Manual Chapter : Creating an Access Policy for Network Access

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Manual Chapter

Creating an Access Policy for Network Access

About access profiles

In the BIG-IP® Access Policy Manager®, an access profile is the profile that you select in a virtual server definition to establish a secured session. You can also configure an access profile to provide access control and security features to a local traffic virtual server hosting web applications.

The access profile contains:

  • Access policy timeout and concurrent user settings
  • Accepted language and default language settings
  • Single Sign-On information and domain cookie information for the session
  • Customization settings for the access profile
  • The access policy for the profile

About access policies for network access

Define an access policy for network access in order to provide access control conditions that you want users to satisfy, before they can connect to internal resources. For a network access policy, you need to configure a minimum of a resource assign action that assigns a network access resource.

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile and any per-request policy names.
  4. From the Profile Type list, select SSL-VPN.
    Additional settings display.
  5. From the Profile Scope list, retain the default value or select another.
    • Profile: Gives a user access only to resources that are behind the same access profile. This is the default value.
    • Virtual Server: Gives a user access only to resources that are behind the same virtual server.
    • Global: Gives a user access to resources behind any access profile that has global scope.
  6. To configure timeout and session settings, select the Custom check box.
  7. In the Inactivity Timeout field, type the number of seconds that should pass before the access policy times out. Type 0 to set no timeout.
    If there is no activity (defined by the Session Update Threshold and Session Update Window settings in the Network Access configuration) between the client and server within the specified threshold time, the system closes the current session.
  8. In the Access Policy Timeout field, type the number of seconds that should pass before the access profile times out because of inactivity.
    Type 0 to set no timeout.
  9. In the Maximum Session Timeout field, type the maximum number of seconds the session can exist.
    Type 0 to set no timeout.
  10. In the Max Concurrent Users field, type the maximum number of users that can use this access profile at the same time.
    Type 0 to set no maximum.
  11. In the Max Sessions Per User field, type the maximum number of concurrent sessions that one user can start.
    Type 0 to set no maximum.
  12. In the Max In Progress Sessions Per Client IP field, type the maximum number of concurrent sessions that one client IP address can support.
    Type 0 to set no maximum.
  13. Select the Restrict to Single Client IP check box to restrict the current session to a single IP address.
    This setting associates the session ID with the IP address.
    Upon a request to the session, if the IP address has changed the request is redirected to a logout page, the session ID is deleted, and a log entry is written to indicate that a session hijacking attempt was detected. If such a redirect is not possible, the request is denied and the same events occur.
  14. To configure logout URIs, in the Configurations area, type each logout URI in the URI field, and then click Add.
  15. In the Logout URI Timeout field, type the delay in seconds before logout occurs for the customized logout URIs defined in the Logout URI Include list.
  16. To configure SSO:
    • For users to log in to multiple domains using one SSO configuration, skip the settings in the SSO Across Authentication Domains (Single Domain mode) area. You can configure SSO for multiple domains only after you finish the initial access profile configuration.
    • For users to log in to a single domain using an SSO configuration, configure settings in the SSO Across Authentication Domains (Single Domain mode) area, or you can configure SSO settings after you finish the initial access profile configuration.
  17. In the Domain Cookie field, specify a domain cookie, if the application access control connection uses a cookie.
  18. In the Cookie Options setting, specify whether to use a secure cookie.
    • If the policy requires a secure cookie, select the Secure check box to add the secure keyword to the session cookie.
    • If you are configuring an LTM access scenario that uses an HTTPS virtual server to authenticate the user and then sends the user to an existing HTTP virtual server to use applications, clear this check box.
  19. If the access policy requires a persistent cookie, in the Cookie Options setting, select the Persistent check box.
    This sets cookies if the session does not have a webtop. When the session is first established, session cookies are not marked as persistent; but when the first response is sent to the client after the access policy completes successfully, the cookies are marked persistent. Persistent cookies are updated for the expiration timeout every 60 seconds. The timeout is equal to session inactivity timeout. If the session inactivity timeout is overwritten in the access policy, the overwritten value will be used to set the persistent cookie expiration.
  20. From the SSO Configurations list, select an SSO configuration.
  21. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  22. Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.
To add an SSO configuration for multiple domains, click SSO / Auth Domains on the menu bar. To provide functionality with an access profile, you must configure the access policy. The default access policy for a profile denies all traffic and contains no actions. Click Edit in the Access Policy column to edit the access policy.

