Manual Chapter : Common Elements for the Access Profile in Access Policy Manager

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 15.0.0, 14.1.0
Manual Chapter

Common Elements for the Access Profile in Access Policy Manager

  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click
    Create
    .
    The New Profile screen opens.
  3. Select the
    Custom
    check box for
    Settings
    .
  4. In the
    Name
    field, type a name for the access profile.
    A access profile name must be unique among all access profile and any per-request policy names.
  5. In the
    Name
    field, type a name for the access profile.
    An access profile name must be unique among all per-session profile and per-request policy names.
  6. From the
    Profile Type
    list, select one these options:
    • LTM-APM
      : Select for a web access management configuration.
    • SSL-VPN
      : Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • ALL
      : Select to support LTM-APM and SSL-VPN access types.
    • SSO
      : Select to configure matching virtual servers for Single Sign-On (SSO).
      No access policy is associated with this type of access profile
    • RDG-RAP
      : Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
    • SWG - Explicit
      : Select to configure access using Secure Web Gateway explicit forward proxy.
    • SWG - Transparent
      : Select to configure access using Secure Web Gateway transparent forward proxy.
    • System Authentication
      : Select to configure administrator access to the BIG-IP system (when using APM as a pluggable authentication module).
    • Identity Service
      : Used internally to provide identity service for a supported integration. Only APM creates this type of profile.
      You can edit Identity Service profile properties.
    Depending on licensing, you might not see all of these profile types.
    Additional settings display.
  7. From the
    Profile Type
    list, select one of these options.
    • LTM-APM
      : Select for a web access management configuration.
    • SSL-VPN
      : Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • ALL
      : Select to support LTM-APM and SSL-VPN access types.
    Additional settings display.
  8. From the
    Profile Type
    list, select
    All
    .
    Additional settings display.
  9. From the
    Profile Type
    list, select
    SSL-VPN
    .
    Additional settings display.
  10. From the
    Profile Type
    list, select
    LTM-APM
    .
    Additional settings display.
  11. From the
    Profile Scope
    list, retain the default value or select another.
    • Profile
      : Gives a user access only to resources that are behind the same access profile. This is the default value.
    • Virtual Server
      : Gives a user access only to resources that are behind the same virtual server.
    • Global
      : Gives a user access to resources behind any access profile that has global scope.
  12. For
    Settings
    , select the
    Custom
    check box.
    The settings become available to edit.
  13. In the Configurations area for the
    User Identification Method
    field, retain the default setting,
    IP Address
    .
  14. In the Configurations area for the
    User Identification Method
    list, select one of these methods:
    • IP Address
      : Select this method only in an environment where a client IP address is unique and can be trusted.
    • Credentials
      : Select this method to identify users using NTLM authentication.
  15. To use NTLM authentication before a session starts, from the
    NTLM Auth Configuration
    list select a configuration.
    For NTLM authentication to work, you must also enable the
    Captive Portals
    setting and specify an IP address in the
    Primary Authentication URI
    field for the virtual server that you configure for the captive portal.
    In the case of a shared machine, an IP address might already be associated with a user or a session. Using NTLM authentication ensures that the system can associate the IP address with the correct session (new or existing) or with a new user each time a user logs on to the shared machine.
  16. In the Configurations area for the
    User Identification Method
    list, select one of these methods.
    • IP Address
      : Select this method only in an environment where a client IP address is unique and can be trusted.
    • HTTP
      : Select to identify the client using HTTP.
  17. To direct users to a captive portal, for
    Captive Portal
    select
    Enabled
    and, in the
    Primary Authentication URI
    field, type the URI.
    You might specify the URI of your primary authentication server if you use single sign-on across multiple domains. Users can then access multiple back-end applications from multiple domains and hosts without needing to re-enter their credentials, because the user session is stored on the primary domain.
    For example, you might type
    https://logon.siterequest.com
    in the field.
  18. To change from using the default-log-settings that APM automatically adds to the access profile, you can do this.:
    Logging occurs for a session only when a log setting is specified for the access profile.
    1. Click the name of the access profile.
      The Properties screen opens.
    2. On the menu bar, click
      Logs
      .
      The General Properties screen opens.
    3. In the Log Settings area, move log settings from the
      Available
      list to the
      Selected
      list.
    4. Click
      Update
      .
    You can configure log settings in the
    Access
    Overview
    Event Log
    Settings
    area of the product.
  19. Click
    Finished
    .
  20. Click the name of the access profile for which you want to edit the access policy.
    The properties screen opens for the profile you want to edit.
  21. Click the name of the access profile that you want to edit.
    The properties screen opens.
