Manual Chapter : Viewing and Editing the Access Configuration

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 5.2.0
Manual Chapter

Finding a device-specific resource

In BIG-IQ® Centralized Management Access, you can find a device-specific resource by searching for it in the search field, or under the specific device to which it belongs.
  1. To search for a resource among the shared resources, click the question mark at the top right of the screen.
  2. In the Search field, type all or part of the name of the object, and press Enter.
    The Search screen displays each shared object type, with the number of matching resources it has found, marked in parentheses. For example, ACCESS PROFILES (1), PORTAL ACCESS (0), and so on.
  3. To search among device-specific resources, expand the Access group name, click the name of a device, then use the Filter field to sort the resources.
  4. If you do not know the name of the resource you want to find, to find it you must browse through the shared resource types and device-specific resource types for the devices.

Editing a device-specific resource

In BIG-IQ® Access, you can update the properties of a device-specific resource in the working configuration.
  1. At the top of the screen, select Configuration, then expand ACCESSand click Access Groups .
  2. In the Access Groups screen, click the name of an Access group.
    The screen displays a list of resource types.
  3. Expand the resource types and select the particular type of resource that you want to change.
    A screen displays a list of resources displays.
  4. Click the name of the resource that you want to edit.
    The properties screen for that resource opens.
  5. Edit the resource properties.
    Note: Click the question mark (?) icon for help on each property.
  6. Click Save.
The change is distributed to the BIG-IP® device when you deploy the configuration.

Sharing a device-specific resource

In BIG-IQ® Access, you can make a device-specific resource act like a shared resource.
Note: When you make a device-specific resource shared, the resource takes the properties defined for it on the source device
  1. At the top of the screen, select Configuration, then expand ACCESSand click Access Groups .
  2. Select an existing Access group.
  3. Select the type of resource that you want to change.
    The screen displays a list of resources of that type on the right.
  4. From the list, select the check box for the resource that you want to make shared.
  5. Click Mark Shared.
    The resource no longer displays on the list of device-specific resources.
You can now find the resource on the Shared resources list.

What local traffic objects does Access support?

In BIG-IQ® Centralized Management, you can associate various local traffic objects without manually configuring the objects in individual BIG-IP® devices before deploying the Access configuration on these devices. You must create these objects in either the BIG-IQ local traffic component or in BIG-IP local traffic. :

  • Virtual Server
    • You can configure sections of a virtual server specific to BIG-IQ system in the BIG-IQ system. This includes configuring Access profiles, connectivity profiles, per-request policies, VDI profiles, enabling App Tunnels, enabling OAM support, and PingAccessProfile.
    • You can configure the SAML artifact resolution service with the virtual server for each BIG-IP device in BIG-IQ Access.
  • SSL Certificate and SSL Key
    • On the BIG-IP device, you can export the certificate and key files for each CERT and KEY object, and manually import them to the same object in BIG-IQ system.
    • On the BIG-IP device, you can configure SAML, SAML IdP Connector, and OCSP Respond with SSL Cert and SSL Key.
    • You can configure OamAccessGate for each device with SSL Key and Cert in BIG-IQ system.
  • Net Tunnels Fec
    • You can create the connectivity profile on a BIG-IP device with a Fec profile.
  • Route Domains
    • You can create route domains for each BIG-IP device in BIG-IQ system.
    • You can configure the Route Domain Selection Agent for each BIG-IP device in BIG-IQ system by editing the Access policy.
  • iRules
    • You can create iRules® in BIG-IP Access, and configure them in the virtual server.
    • If you are using iRules in an OAuth server, create the iRule first, then associate the OAuth server in the BIG-IP device.
  • DNS Resolver
    • You can create DNS resolvers in either the BIG-IP device or BIG-IQ system.
    • The best practice is to create the DNS resolver in the BIG-IP device, then associate the DNS resolver with the OAuth server.
  • SSL Client Profile and HTTP Profile
    • You can create either profile in BIG-IQ system, and configure it in the local traffic virtual server.
  • Server SSL Profile
    • You can create this in either the BIG-IP device or in BIG-IQ system.
    • The best practice is to create the server SSL profile in the BIG-IP device, and associate it with the SAML IdP connector.
    • You can configure LDAP and Endpoint Management systems with a server SSL profile in either the BIG-IP device or in BIG-IQ system.
  • Rewrite Profile and Classification Profile
    • You must create these in the BIG-IP device.
    • You can associate both these profiles with the local traffic virtual server in the BIG-IQ system.
    • You can associate the rewrite profile in portal mode with the Access group virtual server in the BIG-IQ system.