Access profile settings

You can configure the following settings in an access profile.

Setting Value Description and defaults
Name Text Specifies the name of the access profile.
Inactivity Timeout Number of seconds, or 0 Specifies the inactivity timeout for the connection. If there is no activity between the client and server within the specified threshold time, the system closes the current session. By default, the threshold is 0, which specifies that as long as a connection is established, the inactivity timeout is inactive. However, if an inactivity timeout value is set, when server traffic exceeds the specified threshold, the inactivity timeout is reset.
Access Policy Timeout Number of seconds, or 0 Designed to keep malicious users from creating a denial-of-service (DoS) attack on your server. The timeout requires that a user, who has followed through on a redirect, must reach the webtop before the timeout expires. The default value is 300 seconds.
Maximum Session Timeout Number of seconds, or 0 The maximum lifetime is from the time a session is created, to when the session terminates. By default, it is set to 0, which means no limit. When you configure a maximum session timeout setting other than 0, there is no way to extend the session lifetime, and the user must log out and then log back in to the server when the session expires.
Max Concurrent Users Number of users, or 0 The number of sessions allowed at one time for this access profile. The default value is 0 which specifies unlimited sessions.
Max Sessions Per User Number between 1 and 1000, or 0 Specifies the number of sessions for one user that can be active concurrently. The default value is 0, which specifies unlimited sessions. You can set a limit from 1-1000. Values higher than 1000 cause the access profile to fail.
Note: Only superAdmins and application editors have access to this field. No other admin roles can modify this field.
Max In Progress Sessions Per Client IP Number 0 or greater Specifies the maximum number of sessions that can be in progress for a client IP address. When setting this value, take into account whether users will come from a NAT-ed or proxied client address and, if so, consider increasing the value accordingly. The default value is 0 which represents unlimited sessions.
Note: Only superAdmins and application editors have access to this field. No other admin roles can modify this field.
Restrict to Single Client IP Selected or cleared When selected, limits a session to a single IP address.
Note: Only superAdmins and application editors have access to this field. No other admin roles can modify this field.
Logout URI Include One or more URIs Specifies a list of URIs to include in the access profile to initiate session logout.
Logout URI Timeout Logout delay URI in seconds Specifies the time delay before the logout occurs, using the logout URIs defined in the logout URI include list.
SSO Authentication Across Domains (Single Domain mode) or SSO / Auth Domains: Domain Cookie A domain cookie If you specify a domain cookie, then the line domain=specified_domain is added to the MRHsession cookie.
SSO / Auth Domains: Domain Mode Single Domain or Multiple Domains Select Single Domain to apply your SSO configuration to a single domain. Select Multiple Domain to apply your SSO configuration across multiple domains. This is useful in cases where you want to allow your users a single Access Policy Manager® (APM®) login session and apply it across multiple Local Traffic Manager™ or APM virtual servers, front-ending different domains.
Important: All virtual servers must be on one single BIG-IP® system in order to apply SSO configurations across multiple domains.
SSO / Auth Domains: Primary Authentication URI URI The URI of your primary authentication server, for example https://logon.siterequest.com. This is required if you use SSO across multiple domains. You provide this URI so your users can access multiple back-end applications from multiple domains and hosts without requiring them to re-enter their credentials, because the user session is stored on the primary domain.
Cookie Options: Secure Enable or disable check box Enabled, this setting specifies to add the secure keyword to the session cookie. If you are configuring an application access control scenario where you are using an HTTPS virtual server to authenticate the user, and then sending the user to an existing HTTP virtual server to use applications, clear this check box.
Cookie Options: Persistent Enable or disable check box Enabled, this setting specifies to set cookies if the session does not have a webtop. When the session is first established, session cookies are not marked as persistent, but when the first response is sent to the client after the access policy completes successfully, the cookies are marked persistent.
Note: Persistent cookies are updated for the expiration timeout every 60 seconds. The timeout is equal to the session inactivity timeout. If the session inactivity timeout is overwritten in the access policy, the overwritten value is used to set the persistent cookie expiration.
Cookie Options: HTTP only  

HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Use the HttpOnly flag when generating a cookie to help mitigate the risk of a client-side script accessing the protected cookie, if the browser supports HttpOnly.

When this option is enabled, only the web access management type of access (an LTM virtual server with an access policy) is supported.

SSO Authentication Across Domains (Single Domain mode) or SSO / Auth Domains SSO Configuration Predefined SSO configuration SSO configurations contain settings to configure single sign-on with an access profile. Select the SSO configuration from the list that you want applied to your domain.
SSO / Auth Domains: Authentication Domains Multiple If you specify multiple domains, populate this area with hosts or domains. Each host or domain can have a separate SSO config, and you can set persistent or secure cookies. Click Add to add each host you configure.
Accepted Languages Language strings Adds a built-in or customized language to the list of accepted languages. Accepted languages can be customized separately and can present customized messages and screens to users, if the user's default browser language is one of the accepted languages. Select a language from the Factory Builtin Languages list and click the Move button (<<) to add it to the Accepted Languages list. Select a language from the Additional Languages list and click Add to add it to the Accepted Languages list.
Factory Builtin Languages Languages in a predefined list Lists the predefined languages on the Access Policy Manager system, which can be added to the Accepted Languages list. Predefined languages include customized messages and fields for common appearance items, as opposed to Additional Languages, which must be separately customized.
Additional Languages Languages in a predefined list Lists additional languages that can be added to the Accepted Languages list, and customized on the Access Policy Manager system. These languages are populated with English messages and fields and must be individually customized using the Customization menu, as opposed to Factory Builtin Languages, which are already customized.

Verifying log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Note: Log settings are configured in the Access Policy Event Logs area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click Logs.
    The access profile log settings display.
  4. Move log settings between the Available and Selected lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.
    Note: Logging is disabled when the Selected list is empty.
  5. Click Update.
An access profile is in effect when it is assigned to a virtual server.

Adding network access to an access policy

Before you assign a network access resource to an access policy, you must:
  • Create a network access resource.
  • Create an access profile.
  • Define a network access webtop or a full webtop.
When you assign a network access resource to an access policy branch, a user who successfully completed the branch rule (which includes that access policy item) starts a network access tunnel.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. Click the name of the access profile for which you want to edit the access policy.
    The properties screen opens for the profile you want to edit.
  3. On the menu bar, click Access Policy.
    The Access Policy screen opens.
  4. In the General Properties area, click the Edit Access Policy for Profile profile_name link.
    The visual policy editor opens the access policy in a separate screen.
  5. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  6. Select one of the following resource assignment actions and click Add.
    Option Description
    Resource Assign Select the Resource Assign action to add a network access resource only. Resource Assign does not allow you to add a webtop or ACLs. If you want to add ACLs, a webtop, or webtop links after you add a Resource Assign action, you can add them with the individual actions ACL Assign and Webtop, Links and Sections Assign.
    Note: Webtop sections are for use with a full webtop only.
    Advanced Resource Assign Select the Advanced Resource Assign action to add network access resources, and optionally add a webtop, webtop links, webtop sections, and one or more ACLs.
  7. Select the resource or resources to add.
    • If you added an Advanced Resource Assign action, on the Resource Assignment screen, click Add New Entry, then click Add/Delete, and select and add resources from the tabs, then click Update.
    • If you added a Resource Assign action, next to Network Access Resources, click Add/Delete.
    If you add a full webtop and multiple network access resources, Auto launch can be enabled for only one network access resource. (With Auto launch enabled, a network access resource starts automatically when the user reaches the webtop.)
  8. Click Save.
  9. Click Apply Access Policy to save your configuration.
A network access tunnel is assigned to the access policy. You may also assign a network access or full webtop. On the full webtop, users can click the link for a network access resource to start the network access tunnel, or a network access tunnel (that is configured with Auto launch enabled) can start automatically.
After you complete the access policy, you must define a connectivity profile. In the virtual server definition, you must select the access policy and connectivity profile.

