Manual Chapter: Configuring Resources

With BIG-IP® Access Policy Manager®, you use resources to provide secure connection functionality to users. You configure a resource to allow access to a web application or a network access connection, and you configure access control lists to allow or deny access for clients that use network access, web applications, or LTM access policies.
You use access control lists (ACLs), network access, portal access, app tunnels, and remote desktop resources, along with webtops, to provide functionality to clients. For an LTM access policy, you assign ACLs only; no other resources apply. You use ACLs to define the networks, hosts, and protocols that users are allowed or denied. With all resource-based policies, you can assign a full webtop to provide useful links to users who connect. You assign ACLs and webtops dynamically in an access policy, using one of the resource assign actions.
In this chapter you can learn how to use ACLs and webtops. To configure network access resources, see the BIG-IP Access Policy Manager Network Access Guide. To configure portal access, see the BIG-IP Access Policy Manager Portal Access Guide. To configure app tunnels and remote desktops, see the BIG-IP Access Policy Manager Application Access Guide.
You use access control lists, or ACLs, to restrict user access to specified host and port combinations.
For an ACL to have an effect on traffic, at least one access control entry must be configured. In an access control entry, the only item that is required is the action. When you configure an ACL with an entry with only an action defined, that action becomes the default access control action for all traffic to which the ACL is applied.
ACL entries can work on OSI Layer 4, the transport layer, on OSI Layer 7, the application layer, or on both. When you first create an access control entry, you select whether the entry is for Layer 4, Layer 7, or both.
You can use a Layer 4 or Layer 7 ACL with network access, web applications, or LTM access connections, with the following configuration notes.
With network access, you can use a Layer 7 ACL to control access to HTTP connections on port 80. To control access to anything that is not on port 80, you must create a second virtual server, configured with the IP address to which the ACL entry applies and with the default access profile, access.
For HTTPS network access connections, you can use Layer 7 ACL entries only if the virtual server has the private key of the backend server, because the Layer 7 fields (scheme, host, and path) can be evaluated only on traffic that the BIG-IP system can decrypt.
If you assign no ACLs to an access policy, or no entry matches a connection, the default behavior allows access. To restrict users to only the resources you specify, add an ACL entry that rejects all connections at the end of the ACL entry list; the access policy then rejects any connection not matched by an earlier entry.
The order you specify for ACLs and ACL entries determines their priority. Access Policy Manager tests ACLs and their entries in list order and applies the first entry that matches. Only the ACLs assigned to the current session are tested. You can reorder ACL entries and ACLs.
You assign ACLs dynamically in the access policy with the full resource assign action or with the ACL assign action, so ACLs apply only to clients who reach that action in the access policy. See To assign an access control list with the full resource assign action, for more information.
Note: ACLs are not enforced on network traffic initiated from the server. Use SNAT automap or SNAT pool options in the network access configuration if you do not want servers to be able to initiate a connection to any client.
1.
On the Main tab of the navigation pane, expand Access Policy, and click ACLs.
The ACLs screen opens.
2.
Click Create.
The New ACL screen opens.
3.
In the Name field, type a name for the access control list.
4.
From the Type list, select Static.
5.
In the Description field, you can add an optional description of the access control list.
6.
From the ACL Order list, you can optionally determine in what order to add the new ACL.
Select After to add the ACL after a specific ACL, which you then select.
Select Specify to type the specific number of the ACL in the list.
Select Last to add the ACL at the last position in the list.
7.
Click the Create button.
The ACL Properties screen opens.
8.
In the Access Control Entries area, click Add to add an entry to the access control list.
The New Access Control Entry screen appears.
9.
From the Type list, select whether this is a Layer 4 (L4), Layer 7 (L7), or Layer 4 + Layer 7 (L4+L7) access control entry.
10.
From the Action list, select the action for the access control entry.
If you are creating a default access control list, complete this step, then skip to the last step in this procedure.
Actions for the access control list entry are:
Allow - Permit the traffic.
Continue - Skip checking against the remaining ACL entries in this ACL, and continue evaluation at the next ACL.
Discard - Drop the packet silently.
Reject - Drop the packet and send a TCP RST message on TCP flows or proper ICMP messages on UDP flows. Silently drop the packet on other protocols.
Note: If HTTP traffic matches a Layer 4 ACL, a TCP RST message is sent. The ACL Deny page is sent when traffic is matched and denied on a Layer 7 ACL.
11.
For a Layer 4 or Layer 4 + Layer 7 entry, in the Source IP Address field, type the source IP address.
This specifies the IP address to which the access control list entry applies.
12.
In the Source Mask field, type the network mask for the source IP address.
This specifies the network mask for the source IP address to which the access control list entry applies.
13.
For the Source Port setting, select Port or Port Range.
This setting specifies whether the access control list entry applies to a single port or a range of ports.
14.
In the Port field or the Start Port and End Port fields, specify the port or port ranges to which the access control list entry applies.
To simplify this choice, you can select from the list of common applications, to the right of the Port field, to add the typical port or ports for that protocol.
15.
In the Destination IP Address field, type the IP address to which the ACL controls access.
16.
In the Destination Mask field, type the network mask for the destination IP address.
17.
For the Destination Ports setting, select Port or Port Range.
This setting specifies whether the access control list entry applies to a single port or a range of ports.
18.
In the Port field or the Start Port and End Port fields, specify the port or port ranges to which the access control list entry applies.
To simplify this choice, you can select from the list of common applications, to the right of the Port field, to add the typical port or ports for that protocol.
19.
For a Layer 7 or Layer 4 + Layer 7 entry, from the Scheme list, select the URI scheme for the ACL entry.
You can select http, https, or any.
Any matches either HTTP or HTTPS traffic.
20.
In the Host Name field, type a host to which the ACL applies.
The Host Name field supports shell glob matching. For example, you can use the asterisk wildcard (*) to search for zero or more characters, and the question mark wildcard (?) to search for a single character. For example, the host entry *.siterequest.com matches siterequest.com with any prefix. This entry matches www.siterequest.com, mail.siterequest.com, finance.siterequest.com, and any others with the same pattern.
The ? matches exactly one character, so n?t.siterequest.com matches the hosts net.siterequest.com and not.siterequest.com, but not neet.siterequest.com, nt.siterequest.com, or note.siterequest.com.
21.
In the Paths field, type the path or paths to which the ACL applies.
You can separate multiple paths with spaces, for example, /news /finance. The Paths field supports shell glob matching: the asterisk (*) matches zero or more characters and the question mark (?) matches exactly one character. You can also type a specific URI, for example, /finance/content/earnings.asp, or a specific extension, for example, *.jsp.
22.
From the Protocol list, select the protocol to which the ACL applies.
23.
From the Log list, select the log level for this access control entry.
None - log nothing.
Packet - log the matched packet.
24.
Click Finished.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
Select Full Resource Assign, and click Add Item.
The Full Resource Assign action popup screen opens.
5.
Click Add new entry.
A new resource assign entry appears in the popup screen.
6.
To add one or more ACLs, click the Add/Delete link, select the Static ACLs tab from the menu bar, then select the check boxes for the ACLs you want to assign, and clear the check boxes for the ACLs you do not want to assign.
ACL assignment is optional.
7.
Click Update to return to the Full Resource Assign popup screen.
8.
Click Save to save the action.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
Select ACL Assign, and click Add Item.
The ACL Assign action popup screen opens.
5.
To add one or more ACLs, click the Add/Delete link, then select the check boxes for the ACLs you want to assign, and clear the check boxes for the ACLs you do not want to assign.
ACL assignment is optional.
6.
Click Save to save the action.
The following examples show how to use ACLs to prevent access to servers, or to allow only certain types of traffic to access servers. Each example lists the settings for one access control entry; the first two are Layer 4 entries, and the third uses Layer 7 fields.
Example: reject all traffic to the 192.168.112.0/24 network
Source IP Address - 0.0.0.0 (note that when you leave an IP address entry blank, the result is the same as typing the address 0.0.0.0).
Source Mask - 0.0.0.0
Source Ports - All Ports
Destination IP address - 192.168.112.0
Destination Mask - 255.255.255.0
Destination Ports - All Ports
Protocol - All Protocols
Action - Reject
Click Finished.
Example: allow SSH (TCP port 22) to the host 192.168.112.9
Source Mask - 0.0.0.0
Source Ports - All Ports
Destination IP address - 192.168.112.9
Destination Mask - 255.255.255.255
Destination Ports - Port 22 (or select SSH)
Protocol - TCP
Action - Allow
Click Finished.
Example: reject HTTP requests for .doc, .exe, and .txt files
Source Mask - 0.0.0.0
Source Ports - All Ports
Destination Ports - All Ports
Scheme - http
Paths - *.doc *.exe *.txt
Protocol - All Protocols
Action - Reject
Click Finished.
Because ACLs and entries are tested in order and the first match decides, place the allow-SSH entry before the reject entry for the network when both apply to the same session; otherwise the reject entry matches first and blocks SSH as well.
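To make the ordering rules concrete, here is an added example (my own Python model, not F5 code and not part of this page) that evaluates the three entries above against constructed flows using the semantics this chapter describes: ACLs and entries tested in order, the first match decides, Continue skips to the next ACL, no match means Allow, and host and path fields matched as shell globs (steps 20 and 21). The Entry and Flow types, the sample addresses and the case-sensitive comparison of paths are assumptions; the page does not state how static ACL paths are compared.

```python
"""Model of how APM evaluates assigned ACLs (constructed example, not F5 code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    """One access control entry. Unset Layer 4 fields mean 'any', like the GUI
    defaults (blank address == 0.0.0.0/0.0.0.0, All Ports, All Protocols)."""
    action: str                              # Allow | Reject | Discard | Continue
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_ports: Optional[Tuple[int, int]] = None
    protocol: Optional[str] = None
    scheme: Optional[str] = None             # Layer 7 fields; "any" matches http and https
    host: Optional[str] = None
    paths: Tuple[str, ...] = ()

    @property
    def is_l7(self) -> bool:
        return self.scheme is not None or self.host is not None or bool(self.paths)


@dataclass(frozen=True)
class Flow:
    """A connection as the ACL engine sees it. scheme/host/path are known only
    for HTTP(S) requests the BIG-IP system can inspect."""
    src: str
    dst: str
    dport: int
    protocol: str
    scheme: Optional[str] = None
    host: Optional[str] = None
    path: Optional[str] = None


def glob_match(pattern: str, value: str) -> bool:
    """Shell glob as the page describes it: * is zero or more characters, ? exactly one."""
    return fnmatchcase(value, pattern)


def entry_matches(e: Entry, f: Flow) -> bool:
    if ip_address(f.src) not in ip_network(e.src, strict=False):
        return False
    if ip_address(f.dst) not in ip_network(e.dst, strict=False):
        return False
    if e.dst_ports and not e.dst_ports[0] <= f.dport <= e.dst_ports[1]:
        return False
    if e.protocol and e.protocol.lower() != f.protocol.lower():
        return False
    if e.is_l7:
        if f.scheme is None:
            return False                     # nothing to inspect: L7 fields cannot match
        if e.scheme not in (None, "any") and e.scheme != f.scheme:
            return False
        if e.host and not glob_match(e.host.lower(), (f.host or "").lower()):
            return False
        if e.paths and not any(glob_match(p, f.path or "") for p in e.paths):
            return False                     # paths compared case-sensitively (assumption)
    return True


def evaluate(acls: List[List[Entry]], f: Flow) -> str:
    """ACLs in priority order, entries in order; the first matching entry decides.
    Continue abandons the rest of the current ACL and moves on to the next one.
    No match anywhere (or no ACLs assigned) means Allow, which is why a trailing
    reject-all entry is what turns the policy into default-deny."""
    for acl in acls:
        for e in acl:
            if not entry_matches(e, f):
                continue
            if e.action == "Continue":
                break
            return e.action
    return "Allow"


# The three example entries from this chapter plus sample flows (all constructed).
REJECT_SUBNET = [Entry("Reject", dst="192.168.112.0/24")]
ALLOW_SSH = [Entry("Allow", dst="192.168.112.9/32", dst_ports=(22, 22), protocol="tcp")]
BLOCK_DOWNLOADS = [Entry("Reject", scheme="http", paths=("*.doc", "*.exe", "*.txt"))]
EXEMPT_HOST = [Entry("Continue", dst="192.168.112.9/32"), Entry("Reject", dst="192.168.112.0/24")]

SSH = Flow("10.0.0.5", "192.168.112.9", 22, "tcp")
SMB = Flow("10.0.0.5", "192.168.112.9", 445, "tcp")
DOC = Flow("10.0.0.5", "10.1.1.20", 80, "tcp", "http", "files.siterequest.com", "/q3/earnings.doc")
PAGE = Flow("10.0.0.5", "10.1.1.20", 80, "tcp", "http", "www.siterequest.com", "/news/index.html")


def ssh_with_reject_first() -> str:
    return evaluate([REJECT_SUBNET, ALLOW_SSH], SSH)     # "Reject": the subnet entry wins


def ssh_with_allow_first() -> str:
    return evaluate([ALLOW_SSH, REJECT_SUBNET], SSH)     # "Allow": specific entry placed first


def ssh_via_continue() -> str:
    return evaluate([EXEMPT_HOST, ALLOW_SSH], SSH)       # "Allow": Continue skips the reject


if __name__ == "__main__":
    policy = [BLOCK_DOWNLOADS, ALLOW_SSH, REJECT_SUBNET]
    for name, flow in (("ssh", SSH), ("smb", SMB), ("doc", DOC), ("page", PAGE)):
        print(f"{name}: {evaluate(policy, flow)}")
```

Run it as a script to see the combined policy decide each flow: SSH to 192.168.112.9 is allowed, SMB to the same host is rejected by the trailing subnet entry, the .doc download is rejected by the Layer 7 entry, and the plain page request to a host outside the subnet falls through to the default Allow. Swapping the first two ACLs in ssh_with_reject_first() is the mistake the ordering note warns about.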
You can add a dynamic ACL anywhere in an access policy before the resources are assigned. To add a dynamic ACL, you must complete several steps first.
A dynamic ACL is an ACL that is stored in an LDAP, RADIUS, or Active Directory server. Because the dynamic ACL is associated with the user directory, ACLs can be assigned specifically per the user session.
The access policy extracts the dynamic ACL from a field on the AD, RADIUS, or LDAP server. When the extraction happens, the access policy Dynamic ACL action takes the variable in the specified format, and converts it to an ACL that is applied to the access policy branch.
Access Policy Manager supports ACLs in an F5 ACL format, and in a subset of the Cisco ACL format. You specify the F5 ACL in an attribute field in an Active Directory, RADIUS, or LDAP server, and then specify that attribute in the Dynamic ACL action.
The dynamic ACL action specifies an action that the ACL takes on traffic that matches the ACL context. Available actions are:
allow - allows the specified traffic
reject - rejects the specified traffic and sends a TCP RST to the initiator
discard - silently drops the packets
continue - skips checking against the remaining ACL entries in this ACL, and continues evaluation at the next ACL
Logging keywords are:
log - enables default logging for the ACL
log-packet - writes packet-level logs to the packet filter log file
log-verbose - writes verbose logs
log-summary - writes summary logs
log-config - writes configuration logs to the configuration log file
The context word selects the protocol to which the entry applies:
ip - IP protocol traffic
http - HTTP protocol traffic. Requires that you specify an HTTP or HTTPS URL in the ACL definition
udp - UDP traffic only
tcp - TCP traffic only
In the F5 ACL format, the addresses are the last item specified in the ACL definition. Addresses are specified as a pair separated by a space. The access policy matches the first address in the pair against the source host, and the second address in the pair against the destination. Addresses can be:
any[/mask][:port] - matches any host or IP address, with an optional subnet mask or port. For example:
{ allow tcp any 1.2.3.4 }
allows TCP traffic between any host and the destination IP address 1.2.3.4.
{ allow tcp any/8 1.2.3.4 }
allows TCP traffic between any host within the subnet 255.0.0.0 and the destination IP address 1.2.3.4.
{ allow tcp any/8:8000 1.2.3.4 }
allows TCP traffic between any host within the subnet 255.0.0.0 on port 8000 and the destination IP address 1.2.3.4.
IP address[/mask][:port] - matches a specific IP address, with an optional subnet mask or port. For example:
{ allow 1.1.1.1 1.2.3.4 }
allows TCP traffic between the host IP address 1.1.1.1 and the destination IP address 1.2.3.4.
{ allow 1.1.1.0/16 1.2.3.4 }
allows TCP traffic between host IP addresses on the network 1.1.1.0 with the subnet mask 255.255.0.0 and the destination IP address 1.2.3.4.
{ allow 1.1.1.1:22 1.2.3.4 }
allows TCP traffic between the host IP address 1.1.1.1 on port 22 and the destination IP address 1.2.3.4.
The following example shows how to specify an IP protocol address in F5 ACL format. The context word ip is followed by an address pair specification, optionally preceded by an IP protocol number.
The following examples show how to specify a TCP or UDP protocol address in F5 ACL format. The context word tcp or udp is followed by an address pair specification.
The following examples show how to specify an HTTP protocol address in F5 ACL format. The context word http is followed by a source address, a destination address, and a URL. The URL specification supports wildcards with glob matching.
You can use the Cisco ACL format to specify dynamic ACLs. Cisco format attributes are stored in a RADIUS server in Cisco AV-Pairs. In the access policy, you specify the Cisco option in the Dynamic ACL action, and the attribute session.radius.last.attr.vendor-specific.1.9.1 is configured automatically.
The ACL format is specified at http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml.
You can also specify the prefix ip:inacl#X= where X is an integer used as the rule identifier.
The log and log-input keywords are mapped to the F5 log-packet option.
The following keywords are not currently supported: tos, established, time-range, dynamic, and precedence.
For IP protocol, the following specification is supported.
{deny|permit} protocol source source-wildcard destination destination-wildcard [log|log-input]
For example
ip:inacl#10=permit ip any any log
For TCP protocol, the following specification is supported.
{deny|permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log|log-input]
For example
ip:inacl#10=permit tcp any host 10.168.12.100 log
For UDP protocol, the following specification is supported.
{deny|permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log|log-input]
For example
deny udp any any log
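As an added example covering both the F5 ACL format and the Cisco subset described above (my own Python, not F5 code; the page shows no parser), the following turns an entry in either format into one normalised rule, so that a directory attribute can be checked for typos and unsupported keywords before it is trusted to an access policy. Assumptions not on this page: F5 logging keywords are placed between the action and the context word, a missing context word is treated as ip, Cisco deny is mapped to reject, the standard Cisco port operators eq, gt, lt and range are accepted, and addresses are IPv4 only. The sample entries in the usage note are constructed from the page's examples.

```python
"""Parse dynamic ACL entries (F5 format and the supported Cisco subset) into one
normalised Rule. Constructed example, not F5 code."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class Rule:
    action: str                      # allow | reject | discard | continue
    proto: str                       # ip | tcp | udp | http
    src: str                         # CIDR
    sport: PortRange
    dst: str
    dport: PortRange
    url: Optional[str] = None        # http context only
    log: bool = False                # F5 log-* keywords; Cisco log/log-input -> log-packet
    ip_proto: Optional[int] = None   # numeric protocol after the ip context word


F5_ACTIONS = {"allow", "reject", "discard", "continue"}
F5_LOG_WORDS = {"log", "log-packet", "log-verbose", "log-summary", "log-config"}
F5_CONTEXTS = {"ip", "tcp", "udp", "http"}


def _f5_addr(token: str) -> Tuple[str, PortRange]:
    """any[/mask][:port] or A.B.C.D[/mask][:port] -> (CIDR, port range). IPv4 only."""
    port: PortRange = None
    if ":" in token:
        token, p = token.rsplit(":", 1)
        port = (int(p), int(p))
    if token == "any":
        token = "0.0.0.0/0"
    elif token.startswith("any/"):
        token = "0.0.0.0" + token[3:]           # any/8 -> 0.0.0.0/8
    if "/" not in token:
        token += "/32"
    return str(ip_network(token, strict=False)), port


def parse_f5(text: str) -> Rule:
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("F5 ACL entry must be enclosed in braces")
    words = body[1:-1].split()
    if not words or words[0] not in F5_ACTIONS:
        raise ValueError("entry must start with allow, reject, discard or continue")
    action, log = words.pop(0), False
    while words and words[0] in F5_LOG_WORDS:   # assumption: log keywords follow the action
        log, _ = True, words.pop(0)
    proto, ip_proto = "ip", None                 # assumption: no context word means ip
    if words and words[0] in F5_CONTEXTS:
        proto = words.pop(0)
        if proto == "ip" and words and words[0].isdigit():
            ip_proto = int(words.pop(0))
    if len(words) < 2:
        raise ValueError("expected a source and a destination address")
    src, sport = _f5_addr(words.pop(0))
    dst, dport = _f5_addr(words.pop(0))
    url = None
    if proto == "http":
        if not words:
            raise ValueError("http context requires a URL")
        url = words.pop(0)
    if words:
        raise ValueError(f"unexpected trailing tokens {words}")
    return Rule(action, proto, src, sport, dst, dport, url, log, ip_proto)


CISCO_PREFIX = re.compile(r"^ip:inacl#(\d+)=")
CISCO_UNSUPPORTED = {"tos", "established", "time-range", "dynamic", "precedence"}
CISCO_OPERATORS = {"eq", "gt", "lt", "neq", "range"}


def _wildcard_to_cidr(addr: str, wildcard: str) -> str:
    """Cisco wildcard mask (0 bits must match) -> CIDR; rejects non-contiguous masks."""
    a, w = int(ip_address(addr)), int(ip_address(wildcard))
    mask = ~w & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return str(ip_network((a & mask, prefix)))


def _cisco_addr(words: List[str]) -> str:
    tok = words.pop(0)
    if tok == "any":
        return "0.0.0.0/0"
    if tok == "host":
        return str(ip_network(words.pop(0) + "/32"))
    return _wildcard_to_cidr(tok, words.pop(0))


def _cisco_port(words: List[str]) -> PortRange:
    if not words or words[0] not in CISCO_OPERATORS:
        return None
    op = words.pop(0)
    if op == "eq":
        p = int(words.pop(0))
        return (p, p)
    if op == "gt":
        return (int(words.pop(0)) + 1, 65535)
    if op == "lt":
        return (0, int(words.pop(0)) - 1)
    if op == "range":
        return (int(words.pop(0)), int(words.pop(0)))
    raise ValueError("neq cannot be expressed as a single port range")


def parse_cisco(text: str) -> Tuple[Optional[int], Rule]:
    """Returns (rule identifier X from the ip:inacl#X= prefix or None, Rule)."""
    line, seq = text.strip(), None
    m = CISCO_PREFIX.match(line)
    if m:
        seq, line = int(m.group(1)), line[m.end():]
    words = line.split()
    bad = CISCO_UNSUPPORTED.intersection(words)
    if bad:
        raise ValueError(f"unsupported keyword(s): {sorted(bad)}")
    if len(words) < 4:
        raise ValueError("truncated entry")
    verb, proto = words.pop(0), words.pop(0)
    if verb not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported entry {text!r}")
    action = "allow" if verb == "permit" else "reject"   # assumption: deny -> reject
    src = _cisco_addr(words)
    sport = _cisco_port(words) if proto != "ip" else None
    dst = _cisco_addr(words)
    dport = _cisco_port(words) if proto != "ip" else None
    log = bool(words) and words[0] in ("log", "log-input")  # both map to log-packet
    if log:
        words.pop(0)
    if words:
        raise ValueError(f"unexpected trailing tokens {words}")
    return seq, Rule(action, proto, src, sport, dst, dport, None, log)


def is_supported_cisco(text: str) -> bool:
    """True if the entry parses; use before storing an AV-Pair in RADIUS."""
    try:
        parse_cisco(text)
        return True
    except ValueError:
        return False
```

parse_f5("{ allow tcp any/8:8000 1.2.3.4 }") yields an allow rule for tcp from 0.0.0.0/8 port 8000 to 1.2.3.4/32, and parse_cisco("ip:inacl#10=permit tcp any host 10.168.12.100 log") yields identifier 10 with an allow rule to 10.168.12.100/32 and logging on. is_supported_cisco("permit tcp any any established") is False, because established is one of the keywords the page lists as unsupported; catching that at the directory is cheaper than discovering that the access policy silently ignores the entry.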
1.
On the Main tab of the navigation pane, expand Access Policy, and click ACLs.
The ACLs screen opens.
2.
Click Create.
The New ACL screen opens.
3.
In the Name field, type a name for the access control list.
4.
From the Type list, select Dynamic.
5.
In the Description field, you can add an optional description of the access control list.
6.
From the ACL Order list, you can optionally determine in what order to add the new ACL.
Select After to add the ACL after a specific ACL, which you then select.
Select Specify to type the specific number of the ACL in the list.
Select Last to add the ACL at the last position in the list.
7.
From the Match Case for Paths list, select Yes to match case for paths, or No to ignore path case.
8.
Click the Create button.
The ACL Properties screen opens.
You do not configure entries in the dynamic ACL container; the entries are supplied from the directory attribute at run time. Later, you select the dynamic ACL container in the Dynamic ACL action.
You add a dynamic ACL to an access policy, then you specify either the Cisco-AV format or the F5 ACL format, the AD, RADIUS, or LDAP attribute, and the dynamic ACL container.
Note that you must add the Dynamic ACL action after an authentication or query action, to capture the authentication variables that contain the dynamic ACL specification.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
Select Dynamic ACL, and click Add Item.
The Dynamic ACL action popup screen opens.
5.
Click Add new entry.
A new dynamic ACL entry appears in the popup screen.
6.
To use an F5 ACL from an AD, RADIUS, or LDAP directory, select Custom. To use a Cisco AV-Pair ACL from a RADIUS directory, select Cisco AV-Pair VSA.
7.
In the Source field, type the attribute from which the Dynamic ACL action extracts ACLs.
If you are using Cisco AV-Pair VSA from a RADIUS server, the field is prepopulated with session.radius.last.attr.vendor-specific.1.9.1.
8.
From the ACL list, select the dynamic ACL container.
9.
From the Format list, select the format in which the ACL is specified.
10.
To add another ACL entry, click the Add new entry button and repeat steps 5 through 9.
11.
Click Save to save the action.
When a user is allowed access by an access policy, that user is typically assigned a webtop. A webtop is the successful end point for an access policy branch. A full webtop also provides a customizable screen for the user that includes webtop links, and all resources assigned to the access policy branch, except the ACLs. You can also assign a portal access or network access webtop for those specific connection types.
You assign a webtop to the user session in a resource assign action in the access policy. Make sure that you assign the correct webtop type.
You assign a full webtop to include a network access resource, multiple portal access resources, multiple app tunnels, multiple remote desktop resources, and customizable webtop links.
Many settings for the webtop can be customized. To customize webtop settings, see the BIG-IP® Access Policy Manager® Customization Guide.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Webtops.
The Webtop List screen opens.
2.
Click Create.
The New Webtop screen opens.
3.
In the Name field, type the name for the webtop.
4.
From the Type list, select whether the webtop is a network access, portal access, or full webtop.
5.
If you selected a network access or full webtop, select whether to automatically minimize the webtop to the system tray, by selecting or clearing the Minimize To Tray check box.
When you select this setting for a network access webtop, the webtop automatically minimizes to the tray. With a full webtop, the webtop minimizes to the system tray only after the network access connection is started.
6.
If you selected a portal access webtop, in the Portal Access start URI field, type the URI for the web application.
7.
Click Finished to complete the configuration.
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
Select Full Resource Assign, and click Add Item.
The Full Resource Assign action popup screen opens.
5.
Click Add new entry.
A new resource assign entry appears in the popup screen.
6.
Click Add/Delete.
The resource assign popup screen appears.
7.
To specify a webtop for the connection, click the Webtop tab, and select a webtop to assign.
8.
Click Update to return to the Full Resource Assign popup screen.
9.
Click Save to save the action.
When an AD server is configured with an IPv6 address in the Domain Controller setting, AD query does not work. However, AD query against a domain controller with an IPv6 address has been tested using the following layered virtual server approach.
1.
In the AD server configuration, use the host name of the DC in the Domain Controller setting. Here is an example.
apm aaa active-directory /Common/AD-IPv6 {
admin-encrypted-password ".(.5(lEhJfN\\<^FaLGC0Bt8CG0KMfR\\9;coEKdIm=5@32II"
admin-name Administrator
Note: In the above example, the host name is win2008.enterprise.lab.fp.mynet.com.
2.
Update the system's global setting to include a remote host entry for the DC host name that was used in step 1 and map it to an IPv4 address as shown in this example.
sys global-settings {
gui-setup disabled
hostname bigip2mgmt.lab.fp.mynet.com
mgmt-dhcp disabled
remote-host {
/Common/abc { addr 172.31.54.99
hostname win2008.enterprise.lab.fp.mynet.com
}
}
}
/Common/fd00:ffff:ffff:fff1:912e:cdfe:c884:2607.any {
address fd00:ffff:ffff:fff1:912e:cdfe:c884:2607
}
5.
Create another layered virtual as in step 4, but for UDP traffic. (Set the protocol setting in the Virtual server configuration to UDP). See this example.