Applies To:

Show Versions Show Versions

Manual Chapter: Introducing BIG-IP Access Policy Manager
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

The BIG-IP® system is a port-based, multilayer switch that supports virtual local area network (VLAN) technology. Because hosts within a VLAN can communicate at the data-link layer (Layer 2), a BIG-IP system reduces the need for routers and IP routing on the network. This in turn reduces equipment costs and boosts overall network performance. At the same time, the BIG-IP systems multilayer capabilities enable the system to process traffic at other OSI layers. The BIG-IP system can perform IP routing at Layer 3, as well as manage TCP, UDP, and other application traffic at Layers 4 through 7. The following modules provide comprehensive traffic management and security for many traffic types. The modules are fully integrated to provide efficient solutions to meet any network, traffic management, and security needs.
BIG-IP® Local Traffic Manager includes features that help make the most of network resources. Using the powerful Configuration utility, you can customize the way that the BIG-IP system processes specific types of protocol and application traffic. By using features such as virtual servers, pools, and profiles, you ensure that traffic passing through the BIG-IP system is processed quickly and efficiently, while meeting all of your security needs. For more information, see the Configuration Guide for BIG-IP® Local Traffic Manager.
The F5 Networks® BIG-IP® Access Policy Manager is a software component of the BIG-IP hardware platform that provides your users with secured connections to Local Traffic Manager virtual servers, specific web applications, or the entire corporate network. By leveraging standard web browsers and security technology, the Access Policy Manager enables your corporation or organization to provide users access to various internal resources easily and cost-effectively, with no special software or configuration on the users system.
Standard Web browser support
Access Policy Managers can be used with most standard browsers supporting secure HTTP (also known as HTTPS). These include Internet Explorer®, Safari, and Firefox®.
Privacy
The Access Policy Manager supports common encryption technologies, including RC4, Triple DES, and AES. It uses standard SSL encryption from the client browser to the Access Policy Manager.
Authentication
The Access Policy Manager can perform authentication, authorization, and accounting (AAA), using standard AAA methods, including LDAP directories, Microsoft® Active Directory® and Microsoft Windows® Domain servers, RADIUS servers, and HTTP authentication. The Access Policy Manager supports native RSA SecurID authentication. In addition, the controller can use signed client digital certificates to authenticate devices.
Client-side checks
The Access Policy Manager provides a broad set of client-side checks such as client integrity checking, browser cache cleaner, secure virtual keyboard, and support for a large number of antivirus and firewall packages.
Visual policy editor
To facilitate access policy definition, the Access Policy Manager provides a built-in policy editor that is graphically based, which eases management and supports a visual audit of security access policies.
Administration
The Access Policy Manager provides a web-based Configuration utility. The Configuration utility includes tools for managing the Access Policy Manager, configuring secure access, creating and assigning resources, certificate generation and installation, and customization of the remote client user interface.
Web application access management
With Access Policy Manager, you can configure authentication and access control for a web application behind a local traffic virtual server. Using web application access management, you create an access policy for a new or existing local traffic virtual server to provide authentication, access control, and endpoint security for the web application.
Network access
With Access Policy Manager, you can configure a network access VPN connection for remote access. Using network access, you create an access policy and local traffic virtual server so end users can establish a full VPN connection to internal network resources.
Web application access
With the Access Policy Manager you can configure a remote access connection to one or more internal web applications. Using web applications, you create an access policy and local traffic virtual server so end users can access internal web applications through a single external virtual server. Use this if you need to provide secure extranet access to internal web applications without creating a full VPN connection.
Audit trail
The Access Policy Manager provides audit tools including full-session audit trails, drill-down session queries, and customizable reports and queries.
High availability
You can configure Access Policy Managers to fail over to standby controllers, ensuring availability for users.
Scalability
Access Policy Manager integrates with BIG-IP system to support large-scale, high-performance deployments, providing universal, secure access for remote, wireless, and internal network users.
BIG-IP system module
The Access Policy Manager runs as a module of the BIG-IP system. This integration provides a uniform framework that enables users to leverage access policy features with other BIG-IP modules, such as Web Accelerator, and Application Security Manager.
Client support
The Access Policy Manager includes web client support for many different systems, including Macintosh® and Linux®.
BIG-IP Edge Client
Access Policy Manager is compatible with the BIG-IP Edge Client, a standalone secure client with robust connection features.
You use each type of access for a different system scenario. Access Policy Manager provides a set of objects that you can define to provide access to your users through different access methods. You configure Access Policy Manager connections differently for each access type. On the next page, Figure 1.1 shows the configuration of an Access Policy Manager access type. Each access type has common elements and differences. The following table lists the configuration elements that you use to configure each access policy type.
