Manual Chapter : Configuring Access Profiles for Portal Access

Applies To:


BIG-IP APM

  • 16.0.1, 16.0.0, 15.1.0

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    An access profile name must be unique among all access profile and per-request policy names.
  4. From the Profile Type list, select SSL-VPN.
    Additional settings display.
  5. From the Profile Scope list, retain the default value or select another.
    • Profile: Gives a user access only to resources that are behind the same access profile. This is the default value.
    • Virtual Server: Gives a user access only to resources that are behind the same virtual server.
    • Global: Gives a user access to resources behind any access profile that has global scope.
  6. For Customization Type, select Modern.
    You can also use Standard, but Modern customization is simpler and provides better compatibility for modern cross-platform and cross-device applications.
  7. To configure timeout and session settings, select the Custom check box.
  8. In the Inactivity Timeout field, type the number of seconds that should pass before the access policy times out. Type 0 to set no timeout.
    If there is no activity (defined by the Session Update Threshold and Session Update Window settings in the Network Access configuration) between the client and server within the specified threshold time, the system closes the current session.
  9. In the Access Policy Timeout field, type the number of seconds that should pass before the access profile times out because of inactivity. Type 0 to set no timeout.
  10. In the Maximum Session Timeout field, type the maximum number of seconds the session can exist. Type 0 to set no timeout.
  11. In the Max Concurrent Users field, type the maximum number of users that can use this access profile at the same time. Type 0 to set no maximum.
  12. In the Max Sessions Per User field, type the maximum number of concurrent sessions that one user can start. Type 0 to set no maximum.
    Only a user in the administrator, application editor, manager, or resource administrator role has access to this field.
  13. In the Max In Progress Sessions Per Client IP field, type the maximum number of concurrent sessions that can be in progress for a client IP address.
    When setting this value, take into account whether users will come from a NAT-ed or proxied client address and, if so, consider increasing the value accordingly. The default value is 128.
    Only a user in the administrator, application editor, manager, or resource administrator role has access to this field.
    F5 does not recommend setting this value to 0 (unlimited).
  14. Select the Restrict to Single Client IP check box to restrict the current session to a single IP address.
    This setting associates the session ID with the IP address.
    Only a user in the administrator, application editor, manager, or resource administrator role has access to this field.
    Upon a request to the session, if the IP address has changed, the request is redirected to a logout page, the session ID is deleted, and a log entry is written to indicate that a session hijacking attempt was detected. If such a redirect is not possible, the request is denied and the same events occur.
  15. To configure logout URIs, in the Configurations area, type each logout URI in the URI field, and then click Add.
  16. In the Logout URI Timeout field, type the delay in seconds before logout occurs for the customized logout URIs defined in the Logout URI Include list.
  17. To configure SSO:
    • For users to log in to multiple domains using one SSO configuration, skip the settings in the SSO Across Authentication Domains (Single Domain mode) area. You can configure SSO for multiple domains only after you finish the initial access profile configuration.
    • For users to log in to a single domain using an SSO configuration, configure settings in the SSO Across Authentication Domains (Single Domain mode) area, or configure SSO settings after you finish the initial access profile configuration.
  18. In the Domain Cookie field, specify a domain cookie, if the application access control connection uses a cookie.
  19. In the Cookie Options setting, specify whether to use a secure cookie.
    • If the policy requires a secure cookie, select the Secure check box to add the secure keyword to the session cookie.
    • If you are configuring an LTM access scenario that uses an HTTPS virtual server to authenticate the user and then sends the user to an existing HTTP virtual server to use applications, clear this check box.
  20. If the access policy requires a persistent cookie, in the Cookie Options setting, select the Persistent check box.
    This sets cookies if the session does not have a webtop. When the session is first established, session cookies are not marked as persistent; but when the first response is sent to the client after the access policy completes successfully, the cookies are marked persistent. Persistent cookies are updated for the expiration timeout every 60 seconds. The timeout is equal to the session inactivity timeout. If the session inactivity timeout is overwritten in the access policy, the overwritten value is used to set the persistent cookie expiration.
  21. From the SSO Configurations list, select an SSO configuration.
  22. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  23. Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.
To add an SSO configuration for multiple domains, click SSO / Auth Domains on the menu bar. To provide functionality with an access profile, you must configure the access policy. The default access policy for a profile denies all traffic and contains no actions. Click Edit in the Access Policy column to edit the access policy.

Verify log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Log settings are configured in the Access > Overview > Event Log > Settings area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click Logs.
    The access profile log settings display.
  4. Move log settings between the Available and Selected lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable URL request logging only.
    Logging is disabled when the Selected list is empty.
  5. Click Update.
An access profile is in effect when it is assigned to a virtual server.

Configuring an access policy

You configure an access policy to provide authentication, endpoint checks, and resources for an access profile. This procedure configures a simple access policy that adds a logon page, gets user credentials, submits them to an authentication type of your choice, then allows authenticated users, and denies others.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile you want to edit.
  3. On the menu bar, click Access Policy.
  4. For the Visual Policy Editor setting, click the Edit access policy for Profile policy_name link.
    The visual policy editor opens the access policy in a separate window or tab.
  5. Click the (+) icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  6. On the Logon tab, select Logon Page and click the Add Item button.
    The Logon Page Agent properties screen opens.
  7. Click Save.
    The Access Policy screen reopens.
  8. On the rule branch, click the plus sign (+) between Logon Page and Deny.
  9. Set up the appropriate authentication and client-side checks required for application access at your company, and click Add Item.
  10. Change the Successful rule branch from Deny to Allow and click the Save button.
  11. If needed, configure further actions on the successful and fallback rule branches of this access policy item, and save the changes.
  12. At the top of the screen, click the Apply Access Policy link to apply and activate your changes to this access policy.
  13. Click the Close button to close the visual policy editor.
To apply this access policy to network traffic, add the access profile to a virtual server.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Assign resources to a user

Before you can assign resources to a user, you must have created an access profile.
You can add the advanced resource assign action to an access policy to add a network access resource, portal access resources, application tunnel resources, SAML resources, and remote desktop resources to an access policy branch. You can also assign ACLs, webtops, webtop links, and webtop sections with the advanced resource assign action.
Do not assign a webtop for a portal access connection configured for minimal patching mode; this configuration does not work.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile for which you want to edit the access policy.
    The properties screen opens for the profile you want to edit.
  3. On the menu bar, click Access Policy.
  4. In the General Properties area, click the Edit Access Policy for Profile profile_name link.
    The visual policy editor opens the access policy in a separate screen.
  5. On a policy branch, click the (+) icon to add an item to the policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  6. On the Assignment tab, select Advanced Resource Assign and click the Add Item button.
    The Advanced Resource Assign popup screen opens.
  7. In the Name field, type a name for the policy item.
    This name is displayed in the action field for the policy.
  8. Click the Add new entry button.
    A new resource line is added to the list.
  9. To assign resources, in the Expression area, click the Add/Delete link.
    The Resource Assignment popup screen opens.
  10. Assign resources to the access policy using the available tabs.
    • Static ACLs: Allows you to select one or more ACLs defined on the system. Each ACL you select is assigned to the access policy branch on which this resource assign action operates.
    • Network Access: Allows you to select a single network access resource from the system. You can select only one network access resource. The network access resource you select is assigned to the access policy branch on which this resource assign action operates.
    • Portal Access: Allows you to select one or more portal access resources from the system. The portal access resources you select are assigned to the access policy branch on which this resource assign action operates.
    • App Tunnel: Allows you to select one or more application tunnel resources from the system. The application tunnel resources you select are assigned to the access policy branch on which this resource assign action operates.
    • Remote Desktop: Allows you to select one or more remote desktop (terminal server) resources from the system. The remote desktop resources you select are assigned to the access policy branch on which this resource assign action operates.
    • SAML: Allows you to select one or more SAML resources from the system. The SAML resources you select are assigned to the access policy branch on which this resource assign action operates. Select a full webtop to display SAML resources.
    • Webtop: Allows you to select a webtop from the system. The webtop resource you select is assigned to the access policy branch on which this resource assign action operates. You can select a webtop that matches the resource type, or a full webtop.
    • Webtop Links: Allows you to select links to pages and applications defined on the system to display on the full webtop. A full webtop must be assigned to display webtop links.
    • Webtop Sections: Allows you to select one or more sections into which to organize the selected resources on the webtop. A full webtop must be assigned to display webtop sections.
    • Static Pool: Allows you to dynamically assign a predefined LTM pool to a session. This value takes precedence over any existing assigned pool attached to the virtual server. The static pool you select is assigned to the access policy branch on which this resource assign action operates.
    You can also search for a resource by name in the current tab or all tabs.
  11. Click the Save button to save changes to the access policy item.
You can now configure further actions on the successful and fallback rule branches of this access policy item.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Adding connection resources to an access policy

Before you can add connection resources to an access policy, you must have an access profile created.
You add the resource assign action to an access policy to add a network access resource, portal access resources, application tunnel resources, and remote desktop resources to an access policy branch.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile for which you want to edit the access policy.
    The properties screen opens for the profile you want to edit.
  3. On the menu bar, click Access Policy.
  4. In the General Properties area, click the Edit Access Policy for Profile profile_name link.
    The visual policy editor opens the access policy in a separate screen.
  5. On a policy branch, click the (+) icon to add an item to the policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  6. On the Assignment tab, select Resource Assign and click the Add Item button.
    This opens the Resource Assignment popup screen.
  7. In the Name field, type a name for the policy item.
    This name is displayed in the action field for the policy.
  8. On the Resource Assign screen, next to the type of resource you want to add, click the Add/Delete link.
    This expands the screen to display options for the resource you selected.
  9. To assign resources, select the options you want.
  10. Assign resources using the heading options on the screen.
    • Network Access: Allows you to select a single network access resource from the system. You can select only one network access resource. The network access resource you select is assigned to the access policy branch on which this resource assign action operates.
    • Portal Access: Allows you to select one or more portal access resources from the system. The portal access resources you select are assigned to the access policy branch on which this resource assign action operates.
    • App Tunnel: Allows you to select one or more application tunnel resources from the system. The application tunnel resources you select are assigned to the access policy branch on which this resource assign action operates.
    • Remote Desktop: Allows you to select one or more remote desktop (terminal server) resources from the system. The remote desktop resources you select are assigned to the access policy branch on which this resource assign action operates.
    • SAML: Allows you to select one or more SAML resources from the system. The SAML resources you select are assigned to the access policy branch on which this resource assign action operates.
  11. Click the Save button to save changes to the access policy item.
You can now configure further actions on the successful and fallback rule branches of this access policy item. To assign a webtop, webtop links, and webtop sections, add the Webtop, Links and Sections Assign action after this action.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Add a webtop, links, and sections to an access policy

You must have an access profile set up before you can add a webtop, links, and sections to an access policy.
You can add an action to an access policy to add a webtop, webtop links, and webtop sections to an access policy branch. Webtop links and webtop sections are displayed on a full webtop.
Do not assign a webtop for a portal access connection configured for minimal patching mode; this configuration does not work.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click the name of the access profile for which you want to edit the access policy.
    The properties screen opens for the profile you want to edit.
  3. On the menu bar, click Access Policy.
  4. In the General Properties area, click the Edit Access Policy for Profile profile_name link.
    The visual policy editor opens the access policy in a separate screen.
  5. On a policy branch, click the (+) icon to add an item to the policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  6. On the Assignment tab, select the Webtop, Links and Sections Assign agent and click Add Item.
    The Webtop, Links and Sections Assignment screen opens.
  7. In the Name field, type a name for the policy item.
    This name is displayed in the action field for the policy.
  8. For each type of resource that you want to assign:
    1. Click the Add/Delete link next to the resource type (Webtop Links, Webtop Sections, or Webtop).
      Available resources are listed.
    2. Select from the list of available resources.
      Select only one webtop.
    3. Click Save.
  9. Click the Save button to save changes to the access policy item.
You can now configure further actions on the successful and fallback rule branches of this access policy item.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Access profile settings

You can configure the following settings in an access profile. Each entry gives the setting name, the value it accepts (in parentheses), and its description and defaults.

Name (Text)
    Specifies the name of the access profile.
Inactivity Timeout (Number of seconds, or 0)
    Specifies the inactivity timeout for the connection. If there is no activity between the client and server within the specified threshold time, the system closes the current session. By default, the threshold is 0, which specifies that as long as a connection is established, the inactivity timeout is inactive. However, if an inactivity timeout value is set, when server traffic exceeds the specified threshold, the inactivity timeout is reset.
Access Policy Timeout (Number of seconds, or 0)
    Designed to keep malicious users from creating a denial-of-service (DoS) attack on your server. The timeout requires that a user, who has followed through on a redirect, must reach the webtop before the timeout expires. The default value is 300 seconds.
Maximum Session Timeout (Number of seconds, or 0)
    The maximum lifetime is from the time a session is created, to when the session terminates. By default, it is set to 0, which means no limit. When you configure a maximum session timeout setting other than 0, there is no way to extend the session lifetime, and the user must log out and then log back in to the server when the session expires.
Max Concurrent Users (Number of users, or 0)
    The number of sessions allowed at one time for this access profile. The default value is 0, which specifies unlimited sessions.
Max Sessions Per User (Number between 1 and 1000, or 0)
    Specifies the number of sessions for one user that can be active concurrently. The default value is 0, which specifies unlimited sessions. You can set a limit from 1 to 1000. Values higher than 1000 cause the access profile to fail.
    Only users in the administrator, application editor, manager, or resource administrator roles have access to this field.
Max In Progress Sessions Per Client IP (Number greater than 0)
    Specifies the maximum number of sessions that can be in progress for a client IP address. When setting this value, take into account whether users will come from a NAT-ed or proxied client address and, if so, consider increasing the value accordingly. The default value is 128.
    Only users in the administrator, application editor, manager, or resource administrator roles have access to this field.
    F5® does not recommend setting this value to 0 (unlimited).
Restrict to Single Client IP (Selected or cleared)
    When selected, limits a session to a single IP address.
    Only users in the administrator, application editor, manager, or resource administrator roles have access to this field.
Logout URI Include (One or more URIs)
    Specifies a list of URIs to include in the access profile to initiate session logout.
Logout URI Timeout (Logout delay in seconds)
    Specifies the time delay before the logout occurs, using the logout URIs defined in the logout URI include list.
SSO Authentication Across Domains (Single Domain mode) or SSO / Auth Domains: Domain Cookie (A domain cookie)
    If you specify a domain cookie, then the line domain=specified_domain is added to the MRHsession cookie.
SSO / Auth Domains: Domain Mode (Single Domain or Multiple Domains)
    Select Single Domain to apply your SSO configuration to a single domain. Select Multiple Domains to apply your SSO configuration across multiple domains. This is useful in cases where you want to allow your users a single Access Policy Manager (APM) login session and apply it across multiple Local Traffic Manager or APM virtual servers, front-ending different domains.
    All virtual servers must be on one single BIG-IP system in order to apply SSO configurations across multiple domains.
SSO / Auth Domains: Primary Authentication URI (URI)
    The URI of your primary authentication server, for example https://logon.siterequest.com. This is required if you use SSO across multiple domains. You provide this URI so your users can access multiple back-end applications from multiple domains and hosts without requiring them to re-enter their credentials, because the user session is stored on the primary domain.
Cookie Options: Secure (Enable or disable check box)
    Enabled, this setting specifies to add the secure keyword to the session cookie. If you are configuring an application access control scenario where you are using an HTTPS virtual server to authenticate the user, and then sending the user to an existing HTTP virtual server to use applications, clear this check box.
Cookie Options: Persistent (Enable or disable check box)
    Enabled, this setting specifies to set cookies if the session does not have a webtop. When the session is first established, session cookies are not marked as persistent, but when the first response is sent to the client after the access policy completes successfully, the cookies are marked persistent.
    Persistent cookies are updated for the expiration timeout every 60 seconds. The timeout is equal to the session inactivity timeout. If the session inactivity timeout is overwritten in the access policy, the overwritten value is used to set the persistent cookie expiration.
Cookie Options: HTTP only
    HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Use the HttpOnly flag when generating a cookie to help mitigate the risk of a client-side script accessing the protected cookie, if the browser supports HttpOnly.
    When this option is enabled, only the web access management type of access (an LTM virtual server with an access policy) is supported.
SSO Authentication Across Domains (Single Domain mode) or SSO / Auth Domains: SSO Configuration (Predefined SSO configuration)
    SSO configurations contain settings to configure single sign-on with an access profile. Select the SSO configuration from the list that you want applied to your domain.
SSO / Auth Domains: Authentication Domains (Multiple)
    If you specify multiple domains, populate this area with hosts or domains. Each host or domain can have a separate SSO config, and you can set persistent or secure cookies. Click Add to add each host you configure.
Accepted Languages (Language strings)
    Adds a built-in or customized language to the list of accepted languages. Accepted languages can be customized separately and can present customized messages and screens to users, if the user's default browser language is one of the accepted languages. Select a language from the Factory Builtin Languages list and click the Move button (<<) to add it to the Accepted Languages list. Select a language from the Additional Languages list and click Add to add it to the Accepted Languages list.
Factory Builtin Languages (Languages in a predefined list)
    Lists the predefined languages on the Access Policy Manager system, which can be added to the Accepted Languages list. Predefined languages include customized messages and fields for common appearance items, as opposed to Additional Languages, which must be separately customized.
Additional Languages (Languages in a predefined list)
    Lists additional languages that can be added to the Accepted Languages list, and customized on the Access Policy Manager system. These languages are populated with English messages and fields and must be individually customized using the Customization menu, as opposed to Factory Builtin Languages, which are already customized.
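As an added example (not F5's code or part of this manual), the following Python checker audits the MRHsession Set-Cookie header a client receives against the Cookie Options and Domain Cookie settings described above: the secure keyword, the HttpOnly flag, the domain= attribute, and whether a persistent cookie's expiry equals the inactivity timeout. It assumes the persistent expiry is expressed as a Max-Age attribute, and its sample headers are constructed.

```python
"""Audit an APM session cookie (MRHsession) against access-profile Cookie Options.

Added example, not F5 product code. Sample headers below are constructed;
the assumption that APM expresses the persistent expiry as Max-Age is ours.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SESSION_COOKIE = "MRHsession"  # session cookie named in the settings table


@dataclass
class CookieAudit:
    secure: bool
    httponly: bool
    persistent: bool            # Expires or Max-Age present
    domain: Optional[str]
    max_age: Optional[int]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie value into the cookie name/value plus lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store "" for them.
        attrs[key.strip().lower()] = val.strip() if sep else ""
    return attrs


def audit_session_cookie(header: str, expected_domain: Optional[str] = None,
                         expect_persistent: bool = False,
                         inactivity_timeout: int = 0,
                         expect_httponly: bool = True) -> Optional[CookieAudit]:
    """Audit one MRHsession Set-Cookie header; return None for any other cookie.

    expected_domain    - the profile's Domain Cookie value, if one is configured
    expect_persistent  - whether the Persistent check box is selected
    inactivity_timeout - the profile's Inactivity Timeout in seconds (0 = none)
    expect_httponly    - whether the HTTP only option is selected
    """
    attrs = parse_set_cookie(header)
    if attrs["__name__"] != SESSION_COOKIE:
        return None
    max_age = int(attrs["max-age"]) if attrs.get("max-age") else None
    audit = CookieAudit(
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        persistent=max_age is not None or "expires" in attrs,
        domain=attrs.get("domain") or None,
        max_age=max_age,
    )
    f = audit.findings
    if not audit.secure:
        f.append("Secure keyword missing: cookie can be sent over plain HTTP "
                 "(only acceptable for the HTTPS-to-HTTP LTM scenario)")
    if expect_httponly and not audit.httponly:
        f.append("HttpOnly flag missing: client-side script can read the cookie")
    if expected_domain and audit.domain != expected_domain:
        f.append(f"domain={audit.domain!r} does not match Domain Cookie {expected_domain!r}")
    if expect_persistent and not audit.persistent:
        f.append("Persistent selected but the cookie carries no expiry")
    if audit.persistent and not expect_persistent:
        f.append("Cookie is persistent although Persistent is not selected")
    if (audit.persistent and inactivity_timeout and max_age is not None
            and max_age != inactivity_timeout):
        f.append(f"Max-Age {max_age} differs from inactivity timeout {inactivity_timeout}")
    return audit


# Constructed sample headers; the session IDs are made up, not real APM values.
SAMPLE_HEADERS = [
    "MRHsession=c0ffee00deadbeef; path=/; Secure; HttpOnly",
    "MRHsession=c0ffee00deadbeef; path=/",
    "MRHsession=c0ffee00deadbeef; path=/; domain=example.com; Max-Age=900; Secure; HttpOnly",
    "TestCookie=abc123; path=/; Secure",
]

if __name__ == "__main__":
    for hdr in SAMPLE_HEADERS:
        result = audit_session_cookie(hdr, expected_domain="example.com",
                                      expect_persistent=True, inactivity_timeout=900)
        print(hdr.split(";")[0], "->", result.findings if result else "ignored (not MRHsession)")
```

Run it against the Set-Cookie lines captured from a browser's response to the APM virtual server, passing the values actually configured in the access profile.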