Manual Chapter: Defining Access Policy Items
Applies To: BIG-IP APM 14.0.1, 14.0.0
About access policy item configuration
An access policy item is a small action, or rule, that serves a specific
purpose in an access policy. Access policy items are all added to the access policy in the
same way, but in most cases each access policy item must be configured individually. In
Access Policy Manager, an access policy item is one of five types.
Item type | Configuration details | Examples |
---|---|---|
Blank item | This type of access policy item has no explicit configuration on the configuration page, and can be configured to verify a wide range of conditions with Expression screens. | |
Preconfigured branch rule item | This type of access policy item has no explicit configuration on the configuration page, and a preconfigured set of rules on the Branch Rules page. | |
Properties page configuration item | This type of access policy item has all standard configuration options on the configuration page, to verify the required information, prompt for information, or perform another action. | |
Assignment item | An assignment action allows configuration on the configuration page, and contains a list of available resources of a certain type, and allows you to select one or multiple resources to assign. Some resource assignment actions, such as Webtop, Links and Sections Assign, allow you to assign multiple items of different types. Advanced Resource Assign is a special case that allows you to select and assign multiple resources of different types at once. | |
Mapping assignment item | A mapping assignment action allows you to assign one variable or resource to the value of another variable or resource. This kind of assign action includes the assignment of resources or variables on a separate page, linked from the main screen. | |

When naming VPE objects, APM
removes special characters such as exclamation marks, equal signs, and brackets before
saving the objects. The following characters are allowed: ( ) - _ + [ ].
Adding a blank access policy item to an access policy
Before you start this task, configure an access profile.
Configure a blank item to configure one of several
actions that have no explicit configuration defined.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen opens.
- In the Per-Session Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Click the (+) icon anywhere in the access policy to add a new item. Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- Select a blank action:
  - Collects machine info, and checks it against established values.
  - An empty action that you can configure with any allowed checks.

  A properties screen opens.
- Click the Branch Rules tab. The Branch Rules screen opens.
- Click the Add Branch Rule button. New Name and Expression settings display.
- Click the change link in the Expression area. A popup screen opens.
- Click Add Expression. New properties display.
- For each expression you add, select an agent from the Agent Sel. list, a condition from the Condition list, and configure any details. See the reference information for each action for more details.
- Click Add Expression to add the expression to the list.
- Add more expressions to the check as required. You can add expressions as either AND or OR conditions.
- Click Finished. The popup screen closes.
- Click Save. The properties screen closes and the policy displays.
The access policy is configured with the empty action you have configured.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.
Adding an access policy item with preconfigured branch rules
Before you start this task, configure an access profile.
Configure an access policy with preconfigured
branch rules to add preconfigured settings and branches to an access policy.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen opens.
- In the Per-Session Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Click the (+) icon anywhere in the access policy to add a new item. Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- Select an action with preconfigured branch rules, and click Add Item:
  - Checks that the system is a client for Microsoft Exchange.
  - Provides branches based on the result of an operating system check on the client.
  - Provides branches based on the result of a client type check.
  - Checks whether the client can run client side checks and provides positive and fallback branches.
  - Provides branches based on a certain date or time.
  - Provides branches based on a specific geographic origin for the client.
  - Checks the client IP against an IP reputation database.
  - Provides branches based on whether the device appears to be jailbroken or rooted.
  - Provides branches based on a specific landing URI.
  - Provides branches based on the available global APM licenses.
  - Provides branches based on specific Windows information, such as operating system type and patch level.