For more information about configuring BIG-IQ local traffic objects, refer to the online help, and to the guide, F5 BIG-IQ Centralized Management: Local Traffic & Network.

Editing a virtual server

You must create a virtual server in BIG-IP LTM. The created virtual servers are listed in the Access group for the corresponding Access group devices. You must manually configure a virtual server for each device in the Access group. During deployment, you must deploy the Access-specific virtual server properties.
A virtual server is an LTM resource that you can configure in BIG-IQ Access.
  1. At the top of the screen, select Configuration, then expand ACCESSand click Access Groups .
  2. In the Access Groups screen, click the name of an Access group.
    The screen displays a list of resource types.
  3. Expand the resource types and select the particular type of resource that you want to change.
    A screen displays a list of resources displays.
  4. Click Virtual Server.
    The Virtual Server (Device-specific) screen displays on the right.
  5. Select an existing virtual server to edit.
    A new screen displays.
  6. Type a description.
  7. From the Access Profile list, select a profile for managing secure access.
  8. From the Connectivity Profile list, select a profile for managing specific connection options for a secure access connection.
  9. From the Per Request Policy list, select an already configured per-request policy.
  10. From the Per Request Policy list, select a VDI profile for use when you want to provide connections to virtual desktop resources.
  11. For Application Tunnels(Java & Per App VPN), select the check box to support connections from Java applications or to support a SOCKS tunnel from an iOS mobile device that initiates per-app VPN.
  12. For OAM Support, select the check box to provide native integration with the OAM server for authentication and authorizatio.
  13. From the PingAccess Profile list, select an already configured Ping Access Profile for authentication with a Ping Access policy server.
  14. From the Rewrite Profile list, select a rewrite profile to rewrite web application data or to perform URI translation with the reverse proxy.
You have configured a virtual server.

Where are local traffic objects supported in Access?

This table describes the relationship between local traffic objects and APM objects. Specifically, this explains which local traffic objects are used in which Access objects.

Table 1. Local Traffic objects are supported in which Access objects?
LTM Object Access Object
Virtual server
  • Artifact Resolution Service
  • OAM Access gate
SSL Key
  • SAML
  • SAML IDP connector
  • OAM Access gate
  • OCSP Responder
SSL Cert
  • SAML
  • SAML IdP connector
  • OAM Access gate
  • OCSP Responder
SNAT Pool
  • Network Access
  • RouteDomain Selection Agent
Server SSL Profile
  • Endpoint management system
  • LDAP
  • SAML IdP connector
Net Tunnels Fec
  • Connectivity Profile
Route Domain
  • Route domain selection agent
iRules
  • iRule Event Agent
  • OAuth Server
DNS Resolver
  • OAuth Server
ReWrite Profile
  • Portal access
LogPublisher
  • Access log settings
  • Classification profile
Preset
  • Classification profile

Returning a shared resource to device-specific resources

If you made a device-specific resource into a shared resource, you can return it to device-specific resources and configure its properties for each device in the Access group.
Note: Device-specific resources are a system-defined subset of shared resources. Not all shared resources can be made device-specific.
  1. At the top of the screen, select Configuration, then expand ACCESSand click Access Groups .
  2. Select an existing Access group.
  3. Select the type of resource that you want to change.
    The screen displays a list of resources of that type on the right.
  4. From the list, select the resource that you want to return to its device-specific state.
  5. Click Make Device Specific.
    The resource no longer displays on the list of shared resources.
The resource is now located with the device in Device-specific resources.
You can now change the resource properties to meet the device-specific requirements that you have.

