Manual Chapter : Common Elements for the Visual Policy Editor in Access Policy Manager

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 14.0.0
Manual Chapter

Common Elements for the Visual Policy Editor in Access Policy Manager

  1. On a policy branch, click the
    (+)
    icon to add an item to the policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  2. On a policy branch, click the
    (+)
    icon to add an item to the policy.
  3. On a policy branch, click the
    (+)
    icon to add an item to the policy.
    Repeat this action from the visual policy editor whenever you want to add an item to the policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  4. On the fallback branch after the previous action, click the
    (+)
    icon to add an item to the policy.
    A popup screen opens.
  5. On the Successful branch after the previous action, click the
    (+)
    icon.
    A popup screen opens.
  6. On a policy branch, click the
    (+)
    icon.
  7. On the menu bar, click
    Access Policy
    .
    Access policy settings display.
  8. Click the
    X
    symbol on a policy item to delete the item from the policy.
  9. Click the
    Save
    button to save changes to the access policy item.
  10. Click
    Save
    .
    The properties screen closes and the policy displays.
  11. Click an
    ending
    on a policy branch to change the ending type.
  12. Click
    Add Item
    .
    A properties screen opens.
  13. Make any changes that you require to the properties and click
    Save
    .
    The properties screen closes and the policy displays.
  14. Select an option to delete the item from the policy, and then click the
    Delete
    button.
    Connect previous node to
    branch_name
    branch
    Connects the input branch of the policy item you delete to the specified output branch rule. This option removes the policy item, but preserves the branch that you specify, so policy items you have configured on the specified branch are preserved.
    Delete all branches
    Deletes all branches originating from the policy item you delete. This option removes the policy item, and does not preserve any branch rules configured on any of its output branches follow it.
  15. Change the Successful rule branch from
    Deny
    to
    Allow
    , and then click the
    Save
    button.
  16. To grant access at the end of any branch, change the ending from
    Deny
    to
    Allow
    :
    1. Click
      Deny
      .
      The default branch ending is
      Deny
      .
      A popup screen opens.
    2. Select
      Allow
      and click
      Save
      .
      The popup screen closes. The
      Allow
      ending displays on the branch.
  17. Select the Authentication tab.
    The tab displays a list of authentication actions.
  18. To verify user identity by client IP address:
    1. Click the Authentication tab.
    2. Select
      Transparent Identity Import
      .
    3. Click
      Add Item
      .
    Transparent Identity Import imports user identity information from an IF-MAP server and assesses whether the IP address is associated with a known user.
    A Properties screen opens.
  19. On the
    Associated
    branch of the Transparent Identity Import item, add any other actions that you want to perform before allowing access.
    For example, get more information about the user by adding an LDAP query. Based on the result of the query, assign resources by adding Resource Assignment or Advanced Resource Assignment items.
  20. Select
    OCSP Auth
    , and then click
    Add item.
    A properties popup screen opens.
  21. From the
    OCSP Responder
    list, select an OCSP responder.
  22. On the Assignment tab, select the
    Resource Assign
    agent, and then click
    Add Item
    .
    The Resource Assignment screen opens.
  23. Next to each type of resource that you want assign (
    Network Access
    ,
    Portal Access
    ,
    App Tunnel
    ,
    Remote Desktop
    , or
    SAML
    ), click the
    Add/Delete
    link, and select from available resources.
  24. Next to the
    App Tunnel
    setting, click the
    Add/Delete
    link, and select the application tunnel to assign.
  25. On the Assignment tab, select the
    Advanced Resource Assign
    agent, and then click
    Add Item
    .
    The Resource Assignment screen opens.
  26. On the Assignment tab, select
    SSO Credential Mapping
    and click
    Add Item
    .
    A properties screen opens.
  27. On the Assignment tab, select
    Variable Assign
    and click
    Add Item
    .
    A properties screen opens.
