Applies To: BIG-IP APM 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Creating an Access Policy for Network Access
About access profiles
In the BIG-IP® Access Policy Manager®, an access profile is the profile that you select in a virtual server definition to establish a secured session. You can also configure an access profile to provide access control and security features to a local traffic virtual server hosting web applications.
The access profile contains:
- Access policy timeout and concurrent user settings
- Accepted language and default language settings
- Single Sign-On information and domain cookie information for the session
- Customization settings for the access profile
- The access policy for the profile
About access policies for network access
Define an access policy for network access to provide the access control conditions that users must satisfy before they can connect to internal resources. At a minimum, a network access policy must contain a Resource Assign action that assigns a network access resource.
Creating an access profile
Access profile settings
You can configure the following settings in an access profile.
Setting | Value | Description and defaults |
---|---|---|
Name | Text | Specifies the name of the access profile. |
Inactivity Timeout | Number of seconds, or 0 | Specifies the inactivity timeout for the connection. If there is no activity between the client and server within the specified threshold time, the system closes the current session. The default is 0, which means the inactivity timeout is disabled for as long as a connection is established. If a non-zero value is set, the inactivity timer is reset whenever server traffic exceeds the specified threshold. |
Access Policy Timeout | Number of seconds, or 0 | Designed to keep malicious users from mounting a denial-of-service (DoS) attack on your server. A user who has followed through on a redirect must reach the webtop before the timeout expires. The default value is 300 seconds. |
Maximum Session Timeout | Number of seconds, or 0 | The maximum lifetime of a session, measured from the time the session is created until the session terminates. The default is 0, which means no limit. When you configure a maximum session timeout other than 0, there is no way to extend the session lifetime; when the session expires, the user must log out and then log back in to the server. |
Max Concurrent Users | Number of users, or 0 | The number of sessions allowed at one time for this access profile. The default value is 0, which specifies unlimited sessions. |
Max Sessions Per User | Number between 1 and 1000, or 0 | Specifies the number of sessions for one user that can be active concurrently. The default value is 0, which specifies unlimited sessions. You can set a limit from 1 to 1000; values higher than 1000 cause the access profile to fail. Note: Only superAdmins and application editors have access to this field; no other admin roles can modify it. |
Max In Progress Sessions Per Client IP | Number 0 or greater | Specifies the maximum number of sessions that can be in progress for a client IP address. When setting this value, take into account whether users will come from a NAT-ed or proxied client address and, if so, consider increasing the value accordingly. The default value is 0, which represents unlimited sessions. Note: Only superAdmins and application editors have access to this field; no other admin roles can modify it. |
Restrict to Single Client IP | Selected or cleared | When selected, limits a session to a single IP address. Note: Only superAdmins and application editors have access to this field; no other admin roles can modify it. |
Logout URI Include | One or more URIs | Specifies a list of URIs to include in the access profile to initiate session logout. |
Logout URI Timeout | Logout delay in seconds | Specifies the time delay before the logout occurs, using the logout URIs defined in the Logout URI Include list. |
SSO Authentication Across Domains (Single Domain mode) or SSO / Auth Domains: Domain Cookie | A domain cookie | If you specify a domain cookie, the attribute domain=specified_domain is added to the MRHsession cookie. |
SSO / Auth Domains: Domain Mode | Single Domain or Multiple Domains | Select Single Domain to apply your SSO configuration to a single domain. Select Multiple Domains to apply your SSO configuration across multiple domains. This is useful when you want to allow your users a single Access Policy Manager® (APM®) login session and apply it across multiple Local Traffic Manager™ or APM virtual servers front-ending different domains. Important: All virtual servers must be on one single BIG-IP® system in order to apply SSO configurations across multiple domains. |
SSO / Auth Domains: Primary Authentication URI | URI | The URI of your primary authentication server, for example https://logon.siterequest.com. This is required if you use SSO across multiple domains. You provide this URI so your users can access multiple back-end applications from multiple domains and hosts without having to re-enter their credentials, because the user session is stored on the primary domain. |
Cookie Options: Secure | Enable or disable check box | When enabled, adds the Secure keyword to the session cookie. If you are configuring an application access control scenario in which an HTTPS virtual server authenticates the user and then sends the user to an existing HTTP virtual server to use applications, clear this check box. |
Cookie Options: Persistent | Enable or disable check box | When enabled, sets persistent cookies if the session does not have a webtop. When the session is first established, session cookies are not marked as persistent; when the first response is sent to the client after the access policy completes successfully, the cookies are marked persistent. Note: The expiration timeout of persistent cookies is updated every 60 seconds. The timeout is equal to the session inactivity timeout; if the session inactivity timeout is overwritten in the access policy, the overwritten value is used to set the persistent cookie expiration. |
Cookie Options: HTTP only | | HttpOnly is an additional flag included in a Set-Cookie HTTP response header. Use the HttpOnly flag when generating a cookie to help mitigate the risk of a client-side script accessing the protected cookie, if the browser supports HttpOnly. When this option is enabled, only the web access management type of access (an LTM virtual server with an access policy) is supported. |
SSO Authentication Across Domains (Single Domain mode) or SSO / Auth Domains: SSO Configuration | Predefined SSO configuration | SSO configurations contain settings to configure single sign-on with an access profile. Select the SSO configuration from the list that you want applied to your domain. |
SSO / Auth Domains: Authentication Domains | Multiple | If you specify multiple domains, populate this area with hosts or domains. Each host or domain can have a separate SSO configuration, and you can set persistent or secure cookies. Click Add to add each host you configure. |
Accepted Languages | Language strings | Adds a built-in or customized language to the list of accepted languages. Accepted languages can be customized separately and can present customized messages and screens to users if the user's default browser language is one of the accepted languages. Select a language from the Factory Builtin Languages list and click the Move button (<<) to add it to the Accepted Languages list. Select a language from the Additional Languages list and click Add to add it to the Accepted Languages list. |
Factory Builtin Languages | Languages in a predefined list | Lists the predefined languages on the Access Policy Manager system, which can be added to the Accepted Languages list. Predefined languages include customized messages and fields for common appearance items, as opposed to Additional Languages, which must be separately customized. |
Additional Languages | Languages in a predefined list | Lists additional languages that can be added to the Accepted Languages list and customized on the Access Policy Manager system. These languages are populated with English messages and fields and must be individually customized using the Customization menu, as opposed to Factory Builtin Languages, which are already customized. |
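The following is an added example, not F5 code and not part of this guide: it models the timeout semantics the table describes (inactivity, access policy, maximum session lifetime, and the 0/1-1000 limit on Max Sessions Per User) and audits a Set-Cookie header for the cookie options the table lists (Domain, Secure, HttpOnly, persistence). The timing model is a simplified reading of the table (the access policy timeout is measured here from session creation), the cookie name MRHsession comes from the Domain Cookie row, and every sample header and timestamp is constructed.

```python
"""Added example (not F5 code): a small model of the access-profile timeout
semantics from the settings table, plus an audit of the session cookie's
attributes (Domain, Secure, HttpOnly, persistence). Timing is simplified:
the access policy timeout is measured here from session creation, and all
sample values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class AccessProfileTimeouts:
    inactivity_timeout: int = 0        # seconds; 0 disables the inactivity check
    access_policy_timeout: int = 300   # seconds a pending session has to reach the webtop
    maximum_session_timeout: int = 0   # seconds of total lifetime; 0 means no limit
    max_sessions_per_user: int = 0     # 0 is unlimited, otherwise 1 to 1000

    def validate(self) -> List[str]:
        """Return the constraint violations documented for these settings."""
        errors = []
        for field in ("inactivity_timeout", "access_policy_timeout",
                      "maximum_session_timeout"):
            if getattr(self, field) < 0:
                errors.append(f"{field} must be a number of seconds, or 0")
        if not 0 <= self.max_sessions_per_user <= 1000:
            errors.append("max_sessions_per_user must be 0 or 1-1000; "
                          "values above 1000 cause the access profile to fail")
        return errors


def session_state(t: AccessProfileTimeouts, now: int, created: int,
                  last_activity: int, policy_completed: bool) -> str:
    """Classify a session as 'active' or 'expired:<reason>' at time `now`.

    Checks are ordered so the hard lifetime limit wins over the other two, and
    an unfinished access policy is timed out before inactivity is considered.
    """
    if t.maximum_session_timeout and now - created >= t.maximum_session_timeout:
        return "expired:max-lifetime"       # cannot be extended; user must log in again
    if not policy_completed and now - created >= t.access_policy_timeout:
        return "expired:policy-timeout"     # user never reached the webtop in time
    if t.inactivity_timeout and now - last_activity >= t.inactivity_timeout:
        return "expired:inactivity"
    return "active"


def parse_set_cookie(header: str) -> Dict[str, Union[str, bool]]:
    """Split a Set-Cookie header value into its name/value and attributes.

    Flag attributes without a value (Secure, HttpOnly) map to True; attribute
    names are lower-cased so lookups are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, Union[str, bool]] = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip() if sep else True
    return cookie


def audit_session_cookie(header: str, expect_domain: Optional[str] = None,
                         https_only: bool = True) -> List[str]:
    """Report attribute problems on an APM session (MRHsession) cookie.

    `https_only=False` covers the documented HTTPS-to-HTTP hand-off scenario,
    in which the Secure option is deliberately cleared.
    """
    c = parse_set_cookie(header)
    findings = []
    if c["name"] != "MRHsession":
        findings.append(f"unexpected cookie name {c['name']!r}")
    if https_only and c.get("secure") is not True:
        findings.append("Secure missing: the session cookie can be sent over plain HTTP")
    if c.get("httponly") is not True:
        findings.append("HttpOnly missing: client-side script can read the session cookie")
    if expect_domain and c.get("domain") != expect_domain:
        findings.append(f"Domain is {c.get('domain')!r}, expected {expect_domain!r}")
    if "expires" in c or "max-age" in c:
        findings.append("cookie is persistent: confirm the Persistent option is intended")
    return findings


if __name__ == "__main__":
    # Constructed header; not captured from a real system.
    sample = "MRHsession=0123abcd; Domain=example.test; Path=/; Secure; HttpOnly"
    print(audit_session_cookie(sample, expect_domain="example.test"))
    print(session_state(AccessProfileTimeouts(inactivity_timeout=900),
                        now=2000, created=0, last_activity=1000, policy_completed=True))
```

The audit is meant to be run against the Set-Cookie header a browser actually receives from the virtual server, since the profile's check boxes only take effect once the profile is attached and the configuration is applied; a missing Secure or HttpOnly attribute in the observed header is the quickest way to spot a profile whose cookie options were cleared for the HTTP hand-off scenario and never restored.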
Verifying log settings for the access profile
Adding network access to an access policy
- Create a network access resource.
- Create an access profile.
- Define a network access webtop or a full webtop.
Overview: Assigning a DNS server dynamically for network access
When you configure DNS servers for a network access resource, you must specify IP addresses. You do not have the option to enter a session variable instead. You can still assign a DNS server dynamically to a network access tunnel if you do so from the access policy using the Variable Assign agent.
Task summary
About maximum expression size for visual policy editor
The maximum size for an expression in the visual policy editor is 64 KB. The visual policy editor cannot save an expression that exceeds this limit.