Manual Chapter: Common Elements for the Visual Policy Editor in Access Policy Manager
Applies To: BIG-IP APM
- 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
- On a policy branch, click the (+) icon to add an item to the policy. A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
- On a policy branch, click the (+) icon to add an item to the policy.
- On a policy branch, click the (+) icon to add an item to the policy. Repeat this action from the visual policy editor whenever you want to add an item to the policy. A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
- On the fallback branch after the previous action, click the (+) icon to add an item to the policy. A popup screen opens.
- On the Successful branch after the previous action, click the (+) icon. A popup screen opens.
- On a policy branch, click the (+) icon.
- On the menu bar, click Access Policy. Access policy settings display.
- Click the X symbol on a policy item to delete the item from the policy.
- Click the Save button to save changes to the access policy item.
- Click Save. The properties screen closes and the policy displays.
- Click an ending on a policy branch to change the ending type.
- Click Add Item. A properties screen opens.
- Make any changes that you require to the properties and click Save. The properties screen closes and the policy displays.
- Select an option to delete the item from the policy, and then click the Delete button.
  - Connect previous node to branch_name branch: Connects the input branch of the policy item you delete to the specified output branch rule. This option removes the policy item but preserves the branch that you specify, so policy items you have configured on the specified branch are preserved.
  - Delete all branches: Deletes all branches originating from the policy item you delete. This option removes the policy item and does not preserve any branch rules configured on any of its output branches, nor the policy items that follow it.
- Change the Successful rule branch from Deny to Allow, and then click the Save button.
- To grant access at the end of any branch, change the ending from Deny to Allow:
  - Click Deny. The default branch ending is Deny. A popup screen opens.
  - Select Allow and click Save. The popup screen closes. The Allow ending displays on the branch.
- Select the Authentication tab. The tab displays a list of authentication actions.
- To verify user identity by client IP address:
  - Click the Authentication tab.
  - Select Transparent Identity Import.
  - Click Add Item. Transparent Identity Import imports user identity information from an IF-MAP server and assesses whether the IP address is associated with a known user. A Properties screen opens.
  - On the Associated branch of the Transparent Identity Import item, add any other actions that you want to perform before allowing access. For example, get more information about the user by adding an LDAP query. Based on the result of the query, assign resources by adding Resource Assignment or Advanced Resource Assignment items.
- Select OCSP Auth, and then click Add Item. A properties popup screen opens.
- From the OCSP Responder list, select an OCSP responder.
- On the Assignment tab, select the Resource Assign agent, and then click Add Item. The Resource Assignment screen opens.
- Next to each type of resource that you want to assign (Network Access, Portal Access, App Tunnel, Remote Desktop, or SAML), click the Add/Delete link, and select from available resources.
- Next to the App Tunnel setting, click the Add/Delete link, and select the application tunnel to assign.
- Next to the Webtop, Webtop Links, and Webtop Sections links, click the Add/Delete link, and select the webtop, webtop links, and webtop sections to assign. You can assign only one webtop, though you can assign multiple webtop links and sections.
- On the Assignment tab, select the Advanced Resource Assign agent, and then click Add Item. The Resource Assignment screen opens.
- On the Assignment tab, select SSO Credential Mapping and click Add Item. A properties screen opens.
- On the Assignment tab, select Variable Assign and click Add Item. A properties screen opens.
- On the Assignment tab, select the Webtop, Links and Sections Assign agent and click Add Item. The Webtop, Links and Sections Assignment screen opens.
- Click the change link in the Expression area. A popup screen opens.
- On the Simple tab of the Expression popup screen, click the X symbol next to an expression to delete that expression.
- In the Name field, type a name for the policy item. This name is displayed in the action field for the policy.
- In the Name field, replace the default name by typing a new name over it. The default name is Branch Rule n, where n is a number. The name appears on the branch in the policy and so should be descriptive.
- Click the Branch Rules tab to edit a branch rule.
- Click the Branch Rules tab. The Branch Rules screen opens.
- Click the Add Branch Rule button. New Name and Expression settings display.
- Click the Advanced tab. Use this tab to enter Tcl expressions. A text input field displays.
- Click Finished. The popup screen closes.
- Click the Add Branch Rule button to add a branch rule. Select a rule from the Insert Before list to add the new rule in a specific order.