Viewing an access policy

After you've imported a device, you can view the access policies that are configured on it. An access policy is either a per-session policy or a per-request policy. In either case, an access policy is made up of policy items, such as Start, Logon, Deny, and macros. A macro is a sub-policy with a beginning, one or more policy items, and one or more endings.
Note: These policies are deployed to all the devices in the Access group. You can view the flow of actions in the policy, but not the properties of the actions.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then expand ACCESSand click Access Groups .
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. On the left, expand Profiles / Policies, click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies(Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  5. Select an access policy.
    The VPE screen opens.
  6. (Optional) To move to another section of a large access policy more quickly than scrolling allows:
    • For Windows, hold the right mouse button down and drag the mouse.
    • For macOS, hold down the command key while dragging the mouse.
  7. To close the screen, click Close.

About the access policy display

When you view an access policy in BIG-IQ® Access, the items in the policy are of a constant size. If an access policy item name is unusually long and does not include spaces, the name of the policy item will be truncated.

Editing an access policy

You can edit an existing access policy using the BIG-IQ® Access Visual Policy Editor (VPE) if the policy items are action, ending, or macro calls. Although Start and In are policy items, you cannot edit them. You can undo any edited actions, and if you cancel an editing session before saving, the Policy Editor makes no changes to the policy. However, some actions or objects cannot be undone or discarded. These include the following:
  • Creating a per-session policy macro.
  • Creating a per-request policy macro, subroutine, or subroutine macro.
  • Creating new endings or terminals
  • Deleting endings or terminals.
  • Changing macros or subroutine properties.
  • Updating the policy ending.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then expand ACCESSand click Access Groups .
  3. Click the name of the Access group that interests you.
    A new screen displays the Access group properties.
  4. On the left, expand Profiles / Policies, and click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies(Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  5. Select an access policy.
    The VPE screen opens.
  6. Modify the policy by clicking the diagram to insert new items, modify existing items, delete items, or change endings.

    Undo returns you to the access policy before your most recent change.

    Redo allows you to redo an action you have undone.

    Revert returns the access policy to the state before you made any changes to the policy.

  7. Click Save.
    Saving the policy saves all changes in the policy diagram, including all workflows and modified macros. You can also discard pending changes and macros by clicking Discard.

Editing a policy item

You can edit an existing policy item using the BIG-IQ® Access Visual Policy Editor (VPE).
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then expand ACCESSand click Access Groups .
  3. Click the name of the Access group that interests you.
    A new screen displays the Access group properties.
  4. On the left, expand Profiles / Policies, and click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies(Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  5. Select an access policy.
    The VPE screen opens.
  6. Move your mouse over a policy branch, depicted by the blue line.
    An add icon (+) displays.
  7. Click the (+) icon.
    The Item Insertion Selection popup screen opens.
  8. From the selection list on the left, select the type of policy item.
    Example: Logon, or Authentication.
    The screen displays a list of policy items on the right.
  9. From either the Caption or Description list, select a policy item.
    Another popup screen with properties and branch rules opens.
  10. On the Properties tab, modify or fill in the fields.
  11. To add a new branch rule or select an existing rule from the list, on the Branch Rules tab, click Add.
  12. Click either Simple or Advanced, and modify the branch rule.
  13. Click Save.
The policy item displays in the VPE at the location on the policy branch where you clicked the add icon (+).

About timeouts and crashes

During an editing session, if you remain inactive for a prolonged period of time, the session times out. Other times, the browser might freeze. In either case, you might have to prematurely terminate an editing session without a chance to save your changes. However, regardless of why you had to terminate a session, BIG-IQ® Access saves a draft of the policy and saves any unsaved macro when you make a modification. The next time you log in, locate the policy, and open the editing screen. The system notifies you that an unsaved draft exists, and prompts you to select whether you want to continue editing the draft or start over.

The system saves the change history in the draft, so actions such as Undo and Redo work for all changes you make before the session was interrupted. Lastly, if someone else was the previous editor, you can see the user and the time of the last edit. This allows you to choose whether or not to resume that person's editing session.

What is a macro sub-policy?

