AskF5 | Manual Chapter: Configuring LTM Access

Applies To:

Show Versions

Manual Chapter: Configuring LTM Access

Table of Contents | << Previous Chapter | Next Chapter >>

Configuring LTM Access

Introducing LTM access

Reviewing LTM access options

Configuring LTM access

Introducing LTM access

The BIG-IP® Access Policy Manager provides various methods to pass user traffic and control access to applications by creating traffic tunnels using network access or allowing access to specific web applications.

However, the flexibility of Access Policy Manager provides another method to perform access control to web applications configured as local traffic pool members. This method of access is referred to as LTM access.

When used with BIG-IP® Local Traffic Manager, Access Policy Manager provides access policy features only.

For more information on BIG-IP® Local Traffic Manager features, refer to the Configuration Guide for BIG-IP® Local Traffic Manager.

Understanding how LTM access works

LTM access provides users the ability to access their web applications, through a web browser, without the use of tunnels or specific resources. In this scenario the user is authenticated and checked by the access policy in Access Policy Manager, without defining a resource or webtop. For example, you can have a configuration with ACLs, security checks, and authentication.

Note: Currently, you can configure access only to web applications with LTM access.

Through this method of access control, the Access Policy Manager communicates with backend web servers, forwarding requests from the client to web servers within a local traffic pool.

In a typical web application access connection, access occurs through a rewriting engine that rewrites links and URLs to and from the client. LTM access eliminates the need for content rewriting, allowing access to the configured local traffic pool after the user passes through the access policy checks.

In cases where you want additional security to your web applications where the access occurs on your local environment, we highly recommended that you use Access Policy Manager with Local Traffic Manager to achieve this.

Reviewing LTM access options

There are some LTM access configuration options you may want to consider before setting up this method for web application access.

Front-end SSL
The decision to either use or not use SSL should be dictated by the level of security required. Applications that do any form of authentication where passwords are transmitted in the clear, or where any information between the client and the virtual server must be secured, should use SSL. Additionally, where SSL is used by the backend web servers, it is best to configure SSL by the virtual server.

HTTP profile compression
You can enable compression on the HTTP profile used by the virtual server. Use compression to provide a better end user experience, particularly where there is limited bandwidth or high latency between the virtual server and the client.

Setting timeouts for web application access policy management

The LTM access type does not have logout mechanism, so you must configure a custom timeout option from the following choices. LTM access timeouts are set due to user inactivity.

The following timeout mechanisms are available:

Cache and session control access policy item - The cache and session control access policy item terminates a user session when it detects that the browser window is closed.You can also use the cache and session control action in an access policy, to provide inactivity timeouts to the user session. Use the Terminate session on user inactivity setting to configure the timeout for an LTM access session. The cache and session control action is supported on Windows browsers only.
For configuration information, see Setting up cache and session control.

Access Profile properties. You can configure a timeout in the access profile.

The Maximum Session Timeout setting provides an absolute limit for the duration of the access policy connection, regardless of user activity. If you want to ensure that a user session is closed after a certain period of time, configure this setting. Note that this setting is configured in seconds.

The Inactivity Timeout setting terminates the session if there is no traffic flow in the specified amount of time. Note that this setting is configured in seconds. Depending on the application, you may not want to set the inactivity timeout to a very short duration, as many applications may cache user typing, and generate no traffic for an extended period. In this scenario, a session may time out when the application is still in use, but the content of the user input is not relayed back to the server.
For configuration information, see Understanding access profile settings.

Understanding other LTM access considerations

You must consider the following configuration items when configuring LTM access.

SSL matching
SSL should be used consistently on the virtual server, as it is used with the web server. In other words, if the web server uses SSL, the virtual server should use SSL.

Multi-host service
When you implement a service with multiple hosts, access through the virtual server for new requests causes the load balancing algorithm for the associated member pool to select a new server. This can cause problems if persistence to a particular host is required.

Configuring LTM access

Configuring for LTM access requires that you configure both the BIG-IP® Local Traffic Manager and Access Policy Manager.

When you configure for this method of access, you create a virtual server that has one or more pool members and HTTP servers, and you attach an access policy to that virtual server. This access policy optionally provides endpoint security, authentication, and access control lists. Nodes and pools that represent the web applications associate with this virtual server.

Important: When you create an access policy, the policy cannot include a network access or portal access resource or webtop.

Configuring for LTM access requires these basic steps:

Create an access profile

Create nodes that represent the web servers

Add nodes to the pool

Create a virtual server

To create an access profile

1.	On the Main tab of the navigation pane, expand Access Policy, and click Access Profiles. The Access Profile screen opens.

2.	Click the Create button. The New Access Profiles screen opens.

3.	Specify the information for all the required parameters.

4.	Add any checks and actions required to the access policy. You can assign an ACL with the resource assign action, but do not assign a webtop or a portal access or network access resource.

To create nodes that represent web servers

1.	On the Main tab of the navigation pane, expand Local Traffic, and click Nodes.

2.	Click Create.

3.	Enter an address for the node.

4.	Repeat and create additional nodes for every web servers you want to represent.

5.	Click Finished.

To add nodes to a pool

1.	On the Main tab of the navigation pane, expand Local Traffic, and click Pools.

2.	Click Create.

3.	For each node created, add them to the pool as New Members.

4.	Click Finished.

To create a virtual server

1.	On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.

2.	Click Create.

3.	Type the name and address of the virtual server.

4.	Select a service port

5.	Select the HTTP Profile from the available options. The default profile, http, is usually sufficient, unless additional configuration options are needed.

6.	Select the SSL profile (Client) setting. A client SSL profile is only required if you want to enable SSL from the client to the virtual server.

7.	Select the SSL profile (Server) setting. A server SSL profile is only required if the pool members require SSL.

8.	From the Access Profile list, select an access profile you created for LTM access.

9.	Click Finished.

To select a pool

1.	On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers. The Virtual Server List screen opens

2.	Click the name of the virtual server. The Virtual Server Properties screen opens.

3.	Click the Resources tab.

4.	From the Default Pool list, select the local traffic pool.

5.	Click Update.

Table of Contents | << Previous Chapter | Next Chapter >>

Applies To:

BIG-IP APM

Was this resource helpful in solving your issue?

Additional Comments (optional)

About F5

Education

F5 Sites

Support Tasks

Connect with us