Manual Chapter: Manage Access Groups

Applies To:

BIG-IQ Centralized Management

  • 7.0.0, 6.1.0, 6.0.1
Manage Access Groups

How do I start to centrally manage APM configurations from BIG-IQ?

Here is an overview of your first steps for setting up an Access Policy Manager® (APM®) configuration once, and then being able to deploy that configuration from the BIG-IQ® system to other BIG-IP® devices.

Step 1. Add the BIG-IP device to the inventory list on the BIG-IQ system. You enter the IP address and credentials of the BIG-IP device you're adding, and associate it with a cluster (if applicable).

Step 2. Manage the APM configuration by adding to the existing Access group or creating a new Access group. You can create an Access group with or without a device.

Note: For more information, refer to the BIG-IQ Centralized Management: Device guide.

What is the best way to create an Access group?

You can create an Access group in either of two ways. Use whichever you prefer, based on your requirements.

  • In the Configuration tab, create an Access group without attaching a device.
  • In the Configuration tab, create an Access group by attaching a device.

Add devices to the BIG-IQ inventory

Before you can add BIG-IP devices to the BIG-IQ inventory:

  • The BIG-IP device must be located in your network and running a compatible software version. Refer to https://support.f5.com/csp/article/K14592 for more information.
  • The management IP address of the BIG-IP device (or whichever alternative IP address you use to add the device to the BIG-IQ inventory) must be reachable from BIG-IQ on the management ports, typically ports 22 and 443. Ports 22 and 443 and the management IP address are open by default on BIG-IQ.
Note: A BIG-IP device running versions 10.2.0 - 11.5.0 is considered a legacy device, and cannot be discovered from BIG-IQ version 5.2. If you were managing a legacy device in a previous version of BIG-IQ and upgraded to version 5.2, the legacy device displays as impaired with a yellow triangle next to it in the BIG-IP Devices inventory. To manage it, you must upgrade it to version 11.5.0 or later. For instructions, refer to the section titled Upgrading a Legacy Device.
Note: Access supports BIG-IP system software version 12.1 and 13.0 only.
You add BIG-IP devices to the BIG-IQ system inventory as the first step to managing them.
  1. At the top of the screen, click Devices.
  2. Click the Add Device button.
  3. In the IP Address field, type the IPv4 or IPv6 address of the device.
  4. In the User Name and Password fields, type the user name and password for the device.
  5. To add this device to a new cluster:
    Important: If a device is not a member of a Sync-Failover group that you configured to support an Active-Standby configuration for APM, do not add it to a cluster.
    If the device is the first member of a Sync-Failover group that you have added to the BIG-IQ system, add it to a new cluster. It does not matter whether this device is the Active or the Standby member of the group.
    1. From the Cluster Display Name list, select Create New, and then type a new name for this new cluster.
      A cluster name must be unique on the BIG-IQ system. It does not need to match the name of the Sync-Failover group on the BIG-IP device. However, ensuring some similarity between the names might be useful to you, because when you add the second member of the group, you must add it to the same cluster.
    2. Select an option from the Deployment Settings:
    • Initiate BIG-IP DSC sync when deploying configuration changes (Recommended) Select this option to prompt BIG-IQ to start the DSC synchronization process so that any configuration change made to this device is synchronized with other members of the DSC. This option makes sure all members of the DSC have the most current configuration.
    • Ignore BIG-IP DSC sync when deploying configuration changes Select this option to have BIG-IQ deploy any configuration changes for this device to all cluster members. Use this option only if this device is not configured in a DSC Sync-Failover device group, or if any members of the cluster are disabled.
  6. To add this device to an existing cluster:
    If the device is the second member of a Sync-Failover group that you have added to the BIG-IQ system, add the device to the existing cluster for that Sync-Failover group.
    1. From the Cluster Display Name list, select Use Existing, and then select the cluster from the list.
    2. Select an option from the Deployment Settings:
    • Initiate BIG-IP DSC sync when deploying configuration changes (Recommended) Select this option to prompt BIG-IQ to push any configuration changes to this device to other members of the DSC. This option makes sure all members of the DSC have the most current configuration.
    • Ignore BIG-IP DSC sync when deploying configuration changes Select this option to have BIG-IQ deploy any configuration changes for this device to all cluster members. Use this option only if this device is not configured in a DSC Sync-Failover device group, or if any members of the cluster are disabled.
  7. Click the Add button at the bottom of the screen.
    The BIG-IQ system opens communication to the BIG-IP device, and checks the BIG-IP device framework.
    Note: The BIG-IQ system can properly manage a BIG-IP device only if the BIG-IP device is running a compatible version of the REST framework.
  8. Click the Add button at the bottom of the screen.
    When complete, a popup screen displays a status and options to discover device service configurations immediately.
  9. To discover configurations for APM and LTM now, select the Access Policy Manager (APM) check box (the Local Traffic Manager (LTM) check box is selected automatically), and then click Discover.
    You can discover service configurations now or do it later.
    BIG-IQ discovers the configurations for the APM and LTM services.
BIG-IQ displays a discovering message in the Services column of the inventory list.

