Manual Chapter : Configuring Web Access Management

Applies To: BIG-IP APM 11.4.1, 11.4.0
The BIG-IP® Access Policy Manager® provides various methods to pass user traffic and control access to applications by creating traffic tunnels using network access or allowing access to specific web applications.
However, the flexibility of Access Policy Manager provides another method to perform access control to web applications configured as local traffic pool members. This method of access is referred to as web access management.
When used with BIG-IP® Local Traffic Manager, Access Policy Manager provides access policy features only.
For more information on BIG-IP® Local Traffic Manager features, refer to BIG-IP® Local Traffic Manager: Concepts.
Web access management provides users the ability to access web applications, through a web browser, without the use of tunnels or specific resources. In this scenario the user is authenticated and checked by the access policy in Access Policy Manager, without defining a resource or webtop. For example, you can have a configuration with ACLs, security checks, and authentication.
Through this method of access control, the Access Policy Manager communicates with backend web servers, forwarding requests from the client to web servers within a local traffic pool.
With other access methods such as portal access, access occurs through a rewriting engine that rewrites links and URLs to and from the client. Web access management eliminates the need for content rewriting: after the user passes the access policy checks, the client is allowed through to the configured local traffic pool directly.
In cases where you want additional security for web applications that are accessed within your local environment, we highly recommend using Access Policy Manager together with Local Traffic Manager to achieve this.
There are some web access management configuration options you may want to consider before setting up this method for web access management.
Front-end SSL
Whether to use SSL should be dictated by the level of security required. Applications that perform any form of authentication where passwords would otherwise be transmitted in the clear, or where any information exchanged between the client and the virtual server must be protected, should use SSL. Additionally, where the backend web servers use SSL, configure SSL on the virtual server as well.
HTTP profile compression
You can enable compression on the HTTP profile used by the virtual server. Use compression to provide a better end user experience, particularly where there is limited bandwidth or high latency between the virtual server and the client.
Web access management has no logout mechanism, so you must configure a timeout using one of the following options. Web access management sessions are terminated on user inactivity.
Cache and session control access policy item - The cache and session control access policy item terminates a user session when it detects that the browser window is closed. You can also use the cache and session control action in an access policy to apply an inactivity timeout to the user session: use the Terminate session on user inactivity setting to configure the timeout for a web access management session. The cache and session control action is supported on Windows browsers only.
For configuration information, see Setting up Windows cache and session control.
Access profile properties - You can configure a timeout in the access profile.
The Maximum Session Timeout setting provides an absolute limit for the duration of the access policy connection, regardless of user activity. If you want to ensure that a user session is closed after a certain period of time, configure this setting. Note that this setting is configured in seconds.
The Inactivity Timeout setting terminates the session if there is no traffic flow in the specified amount of time. Note that this setting is configured in seconds. Depending on the application, you may not want to set the inactivity timeout to a very short duration: many applications cache user typing and generate no traffic for an extended period. In this scenario a session may time out while the application is still in use, and the content of the user's input is never relayed to the server.
For configuration information, see Understanding access profile settings.
SSL matching
SSL should be used consistently on the virtual server, as it is used with the web server. In other words, if the web server uses SSL, the virtual server should use SSL.
Multi-host service
When you implement a service with multiple hosts, each new request through the virtual server causes the load balancing algorithm for the associated pool to select a server, possibly a different one from the previous request. This can cause problems if persistence to a particular host is required.
Configuring for web access management requires that you configure both the BIG-IP® Local Traffic Manager and Access Policy Manager.
When you configure this method of access, you create a virtual server with one or more pool members (the HTTP servers), and you attach an access policy to that virtual server. The access policy optionally provides endpoint security, authentication, and access control lists. The nodes and pools that represent the web applications are associated with this virtual server.
Important: When you create an access policy, the policy cannot include a network access or portal access resource or webtop.
1. On the Main tab of the navigation pane, expand Access Policy, and click Access Profiles.
The Access Profile screen opens.
2. Click the Create button.
The New Access Profiles screen opens.
4. Add any checks and actions required to the access policy. You can assign an ACL with the resource assign action, but do not assign a webtop or a portal access or network access resource.

1.
2. Click Create.
5. Click Finished.
To add nodes to a pool
1.
2. Click Create.
4. Click Finished.
1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
2. Click Create.
5. Select the HTTP Profile from the available options.
The default profile, http, is usually sufficient, unless additional configuration options are needed.
6. Select the SSL profile (Client) setting.
A client SSL profile is only required if you want to enable SSL from the client to the virtual server.
7. Select the SSL profile (Server) setting.
A server SSL profile is only required if the pool members require SSL.
8. From the Access Profile list, select an access profile you created for web access management.
9. Click Finished.
1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
The Virtual Server List screen opens.
2. Click the name of the virtual server.
The Virtual Server Properties screen opens.
4. From the Default Pool list, select the local traffic pool.
5. Click Update.
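The pool and virtual server procedures above, together with the access profile timeouts from the timeout section, expressed as a tmsh command sequence. This is an added example, not from the F5 manual: the object names and addresses (web01, web02, wam_pool, wam_vs, wam_access, 10.10.10.x, 192.0.2.10) are constructed, and the access profile wam_access is assumed to already exist with its policy (checks, ACL assign, no webtop or portal/network access resource) built in the visual policy editor per the first procedure.

```tmsh
# Nodes and pool for the backend web servers (constructed addresses).
# The backend listens on 443, so SSL matching applies: the virtual
# server must use SSL too (client SSL in front, server SSL to the pool).
create ltm node web01 address 10.10.10.11
create ltm node web02 address 10.10.10.12
create ltm pool wam_pool monitor https members add { web01:443 web02:443 }

# Virtual server with the http profile, a client SSL profile (client -> virtual
# server), a server SSL profile (virtual server -> pool members) and the access
# profile created in the GUI. The default clientssl profile carries the BIG-IP
# default certificate; use a profile with your own certificate in production.
create ltm virtual wam_vs destination 192.0.2.10:443 ip-protocol tcp profiles add { tcp http clientssl { context clientside } serverssl { context serverside } wam_access } pool wam_pool

# Web access management has no logout, so the session ends on the access
# profile timeouts (seconds): an absolute limit of 8 hours and 15 minutes of
# inactivity. Keep the inactivity value long enough for applications that
# buffer user typing without sending traffic.
modify apm profile access wam_access max-session-timeout 28800 inactivity-timeout 900

# Make the profile change take effect for new sessions, then persist.
modify apm profile access wam_access generation-action increment
save sys config

# Verify that the access profile and both SSL profiles are attached.
list ltm virtual wam_vs profiles
```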