- Click the Add New Macro button to add a macro from a template to the Add Item popup screen.
- Click the Edit Endings button to create and edit policy endings.
- Click the Apply Access Policy link to apply and activate the changes to the policy.
- Click Add new entry to add an entry to the list. To add the entry at a specific place in the list, select the item number before which the new item should appear from the Insert Before list. A new line is added to the list of entries.
- Click Add new entry to add another entry to the list. To add the entry at a specific place in the list, select the item number before which the new item should appear from the Insert Before list. A new line is added to the list of entries.
- Click Add new entry. A new line is added to the list of entries.
- Click the X next to an entry in the list to remove that entry.
- Select Save to save any changes and return to the policy.
- Populate the property fields, referring to online help for more information, and then select Save to save any changes and return to the visual policy editor.
- On the Endpoint Security (Server-Side) tab, select Client Type, and then click Add Item. The Client Type action identifies clients and enables branching based on the client type. A properties screen opens.
- Type geo in the search field, select IP Geolocation Match from the results list, and then click Add Item. The default setting for the IP Geolocation Match policy item is to check that the country code for the IP address is US. A properties screen opens.
- Click Add new entry. An Empty entry displays.
- Click the Add/Delete link below the entry. The screen changes to display resources that you can add and delete.
- Click the Add/Delete link below the entry. The screen changes to display resources on multiple tabs.
- From General Purpose, select Citrix Smart Access and click Add Item. The Variable Assign: Citrix Smart Access properties screen opens.
- Type the name of a Citrix SmartAccess filter in the open row under Assignment. A filter can be any string. Filters are not hardcoded, but must match filters that are configured in the XenApp server for application access control or a user policy. In the XenApp server, you must specify APM as the Access Gateway farm when you configure filters.
- To add another filter, click Add entry and type the name of a Citrix filter in the open row under Assignment.
- When you are done adding filters, click Save to return to the visual policy editor.
- Click Add new entry. An empty entry displays in the Assignment table.
- Click the change link next to the empty entry. A dialog box, where you can enter a variable and an expression, opens.
- Click Finished to save the variable and expression and return to the Variable Assign action popup screen.
- On the Assignment tab, select Advanced Resource Assign and click Add Item. The properties screen opens.
- Select the Remote Desktop tab. A list of remote desktop resources is displayed.
- Select a remote desktop resource and click Update. The properties screen opens, where Remote Desktop and the name of the selected resource are displayed.
- Select the Webtop tab. A list of webtops is displayed.
- Select a webtop and click Update. The screen changes to display properties, and the name of the selected webtop is displayed.
- On the Webtop tab, select a full webtop.
- On the Static ACL tab, select an ACL that rejects all connections. Adding an ACL that is last in order and rejects all connections keeps users from accessing any host and port combinations other than those to which they have been explicitly allowed access by the other ACLs assigned to the policy.
- Select any other resources that you want to assign to the policy. If you assign a Network Access resource to the policy, be sure to also assign an ACL that allows access to the resources that you want users to have. Otherwise, the ACL that rejects all connections blocks access. If you assign a Portal Access resource to the policy, be sure to also assign an ACL that allows access to all parts of the web sites specified in the start URI or hosted content fields of the Portal Access configuration. Otherwise, the ACL that rejects all connections blocks access.
- Click Add Expression. The expression displays.
- Click Add Expression. New properties display.
- Type var in the search field, select Variable Assign from the results list, and then click Add Item. The Variable Assign properties screen opens.
- On the Endpoint Security (Server-Side) tab, select Client for MS Exchange and click Add Item to add the action to the policy. The Client for MS Exchange action popup screen opens.
- On the Logon tab, select Logon Page and click the Add Item button. The Logon Page Agent properties screen opens.
- Make any changes that you require to the logon page properties and click Save. The properties screen closes and the policy displays.
- Add one or more authentication checks on the fallback branch after the Logon Page action. Select the authentication checks that are appropriate for application access at your site.
- Click the Close button to close the visual policy editor.
- Add any other branches and actions that you need to complete the policy.
- Complete the policy:
  - Add any additional policy items you require.
  - Change the ending from Deny to Allow on any access policy branch on which you want to grant access.
- On the Assignment tab, select the AD Group Resource Assign agent, and then click Add Item. The AD Group Resource Assign screen opens, displaying a blank entry in the Groups area.