  28. On the Simple tab of the Expression popup screen, click the
    X
    symbol next to an expression to delete that expression.
  29. In the
    Name
    field, type a name for the policy item.
    This name is displayed in the action field for the policy.
  30. In the
    Name
    field, replace the default name by typing a new name over it.
    The default name is Branch Rule
    n
    where
    n
    is a number. The name appears on the branch in the policy and so should be descriptive.
  31. Click the Branch Rules tab to edit a branch rule.
  32. Click the Branch Rules tab.
    The Branch Rules screen opens.
  33. Click the
    Add Branch Rule
    button.
    New
    Name
    and
    Expression
    settings display.
  34. Click the Advanced tab.
    Use this tab to enter Tcl expressions.
    A text input field displays.
  35. Click
    Finished
    .
    The popup screen closes.
  36. Click the
    Add Branch Rule
    button to add a branch rule.
    Select a rule from the
    Insert Before
    list to add the new rule in a specific order.
  37. Click the
    Add New Macro
    button to add a macro from a template to the Add Item popup screen.
  38. Click the
    Edit Endings
    button to create and edit policy endings.
  39. Click
    Add new entry
    to add an entry to the list. To add the entry at a specific place in the list, select the item number before which the new item should appear, from the
    Insert Before
    list.
    A new line is a added to the list of entries.
  40. Click
    Add new entry
    to add another entry to the list. To add the entry at a specific place in the list, select the item number before which the new item should appear, from the
    Insert Before
    list.
    A new line is added to the list of entries.
  41. Click
    Add new entry
    .
    A new line is added to the list of entries.
  42. Click the
    X
    next to an entry in the list to remove that entry.
  43. Select
    Save
    to save any changes and return to the policy.
  44. Populate the property fields, referring to online help for more information, select
    Save
    to save any changes and return to the visual policy editor.
  45. On the Endpoint Security (Server-Side) tab, select
    Client Type
    , and then click
    Add Item
    .
    The Client Type action identifies clients and enables branching based on the client type.
    A properties screen opens.
  46. Type
    geo
    in the search field, select
    IP Geolocation Match
    from the results list, and then click
    Add Item
    .
    The default setting for the IP geolocation match policy item is to check that the country code for the IP address is
    US
    .
    A properties screen opens.
  47. Click
    Add new entry
    .
    An
    Empty
    entry displays.
  48. Click the
    Add/Delete
    link below the entry.
    The screen changes to display resources that you can add and delete.
  49. Click the
    Add/Delete
    link below the entry.
    The screen changes to display resources on multiple tabs.
  50. From
    General Purpose
    , select
    Citrix Smart Access
    and click
    Add Item
    .
    The Variable Assign: Citrix Smart Access properties screen opens.
  51. Type the name of a Citrix SmartAccess filter in the open row under Assignment.
    A filter can be any string. Filters are not hardcoded, but must match filters that are configured in the XenApp server for application access control or a user policy.
    In the XenApp server, you must specify
    APM
    as the Access Gateway farm when you configure filters.
  52. To add another filter, click
    Add entry
    and type the name of a Citrix filter in the open row under Assignment.
  53. When you are done adding filters, click
    Save
    to return to the visual policy editor.
  54. Click
    Add new entry
    .
    An
    empty
    entry displays in the Assignment table.
  55. Click the
    change
    link next to the empty entry.
    A dialog box, where you can enter a variable and an expression, opens.
  56. Click
    Finished
    to save the variable and expression and return to the Variable Assign action popup screen.
  57. On the Assignment tab, select
    Advanced Resource Assign
    and click
    Add Item
    .
    The properties screen opens.
  58. Select the Remote Desktop tab.
    A list of remote desktop resources is displayed.
  59. Select a remote desktop resource and click
    Update
    .
    The properties screen opens where
    Remote Desktop
    and the name of the selected resource are displayed.
  60. Select the Webtop tab.
    A list of webtops is displayed.
