Manual Chapter: Configuring Resources

With BIG-IP® Access Policy Manager®, you use resources to provide secure connection functionality to users. With Access Policy Manager, you configure a resource to allow access to a web application or a network access connection, or you configure an access control list to allow or deny access for clients using network access, web applications, or web application access management access policies.
You use access control lists (ACLs), network access or web applications resources, and webtops to provide functionality to clients. For a web application access management policy, you can assign ACLs, but you cannot assign any other resources. You use ACLs to define allowed and disallowed networks, hosts, and protocols for users. With web applications access policies, you use webtops to provide a web page with useful links to users who connect. You assign ACLs and webtops dynamically in an access policy, using the resource assign action.
A network access resource represents a single secure connection that provides an on-network type of experience to an end user. You can define many network access resources on the Access Policy Manager, but each connection uses only one network access resource. To connect a user securely with a network access connection, you must assign a network access resource to an access policy and a network access webtop, using the resource assign action. A network access connection does not manipulate or analyze the content being passed between the client and the internal network.
A web application resource provides web browser access to one or more specific internal web applications. With web applications, the Access Policy Manager communicates with back-end servers, and rewrites the links in the response so that all the links in the response content specify the virtual server as the host. This method of access differs from a connection configured for network access, which provides a secured tunnel from the client to the internal network.
In this chapter you can learn how to use ACLs and webtops. To configure network access resources, see Chapter 2, Configuring Network Access. To configure web applications, see Chapter 3, Configuring Web Applications. To configure web application access management, see Chapter 4, Configuring Web Application Access Management.
You use access control lists, or ACLs, to restrict user access to specified host and port combinations.
For an ACL to have an effect on traffic, at least one access control entry must be configured. In an access control entry, the only item that is required is the action. When you configure an ACL with an entry with only an action defined, that action becomes the default access control action for all traffic to which the ACL is applied.
ACL entries can work on OSI Layer 4, the protocol layer, OSI Layer 7, the application layer, or both. When you first create an access control entry, you can select whether the entry is for Layer 4, Layer 7, or for both.
You can use a Layer 4 or Layer 7 ACL with network access, web applications, or web application access management connections, with the following configuration notes.
With network access, you can use a Layer 7 ACL that is configured to provide access control for port 80 HTTP connections. However, if you want to provide access control for anything that is not on port 80, you must create a second virtual server, configured with the IP address to which the ACL entry applies, and the default access profile, access.
For HTTPS network access connections, you can use Layer 7 ACL entries only if the virtual server has the private key of the backend server.
If you assign no ACLs to an access policy, the default behavior allows access. To restrict resources to only those you specify in an ACL, add an ACL entry configured to reject all connections at the end of the ACL entry list. The access policy will then reject any connection not matched by a previous entry.
The order you specify for ACLs and ACL entries determines their priority. Access Policy Manager tests ACLs and ACL entries in order, based on their priority in the respective list. Access Policy Manager tests only the ACLs assigned to the current session. You can reorder ACL entries and ACLs.
You assign ACLs dynamically in the access policy with the resource assign action, so ACLs apply only to clients who reach that action in the access policy. See To assign an access control list, for more information.
Note: ACLs are not enforced on network traffic initiated from the server. Use SNAT automap or SNAT pool options in the network access configuration if you do not want servers to be able to initiate a connection to any client.
1. On the Main tab of the navigation pane, expand Access Policy, and click ACLs.
The ACLs screen opens.
2. Click Create.
The New ACL screen opens.
3. In the Name box, type a name for the access control list.
4. In the Description box, you can add an optional description of the access control list.
5. From the Order list, you can optionally determine in what order to add the new ACL.
Select After to add the ACL after a specific ACL, which you then select.
Select Specify to type the position number at which to add the ACL in the list.
Select Last to add the ACL at the last position in the list.
6. Click the Create button.
The ACL Properties screen opens.
7. In the Access Control Entries area, click Add to add an entry to the access control list.
The New Access Control Entry screen appears.
8. From the Type list, select whether this is a Layer 4 (L4), Layer 7 (L7), or Layer 4 + Layer 7 (L4+L7) access control entry.
9. From the Action list, select the action for the access control entry.
If you are creating a default access control list, complete this step, then skip to the last step in this procedure.
Actions for the access control list entry are:
Allow - Permit the traffic.
Continue - Skip checking against the remaining ACL entries in this ACL, and continue evaluation at the next ACL.
Discard - Drop the packet silently.
Reject - Drop the packet and send a TCP RST message on TCP flows or proper ICMP messages on UDP flows. Silently drop the packet on other protocols.
Note: If HTTP traffic matches a Layer 4 ACL, a TCP RST message is sent. The ACL Deny page is sent when traffic is matched and denied on a Layer 7 ACL.
10. In the Source IP Address box, type the source IP address.
This specifies the IP address to which the access control list entry applies.
11. In the Source Mask box, type the network mask for the source IP address.
This specifies the network mask for the source IP address to which the access control list entry applies.
12. For the Source Port setting, select Port or Port Range.
This setting specifies whether the access control list entry applies to a single port or a range of ports.
13. In the Port box or the Start Port and End Port boxes, specify the port or port range to which the access control list entry applies.
To simplify this choice, you can select from the list of common applications, to the right of the Port box, to add the typical port or ports for that protocol.
14. In the Destination IP Address box, type the IP address to which the ACL controls access.
15. In the Destination Mask box, type the network mask for the destination IP address.
16. For the Destination Ports setting, select Port or Port Range.
This setting specifies whether the access control list entry applies to a single port or a range of ports.
17. In the Port box or the Start Port and End Port boxes, specify the port or port range to which the access control list entry applies.
To simplify this choice, you can select from the list of common applications, to the right of the Port box, to add the typical port or ports for that protocol.
18. From the Scheme list, select the URI scheme for the ACL entry.
You can select http, https, or any.
Any matches either HTTP or HTTPS traffic.
19. In the Host Name box, type a host to which the ACL applies.
The Host Name box supports shell glob matching. You can use the asterisk wildcard (*) to match zero or more characters, and the question mark wildcard (?) to match a single character. For example, the host entry *.siterequest.com matches siterequest.com with any prefix: www.siterequest.com, mail.siterequest.com, finance.siterequest.com, and any other host name with the same pattern.
The ? matches exactly one character, so n?t.siterequest.com matches the hosts net.siterequest.com and not.siterequest.com, but not neet.siterequest.com, nt.siterequest.com, or note.siterequest.com.
20. In the Paths box, type the path or paths to which the ACL applies.
You can separate multiple paths with spaces, for example, /news /finance. The Paths box supports shell glob matching. You can use the wildcard characters * and ? to represent multiple or single characters. You can also type a specific URI, for example, /finance/content/earnings.asp, or a specific extension, for example, *.jsp.
21. From the Protocol list, select the protocol to which the ACL applies.
22. From the Log list, select the log level for this access control entry.
None - log nothing.
Packet - log the matched packet.
23. Click Finished.
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
5. Select Resource Assign, and click Add Item.
The Resource Assign action popup screen opens.
6. Click Add new entry.
A new resource assign entry appears in the popup screen.
7. To add one or more ACLs, click the Add/Delete ACLs link, then select the check boxes for ACLs you want to assign, and clear the check boxes for ACLs you do not want to assign.
ACL assignment is optional.
8. Click Update to return to the Resource Assign popup screen.
9. Click Save to save the action.
The following examples show how to use ACLs to prevent access to servers, or to allow only certain types of traffic to access servers.

