Manual Chapter : Defining Access Policy Items

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 13.0.1, 13.0.0
Manual Chapter

About access policy item configuration

An access policy item is a small action, or rule, that serves a specific purpose in an access policy. Access policy items are all added to the access policy in the same way; but in most cases, each access policy item must be configured individually. In Access Policy Manager®, an access policy item is one of five types.

Item type Configuration details Examples
Blank item This type of access policy item has no explicit configuration on the configuration page, and can be configured to verify a wide range of conditions with Expression screens.
  • General Purpose: Empty action
  • Endpoint Security (Client-Side): Machine Info
Preconfigured branch rule item This type of access policy item has no explicit configuration on the configuration page, and a preconfigured set of rules on the Branch Rules page.
  • Endpoint Security (Server-Side): IP Reputation
  • Endpoint Security (Client-Side): Windows Info
Properties page configuration item This type of access policy has all standard configuration options on the configuration page, to verify the required information, prompt for information, or another action.
  • General Purpose: Logon Page action
  • Endpoint Security (Client-Side): Antivirus
Assignment item An assignment action allows configuration on the configuration page, and contains a list of available resources of a certain type, and allows you to select one or multiple resources to assign. Some resource assignment actions, such as Webtop, Links and Sections Assign, allow you to assign multiple items of different types. Advanced Resource Assign is a special case that allows you to select and assign multiple resources of different types at once.
  • Assignment: Pool Assign
  • Assignment: Webtop, Links and Sections Assign
Mapping assignment item A mapping assignment action allows you to assign one variable or resource to the value of another variable or resource. This kind of assign action includes the assignment of resources or variables on a separate page, linked from the main screen.
  • Assignment: AD Group Resource Assign
  • Assignment: Variable Assign

Adding a blank access policy item to an access policy

Before you start this task, configure an access profile.
Configure a blank item to configure one of several actions that has no explicit configuration defined.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Select a blank action:
    Option Description
    Endpoint Security (Client-Side) > Machine Info Collects machine info, and checks it against established values.
    General Purpose > Empty An empty action that you can configure with any allowed checks.
    A properties screen opens.
  5. Click the Branch Rules tab.
    The Branch Rules screen opens.
  6. Click the Add Branch Rule button.
    New Name and Expression settings display.
  7. Click the change link in the Expression area.
    A popup screen opens.
  8. Click Add Expression.
    New properties display.
  9. For each expression you add, select an agent from the Agent Sel. list, a condition from the Condition list, and configure any details.
    See the reference information for each action for more details.
  10. Click Add Expression to add the expression to the list.
  11. Add more expressions to the check as required. You can add expressions as either AND or OR conditions.
  12. Click Finished.
    The popup screen closes.
  13. Click Save.
    The properties screen closes and the policy displays.
The access policy is configured with the empty action you have configured.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Adding an access policy item with preconfigured branch rules

Before you start this task, configure an access profile.
Configure an access policy with preconfigured branch rules to add preconfigured settings and branches to an access policy.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Select an action with preconfigured branch rules, and click Add Item:
    Option Description
    Endpoint Security (Server-Side) > Client for MS Exchange Checks that the system is a client for Microsoft Exchange.
    Endpoint Security (Server-Side) > Client OS Provides branches based on the result of an operating system check on the client.
    Endpoint Security (Server-Side) > Client Type Provides branches based on the result of an client type check.
    Endpoint Security (Server-Side) > Client-Side Capability Checks whether the client can run client side checks and provides positive and fallback branches.
    Endpoint Security (Server-Side) > Date Time Provides branches based on a certain date or time.
    Endpoint Security (Server-Side) > IP Geolocation Match Provides branches based on a specific geographic origin for the client.
    Endpoint Security (Server-Side) > IP Reputation Checks the client IP against an IP reputation database.
    Endpoint Security (Server-Side) > Jailbroken or Rooted Device Detection Provides branches based on whether the device appears to be jailbroken or rooted.
    Endpoint Security (Server-Side) > Landing URI Provides branches based on a specific landing URI.
    Endpoint Security (Server-Side) > License Provides branches based on the available global APM licenses.
    Endpoint Security (Client-Side) > Windows Info Provides branches based on specific Windows information, such as operating system type and patch level.
    A properties screen opens.
  5. Click the Branch Rules tab.
    The Branch Rules screen opens.
  6. View the preconfigured branch rules.
    You can make changes to the branch rules, or close the item.
  7. Click Save.
    The properties screen closes and the policy displays.
The access policy is saved with the action you have configured.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Adding an access policy item with configurable properties