  61. Select a webtop and click
    Update
    .
    The screen changes to display properties, and the name of the selected webtop is displayed.
  62. On the Webtop tab, select a full webtop.
  63. On the Static ACL tab, select an ACL that rejects all connections.
    Adding an ACL that is last in order and rejects all connections keeps users from accessing any host and port combinations other than those to which they have been explicitly allowed access by the other ACLs assigned to the policy.
  64. Select any other resources that you want to assign to the policy.
    If you assign a Network Access resource to the policy, be sure to also assign an ACL that allows access to the resources that you want users to have. Otherwise, the ACL that rejects all connections blocks access.
    If you assign a Portal Access resource to the policy, be sure to also assign an ACL that allows access to all parts of the web sites specified in the start URI or hosted content fields of the Portal Access configuration. Otherwise, the ACL that rejects all connections blocks access.
  65. Click
    Add Expression
    .
    The expression displays.
  66. Click
    Add Expression
    .
    New properties display.
  67. Type
    var
    in the search field, select
    Variable Assign
    from the results list, and then click
    Add Item
    .
    The Variable Assign properties screen opens.
  68. On the Endpoint Security (Server-Side) tab, select
    Client for MS Exchange
    and click
    Add Item
    to add the action to the policy.
    The Client for MS Exchange action popup screen opens.
  69. On the Logon tab, select
    Logon Page
    and click the
    Add Item
    button.
    The Logon Page Agent properties screen opens.
  70. Make any changes that you require to the logon page properties and click
    Save
    .
    The properties screen closes and the policy displays.
  71. Add one or more authentication checks on the fallback branch after the
    Logon Page
    action.
    Select the authentication checks that are appropriate for application access at your site.
  72. Click the
    Close
    button to close the visual policy editor.
  73. Add any other branches and actions that you need to complete the policy.
  74. Complete the policy:
    1. Add any additional policy items you require.
    2. Change the ending from
      Deny
      to
      Allow
      on any access policy branch on which you want to grant access.
  75. On the Assignment tab, select the
    AD Group Resource Assign
    agent, and then click
    Add Item
    .
    The AD Group Resource Assign screen opens, displaying a blank entry in the Groups area.
  76. On the Assignment tab, select the
    LDAP Group Resource Assign
    agent, and then click
    Add Item
    .
    The LDAP Group Resource Assign screen opens.
  77. In the Groups area, click the
    edit
    link for the entry that you want to update.
    A popup screen opens to the Groups tab.
  78. If you need to add a group, in the
    New Group
    field, type the name of a group that exists on the server and click
    Add group manually
    .
    When the access policy runs, this action queries the group names using the
    memberOf
    attribute in the directory.
    The group displays in the list on the Groups tab.
  79. Select at least one group.
  80. Repeat these steps for each type of resource that you require.
    The screen displays one tab for each resource type.
    1. Click a tab.
    2. Select the resources that you want to assign to the selected groups.
    Typical resource assignment rules apply. For example, you can assign multiple webtop links to a group, but you can assign only one webtop.
  81. After you assign items, click the
    Update
    button.
    The
    AD Group Resource Assign
    screen opens, and shows the current assignments as an entry in the Groups table.
  82. Click the
    Update
    button.
    The
    LDAP Group Resource Assign
    screen opens, and displays the groups and resources in the entry in the Groups table.
  83. To identify a user transparently using information provided by a Secure Web Gateway (SWG) user identification agent, perform these steps:
    For this step of the access policy to succeed, you must have installed and configured either the F5 DC Agent or the F5 Logon Agent. Either agent is supported on a BIG-IP system with an SWG subscription only.
    1. On a policy branch, click the plus symbol
      (+)
      to add an item to the policy.
    2. From the Authentication tab, select
      Transparent Identity Import
      and click
      Add Item
      .