Source IP Address - 0.0.0.0 (note that when you leave an IP address entry blank, the result is the same as typing the address 0.0.0.0).
Source Mask - 0.0.0.0
Source Ports - All Ports
Destination IP Address - 192.168.112.0
Destination Mask - 255.255.255.0
Destination Ports - All Ports
Protocol - All Protocols
Action - Reject
3. Click Finished.

Source Mask - 0.0.0.0
Source Ports - All Ports
Destination IP Address - 192.168.112.9
Destination Mask - 255.255.255.255
Destination Ports - Port 22 (or select SSH)
Protocol - TCP
Action - Allow
3. Click Finished.

Source Mask - 0.0.0.0
Source Ports - All Ports
Destination Ports - All Ports
Scheme - http
Paths - *.doc *.exe *.txt
Protocol - All Protocols
Action - Reject
3. Click Finished.
When a user is allowed access by an access policy, that user is typically assigned a webtop. A webtop is the successful end point for a web applications or network access connection. A web applications webtop also provides a customizable screen for the user that includes links for working with the web applications, and displays messages relating to the connection.
You assign a webtop to the user session in a resource assign action in the access policy. Make sure that you assign the correct webtop type; a network access webtop must be assigned with a network access resource, and a web applications webtop must be assigned with a web applications resource.
1. On the Main tab of the navigation pane, expand Access Policy, then click Webtops.
The Webtop List screen opens.
2. Click Create.
The New Webtop screen opens.
3. In the Name box, type the name for the webtop.
4. From the Type list, select whether the webtop is a network access or a web applications webtop.
If you selected a network access webtop, select whether to automatically minimize the webtop to the system tray, by selecting or clearing the Minimize To Tray check box.
If you selected a web applications webtop, in the Web Application start URI box, type the URI for the web application.
5. Click Finished to complete the configuration.
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign (+) to add an action.
The Add Item popup screen opens.
5. Select Resource Assign, and click Add Item.
The Resource Assign action popup screen opens.
6. Click Add new entry.
A new resource assign entry appears in the popup screen.
7. To specify a webtop for the connection, click the Set Webtop link, and select a webtop to assign.
8. Click Update to return to the Resource Assign popup screen.
9. Click Save to save the action.