Access Policy Manager (APM) interacts with authentication, authorization, and accounting (AAA) servers that contain user information. APM supports these AAA servers: RADIUS (authentication and accounting), Active Directory (authentication and query), LDAP (authentication and query), CRLDP, OCSP Responder, TACACS+ (authentication and accounting), SecurID, Kerberos, and HTTP.
A typical configuration includes:
Using AAA high availability with APM, you can configure multiple authentication servers to process requests, so that if one authentication server goes down or loses connectivity, the others can resume authentication requests, and new sessions can be established. APM supports these AAA servers for high availability: RADIUS, Active Directory, LDAP, CRLDP, and TACACS+.
A typical configuration includes:
When an AAA server supports high availability, you can configure a pool for it in the AAA configuration itself. An AAA server does not load balance over a pool that is attached to a virtual server.
To use route domains for AAA authentication traffic, you must use the pool option in the AAA server configuration. When Use Pool is the selected Server Connection option, the server address field can take an IP address with route domain ( IPAddress%RouteDomain ) format. The route domain value is ignored when the AAA server is configured to connect directly to a single server.
You can add multiple authentication types to an access policy. For example, a user who fails Active Directory authentication might then attempt RADIUS authentication. Or, you might require authentication using a client certificate and then an AAA server.
You can add an authentication item anywhere in the access policy. Typically, you place authentication items somewhere after a logon item.
Access Policy Manager (APM) supports these types of certificate authentication.
Before systems on a network can authenticate one another using SSL, you must install one or more SSL certificates on the BIG-IP system. An SSL certificate is a certificate that a BIG-IP system device presents to another device on the network, for authentication purposes. An SSL certificate can be either a self-signed certificate or a trusted CA certificate.
When you install BIG-IP software, the application includes a self-signed SSL certificate named Default. A self-signed certificate is an authentication mechanism that is created and authenticated by the system on which it resides.
If your network includes one or more certificate authority (CA) servers, you can replace the self-signed certificate on each BIG-IP system with a trusted CA certificate, that is, a certificate that is signed by a third party. Authenticating BIG-IP systems using trusted CA certificates is more secure than using self-signed certificates.
To ease the task of creating certificate requests and sending them to certificate authorities for signature, the BIG-IP system provides a set of certificate management screens within the BIG-IP Configuration utility.
Access Policy Manager (APM) supports authentication against a database that you create on the BIG-IP system using the Configuration utility. You can employ a local user database for on-box authentication or to control access to external AAA servers.
A typical configuration includes:
Access Policy Manager (APM) supports guest access with one-time password generation and verification. A typical configuration includes:
Access Policy Manager (APM) supports NTLM and HTTP basic authentication for Microsoft Exchange clients and for this support requires an Exchange profile, created in the Configuration utility. Configuration requirements for NTLM and HTTP basic authentication for Microsoft Exchange clients are otherwise distinct.
You can access all of the following BIG-IP system documentation from the AskF5 Knowledge Base located at https://support.f5.com/.
|BIG-IP Access Policy Manager: Application Access||This guide contains information for an administrator to configure application tunnels for secure, application-level TCP/IP connections from the client to the network.|
|BIG-IP Access Policy Manager: Authentication and Single-Sign On||This guide contains information to help an administrator configure APM for single sign-on and for various types of authentication, such as AAA server, SAML, certificate inspection, local user database, and so on.|
|BIG-IP Access Policy Manager: Customization||This guide provides information about using the APM customization tool to provide users with a personalized experience for access policy screens, and errors. An administrator can apply your organization's brand images and colors, change messages and errors for local languages, and change the layout of user pages and screens.|
|BIG-IP Access Policy Manager: Edge Client and Application Configuration||This guide contains information for an administrator to configure the BIG-IP system for browser-based access with the web client as well as for access using BIG-IP Edge Client and BIG-IP Edge Apps. It also includes information about how to configure or obtain client packages and install them for BIG-IP Edge Client for Windows, Mac, and Linux, and Edge Client command-line interface for Linux.|
|BIG-IP Access Policy Manager: Implementations||This guide contains implementations for synchronizing access policies across BIG-IP systems, hosting content on a BIG-IP system, maintaining OPSWAT libraries, configuring dynamic ACLs, web access management, and configuring an access policy for routing.|
|BIG-IP Access Policy Manager: Network Access||This guide contains information for an administrator to configure APM Network Access to provide secure access to corporate applications and data using a standard web browser.|
|BIG-IP Access Policy Manager: Portal Access||This guide contains information about how to configure APM Portal Access. In Portal Access, APM communicates with back-end servers, rewrites links in application web pages, and directs additional requests from clients back to APM.|
|BIG-IP Access Policy Manager: Secure Web Gateway||This guide contains information to help an administrator configure Secure Web Gateway (SWG) explicit or transparent forward proxy and apply URL categorization and filtering to Internet traffic from your enterprise.|
|BIG-IP Access Policy Manager: Third-Party Integration||This guide contains information about integrating third-party products with Access Policy Manager (APM). It includes implementations for integration with VMware Horizon View, Oracle Access Manager, Citrix Web Interface site, and so on.|
|BIG-IP Access Policy Manager: Visual Policy Editor||This guide contains information about how to use the visual policy editor to configure access policies.|
|Release notes||Release notes contain information about the current software release, including a list of associated documentation, a summary of new features, enhancements, fixes, known issues, and available workarounds.|
|KB articles||Knowledge base articles are responses and resolutions to known issues, additional configuration instructions, and how-to information.|