Manual Chapter : Access Policies

Applies To:

Show Versions Show Versions

BIG-IQ Centralized Management

  • 8.0.0
Manual Chapter

Access Policies

About per-session and per-request policies

Access in BIG-IQ Centralized Management provides two types of policies.
Per-session policy
The per-session policy runs when a client initiates a session. Depending on the actions you include in the access policy, it can authenticate the user and perform other actions that populate session variables with data for use throughout the session.
Per-request policy
After a session starts, a
per-request policy
runs each time the client makes an HTTP or HTTPS request. A per-request policy can include a subroutine, which starts a subsession. Multiple subsessions can exist at one time.
One per-session policy and one per-request policy are specified in a virtual server.

About access policies

In an access policy, you define the criteria for granting access to various servers, applications, and other resources on your network. An access policy can be either a per-session policy or a per-request policy. You create an access policy by creating an access profile, which automatically creates a blank access policy. Every access profile has an access policy associated with it. You configure that access policy through the access profile, using the Visual Policy Editor.

View an access policy

After you've imported a device, you can view the access policies that are configured on it. An access policy is either a per-session policy or a per-request policy. In either case, an access policy is made up of policy items, such as Start, Logon, Deny, and macros. A
macro
is a sub-policy with a beginning, one or more policy items, and one or more endings.
These policies are deployed to all the devices in the Access group. You can view the properties of the actions and the flow of actions in the policy.
  1. At the top of the screen, select
    Configuration
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. On the left, expand
    Profiles / Policies
    , click
    Access Profiles (Per-Session Policies) (Shared)
    or
    Per-Request Policies(Shared)
    .
    A new screen opens, showing a list of access policies associated with this Access group.
  4. Select an access policy.
    The VPE screen opens.
  5. Use the vertical and horizontal scrollbars to move to another section of the policy.
  6. To save your changes, click the
    Save
    button.
  7. To close the screen, click the
    Close
    button.

