Manual Chapter: Configuring Routing for Access Policies
Applies To: BIG-IP APM
- 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Overview: Selecting a route domain for a session (example)
A route domain is a BIG-IP system object that represents a particular network configuration. Route domains provide the capability to segment network traffic and to define separate routing paths for different network objects and applications. You can create an access policy that assigns users to different route domains with the Route Domain and SNAT Selection action, based on whatever criteria you determine appropriate.
You might use policy routing in a situation such as this: your company has switched from RADIUS authentication to Active Directory authentication, but has not yet completed the full transition. Because of the state of the authentication changeover, you would like your legacy RADIUS users to pass through to a portal access connection on a separate router, instead of allowing full access to your network.
This implementation provides configuration steps for this example.
Task summary
Creating a route domain on the BIG-IP system
Before you create a route domain:
- Ensure that an external and an internal VLAN exist on the BIG-IP system.
- Verify that you have set the current partition on the system to the partition in which you want the route domain to reside.
You can create a route domain on the BIG-IP system to segment (isolate) traffic on your network. Route domains are useful for multi-tenant configurations.
- On the Main tab, click. The Route Domain List screen opens.
- Click Create. The New Route Domain screen opens.
- In the Name field, type a name for the route domain. This name must be unique within the administrative partition in which the route domain resides.
- In the ID field, type an ID number for the route domain. This ID must be unique on the BIG-IP system; that is, no other route domain on the system can have this ID. An example of a route domain ID is 1.
- For the Parent Name setting, retain the default value.
- For the VLANs setting, from the Available list, select a VLAN name and move it to the Members list. Select the VLAN that processes the application traffic relevant to this route domain. Configuring this setting ensures that the BIG-IP system immediately associates any self IP addresses pertaining to the selected VLANs with this route domain.
- Click Finished. The system displays a list of route domains on the BIG-IP system.
You now have another route domain on the BIG-IP system.
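The same route domain can be created from the BIG-IP command line. The following tmsh session is an added example and is not part of this manual; the route domain name rd_legacy, the ID 1, the VLAN name vlan_legacy and the gateway address 192.0.2.1 are assumed values, not values from the manual.

```tmsh
# Added example (not from the manual): tmsh equivalent of the route-domain steps above.
# rd_legacy, ID 1 and vlan_legacy are assumed names. The VLAN must already exist in the
# current partition; its self IP addresses are associated with the new route domain.
create net route-domain rd_legacy id 1 vlans add { vlan_legacy }

# Check: the ID must be unique on the whole system, so list every route domain and
# confirm that no other domain reports "id 1".
list net route-domain

# A route domain has its own routing table. For legacy users to reach the separate router,
# the domain needs its own default route; %1 is the route-domain suffix for ID 1.
# 192.0.2.1 is an assumed (documentation-range) gateway address.
create net route default_legacy network default%1 gw 192.0.2.1%1
list net route default_legacy

# Persist the running configuration.
save sys config
```

Run these at the tmsh prompt (or each one as `tmsh -c "..."` from the advanced shell). The default route is the practical check most often missed: without a route inside the new domain, sessions assigned to it by the policy are isolated but have nowhere to go.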
Create an access profile
You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen opens.
- Click Create. The New Profile screen opens.
- In the Name field, type a name for the access profile. An access profile name must be unique among all access profile names and per-request policy names.
- From the Profile Type list, select one of these options:
- LTM-APM: Select for a web access management configuration.
- SSL-VPN: Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
- ALL: Select to support LTM-APM and SSL-VPN access types.
- SSO: Select to configure matching virtual servers for Single Sign-On (SSO). No access policy is associated with this type of access profile.
- RDG-RAP: Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
- SWG - Explicit: Select to configure access using Secure Web Gateway explicit forward proxy.
- SWG - Transparent: Select to configure access using Secure Web Gateway transparent forward proxy.
- System Authentication: Select to configure administrator access to the BIG-IP system (when using APM as a pluggable authentication module).
- Identity Service: Used internally to provide identity service for a supported integration. Only APM creates this type of profile. You can edit Identity Service profile properties.
Depending on licensing, you might not see all of these profile types. Additional settings display.
- From the Profile Scope list, select one of these options to define user scope:
- Profile: Access to resources behind the profile.
- Virtual Server: Access to resources behind the virtual server.
- Global: Access to resources behind any access profile with global scope.
- Named: Access for SSL Orchestrator users to resources behind any access profile with global scope.
- Public: Access to resources behind the same access profile when the session was established by the Named scope; the check is based on the value and string configured in the Named scope field.
- In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest-priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
- Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.
Verify log settings for the access profile
Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Log settings are configured in the area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen opens.
- Click the name of the access profile that you want to edit. The properties screen opens.
- On the menu bar, click Logs. The access profile log settings display.
- Move log settings between the Available and Selected lists. You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URL request logging only. Logging is disabled when the Selected list is empty.
- Click Update.
An access profile is in effect when it is assigned to a virtual server.
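The access profile creation and the log-settings check above map to a few tmsh commands. This is an added example, not part of the manual; the profile name ap_transition is assumed, `type ssl-vpn` is taken to correspond to the SSL-VPN profile type and `scope profile` to the Profile scope, and the property names `log-settings`, `accept-languages` and `default-language` are stated as assumptions about the tmsh schema for this release.

```tmsh
# Added example (not from the manual): create the access profile and verify its log settings.
# ap_transition is an assumed profile name; en is the assumed accepted/default language.
create apm profile access ap_transition type ssl-vpn scope profile accept-languages add { en } default-language en

# Check: an empty log-settings list means no access-system events are logged for this
# profile. The GUI assigns default-log-setting at creation; confirm it is actually present.
list apm profile access ap_transition log-settings

# If the list is empty (or you want your own setting), attach one explicitly. Up to three
# settings that enable access system logging may be assigned.
modify apm profile access ap_transition log-settings replace-all-with { default-log-setting }

# Inspect what the setting logs and where it publishes, so the audit trail for
# AD-versus-RADIUS routing decisions ends up where you expect.
list apm log-setting default-log-setting

save sys config
```

Checking `log-settings` before the profile is attached to a virtual server avoids the common failure mode where authentication routing is live but produces no log records because the Selected list was emptied during editing.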
Configuring policy routing
To follow the steps in this example, you must have Access Policy Manager AAA server objects created for Active Directory and RADIUS as well.
You configure an access policy similar to this one to route users depending on whether they pass Active Directory authentication or RADIUS authentication. This example illustrates one way to handle a company-wide transition between one type of authentication and another, and to ensure that users get access to the correct resources, however they authenticate.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen opens.
- Click the name of the access profile for which you want to edit the access policy. The properties screen opens for the profile you want to edit.
- On the menu bar, click Access Policy.
- In the General Properties area, click the Edit Access Policy for Profile profile_name link. The visual policy editor opens the access policy in a separate screen.
- On a policy branch, click the (+) icon to add an item to the policy. A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
- On the Logon tab, select Logon Page and click the Add Item button. The Logon Page Agent properties screen opens.
- Make any changes that you require to the logon page properties and click Save. The properties screen closes and the policy displays.
- On the fallback branch after the previous action, click the (+) icon to add an item to the policy. A popup screen opens.
- On the Authentication tab, select AD Auth. A properties screen displays.
- From the Server list, select a server.
- Click Save. The properties screen closes and the policy displays.
- On the Successful branch after the previous action, click the (+) icon. A popup screen opens.
- Assign resources to the users that successfully authenticated with Active Directory.
- On the Assignment tab, select the Advanced Resource Assign agent, and then click Add Item. The Resource Assignment window opens.
- Click Add new entry. An Empty entry displays.
- Click the Add/Delete link below the entry. The screen changes to display resources on multiple tabs.
- On the Network Access tab, select a network access resource.
- Optionally, on the Webtop tab, select a network access webtop.
- Click Update. The popup screen closes.
- Click Save. The properties screen closes and the policy displays.
- Click the ending that follows the Advanced Resource Assign action and change it to an allow ending, by selecting Allow and clicking Save.
- On the fallback branch after the Active Directory action, click the (+) icon to add an item to the access policy. In this case, fallback indicates failure. For users that did not pass Active Directory authentication, you can configure RADIUS authentication and select a route domain for them so that they go to a different gateway. A popup screen opens.
- Type radi in the search field, select RADIUS Auth from the results, and click Add Item. A popup screen opens.
- From the AAA Server list, select a RADIUS server and click Save. The popup screen closes and the visual policy editor displays.
- On the Successful branch after the previous action, click the (+) icon. A popup screen opens.
- On the Assignment tab, select Route Domain and SNAT Selection and click the Add Item button. This opens the popup screen for the action.
- From the Route Domain list, select a route domain and click Save. The popup screen closes and the visual policy editor displays.
- On the Successful branch after the route domain selection action, click the (+) icon. A popup screen opens.
- Assign resources to the users that successfully authenticated with RADIUS.
- On the Assignment tab, select the Advanced Resource Assign agent, and then click Add Item. The Resource Assignment window opens.
- Click Add new entry. An Empty entry displays.
- Click the Add/Delete link below the entry. The screen changes to display resources on multiple tabs.
- On the Network Access tab, select a network access resource. Note that you can assign the same network access resource to clients whether they authenticate with Active Directory or RADIUS. You assigned a different route domain to the clients that successfully authenticated with RADIUS. As a result, the two types of clients reach separate routers.
- Optionally, on the Webtop tab, select a network access webtop.
- Click Update. The popup screen closes.
- Click Save. The properties screen closes and the policy displays.
- Click the ending that follows the Advanced Resource Assign action and change it to an allow ending, by selecting Allow and clicking Save.
- Click the Apply Access Policy link to apply and activate the changes to the policy.
To apply this access policy to network traffic, add the access profile to a virtual server.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.
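The two closing steps, attaching the profile to a virtual server and activating the edited policy, can also be done and checked from tmsh. This is an added example, not part of the manual; the virtual server name vs_vpn, the profile name ap_transition and the route domain name rd_legacy are assumed, and `generation-action increment` is used here as the command-line equivalent of the Apply Access Policy link.

```tmsh
# Added example (not from the manual): put the policy into effect and confirm it.
# vs_vpn, ap_transition and rd_legacy are assumed names.

# A profile only takes effect once a virtual server carries it.
modify ltm virtual vs_vpn profiles add { ap_transition }

# Equivalent of clicking Apply Access Policy: edits to the policy are not live until the
# profile generation is incremented, which is an easy step to forget after VPE changes.
modify apm profile access ap_transition generation-action increment

# Checks: the virtual server lists the profile, the generation counter has advanced, and the
# route domain that the RADIUS branch selects still exists with its VLAN membership.
list ltm virtual vs_vpn profiles
list apm profile access ap_transition generation
list net route-domain rd_legacy

save sys config
```

If `list apm profile access ap_transition generation` reports the same value before and after the increment, the policy shown in the visual policy editor is not the one sessions are evaluated against; re-run the increment and re-check before testing a RADIUS logon.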