Manual Chapter: Overview of Portal Access
Applies To: BIG-IP APM 17.1.0
Overview: What is portal access?
Portal access allows end users access to internal web applications with a web browser from
outside the network. With portal access, the BIG-IP
Access Policy Manager® communicates with back-end servers, and rewrites
links in application web pages so that further requests from the client browser are directed back
to the Access Policy Manager server. With portal access, the client computer requires no
specialized client software other than a web browser.
Portal access provides clients with secure access to internal web servers, such as Microsoft
Outlook Web Access (OWA), Microsoft SharePoint, and IBM Domino Web Access. Using portal access
functionality, you can also provide access to most web-based applications and internal web
servers.
Portal access differs from network access, which provides direct access from the client to the
internal network. Network access does not manipulate or analyze the content being passed between
the client and the internal network. The portal access configuration gives the administrator both
refined control over the applications that a user can access through Access Policy Manager, and
content inspection for the application data. The other advantage of portal access is security.
Even if a workstation might not meet requirements for security for full network access, such a
workstation can be passed by the access policy to certain required web applications, without
allowing full network access. In a portal access policy, the client computer itself never
communicates directly with the end-point application. That means that all communication is
inspected at a very high level, and any attacks originating on the client computer fail because
the attack cannot navigate through the links that have been rewritten by the portal access
engine.
About portal access configuration elements
A portal access configuration requires several elements:
- A portal access resource including one or more portal access resource items
- An access profile
- An access policy that assigns both:
  - A portal access resource
  - A portal access or full webtop
- A rewrite profile (you can use the default rewrite profile)
- A connectivity profile
- A virtual server that assigns the access profile and a rewrite profile
Portal access elements are summarized in this diagram.
Understanding portal access patching
Portal access patches, or rewrites, links in web content. Portal access rewrites
links in complex Java, JavaScript, Flash, CSS, and HTML content. In full patching mode, Access Policy Manager retrieves content from back-end servers and rewrites links in that content so it
can be presented to a web browser, as if the content originated from the Access Policy Manager.
Portal access rewrites content to make intranet targets resolvable, no matter what the intranet
host is.
Understanding full patching mode
In full patching mode, you can select one or more of the following content types in which
portal access rewrites links.

Patching content type | Description |
---|---|
HTML patching | Rewrites links in HTML content to redirect to the Access Policy Manager. |
JavaScript patching | Rewrites link content in JavaScript code to redirect requests to the Access Policy Manager. |
CSS patching | Rewrites links to CSS files, and within CSS content, to redirect to the Access Policy Manager. |
Flash patching | Rewrites links in Flash movies and objects to redirect requests to the Access Policy Manager. |
Java patching | Rewrites link content in Java code to redirect requests to the Access Policy Manager. Access Policy Manager can also relay and handle any socket connections required by a patched Java applet. |
Understanding minimal patching mode
In minimal patching mode, portal access allows only minimum rewriting of web application
content. Minimal patching mode is useful for troubleshooting, or when full portal access patching fails
with a file or site. In minimal patching mode, only HTML and CSS content is patched.
To use minimal patching, the following conditions must be met:
- You must create a local traffic pool for the application server or servers, and select it as the default pool in the virtual server definition.
- You must add a portal access resource item to the portal access resource, and configure it with host *, and port 0 (or any). In addition, the path /* must be specified in the resource item.
- You must configure the scheme any, not http or https.
- Minimal patching does not use a webtop, and will fail if one is assigned. For this reason, you must disable the Publish on webtop option, and you cannot assign a webtop to the minimal patching access policy branch.
In minimal patching mode, if your web application sets cookies, the cookie domain must match the
virtual server domain.
If your web application does not use SSL, do not configure the virtual server with
the Server SSL profile serverssl.

Patching mode | Description |
---|---|
Scheme patching | Specifies a method of patching that replaces all HTTP scheme addresses with HTTPS scheme addresses. |
Host Patching | Specifies a method of patching where one or multiple hosts (typically the actual application server host name) are replaced with another host, the Access Policy Manager virtual server. You can specify multiple hosts separated with spaces for host search strings. The host replace string must be the Access Policy Manager virtual server IP address or fully qualified domain name (FQDN). |
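
The following added example (illustrative Python, not F5 code and not the APM rewrite engine) applies the scheme and host patching described above to a constructed HTML/CSS page, then lists back-end host names that are still visible to the client afterwards. The host names owa.corp.example, files.corp.example and portal.example.com, the function names, and the choice to drop a back-end port when the host is replaced are assumptions made for the example.

```python
import re

# Links that HTML and CSS patching can see: href/src/action attributes and CSS url().
LINK_RE = re.compile(
    r'''(?P<pre>\b(?:href|src|action)\s*=\s*["']|url\(\s*["']?)'''
    r'''(?P<scheme>https?)://(?P<host>[^/"'\s:)]+)(?P<port>:\d+)?''',
    re.IGNORECASE,
)

def minimal_patch(body, host_search, host_replace, scheme_patching=True):
    """Apply scheme and host patching to HTML/CSS links (illustration only)."""
    search = {h.lower() for h in host_search.split()}  # space-separated host list

    def fix(m):
        scheme, host, port = m.group("scheme"), m.group("host"), m.group("port") or ""
        if scheme_patching:
            scheme = "https"               # every HTTP address becomes HTTPS
        if host.lower() in search:
            host, port = host_replace, ""  # assumption: back-end port is dropped
        return f'{m.group("pre")}{scheme}://{host}{port}'

    return LINK_RE.sub(fix, body)

def leftover_internal(body, host_search):
    """Back-end host names still present after patching (e.g. in inline JavaScript)."""
    lowered = body.lower()
    return sorted(h for h in set(host_search.lower().split()) if h in lowered)

# Constructed sample page; all host names are made up for this example.
HOSTS = "owa.corp.example files.corp.example"
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://owa.corp.example/site.css">
<style>body { background: url(http://files.corp.example:8080/bg.png); }</style>
<script>var api = "http://owa.corp.example/ews";</script>
</head><body>
<a href="http://owa.corp.example/inbox">Inbox</a>
<img src="https://cdn.example.org/logo.png">
</body></html>"""

if __name__ == "__main__":
    patched = minimal_patch(SAMPLE, HOSTS, "portal.example.com")
    print(patched)
    print("still exposed to the client:", leftover_internal(patched, HOSTS))
```

The reference to owa.corp.example that remains sits in inline JavaScript, which minimal patching does not rewrite; full patching mode includes JavaScript patching.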
Additional resources and documentation for BIG-IP Access Policy Manager
You can access all of the BIG-IP system documentation from
the AskF5 Knowledge Base located at https://support.f5.com/.

Document | Description |
---|---|
BIG-IP Access Policy Manager: Application Access | This guide contains information for an administrator to configure application tunnels for secure, application-level TCP/IP connections from the client to the network. |
BIG-IP Access Policy Manager: Authentication Essentials | This guide contains information to help an administrator understand authentication concepts, such as AAA server, SSL certificate, local user database, and so on. |
BIG-IP Access Policy Manager: Authentication Methods | This guide describes different types of authentication, including Active Directory, LDAP and LDAPS, RSA SecurID, RADIUS, OCSP, CRLDP, Certificate, TACACS+, and so on. |
BIG-IP Access Policy Manager: OAuth Concepts and Configuration | This guide describes OAuth concepts and explains how to configure the system to use OAuth authorization servers, resource servers, and other examples. |
BIG-IP Access Policy Manager: SAML Configuration | This guide introduces SAML concepts and provides several examples using APM as a SAML IdP, as a SAML service provider, and others. |
BIG-IP Access Policy Manager: Single Sign-On Concepts and Configuration | This guide describes how to configure different types of single sign-on methods, such as HTTP basic, HTTP forms-based, NTLMV1, NTLMV2, Kerberos, OAuth Bearer. |
BIG-IP Access Policy Manager: Customization | This guide provides information about using the APM customization tool to provide users with a personalized experience for access policy screens, and errors. An administrator can apply your organization's brand images and colors, change messages and errors for local languages, and change the layout of user pages and screens. |
BIG-IP Access Policy Manager: Edge Client and Application Configuration | This guide contains information for an administrator to configure the BIG-IP system for browser-based access with the web client as well as for access using BIG-IP Edge Client and F5 Access Apps. It also includes information about how to configure or obtain client packages and install them for BIG-IP Edge Client for Windows, Mac, and Linux, and Edge Client command-line interface for Linux. |
BIG-IP Access Policy Manager: Implementations | This guide contains implementations for synchronizing access policies across BIG-IP systems, hosting content on a BIG-IP system, maintaining OPSWAT libraries, configuring dynamic ACLs, web access management, and configuring an access policy for routing. |
BIG-IP Access Policy Manager: Network Access | This guide contains information for an administrator to configure APM Network Access to provide secure access to corporate applications and data using a standard web browser. |
BIG-IP Access Policy Manager: Portal Access | This guide contains information about how to configure APM Portal Access. In Portal Access, APM communicates with back-end servers, rewrites links in application web pages, and directs additional requests from clients back to APM. |
BIG-IP Access Policy Manager: Secure Web Gateway | This guide contains information to help an administrator configure Secure Web Gateway (SWG) explicit or transparent forward proxy and apply URL categorization and filtering to Internet traffic from your enterprise. |
BIG-IP Access Policy Manager: Third-Party Integration | This guide contains information about integrating third-party products with Access Policy Manager (APM). It includes implementations for integration with VMware Horizon View, Oracle Access Manager, Citrix Web Interface site, and so on. |
BIG-IP Access Policy Manager: Visual Policy Editor | This guide contains information about how to use the visual policy editor to configure access policies. |
Release notes | Release notes contain information about the current software release, including a list of associated documentation, a summary of new features, enhancements, fixes, known issues, and available workarounds. |
KB articles | Knowledge base articles are responses and resolutions to known issues, additional configuration instructions, and how-to information. |