      The transparent identity import access policy item searches the database in the IF-MAP server for the client source IP address. By default, this access policy item has two branches: associated and fallback.
      A properties screen opens.
    3. Click
      Save
      .
      The visual policy editor opens.
    4. Add any additional access policy items to the fallback or associated branches.
      For example, you might add Kerberos authentication on the fallback branch.
  84. Assign an SWG scheme to the policy:
    Scheme assignment is mandatory.
    1. Click the
      (+)
      icon anywhere in the policy to add a new action item.
    2. On the Assignment tab, select
      SWG Scheme Assign
      and click
      Add Item
      .
      A properties screen opens.
    1. To display the available schemes, click the
      Add/Delete
      link.
    2. Select one scheme and click
      Save
      .
      The properties screen closes and the policy displays.
  85. On the Authentication tab, select
    AD Auth
    .
    A properties screen displays.
  86. From the
    Server
    list, select a server.
  87. To support Citrix Receiver clients, you must set
    Max Logon Attempts
    to 1.
  88. On the Authentication tab, select
    LocalDB Auth
    .
    A properties screen displays.
  89. From the
    LocalDB Instance
    list, select a local user database.
  90. From the
    Max Logon Attempts Allowed
    list, select a number from 1 to 5.
    This defaults to 3. If user fails to log in after this number of tries, the user is locked out.
  91. Type
    local
    in the search field.
    Search is not case-sensitive.
    A list of matching actions is displayed.
  92. Select
    Local Database
    and click
    Add Item
    .
    A properties screen displays.
  93. Add a
    Local Database
    action.
    A properties screen for the action opens.
  94. In the
    User Name
    field, retain the default session variable or type another variable name or a user name.
  95. To support APM On-Demand certificate authentication, type the name of a NATIVE cipher in the
    Ciphers
    field.
    The list of supported NATIVE ciphers includes these:
    • RC4-MD5
    • RC4-SHA
    • AES128-SHA
    • AES256-SHA
    • DES-CBC3-SHA
    • DES-CBC-SHA
    • EXP1024-RC4-MD5
    • EXP1024-RC4-SHA
    • EXP1024-DES-CBC-SHA
    • EXP-RC4-MD5
    • EXP-DES-CBC-SHA
    • NULL-MD5
    • NULL-SHA
  96. If you specified an NTLM Auth configuration in the access profile, verify that authentication succeeded.
    1. On the Authentication tab, select
      NTLM Auth Result
      .
    2. Click
      Add Item
      .
      A properties popup screen opens.
    3. Click
      Save
      .
      The properties screen closes. The policy displays.
  97. To supply LDAP group information for use in the per-request policy, add an LDAP Query item anywhere in the policy and configure its properties:
    1. From the
      Server
      list, select an AAA LDAP server.
      An LDAP Query uses SSL connections when you select an LDAP AAA server that is configured for LDAPS.
    2. Specify the
      SearchDN
      , and
      SearchFilter
      settings.
      SearchDN is the base DN from which the search is done.
    3. Click
      Save
      .
    This item populates the
    session.ldap.last.attr.memberOf
    session variable.
  98. To supply Active Directory groups for use in the per-request policy, add an AD Query item anywhere in the policy and configure its properties:
    1. From the
      Server
      list, select an AAA AD server.
    2. Select the
      Fetch Primary Group
      check box.
      The value of the primary user group populates the
      session.ad.last.attr.primaryGroupID
      session variable.
    3. Click
      Save
      .
  99. To supply RADIUS class attributes for use in the per-request policy, add a RADIUS Auth item anywhere in the policy and configure its properties:
    1. From the
      Server
      list, select an AAA RADIUS server.
    2. Click
      Save
      .
    This item populates the
    session.radius.last.attr.class
    session variable.
  100. To supply local database groups for use in the per-request policy, add a Local Database item anywhere in the policy and configure its properties:
    1. From the
      LocalDB Instance
      list, select a local user database.