Table 1.1 Configuration elements for Access Policy Manager access types
Created specifically for web applications connection
Can use existing local traffic manager virtual server, or create a specific one with the wizard
Access profile and access policy
Client checks
Yes, optional
Figure 1.1 shows the configuration flow for the three types of access on Access Policy Manager.
A client system can only connect using one of these configuration types at a time. However, you can configure multiple access types, and Access Policy Manager can dynamically determine the access type to provide during the access policy process, after the session starts.
Network access provides a full encrypted VPN tunnel from the client system to back end servers. Network access virtually puts the client machine inside the company network, so that clients perform operations exactly as if they sat within the corporate LAN. The administrator can configure access control lists that restrict access over the tunnel. Network access can provide connections that are always available to supported clients. Typically, you use full network access as the deployment method for client computers that are from well-known or trusted sources, such as company-provided laptops.
This basic network access configuration assigns a webtop and a connection to network access clients, and uses access control lists (ACLs) to control the resources and protocols a user can work with. This network access connection specifies no authentication.
a virtual server that specifies particular network access settings, including the connectivity profile and access profile
The access policy for this scenario is very simple, and contains only one item: a resource assign action that assigns the network access resource, the network access webtop, and any ACLs. The access policy is shown in Figure 1.3. An example resource assign action for this policy is shown in Figure 1.4.
Web applications connections configure a remote access connection to one or more internal web applications. With this access type, users can access internal web applications through a single external virtual server. The web applications access type provides secure interaction with proprietary and standard web applications, using link rewriting technology. Typically, you use Web applications on less trusted devices, or when full network access is not supported on a particular type of device. Use this if you need to provide secure extranet access to internal web applications without creating a full VPN connection..
This basic web applications configuration assigns a webtop and web applications resource for use by a remote access user. This web applications configuration specifies no authentication.
a virtual server that specifies particular web applications settings, including the rewrite profile and the access profile
The access policy for this scenario is very simple, and contains only one item: a resource assign action that assigns the web applications resource and the web applications webtop. This access policy, as it appears in the visual policy editor, is shown in the Figure 1.6. An example resource assign action for this policy is shown in Figure 1.7.
Web application access management provides client-side security, authentication services, and access control to Local Traffic Manager virtual servers that load balance web applications. Typically, you use web application access management to secure access to applications from a client system that is within a corporate environment.
This basic web application access management configuration provides access control to a local traffic virtual server, and specifies client-specific ACLs. This web application access management access policy specifies no authentication.
In this access scenario, you define the following objects:
The access policy for this scenario contains a start point, a resource assign action, and an allow ending. You assign one or more ACLs to the access policy with the resource assign action, and by doing so you control access to the local traffic management virtual server. For a web application access management connection, no network access or web applications resource is assigned, and no webtop is assigned. This access policy appears in the visual policy editor as shown in Figure 1.9. An example resource assign action for this policy, with only an ACL assigned, is shown in Figure 1.10.
Using access profiles and policies
Access policies are configured visually in the visual policy editor. In the visual policy editor, all access policies start with a start point, and every access policy has at least one rule branch. All access policies have one or more endings. A successful ending is an allow ending, and an unsuccessful ending is a deny ending. Between the start and the end point are access policy items, which define the behavior of the access policy. The access policy is similar to a flow chart, where you read flow of a user policy from left to right.
The simplest successful web application access management access policy has a start point, one or more ACLs, and an allow ending. This scenario, described in the section Understanding a basic web application access management scenario, provides access control features for a local traffic virtual server.
The simplest network access or web applications access policy includes a start point and an allow ending, and includes a resource assign action that assigns a network access or web applications resource and a webtop. When a user connects with this access policy, the user is assigned a network access or web applications resource and a webtop by the resource assign action. The user then goes to an allow policy ending, and network access or web applications access is assigned to the user. Two such scenarios are described in the previous sections, Understanding a basic network access scenario, and Understanding a basic web applications access scenario.
However, you typically check for client integrity, and require authentication to access resources, so a more typical access policy is shown in Figure 1.11. This access policy contains one or more client-side checks, such as antivirus, firewall, or operating system checks, a logon page and authentication action, and a resource assignment action, followed by at least one allow ending, and deny endings for non-successful rule branches. The resource assignment action is used to assign either network access or web applications resources and respective webtops, and any ACLs that apply to the connection. For a web application access management connection, you can assign ACLs with the resource assignment action, but you do not assign a webtop or network access or web application resources.
