Manual Chapter: Smart Card Authentication for VMware View Clients

Applies To:

BIG-IP APM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0

Smart Card Authentication for VMware View Clients

About APM configurations that support VMware smart card use

Access Policy Manager® (APM®) supports smart card SSO for VMware Horizon View 6.2 or later. APM also supports smart card authentication for VMware Horizon View 6.2 and other supported versions.

For the supported versions of VMware Horizon View, see BIG-IP® APM® Client Compatibility Matrix on the AskF5™ web site located at http://support.f5.com/.

To configure APM for smart card SSO, see Overview: Supporting smart card SSO for VMware View in BIG-IP® Access Policy Manager®: Third-Party Integration on the AskF5™ web site located at http://support.f5.com/.

To configure APM for smart card authentication, see Overview: Supporting smart card authentication for VMware View in BIG-IP® Access Policy Manager®: Third-Party Integration on the AskF5™ web site located at http://support.f5.com/.

Overview: Supporting smart card SSO for VMware View

On a BIG-IP® system configured as a SAML Identity Provider (IdP), Access Policy Manager® can support smart card single-sign on (SSO) to a VMware View Horizon Server.

The configuration uses SSL client certificate validation mechanisms. For a successful configuration, use these instructions and the settings specified in them.

Note: F5® supports this configuration only for use with VMware View Horizon Server version 6.2 or later.

Task summary

About standalone View Client on the webtop and smart card SSO

With Access Policy Manager® (APM®) configured to support smart card SSO for a VMware Horizon View server, if you launch the standalone VMware View Client from the APM webtop, the VMware Horizon View server prompts for a PIN. This is expected behavior.

About Horizon HTML5 Client and smart card authentication

VMware Horizon HTML5 Client does not support smart card redirection. If a user authenticates to Access Policy Manager® with a smart card and then launches an HTML5 desktop, a screen prompts the user for domain credentials. The user cannot use the smart card and must supply credentials to log in to the desktop.

About virtual servers required for View Client traffic

A VMware View Client makes several connections to a View Connection Server to carry different types of traffic. For Access Policy Manager® to support these connections, it requires two virtual servers that share the same destination IP address. One virtual server processes HTTPS traffic and performs authentication for the View Client. An additional virtual server processes PC over IP (PCoIP) traffic.

Creating a client SSL profile for certificate inspection

Before you start this task, import the CA certificate for VMware View Horizon server to the BIG-IP® system certificate store.
You create a custom client SSL profile to request an SSL certificate from the client at the start of the session. This enables a Client Cert Inspection item in an access policy to check whether a valid certificate was presented.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select clientssl.
    The default settings for the profile specify a 10-second SSL handshake timeout. Some users with smart cards cannot authenticate within that time. You can increase the timeout if this is the case at your site.
  5. From the Configuration list, select Advanced.
  6. If you have VMware View clients on Mac OS X, disable TLS 1.2 in the Options List area:
    1. In the Available Options list, select No TLS 1.2.
    2. Click Enable.
    Disabling TLS 1.2 leaves only the older protocol versions for every client that uses this profile, so do this only in a profile dedicated to the clients that need it.
  7. If you change the values for the Cache Size or the Cache Timeout setting, do not specify a value of zero (0) for either setting.
    When these values are 0, the client must supply a PIN on each browser page refresh.
  8. Scroll down to Handshake Timeout and select the Custom check box.
    Additional settings become available.
  9. To limit the timeout to a number of seconds, select Specify from the list, and type the desired number in the seconds field.
    In the list, the value Indefinite specifies that the system continue trying to establish a connection for an unlimited time. If you select Indefinite, the seconds field is no longer available.
  10. Scroll down to the Client Authentication area.
  11. Select the Custom check box for Client Authentication.
    The settings become available.
  12. From the Client Certificate list, select request.
    Do not select require. With request, a client that presents no certificate still completes the handshake, and the access policy (through the Client Cert Inspection item) decides what happens next; with require, the handshake itself fails.
  13. From the Trusted Certificate Authorities and Advertised Certificate Authorities lists, select the CA certificate you imported previously.
  14. Click Finished.

Creating a virtual server for a BIG-IP (as SAML IdP) system

Specify a host virtual server to use as the SAML Identity Provider (IdP).
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field, type the IP address for a host virtual server.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. For the HTTP Profile setting, verify that the default HTTP profile, http, is selected.
  7. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created, and using the Move button, move the name to the Selected list.
  8. For the SSL Profile (Server) setting, select pcoip-default-serverssl.
  9. From the Source Address Translation list, select Auto Map.
  10. Click Finished.
The virtual server for the BIG-IP® system configured as an IdP now appears on the Virtual Server List. The virtual server destination is available for use in the SAML IdP service configuration.

Configuring IdP service for VMware View smart card SSO

Configure a SAML Identity Provider (IdP) service for Access Policy Manager® (APM®), as a SAML IdP, to support single sign-on (SSO) authentication to VMware View Horizon server for clients with a smart card.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP .
    The BIG-IP as IdP screen displays a list of SAML IdP services.
  2. Click Create.
    The Create New IdP Service popup screen displays.
  3. In the IdP Service Name field, type a unique name for the SAML IdP service.
  4. In the IdP Entity ID field, type a unique identifier for the IdP (this BIG-IP® system).
    Typically, the ID is a URI that points to the BIG-IP virtual server that is going to act as a SAML IdP. If the entity ID is not a valid URL, the Host field is required.
    For example, type https://siterequest.com/idp, where the path points to the virtual server you use for BIG-IP system as a SAML IdP.
  5. If the IdP Entity ID field does not contain a valid URI, you must provide one in the IdP Name Settings area:
    1. From the Scheme list select https or http.
    2. In the Host field, type a host name.
      For example, type siterequest.com in the Host field.
  6. For SAML Profiles, be sure to retain the default setting (Web Browser SSO).
  7. Optional: On the left pane, select Endpoint Settings and select a service from the Artifact Resolution Service list.
    Note: APM does not use the artifact resolution service, but one must be included in the IdP metadata. If you leave the Artifact Resolution Service list blank, you can edit the IdP metadata later to add an artifact resolution service to it.
  8. On the left pane, select Assertion Settings.
    Settings display in the right pane.
    1. From the Assertion Subject Type list, select Persistent Identifier.
    2. From the Assertion Subject Value list, type the name of the custom session variable into which you stored the user principal name (UPN).
      You must type a percent sign (%) first and then enclose the session variable name in curly braces ({}).
      For example, type %{session.custom.certupn}.
    3. In the Authentication Context Class Reference field, select urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient.
      The URI reference identifies an authentication context class that describes an authentication context declaration.
    4. In the Assertion Validity (in seconds) field, type the number of seconds for which the assertion is valid.
  9. From the left pane, select SAML Attributes.
    Table headings display in the right pane.
  10. Add an unencrypted SAML attribute for the certificate (this attribute is mandatory):
    1. Click Add.
      A Create New SAML Attribute popup screen displays.
    2. In the Name field, type certificate.
    3. Click Add.
      An entry field displays in the Values table.
    4. In the Values field, type %{view.broker.smartcard.cert} and click Update.
    5. Keep the Encrypt check box cleared and click OK.
      The Create New SAML Attribute popup screen closes.
  11. Add an unencrypted SAML attribute for the PIN (this attribute is mandatory):
    1. Click Add.
      A Create New SAML Attribute popup screen displays.
    2. In the Name field, type pin.
    3. Click Add.
      An entry field displays in the Values table.
    4. In the Values field, type %{view.broker.smartcard.pin} and click Update.
    5. Keep the Encrypt check box cleared and click OK.
      The Create New SAML Attribute popup screen closes.
  12. Optional: For a disclaimer, add an unencrypted SAML attribute.
    1. Click Add.
      A Create New SAML Attribute popup screen displays.
    2. In the Name field, type disclaimer.
    3. Click Add.
      An entry field displays in the Values table.
    4. In the Value(s) field, type false and click Update.
    5. Keep the Encrypt check box cleared and click OK.
      The Create New SAML Attribute popup screen closes.
  13. On the left pane, select Security Settings and select a certificate and a key from the BIG-IP system store to use for signing the assertion.
    1. From the Signing Key list, select the key from the BIG-IP system store.
      The default is None.
    2. From the Signing Certificate list, select the certificate from the BIG-IP system store.
      When selected, the IdP (the BIG-IP system) publishes this certificate to the service provider so the service provider can verify the assertion. None is selected by default.
  14. Click OK.
    The popup screen closes. The new IdP service appears on the list.

Exporting unsigned SAML IdP metadata from APM

You need to convey the SAML Identity Provider (IdP) metadata from Access Policy Manager® (APM®) to the external service providers that use the SAML IdP service. Exporting the IdP metadata for a SAML IdP service to a file provides you with the information that you need to do this.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP .
    The BIG-IP as IdP screen displays a list of SAML IdP services.
  2. Select a SAML IdP service from the table and click Export Metadata.
    A popup screen opens, with No selected on the Sign Metadata list.
  3. Select the Use VMware View Format check box.
  4. Select OK.
    APM downloads an XML file.
An XML file that contains IdP metadata is available.

Adding an artifact resolution service to the IdP metadata

If you did not specify an artifact resolution service when you configured the SAML Identity Provider (IdP) service, you must define an artifact resolution service in the IdP metadata XML file that you exported from Access Policy Manager® (APM®).
  1. Locate the IdP metadata XML file that you downloaded onto your system.
  2. Use a text editor to open the file.
  3. Add a line that defines the service inside the IDPSSODescriptor element, following this example (replace the address with the address or host name of your IdP virtual server):
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://165.160.15.20:443/saml/idp/profile/soap/ars" index="0" isDefault="true"></ArtifactResolutionService>
  4. Save the XML file and exit the text editor.
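A scripted version of this edit, as an added example (not F5 tooling): it parses the exported metadata with the standard library, inserts the element where the SAML metadata schema places it (after KeyDescriptor, before NameIDFormat and SingleSignOnService), leaves the file alone if the element is already present, and refuses to touch signed metadata, since any edit would break the signature. The metadata below is constructed and stripped down; the location URL is a parameter you supply.

```python
"""Add an ArtifactResolutionService to unsigned SAML IdP metadata if it is absent.

Added example, not F5 code. Mirrors the manual edit of the exported
metadata file; SAMPLE_METADATA is a constructed, stripped-down document.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Keep the prefixes the export uses instead of ElementTree's generated ns0/ns1.
ET.register_namespace("", MD_NS)
ET.register_namespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion")
ET.register_namespace("ds", DS_NS)

# IDPSSODescriptor children that the schema orders after ArtifactResolutionService;
# the new element is inserted before the first of these that is present.
AFTER_ARS = {
    "SingleLogoutService", "ManageNameIDService", "NameIDFormat",
    "SingleSignOnService", "NameIDMappingService", "AssertionIDRequestService",
    "AttributeProfile", "Attribute",
}

# Constructed sample: no ArtifactResolutionService, KeyDescriptor contents elided.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://siterequest.com/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://siterequest.com/saml/idp/profile/post/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _local(tag: str) -> str:
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def idp_child_tags(metadata_xml: str) -> list:
    """Local names of the IDPSSODescriptor children, in document order."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    return [] if idp is None else [_local(c.tag) for c in idp]


def ars_locations(metadata_xml: str) -> list:
    """Location attributes of every ArtifactResolutionService in the metadata."""
    root = ET.fromstring(metadata_xml)
    return [e.get("Location") for e in root.iter(f"{{{MD_NS}}}ArtifactResolutionService")]


def ensure_ars(metadata_xml: str, location: str) -> str:
    """Return metadata containing an ArtifactResolutionService at `location`.

    The input is returned unchanged when the element already exists.
    Signed metadata is rejected: editing it would invalidate the signature,
    so re-export it unsigned instead.
    """
    root = ET.fromstring(metadata_xml)
    if root.find(f"{{{DS_NS}}}Signature") is not None:
        raise ValueError("metadata is signed; re-export it unsigned instead of editing")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    if idp.find(f"{{{MD_NS}}}ArtifactResolutionService") is not None:
        return metadata_xml
    ars = ET.Element(
        f"{{{MD_NS}}}ArtifactResolutionService",
        {"Binding": SOAP_BINDING, "Location": location, "index": "0", "isDefault": "true"},
    )
    # Schema order: insert before the first sibling that must follow the ARS.
    pos = next((i for i, c in enumerate(idp) if _local(c.tag) in AFTER_ARS), len(idp))
    idp.insert(pos, ars)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    fixed = ensure_ars(SAMPLE_METADATA, "https://siterequest.com:443/saml/idp/profile/soap/ars")
    print(fixed)
```

Run it against the file you exported instead of the constructed sample; the element order check (`idp_child_tags`) is what a schema-validating consumer cares about.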

Creating an iRule to respond with IdP metadata to a URI

You can use iRules® to respond with SAML Identity Provider (IdP) XML metadata for a particular URI.
Note: For complete and detailed information about iRules syntax, see the F5® Networks DevCentral™ web site (http://devcentral.f5.com).
  1. On the Main tab, click Local Traffic > iRules .
    The iRule List screen opens, displaying any existing iRules.
  2. Click Create.
    The New iRule screen opens.
  3. In the Name field, type a unique name for the iRule.
    The full path name of the iRule cannot exceed 255 characters.
  4. In the Definition field, type the syntax for the iRule using Tool Command Language (Tcl) syntax.
    This example specifies a URI, /SAAS/API/1.0/GET/metadata/, and includes the content of the SAML IdP metadata in the response. (The example elides the metadata for brevity.) Note that the contains operator matches any path that includes that substring; use equals if you want to respond only to the exact path.
    when HTTP_REQUEST {
        if { [HTTP::path] contains "/SAAS/API/1.0/GET/metadata/" and [HTTP::method] equals "GET" } {
            # Return the metadata verbatim and label the body as XML for the consumer
            HTTP::respond 200 content {<?xml version="1.0" encoding="UTF-8" ?>
    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="Ie662e22302a165c" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://siterequest.com/idp">
        <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
           .
           .
           .
        </IDPSSODescriptor>
    </EntityDescriptor>} "Content-Type" "application/xml"
        }
    }
  5. Click Finished.
    The new iRule appears in the list of iRules on the system.
You must add this iRule to the virtual server that processes the traffic from the SAML service provider (SP).

Establishing APM as a trusted SAML IdP for VMware Horizon View

From VMware View Connection Server (VCS), create a SAML Authenticator that points to APM® so that VCS can recognize APM as a trusted SAML Identity Provider (IdP).
  1. Using the VMware software that you use to administer a VCS, create a new SAML Authenticator with these properties:
    1. For SAML Authenticator, type the FQDN of your virtual server.
    2. For Metadata URL, type the URI where the VCS can get the SAML IdP metadata.
      Normally, the VCS should attempt to request the metadata and verify it.
      For example, type https://siterequest.com/SAAS/API/1.0/GET/metadata/, where https://siterequest.com is the virtual server for the SAML IdP service, and /SAAS/API/1.0/GET/metadata/ is the URI for which the iRule on the virtual server responds with SAML IdP metadata.
  2. To apply the changes after choosing a new SAML Authenticator, you must restart the VCS.

Importing VMware VCS metadata to create an SP connector

Obtain the VMware View Connection Server (VCS) SAML Service Provider (SP) metadata file from https://vcs-fqdn/SAML/metadata/sp.xml, where vcs-fqdn is the fully qualified domain name of the VCS. Copy the file to a location where it is available for BIG-IP® Access Policy Manager® (APM®) to import it.
Configure a SAML service provider (SP) connector so that APM can recognize a VCS as a supported consumer of SAML assertions.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP .
    The BIG-IP as IdP screen displays a list of SAML IdP services.
  2. On the menu bar, click External SP Connectors.
    A list of SAML SP connectors displays.
  3. On the Create button, click the selector arrow and select From Metadata.
    The Create New SAML Service Provider popup screen displays.
  4. For the Select File field, click Browse and browse to and select the SP metadata file that you copied from the VCS.
  5. In the Service Provider Name field, type a unique name for the SAML SP connector.
  6. Click OK.
    The popup screen closes.
  7. Verify that the security settings are correct for the newly created SP connector:
    1. Click the name of the newly created SAML SP connector.
      The Edit SAML Service Provider popup screen displays.
    2. On the left pane, select Security Settings.
    3. In the Response sent to this SP area, ensure that the Response must be signed and the Assertion must be signed check boxes are selected.
  8. Click OK.
    The popup screen closes.
The new SAML SP connector is available to bind to the SAML IdP service.

Binding a SAML IdP service to one SP connector

Bind a SAML Identity Provider (IdP) service and a SAML service provider (SP) connector so that the BIG-IP® system can provide authentication (SAML IdP service) to the external SAML service provider.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP .
    The BIG-IP as IdP screen displays a list of SAML IdP services.
  2. Select a SAML IdP service from the list.
    Select an IdP service that you configured for use with one particular SP connector only.
  3. Click Bind/Unbind SP Connectors.
    The screen displays a list of available SAML SP connectors.
  4. Select the one SAML SP connector that you want to pair with this IdP service.
  5. Select OK.
    The screen closes.
The SAML SP connector that you selected is bound to the SAML IdP service.

Configuring a VMware View resource for smart card authentication

Configure a VMware View remote desktop resource to support smart card authentication using SAML.
  1. On the Main tab, click Access Policy > Application Access > Remote Desktops > Remote Desktops List .
    The Remote Desktops list opens.
  2. Click Create.
    The New Resource screen opens.
  3. For the Type setting, select VMware View.
  4. For the Destination setting, select Pool and from the Pool Name list, select a pool of View Connection Servers that you configured previously.
  5. For the Server Side SSL setting, select the Enable check box.
    View Connection Servers must use HTTPS (default) to support smart card authentication.
  6. In the Single Sign-On area, select the Enable SSO check box.
  7. From the SSO Method list, select SAML.
  8. From the SAML Resource list, select the SAML IdP service that you configured previously.
  9. In the Customization Settings for the language_name area, type a Caption.
    The caption is the display name of the VMware View resource on the APM full webtop.
  10. Click Finished.
    All other parameters are optional.
This creates the VMware View remote desktop resource. To use it, you must assign it along with a full webtop in an access policy.

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile names and per-request policy names.
  4. From the Profile Type list, select All.
  5. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Example: Smart card authentication required for View clients

[Figure: Access policy that requires smart card authentication]

1 Client Type detects a standalone VMware View Client.
2 In the properties for the agent, the VMware View Logon Screen property specifies Smart Card.
3 Macrocall to Cert Inspection and Resources.
4 Client Type detects a web-based client.
5 Macrocall to Cert Inspection and Resources.
6 Inspect the certificate from the smart card. (Relies on LTM® to obtain the certificate during the initial SSL handshake, based on the settings in the client SSL profile.)
7 Extract the User Principal Name from the SSL certificate information and store it in a custom session variable.
8 Assign a full webtop and a VMware View remote desktop resource configured for SAML SSO.

Example: Smart card authentication optional for View clients

[Figure: An access policy in which smart card authentication is optional for VMware View]

[Figure: Macros for password-based and certificate-based authentication]

Example: Two-factor authentication with smart card for View clients

[Figure: An access policy for two-factor authentication with smart card for VMware View]

[Figure: Macro for certificate-based authentication and resources]

Creating an access policy for VMware View smartcard authentication

Access Policy Manager® (APM®) supports this configuration when the BIG-IP® system, configured as a SAML Identity Provider (IdP), provides authentication service that is consumed by a VMware View Connection Server (VCS), configured as a SAML service provider.
Create an access policy so that web-based and standalone VMware View clients can use a smart card for authenticating with APM.
Note: Although users of the HTML5 client can log on to APM with a smart card, when they try to connect to a VCS, they must still enter credentials.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the Endpoint Security (Server-Side) tab, select Client Type, and click Add Item.
    The Client Type action identifies clients and enables branching based on the client type.
    A properties screen opens.
  5. Click Save.
    The properties screen closes. The visual policy editor displays the Client Type action.
  6. To accept smart card logon from a standalone VMware View Client, add a smart card logon screen:
    Actions on the Full/Mobile branch support web-based clients, and actions on the VMware View branch support standalone VMware View clients.
    1. Add a VMware View Logon Page action to the policy.
      A properties screen opens.
    2. From the VMware View Logon Screen list, select Smart Card.
    3. Click Save.
      The properties screen closes and the visual policy editor displays.
  7. To inspect the client certificate, add the Client Cert Inspection agent to the access policy on one or more branches as appropriate.
    The agent verifies the result of the SSL handshake request that occurs at the start of the session and makes SSL certificate information available to the policy.
  8. Add an action to the access policy to obtain the User Principal Name (UPN) on one or more branches as appropriate.
    You might add a Variable Assign action and configure it to extract the UPN from the certificate information or configure an AD Query that retrieves the UPN.
  9. After successful authentication and successful retrieval of the UPN, assign resources to the session.
    1. Click the (+) sign after the previous action.
    2. Type adv in the search field, select Advanced Resource Assignment from the results, and click Add Item.
      A properties screen displays.
    3. Click Add new entry.
      A new line is added to the list of entries.
    4. Click the Add/Delete link below the entry.
      The screen changes to display resources on multiple tabs.
    5. On the Remote Desktop tab, select the VMware View remote desktop resource that you configured for SAML SSO previously.
    6. On the Webtop tab, select a full webtop and click Update.
      The properties screen closes and the resources you selected are displayed.
    7. Click Save.
      The properties screen closes and the visual policy editor displays.
  10. To grant access at the end of any branch, change the ending from Deny to Allow:
    1. Click Deny.
      The default branch ending is Deny.
      A popup screen opens.
    2. Select Allow and click Save.
      The popup screen closes. The Allow ending displays on the branch.
  11. Click Apply Access Policy.
To apply this access policy to network traffic, add the access profile to a virtual server.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Using variable assign to extract the UPN from the SSL certificate

You must supply the User Principal Name (UPN) as the Assertion Subject Value for the SAML Identity Provider (IdP) service.
Note: This example adds a Variable Assign action to the access policy. The action uses a Tcl expression that extracts the UPN from the X509 certificate for the client and stores it in a user-defined session variable.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. On an access policy branch, click the (+) icon
    The Variable Assign action must occur after a Client Cert Inspection action runs successfully. The Variable Assign action relies on X509 information that the Client Cert Inspection action provides.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  4. Type var in the search field, select Variable Assign from the results list, and click Add Item.
    The Variable Assign properties screen opens.
  5. On the left side of the variable assign properties screen, select Custom Variable from the list and in the field, type the name of a custom session variable.
    For example, type session.custom.certupn.
    Remember the session variable name; you must use it as the assertion subject value for the IdP. You will need to enter it into the IdP service configuration later.
  6. On the right side of the variable assignment properties screen, select Custom Expression from the list and in the field, type a Tcl expression to extract the UPN from the X509 certificate as shown here.
    # Walk the extension dump line by line; session.ssl.cert.x509extension
    # is populated by the Client Cert Inspection action.
    foreach x [split [mcget {session.ssl.cert.x509extension}] "\n"] {
      # The UPN otherName is rendered as othername:UPN<user@realm>
      if { [string first "othername:UPN" $x] >= 0 } {
        return [string range $x [expr { [string first "<" $x] + 1 }] [expr { [string first ">" $x] - 1 }]]
      }
    }
    # No UPN in the certificate: the session variable stays empty
    return ""
  7. Click Save.
    The properties screen closes and the visual policy editor displays.
The Variable Assign action is added to the access policy. You probably need to configure additional actions in the access policy.
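The following Python is an added example, not part of the F5 manual or of APM itself. It reimplements the Tcl expression above so its behaviour can be exercised offline, and adds the realm check a practitioner would want before using the UPN as the SAML subject: the client SSL profile trusts every CA you list, and the UPN is whatever the issuing CA put in the certificate. The extension dump is a constructed sample in the othername:UPN<...> form the Tcl expression expects; whether a given BIG-IP renders the otherName that way, rather than as othername:<unsupported> (in which case the expression yields an empty string and the assertion subject is empty), is an assumption to verify on your system.

```python
"""Extract and vet the UPN from an OpenSSL-style X.509 extension dump.

Added example, not F5 code. extract_upn() mirrors the Tcl expression in the
Variable Assign action (same contract: first matching line wins, "" if none).
accepted_upn() adds a realm allow-list on top of it.
"""
import re
from typing import FrozenSet, Optional

# Constructed sample in the "othername:UPN<...>" form the Tcl expects (assumption).
SAMPLE_EXT = """X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Client Authentication, Microsoft Smartcard Login
X509v3 Subject Alternative Name:
    othername:UPN<jdoe@corp.example>, email:jdoe@corp.example
"""

# Constructed sample of the rendering produced by OpenSSL builds that do not
# decode the UPN otherName; the Tcl expression finds no UPN here.
UNSUPPORTED_EXT = """X509v3 Subject Alternative Name:
    othername:<unsupported>, email:jdoe@corp.example
"""

UPN_RE = re.compile(r"othername:UPN<([^>]*)>")


def extract_upn(x509extension: str) -> str:
    """Return the UPN from the first othername:UPN<...> line, or "" if absent."""
    for line in x509extension.split("\n"):
        m = UPN_RE.search(line)
        if m:
            return m.group(1)
    return ""


def accepted_upn(x509extension: str, allowed_realms: FrozenSet[str]) -> Optional[str]:
    """Extract the UPN and accept it only if its realm is on the allow-list.

    Every CA in the profile's Trusted Certificate Authorities can mint a UPN in
    any realm; pinning the realm here stops a certificate from one of those CAs
    asserting an identity in a domain it should not vouch for.
    """
    upn = extract_upn(x509extension)
    if not upn or upn.count("@") != 1:
        return None
    local_part, realm = upn.split("@")
    if not local_part or realm.lower() not in allowed_realms:
        return None
    return upn


if __name__ == "__main__":
    realms = frozenset({"corp.example"})
    print("extracted:", repr(extract_upn(SAMPLE_EXT)))
    print("accepted :", repr(accepted_upn(SAMPLE_EXT, realms)))
    print("unsupported rendering ->", repr(extract_upn(UNSUPPORTED_EXT)))
```

If the extracted value is empty on your system, inspect session.ssl.cert.x509extension in the session report before adjusting the expression; an empty subject in the assertion is a silent failure mode, and the realm check is the place to turn it into an explicit Deny branch.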

Updating the Access Policy settings and resources on the virtual server

You associate an access profile, connectivity profile, VDI profile, and an iRule with the virtual server so that Access Policy Manager® can apply them to incoming traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server that you want to update.
  3. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  4. From the Connectivity Profile list, select a connectivity profile.
  5. From the VDI Profile list, select a VDI profile.
    You can select the default profile, vdi.
  6. In the Resources area, for the iRules setting, from the Available list, select the name of the iRule that you want to assign, and move the name into the Enabled list.
  7. Click Update.
Your access policy and the iRule are now associated with the virtual server.

Configuring a UDP virtual server for PCoIP traffic

Create this virtual server to support a PC over IP (PCoIP) data channel for View Client traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address.
    Note: Type the same IP address as the one for the View Client authentication virtual server.
  5. In the Service Port field, type 4172.
  6. From the Protocol list, select UDP.
  7. From the Source Address Translation list, select Auto Map.
  8. In the Access Policy area, from the VDI Profile list, select a VDI profile.
    You can select the default profile, vdi.
  9. Click Finished.
This virtual server is configured to support PCoIP transport protocol traffic for VMware View Clients.

Configuring virtual servers that use a private IP address

If you configured the HTTPS and UDP virtual servers with a private IP address that is not reachable from the Internet, but instead a publicly available device (typically a firewall or a router) performs NAT for it, you need to perform these steps.
You update the access policy by assigning the variable view.proxy_addr to the IP address that the client uses to reach the virtual server. Otherwise, a View Client cannot connect when the virtual servers have a private IP address.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Type var in the search field, select Variable Assign from the results list, and click Add Item.
    The Variable Assign properties screen opens.
  5. Click the change link next to the empty entry.
    A popup screen displays two panes, with Custom Variable selected on the left and Custom Expression selected on the right.
  6. In the Custom Variable field, type view.proxy_addr.
  7. In the Custom Expression field, type expr {"proxy address"} where proxy address is the IP address that the client uses to reach the virtual server.
  8. Click Finished to save the variable and expression and return to the Variable Assign action popup screen.
  9. Click Save.
    The properties screen closes and the visual policy editor displays.
  10. Click the Apply Access Policy link to apply and activate the changes to the access policy.

Overview: Supporting smart card authentication for VMware View

On a BIG-IP® system configured as a SAML Identity Provider (IdP), Access Policy Manager® (APM®) supports smart card authentication for VMware View Horizon Server browser-based clients and View Clients.

Note: Although APM supports smart card single sign-on for VMware Horizon View 6.2 or later, this configuration does not provide SSO; users authenticate to APM with the smart card and then authenticate to the Horizon View server again.

The configuration uses SSL client certificate validation mechanisms. For a successful configuration, use these instructions and the settings specified in them.

Task summary

About standalone View Client and smart card authentication

With Access Policy Manager® (APM®) configured to support smart card authentication for VMware Horizon View server, the user of a standalone VMware View Client must supply a smart card PIN more than once. When the user logs on to APM, APM displays a screen that prompts for a PIN. Whenever the user launches a desktop or application, the VMware Horizon View server prompts for a PIN.

About browser-based access and smart card authentication for VMware

Access Policy Manager® (APM®) supports smart card authentication for browser-based clients of VMware View Horizon server if the access policy is configured to use certificate-based authentication. Browser-based clients use the smart card first to authenticate to APM. Then, every time the user launches a desktop or application, the user must use the smart card again to authenticate to the VMware Horizon View server.

About Horizon HTML5 Client and smart card authentication

VMware Horizon HTML5 Client does not support smart card redirection. If a user authenticates to Access Policy Manager® with a smart card and then launches an HTML5 desktop, a screen prompts the user for domain credentials. The user cannot use the smart card and must supply credentials to log in to the desktop.

About virtual servers required for View Client traffic

A VMware View Client makes connections to support different types of traffic between it and a View Connection Server. For Access Policy Manager® to support these connections, it requires two virtual servers that share the same destination IP address. One virtual server processes HTTPS traffic and performs authentication for the View Client. An additional virtual server processes PC over IP (PCoIP) traffic.

Creating a client SSL profile for certificate inspection

Before you start this task, import the CA certificate that issues the user smart card certificates (the CA that the VMware View Horizon server trusts for smart card logon) to the BIG-IP® system certificate store.
You create a custom client SSL profile to request an SSL certificate from the client at the start of the session. This enables a Client Cert Inspection item in an access policy to check whether a valid certificate was presented.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select clientssl.
    The default settings for the profile specify a 10-second SSL handshake timeout. Some users with smart cards cannot authenticate within that time. You can increase the timeout if this is the case at your site.
  5. From the Configuration list, select Advanced.
  6. If you have VMware View clients on Mac OS X, disable TLS 1.2 in the Options List area:
    1. In the Available Options list, select No TLS 1.2.
    2. Click Enable.
    Enabling No TLS 1.2 removes TLS 1.2 from this profile for every client that connects through it, not only the Mac OS X clients, so assign the profile only to the View virtual server.
  7. If you change the values for the Cache Size or the Cache Timeout setting, do not specify a value of zero (0) for either setting.
    When these values are 0, the client must supply a PIN on each browser page refresh.
  8. Scroll down to Handshake Timeout and select the Custom check box.
    Additional settings become available.
  9. To limit the timeout to a number of seconds, select Specify from the list, and type the desired number in the seconds field.
    In the list, the value Indefinite specifies that the system continue trying to establish a connection for an unlimited time. If you select Indefinite, the seconds field is no longer available.
  10. Scroll down to the Client Authentication area.
  11. Select the Custom check box for Client Authentication.
    The settings become available.
  12. From the Client Certificate list, select request.
    Do not select require.
  13. From the Trusted Certificate Authorities list and the Advertised Certificate Authorities list, select the CA certificate you imported previously.
  14. Click Finished.

Creating a virtual server for a BIG-IP (as SAML IdP) system

Specify a host virtual server to use as the SAML Identity Provider (IdP).
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field, type the IP address for a host virtual server.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. For the HTTP Profile setting, verify that the default HTTP profile, http, is selected.
  7. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created, and using the Move button, move the name to the Selected list.
  8. For the SSL Profile (Server) setting, select pcoip-default-serverssl.
  9. From the Source Address Translation list, select Auto Map.
  10. Click Finished.
The virtual server for the BIG-IP® system configured as an IdP now appears on the Virtual Server List. The virtual server destination is available for use in the SAML IdP service configuration.

Configuring IdP service for VMware View smart card authentication

Configure a SAML Identity Provider (IdP) service for Access Policy Manager® (APM®), as a SAML IdP, to provide authentication to VMware View clients with a smart card.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP .
    The BIG-IP as IdP screen displays a list of SAML IdP services.
  2. Click Create.
    The Create New IdP Service popup screen displays.
  3. In the IdP Service Name field, type a unique name for the SAML IdP service.
  4. In the IdP Entity ID field, type a unique identifier for the IdP (this BIG-IP® system).
    Typically, the ID is a URI that points to the BIG-IP virtual server that is going to act as a SAML IdP. If the entity ID is not a valid URL, the Host field is required.
    For example, type https://siterequest.com/idp, where the path points to the virtual server you use for BIG-IP system as a SAML IdP.
  5. If the IdP Entity ID field does not contain a valid URI, you must provide one in the IdP Name Settings area:
    1. From the Scheme list select https or http.
    2. In the Host field, type a host name.
      For example, type siterequest.com in the Host field.
  6. On the left pane, select SAML Profiles and select the Enhanced Client or Proxy Profile (ECP) check box.
  7. To specify an artifact resolution service, on the left pane select Endpoint Settings and select a service from the Artifact Resolution Service list.
    Note: APM does not use the artifact resolution service, but one must be included in the IdP metadata. If you leave the Artifact Resolution Service list blank, you can edit the IdP metadata later to add an artifact resolution service to it.
  8. On the left pane, select Assertion Settings.
    The applicable settings display.
    1. From the Assertion Subject Type list, select Persistent Identifier.
    2. From the Assertion Subject Value list, type the name of the custom session variable into which you stored the user principal name (UPN).
      First, you must type a percent sign (%) and then enclose the session variable name in curly braces ({}).
      For example, type %{session.custom.certupn}.
    3. In the Authentication Context Class Reference field, select a URI reference that ends with PasswordProtectedTransport.
      The URI reference identifies an authentication context class that describes an authentication context declaration.
    4. In the Assertion Validity (in seconds) field type the number of seconds for which the assertion is valid.
  9. On the left pane, select SAML Attributes.
    1. Click Add.
      A Create New SAML Attribute popup screen displays.
    2. In the Name field, type disclaimer.
    3. Click Add.
      Entry fields display in the table.
    4. In the Value(s) field, type false and click Update.
      This value must not be encrypted.
    5. Click OK.
      The Create New SAML Attribute popup screen closes.
    The disclaimer attribute set to false is required. You can add additional attributes if needed.
  10. On the left pane, select Security Settings and select a certificate and a key from the BIG-IP system store to use for signing the assertion.
    1. From the Signing Key list, select the key from the BIG-IP system store.
      None is selected by default.
    2. From the Signing Certificate list, select the certificate from the BIG-IP system store.
      When selected, the IdP (the BIG-IP system) publishes this certificate to the service provider so the service provider can verify the assertion. None is selected by default.
  11. Click OK.
    The popup screen closes. The new IdP service appears on the list.

Exporting unsigned SAML IdP metadata from APM

You need to convey the SAML Identity Provider (IdP) metadata from Access Policy Manager® (APM®) to the external service providers that use the SAML IdP service. Exporting the IdP metadata for a SAML IdP service to a file provides you with the information that you need to do this.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP .
    The BIG-IP as IdP screen displays a list of SAML IdP services.
  2. Select a SAML IdP service from the table and click Export Metadata.
    A popup screen opens, with No selected on the Sign Metadata list.
  3. Select the Use VMware View Format check box.
  4. Select OK.
    APM downloads an XML file.
An XML file that contains IdP metadata is available.

Adding an artifact resolution service to the IdP metadata

If you did not specify an artifact resolution service when you configured the SAML Identity Provider (IdP) service, you must define an artifact resolution service in the IdP metadata XML file that you exported from Access Policy Manager® (APM®).
  1. Locate the IdP metadata XML file that you downloaded onto your system.
  2. Use a text editor to open the file.
  3. Add a line to the file that defines the service, following this example.
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://165.160.15.20:443/saml/idp/profile/soap/ars" index="0" isDefault="true"></ArtifactResolutionService>
  4. Save the XML file and exit the text editor.
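The manual edit above can be scripted so that the element lands where the SAML metadata schema expects it (after KeyDescriptor and before SingleLogoutService, NameIDFormat and SingleSignOnService inside IDPSSODescriptor) rather than on an arbitrary line. The following is an added example and is not F5 code; the sample metadata is a constructed, trimmed stand-in for the file APM exports, and the ECP endpoint path in it is an assumption.

```python
"""Insert an ArtifactResolutionService into exported SAML IdP metadata.

Added example (not from the F5 manual). Uses only the standard library and
places the new element in the position the SAML 2.0 metadata schema mandates.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# In an SSODescriptor the schema orders these elements after
# ArtifactResolutionService, so the new element must precede the first of them.
LATER_SIBLINGS = (
    "SingleLogoutService", "ManageNameIDService", "NameIDFormat",
    "SingleSignOnService", "NameIDMappingService", "AssertionIDRequestService",
    "AttributeProfile", "Attribute",
)

# Constructed sample standing in for an APM export (trimmed; endpoint path assumed).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://siterequest.com/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://siterequest.com/saml/idp/profile/ecp/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _idp_descriptor(root):
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    return idp


def add_artifact_resolution_service(metadata_xml: str, location: str, index: int = 0) -> str:
    """Return the metadata with one default SOAP ArtifactResolutionService added.

    Idempotent: if the descriptor already carries an ArtifactResolutionService
    the input is returned unchanged, so re-running the script never duplicates it.
    """
    ET.register_namespace("", MD_NS)   # keep the default namespace unprefixed
    ET.register_namespace("ds", DS_NS)
    root = ET.fromstring(metadata_xml)
    idp = _idp_descriptor(root)
    if idp.find(f"{{{MD_NS}}}ArtifactResolutionService") is not None:
        return metadata_xml
    ars = ET.Element(f"{{{MD_NS}}}ArtifactResolutionService", {
        "Binding": SOAP_BINDING, "Location": location,
        "index": str(index), "isDefault": "true"})
    children = list(idp)
    position = len(children)                      # default: append at the end
    for i, child in enumerate(children):
        if child.tag.split("}")[-1] in LATER_SIBLINGS:
            position = i                          # insert before the first later sibling
            break
    idp.insert(position, ars)
    # Emit our own declaration: ElementTree's declaration for unicode output
    # depends on the locale's preferred encoding.
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def descriptor_children(metadata_xml: str) -> list:
    """Local names of IDPSSODescriptor's children in document order (for checking)."""
    return [c.tag.split("}")[-1] for c in _idp_descriptor(ET.fromstring(metadata_xml))]


def artifact_service(metadata_xml: str):
    """Attributes of the first ArtifactResolutionService, or None if absent."""
    ars = _idp_descriptor(ET.fromstring(metadata_xml)).find(f"{{{MD_NS}}}ArtifactResolutionService")
    return None if ars is None else dict(ars.attrib)


if __name__ == "__main__":
    print(add_artifact_resolution_service(
        SAMPLE_METADATA, "https://siterequest.com/saml/idp/profile/soap/ars"))
```

Run it against the exported file instead of the constructed sample and point Location at the IdP virtual server; the VCS will reject metadata that is not well-formed, and this approach keeps the XML parseable where a hand edit can leave a stray tag.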

Creating an iRule to respond with IdP metadata to a URI

You can use iRules® to respond with SAML Identity Provider (IdP) XML metadata for a particular URI.
Note: For complete and detailed information iRules syntax, see the F5® Networks DevCentral™ web site (http://devcentral.f5.com).
  1. On the Main tab, click Local Traffic > iRules .
    The iRule List screen opens, displaying any existing iRules.
  2. Click Create.
    The New iRule screen opens.
  3. In the Name field, type a unique name for the iRule.
    The full path name of the iRule cannot exceed 255 characters.
  4. In the Definition field, type the syntax for the iRule using Tool Command Language (Tcl) syntax.
    This example specifies a URI, /SAAS/API/1.0/GET/metadata/, and includes the content of the SAML IdP metadata in the response. (The example elides the metadata for brevity.)
    when HTTP_REQUEST {
        # Serve the IdP metadata only for GET requests to the metadata URI;
        # all other requests fall through to the access policy.
        if { [HTTP::path] contains "/SAAS/API/1.0/GET/metadata/" and [HTTP::method] equals "GET" } {
            HTTP::respond 200 content {<?xml version="1.0" encoding="UTF-8" ?>
    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="Ie662e22302a165c" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://siterequest.com/idp">
        <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
           .
           .
           .
        </IDPSSODescriptor>
    </EntityDescriptor>}
        }
    }
  5. Click Finished.
    The new iRule appears in the list of iRules on the system.
You must add this iRule to the virtual server that processes the traffic from the SAML service provider (SP).

Establishing APM as a trusted SAML IdP for VMware Horizon View

From VMware View Connection Server (VCS), create a SAML Authenticator that points to APM® so that VCS can recognize APM as a trusted SAML Identity Provider (IdP).
  1. Using the VMware software that you use to administer a VCS, create a new SAML Authenticator with these properties:
    1. For SAML Authenticator, type the FQDN of your virtual server.
    2. For Metadata URL, type the URI where the VCS can get the SAML IdP metadata.
      Normally, the VCS should attempt to request the metadata and verify it.
      For example, type https://siterequest.com/SAAS/API/1.0/GET/metadata/, where https://siterequest.com is the virtual server for the SAML IdP service, and /SAAS/API/1.0/GET/metadata/ is the URI for which the iRule on the virtual server responds with SAML IdP metadata.
  2. To apply the changes after choosing a new SAML Authenticator, you must restart the VCS.

Configuring a SAML SP connector for VMware VCS

Configure a SAML service provider (SP) connector with the settings specified here, so that APM® can recognize the VMware View Connection Server (VCS) as a supported consumer of SAML assertions.
Note: If the VMware View Horizon server version is earlier than 6.2, do not import the SAML service provider metadata file from the VCS in place of performing these steps. Metadata files for earlier versions do not meet the requirements for this configuration.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP .
    The BIG-IP as IdP screen displays a list of SAML IdP services.
  2. On the menu bar, click External SP Connectors.
    A list of SAML SP connectors displays.
  3. Click Create.
    The Create New SAML SP Connector screen opens.
  4. In the Service Provider Name field, type a unique name for the SAML SP connector.
  5. In the SP Entity ID field, type a unique identifier for the service provider.
    This is usually a unique URI that represents the service provider. You should obtain this value from the service provider.
  6. Select Endpoint Settings from the left pane.
    The appropriate settings are displayed.
  7. In the Assertion Consumer Services area, specify one assertion consumer service with PAOS binding.
    1. Click Add.
      A new row displays in the table.
    2. In the Index field, type the index number, zero (0) or greater.
    3. Select the Default check box.
    4. In the Assertion Consumer Service URL field, type the URL where the IdP can send an assertion to this service provider.
    5. From the Binding list, select PAOS.
    6. Click Update.
  8. Select Security Settings from the left pane.
    1. Clear the Require Signed Authentication Request check box.
    2. Select the Response must be signed and Assertion must be signed check boxes, and then select an algorithm from the Signing Algorithm list.
  9. Click OK.
    The popup screen closes.
The new SAML SP connector is available to bind to the SAML IdP service.

Binding a SAML IdP service to one SP connector

Bind a SAML Identity Provider (IdP) service and a SAML service provider (SP) connector so that the BIG-IP® system can provide authentication (SAML IdP service) to the external SAML service provider.
  1. On the Main tab, click Access Policy > SAML > BIG-IP as IdP .
    The BIG-IP as IdP screen displays a list of SAML IdP services.
  2. Select a SAML IdP service from the list.
    Select an IdP service that you configured for use with one particular SP connector only.
  3. Click Bind/Unbind SP Connectors.
    The screen displays a list of available SAML SP connectors.
  4. Select the one SAML SP connector that you want to pair with this IdP service.
  5. Select OK.
    The screen closes.
The SAML SP connector that you selected is bound to the SAML IdP service.

Configuring a VMware View resource for smart card authentication

Configure a VMware View remote desktop resource to support smart card authentication using SAML.
  1. On the Main tab, click Access Policy > Application Access > Remote Desktops > Remote Desktops List .
    The Remote Desktops list opens.
  2. Click Create.
    The New Resource screen opens.
  3. For the Type setting, select VMware View.
  4. For the Destination setting, select Pool and from the Pool Name list, select a pool of View Connection Servers that you configured previously.
  5. For the Server Side SSL setting, select the Enable check box.
    View Connection Servers must use HTTPS (default) to support smart card authentication.
  6. In the Single Sign-On area, select the Enable SSO check box.
  7. From the SSO Method list, select SAML.
  8. From the SAML Resource list, select the SAML IdP service that you configured previously.
  9. In the Customization Settings for the language_name area, type a Caption.
    The caption is the display name of the VMware View resource on the APM full webtop.
  10. Click Finished.
    All other parameters are optional.
This creates the VMware View remote desktop resource. To use it, you must assign it along with a full webtop in an access policy.

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile names and per-request policy names.
  4. From the Profile Type list, select All.
  5. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Example: Smart card authentication required for View clients

Figure: VMware View Smart Card Logon Screen

Figure: Access policy that requires smart card authentication

Callouts in the access policy figure:
  1. Client Type detects a standalone VMware View Client.
  2. In the properties for the agent, the VMware View Logon Screen property specifies Smart Card.
  3. Macrocall to Cert Inspection and Resources.
  4. Client Type detects a web-based client.
  5. Macrocall to Cert Inspection and Resources.
  6. Inspect certificate from the smart card. (Relies on LTM® to obtain the certificate during the initial SSL handshake, as specified in the client SSL profile.)
  7. Extracts the User Principal Name from SSL certificate information and stores it in a custom session variable.
  8. Assign a full webtop and a VMware View remote desktop resource configured for SAML SSO.

Creating an access policy for VMware View smart card authentication

Access Policy Manager® (APM®) supports this configuration when the BIG-IP® system, configured as a SAML Identity Provider (IdP), provides authentication service that is consumed by a VMware View Connection Server (VCS), configured as a SAML service provider.
Create an access policy so that web-based and standalone VMware View clients can use a smart card for authenticating with APM.
Note: Users of VMware Horizon HTML5 Client can log on to APM with a smart card, but when they try to connect to a View Connection Server they must still enter credentials.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. On the Endpoint Security (Server-Side) tab, select Client Type, and click Add Item.
    The Client Type action identifies clients and enables branching based on the client type.
    A properties screen opens.
  5. Click Save.
    The properties screen closes. The visual policy editor displays the Client Type action.
  6. To accept smart card logon from a standalone VMware View Client, add a smart card logon screen:
    Actions on the VMware View branch support standalone VMware View clients.
    1. Add a VMware View Logon Page action to the policy.
      A properties screen opens.
    2. From the VMware View Logon Screen list, select Smart Card.
    3. Click Save.
      The properties screen closes and the visual policy editor displays.
  7. To inspect the client certificate, add the Client Cert Inspection agent to the access policy on one or more branches as appropriate.
    Actions on the Full/Mobile branch of Client Type support web-based clients; certificate-based access is required to support them.
    The Client Cert Inspection agent verifies the result of the SSL handshake request that occurs at the start of the session and makes SSL certificate information available to the policy.
  8. Add an action to the access policy to obtain the User Principal Name (UPN) on one or more branches as appropriate.
    You might add a Variable Assign action and configure it to extract the UPN from the certificate information or configure an AD Query that retrieves the UPN.
  9. After successful authentication and successful retrieval of the UPN, assign resources to the session.
    1. Click the (+) sign after the previous action.
    2. Type adv in the search field, select Advanced Resource Assignment from the results, and click Add Item.
      A properties screen displays.
    3. Click Add new entry.
      A new line is added to the list of entries.
    4. Click the Add/Delete link below the entry.
      The screen changes to display resources on multiple tabs.
    5. On the Remote Desktop tab, select the VMware View remote desktop resource that you configured for SAML SSO previously.
    6. On the Webtop tab, select a full webtop and click Update.
      The properties screen closes and the resources you selected are displayed.
    7. Click Save.
      The properties screen closes and the visual policy editor displays.
  10. To grant access at the end of any branch, change the ending from Deny to Allow:
    1. Click Deny.
      The default branch ending is Deny.
      A popup screen opens.
    2. Select Allow and click Save.
      The popup screen closes. The Allow ending displays on the branch.
  11. Click Apply Access Policy.
To apply this access policy to network traffic, add the access profile to a virtual server.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Using variable assign to extract the UPN from the SSL certificate

You must supply the User Principal Name (UPN) as the Assertion Subject Value for the SAML Identity Provider (IdP) service.
Note: This example adds a Variable Assign action to the access policy. The action uses a Tcl expression that extracts the UPN from the X509 certificate for the client and stores it in a user-defined session variable.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. On an access policy branch, click the (+) icon.
    The Variable Assign action must occur after a Client Cert Inspection action runs successfully. The Variable Assign action relies on X509 information that the Client Cert Inspection action provides.
    A popup screen displays actions on tabs, such as General Purpose and Authentication, and provides a search field.
  4. Type var in the search field, select Variable Assign from the results list, and click Add Item.
    The Variable Assign properties screen opens.
  5. On the left side of the variable assign properties screen, select Custom Variable from the list and in the field, type the name of a custom session variable.
    For example, type session.custom.certupn.
    Remember the session variable name; you must use it as the assertion subject value for the IdP. You will need to enter it into the IdP service configuration later.
  6. On the right side of the variable assignment properties screen, select Custom Expression from the list and in the field, type a Tcl expression to extract the UPN from the X509 certificate as shown here.
    # Walk the certificate extension dump line by line and return the value
    # between < and > on the line that carries the UPN other-name; return ""
    # when the certificate has no UPN.
    foreach x [split [mcget {session.ssl.cert.x509extension}] "\n"] {
      if { [string first "othername:UPN" $x] >= 0 } {
        return [string range $x [expr { [string first "<" $x] + 1 }] [expr { [string first ">" $x] - 1 }]];
      }
    };
    return "";
  7. Click Save.
    The properties screen closes and the visual policy editor displays.
The Variable Assign action is added to the access policy. You probably need to configure additional actions in the access policy.
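The Tcl expression above returns an empty string when the certificate carries no UPN, and it accepts whatever realm the certificate asserts. Because the value becomes the SAML assertion subject that the View Connection Server trusts, a policy should branch to Deny on an empty result and, where only specific realms are expected, refuse others. The following is an added example, not from the F5 manual: it ports the expression's logic to Python so it can be tested offline, and adds that realm check. The extension text is constructed; its "othername:UPN<...>" layout is assumed to match what the Tcl expression parses on a BIG-IP.

```python
"""Extract and vet the UPN that becomes the SAML assertion subject.

Added example (not F5 code). extract_upn() mirrors the Variable Assign Tcl
expression; is_permitted_upn() is the extra check the policy should make
before the value is asserted to the View Connection Server.
"""
import re

# Constructed sample of an X509 extension dump; the othername:UPN<...> line
# follows the convention the Tcl expression in the manual relies on (assumed).
SAMPLE_EXTENSIONS = """X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, Microsoft Smartcardlogin
X509v3 Subject Alternative Name:
othername:UPN<jdoe@corp.example.com>, email:jdoe@corp.example.com
"""

# Same sample with the UPN other-name removed: a card that cannot log on.
SAMPLE_WITHOUT_UPN = """X509v3 Subject Alternative Name:
email:jdoe@corp.example.com
"""

UPN_PATTERN = re.compile(r"othername:UPN<([^>]*)>")


def extract_upn(extension_text: str) -> str:
    """Port of the Tcl expression: the first othername:UPN<...> value, else ""."""
    for line in extension_text.split("\n"):
        match = UPN_PATTERN.search(line)
        if match:
            return match.group(1)
    return ""


def is_permitted_upn(upn: str, allowed_realms) -> bool:
    """True only for a non-empty user@realm whose realm is one we assert for.

    The trusted CAs in the client SSL profile bound who can present a valid
    certificate; this check additionally pins the realm so a certificate from
    the trusted CA with an unexpected suffix is not turned into an assertion.
    """
    if not upn or upn.count("@") != 1:
        return False
    user, realm = upn.split("@")
    allowed = {r.lower() for r in allowed_realms}
    return bool(user) and realm.lower() in allowed


def assertion_subject(extension_text: str, allowed_realms):
    """The value to place in session.custom.certupn, or None when the policy
    should take the Deny branch instead of issuing an assertion."""
    upn = extract_upn(extension_text)
    return upn if is_permitted_upn(upn, allowed_realms) else None


if __name__ == "__main__":
    print(assertion_subject(SAMPLE_EXTENSIONS, ["corp.example.com"]))
    print(assertion_subject(SAMPLE_WITHOUT_UPN, ["corp.example.com"]))
```

In the access policy the equivalent of assertion_subject() returning None is an Empty check on session.custom.certupn (or a branch rule on the realm) that leads to Deny; without it, an empty subject is passed to the IdP service and the failure surfaces only at the View Connection Server.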

Updating the Access Policy settings and resources on the virtual server

You associate an access profile, connectivity profile, VDI profile, and an iRule with the virtual server so that Access Policy Manager® can apply them to incoming traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server that you want to update.
  3. In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
  4. From the Connectivity Profile list, select a connectivity profile.
  5. From the VDI Profile list, select a VDI profile.
    You can select the default profile, vdi.
  6. In the Resources area, for the iRules setting, from the Available list, select the name of the iRule that you want to assign, and move the name into the Enabled list.
  7. Click Update.
Your access policy and the iRule are now associated with the virtual server.

Configuring a UDP virtual server for PCoIP traffic

Create this virtual server to support a PC over IP (PCoIP) data channel for View Client traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address.
    Note: Type the same IP address as the one for the View Client authentication virtual server.
  5. In the Service Port field, type 4172.
  6. From the Protocol list, select UDP.
  7. From the Source Address Translation list, select Auto Map.
  8. In the Access Policy area, from the VDI Profile list, select a VDI profile.
    You can select the default profile, vdi.
  9. Click Finished.
This virtual server is configured to support PCoIP transport protocol traffic for VMware View Clients.

Configuring virtual servers that use a private IP address

If you configured the HTTPS and UDP virtual servers with a private IP address that is not reachable from the Internet, but instead a publicly available device (typically a firewall or a router) performs NAT for it, you need to perform these steps.
You update the access policy by assigning the variable view.proxy_addr to the IP address that the client uses to reach the virtual server. Otherwise, a View Client cannot connect when the virtual servers have a private IP address.
  1. On the Main tab, click Access Policy > Access Profiles .
    The Access Profiles List screen opens.
  2. In the Access Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new action item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Type var in the search field, select Variable Assign from the results list, and click Add Item.
    The Variable Assign properties screen opens.
  5. Click the change link next to the empty entry.
    A popup screen displays two panes, with Custom Variable selected on the left and Custom Expression selected on the right.
  6. In the Custom Variable field, type view.proxy_addr.
  7. In the Custom Expression field, type expr {"proxy address"} where proxy address is the IP address that the client uses to reach the virtual server.
  8. Click Finished to save the variable and expression and return to the Variable Assign action popup screen.
  9. Click Save.
    The properties screen closes and the visual policy editor displays.
  10. Click the Apply Access Policy link to apply and activate the changes to the access policy.

Overview: Giving APM users time for smart card authentication

If you have configured Access Policy Manager® for smart card authentication and your users cannot enter a PIN and insert a smart card into a reader before the SSL handshake times out, they can experience problems such as browser failure or errors because the BIG-IP® system sends a TCP reset after the SSL handshake times out. You can mitigate this problem by increasing the handshake timeout in the client SSL profile.

Updating the handshake timeout in a Client SSL profile

By default, a client SSL profile provides a 10-second SSL handshake timeout. You might need to modify the timeout to give users who must authenticate using a smart card more time for the SSL handshake to complete.

  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client profile list screen opens.
  2. In the Name column, click the name of the profile you want to modify.
  3. From the Configuration list, select Advanced.
  4. Scroll down to Handshake Timeout and select the Custom check box.
    Additional settings become available.
  5. Select Specify from the list, and type the desired number in the seconds field.
    For users who must type a PIN, 20 seconds is probably a reasonable timeout. For users who must type a PIN and insert a smart card into a reader, 25 or 30 seconds should be adequate.
    Note: F5® does not recommend increasing the handshake timeout for any purpose other than client authentication.
  6. Click Update.