Manual Chapter : Web Access Management and SWG

Applies To:


BIG-IP APM

  • 12.0.0

Web Access Management and SWG

Overview: Protecting internal resources on a per-request basis

In a configuration that controls traffic and requests directed to your internal servers, using Access Policy Manager® (APM®) with Local Traffic Manager® provides additional security. APM communicates with backend web servers, forwarding requests from the client to web servers within a local traffic pool. APM allows access to the local traffic pool only after the user passes through an access policy that typically contains authentication actions, endpoint security checks, and ACLs.

Adding a per-request policy to this configuration introduces the ability to respond to each client request using a subset of per-request policy items.

This implementation is meant for APM and LTM™ configured in reverse proxy mode. Proxy mode is specified in the http profile associated with the virtual server.

Note: The default http profile specifies reverse proxy mode.

Complete these tasks before you start:

  • Configure any URL filters that you want to use.
  • Configure a per-request policy.
  • Have a web access management configuration set up.

Per-request policy items for APM and LTM reverse proxy

The table specifies Secure Web Gateway (SWG) support for per-request policy items in an APM® and LTM® reverse proxy configuration.

Per-request policy item       Supported with APM and LTM in reverse proxy
Protocol Lookup               No
SSL Intercept Set             No
SSL Bypass Set                No
Response Analytics            No
Application Lookup            No
Application Filter Assign     No
Category Lookup               Yes, provided that the input type is not subject.cn
URL Filter Assign             Yes
HTTP Headers                  Yes
Logging                       Yes
Dynamic Date Time             Yes
AD Group Lookup               Yes
LDAP Group Lookup             Yes
LocalDB Group Lookup          Yes
RADIUS Class Lookup           Yes

Adding a per-request policy to the virtual server

Before you can perform this task, you must create a per-request policy using Access Policy Manager® (APM®).

You associate a per-request policy with the virtual server so that, after the session is established, APM can apply it to URL requests as they are made.

  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the name of the virtual server that manages access for the web application you are securing.
  3. In the Access Policy area, from the Per-Request Policy list, select the per-request policy that you configured earlier.
  4. Click Update.
The per-request policy is now associated with the virtual server.
If your configuration includes another virtual server (for access using another protocol), add the per-request policy to it also.

Overview: Configuring APM for web access management

Access Policy Manager® (APM®) web access management provides the ability to access web applications through a web browser without the use of tunnels or specific resources. With this type of access, APM communicates with backend web servers, forwarding requests from the client to web servers within a local traffic pool.

In a typical web access management connection, access occurs through a rewriting engine that rewrites links and URLs to and from the client. APM web access management eliminates the need for content rewriting, allowing access to the configured local traffic pool after the user passes through the access policy checks.

Task summary

To support APM web access management connections, you need a pool of web application servers, an access profile and access policy, and a virtual server.

About ways to time out a web access management session

The web access management access type does not have a logout mechanism; as a result, configuring a timeout is important. Access Policy Manager® (APM®) provides these options.

The Windows Cache and Session Control access policy item
Terminates a user session when it detects that the browser screen has closed. You can also configure it to provide inactivity timeouts for the user session using the Terminate session on user inactivity setting.
Maximum Session Timeout access profile setting
Provides an absolute limit for the duration of the access policy connection, regardless of user activity. To ensure that a user session closes after a certain number of seconds, configure this setting.
Inactivity Timeout access profile setting
Terminates the session after there is no traffic flow for a specified number of seconds.
Note: Depending on the application, you might not want to set this to a very short duration, because many applications cache user typing and generate no traffic for an extended period. In this scenario, a session can time out while the application is still in use, but the content of the user input is not relayed back to the server.

Creating a pool

You can create a pool of servers for Access Policy Manager® (APM®) to perform access control for web application servers configured as local traffic pool members.
Important: When you implement a service with multiple hosts, access through the virtual server for new requests causes the load balancing algorithm for the associated member pool to select a new server. This can cause problems if persistence to a particular host is required.
Note: When you add web servers as members of the pool, select the HTTPS service if the web server uses SSL, to maintain consistency between APM and the web servers.
  1. On the Main tab, click Local Traffic > Pools.
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. In the Resources area, for the New Members setting, add to the pool the application servers that host the web application:
    1. Type an IP address in the Address field.
    2. In the Service Port field, type a port number (for example, type 80 for the HTTP service), or select a service name from the list.
    3. Click Add.
  5. Click Finished.
The new pool appears in the Pools list.

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session. In the access profile, you can also specify a timeout to use to terminate a web access management connection.
  1. On the Main tab, click Access Policy > Access Profiles.
    The Access Profiles List screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile names and all per-request policy names.
  4. From the Profile Type list, select LTM-APM.
    With this type selected, when you configure the access policy, only access policy items that are applicable for web access management are displayed.
  5. In the Inactivity Timeout field, type the number of seconds that should pass before the access policy times out. Type 0 to set no timeout.
    The web access management connection type does not provide a logout mechanism. You should configure at least one timeout for the connection, either in this access profile, or by including the Windows Cache and Session Control item in the access policy and configuring a timeout in it.
  6. In the Maximum Session Timeout field, type the maximum number of seconds the session can exist.
    Type 0 to set no timeout.
  7. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  8. Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Verifying log settings for the access profile

Confirm that the correct log settings are selected for the access profile to ensure that events are logged as you intend.
Note: Log settings are configured in the Access Policy Event Logs area of the product. They enable and disable logging for access system and URL request filtering events. Log settings also specify log publishers that send log messages to specified destinations.
  1. On the Main tab, click Access Policy > Access Profiles.
    The Access Profiles List screen opens.
  2. Click the name of the access profile that you want to edit.
    The properties screen opens.
  3. On the menu bar, click Logs.
    The access profile log settings display.
  4. Move log settings between the Available and Selected lists.
    You can assign up to three log settings that enable access system logging to an access profile. You can assign additional log settings to an access profile provided that they enable URL request logging only.
    Note: Logging is disabled when the Selected list is empty.
  5. Click Update.
An access profile is in effect when it is assigned to a virtual server.
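The following is an added example, not part of the F5 manual: a Python audit that applies this chapter's rules (the per-request policy support table for APM and LTM in reverse proxy, the requirement for at least one timeout because web access management has no logout mechanism, and the log-settings limits from the task above) to a hand-built description of an access profile. The AccessProfile and PerRequestItem structures and their field names are assumptions for illustration, not APM's own configuration schema.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Reverse-proxy support per per-request policy item, from the chapter's table.
REVERSE_PROXY_SUPPORT = {
    "Protocol Lookup": False, "SSL Intercept Set": False, "SSL Bypass Set": False,
    "Response Analytics": False, "Application Lookup": False,
    "Application Filter Assign": False, "Category Lookup": True,
    "URL Filter Assign": True, "HTTP Headers": True, "Logging": True,
    "Dynamic Date Time": True, "AD Group Lookup": True, "LDAP Group Lookup": True,
    "LocalDB Group Lookup": True, "RADIUS Class Lookup": True,
}

@dataclass
class PerRequestItem:
    name: str
    input_type: Optional[str] = None   # only meaningful for Category Lookup

@dataclass
class AccessProfile:                   # assumed structure, not APM's own schema
    name: str
    inactivity_timeout: int            # seconds; 0 means no timeout
    max_session_timeout: int           # seconds; 0 means no timeout
    policy_items: List[str]            # access policy items, e.g. "Logon Page"
    log_settings: List[str]            # entries in the Logs Selected list
    access_system_log_count: int       # how many of those enable access system logging
    per_request_items: List[PerRequestItem] = field(default_factory=list)

def audit(profile: AccessProfile) -> List[str]:
    """Return findings; an empty list means every rule from the chapter is met."""
    findings = []
    # No logout mechanism exists, so a timeout must come from the profile's
    # inactivity or maximum session timeout, or from Windows Cache and Session Control.
    has_session_control = "Windows Cache and Session Control" in profile.policy_items
    if (profile.inactivity_timeout == 0 and profile.max_session_timeout == 0
            and not has_session_control):
        findings.append("no timeout configured: sessions never terminate")
    # Empty Selected list disables logging; at most three access system log settings.
    if not profile.log_settings:
        findings.append("log settings empty: logging is disabled")
    if profile.access_system_log_count > 3:
        findings.append("more than three access system log settings assigned")
    # Every per-request policy item must be supported with APM and LTM in reverse proxy.
    for item in profile.per_request_items:
        supported = REVERSE_PROXY_SUPPORT.get(item.name, False)
        if item.name == "Category Lookup" and item.input_type == "subject.cn":
            supported = False
        if not supported:
            findings.append(f"unsupported per-request item in reverse proxy: {item.name}")
    return findings
```

Run it against an exported description of each LTM-APM profile before assigning the profile to a virtual server; any finding corresponds to a rule stated in this chapter.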

Creating an access policy for web access management

You create an access policy to specify, at a minimum, logon and authentication. You can add other items to the policy to direct traffic and grant or deny access appropriately, increasing your security.
Note: In an access policy for web access management, you do not need to assign resources such as webtops, portal access or network access resources, application access tunnels, or remote desktops.
  1. On the Main tab, click Access Policy > Access Profiles.
    The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. On an access policy branch, click the (+) icon to add an item to the access policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  4. On the Logon tab, select Logon Page and click the Add Item button.
    The Logon Page Agent properties screen opens.
  5. Make any changes that you require to the logon page properties and click Save.
    The properties screen closes and the visual policy editor displays.
  6. On an access policy branch, click the (+) icon to add an item to the access policy.
    Repeat this action from the visual policy editor whenever you want to add an item to the access policy.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  7. From the Authentication tab, select an authentication item.
  8. Configure the properties for the authentication item and click Save when you are done.
    You can configure multiple authentication items in an access policy.
    You have now configured a basic access policy.
  9. Add endpoint security checks or other items that you require to the access policy.
    Optionally, you can assign a pool of web servers in the access policy using the Pool Assign action; if you do, this pool takes precedence over the pool you assign to the virtual server configuration.
    Note: You can add a Windows Cache and Session Control item to configure a way to terminate the session.
  10. To grant access at the end of any branch, change the ending from Deny to Allow:
    1. Click Deny.
      The default branch ending is Deny.
      A popup screen opens.
    2. Select Allow and click Save.
      The popup screen closes. The Allow ending displays on the branch.
  11. Click the Apply Access Policy link to apply and activate the changes to the access policy.
This creates an access policy that is appropriate for web access management connections.
To apply this access policy to network traffic, add the access profile to a virtual server.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Creating a virtual server

This task creates a standard, host type of virtual server for application traffic. A host type of virtual server listens for traffic destined for the specified destination IP address and service. Using this virtual server, Access Policy Manager® (APM®) can provide access control for web applications on web servers in a local traffic pool without using tunnels or specific resources.
Note: By default, the health monitor is set to none and the load balancing method is set to Round Robin. You can add a health monitor or select an alternative load balancing method for this virtual server.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address for a host virtual server.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  5. In the Service Port field, type 80 (for HTTP) or 443 (for HTTPS), or select HTTP or HTTPS from the list.
  6. For the HTTP Profile setting, verify that the default HTTP profile, http, is selected.
  7. Optional: For the SSL Profile (Client) setting, select a client SSL profile.
    If the web server uses SSL, the client should use SSL.
  8. Optional: For the SSL Profile (Server) setting, select an SSL server profile.
    If the web server uses SSL, the virtual server should use SSL.
  9. In the Content Rewrite area, retain the default settings.
    The web access management access type eliminates the need for content rewriting. The default values for the Rewrite Profile and the HTML Profile settings are None.
  10. In the Access Policy area, from the Access Profile list, select the access profile you configured previously.
    Retain the default values for other settings in the Access Policy area.
  11. Optional: From the HTTP Compression Profile list, select httpcompression.
    You can use compression to provide a better end user experience, particularly where there is limited bandwidth or high latency between the virtual server and the client.
  12. In the Resources area of the screen, from the Default Pool list, select the relevant pool name.
  13. Click Finished.
You have a virtual server that supports web access management connections.