- On the Assignment tab, select the LDAP Group Resource Assign agent, and then click Add Item. The LDAP Group Resource Assign screen opens.
- In the Groups area, click the edit link for the entry that you want to update. A popup screen opens to the Groups tab.
- If you need to add a group, in the New Group field, type the name of a group that exists on the server and click Add group manually. When the access policy runs, this action queries the group names using the memberOf attribute in the directory. The group displays in the list on the Groups tab.
- Select at least one group.
- Repeat these steps for each type of resource that you require. The screen displays one tab for each resource type.
- Click a tab.
- Select the resources that you want to assign to the selected groups. Typical resource assignment rules apply. For example, you can assign multiple webtop links to a group, but you can assign only one webtop.
- After you assign items, click the Update button. The AD Group Resource Assign screen opens, and shows the current assignments as an entry in the Groups table.
- Click the Update button. The LDAP Group Resource Assign screen opens, and displays the groups and resources in the entry in the Groups table.
- To identify a user transparently using information provided by a Secure Web Gateway (SWG) user identification agent, perform these steps. For this step of the access policy to succeed, you must have installed and configured either the F5 DC Agent or the F5 Logon Agent. Either agent is supported only on a BIG-IP system with an SWG subscription.
  - On a policy branch, click the plus symbol (+) to add an item to the policy.
  - From the Authentication tab, select Transparent Identity Import and click Add Item. The Transparent Identity Import access policy item searches the database in the IF-MAP server for the client source IP address. By default, this access policy item has two branches: associated and fallback. A properties screen opens.
  - Click Save. The visual policy editor opens.
  - Add any additional access policy items to the fallback or associated branches. For example, you might add Kerberos authentication on the fallback branch.
- Assign an SWG scheme to the policy. Scheme assignment is mandatory.
  - Click the (+) icon anywhere in the policy to add a new action item.
  - On the Assignment tab, select SWG Scheme Assign and click Add Item. A properties screen opens.
  - To display the available schemes, click the Add/Delete link.
  - Select one scheme and click Save. The properties screen closes and the policy displays.
- On the Authentication tab, select AD Auth. A properties screen displays.
- From the Server list, select a server.
- To support Citrix Receiver clients, you must set Max Logon Attempts to 1.
- On the Authentication tab, select LocalDB Auth. A properties screen displays.
- From the LocalDB Instance list, select a local user database.
- From the Max Logon Attempts Allowed list, select a number from 1 to 5. The default is 3. If the user fails to log in after this number of tries, the user is locked out.
- Type local in the search field. Search is not case-sensitive. A list of matching actions is displayed.
- Select Local Database and click Add Item. A properties screen displays.
- Add a Local Database action. A properties screen for the action opens.
- In the User Name field, retain the default session variable or type another variable name or a user name.
- To support APM On-Demand certificate authentication, type the name of a NATIVE cipher in the Ciphers field. The list of supported NATIVE ciphers includes these:
  - RC4-MD5
  - RC4-SHA
  - AES128-SHA
  - AES256-SHA
  - DES-CBC3-SHA
  - DES-CBC-SHA
  - EXP1024-RC4-MD5
  - EXP1024-RC4-SHA
  - EXP1024-DES-CBC-SHA
  - EXP-RC4-MD5
  - EXP-DES-CBC-SHA
  - NULL-MD5
  - NULL-SHA
- If you specified an NTLM Auth configuration in the access profile, verify that authentication succeeded:
  - On the Authentication tab, select NTLM Auth Result.
  - Click Add Item. A properties popup screen opens.
  - Click Save. The properties screen closes. The policy displays.
- To supply LDAP group information for use in the per-request policy, add an LDAP Query item anywhere in the policy and configure its properties:
  - From the Server list, select an AAA LDAP server. An LDAP Query uses SSL connections when you select an LDAP AAA server that is configured for LDAPS.
  - Specify the SearchDN and SearchFilter settings. SearchDN is the base DN from which the search is done.
  - Click Save.
  This item populates the session.ldap.last.attr.memberOf session variable.
- To supply Active Directory groups for use in the per-request policy, add an AD Query item anywhere in the policy and configure its properties:
  - From the Server list, select an AAA AD server.
  - Select the Fetch Primary Group check box. The value of the primary user group populates the session.ad.last.attr.primaryGroupID session variable.