Create an access profile and per-session policy

You must create a access profile and its accompanying per-session policy before you can configure it in the visual policy editor.
  1. At the top of the screen, select
    Configuration
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  2. Click the name of an Access group you would like to add an access profile to.
    A new screen displays the group's properties.
  3. On the left, expand
    Profiles / Policies
    and click
    Per-Session Policies
    .
    The Per-Session Policies (Shared) screen opens, displaying a list of access policies associated with this Access group.
  4. Click
    Create
    .
    The New Access Policy screen opens.
  5. Select
    Basic
    or
    Advanced
    .
  6. In the
    Name
    field, type a name for the access profile.
    A access profile name must be unique among all access profile and any per-request policy names.
  7. From the
    Profile Type
    list, select one these options:
    • LTM-APM
      : Select for a web access management configuration.
    • SSL-VPN
      : Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • ALL
      : Select to support LTM-APM and SSL-VPN access types.
    • SSO
      : Select to configure matching virtual servers for Single Sign-On (SSO).
      No access policy is associated with this type of access profile
    • RDG-RAP
      : Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
    • SWG - Explicit
      : Select to configure access using Secure Web Gateway explicit forward proxy.
    • SWG - Transparent
      : Select to configure access using Secure Web Gateway transparent forward proxy.
    • System Authentication
      : Select to configure administrator access to the BIG-IP system (when using APM as a pluggable authentication module).
    • Identity Service
      : Used internally to provide identity service for a supported integration. Only APM creates this type of profile.
      You can edit Identity Service profile properties.
    Depending on licensing, you might not see all of these profile types.
    Additional settings display.
  8. From the
    Scope
    list, retain the default value or select another.
    • Profile
      : Gives a user access only to resources that are behind the same per-session profile. This is the default value.
    • Virtual Server
      : Gives a user access only to resources that are behind the same virtual server.
    • Global
      : Gives a user access to resources behind any per-session profile that has global scope.
  9. In the Language Settings area, add and remove accepted languages, and set the default language. This setting does not display if the profile type is RDG-RAP.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  10. Settings
  11. If you select
    Advanced
    in the
    General
    list, select the appropriate profile type, and the
    Settings
    section is available, expand
    Settings
    .
  12. In the
    Inactivity Timeout
    field, type the inactivity timeout for the connection, in seconds. If there is no activity (defined by the
    Session Update Threshold
    and
    Session Update Window
    settings in the Network Access configuration) between the client and server within the specified threshold time, the system closes the current session. By default, the timeout is 900 seconds. However, if an inactivity timeout value is set, when server traffic exceeds the specified threshold, the inactivity timeout is reset. To disable the inactivity timeout, set the
    Inactivity Timeout
    to 0.
    If you disable the inactivity timeout, a session can only be terminated by user logout, maximum session timeout, or administrator termination.
  13. In the
    Access Policy Timeout
    field, enter the duration of the policy timeout. This means that the various security checks contained within the policy (endpoint security checks, authentication checks, and so on) must execute completely within the specified time duration. By default, the timeout is 300 seconds.
  14. In the
    Maximum Session Timeout
    field, type the maximum lifetime of one session, in seconds.
    The maximum lifetime is between the time a session is created, to when the session terminates. By default, it is set to
    604800
    seconds (one week). If you set this to 0 (zero), it means no limit.
  15. In the
    Minimum Authentication Failure Delay
    field, type the minimum number of seconds to delay before displaying an error after authentication failure. APM inserts a random number of seconds of delay after authentication failure that varies between the value in this setting and the value in the
    Maximum Authentication Failure Delay
    setting. APM defaults to 2 seconds. The delay affects the following authentication types: Active Directory, HTTP, Kerberos, LDAP, local user database, one-time password verification, Oracle Access Manager, RADIUS, SecurID, and TACACS+.
  16. In the
    Maximum Authentication Failure Delay
    field, type the maximum number of seconds of delay before displaying an error after authentication failure. The default is 5 seconds.
    Set this value to no more than one-half the value of the Access Policy Timeout setting and no more than 65 seconds greater than the value of the Minimum Authentication Failure Delay setting.
  17. In the
    Max Concurrent Users
    field, type the number of sessions per access profile. The default value is
    0
    , which represents unlimited sessions.
    Only superAdmins have access to this field. No other admin roles will be able to modify this field.
  18. In the
    Max Sessions Per User
    field, type the number of sessions that a user can simultaneously have active. The default value is
    0
    . Please note that only superAdmins and application editors have access to this field. No other admin roles will be able to modify this field.
    • 0
      = no limit to the number of sessions that a user can have active.
    • 1-1000
      = the limit is enforced.
    • 1001
      = the configuration will fail the input is greater than 1000.
  19. In the
    Max in Progress sessions Per Client IP
    field, type the maximum number of sessions that can be in progress for a client IP address. The default value is 128. Please note that only superAdmins have access to this field. No other admin roles will be able to modify this field. Setting this value to 0 (unlimited) is not recommended.
  20. Select the
    Restrict to Single Client IP
    option to limit a session to a single IP address. Please note that only superAdmins and Application Editors have access to this field. No other admin roles will be able to modify this field.
  21. Select the
    Use HTTP Status 503 for Error Pages
    option to have BIG-IQ send HTTP response code 503 for error pages to clients.
    By default, this option is not selected and BIG-IQ sends HTTP response code 200.
  22. Select
    Webtop Redirect on Root URI
    to redirect the client to the webtop UI when the client accesses the root URI during a session that has a webtop resource assigned.
    If you do not enable this option, BIG-IQ forwards the request when the client accesses the root URI during a validated session with a webtop resource assigned.
  23. Configurations
  24. If you selected
    Advanced
    in the
    General
    list, select the appropriate profile type, and in the
    Configurations
    section, expand
    Configurations
    .
  25. For
    Logout URI Include
    , add one or more logoff URIs that the access profile searches in order to terminate the Access Policy Manager session. This option is used with HTTP applications.
  26. In the
    Logout URI Timeout (in seconds)
    field, type the timeout used to delay logout for the customized logout URIs defined in the logout URI Include list.
  27. From the
    Microsoft Exchange
    list, select a Microsoft Exchange profile. This profile is defined in the application access area of the Configuration utility.
    The default value is
    None
    .
  28. From the
    User Identification Method
    list, select how to identify users. The list includes methods specified by the
    Profile Type
    .
  29. From the
    Oauth Profile
    list, select an OAuth profile configuration, defined in the Federation area in Access.
  30. SSO Across Authentication Domains (Single Domain)
  31. If you selected
    Advanced
    in the
    General
    list, select the appropriate profile type, and expand the
    SSO Across Authentication Domains (Single Domain)
    section.
  32. In the
    Domain Cookie
    field, type the name of the domain in which the cookie will be used for access.
  33. For
    Cookie Options
    , select one of the following options:
    • Select
      Secure
      to add the secure keyword to the session cookie.
    • Select
      Persistent
      for a web access management session only is used for an LTM-BIG-IQ access profile type.
    • Select
      HTTP only
      to include an HTTPOnly flag in a Set-Cookie HTTP response header if the session is HTTP only.
    • Select
      Samesite
      to enforce same-site usage and prevent the session cookie from being included with cross-site requests.
      You can set the attribute to
      Strict
      to only include the cookie with requests originating from the same site as the cookie;
      Lax
      to include the cookie with same-site requests and with top-level cross-site navigations that use a safe HTTP method; and
      None
      to not enforce same-site origin. If the latter option is selected, requests must follow the HTTPS protocol, and
      Secure
      is automatically selected and cannot be altered.
  34. From the
    SSO Configuration
    list, select the SSO configuration you want applied to the domain.
  35. Log Settings
  36. If you select
    Advanced
    in the
    General
    list, select the appropriate profile type and expand the
    Log Settings
    section.
  37. For
    Log Settings
    , from the
    Available
    list, move log settings that you want to active to the
    Active
    list.
  38. Click
    Save & Close
    .
The policy name appears on the Per-Session Policies (Shared) screen.

