Applies To: BIG-IQ Centralized Management
- 5.4.0
Working with device-specific resources
Find, edit, and share device-specific resources with the Access module of BIG-IQ® Centralized Management.
Finding a device-specific resource
Editing a device-specific resource
Sharing a device-specific resource
Returning a shared resource to device-specific resources
What local traffic objects does Access support?
In BIG-IQ® Centralized Management, you can associate various local traffic objects with Access objects without manually configuring those objects on each individual BIG-IP® device before deploying the Access configuration to those devices. You must create these objects either in the BIG-IQ local traffic component or in BIG-IP local traffic:
- Virtual Server
- You can configure the Access-specific sections of a virtual server in the BIG-IQ system. This includes configuring Access profiles, connectivity profiles, per-request policies, and VDI profiles, enabling App Tunnels, enabling OAM support, and configuring PingAccessProfile.
- You can configure the SAML artifact resolution service with the virtual server for each BIG-IP device in BIG-IQ Access.
- SSL Certificate and SSL Key
- On the BIG-IP device, you can export the certificate and key files for each CERT and KEY object, and manually import them to the same object in BIG-IQ system.
- On the BIG-IP device, you can configure SAML, the SAML IdP Connector, and the OCSP Responder with an SSL Cert and SSL Key.
- You can configure OamAccessGate for each device with SSL Key and Cert in BIG-IQ system.
- Net Tunnels Fec
- You can create the connectivity profile on a BIG-IP device with a Fec profile.
- The Net Tunnels Fec profile must be associated with a Connectivity Profile in BIG-IQ, and deployed to the other devices in the Access Group.
- Route Domains
- You can create route domains for each BIG-IP device in BIG-IQ system.
- You can configure the Route Domain Selection Agent for each BIG-IP device in BIG-IQ system by editing the Access policy.
- iRules
- You can create iRules® in BIG-IP Access, and configure them in the virtual server.
- If you are using iRules in an OAuth server, create the iRule first, then associate the OAuth server in the BIG-IP device.
- DNS Resolver
- You can create DNS resolvers in either the BIG-IP device or BIG-IQ system.
- The best practice is to create the DNS resolver in the BIG-IP device, then associate the DNS resolver with the OAuth server.
- SSL Client Profile and HTTP Profile
- You can create either profile in BIG-IQ system, and configure it in the local traffic virtual server.
- Server SSL Profile
- You can create this in either the BIG-IP device or in BIG-IQ system.
- The best practice is to create the server SSL profile in the BIG-IP device, and associate it with the SAML IdP connector.
- You can configure LDAP and Endpoint Management systems with a server SSL profile in either the BIG-IP device or in BIG-IQ system.
- Rewrite Profile and Classification Profile
- You must create these in the BIG-IP device.
- You can associate both these profiles with the local traffic virtual server in the BIG-IQ system.
- You can associate the rewrite profile in portal mode with the Access group virtual server in the BIG-IQ system.
- Import SSL Keys and Certs
- These are used in SAML configurations, SAML IdP connectors, OAM access gates, and OCSP responders.
- CA Profile
- This is used in MachineCertAuthAgent.
- Configure the CA Profile in BIG-IP, import it, and deploy it to the other devices in the Access Group.
- Associate the CA Profile with the "Machine Cert Auth" Agent either in BIG-IP or in BIG-IQ.
- SMTP Server
- This is used in email agents.
- Configure the SMTP Server and associate it with the Email Agent in the policy in BIG-IP, then import it and deploy it to the other devices in the Access Group.
- If you add the email agent to the access policy in BIG-IQ, create the SMTP Server in BIG-IQ if one does not exist, and then choose it in the email agent.
For more information about configuring BIG-IQ local traffic objects, refer to the online help, and to the guide, F5 BIG-IQ Centralized Management: Local Traffic & Network.
Editing a virtual server
Where are local traffic objects supported in Access?
This table describes the relationship between local traffic objects and APM objects. Specifically, this explains which local traffic objects are used in which Access objects.
LTM Object | Access Object |
---|---|
Virtual server | |
SSL Key | |
SSL Cert | |
SNAT Pool | |
Server SSL Profile | |
Net Tunnels Fec | |
Route Domain | |
iRules | |
DNS Resolver | |
ReWrite Profile | |
LogPublisher | |
Preset | |
About access policies
In an access policy, you define the criteria for granting access to various servers, applications, and other resources on your network. An access policy can be either a per-session policy or a per-request policy. You create an access policy by creating an access profile, which automatically creates a blank access policy. Every access profile has an access policy associated with it. You configure an access policy through the access profile, using the Visual Policy Editor.