Create an Access group from the Configuration tab

You create an Access group to start managing the Access configuration for a group of BIG-IP devices.
Note: When you create an Access group, the service configurations for the devices are imported.
Important: You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the Create button.
    The New Access Group screen opens.
  3. In the Name field, type a name for the Access group.
  4. From the Device list, select the device to be the source of the shared configuration for other devices in the group. Conversely, select None to create an Access group without a device.
  5. From the Device Version list, select the BIG-IP version associated with the device.
    The list displays the BIG-IP versions supported by the BIG-IP system. You can edit this option only if you did not select a device for this Access group. If you selected a device, the system automatically populates this option and disables editing.
  6. For Supports SWG, click the check box to create an Access group that manages devices with SWG data.
    You can edit this option only if you did not select a device for this Access group. If you selected a device, the system automatically populates this option and disables editing.
  7. Click Create.
    The Access Groups screen opens. Progress information displays in the Status column.

Add a device to an Access group from the Configuration tab

Before you start, you must have at least one device with the APM service discovered. You must also have imported the LTM service configuration from the device before you can add that device to an Access group.
You add a device to an Access group so you can manage its configuration from Access. When you add a device to an existing Access group, its device-specific configuration resources are imported into Access. A device can only belong to one Access group.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group you want to change.
    The General Properties screen for the access group displays, listing the devices in the Access group.
  3. Click Add Device.
    The Add Device popup screen displays.
  4. For Device, select the device from the menu.
  5. (Optional) To create a snapshot of the existing configuration, for Snapshot, select the check box Create a snapshot of the current configuration before importing.
  6. Click Add.
    The popup screen closes, displaying the Access Groups screen. The new device displays under the Devices list.

Reimport an Access group configuration or device-specific configuration

You must have an existing Access group.
You can reimport a shared Access group configuration or a device-specific configuration from any device in an Access group. This reduces the need to edit the configuration by hand.
Note: You can reimport from the Access Groups screen.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click Reimport.
  3. For the Configuration Type option, select whether you want to import both the shared Access group configuration and the device-specific configuration, or just the device-specific configuration.
  4. (Optional) For the Snapshot option, select whether you want to create a snapshot of the current configuration before importing.
  5. Click Reimport.
You now have reimported an existing configuration.

Remove a device from an Access group

You remove a device from an Access group if you no longer want to manage the Access configuration for the device, or if you want to add the device to a different Access group. An Access group can exist in the BIG-IQ system without any devices. You can remove all devices from an Access group, leave it empty, and then add new devices later.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group you want to change.
    The properties screen for that group opens, listing the devices in the Access group.
  3. Select the check box for the device you want to remove and click Remove.
    A confirmation popup screen opens.
  4. Confirm that you want to remove the device.
    The device no longer displays in the Access group. The APM service configuration on the device is no longer managed.
Before you can see new data from the device in Access reports or add the device to another Access group, you must discover the APM service configuration on the device.