    2. In the
      User Name
      field, retain the default session variable.
    3. Click
      Add new entry
      A new line is added to the list of entries with the Action set to
      Read
      and other default settings.
    4. In the Destination column
      Session Variable
      field, type
      session.localdb.groups
      .
      If you type a name other than
      session.localdb.groups
      , note it. You will need it when you configure the per-request access policy.
    5. In the Source column from the
      DB Property
      list, select
      groups
      .
    6. Click
      Save
      .
    This item populates the
    session.localdb.groups
    session variable.
  101. On the
    Authentication
    tab, select
    OAuth Client
    .
  102. From the
    Server
    list, select an OAuth server.
    Only OAuth servers configured with
    Mode
    set to
    Client
    or
    Client + Resource Server
    display.
  103. From the
    Server
    list, select an OAuth server.
    Only OAuth servers configured with
    Mode
    set to
    Resource Server
    or
    Client + Resource Server
    display.
  104. From the
    Grant Type
    list, select one of these options:
    • Authorization code
      - Redirects the user to the external server to authenticate. The user is redirected back to APM with an authorization code. APM uses the authorization code to request an access token
    • Password
      - Requests an access token from the external server by using the user's credentials (username and password). If this method is configured, the user must provide their external credentials to APM; to make this happen you must insert a logon page before the OAuth Client item in the access or the per-request policy.
    If you select
    Authorization code
    , the
    Redirection URI
    field displays.
  105. Select requests to make to the OAuth server:
    Requests are configured in the
    Access
    Federation
    OAuth Client / Resource Server
    Requests
    area of the product.
    • Authentication Redirect Request
      - Specifies an auth-redirect-request type request, which redirects a user to an OAuth server. Displays when
      Grant Type
      is set to
      Authorization code
      .
    • Token Request
      - Specifies a token-request type of request.
    • Refresh Token Request
      - Specifies a token-refresh-request type of request.
    • Validate Token Request
      - Specifies a validation-scopes-request type of request, which can get a list of scopes for the token and get data for the scopes.
  106. If the
    Redirection URI
    field displays, retain the default value (
    https://%{session.server.network.name}/oauth/client/redirect
    ) or type a URI that points back to the APM client.
    If you type a URI, you must retain this path
    /oauth/client/redirect
    . Only change the host name portion of the URI.
    The OAuth server uses the URI to send the user back to APM.
  107. In the
    Scope
    field, type one or more scopes separated by spaces.
    Each time you add another OAuth Client agent to a policy, you must include the scopes (for example,
    email photos
    ) that were requested in the previous instance of the OAuth Client and append any additional scopes (for example, contacts) to the list (for example,
    email photos contacts
    ).
    Read the OAuth provider documentation to learn the names of the scopes that they support and the URIs where you can obtain the data.
  108. On the
    Authentication
    tab, select
    OAuth Scope
    .
  109. To get a list of scopes associated with an access token, from the
    Scopes Request
    list, select a request to send to the OAuth provider.
    The list displays validation-scopes-request types.
    If F5 (APM) is the OAuth provider, select
    F5ScopesRequest
    .
    Requests are configured in the
    Federation
    OAuth Client / Resource Server
    Requests
    area of the product.
  110. To add requests for scope data (for example, to request a user's email address or profile), perform these steps:
    1. Click
      Add new entry
      .
      A new line is added to the list of entries.
    2. In the
      Scope Name
      field, type the name of a scope that the OAuth provider supports.
      The scope must be associated with the access token. (The user must have granted permission for this scope.)
      For example, some OAuth providers support scopes named
      email
      or
      profile
      .
    3. From the
      Request
      list, select a request.
      The list includes scope-data-request types. Select one that you configured to meet the requirements of the specific OAuth provider.
  111. Click
    Save
    .
    The Properties screen closes. The newly added item displays in the policy.
