Applies To:
Show VersionsBIG-IP APM
- 12.0.0
Web Access Management and SWG
Overview: Protecting internal resources on a per-request basis
In a configuration that controls traffic and requests directed to your internal servers, using Access Policy Manager® (APM®) with Local Traffic Manager® provides additional security. APM communicates with backend web servers, forwarding requests from the client to web servers within a local traffic pool. APM allows access to the local traffic pool only after the user passes through an access policy that typically contains authentication actions, endpoint security checks, and ACLs.
Adding a per-request policy to this configuration introduces the ability to respond to each client request using a subset of per-request policy items.
This implementation is meant for APM and LTM™ configured in reverse proxy mode. Proxy mode is specified in the http profile associated with the virtual server.
Complete these tasks before you start:
- Configure any URL filters that you want to use.
- Configure a per-request policy.
- Have a web access management configuration set up.
Per-request policy items for APM and LTM reverse proxy
The table specifies Secure Web Gateway (SWG) support for per-request policy items in an APM® and LTM®reverse proxy configuration.
Per-request policy item | Supported with APM and LTM in reverse proxy |
---|---|
Protocol Lookup | No |
SSL Intercept Set | No |
SSL Bypass Set | No |
Response Analytics | No |
Application Lookup | No |
Application Filter Assign | No |
Category Lookup | Yes, provided that the input type is not subject.cn |
URL Filter Assign | Yes |
HTTP Headers | Yes |
Logging | Yes |
Dynamic Date Time | Yes |
AD Group Lookup | Yes |
LDAP Group Lookup | Yes |
LocalDB Group Lookup | Yes |
RADIUS Class Lookup | Yes |
Adding a per-request policy to the virtual server
You associate a per-request policy with the virtual server so that, after the session is established, APM can apply it to URL requests as they are made.
Overview: Configuring APM for web access management
Access Policy Manager® (APM®) web access management provides the ability to access web applications through a web browser without the use of tunnels or specific resources. With this type of access, APM communicates with backend web servers, forwarding requests from the client to web servers within a local traffic pool.
In a typical web access management connection, access occurs through a rewriting engine that rewrites links and URLs to and from the client. APM web access management eliminates the need for content rewriting, allowing access to the configured local traffic pool after the user passes through the access policy checks.
Task summary
To support APM web access management connections, you need a pool of web application servers, an access profile and access policy, and a virtual server.
Task list
About ways to time out a web access management session
The web access management access type does not have a logout mechanism; as a result configuring a timeout is important. Access Policy Manager® (APM®) provides these options.
- The Windows Cache and Session Control access policy item
- Terminates a user session when it detects that the browser screen has closed. You can also configure it to provide inactivity timeouts for the user session using the Terminate session on user inactivity setting.
- Maximum Session Timeout access profile setting
- Provides an absolute limit for the duration of the access policy connection, regardless of user activity. To ensure that a user session closes after a certain number of seconds, configure this setting.
- Inactivity Timeout access profile setting
- Terminates the session after there is no traffic flow for a specified number of seconds.
Note: Depending on the application, you might not want to set this to a very short duration, because many applications cache user typing and generate no traffic for an extended period. In this scenario, a session can time out while the application is still in use, but the content of the user input is not relayed back to the server..