Remove an Access group

You remove an Access group that you previously created.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Select the check box next to an existing Access group.
    The Remove button becomes available and a message displays.
  3. In the Remove Access Group Configuration? message window, click OK.
You have removed an Access group from your BIG-IQ system.

Create an Access group from the Devices tab

Before you can create an Access group, you must discover at least one device. You must import the LTM service configuration from a device before you can add that device to an Access group.
You create an Access group to start managing the Access configuration for a group of devices.
Note: When you create an Access group, the service configurations for the devices are imported.
Important: You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. At the top of the screen, click Devices > BIG-IP CLUSTERS > Access Groups.
    The Access Groups screen opens.
  2. Click the Create button.
    The New Access Group screen opens.
  3. In the Name field, type a name for the Access group.
  4. From the Device list, select the device to be the source of the shared configuration for other devices in the group.
    You must create an Access group with a device attached.
  5. For Supports SWG, select the check box to create an Access group that manages devices with SWG data.
    You can edit this option only if you did not select a device for this Access group. If you selected a device, the system automatically populates this option and disables editing.
  6. Click Create.
    The Access Groups screen opens. Progress information displays in the Status column.

Discover the LTM and APM service configurations

Before you can import configurations from a device, you must first discover them. To prepare to create an Access configuration on the BIG-IQ system, you must discover the Local Traffic Manager (LTM) service configuration, and then discover the Access Policy Manager (APM) service configuration.
  1. At the top of the screen, click Devices.
  2. Click the name of the device you want to discover the service configuration from.
  3. On the left, click Services.
  4. For Local Traffic Manager (LTM), click Discover.
    You must wait for discovery to complete before you continue.
  5. For Access Policy Manager (APM), click Discover.

Import the LTM service configuration

You must discover a service configuration before you can import it.
Before you can import the Access Policy Manager (APM) service configuration from a discovered device, you must import the Local Traffic Manager (LTM) service configuration.
Important: You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. At the top of the screen, click Devices.
  2. Click the name of the device you want to import the service configuration from.
  3. On the left, click Services.
  4. For Local Traffic Manager (LTM), select the Create a snapshot of the current configuration before importing check box to save a copy of the device's current configuration.
    You're not required to create a snapshot, but it is a good idea in case you have to revert to the previous configuration for any reason.
  5. For Local Traffic Manager (LTM), click Import.
    The LTM Import screen opens.
  6. Click Proceed to Import.
The LTM service configuration is imported. Click the back arrow to return to the previous screen.

Import the APM configuration into an Access group

You must discover a service configuration before you can import it.
You import Access Policy Manager (APM) configuration objects from a device to manage the device configuration from the BIG-IQ system. As part of the import process, you select an Access group.
Important: You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. Click the name of the device you want to import the service configuration from.
  2. On the left, click Services.
  3. For Access Policy (APM), select the Create a snapshot of the current configuration before importing check box to save a copy of the device's current configuration.
    You're not required to create a snapshot, but it is a good idea in case you have to revert to the previous configuration for any reason.
  4. For Access Policy (APM), click Import.
  5. On the Add to Access Group popup screen, specify either a new or existing Access group:
    • Select Create New, in the Name field type a name, and click Add.
    • Select Add to existing, select a name from the Name list, and click Add.
    Important: You must add both members of an HA pair to the same Access group.
The APM service configuration is imported.

