Manual Chapter: Creating Access Profiles and Access Policies
In the BIG-IP® Access Policy Manager®, an access profile is the profile that you select in a virtual server definition to establish a secured connection to a resource. You can also configure an access profile to provide access control and security features to a local traffic virtual server hosting web applications.
On the Access Profile Properties screen, you use the Settings section to configure timeout and session settings. You must select the Custom check box to configure settings for this section.
Inactivity Timeout - Specifies the inactivity timeout for the connection, in minutes. If there is no activity between the client and server within the specified threshold time, the system closes the current session. By default, the threshold is 0, which disables the inactivity timeout for as long as a connection is established. If an inactivity timeout value is set, the inactivity timeout is reset whenever server traffic exceeds the specified threshold.
In addition, for web applications, you can customize the timing for the warning message to appear for the user prior to session timeout by using the Session Timeout Guard Time setting in the webtop customization settings. The user can click a link inside the message window to reset inactivity timeout.
Access Policy Timeout - This is designed to keep malicious users from creating a DoS attack on your Secure Access Manager. The timeout requires that a user who has followed through on a redirect reach the webtop before the timeout expires. The default value is 300 seconds.
Maximum Session Timeout - Specifies the maximum lifetime of one session, in minutes. The maximum lifetime is measured from the time a session is created to the time the session terminates. By default, it is set to 0, which means no limit. When you configure this setting, there is no way to extend the session lifetime; the user must log out and then log back in to the server when needed.
Max Concurrent Users - Specifies the number of sessions per access profile. The default value is 0, which represents unlimited sessions. Please note that this field is read-only for application editors. All other administrative roles can modify this field.
Max Sessions Per User - Specifies the number of sessions per user. The default value is 0, which represents unlimited sessions. Please note that this field is read-only for application editors. All other administrative roles can modify this field.
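The interaction of the five settings above is easier to reason about as code. The following is an added example, not code from the manual or from F5: it models the timeouts and session limits as the text describes them (0 disables a limit, activity resets only the inactivity clock, the maximum lifetime cannot be extended, and a redirected user must reach the webtop before the access policy timeout). The class and function names, and the seconds-based clock, are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class AccessProfileTimeouts:
    """Timeout and session limits from the Settings section of the access profile.
    Units follow the profile screen: minutes for the two session timeouts, seconds
    for the access policy timeout. A value of 0 means disabled / unlimited."""
    inactivity_timeout_min: int = 0
    access_policy_timeout_sec: int = 300
    max_session_timeout_min: int = 0
    max_concurrent_users: int = 0
    max_sessions_per_user: int = 0


@dataclass
class Session:
    """Per-session clock state in seconds (constructed for this example)."""
    created_at: float
    last_activity_at: float
    reached_webtop: bool = False   # True once the redirected user has reached the webtop


def touch(session: Session, now: float) -> None:
    """Record client/server traffic: this resets the inactivity clock only.
    The maximum session lifetime cannot be extended by activity."""
    session.last_activity_at = now


def session_state(profile: AccessProfileTimeouts, session: Session, now: float) -> str:
    """Return 'active', or the name of the timeout that has closed the session."""
    age = now - session.created_at
    # Maximum Session Timeout: absolute lifetime, counted from session creation.
    if profile.max_session_timeout_min > 0 and age >= profile.max_session_timeout_min * 60:
        return "max-session-timeout"
    # Access Policy Timeout: a redirected user must reach the webtop in time.
    if (not session.reached_webtop and profile.access_policy_timeout_sec > 0
            and age >= profile.access_policy_timeout_sec):
        return "access-policy-timeout"
    # Inactivity Timeout: counted from the last traffic, which touch() records.
    idle = now - session.last_activity_at
    if profile.inactivity_timeout_min > 0 and idle >= profile.inactivity_timeout_min * 60:
        return "inactivity-timeout"
    return "active"


def can_create_session(profile: AccessProfileTimeouts, active: Dict[str, int], user: str) -> bool:
    """Apply Max Concurrent Users (per access profile) and Max Sessions Per User.
    `active` maps user name -> number of live sessions in this access profile."""
    total = sum(active.values())
    if profile.max_concurrent_users > 0 and total >= profile.max_concurrent_users:
        return False
    if profile.max_sessions_per_user > 0 and active.get(user, 0) >= profile.max_sessions_per_user:
        return False
    return True


if __name__ == "__main__":
    profile = AccessProfileTimeouts(inactivity_timeout_min=15, max_session_timeout_min=60)
    s = Session(created_at=0, last_activity_at=0, reached_webtop=True)
    touch(s, 800)
    print(session_state(profile, s, 1500))   # active
    print(session_state(profile, s, 3600))   # max-session-timeout
```

The order of the checks matters: the absolute lifetime is tested first, so a session that is still receiving traffic is closed at the maximum lifetime regardless of how recently it was touched.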
On the Access Profile Properties screen, you use the Configurations section to set Single Sign-On, cookie behavior, and logout behavior, with the following settings:
SSO Configuration - To add an SSO configuration for Single Sign-On, select the configuration from the list.
Domain Cookie - Specifies a domain cookie to use with a web application access management connection. If you specify a domain cookie, then the line domain=specified_domain is added to the MRHsession cookie.
By default, the Secure Cookie option is enabled. This adds the secure keyword to the session cookie. If you are configuring a web application access management scenario with an HTTPS virtual server for authentication, and using an HTTP local traffic virtual server for applications, clear this check box.
Logout URI Include - Specifies a list of logoff URIs that the access profile looks for in order to terminate the access policy session. You use this feature with HTTP applications. In the URI box, type a logoff URI to add, then click the Add button. In the Logout URI Timeout box, type the number of seconds to delay before the session is terminated and the logout URI is followed.
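The Domain Cookie and Secure Cookie settings change the attributes of the session cookie, and the note about HTTP application virtual servers is a practical trap: a cookie carrying the secure keyword is never sent by a browser to a plain-HTTP server, so single sign-on to the application silently fails. The following added example (not code from the manual or from F5) composes the Set-Cookie header as the settings describe it, parses it back, and reports the two conditions worth checking. The cookie name MRHSession follows the page (which spells it MRHsession); the finding codes, the function names and the path attribute are assumptions for this example.

```python
from typing import Dict, List, Optional, Tuple


def build_session_cookie(value: str, domain: Optional[str] = None, secure: bool = True) -> str:
    """Compose the Set-Cookie header as the profile settings describe it: the
    Domain Cookie setting adds domain=<domain>, the Secure Cookie setting (on by
    default) adds the secure keyword. The value is whatever the caller supplies;
    the path attribute is an assumption for this example."""
    parts = [f"MRHSession={value}", "path=/"]
    if domain:
        parts.append(f"domain={domain}")
    if secure:
        parts.append("secure")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie header into (name, value, attributes). Attribute names
    are lower-cased; flag attributes such as secure map to None."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else None
    return name.strip(), value.strip(), attrs


def check_session_cookie(header: str, app_scheme: str) -> List[str]:
    """Return finding codes for a session cookie, given the scheme ('http' or
    'https') of the local traffic virtual server hosting the application that
    must receive the cookie."""
    _, _, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in attrs:
        findings.append("NOT_SECURE")        # browser will also send it over plain HTTP
    elif app_scheme.lower() == "http":
        findings.append("SECURE_OVER_HTTP")  # browser never sends it to the HTTP app: SSO breaks
    if "domain" in attrs:
        findings.append("DOMAIN_SCOPED")     # sent to the domain and all of its subdomains
    return findings


if __name__ == "__main__":
    # Constructed placeholder value, not a real session identifier.
    header = build_session_cookie("PLACEHOLDER_SESSION_ID", domain="example.com")
    print(header)
    print(check_session_cookie(header, "https"))   # ['DOMAIN_SCOPED']
    print(check_session_cookie(header, "http"))    # ['SECURE_OVER_HTTP', 'DOMAIN_SCOPED']
```

When the authentication virtual server is HTTPS and the application virtual server is HTTP, the page's advice to clear Secure Cookie trades cookie confidentiality for a working SSO; the check above makes that trade-off visible before users report login loops.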
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. Click Create.
The New Access Profile screen opens.
3. In the Name box, type a name for the access profile.
The Access Profile Properties screen appears.
4. To change settings for Inactivity Timeout, Access Policy Timeout, Maximum Session Timeout, and Max Concurrent Users, select the Custom check box, then type numbers for the settings you want to change.
5. To select a Single Sign On (SSO) configuration for the access policy, from the SSO Configuration list, select the SSO configuration.
6. (Optional) In the Domain Cookie box, type the domain cookie.
7. Select the Secure Cookie check box to add the secure keyword to the domain cookie.
If the access policy is configured for an HTTP virtual server, clear this check box.
9. Click Finished when the configuration is complete.
After you create or change an access policy, the link Apply Access Policy appears in yellow at the top left of the BIG-IP Configuration utility screen. You must click this link to activate the access policy for use in your configuration.
1. Click the Apply Access Policy link.
The Apply Access Policy screen appears, showing a list of access policies that have been changed.
2. Select the check boxes for one or more access policies to apply, and click the Apply Access Policy button.
By default, all access policies that are new or changed are selected.

After you apply the access policy, the Access Profiles list screen is displayed.
Typically, the client's web browser has language preferences configured, which list display languages in order of preference. Access Policy Manager detects this order, compares it with the languages configured in the access profile, and presents customized pages and messages in the user-specified language, if that language exists in the access profile. If the user-specified language does not exist in the access profile, the user sees pages in the access profile default language.
In the access profile, you can configure the list of accepted languages in which the Access Policy Manager provides messages and customized elements. You can also select a default language for the access profile. The default language is used to provide messages and customized elements to users whose browsers are not identified with a language that is on the list of accepted languages.
There are several other places in Access Policy Manager where you can customize settings for different languages. To configure these language settings, see the following tasks and pages:
Note: If you customize messages, you must customize the same messages separately for each accepted language. Otherwise, default messages will appear for any accepted language for which you have not customized messages. It is recommended that if you customize messages for a specific accepted language, you remove all other languages from the accepted language list.
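The language selection described above is an ordinary Accept-Language negotiation: walk the browser's preferences in q-value order, take the first one that is in the accepted list, otherwise fall back to the profile's default language. The following is an added example, not code from the manual or from F5. It is an assumption of this example that a bare primary tag in the accepted list (for example en) is treated as matching a regional variant from the browser (en-US); the page only says the language must "exist in the access profile".

```python
from typing import List


def parse_accept_language(header: str) -> List[str]:
    """Return the language tags of an Accept-Language header in preference order.
    Honors q-values (default 1.0); ties keep header order; q=0 entries are dropped
    and malformed q-values are treated as q=0."""
    ranked = []
    for position, part in enumerate(header.split(",")):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        q = 1.0
        for param in params.split(";"):
            key, _, val = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(val)
                except ValueError:
                    q = 0.0
        if q > 0:
            ranked.append((-q, position, tag.strip().lower()))
    ranked.sort()
    return [tag for _, _, tag in ranked]


def select_language(header: str, accepted: List[str], default: str) -> str:
    """Pick the first browser-preferred language that the access profile accepts,
    else the profile's default language. Comparison is case-insensitive. The
    primary-tag fallback (en matches en-US) is an assumption of this example."""
    accepted_lc = [a.lower() for a in accepted]
    for tag in parse_accept_language(header):
        if tag in accepted_lc:
            return accepted[accepted_lc.index(tag)]
        primary = tag.split("-")[0]
        if primary in accepted_lc:
            return accepted[accepted_lc.index(primary)]
    return default


if __name__ == "__main__":
    # Constructed header and accepted-language list for the demonstration.
    header = "de-DE,de;q=0.8,en;q=0.5"
    print(select_language(header, ["en", "fr", "de"], "en"))   # de
    print(select_language("ja,zh;q=0.9", ["en", "fr"], "en"))   # en
```

A browser that lists only languages outside the accepted list receives the default language, which is why the Note above recommends keeping the accepted list short when you customize messages for just one language.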
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen appears.
To add a language string to the list of accepted languages, in the Language Settings area, in the String box, type the string for the language, and click Add.
To edit a language string, from the Accepted Languages list, select the string and click Edit.
To delete a language string, from the Accepted Languages list, select the string and click Delete.
To set the default language, from the Default Language list, select the language.
4. Click Update to update the language settings.
In an access policy, you define the criteria for granting access to various servers, applications, and other resources on your network.
You create an access policy by creating an access profile, which automatically creates a blank access policy. Every access profile has an access policy associated with it. You configure that access policy through the access profile.
To view and edit the access policy associated with an access profile, you use the visual policy editor, a browser-based editor for access policies.
1. On the Main tab of the navigation pane, expand Access Policy and click Access Profiles.
The Access Profiles List screen opens.
2. In the Access Policy column, click Edit for the access policy you want to edit.
The visual policy editor opens in a new window or new tab, depending on your browser settings. You can right-click and select to open in a new tab or new window, if you want to choose the destination.
If this is a new access policy, an unconfigured policy appears.
You can also open an access policy from the Access Profiles List screen by clicking the access profile name, then clicking the Access Policy tab, then clicking the Edit link.
In the visual policy editor, policy branch rules follow each policy action. Typically, an action is followed by both a successful branch rule and a fallback branch rule. Some actions, like the Logon action, are followed by only one branch rule. Some actions are followed by multiple branch rules. In actions where there is only one result branch rule, that result is labeled Fallback. In actions where there is a failed result and a successful result, the visual policy editor labels the successful branch rule Successful and the failed branch rule Fallback. Some actions have multiple result branch rules, and no successful branch.
For example, the Client OS action in Figure 7.1 has multiple branch rules, and each branch rule is named for the operating system to which the branch rule corresponds, with a fallback branch for any client operating system that does not match a specific branch rule. This allows you to assign actions to any branch rule, and separate endings to any branch rule.
Note: An additional branch, Windows RT, not shown in Figure 7.1, is available when you have the appropriate Access Policy Manager® 10.2.4 hotfix installed. To determine hotfix requirements, refer to the BIG-IP APM Client Compatibility Matrix for APM 10.2.4 on the AskF5 web site at http://support.f5.com.
Click the plus sign on the branch rule where you want to add the action. When you place your cursor over the plus sign, it turns blue and appears between brackets [ ] to indicate that you can click it.
Assign resources. For more information, see Assigning resources.
Note that you must assign a resource group that contains a network access resource, or the access policy will not function.
1. On the Main tab of the navigation pane, expand Access Policy and select Access Profiles.
The Access Profiles List screen opens.
2. Click Edit in the Access Policy column of the access policy you want to edit.
The visual policy editor opens, displaying the access policy.
When you first open a new access policy in the visual policy editor, the configuration includes only a start point, a fallback branch rule, and a default ending.
1. On the Main tab of the navigation pane, expand Access Policy and click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a branch rule of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
6. Click Add Item to add the action to the access policy.
The action popup screen opens.
To configure the action, see the action description in Understanding available actions and categories.
Access policy endings are the end result of a branch rule in an access policy. With access policy endings, you can give users access to the network access connection, deny access to users, or redirect users to another URL.
Allow - Starts the SSL VPN session and loads the network access or web applications webtop for the user.
Deny - Disallows the SSL VPN session and shows the user a Logon Denied web page.
Redirect - Transfers the user to the URL specified in the ending configuration.
In the visual policy editor, you can create and delete access policy endings, change any ending in the access policy to another ending, customize endings, and set a default ending.
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. Near the top of the visual policy editor, click the Edit Endings button.
The Edit popup screen opens.
4. At the upper left, click the Add Ending button.
The new ending appears, highlighted in blue. See Figure 7.3.
5. In the Name box, type a name for the new ending.
Allow - Specifies that the user has access to the network access connection or web application, as defined in the access profile and access policy.
Redirect - Specifies a URL to which the access policy redirects the user. Type the redirect URL in the box provided.
Deny - Specifies that the user is not allowed access to the network access resource, and presents a Denied page. To customize the Denied page, see Customizing the Deny access policy ending.
7. To change the color of the ending for better visual clarity in your access policies, click the color square, select a color, and click Update.
8. Click Save.
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. Click an access policy ending.
The Select Ending popup screen opens.
5. Click Save.
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. Click the Edit Endings button.
The Endings popup screen opens.
The Deny access policy ending provides several customized messages that you can configure for the access policy. These include text messages for the logout screen. You can also configure these messages for different languages that you have defined for the access policy.
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the corresponding Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. Click the Edit Endings button.
The Endings popup screen opens.
4. On the Deny ending you want to customize, click the plus sign (+) next to Customization.
The popup screen displays additional setting options.
Thank You Message - Specifies a thank you message displayed for network access users after logout.
Specifies a more specific error message that follows the error title, which indicates that a problem may have occurred during access policy evaluation.
Specifies the text label for the hypertext link to start a new session, such as click here. This link immediately follows the New Session Text.
ACL Denied Page Reject Message - Specifies the text that appears when access to a page or site is denied due to an ACL restriction.
ACL Denied Page Return Link Message - Specifies the link text that the user can click to return to the previous page. This is displayed when a user reaches the ACL denied page.
6. Click Save.
To complete the configuration of any access policy, and make the access policy active on the server, click the Apply Access Policy link at the top of the screen.
When you configure access policies, you select actions from the five categories that the visual policy editor lists in the Add Item popup screen.
In addition, a sixth category, labeled Macrocalls, appears in the Add Item popup screen if you configure one or more macros in the access policy.
General purpose checks are used for general policy actions, like logon pages, and assignment of resources, variables, and VLANs. General purpose checks also include structural actions that can be used to further refine the flow of access policies.
Authentication actions are used to add authentication with an authentication server or with a client certificate. Microsoft® Active Directory® and LDAP authentication actions can also be used to perform queries of the Active Directory or LDAP databases.
Client-side checks are checks that occur on the client computer, which are performed by ActiveX or other browser plugins. See the macro description Using the Windows AV and FW macro template, for an example that uses client-side checks. See Figure 7.4, following, for an example of how these appear in the visual policy editor.
Client-side actions start a particular software state on the client. The Access Policy Manager uses information configured in the client-side actions to install software that configures the system. The systems are returned to their previous states after the secure access session ends.
Server-side checks occur on the Access Policy Manager server. The Access Policy Manager inspects the request headers from the client to determine UI mode and the Client operating system. A server-side check can also be used to determine whether a client has the ability to run client-side checks.
A macro is a group of reusable checks. Using the visual policy editor, you configure macros in the same way that you configure access policies. The difference is that you do not configure access policy endings, but instead you configure terminals for a macro.
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. Click the Add New Macro button.
The Add New Macro popup screen opens.
4. Select the macro template.
The macro templates are described in Using predefined macro templates.
5. In the Name box, type a name for the macro.
This is the name by which the macro appears in the Add Action popup screen.
6. Click Save.
8. To edit an action, click the action name.
Edits you make to the actions in a macro are applied to the actions in an access policy, after you add the macrocall to the access policy.
9.
1. In the visual policy editor, click the plus sign (+) next to the macro name to expand the macro for which you want to edit terminals.
2. Click Edit Terminals.
The Edit Terminals popup screen opens.
3.
5. To change the color of the ending for better visual clarity in your access policies, click the Dropper, select a color, and click Update.
6. If you want to set a default terminal, click the Set Default tab, and select the default terminal.
7.
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a branch rule of the access policy, click the plus sign (+) to add an action.
The Add Action popup screen opens.
4. If Macrocalls is not expanded, click the plus sign (+) next to Macrocalls.
5. Select a macro you defined previously and click Add Item.
The macrocall is added to the access policy. You can edit the macro items in the macro definition as required.
Click the (x) button at the right of the screen next to the macro name. You can delete a macro only if it is not in use.
You can use predefined macro templates to create macros that you can use in your policies. To use the predefined macro templates, refer to the following descriptions.
Tip: If you open these macro definitions to view them, you can better understand how the macros are configured. Each macro definition includes instructions on how to add and open the macro template.
You can use the empty macro template to add an unconfigured macro template that includes only a start point and an end point to the access policy. Use this as a starting point to configure a new macro for an access policy.
The AD auth and resources macro template is a preconfigured macro template that adds Active Directory authentication to your access policy.
In this macro template, you must configure both the Active Directory action and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.
1. In the visual policy editor, click the Add New Macro button.
The Macro Template popup screen opens.
2. Select the macro template AD Auth and resources.
3. Click Save.
The popup screen closes.
5. To edit an action, click the action name.
In the macro display, the action popup screen opens.
The AD auth query and resources macro template is a predefined macro template that adds an Active Directory query and Active Directory authentication to your access policy.
In this macro template, you must configure the Active Directory query and auth actions and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.
1. In the visual policy editor, click the Add New Macro button.
The Macro Template popup screen opens.
2. Select the macro template AD auth query and resources.
3. Click Save.
The popup screen closes.
5. To edit an action, click the action name.
The action popup screen opens.
The LDAP auth and resources macro template is a preconfigured macro template that adds LDAP authentication and resources to your access policy.
In this macro template, you must configure both the LDAP action and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.
1. In the visual policy editor, click the Add New Macro button.
The Macro Template popup screen opens.
2. Select the macro template LDAP auth and resources.
3. Click Save.
The popup screen closes.
5. To edit an action, click the action name.
The action popup screen opens.
The LDAP auth query and resources macro template is a preconfigured macro template that adds LDAP authentication and an LDAP query to your access policy.
In this macro template, you must configure the LDAP query action, the LDAP auth action, and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.
1. In the visual policy editor, click the Add New Macro button.
The Macro Template popup screen opens.
2. Select the macro template LDAP auth query and resources.
3. Click Save.
The popup screen closes.
5. To edit an action, click the action name.
The action popup screen opens.
The RADIUS and resources macro template is a preconfigured macro template that adds RADIUS authentication and resources to your access policy.
In this macro, you must configure both the RADIUS action and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.
1. In the visual policy editor, click the Add New Macro button.
The Macro Template popup screen opens.
2. Select the macro template RADIUS and resources.
3. Click Save.
The popup screen closes.
5. To edit an action, click the action name.
The action popup screen opens.
The SecurID and resources macro template is a preconfigured macro template that adds SecurID authentication to your access policy.
In this macro template, you must configure both the SecurID action and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.
1. In the visual policy editor, click the Add New Macro button.
The Macro Template popup screen opens.
2. Select the macro template SecurID and resources.
3. Click Save.
The popup screen closes.
5. To edit an action, click the action name.
In the macro display, the action popup screen opens.
The Windows AV and FW macro template adds UI Mode, Client OS, Windows information, antivirus, firewall, and logging actions to your access policy. This macro template includes the following elements:
A server-side UI mode action. This action checks whether the server identifies the client as using the full browser or a standalone client in legacy mode, or something else. In the default macro configuration, only the full browser mode is passed to a successful branch rule, and all other results go to failed branch rules.
A server-side Client OS action. This action checks for the presence of one of seven operating systems. If the operating system is Windows XP, the user is passed to a successful branch rule. All other operating systems go to failed branch rules.
A client-side Windows information action, that checks for the existence of Windows XP Service Pack 2 or Service Pack 3. The fallback branch for this action includes a logging action that logs any Windows Info failure.
A client-side antivirus check action. This action is in the default state, so it checks that any supported antivirus is enabled on the client system. You can configure this further to check for a specific supported antivirus solution, and for other antivirus parameters. The fallback branch for this action includes a logging action that logs any antivirus failure.
A client-side firewall check action. This action is in the default state, so it checks that any supported firewall is enabled on the client system. You can configure this further to check for a specific supported firewall solution and version. The fallback branch for this action includes a logging action that logs any firewall failure.
In this macro template, you must configure both the firewall check and antivirus check actions. You can optionally customize other actions to allow, for example, other operating systems, UI modes, service packs, or hotfixes.
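The branch-rule model described earlier (each action is followed by a Successful branch and a Fallback branch, or by one branch per result such as the operating-system branches of the Client OS action, and every path terminates in an Allow, Deny or Redirect ending) and the Windows AV and FW chain described just above can be modelled together. The following is an added example, not code from the manual or from F5: a small evaluator for a policy graph, plus a builder for the five-action chain of this macro template. The fact names (ui_mode, os, service_pack, antivirus_enabled, firewall_enabled), the function names and the use of the trace in place of the template's logging actions are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple, Union


@dataclass
class Ending:
    kind: str                   # "Allow", "Deny" or "Redirect", as in the visual policy editor
    url: Optional[str] = None   # target of a Redirect ending


@dataclass
class Action:
    name: str
    evaluate: Callable[[dict], str]             # client facts -> branch rule label
    branches: Dict[str, "Node"] = field(default_factory=dict)   # must include "Fallback"


Node = Union[Action, Ending]


def run_policy(start: Node, facts: dict) -> Tuple[Ending, List[Tuple[str, str]]]:
    """Walk the policy from the start node. Each action yields a label; if no branch
    rule carries that label, the Fallback branch is taken (every action has one).
    Returns the ending reached and the trace of (action, branch) pairs; the trace
    is where the template's logging actions on the fallback branches would record
    the failing check."""
    trace: List[Tuple[str, str]] = []
    node = start
    while isinstance(node, Action):
        label = node.evaluate(facts)
        if label not in node.branches:
            label = "Fallback"
        trace.append((node.name, label))
        node = node.branches[label]
    return node, trace


ALLOW = Ending("Allow")
DENY = Ending("Deny")


def windows_av_fw_macro(on_success: Node = ALLOW) -> Action:
    """Build the chain described for the Windows AV and FW macro template:
    UI Mode -> Client OS -> Windows Info -> Antivirus Check -> Firewall Check.
    Only the successful branch of each check continues; every other result goes
    to a Deny ending, as in the template's default configuration."""
    firewall = Action("Firewall Check",
                      lambda f: "Successful" if f.get("firewall_enabled") else "Fallback",
                      {"Successful": on_success, "Fallback": DENY})
    antivirus = Action("Antivirus Check",
                       lambda f: "Successful" if f.get("antivirus_enabled") else "Fallback",
                       {"Successful": firewall, "Fallback": DENY})
    windows_info = Action("Windows Info",
                          lambda f: "Successful" if f.get("service_pack") in (2, 3) else "Fallback",
                          {"Successful": antivirus, "Fallback": DENY})
    client_os = Action("Client OS",
                       lambda f: f.get("os", ""),   # branch rules are named for operating systems
                       {"Windows XP": windows_info, "Fallback": DENY})
    ui_mode = Action("UI Mode",
                     lambda f: "Successful" if f.get("ui_mode") == "full_browser" else "Fallback",
                     {"Successful": client_os, "Fallback": DENY})
    return ui_mode


if __name__ == "__main__":
    # Constructed client facts for the demonstration.
    healthy = {"ui_mode": "full_browser", "os": "Windows XP", "service_pack": 3,
               "antivirus_enabled": True, "firewall_enabled": True}
    ending, trace = run_policy(windows_av_fw_macro(), healthy)
    print(ending.kind, trace)                     # Allow [...]
    ending, trace = run_policy(windows_av_fw_macro(), dict(healthy, antivirus_enabled=False))
    print(ending.kind, trace[-1])                 # Deny ('Antivirus Check', 'Fallback')
```

Because the evaluator always has a Fallback branch to take, an unexpected result from any action (an operating system with no named branch, for instance) lands on a Deny ending rather than falling through; that is the fail-closed behaviour the visual policy editor's default ending gives you when you leave a fallback branch unconfigured.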
1. In the visual policy editor, click the Add New Macro button.
The Macro Template popup screen opens.
2. Select the macro template Windows AV and FW.
3. Click Save.
The popup screen closes.
5. To edit an action, click the action name.
The action popup screen opens.
The client classification and prelogon checks macro template adds a number of checks to your access policy, for the purpose of client classification and operating system identification. This macro template includes the following elements:
A client-side check capability action. This action checks whether the client can process JavaScript and either ActiveX or Netscape plugins. In the default macro configuration, only the full client-side check capability result is passed to a successful branch rule, and all other results go to failed branch rules.
A server-side Client OS action. This action checks for the presence of one of eight operating systems. In this macro, the action is customized to send Windows 2000 and later clients to one branch, and Mac and Linux clients to another branch. All other clients are sent to the fallback branch, which leads to a failure ending.
Two antivirus check actions, one for Windows, and one for Mac and Linux. The fallback branch for each antivirus action includes a logging action that logs any antivirus failure.
Five UI mode actions, one each on the successful and fallback branches of each antivirus check action. These actions check whether the client is using a full browser (or the BIG-IP® Edge Client®), a legacy standalone client, or something else. Each UI mode action performs a different function depending on the position in the access policy.
A protected workspace action. This puts a Windows client that successfully passes all checks into a protected workspace session.
Full NA - Specifies that the client has passed checks sufficient to allow full network access.
Web Application - Specifies that the client has passed checks sufficient to allow web applications access.
Limited NA - Specifies that the client has passed sufficient checks to have limited network access. This terminal is connected only to the standalone client branch that is connected to the fallback branch of the client-side check capability action. This branch applies to clients using legacy standalone clients.
Failure - Specifies that the client has not passed sufficient checks to make a connection.
1. In the visual policy editor, click the Add New Macro button.
The Macro Template popup screen opens.
2. Select the macro template Client Classification and Prelogon checks.
3. Click Save.
The popup screen closes.
5. To edit an action, click the action name.
The action popup screen opens.
You can back up any access profile, and later restore that access profile, or import it to another Access Policy Manager. Backup profiles are saved as files with the extension conf.
When you import a backup profile, you select a conf file. You also specify an Import Prefix. The import prefix is prepended to the access policy name when it is added to the configuration.
Important: The import prefix you specify must begin with a letter, and the import prefix name can include only letters, numbers, and the underscore ( _ ) character.
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. Locate the access profile you want to back up. In the Backup Profile column, click the Backup link.
You are prompted to open or save a conf file.
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. Click the Import button.
The Import Profile screen opens.
3. In the Import Prefix box, type the import prefix to prepend to the imported access policy name.
5. Select a conf file to import and click the Open button.
The file is imported to the system.