Before you start this task, configure an access profile.
Configure an access policy with configurable properties to check for specific items or policies.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Select an action with configurable properties, then click Add Item:
    Option Description
    Logon > External Logon Page Presents an external logon page for the client.
    Logon > HTTP 401 Response Provides a custom HTTP 401 logon page.
    Logon > HTTP 407 Response Provides a custom HTTP 407 logon page.
    Logon > Logon Page Provides a custom logon page that you can configure entirely from the properties screen.
    Logon > Virtual Keyboard Provides a configurable virtual keyboard for logon information entry.
    Logon > VMware View Logon Page Provides a custom logon page for VMware View.
    Endpoint Security (Client-Side) > Anti-Spyware Checks that the client is running specified anti-spyware software.
    Endpoint Security (Client-Side) > Antivirus Checks that the client is running specified antivirus software.
    Endpoint Security (Client-Side) > Firewall Checks that the client is running specified firewall software.
    Endpoint Security (Client-Side) > Hard Disk Encryption Checks that the client hard disk is encrypted.
    Endpoint Security (Client-Side) > Linux File Allows a check for a specific file with specified properties on a Linux system.
    Endpoint Security (Client-Side) > Linux Process Allows a check for a specific process on Linux systems.
    Endpoint Security (Client-Side) > Mac File Allows a check for a specific file with specified properties on Windows systems.
    Endpoint Security (Client-Side) > Mac Process Allows a check for a specific process on Windows systems.
    Endpoint Security (Client-Side) > Machine Cert Auth Allows a check for a machine certificate.
    Endpoint Security (Client-Side) > Patch Management Allows a check for patches to specific files.
    Endpoint Security (Client-Side) > Peer-to-peer Allows a check for peer to peer software on a system.
    Endpoint Security (Client-Side) > Windows Cache and Session Control Allows you to configure Windows clients to clean certain items after the session closes.
    Endpoint Security (Client-Side) > Windows File Allows a check for a specific file with specified properties on Windows systems.
    Endpoint Security (Client-Side) > Windows Health Agent Allows a check for a health agent on Windows systems.
    Endpoint Security (Client-Side) > Windows Process Allows a check for a specific process on Windows systems.
    Endpoint Security (Client-Side) > Windows Protected Workspace Allows configuration of a protected workspace in Windows.
    Endpoint Security (Client-Side) > Windows Registry Allows a check for a specific registry value in Windows.
    General Purpose > Decision Box Allows configuration of a choice of two branches for the user, with custom text describing each choice.
    General Purpose > Email Sends an email, when reached in the access policy.
    General Purpose > iRule Event Allows configuration of a choice of two branches for the user, with custom text describing each choice.
    General Purpose > Local Database Allows you to add entries to a local database.
    General Purpose > Logging Allows you to log a session variable result.
    General Purpose > Message Box Shows a message, and requires the user to click to continue.
    A properties screen opens.
  5. Configure the properties for the item.
  6. Click Save.
    The properties screen closes and the policy displays.
The access policy is configured with the empty action you have configured.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Adding an access policy assignment item

Before you can add an access policy assignment item, you need to configure an access profile.
Configure an access policy with an assignment action to assign a resource, local traffic pool, ACL, profile, or other item. Each assignment action works differently and assigns different items.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Select an assignment action, then click Add Item:
    Option Description
    Assignment > ACL Assign Assigns an ACL to the access policy branch.
    Assignment > Advanced Resource Assign Directly assigns all types of resources.
    Assignment > BWC Policy Assigns a Bandwidth Controller policy to an access policy branch.
    Assignment > Citrix Smart Access Assigns a Citrix Smart Access filter to an access policy branch.
    Assignment > Dynamic ACL Assigns a dynamic ACL to an access policy branch.
    Assignment > Resource Assign Allows you to assign connection resources, remote desktops, and SAML resources.
    Assignment > Route Domain and SNAT Selection Allows you to assign a route domain, SNAT, and SNAT pool to an access policy branch.
    Assignment > SSO Credential Mapping Allows you to assign attributes for the SSO username and password.
    Assignment > Webtop, Links and Sections Assign Allows you to assign a webtop, webtop links, and webtop sections to an access policy branch.
    A properties screen opens.
  5. Configure the properties for the item.
  6. Click Save.
    The properties screen closes and the policy displays.
The access policy is configured with the assignment action you have configured.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.

Adding an access policy mapping item

Before you start this task, configure an access profile.
Configure an access policy with a mapping action to map resources or variables of one type to another type or value. Each mapping action works differently and assigns different items.
  1. On the Main tab, click Access > Profiles / Policies .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Select a mapping action, then click Add Item:
    Option Description
    Assignment > AD Group Resource Assign Maps resources from an Active Directory group to access policy resources.
    Assignment > LDAP Group Resource Assign Maps resources from an LDAP group to access policy resources.
    Assignment > Variable Assign Allows you to assign predefined or custom variables to attributes, values, text, or expressions.
    A properties screen opens.
  5. For the Variable assign action, click the Add new entry button.
    The AD and LDAP Group Assign actions already include an entry.
  6. Click the Edit link.
  7. Configure the settings for the assign action.
    For the AD or LDAP group resource assign action, type the name of the group, then click Add group manually.
  8. Configure the mapping items.
    Refer to the specific documentation for each item to map items.
  9. Click Save.
    The properties screen closes and the policy displays.
The access policy is configured with the assignment action you have configured.
Click the Apply Access Policy link to apply and activate your changes to this access policy.
Note: To ensure that logging is configured to meet your requirements, verify the log settings for the access profile.