Create a per-request policy

You must create a per-request policy before you can configure it in the visual policy editor.
  1. At the top of the screen, select
    Configuration
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. On the left, expand
    ACCESS POLICIES
    and click
    Per-Request Policies
    .
    The Per-Request Policies (Shared) screen opens, displaying a list of access policies associated with this Access group.
  4. Click
    Create
    .
    The per-request policy creation screen opens.
  5. In the
    Name
    field, type a name for the policy.
    A per-request policy name must be unique among all per-request policy and access profile (per-session policy) names.
  6. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  7. From the
    Incomplete Action
    setting, select an option to specify whether you want to allow or deny an incomplete session request.
  8. To add additional languages, select them from the
    Available
    list and move it to the
    Selected
    list.
  9. Click the
    Save
    button.
The policy name appears on the Per-Request Policies (Shared) screen.

Edit an access policy

You can edit an existing access policy using the Access Visual Policy Editor (VPE) if the policy items are action, ending, or macro calls. Although Start and In are policy items, you cannot edit them. You can undo any edited actions, and if you cancel an editing session before saving, the Policy Editor makes no changes to the policy. However, some actions or objects cannot be undone or discarded. These include the following:
  • Creating a per-session policy macro.
  • Creating a per-request policy macro, subroutine, or subroutine macro.
  • Creating new endings or terminals
  • Deleting endings or terminals.
  • Changing macros or subroutine properties.
  • Modifying any policy ending or macro terminal.
These actions can't be undone and also can't be undone if there are any pending diagram changes.
  1. At the top of the screen, select
    Configuration
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  2. Click the name of the Access group that interests you.
    A new screen displays the Access group properties.
  3. On the left, expand
    Profiles / Policies
    , and click
    Access Profiles (Per-Session Policies) (Shared)
    or
    Per-Request Policies(Shared)
    .
    A new screen opens, showing a list of access policies associated with this Access group.
  4. Select an access policy.
    The VPE screen opens.
  5. Modify the policy by clicking the diagram to insert new items, modify existing items, delete items, or change endings.
    • Undo
      returns you to the access policy before your most recent change.
    • Redo
      allows you to redo an action you have undone.
    • Revert
      returns the access diagram to the state before you made any changes to the diagram.
  6. Click
    Save
    .
    Saving the policy saves all changes in the policy diagram, including all workflows and modified macros. You can also discard pending changes and macros by clicking
    Discard
    .

Add a policy item

You can add a policy item using the Access Visual Policy Editor (VPE).
  1. At the top of the screen, select
    Configuration
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  2. Click the name of the Access group that interests you.
    A new screen displays the Access group properties.
  3. On the left, expand
    Profiles / Policies
    , and click
    Access Profiles (Per-Session Policies) (Shared)
    or
    Per-Request Policies(Shared)
    .
    A new screen opens, showing a list of access policies associated with this Access group.
  4. Select an access policy.
    The VPE screen opens.
  5. Move your mouse over a policy branch, depicted by the blue line.
    An add icon (+) displays.
  6. Click the (+) icon.
    The Item Insertion Selection popup screen opens.
  7. From the selection list on the left, select the type of policy item.
    Example:
    Logon
    , or
    Authentication
    .
    The screen displays a list of policy items on the right.
  8. From either the
    Caption
    or
    Description
    list, select a policy item.
    Another popup screen with properties and branch rules opens.
  9. On the Properties tab, modify or fill in the fields.
  10. To add a new branch rule or select an existing rule from the list, on the Branch Rules tab, click
    Add
    .
  11. Click either
    Simple
    or
    Advanced
    , and modify the branch rule.
  12. Click the
    Save
    button.
The policy item displays in the VPE at the location on the policy branch where you clicked the add icon (+).