Add a device to an Access group from the Devices tab

Before you add a BIG-IP APM device, you must discover at least one device with the APM service. You must also import the LTM service configuration from the device before you can add that device to an Access group.
You add a device to an Access group so you can manage its configuration from Access. When you add a device to an existing Access group, its device-specific configuration resources are imported into Access. A device can only belong to one Access group.
  1. At the top of the screen, click Devices.
  2. On the left, click BIG-IP DEVICES.
  3. Click the Add Device button.
  4. In the IP Address field, type the IPv4 or IPv6 address of the device.
  5. In the Port field, type the management port for this BIG-IP device.
    The port number must be between 4 and 65535. In many cases, it's the default port 443.
    Note: Chrome and Safari browsers don't allow access to web applications running on port 65535. So if you use port 65535 as the management port, you won't be able to access the BIG-IP device's interface from BIG-IQ when using Chrome or Safari. You can still discover and manage BIG-IP devices that are using port 65535.
  6. In the User Name and Password fields, type the user name and password for the device.
  7. If this device is part of a DSC pair, for the Cluster Display Name setting, specify how to handle it:
    • For an existing DSC pair, select Use Existing from the list, and then select the name of your DSC group from the next list.
    • To create a new DSC pair, select Create New from the list, and type a name in the field.
    For BIG-IQ to properly associate the two devices in the same DSC group, the Cluster Display Name must be the same for both members in a group.
    There can be only two members in a DSC group.
  8. If this device is configured in a DSC pair, for the Deployment Settings, specify how to handle it:
    • Initiate BIG-IP DSC sync when deploying configuration changes (Recommended): Select this option if this device is part of a DSC pair and you want this device to automatically synchronize configuration changes with the other member in the DSC group.
    • Ignore BIG-IP DSC sync when deploying configuration changes: Select this option if you want to manually synchronize configurations changes between the two members in the DSC group.
  9. Click the Add button at the bottom of the screen.
    The BIG-IQ system opens communication to the BIG-IP device, and checks the BIG-IP device framework.
    Note: The BIG-IQ system can properly manage a BIG-IP device only if the BIG-IP device is running a compatible version of the REST framework.
  10. If a framework upgrade is required, in the popup window, in the Root User Name and Root Password fields, type the root user name and password for the BIG-IP device, and click Continue.
  11. If, in addition to basic management tasks (like software upgrades, license management, and UCS backups), you also want to centrally manage this device's configurations for licensed services, select the check box next to each service you want to discover, and then click Continue.
    You can also select these service configurations after you add the BIG-IP device to the inventory.
  12. Click the Add button at the bottom of the screen.

Working with default service templates for Access

The BIG-IQ system ships with a set of Access-specific default service templates that you can use as starting points to allow authentication and access control for web applications behind local traffic virtual servers. You can clone these service templates and edit the cloned templates to add access security to your applications.

Restriction: You currently cannot deploy service templates with Amazon Web Services (AWS).

The table shows the included default service templates.

  • Default-f5-HTTPS-offload-lb-Access-AD-Authentication-template: For load balancing an HTTPS application on port 443 with SSL offloading on the BIG-IP device, and securing application access using AD authentication.
  • Default-f5-HTTPS-offload-lb-Access-LDAP-Authentication-template: For load balancing an HTTPS application on port 443 with SSL offloading on the BIG-IP device, and securing application access using LDAP authentication.
  • Default-f5-HTTPS-offload-lb-Access-RADIUS-Authentication-template: For load balancing an HTTPS application on port 443 with SSL offloading on the BIG-IP device, and securing application access using RADIUS authentication.
As a prerequisite for working with these service templates, you must have an Access group configured to manage the Service Scaling Group devices.
Follow these tasks to create a new service template using a default service template for access.
  1. Clone an access policy from the default-access-group to the Access group associated with the Service Scaling Group.
  2. Edit the resources associated with the cloned access policy.
  3. Make the cloned policy available in templates.
  4. In the Service Catalog, clone the default associated service template.
  5. Associate the cloned Access Policy with the cloned service template and publish the service template.
  6. Deploy the application using the customized cloned template.
  7. To enable Access statistics, enable the remote logging configuration at Monitoring > Dashboard > Access > Remote Logging.