  - Click Save.
- To supply RADIUS class attributes for use in the per-request policy, add a RADIUS Auth item anywhere in the policy and configure its properties:
  - From the Server list, select an AAA RADIUS server.
  - Click Save.
  This item populates the session.radius.last.attr.class session variable.
- To supply local database groups for use in the per-request policy, add a Local Database item anywhere in the policy and configure its properties:
  - From the LocalDB Instance list, select a local user database.
  - In the User Name field, retain the default session variable.
  - Click Add new entry. A new line is added to the list of entries with the Action set to Read and other default settings.
  - In the Destination column Session Variable field, type session.localdb.groups. If you type a name other than session.localdb.groups, note it. You will need it when you configure the per-request access policy.
  - In the Source column, from the DB Property list, select groups.
  - Click Save.
  This item populates the session.localdb.groups session variable.
- On the Authentication tab, select OAuth Client.
- From the Server list, select an OAuth server. Only OAuth servers configured with Mode set to Client or Client + Resource Server display.
- From the Server list, select an OAuth server. Only OAuth servers configured with Mode set to Resource Server or Client + Resource Server display.
- From the Grant Type list, select one of these options:
  - Authorization code: Redirects the user to the external server to authenticate. The user is redirected back to APM with an authorization code. APM uses the authorization code to request an access token.
  - Password: Requests an access token from the external server by using the user's credentials (username and password). If this method is configured, the user must provide their external credentials to APM; to make this happen, you must insert a logon page before the OAuth Client item in the access or the per-request policy.
  If you select Authorization code, the Redirection URI field displays.
- Select requests to make to the OAuth server. Requests are configured in the area of the product.
  - Authentication Redirect Request: Specifies an auth-redirect-request type of request, which redirects a user to an OAuth server. Displays when Grant Type is set to Authorization code.
  - Token Request: Specifies a token-request type of request.
  - Refresh Token Request: Specifies a token-refresh-request type of request.
  - Validate Token Request: Specifies a validation-scopes-request type of request, which can get a list of scopes for the token and get data for the scopes.
- If the Redirection URI field displays, retain the default value (https://%{session.server.network.name}/oauth/client/redirect) or type a URI that points back to the APM client. If you type a URI, you must retain the path /oauth/client/redirect and change only the host name portion of the URI. The OAuth server uses the URI to send the user back to APM.
- In the Scope field, type one or more scopes separated by spaces. Each time you add another OAuth Client agent to a policy, you must include the scopes (for example, email photos) that were requested in the previous instance of the OAuth Client and append any additional scopes (for example, contacts) to the list (for example, email photos contacts). Read the OAuth provider documentation to learn the names of the scopes that they support and the URIs where you can obtain the data.
- On the Authentication tab, select OAuth Scope.
- To get a list of scopes associated with an access token, from the Scopes Request list, select a request to send to the OAuth provider. The list displays validation-scopes-request types. If F5 (APM) is the OAuth provider, select F5ScopesRequest. Requests are configured in the area of the product.
- To add requests for scope data (for example, to request a user's email address or profile), perform these steps:
  - Click Add new entry. A new line is added to the list of entries.
  - In the Scope Name field, type the name of a scope that the OAuth provider supports. The scope must be associated with the access token (the user must have granted permission for this scope). For example, some OAuth providers support scopes named email or profile.
  - From the Request list, select a request. The list includes scope-data-request types. Select one that you configured to meet the requirements of the specific OAuth provider.
  - Click Save. The Properties screen closes. The newly added item displays in the policy.
- If you selected Password from the Grant Type list, you must insert a logon page agent to precede the OAuth Client agent:
  - Click (+) ahead of the OAuth Client on the policy branch.
  - On the Logon Page tab, select OAuth Logon Page and click Add Item. A Properties screen displays.
  - Click Save. The properties screen closes. The policy displays.
- Complete the policy:
  - Add any branch rules that you need. By default, the OAuth Client item has a successful branch for any valid non-error JSON response it receives. However, you can add other branch rules based on the authorization server response to suit your needs.
  - Change branch endings as needed; change Deny to Allow where you want to provide access.
- To rename the subroutine or to update the number of seconds that the subroutine has to complete its interactions with the OAuth server, perform these steps:
  - Click Subroutine Settings/Rename.
