F5 Logo MyF5
Search
  1. MyF5 Home
  2. BIG-IP Access Policy Manager: Implementations
  3. Configuring Web Access Management
Manual Chapter : Configuring Web Access Management

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Manual Chapter

Configuring Web Access Management

Overview: Configuring APM for web access management

Access Policy Manager (APM) web access management provides the ability to access web applications through a web browser without the use of tunnels or specific resources. With this type of access, APM communicates with backend web servers, forwarding requests from the client to web servers within a local traffic pool.
In a configuration that controls traffic and requests directed to your internal servers, using APM with Local Traffic Manager provides additional security. APM communicates with backend web servers, forwarding requests from the client to web servers within a local traffic pool. APM allows access to the local traffic pool only after the user passes through an access policy that typically contains authentication actions, endpoint security checks, and ACLs.

About ways to time out a web access management session

The web access management access type does not have a logout mechanism; as a result configuring a timeout is important. Access Policy Manager (APM) provides these options.
The Windows Cache and Session Control access policy item
Terminates a user session when it detects that the browser screen has closed. You can also configure it to provide inactivity timeouts for the user session using the Terminate session on user inactivity setting.
Maximum Session Timeout access profile setting
Provides an absolute limit for the duration of the access policy connection, regardless of user activity. To ensure that a user session closes after a certain number of seconds, configure this setting.
Inactivity Timeout access profile setting
Terminates the session after there is no traffic flow for a specified number of seconds.
Depending on the application, you might not want to set this to a very short duration, because many applications cache user typing and generate no traffic for an extended period. In this scenario, a session can time out while the application is still in use, but the content of the user input is not relayed back to the server.
.

Creating a pool of web servers

You can create a pool of servers for Access Policy Manager (APM) to perform access control for web application servers configured as local traffic pool members.
When you implement a service with multiple hosts, access through the virtual server for new requests causes the load balancing algorithm for the associated member pool to select a new server. This can cause problems if persistence to a particular host is required.
When you add web servers as members of the pool, select the HTTPS service if the web server uses SSL, to maintain consistency between APM and the web servers.
  1. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  2. Click
    Create
    .
    The New Pool screen opens.
  3. In the
    Name
     field, type a unique name for the pool.
  4. In the Resources area, for the
    New Members
     setting, add to the pool the application servers that host the web application:
    1. Type an IP address in the
      Address
       field.
    2. In the
      Service Port
       field, type a port number (for example, type
      80
       for the HTTP service), or select a service name from the list.
    3. Click
      Add
      .
  5. Click
    Finished
    .
The new pool appears in the Pools list.

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click
    Create
    .
    The New Profile screen opens.
  3. In the
    Name
     field, type a name for the access profile.
    A access profile name must be unique among all access profile and any per-request policy names.
  4. From the
    Profile Type
     list, select
    SSL-VPN
    .
    Additional settings display.
  5. From the
    Profile Scope
     list, retain the default value or select another.
    • Profile
      : Gives a user access only to resources that are behind the same access profile. This is the default value.
    • Virtual Server
      : Gives a user access only to resources that are behind the same virtual server.
    • Global
      : Gives a user access to resources behind any access profile that has global scope.
  6. For
    Customization Type
    , select
    Modern
    .
    You can also use
    Standard
     but
    Modern
     customization is simpler and provides better compatibility for modern cross-platform and cross-device applications.
  7. To configure timeout and session settings, select the
    Custom
     check box.
  8. In the
    Inactivity Timeout
     field, type the number of seconds that should pass before the access policy times out. Type
    0
     to set no timeout.
    If there is no activity (defined by the
    Session Update Threshold
     and
    Session Update Window
     settings in the Network Access configuration) between the client and server within the specified threshold time, the system closes the current session.
  9. In the
    Access Policy Timeout
     field, type the number of seconds that should pass before the access profile times out because of inactivity.
    Type
    0
     to set no timeout.
  10. In the
    Maximum Session Timeout
     field, type the maximum number of seconds the session can exist.
    Type
    0
     to set no timeout.
  11. In the
    Max Concurrent Users
     field, type the maximum number of users that can use this access profile at the same time.
    Type
    0
     to set no maximum.
  12. In the
    Max Sessions Per User
     field, type the maximum number of concurrent sessions that one user can start.
    Type
    0
     to set no maximum.
    Only a user in the administrator, application editor, manager, or resource administrator role has access to this field.
  13. In the
    Max In Progress Sessions Per Client IP
     field, type the maximum number of concurrent sessions that can be in progress for a client IP address.
    When setting this value, take into account whether users will come from a NAT-ed or proxied client address and, if so, consider increasing the value accordingly. The default value is 128.
    Only a user in the administrator, application editor, manager, or resource administrator role has access to this field.
    F5 does not recommend setting this value to
    0
     (unlimited).
  14. Select the
    Restrict to Single Client IP
     check box to restrict the current session to a single IP address.
    This setting associates the session ID with the IP address.
    Only a user in the administrator, application editor, manager, or resource administrator role has access to this field.
    Upon a request to the session, if the IP address has changed the request is redirected to a logout page, the session ID is deleted, and a log entry is written to indicate that a session hijacking attempt was detected. If such a redirect is not possible, the request is denied and the same events occur.
  15. To configure logout URIs, in the Configurations area, type each logout URI in the
    URI
     field, and then click
    Add
    .
  16. In the
    Logout URI Timeout
     field, type the delay in seconds before logout occurs for the customized logout URIs defined in the
    Logout URI Include
     list.
  17. To configure SSO:
    • For users to log in to multiple domains using one SSO configuration, skip the settings in the SSO Across Authentication Domains (Single Domain mode) area. You can configure SSO for multiple domains only after you finish the initial access profile configuration.
    • For users to log in to a single domain using an SSO configuration, configure settings in the SSO Across Authentication Domains (Single Domain mode) area, or you can configure SSO settings after you finish the initial access profile configuration.
  18. In the
    Domain Cookie
     field, specify a domain cookie, if the application access control connection uses a cookie.
  19. In the
    Cookie Options
     setting, specify whether to use a secure cookie.
    • If the policy requires a secure cookie, select the
      Secure
       check box to add the
      secure
       keyword to the session cookie.
    • If you are configuring an LTM access scenario that uses an HTTPS virtual server to authenticate the user and then sends the user to an existing HTTP virtual server to use applications, clear this check box.
  20. If the access policy requires a persistent cookie, in the
    Cookie Options
     setting, select the
    Persistent
     check box.
    This sets cookies if the session does not have a webtop. When the session is first established, session cookies are not marked as persistent; but when the first response is sent to the client after the access policy completes successfully, the cookies are marked persistent. Persistent cookies are updated for the expiration timeout every 60 seconds. The timeout is equal to session inactivity timeout. If the session inactivity timeout is overwritten in the access policy, the overwritten value will be used to set the persistent cookie expiration.
  21. From the
    SSO Configurations
     list, select an SSO configuration.
  22. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  23. Click
    Finished
    .
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.
To add an SSO configuration for multiple domains, click
SSO / Auth Domains
 on the menu bar. To provide functionality with an access profile, you must configure the access policy. The default access policy for a profile denies all traffic and contains no actions. Click
Edit
 in the
Access Policy
 column to edit the access policy.