The basic access policy in Figure 1.11 includes actions that have successful and fallback rule branches (Antivirus Check, Firewall Check, Active Directory authentication), and actions that have single rule branches (Logon Page and Resource Assign).
You select an access profile in a virtual server definition, and the access policy associated with that access profile starts when a client connects to the virtual server. Access Policy Manager creates a blank access policy for every access profile. You can configure the access policy to dynamically assign objects to the user when the session starts, to determine the resources a user connects to, and to perform authentication and check client integrity. You can add logic and functionality to the access policy using configurable access policy items, and configure branches that change the flow of the policy. You can specify a web application or network access resource and webtop for the user as well.
You can add authentication to an access policy using AAA servers (Authentication, Authorization, and Accounting) or client certificates.
Typically, you add two access policy items to add server authentication: a logon page action, and a AAA server action. Add the logon page action before the AAA server action. The logon page action presents a user with a logon page with customizable fields and text. The user enters credentials (for example, a logon name and password), and these credentials are then passed to the AAA server selected in the AAA server action. If a user is successfully authenticated, that user continues on the successful branch. A user who is not successfully authenticated continues on the fallback branch.
Figure 1.12 shows an access policy for web application access management that includes authentication. This access policy includes only two items: a logon page action, and an Active Directory authentication action. This policy requires a user to authenticate successfully to Active Directory to connect to a local traffic virtual server, which is load-balancing applications.
You can add authentication to any access policy or any branch in an access policy. You can even add multiple authentication types, so, for example, a user who fails Active Directory authentication might then attempt RADIUS authentication. You can configure multiple types of authentication, for example, requiring users to authenticate with a certificate and with a AAA server. For more information on authentication methods and scenarios, see Chapter 11, Configuring Authentication Using AAA Servers, and Chapter 12, Introducing On-Demand Certificate Authentication.
The Configuration utility is the browser-based graphical user interface for the BIG-IP system. In the Configuration utility, the navigation pane main tab provides access to the access policy configuration objects, as well as the network, system, and local traffic configuration objects. The Help tab contains context-sensitive online help for each screen.
Figure 1.13 shows the Access Policy section of the navigation pane expanded.
The identification and messages area
The identification and messages area of the Configuration utility is the screen region that is above the navigation pane, the menu bar, and the body. In this area, you find the system identification, including the host name, and management IP address. This area is also where certain system messages display, for example Apply Access Policy, which appears when you need to activate an access policy.
The navigation pane
The navigation pane, on the left side of the screen, contains the Main tab, the Help tab, and, the About tab. The Main tab provides links to the major configuration objects. The Help tab provides context-sensitive help for each screen in the Configuration utility. The About tab provides a quick way to view commonly used configuration objects.
The menu bar
The menu bar, which is below the identification and messages area, and above the body, provides links to the additional configuration objects within each major object.
The body
The body is the screen area where the configuration settings display.
The Access Policy Manager is a multi-featured appliance whose interface allows configuration from any location. To initially set up the secure access connections for users, you can follow different choices in your approach. We recommend setting up a basic working policy, using the Access Policy Manager connection wizards. To set up connections with the wizards, review the section Using Access Policy Manager configuration wizards, following. You can follow the guidelines in Following the recommended configuration path section to set up Access Policy Manager, or you can elect to travel your own path, choosing from the options described in Possible configuration scenarios.
Using Access Policy Manager configuration wizards
With the Access Policy Manager wizards, you can quickly configure any of the three access types with a simple working configuration. After you configure a connection with the wizard, you can go back and edit the configuration to further customize the access policy.
To access Access Policy Manager wizards, in the navigation pane, expand Templates and Wizards, and click Device Wizards. The Device Wizards screen opens.
The following wizards are available.
Network Access Setup Wizard for Remote Access - Configures a working VPN connection. Typically, this allows users outside your network to connect to specified networks, and use their applications and network sites as if they are physically on the network.
Web Applications Setup Wizard for Remote Access - Configures access to specific web applications for remote users. Typically, this allows users outside the network to connect to specified web applications, such as Outlook Web Access or Sharepoint, without allowing full access to the entire network.
Web Application Access Management for Local Traffic Virtual Server - Configures access to a local traffic virtual server managing web applications. Typically, this allows you to control access to the applications managed by the local traffic virtual server, using the features provided in the access policy. As an example, you can configure AAA server authentication, endpoint security, and other system checks before you allow access to the local traffic virtual server. You can configure this access type for an existing local traffic virtual server, or you can configure the virtual server with the wizard.
Note: The system includes online help for every screen in the wizard. To view the online help, click the Help tab in the navigation pane.
Follow the steps and instructions in the wizard to configure and deploy a working network access connection. Note the following configuration items.