  - To rename the subroutine, type a name in the Name field.
  - To update the timeout, type a number in the Subroutine Timeout (sec) field. No additional settings on this screen are applicable to the OAuth Client and OAuth Scope items.
  - Click Save. The popup screen closes. The subroutine displays in the policy.
- To add an OpenID Connect UserInfo request to the agent, perform these steps:
  - For OpenID Connect, select Enabled. Additional fields display.
  - For OpenID Connect Flow Type, retain Authorization code, or select Hybrid and then select an entry for OpenID Connect Hybrid Response Type.
  - For OpenID Connect UserInfo Request, select a request.
- On a policy branch, click the plus symbol (+) to add an item to the policy.
- On the Assignment tab, select the Advanced Resource Assign agent, and then click Add Item. The Resource Assignment window opens.
- Click Add new entry. An Empty entry displays.
- From the left-side list, select Custom Variable (the default), and type session.logon.last.password.
- From the right-side list, select Custom Expression (the default), and type expr { [mcget -secure {.session.logon.last.password1}] }
- Click Add new entry. An empty entry appears in the Assignment table.
- On the Remote Desktop tab, select the VMware View remote desktop resource that you configured previously. A system-defined ACL for the remote desktop resource is automatically assigned to the policy. The ACL specifies the allow action for the resource items associated with the remote desktop resource.
- On the Webtop tab, select a full webtop and click Update. The properties screen closes and the resources you selected are displayed.
- Click Update. The popup screen closes.
- Click the Branch Rules tab. Select a rule from the Insert Before list to add the new rule in a specific order.
- Click the Branch Rules tab.
- Click Add Branch Rule. A new entry with Name and Expression settings displays.
- In the Name field, replace the default name by typing a new name. The name appears on the branch in the policy.
- Type local in the search field. Search is not case-sensitive. A list of matching actions displays.
- Select Local Database and click Add Item. A properties screen opens.
- Click the change link next to the Expression setting. A popup screen opens.
- Click the change link in the new entry. A popup screen opens.
- Click the Add Expression button. Settings are displayed.
- From the Unsecure list, select Secure.
- Make any changes that you require to logon page properties and click Save. The properties screen closes and the policy displays.
- Click Add Item. A popup screen opens.
- On the Successful branch after the previous action, click the (+) icon. An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
- After the SSO Credential Mapping action, click the (+) icon.
- Click the change link next to the empty entry. A dialog box opens, where you can enter a variable and an expression.
- On the Assignment tab, type var in the search field, select Variable Assign from the results, and click Add Item. Use the Variable Assign action to pass the domain name for an XML Broker so that a user is not repeatedly queried for it. A properties screen opens.
- On the Logon tab, select HTTP 401 Response and click Add Item. A Properties screen opens.
- On the Logon tab, select HTTP 407 Response and click Add Item. A properties screen opens.
- From the HTTP Auth Level list, select negotiate and click Save. The properties screen closes.
- Click the (+) icon on the negotiate branch. A popup screen opens.
- On the Authentication tab, select Kerberos Auth and click Add Item. A properties screen opens.
- From the AAA Server list, select an existing server.
- From the Request Based Auth list, select Disabled.
- On the Assignment tab, select SSO Credential Mapping and click Add Item. The SSO Credential Mapping screen opens.
- After the SSO Credential Mapping action, click the Deny ending. A popup screen opens.
- Select OTP Generate and click Add Item. A popup screen opens.
- On the Logon tab, select VMware View Logon Page, and click Add Item. A properties screen displays.
- In the Name field, change the name of the action.
- From VMware View Logon Screen Type, select Disclaimer.
- In the Customization area, from the Language list, select the language for the message.
- In the Disclaimer message field, type the message to display on the logon page.
- On the Authentication tab, click LocalDB Auth. A properties screen displays.
- From the LocalDB Instance list, select a local user database. Authentication fails if the user does not exist in this local user database instance.
- From the Action list, select Write. The content of the Destination and Source columns changes.
- Click Save. The dialog box closes; the properties screen remains open.
- The Max Logon Attempts Allowed setting specifies the number of attempts that an external client without a Kerberos ticket can make to authenticate on the forward proxy.
- Click the Apply Access Policy link to apply and activate your changes to this access policy.
- To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.