Manual Chapter : Manage Access Groups

Applies To:

BIG-IQ Centralized Management

  • 7.1.0
Manage Access Groups

How do I start to centrally manage APM configurations from BIG-IQ?

Here is an overview of your first steps for setting up an Access Policy Manager® (APM®) configuration once, and then being able to deploy that configuration from the BIG-IQ system to other BIG-IP devices.
Step 1. Add the BIG-IP device from the BIG-IP Devices tab on the BIG-IQ system. You enter the IP address and credentials of the BIG-IP device you're adding, and associate it with a cluster (if applicable).
Step 2. Manage the APM configuration by adding the device to an existing Access group or by creating a new Access group. You can create an Access group with or without a device.
For more information, refer to the BIG-IQ Centralized Management: Device guide.

What is the best way to create an Access group?

You can create an Access group in either of two ways. Use whichever you prefer, based on your requirements.
  • In the Configuration tab, create an Access group without attaching a device.
  • In the Configuration tab, create an Access group by attaching a device.

Add devices to the BIG-IQ inventory without importing services

Before you can add BIG-IP devices to BIG-IQ Centralized Management:
  • The BIG-IP device must be reachable on your network and running a compatible software version. Refer to K14592 for more information.
  • BIG-IQ must be able to reach the BIG-IP management address (or an alternative self IP address you choose) on the management ports, typically 22 and 443. Ports 22 and 443 and the management IP address are open by default on BIG-IQ.
  • If you are adding a BIG-IP device provisioned with the ASM service that is part of a DSC cluster, that device must also be a member of a sync-only device group, and ASM synchronization must be enabled for the device group. Without these DSC group settings, deploying changes to the ASM device can cause the cluster to get out of sync. For details on configuring these groups, refer to Creating a Sync-Only device group and Synchronizing an ASM-enabled device group in the Automatically Synchronizing Application Security Configurations article on support.f5.com.
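The ASM prerequisite above is easy to overlook and only shows up later as a cluster that is out of sync after a deployment. The following script is an added example, not F5's code: it parses the text that the tmsh command list cm device-group prints on a BIG-IP (collected over SSH on port 22) and reports, for a given device name, whether it sits in a sync-only group with ASM synchronization enabled, and which Sync-Failover group it belongs to (which you need when you pick the BIG-IQ cluster for it). The embedded sample output is constructed, with invented hostnames, and assumes the attribute names tmsh uses (type sync-only, asm-sync enabled); check the layout against your BIG-IP version.

```python
"""Pre-flight check for the ASM DSC prerequisite (added example, not F5 code).

Parses `list cm device-group` output from a BIG-IP and evaluates, per device,
whether it is in a sync-only device group that has asm-sync enabled.
"""
import sys

# Constructed sample of tmsh output; hostnames are invented.
SAMPLE_OUTPUT = """\
cm device-group asm-sync-group {
    asm-sync enabled
    devices {
        bigip1.example.com { }
        bigip2.example.com { }
    }
    type sync-only
}
cm device-group device_trust_group {
    auto-sync enabled
    devices {
        bigip1.example.com { }
        bigip2.example.com { }
        bigip3.example.com { }
    }
    type sync-only
}
cm device-group failover-group {
    devices {
        bigip1.example.com { }
        bigip2.example.com { }
    }
    type sync-failover
}
"""


def parse_device_groups(text):
    """Return {group_name: {'type': ..., 'asm-sync': ..., 'devices': [...], ...}}."""
    groups, current, in_devices = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("cm device-group ") and line.endswith("{"):
            name = line[len("cm device-group "):-1].strip()
            # asm-sync is absent from the output when it is disabled
            current = groups[name] = {"type": None, "asm-sync": "disabled", "devices": []}
        elif current is None:
            continue  # text outside any device-group stanza
        elif line.startswith("devices") and line.endswith("{"):
            in_devices = True
        elif line == "}":
            if in_devices:
                in_devices = False
            else:
                current = None
        elif in_devices:
            current["devices"].append(line.split()[0])  # "host { }" -> host
        else:
            key, _, value = line.partition(" ")  # "asm-sync enabled", "type sync-only"
            current[key] = value.strip()
    return groups


def check_asm_prereq(text, device):
    """Evaluate the rule for one device name as it appears in the device groups."""
    groups = parse_device_groups(text)
    asm_groups = sorted(n for n, g in groups.items()
                        if g["type"] == "sync-only" and g["asm-sync"] == "enabled"
                        and device in g["devices"])
    failover = sorted(n for n, g in groups.items()
                      if g["type"] == "sync-failover" and device in g["devices"])
    return {"device": device, "ok": bool(asm_groups),
            "asm_sync_groups": asm_groups, "sync_failover_groups": failover}


if __name__ == "__main__":
    # Usage (admin's login shell on BIG-IP is tmsh):
    #   ssh admin@bigip 'list cm device-group' | python3 check_asm_prereq.py bigip1.example.com
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for name in sys.argv[1:] or ["bigip1.example.com", "bigip3.example.com"]:
        r = check_asm_prereq(text, name)
        print(f"{name}: {'OK' if r['ok'] else 'NOT READY'} "
              f"asm-sync groups={r['asm_sync_groups']} sync-failover={r['sync_failover_groups']}")
```

Run it against each ASM device before you add the batch to BIG-IQ; a device that reports NOT READY needs the sync-only group created and asm-sync enabled first, otherwise the first deployment from BIG-IQ can desynchronize the cluster.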
A BIG-IP device running versions 10.2.0 - 11.5.0 is considered a legacy device, and cannot be added to the BIG-IQ system's inventory for management. If you were managing a legacy device in a previous version of BIG-IQ and upgrade, the legacy device displays as impaired with a yellow triangle next to it in the BIG-IP Devices inventory. To manage it, you must upgrade the BIG-IP device to a later version that BIG-IQ supports (refer to K14592). For instructions, refer to the section titled Upgrading a Legacy Device.
You add BIG-IP devices to the BIG-IQ system inventory as the first step to managing them.
For BIG-IP devices with ASM services, you can only add five devices at a time.
You cannot add multiple BIG-IP devices with SSLO services at once. You must add those BIG-IP devices individually. After you import a BIG-IP device with SSLO services, make future configuration changes only from BIG-IQ. If you make a change to the SSLO service configuration directly on the BIG-IP device, you cannot re-discover or re-import that device.
  1. At the top of the screen, click Devices.
  2. Click the Add Device(s) button.
  3. For IP Address, type the IPv4 or IPv6 address of the device.
  4. In the Port box, type the management port for this BIG-IP device.
     The port number must be between 4 and 65535. In many cases, it's the default port 443.
     Chrome and Safari browsers don't allow access to web applications running on port 65535. So if you use port 65535 as the management port, you won't be able to open the BIG-IP device's interface from BIG-IQ when using Chrome or Safari. You can still discover and manage BIG-IP devices that are using port 65535.
  5. To add this device to a new cluster:
     If the device is not a member of a Sync-Failover group that you configured to support an Active-Standby configuration for APM, do not add it to a cluster.
     If the device is the first member of a Sync-Failover group that you are adding to the BIG-IQ system, add it to a new cluster. It does not matter whether this device is the Active or the Standby member of the group.
    1. From the Cluster Display Name list, select Create New, and then type a name for the new cluster.
       A cluster name must be unique on the BIG-IQ system. It does not need to match the name of the Sync-Failover group on the BIG-IP device. However, keeping the names similar can be useful, because when you add the second member of the group, you must add it to the same cluster.
    2. Select an option from the Deployment Settings:
    • Initiate BIG-IP DSC sync when deploying configuration changes (Recommended)
      Select this option to have BIG-IQ start the DSC synchronization process so that any configuration change deployed to this device is synchronized with the other members of the DSC. This option makes sure all members of the DSC have the most current configuration.
    • Ignore BIG-IP DSC sync when deploying configuration changes
      Select this option to have BIG-IQ deploy any configuration changes for this device to all cluster members itself, without triggering a DSC sync. Use this option only if this device is not configured in a DSC Sync-Failover device group, or if any members of the cluster are disabled.
  6. To add this device to an existing cluster:
     If the device is the second member of a Sync-Failover group that you have added to the BIG-IQ system, add the device to the existing cluster for that Sync-Failover group.
    1. From the Cluster Display Name list, select Use Existing, and then select the cluster from the list.
    2. Select an option from the Deployment Settings:
    • Initiate BIG-IP DSC sync when deploying configuration changes (Recommended)
      Select this option to have BIG-IQ push any configuration changes for this device to the other members of the DSC through a DSC sync. This option makes sure all members of the DSC have the most current configuration.
    • Ignore BIG-IP DSC sync when deploying configuration changes
      Select this option to have BIG-IQ deploy any configuration changes for this device to all cluster members itself, without triggering a DSC sync. Use this option only if this device is not configured in a DSC Sync-Failover device group, or if any members of the cluster are disabled.
  7. Click the Add button at the bottom of the screen.
     When complete, a popup screen displays the status and options to discover device service configurations immediately.
  8. To discover configurations for APM and LTM now, select Access Policy Manager (APM); the Local Traffic Manager (LTM) check box is selected automatically. Click Discover.
     You can discover service configurations now or later.
     BIG-IQ discovers the configurations for the APM and LTM services.
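When several devices are added at once it is easy to violate one of the rules this procedure states (port range, both Sync-Failover members in one cluster, the DSC sync setting, five ASM devices per batch, SSLO devices one at a time, APM discovery pulling in LTM). The planner below is an added example, not F5's code; it serves both this procedure and the Add a device to an Access group from the Devices tab procedure later in this chapter. It validates a list of devices against those rules, splits them into the batches the Add Device(s) screen accepts, and emits the REST tasks in the order the UI performs them. The REST paths, JSON keys and module names (device-trust, device-discovery, adc_core, access, useBigiqSync and so on) are assumptions based on the public iControl REST tasks, not something this chapter states; verify them against the API reference for your BIG-IQ version before use.

```python
"""Pre-flight planner for adding BIG-IP devices to the BIG-IQ inventory.

Added example, not F5 code. Encodes the rules from this chapter and emits the
REST tasks in UI order. ASSUMPTION: the REST paths, JSON keys and module names
follow the public iControl REST device-trust / device-discovery tasks.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INITIATE_DSC = "initiate"  # "Initiate BIG-IP DSC sync when deploying ..." (recommended)
IGNORE_DSC = "ignore"      # "Ignore BIG-IP DSC sync when deploying ..."
MAX_ASM_PER_BATCH = 5      # chapter: ASM devices, five at a time
MAX_DSC_MEMBERS = 8        # chapter: up to eight members in a DSC group
# UI service names -> module names for the discovery task (assumed values).
MODULES = {"ltm": "adc_core", "apm": "access", "asm": "asm", "sslo": "sslo"}


@dataclass
class Device:
    address: str
    port: int = 443
    services: tuple = ("ltm",)                 # subset of ltm, apm, asm, sslo
    sync_failover_group: Optional[str] = None  # DSC Sync-Failover group, if any
    cluster_name: Optional[str] = None         # BIG-IQ "Cluster Display Name"
    dsc_sync: str = INITIATE_DSC


class PlanError(ValueError):
    """A rule from this chapter would be violated."""


def validate(devices):
    """Return warnings; raise PlanError for anything BIG-IQ rejects or that mis-syncs."""
    warnings, group_cluster, members = [], {}, {}
    for d in devices:
        ipaddress.ip_address(d.address)  # IPv4 or IPv6; raises ValueError otherwise
        if not 4 <= d.port <= 65535:
            raise PlanError(f"{d.address}: management port must be between 4 and 65535")
        if d.port == 65535:
            warnings.append(f"{d.address}: port 65535 cannot be opened from Chrome or Safari")
        if bool(d.sync_failover_group) != bool(d.cluster_name):
            raise PlanError(f"{d.address}: add to a cluster if, and only if, it is a Sync-Failover member")
        if d.dsc_sync == IGNORE_DSC and d.sync_failover_group:
            warnings.append(f"{d.address}: ignoring DSC sync on a Sync-Failover member can leave its peer stale")
        if d.sync_failover_group:
            # Both members of one Sync-Failover group must land in the same cluster.
            if group_cluster.setdefault(d.sync_failover_group, d.cluster_name) != d.cluster_name:
                raise PlanError(f"Sync-Failover group {d.sync_failover_group} is split across clusters")
            members.setdefault(d.cluster_name, []).append(d.address)
    if len(set(group_cluster.values())) != len(group_cluster):
        raise PlanError("two Sync-Failover groups map to one cluster name; cluster names must be unique")
    for name, hosts in members.items():
        if len(hosts) > MAX_DSC_MEMBERS:
            raise PlanError(f"cluster {name}: {len(hosts)} members, a DSC group holds at most {MAX_DSC_MEMBERS}")
    return warnings


def batches(devices):
    """Split into Add Device(s) batches: plain devices together, ASM in fives, SSLO alone."""
    plain, asm, full, alone = [], [], [], []
    for d in devices:
        if "sslo" in d.services:
            alone.append([d])
        elif "asm" in d.services:
            asm.append(d)
            if len(asm) == MAX_ASM_PER_BATCH:
                full.append(asm)
                asm = []
        else:
            plain.append(d)
    return [b for b in [plain, *full, asm] if b] + alone


def discovery_modules(services):
    """APM depends on LTM, so selecting APM selects LTM as well."""
    wanted = set(services) | ({"ltm"} if "apm" in services else set())
    return [{"module": MODULES[s]} for s in sorted(wanted)]


def tasks_for(device, username, password):
    """REST calls in UI order: establish device trust, then discover the chosen services.
    The BIG-IP credentials travel in the request body, so send this only over a
    certificate-verified TLS session to BIG-IQ and never log the payload."""
    trust = {"address": device.address, "httpsPort": device.port,
             "userName": username, "password": password}
    if device.cluster_name:
        trust["clusterName"] = device.cluster_name
        # Assumed mapping: useBigiqSync=true means BIG-IQ pushes to every cluster
        # member itself (the "Ignore BIG-IP DSC sync" option) instead of triggering DSC.
        trust["useBigiqSync"] = device.dsc_sync == IGNORE_DSC
    return [
        ("POST", "/mgmt/cm/global/tasks/device-trust", trust),
        ("POST", "/mgmt/cm/global/tasks/device-discovery",
         {"deviceReference": {"link": "<deviceReference returned by the trust task>"},
          "moduleList": discovery_modules(device.services)}),
    ]
```

Run validate() and batches() over the whole list before you open the Add Device(s) screen; the planner raises on the mistakes the UI would either reject or silently accept and then mis-sync, and the warnings are the points this chapter tells you to think about (port 65535, ignoring DSC sync on a real Sync-Failover member).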

Create an Access group

You create an Access group to start managing the Access configuration for a group of BIG-IP devices.
When you create an Access group, the service configurations for the devices are imported.
You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the Create button.
     The New Access Group screen opens.
  3. In the Name field, type a name for the Access group.
  4. From the Device list, select the device to be the source of the shared configuration for other devices in the group. Alternatively, select None to create an Access group without a device.
  5. From the Device Version list, select the BIG-IP version associated with the device.
     The list displays the BIG-IP versions supported by the BIG-IQ system. You can edit this option only if you did not select a device for this Access group. If you selected a device, the system populates this option from the device and disables editing.
  6. For Supports SWG, select the check box to create an Access group that manages devices with Secure Web Gateway (SWG) data.
     You can edit this option only if you did not select a device for this Access group. If you selected a device, the system populates this option from the device and disables editing.
  7. Click Create.
     The Access Groups screen opens. Progress information displays in the Status column.

Add a device to an Access group

Before you start, you must have at least one device with the APM service discovered. You must also have imported the LTM service configuration from the device before you can add that device to an Access group.
You add a device to an Access group so you can manage its configuration from Access. When you add a device to an existing Access group, its device-specific configuration resources are imported into Access. A device can only belong to one Access group.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group you want to change.
     The General Properties screen for the Access group displays, listing the devices in the Access group.
  3. Click Add Device.
     The Add Device popup screen displays.
  4. For Device, select the device from the menu.
  5. (Optional) To create a snapshot of the existing configuration, for Snapshot, select the Create a snapshot of the current configuration before importing check box.
  6. Click Add.
     The popup screen closes, displaying the Access Groups screen. The new device displays under the Devices list.

Reimport an Access group configuration or device-specific configuration

Before you begin reimporting a configuration from a BIG-IP device, you must have an existing Access group.
You can reimport a shared Access group configuration or a device-specific configuration from any device in an Access group. This reduces the need to edit the configuration by hand.
You reimport from the Access Groups screen.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click Reimport.
  3. For the Configuration Type option, select whether you want to import a Shared Access Group and Device Specific configuration or just a Device specific configuration.
  4. (Optional) For the Snapshot option, select whether you want to create a snapshot of the current configuration before importing.
  5. Click Reimport.
You have now reimported an existing configuration.

Remove a device from an Access group

You can remove a device from an Access group if you no longer want to manage the Access configuration for the device, or if you want to add the device to a different Access group. An Access group can exist in the BIG-IQ system without any devices. You can remove all devices from an Access group, leave it empty, and then add new devices later.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group you want to change.
     The properties screen for that group opens, listing the devices in the Access group.
  3. Select the check box for the device you want to remove and click Remove.
     A confirmation popup screen opens.
  4. Confirm that you want to remove the device.
     The device no longer displays in the Access group. The APM service configuration on the device is no longer managed.
Before you can see new data from the device in Access reports or add the device to another Access group, you must discover the APM service configuration on the device again.

Remove an Access group

You can remove an Access group that you previously created.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Select the check box next to an existing Access group.
     The Remove button becomes available.
  3. Click Remove, and in the Remove Access Group Configuration? message window, click OK.
You have removed an Access group from your BIG-IQ system.

Create an Access group from the Devices tab

Before you can create an Access group, you must discover at least one device. You must also import the LTM service configuration from a device before you can add that device to an Access group.
You can create an Access group to start managing the Access configuration for a group of devices.
When you create an Access group, the service configurations for the devices are imported.
You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. At the top of the screen, click Devices > BIG-IP CLUSTERS > Access Groups.
     The Access Groups screen opens.
  2. Click the Create button.
     The New Access Group screen opens.
  3. In the Name field, type a name for the Access group.
  4. From the Device list, select the device to be the source of the shared configuration for other devices in the group.
     From this tab, you must create the Access group with a device attached.
  5. For Supports SWG, select the check box to create an Access group that manages devices with Secure Web Gateway (SWG) data.
     Because a device is attached, the system populates this option from the device and disables editing.
  6. Click Create.
     The Access Groups screen opens. Progress information displays in the Status column.

Discover the LTM and APM service configurations

Before you can import configurations from a device, you must first discover that device. To prepare to create an Access configuration on the BIG-IQ system, you must discover the Local Traffic Manager (LTM) service configuration, and then discover the Access Policy Manager (APM) service configuration as APM is dependent upon a discovered LTM service.
  1. At the top of the screen, click Devices.
  2. On the BIG-IP DEVICES tab, click the name of the device you want to discover the service configuration from.
  3. On the left, click Services.
  4. For Local Traffic Manager (LTM), click Discover.
     You must wait for discovery to complete before you continue. If you have previously discovered LTM for this device, the button reads Re-discover.
  5. For Access Policy Manager (APM), click Discover.
     If you have previously discovered APM for this device, the button reads Re-discover.
Once you have finished the discovery process, you can import the configuration.

Import the LTM service configuration

You must discover a service configuration before you can import it.
Before you can import the Access Policy Manager (APM) service configuration from a discovered device, you must import the Local Traffic Manager (LTM) service configuration.
You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. At the top of the screen, click Devices.
  2. Click the name of the device you want to import the service configuration from.
  3. On the left, click Services.
  4. For Local Traffic Manager (LTM), select the Create a snapshot of the current configuration before importing check box to save a copy of the device's current configuration.
     You're not required to create a snapshot, but it is a good idea in case you have to revert to the previous configuration for any reason.
  5. For Local Traffic Manager (LTM), click Import.
     The LTM Import screen opens.
  6. Click Proceed to Import.
The LTM service configuration is imported. Click the back arrow to return to the previous screen.

Import the APM configuration into an Access group

You must discover a service configuration before you can import it.
You import Access Policy Manager (APM) configuration objects from a device to manage the device configuration from the BIG-IQ system. As part of the import process, you select an Access group.
You, or any other BIG-IQ system user, cannot perform any tasks on the BIG-IQ system while it is importing a service configuration. Large configurations can take a while to import, so let other BIG-IQ users know before you start this task.
  1. At the top of the screen, click Devices, and then click the name of the device you want to import the service configuration from.
  2. On the left, click Services.
  3. For Access Policy Manager (APM), select the Create a snapshot of the current configuration before importing check box to save a copy of the device's current configuration.
     You're not required to create a snapshot, but it is a good idea in case you have to revert to the previous configuration for any reason.
  4. For Access Policy Manager (APM), click Import.
  5. On the Add to Access Group popup screen, specify either a new or an existing Access group:
     • Select Create New, type a name in the Name field, and click Add.
     • Select Add to existing, select a name from the Name list, and click Add.
     You must add both members of an HA pair to the same Access group.
The APM service configuration is imported.

Add a device to an Access group from the Devices tab

Before you add a BIG-IP APM device, you must discover at least one device with the APM service. You must also import the LTM service configuration from the device before you can add that device to an Access group.
You can add a device to an Access group so you that you can manage its configuration from Access. When you add a device to an existing Access group, its device-specific configuration resources are imported into Access. A device can only belong to one Access group.
  1. At the top of the screen, click Devices.
  2. On the left, click BIG-IP DEVICES.
  3. Click the Add Device(s) button.
  4. For IP Address, type the IPv4 or IPv6 address of the device.
  5. In the Port box, type the management port for this BIG-IP device.
     The port number must be between 4 and 65535. In many cases, it's the default port 443.
     Chrome and Safari browsers don't allow access to web applications running on port 65535. So if you use port 65535 as the management port, you won't be able to open the BIG-IP device's interface from BIG-IQ when using Chrome or Safari. You can still discover and manage BIG-IP devices that are using port 65535.
  6. If this device is part of a DSC group, for the Cluster Display Name setting, specify how to handle it:
     • For an existing DSC group, select Use Existing from the list, and then select the name of the DSC group from the next list.
     • To create a new DSC group, select Create New from the list, and type a name in the field.
     For BIG-IQ to properly associate the devices in the same DSC group, the Cluster Display Name must be the same for all members in a group.
     There can be up to eight members in a DSC group.
  7. If this device is configured in a DSC group or you are creating a new DSC group, for the Cluster Properties, specify how to handle it:
     • Initiate BIG-IP DSC sync when deploying configuration changes (Recommended): Select this option if you want this device to automatically synchronize configuration changes with other members in the DSC.
     • Allow deployment when DSC configured devices have changes pending (Not Recommended): Select this option if you want to deploy changes to this device even if there are changes pending for devices in the DSC group.
       This option is not recommended, because it can lead to unpredictable results.
     • Ignore BIG-IP DSC sync when deploying configuration changes: Select this option if you want to manually synchronize configuration changes between members in the DSC group.
  8. Click the Add button at the bottom of the screen.
     The BIG-IQ system opens communication to the BIG-IP device, and checks the BIG-IP device framework.
     The BIG-IQ system can properly manage a BIG-IP device only if the BIG-IP device is running a compatible version of the REST framework.
  9. If a framework upgrade is required, in the popup window, in the Root User Name and Root Password fields, type the root user name and password for the BIG-IP device, and click Continue.
  10. To centrally manage this device's configurations for licensed services, select the check box next to each service you want to discover.
      You can select other service configurations after you add the BIG-IP device to the inventory.
  11. Click the Add button at the bottom of the screen.

Working with default service templates for Access

The BIG-IQ system ships with a set of Access-specific default service templates that you can use as starting points to allow authentication and access control for web applications behind local traffic virtual servers. You can clone these service templates and edit the cloned templates to add access security to your applications.
You currently cannot deploy service templates with Amazon Web Services (AWS).
The included default service templates are:
  • Default-f5-HTTPS-offload-lb-Access-AD-Authentication-template: Load balances an HTTPS application on port 443 with SSL offloading on the BIG-IP device, and secures application access using Active Directory (AD) authentication.
  • Default-f5-HTTPS-offload-lb-Access-LDAP-Authentication-template: Load balances an HTTPS application on port 443 with SSL offloading on the BIG-IP device, and secures application access using LDAP authentication.
  • Default-f5-HTTPS-offload-lb-Access-RADIUS-Authentication-template: Load balances an HTTPS application on port 443 with SSL offloading on the BIG-IP device, and secures application access using RADIUS authentication.
As a prerequisite for working with these service templates, you must have an Access group configured to manage the Service Scaling Group devices.
Follow these tasks to create a new service template using a default service template for Access.
  1. Clone an access policy from the default-access-group to the Access group associated with the Service Scaling Group.
  2. Edit the resources associated with the cloned access policy.
  3. Make the cloned policy available in templates.
  4. In the Service Catalog, clone the associated default service template.
  5. Associate the cloned access policy with the cloned service template and publish the service template.
  6. Deploy the application using the customized cloned template.
  7. To enable Access statistics, enable the remote logging configuration at Monitoring > Dashboard > Access > Remote Logging.

Clone an access policy from the default-access-group

Before you can clone policies, you must have an Access group configured for your Service Scaling Group.
Do not edit Access policies or configurations in the default Access group.
You clone a default access policy to create a starting point for defining access policies for an Access group.
Do not edit default Access policy templates. Clone a policy, then make any required edits in the cloned policy.
  1. Click Configuration > ACCESS > Access Groups.
     The Access Groups screen opens.
  2. Click default-access-group.
     The default-access-group General Properties screen opens.
  3. On the left, click Per-Session Policies.
     The Per-Session Policies (Shared) screen opens.
  4. Select the check box next to the access policy to clone, and click More > Clone.
  5. In the Clone Policy dialog box that opens, select the target Access group, select whether to reuse existing objects from the target Access group, and then click Clone.
  6. Check the target Access group to see that the policy has been cloned.
Now you can edit the Access policy, and the related objects created to support it on the target Access group.

Review and edit resources associated with an access policy

When you clone an access policy, the associated resources are also cloned. You can review and edit these resources, if necessary, on the target Access group.
  1. Click Configuration > ACCESS > Access Groups.
     The Access Groups screen opens.
  2. Click the name of the Access group to which you cloned the access policy.
     The properties screen for that group opens.
  3. Review the associated resources, and edit them as necessary.

Resources associated with a cloned access policy

When you clone an access policy from the default Access group, the system creates the resources listed below. Review and, if needed, edit these resources on the target Access group (Configuration > ACCESS > Access Groups); the path after each resource is where it appears within the Access group.
Resources created by the Active Directory authentication policy
  • default_ad_auth_policy_aaa_srvr: The Active Directory server information for the access policy. Path: AUTHENTICATION > Active Directory > Active Directory
  • default_ad_auth_policy_sso: The SSO configuration for the access policy. Path: Single Sign-On > SSO Summary
  • default-log-setting: Log settings for the AD auth policy. Path: EVENT LOGS SETTINGS
Resources created by the LDAP authentication policy
  • default_ldap_auth_policy_aaa_srvr: The LDAP authentication server information for the access policy. Path: AUTHENTICATION > LDAP
  • default_ldap_auth_policy_sso: The SSO configuration for the access policy. Path: Single Sign-On > SSO Summary
  • default-log-setting: Log settings for the LDAP auth policy. Path: EVENT LOGS SETTINGS
Resources created by the RADIUS authentication policy
  • default_radius_auth_policy_aaa_srvr: The RADIUS authentication server information for the access policy. Path: AUTHENTICATION > RADIUS
  • default_radius_auth_policy_sso: The SSO configuration for the access policy. Path: Single Sign-On > SSO Summary
  • default-log-setting: Log settings for the RADIUS auth policy. Path: EVENT LOGS SETTINGS

Make an access policy available in templates

You can make an access policy available in templates, so that you can select it in a service template, and apply the settings from that policy to devices in a Service Scaling Group.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of the Access group.
     A new screen displays the Access group properties.
  3. On the left, expand Access Policies, and click Per-Session Policies.
     A new screen opens, showing a list of access policies associated with this Access group.
  4. Select the check box next to the access policy.
  5. Click More > Make Available in Templates.
     A dialog box informs you that the policy is published.
  6. Click Close.

Clone the service template

You clone a default service template to create a new service template that has the same characteristics as the existing template and that you can modify.
  1. Click Applications > SERVICE CATALOG.
     The Service Catalog screen opens.
  2. Select the check box next to the name of the service template you want to clone.
     For example, to clone a service template for LDAP authentication, select Default-f5-HTTPS-offload-lb-Access-LDAP-Authentication-template.
  3. Click More > Clone.
  4. In the dialog box that opens, type the name for the cloned service template, then click Clone.
     The Edit Template screen opens.
  5. Make any changes required to the service template.
  6. On the left, click SECURITY POLICIES.
  7. Scroll down to Access, and select the Access Group from which you want to use access policies.
     Select the Access group to which you cloned default access policies, or in which you created new access policies for this service template.
  8. In the Virtual Server area, for the virtual server providing the access service, from the Type list, select Access Profile.
  9. From the APM Policy/Profile list, select the access policy you created.
     Do not associate an APM policy or profile with the redirect virtual server.
  10. Click Save & Close.
      The Service Catalog screen opens.
  11. Select the check box next to the service template you created, and click Publish.
The service template is saved and published.
You can now use the published template to create applications.