Verify log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Log settings are configured in the
Access
Overview
Event Log
Settings
 area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click
    Logs
    .
    The access profile log settings display.
  4. Move log settings between the
    Available
     and
    Selected
     lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable logging for URl request logging only.
    Logging is disabled when the
    Selected
     list is empty.
  5. Click
    Update
    .
An access profile is in effect when it is assigned to a virtual server.

Creating an access policy for web access management

You create an access policy to specify, at a minimum, logon and authentication. You can add other items to the policy to direct traffic and grant or deny access appropriately, increasing your security.
In an access policy for web access management, you do not need to assign resources, such as, webtops, portal access or network access resources, application access tunnels, or remote desktops.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the
    Edit
     link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. On a policy branch, click the
    (+)
     icon to add an item to the policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  4. On the Logon tab, select
    Logon Page
     and click the
    Add Item
     button.
    The Logon Page Agent properties screen opens.
  5. Make any changes that you require to the logon page properties and click
    Save
    .
    The properties screen closes and the policy displays.
  6. On a policy branch, click the
    (+)
     icon to add an item to the policy.
    Repeat this action from the visual policy editor whenever you want to add an item to the policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  7. From the Authentication tab, select an authentication item.
  8. Configure the properties for the authentication item and click
    Save
     when you are done.
    You can configure multiple authentication items in an access policy.
    You have now configured a basic access policy.
  9. Add endpoint security checks or other items that you require to the access policy.
    Optionally, you can assign a pool of web servers in the access policy using the Pool Assign action; if you do, this pool takes precedence over the pool you assign to the virtual server configuration.
    You can add a
    Windows Cache and Session Control
     item to configure a way to terminate the session.
  10. To grant access at the end of any branch, change the ending from
    Deny
     to
    Allow
    :
    1. Click
      Deny
      .
      The default branch ending is
      Deny
      .
      A popup screen opens.
    2. Select
      Allow
       and click
      Save
      .
      The popup screen closes. The
      Allow
       ending displays on the branch.
  11. Click the
    Apply Access Policy
     link to apply and activate the changes to the policy.
This creates an access policy that is appropriate for web access management connections.
To apply this access policy to network traffic, add the access profile to a virtual server.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Creating a virtual server

This task creates a standard, host type of virtual server for application traffic. A host type of virtual server listens for traffic destined for the specified destination IP address and service. Using this virtual server, Access Policy Manager® (APM®) can provide access control for web applications on web servers in a local traffic pool without using tunnels or specific resources.
By default, the health monitor is set to none and the load balancing method is set to Round Robin. You can add a health monitor or select an alternative load balancing method for this virtual server.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
     field, type a unique name for the virtual server.
  4. For the
    Destination Address/Mask
     setting, confirm that the
    Host
     button is selected, and type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
     or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
     or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
     prefix.
    The IP address you type must be available and not in the loopback network.
  5. In the
    Service Port
     field, type
    80
     (for HTTP) or
    443
     (for HTTPS), or select
    HTTP
     or
    HTTPS
     from the list.
  6. For the
    HTTP Profile (Client)
     setting, verify that the default HTTP profile,
    http
    , is selected.
  7. For the
    SSL Profile (Client)
     setting, select a client SSL profile.
    If the web server uses SSL, the client should use SSL.
  8. For the
    SSL Profile (Server)
     setting, select an SSL server profile.
    If the web server uses SSL, the virtual server should use SSL.
  9. In the Content Rewrite area, retain the default settings.
    The web access management access type eliminates the need for content rewriting. The default values for the
    Rewrite Profile
     and the
    HTML Profile
     settings are
    None
    .
  10. In the Access Policy area, from the
    Access Profile
     list, select the access profile you configured previously.
    Retain the default values for other settings in the Access Policy area.
  11. From the
    HTTP Compression Profile
     list, select
    httpcompression
    .
    You can use compression to provide a better end user experience, particularly where there is limited bandwidth or high latency between the virtual server and the client.
  12. In the Resources area of the screen, from the
    Default Pool
     list, select the relevant pool name.
  13. Click
    Finished
    .
You have a virtual server that supports web access management connections.
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information