  112. If you selected
    Password
    from the
    Grant Type
    list, you must insert a logon page agent to precede the OAuth Client agent.
    1. Click (
      +
      ) ahead of the
      OAuth Client
      on the policy branch.
    2. On the Logon Page tab, select
      OAuth Logon Page
      and click
      Add Item
      .
      A Properties screen displays.
    3. Click
      Save
      .
      The properties screen closes. The policy displays.
  113. Complete the policy:
    1. Add any branch rules that you need.
      By default, the
      OAuth Client
      item has a successful branch for any valid non-error JSON response it receives. However, you can add other branch rules based on authorization server response to suit your needs.
    2. Change branch endings as needed; change
      Deny
      to
      Allow
      where you want to provide access.
  114. To rename the subroutine or to update number of seconds that the subroutine has to complete its interactions with the OAuth server, perform these steps:
    1. Click
      Subroutine Settings/Rename
      .
    2. To rename the subroutine, type in the
      Name
      field.
    3. To update the timeout, type a number in the
      Subroutine Timeout (sec)
      field.
      No additional settings on this screen are applicable to the OAuth Client and OAuth Scope items.
    4. Click
      Save
      .
      The popup screen closes. The subroutine displays in the policy.
  115. To add an OpenID Connect UserInfo request to the agent, perform these steps:
    1. For
      OpenID Connect
      , select
      Enabled
      .
      Additional fields display.
    2. For
      OpenID Connect Flow Type
      , retain
      Authorization code
      , or select
      Hybrid
      and then select an entry for
      OpenID Connect Hybrid Response Type
      .
    3. For
      OpenID Connect UserInfo Request
      , select a request.
  116. This is a dummy step to support the use of substeps.
    1. On a policy branch, click the plus symbol
      (+)
      to add an item to the policy.
    2. On the Assignment tab, select the
      Advanced Resource Assign
      agent, and then click
      Add Item
      .
      The Resource Assignment window opens.
    3. Click
      Add new entry
      .
      An
      Empty
      entry displays.
    4. From the left-side list, select
      Custom Variable
      (the default), and type
      session.logon.last.password
      .
    5. From the right-side list, select
      Custom Expression
      (the default), and type
      expr { [mcget -secure {
      session.logon.last.password1
      }] }
      .
    6. Click
      Add new entry
      .
      An
      empty
      entry appears in the Assignment table.
    7. Click the
      Add/Delete
      link below the entry.
      The screen changes to display resources on multiple tabs.
    8. On the Remote Desktop tab, select the VMware View remote desktop resource that you configured previously.
      A system-defined ACL for the remote desktop resource is automatically assigned to the policy. The ACL specifies the allow action for the resource items associated with the remote desktop resource.
    9. On the Static ACL tab, select an ACL that rejects all connections.
      Adding an ACL that is last in order and rejects all connections keeps users from accessing any host and port combinations other than those to which they have been explicitly allowed access by the other ACLs assigned to the policy.
    10. On the Webtop tab, select a full webtop and click
      Update
      .
      The properties screen closes and the resources you selected are displayed.
    11. On the Webtop tab, select a full webtop.
    12. Click
      Update
      .
      The popup screen closes.
    13. Click the Branch Rules tab.
      Select a rule from the
      Insert Before
      list to add the new rule in a specific order.
    14. Click the Branch Rules tab.
    15. Click
      Add Branch Rule
      .
      A new entry with
      Name
      and
      Expression
      settings displays.
    16. In the
      Name
      field, replace the default name by typing a new name.
      The name appears on the branch in the policy.
    17. Type
      local
      in the search field.
      Search is not case-sensitive.
      A list of matching actions displays.
    18. Select
      Local Database
      and click
      Add Item
      .
      A properties screen opens.
    19. Click the
      Add Expression
      button.
      Settings are displayed.
    20. From the
      Unsecure
      list, select
      Secure
      .
    21. Click
      Finished
      .
      The popup screen closes.