  22. Scroll down to the Configurations area.
  23. On the menu bar, click
    Logs
    .
    The access profile log settings display.
  24. Move log settings between the
    Available
    and
    Selected
    lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.
    Logging is disabled when the
    Selected
    list is empty.
  25. Click
    Update
    .
  26. In the Per-Session Policy column, click the
    Edit
    link.
    The visual policy editor opens the access policy in a separate screen.
  27. On the menu bar, click
    Access Policy
    .
    The Per-Request Policies screen opens.
  28. On the menu bar, click
    Access Policy
    .
  29. On the menu bar, click
    Properties
    .
  30. Click the Rules tab.
    The General Properties screen opens.
  31. Click the
    (+)
    icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  32. This is a dummy step to enable the use of substeps.
    1. Click the
      (+)
      icon anywhere in your access profile to add a new action item.
      A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  33. Click
    Add Item
    .
    The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen opens.
  34. Click
    Apply Access Policy
    to save your configuration.
  35. In the
    Inactivity Timeout
    field, type the number of seconds that should pass before the access policy times out. Type
    0
    to set no timeout.
    If there is no activity (defined by the
    Session Update Threshold
    and
    Session Update Window
    settings in the Network Access configuration) between the client and server within the specified threshold time, the system closes the current session.
  36. In the
    Access Policy Timeout
    field, type the number of seconds that should pass before the access profile times out because of inactivity.
    Type
    0
    to set no timeout.
  37. In the
    Maximum Session Timeout
    field, type the maximum number of seconds the session can exist.
    Type
    0
    to set no timeout.
  38. In the
    Max Concurrent Users
    field, type the maximum number of users that can use this access profile at the same time.
    Type
    0
    to set no maximum.
  39. In the
    Max In Progress Sessions Per Client IP
    field, type the maximum number of concurrent sessions that can be in progress for a client IP address.
    When setting this value, take into account whether users will come from a NAT-ed or proxied client address and, if so, consider increasing the value accordingly. The default value is 128.
    Only a user in the administrator, application editor, manager, or resource administrator role has access to this field.
    F5 does not recommend setting this value to
    0
    (unlimited).
  40. Select the
    Restrict to Single Client IP
    check box to restrict the current session to a single IP address.
    This setting associates the session ID with the IP address.
    Only a user in the administrator, application editor, manager, or resource administrator role has access to this field.
    Upon a request to the session, if the IP address has changed the request is redirected to a logout page, the session ID is deleted, and a log entry is written to indicate that a session hijacking attempt was detected. If such a redirect is not possible, the request is denied and the same events occur.
  41. In the
    Max Sessions Per User
    field, type the maximum number of concurrent sessions that one user can start.
    Type
    0
    to set no maximum.
    Only a user in the administrator, application editor, manager, or resource administrator role has access to this field.
  42. To configure logout URIs, in the Configurations area, type each logout URI in the
    URI
    field, and then click
    Add
    .
  43. In the
    Logout URI Timeout
    field, type the delay in seconds before logout occurs for the customized logout URIs defined in the
    Logout URI Include
    list.
  44. To configure SSO:
    • For users to log in to multiple domains using one SSO configuration, skip the settings in the SSO Across Authentication Domains (Single Domain mode) area. You can configure SSO for multiple domains only after you finish the initial access profile configuration.
    • For users to log in to a single domain using an SSO configuration, configure settings in the SSO Across Authentication Domains (Single Domain mode) area, or you can configure SSO settings after you finish the initial access profile configuration.
  45. Click
    SSO / Auth Domains
    on the menu bar.
    The SSO Across Authentication Domains screen opens.
  46. For Domain Mode, select
    Single Domain
    or
    Multiple Domains
    .
    Depending on this setting, users can log in to a single domain or multiple domains with this SSO configuration.
    The screen refreshes to display appropriate fields.
  47. If you selected
    Multiple Domains
    , then in the
    Primary Authentication URI
    field, type the primary URI for authentication.
  48. From the
    SSO Configurations
    list, select an SSO configuration.
  49. In the Configurations area from the
    Exchange
    list, select an Exchange profile.
    Exchange profiles specify any SSO configurations for Microsoft Exchange services, such as Autodiscover, Outlook Anywhere, and so on. The configuration in the Exchange profile is used for Microsoft Exchange clients regardless of any SSO configuration you select from the
    SSO Configuration
    list in this access profile.
  50. In the Configurations area from the
    Exchange
    list, select an Exchange profile that specifies an NTLM Auth configuration.
    The configuration in the Exchange profile is used for Microsoft Exchange clients regardless of any SSO configuration you select from the
    SSO Configuration
    list in this access profile.
  51. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.
To apply this access policy to network traffic, add the access profile to a virtual server.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.