A macro is a sub-policy with a beginning, one or more policy items, and one or more endings. You can create or edit a macro as you would a policy. In a policy, a macro-call in the workflow represents the macro. When you insert a macro-call in a policy or another macro, it displays as a node in the workflow diagram. Typically, you use a macro in multiple branches of the workflow.

Macros are specific to an access policy. You cannot create a macro if there are pending changes to the access policy. You can also create special macros. These have the same workflow as the base macro type. However, you can only use subroutines in per-request policies and subroutine macros in subroutines.

Creating a macro sub-policy

You can create a macro sub-policy by using the Access visual policy editor.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then expand ACCESSand click Access Groups .
  3. Click the name of the Access group that interests you.
    A new screen displays the Access group's properties.
  4. On the left, expand Profiles / Policies, and click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies(Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  5. Select an access policy.
    The VPE screen opens.
  6. At the lower left, ensure that Macros shows on the drop-down menu.
    Macros should be the default option. Macros always appear in the lower area of the VPE screen. This is where you edit them. You can change the properties of a macro in Edit Properties and manage macro terminals (endings) in Edit Terminals. You cannot modify properties or terminals that have pending changes.
  7. Click New.
    The Create New popup screen opens.
  8. From the Template drop-down list, select an existing template or an empty macro.
  9. In the Caption field, type a name for the macro.
  10. Click OK.
    The macro template displays in the VPE screen.
After creating a macro, you can edit the macro sub-policy by inserting actions or macros in the branches, or by selecting either the default ending or different endings.

Adding an action item or macro-call to a sub-policy

You can modify an existing sub-policy by adding additional action items and macro-calls. When modifying a sub-policy, such as a macro, all diagram operations, insertions, deletions, modifications, and branch swaps are the same from the sub-policy and the main Access policy.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then expand ACCESSand click Access Groups .
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. On the left, expand Profiles/Policies, and click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies(Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  5. Select an access policy.
    The VPE screen opens. The existing macro displays under the Macro sub-window.
  6. Select the macro that you want to modify.
    The macro policy displays with actions and branches.
  7. Hover your cursor over a branch line between two items.
    An add icon (+) displays.
  8. Click the icon +.
    The Item Insertion Selection popup screen opens.
  9. From the Caption list, select a policy item.
    A new screen opens.
  10. Fill in the relevant parameters and fields.
  11. Click Branch Rules.
  12. Click Add.
    The Branch Rules popup section displays more settings.
  13. On the left, select either Simple or Advanced to create a branch rule configuration.
  14. Fill in the relevant parameters and fields.
  15. Click OK.
    The new branch rule displays in the Branch Rules screen.
  16. Click Save.
The Access policy now includes the new action item.

Creating an ending policy item

Every branch in a workflow has one of three ending policy items: Deny, Redirect, or Allow. Macro endings are called terminals. As with action items, you can create, modify, or delete endings. You must include at least one ending for a policy or a macro, with one ending as the default. The default ending cannot be deleted. If you delete an ending that is in-use, the ending changes to the default ending.
Note: Creating an ending policy item can only be done if there are no pending changes to the policy flows.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then expand ACCESSand click Access Groups .
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. On the left, expand Profiles/Policies, and click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies(Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  5. Select an Access policy.
    The VPE screen opens.
  6. At the top of the screen, click Edit Endings.
    The Manage Policy Endings popup screen opens.
  7. Click New.
    The popup screen displays New Ending settings.
  8. In the Name field, type a name for this policy ending.
  9. In the Color field, select a color that the Policy Editor displays to represent this policy ending.
  10. For the Type setting, select one of the options:
    • Success if the policy branch ends in success.
    • Fail if the policy branch ends in failure.
    • Redirect if the policy branch redirects to a new URL, and then type a valid URL in the URL field.
  11. Click Save.
  12. Click Close.
You have created a new policy ending.