    22. On the Logon tab, select
      Logon Page
      and click the
      Add Item
      button.
      The Logon Page Agent properties screen opens.
    23. Make any changes that you require to logon page properties and click
      Save
      .
      The properties screen closes and the policy displays.
    24. Click
      Finished
      .
      The popup screen closes.
    25. Click
      Add Item
      .
      A popup screen opens.
    26. Click
      Save
      .
      The properties screen closes and the policy displays.
    27. On the Successful branch after the previous action, click the
      (+)
      icon.
      An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
    28. After the SSO Credential Mapping action, click the
      (+)
      icon.
    29. Click the
      change
      link next to the empty entry.
      A dialog box opens, where you can enter a variable and an expression.
    30. On the Assignment tab, type
      var
      in the search field, select
      Variable Assign
      from the results, and click
      Add Item
      .
      Use the Variable Assign action to pass the domain name for an XML Broker so that a user is not repeatedly queried for it.
      A properties screen opens.
    31. On the Logon tab, select
      HTTP 401 Response
      and click
      Add Item
      .
      A Properties screen opens.
    32. On the Logon tab, select
      HTTP 407 Response
      and click
      Add Item
      .
      A properties screen opens.
    33. From the
      HTTP Auth Level
      list, select
      negotiate
      and click
      Save
      .
      The properties screen closes.
    34. Click the
      (+)
      icon on the
      negotiate
      branch.
      A popup screen opens.
    35. On the Authentication tab, select
      Kerberos Auth
      and click
      Add Item
      .
      A properties screen opens.
    36. From the
      AAA Server
      list, select an existing server.
    37. From the
      Request Based Auth
      list, select
      Disabled
      .
    38. On the Assignment tab, select
      SSO Credential Mapping
      and click
      Add Item
      .
      The SSO Credential Mapping screen opens.
    39. After the SSO Credential Mapping action, click the
      Deny
      ending.
      A popup screen opens.
    40. Select
      OTP Generate
      and click
      Add Item
      .
      A popup screen opens.
    41. On the Logon tab, select
      VMware View Logon Page
      , and click
      Add Item
      .
      A properties screen displays.
    42. In the
      Name
      field, change the name of the action.
    43. From
      VMware View Logon Screen Type
      , select
      Disclaimer
    44. In the Customization area from the
      Language
      list, select the language for the message.
    45. In the
      Disclaimer message
      field, type the message to display on the logon page.
    46. On the Authentication tab, click
      LocalDB Auth
      .
      A properties screen displays.
    47. From the
      LocalDB Instance
      list, select a local user database.
      Authentication fails if the user does not exist in this local user database instance.
    48. From the
      LocalDB Instance
      list, select a local user database.
    49. From the
      Max Logon Attempts Allowed
      list, select a number from 1-5.
      This defaults to 3. If user fails to log in after this number of tries, the user is locked out.
    50. Click
      Add new entry
      .
      A new line is added to the list of entries.
    51. Click
      Add new entry
      A new line is added to the list of entries with the Action set to
      Read
      and other default settings.
    52. From the
      Action
      list select
      Write
      .
      The content of the Destination and Source columns changes.
    53. In the
      User Name
      field, retain the default session variable or type another variable name or a user name.
    54. Click
      Save
      .
      The dialog box closes; the properties screen remains open.
    55. Select any other resources that you want to assign to the policy.
      If you assign a Network Access resource to the policy, be sure to also assign an ACL that allows access to the resources that you want users to have. Otherwise, the ACL that rejects all connections blocks access.
      If you assign a Portal Access resource to the policy, be sure to also assign an ACL that allows access to all parts of the web sites specified in the start URI or hosted content fields of the Portal Access configuration. Otherwise, the ACL that rejects all connections blocks access.
    The
    Max Logon Attempts Allowed
    setting specifies attempts by an external client without a Kerberos ticket to authenticate on forward proxy.