Manual Chapter : Connectivity and VPN

Applies To:

BIG-IQ Centralized Management

  • 8.0.0

About connectivity profiles and Network Access

A connectivity profile defines connectivity and client settings for a Network Access session.
A connectivity profile contains:
  • Compression settings for network access connections and application tunnels
  • Citrix client settings
  • Virtual servers and DNS-location awareness settings for BIG-IP Edge Client® for Windows, Mac, and Linux
  • Password caching settings for BIG-IP Edge Client for Windows, Mac, and mobile clients
  • Settings for mobile clients
A connectivity profile is also associated with customizable client download packages for Edge Client for Windows and Edge Client for Mac.

About connectivity profiles and traffic handling

If a connectivity profile is assigned to a virtual server, it creates a secure connectivity (tunnel) interface. Traffic that is allowed through the tunnel is matched against any virtual servers enabled on the tunnel interface. If a matching virtual server is found, the traffic goes to the virtual server before going out to the network. Network access, portal access, iSession, and mobile app tunnel traffic are allowed through the tunnel and the same traffic handling is applied to all of them.

Connectivity profiles

Configuring general settings for connectivity profiles

From within BIG-IQ, you can configure each of the following groups of settings in a connectivity profile.
  1. From the Configuration tab, select ACCESS > Access Groups and then create or select an Access group, and under CONNECTIVITY/VPN, select Connectivity, and select Profiles.
  2. The screen displays the network access resources (either the shared or the device-specific) in the working configuration for the Access group.
    • To view the properties of the profile, click its name in the table.
    • To locate a profile, search for it by name in the search bar.
    • To create a new profile, click the Create button.
    • To download the Client Package, click Customize Package. A screen opens displaying the link to the BIG-IP system and download instructions.
    • To delete a profile, select the check box next to the profile and click the Delete button. You can delete more than one profile by selecting the check box next to multiple profiles. However, you cannot delete a hosted content file that is referenced by a virtual server.
  3. Select Create or select an existing profile to configure a connectivity profile.
  4. Type a name for this profile. Avoid using global reserved words such as all, delete, disable, enable, help, list, show, or None. You cannot change the name if you are editing an existing connectivity profile.
  5. Enter a Partition. The default is Common. You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the Common partition, all users can access it.
  6. Type a description for this profile.
  7. From the Parent Profile drop-down list, select an existing profile.
  8. For FEC Profile, select a forward error correcting (FEC) profile from the list.
  9. For Compression Buffer Size, type the number of bytes for the size of the output buffers containing compressed data. The default is 4096.
  10. For gzip Compression Level, select from the list the degree to which the system compresses the content. Higher compression levels cause the compression process to be slower and the result to be more compressed. The default compression level is 6 - Optimal Compression (Recommended), which provides a balance between level of compression and CPU processing time.
  11. For gzip Memory Level (KiloBytes), select from the list the number of kilobytes of memory that the system uses for internal compression buffers when compressing data. You can select a value between 1 and 256.
  12. For gzip Window Size (KiloBytes), select from the list the number of kilobytes in the window size that the system uses when compressing data. You can select a value between 1 and 128.
  13. Enable CPU Saver to specify that the system monitors the percentage of CPU usage and adjusts compression rates automatically when the CPU usage reaches either the high value or the low value.
  14. For High, type the percentage of CPU usage at which the system starts automatically decreasing the amount of content being compressed, as well as the amount of compression which the system is applying.
  15. For Low, type the percentage of CPU usage at which the system resumes content compression at the user-defined rates.
  16. Click Save.
  17. Enable Compression to specify the available compression codecs for server-to-client connections. The server compares the available compression types configured here with the available compression types on the client, and chooses the most effective mutual compression setting.
  18. For Adaptive Compression, specify whether to enable or disable adaptive compression between the client and the server.
  19. For Deflate Level, specify the compression level for deflate compression. Higher numbers compress more, at the cost of more processing time.
  20. For Available Codecs, enable or disable one or more of the following choices:
    • lzo - Specifies LZO compression. LZO compression offers a balance between CPU resources and compression ratio, compressing more than Deflate compression, but with less CPU resources than Bzip2.
    • deflate - Specifies deflate compression. Deflate compression uses the least CPU resources, but compresses the least effectively.
    • bzip2 - Specifies Bzip2 compression. Bzip2 compression uses the most CPU resources, but compresses the most effectively.
  21. For Citrix Client Bundle, select a bundle from the list. A Citrix client bundle provides an installable Citrix Receiver client. The default parent connectivity profile includes a default Citrix client bundle.
  22. Click Save & Close.

Configure a connectivity profile for Edge Client for Windows

A connectivity profile automatically contains settings for BIG-IP Edge Client for Windows clients. Configure the settings to fit your APM deployment.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. Expand Connectivity / VPN and click Connectivity > Profiles.
  4. Select the connectivity profile that you want to update from the list.
    The Edit Connectivity Profile screen opens and displays General Settings.
  5. Select Win/Mac Edge Settings in the left pane.
    Settings for the Windows Edge Client display in the right pane.
  6. Set Edge Client OAuth Settings:
    1. To configure OAuth settings for Edge Client, select the OAuth provider from the Provider list. If you select None, OAuth configuration is disabled.
    2. Enter a value in the Client ID field. The OAuth client identifier is not a secret and is exposed by the BIG-IP APM virtual server. Leaving this field blank will disable an OAuth configuration.
    3. In the Scopes field, enter the scopes that will be requested by the client. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings defined by the authorization server. When using multiple strings, the order does not matter.
    4. Optionally, in the Complete Redirection URI field, enter a URI for the OAuth client to be directed to when authentication completes or fails ("You can close this tab" page). The default APM page is used if you do not enter a value for Complete Redirection URI. The URI should start with "https://", "http://" or "/".
  7. Set Edge Client action settings:
    1. Retain the default (selected) or clear the Save Servers Upon Exit check box.
      Specifies whether Edge Client maintains a list of recently used user-entered APM servers. Edge Client always lists the servers that are defined in the connectivity profile, and sorts them by most recent access, whether this option is selected or not.
    2. To enable the client to try to use the Windows logon session for an APM session also, select the Reuse Windows Logon Session check box.
      This is cleared by default.
    3. To enable the client to try to use the credentials that they typed for Windows logon in an APM session also, select the Reuse Windows Logon Credentials check box.
      This is cleared by default.
      To support this option, you must also include the User Logon Credentials Access Service in the Windows client package for this connectivity profile and you must ensure that the access policy includes an uncustomized Logon Page action.
  8. To support automatic reconnection without the need to provide credentials again, allow password caching.
    1. Select the Allow Password Caching check box.
      This check box is cleared by default.
      The remaining settings on the screen become available.
    2. From the Save Password Method list, select disk or memory.
      If you select disk, Edge Client caches the user's password (in encrypted form) securely on the disk where it is persisted even after the system is restarted or Edge Client is restarted.
      If you select memory, Edge Client caches the user's password within the BIG-IP Edge Client application for automatic reconnection purposes.
      If you select memory, the Password Cache Expiration (minutes) field displays with a default value of 240.
    3. If the Password Cache Expiration (minutes) field displays, retain the default value or type the number of minutes to save the password in memory.
  9. To enable automatic download and update of client packages, from the Component Update list, select yes (default).
    If you select yes, APM updates Edge Client software automatically on the client system when newer versions are available. This option applies to updates for these components only: BIG-IP Edge Client, component installer service, DNS relay proxy service, and user logon credentials access service.
  10. Specify DNS suffixes that are considered to be in the local network.
    Providing a list of DNS suffixes for the download package enables Edge Client to support the autoconnect option. With Auto-Connect selected, Edge Client uses the DNS suffixes to automatically connect when a client is not on the local network (not on the list) and automatically disconnect when the client is on the local network.
    1. From the left pane of the popup screen, select Location DNS List.
      Location DNS list information is displayed in the right pane.
    2. Click Add.
      An update row becomes available.
    3. Type a name and click Update.
      Type a DNS suffix that conforms to the rules specified for the local network.
      The new row displays at the top of the table.
    4. Continue to add DNS names and when you are done, click OK.
  11. To save your changes, click Save & Close.
You have now configured the security settings for BIG-IP Edge Client for Windows clients.

Configure a connectivity profile for Edge Client for Mac

A connectivity profile automatically contains settings for BIG-IP Edge Client for Mac clients. Configure the settings to fit your APM deployment.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. Expand Connectivity / VPN and click Connectivity > Profiles.
  4. Select the connectivity profile that you want to update from the list.
    The Edit Connectivity Profile screen opens and displays General Settings.
  5. Select Win/Mac Edge Settings in the left pane.
    Settings for the Mac Edge Client display in the right pane.
  6. Set Edge Client OAuth Settings:
    1. To configure OAuth settings for Edge Client, select the OAuth provider from the Provider list. If you select None, OAuth configuration is disabled.
    2. Enter a value in the Client ID field. The OAuth client identifier is not a secret and is exposed by the BIG-IP APM virtual server. Leaving this field blank will disable an OAuth configuration.
    3. In the Scopes field, enter the scopes that will be requested by the client. The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings defined by the authorization server. When using multiple strings, the order does not matter.
    4. Optionally, in the Complete Redirection URI field, enter a URI for the OAuth client to be directed to when authentication completes or fails ("You can close this tab" page). The default APM page is used if you do not enter a value for Complete Redirection URI. The URI should start with "https://", "http://" or "/".
  7. Set Edge Client action settings:
    1. Retain the default (selected) or clear the Save Servers Upon Exit check box.
      Specifies whether Edge Client maintains a list of recently used user-entered APM servers. Edge Client always lists the servers that are defined in the connectivity profile, and sorts them by most recent access, whether this option is selected or not.
    2. To enable the client to try to use the Mac logon session for an APM session also, select the Reuse Mac Logon Session check box.
      This is cleared by default.
    3. To enable the client to try to use the credentials that they typed for Mac logon in an APM session also, select the Reuse Mac Logon Credentials check box.
      This is cleared by default.
      To support this option, you must also include the User Logon Credentials Access Service in the Mac client package for this connectivity profile and you must ensure that the access policy includes an uncustomized Logon Page action.
  8. To support automatic reconnection without the need to provide credentials again, allow password caching.
    1. Select the Allow Password Caching check box.
      This check box is cleared by default.
      The remaining settings on the screen become available.
    2. From the Save Password Method list, select disk or memory.
      If you select disk, Edge Client caches the user's password (in encrypted form) securely on the disk where it is persisted even after the system is restarted or Edge Client is restarted.
      If you select memory, Edge Client caches the user's password within the BIG-IP Edge Client application for automatic reconnection purposes.
      If you select memory, the Password Cache Expiration (minutes) field displays with a default value of 240.
    3. If the Password Cache Expiration (minutes) field displays, retain the default value or type the number of minutes to save the password in memory.
  9. To enable automatic download and update of client packages, from the Component Update list, select yes (default).
    If you select yes, APM updates Edge Client software automatically on the client system when newer versions are available. This option applies to updates for these components only: BIG-IP Edge Client, component installer service, DNS relay proxy service, and user logon credentials access service.
  10. Specify DNS suffixes that are considered to be in the local network.
    Providing a list of DNS suffixes for the download package enables Edge Client to support the autoconnect option. With Auto-Connect selected, Edge Client uses the DNS suffixes to automatically connect when a client is not on the local network (not on the list) and automatically disconnect when the client is on the local network.
    1. From the left pane of the popup screen, select Location DNS List.
      Location DNS list information is displayed in the right pane.
    2. Click Add.
      An update row becomes available.
    3. Type a name and click Update.
      Type a DNS suffix that conforms to the rules specified for the local network.
      The new row displays at the top of the table.
    4. Continue to add DNS names and when you are done, click OK.
  11. To save your changes, click the Save & Close button at the bottom of the screen.
You have now configured the security settings for BIG-IP Edge Client for Mac clients.
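
The Edge Client OAuth Settings step in the Windows and Mac procedures above states rules for Client ID, Scopes and Complete Redirection URI; the following added example (not F5 code) checks planned values against those rules before they are typed into BIG-IQ. The dictionary keys, finding codes and sample values are hypothetical and constructed for illustration, and the scope-token character set comes from RFC 6749 section 3.3, not from this page.

```python
import re

# RFC 6749, section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
_SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5B\x5D-\x7E]+")


def oauth_enabled(settings):
    """Per the page: Provider 'None' or a blank Client ID disables OAuth."""
    provider = (settings.get("provider") or "").strip()
    client_id = (settings.get("client_id") or "").strip()
    return provider not in ("", "None") and client_id != ""


def scope_set(scopes):
    """Scopes are space-delimited and case-sensitive; order does not matter."""
    return frozenset(t for t in scopes.split(" ") if t)


def check_oauth_settings(settings):
    """Return a sorted list of finding codes for one profile's OAuth fields."""
    findings = set()
    provider = (settings.get("provider") or "").strip()
    client_id = (settings.get("client_id") or "").strip()
    if provider not in ("", "None") and not client_id:
        # A provider was chosen, but the blank Client ID silently disables OAuth.
        findings.add("CLIENT_ID_BLANK_OAUTH_DISABLED")

    scopes = settings.get("scopes") or ""
    tokens = scopes.split(" ") if scopes else []
    if any(t == "" for t in tokens):
        findings.add("SCOPE_EXTRA_SPACES")        # leading, trailing or doubled space
    if any(t and not _SCOPE_TOKEN.fullmatch(t) for t in tokens):
        findings.add("SCOPE_INVALID_CHARACTER")   # e.g. a tab or comma used as delimiter
    lowered = [t.lower() for t in set(tokens) if t]
    if len(lowered) != len(set(lowered)):
        # "Profile" and "profile" are two different scopes to the server.
        findings.add("SCOPE_DIFFERS_ONLY_BY_CASE")

    uri = (settings.get("complete_redirection_uri") or "").strip()
    if uri:  # blank means the default APM page is used
        low = uri.lower()
        if low.startswith("//"):
            # Starts with "/" but is scheme-relative, so it names another host.
            findings.add("REDIRECT_SCHEME_RELATIVE")
        elif low.startswith("http://"):
            findings.add("REDIRECT_CLEARTEXT_HTTP")
        elif not low.startswith(("https://", "/")):
            findings.add("REDIRECT_BAD_PREFIX")
    return sorted(findings)


# Constructed sample values, not taken from any real deployment.
GOOD = {
    "provider": "/Common/example-provider",
    "client_id": "edge-client-example",
    "scopes": "openid profile",
    "complete_redirection_uri": "/done.html",
}
WEAK = {
    "provider": "/Common/example-provider",
    "client_id": " ",
    "scopes": "openid  Profile profile",
    "complete_redirection_uri": "http://portal.example.com/closed",
}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, "oauth_enabled =", oauth_enabled(cfg), check_oauth_settings(cfg))
```
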

Configure a connectivity profile for Edge Client for Android

A connectivity profile automatically contains settings for BIG-IP Edge Client for Android clients. You should configure the settings to fit your APM deployment.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. Expand Connectivity / VPN and click Connectivity > Profiles.
  4. Select the connectivity profile that you want to update from the list.
    The Edit Connectivity Profile screen opens and displays General Settings.
  5. Select Mobile Client Settings in the left pane.
    Settings for the Android Edge Client display in the right pane.
  6. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.
    The additional fields in the area become available.
  7. For Save Password Method, specify how to perform password caching:
    • To allow the user to save the encrypted password on the device without a time limit, select disk.
    • To specify that the user password is cached in the application on the user's device for a configurable period of time, select memory.
    If you select memory, the Password Cache Expiration (minutes) field becomes available.
  8. If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.
  9. To enhance security on the client, retain the selection of the Enforce Device Lock check box (or clear the check box).
    This check box is selected by default. Edge Portal® and Edge Client support password locking, but do not support pattern locking. If you clear this check box, the remaining settings in the area become unavailable.
  10. For Device Lock Method, retain the default numeric, or select a different method from the list.
  11. For Minimum Passcode Length, retain the default 4, or type a different passcode length.
  12. For Maximum Inactivity Time (minutes), retain the default 5, or type a different number of minutes.
  13. To force the app to use a selected logon mode and prevent users from changing it:
    1. Select the Enforce Logon Mode check box.
    2. From the Logon Method list, select web or native.
    Support for this feature will be announced in release notes for the individual Mobile and App Store apps (BIG-IP Edge Client for iOS, Edge Client for Android, F5 Access for Chrome OS, Edge Portal for iOS, and Edge Portal for Android). Check the release notes for the Apps to determine whether it is supported.
  14. To save your changes, click the Save & Close button at the bottom of the screen.
You have now configured the security settings for BIG-IP Edge Client for Android clients.

Configure a connectivity profile for Edge Portal for Android

A connectivity profile automatically contains settings for BIG-IP Edge Portal for Android clients. You should configure the settings to fit your APM deployment.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. Expand Connectivity / VPN and click Connectivity > Profiles.
  4. Select the connectivity profile that you want to update from the list.
    The Edit Connectivity Profile screen opens and displays General Settings.
  5. Select Mobile Client Settings in the left pane.
    Settings for the Android Edge Portal display in the right pane.
  6. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.
    The additional fields in the area become available.
  7. For Save Password Method, specify how to perform password caching:
    • To allow the user to save the encrypted password on the device without a time limit, select disk.
    • To specify that the user password is cached in the application on the user's device for a configurable period of time, select memory.
    If you select memory, the Password Cache Expiration (minutes) field becomes available.
  8. If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.
  9. To enhance security on the client, retain the selection of the Enforce Device Lock check box (or clear the check box).
    This check box is selected by default. Edge Portal® and Edge Client support password locking, but do not support pattern locking. If you clear this check box, the remaining settings in the area become unavailable.
  10. For Device Lock Method, retain the default numeric, or select a different method from the list.
  11. For Minimum Passcode Length, retain the default 4, or type a different passcode length.
  12. For Maximum Inactivity Time (minutes), retain the default 5, or type a different number of minutes.
  13. To force the app to use a selected logon mode and prevent users from changing it:
    1. Select the Enforce Logon Mode check box.
    2. From the Logon Method list, select web or native.
    Support for this feature will be announced in release notes for the individual Mobile and App Store apps (BIG-IP Edge Client for iOS, Edge Client for Android, F5 Access for Chrome OS, Edge Portal for iOS, and Edge Portal for Android). Check the release notes for the Apps to determine whether it is supported.
  14. To save your changes, click the Save & Close button at the bottom of the screen.
You have now configured the security settings for BIG-IP Edge Portal for Android clients.

Configure a connectivity profile for Edge Client for iOS

A connectivity profile automatically contains settings for BIG-IP Edge Client for iOS clients. You should configure the settings to fit your APM deployment.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. Expand Connectivity / VPN and click Connectivity > Profiles.
  4. Select the connectivity profile that you want to update from the list.
    The Edit Connectivity Profile screen opens and displays General Settings.
  5. Select Mobile Client Settings in the left pane.
    Settings for the iOS Edge Client display in the right pane.
  6. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.
    The additional fields in the area become available.
  7. To enable device authentication on the client, select Require Device Authentication.
  8. For Save Password Method, specify how to perform password caching:
    • To allow the user to save the encrypted password on the device without a time limit, select disk.
    • To specify that the user password is cached in the application on the user's device for a configurable period of time, select memory.
    If you select memory, the Password Cache Expiration (minutes) field becomes available.
  9. If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.
  10. In the On Demand Disconnect Timeout (minutes) field, retain the default 2, or type a different number of minutes before VPN on demand times out.
  11. To force the app to use a selected logon mode and prevent users from changing it:
    1. Select the Enforce Logon Mode check box.
    2. From the Logon Method list, select web or native.
    Support for this feature will be announced in release notes for the individual Mobile and App Store apps (BIG-IP Edge Client for iOS, Edge Client for Android, F5 Access for Chrome OS, Edge Portal for iOS, and Edge Portal for Android). Check the release notes for the Apps to determine whether it is supported.
  12. To save your changes, click the Save & Close button at the bottom of the screen.
You have now configured the security settings for BIG-IP Edge Client for iOS clients.

Configure a connectivity profile for Edge Portal for iOS

A connectivity profile automatically contains settings for BIG-IP Edge Portal for iOS clients. You should configure the settings to fit your APM deployment.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. Expand Connectivity / VPN and click Connectivity > Profiles.
  4. Select the connectivity profile that you want to update from the list.
    The Edit Connectivity Profile screen opens and displays General Settings.
  5. Select Mobile Client Settings in the left pane.
    Settings for the iOS Edge Portal display in the right pane.
  6. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.
    The additional fields in the area become available.
  7. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.
    The additional fields in the area become available.
  8. For Save Password Method, specify how to perform password caching:
    • To allow the user to save the encrypted password on the device without a time limit, select disk.
    • To specify that the user password is cached in the application on the user's device for a configurable period of time, select memory.
    If you select memory, the Password Cache Expiration (minutes) field becomes available.
  9. If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.
  10. Specify security by keeping Enforce PIN Lock set to Yes.
    Edge Portal supports PIN locking, but does not support pattern locking.
  11. For Maximum Grace Period (minutes), retain the default 2, or type a different number of minutes.
  12. To force the app to use a selected logon mode and prevent users from changing it:
    1. Select the Enforce Logon Mode check box.
    2. From the Logon Method list, select web or native.
    Support for this feature will be announced in release notes for the individual Mobile and App Store apps (BIG-IP Edge Client for iOS, Edge Client for Android, F5 Access for Chrome OS, Edge Portal for iOS, and Edge Portal for Android). Check the release notes for the Apps to determine whether it is supported.
  13. To save your changes, click the Save & Close button at the bottom of the screen.
You have now configured the security settings for BIG-IP Edge Portal for iOS clients.

Configure a connectivity profile for F5 Access for Chrome OS

A connectivity profile automatically contains default settings for F5 Access for Chrome OS. You should configure the connectivity profile settings to fit your APM deployment.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. Expand Connectivity / VPN and click Connectivity > Profiles.
  4. Select the connectivity profile that you want to update from the list.
    The Edit Connectivity Profile screen opens and displays General Settings.
  5. Select Mobile Client Settings in the left pane.
    Settings for F5 Access for Chrome OS display in the right pane.
  6. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.
    The additional fields in the area become available.
  7. For Save Password Method, specify how to perform password caching:
    • To allow the user to save the encrypted password on the device without a time limit, select disk.
    • To specify that the user password is cached in the application on the user's device for a configurable period of time, select memory.
    If you select memory, the Password Cache Expiration (minutes) field becomes available.
  8. If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.
  9. To force the app to use a selected logon mode and prevent users from changing it:
    1. Select the Enforce Logon Mode check box.
    2. From the Logon Method list, select web or native.
    Support for this feature will be announced in release notes for the individual Mobile and App Store apps (BIG-IP Edge Client for iOS, Edge Client for Android, F5 Access for Chrome OS, Edge Portal for iOS, and Edge Portal for Android). Check the release notes for the Apps to determine whether it is supported.
  10. To save your changes, click the Save & Close button at the bottom of the screen.
You have now configured the security settings for F5 Access for Chrome OS.

Configure a connectivity profile for F5 Access for Mac OS

A connectivity profile automatically contains default settings for F5 Access for Mac OS. You should configure the connectivity profile settings to fit your APM deployment.
  1. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. Expand Connectivity / VPN and click Connectivity > Profiles.
  4. Select the connectivity profile that you want to update from the list.
    The Edit Connectivity Profile screen opens and displays General Settings.
  5. Select Mobile Client Settings in the left pane.
    Settings for F5 Access for Mac OS display in the right pane.
  6. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.
    The additional fields in the area become available.
  7. For Save Password Method, specify how to perform password caching:
    • To allow the user to save the encrypted password on the device without a time limit, select disk.
    • To specify that the user password is cached in the application on the user's device for a configurable period of time, select memory.
    If you select memory, the Password Cache Expiration (minutes) field becomes available.
  8. If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.
  9. To force the app to use a selected logon mode and prevent users from changing it:
    1. Select the Enforce Logon Mode check box.
    2. From the Logon Method list, select web or native.
    Support for this feature will be announced in release notes for the individual Mobile and App Store apps (BIG-IP Edge Client for iOS, Edge Client for Android, F5 Access for Chrome OS, Edge Portal for iOS, and Edge Portal for Android). Check the release notes for the Apps to determine whether it is supported.
  10. To save your changes, click the Save & Close button at the bottom of the screen.
You have now configured the security settings for F5 Access for Mac OS.

Network Access

Configuring network access lists

Follow the procedure below to update the general properties of a Network Access resource within BIG-IQ.
  1. At the top of the screen, select
    Configuration
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. Navigate to
    CONNECTIVITY/VPN
    Network Access (VPN)
    Network Access Lists
    .
  4. The screen displays the network access lists (either the shared or the device-specific) in the working configuration for the Access group.
    • To configure the properties of a resource, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To make the properties of a shared resource configurable for each device in the Access group, select the resource and then click
      Make Device-Specific
      .
    • To make a device-specific resource into a shared resource, select the resource and click
      Mark Shared
      .
    • To convert a shared resource into a device-specific resource, select the resource and click
      Mark Device-specific
      .
    • To revert the configuration of the non-source BIG-IP device to match that of the source BIG-IP device at the time of the initial import, select the resource and click
      Revert to Original
      .
    • To delete a resource, select
      Delete
      .
  5. Select
    Create
    from either
    Network Access Lists (Shared)
    or
    Network Access Lists (Device-Specific)
    . This will direct you to a page where you may configure the resource.
  6. Enter a unique
    Name
    for this network access resource.
  7. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  8. For
    Auto Launch
    , select or clear
    Enable
    . If enabled, the Network Access resource starts automatically when the user reaches the full webtop.
    When multiple Network Access resources are assigned to a full webtop, only one can have auto launch enabled.
  9. Configure customization settings for language by adding a
    Caption
    and a
    Detailed Description
    of this customization.
  10. Click the
    Save
    button.
The new network access resource will be displayed in the list of network access resources.

What is a lease pool?

A
lease pool
specifies a group of IPv4 or IPv6 IP addresses as a single object. You can use a lease pool to associate that group of IP addresses with a network access resource. When you assign a lease pool to a network access resource, network access clients are automatically assigned unallocated IP addresses from the pool during the network access session.
Network access with IPv6 alone is not supported. An IPv6 tunnel requires a simultaneous IPv4 tunnel, which is automatically established when you assign IPv4 and IPv6 lease pools, and set the version to
IPv4&IPv6
.

Create an IPv4 lease pool

Create a lease pool to provide internal network addresses for network access tunnel users in BIG-IQ.
  1. At the top of the screen, select
    Configuration
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. Expand
    Connectivity / VPN
    and click
    Network Access
    IPV4 Lease Pools
    .
  4. This screen displays the IPv4 lease pools in the working configuration for the Access group.
    • To configure the properties of a resource, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To create a new lease pool, click the
      Create
      button.
    • To delete a lease pool, select the check box next to the lease pool and click the
      Delete
      button. You can delete more than one lease pool by selecting the check box next to multiple lease pools.
  5. Click the
    Create
    button or select an existing lease pool for configuration.
  6. In the
    Name
    field, type a name for the resource.
  7. Add IPv4 addresses to the lease pool.
    • To add a single IP address, in the Member List area, select
      IP Address
      for the type. In the
      IP Address
      field, type the IP address.
    • To add a range of IP addresses, in the Member List area, select
      IP Address Range
      for the type. In the
      Start IP Address
      field, type the first IP address, and in the
      End IP Address
      field, type the last IP address.
  8. To save your changes, click the
    Save & Close
    button at the bottom of the screen.
A lease pool is created with the IP address or IP address range you specified.
To delete an IP address or IP address range, select the IP address or IP address range in the member list, and click the
X
button.

Create an IPv6 lease pool

Create a lease pool to provide internal network addresses for network access tunnel users in BIG-IQ.
  1. At the top of the screen, select
    Configuration
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. Expand
    Connectivity / VPN
    and click
    Network Access
    IPV6 Lease Pools
    .
  4. This screen displays the IPv6 lease pools (either shared or device-specific) in the working configuration for the Access group.
    • To configure the properties of a resource, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To create a new lease pool, click the
      Create
      button.
    • To delete a lease pool, select the check box next to the lease pool and click the
      Delete
      button. You can delete more than one lease pool by selecting the check box next to multiple lease pools.
  5. Click the
    Create
    button or select an existing lease pool to configure.
  6. In the
    Name
    field, type a name for the resource.
  7. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  8. Add IPv6 addresses to the lease pool.
    • To add a single IP address, in the Member List area, select
      IP Address
      for the type. In the
      IP Address
      field, type the IP address.
    • To add a range of IP addresses, in the Member List area, select
      IP Address Range
      for the type. In the
      Start IP Address
      field, type the first IP address, and in the
      End IP Address
      field, type the last IP address.
  9. To save your changes, click the
    Save & Close
    button at the bottom of the screen.
A lease pool is created with the IP address or IP address range you specified.
To delete an IP address or IP address range, select the IP address or IP address range in the member list, and click the
Delete
button.
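
An added example (not from the manual and not F5 code): a pre-flight check for the member lists you plan to enter in the IPv4 and IPv6 lease pool procedures above. It validates single addresses and start/end ranges, counts the distinct addresses in each pool, flags overlapping members, and applies the manual's rule that an IPv6 lease pool needs an accompanying IPv4 lease pool. Pool names and addresses are constructed.

```python
import ipaddress


def expand_member(member):
    """Return (first, last) for a lease pool member.

    A member is a single address string (IP Address type) or a
    (start, end) tuple (IP Address Range type).
    """
    if isinstance(member, str):
        addr = ipaddress.ip_address(member)
        return addr, addr
    start, end = (ipaddress.ip_address(a) for a in member)
    if start.version != end.version:
        raise ValueError(f"range mixes IPv4 and IPv6: {member}")
    if start > end:
        raise ValueError(f"range start is after end: {member}")
    return start, end


def check_pool(name, version, members):
    """Validate one pool; return (distinct_address_count, problems)."""
    problems, spans = [], []
    for m in members:
        try:
            first, last = expand_member(m)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if first.version != version:
            problems.append(f"{name}: {m} is not IPv{version}")
            continue
        spans.append((int(first), int(last), m))
    spans.sort(key=lambda s: (s[0], s[1]))
    total, covered_to = 0, -1
    for lo, hi, m in spans:
        if lo <= covered_to:
            problems.append(f"{name}: {m} overlaps an earlier member")
        new_lo = max(lo, covered_to + 1)
        if hi >= new_lo:
            total += hi - new_lo + 1   # count each address only once
        covered_to = max(covered_to, hi)
    return total, problems


def check_plan(ipv4_pools, ipv6_pools):
    """Check the pools planned for one network access resource."""
    report, problems = {}, []
    for version, pools in ((4, ipv4_pools), (6, ipv6_pools)):
        for name, members in pools.items():
            report[name], errs = check_pool(name, version, members)
            problems.extend(errs)
    # Manual: network access with IPv6 alone is not supported.
    if ipv6_pools and not ipv4_pools:
        problems.append("IPv6 lease pool assigned without an IPv4 lease pool")
    return report, problems


# Constructed sample plan (names and addresses are illustrative only).
SAMPLE_V4 = {"vpn-pool-v4": [
    "10.20.0.5",
    ("10.20.0.10", "10.20.0.20"),
    ("10.20.0.18", "10.20.0.30"),   # overlaps the previous range
    ("10.20.1.9", "10.20.1.1"),     # start and end swapped
]}
SAMPLE_V6 = {"vpn-pool-v6": [
    ("fd00:20::10", "fd00:20::1f"),
    "10.20.0.7",                    # IPv4 address in an IPv6 pool
]}

if __name__ == "__main__":
    counts, issues = check_plan(SAMPLE_V4, SAMPLE_V6)
    print(counts)
    for issue in issues:
        print("PROBLEM:", issue)
```

The address count is worth comparing against the expected number of concurrent network access sessions, since each session takes one unallocated address from the pool.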

About Windows client traffic shaping

Used together, client traffic classifiers and client rate classes provide client-side traffic shaping features on Windows network access client connections. You configure a
client traffic classifier
, which defines source and destination IP addresses or networks, and can also specify a protocol. The client traffic classifier is then associated with a
client rate class
, which defines base and peak rates for traffic to which it applies, and other traffic shaping features. A client traffic classifier is assigned in a network access resource.
Client traffic classifiers support IPv4 addresses only.

Configure client traffic shaping

Client rate shaping allows you to shape client-side traffic from Windows client systems, based on traffic parameters. You will need to create configurations in the following order:
  1. Create a client rate class on the managed BIG-IP device and reimport the device to BIG-IQ to add this object to an Access group.
  2. Create a client traffic classifier.
    When you create the client traffic classifier, you select the previously created client rate class.
Together, the client rate class and client traffic classifier work to provide client-side traffic control to Windows clients to which the traffic control is applied.
Select the client traffic classifier in the
Network Settings
configuration of a network access resource. The client traffic classifier is then applied to Windows clients, for client-side traffic on the VPN tunnels defined by that network access resource.

Creating a client traffic classifier

You must create at least one client rate class before you create a client traffic classifier. You select client rate classes to define rules in the client traffic classifier.
Create a client traffic classifier to define traffic control rules for the virtual and physical network interfaces on a network access tunnel.
  1. At the top of the screen, select
    Configuration
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. Expand
    Connectivity / VPN
    and click
    Network Access
    Client Traffic Classifiers
    .
  4. The screen displays the client traffic classifiers (either the shared or the device-specific) in the working configuration for the Access group.
    • To configure the properties of a resource, click its name in the table.
    • To locate a resource, click the search button and search for it by name.
    • To create a classifier, click the
      Create
      button.
    • To delete a classifier, select the check box next to the classifier and click the
      Delete
      button. You can delete more than one classifier by selecting the check box next to multiple classifiers.
  5. Click
    Create
    .
    The New Client Traffic Classifier screen opens.
  6. In the
    Name
    box, type a name for the client traffic classifier.
  7. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  8. Click
    Save & Close
    .
  9. Click the name of the client traffic classifier you just created.
  10. Add rules for the appropriate interface.
    Rule type
    Description
    Rules for Virtual Network Access Interface
    Add a rule to this section to apply the traffic shaping control only to traffic on the virtual network access interface.
    Rules for Local Physical Interfaces
    Add a rule to this section to apply the traffic shaping control only to traffic on the client computer's local physical interfaces.
    Rules for Virtual Network Access and Local Physical Interfaces
    Add a rule to this section to apply the traffic shaping control to traffic on both the virtual Network Access interface and the client's local physical interfaces.
  11. To save your changes, click the
    Save & Close
    button at the bottom of the screen.
The new client traffic classifier will be displayed in the list of client traffic classifiers.

About client rate classes

From BIG-IQ, you may view and manage client rate classes in the working configuration for the Access group. To do so, navigate to
Configuration
ACCESS
Access Groups
. Select or create an Access group and navigate to
CONNECTIVITY / VPN
Network Access (VPN)
Client Rate Classes
.
To verify the settings of a client rate class or to add a client rate class, do so on the BIG-IP system that is linked to the device; then reimport the device to the BIG-IQ system.

About app tunnels

An
app tunnel
(application tunnel) provides secure, application-level TCP/IP connections from the client to the network. App tunnels are particularly useful for users with limited privileges who attempt to access particular web applications, as app tunnels do not require that the user has administrative privileges to install.
Additionally, optimization is available for app tunnels. With compression settings for app tunnels, you can specify the available compression codecs for client-to-server connections. The server compares the available compression types configured with the available compression types on the server, and chooses the most effective mutual compression setting. You configure compression for the server in the connectivity profile.
Because app tunnels do not require administrative rights, some features of Network Access and Optimized Application tunnels are not available with app tunnels. For example, the application tunnel cannot easily resolve domain names in applications without a client-side DNS redirector, or modification of the system hosts file.
For tunnels that access backend servers by using DNS resolution, use Optimized Application Tunnels in the Network Access menus instead. Optimized Applications require administrative rights on the local system.

Configure an app tunnel object

When you create an app tunnel object, that object becomes a simple container that holds app tunnel resources. Once you specify those resources from within the app tunnel resource, you can then assign the resource to an access policy.
  1. At the top of the screen, select
    Configuration
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. Expand
    Connectivity / VPN
    and click
    App Tunnels
    .
  4. The screen displays the app tunnels (either the shared or the device-specific) in the working configuration for the Access group.
    • To create a new shared or device-specific app tunnel, click the
      Create
      button under App Tunnels (Shared) or App Tunnels (Device-specific).
    • Make a shared app tunnel device-specific by selecting the app tunnel object you are interested in and clicking
      Make Device-Specific
      .
    • Make a device-specific app tunnel shared among managed devices by selecting the app tunnel object you are interested in and clicking
      Mark Shared
      .
    • To delete an app tunnel, select the check box next to the app tunnel and click the
      Delete
      button. However, you cannot delete a pinned app tunnel or an app tunnel that is referenced by an access policy.
  5. Click
    Create
    .
    The New App Tunnel screen opens.
  6. Type a name and description for your app tunnel.
  7. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  8. Although an ACL is automatically created for your application object, you can choose to determine the order of your ACL as it appears in the ACL list. Use the
    ACL Order
    list to select the placement you want.
  9. Under Default Customization Settings, type a
    Caption
    for the app tunnel.
    This caption identifies the app tunnel and enables it to appear on a full webtop.
  10. To save your changes, click the
    Save & Close
    button at the bottom of the screen.
The new app tunnel object you just created will display in the App Tunnels list.

Configuring virtual and remote desktops

Users of BIG-IQ Centralized Management can create and configure remote desktops, and can manage VDI profiles and Citrix client bundles.

Configure a resource for remote desktops

Remote desktops allow users to access the following types of internal servers in virtual desktop sessions: Microsoft Remote Desktop servers, Citrix servers, and VMware View Connection servers. You can configure BIG-IQ so users can access internal servers in virtual desktop sessions.
Set up remote desktops by name or by their internal IP addresses, and grant or deny users the ability to set up their own favorites. Follow the procedure below to determine which fields to configure.
  1. At the top of the screen, select
    Configuration
    , then on the left side of the screen, click
    ACCESS
    Access Groups
    .
  2. Click the name of an Access group.
    A new screen displays the group's properties.
  3. Expand
    Connectivity / VPN
    and click
    VDI / RDP
    Remote Desktops
    .
  4. Click
    Create
    .
    The New Remote Desktops List screen opens.
  5. In the
    Name
    field, type a name for this desktop resource.
  6. Enter a
    Partition
    . The default is
    Common
    . You can also enter a custom path to a partition you have created. Only users with access to a partition can view the objects that the partition contains. If the object resides in the
    Common
    partition, all users can access it.
  7. From the
    Type
    list, select
    Citrix
    ,
    RDP
    , or
    VMware View
    .
  8. For
    Destination
    , select a destination
    Type
    (
    Host Name
    ,
    IP Address
    , or
    Pool
    ), then specify destination servers for Citrix, Microsoft RDP, or VMware View:
    • Host Name
      - Type the host name and, in the
      Port
      field, type a port number.
      For Citrix and VMware View, the standard port is
      80
      and for Microsoft RDP, the standard port is
      3389
      .
    • IP Address
      - Type the IP address and, in the
      Port
      field, type a port number.
    • Pool
      - Select, or create and then select, a pool of Citrix XML Brokers or View Connection servers.
  9. To provide SSL capabilities between the BIG-IP system and the Citrix or the VMware View destination servers, for
    Server Side SSL
    select
    Enable
    .
  10. In
    ACL Order
    , type a number.
    This specifies the ACL order of this remote desktop resource for APM ACLs. This field is not available for configuration for Access groups managing devices running BIG-IP version 15.1 and later.
  11. To enable the system to log packets sent from any of the destination servers, from the
    Log
    list, select
    Packet
    .
  12. To enable the first application from Citrix to run automatically, select the
    Auto Launch
    check box.
  13. To open a cross-platform Java client for a Microsoft RDP connection, select the
    Java Client
    check box.
    When Java Client is enabled, Windows, Mac, and Linux clients can use RDP connections through the same connection. Also, these areas are disabled: Access to Local Resources and User Experience, and 32-bit color depth is disabled from Screen Properties.
  14. To specify custom settings that affect the rendering of certain features for Citrix or Microsoft RDP, type text in the
    Custom Parameters
    field.
    The format of the value for each terminal resource is different.
    Custom parameters example for Citrix:
      [Section1]
      Name1=Value1
      Name2=Value2
      [Section2]
    Custom parameters example for Microsoft RDP:
      screen mode id:i:1
      use multimon:i:0
      desktopwidth:i:1440
      desktopheight:i:900
      session bpp:i:32
  15. Use these steps to enable Single Sign-On.
  16. To configure Single Sign-On, for
    Enable SSO
    select
    Enable
    .
  17. For RDP or VMware View remote desktop types, specify the
    Username Source
    ,
    Password Source
    , and
    Domain Source
    fields.
  18. For a Citrix remote desktop type, select from the
    SSO Method
    list and specify values for any additional fields that display.
  19. Use these steps to configure additional settings for an RDP remote desktop resource type.
  20. In the Application Properties area, to specify an
    Application to Start
    , type the full path to the application on the target server and prefix the application name with a pound (#) sign for published applications. For example, type
    #app_name
    .
  21. In the Customization Settings for English area, in the
    Caption
    field type a caption for the remote desktop resource.
  22. To save your changes, click the
    Save & Close
    button at the bottom of the screen.
The new remote desktop will be displayed in the Remote Desktops list.
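
An added example (not from the manual and not F5 code): a checker for the Microsoft RDP form of the Custom Parameters value from step 14, which takes one `name:type:value` setting per line. It assumes the standard .rdp type codes `i` (integer), `s` (string) and `b` (binary), and it catches settings that were pasted run together on a single line. The sample values are constructed, apart from the five settings in the manual's own example.

```python
import re

RDP_TYPES = {"i": "integer", "s": "string", "b": "binary"}


def parse_rdp_parameters(text):
    """Parse name:type:value lines; return (settings, problems)."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # Names may contain spaces and values may contain colons,
        # so split on the first two colons only.
        parts = line.split(":", 2)
        if len(parts) != 3:
            problems.append(f"line {lineno}: expected name:type:value")
            continue
        name, kind, value = parts[0].strip().lower(), parts[1], parts[2]
        if not name:
            problems.append(f"line {lineno}: empty setting name")
            continue
        if kind not in RDP_TYPES:
            problems.append(f"line {lineno}: unknown type code {kind!r}")
            continue
        if kind == "i":
            if not re.fullmatch(r"-?[0-9]+", value.strip()):
                problems.append(
                    f"line {lineno}: {name!r} needs an integer, got {value!r}")
                continue
            value = int(value)
        if name in settings:
            problems.append(f"line {lineno}: duplicate setting {name!r}")
        settings[name] = value
    return settings, problems


# The manual's Microsoft RDP example, one setting per line.
MANUAL_EXAMPLE = """\
screen mode id:i:1
use multimon:i:0
desktopwidth:i:1440
desktopheight:i:900
session bpp:i:32
"""

# Constructed input with typical paste errors.
BROKEN_EXAMPLE = """\
screen mode id:i:1use multimon:i:0
desktopwidth:x:1440
session bpp
full address:s:rdp01.example.internal:3389
"""

if __name__ == "__main__":
    for label, text in (("manual", MANUAL_EXAMPLE), ("broken", BROKEN_EXAMPLE)):
        parsed, issues = parse_rdp_parameters(text)
        print(label, parsed)
        for issue in issues:
            print("  PROBLEM:", issue)
```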

About VDI profiles

From BIG-IQ, you may view and manage the virtual desktop infrastructure (VDI) profiles in the working configuration for the Access group. To do so, navigate to
Configuration
ACCESS
Access Groups
. Select or create an Access group and then navigate to
CONNECTIVITY / VPN
VDI / RDP
VDI Profiles
.
  • To verify or to change the properties of these resources, do so on the BIG-IP system that is linked to the Access group; if you make changes on the BIG-IP system, reimport the device to the BIG-IQ system.
  • To add VDI profiles, do so on the BIG-IP system that is linked to the device; then reimport the device to the BIG-IQ system.

About Citrix client bundles

From within BIG-IQ, you may view and manage Citrix client bundles in the working configuration for the Access group. To view these resources, navigate to
Configuration
ACCESS
Access Groups
. Select or create an Access group, and then navigate to
CONNECTIVITY / VPN
VDI / RDP
Citrix Client Bundles
.
  • To verify or to change the properties of these resources, do so on the BIG-IP system that is linked to the Access group; if you make changes on the BIG-IP system, reimport the device to the BIG-IQ system.
  • To add Citrix client bundles, do so on the BIG-IP system that is linked to the device; then reimport the device to the BIG-IQ system.

About Microsoft Exchange profiles

This screen displays the Microsoft Exchange profiles in the working configuration for the Access group. To verify or to change the properties of these resources, do so on the BIG-IP system that is linked to the Access group; if you make changes on the BIG-IP system, reimport the device to the BIG-IQ system. To add Microsoft Exchange profiles, do so on the BIG-IP system that is linked to the device, then reimport the device to the BIG-IQ system.
To view and manage Microsoft Exchange profiles, navigate to
Configuration
ACCESS
Access Groups
. Select or create an Access group and then navigate to
CONNECTIVITY / VPN
Microsoft Exchange
.

About portal access

Portal access allows end users access to internal web applications with a web browser from outside the network. With portal access, the BIG-IP system managed by BIG-IQ communicates with back-end servers, and rewrites links in application web pages so that further requests from the client browser are directed back to the Access Policy Manager server. With portal access, the client computer requires no specialized client software other than a web browser.
Portal access provides clients with secure access to internal web servers, such as Microsoft Outlook Web Access (OWA), Microsoft SharePoint, and IBM Domino Web Access. Using portal access functionality, you can also provide access to most web-based applications and internal web servers.
Portal access differs from network access, which provides direct access from the client to the internal network. Network access does not manipulate or analyze the content being passed between the client and the internal network. The portal access configuration gives the administrator both refined control over the applications that a user can access through Access Policy Manager and content inspection for the application data. The other advantage of portal access is security. Even if a workstation might not meet the security requirements for full network access, such a workstation can be passed by the access policy to certain required web applications, without allowing full network access. In a portal access policy, the client computer itself never communicates directly with the end-point application. That means that all communication is inspected at a very high level, and any attacks originating on the client computer fail because the attack cannot navigate through the links that have been rewritten by the portal access engine.

Configuring portal access lists

Portal access allows end users access to internal web applications with a web browser from outside the network. Use the following procedure to change portal access settings and to add, edit, delete, or change the order of web applications for the portal access resource.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Portal Access
    Portal Access Lists
    .
    The Portal Access List screen opens.
  2. The screen displays the portal access resources (either the shared or the device-specific) in the working configuration for the Access group.
    • To create a new shared or device-specific portal access list, click the
      Create
      button under Portal Access Lists (Shared) or Portal Access Lists (Device-specific).
    • To delete a portal access list, select the check box next to it and click
      Delete
      . You cannot delete a pinned portal access list or a portal access list that is referenced by an access policy.
  3. Click
    Create
    to configure a new portal access resource.
  4. In the
    ACL Order
    field, type a number that specifies the order of this portal access resource in Access Policy Manager ACL lists.
  5. Change basic configuration settings.
  6. For
    Match Case for Paths
    , select
    Yes
    to consider alphabetic case when matching paths in the portal access resource. Otherwise, select
    No
    .
  7. For
    Patching
    , select a
    Type
    and then select the content types to patch:
    • Full Patching
      - BIG-IQ replaces links in the content with links to the F5 device. Select or clear these content patching types:
      HTML Patching
      ,
      JavaScript Patching
      ,
      CSS Patching
      ,
      Flash Patching
      , and
      Java Patching
      .
    • Minimal Patching
      - BIG-IQ can replace schemes or hosts. To replace all HTTP scheme addresses with HTTPS scheme addresses, select
      Scheme Patching
      . To search for a host string and replace it with another host string, select
      Host Patching
      , then in
      Host Search Strings
      type the host string to find and in
      Host Replace Strings
      , type the replacement host string.
      With minimal patching, if the web application you are patching sets cookies, the virtual server domain must match the web application domain that is set in the cookies.
  8. To publish a link for this portal access resource on the webtop, for
    Publish on Webtop
    select the
    Enable
    check box and specify the link to publish. From the
    Link Type
    list, select:
    • Application URI
      - Type a URI in the
      Application URI
      field. (To specify an IPv6 address as the host in the URI, enclose it in square brackets: [ipv6address].)
    • Hosted Content
      - Select a file that is hosted on the BIG-IP system from the
      Hosted File
      field.
  9. Ephemeral Authentication
  10. To attach this portal access resource to a per-session access policy associated with an Ephemeral Authentication virtual server, select the
    Ephemeral Authentication Resource
    check box.
  11. Change advanced configuration settings.
  12. To specify a proxy host and port for the portal access resource to use, from the
    Configuration
    list select
    Advanced
    and type values in the
    Proxy Host
    and
    Proxy Port
    fields.
  13. Add or edit web applications for the portal access resource.
  14. On the menu bar, select Resource Items.
  15. To add a resource item, click
    Add
    ; to edit a resource item, select it and click
    Edit
    .
    A popup screen displays.
  16. To specify links to hosted content on the BIG-IP system from
    Link Type
    , select
    Hosted Content
    and from
    Hosted File
    , select a file.
  17. To specify links to resources on another host or IP address, follow these steps:
    1. From
      Link Type
      , select
      Paths
      .
    2. For
      Destination
      , select
      Host Name
      or
      IP Address
      and type the host name or IP address.
    3. For
      Paths
      , type one or more paths separated by spaces.
      To start a portal access connection, users must either type the exact text specified in the
      Host Name
      or
      IP Address
      field, or click the link published on the webtop.
    4. From the
      Scheme
      list, select
      http
      ,
      https
      , or
      any
      , in the
      Port
      field type a number, and for
      Headers
      specify any headers required by the portal access resource item. (If
      Headers
      does not display, from
      New Resource Item
      select
      Advanced
      .)
      If you configure an HTTPS address for the portal access resource item, the virtual server must be configured to use the
      serverssl
      SSL profile.
  18. For
    Compression
    , select
    No Compression
    or
    GZIP Compression
    .
    Compression specifies that application data sent to the portal access resource item is not compressed or is compressed using GZIP compression.
  19. For
    Client Cache
    , select an option:
    • Default
      - Takes the client cache settings from the rewrite profile. (Any other option overrides the cache setting in the rewrite profile.)
    • Cache All
      - Caches everything that can be cached, including CSS, images, JavaScript, and XML. Provides the fastest client performance and the lowest security.
    • No Cache
      - Caches nothing. Provides the slowest client performance and is the most secure.
  20. To use single sign-on for the portal access resource item, select a configuration from the
    SSO Configuration
    list.
  21. From the
    Resource Item Properties
    list, select
    Advanced
    to enable or disable these options:
    • Session Update
      - Some web pages that are started through portal access connections contain JavaScript code that regularly refreshes the page or sends HTTP requests, regardless of user activity or inactivity. A session that is abandoned at such a site does not time out, because it appears to be active. When disabled, the session update feature prevents these sessions from remaining active indefinitely.
    • Session Timeout
      - Enables or disables session timeouts.
    • Home Tab
      - When enabled, inserts a small amount of HTML that contains JavaScript to display the Home tab. Web application pages generated with the Home tab contain links to the Home and Logout functions and a URL bar. You can customize the appearance and configuration of the Home tab on the webtop customization page on the BIG-IP system.
  22. For
    Logs
    , select
    None
    or select
    Packet
    , which logs messages to /var/log/pkfilter.
  23. Click
    Save
    . The popup screen closes.
The new portal access resource is available in the Portal Access Lists.
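
An added example (not from the manual, and not the portal access engine's code): a simplified model of the Minimal Patching options in step 7, together with the check behind its cookie note. With minimal patching the application's cookies reach the browser with their Domain attribute unchanged, and a browser applies the RFC 6265 domain-match test against the host it connected to, which is the virtual server. Host names, page content and cookies are constructed.

```python
import ipaddress


def minimal_patch(body, scheme_patching=False, host_rules=()):
    """Model of Minimal Patching: only hosts and schemes are rewritten.

    host_rules holds (search, replace) pairs standing in for
    Host Search Strings and Host Replace Strings.
    """
    for search, replace in host_rules:
        body = body.replace(search, replace)
    if scheme_patching:
        body = body.replace("http://", "https://")
    return body


def cookie_domain(set_cookie):
    """Return the Domain attribute of a Set-Cookie value, or None (host-only)."""
    domain = None
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        value = value.strip().lstrip(".").lower()
        if name.strip().lower() == "domain" and value:
            domain = value   # RFC 6265: the last Domain attribute wins
    return domain


def is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_matches(host, domain):
    """RFC 6265 section 5.1.3 domain-match (public-suffix checks not modelled)."""
    host = host.lower()
    if host == domain:
        return True
    return not is_ip(host) and host.endswith("." + domain)


def rejected_cookies(virtual_server_host, set_cookie_headers):
    """List (cookie_name, domain) pairs a browser would discard."""
    rejected = []
    for header in set_cookie_headers:
        domain = cookie_domain(header)
        if domain is not None and not domain_matches(virtual_server_host, domain):
            rejected.append((header.split("=", 1)[0].strip(), domain))
    return rejected


# Constructed backend response pieces.
SAMPLE_PAGE = '<a href="http://intranet.corp.local/wiki">Wiki</a>'
SAMPLE_SET_COOKIE = [
    "JSESSIONID=abc123; Path=/; HttpOnly",          # host-only cookie
    "prefs=dark; Domain=.example.com; Path=/",
    "sso=tok; Domain=intranet.corp.local; Secure",
]

if __name__ == "__main__":
    print(minimal_patch(SAMPLE_PAGE, scheme_patching=True,
                        host_rules=[("intranet.corp.local", "portal.example.com")]))
    print(rejected_cookies("portal.example.com", SAMPLE_SET_COOKIE))
```

A non-empty result from `rejected_cookies` means the application's session state will not survive behind that virtual server name with Minimal Patching.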

About rewrite profiles

From BIG-IQ, you may view and manage rewrite profiles in the working configuration for the Access group. To do so, navigate to
Configuration
CONNECTIVITY/VPN
Portal Access
Rewrite
.
  • To verify or to change the properties of these resources, do so on the BIG-IP system that is linked to the Access group; if you make changes on the BIG-IP system, reimport the device to the BIG-IQ system.