The Policy Name specifies the name of the access policy to be created, and is used as the naming prefix for other objects configured with the access policy. Later, when you look for items created with the wizard, they are named with this prefix. For example, if you specify the prefix mytest, the access policy name is mytest_ap, and the virtual server is named mytest_vs. This name must be unique, and not already in use on the system.
When you select the client side check option Enable Antivirus Check in Access Policy, the wizard adds a basic antivirus client-side check to the access policy. You can later refine this client-side check to verify a particular antivirus product, check the date of the virus database, and more. You can also add other client-side checks to the access policy. For more information, see Chapter 9, Configuring Client Side Checks and Client Side Actions.
You can configure authentication with the wizard, or select No Authentication to create an access policy without authentication. After you select an authentication type, you can view online help for the authentication configuration options by clicking the Help tab in the navigation pane.
Lease pools are a configuration requirement for network access connections. Each connection is assigned an IP address from the lease pool. You must configure a lease pool with as many IP addresses as connected users you expect to host.
Client settings can be configured for the connection with the wizard. We strongly recommend you read Chapter 2, Configuring Network Access, and use the online help, if you plan to use settings other than the default values.
DNS hosts for network access are required for your users to have functioning name resolution and Windows networking on your internal network. Specify a primary name server at a minimum. If you are using Microsoft networking features on your network, specify a primary WINS server.
Specify a host name for the virtual server. In most cases, you do not specify a network when creating this virtual server. Allow the redirect server to be created; this eliminates the simple connection issue that users encounter when they do not type https before the virtual server host name.
When you review the configuration, you can use the Previous and Next buttons to go back and edit the configuration before you click Finish. After you click Finish, the system creates and applies network access objects. You can still edit any item associated with the access profile from the Access Profile page (Access Policy : Access Profiles : name of access profile). You can edit the virtual server on the Virtual Server page (Local Traffic : Virtual Servers : name of virtual server).
Follow the steps and instructions in the wizard to configure and deploy a working web applications access policy. Note the following configuration items.
The Policy Name specifies the name of the access policy to be created, and is used as the naming prefix for other objects configured with the access policy. Later, when you look for items created with the wizard, they are named with this prefix. For example, if you specify the prefix mytest, the access policy name is mytest_ap, and the virtual server is named mytest_vs. This name must be unique, and not already in use on the system.
When you select the client side check option Enable Antivirus Check in Access Policy, the wizard adds a basic antivirus client-side check to the access policy. You can later refine this client-side check to verify a particular antivirus product, check the date of the virus database, and more. You can also add other client-side checks to the access policy. For more information, see Chapter 9, Configuring Client Side Checks and Client Side Actions.
You can configure authentication with the wizard, or select No Authentication to create an access policy without authentication. After you select an authentication type, you can view online help for the authentication configuration options by clicking the Help tab in the navigation pane.
Specify the internal web application start URI. This specifies the URI of the first page that a user sees after passing the access policy. For example, http://myintranet.siterequest.com or http://myintranet/start.html).
Specify a host name for the virtual server. In most cases, you do not specify a network when creating this virtual server. Allow the redirect server to be created; this eliminates the simple connection issue that users encounter when they do not type https before the virtual server host name.
When you review the configuration, you can use the Previous and Next buttons to go back and edit the configuration before you click Finish. After you click Finish, the system creates and applies web application objects. You can still edit any item associated with the access profile from the Access Profile page (Access Policy : Access Profiles : name of access profile). You can edit the virtual server on the Virtual Server page (Local Traffic : Virtual Servers : name of virtual server).
Follow the steps and instructions in the wizard to configure and deploy a working web application access management access policy. Note the following configuration items.
On the first screen of the wizard, you have the option to continue the wizard and either use an existing virtual server or create a new virtual server with basic settings. Alternatively, you can cancel the wizard and create a virtual server manually, then later restart the wizard and select that virtual server in the configuration.
The Policy Name specifies the name of the access policy to be created, and is used as the naming prefix for other objects configured with the access policy. Later, when you look for items created with the wizard, they are named with this prefix. For example, if you specify the prefix mytest, the access policy name is mytest_ap, and the virtual server is named mytest_vs. This name must be unique, and not already in use on the system.
When you select the client side check option Enable Antivirus Check in Access Policy, the wizard adds a basic antivirus client-side check to the access policy. You can later refine this client-side check to verify a particular antivirus product, check the date of the virus database, and more. You can also add other client-side checks to the access policy. For more information, see Chapter 9, Configuring Client Side Checks and Client Side Actions.