  A properties screen opens.
- Click the Branch Rules tab. The Branch Rules screen opens.
- View the preconfigured branch rules. You can make changes to the branch rules, or close the item.
- Click Save. The properties screen closes and the policy displays.
The access policy is saved with the action you have configured.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.
Adding an access policy item with configurable properties
Before you start this task, configure an access profile.
Configure an access policy with configurable
properties to check for specific items or policies.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen opens.
- In the Per-Session Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Click the (+) icon anywhere in the access policy to add a new item. Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- Select an action with configurable properties, then click Add Item:
  - Presents an external logon page for the client.
  - Provides a custom HTTP 401 logon page.
  - Provides a custom HTTP 407 logon page.
  - Provides a custom logon page that you can configure entirely from the properties screen.
  - Provides a configurable virtual keyboard for logon information entry.
  - Provides a custom logon page for VMware View.
  - Checks that the client is running specified anti-spyware software.
  - Checks that the client is running specified antivirus software.
  - Checks that the client is running specified firewall software.
  - Checks that the client hard disk is encrypted.
  - Allows a check for a specific file with specified properties on a Linux system.
  - Allows a check for a specific process on Linux systems.
  - Allows a check for a specific file with specified properties on a Mac.
  - Allows a check for a specific process on a Mac.
  - Allows a check for a machine certificate.
  - Allows a check for patches to specific files.
  - Allows a check for peer to peer software on a system.
  - Allows you to configure Windows clients to clean certain items after the session closes.
  - Allows a check for a specific file with specified properties on Windows systems.
  - Allows a check for a health agent on Windows systems.
  - Allows a check for a specific process on Windows systems.
  - Allows configuration of a protected workspace in Windows.
  - Allows a check for a specific registry value in Windows.
  - Allows configuration of a choice of two branches for the user, with custom text describing each choice.
  - Sends an email, when reached in the access policy.
  - Allows configuration of a choice of two branches for the user, with custom text describing each choice.
  - Allows you to add entries to a local database.
  - Allows you to log a session variable result.
  - Shows a message, and requires the user to click to continue.

  A properties screen opens.
- Configure the properties for the item.
- Click Save. The properties screen closes and the policy displays.
The access policy is configured with the empty action you have configured.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.
Adding an access policy assignment item
Before you can add an access policy assignment item, you need to configure an access
profile.
Configure an access policy with an assignment
action to assign a resource, local traffic pool, ACL, profile, or other item. Each
assignment action works differently and assigns different items.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen opens.
- In the Per-Session Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Click the (+) icon anywhere in the access policy to add a new item. Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- Select an assignment action, then click Add Item:
  - Assigns an ACL to the access policy branch.
  - Directly assigns all types of resources.
  - Assigns a Bandwidth Controller policy to an access policy branch.
  - Assigns a Citrix Smart Access filter to an access policy branch.
  - Assigns a dynamic ACL to an access policy branch.
  - Allows you to assign connection resources, remote desktops, and SAML resources.
  - Allows you to assign a route domain, SNAT, and SNAT pool to an access policy branch.
  - Allows you to assign attributes for the SSO username and password.
  - Allows you to assign a webtop, webtop links, and webtop sections to an access policy branch.

  A properties screen opens.
- Configure the properties for the item.
- Click Save. The properties screen closes and the policy displays.
The access policy is configured with the
assignment action you have configured.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.
Adding an access policy mapping item
Before you start this task, configure an access profile.
Configure an access policy with a mapping action to map resources or variables of
one type to another type or value. Each mapping action works differently and assigns
different items.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen opens.
- In the Per-Session Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Click the (+) icon anywhere in the access policy to add a new item. Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- Select a mapping action, then click Add Item:
  - Maps resources from an Active Directory group to access policy resources.
  - Maps resources from an LDAP group to access policy resources.
  - Allows you to assign predefined or custom variables to attributes, values, text, or expressions.

  A properties screen opens.
- For the Variable assign action, click the Add new entry button. The AD and LDAP Group Assign actions already include an entry.
- Click the Edit link.
- Configure the settings for the assign action. For the AD or LDAP group resource assign action, type the name of the group, then click Add group manually.
- Configure the mapping items. Refer to the specific documentation for each item to map items.
- Click Save. The properties screen closes and the policy displays.
The access policy is configured with the assignment action you have configured.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.