Manual Chapter: Configuring Access Profiles for Portal Access

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that is establishing a secured session.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click Create. The New Profile screen opens.
  3. Type a name for the access profile. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
  4. To configure timeout and session settings, select the Custom check box at the far right.
  5. In the Inactivity Timeout field, type the number of seconds that should pass before the access policy times out. Type 0 to set no timeout. If there is no activity (defined by the Session Update Threshold and Session Update Window settings in the Network Access configuration) between the client and server within the specified threshold time, the system closes the current session.
  6. In the Access Policy Timeout field, type the number of seconds that should pass before the access profile times out because of inactivity. Type 0 to set no timeout. You must select the associated Custom check box before you can configure this setting.
  7. In the Maximum Session Timeout field, type the maximum number of seconds the session can exist. Type 0 to set no timeout. You must select the associated Custom check box before you can configure this setting.
  8. In the Max Concurrent Users field, type the maximum number of users that can use this access profile at the same time. Type 0 to set no maximum. You must select the associated Custom check box before you can configure this setting.
  9. In the Max Sessions Per User field, type the maximum number of concurrent sessions that one user can start. Type 0 to set no maximum. You must select the associated Custom check box before you can configure this setting.
  10. To configure logout URIs, in the Configurations area, type each logout URI in the URI field, and then click Add.
  11. In the Logout URI Timeout field, type the delay in seconds before logout occurs for the customized logout URIs defined in the Logout URI Include list.
  12. In the SSO across Authentication Domains area, use the Domain Mode setting to select whether users log on to a single domain or multiple domains.
  13. If you selected Multiple Domains, then in the Primary Authentication URI field, type the primary URI for authentication.
  14. If the policy requires a secure cookie, select the Secure check box in the Cookie Options area. Enable this setting to add the secure keyword to the session cookie. If you are configuring an LTM access scenario where you are using an HTTPS virtual server to authenticate the user, and then sending the user to an existing HTTP virtual server to use applications, clear this check box.
  15. If the access policy requires a persistent cookie, select the Persistent check box in the Cookie Options area. This sets cookies if the session does not have a webtop. When the session is first established, session cookies are not marked as persistent, but when the first response is sent to the client after the access policy completes successfully, the cookies are marked persistent. Persistent cookies are updated for the expiration timeout every 60 seconds. The timeout is equal to session inactivity timeout. If the session inactivity timeout is overwritten in the access policy, the overwritten value will be used to set the persistent cookie expiration.
  16. From the SSO Configuration list, select the SSO configuration.
  17. In the Domain Cookie field, specify a domain cookie, if required.
  18. In the Language Settings area, add and remove accepted languages, and set the default language. You must add at least one language to configure the access profile. A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  19. Click Finished.
The access profile appears in the Access Profiles List.
To provide functionality with an access profile, you must configure the access policy. The default access policy for a profile denies all traffic and contains no actions. Click Edit in the Access Policy column to edit the access policy.

Configuring an access policy

You configure an access policy to provide authentication, endpoint checks, and resources to an access profile.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. Click the name of the access policy you want to edit.
  3. On the menu bar, click Access Policy.
  4. For the Visual Policy Editor setting, click the Edit access policy for Profile "policy_name" link.
  5. Add actions to the policy to provide functionality. End allowed branches of the access policy with an Allow ending. End branches that are not allowed access with a Denied ending.

Adding full resources to an access policy

Before you start this task, you must create an access profile.
Add the full resource assign action to an access policy to add a network access resource, portal access resources, application tunnel resources, and remote desktop resources to an access policy branch. You can also assign ACLs, webtops, and webtop links with the full resource assign action.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. On the Access Profiles List screen, click the name of the access profile for which you want to edit the access policy. The Access Profile properties screen opens for the profile you want to edit.
  3. On the menu bar, click Access Policy. The Access Policy screen opens.
  4. Click Edit Access Policy for Profile profile_name. The visual policy editor opens the access policy in a separate window or tab.
  5. On an access policy branch, click the plus symbol (+) to add an item to the access policy.
  6. From the General Purpose section, select Full Resource Assign and click the Add Item button. The Full Resource Assign popup screen opens.
  7. In the Name box, type a name for the access policy item. This name is displayed in the action box in the access policy.
  8. Click the Add new entry button. A new resource line is added to the list.
  9. To assign resources, below Expression, click the Add/Delete link. The Resource Assignment popup screen opens.
  10. Assign resources using the tabs as follows.
    Tab | Description
    Static ACLs | Allows you to select one or more ACLs defined on the system. Each ACL you select is assigned to the access policy branch on which this resource assign action operates.
    Network Access Resources | Allows you to select a single network access resource from the system. You can select only one network access resource. The network access resource you select is assigned to the access policy branch on which this resource assign action operates.
    Portal Access Resources | Allows you to select one or more portal access resources from the system. The portal access resources you select are assigned to the access policy branch on which this resource assign action operates.
    App Tunnel Resources | Allows you to select one or more application tunnel resources from the system. The application tunnel resources you select are assigned to the access policy branch on which this resource assign action operates.
    Remote Desktop Resources | Allows you to select one or more remote desktop (terminal server) resources from the system. The remote desktop resources you select are assigned to the access policy branch on which this resource assign action operates.
    Webtop Links | Allows you to select links to pages and applications defined on the system to display on the full webtop. A full webtop must be assigned to display webtop links.
    Webtop | Allows you to select a webtop from the system. The webtop resource you select is assigned to the access policy branch on which this resource assign action operates. You can select a webtop that matches the resource type, or a full webtop.
  11. Click the Save button to save changes to the access policy item.
You can now configure further actions on the successful and fallback rule branches of this access policy item.
Click the Apply Access Policy link to apply and activate your changes to this access policy.

Adding connection resources to an access policy

Before you start this task, you must create an access profile.
Add the resource assign action to an access policy to add a network access resource, portal access resources, application tunnel resources, and remote desktop resources to an access policy branch.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. On the Access Profiles List screen, click the name of the access profile for which you want to edit the access policy. The Access Profile properties screen opens for the profile you want to edit.
  3. On the menu bar, click Access Policy. The Access Policy screen opens.
  4. Click Edit Access Policy for Profile profile_name. The visual policy editor opens the access policy in a separate window or tab.
  5. On an access policy branch, click the plus symbol (+) to add an item to the access policy.
  6. From the General Purpose section, select Resource Assign and click the Add Item button. This opens the Resource Assignment popup window.
  7. In the Name box, type a name for the access policy item. This name is displayed in the action box in the access policy.
  8. On the Resource Assign screen, next to the type of resource you want to add, click the Add/Delete link.
  9. To assign resources, select the options you want.
  10. Assign resources using the tabs.
    Option | Description
    Network Access Resources | Allows you to select a single network access resource from the system. You can select only one network access resource. The network access resource you select is assigned to the access policy branch on which this resource assign action operates.
    Portal Access Resources | Allows you to select one or more portal access resources from the system. The portal access resources you select are assigned to the access policy branch on which this resource assign action operates.
    App Tunnel Resources | Allows you to select one or more application tunnel resources from the system. The application tunnel resources you select are assigned to the access policy branch on which this resource assign action operates.
    Remote Desktop Resources | Allows you to select one or more remote desktop (terminal server) resources from the system. The remote desktop resources you select are assigned to the access policy branch on which this resource assign action operates.
  11. Click the Save button to save changes to the access policy item.
You can now configure further actions on the successful and fallback rule branches of this access policy item. To assign a webtop and webtop links, add the Webtop and Links Assign action after this action.
Click the Apply Access Policy link to apply and activate your changes to this access policy.

Adding a webtop and webtop links to an access policy

Before you start this task, you must create an access profile.
Add the webtop and webtop links assign action to an access policy to add a webtop and webtop links to an access policy branch. Webtop links are displayed on a full webtop.
  1. On the Main tab, click Access Policy > Access Profiles. The Access Profiles List screen opens.
  2. On the Access Profiles List screen, click the name of the access profile for which you want to edit the access policy. The Access Profile properties screen opens for the profile you want to edit.
  3. On the menu bar, click Access Policy. The Access Policy screen opens.
  4. Click Edit Access Policy for Profile profile_name. The visual policy editor opens the access policy in a separate window or tab.
  5. On an access policy branch, click the plus symbol (+) to add an item to the access policy.
  6. From the General Purpose section, select Webtop and Links Assign and click the Add Item button. This adds the action to the access policy, and opens a popup assignment screen.
  7. In the Name box, type a name for the access policy item. This name is displayed in the action box in the access policy.
  8. On the Webtop & Webtop Links Assignment screen, next to the type of resource you want to add, click the Add/Delete link. Available resources are listed.
  9. To assign resources, select the options you want.
  10. Click the Save button to save changes to the access policy item.
You can now configure further actions on the successful and fallback rule branches of this access policy item.
Click the Apply Access Policy link to apply and activate your changes to this access policy.

Access profile settings

You can configure the following settings in an access profile.

Setting | Value | Description and defaults
Name | A name, beginning with a letter, and containing only letters, numbers, and the underscore (_) character. | Specifies the name of the access profile.
Inactivity Timeout | Number of seconds, or 0. | Specifies the inactivity timeout for the connection. If there is no activity between the client and server within the specified threshold time, the system closes the current session. By default, the threshold is 0, which specifies that as long as a connection is established, the inactivity timeout is inactive. However, if an inactivity timeout value is set, when server traffic exceeds the specified threshold, the inactivity timeout is reset.
Access Policy Timeout | Number of seconds, or 0. | Designed to keep malicious users from creating a denial-of-service (DoS) attack on your server. The timeout requires that a user, who has followed through on a redirect, must reach the webtop before the timeout expires. The default value is 300 seconds.
Maximum Session Timeout | Number of seconds, or 0. | The maximum lifetime is from the time a session is created, to when the session terminates. By default, it is set to 0, which means no limit. When you configure a maximum session timeout setting other than 0, there is no way to extend the session lifetime, and the user must log out and then log back in to the server when the session expires.
Max Concurrent Users | Number of users, or 0. | The number of sessions allowed at one time for this access profile. The default value is 0, which specifies unlimited sessions.
Max Sessions Per User | Number between 1 and 1000, or 0. | Specifies the number of sessions for one user that can be active concurrently. The default value is 0, which specifies unlimited sessions. You can set a limit from 1-1000. Values higher than 1000 cause the access profile to fail.
Logout URI Include | One or more URIs. | Specifies a list of URIs to include in the access profile to initiate session logout.
Logout URI Timeout | Logout delay URI in seconds. | Specifies the time delay before the logout occurs, using the logout URIs defined in the logout URI include list.
Domain Mode | Single Domain or Multiple Domains | Select Single Domain to apply your SSO configuration to a single domain. Select Multiple Domains to apply your SSO configuration across multiple domains. This is useful in cases where you want to allow your users a single APM login session and apply it across multiple Local Traffic Manager or Access Policy Manager virtual servers, front-ending different domains. Note: All virtual servers must be on one single BIG-IP system in order to apply SSO configurations across multiple domains.
Primary Authentication URI | URI | The URI of your primary authentication server, for example https://logon.siterequest.com. This is required if you use SSO across multiple domains. You provide this URI so your users can access multiple back-end applications from multiple domains and hosts without requiring them to re-enter their credentials, because the user session is stored on the primary domain.
Cookie Options: Secure | Enable or disable check box | Enable this setting to add the secure keyword to the session cookie. If you are configuring an application access control scenario where you are using an HTTPS virtual server to authenticate the user, and then sending the user to an existing HTTP virtual server to use applications, clear this check box.
Cookie Options: Persistent | Enable or disable check box | Enable this setting to set cookies if the session does not have a webtop. When the session is first established, session cookies are not marked as persistent, but when the first response is sent to the client after the access policy completes successfully, the cookies are marked persistent. Note: Persistent cookies are updated for the expiration timeout every 60 seconds. The timeout is equal to the session inactivity timeout. If the session inactivity timeout is overwritten in the access policy, the overwritten value is used to set the persistent cookie expiration.
SSO Configuration | Predefined SSO configuration. | SSO configurations contain settings to configure single sign-on with an access profile. Select the SSO configuration from the list that you want applied to your domain.
Domain Cookie | A domain cookie. | If you specify a domain cookie, then the line domain=specified_domain is added to the MRHsession cookie.
Configure Authentication Domains | Multiple | If you specify multiple domains, populate this area with hosts or domains. Each host or domain can have a separate SSO config, and you can set persistent or secure cookies. Click Add to add each host you configure.
Accepted Languages | Language strings. | Adds a built-in or customized language to the list of accepted languages. Accepted languages can be customized separately and can present customized messages and screens to users, if the user's default browser language is one of the accepted languages. Select a language from the Factory Builtin Languages list and click << to add it to the Accepted Languages list. Select a language from the Additional Languages list and click Add to add it to the Accepted Languages list.
Factory Builtin Languages | Languages in a predefined list | Lists the predefined languages on the Access Policy Manager system, which can be added to the Accepted Languages list. Predefined languages include customized messages and fields for common appearance items, as opposed to Additional Languages, which must be separately customized.
Additional Languages | Languages in a predefined list | Lists additional languages that can be added to the Accepted Languages list, and customized on the Access Policy Manager system. These languages are populated with English messages and fields and must be individually customized using the Customization menu, as opposed to Factory Builtin Languages, which are already customized.
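
The limits stated in the "Creating an access profile" steps and in the settings table above can be checked on a planned profile before it is entered in the GUI. The following Python check is an added example, not F5 code: the dictionary keys are hypothetical names for the fields on this page, and both sample records are constructed.

```python
import re
from urllib.parse import urlparse

# Keys are hypothetical snake_case forms of the field labels on this page.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*\Z")
TIMEOUTS = {
    "inactivity_timeout": "Inactivity Timeout",
    "access_policy_timeout": "Access Policy Timeout",
    "maximum_session_timeout": "Maximum Session Timeout",
}

def review_profile(p):
    """Return sorted (severity, field, message) findings for one profile record."""
    out = []
    if not NAME_RE.match(p["name"]):
        out.append(("error", "Name", "must begin with a letter; letters, numbers, _ only"))
    for key, label in TIMEOUTS.items():
        v = p[key]
        if not isinstance(v, int) or v < 0:
            out.append(("error", label, "must be a number of seconds, or 0"))
        elif v == 0:
            out.append(("warn", label, "0 sets no timeout"))
    n = p["max_sessions_per_user"]
    if not isinstance(n, int) or not 0 <= n <= 1000:
        out.append(("error", "Max Sessions Per User",
                    "must be 0 or 1-1000; higher values cause the profile to fail"))
    if p["domain_mode"] == "Multiple Domains":
        u = urlparse(p.get("primary_authentication_uri") or "")
        if not (u.scheme and u.netloc):
            out.append(("error", "Primary Authentication URI",
                        "required for SSO across multiple domains"))
    if not p["cookie_secure"]:
        out.append(("warn", "Cookie Options: Secure",
                    "no secure keyword on the session cookie; expected only for HTTPS-to-HTTP"))
    if p["cookie_persistent"]:
        out.append(("warn", "Cookie Options: Persistent",
                    f"cookie expiry follows the inactivity timeout ({p['inactivity_timeout']} s)"))
    if p.get("domain_cookie"):
        out.append(("warn", "Domain Cookie",
                    f"MRHsession cookie carries domain={p['domain_cookie']}"))
    if not p["accepted_languages"]:
        out.append(("error", "Accepted Languages", "at least one language is required"))
    return sorted(out)

# Constructed sample records, not taken from a real system.
GOOD = {"name": "portal_users", "inactivity_timeout": 900, "access_policy_timeout": 300,
        "maximum_session_timeout": 28800, "max_sessions_per_user": 2,
        "domain_mode": "Single Domain", "cookie_secure": True,
        "cookie_persistent": False, "domain_cookie": "", "accepted_languages": ["en"]}
BAD = {"name": "1portal-ext", "inactivity_timeout": 0, "access_policy_timeout": 300,
       "maximum_session_timeout": 0, "max_sessions_per_user": 5000,
       "domain_mode": "Multiple Domains", "primary_authentication_uri": "",
       "cookie_secure": False, "cookie_persistent": True,
       "domain_cookie": "siterequest.com", "accepted_languages": []}

if __name__ == "__main__":
    for prof in (GOOD, BAD):
        print(prof["name"])
        for finding in review_profile(prof):
            print("  %-5s %s: %s" % finding)
```

Errors are values the page says are rejected or required; warnings are permitted settings that weaken session or cookie handling and deserve a recorded reason.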