Clone an access policy from the default-access-group

Before you can clone policies, you must have an Access group configured for your Service Scaling Group.
Important: Do not edit access policies or configurations in the default Access group.
You clone a default access policy to create a starting point for defining access policies for an Access group.
Note: Do not edit default access policy templates. Clone a policy, then make any required edits in the cloned policy.
  1. Click Configuration > ACCESS > Access Groups.
    The Access Groups screen opens.
  2. Click default-access-group.
    The default-access-group General Properties screen opens.
  3. On the left, click Per-Session Policies.
    The Per-Session Policies (Shared) screen opens.
  4. Select the check box next to an access policy to clone, and click More > Clone.
  5. In the Clone Policy dialog box that opens, select the target Access group, and select whether to reuse existing objects from the target Access group, then click Clone.
  6. Check the target Access group to see that the target policy has been cloned.
Now you can edit the access policy, and the related objects created to support it on the target access group.

Review and edit resources associated with an access policy

When you clone an access policy, the associated resources are also cloned. You can review and edit these resources, if necessary, on the target Access group.
  1. Click Configuration > ACCESS > Access Groups.
    The Access Groups screen opens.
  2. Click the name of the Access group to which you cloned the access policy.
    The properties screen for that group opens.
  3. Review the associated resources, and edit as necessary.

Resources associated with a cloned access policy

These tables list resources that are cloned when you clone an access policy from the default-access-group. You should review and edit these resources, if necessary, on the target access group. Edit these resources from the access group (Configuration > ACCESS > Access Groups).

Table 1. default_ad_auth_policy created resources
  • default_ad_auth_policy_aaa_srvr: The Active Directory server information for the access policy. Path: AUTHENTICATION > Active Directory > Active Directory
  • default_ad_auth_policy_sso: The SSO configuration for the access policy. Path: Single Sign-On > SSO Summary
  • default-log-setting: Log settings for the AD auth policy. Path: EVENT LOGS SETTINGS
Table 2. default_ldap_auth_policy created resources
  • default_ldap_auth_policy_aaa_srvr: The LDAP authentication server information for the access policy. Path: AUTHENTICATION > LDAP
  • default_ldap_auth_policy_sso: The SSO configuration for the access policy. Path: Single Sign-On > SSO Summary
  • default-log-setting: Log settings for the LDAP auth policy. Path: EVENT LOGS SETTINGS
Table 3. default_radius_auth_policy created resources
  • default_radius_auth_policy_aaa_srvr: The RADIUS authentication server information for the access policy. Path: AUTHENTICATION > RADIUS
  • default_radius_auth_policy_sso: The SSO configuration for the access policy. Path: Single Sign-On > SSO Summary
  • default-log-setting: Log settings for the RADIUS auth policy. Path: EVENT LOGS SETTINGS

Make an access policy available in templates

You can make an access policy available in templates, so that you can select it in a service template, and apply the settings from that policy to devices in a Service Scaling Group.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group.
    A new screen displays the Access group properties.
  3. On the left, expand Access Policies, and click Per-Session Policies.
    A new screen opens, showing a list of access policies associated with this Access group.
  4. Select the check box next to the access policy.
  5. Click More > Make Available in Templates.
    A dialog box informs you that the policy is published.
  6. Click Close.

Clone the service template

You clone a default service template to create a new service template that has the same characteristics as the existing template and that you can then modify.
  1. Click Applications > SERVICE CATALOG.
    The Service Catalog screen opens.
  2. Select the check box next to the name of the service template you want to clone.
    For example, if you want to clone a service template for LDAP authentication, select Default-f5-HTTPS-offload-lb-Access-LDAP-Authentication-template.
  3. Click More > Clone.
  4. In the dialog box that opens, type the name for the cloned service template, then click Clone.
    The Edit Template screen opens.
  5. Make any changes required to the service template.
  6. On the left, click SECURITY POLICIES.
  7. Scroll down to Access, and select the Access group whose access policies you want to use.
    Select the Access group to which you cloned default access policies, or in which you created new access policies for this service template.
  8. In the Virtual Server area, for the virtual server providing the access service, from the Type list select Access Profile.
  9. From the APM Policy/Profile list select the access policy you created.
    Note: Do not associate an APM policy or profile with the redirect virtual server.
  10. Click Save & Close.
    The Service Catalog screen opens.
  11. Select the check box next to the service template you created, and click Publish.
The service template is saved and published.
You can now use the published template to create applications.