Archived Manual Chapter: Configuring Resources
This article has been archived, and is no longer maintained.

With BIG-IP® Secure Access Manager, you use resources to provide secure connection functionality to users. With Secure Access Manager, you configure a network access resource to provide secure connectivity. The network access resource connects and manages the user's secure connection.
You use access control lists (ACLs) and lease pools with Secure Access Manager to provide functionality to secure connection users. You use access control lists to define allowed and disallowed networks, hosts, and protocols for users. You use lease pools to provide users with IP addresses on the secured network. You can assign a single ACL and lease pool to a user in the network access resource. You can also assign more ACLs dynamically in an access policy, using the resource assign action.
A network access resource represents one secure connection. You can define many network access resources on the Secure Access Manager, but each connection uses only one network access resource. To connect a user securely with a network access connection, you must add a network access resource to a resource group, then assign the resource group to the user. A resource group can contain only a single network access resource.
Important: For a network access connection to function, you must assign a resource group that contains a single network access resource to a user in the access policy.
In this chapter you can learn how to use ACLs and lease pools, and how to configure resource groups. To configure network access resources, see Chapter 3, Configuring Network Access.
You use access control lists, or ACLs, to restrict user access to specified host and port combinations. You can assign an ACL to a network access resource statically in the network access resource definition, or dynamically within the access policy, using the resource assign action.
For an access control list to have an effect on traffic, at least one access control entry must be configured. In an access control entry, the only item that is required is the action. When you configure an access control list with an entry with only an action defined, that action becomes the default access control action for all traffic to which the ACL is applied.
All access control list entries are ordered by priority. Access control list entries are tested in order, based on their priority in the list. Only ACLs assigned to the current session are used. Access control list entries can be reordered.
You create an access control list to provide or deny access to network resources. At a minimum, you must allow access to at least one resource on your network, or the network access connection provides no functionality.
1. On the Main tab of the navigation pane, expand Access Control, and click ACLs.
   The ACLs screen opens.
2. Click Create.
   The New ACL screen opens.
3. In the Name box, type a name for the access control list.
4. In the Description box, you can add an optional description of the access control list.
5. From the Order list, you can optionally determine in what order to add the new ACL.
   Select After to add the ACL after a specific ACL, which you can then select.
   Select Specify to type the specific number of the ACL in the list.
6. Click the Create button.
   The ACL Properties screen opens.
7. In the Access Control Entries area, click Add to add an entry to the access control list.
   The New Access Control Entry screen appears.
8. From the Action list, select the action for the access control entry.
   If you are creating a default access control list, complete this step, then skip to the last step in this procedure.

Actions for the access control list entry are:
Allow - Permit the traffic.
Continue - Skip checking against the remaining ACL entries in this ACL, and continue evaluation at the next ACL.
Discard - Drop the packet silently.
Reject - Drop the packet and send a TCP RST message on TCP flows or the appropriate ICMP message on UDP flows. Silently drop the packet on other protocols.
9. In the Source IP Address box, type the source IP address.
   This specifies the IP address to which the access control list entry applies.
10. In the Source Mask box, type the network mask for the source IP address.
    This specifies the network mask for the source IP address to which the access control list entry applies.
11. For the Source Port setting, select Port or Port Range.
    This setting specifies whether the access control list entry applies to a single port or a range of ports.
12. In the Port box or the Start Port and End Port boxes, specify the port or port range to which the access control list entry applies.
    To simplify this choice, you can select from the list of common applications, to the right of the Port box, to add the typical port or ports for that protocol.
13. In the Destination IP Address box, type the IP address to which the ACL controls access.
14. In the Destination Mask box, type the network mask for the destination IP address.
15. For the Destination Ports setting, select Port or Port Range.
    This setting specifies whether the access control list entry applies to a single port or a range of ports.
16. In the Port box or the Start Port and End Port boxes, specify the port or port range to which the access control list entry applies.
    To simplify this choice, you can select from the list of common applications, to the right of the Port box, to add the typical port or ports for that protocol.
17. From the Protocol list, select the protocol to which the ACL applies.
18. From the Log list, select the log level for this access control entry.
    None - log nothing.
    Config - log the configuration for a matched entry.
    Packet - log the matched packet.
    Summary - log the ACL name and the entry number of the matched ACL and ACL entry.
    Verbose - log everything.
19. Click Finished.
The following examples show how to use ACLs to prevent access to servers, or to allow only certain types of traffic to access servers.
   Source IP Address - 0.0.0.0 (note that when you leave an IP address entry blank, the result is the same as typing the address 0.0.0.0)
   Source Mask - 0.0.0.0
   Source Ports - All Ports
   Destination IP Address - 192.168.112.0
   Destination Mask - 255.255.255.0
   Destination Ports - All Ports
   Protocol - All Protocols
   Action - Reject
3. Click Finished.
   Source Mask - 0.0.0.0
   Source Ports - All Ports
   Destination IP Address - 192.168.112.9
   Destination Mask - 255.255.255.255
   Destination Ports - Port 22 (or select SSH)
   Protocol - TCP
   Action - Allow
3. Click Finished.
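The two example entries above only behave as intended if the ACL that allows SSH to 192.168.112.9 is evaluated before the ACL that rejects the whole 192.168.112.0/24 subnet, because entries are tested in priority order and the first match decides. The following Python model is an added example, not part of the F5 manual and not Secure Access Manager code: it implements the ordering, Continue and log-level rules described in this chapter and runs the two example entries against constructed sample flows in both orders. The verdict used when no entry matches (`no_match="discard"`) is an assumption of the model, as are the ACL names and the client address 10.10.1.10.

```python
# Added example (not from the F5 manual): a small model of the ACL evaluation
# rules the chapter describes, used to check the chapter's two example entries.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ALL_PROTOCOLS = "all"


@dataclass
class AclEntry:
    action: str                                    # allow, continue, discard, reject
    src_ip: str = "0.0.0.0"                        # blank in the GUI == 0.0.0.0
    src_mask: str = "0.0.0.0"
    src_ports: Optional[Tuple[int, int]] = None    # None == All Ports
    dst_ip: str = "0.0.0.0"
    dst_mask: str = "0.0.0.0"
    dst_ports: Optional[Tuple[int, int]] = None    # inclusive (start, end)
    protocol: str = ALL_PROTOCOLS                  # tcp, udp, icmp or all
    log: str = "none"                              # none, config, packet, summary, verbose


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0


def _addr_matches(addr: str, entry_ip: str, entry_mask: str) -> bool:
    mask = int(IPv4Address(entry_mask))
    return (int(IPv4Address(addr)) & mask) == (int(IPv4Address(entry_ip)) & mask)


def _port_matches(port: int, port_range: Optional[Tuple[int, int]]) -> bool:
    return port_range is None or port_range[0] <= port <= port_range[1]


def entry_matches(entry: AclEntry, pkt: Packet) -> bool:
    if entry.protocol != ALL_PROTOCOLS and entry.protocol != pkt.protocol:
        return False
    return (_addr_matches(pkt.src, entry.src_ip, entry.src_mask)
            and _addr_matches(pkt.dst, entry.dst_ip, entry.dst_mask)
            and _port_matches(pkt.src_port, entry.src_ports)
            and _port_matches(pkt.dst_port, entry.dst_ports))


def evaluate(acls: List[Tuple[str, List[AclEntry]]], pkt: Packet,
             no_match: str = "discard") -> Tuple[str, List[str]]:
    """Walk the ACLs assigned to a session in priority order.

    Entries inside an ACL are tested in order and the first match decides.
    A 'continue' entry skips the rest of the current ACL and moves to the next.
    The verdict when nothing matches is an assumption of this model.
    """
    log: List[str] = []
    for acl_name, entries in acls:
        for number, entry in enumerate(entries, start=1):
            if not entry_matches(entry, pkt):
                continue
            if entry.log in ("summary", "verbose"):
                log.append(f"{acl_name} entry {number} matched")
            if entry.log in ("packet", "verbose"):
                log.append(f"packet {pkt}")
            if entry.action == "continue":
                break                  # next ACL; remaining entries here are skipped
            return entry.action, log
    return no_match, log


# The chapter's two example entries (selecting SSH means TCP port 22).
REJECT_LAB_SUBNET = AclEntry(action="reject",
                             dst_ip="192.168.112.0", dst_mask="255.255.255.0")
ALLOW_SSH_TO_HOST = AclEntry(action="allow", protocol="tcp",
                             dst_ip="192.168.112.9", dst_mask="255.255.255.255",
                             dst_ports=(22, 22), log="summary")
# A default entry: only the action is set, so it matches all traffic (step 8).
ALLOW_EVERYTHING = AclEntry(action="allow")


def verdicts(acls: List[Tuple[str, List[AclEntry]]]) -> dict:
    """Constructed sample flows from a client that was leased 10.10.1.10 (assumed)."""
    flows = {
        "ssh_to_host": Packet("tcp", "10.10.1.10", "192.168.112.9", 51000, 22),
        "http_to_host": Packet("tcp", "10.10.1.10", "192.168.112.9", 51001, 80),
        "web_elsewhere": Packet("tcp", "10.10.1.10", "10.1.1.1", 51002, 443),
    }
    return {name: evaluate(acls, pkt)[0] for name, pkt in flows.items()}


# Order matters: the specific allow must come before the subnet-wide reject.
CORRECT_ORDER = [("allow_ssh", [ALLOW_SSH_TO_HOST]),
                 ("reject_lab", [REJECT_LAB_SUBNET]),
                 ("default", [ALLOW_EVERYTHING])]
WRONG_ORDER = [("reject_lab", [REJECT_LAB_SUBNET]),
               ("allow_ssh", [ALLOW_SSH_TO_HOST]),
               ("default", [ALLOW_EVERYTHING])]

if __name__ == "__main__":
    print("correct order:", verdicts(CORRECT_ORDER))
    print("wrong order:  ", verdicts(WRONG_ORDER))
```

In the correct order the SSH flow is allowed and the HTTP flow to the same host is rejected; with the reject ACL placed first, the SSH flow is rejected as well, because the subnet entry matches before the host entry is ever consulted. The same model shows why the ordering of ACLs assigned dynamically in the access policy deserves the same review as the static assignment.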
A lease pool specifies a collection of IP addresses as a single object. You can use a lease pool to associate that collection of IP addresses with a resource group or network access resource. Use a lease pool with a network access connection to automatically assign an unallocated IP address to a network access client.
1. On the Main tab of the navigation pane, expand Secure Connectivity and click Lease Pools.
   The Lease Pool List screen opens.
2. Click the Create button.
   The New Lease Pool screen opens.
3. In the Name box, type a name for the lease pool.
   The initial character for a lease pool name must be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
To add a single IP address, in the Member List area, select IP Address for the type. In the IP Address box, type the IP address, and click the Add button.
To add a range of IP addresses, in the Member List area, select IP Address Range for the type. In the Start IP Address box, type the first IP address, and in the End IP Address box, type the last IP address. Click the Add button.
To delete an IP address or IP address range, select the IP address or IP address range in the member list, and click the Delete button.
5. When you have finished adding IP addresses to the list, click the Finished button.
   You can click the Repeat button to create and save the lease pool, then immediately create another lease pool with the same members, and a blank name.
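To make the lease pool behaviour concrete, the following Python class is an added example, not part of the F5 manual and not Secure Access Manager code. It models a pool built from single addresses and address ranges, hands each network access client an unallocated member, returns None when the pool is exhausted (the client then has no address on the secured network), and applies the name rule stated in step 3. The pool name, member addresses and client identifiers in the test are constructed values.

```python
# Added example (not from the F5 manual): a model of a lease pool that hands an
# unallocated member address to each network access client, plus the name rule.
import re
from ipaddress import IPv4Address
from typing import Dict, List, Optional

# First character a letter, then letters, digits, periods, underscores or dashes.
_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]*")
# Global reserved words the chapter says to avoid.
_RESERVED = {"all", "delete", "disable", "enable", "help", "list", "none", "show", "None"}


def valid_pool_name(name: str) -> bool:
    return _NAME_RE.fullmatch(name) is not None and name not in _RESERVED


class LeasePool:
    def __init__(self, name: str) -> None:
        if not valid_pool_name(name):
            raise ValueError(f"invalid lease pool name: {name!r}")
        self.name = name
        self._members: List[IPv4Address] = []        # Member List, in insertion order
        self._leases: Dict[IPv4Address, str] = {}    # address -> client id

    # --- Member List: IP Address / IP Address Range / Delete ---
    def add_address(self, ip: str) -> None:
        addr = IPv4Address(ip)
        if addr not in self._members:
            self._members.append(addr)

    def add_range(self, start: str, end: str) -> None:
        first, last = IPv4Address(start), IPv4Address(end)
        if last < first:
            raise ValueError("end address precedes start address")
        for n in range(int(first), int(last) + 1):
            self.add_address(str(IPv4Address(n)))

    def delete_range(self, start: str, end: Optional[str] = None) -> None:
        first, last = IPv4Address(start), IPv4Address(end or start)
        self._members = [a for a in self._members if not first <= a <= last]
        for a in list(self._leases):
            if first <= a <= last:
                del self._leases[a]          # leased addresses in the range go too

    # --- allocation to network access clients ---
    def lease(self, client_id: str) -> Optional[str]:
        """Return the client's address, or None when every member is in use."""
        for addr, holder in self._leases.items():
            if holder == client_id:
                return str(addr)             # already connected: keep the same address
        for addr in self._members:
            if addr not in self._leases:
                self._leases[addr] = client_id
                return str(addr)
        return None                          # pool exhausted: client gets no address

    def release(self, client_id: str) -> None:
        self._leases = {a: c for a, c in self._leases.items() if c != client_id}

    def free_count(self) -> int:
        return len(self._members) - len(self._leases)


if __name__ == "__main__":
    pool = LeasePool("na_pool.1")                # constructed name
    pool.add_range("10.10.1.10", "10.10.1.12")   # constructed members
    pool.add_address("10.10.1.20")
    print(pool.lease("client-a"), pool.free_count(), "free")
```

The exhaustion case is the one worth watching operationally: a pool sized below the number of concurrent users means later connections succeed at the policy stage but receive no address, so the pool size should be checked against expected concurrency rather than the number of named users.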
1. On the Main tab of the navigation pane, expand Secure Connectivity and click Lease Pools.
   The Lease Pool List screen opens.
2.
To add a single IP address, in the Member List area, select IP Address for the type. In the IP Address box, type the IP address, and click the Add button.
To add a range of IP addresses, in the Member List area, select IP Address Range for the type. In the Start IP Address box, type the first IP address, and in the End IP Address box, type the last IP address. Click the Add button.
To delete an IP address or IP address range, select the IP address or IP address range in the member list, and click the Delete button.
5. To delete the lease pool, click the Delete button, then click OK on the dialog that appears.
1. On the Main tab of the navigation pane, expand Secure Connectivity and click Network Access.
   The Network Access Resource List screen opens.
2. In the Name column, click the name of the network access resource to which you want to assign the lease pool.
   The Network Access Properties screen opens.
3. In the General Settings area, from the Lease Pool list, select the lease pool to assign.
A resource group is a collection of resources, access control lists, and protection criteria that includes your company intranet servers, applications, and network shares.
You must create a resource group that contains a network access resource to give your users network access connections. You must then assign this resource group to users, with the resource assign action.
1. On the Main tab of the navigation pane, expand Secure Connectivity, then click Resource Groups.
   The Resource Group List screen opens.
2. Click the Create button.
   The Resource Group General Properties screen opens.
3. In the Name box, type a name for the resource group.
4. In the Manage Resources area, select a network access resource from the Available list to add to the resource group, and click the Move button (<<) to move the resource to the Active list.
   Note that a resource group can contain only one network access resource.
1. On the Main tab of the navigation pane, expand Secure Connectivity, then click Resource Groups.
   The Resource Group List screen opens.
2. In the Name column, click the name of the resource group to edit.
   The Resource Group Properties screen opens.
4. To add a resource to the group, in the Manage Resources area, select a network access resource from the Available list to add to the resource group, and click the Move button (<<) to move the resource to the Active list.
5. To remove a resource from the group, in the Manage Resources area, select a network access resource from the Active list, and click the Move button (>>) to move the resource to the Available list.
   Note that a resource group can contain only one network access resource.
1. On the Main tab of the navigation pane, expand Secure Connectivity, then click Resource Groups.
   The Resource Group List screen opens.
2. Place a check in the box next to each resource group you want to delete, and click the Delete button.
   The Confirm Delete screen opens.
3. Click the Delete button to delete the group.
1. On the Main tab of the navigation pane, expand Access Control, then click Access Profiles.
   The Access Profiles screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
   The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
5. Select Resource Assign and click Add Item.
   The Resource Assign action popup screen opens.
6. Click Add new entry.
7. From the Resource Group list, select a resource group.
8. You can optionally select an ACL from the ACL list, and you can click the change link in the Expression column to add an expression that must be evaluated before the resource group is assigned.
9. Click Save to complete the action configuration.