Applies To:

Show Versions Show Versions

Manual Chapter: Configuring Virtual Servers
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

11
With BIG-IP® Access Policy Manager, you configure virtual servers with particular configurations for access policies. For LTM access, you configure an existing Local Traffic Manager virtual server to use an access policy, or you can create a new virtual server for this purpose. The IP address assigned to a virtual server is the one that is typically exposed to the Internet for SSL VPN services.
When creating a virtual server, specify that the virtual server is a host virtual server for Access Policy Manager, and not a network virtual server. (For more information on host and network virtual servers, see the Configuring Virtual Servers chapter in the Configuration Guide for BIG-IP® Local Traffic Manager.) In either case, you need only configure a few settings: a unique name for the virtual server, a destination address, and a service port.
Important: When you create a virtual server, the BIG-IP system places the virtual server into your current administrative partition. For information on partitions, see the TMOS® Management Guide for BIG-IP® Systems.
For production deployment of your configuration, you should either edit the clientssl profile to use your imported certificate and key, or create a new profile based on the clientssl profile that uses your own certificate and key. For more information, see Configuring a clientssl profile. For initial evaluation of Access Policy Manager, you may select the default clientssl profile in the SSL Profile (Client) list. This default profile does not contain a valid SSL server certificate, but it can be used for initial Access Policy Manager evaluation and testing.
The SNAT settings for App Tunnels, Optimized Applications, Remote Desktops, Portal Acces, Citrix connections, and LTM+APM deployments, are applied in the access policy session, if configured. If there is no specific SNAT configuration specified, the SNAT settings from the virtual server are applied.
If the Access Policy Manager traffic hits another user defined virtual server before leaving the BIG-IP, the SNAT settings from the last user defined virtual server are used on outgoing connections.
You create a virtual server to provide a portal for user logons to Access Policy Manager resources. At a minimum, you must create one virtual server on which your users can log on.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
The Virtual Server List screen opens.
2.
Click Create.
The New Virtual Server screen opens.
3.
In the Name box, type a name for the virtual server.
4.
In the Destination area, select host.
5.
In the Address box, type the virtual server host IP address.
6.
From the Service Port list, select HTTPS.
7.
From the HTTP Profile list, select http.
8.
From the SSL Profile (Client) list, select the client SSL profile to use with this virtual server.
9.
If your web application server is using HTTPS services, from the SSL Profile (Server) list, select the server SSL profile to use with this virtual server.
10.
For a portal access virtual server, from the SNAT Pool list, select Auto Map.
See Understanding SNAT interactions for a warning about the SNAT Pool setting.
11.
If you are configuring a virtual server that will forward traffic to another server or is forwarded to by another server, from the Source Port list, select Change.
This option only appears when you select Advanced for the Configuration section.
12.
From the Access Profile list, select the access profile to associate with this virtual server.
You must create this access profile before you define the virtual server. There is no default access profile available.
13.
From the Connectivity Profile list, select the connectivity profile to associate with this virtual server.
There is no default connectivity profile, so you must create a connectivity profile before you can select one from this list.
14.
If you are creating a virtual server to use with portal access, from the Rewrite Profile list, select the rewrite profile.
You can select a rewrite profile with a network access or application access configuration.
15.
If you are configuring an access policy for use with Microsoft ActiveSync, add the ActiveSync iRule. In the Resources section, next to iRules, select _sys_APM_activesync in the Available list, and click the << button to move the iRule to the Enabled list.
16.
If you are creating a virtual server to use with portal access in minimal patching mode, from the Default pool list, select the local traffic pool for this application.
17.
Click Finished to complete the configuration.
To configure DTLS mode for a network access connection, you must configure a virtual server specifically for use with DTLS. This DTLS virtual server must have the same IP address as the TCP (HTTPS) virtual server to which a user connects to start an Access Policy Manager session. The network access resource assigned by the access policy on the TCP virtual server sharing the same address must be configured with the DTLS option selected. After the Access Policy Manager session is established, the network access tunnel is started using the DTLS virtual server, on the same IP address.
For more information, see the BIG-IP® Access Policy Manager® Network Access Guide.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
The Virtual Server List screen opens.
2.
Click Create.
The New Virtual Server screen opens.
3.
In the Name box, type a name for the virtual server.
4.
In the Destination area, select host for the type of virtual server
5.
In the Address box, type the virtual server host IP address.
This is the same IP address as the TCP virtual server to which your users connect.
6.
In the Service Port box, type the port number that you specified in the Network Access resource configuration, in the DTLS Port box.
By default, the DTLS port is 4433.
7.
In the Configuration area, from the Protocol list, select UDP.
8.
If you are configuring a virtual server that will forward traffic to another server or is forwarded to by another server, from the Source Port list, select Change.
This option only appears when you select Advanced for the Configuration section.
9.
From the Connectivity Profile list, select the connectivity profile associated with this virtual server.
This profile specifies client connection behavior and configuration.
10.
From the SSL Profile (Client) list, select the client SSL profile to use with this virtual server.
The system autmatically uses DTLS hardware acceleration, if supported by the hardware. To set the system to disable DTLS hardware acceleration, see Configuring a client SSL profile to disable DTLS acceleration.
11.
Click Finished to complete the configuration.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Profiles > SSL > Client.
The SSL Client Profiles screen opens.
2.
Click the SSL client profile you want to edit.
The Client SSL Profile Properties screen appears.
3.
Next to Configuration, select Advanced.
4.
Click the Custom check box.
5.
7.
Click Update.
To configure virtual servers for LTM access, you must configure both the BIG-IP® Local Traffic Manager and Access Policy Manager.
When you configure for this method of access, you create a virtual server that has one or more pool members and HTTP servers, and you attach an access policy to that virtual server. For more details, see Chapter 2, Configuring LTM Access.
1.
On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
2.
Click Create.
5.
Select the HTTP Profile from the available options.
The default profile, http, is usually sufficient, unless additional configuration options are needed.
6.
Select the SSL profile (Client) setting.
A client SSL profile is only required if you want to enable SSL from the client to the virtual server.
7.
Select the SSL profile (Server) setting.
A server SSL profile is only required if the pool members require SSL.
8.
If you are configuring a virtual server that will forward traffic to another server or is forwarded to by another server, from the Source Port list, select Change.
This option only appears when you select Advanced for the Configuration section.
9.
From the Access Profile list, select an access profile you created for LTM access.
10.
Click Finished.
13.
From the Default Pool list, select a default pool.
To configure and create local traffic pools, see the Configuration Guide for BIG-IP® Local Traffic Manager.
14.
Click Update.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)