Add an action item or macro-call to a policy

You can modify an existing policy or sub-policy by adding additional action items and macro-calls. When modifying a policy, such as a macro, all diagram operations, insertions, deletions, modifications, and branch swaps are the same from the policy or sub-policy.
  1. At the top of the screen, select
    Configuration
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. On the left, expand
    Profiles/Policies
    , and click
    Access Profiles (Per-Session Policies) (Shared)
    or
    Per-Request Policies (Shared)
    .
    A new screen opens, showing a list of access policies associated with this Access group.
  4. Select an access policy.
    The VPE screen opens. The macros that you can insert are in the Insertion dialog that displays when you click the + button.
  5. Hover your cursor over a branch line between two items.
    An add icon (+) displays.
  6. Click the icon
    +
    .
    The Item Insertion Selection popup screen opens.
  7. From the Item Insertion Selection screen, select a macro or an action item.
    A new screen opens if you select an action item.
  8. Fill in the relevant parameters and fields.
  9. Click
    Branch Rules
    .
  10. Click
    Add
    .
    The Branch Rules popup section displays more settings.
  11. On the left, select either
    Simple
    or
    Advanced
    to create a branch rule configuration.
  12. Fill in the relevant parameters and fields.
  13. Click
    OK
    .
    The new branch rule displays in the Branch Rules screen.
  14. Click the
    Save
    button.
    The
    Save
    button is only enabled if the form is valid.
The Access policy now includes the new action item.

Swap policy branches

When examining the policy workflow, you can swap one branch with another. You swap branches as an easy way to change the policy workflow without deleting the existing branches and creating new ones. Swapping branches does not change the order of the branch rule, only the destination of the two branches involved in the swap. When moving a branch, a highlighted bold blue line indicates that the swap is allowed. You cannot swap branches from an agent's upstream and downstream agent branches.
  1. At the top of the screen, select
    Configuration
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  2. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  3. On the left, expand
    Profiles/Policies
    , and click
    Access Profiles (Per-Session Policies)s (Shared)
    or
    Per-Request Policies(Shared)
    .
    A new screen opens, showing a list of access policies associated with this Access group.
  4. Select an access policy.
    The VPE screen opens.
  5. Click a branch and hold your mouse button.
  6. Drag the branch up or down.
    A red dotted line previews where the branch ends up.
  7. Release your mouse button.
    The VPE displays an access policy with swapped branches.
  8. Click the
    Save
    button when you are done editing the policy.

About timeouts and crashes

During an editing session, if you remain inactive for a prolonged period of time, the session times out. Other times, the browser might freeze. In either case, you might have to prematurely terminate an editing session without a chance to save your changes. However, regardless of why you had to terminate a session, BIG-IQ® Centralized Management saves a draft of the policy and saves any unsaved macro when you make a modification. The next time you log in, locate the policy, and open the editing screen. The system notifies you that an unsaved draft exists, and prompts you to select whether you want to continue editing the draft or start over.
The system saves the change history in the draft, so actions such as Undo and Redo work for all changes you make before the session was interrupted. Lastly, if someone else was the previous editor, you can see the user and the time of the last edit. This allows you to choose whether or not to resume that person's editing session.

Per-Session and per-request policy comparison

The table summarizes per-session policy and per-request policy similarities and differences.
Feature
Per-Session policy
Per-request policy
Supports macros
Yes
Yes
Requires that users click an Apply Access Policy link to go into effect.
Yes
No
When run
At session start.
After session is created, on every request.
Policy ending types
Allow, Deny, Redirect; endings apply to the session.
Allow, Redirect, Reject; endings apply to URL requests processed in the per-request policy. A Reject ending triggers the Deny ending in the access policy.
Supports variables
Creates session variables that are available throughout a session.
Reads available session variables. Creates per-flow variables that are available only while the per-request policy runs.