Editing an ending policy item

You can edit an ending policy item by changing the color, caption, type, and redirect URL (if the sub-policy is a Deny ending).
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then expand ACCESSand click Access Groups .
  3. On the left, click Access Groups.
    The Access Groups screen opens.
  4. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  5. On the left, expand Profiles/Policies, and click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies(Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  6. Select an access policy.
    The VPE screen opens.
  7. At the top of the screen, click Edit Endings.
    The Manage Policy Endings popup screen opens.
  8. From the list under Policy Endings, select an existing ending.
    The popup screen displays configurable fields.
  9. In the Name field, type a name for this policy ending.
  10. In the Color field, select a color that the Policy Editor displays to represent this policy ending.
  11. For the Type option, select one of the options:
    • Success if the policy branch ends in success.
    • Fail if the policy branch ends in failure.
    • Redirect if the policy branch redirects to a new URL ,and then type a valid URL in the URL field.
  12. If you are editing the Deny ending, modify the fields under Customization.
  13. Click Save.
  14. Click Close.
You have edited a policy ending.

Deleting an ending policy item

You can delete any ending policy item except for the Deny ending.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then expand ACCESSand click Access Groups .
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. On the left, expand Profiles/Policies, click Access Profiles (Per-Session Policies) (Shared) or Per-Request Policies(Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  5. Select an access policy.
    The VPE screen opens.
  6. At the top of the screen, click Edit Endings.
    The Manage Policy Endings screen opens.
  7. From the list under Policy Endings, click the ending you want to delete.
    You cannot delete the Deny ending.
    An X button displays next to the ending.
  8. Click the X button.
    The Delete Diagram Component Confirmation popup screen opens.
  9. Click OK.
  10. Click Close.
You have deleted a policy ending.

Swapping policy branches

When examining the policy workflow, you can swap one branch with another. Swapping branches does not change the order of the branch rule, only the destination of the two branches involved in the swap. When moving a branch, a highlighted bold blue line indicates that the swap is allowed. You cannot swap branches from an agent's upstream and downstream agent branches.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then expand ACCESSand click Access Groups .
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. On the left, expand Profiles/Policies, and click Access Profiles (Per-Session Policies)s (Shared) or Per-Request Policies(Shared).
    A new screen opens, showing a list of access policies associated with this Access group.
  5. Select an access policy.
    The VPE screen opens*.
  6. Click on a branch and hold your mouse button.
  7. Drag the branch up or down.
    A red dotted line previews where the branch ends up.
  8. Release your mouse button.
    The VPE displays an access policy with swapped branches.
  9. Click Save.

About editing conflicts

If you and other users can edit a policy, then multiple users can attempt to modify the same policy at the same time. As a result, changes made by another user can override your changes. However, in BIG-IQ® Access, if you start an editing session while another user is still editing, the system notifies you that you won't be able to make changes to the policy. The policy appears to you as read-only, and the warning message shows you who is currently editing the policy. You can then choose one of the following actions:
  • Contact the other editor.
  • Try again another time.
  • Take over the original user's session. You can then choose to save or discard the original user's changes or continue editing.
Note: When you choose a policy that has pending changes, the system displays a warning message tell you who was the last editor, and when the last edit was made. You can then choose to either resume the editing session or view the policy in read-only mode.
Note: If you choose to continue editing, the screen displays an orange line indicating that the policy has unsaved changes. The Details screen shows a summary of where the changes are.

Managing Configuration Snapshots

What is snapshot management?

You can manage configuration snapshots for the configurations you have created on the BIG-IQ® Centralized Management system. A snapshot is a backup copy of a configuration. Configuration snapshots are created manually. This type of snapshot does not include events or alerts.
Note: If an Access group version changes to a later BIG-IQ version and you attempt to restore a snapshot created during the previous version, then restoring that snapshot can cause working configuration changes that can cause a deployment failure.

Comparing snapshots

You can compare two snapshots, or compare a snapshot to the configuration on the BIG-IQ® Centralized Management system to view their differences.

  1. Under SNAPSHOT & RESTORE, select Access.
    The screen displays a list of Access snapshots that have been created on this device.
  2. Select the check box to the left of the snapshot that you want to use as the source snapshot.
  3. Click the Compare button.
    The Differences screen opens.
  4. Analyze the configuration differences between the snapshot and the comparison target. When you are finished, click Cancel to close the Differences screen, then click Close.
    The screen closes and you return to the Snapshot screen.