Manual Chapter : Common Elements for the Visual Policy Editor in Access Policy Manager

Applies To:


BIG-IP APM

  • 15.0.1, 15.0.0
Common Elements for the Visual Policy Editor in Access Policy Manager

  1. On a policy branch, click the
    (+)
    icon to add an item to the policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  2. On a policy branch, click the
    (+)
    icon to add an item to the policy.
  3. On a policy branch, click the
    (+)
    icon to add an item to the policy.
    Repeat this action from the visual policy editor whenever you want to add an item to the policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  4. On the fallback branch after the previous action, click the
    (+)
    icon to add an item to the policy.
    A popup screen opens.
  5. On the Successful branch after the previous action, click the
    (+)
    icon.
    A popup screen opens.
  6. On a policy branch, click the
    (+)
    icon.
  7. On the menu bar, click
    Access Policy
    .
    Access policy settings display.
  8. Click the
    X
    symbol on a policy item to delete the item from the policy.
  9. Click the
    Save
    button to save changes to the access policy item.
  10. Click
    Save
    .
    The properties screen closes and the policy displays.
  11. Click an
    ending
    on a policy branch to change the ending type.
  12. Click
    Add Item
    .
    A properties screen opens.
  13. Make any changes that you require to the properties and click
    Save
    .
    The properties screen closes and the policy displays.
  14. Select an option to delete the item from the policy, and then click the
    Delete
    button.
    Connect previous node to
    branch_name
    branch
    Connects the input branch of the policy item you delete to the specified output branch rule. This option removes the policy item, but preserves the branch that you specify, so policy items you have configured on the specified branch are preserved.
    Delete all branches
    Deletes all branches originating from the policy item you delete. This option removes the policy item and does not preserve any branch rules configured on the output branches that follow it.
  15. Change the Successful rule branch from
    Deny
    to
    Allow
    , and then click the
    Save
    button.
  16. To grant access at the end of any branch, change the ending from
    Deny
    to
    Allow
    :
    1. Click
      Deny
      .
      The default branch ending is
      Deny
      .
      A popup screen opens.
    2. Select
      Allow
      and click
      Save
      .
      The popup screen closes. The
      Allow
      ending displays on the branch.
  17. Select the Authentication tab.
    The tab displays a list of authentication actions.
  18. To verify user identity by client IP address:
    1. Click the Authentication tab.
    2. Select
      Transparent Identity Import
      .
    3. Click
      Add Item
      .
    Transparent Identity Import imports user identity information from an IF-MAP server and assesses whether the IP address is associated with a known user.
    A Properties screen opens.
  19. On the
    Associated
    branch of the Transparent Identity Import item, add any other actions that you want to perform before allowing access.
    For example, get more information about the user by adding an LDAP query. Based on the result of the query, assign resources by adding Resource Assignment or Advanced Resource Assignment items.
  20. Select
    OCSP Auth
    , and then click
    Add item.
    A properties popup screen opens.
  21. From the
    OCSP Responder
    list, select an OCSP responder.
  22. On the Assignment tab, select the
    Resource Assign
    agent, and then click
    Add Item
    .
    The Resource Assignment screen opens.
  23. Next to each type of resource that you want to assign (
    Network Access
    ,
    Portal Access
    ,
    App Tunnel
    ,
    Remote Desktop
    , or
    SAML
    ), click the
    Add/Delete
    link, and select from available resources.
  24. Next to the
    App Tunnel
    setting, click the
    Add/Delete
    link, and select the application tunnel to assign.
  25. On the Assignment tab, select the
    Advanced Resource Assign
    agent, and then click
    Add Item
    .
    The Resource Assignment screen opens.
  26. On the Assignment tab, select
    SSO Credential Mapping
    and click
    Add Item
    .
    A properties screen opens.
  27. On the Assignment tab, select
    Variable Assign
    and click
    Add Item
    .
    A properties screen opens.
  28. On the Simple tab of the Expression popup screen, click the
    X
    symbol next to an expression to delete that expression.
  29. In the
    Name
    field, type a name for the policy item.
    This name is displayed in the action field for the policy.
  30. In the
    Name
    field, replace the default name by typing a new name over it.
    The default name is Branch Rule
    n
    where
    n
    is a number. The name appears on the branch in the policy and so should be descriptive.
  31. Click the Branch Rules tab to edit a branch rule.
  32. Click the Branch Rules tab.
    The Branch Rules screen opens.
  33. Click the
    Add Branch Rule
    button.
    New
    Name
    and
    Expression
    settings display.
  34. Click the Advanced tab.
    Use this tab to enter Tcl expressions.
    A text input field displays.
  35. Click
    Finished
    .
    The popup screen closes.
  36. Click the
    Add Branch Rule
    button to add a branch rule.
    Select a rule from the
    Insert Before
    list to add the new rule in a specific order.
  37. Click the
    Add New Macro
    button to add a macro from a template to the Add Item popup screen.
  38. Click the
    Edit Endings
    button to create and edit policy endings.
  39. Click
    Add new entry
    to add an entry to the list. To add the entry at a specific place in the list, select the item number before which the new item should appear, from the
    Insert Before
    list.
    A new line is added to the list of entries.
  40. Click
    Add new entry
    to add another entry to the list. To add the entry at a specific place in the list, select the item number before which the new item should appear, from the
    Insert Before
    list.
    A new line is added to the list of entries.
  41. Click
    Add new entry
    .
    A new line is added to the list of entries.
  42. Click the
    X
    next to an entry in the list to remove that entry.
  43. Select
    Save
    to save any changes and return to the policy.
  44. Populate the property fields, referring to online help for more information, select
    Save
    to save any changes and return to the visual policy editor.
  45. On the Endpoint Security (Server-Side) tab, select
    Client Type
    , and then click
    Add Item
    .
    The Client Type action identifies clients and enables branching based on the client type.
    A properties screen opens.
  46. Type
    geo
    in the search field, select
    IP Geolocation Match
    from the results list, and then click
    Add Item
    .
    The default setting for the IP geolocation match policy item is to check that the country code for the IP address is
    US
    .
    A properties screen opens.
  47. Click
    Add new entry
    .
    An
    Empty
    entry displays.
  48. Click the
    Add/Delete
    link below the entry.
    The screen changes to display resources that you can add and delete.
  49. Click the
    Add/Delete
    link below the entry.
    The screen changes to display resources on multiple tabs.
  50. From
    General Purpose
    , select
    Citrix Smart Access
    and click
    Add Item
    .
    The Variable Assign: Citrix Smart Access properties screen opens.
  51. Type the name of a Citrix SmartAccess filter in the open row under Assignment.
    A filter can be any string. Filters are not hardcoded, but must match filters that are configured in the XenApp server for application access control or a user policy.
    In the XenApp server, you must specify
    APM
    as the Access Gateway farm when you configure filters.
  52. To add another filter, click
    Add entry
    and type the name of a Citrix filter in the open row under Assignment.
  53. When you are done adding filters, click
    Save
    to return to the visual policy editor.
  54. Click
    Add new entry
    .
    An
    empty
    entry displays in the Assignment table.
  55. Click the
    change
    link next to the empty entry.
    A dialog box, where you can enter a variable and an expression, opens.
  56. Click
    Finished
    to save the variable and expression and return to the Variable Assign action popup screen.
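Worked examples of the Custom Expression side of a Variable Assign entry, written in the Tcl that the expression field accepts (the same form as the `expr { [mcget -secure {...}] }` expression used later in this chapter). These are added illustrations, not from the manual: the variable `session.logon.last.domain`, the domain value `EXAMPLE`, and the secure-copy target `session.logon.last.password1` are assumed for the example. `mcget` (with `-secure` for secure variables) is the APM Tcl call that reads a session variable; whatever the expression returns is stored in the Custom Variable named on the left side of the entry.

```tcl
# Variable Assign: each entry pairs a Custom Variable (left side) with a
# Custom Expression (right side). The expression's return value becomes
# the variable's value; mcget reads an existing session variable.
# Entries are shown below as "variable <- expression".

# 1. session.logon.last.domain <- a fixed domain so the user is not asked
#    for it again (for example, the XML Broker domain in the Citrix steps).
#    The value EXAMPLE is an assumed placeholder.
expr { "EXAMPLE" }

# 2. session.logon.last.username <- strip any DOMAIN\ prefix and lower-case
#    the name, so downstream AD/LDAP queries see one consistent form.
expr { [string tolower [lindex [split [mcget {session.logon.last.username}] "\\"] end]] }

# 3. session.logon.last.password1 <- a copy of the logon password.
#    Select Secure (not Unsecure) for this entry so the value is kept out of
#    logs and unsecured variable lookups, and read the source with -secure.
expr { [mcget -secure {session.logon.last.password}] }
```

Entry 2 is the kind of normalization to apply before an AD or LDAP query so that group lookups and branch rules are not defeated by `DOMAIN\User` versus `user` spellings; entry 3 shows why the Secure setting matters for anything derived from a credential.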
  57. On the Assignment tab, select
    Advanced Resource Assign
    and click
    Add Item
    .
    The properties screen opens.
  58. Select the Remote Desktop tab.
    A list of remote desktop resources is displayed.
  59. Select a remote desktop resource and click
    Update
    .
    The properties screen opens where
    Remote Desktop
    and the name of the selected resource are displayed.
  60. Select the Webtop tab.
    A list of webtops is displayed.
  61. Select a webtop and click
    Update
    .
    The screen changes to display properties, and the name of the selected webtop is displayed.
  62. On the Webtop tab, select a full webtop.
  63. On the Static ACL tab, select an ACL that rejects all connections.
    Adding an ACL that is last in order and rejects all connections keeps users from accessing any host and port combinations other than those to which they have been explicitly allowed access by the other ACLs assigned to the policy.
  64. Select any other resources that you want to assign to the policy.
    If you assign a Network Access resource to the policy, be sure to also assign an ACL that allows access to the resources that you want users to have. Otherwise, the ACL that rejects all connections blocks access.
    If you assign a Portal Access resource to the policy, be sure to also assign an ACL that allows access to all parts of the web sites specified in the start URI or hosted content fields of the Portal Access configuration. Otherwise, the ACL that rejects all connections blocks access.
  65. Click
    Add Expression
    .
    The expression displays.
  66. Click
    Add Expression
    .
    New properties display.
  67. Type
    var
    in the search field, select
    Variable Assign
    from the results list, and then click
    Add Item
    .
    The Variable Assign properties screen opens.
  68. On the Endpoint Security (Server-Side) tab, select
    Client for MS Exchange
    and click
    Add Item
    to add the action to the policy.
    The Client for MS Exchange action popup screen opens.
  69. On the Logon tab, select
    Logon Page
    and click the
    Add Item
    button.
    The Logon Page Agent properties screen opens.
  70. Make any changes that you require to the logon page properties and click
    Save
    .
    The properties screen closes and the policy displays.
  71. Add one or more authentication checks on the fallback branch after the
    Logon Page
    action.
    Select the authentication checks that are appropriate for application access at your site.
  72. Click the
    Close
    button to close the visual policy editor.
  73. Add any other branches and actions that you need to complete the policy.
  74. Complete the policy:
    1. Add any additional policy items you require.
    2. Change the ending from
      Deny
      to
      Allow
      on any access policy branch on which you want to grant access.
  75. On the Assignment tab, select the
    AD Group Resource Assign
    agent, and then click
    Add Item
    .
    The AD Group Resource Assign screen opens, displaying a blank entry in the Groups area.
  76. On the Assignment tab, select the
    LDAP Group Resource Assign
    agent, and then click
    Add Item
    .
    The LDAP Group Resource Assign screen opens.
  77. In the Groups area, click the
    edit
    link for the entry that you want to update.
    A popup screen opens to the Groups tab.
  78. If you need to add a group, in the
    New Group
    field, type the name of a group that exists on the server and click
    Add group manually
    .
    When the access policy runs, this action queries the group names using the
    memberOf
    attribute in the directory.
    The group displays in the list on the Groups tab.
  79. Select at least one group.
  80. Repeat these steps for each type of resource that you require.
    The screen displays one tab for each resource type.
    1. Click a tab.
    2. Select the resources that you want to assign to the selected groups.
    Typical resource assignment rules apply. For example, you can assign multiple webtop links to a group, but you can assign only one webtop.
  81. After you assign items, click the
    Update
    button.
    The
    AD Group Resource Assign
    screen opens, and shows the current assignments as an entry in the Groups table.
  82. Click the
    Update
    button.
    The
    LDAP Group Resource Assign
    screen opens, and displays the groups and resources in the entry in the Groups table.
  83. To identify a user transparently using information provided by a Secure Web Gateway (SWG) user identification agent, perform these steps:
    For this step of the access policy to succeed, you must have installed and configured either the F5 DC Agent or the F5 Logon Agent. Either agent is supported on a BIG-IP system with an SWG subscription only.
    1. On a policy branch, click the plus symbol
      (+)
      to add an item to the policy.
    2. From the Authentication tab, select
      Transparent Identity Import
      and click
      Add Item
      .
      The transparent identity import access policy item searches the database in the IF-MAP server for the client source IP address. By default, this access policy item has two branches: associated and fallback.
      A properties screen opens.
    3. Click
      Save
      .
      The visual policy editor opens.
    4. Add any additional access policy items to the fallback or associated branches.
      For example, you might add Kerberos authentication on the fallback branch.
  84. Assign an SWG scheme to the policy:
    Scheme assignment is mandatory.
    1. Click the
      (+)
      icon anywhere in the policy to add a new action item.
    2. On the Assignment tab, select
      SWG Scheme Assign
      and click
      Add Item
      .
      A properties screen opens.
    3. To display the available schemes, click the
      Add/Delete
      link.
    4. Select one scheme and click
      Save
      .
      The properties screen closes and the policy displays.
  85. On the Authentication tab, select
    AD Auth
    .
    A properties screen displays.
  86. From the
    Server
    list, select a server.
  87. To support Citrix Receiver clients, you must set
    Max Logon Attempts
    to 1.
  88. On the Authentication tab, select
    LocalDB Auth
    .
    A properties screen displays.
  89. From the
    LocalDB Instance
    list, select a local user database.
  90. From the
    Max Logon Attempts Allowed
    list, select a number from 1 to 5.
    This defaults to 3. If the user fails to log in after this number of tries, the user is locked out.
  91. Type
    local
    in the search field.
    Search is not case-sensitive.
    A list of matching actions is displayed.
  92. Select
    Local Database
    and click
    Add Item
    .
    A properties screen displays.
  93. Add a
    Local Database
    action.
    A properties screen for the action opens.
  94. In the
    User Name
    field, retain the default session variable or type another variable name or a user name.
  95. To support APM On-Demand certificate authentication, type the name of a NATIVE cipher in the
    Ciphers
    field.
    The list of supported NATIVE ciphers includes these:
    • RC4-MD5
    • RC4-SHA
    • AES128-SHA
    • AES256-SHA
    • DES-CBC3-SHA
    • DES-CBC-SHA
    • EXP1024-RC4-MD5
    • EXP1024-RC4-SHA
    • EXP1024-DES-CBC-SHA
    • EXP-RC4-MD5
    • EXP-DES-CBC-SHA
    • NULL-MD5
    • NULL-SHA
    Of these, RC4, single DES, the export-grade EXP ciphers, and the NULL ciphers are cryptographically weak or provide no confidentiality at all. Choose AES128-SHA or AES256-SHA unless a legacy client requires one of the others.
  96. If you specified an NTLM Auth configuration in the access profile, verify that authentication succeeded.
    1. On the Authentication tab, select
      NTLM Auth Result
      .
    2. Click
      Add Item
      .
      A properties popup screen opens.
    3. Click
      Save
      .
      The properties screen closes. The policy displays.
  97. To supply LDAP group information for use in the per-request policy, add an LDAP Query item anywhere in the policy and configure its properties:
    1. From the
      Server
      list, select an AAA LDAP server.
      An LDAP Query uses SSL connections when you select an LDAP AAA server that is configured for LDAPS.
    2. Specify the
      SearchDN
      , and
      SearchFilter
      settings.
      SearchDN is the base DN from which the search is done.
    3. Click
      Save
      .
    This item populates the
    session.ldap.last.attr.memberOf
    session variable.
  98. To supply Active Directory groups for use in the per-request policy, add an AD Query item anywhere in the policy and configure its properties:
    1. From the
      Server
      list, select an AAA AD server.
    2. Select the
      Fetch Primary Group
      check box.
      The value of the primary user group populates the
      session.ad.last.attr.primaryGroupID
      session variable.
    3. Click
      Save
      .
  99. To supply RADIUS class attributes for use in the per-request policy, add a RADIUS Auth item anywhere in the policy and configure its properties:
    1. From the
      Server
      list, select an AAA RADIUS server.
    2. Click
      Save
      .
    This item populates the
    session.radius.last.attr.class
    session variable.
  100. To supply local database groups for use in the per-request policy, add a Local Database item anywhere in the policy and configure its properties:
    1. From the
      LocalDB Instance
      list, select a local user database.
    2. In the
      User Name
      field, retain the default session variable.
    3. Click
      Add new entry
      .
      A new line is added to the list of entries with the Action set to
      Read
      and other default settings.
    4. In the Destination column
      Session Variable
      field, type
      session.localdb.groups
      .
      If you type a name other than
      session.localdb.groups
      , note it. You will need it when you configure the per-request access policy.
    5. In the Source column from the
      DB Property
      list, select
      groups
      .
    6. Click
      Save
      .
    This item populates the
    session.localdb.groups
    session variable.
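Worked Tcl branch-rule expressions that consume the session variables populated by the LDAP Query, AD Query, RADIUS Auth and Local Database items described above, of the kind you type on the Advanced tab of the Branch Rules screen. These are added examples, not from the manual: the group names, DNs, the RADIUS class value and the RID 513 are assumed for illustration. `mcget` and the `contains` string operator are the APM Tcl extensions used in the Visual Policy Editor.

```tcl
# Branch Rules tab, Advanced tab: a rule's Tcl expression must evaluate to
# true (non-zero) for the policy to take that branch. Rules are tested in
# the order listed; the first match wins, and fallback is taken otherwise.
# Group names, DNs and the RID below are assumed values for this example.

# AD: memberOf is multi-valued; APM stores the values in a single string,
# so test for a substring. Keep the trailing comma so "CN=VPN-Users," does
# not also match a group such as "CN=VPN-Users-Test". contains is
# case-sensitive, so match the case the directory returns.
expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=VPN-Users," }

# AD: primary group by RID (513 is Domain Users), populated when
# Fetch Primary Group is selected on the AD Query item.
expr { [mcget {session.ad.last.attr.primaryGroupID}] == 513 }

# LDAP: same memberOf pattern, combined with an exclusion so that a user in
# both groups is sent to a different branch.
expr { ([mcget {session.ldap.last.attr.memberOf}] contains "cn=remote-access,") &&
       !([mcget {session.ldap.last.attr.memberOf}] contains "cn=contractors,") }

# RADIUS: the class attribute holds whatever the RADIUS server returns;
# the value here is assumed.
expr { [mcget {session.radius.last.attr.class}] contains "OU=Staff" }

# Local database: groups read into session.localdb.groups by the Local
# Database item (Action Read, DB Property groups).
expr { [mcget {session.localdb.groups}] contains "vpn-users" }
```

Because a rule that matches nothing silently falls through to fallback, keep the fallback ending on these items at Deny and put the most restrictive rule first when one user can match several.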
  101. On the
    Authentication
    tab, select
    OAuth Client
    .
  102. From the
    Server
    list, select an OAuth server.
    Only OAuth servers configured with
    Mode
    set to
    Client
    or
    Client + Resource Server
    display.
  103. From the
    Server
    list, select an OAuth server.
    Only OAuth servers configured with
    Mode
    set to
    Resource Server
    or
    Client + Resource Server
    display.
  104. From the
    Grant Type
    list, select one of these options:
    • Authorization code
      - Redirects the user to the external server to authenticate. The user is redirected back to APM with an authorization code. APM uses the authorization code to request an access token
    • Password
      - Requests an access token from the external server by using the user's credentials (username and password). If this method is configured, the user must provide their external credentials to APM; to make this happen you must insert a logon page before the OAuth Client item in the access or the per-request policy.
    If you select
    Authorization code
    , the
    Redirection URI
    field displays.
  105. Select requests to make to the OAuth server:
    Requests are configured in the
    Access
    Federation
    OAuth Client / Resource Server
    Requests
    area of the product.
    • Authentication Redirect Request
      - Specifies an auth-redirect-request type request, which redirects a user to an OAuth server. Displays when
      Grant Type
      is set to
      Authorization code
      .
    • Token Request
      - Specifies a token-request type of request.
    • Refresh Token Request
      - Specifies a token-refresh-request type of request.
    • Validate Token Request
      - Specifies a validation-scopes-request type of request, which can get a list of scopes for the token and get data for the scopes.
  106. If the
    Redirection URI
    field displays, retain the default value (
    https://%{session.server.network.name}/oauth/client/redirect
    ) or type a URI that points back to the APM client.
    If you type a URI, you must retain this path
    /oauth/client/redirect
    . Only change the host name portion of the URI.
    The OAuth server uses the URI to send the user back to APM.
  107. In the
    Scope
    field, type one or more scopes separated by spaces.
    Each time you add another OAuth Client agent to a policy, you must include the scopes (for example,
    email photos
    ) that were requested in the previous instance of the OAuth Client and append any additional scopes (for example, contacts) to the list (for example,
    email photos contacts
    ).
    Read the OAuth provider documentation to learn the names of the scopes that they support and the URIs where you can obtain the data.
  108. On the
    Authentication
    tab, select
    OAuth Scope
    .
  109. To get a list of scopes associated with an access token, from the
    Scopes Request
    list, select a request to send to the OAuth provider.
    The list displays validation-scopes-request types.
    If F5 (APM) is the OAuth provider, select
    F5ScopesRequest
    .
    Requests are configured in the
    Federation
    OAuth Client / Resource Server
    Requests
    area of the product.
  110. To add requests for scope data (for example, to request a user's email address or profile), perform these steps:
    1. Click
      Add new entry
      .
      A new line is added to the list of entries.
    2. In the
      Scope Name
      field, type the name of a scope that the OAuth provider supports.
      The scope must be associated with the access token. (The user must have granted permission for this scope.)
      For example, some OAuth providers support scopes named
      email
      or
      profile
      .
    3. From the
      Request
      list, select a request.
      The list includes scope-data-request types. Select one that you configured to meet the requirements of the specific OAuth provider.
  111. Click
    Save
    .
    The Properties screen closes. The newly added item displays in the policy.
  112. If you selected
    Password
    from the
    Grant Type
    list, you must insert a logon page agent to precede the OAuth Client agent.
    1. Click (
      +
      ) ahead of the
      OAuth Client
      on the policy branch.
    2. On the Logon Page tab, select
      OAuth Logon Page
      and click
      Add Item
      .
      A Properties screen displays.
    3. Click
      Save
      .
      The properties screen closes. The policy displays.
  113. Complete the policy:
    1. Add any branch rules that you need.
      By default, the
      OAuth Client
      item has a successful branch for any valid non-error JSON response it receives. However, you can add other branch rules based on authorization server response to suit your needs.
    2. Change branch endings as needed; change
      Deny
      to
      Allow
      where you want to provide access.
  114. To rename the subroutine or to update number of seconds that the subroutine has to complete its interactions with the OAuth server, perform these steps:
    1. Click
      Subroutine Settings/Rename
      .
    2. To rename the subroutine, type in the
      Name
      field.
    3. To update the timeout, type a number in the
      Subroutine Timeout (sec)
      field.
      No additional settings on this screen are applicable to the OAuth Client and OAuth Scope items.
    4. Click
      Save
      .
      The popup screen closes. The subroutine displays in the policy.
  115. To add an OpenID Connect UserInfo request to the agent, perform these steps:
    1. For
      OpenID Connect
      , select
      Enabled
      .
      Additional fields display.
    2. For
      OpenID Connect Flow Type
      , retain
      Authorization code
      , or select
      Hybrid
      and then select an entry for
      OpenID Connect Hybrid Response Type
      .
    3. For
      OpenID Connect UserInfo Request
      , select a request.
  116. Additional common substeps:
    1. On a policy branch, click the plus symbol
      (+)
      to add an item to the policy.
    2. On the Assignment tab, select the
      Advanced Resource Assign
      agent, and then click
      Add Item
      .
      The Resource Assignment window opens.
    3. Click
      Add new entry
      .
      An
      Empty
      entry displays.
    4. From the left-side list, select
      Custom Variable
      (the default), and type
      session.logon.last.password
      .
    5. From the right-side list, select
      Custom Expression
      (the default), and type
      expr { [mcget -secure {
      session.logon.last.password1
      }] }
      .
    6. Click
      Add new entry
      .
      An
      empty
      entry appears in the Assignment table.
    7. Click the
      Add/Delete
      link below the entry.
      The screen changes to display resources on multiple tabs.
    8. On the Remote Desktop tab, select the VMware View remote desktop resource that you configured previously.
      A system-defined ACL for the remote desktop resource is automatically assigned to the policy. The ACL specifies the allow action for the resource items associated with the remote desktop resource.
    9. On the Static ACL tab, select an ACL that rejects all connections.
      Adding an ACL that is last in order and rejects all connections keeps users from accessing any host and port combinations other than those to which they have been explicitly allowed access by the other ACLs assigned to the policy.
    10. On the Webtop tab, select a full webtop and click
      Update
      .
      The properties screen closes and the resources you selected are displayed.
    11. On the Webtop tab, select a full webtop.
    12. Click
      Update
      .
      The popup screen closes.
    13. Click the Branch Rules tab.
      Select a rule from the
      Insert Before
      list to add the new rule in a specific order.
    14. Click the Branch Rules tab.
    15. Click
      Add Branch Rule
      .
      A new entry with
      Name
      and
      Expression
      settings displays.
    16. In the
      Name
      field, replace the default name by typing a new name.
      The name appears on the branch in the policy.
    17. Type
      local
      in the search field.
      Search is not case-sensitive.
      A list of matching actions displays.
    18. Select
      Local Database
      and click
      Add Item
      .
      A properties screen opens.
    19. Click the
      Add Expression
      button.
      Settings are displayed.
    20. From the
      Unsecure
      list, select
      Secure
      .
    21. Click
      Finished
      .
      The popup screen closes.
    22. On the Logon tab, select
      Logon Page
      and click the
      Add Item
      button.
      The Logon Page Agent properties screen opens.
    23. Make any changes that you require to logon page properties and click
      Save
      .
      The properties screen closes and the policy displays.
    24. Click
      Finished
      .
      The popup screen closes.
    25. Click
      Add Item
      .
      A popup screen opens.
    26. Click
      Save
      .
      The properties screen closes and the policy displays.
    27. On the Successful branch after the previous action, click the
      (+)
      icon.
      An Add Item screen opens, listing predefined actions that are grouped on tabs such as General Purpose, Authentication, and so on.
    28. After the SSO Credential Mapping action, click the
      (+)
      icon.
    29. Click the
      change
      link next to the empty entry.
      A dialog box opens, where you can enter a variable and an expression.
    30. On the Assignment tab, type
      var
      in the search field, select
      Variable Assign
      from the results, and click
      Add Item
      .
      Use the Variable Assign action to pass the domain name for an XML Broker so that a user is not repeatedly queried for it.
      A properties screen opens.
    31. On the Logon tab, select
      HTTP 401 Response
      and click
      Add Item
      .
      A Properties screen opens.
    32. On the Logon tab, select
      HTTP 407 Response
      and click
      Add Item
      .
      A properties screen opens.
    33. From the
      HTTP Auth Level
      list, select
      negotiate
      and click
      Save
      .
      The properties screen closes.
    34. Click the
      (+)
      icon on the
      negotiate
      branch.
      A popup screen opens.
    35. On the Authentication tab, select
      Kerberos Auth
      and click
      Add Item
      .
      A properties screen opens.
    36. From the
      AAA Server
      list, select an existing server.
    37. From the
      Request Based Auth
      list, select
      Disabled
      .
    38. On the Assignment tab, select
      SSO Credential Mapping
      and click
      Add Item
      .
      The SSO Credential Mapping screen opens.
    39. After the SSO Credential Mapping action, click the
      Deny
      ending.
      A popup screen opens.
    40. Select
      OTP Generate
      and click
      Add Item
      .
      A popup screen opens.
    41. On the Logon tab, select
      VMware View Logon Page
      , and click
      Add Item
      .
      A properties screen displays.
    42. In the
      Name
      field, change the name of the action.
    43. From
      VMware View Logon Screen Type
      , select
      Disclaimer
      .
    44. In the Customization area from the
      Language
      list, select the language for the message.
    45. In the
      Disclaimer message
      field, type the message to display on the logon page.
    46. On the Authentication tab, click
      LocalDB Auth
      .
      A properties screen displays.
    47. From the
      LocalDB Instance
      list, select a local user database.
      Authentication fails if the user does not exist in this local user database instance.
    48. From the
      LocalDB Instance
      list, select a local user database.
    49. From the
      Max Logon Attempts Allowed
      list, select a number from 1-5.
      This defaults to 3. If the user fails to log in after this number of tries, the user is locked out.
    50. Click
      Add new entry
      .
      A new line is added to the list of entries.
    51. Click
      Add new entry
      .
      A new line is added to the list of entries with the Action set to
      Read
      and other default settings.
    52. From the
      Action
      list, select
      Write
      .
      The content of the Destination and Source columns changes.
    53. In the
      User Name
      field, retain the default session variable or type another variable name or a user name.
    54. Click
      Save
      .
      The dialog box closes; the properties screen remains open.
    55. Select any other resources that you want to assign to the policy.
      If you assign a Network Access resource to the policy, be sure to also assign an ACL that allows access to the resources that you want users to have. Otherwise, the ACL that rejects all connections blocks access.
      If you assign a Portal Access resource to the policy, be sure to also assign an ACL that allows access to all parts of the web sites specified in the start URI or hosted content fields of the Portal Access configuration. Otherwise, the ACL that rejects all connections blocks access.
    The
    Max Logon Attempts Allowed
    setting specifies the number of attempts that an external client without a Kerberos ticket can make to authenticate on the forward proxy.