Overview: Assigning a DNS server dynamically for network access

When you configure DNS servers for a network access resource, you must specify IP addresses. You do not have the option to enter a session variable instead. You can still assign a DNS server dynamically to a network access tunnel if you do so from the access policy using the Variable Assign agent.

Task summary

About maximum expression size for visual policy editor

The maximum size for an expression in the visual policy editor is 64 KB. The visual policy editor cannot save an expression that exceeds this limit.

Assigning DNS servers dynamically to a network access tunnel

Before you begin, you need to have a network access configuration, including an access policy. Open the access policy for editing.
You require that DNS name servers be assigned dynamically to a network access tunnel. (For example, you might want to assign DNS name servers based on the landing URI.)
  1. On an access policy branch, click the (+) icon to add an item to the access policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  2. Type var in the search field, select Variable Assign from the results list, and click Add Item.
    The Variable Assign properties screen opens.
  3. Assign the addresses of the DNS name servers to custom variables so that they are available for assignment later in the policy.
    You can create custom variables for multiple DNS name servers.
    1. Click Add new entry.
      An empty entry appears in the Assignment table.
    2. Click the change link next to the empty entry.
      A dialog box opens, where you can enter a variable and an expression.
    3. From the left-side list, retain Custom Variable (the default), and type a variable name.
      For example, type session.custom.tunnel-dns-serverA .
    4. From the right-side list, select Text, and type the IP address for the DNS name server.
    5. Click Finished.
      The popup screen closes.
    6. To assign custom variables for additional DNS name servers, repeat the previous substeps.
    7. Click Save.
      The properties screen closes. The visual policy editor displays.
  4. Insert an additional Variable Assign action into the access policy at the point where the policy logic dictates the assignment of a particular DNS name server to a network access tunnel.
    After you insert the Variable Assign action, a popup properties screen displays.
  5. On the popup properties screen, create an entry to assign DNS name servers (stored in a previously created custom session variables) for the Network Access tunnel resource.
    1. Click Add new entry.
      An empty entry appears in the Assignment table.
    2. Click the change link next to the empty entry.
      A dialog box opens, where you can enter a variable and an expression.
    3. From the left-side list, retain Custom Variable (the default), and type this variable name: config.connectivity_resource_network_access. na1 .dns
      Important: You must replace na1 with the name of the network access resource that you have assigned to the access policy.
    4. From the right-side list, retain Custom Expression (the default), and type this expression: expr { "<dns_primary>[mcget session.custom.tunnel-dns-serverA]</dns_primary><dns_secondary>[mcget session.custom.tunnel-dns-serverB]</dns_secondary>" }
      Important: You must replace session.custom.tunnel-dns-serverA and session.custom.tunnel-dns-serverB with the names you used for the custom variables that you created previously.
      Note: Using the <dns> tag to enclose <dns_primary> and <dns_secondary> tags is optional and remains syntactically valid : { "<dns><dns_primary>...</dns_secondary></dns>" }.
    5. Click Finished.
      The popup screen closes.
  6. Click Save.
    The properties screen closes and the visual policy editor displays.
You added Variable Assign items to specify DNS name servers and to assign them dynamically.
Policy with Landing URI followed by 2 branches, Alpha and Beta. A Variable Assign DNS x follows each where x is A or B