Applies To: 15.0.1, 15.0.0
Configuring Web Access
Overview: Configuring APM for web access management
About ways to time out a web access management session
- The Windows Cache and Session Control access policy item
- Terminates a user session when it detects that the browser screen has closed. You can also configure it to provide inactivity timeouts for the user session using the Terminate session on user inactivity setting.
- Maximum Session Timeout access profile setting
- Provides an absolute limit for the duration of the access policy connection, regardless of user activity. To ensure that a user session closes after a certain number of seconds, configure this setting.
- Inactivity Timeout access profile setting
- Terminates the session after there is no traffic flow for a specified number of seconds. Depending on the application, you might not want to set this to a very short duration, because many applications cache user typing and generate no traffic for an extended period. In this scenario, a session can time out while the application is still in use, and the content of the user input is not relayed back to the server.
Creating a pool of web servers
- On the Main tab, click . The Pool List screen opens.
- Click Create. The New Pool screen opens.
- In the Name field, type a unique name for the pool.
- In the Resources area, for the New Members setting, add to the pool the application servers that host the web application:
  - Type an IP address in the Address field.
  - In the Service Port field, type a port number (for example, type 80 for the HTTP service), or select a service name from the list.
Creating an access profile
- On the Main tab, click . The Access Profiles (Per-Session Policies) screen opens.
- Click Create. The New Profile screen opens.
- In the Name field, type a name for the access profile. An access profile name must be unique among all access profile and per-request policy names.
- From the Profile Type list, select SSL-VPN. Additional settings display.
- From the Profile Scope list, retain the default value or select another.
  - Profile: Gives a user access only to resources that are behind the same access profile. This is the default value.
  - Virtual Server: Gives a user access only to resources that are behind the same virtual server.
  - Global: Gives a user access to resources behind any access profile that has global scope.
- To configure timeout and session settings, select the Custom check box.
- In the Inactivity Timeout field, type the number of seconds that should pass before the access policy times out. Type 0 to set no timeout. If there is no activity (defined by the Session Update Threshold and Session Update Window settings in the Network Access configuration) between the client and server within the specified threshold time, the system closes the current session.
- In the Access Policy Timeout field, type the number of seconds that should pass before the access profile times out because of inactivity. Type 0 to set no timeout.
- In the Maximum Session Timeout field, type the maximum number of seconds the session can exist. Type 0 to set no timeout.
- In the Max Concurrent Users field, type the maximum number of users that can use this access profile at the same time. Type 0 to set no maximum.
- In the Max Sessions Per User field, type the maximum number of concurrent sessions that one user can start. Type 0 to set no maximum. Only a user in the administrator, application editor, manager, or resource administrator role has access to this field.
- In the Max In Progress Sessions Per Client IP field, type the maximum number of concurrent sessions that can be in progress for a client IP address. When setting this value, take into account whether users will come from a NAT-ed or proxied client address and, if so, consider increasing the value accordingly. The default value is 128. Only a user in the administrator, application editor, manager, or resource administrator role has access to this field. F5 does not recommend setting this value to 0 (unlimited).
- Select the Restrict to Single Client IP check box to restrict the current session to a single IP address. This setting associates the session ID with the IP address. Only a user in the administrator, application editor, manager, or resource administrator role has access to this field. Upon a request to the session, if the IP address has changed, the request is redirected to a logout page, the session ID is deleted, and a log entry is written to indicate that a session hijacking attempt was detected. If such a redirect is not possible, the request is denied and the same events occur.
- To configure logout URIs, in the Configurations area, type each logout URI in the URI field, and then click Add.
- In the Logout URI Timeout field, type the delay in seconds before logout occurs for the customized logout URIs defined in the Logout URI Include list.
- To configure SSO:
  - For users to log in to multiple domains using one SSO configuration, skip the settings in the SSO Across Authentication Domains (Single Domain mode) area. You can configure SSO for multiple domains only after you finish the initial access profile configuration.
  - For users to log in to a single domain using an SSO configuration, configure settings in the SSO Across Authentication Domains (Single Domain mode) area, or you can configure SSO settings after you finish the initial access profile configuration.
- In the Domain Cookie field, specify a domain cookie, if the application access control connection uses a cookie.
- In the Cookie Options setting, specify whether to use a secure cookie.
  - If the policy requires a secure cookie, select the Secure check box to add the secure keyword to the session cookie.
  - If you are configuring an LTM access scenario that uses an HTTPS virtual server to authenticate the user and then sends the user to an existing HTTP virtual server to use applications, clear this check box.
- If the access policy requires a persistent cookie, in the Cookie Options setting, select the Persistent check box. This sets cookies if the session does not have a webtop. When the session is first established, session cookies are not marked as persistent; but when the first response is sent to the client after the access policy completes successfully, the cookies are marked persistent. Persistent cookies are updated for the expiration timeout every 60 seconds. The timeout is equal to the session inactivity timeout. If the session inactivity timeout is overwritten in the access policy, the overwritten value is used to set the persistent cookie expiration.
- From the SSO Configurations list, select an SSO configuration.
- In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
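The following is an added illustration, not APM code, of how the session limits described in the timeout overview and in the access profile settings above interact: the Maximum Session Timeout is absolute from session creation, the Inactivity Timeout runs from the last request, a value of 0 disables either, and with Restrict to Single Client IP a changed address ends the session and logs a suspected hijacking attempt. The class name, the `sess-N` session ids, the log list and the 203.0.113.x / 198.51.100.x client addresses are all constructed for the example.

```python
# Added illustration (not APM code): a toy session store that applies the profile
# timeouts and the Restrict to Single Client IP check described on this page.
# Times are plain integers (seconds) passed in by the caller so behaviour is deterministic.

class WebAccessSessionStore:
    def __init__(self, inactivity_timeout=900, max_session_timeout=0,
                 restrict_single_ip=True):
        # As in the access profile, 0 means "no timeout" for either value.
        self.inactivity_timeout = inactivity_timeout
        self.max_session_timeout = max_session_timeout
        self.restrict_single_ip = restrict_single_ip
        self.sessions = {}          # session id -> {ip, created, last_seen}
        self.log = []               # assumed log sink; APM writes its own log entries
        self._next_id = 0

    def create(self, client_ip, now):
        """Establish a session bound to the client IP that started it."""
        self._next_id += 1
        sid = f"sess-{self._next_id}"
        self.sessions[sid] = {"ip": client_ip, "created": now, "last_seen": now}
        return sid

    def check(self, sid, client_ip, now):
        """Evaluate one request. Returns 'allow' or the reason the session ended."""
        s = self.sessions.get(sid)
        if s is None:
            return "no-session"
        # Maximum Session Timeout: absolute limit measured from session creation.
        if self.max_session_timeout and now - s["created"] >= self.max_session_timeout:
            return self._terminate(sid, "max-session-timeout")
        # Inactivity Timeout: measured from the last request seen on the session.
        if self.inactivity_timeout and now - s["last_seen"] >= self.inactivity_timeout:
            return self._terminate(sid, "inactivity-timeout")
        # Restrict to Single Client IP: a changed address ends the session and is logged
        # as a suspected hijacking attempt (the page describes a redirect to logout).
        if self.restrict_single_ip and client_ip != s["ip"]:
            self.log.append(f"{sid}: session hijacking attempt detected "
                            f"({s['ip']} -> {client_ip})")
            return self._terminate(sid, "ip-mismatch")
        s["last_seen"] = now
        return "allow"

    def persistent_cookie_expiry(self, sid, now):
        """Persistent cookie expiry equals the session inactivity timeout (see above)."""
        return now + self.inactivity_timeout if sid in self.sessions else None

    def _terminate(self, sid, reason):
        del self.sessions[sid]
        self.log.append(f"{sid}: session terminated ({reason})")
        return reason
```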
Creating an access policy for web access management
- On the Main tab, click . The Access Profiles (Per-Session Policies) screen opens.
- In the Per-Session Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- On a policy branch, click the (+) icon to add an item to the policy. A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
- On the Logon tab, select Logon Page and click the Add Item button. The Logon Page Agent properties screen opens.
- Make any changes that you require to the logon page properties and click Save. The properties screen closes and the policy displays.
- On a policy branch, click the (+) icon to add an item to the policy. Repeat this action from the visual policy editor whenever you want to add an item to the policy. A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
- From the Authentication tab, select an authentication item.
- Configure the properties for the authentication item and click Save when you are done. You can configure multiple authentication items in an access policy. You have now configured a basic access policy.
- Add endpoint security checks or other items that you require to the access policy. Optionally, you can assign a pool of web servers in the access policy using the Pool Assign action; if you do, this pool takes precedence over the pool you assign to the virtual server configuration. You can add a Windows Cache and Session Control item to configure a way to terminate the session.
- To grant access at the end of any branch, change the ending from Deny to Allow:
  - Click Deny. The default branch ending is Deny. A popup screen opens.
  - Select Allow and click Save. The popup screen closes. The Allow ending displays on the branch.
- Click the Apply Access Policy link to apply and activate the changes to the policy.
Creating a virtual server
- On the Main tab, click . The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address field, type the IP address for a host virtual server. This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
- In the Service Port field, type 80 (for HTTP) or 443 (for HTTPS), or select HTTP or HTTPS from the list.
- For the HTTP Profile setting, verify that the default HTTP profile, http, is selected.
- For the SSL Profile (Client) setting, select a client SSL profile. If the web server uses SSL, the client should use SSL.
- For the SSL Profile (Server) setting, select an SSL server profile. If the web server uses SSL, the virtual server should use SSL.
- In the Content Rewrite area, retain the default settings. The web access management access type eliminates the need for content rewriting. The default values for the Rewrite Profile and the HTML Profile settings are None.
- In the Access Policy area, from the Access Profile list, select the access profile you configured previously. Retain the default values for other settings in the Access Policy area.
- From the HTTP Compression Profile list, select httpcompression. You can use compression to provide a better end user experience, particularly where there is limited bandwidth or high latency between the virtual server and the client.
- In the Resources area of the screen, from the Default Pool list, select the relevant pool name.