Manual Chapter : Configuring Resources

Applies To: BIG-IP APM 11.4.1, 11.4.0

Chapter 3
Configuring Resources
Understanding resources
With BIG-IP® Access Policy Manager®, you use resources to provide secure connection functionality to users. With Access Policy Manager, you configure a resource to allow access to a web application or a network access connection, or you configure an access control list to allow or deny access to clients with network access, web applications, or web access management policies.
You use access control lists (ACLs), network access, portal access, app tunnels, and remote desktop resources along with webtops to provide the functionality to clients. For a web-access management policy, you assign ACLs, but you do not assign any other resources. You use ACLs to define allowed and disallowed networks, hosts, and protocols for users. With all resource-based policies, you can assign a full webtop to provide useful links to users who connect. You assign ACLs and webtops dynamically in an access policy, using one of several resource assign actions.
In this chapter, you can learn how to use ACLs and webtops. To configure network access resources, see the BIG-IP® Access Policy Manager® Network Access Guide. To configure portal access, see the BIG-IP® Access Policy Manager® Portal Access Guide. To configure app tunnels and remote desktops, see the BIG-IP® Access Policy Manager® Application Access Guide.
Using access control lists
You use access control lists, or ACLs, to restrict user access to specified host and port combinations.
For an ACL to have an effect on traffic, at least one access control entry must be configured. In an access control entry, the only item that is required is the action. When you configure an ACL with an entry with only an action defined, that action becomes the default access control action for all traffic to which the ACL is applied.
ACL entries can work on OSI Layer 4, the protocol layer, OSI Layer 7, the application layer, or both. When you first create an access control entry, you can select whether the entry is for Layer 4, Layer 7, or for both.
You can use a Layer 7 ACL configured with network access to provide access control for HTTP connections on port 80. However, if you want to provide access control for anything that is not on port 80, you must create a second virtual server, configured with the IP address to which the ACL entry applies and the default access profile, access.
For HTTPS network access connections, you can use Layer 7 ACL entries only if the virtual server has the back-end server's private key, because APM must decrypt the traffic before it can inspect the host name and path.
The second virtual server, usually called a layered virtual server, bypasses the processing that the APM internal virtual servers perform, so ACLs assigned in the network access tunnel's access policy are not enforced on a manually created layered virtual server. Applying those ACLs may require some extra steps. For details, refer to the following links:
If you assign no ACLs to an access policy, the default behavior allows all access. To restrict resources to only those you specify in an ACL, add an entry that rejects all connections at the end of the ACL entry list; the access policy then rejects any connection not matched by an earlier entry.
The order of ACLs, and of the entries within each ACL, determines their priority. Access Policy Manager tests only the ACLs assigned to the current session, in order, and tests the entries within each ACL in order; the first matching entry decides the result. You can reorder both ACLs and ACL entries.
You assign ACLs dynamically in the access policy with the advanced resource assign action or with the ACL assign action, so ACLs apply only to sessions that reach that action in the access policy. See To assign an access control list with the advanced resource assign action, for more information.
Note: ACLs are not enforced on network traffic initiated from the server side. If servers must not be able to initiate connections to network access clients, use the SNAT automap or SNAT pool options in the network access configuration, so that client tunnel addresses are not reachable from the server network.
Creating static access control lists
You create a static access control list to provide or deny access to network resources.
To create a static access control list
1.
On the Main tab of the navigation pane, expand Access Policy, and click ACLs.
The ACLs screen opens.
2.
Click Create.
The New ACL screen opens.
3.
In the Name field, type a name for the access control list.
4.
From the Type list, select Static.
5.
In the Description field, you can add an optional description of the access control list.
6.
From the ACL Order list, you can optionally determine in what order to add the new ACL.
 
Select After to add the ACL after a specific ACL, that you can then select.
 
Select Specify to type the specific number of the ACL in the list.
 
Select Last to add the ACL at the last position in the list.
7.
Click the Create button.
The ACL Properties screen opens.
8.
In the Access Control Entries area, click Add to add an entry to the access control list.
The New Access Control Entry screen appears.
9.
From the Type list, select whether this is a Layer 4 (L4), Layer 7 (L7), or Layer 4 + Layer 7 (L4+L7) access control entry.
10.
From the Action list, select the action for the access control entry.
If you are creating a default access control list, complete this step, then skip to the last step in this procedure.
Actions for the access control list entry are:
 
Allow - Permit the traffic.
 
Continue - Skip checking against the remaining ACL entries in this ACL, and continue evaluation at the next ACL.
 
Discard - Drop the packet silently.
 
Reject - Drop the packet and send a TCP RST on TCP flows or an ICMP unreachable message on UDP flows. On other protocols, the packet is silently dropped.
Note: If HTTP traffic matches a Layer 4 ACL entry with the Reject action, the client receives a TCP RST. If traffic is matched and denied by a Layer 7 ACL entry, the client receives the ACL Deny page instead.
11.
In the Source IP Address field, type the source IP address.
This is the address from which traffic must originate to match the entry. Leave the field blank, or type 0.0.0.0 with a Source Mask of 0.0.0.0, to match any source.
12.
In the Source Mask field, type the network mask for the source IP address.
The mask selects how much of the Source IP Address must match: 255.255.255.255 matches a single host, and 0.0.0.0 matches any address.
13.
For the Source Port setting, select Port or Port Range.
This setting specifies whether the access control list entry applies to a single port or a range of ports.
14.
In the Port field or the Start Port and End Port fields, specify the port or port ranges to which the access control list entry applies.
To simplify this choice, you can select from the list of common applications to the right of the Port field, to add the typical port or ports for that protocol.
15.
In the Destination IP Address field, type the IP address to which the ACL controls access.
16.
In the Destination Mask field, type the network mask for the destination IP address.
17.
For the Destination Ports setting, select Port or Port Range.
This setting specifies whether the access control list entry applies to a single port or a range of ports.
18.
In the Port field or the Start Port and End Port fields, specify the port or port ranges to which the access control list entry applies.
To simplify this choice, you can select from the list of common applications to the right of the Port field, to add the typical port or ports for that protocol.
19.
From the Scheme list, select the URI scheme for the ACL entry.
You can select http, https, or any.
Any matches either HTTP or HTTPS traffic.
20.
In the Host Name field, type a host to which the ACL applies.
The Host Name field supports shell glob matching. You can use the asterisk wildcard (*) to match zero or more characters, and the question mark wildcard (?) to match exactly one character. For example, the host entry *.siterequest.com matches any host name that ends in .siterequest.com: www.siterequest.com, mail.siterequest.com, finance.siterequest.com, and so on.
The ? matches exactly one character, so n?t.siterequest.com matches the hosts net.siterequest.com and not.siterequest.com, but not neet.siterequest.com, nt.siterequest.com, or note.siterequest.com.
21.
In the Paths field, type the path or paths to which the ACL applies.
You can separate multiple paths with spaces, for example, /news /finance. The Paths field supports shell glob matching: the asterisk (*) represents zero or more characters and the question mark (?) represents exactly one character. You can also type a specific URI, for example, /finance/content/earnings.asp, or a specific extension, for example, *.jsp.
22.
From the Protocol list, select the protocol to which the ACL applies.
23.
From the Log list, select the log level for this access control entry.
When events of this type occur, the server records a log message. Options are:
 
None - log nothing.
 
Packet - log the matched packet.
24.
Click Finished.
To assign an access control list with the advanced resource assign action
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
On the Assignment tab, select Advanced Resource Assign, and click Add Item.
The Advanced Resource Assign action popup screen opens.
5.
Click Add new entry.
A new resource assign entry appears in the popup screen.
6.
To add one or more ACLs, click the Add/Delete link, select the Static ACLs tab from the menu bar, then select the check boxes for ACLs you want to assign, and clear the check boxes for ACLs you do not want to assign.
ACL assignment is optional.
7.
Click Update to return to the Advanced Resource Assign popup screen.
8.
Click Save to save the action.
To assign an access control list with the ACL assign action
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
On the Assignment tab, select ACL Assign, and click Add Item.
The ACL Assign action popup screen opens.
5.
To add one or more ACLs, click the Add/Delete link, then select the check boxes for ACLs you want to assign, and clear the check boxes for ACLs you do not want to assign.
ACL assignment is optional.
6.
Click Save to save the action.
Access control list examples
The following examples show how to use ACLs to prevent access to servers, or to allow only certain types of traffic to access servers.
Example: Reject all connections to a specific network
In this ACL example, all connections to a specific network at 192.168.112.0/24 are rejected.
To configure an ACL to reject all connections to a specific network
1.
To create the access control list, follow the instructions at To create a static access control list.
2.
Configure the access control entries as follows.
 
Source IP Address - 0.0.0.0 (note that when you leave an IP address entry blank, the result is the same as typing the address 0.0.0.0).
 
Source Mask - 0.0.0.0
 
Source Ports - All Ports
 
Destination IP address - 192.168.112.0
 
Destination Mask - 255.255.255.0
 
Destination Ports - All Ports
 
Protocol - All Protocols
 
Action - Reject
3.
Click Finished.
Example: Allow SSH access to a specific host
In this ACL example, SSH connections are allowed to the internal host at 192.168.112.9.
To configure an ACL to allow SSH connections
1.
To create the access control list, follow the instructions at To create a static access control list.
2.
Configure the access control entries as follows.
 
Source IP Address - 0.0.0.0
 
Source Mask - 0.0.0.0
 
Source Ports - All Ports
 
Destination IP address - 192.168.112.9
 
Destination Mask - 255.255.255.255
 
Destination Ports - Port 22 (or select SSH)
 
Protocol - TCP
 
Action - Allow
3.
Click Finished.
Example: Reject connections to specific file types
In this ACL example, HTTP requests for files with the extensions .doc, .exe, and .txt are rejected. Because the Scheme is set to http, the entry matches plain HTTP only; to cover HTTPS requests as well, select any as the scheme (see the note on Layer 7 ACLs and HTTPS network access connections earlier in this chapter).
To configure an ACL to reject connections to specific file types
1.
To create the access control list, follow the instructions at To create a static access control list, and create a Layer 4 + Layer 7 (L4+L7) access control entry.
2.
Configure the access control entries as follows.
 
Source IP Address - 0.0.0.0
 
Source Mask - 0.0.0.0
 
Source Ports - All Ports
 
Destination IP address - 0.0.0.0
 
Destination Mask - 0.0.0.0
 
Destination Ports - All Ports
 
Scheme - http
 
Paths - *.doc *.exe *.txt
 
Protocol - All Protocols
 
Action - Reject
3.
Click Finished.
Configuring dynamic ACLs
You can add a dynamic ACL anywhere in an access policy before the resources are assigned. To add a dynamic ACL, you must complete several steps first.
Understanding dynamic ACLs
A dynamic ACL is an ACL that is stored in an LDAP, RADIUS, or Active Directory server. Because the dynamic ACL is associated with the user directory, ACLs can be assigned specifically per the user session.
The access policy extracts the dynamic ACL from a field on the AD, RADIUS, or LDAP server. When the extraction happens, the access policy Dynamic ACL action takes the variable in the specified format, and converts it to an ACL that is applied to the access policy branch.
Understanding the F5 ACL format
Access Policy Manager® supports ACLs in an F5 ACL format, and in a subset of the Cisco ACL format. You specify the F5 ACL in an attribute field in an Active Directory, RADIUS, or LDAP server, and then specify that attribute in the Dynamic ACL action.
The F5 ACL format is specified with the following commands:
{ action [logging_options] context }
Understanding F5 ACL actions
The dynamic ACL action specifies an action that the ACL takes on traffic that matches the ACL context. Available actions are:
 
allow - allows the specified traffic
 
reject - rejects the specified traffic and sends a TCP RST code to the initiator
 
discard - silently drops the packets
 
continue - skips checking against the remaining ACL entries in this ACL, and continues evaluation at the next ACL
Understanding F5 ACL logging options
Logging options can optionally be specified after the action in the F5 ACL format:
 
log - enables default logging for the ACL
 
log-packet - writes packet-level logs to the packet filter log file
 
log-verbose - writes verbose logs
 
log-summary - writes summary logs
 
log-config - writes configuration logs to the configuration log file
Understanding F5 ACL context options
Context options specify protocols, addresses, networks, and ports for the ACL action.
Understanding F5 ACL protocols
Specify the protocol that the ACL matches. Options are:
 
ip - IP protocol traffic
 
http - HTTP protocol traffic. Requires that you specify an HTTP or HTTPS URL in the ACL definition
 
udp - UDP traffic only
 
tcp - TCP traffic only
The examples that follow show how to specify the address pair for each protocol.
Understanding F5 ACL addresses
In the F5 ACL format, the address pair is the last item in the ACL definition (for the http protocol, a URL follows it). The two addresses are separated by a space: the access policy matches the first address against the source host (the client) and the second address against the destination. Addresses can be:
 
any[/mask][:port] - matches any host or IP address, with an optional prefix-length mask or port. For example,
{ allow tcp any 1.2.3.4 }
allows TCP traffic between any host and the destination IP address 1.2.3.4.
{ allow tcp any/8 1.2.3.4 }
allows TCP traffic between any host within the subnet 255.0.0.0 and the destination IP address 1.2.3.4.
{ allow tcp any/8:8000 1.2.3.4 }
allows TCP traffic between any host within the subnet 255.0.0.0 on port 8000 and the destination IP address 1.2.3.4.
 
IP address[/mask][:port] - matches a specific IP address, with an optional prefix-length mask or port. For example,
{ allow tcp 1.1.1.1 1.2.3.4 }
allows TCP traffic between the host IP address 1.1.1.1 and the destination IP address 1.2.3.4.
{ allow tcp 1.1.1.0/16 1.2.3.4 }
allows TCP traffic between host IP addresses in 1.1.1.0/16 (the network 1.1.0.0 with the subnet mask 255.255.0.0) and the destination IP address 1.2.3.4.
{ allow tcp 1.1.1.1:22 1.2.3.4 }
allows TCP traffic between the host IP address 1.1.1.1 on port 22 and the destination IP address 1.2.3.4.
Specifying an F5 ACL with the IP protocol
The following example shows how to specify an IP protocol entry in F5 ACL format. The context word ip is followed by an optional IP protocol number and then the address pair. In the example, protocol number 51 (AH) is allowed between any host and the destination 1.2.3.4.
{ allow ip 51 any 1.2.3.4 }
Specifying an F5 ACL with the TCP or UDP protocol
The following examples show how to specify a TCP or UDP protocol address in F5 ACL format. The context word tcp or udp is followed with an address pair specification.
{ allow tcp any 1.2.3.4 }
{ allow udp any 1.2.3.4 }
Specifying an F5 ACL with the HTTP protocol
The following examples show how to specify an HTTP protocol address in F5 ACL format. The context word http is followed with a host address, a destination address, and a URL. The URL specification supports wildcards with glob matching.
{ allow http any 1.2.3.4 https://www.siterequest.com }
{ allow http any 1.2.3.0/24 http://*.siterequest.com/* }
{ allow http any 1.2.3.0/24 http://*.siterequest.???/* }
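The following is an added example, not code from F5 or from this chapter: a small Python parser for the F5 ACL entries shown above, plus an evaluator that applies the ordering rules from Using access control lists and the static ACL examples (ACLs are tested in priority order, entries in order, the first matching entry decides, continue hands evaluation to the next ACL, and a session with no matching entry is allowed). The 192.168.112.0/24 addresses, the ACL names and the flows are constructed for the demonstration; Python's fnmatch stands in for APM's glob matcher on URLs, and the any/8 form is treated as 0.0.0.0/8.

```python
"""F5 ACL format parser and first-match evaluator (added example, not F5 code)."""
import fnmatch
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACTIONS = {"allow", "reject", "discard", "continue"}
LOG_OPTIONS = {"log", "log-packet", "log-verbose", "log-summary", "log-config"}
IP_PROTO_NUMBER = {"tcp": 6, "udp": 17}          # IANA protocol numbers

def _require(cond: bool, msg: str) -> None:
    if not cond:
        raise ValueError(msg)

@dataclass
class Endpoint:
    net: ipaddress.IPv4Network                   # "any" is stored as 0.0.0.0/0
    port: Optional[int]                          # None matches any port

    def matches(self, ip: str, port: int) -> bool:
        return ipaddress.ip_address(ip) in self.net and self.port in (None, port)

def parse_endpoint(token: str) -> Endpoint:
    """any[/mask][:port] or A.B.C.D[/mask][:port], where mask is a prefix length."""
    m = re.fullmatch(r"(any|\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?(?::(\d{1,5}))?", token)
    _require(m is not None, f"bad address token {token!r}")
    host, mask, port = m.groups()
    if host == "any":
        host, mask = "0.0.0.0", mask or "0"
    net = ipaddress.ip_network(f"{host}/{mask or 32}", strict=False)
    return Endpoint(net, int(port) if port else None)

@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ip_proto: int = 6                            # 6 = TCP, 17 = UDP, anything else = raw IP
    url: Optional[str] = None                    # present only for HTTP requests (Layer 7)

@dataclass
class Entry:
    action: str
    logging: List[str]
    proto: str                                   # ip | tcp | udp | http
    ip_proto: Optional[int]                      # numeric protocol for "ip" entries, e.g. 51 (AH)
    src: Endpoint
    dst: Endpoint
    url: Optional[str]                           # glob pattern, "http" entries only
    text: str

    def matches(self, f: Flow) -> bool:
        if self.proto in IP_PROTO_NUMBER and f.ip_proto != IP_PROTO_NUMBER[self.proto]:
            return False
        if self.proto == "ip" and self.ip_proto not in (None, f.ip_proto):
            return False
        # A Layer 7 entry can only match traffic whose request URL APM can see.
        if self.proto == "http" and (f.url is None or not fnmatch.fnmatchcase(f.url, self.url)):
            return False
        return self.src.matches(f.src_ip, f.src_port) and self.dst.matches(f.dst_ip, f.dst_port)

def parse_entry(text: str) -> Entry:
    """Parse one '{ action [logging_options] context }' entry."""
    body = text.strip()
    _require(body.startswith("{") and body.endswith("}"), f"entry must be enclosed in braces: {text!r}")
    toks = body[1:-1].split()
    _require(bool(toks) and toks[0] in ACTIONS, f"unknown action in {text!r}")
    action, logging = toks.pop(0), []
    while toks and toks[0] in LOG_OPTIONS:
        logging.append(toks.pop(0))
    _require(bool(toks) and toks[0] in ("ip", "tcp", "udp", "http"), f"unknown protocol in {text!r}")
    proto = toks.pop(0)
    ip_proto = int(toks.pop(0)) if proto == "ip" and toks and toks[0].isdigit() else None
    _require(len(toks) >= 2, f"missing address pair in {text!r}")
    src, dst = parse_endpoint(toks.pop(0)), parse_endpoint(toks.pop(0))
    url = toks.pop(0) if proto == "http" and toks else None
    _require(proto != "http" or url is not None, f"http entry needs a URL: {text!r}")
    _require(not toks, f"unexpected trailing tokens {toks} in {text!r}")
    return Entry(action, logging, proto, ip_proto, src, dst, url, body)

def evaluate(acls: List[Tuple[str, List[Entry]]], flow: Flow) -> Tuple[str, str]:
    """ACLs in priority order, entries in order; first match decides, 'continue' moves to the next ACL."""
    for name, entries in acls:
        for e in entries:
            if e.matches(flow):
                if e.action == "continue":
                    break
                return e.action, f"{name}: {e.text}"
    return "allow", "no entry matched: APM allows by default"

def build_demo_acls(close_with_reject: bool) -> List[Tuple[str, List[Entry]]]:
    """Constructed sample ACLs reusing the chapter's 192.168.112.0/24 example addresses."""
    admin = [parse_entry(t) for t in (
        "{ allow log-packet tcp any 192.168.112.9:22 }",         # SSH to one host
        "{ reject http any 192.168.112.0/24 http://*/*.exe }",   # no .exe over plain HTTP
        "{ continue tcp any 192.168.112.0/24 }",                 # hand other TCP to the next ACL
    )]
    web = [parse_entry("{ allow tcp any 192.168.112.30:443 }")]
    acls = [("admin", admin), ("web", web)]
    if close_with_reject:                                         # the "reject all at the end" pattern
        acls.append(("deny-all", [parse_entry("{ reject ip any any }")]))
    return acls
```

Calling build_demo_acls(False) reproduces the default-allow behaviour the chapter warns about: a UDP DNS request to 192.168.112.53 matches nothing and is allowed, whereas with the closing deny-all ACL it is rejected.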
Understanding the Cisco ACL format
You can use the Cisco ACL format to specify dynamic ACLs. Cisco format attributes are stored in a RADIUS server in Cisco AV-Pairs. In the access policy, you specify the Cisco option in the Dynamic ACL action, and the attribute session.radius.last.attr.vendor-specific.1.9.1 is configured automatically.
The ACL is specified at http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml.
You can also specify the prefix
ip:inacl#X=
where X is an integer number which is used as rule identifier.
The Cisco log and log-input keywords are mapped to the F5 log-packet option.
The following keywords are not currently supported: tos, established, time-range, dynamic, and precedence.
Specifying Cisco IP ACLs
For IP protocol, the following specification is supported.
{deny|permit} protocol source source-wildcard destination destination-wildcard [log|log-input]
For example
ip:inacl#10=permit ip any any log
Specifying Cisco TCP ACLs
For TCP protocol, the following specification is supported.
{deny|permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log|log-input]
For example
ip:inacl#10=permit tcp any host 10.168.12.100 log
Specifying Cisco UDP ACLs
For UDP protocol, the following specification is supported.
{deny|permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [log|log-input]
For example
deny udp any any log
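An added example (not F5 code) that translates the Cisco AV-Pair subset listed above into F5 ACL format, which is a convenient way to review what a RADIUS-supplied Cisco ACL will actually enforce before a user logs in. Assumptions made here: Cisco deny is rendered as the F5 reject action (the chapter does not say which drop action APM uses for deny), only the eq port operator is accepted because the F5 address syntax carries a single :port, port numbers must be numeric, and the unsupported keywords from the list above are refused rather than silently dropped.

```python
"""Cisco AV-Pair ACL subset to F5 ACL format (added example, not F5 code)."""
import ipaddress
import re
from typing import List, Optional, Tuple

UNSUPPORTED = {"tos", "established", "time-range", "dynamic", "precedence"}
VERB_TO_ACTION = {"permit": "allow", "deny": "reject"}   # deny -> reject is an assumption

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard mask (0 bits must match) to a prefix; non-contiguous masks are rejected."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):                                   # w must look like 0...01...1
        raise ValueError(f"non-contiguous wildcard mask {wildcard} is not representable")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def take_address(toks: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from the token list."""
    if not toks:
        raise ValueError("missing address")
    if toks[0] == "any":
        toks.pop(0)
        return ipaddress.ip_network("0.0.0.0/0")
    if toks[0] == "host":
        toks.pop(0)
        return ipaddress.ip_network(f"{toks.pop(0)}/32")
    if len(toks) < 2:
        raise ValueError("address needs a wildcard mask")
    return wildcard_to_network(toks.pop(0), toks.pop(0))

def take_port(toks: List[str]) -> Optional[int]:
    """Consume an optional '[operator port]'; only 'eq' maps onto F5's single ':port'."""
    if not toks or toks[0] not in ("eq", "gt", "lt", "neq", "range"):
        return None
    op = toks.pop(0)
    if op != "eq":
        raise ValueError(f"port operator {op!r} has no F5 ACL equivalent")
    port = toks.pop(0)
    if not port.isdigit():
        raise ValueError(f"port must be numeric, got {port!r}")
    return int(port)

def format_endpoint(net: ipaddress.IPv4Network, port: Optional[int]) -> str:
    if net.prefixlen == 0:
        text = "any"
    elif net.prefixlen == 32:
        text = str(net.network_address)
    else:
        text = str(net)
    return f"{text}:{port}" if port is not None else text

def cisco_to_f5(line: str) -> Tuple[Optional[int], str]:
    """Return (rule id or None, F5 ACL entry) for one Cisco AV-Pair line."""
    m = re.fullmatch(r"(?:ip:inacl#(\d+)=)?(.+)", line.strip())
    if not m:
        raise ValueError(f"empty rule {line!r}")
    rule_id = int(m.group(1)) if m.group(1) else None
    toks = m.group(2).split()
    bad = UNSUPPORTED.intersection(toks)
    if bad:
        raise ValueError(f"unsupported keyword(s) {sorted(bad)} in {line!r}")
    if not toks or toks[0] not in VERB_TO_ACTION:
        raise ValueError(f"expected permit/deny in {line!r}")
    action = VERB_TO_ACTION[toks.pop(0)]
    if not toks or toks[0] not in ("ip", "tcp", "udp"):
        raise ValueError(f"expected ip/tcp/udp in {line!r}")
    proto = toks.pop(0)
    src = take_address(toks)
    sport = take_port(toks) if proto != "ip" else None
    dst = take_address(toks)
    dport = take_port(toks) if proto != "ip" else None
    logging = ""
    if toks and toks[0] in ("log", "log-input"):
        toks.pop(0)
        logging = "log-packet "                     # both Cisco keywords map to F5 log-packet
    if toks:
        raise ValueError(f"unexpected trailing tokens {toks} in {line!r}")
    entry = f"{{ {action} {logging}{proto} {format_endpoint(src, sport)} {format_endpoint(dst, dport)} }}"
    return rule_id, entry

def convert_avpairs(lines: List[str]) -> List[str]:
    """Convert several AV-Pair lines, ordering them by their ip:inacl# rule id."""
    rules = [cisco_to_f5(line) for line in lines if line.strip()]
    rules.sort(key=lambda r: (r[0] is None, r[0] or 0))
    return [entry for _, entry in rules]
```

Feeding the three AV-Pair lines from this section through convert_avpairs() shows that the Cisco sequence number, not the order in which the RADIUS server returns the attributes, decides the F5 entry order; a rule using established or a port range is refused outright, so the operator sees the gap instead of a silently narrower ACL.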
Creating a dynamic ACL container
A dynamic ACL container provides an unconfigured ACL that you select in the Dynamic ACL action.
1.
On the Main tab of the navigation pane, expand Access Policy, and click ACLs.
The ACLs screen opens.
2.
Click Create.
The New ACL screen opens.
3.
In the Name field, type a name for the access control list.
4.
From the Type list, select Dynamic.
5.
In the Description field, you can add an optional description of the access control list.
6.
From the ACL Order list, you can optionally determine in what order to add the new ACL.
 
Select After to add the ACL after a specific ACL, that you can then select.
 
Select Specify to type the specific number of the ACL in the list.
 
Select Last to add the ACL at the last position in the list.
7.
From the Match Case for Paths list, select Yes to match case for paths, or No to ignore path case.
8.
Click the Create button.
The ACL Properties screen opens.
You need not configure the dynamic ACL container. Later, you select the dynamic ACL container in the Dynamic ACL action.
Adding a dynamic ACL to an access policy
You add a Dynamic ACL action to an access policy, then specify the source format (Custom for the F5 ACL format, or Cisco AV-Pair VSA), the AD, RADIUS, or LDAP attribute that carries the ACL, and the dynamic ACL container.
Note that you must add the Dynamic ACL action after the authentication or query action that populates the session variable containing the dynamic ACL specification. Placed before it, the action has nothing to extract, and a session with no ACL assigned is allowed by default.
To assign a dynamic access control list with the Dynamic ACL action
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
On the Assignment tab, select Dynamic ACL, and click Add Item.
The Dynamic ACL action popup screen opens.
5.
To add one or more ACLs, click the Add new entry button.
6.
To use an F5 ACL from an AD, RADIUS, or LDAP directory, select Custom. To use a Cisco AV-Pair ACL from a RADIUS directory, select Cisco AV-Pair VSA.
7.
In the Source field, type the attribute from which the Dynamic ACL action extracts ACLs.
If you are using Cisco AV-Pair VSA from a RADIUS server, the field is prepopulated with session.radius.last.attr.vendor-specific.1.9.1.
8.
From the ACL list, select the dynamic ACL container.
9.
From the Format list, select the format in which the ACL is specified.
10.
To add another ACL entry, click the Add new entry button and repeat the procedure.
11.
Click Save to save the action.
Using webtops
When a user is allowed access by an access policy, that user is typically assigned a webtop. A webtop is the successful end point for an access policy branch. A full webtop also provides a customizable screen for the user that includes webtop links, and all resources assigned to the access policy branch, except the ACLs. You can also assign a portal access or network access webtop for those specific connection types.
You assign a webtop to the user session in a resource assign action in the access policy. Make sure that you assign the correct webtop type.
 
You assign a network access webtop with a network access resources only.
 
You assign a portal access webtop with portal access resources only.
 
You assign a full webtop to include a network access resource, multiple portal access resources, multiple app tunnels, multiple remote desktop resources, and customizable webtop links.
Many settings for the webtop can be customized. To customize webtop settings, see the BIG-IP® Access Policy Manager® Customization Guide.
To create a webtop
1.
On the Main tab of the navigation pane, expand Access Policy, then click Webtops.
The Webtop List screen opens.
2.
Click Create.
The New Webtop screen opens.
3.
In the Name field, type the name for the webtop.
4.
From the Type list, select whether the webtop is a network access, portal access, or full webtop.
5.
If you selected a network access or full webtop, select whether to automatically minimize the webtop to the system tray, by selecting or clearing the Minimize To Tray check box.
When you select this setting for a network access webtop, the webtop automatically minimizes to the tray. With a full webtop, the webtop minimizes to the system tray only after the network access connection is started.
6.
If you selected a portal access webtop, in the Portal Access start URI field, type the URI for the web application.
7.
Click Finished to complete the configuration.
To assign a webtop
1.
On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2.
In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3.
On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
4.
On the Assignment tab, select Advanced Resource Assign, and click Add Item.
The Advanced Resource Assign action popup screen opens.
5.
Click Add new entry.
A new resource assign entry appears in the popup screen.
6.
Click Add/Delete.
The resource assign popup screen appears.
7.
To specify a webtop for the connection, click the Webtop tab, and select a webtop to assign.
8.
Click Update to return to the Advanced Resource Assign popup screen.
9.
Click Save to save the action.
Note: You can also assign a webtop using the Webtop and Webtop Links Assign action. See Assigning resources, for more information.
Using AD query with IPv6
When an AD server is configured with an IPv6 address in the Domain Controller setting, AD query does not work. However, AD query against an IPv6 domain controller has been tested with the following layered virtual server approach.
1.
In the AD server configuration, use the host name of the DC in the Domain Controller setting, as in this example:
 
apm aaa active-directory /Common/AD-IPv6 {
    admin-encrypted-password ".(.5(lEhJfN\\<^FaLGC0Bt8CG0KMfR\\9;coEKdIm=5@32II"
    admin-name Administrator
    domain enterprise.lab.fp.mynet.com
    domain-controller win2008.enterprise.lab.fp.mynet.com
}
Note: In the previous example, the host name is win2008.enterprise.lab.fp.mynet.com. The example binds as Administrator; in production, use a dedicated service account that has only the directory read permissions AD query needs.
2.
Update the system's global settings to include a remote host entry for the DC host name that was used in step 1, and map it to an IPv4 address, as shown in this example. Choose an IPv4 address that is not otherwise in use, because the layered virtual servers in steps 4 and 5 listen on it.
 
sys global-settings {
    gui-setup disabled
    hostname bigip2mgmt.lab.fp.mynet.com
    mgmt-dhcp disabled
    remote-host {
        /Common/abc {
            addr 172.31.54.99
            hostname win2008.enterprise.lab.fp.mynet.com
        }
    }
}
3.
Create a pool with the DC IPv6 address as a member as shown in this example.
 
ltm pool /Common/AD-IPv6-Pool {
    members {
        /Common/fd00:ffff:ffff:fff1:912e:cdfe:c884:2607.any {
            address fd00:ffff:ffff:fff1:912e:cdfe:c884:2607
        }
    }
}
4.
Create a layered wildcard TCP virtual server as follows:
 
Destination IP: The IPv4 address that was used in step 2, that is, 172.31.54.99
 
Service Port: 0 (All ports)
 
SNAT Pool: Auto Map
 
Default Pool (in Resources): Pool created in step 3, that is, /Common/AD-IPv6-Pool
See this example.
 
ltm virtual /Common/bigip2.lab.fp.mynet.com-tcp {
    destination /Common/172.31.54.99:any
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/AD-IPv6-Pool
    profiles {
        /Common/tcp { }
    }
    snat automap
    translate-port disabled
    vlans-disabled
}
5.
Create another layered virtual as in step 4, but for UDP traffic. (Set the protocol setting in the Virtual server configuration to UDP). See this example.
 
ltm virtual /Common/bigip2.lab.fp.mynet.com-udp {
    destination /Common/172.31.54.99:any
    ip-protocol udp
    mask 255.255.255.255
    pool /Common/AD-IPv6-Pool
    profiles {
        /Common/udp { }
    }
    snat automap
    translate-port disabled
    vlans-disabled
}
With the above configuration settings, AD query should work with an IPv6 back-end DC.
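A pre-flight check for the procedure above, added here as an example and not part of the chapter or of F5's tooling: it parses tmsh list-style stanzas such as the ones shown and confirms that the domain-controller host name, the remote-host entry, the two wildcard layered virtual servers, their SNAT automap setting and the IPv6 pool member reference each other the way steps 1 through 5 require. The configuration inside it is a constructed, trimmed copy of the chapter's example, and the admin-name svc-apm-adquery is a placeholder for a least-privilege service account.

```python
"""Consistency check for the layered-virtual-server IPv6 DC workaround (added example, not F5 code)."""
import ipaddress
from typing import Dict, List

def parse_tmsh(text: str) -> Dict:
    """Parse brace-structured tmsh 'list' output into nested dicts; leaf values are strings or True."""
    root: Dict = {}
    cur, stack = root, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{ }"):                     # empty block, e.g. '/Common/tcp { }'
            cur[line[:-3].strip()] = {}
        elif line.endswith("{"):
            child: Dict = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        else:
            key, _, value = line.partition(" ")
            cur[key] = value.strip().strip('"') if value else True
    return root

def _ip_version(value) -> int:
    """4 or 6 for an IP literal, 0 for anything else (a host name, None)."""
    try:
        return ipaddress.ip_address(str(value)).version
    except ValueError:
        return 0

def check_ipv6_dc_workaround(cfg: Dict) -> List[str]:
    """Return the problems found; an empty list means each step references the previous one."""
    findings: List[str] = []
    remote_hosts = cfg.get("sys global-settings", {}).get("remote-host", {})
    pools = {k.split()[-1]: v for k, v in cfg.items() if k.startswith("ltm pool ")}
    virtuals = [v for k, v in cfg.items() if k.startswith("ltm virtual ")]
    for name, aaa in cfg.items():
        if not name.startswith("apm aaa active-directory "):
            continue
        dc = aaa.get("domain-controller")
        if not isinstance(dc, str) or _ip_version(dc):          # step 1: host name, not an address
            findings.append(f"{name}: domain-controller must be the DC host name")
            continue
        addr = next((rh.get("addr") for rh in remote_hosts.values() if rh.get("hostname") == dc), None)
        if _ip_version(addr) != 4:                               # step 2: name maps to an IPv4 address
            findings.append(f"{name}: no remote-host entry maps {dc} to an IPv4 address")
            continue
        for proto in ("tcp", "udp"):                             # steps 4 and 5: one wildcard virtual each
            match = [v for v in virtuals
                     if v.get("destination") == f"/Common/{addr}:any" and v.get("ip-protocol") == proto]
            if not match:
                findings.append(f"no {proto} wildcard virtual server on {addr}:any")
                continue
            vs = match[0]
            if vs.get("snat") != "automap":
                findings.append(f"{proto} virtual server on {addr} must use SNAT automap")
            members = pools.get(vs.get("pool"), {}).get("members", {})   # step 3: IPv6 DC as member
            if not any(_ip_version(m.get("address")) == 6 for m in members.values()):
                findings.append(f"{proto} virtual server on {addr} has no pool member with an IPv6 DC address")
    return findings

# Constructed sample: a trimmed copy of the chapter's configuration.
SAMPLE_CONFIG = """
apm aaa active-directory /Common/AD-IPv6 {
    admin-name svc-apm-adquery
    domain-controller win2008.enterprise.lab.fp.mynet.com
}
sys global-settings {
    remote-host {
        /Common/abc {
            addr 172.31.54.99
            hostname win2008.enterprise.lab.fp.mynet.com
        }
    }
}
ltm pool /Common/AD-IPv6-Pool {
    members {
        /Common/fd00:ffff:ffff:fff1:912e:cdfe:c884:2607.any {
            address fd00:ffff:ffff:fff1:912e:cdfe:c884:2607
        }
    }
}
ltm virtual /Common/bigip2.lab.fp.mynet.com-tcp {
    destination /Common/172.31.54.99:any
    ip-protocol tcp
    pool /Common/AD-IPv6-Pool
    snat automap
}
ltm virtual /Common/bigip2.lab.fp.mynet.com-udp {
    destination /Common/172.31.54.99:any
    ip-protocol udp
    pool /Common/AD-IPv6-Pool
    snat automap
}
"""
```

Run check_ipv6_dc_workaround(parse_tmsh(text)) on the output of tmsh list for the four objects; each finding names the step whose reference is broken, for instance an IPv6 literal left in domain-controller, a missing UDP virtual server, or a virtual server without SNAT automap.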