Manual Chapter: Manage Access Groups
Applies To: BIG-IQ Centralized Management
- 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0
Manage Access Groups
How do I start to centrally manage APM configurations from BIG-IQ?
Here is an overview of your first steps for setting up an Access Policy Manager® (APM®) configuration once, and then being able to deploy that configuration from the BIG-IQ system to other BIG-IP devices.
Step 1. Add the BIG-IP device from the BIG-IP Devices tab on the BIG-IQ system. Enter the IP address and credentials of the BIG-IP device you're adding, and associate it with a cluster (if applicable). This workflow may differ depending on several factors. For more information, refer to the BIG-IQ Centralized Management: Device guide.
Step 2. Manage the APM configuration by adding the device to an existing Access group or by creating a new Access group. You can create an Access group with or without a device.
Create an Access group
You create an Access group from the Configuration tab to start managing the Access configuration for a device or a group of BIG-IP devices. Using Access groups, you can create Access policies to manage the authentication and connectivity of all users attempting to access your network or applications.
You can create an Access group in either of two ways. Use whichever you prefer, based on your requirements.
- In the Configuration tab, create an Access group without attaching a device.
- In the Configuration tab, create an Access group by attaching a device.
When you create an Access group, the service configurations for the devices are imported.
You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
- At the top of the screen, select Configuration, then on the left side of the screen, click .
- Click the Create button. The New Access Group screen opens.
- In the Name field, type a name for the Access group.
- From the Device list, select the device to be the source of the shared configuration for other devices in the group. Alternatively, select None to create an Access group without a device.
- From the Device Version list, select the BIG-IP version associated with the device. The list displays the BIG-IP versions supported by the BIG-IQ system. You can edit this option only if you did not select a device for this Access group. If you selected a device, the system populates this option automatically and disables editing.
- For Supports SWG, select the check box to create an Access group that manages devices with Secure Web Gateway (SWG) data. You can edit this option only if you did not select a device for this Access group. If you selected a device, the system populates this option automatically and disables editing.
- Click Create. The Access Groups screen opens. Progress information displays in the Status column.
Add a device to an Access group
Before you start, you must have at least one device with the APM service discovered. You must also have imported the LTM service configuration from the device before you can add that device to an Access group.
You add a device to an Access group so you can manage its configuration from Access. When you add a device to an existing Access group, its device-specific configuration resources are imported into Access. A device can belong to only one Access group.
- At the top of the screen, select Configuration, then on the left side of the screen, click .
- Click the name of the Access group you want to add a device to. The General Properties screen for the Access group displays.
- Click Add Device. The Add Device popup screen displays.
- For Device, select the device from the menu.
- (Optional) To create a snapshot of the existing configuration, for Snapshot, select the Create a snapshot of the current configuration before importing check box. BIG-IQ Security uses snapshots to protect the working-configuration set of the Security module. At any time, you can back up, restore, and deploy the BIG-IQ working configuration to a specific configuration state, or deploy a specific set of working-configuration edits back to a BIG-IP device. You can also compare one snapshot to another, or compare a snapshot to the BIG-IQ working configuration.
- Click Add. The popup screen closes and the Access Groups screen displays. The new device displays in the Devices list.
Reimport an Access group configuration or device-specific configuration
Before you begin reimporting a configuration from a BIG-IP device, you must have an existing Access group.
Some objects that you can configure on BIG-IP devices with APM provisioned can only be managed on the BIG-IP device itself; they display as read-only in Access groups on BIG-IQ. For these objects, make the configuration change on the managed BIG-IP device and then reimport the APM service into BIG-IQ.
If you make changes to an Access group configuration on a managed BIG-IP device, you can reimport either the shared Access group configuration or the device-specific configuration from any device in the Access group. This avoids having to repeat those changes by hand on BIG-IQ.
You can initiate the reimport process from the Access groups screen or from the Devices tab.
- At the top of the screen, select Configuration, then on the left side of the screen, click .
- Click the name of the Access group that contains the device you want to reimport the configuration for. The General Properties screen opens.
- Select the check box next to the device you want to reimport the configuration for, and click the Reimport button.
- For the Configuration Type option, select whether you want to import a Shared Access Group and Device Specific configuration or just a Device specific configuration.
- (Optional) For the Snapshot option, select whether you want to create a snapshot of the current configuration before importing. BIG-IQ Security uses snapshots to protect the working-configuration set of the Security module. At any time, you can back up, restore, and deploy the BIG-IQ working configuration to a specific configuration state, or deploy a specific set of working-configuration edits back to a BIG-IP device. You can also compare one snapshot to another, or compare a snapshot to the BIG-IQ working configuration.
- Click Reimport.
After the reimport completes, the configuration on the BIG-IP device and the configuration on BIG-IQ should be consistent.
Remove a device from an Access group
You can remove a device from an Access group if you no longer want to manage the Access configuration for the device, or if you want to add the device to a different Access group. You can remove all devices from an Access group, leave it empty, and then add new devices later.
- At the top of the screen, select Configuration, then on the left side of the screen, click .
- Click the name of the Access group that contains the device you want to remove. The properties screen for that group opens, listing the devices in the Access group.
- Select the check box next to the device you want to remove, and click the Remove button. A confirmation popup screen opens.
- Confirm that you want to remove the device. The device no longer displays in the Access group, and you are no longer managing the APM service configuration that was on the removed device.
Before you add the device to another Access group, you must discover the APM service configuration on the device.
Remove an Access group
You can remove an Access group that you previously created.
- At the top of the screen, select Configuration, then on the left side of the screen, click .
- Select the check box next to the Access group you want to remove, and click the Delete button.
- Click OK to confirm.
Create an Access group from the Devices tab
Before you can create an Access group, you must discover at least one device. You must import the LTM service configuration from a device before you can add that device to an Access group within the device management workflow process.
You can create an Access group to start managing the Access configuration for a group of devices.
When you create an Access group, the service configurations for the devices are imported.
You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
- At the top of the screen, click . The Access Groups screen opens.
- Click the Create button. The New Access Group screen opens.
- In the Name field, type a name for the Access group.
- From the Device list, select the device to be the source of the shared configuration for other devices in the group. From the Devices tab, you must create an Access group with a device attached.
- For Supports SWG, select the check box to create an Access group that manages devices with Secure Web Gateway (SWG) data. You can edit this option only if you did not select a device for this Access group. If you selected a device, the system populates this option automatically and disables editing.
- Click Create. The Access Groups screen opens. Progress information displays in the Status column.
Discover the LTM and APM service configurations
Before you can import configurations from a device, you must first discover that device. To prepare to create an Access configuration on the BIG-IQ system, you must discover the Local Traffic Manager (LTM) service configuration, and then discover the Access Policy Manager (APM) service configuration as APM is dependent upon a discovered LTM service.
- At the top of the screen, click Devices.
- Navigate to the BIG-IP DEVICES tab and select the name of the device you want to discover the service configuration from.
- On the left, click Services.
- For Local Traffic Manager (LTM), click Discover. You must wait for discovery to complete before you continue. If you have previously discovered LTM for this device, the button reads Re-discover.
- For Access Policy Manager (APM), click Discover. If you have previously discovered APM for this device, the button reads Re-discover.
Once you have finished the discovery process, you may import the configuration.
Import the LTM service configuration
You must discover a service configuration before you can import it.
Before you can import the Access Policy Manager (APM) service configuration from a discovered device, you must import the Local Traffic Manager (LTM) service configuration.
You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
- At the top of the screen, click Devices.
- Click the name of the device you want to import the service configuration from.
- On the left, click Services.
- For Local Traffic Manager (LTM), select the Create a snapshot of the current configuration before importing check box to save a copy of the device's current configuration. You're not required to create a snapshot, but it is a good idea in case you have to revert to the previous configuration for any reason.
- For Local Traffic Manager (LTM), click Import. The LTM Import screen opens.
- Click Proceed to Import.
The LTM service configuration is imported. Click the back arrow to return to the previous screen.
Import the APM configuration into an Access group
You must discover a service configuration before you can import it.
You import Access Policy Manager (APM) configuration objects from a device to manage the device configuration from the BIG-IQ system. As part of the import process, you select an Access group.
You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
- At the top of the screen, click Devices.
- Click the name of the device you want to import the service configuration from.
- On the left, click Services.
- For Access Policy (APM), select the Create a snapshot of the current configuration before importing check box to save a copy of the device's current configuration. You're not required to create a snapshot, but it is a good idea in case you have to revert to the previous configuration for any reason.
- For Access Policy (APM), click Import.
- On the Add to Access Group popup screen, specify either a new or an existing Access group:
  - Select Create New, type a name in the Name field, and click Add.
  - Select Add to existing, select a name from the Name list, and click Add.
You must add both members of an HA pair to the same Access group.
The APM service configuration is imported.
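The ordering rules spread across the discovery and import sections above (discover LTM, import LTM, discover APM, then import APM into a group), together with the two membership rules this chapter states (a device belongs to only one Access group; both members of an HA pair go into the same group), are easy to check before you start an import that will block every other BIG-IQ user. The following Python script is an added example, not code from this guide or from BIG-IQ: the Device record, the sample_inventory() data, and the preflight() and import_apm() names are assumptions made for illustration. It also serves the "Add a device to an Access group" section, which has the same prerequisites.

```python
"""Preflight for importing a device's APM configuration into an Access group.

Added example (not F5 code). It models the ordering this chapter describes,
discover LTM -> import LTM -> discover APM -> import APM into an Access group,
plus two membership rules: a device belongs to at most one Access group, and
both members of an HA pair must be in the same group. The Device record and
the inventory below are constructed assumptions, not a BIG-IQ data structure.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Device:
    name: str
    ltm_discovered: bool = False
    ltm_imported: bool = False
    apm_discovered: bool = False
    access_group: Optional[str] = None   # None until APM has been imported into a group
    ha_peer: Optional[str] = None        # name of the other member of an HA pair


def preflight(inventory: Dict[str, Device], device_name: str, target_group: str) -> List[str]:
    """Return the problems that would block importing APM from device_name into
    target_group. An empty list means the import may proceed."""
    d = inventory[device_name]
    problems: List[str] = []
    # Discovery and import must happen in the chapter's order: LTM first, then APM.
    if not d.ltm_discovered:
        problems.append("LTM service not discovered")
    elif not d.ltm_imported:
        problems.append("LTM service discovered but not imported")
    if not d.apm_discovered:
        problems.append("APM service not discovered (APM discovery depends on a discovered LTM service)")
    # A device belongs to only one Access group; remove it from the old one first.
    if d.access_group and d.access_group != target_group:
        problems.append(f"already a member of Access group {d.access_group!r}; remove it first")
    # Both members of an HA pair must land in the same Access group.
    if d.ha_peer:
        peer = inventory.get(d.ha_peer)
        if peer and peer.access_group and peer.access_group != target_group:
            problems.append(
                f"HA peer {peer.name!r} is in Access group {peer.access_group!r}; "
                "both members must share a group")
    return problems


def import_apm(inventory: Dict[str, Device], device_name: str, target_group: str) -> List[str]:
    """Run the preflight and, only if it is clean, record the new membership."""
    problems = preflight(inventory, device_name, target_group)
    if not problems:
        inventory[device_name].access_group = target_group
    return problems


def sample_inventory() -> Dict[str, Device]:
    """Constructed inventory: an HA pair half-way through onboarding, a device
    with an incomplete LTM import, and a device already in another group."""
    return {
        "bigip-a": Device("bigip-a", True, True, True, access_group="ag-prod", ha_peer="bigip-b"),
        "bigip-b": Device("bigip-b", True, True, True, ha_peer="bigip-a"),
        "bigip-c": Device("bigip-c", True, False, False),
        "bigip-d": Device("bigip-d", True, True, True, access_group="ag-lab"),
    }


if __name__ == "__main__":
    inv = sample_inventory()
    attempts = [("bigip-b", "ag-prod"), ("bigip-b", "ag-lab"),
                ("bigip-c", "ag-prod"), ("bigip-d", "ag-prod")]
    for name, group in attempts:
        result = import_apm(inv, name, group)
        print(f"{name} -> {group}: {'OK' if not result else '; '.join(result)}")
```

Running the script walks four attempts against the constructed inventory: the HA peer of an already-managed device joins the same group cleanly, a second attempt to move it elsewhere is refused on both membership rules, the device whose LTM import never finished is refused, and the device already in ag-lab is told to be removed first.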
Add a device to an Access group from the Devices tab
Before you add a BIG-IP APM device, you must discover at least one device with the APM service. You must also import the LTM service configuration from the device before you can add that device to an Access group.
You add a device to an Access group so that you can manage its configuration from Access. When you add a device to an existing Access group, its device-specific configuration resources are imported into Access. A device can belong to only one Access group.
- At the top of the screen, click Devices.
- On the left, click BIG-IP DEVICES.
- Click the Add Device(s) button.
- For IP Address, type the IPv4 or IPv6 address of the device.
- In the Port box, type the management port for this BIG-IP device. The port number must be between 4 and 65535; in many cases it is the default port, 443. Chrome and Safari browsers don't allow access to web applications running on port 65535, so if you use port 65535 as the management port, you won't be able to open the BIG-IP device's interface from BIG-IQ in Chrome or Safari. You can still discover and manage BIG-IP devices that use port 65535.
- If this device is part of a DSC group, for the Cluster Display Name setting, specify how to handle it:
  - For an existing DSC group, select Use Existing from the list, and then select the name of the DSC group from the next list.
  - To create a new DSC group, select Create New from the list, and type a name in the field.
  For BIG-IQ to associate the devices in the same DSC group correctly, the Cluster Display Name must be identical for all members of the group. A DSC group can have up to eight members. For BIG-IP devices with ASM services, you can add only five devices at a time. If a BIG-IP device provisioned with ASM is part of a DSC cluster, that device must also be a member of a sync-only device group, and ASM synchronization must be enabled for that device group. Without these DSC group settings, deploying changes to the ASM device can cause the cluster to get out of sync. For more information, see K12200102, or the ASM Implementations chapter Automatically Synchronizing Application Security Configurations on support.f5.com.
- If this device is configured in a DSC group or you are creating a new DSC group, for the Cluster Properties, specify how to handle it:
  - Initiate BIG-IP DSC sync when deploying configuration changes (Recommended): Select this option if you want this device to automatically synchronize configuration changes with other members of the DSC group.
  - Allow deployment when DSC configured devices have changes pending (Not Recommended): Select this option if you want to deploy changes to this device even if changes are pending for other devices in the DSC group. This option is not recommended, because it can lead to unpredictable results.
  - Ignore BIG-IP DSC sync when deploying configuration changes: Select this option if you want to synchronize configuration changes between members of the DSC group manually.
- Click the Add button at the bottom of the screen. The BIG-IQ system opens communication to the BIG-IP device and checks the BIG-IP device's REST framework. The BIG-IQ system can manage a BIG-IP device correctly only if the device is running a compatible version of the REST framework.
- If a framework upgrade is required, in the popup window, type the root user name and password for the BIG-IP device in the Root User Name and Root Password fields, and click Continue.
- To centrally manage this device's configurations for licensed services, select the check box next to each service you want to discover. You can select other service configurations after you add the BIG-IP device to the inventory.
- Click the Add button at the bottom of the screen.
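The Add Device(s) procedure above carries several constraints that are only enforced once you submit the form: a valid IPv4/IPv6 address, a management port between 4 and 65535 (65535 works for discovery but not for opening the device UI from Chrome or Safari), an identical Cluster Display Name for every member of a DSC group, at most eight members per DSC group, at most five ASM devices per batch, and the sync-only device group requirement for ASM devices in a DSC cluster. The following Python script is an added example, not code from this guide or from BIG-IQ; it validates a whole batch of entries at once before you type them in. The entry format (ip, port, cluster, asm), the SAMPLE_BATCH data, and the validate_batch() name are assumptions made for illustration.

```python
"""Check a batch of Add Device(s) entries against the constraints this chapter
states, before you enter them into BIG-IQ.

Added example, not F5 code. The rules encoded are the ones on this page: a
valid IPv4 or IPv6 address, a management port between 4 and 65535 (65535 is
allowed but Chrome and Safari cannot open the device UI through it), one
identical Cluster Display Name per DSC group with at most eight members, and
at most five ASM-provisioned devices per batch. The entry format (ip, port,
cluster, asm) is a constructed assumption; BIG-IQ has no such import file.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

DSC_MAX_MEMBERS = 8        # "There can be up to eight members in a DSC group."
ASM_MAX_PER_BATCH = 5      # "you can only add five devices at a time"

# Constructed sample batch: a DSC pair whose second display name has a typo,
# an IPv6 device on port 65535, and an entry that is wrong twice over.
SAMPLE_BATCH = [
    {"ip": "192.0.2.10", "port": 443, "cluster": "dc1-dsc", "asm": False},
    {"ip": "192.0.2.11", "port": 443, "cluster": "DC1-DSC ", "asm": True},
    {"ip": "2001:db8::5", "port": 65535, "cluster": None, "asm": False},
    {"ip": "192.0.2.999", "port": 3, "cluster": None, "asm": False},
]


def validate_batch(entries: List[dict]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors are entries BIG-IQ would reject or
    mis-group; warnings are things the chapter tells you to double-check."""
    errors: List[str] = []
    warnings: List[str] = []
    members: Dict[str, List[str]] = defaultdict(list)   # cluster display name -> IPs
    asm_count = 0

    for e in entries:
        ip, port, cluster = e["ip"], e["port"], e.get("cluster")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"{ip}: not a valid IPv4 or IPv6 address")
        if not isinstance(port, int) or not 4 <= port <= 65535:
            errors.append(f"{ip}: management port {port!r} must be between 4 and 65535")
        elif port == 65535:
            warnings.append(f"{ip}: port 65535 is manageable, but Chrome and Safari "
                            "cannot open the device UI from BIG-IQ")
        if cluster:
            members[cluster].append(ip)
        if e.get("asm"):
            asm_count += 1
            if cluster:
                warnings.append(f"{ip}: ASM device in DSC group {cluster!r}; confirm a "
                                "sync-only device group with ASM sync enabled (see K12200102)")

    # Membership limit per DSC group.
    for name, ips in members.items():
        if len(ips) > DSC_MAX_MEMBERS:
            errors.append(f"DSC group {name!r} has {len(ips)} members; the maximum is {DSC_MAX_MEMBERS}")
    # Display names that differ only by case or whitespace would be treated as
    # different DSC groups, so BIG-IQ would not associate the members.
    by_norm: Dict[str, Set[str]] = defaultdict(set)
    for name in members:
        by_norm[name.strip().lower()].add(name)
    for variants in by_norm.values():
        if len(variants) > 1:
            warnings.append(f"Cluster Display Names {sorted(variants)!r} look like one "
                            "group but differ; make them identical")
    if asm_count > ASM_MAX_PER_BATCH:
        errors.append(f"{asm_count} ASM devices in one batch; add at most {ASM_MAX_PER_BATCH} at a time")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = validate_batch(SAMPLE_BATCH)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

The sample batch produces two errors (the malformed address and the out-of-range port, both on the same entry) and three warnings (the ASM device inside a DSC group, the port-65535 device, and the two display names that differ only by case and a trailing space). The case/whitespace check is the one most worth keeping: BIG-IQ associates DSC members by the exact display name, so a near-match silently yields two clusters instead of one.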
Working with default service templates for Access
The BIG-IQ system ships with a set of Access-specific default service templates that you can use as starting points to allow authentication and access control for web applications behind local traffic virtual servers. You can clone these service templates and edit the cloned templates to add access security to your applications.
You currently cannot deploy service templates with Amazon Web Services (AWS).
The table shows the included default service templates.
Service Template | Description |
---|---|
Default-f5-HTTPS-offload-lb-Access-AD-Authentication-template | For load balancing an HTTPS application on port 443 with SSL offloading on BIG-IP device, and securing application Access using AD authentication. |
Default-f5-HTTPS-offload-lb-Access-LDAP-Authentication-template | For load balancing an HTTPS application on port 443 with SSL offloading on BIG-IP device and securing application Access using LDAP authentication. |
Default-f5-HTTPS-offload-lb-Access-RADIUS-Authentication-template | For load balancing an HTTPS application on port 443 with SSL offloading on BIG-IP device and securing application Access using RADIUS authentication. |
Follow these tasks to create a new service template using a default service template for access.
- Clone an access policy from the default-access-group to the Access group associated with the Service Scaling Group.
- Edit the resources associated with the cloned access policy.
- Make the cloned policy available in templates.
- In the Service Catalog, clone the default associated service template.
- Associate the cloned Access Policy with the cloned service template and publish the service template.
- Deploy the application using the customized cloned template.
- To enable Access statistics, enable the remote logging configuration at.
Clone an access policy from the default-access-group
Before you can clone policies, you must have an Access group configured for your Service Scaling Group.
Do not edit Access policies or configurations in the default Access group.
You clone a default access policy to create a starting point for defining access policies for an Access group.
Do not edit default Access policy templates. Clone a policy, then make any required edits in the cloned policy.
- Click . The Access Groups screen opens.
- Click default-access-group. The default-access-group General Properties screen opens.
- On the left, click Per-Session Policies. The Per-Session Policies (Shared) screen opens.
- Select the check box next to an access policy to clone, and click .
- In the Clone Policy dialog box that opens, select the target Access group, select whether to reuse existing objects from the target Access group, then click Clone.
- Check the target Access group to see that the policy has been cloned.
Now you can edit the Access policy, and the related objects created to support it on the target Access group.
Review and edit resources associated with an access policy
When you clone an access policy, the associated resources are also cloned. You can review and edit these resources, if necessary, on the target Access group.
- Click . The Access Groups screen opens.
- Click the name of the Access group to which you cloned the access policy. The properties screen for that group opens.
- Review the associated resources, and edit as necessary.
Resources associated with a cloned access policy
When you clone an access policy from the default access group, the system creates the resources listed below. If needed, review and edit these resources on the target access group.
AD authentication policy:
Resource | Details | Path |
---|---|---|
default_ad_auth_policy_aaa_srvr | The Active Directory server information for the access policy. | |
default_ad_auth_policy_sso | The SSO configuration for the access policy. | |
default-log-setting | Log settings for the AD auth policy. | |
LDAP authentication policy:
Resource | Details | Path |
---|---|---|
default_ldap_auth_policy_aaa_srvr | The LDAP authentication server information for the access policy. | |
default_ldap_auth_policy_sso | The SSO configuration for the access policy. | |
default-log-setting | Log settings for the LDAP auth policy. | |
RADIUS authentication policy:
Resource | Details | Path |
---|---|---|
default_radius_auth_policy_aaa_srvr | The RADIUS authentication server information for the access policy. | |
default_radius_auth_policy_sso | The SSO configuration for the access policy. | |
default-log-setting | Log settings for the RADIUS auth policy. | |
Make an access policy available in templates
You can make an access policy available in templates, so that you can select it in a service template, and apply the settings from that policy to devices in a Service Scaling Group.
- At the top of the screen, select Configuration, then on the left side of the screen, click .
- Click the name of the Access group. A new screen displays the Access group properties.
- On the left, expand Access Policies, and click Per-Session Policies. A new screen opens, showing the access policies associated with this Access group.
- Select the check box next to the access policy.
- Click . A dialog box informs you that the policy is published.
- Click Close.
Clone the service template
You clone a default service template to create a new service template that has the same characteristics as an existing template, that you can modify.
- Click . The Service Catalog screen opens.
- Select the check box next to the name of the service template you want to clone. For example, to clone a service template for LDAP authentication, select Default-f5-HTTPS-offload-lb-Access-LDAP-Authentication-template.
- Click .
- In the dialog box that opens, type a name for the cloned service template, then click Clone. The Edit Template screen opens.
- Make any changes required to the service template.
- On the left, click SECURITY POLICIES.
- Scroll down to Access, and select the Access Group from which you want to use access policies. Select the Access group to which you cloned the default access policies, or in which you created new access policies for this service template.
- In the Virtual Server area, for the virtual server providing the access service, select Access Profile from the Type list.
- From the APM Policy/Profile list, select the access policy you created. Do not associate an APM policy or profile with the redirect virtual server.
- Click Save & Close. The Service Catalog screen opens.
- Select the check box next to the service template you created, and click Publish.
The service template is saved and published.
You can now use the published template to create applications.