using client-side check capability action
Checking a landing URI with the landing URI check
Setting up the landing URI access policy item
Example: Using landing URI check
Identifying Microsoft Exchange clients with the client for MS Exchange check
Understanding Microsoft Exchange connections
Setting up the MS Exchange check policy item
Example: Using client for MS Exchange check
Using IP Geolocation in an access policy
Setting up the IP geolocation match access policy item
Example: Using IP geolocation
Introducing On-Demand Certificate Authentication
Controlling SSL traffic
Understanding SSL profiles
Introducing SSL server certificates
Introducing SSL On-Demand Certificates
Understanding On-Demand certificate authentication
Client certificate inspection agent
On-Demand certificate authentication agent
Configuring client SSL profiles
Importing a certificate and the corresponding key
Configuring a clientssl profile
Using On-Demand Certificates to authenticate users
Validating certificate revocation status
Understanding CRLs
Understanding OCSP
Configuring an OCSP responder object
Creating an SSL OCSP profile
Using CRLDP
Configuring a CRLDP server object
Configuring a CRLDP configuration object
Creating a CRLDP profile
Configuring Virtual Servers
Introducing virtual servers with Access Policy Manager
Understanding SNAT interactions
Configuring virtual servers for access policies
Creating a virtual server for DTLS
Configuring a local traffic virtual server with an access policy
Advanced Topics in Access Policies
Setting up a logon page to collect user credentials
Understanding the logon page action
Example: Using a customized logon page to collect user credentials
Using multiple authentication methods
Client certificate two-factor authentication
Example: Using client certificate authentication with Active Directory
Configuring the client certificate two factor authentication with Active Directory example
Configuring policy routing
Setting up route domain selection in an access policy
Example: Directing users to different route domains
Configuring the policy routing example
Using advanced access policy rules
Understanding advanced access policy rule situations
Writing advanced access policy rules
Using a Tcl expression or program as an advanced access policy rule
Understanding advanced access policy rule limitations
Editing advanced access policy rules
Example: Checking that all present antivirus packages are active on the client system
Writing the example code
Using this example
Example: Using a certificate field for logon name
Writing the example code
Using this example
Logging and Reporting
Understanding logging
Introducing logging features
Understanding log content
Understanding log types
Logging system events
Auditing configuration changes
Setting log levels
Setting log levels for auditing events
Understanding reports
Displaying reports for all sessions
Using scripts to view reports
Monitoring system and user information
Viewing the Access Policy Manager dashboard
Configuring SNMP
Introducing SNMP administration
Reviewing an industry-standard SNMP implementation
Reviewing the Access Policy Manager system SNMP implementation
Summarizing SNMP configuration on the Access Policy Manager system
Configuring the SNMP agent
Configuring client access
Controlling access to SNMP data
Configuring traps
Working with SNMP MIB files
Downloading SNMP MIB files
Understanding the enterprise MIB files
Collecting performance data
Collecting data on memory use
Collecting data on active connections
Collecting data on new connections
Collecting data on throughput
Collecting data on HTTP requests
Collecting data on RAM Cache utilization
Collecting data on CPU use
Collecting data on active sessions
Collecting data on SSL transactions per second
Additional commands used for SNMP
Configuring BIG-IP Access Policy Manager clients
Understanding the BIG-IP Edge client
Introducing BIG-IP Edge Client™ features
Understanding client components on Windows systems
Configuring connectivity profiles
Understanding connectivity profile compression settings
Configuring connectivity profile client settings
Configuring connectivity profile mobile client settings
Downloading client components
Customizing client download packages
Using the component installer package to preinstall client components
Downloading the FullArmor GPAnywhere for VPN component
Using Macintosh and Linux clients with Access Policy Manager
Introducing supported network access features
Understanding VPN component install and log locations
Configuring the starting of applications on Macintosh or Linux clients
Installing the client on Macintosh and Linux systems
Establishing client connections
Installing the BIG-IP Edge Client™ for Windows
Installing the BIG-IP Edge Client™ for Macintosh
Connecting with the BIG-IP Edge Client
Viewing standalone client traffic and statistics
Using the Linux BIG-IP Edge command line client
Downloading and installing the command line client
Understanding Linux client commands
Info command status and error codes
Using the client troubleshooting utility
Access Policy Example
Introducing the example access policy
Example: Assigning resource groups based on Active Directory attributes
Configuring resources
Configuring the network access resources
Configuring the access profile, macro, and access policy
Session Variables
Introducing session variables
Introducing Tcl
Standard operators
Session variables reference
Special purpose user session variables
Network access resource variable attributes
Using Access iRule Events
Introducing iRules
What is an iRule?
Basic iRule elements
Understanding ACCESS iRules
ACCESS_SESSION_STARTED
ACCESS_POLICY_COMPLETED
ACCESS_ACL_ALLOWED
ACCESS_ACL_DENIED
Using ACCESS_ACL_DENIED
ACCESS_SESSION_CLOSED
ACCESS_POLICY_AGENT_EVENT
Understanding ACCESS iRule Commands
ACCESS::disable
ACCESS::session commands
ACCESS::policy commands
Troubleshooting
Introducing troubleshooting
Example: Changing log levels
Example: Understanding log messages for endpoint security check failures
Example: Understanding log messages for authentication failures
Example: Using the adminreporting utility
Example: Understanding the logging action utility in the visual policy editor
Example: Viewing logging history
Introducing Access Policy Manager log messages
Introducing Kerberos error messages