About per-session and per-request policies
Access in BIG-IQ® Centralized Management provides two types of policies.
- Per-session policy
- The per-session policy runs when a client initiates a session. Depending on the actions you include in the access policy, it can authenticate the user and perform other actions that populate session variables with data for use throughout the session.
- Per-request policy
- After a session starts, a per-request policy runs each time the client makes an HTTP or HTTPS request. A per-request policy can include a subroutine, which starts a subsession. Multiple subsessions can exist at one time.
One per-session policy and one per-request policy are specified in a virtual server.
Viewing an access policy
Create an access profile and per-session policy
Create a per-request policy
Editing an access policy
- Creating a per-session policy macro.
- Creating a per-request policy macro, subroutine, or subroutine macro.
- Creating new endings or terminals.
- Deleting endings or terminals.
- Changing macro or subroutine properties.
- Modifying any policy ending or macro terminal.
These actions can't be undone, and they can't be performed while there are any pending diagram changes.
Adding a policy item
Adding an action item or macro-call to a policy
Swapping policy branches
About timeouts and crashes
During an editing session, if you remain inactive for a prolonged period of time, the session times out. Other times, the browser might freeze. In either case, you might have to prematurely terminate an editing session without a chance to save your changes. However, regardless of why you had to terminate a session, BIG-IQ® Centralized Management saves a draft of the policy and saves any unsaved macro when you make a modification. The next time you log in, locate the policy, and open the editing screen. The system notifies you that an unsaved draft exists, and prompts you to select whether you want to continue editing the draft or start over.
The system saves the change history in the draft, so actions such as Undo and Redo work for all changes you make before the session was interrupted. Lastly, if someone else was the previous editor, you can see the user and the time of the last edit. This allows you to choose whether or not to resume that person's editing session.
Per-session and per-request policy comparison
The table summarizes per-session policy and per-request policy similarities and differences.
Feature | Per-session policy | Per-request policy |
---|---|---|
Supports macros | Yes | Yes |
Requires that users click an Apply Access Policy link to go into effect. | Yes | No |
When run | At session start. | After session is created, on every request. |
Policy ending types | Allow, Deny, Redirect; endings apply to the session. | Allow, Redirect, Reject; endings apply to URL requests processed in the per-request policy. A Reject ending triggers the Deny ending in the access policy. |
Supports variables | Creates session variables that are available throughout a session. | Reads available session variables. Creates per-flow variables that are available only while the per-request policy runs. |
About access policy endings
An ending provides a result for an access policy branch. An ending for an access policy branch is one of three types.
- Allow
- Starts the SSL VPN session and loads assigned resources and a webtop, if assigned, for the user. Typically, you assign this when the user passes specific checks.
- Deny
- Disallows the SSL VPN session and shows the user an access denied web page. Typically, you assign this when the user does not have access to resources, or fails authentication. Alternatively, after a session starts, shows a URL filter denied web page after a per-session policy rejects a request for a URL.
- Redirect
- Redirects the client to the URL specified in the ending configuration. You can define a redirect URL for each redirect ending. Typically, you can assign a redirect when the user requires remediation, or a separate resource. For example, a user who fails the antivirus check because virus definitions are out of date can be redirected to the software manufacturer's site to get an antivirus update.
What is a terminal?
A terminal is a sub-policy ending in an access policy. Unlike a policy ending, terminals do not have types, and you can re-order them. The order of a terminal in a sub-policy determines the order of the branches in the macro-calls. As with policy endings, you can't create, change, or delete a terminal if there are pending changes in the policy.
Creating a policy ending
Editing a policy ending
Deleting a policy ending
About editing conflicts
- Contact the other editor.
- Try again another time.
- Take over the original user's session. You can then choose to save or discard the original user's changes or continue editing.
What is a macro sub-policy?
A macro is a sub-policy with a beginning, one or more policy items, and one or more endings. You can create or edit a macro as you would a policy. In a policy, a macro-call in the workflow represents the macro. When you insert a macro-call in a policy or another macro, it displays as a node in the workflow diagram. Typically, you use a macro in multiple branches of the workflow.
Macros are specific to an access policy. You cannot create a macro if there are pending changes to the access policy. You can also create special macros. These have the same workflow as the base macro type. However, you can only use subroutines in per-request policies and subroutine macros in subroutines.
Creating a macro sub-policy
Managing Configuration Snapshots
What is snapshot management?
Comparing snapshots
You can compare two snapshots, or compare a snapshot to the configuration on the BIG-IQ® Centralized Management system to view their differences.