You can configure authentication with the wizard, or select No Authentication to create an access policy without authentication. After you select an authentication type, you can view online help for the authentication configuration options by clicking the Help tab in the navigation pane.
If you are creating a virtual server in the wizard, specify a host name for the virtual server. In most cases, you do not specify a network when creating this virtual server. Allow the redirect server to be created; this eliminates the simple connection issue that users encounter when they do not type https before the virtual server host name.
Specify a pool member IP address. This specifies the IP address for a new member of a default local traffic pool. When you create the virtual server, the wizard defines a new default pool with one member, defined by this IP address.
When you review the configuration, you can use the Previous and Next buttons to go back and edit the configuration before you click Finish. After you click Finish, the system creates and applies virtual server objects. You can still edit any item associated with the access profile from the Access Profile page (Access Policy : Access Profiles : name of access profile). You can edit the virtual server on the Virtual Server page (Local Traffic : Virtual Servers : name of virtual server).
If you are new to the Access Policy Manager, you can follow the path outlined in this section. This recommended path is designed to guide you through the most common operations, and includes references to other sections with related functionality.
Identify the authentication mechanism.
The Access Policy Manager supports external authentication. You can select from a number of authentication methods, depending on the security setup you employ. These include Active Directory, RADIUS, LDAP, and certificate-based security.
Configure network access resources with the applications and functionality you want to provide, or create web application resources for your users. For web application access management applications, you do not create web applications or network access resources or webtops.
For more information, you can review the content in Chapter 2, Configuring Network Access, Chapter 3, Configuring Web Applications, or Chapter 4, Configuring Web Application Access Management.
Create ACLs for users.
For more information, see Chapter 5, Configuring Resources.
Create an access profile and access policy that you can associate with your virtual server, to give your clients secure access.
For more information, see Chapter 7, Creating Access Profiles and Access Policies.
Test user connectivity.
This is a good place to stop and test to make sure that users can connect to the Access Policy Manager. To do so, open a new browser window and log on using a logon account that you know exists.
Create advanced access policies, for more complex secure access scenarios.
For more information, you can review the content in Chapter 16, Advanced Topics in Access Policies, and in the BIG-IP Module Interoperability Implementations Guide.
Read sample how-to scenarios.
For more information, see Appendix B, Access Policy Example.
To authenticate users from an authentication server
If you have an authentication mechanism in place and you want to use it to verify user identity, you can read more in Chapter 11, Configuring Authentication Using AAA Servers.
To gather information from client systems
If you want to specify requirements for client systems to determine authentication (whether to grant user access) and authorization (which resources to grant access to), you can read more in Chapter 9, Configuring Client Side Checks and Client Side Actions.
To configure the resources, applications, and functionality you want to provide
If you prefer to start with the resources, applications, and functionality that you want to provide to your users, you can read more in Chapter 5, Configuring Resources, Chapter 2, Configuring Network Access, and Chapter 3, Configuring Web Applications.
To learn about logging with the Access Policy Manager
If you want to get a head start on understanding the ongoing operations and logging functionality provided with the Access Policy Manager, review content in Chapter 17, Logging and Reporting.
To set up certificates on the server
If you are ready to set up and install server certificates for the Access Policy Manager, read more in Chapter 12, Introducing On-Demand Certificate Authentication.
To see access policy examples
If you want exposure to sample policies with step-by-step examples, see Appendix B, Access Policy Example, and Chapter 16, Advanced Topics in Access Policies.
The BIG-IP® Systems: Getting Started Guide describes how to initially set up, configure, and license your BIG-IP system. Before you set up the Access Policy Manager for the first time, we recommend that you read this guide in its entirety to become familiar with the product features, and the procedures for provisioning and licensing features.
Release notes
Release notes containing the latest information for the current version of the Access Policy Manager are available on the F5 Networks Technical Support web site, https://support.f5.com. This site includes release notes for current and previous versions of the Access Policy Manager.
Online help for Access Policy Manager features
You can find help online for all screens on the Configuration utility. To open the context-sensitive help in the Configuration utility, click the Help tab in the left navigation pane.
To get help on a screen in the visual policy editor, click the Help button.
F5 Networks Technical Support web site
The F5® Networks Technical Support web site, https://support.f5.com, provides the latest technical notes, answers to frequently asked questions, release notes and release note updates, and the AskF5SM Knowledge Base. You can also find all the guides in PDF format.
When you work with F5 Networks Technical Support, you might need to have the version number of the Access Policy Manager software that is running on your platform. You can find the software version number in the Configuration utility. Expand System in the navigation bar, then click Configuration. The Device General properties screen presents the host name, software version number, and other information. The following is an example of the Properties and Operations table.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)