Manual Chapter : Manage Access Groups

Applies To:


BIG-IQ Centralized Management

  • 8.3.0, 8.2.0, 8.1.0, 8.0.0, 7.1.0

Manage Access Groups

How do I start to centrally manage APM configurations from BIG-IQ?

Here is an overview of your first steps for setting up an Access Policy Manager® (APM®) configuration once, and then being able to deploy that configuration from the BIG-IQ system to other BIG-IP devices.
Step 1. Add the BIG-IP device from the BIG-IP Devices tab on the BIG-IQ system. Enter the IP address and credentials of the BIG-IP device you're adding, and associate it with a cluster (if applicable).
This workflow may differ depending on several factors. For more information, refer to the BIG-IQ Centralized Management: Device guide.
Step 2. Manage the APM configuration by adding to the existing Access group or creating a new Access group. You can create an Access group with or without a device.

Create an Access group

You create an Access group from the Configuration tab to start managing the Access configuration for a device or a group of BIG-IP devices. Using Access groups, you can create Access policies to manage the authentication and connectivity of all users attempting to access your network or applications.
You can create an Access group in either of two ways. Use whichever you prefer, based on your requirements.
  • In the Configuration tab, create an Access group without attaching a device.
  • In the Configuration tab, create an Access group by attaching a device.
When you create an Access group, the service configurations for the devices are imported.
You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the Create button.
    The New Access Group screen opens.
  3. In the Name field, type a name for the Access group.
  4. From the Device list, select the device to be the source of the shared configuration for other devices in the group. Alternatively, select None to create an Access group without a device.
  5. From the Device Version list, select the BIG-IP version associated with the device.
    The list displays the BIG-IP versions supported by the BIG-IP system. You can edit this option only if you did not select a device for this Access group. If you selected a device, the system automatically populates this option and disables editing.
  6. For Supports SWG, select the check box to create an Access group that manages devices with Secure Web Gateway (SWG) data.
    You can edit this option only if you did not select a device for this Access group. If you selected a device, the system automatically populates this option and disables editing.
  7. Click Create.
    The Access Groups screen opens. Progress information displays in the Status column.

Add a device to an Access group

Before you start, you must have at least one device with the APM service discovered. You must also have imported the LTM service configuration from the device before you can add that device to an Access group.
You add a device to an Access group so you can manage its configuration from Access. When you add a device to an existing Access group, its device-specific configuration resources are imported into Access. A device can belong to only one Access group.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group you want to add a device to.
    The General Properties screen for the Access group displays.
  3. Click Add Device.
    The Add Device popup screen displays.
  4. For Device, select the device from the menu.
  5. (Optional) To create a snapshot of the existing configuration, for Snapshot, select the Create a snapshot of the current configuration before importing check box. BIG-IQ Security uses snapshots to protect the working-configuration set of the Security module. Thus, at any time, you can back up, restore, and deploy the BIG-IQ working configuration to a specific configuration state, or deploy a specific set of working configuration edits back to a BIG-IP device. You can also compare one snapshot to another, or compare a snapshot to the BIG-IQ working configuration.
  6. Click Add.
    The popup screen closes, displaying the Access Groups screen. The new device displays under the Devices list.

Reimport an Access group configuration or device-specific configuration

Before you begin reimporting a configuration from a BIG-IP, you must have an existing Access group.
Some objects that are available for configuration on your BIG-IP devices with APM provisioned may only be managed from BIG-IQ and will be displayed as read-only in Access groups in BIG-IQ. In these instances, you must make the configuration changes on the managed BIG-IP device and re-import the APM service to BIG-IQ.
If you make any changes to an Access group on a managed BIG-IP device, you can reimport a shared Access group configuration or a device-specific configuration from any device in an Access group. This reduces the need to edit the configuration by hand.
You can initiate the reimport process from the Access groups screen or from the Devices tab.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group that contains the device you want to reimport the configuration for.
    The General Properties screen opens.
  3. Select the check box next to the device you want to reimport the configuration for and click the Reimport button.
  4. For the Configuration Type option, select whether you want to import a Shared Access Group and Device Specific configuration or just a Device specific configuration.
  5. (Optional) For the Snapshot option, select whether you want to create a snapshot of the current configuration before importing. BIG-IQ Security uses snapshots to protect the working-configuration set of the Security module. Thus, at any time, you can back up, restore, and deploy the BIG-IQ working configuration to a specific configuration state, or deploy a specific set of working configuration edits back to a BIG-IP device. You can also compare one snapshot to another, or compare a snapshot to the BIG-IQ working configuration.
  6. Click Reimport.
Once you have reimported the configuration from the BIG-IP device, the configuration on BIG-IP and BIG-IQ should be consistent.

Remove a device from an Access group

You can remove a device from an Access group if you no longer want to manage the Access configuration for the device, or if you want to add the device to a different Access group. You can remove all devices from an Access group, leave it empty, and then add new devices later.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group that contains the device you want to remove.
    The properties screen for that group opens, listing the devices in the Access group.
  3. Select the check box next to the device you want to remove and click the Remove button.
    A confirmation popup screen opens.
  4. Confirm that you want to remove the device.
    The device no longer displays in the Access group. You are no longer managing the APM service configuration that was on the device you removed.
Before you add the device to another Access group, you must discover the APM service configuration on the device.

Remove an Access group

You can remove an Access group that you previously created.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Select the check box next to the Access group you want to remove and click the Delete button.
  3. Click OK to confirm.

Create an Access group from the Devices tab

Before you can create an Access group, you must discover at least one device. You must import the LTM service configuration from a device before you can add that device to an Access group within the device management workflow process.
You can create an Access group to start managing the Access configuration for a group of devices.
When you create an Access group, the service configurations for the devices are imported.
You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. At the top of the screen, click Devices > BIG-IP CLUSTERS > Access Groups.
    The Access Groups screen opens.
  2. Click the Create button.
    The New Access Group screen opens.
  3. In the Name field, type a name for the Access group.
  4. From the Device list, select the device to be the source of the shared configuration for other devices in the group.
    You must create an Access group with a device attached.
  5. For Supports SWG, select the check box to create an Access group that manages devices with Secure Web Gateway (SWG) data.
    You can edit this option only if you did not select a device for this Access group. If you selected a device, the system automatically populates this option and disables editing.
  6. Click Create.
    The Access Groups screen opens. Progress information displays in the Status column.

Discover the LTM and APM service configurations

Before you can import configurations from a device, you must first discover that device. To prepare to create an Access configuration on the BIG-IQ system, you must discover the Local Traffic Manager (LTM) service configuration, and then discover the Access Policy Manager (APM) service configuration, because APM depends on a discovered LTM service.
  1. At the top of the screen, click Devices.
  2. Navigate to the BIG-IP DEVICES tab and select the name of the device you want to discover the service configuration from.
  3. On the left, click Services.
  4. For Local Traffic Manager (LTM), click Discover.
    You must wait for discovery to complete before you continue. If you have previously discovered LTM for this device, the button will read Re-discover.
  5. For Access Policy Manager (APM), click Discover.
    If you have previously discovered APM for this device, the button will read Re-discover.
Once you have finished the discovery process, you may import the configuration.

Import the LTM service configuration

You must discover a service configuration before you can import it.
Before you can import the Access Policy Manager (APM) service configuration from a discovered device, you must import the Local Traffic Manager (LTM) service configuration.
You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. At the top of the screen, click Devices.
  2. Click the name of the device you want to import the service configuration from.
  3. On the left, click Services.
  4. For Local Traffic Manager (LTM), select the Create a snapshot of the current configuration before importing check box to save a copy of the device's current configuration.
    You're not required to create a snapshot, but it is a good idea in case you have to revert to the previous configuration for any reason.
  5. For Local Traffic Manager (LTM), click Import.
    The LTM Import screen opens.
  6. Click Proceed to Import.
The LTM service configuration is imported. Click the back arrow to return to the previous screen.

Import the APM configuration into an Access group

You must discover a service configuration before you can import it.
You import Access Policy Manager (APM) configuration objects from a device to manage the device configuration from the BIG-IQ system. As part of the import process, you select an Access group.
You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. At the top of the screen, click Devices.
  2. Click the name of the device you want to import the service configuration from.
  3. On the left, click Services.
  4. For Access Policy (APM), select the Create a snapshot of the current configuration before importing check box to save a copy of the device's current configuration.
    You're not required to create a snapshot, but it is a good idea in case you have to revert to the previous configuration for any reason.
  5. For Access Policy (APM), click Import.
  6. On the Add to Access Group popup screen, specify either a new or existing Access group:
    • Select Create New, in the Name field type a name, and click Add.
    • Select Add to existing, select a name from the Name list, and click Add.
    You must add both members of an HA pair to the same Access group.
The APM service configuration is imported.
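The sections above state an ordering that BIG-IQ enforces through its screens: discover LTM before APM, import LTM before importing APM into an Access group, keep each device in at most one Access group, put both members of an HA pair in the same group, and re-discover APM after a device is removed from a group. The following Python model is an added example that makes those prerequisites explicit so they can be checked in a script before anyone touches the GUI; it is not BIG-IQ code and does not call the BIG-IQ REST API. The class, method, device and group names (AccessInventory, bigip-a, ag-east, and so on) are assumptions.

```python
"""Model of the prerequisite chain this chapter describes for bringing a
BIG-IP device under Access management. Added example, not BIG-IQ code; it
does not call the BIG-IQ REST API, and all names here are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


class WorkflowError(Exception):
    """A step was attempted before the chapter's prerequisites for it were met."""


@dataclass
class Device:
    name: str
    ha_peer: Optional[str] = None                      # HA pair member, if any
    discovered: Set[str] = field(default_factory=set)  # services discovered, e.g. {"ltm", "apm"}
    imported: Set[str] = field(default_factory=set)    # services imported into BIG-IQ
    access_group: Optional[str] = None                 # a device belongs to at most one group


class AccessInventory:
    """Tracks per-device service state and Access group membership."""

    def __init__(self) -> None:
        self.devices: Dict[str, Device] = {}

    def add_device(self, name: str, ha_peer: Optional[str] = None) -> Device:
        self.devices[name] = Device(name, ha_peer)
        return self.devices[name]

    def _get(self, name: str) -> Device:
        if name not in self.devices:
            raise WorkflowError(f"{name}: device has not been added to BIG-IQ")
        return self.devices[name]

    def discover(self, name: str, service: str) -> None:
        d = self._get(name)
        if service == "apm" and "ltm" not in d.discovered:
            raise WorkflowError(f"{name}: APM discovery depends on a discovered LTM service")
        d.discovered.add(service)

    def import_ltm(self, name: str) -> None:
        d = self._get(name)
        if "ltm" not in d.discovered:
            raise WorkflowError(f"{name}: discover LTM before importing it")
        d.imported.add("ltm")

    def import_apm(self, name: str, group: str) -> None:
        """Import the APM configuration into a new or existing Access group."""
        d = self._get(name)
        if "apm" not in d.discovered:
            raise WorkflowError(f"{name}: discover APM before importing it")
        if "ltm" not in d.imported:
            raise WorkflowError(f"{name}: import LTM before importing APM")
        if d.access_group not in (None, group):
            raise WorkflowError(f"{name}: already a member of Access group {d.access_group}")
        peer = self.devices.get(d.ha_peer) if d.ha_peer else None
        if peer and peer.access_group not in (None, group):
            raise WorkflowError(f"{name}: HA peer {peer.name} is in Access group {peer.access_group}")
        d.imported.add("apm")
        d.access_group = group

    def remove_from_group(self, name: str) -> None:
        """Drop the device from its group; its APM configuration is no longer managed."""
        d = self._get(name)
        d.access_group = None
        d.imported.discard("apm")
        d.discovered.discard("apm")  # APM must be discovered again before joining another group

    def groups(self) -> Dict[str, Set[str]]:
        """Current Access group membership, group name -> device names."""
        out: Dict[str, Set[str]] = {}
        for d in self.devices.values():
            if d.access_group:
                out.setdefault(d.access_group, set()).add(d.name)
        return out


def rejects(step: Callable[[], None]) -> bool:
    """True if the step is refused by one of the prerequisite checks."""
    try:
        step()
    except WorkflowError:
        return True
    return False


def walkthrough() -> Dict[str, Set[str]]:
    """Constructed sample: an HA pair brought into one Access group in the right order."""
    inv = AccessInventory()
    inv.add_device("bigip-a", ha_peer="bigip-b")
    inv.add_device("bigip-b", ha_peer="bigip-a")
    for name in ("bigip-a", "bigip-b"):
        inv.discover(name, "ltm")   # LTM first: APM discovery depends on it
        inv.discover(name, "apm")
        inv.import_ltm(name)        # LTM import is required before the APM import
    inv.import_apm("bigip-a", "ag-east")
    inv.import_apm("bigip-b", "ag-east")  # same group as its HA peer
    return inv.groups()
```

Running walkthrough() returns {"ag-east": {"bigip-a", "bigip-b"}}; any step taken out of order, a second group for a device that already has one, or an HA member sent to a different group than its peer raises WorkflowError instead of silently producing an inconsistent inventory.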

Add a device to an Access group from the Devices tab

Before you add a BIG-IP APM device, you must discover at least one device with the APM service. You must also import the LTM service configuration from the device before you can add that device to an Access group.
You can add a device to an Access group so that you can manage its configuration from Access. When you add a device to an existing Access group, its device-specific configuration resources are imported into Access. A device can belong to only one Access group.
  1. At the top of the screen, click Devices.
  2. On the left, click BIG-IP DEVICES.
  3. Click the Add Device(s) button.
  4. For IP Address, type the IPv4 or IPv6 address of the device.
  5. In the Port box, type the management port for this BIG-IP device.
    The port number must be between 4 and 65535. In many cases, it's the default port 443.
    Chrome and Safari browsers don't allow access to web applications running on port 65535. So if you use port 65535 as the management port, you won't be able to access the BIG-IP device's interface from BIG-IQ when using Chrome or Safari. You can still discover and manage BIG-IP devices that are using port 65535.
  6. If this device is part of a DSC group, for the Cluster Display Name setting, specify how to handle it:
    • For an existing DSC group, select Use Existing from the list, and then select the name of the DSC group from the next list.
    • To create a new DSC group, select Create New from the list, and type a name in the field.
    For BIG-IQ to properly associate the devices in the same DSC group, the Cluster Display Name must be the same for all members in a group.
    There can be up to eight members in a DSC group.
    For BIG-IP devices with ASM services, you can only add five devices at a time. If a BIG-IP device provisioned with ASM is part of a DSC cluster, that device must also be a member of a sync-only device group, and ASM synchronization must be enabled for the device group. Without these DSC group settings, deploying changes to the ASM device can cause the cluster to get out of sync. For more information, see K12200102, or the ASM Implementations chapter Automatically Synchronizing Application Security Configurations on support.f5.com.
  7. If this device is configured in a DSC group or you are creating a new DSC group, for the Cluster Properties, specify how to handle it:
    • Initiate BIG-IP DSC sync when deploying configuration changes (Recommended): Select this option if you want this device to automatically synchronize configuration changes with other members in the DSC group.
    • Allow deployment when DSC configured devices have changes pending (Not Recommended): Select this option if you want to deploy changes to this device even if there are changes pending for devices in the DSC group.
      This option is not recommended, because it can lead to unpredictable results.
    • Ignore BIG-IP DSC sync when deploying configuration changes: Select this option if you want to manually synchronize configuration changes between members in the DSC group.
  8. Click the Add button at the bottom of the screen.
    The BIG-IQ system opens communication to the BIG-IP device, and checks the BIG-IP device framework.
    The BIG-IQ system can properly manage a BIG-IP device only if the BIG-IP device is running a compatible version of the REST framework.
  9. If a framework upgrade is required, in the popup window, in the Root User Name and Root Password fields, type the root user name and password for the BIG-IP device, and click Continue.
  10. To centrally manage this device's configurations for licensed services, select the check box next to each service you want to discover.
    You can select other service configurations after you add the BIG-IP device to the inventory.
  11. Click the Add button at the bottom of the screen.
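Steps 4 through 7 above carry several constraints that are easy to get wrong when adding many devices at once: the address must be a valid IPv4 or IPv6 address, the management port must be between 4 and 65535 (with port 65535 unusable for the device UI from Chrome and Safari), every member of a DSC group must carry the same Cluster Display Name, a DSC group holds at most eight members, at most five ASM-provisioned devices can be added in one batch, and an ASM device in a DSC cluster needs a sync-only device group with ASM synchronization enabled. The following Python pre-flight check is an added example, not BIG-IQ code: it validates a planned batch against those stated rules before the form is filled in, and does not call the BIG-IQ REST API. The field names on DeviceEntry, the keys used for the three Cluster Properties choices, and the device-side inputs device_group_name, in_sync_only_group and asm_sync_enabled are assumptions.

```python
"""Pre-flight checks for a batch of BIG-IP devices to be added from the
BIG-IQ Devices tab. Added example, not BIG-IQ code; it models only the
constraints the chapter states and never contacts BIG-IQ or BIG-IP."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_PORT, MAX_PORT = 4, 65535        # stated management-port range
BROWSER_BLOCKED_PORT = 65535         # Chrome and Safari refuse web apps on this port
MAX_DSC_MEMBERS = 8                  # stated DSC group size limit
MAX_ASM_DEVICES_PER_BATCH = 5        # stated limit for ASM-provisioned devices per add

# Hypothetical keys for the three Cluster Properties choices on the form.
CLUSTER_PROPERTIES = {"initiate_sync", "allow_pending", "ignore_sync"}


@dataclass
class DeviceEntry:
    """One row of the Add Device(s) form plus facts read from the device itself (assumed inputs)."""
    address: str                                 # IPv4 or IPv6 management address
    port: int = 443                              # management port
    cluster_display_name: Optional[str] = None   # None when the device is not in a DSC group
    cluster_property: Optional[str] = None       # one of CLUSTER_PROPERTIES when clustered
    asm_provisioned: bool = False
    device_group_name: Optional[str] = None      # sync-failover group name configured on the BIG-IP
    in_sync_only_group: bool = False             # device-side DSC facts needed for the ASM rule
    asm_sync_enabled: bool = False


def check_device(d: DeviceEntry) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a single form entry."""
    errors: List[str] = []
    warnings: List[str] = []
    try:
        ipaddress.ip_address(d.address)          # accepts IPv4 and IPv6, rejects hostnames
    except ValueError:
        errors.append(f"{d.address}: not a valid IPv4 or IPv6 address")
    if not MIN_PORT <= d.port <= MAX_PORT:
        errors.append(f"{d.address}: port {d.port} is outside {MIN_PORT}-{MAX_PORT}")
    elif d.port == BROWSER_BLOCKED_PORT:
        warnings.append(f"{d.address}: port {BROWSER_BLOCKED_PORT} blocks the device UI "
                        "from BIG-IQ in Chrome and Safari (discovery still works)")
    if d.cluster_display_name is not None:
        if d.cluster_property not in CLUSTER_PROPERTIES:
            errors.append(f"{d.address}: clustered device needs a Cluster Properties choice")
        elif d.cluster_property == "allow_pending":
            warnings.append(f"{d.address}: deploying with pending DSC changes is not recommended")
        if d.asm_provisioned and not (d.in_sync_only_group and d.asm_sync_enabled):
            errors.append(f"{d.address}: ASM device in a DSC cluster needs a sync-only "
                          "device group with ASM synchronization enabled")
    return errors, warnings


def check_batch(devices: List[DeviceEntry]) -> Tuple[List[str], List[str]]:
    """Apply the per-device checks plus the rules that span the whole batch."""
    errors: List[str] = []
    warnings: List[str] = []
    for d in devices:
        e, w = check_device(d)
        errors.extend(e)
        warnings.extend(w)
    asm_count = sum(1 for d in devices if d.asm_provisioned)
    if asm_count > MAX_ASM_DEVICES_PER_BATCH:
        errors.append(f"{asm_count} ASM devices in one batch; add at most "
                      f"{MAX_ASM_DEVICES_PER_BATCH} at a time")
    # Members of one DSC group must all carry the same Cluster Display Name.
    names_by_group = defaultdict(set)
    for d in devices:
        if d.device_group_name and d.cluster_display_name:
            names_by_group[d.device_group_name].add(d.cluster_display_name)
    for group, names in names_by_group.items():
        if len(names) > 1:
            errors.append(f"DSC group {group}: members use different Cluster Display Names {sorted(names)}")
    members = Counter(d.cluster_display_name for d in devices if d.cluster_display_name)
    for name, count in members.items():
        if count > MAX_DSC_MEMBERS:
            errors.append(f"Cluster Display Name {name}: {count} members exceeds {MAX_DSC_MEMBERS}")
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample batch: an HA pair whose display names differ only by case,
    # plus one IPv6 device on the browser-blocked port.
    sample = [
        DeviceEntry("10.0.0.10", cluster_display_name="dc1-pair", cluster_property="initiate_sync",
                    device_group_name="failover-dg"),
        DeviceEntry("10.0.0.11", cluster_display_name="DC1-pair", cluster_property="initiate_sync",
                    device_group_name="failover-dg"),
        DeviceEntry("2001:db8::1", port=65535),
    ]
    errs, warns = check_batch(sample)
    print("errors:", *errs, sep="\n  ")
    print("warnings:", *warns, sep="\n  ")
```

The case-mismatched Cluster Display Name is reported as an error because BIG-IQ associates DSC members by that exact name, while the port 65535 entry is only a warning, since the chapter states that discovery and management still work on that port.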

Working with default service templates for Access

The BIG-IQ system ships with a set of Access-specific default service templates that you can use as starting points to allow authentication and access control for web applications behind local traffic virtual servers. You can clone these service templates and edit the cloned templates to add access security to your applications.
You currently cannot deploy service templates with Amazon Web Services (AWS).
The included default service templates are:
  • Default-f5-HTTPS-offload-lb-Access-AD-Authentication-template: For load balancing an HTTPS application on port 443 with SSL offloading on the BIG-IP device, and securing application access using AD authentication.
  • Default-f5-HTTPS-offload-lb-Access-LDAP-Authentication-template: For load balancing an HTTPS application on port 443 with SSL offloading on the BIG-IP device, and securing application access using LDAP authentication.
  • Default-f5-HTTPS-offload-lb-Access-RADIUS-Authentication-template: For load balancing an HTTPS application on port 443 with SSL offloading on the BIG-IP device, and securing application access using RADIUS authentication.
As a prerequisite for working with these service templates, you must have an Access group configured to manage the Service Scaling Group devices.
Follow these tasks to create a new service template using a default service template for access.
  1. Clone an access policy from the default-access-group to the Access group associated with the Service Scaling Group.
  2. Edit the resources associated with the cloned access policy.
  3. Make the cloned policy available in templates.
  4. In the Service Catalog, clone the default associated service template.
  5. Associate the cloned Access Policy with the cloned service template and publish the service template.
  6. Deploy the application using the customized cloned template.
  7. To enable Access statistics, enable the remote logging configuration at Monitoring > Dashboard > Access > Remote Logging.

Clone an access policy from the default-access-group

Before you can clone policies, you must have an Access group configured for your Service Scaling Group.
Do not edit Access policies or configurations in the default Access group.
You clone a default access policy to create a starting point for defining access policies for an Access group.
Do not edit default Access policy templates. Clone a policy, then make any required edits in the cloned policy.
  1. Click Configuration > ACCESS > Access Groups.
    The Access Groups screen opens.
  2. Click default-access-group.
    The default-access-group General Properties screen opens.
  3. On the left, click Per-Session Policies.
    The Per-Session Policies (Shared) screen opens.
  4. Select the check box next to an access policy to clone, and click More > Clone.
  5. In the Clone Policy dialog box that opens, select the target Access group, select whether to reuse existing objects from the target Access group, and then click Clone.
  6. Check the target Access group to see that the target policy has been cloned.
Now you can edit the Access policy, and the related objects created to support it on the target Access group.

Review and edit resources associated with an access policy

When you clone an access policy, the associated resources are also cloned. You can review and edit these resources, if necessary, on the target Access group.
  1. Click Configuration > ACCESS > Access Groups.
    The Access Groups screen opens.
  2. Click the name of the Access group to which you cloned the access policy.
    The properties screen for that group opens.
  3. Review the associated resources, and edit as necessary.

Resources associated with a cloned access policy

When you clone an access policy from the default access group, the system creates these resources. Edit these resources from the access group (Configuration > ACCESS > Access Groups). If needed, review and edit these resources on the target access group.

Resources created by the Active Directory authentication policy

  Resource                        | Details                                                         | Path
  default_ad_auth_policy_aaa_srvr | The Active Directory server information for the access policy   | AUTHENTICATION > Active Directory > Active Directory
  default_ad_auth_policy_sso      | The SSO configuration for the access policy                     | Single Sign-On > SSO Summary
  default-log-setting             | Log settings for the AD auth policy                             | EVENT LOGS SETTINGS

Resources created by the LDAP authentication policy

  Resource                          | Details                                                            | Path
  default_ldap_auth_policy_aaa_srvr | The LDAP authentication server information for the access policy   | AUTHENTICATION > LDAP
  default_ldap_auth_policy_sso      | The SSO configuration for the access policy                        | Single Sign-On > SSO Summary
  default-log-setting               | Log settings for the LDAP auth policy                              | EVENT LOGS SETTINGS

Resources created by the RADIUS authentication policy

  Resource                            | Details                                                              | Path
  default_radius_auth_policy_aaa_srvr | The RADIUS authentication server information for the access policy   | AUTHENTICATION > RADIUS
  default_radius_auth_policy_sso      | The SSO configuration for the access policy                          | Single Sign-On > SSO Summary
  default-log-setting                 | Log settings for the RADIUS auth policy                              | EVENT LOGS SETTINGS

Make an access policy available in templates

You can make an access policy available in templates, so that you can select it in a service template, and apply the settings from that policy to devices in a Service Scaling Group.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group.
    A new screen displays the Access group properties.
  3. On the left, expand Access Policies, and click Per-Session Policies.
    A new screen opens, showing a list of access policies associated with this Access group.
  4. Select the check box next to the access policy.
  5. Click More > Make Available in Templates.
    A dialog box informs you that the policy is published.
  6. Click Close.

Clone the service template

You clone a default service template to create a new service template that has the same characteristics as the existing template, which you can then modify.
  1. Click Applications > SERVICE CATALOG.
    The Service Catalog screen opens.
  2. Select the check box next to the name of the service template you want to clone.
    For example, if you want to clone a service template for LDAP authentication, select Default-f5-HTTPS-offload-lb-Access-LDAP-Authentication-template.
  3. Click More > Clone.
  4. In the dialog box that opens, type the name for the cloned service template, then click Clone.
    The Edit Template screen opens.
  5. Make any changes required to the service template.
  6. On the left, click SECURITY POLICIES.
  7. Scroll down to Access, and select the Access Group from which you want to use access policies.
    Select the Access group to which you cloned default access policies, or in which you created new access policies for this service template.
  8. In the Virtual Server area, for the virtual server providing the access service, from the Type list select Access Profile.
  9. From the APM Policy/Profile list, select the access policy you created.
    Do not associate an APM policy or profile with the redirect virtual server.
  10. Click Save & Close.
    The Service Catalog screen opens.
  11. Select the check box next to the service template you created, and click Publish.
The service template is saved and published.
You can now use the published template to create applications.