Archived Manual Chapter: Creating Access Profiles and Access Policies

This article has been archived, and is no longer maintained.

In the BIG-IP® Secure Access Manager, an access profile is the profile that you select in a virtual server definition to use that virtual server for secure access.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
   The Access Profiles screen opens.
2. Click Create.
   The New Access Profile screen opens.
3. In the Name box, type a name for the access profile.
   The Access Profile Properties screen appears.
4. From the Parent Profile list, select a parent profile for the access profile.
   An access profile inherits the settings for Inactivity Timeout, Access Policy Timeout, and Max Concurrent Users from the parent profile. These are the only settings an access profile inherits from the parent profile.
5. To change settings for Inactivity Timeout, Access Policy Timeout, and Max Concurrent Users, click the Custom check box, then type numbers for the settings you want to change.
7. Click Finished when the configuration is complete.
Typically, a client's browser specifies one or more preferred languages as its default language. The Secure Access Manager detects this string, compares it with the languages configured in the access profile, and presents customized pages and messages in the user-specified language if that language exists in the access profile. If the user-specified language does not exist in the access profile, the user sees pages in the default language.
In the access profile, you can configure the list of accepted languages in which the Secure Access Manager provides messages and customized elements. You can also select a default language for the access profile. The default language is used to provide messages and customized elements to users whose browsers are not identified with a language that is on the list of accepted languages.
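The matching described above, as an added example that is not F5's own code: a Python routine parses the browser's Accept-Language header, walks the client's preferences in order of quality, and returns the first one present in the profile's Accepted Languages list, falling back to the profile's Default Language when nothing matches or the header is absent. The primary-subtag match (a client tag of en-GB matching an accepted en) is an assumption made for illustration; the chapter does not say whether the product matches that way.

```python
# Added example: select the language for an access profile's customized pages
# from the browser's Accept-Language header. Not F5 code.
from typing import List, Optional, Tuple


def parse_accept_language(header: str) -> List[Tuple[str, float]]:
    """Return (language-tag, q) pairs ordered by the client's preference.

    Tags are lower-cased; entries with q=0 are dropped because the client has
    explicitly refused them. Ties keep the header's original order.
    """
    prefs = []
    for position, part in enumerate(header.split(",")):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        quality = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    quality = float(value)
                except ValueError:
                    quality = 0.0          # malformed q: treat as not acceptable
        if quality > 0:
            prefs.append((tag.strip().lower(), quality, position))
    prefs.sort(key=lambda item: (-item[1], item[2]))
    return [(tag, quality) for tag, quality, _ in prefs]


def select_language(header: Optional[str], accepted: List[str], default: str) -> str:
    """Pick the profile language to use for this client.

    `accepted` is the profile's Accepted Languages list and `default` its
    Default Language. The first client preference found in `accepted` wins.
    A client tag with a region (en-GB) also matches an accepted primary tag
    (en); that is an assumption of this example, not documented behaviour.
    """
    by_tag = {lang.lower(): lang for lang in accepted}
    if not header:
        return default                      # browser sent no language at all
    for tag, _quality in parse_accept_language(header):
        if tag in by_tag:
            return by_tag[tag]
        primary = tag.split("-", 1)[0]
        if primary in by_tag:
            return by_tag[primary]
    return default                          # nothing on the accepted list matched


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    profile_languages, profile_default = ["en", "fr", "de"], "en"
    for sample in ("de-DE,de;q=0.9,en;q=0.8", "ja,zh;q=0.5", ""):
        print(repr(sample), "->", select_language(sample, profile_languages, profile_default))
```

Because the selection only ever returns a string from the configured list or the configured default, an arbitrary tag in the header cannot steer the user to a language the profile does not define.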
There are several other places in Secure Access Manager where you can customize languages. To configure these language settings, see the following tasks and pages:
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
   The Access Profiles screen appears.
To add a language string to the list of accepted languages, in the Language Settings area, in the String box, type the string for the language, and click Add.
To edit a language string, from the Accepted Languages list, select the string and click Edit.
To delete a language string, from the Accepted Languages list, select the string and click Delete.
To set the default language, from the Default Language list, select the language.
4. Click Update to update the language settings.
In an access policy, you define the criteria for granting access to various servers, applications, and other resources on your network.
You create an access policy by creating an access profile, which automatically creates a blank access policy. Every access profile has an access policy associated with it. You configure that access policy through the access profile.
To view and edit the access policy associated with an access profile, you use the visual policy editor, a browser-based editor for access policies. The visual policy editor opens in a different tab or in a different window from the main Configuration utility, depending on your browser settings.
1. On the Main tab of the navigation pane, expand Access Control and click Access Profiles.
   The Access Profiles screen opens.
2. In the Access Policy column, click Edit for the access policy you want to edit.
   The visual policy editor opens in a new window or new tab, depending on your browser settings. If this is a new access policy, an unconfigured policy appears.
In the visual policy editor, policy rule branches follow each policy action. Typically, an action is followed by both a successful rule branch and a fallback rule branch. Some actions, like the Logon action, are followed by only one rule branch. Some actions are followed by multiple rule branches. In actions where there is only one result rule branch, that result is labeled Fallback. In actions where there is a failed result and a successful result, the visual policy editor labels the successful rule branch Successful and the failed rule branch Fallback. Some actions have multiple result rule branches, and no successful branch.
For example, the Client OS action in Figure 5.1 has multiple rule branches, and each rule branch is named for the operating system to which the rule branch corresponds, with a fallback branch for any client operating system that does not match a specific rule branch. This allows you to assign actions to any rule branch, and separate endings to any rule branch.
Click the plus sign on the rule branch where you want to add the action. When you place your cursor over the plus sign, it turns blue to indicate that you can click it.
Assign resources. For more information, see Assigning resource groups to users.
Note that you must assign a resource group that contains a network access resource, or the access policy will not function.
1. On the Main tab of the navigation pane, expand Access Control and select Access Profiles.
   The Access Profiles screen opens.
2. Click Edit in the Access Policy column of the access policy you want to edit.
   The visual policy editor opens, displaying the access policy.
When you first open a new access policy in the visual policy editor, the configuration includes only a start point, a fallback rule branch, and a default ending.
1. On the Main tab of the navigation pane, expand Access Control and click Access Profiles.
   The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
   The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign to add an action.
   The Add Item popup screen opens.
6. Click Add Item to add the action to the access policy.
   The action popup screen opens.
To configure the action, see the action description in Understanding available actions and categories.
Access policy endings are the end result of a rule branch in an access policy. With access policy endings, you can give users access to the network access connection, deny access to users, or redirect users to another URL.
Webtop
Starts the SSL VPN session and loads the network access webtop for the user.
Logon Denied
Disallows the SSL VPN session and shows the user a Logon Denied web page.
Redirect
Transfers the user to the URL specified in the ending configuration.
In the visual policy editor, you can create and delete access policy endings, change any ending in the access policy to another ending, customize endings, and set a default ending.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
   The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
   The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. Near the top of the visual policy editor, click the Edit Endings button.
   The Edit popup screen opens.
4. At the upper left, click the Add Ending button.
   The new ending appears, highlighted in blue. See Figure 5.3.
5. In the Name box, type a name for the new ending.
Webtop
Specifies that the user has access to the network access policy as defined in the access profile and access policy.
Redirect
Specifies a URL to which the access policy redirects the user. Type the redirect URL in the box provided.
Logon denied
Specifies the user is not allowed access to the network access resource, and presents a Logon Denied page. To customize the Logon Denied page, see Customizing the Logon Denied access policy ending.
7. To change the color of the ending for better visual clarity in your access policies, click the Dropper, select a color, and click Update.
8. Click Save.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
   The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
   The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. Click an access policy ending.
   The Select Ending popup screen opens.
5. Click Save.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
   The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
   The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. Click the Edit Endings button.
   The Endings popup screen opens.
The Logon Denied access policy ending provides several customized messages that you can configure for the access policy. These include text messages for the logout screen. You can also configure these messages for different languages that you have defined for the access policy.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
   The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the corresponding Access Policy column.
   The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. Click the Edit Endings button.
   The Endings popup screen opens.
4. On the Logon Denied ending you want to customize, click the plus sign next to Customization.
   The popup screen displays additional setting options.
Success Title
Specifies the text displayed when a session is finished.
Success Message
Specifies the text displayed when the user logs out successfully.
Thank You Message
Specifies a thank you message displayed for network access users after logout.
Error Title
Specifies the text that indicates that the session could not start.
Error Message
Specifies a more specific error message that follows the error title, which indicates that a problem may have occurred during access policy evaluation.
New Session Text
Specifies the text that precedes the link a user clicks to start a new session.
New Session Link
Specifies the text label for the hypertext link to start a new session, such as click here. This link immediately follows the New Session Text.
Session ID Title
Specifies the text that precedes the session number when an error occurs.
6. Click Save.
To complete the configuration of any access policy, and make the access policy active on the server, click the Activate Access Policy link at the top of the screen.
When you configure access policies, you select actions from the four main categories that the visual policy editor lists in the Add Item popup screen.
In addition, a fifth category, labeled Macrocalls, appears in the Add Item popup screen if you configure one or more macros in the access policy.
General purpose checks are used for general policy actions, like logon pages, and assignment of resources, variables, and VLANs. General purpose checks also include structural actions that can be used to further refine the flow of access policies.
Logon page
Adds a logon page to the access policy. You can customize the messages and link text on the logon page, and create custom messages for different languages.
Resource assign
Assigns an access control list (ACL), a resource group, or both to the access policy. A resource group includes a network access resource, which can include traffic settings, a lease pool, an ACL, DNS and host settings, drive mappings, and applications to start.
Variable assign
Assigns one or more variables to the access policy.
VLAN selection
Selects a VLAN Gateway for policy-based routing.
Logging
Adds a logging agent that logs the specified session variables to the system logs.
Message box
Adds a message box that can be used to post a message to the user.
Decision box
Adds a decision box that provides two options for the access policy.
Empty action
A blank action from which you can create your own action.
Client-side checks are checks that occur on the client computer, which are performed by ActiveX or other browser plugins. See the macro description Using the Windows AV and FW macro template, for an example that uses client-side checks. See Figure 5.4, following, for an example of how these appear in the visual policy editor.
Antivirus check
Checks for antivirus software on the client computer.
Browser cache cleaner
Clears the browser cache after the session is closed, and enables you to configure other items to clear, including form entries, passwords, and dial-up networking entries. Also sets session timeouts under some conditions.
File check
Checks for a specific file on the client computer.
Firewall check
Checks for firewall software on the client computer.
Process check
Checks for a specific running process on the client computer.
Registry check
Checks for a specific registry value on the client computer.
Windows information
Checks for the version of Windows and for Windows updates on the client computer.
Server-side checks occur on the server. The Secure Access Manager inspects the request headers from the client to determine the UI mode and the client operating system.
UI mode
Detects the browser or client type the client is using. This action provides three rule branches in your access policy:
Full Browser
The rule branch the access policy takes if the client is using a full web browser or the standalone client in web browser mode.
Standalone Client
The rule branch the access policy takes if the client is using a standalone (installed) SSL VPN client. This rule branch is only used if the standalone client is running in legacy mode. If the standalone client is used, but the client is not running in legacy mode, the Full Browser rule branch is used. This branch is not used if the client is not running Windows, and does not support client-side checks. See Appendix A, Using the Secure Access Client, for more information.
Fallback
The rule branch the access policy takes if the client is not using one of the listed clients.
Client OS
The client OS action detects the operating system of the remote client. Secure Access Manager gets this information from HTTP headers. This action provides seven rule branches in your access policy:
Windows XP®
The client is using the Windows XP operating system.
Windows 2000®
The client is using the Windows 2000 operating system.
Windows Vista®
The client is using the Windows Vista operating system.
Windows Mobile®
The client is using the Windows Mobile operating system.
Linux®
The client is using a Linux variant operating system.
Mac OS®
The client is using the Mac OS operating system.
Fallback
The rule branch the access policy takes if the client is not using one of the listed operating systems.
Authentication actions are used to add authentication with an authentication server or with a client certificate. Microsoft® Active Directory® and LDAP authentication actions can also be used to perform queries of the Active Directory or LDAP databases.
Active Directory
Use this action to add Active Directory authentication or an Active Directory query to the access policy.
Client cert
Use this action if you want to prompt your users for a client certificate when they take a certain branch in the access policy.
Client cert result
Allows you to check the result of the SSL handshake from the Client SSL profile on the Secure Access Manager system. For this check to return a positive result, the Client SSL profile must be configured to request the client certificate. This differs from the client cert check, which prompts the user for an SSL certificate.
LDAP
Use this action to add LDAP authentication or an LDAP query to the access policy.
RADIUS
Use this action to add RADIUS authentication to the access policy.
Using the visual policy editor, you configure macros in the same way that you configure access policies. The difference is that you do not configure access policy endings, but instead you configure terminals for a macro.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
   The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
   The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. Click the Add New Macro button.
   The Add New Macro popup screen opens.
4. Select the macro template.
   The macro templates are described in Using predefined macro templates.
5. In the Name box, type a name for the macro.
   This is the name by which the macro appears in the Add Action popup screen.
6. Click Save.
8. To edit an action, click the action name.
   Edits you make to the actions in a macro are applied to the actions in an access policy, after you add the macrocall to the access policy.
9.
1. In the visual policy editor, click the plus sign next to the macro name to expand the macro for which you want to edit terminals.
2. Click Edit Terminals.
   The Edit Terminals popup screen opens.
3.
5. To change the color of the ending for better visual clarity in your access policies, click the Dropper, select a color, and click Update.
6. If you want to set a default terminal, click the Set Default tab, and select the default terminal.
7.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
   The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
   The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign to add an action.
   The Add Action popup screen opens.
4. If Macrocalls is not expanded, click the plus sign next to Macrocalls.
5. Select a macro you defined previously and click Add Item.
   The macrocall is added to the access policy. You can edit the macro items in the macro definition as required.
To delete a macro, click the (x) button at the right of the screen next to the macro name. You can delete a macro only if it is not in use.
You can use predefined macro templates to create macros that you can use in your policies. The macros you create are listed in the visual policy editor Add Action popup screen, in the Macrocalls category. These macro templates are predefined on the Secure Access Manager, and described on the following pages.
The empty macro template (see Figure 5.5) is a blank, unconfigured macro template that includes a start point and an end point. Use this macro to add a blank template that you can configure to perform a specific need in your access policies.
The AD auth and resources macro template (see Figure 5.6) is a preconfigured macro template that adds Active Directory authentication to your access policy.
In this macro template, you must configure both the Active Directory action and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.
1. In the visual policy editor, click the Add New Macro button.
   The Macro Template popup screen opens.
2. Select the macro template AD Auth and resources.
3. Click Save.
   The popup screen closes.
5. To edit an action, click the action name.
   In the macro display, the action popup screen opens.
The AD auth query and resources macro template (see Figure 5.7) is a predefined macro template that adds an Active Directory query and Active Directory authentication to your access policy.
In this macro template, you must configure the Active Directory query and auth actions and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.
1. In the visual policy editor, click the Add New Macro button.
   The Macro Template popup screen opens.
2. Select the macro template AD auth query and resources.
3. Click Save.
   The popup screen closes.
5. To edit an action, click the action name.
   The action popup screen opens.
The LDAP auth and resources macro template (see Figure 5.8) is a preconfigured macro template that adds LDAP authentication and resources to your access policy.
In this macro template, you must configure both the LDAP action and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.
1. In the visual policy editor, click the Add New Macro button.
   The Macro Template popup screen opens.
2. Select the macro template LDAP auth and resources.
3. Click Save.
   The popup screen closes.
5. To edit an action, click the action name.
   The action popup screen opens.
The LDAP auth query and resources macro template (see Figure 5.9) is a preconfigured macro template that adds LDAP authentication and an LDAP query to your access policy.
In this macro template, you must configure the LDAP query action, the LDAP auth action, and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.
1. In the visual policy editor, click the Add New Macro button.
   The Macro Template popup screen opens.
2. Select the macro template LDAP auth query and resources.
3. Click Save.
   The popup screen closes.
5. To edit an action, click the action name.
   The action popup screen opens.
The RADIUS and resources macro template (see Figure 5.10) is a preconfigured macro template that adds RADIUS authentication and resources to your access policy.
In this macro, you must configure both the RADIUS action and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.
1. In the visual policy editor, click the Add New Macro button.
   The Macro Template popup screen opens.
2. Select the macro template RADIUS and resources.
3. Click Save.
   The popup screen closes.
5. To edit an action, click the action name.
   The action popup screen opens.
The Windows AV and FW macro template (see Figure 5.11) adds UI Mode, Client OS, Windows info, antivirus, and firewall checks to your access policy. This macro template includes the following elements:
A server-side UI mode action. This action checks whether the server identifies the client as using the full browser, the standalone client, or something else. In the default macro configuration, only the full browser mode is passed to a successful rule branch, and all other results go to failed rule branches.
A server-side Client OS action. This action checks for the presence of one of six operating systems. If the operating system is Windows XP, the user is passed to a successful rule branch. All other operating systems go to failed rule branches.
A client-side antivirus check action. This action is unconfigured, and must be configured to check for an antivirus solution provided by one or more antivirus vendors, or for any antivirus.
A client-side firewall check action. This check is unconfigured, and must be configured to check for a firewall solution provided by one or more firewall vendors, or for any firewall.
In this macro template, you must configure both the firewall check and antivirus check actions. You can optionally customize other actions to allow, for example, other operating systems, UI modes, service packs, or hotfixes.
1. In the visual policy editor, click the Add New Macro button.
   The Macro Template popup screen opens.
2. Select the macro template Windows AV and FW.
3. Click Save.
   The popup screen closes.
5. To edit an action, click the action name.
   The action popup screen opens.
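The rule-branch model this chapter describes (each action followed by named branches such as Successful and Fallback, with every path terminating in a Webtop, Logon Denied or Redirect ending), the server-side UI mode and Client OS actions that branch on request headers, and the Windows AV and FW macro flow above, as one added Python example that is not F5's code. It derives the Client OS branch from standard User-Agent tokens (a simplification of whatever the product does); the X-Client-Mode header used to represent the standalone client is a made-up name for illustration, since the chapter only says the UI mode comes from request headers; and the client-side antivirus and firewall results are supplied in the session context, standing in for what the browser plugin would report.

```python
# Added example: a small evaluator for access policies built from actions,
# named rule branches and endings, wired up as the Windows AV and FW macro.
# Not F5 code; header handling is simplified and labelled where assumed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple, Union


@dataclass(frozen=True)
class Ending:
    kind: str          # "Webtop", "Logon Denied" or "Redirect"
    url: str = ""      # used only by a Redirect ending


@dataclass
class Action:
    name: str
    evaluate: Callable[[dict], str]              # session context -> branch label
    branches: Dict[str, "Item"] = field(default_factory=dict)


Item = Union[Action, Ending]

WEBTOP = Ending("Webtop")
DENIED = Ending("Logon Denied")


def ui_mode(ctx: dict) -> str:
    # Assumption: a hypothetical X-Client-Mode header marks the installed client.
    # A standalone client not in legacy mode takes the Full Browser branch, as
    # the chapter states; anything unrecognised goes to Fallback.
    mode = ctx["headers"].get("X-Client-Mode", "").lower()
    if mode == "standalone-legacy":
        return "Standalone Client"
    if mode in ("", "browser", "standalone"):
        return "Full Browser"
    return "Fallback"


# Standard User-Agent tokens mapped to the Client OS branch labels (simplified:
# the first marker found wins, so Android UAs, for instance, would fall under Linux).
OS_MARKERS = [
    ("Windows NT 5.1", "Windows XP"), ("Windows NT 5.0", "Windows 2000"),
    ("Windows NT 6.0", "Windows Vista"), ("Windows CE", "Windows Mobile"),
    ("Mac OS", "Mac OS"), ("Linux", "Linux"),
]


def client_os(ctx: dict) -> str:
    ua = ctx["headers"].get("User-Agent", "")
    for marker, label in OS_MARKERS:
        if marker in ua:
            return label
    return "Fallback"


def client_check(kind: str) -> Callable[[dict], str]:
    # Client-side checks run in the browser plugin; their result is supplied in
    # ctx["client_checks"] here (constructed input, not a real plugin report).
    def evaluate(ctx: dict) -> str:
        return "Successful" if ctx.get("client_checks", {}).get(kind) else "Fallback"
    return evaluate


def evaluate_policy(start: Item, ctx: dict) -> Tuple[Ending, List[str]]:
    """Walk the policy from its start item; return the ending reached and the branch trail."""
    trail: List[str] = []
    item = start
    while isinstance(item, Action):
        label = item.evaluate(ctx)
        if label not in item.branches:
            label = "Fallback"               # every action carries a Fallback branch
        trail.append(f"{item.name}:{label}")
        item = item.branches[label]
    return item, trail


def windows_av_fw_policy() -> Action:
    """The Windows AV and FW macro flow: only Full Browser and Windows XP proceed,
    then the antivirus and firewall checks must both succeed to reach the webtop."""
    fw = Action("Firewall check", client_check("firewall"),
                {"Successful": WEBTOP, "Fallback": DENIED})
    av = Action("Antivirus check", client_check("antivirus"),
                {"Successful": fw, "Fallback": DENIED})
    os_branches: Dict[str, Item] = {label: DENIED for _, label in OS_MARKERS}
    os_branches.update({"Windows XP": av, "Fallback": DENIED})
    os_action = Action("Client OS", client_os, os_branches)
    return Action("UI mode", ui_mode,
                  {"Full Browser": os_action, "Standalone Client": DENIED, "Fallback": DENIED})


if __name__ == "__main__":
    # Constructed session context, not captured traffic.
    session = {"headers": {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
               "client_checks": {"antivirus": "SampleAV", "firewall": "SampleFW"}}
    print(evaluate_policy(windows_av_fw_policy(), session))
```

The trail returned alongside the ending is the part worth keeping in a real deployment: it records which branch each action took, which is what an operator needs when a user reports being denied and the question is whether the OS check, the antivirus check or the firewall check sent them there.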