

Configuration Guide for BIG-IP®

Access Policy Manager™

version 10.2

MAN-0309-01


Product Version
This manual applies to product version 10.2 of the BIG-IP® Access Policy Manager™ product.

Publication Date
This manual was published on May 4, 2010.

Legal Notices

Copyright
Copyright 2007-2010, F5 Networks, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Trademarks
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, Access Policy Manager, APM, Acopia, Acopia Networks, Application Accelerator, Ask F5, Application Security Manager, ASM, ARX, Data Guard, Enterprise Manager, EM, FirePass, FreedomFabric, Global Traffic Manager, GTM, iControl, Intelligent Browser Referencing, Internet Control Architecture, IP Application Switch, iRules, Link Controller, LC, Local Traffic Manager, LTM, Message Security Module, MSM, NetCelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, SSL Accelerator, SYN Check, Traffic Management Operating System, TMOS, TrafficShield, Transparent Data Reduction, uRoam, VIPRION, WANJet, WAN Optimization Module, WOM, WebAccelerator, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent.

Patents
This product is protected by U.S. Patents 6,505,230, 7,114,180, and 7,349,391. Other patents may be pending.

Export Regulation Notice
This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.

RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.

FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.

Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.

Configuration Guide for BIG-IP® Access Policy Manager™ i


Canadian Regulatory Compliance
This Class A digital apparatus complies with Canadian ICES-003.

Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.

Acknowledgments
This product includes software developed by Bill Paul.

This product includes software developed by Jonathan Stone.

This product includes software developed by Manuel Bouyer.

This product includes software developed by Paul Richards.

This product includes software developed by the NetBSD Foundation, Inc. and its contributors.

This product includes software developed by the Politecnico di Torino, and its contributors.

This product includes software developed by the Swedish Institute of Computer Science and its contributors.

This product includes software developed by the University of California, Berkeley and its contributors.

This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory.

This product includes software developed by Christopher G. Demetriou for the NetBSD Project.

This product includes software developed by Adam Glass.

This product includes software developed by Christian E. Hopps.

This product includes software developed by Dean Huxley.

This product includes software developed by John Kohl.

This product includes software developed by Paul Kranenburg.

This product includes software developed by Terrence R. Lambert.

This product includes software developed by Philip A. Nelson.

This product includes software developed by Herb Peyerl.

This product includes software developed by Jochen Pohl for the NetBSD Project.

This product includes software developed by Chris Provenzano.

This product includes software developed by Theo de Raadt.

This product includes software developed by David Muir Sharnoff.

This product includes software developed by SigmaSoft, Th. Lockert.

This product includes software developed for the NetBSD Project by Jason R. Thorpe.

This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com.

This product includes software developed for the NetBSD Project by Frank Van der Linden.

This product includes software developed for the NetBSD Project by John M. Vinopal.

This product includes software developed by Christos Zoulas.

This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman.

In the following statement, “This software” refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with “386BSD” and similar operating systems. “Similar operating systems” includes mainly non-profit oriented systems for research and education, including but not restricted to “NetBSD,” “FreeBSD,” “Mach” (by CMU).

This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).

This product includes software licensed from Richard H. Porter under the GNU Library General Public License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.

This product includes the standard version of Perl software licensed under the Perl Artistic License (© 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at http://www.perl.com.

This product includes software developed by Jared Minch.


This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).

This product includes cryptographic software written by Eric Young ([email protected]).

This product contains software based on oprofile, which is protected under the GNU Public License.

This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html) and licensed under the GNU General Public License.

This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL).

This product includes software developed by the Apache Software Foundation (http://www.apache.org/).

This product includes Hypersonic SQL.

This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others.

This product includes software developed by the Internet Software Consortium.

This product includes software developed by Nominum, Inc. (http://www.nominum.com).

This product contains software developed by Broadcom Corporation, which is protected under the GNU General Public License.


Table of Contents


1 Introducing BIG-IP Access Policy Manager

Introducing the BIG-IP system ........ 1-1
    BIG-IP Local Traffic Manager ........ 1-1
Overview of the BIG-IP Access Policy Manager ........ 1-2
    Introducing Access Policy Manager features ........ 1-2
Understanding BIG-IP Access Policy Manager access types ........ 1-4
    Working with network access ........ 1-6
    Working with web applications ........ 1-8
    Working with web application access management ........ 1-10
Using access profiles and policies ........ 1-13
    Using authentication in access policies ........ 1-14
Using the Configuration utility ........ 1-16
    Overview of components of the Configuration utility ........ 1-17
Getting started with BIG-IP Access Policy Manager ........ 1-18
    Using Access Policy Manager configuration wizards ........ 1-18
    Following the recommended configuration path ........ 1-22
    Possible configuration scenarios ........ 1-23
Finding help and technical support resources ........ 1-24
    Finding the Access Policy Manager software version number ........ 1-24

2 Configuring Network Access

Introducing network access ........ 2-1
    Reviewing network access features ........ 2-1
Configuring network access settings ........ 2-4
    Setting up network access ........ 2-5
    Setting DNS and hosts options ........ 2-9
    Mapping drives with network access ........ 2-10
    Launching applications with network access connections ........ 2-11
Using lease pools ........ 2-13
Configuring traffic control ........ 2-15

3 Configuring Web Applications

Introducing web applications ........ 3-1
    Introducing web applications features and operation ........ 3-1
    Introducing web applications support ........ 3-2
    Understanding proxy and cache functionality ........ 3-4
    Understanding web application resource items ........ 3-4
Configuring web applications on Access Policy Manager ........ 3-7
Configuring a rewrite profile ........ 3-10

4 Configuring Web Application Access Management

Introducing web application access management ........ 4-1
    Understanding how web application access management works ........ 4-1
Reviewing web application access management options ........ 4-2
    Setting timeouts for web application access policy management ........ 4-2
    Understanding other web application access management considerations ........ 4-3
Configuring web application access management ........ 4-4


5 Configuring Resources

Understanding resources ........ 5-1
Using access control lists ........ 5-2
    Creating access control lists ........ 5-2
    Access control list examples ........ 5-5
Using webtops ........ 5-8

6 Understanding Access Policies

Introducing access policies ........ 6-1
Understanding access policy items ........ 6-2
    Understanding the access policy start point ........ 6-2
    Understanding access policy actions ........ 6-2
Understanding access policy branch rules ........ 6-6
    Viewing rules ........ 6-7
    Predefined rules ........ 6-8
Understanding access policy branches ........ 6-10
Understanding access policy macros ........ 6-11
    Introducing macro terminals ........ 6-12
Introducing access policy endings ........ 6-14
    Understanding the allow ending ........ 6-14
    Understanding the deny ending ........ 6-14
    Understanding the redirect ending ........ 6-15
Understanding session variables ........ 6-16
    Using session variables ........ 6-17

7 Creating Access Profiles and Access Policies

Creating an access profile ........ 7-1
    Understanding access profile settings ........ 7-1
    Understanding configuration settings ........ 7-2
    Creating an access profile ........ 7-2
    Applying an access policy ........ 7-3
    Customizing access profile languages ........ 7-3
Creating an access policy ........ 7-5
    Starting the visual policy editor ........ 7-5
    Configuring a basic access policy ........ 7-6
    Opening an access policy ........ 7-7
    Adding actions to an access policy ........ 7-7
    Using policy endings ........ 7-8
    Applying an access policy configuration ........ 7-12
Understanding available actions and categories ........ 7-13
    Understanding general purpose checks ........ 7-13
    Understanding authentication actions ........ 7-13
    Understanding client-side checks ........ 7-13
    Understanding client-side actions ........ 7-14
    Understanding server-side checks ........ 7-14
Configuring macros ........ 7-15
    Using predefined macro templates ........ 7-17
    Using the empty macro template ........ 7-17
    Using the AD auth and resources macro template ........ 7-17
    Using the AD auth query and resources macro template ........ 7-18
    Using the LDAP auth and resources macro template ........ 7-19


    Using the LDAP auth query and resources macro template ........ 7-20
    Using the RADIUS and resources macro template ........ 7-21
    Using the SecurID and resources macro template ........ 7-22
    Using the Windows AV and FW macro template ........ 7-23
    Using the client classification and prelogon checks macro template ........ 7-25
Backing up and importing access profiles ........ 7-27

8 Configuring General Purpose Access Policy Actions

Introducing general purpose actions ........ 8-1
Configuring general purpose actions in an access policy ........ 8-3
    Adding and customizing a logon page ........ 8-3
    Adding an external logon page ........ 8-7
    Assigning resources ........ 8-9
    Assigning variables ........ 8-10
    Adding a virtual keyboard to the logon screen ........ 8-13
    Adding SSO credential mapping ........ 8-14
    Selecting a route domain ........ 8-15
    Adding access policy logging ........ 8-16
    Adding a message box ........ 8-17
    Adding a decision box ........ 8-18
    Adding an iRule event ........ 8-19

9 Configuring Client Side Checks and Client Side Actions

Understanding client-side checks ........ 9-1
Setting up antivirus check ........ 9-2
    Checking antivirus with the antivirus check access policy item ........ 9-2
    Example: Using antivirus check ........ 9-3
Setting up file check ........ 9-6
    Checking for a file with the file check access policy item ........ 9-6
    Example: Using file check ........ 9-8
Setting up a machine cert auth check ........ 9-10
    Understanding machine cert auth check options ........ 9-10
    Checking a machine certificate with the machine cert access policy item ........ 9-12
    Example: Using machine cert auth check ........ 9-13
Setting up firewall check ........ 9-14
    Setting up the firewall check action ........ 9-14
    Example: Using firewall check ........ 9-15
Setting up process check ........ 9-17
    Setting up process check access policy item ........ 9-17
    Example: Using process check ........ 9-17
Setting up registry check ........ 9-19
    Expression syntax ........ 9-19
    Setting up the registry check action ........ 9-20
    Example: Using registry check ........ 9-20
Verifying Windows information ........ 9-22
    Setting up Windows info action ........ 9-22
    Example: Using Windows info check ........ 9-23
Understanding client-side actions ........ 9-25
Setting up cache and session control ........ 9-26
    Setting up the cache and session control access policy item ........ 9-26
    Example: Using cache and session control ........ 9-27
Setting up protected workspace ........ 9-30


    Setting up the protected workspace access policy item ........ 9-30
    Example: Using protected workspace ........ 9-31
Assigning a Windows group policy template ........ 9-34
    Understanding Windows group policy templates ........ 9-34
    Using predefined Windows group policy templates ........ 9-34
    Understanding the regulatory templates ........ 9-37
    Working with Windows group policy templates ........ 9-38
    Setting up the Windows group policy access policy item ........ 9-39
    Example: Using Windows group policy templates ........ 9-40

10 Configuring Server Side Checks

Introducing server-side checks ........ 10-1
    Preparing for clients that cannot use client checks ........ 10-1
    Checking the landing URI of a client ........ 10-1
Configuring client OS check ........ 10-2
    Setting up the client OS check ........ 10-2
    Example: Using client OS check ........ 10-3
Configuring UI mode check ........ 10-5
    Understanding ActiveSync connections ........ 10-5
    Setting up the UI mode access policy item ........ 10-6
    Example: Using UI mode check ........ 10-6
Configuring client-side check capability ........ 10-9
    Setting up the client-side check capability access policy item ........ 10-9
    Example: Using client-side check capability action ........ 10-10
Checking a landing URI with the landing URI check ........ 10-12
    Setting up the landing URI access policy item ........ 10-12
    Example: Using landing URI check ........ 10-12

11 Configuring Authentication Using AAA Servers

Understanding authentication with Access Policy Manager ........ 11-2
    Understanding authentication types: for Active Directory and LDAP ........ 11-2
Understanding different RADIUS operation modes ........ 11-4
    RADIUS authentication ........ 11-4
    RADIUS accounting ........ 11-5
    RADIUS authentication and accounting ........ 11-8
Setting up Access Policy Manager for RADIUS authentication and authorization ........ 11-8
    Setting up RADIUS authentication and authorization access policy action item ........ 11-9
Configuring Access Policy Manager for RADIUS accounting ........ 11-14
    Setting up RADIUS accounting access policy action item ........ 11-14
Configuring Access Policy Manager for RADIUS authentication and accounting ........ 11-16
    Setting up a RADIUS authenticating and accounting access policy action item ........ 11-16
Setting up Access Policy Manager for RSA Native SecurID for authentication and authorization ........ 11-17
    Adding the Access Policy Manager as an agent host to an RSA Native SecurID authentication server ........ 11-18
    Configuring the Access Policy Manager to use the RSA Native SecurID authentication server ........ 11-19
    Setting up RSA Native SecurID authentication and authorization access policy action item ........ 11-21
    Using RSA Native SecurID session variables for access policy rules ........ 11-21
Setting up Access Policy Manager for LDAP authentication and authorization ........ 11-23
    Setting up an LDAP server ........ 11-23


Configuring LDAP access policy action item for authentication ..... 11-24
Configuring LDAP query policy action item ..... 11-26
Using LDAP session variables for access policy rules ..... 11-27
Example: Using LDAP query and LDAP authentication to authenticate and authorize users ..... 11-29
Troubleshooting LDAP authentication/query ..... 11-30
Setting up Access Policy Manager for Windows Active Directory authentication and authorization ..... 11-32
Configuring Access Policy Manager to set up an Active Directory for authentication ..... 11-32
Configuring Access Policy Manager to access the Active Directory for authentication ..... 11-34
Configuring Access Policy Manager to access the Active Directory action item for query ..... 11-35
Using Active Directory session variables for access policy rules ..... 11-36
Troubleshooting Active Directory authentication/query ..... 11-37
Example: Authenticating and authorizing users with Active Directory query and authentication ..... 11-39
Understanding nested groups ..... 11-40
Setting up Access Policy Manager for HTTP authentication ..... 11-41
HTTP basic authentication ..... 11-41
HTTPS basic authentication ..... 11-42
HTTP NTLM authentication ..... 11-44
HTTP form-based authentication ..... 11-44
Setting up Access Policy Manager for Oracle Access Manager ..... 11-47
Setting up Access Policy Manager for AAA high availability ..... 11-48
Setting up RADIUS high availability authentication and accounting servers ..... 11-48
Setting up Active Directory high availability servers ..... 11-51
Setting up LDAP high availability servers ..... 11-56

12 Introducing On-Demand Certificate Authentication

Controlling SSL traffic ..... 12-1
Understanding SSL profiles ..... 12-1
Introducing SSL server certificates ..... 12-2
Introducing SSL On-Demand Certificates ..... 12-2
Understanding On-Demand certificate authentication ..... 12-3
Client certificate inspection ..... 12-3
On-Demand certificate authentication agent ..... 12-4
Configuring client SSL profiles ..... 12-8
Importing a certificate and the corresponding key ..... 12-8
Configuring a clientssl profile ..... 12-8
Using On-Demand Certificates to authenticate users ..... 12-10
Validating certificate revocation status ..... 12-11
Understanding CRLs ..... 12-11
Understanding OCSP ..... 12-12
Configuring an OCSP responder object ..... 12-13
Creating an SSL OCSP profile ..... 12-14
Using CRLDP ..... 12-15
Configuring a CRLDP server object ..... 12-15
Configuring a CRLDP configuration object ..... 12-15
Creating a CRLDP profile ..... 12-16


13 Introducing Single Sign-On

Introducing Single Sign-On (SSO) with credential caching and proxying ..... 13-1
Introducing Single Sign-On configuration objects ..... 13-1
About credential caching ..... 13-4
Configuring credential caching mapping agent ..... 13-4
About credential proxying ..... 13-5
Configuring credential proxying using HTTP basic authentication method ..... 13-5
Configuring credential proxying using HTTP form-based authentication method ..... 13-6
Configuring credential proxying using NTLM v1 authentication method ..... 13-7
Configuring credential proxying using NTLM v2 authentication method ..... 13-8
About External Access Management ..... 13-9
Configuring OAM authentication method ..... 13-9
Common use cases for Single Sign-On deployment ..... 13-14
Using Single Sign-On for LTM pool members ..... 13-14
Using Single Sign-On for web application access over network access tunnel ..... 13-15
Configuring web applications for single sign-on ..... 13-18

14 Configuring Virtual Servers

Introducing virtual servers with Access Policy Manager ..... 14-1
Configuring virtual servers for access policies ..... 14-2
Creating a virtual server for DTLS ..... 14-3
Configuring a local traffic virtual server with an access policy ..... 14-4

15 Customizing Access Policy Manager Features

Setting up access profile customization ..... 15-1
Understanding endpoint security message customization ..... 15-2
Customizing error messages for the logon process ..... 15-4
Understanding framework installation customization options ..... 15-8
Understanding logon page style customization options ..... 15-9
Understanding logout components ..... 15-13
Customizing a webtop ..... 15-14
Understanding webtop customization fields ..... 15-14
Customizing the BIG-IP Edge Client ..... 15-22
Reviewing client customization settings ..... 15-22
Introducing advanced access policy customization ..... 15-24
Example: Using advanced access policy customization to modify a specific profile ..... 15-24

16 Advanced Topics in Access Policies

Setting up a logon page to collect user credentials ..... 16-1
Understanding the logon page action ..... 16-1
Example: Using a customized logon page to collect user credentials ..... 16-5
Using multiple authentication methods ..... 16-8
Client certificate two-factor authentication ..... 16-8
Example: Using client certificate authentication with Active Directory ..... 16-9
Configuring the client certificate two-factor authentication with Active Directory example ..... 16-9
Configuring policy routing ..... 16-11


Setting up route domain selection in an access policy ..... 16-11
Example: Directing users to different route domains ..... 16-13
Configuring the policy routing example ..... 16-13
Using advanced access policy rules ..... 16-17
Understanding advanced access policy rule situations ..... 16-17
Writing advanced access policy rules ..... 16-18
Using a Tcl expression or program as an advanced access policy rule ..... 16-18
Understanding advanced access policy rule limitations ..... 16-19
Editing advanced access policy rules ..... 16-19
Example: Checking that all present antivirus packages are active on the client system ..... 16-23
Writing the example code ..... 16-23
Using this example ..... 16-23
Example: Using a certificate field for logon name ..... 16-25
Writing the example code ..... 16-25
Using this example ..... 16-25

17 Logging and Reporting

Understanding logging ..... 17-1
Introducing logging features ..... 17-1
Understanding log content ..... 17-2
Understanding log types ..... 17-4
Logging system events ..... 17-4
Auditing configuration changes ..... 17-4
Setting log levels ..... 17-6
Setting log levels for auditing events ..... 17-7
Understanding reports ..... 17-9
Displaying reports for current sessions ..... 17-9
Terminating user sessions ..... 17-10
Displaying reports for all sessions ..... 17-10
Using scripts to view reports ..... 17-11
Viewing statistics ..... 17-13
Session statistics ..... 17-13
Access policy result statistics ..... 17-14
Agent type statistics ..... 17-15
Global profile access statistics ..... 17-18
PPP global statistics ..... 17-19
Session info (access info) statistics ..... 17-19
Monitoring system and user information ..... 17-21
Viewing the Access Policy Manager dashboard ..... 17-21

18 Configuring SNMP

Introducing SNMP administration ..... 18-1
Reviewing an industry-standard SNMP implementation ..... 18-1
Reviewing the Access Policy Manager system SNMP implementation ..... 18-1
Summarizing SNMP configuration on the Access Policy Manager system ..... 18-2
Configuring the SNMP agent ..... 18-3
Configuring client access ..... 18-3
Controlling access to SNMP data ..... 18-5
Configuring traps ..... 18-7
Working with SNMP MIB files ..... 18-9
Downloading SNMP MIB files ..... 18-10


Understanding the enterprise MIB files ..... 18-10
Collecting performance data ..... 18-14
Collecting data on memory use ..... 18-15
Collecting data on active connections ..... 18-15
Collecting data on new connections ..... 18-16
Collecting data on throughput ..... 18-17
Collecting data on HTTP requests ..... 18-17
Collecting data on RAM Cache utilization ..... 18-18
Collecting data on CPU use ..... 18-18
Collecting data on SSL transactions per second ..... 18-20
Additional commands used for SNMP ..... 18-20

A Configuring BIG-IP Access Policy Manager clients

Understanding the BIG-IP Edge client ..... A-1
Introducing BIG-IP Edge Client™ features ..... A-1
Understanding client components on Windows systems ..... A-2
Configuring connectivity profiles ..... A-4
Understanding connectivity profile compression settings ..... A-4
Configuring connectivity profile client settings ..... A-5
Configuring connectivity profile mobile client settings ..... A-8
Downloading client components ..... A-8
Customizing client download packages ..... A-9
Using the component installer package to preinstall client components ..... A-11
Downloading the FullArmor GPAnywhere for VPN component ..... A-12
Using Macintosh and Linux clients with Access Policy Manager ..... A-13
Introducing supported network access features ..... A-13
Configuring the starting of applications on Macintosh or Linux clients ..... A-13
Installing the client on Macintosh and Linux systems ..... A-14
Establishing client connections ..... A-16
Installing the BIG-IP Edge Client™ for Windows ..... A-16
Connecting with the BIG-IP Edge Client ..... A-16
Viewing standalone client traffic and statistics ..... A-17
Using the client troubleshooting utility ..... A-20

B Access Policy Example

Introducing the example access policy ..... B-1
Example: Assigning resource groups based on Active Directory attributes ..... B-2
Configuring resources ..... B-2
Configuring the network access resources ..... B-4
Configuring the access profile, macro, and access policy ..... B-6

C Session Variables

Introducing session variables ..... C-1
Introducing Tcl ..... C-2
Standard operators ..... C-2
Session variables reference ..... C-4
Special purpose user session variables ..... C-10
Network access resource variable attributes ..... C-12


D Using Access iRule Events

Introducing iRules ..... D-1
What is an iRule? ..... D-1
Basic iRule elements ..... D-2
Understanding ACCESS iRules ..... D-4
ACCESS_SESSION_STARTED ..... D-4
ACCESS_POLICY_COMPLETED ..... D-5
ACCESS_ACL_ALLOWED ..... D-5
ACCESS_ACL_DENIED ..... D-5
Using ACCESS_ACL_DENIED ..... D-5
ACCESS_SESSION_CLOSED ..... D-6
ACCESS_POLICY_AGENT_EVENT ..... D-6
Understanding ACCESS iRule Commands ..... D-7
ACCESS::disable ..... D-7
ACCESS::session commands ..... D-7
ACCESS::policy commands ..... D-8

E Troubleshooting

Introducing troubleshooting ..... E-1
Example: Changing log levels ..... E-1
Example: Understanding log messages for endpoint security check failures ..... E-2
Example: Understanding log messages for authentication failures ..... E-4
Example: Using the adminreporting utility ..... E-5
Example: Understanding the logging action utility in the visual policy editor ..... E-6
Example: Viewing logging history ..... E-7
Introducing Access Policy Manager log messages ..... E-8
Introducing Kerberos error messages ..... E-21

Glossary

Index


1 Introducing BIG-IP Access Policy Manager

• Introducing the BIG-IP system

• Overview of the BIG-IP Access Policy Manager

• Understanding BIG-IP Access Policy Manager access types

• Using access profiles and policies

• Using the Configuration utility

• Getting started with BIG-IP Access Policy Manager

• Finding help and technical support resources


Introducing the BIG-IP system

The BIG-IP® system is a port-based, multilayer switch that supports virtual local area network (VLAN) technology. Because hosts within a VLAN can communicate at the data-link layer (Layer 2), a BIG-IP system reduces the need for routers and IP routing on the network. This in turn reduces equipment costs and boosts overall network performance. At the same time, the BIG-IP system's multilayer capabilities enable the system to process traffic at other OSI layers. The BIG-IP system can perform IP routing at Layer 3, as well as manage TCP, UDP, and other application traffic at Layers 4 through 7. The following modules provide comprehensive traffic management and security for many traffic types. The modules are fully integrated to provide efficient solutions that meet any network, traffic management, and security needs.

BIG-IP Local Traffic Manager

BIG-IP® Local Traffic Manager™ includes features that help make the most of network resources. Using the powerful Configuration utility, you can customize the way that the BIG-IP system processes specific types of protocol and application traffic. By using features such as virtual servers, pools, and profiles, you ensure that traffic passing through the BIG-IP system is processed quickly and efficiently, while meeting all of your security needs. For more information, see the Configuration Guide for BIG-IP® Local Traffic Manager™.


Overview of the BIG-IP Access Policy Manager

The F5 Networks® BIG-IP® Access Policy Manager™ is a software component of the BIG-IP hardware platform that provides your users with secured connections to Local Traffic Manager virtual servers, specific web applications, or the entire corporate network. By leveraging standard web browsers and security technology, the Access Policy Manager enables your corporation or organization to provide users access to various internal resources easily and cost-effectively, with no special software or configuration on the user's system.

Introducing Access Policy Manager features

All Access Policy Manager models include the following features:

◆ Standard Web browser support
Access Policy Manager can be used with most standard browsers that support secure HTTP (also known as HTTPS). These include Internet Explorer®, Safari™, and Firefox®.

◆ Privacy
The Access Policy Manager supports common encryption technologies, including RC4, Triple DES, and AES. It uses standard SSL encryption from the client browser to the Access Policy Manager.

◆ Authentication
The Access Policy Manager can perform authentication, authorization, and accounting (AAA), using standard AAA methods, including LDAP directories, Microsoft® Active Directory® and Microsoft Windows® Domain servers, RADIUS servers, and HTTP authentication. The Access Policy Manager supports native RSA SecurID authentication. In addition, the controller can use signed client digital certificates to authenticate devices.

◆ Client-side checks
The Access Policy Manager provides a broad set of client-side checks, such as client integrity checking, a browser cache cleaner, a secure virtual keyboard, and support for a large number of antivirus and firewall packages.

◆ Visual policy editor
To facilitate access policy definition, the Access Policy Manager provides a built-in, graphical policy editor that eases management and supports a visual audit of security access policies.

◆ Administration
The Access Policy Manager provides a web-based Configuration utility. The Configuration utility includes tools for managing the Access Policy Manager, configuring secure access, creating and assigning resources, generating and installing certificates, and customizing the remote client user interface.


◆ Web application access management
With Access Policy Manager, you can configure authentication and access control for a web application behind a local traffic virtual server. Using web application access management, you create an access policy for a new or existing local traffic virtual server to provide authentication, access control, and endpoint security for the web application.

◆ Network access
With Access Policy Manager, you can configure a network access VPN connection for remote access. Using network access, you create an access policy and a local traffic virtual server so that end users can establish a full VPN connection to internal network resources.

◆ Web application access
With the Access Policy Manager, you can configure a remote access connection to one or more internal web applications. Using web applications, you create an access policy and a local traffic virtual server so that end users can access internal web applications through a single external virtual server. Use this if you need to provide secure extranet access to internal web applications without creating a full VPN connection.

◆ Audit trail
The Access Policy Manager provides audit tools, including full-session audit trails, drill-down session queries, and customizable reports and queries.

◆ High availability
You can configure Access Policy Managers to fail over to standby controllers, ensuring availability for users.

◆ Scalability
Access Policy Manager integrates with the BIG-IP system to support large-scale, high-performance deployments, providing universal, secure access for remote, wireless, and internal network users.

◆ BIG-IP system module
The Access Policy Manager runs as a module of the BIG-IP system. This integration provides a uniform framework that enables users to leverage access policy features with other BIG-IP modules, such as WebAccelerator and Application Security Manager.

◆ Client support
The Access Policy Manager includes web client support for many different systems, including Macintosh® and Linux®.

◆ BIG-IP Edge Client
Access Policy Manager is compatible with the BIG-IP Edge Client, a standalone secure client with robust connection features.


Understanding BIG-IP Access Policy Manager access types

Access Policy Manager can be configured to provide three types of access:

• network access

• web applications

• web application access management

You use each type of access for a different deployment scenario. Access Policy Manager provides a set of objects that you can define to provide access to your users through the different access methods, and you configure Access Policy Manager connections differently for each access type. Figure 1.1 shows the configuration objects for each Access Policy Manager access type. The access types share some configuration elements and differ in others; Table 1.1 lists the configuration elements that you use to configure each access type.

Configuration item      Network access        Web applications        Web application access management
Virtual server          Created specifically  Created specifically    Can use an existing local traffic virtual
                        for network access    for web applications    server, or create a specific one with
                                              connection              the wizard
Local traffic pool      No                    No                      Yes, required with at least one member
Access profile and      Yes                   Yes                     Yes
access policy
Connectivity profile    Yes                   No                      No
Rewrite profile         No                    Yes                     No
Network access          Yes                   No                      No
resource
Web applications        No                    Yes                     No
resource
Authentication          Yes, optional         Yes, optional           Yes, optional
ACLs                    Yes, optional         Yes, optional           Yes, optional
Client checks           Yes, optional         Yes, optional           Yes, optional
Webtop                  Yes, optional         Yes, optional           No

Table 1.1 Configuration elements for Access Policy Manager access types

Figure 1.1 shows the configuration flow for the three types of access on Access Policy Manager.

Figure 1.1 Configuration objects in Access Policy Manager

A client system can only connect using one of these configuration types at a time. However, you can configure multiple access types, and Access Policy Manager can dynamically determine the access type to provide during the access policy process, after the session starts.

Sections following describe each access type and scenario.

Working with network access
Network access provides a full encrypted VPN tunnel from the client system to back-end servers. Network access virtually puts the client machine inside the company network, so that clients perform operations exactly as if they sat within the corporate LAN. The administrator can configure access control lists that restrict access over the tunnel. Network access can provide connections that are always available to supported clients. Typically, you use full network access as the deployment method for client computers that are from well-known or trusted sources, such as company-provided laptops.

Understanding a basic network access scenario
This basic network access configuration assigns a webtop and a connection to network access clients, and uses access control lists (ACLs) to control the resources and protocols a user can work with. This network access connection specifies no authentication.

In this access scenario, you define the following objects:

• a connectivity profile

• a network access webtop

• a lease pool

• a network access resource

• one or more ACLs

• an access profile and an access policy that assigns the network access resource, network access webtop, and the ACLs

• a virtual server that specifies particular network access settings, including the connectivity profile and access profile

The objects that define this simple network access scenario are related as shown in Figure 1.2, following.

Figure 1.2 Basic network access configuration object flow

The access policy for this scenario is very simple, and contains only one item: a resource assign action that assigns the network access resource, the network access webtop, and any ACLs. The access policy is shown in Figure 1.3. An example resource assign action for this policy is shown in Figure 1.4.

Figure 1.3 Basic network access configuration access policy

Figure 1.4 Resource assign action configured for network access and an ACL

Working with web applications
Web applications connections configure a remote access connection to one or more internal web applications. With this access type, users can access internal web applications through a single external virtual server. The web applications access type provides secure interaction with proprietary and standard web applications, using link rewriting technology. Typically, you use web applications on less trusted devices, or when full network access is not supported on a particular type of device. Use this if you need to provide secure extranet access to internal web applications without creating a full VPN connection.

Understanding a basic web applications access scenario
This basic web applications configuration assigns a webtop and web applications resource for use by a remote access user. This web applications configuration specifies no authentication.

In this access scenario, you define the following objects:

• a web applications webtop

• a web applications resource

• an access profile and an access policy that assigns the web applications resource and the web applications webtop

• a virtual server that specifies particular web applications settings, including the rewrite profile and the access profile

The objects that define this simple web applications scenario are related as shown in Figure 1.5.

Figure 1.5 Basic web applications configuration object flow

The access policy for this scenario is very simple, and contains only one item: a resource assign action that assigns the web applications resource and the web applications webtop. This access policy, as it appears in the visual policy editor, is shown in Figure 1.6. An example resource assign action for this policy is shown in Figure 1.7.

Figure 1.6 Basic web applications configuration access policy

Figure 1.7 Resource assign action configured for web applications and an ACL

Working with web application access management
Web application access management provides client-side security, authentication services, and access control to Local Traffic Manager virtual servers that load balance web applications. Typically, you use web application access management to secure access to applications from a client system that is within a corporate environment.

Understanding a basic web application access management scenario
This basic web application access management configuration provides access control to a local traffic virtual server, and specifies client-specific ACLs. This web application access management access policy specifies no authentication.

In this access scenario, you define the following objects:

• a Local Traffic Manager virtual server with a configured pool

• an access profile and an access policy. The access profile is then selected in the Local Traffic Manager virtual server

The objects that define this simple web application access management scenario are related as shown in Figure 1.8.

Figure 1.8 Basic web application access management object flow

The access policy for this scenario contains a start point, a resource assign action, and an allow ending. You assign one or more ACLs to the access policy with the resource assign action, and by doing so you control access to the local traffic management virtual server. For a web application access management connection, no network access or web applications resource is assigned, and no webtop is assigned. This access policy appears in the visual policy editor as shown in Figure 1.9. An example resource assign action for this policy, with only an ACL assigned, is shown in Figure 1.10.

Figure 1.9 Basic web application access management policy with ACLs

Figure 1.10 Resource assign action for web application access management, configured for an ACL only

Using access profiles and policies
Access policies are configured visually in the visual policy editor. In the visual policy editor, all access policies start with a start point, and every access policy has at least one rule branch. All access policies have one or more endings. A successful ending is an allow ending, and an unsuccessful ending is a deny ending. Between the start and the end point are access policy items, which define the behavior of the access policy. The access policy is similar to a flow chart, where you read the flow of a user policy from left to right.

The simplest successful web application access management access policy has a start point, one or more ACLs, and an allow ending. This scenario, described in the section Understanding a basic web application access management scenario, on page 1-11, provides access control features for a local traffic virtual server.

The simplest network access or web applications access policy includes a start point and an allow ending, and includes a resource assign action that assigns a network access or web applications resource and a webtop. When a user connects with this access policy, the user is assigned a network access or web applications resource and a webtop by the resource assign action. The user then goes to an allow policy ending, and network access or web applications access is assigned to the user. Two such scenarios are described in the previous sections, Understanding a basic network access scenario, on page 1-6, and Understanding a basic web applications access scenario, on page 1-8.

However, you typically check for client integrity, and require authentication to access resources, so a more typical access policy is shown in Figure 1.11. This access policy contains one or more client-side checks, such as antivirus, firewall, or operating system checks, a logon page and authentication action, and a resource assignment action, followed by at least one allow ending, and deny endings for non-successful rule branches. The resource assignment action is used to assign either network access or web applications resources and respective webtops, and any ACLs that apply to the connection. For a web application access management connection, you can assign ACLs with the resource assignment action, but you do not assign a webtop or network access or web application resources.

Figure 1.11 A typical access policy in the visual policy editor

The basic access policy in Figure 1.11 includes actions that have successful and fallback rule branches (Antivirus Check, Firewall Check, Active Directory authentication), and actions that have single rule branches (Logon Page and Resource Assign).

You select an access profile in a virtual server definition, and the access policy associated with that access profile starts when a client connects to the virtual server. Access Policy Manager creates a blank access policy for every access profile. You can configure the access policy to dynamically assign objects to the user when the session starts, to determine the resources a user connects to, and to perform authentication and check client integrity. You can add logic and functionality to the access policy using configurable access policy items, and configure branches that change the flow of the policy. You can specify a web application or network access resource and webtop for the user as well.

For more information on access policy structure and configuration, see Chapter 6, Understanding Access Policies, and Chapter 7, Creating Access Profiles and Access Policies.

Using authentication in access policies
You can add authentication to an access policy using AAA servers (Authentication, Authorization, and Accounting) or client certificates.

Typically, you add two access policy items to add server authentication: a logon page action, and a AAA server action. Add the logon page action before the AAA server action. The logon page action presents a user with a logon page with customizable fields and text. The user enters credentials (for example, a logon name and password), and these credentials are then passed to the AAA server selected in the AAA server action. If a user is successfully authenticated, that user continues on the successful branch. A user who is not successfully authenticated continues on the fallback branch.

Figure 1.12 shows an access policy for web application access management that includes authentication. This access policy includes only two items: a logon page action, and an Active Directory authentication action. This policy requires a user to authenticate successfully to Active Directory to connect to a local traffic virtual server, which is load-balancing applications.

Figure 1.12 Simple access policy for web application access management

Assigning authentication in an access policy
You can add authentication to any access policy or any branch in an access policy. You can even add multiple authentication types, so, for example, a user who fails Active Directory authentication might then attempt RADIUS authentication. You can configure multiple types of authentication, for example, requiring users to authenticate with a certificate and with a AAA server. For more information on authentication methods and scenarios, see Chapter 11, Configuring Authentication Using AAA Servers, and Chapter 12, Introducing On-Demand Certificate Authentication.
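The flow-chart semantics described in the preceding sections (start point, items with successful and fallback rule branches, resource assign, allow and deny endings, and an Active Directory failure falling through to RADIUS) can be made concrete with a small policy evaluator. The following Python model is an added illustration, not F5 code and not how APM evaluates policies internally; the item names follow Figure 1.11, and the credential stores, user names, passwords and resource names are constructed for the example.

```python
"""Toy evaluator for an APM-style access policy (constructed illustration).

An access policy is modelled as a directed graph of items. Each item runs a
check against the session: items with two rule branches continue on the
"successful" branch when the check passes and on the "fallback" branch when
it fails, while single-branch items always continue on their only branch.
Evaluation stops at an allow or deny ending.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed credential stores standing in for the AAA servers the policy
# would query; a real deployment binds these items to configured AAA servers.
ACTIVE_DIRECTORY = {"alice": "Winter2010!"}
RADIUS = {"bob": "s3cret-token"}

ALLOW, DENY = "Allow", "Deny"


@dataclass
class Session:
    """Facts gathered from the client checks and the logon page (constructed)."""
    username: str
    password: str
    antivirus_running: bool = True
    firewall_enabled: bool = True
    assigned: List[str] = field(default_factory=list)  # resources, webtop, ACLs
    trail: List[str] = field(default_factory=list)     # items visited, for audit


@dataclass
class Item:
    """One access policy item: a check plus its rule branches."""
    check: Callable[[Session], bool]
    successful: str                 # next item when check() returns True
    fallback: Optional[str] = None  # next item when False; None = single branch


def aaa_auth(store: Dict[str, str]) -> Callable[[Session], bool]:
    """Authenticate the logon-page credentials against one credential store."""
    return lambda s: store.get(s.username) == s.password


def resource_assign(resources: List[str]) -> Callable[[Session], bool]:
    """Assign resources, webtop and ACLs to the session; always succeeds."""
    def action(s: Session) -> bool:
        s.assigned.extend(resources)
        return True
    return action


# The typical policy of Figure 1.11, with the AD-then-RADIUS fallback described
# under "Assigning authentication in an access policy". Names are constructed.
TYPICAL_POLICY: Dict[str, Item] = {
    "Start": Item(lambda s: True, "Antivirus Check"),
    "Antivirus Check": Item(lambda s: s.antivirus_running, "Firewall Check", DENY),
    "Firewall Check": Item(lambda s: s.firewall_enabled, "Logon Page", DENY),
    "Logon Page": Item(lambda s: True, "AD Auth"),
    "AD Auth": Item(aaa_auth(ACTIVE_DIRECTORY), "Resource Assign", "RADIUS Auth"),
    "RADIUS Auth": Item(aaa_auth(RADIUS), "Resource Assign", DENY),
    "Resource Assign": Item(
        resource_assign(["network_access_resource", "network_access_webtop",
                         "acl_intranet_only"]),
        ALLOW),
}


def evaluate(policy: Dict[str, Item], session: Session, max_steps: int = 50) -> str:
    """Walk the policy from Start and return the ending reached.

    A deny ending clears anything assigned along the way: a denied session
    receives no resources, webtop or ACLs.
    """
    node = "Start"
    for _ in range(max_steps):
        session.trail.append(node)
        if node in (ALLOW, DENY):
            if node == DENY:
                session.assigned.clear()
            return node
        item = policy[node]
        passed = item.check(session)
        node = item.successful if passed or item.fallback is None else item.fallback
    raise RuntimeError("policy reached no ending within max_steps (cycle?)")


if __name__ == "__main__":
    for s in (Session("alice", "Winter2010!"),
              Session("bob", "s3cret-token"),
              Session("alice", "wrong"),
              Session("alice", "Winter2010!", antivirus_running=False)):
        ending = evaluate(TYPICAL_POLICY, s)
        print(f"{s.username}: {ending} {s.assigned} via {' -> '.join(s.trail)}")
```

The `trail` list plays the role of the per-session audit trail: when a user is denied, it records which client check or authentication item produced the fallback, which is the first thing to look at when troubleshooting a failed logon.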

Using the Configuration utility
The Configuration utility is the browser-based graphical user interface for the BIG-IP system. In the Configuration utility, the navigation pane Main tab provides access to the access policy configuration objects, as well as the network, system, and local traffic configuration objects. The Help tab contains context-sensitive online help for each screen.

Figure 1.13 shows the Access Policy section of the navigation pane expanded.

Figure 1.13 Access policy items in the Configuration utility navigation pane

Overview of components of the Configuration utility
The Configuration utility contains the following components:

◆ The identification and messages area
The identification and messages area of the Configuration utility is the screen region that is above the navigation pane, the menu bar, and the body. In this area, you find the system identification, including the host name and management IP address. This area is also where certain system messages display, for example Apply Access Policy, which appears when you need to activate an access policy.

◆ The navigation pane
The navigation pane, on the left side of the screen, contains the Main tab, the Help tab, and the About tab. The Main tab provides links to the major configuration objects. The Help tab provides context-sensitive help for each screen in the Configuration utility. The About tab provides a quick way to view commonly used configuration objects.

◆ The menu bar
The menu bar, which is below the identification and messages area and above the body, provides links to the additional configuration objects within each major object.

◆ The body
The body is the screen area where the configuration settings display.

Getting started with BIG-IP Access Policy Manager
The Access Policy Manager is a multi-featured appliance whose interface allows configuration from any location. To initially set up the secure access connections for users, you can take any of several approaches. We recommend setting up a basic working policy, using the Access Policy Manager connection wizards. To set up connections with the wizards, review the section Using Access Policy Manager configuration wizards, following. You can follow the guidelines in the section Following the recommended configuration path to set up Access Policy Manager, or you can elect to travel your own path, choosing from the options described in Possible configuration scenarios, on page 1-23.

Using Access Policy Manager configuration wizards
With the Access Policy Manager wizards, you can quickly configure any of the three access types with a simple working configuration. After you configure a connection with the wizard, you can go back and edit the configuration to further customize the access policy.

To access Access Policy Manager wizards, in the navigation pane, expand Templates and Wizards, and click Device Wizards. The Device Wizards screen opens.

The following wizards are available.

• Network Access Setup Wizard for Remote Access - Configures a working VPN connection. Typically, this allows users outside your network to connect to specified networks, and use their applications and network sites as if they are physically on the network.

• Web Applications Setup Wizard for Remote Access - Configures access to specific web applications for remote users. Typically, this allows users outside the network to connect to specified web applications, such as Outlook Web Access or Sharepoint, without allowing full access to the entire network.

• Web Application Access Management for Local Traffic Virtual Server - Configures access to a local traffic virtual server managing web applications. Typically, this allows you to control access to the applications managed by the local traffic virtual server, using the features provided in the access policy. As an example, you can configure AAA server authentication, endpoint security, and other system checks before you allow access to the local traffic virtual server. You can configure this access type for an existing local traffic virtual server, or you can configure the virtual server with the wizard.

Note

The system includes online help for every screen in the wizard. To view the online help, click the Help tab in the navigation pane.

Using the network access wizard
Follow the steps and instructions in the wizard to configure and deploy a working network access connection. Note the following configuration items.

• The Policy Name specifies the name of the access policy to be created, and is used as the naming prefix for other objects configured with the access policy. Later, when you look for items created with the wizard, they are named with this prefix. For example, if you specify the prefix mytest, the access policy name is mytest_ap, and the virtual server is named mytest_vs. This name must be unique, and not already in use on the system.

• When you select the client side check option Enable Antivirus Check in Access Policy, the wizard adds a basic antivirus client-side check to the access policy. You can later refine this client-side check to verify a particular antivirus product, check the date of the virus database, and more. You can also add other client-side checks to the access policy. For more information, see Chapter 9, Configuring Client Side Checks and Client Side Actions.

• You can configure authentication with the wizard, or select No Authentication to create an access policy without authentication. After you select an authentication type, you can view online help for the authentication configuration options by clicking the Help tab in the navigation pane.

• Lease pools are a configuration requirement for network access connections. Each connection is assigned an IP address from the lease pool. You must configure a lease pool with as many IP addresses as connected users you expect to host.

• Client settings can be configured for the connection with the wizard. We strongly recommend you read Chapter 2, Configuring Network Access, and use the online help, if you plan to use settings other than the default values.

• DNS hosts for network access are required for your users to have functioning name resolution and Windows networking on your internal network. Specify a primary name server at a minimum. If you are using Microsoft networking features on your network, specify a primary WINS server.

• Specify a host name for the virtual server. In most cases, you do not specify a network when creating this virtual server. Allow the redirect server to be created; this eliminates the simple connection issue that users encounter when they do not type https before the virtual server host name.

• When you review the configuration, you can use the Previous and Next buttons to go back and edit the configuration before you click Finish. After you click Finish, the system creates and applies network access objects. You can still edit any item associated with the access profile from the Access Profile page (Access Policy : Access Profiles : name of access profile). You can edit the virtual server on the Virtual Server page (Local Traffic : Virtual Servers : name of virtual server).

Using the web applications wizard
Follow the steps and instructions in the wizard to configure and deploy a working web applications access policy. Note the following configuration items.

• The Policy Name specifies the name of the access policy to be created, and is used as the naming prefix for other objects configured with the access policy. Later, when you look for items created with the wizard, they are named with this prefix. For example, if you specify the prefix mytest, the access policy name is mytest_ap, and the virtual server is named mytest_vs. This name must be unique, and not already in use on the system.

• When you select the client side check option Enable Antivirus Check in Access Policy, the wizard adds a basic antivirus client-side check to the access policy. You can later refine this client-side check to verify a particular antivirus product, check the date of the virus database, and more. You can also add other client-side checks to the access policy. For more information, see Chapter 9, Configuring Client Side Checks and Client Side Actions.

• You can configure authentication with the wizard, or select No Authentication to create an access policy without authentication. After you select an authentication type, you can view online help for the authentication configuration options by clicking the Help tab in the navigation pane.

• Specify the internal web application start URI. This specifies the URI of the first page that a user sees after passing the access policy, for example http://myintranet.siterequest.com or http://myintranet/start.html.

• Specify a host name for the virtual server. In most cases, you do not specify a network when creating this virtual server. Allow the redirect server to be created; this eliminates the simple connection issue that users encounter when they do not type https before the virtual server host name.

• When you review the configuration, you can use the Previous and Next buttons to go back and edit the configuration before you click Finish. After you click Finish, the system creates and applies web application objects. You can still edit any item associated with the access profile from the Access Profile page (Access Policy : Access Profiles : name of access profile). You can edit the virtual server on the Virtual Server page (Local Traffic : Virtual Servers : name of virtual server).

Using the web application access management wizard
Follow the steps and instructions in the wizard to configure and deploy a working web application access management access policy. Note the following configuration items.

• On the first screen of the wizard, you have the option to continue the wizard and either use an existing virtual server or create a new virtual server with basic settings. Alternatively, you can cancel the wizard and create a virtual server manually, then later restart the wizard and select that virtual server in the configuration.

• The Policy Name specifies the name of the access policy to be created, and is used as the naming prefix for other objects configured with the access policy. Later, when you look for items created with the wizard, they are named with this prefix. For example, if you specify the prefix mytest, the access policy name is mytest_ap, and the virtual server is named mytest_vs. This name must be unique, and not already in use on the system.

• When you select the client side check option Enable Antivirus Check in Access Policy, the wizard adds a basic antivirus client-side check to the access policy. You can later refine this client-side check to verify a particular antivirus product, check the date of the virus database, and more. You can also add other client-side checks to the access policy. For more information, see Chapter 9, Configuring Client Side Checks and Client Side Actions.

• You can configure authentication with the wizard, or select No Authentication to create an access policy without authentication. After you select an authentication type, you can view online help for the authentication configuration options by clicking the Help tab in the navigation pane.

• If you are creating a virtual server in the wizard, specify a host name for the virtual server. In most cases, you do not specify a network when creating this virtual server. Allow the redirect server to be created; this eliminates the simple connection issue that users encounter when they do not type https before the virtual server host name.

• Specify a pool member IP address. This specifies the IP address for a new member of a default local traffic pool. When you create the virtual server, the wizard defines a new default pool with one member, defined by this IP address.

• When you review the configuration, you can use the Previous and Next buttons to go back and edit the configuration before you click Finish. After you click Finish, the system creates and applies virtual server objects. You can still edit any item associated with the access profile from the Access Profile page (Access Policy : Access Profiles : name of access profile). You can edit the virtual server on the Virtual Server page (Local Traffic : Virtual Servers : name of virtual server).

Following the recommended configuration path
If you are new to the Access Policy Manager, you can follow the path outlined in this section. This recommended path is designed to guide you through the most common operations, and includes references to other sections with related functionality.

◆ Determine client-system security requirements. For more information, see Understanding client-side checks, on page 9-1.

◆ Identify the authentication mechanism.The Access Policy Manager supports external authentication. You can select from a number of authentication methods, depending on the security setup you employ. These include Active Directory, RADIUS, LDAP, and certificate-based security.

• If you are not sure which type of authentication you want, review Understanding authentication with Access Policy Manager, on page 11-2.

• If you already have an authentication mechanism in place and you want to use it for verifying user identity, you can read more in Chapter 11, Configuring Authentication Using AAA Servers, and Chapter 12, Introducing On-Demand Certificate Authentication.

◆ Configure network access resources with the applications and functionality you want to provide, or create web application resources for your users. For web application access management applications, you do not create web applications or network access resources or webtops. For more information, you can review the content in Chapter 2, Configuring Network Access, Chapter 3, Configuring Web Applications, or Chapter 4, Configuring Web Application Access Management.

◆ Create ACLs for users. For more information, see Chapter 5, Configuring Resources.

◆ Create an access profile and access policy that you can associate with your virtual server, to give your clients secure access. For more information, see Chapter 7, Creating Access Profiles and Access Policies.

◆ Assign resources to users. For more information, see Assigning resources, on page 8-9.

◆ Test user connectivity. This is a good place to stop and test to make sure that users can connect to the Access Policy Manager. To do so, open a new browser window and log on using a logon account that you know exists.

◆ Create client SSL profiles for users. For more information, see Configuring client SSL profiles, on page 12-8.

◆ Define your virtual server. See Chapter 14, Configuring Virtual Servers.

◆ Create advanced access policies, for more complex secure access scenarios. For more information, you can review the content in Chapter 16, Advanced Topics in Access Policies, and in the BIG-IP Module Interoperability Implementations Guide.

◆ Read sample how-to scenarios. For more information, see Appendix B, Access Policy Example.

Possible configuration scenarios
There are several ways you can begin the configuration process.

◆ To authenticate users from an authentication server
If you have an authentication mechanism in place and you want to use it to verify user identity, you can read more in Chapter 11, Configuring Authentication Using AAA Servers.

◆ To gather information from client systems
If you want to specify requirements for client systems to determine authentication (whether to grant user access) and authorization (which resources to grant access to), you can read more in Chapter 9, Configuring Client Side Checks and Client Side Actions.

◆ To configure the resources, applications, and functionality you want to provide
If you prefer to start with the resources, applications, and functionality that you want to provide to your users, you can read more in Chapter 5, Configuring Resources, Chapter 2, Configuring Network Access, and Chapter 3, Configuring Web Applications.

◆ To learn about logging with the Access Policy Manager
If you want to get a head start on understanding the ongoing operations and logging functionality provided with the Access Policy Manager, review the content in Chapter 17, Logging and Reporting.

◆ To set up certificates on the server
If you are ready to set up and install server certificates for the Access Policy Manager, read more in Chapter 12, Introducing On-Demand Certificate Authentication.

◆ To see access policy examples
If you want exposure to sample policies with step-by-step examples, see Appendix B, Access Policy Example, and Chapter 16, Advanced Topics in Access Policies.

Finding help and technical support resources
You can find additional technical documentation about the Access Policy Manager using the following resources:

◆ The BIG-IP® Systems: Getting Started Guide describes how to initially set up, configure, and license your BIG-IP system. Before you set up the Access Policy Manager for the first time, we recommend that you read this guide in its entirety to become familiar with the product features, and the procedures for provisioning and licensing features.

◆ Release notes - Release notes containing the latest information for the current version of the Access Policy Manager are available on the F5 Networks Technical Support web site, https://support.f5.com. This site includes release notes for current and previous versions of the Access Policy Manager.

◆ Online help for Access Policy Manager features - You can find help online for all screens in the Configuration utility. To open the context-sensitive help in the Configuration utility, click the Help tab in the left navigation pane. To get help on a screen in the visual policy editor, click the Help button.

◆ F5 Networks Technical Support web site - The F5® Networks Technical Support web site, https://support.f5.com, provides the latest technical notes, answers to frequently asked questions, release notes and release note updates, and the Ask F5℠ Knowledge Base. You can also find all the guides in PDF format.

Finding the Access Policy Manager software version number
When you work with F5 Networks Technical Support, you might need to have the version number of the Access Policy Manager software that is running on your platform. You can find the software version number in the Configuration utility. Expand System in the navigation bar, then click Configuration. The Device General properties screen presents the host name, software version number, and other information. The following is an example of the Properties and Operations table.

Host Name                 apm.siterequest.com
Chassis Serial Number     bip012345s
Version                   BIG-IP 10.1.0 Build 1400.0 Final

Table 1.2 Properties and Operations table listing the version number


Chapter 2

Configuring Network Access

• Introducing network access

• Configuring network access settings

• Using lease pools

• Configuring traffic control


Introducing network access
The BIG-IP® Access Policy Manager™ network access feature provides secure access to corporate applications and data using a standard web browser, or the BIG-IP Edge Client™. Using network access, employees, partners, and customers can have access to corporate resources securely, from any location.

The Access Policy Manager’s network access feature provides users with the functionality of a traditional IPsec VPN client. Unlike IPsec, however, network access does not require any pre-installed software or configuration on the remote user’s computer. It is also much more robust than IPsec VPN against router and firewall incompatibilities.

Users connected through network access have functionality equivalent to that of users directly connected to the LAN. You can use access policies to control who may use network access. For information about access policies, see Chapter 7, Creating Access Profiles and Access Policies.

Reviewing network access features
Network access provides the following features.

◆ Full access from any client - Provides Windows®, Macintosh®, Linux®, and Windows Mobile users with access to the complete set of IP-based applications, network resources, and intranet files available, as if they were working at their desktop in the office.

◆ Split tunneling of traffic - Provides control over exactly what traffic is sent over the network access connection to the internal network and which is not. This feature provides better client application performance by allowing connections to the public Internet to go directly to the destination, rather than being routed down the tunnel and then out to the public Internet.

◆ Client checking - Detects operating system and browser versions, antivirus and firewall software, registry settings, and processes, and checks files during logon to ensure the client configuration meets the organization’s security policy for remote access.

◆ Compression of transferred data - Utilizes GZIP compression to compress traffic before it is encrypted, reducing the number of bytes transferred between the Access Policy Manager and the client system and improving performance.

◆ Routing table monitoring - Monitors changes made in the client's IP routing table during a network access connection. You can configure this feature to halt the connection if the routing table changes, helping prevent possible information leaks. This feature applies to Windows clients only.


◆ Session inactivity detection - Closes network access connections whose traffic stays below an inactivity threshold for a period that you can configure. This feature helps prevent security breaches.

◆ Automatic application start - Starts a client application automatically after establishing the network access connection. This feature simplifies user access to specific applications or sites.

◆ Automatic drive mapping - Connects the user to a specific drive on the intranet. This feature simplifies user access to files. Note: Automatic drive mapping is available only for Windows clients.

◆ Connection-based ACLs - Filters network traffic by controlling whether packets are allowed, discarded, or rejected, based on specified criteria. For example, connections can be filtered by Layer 4 properties such as source and destination IP address and port and protocol (TCP or UDP), and by Layer 7 properties such as scheme, host name, and path. ACLs also support auditing through logging. ACLs allow groups of users or access policy users to have full client-server application support without opening up the entire network to each user.

◆ Dynamic IP address assignment - Assigns client endpoint IP addresses dynamically from a configured pool of addresses. IP addresses can also be assigned from an external AAA server attribute.

◆ Traffic classification, prioritization, and marking - Provides the ability to classify and prioritize traffic to ensure levels of service to users with defined characteristics.

Understanding how network access works
Network access implements a point-to-point network connection over SSL. This is a secure solution that works well with firewalls and proxy servers. Network access gives remote users access to all applications and network resources.

Network access settings specify IP address pools that the Access Policy Manager uses to assign IP addresses to a client computer’s virtual network adapter. When the end user opens the address of the Access Policy Manager in a web browser, the browser opens an SSL connection to the Access Policy Manager. The user can then log on to the Access Policy Manager. You can see a visual representation of how network access works in Figure 2.1, following.


Figure 2.1 Network access process


Configuring network access settings
You configure a network access resource to allow your users access to your local network over a secure VPN connection.

To create a network access resource

1. On the Main tab of the navigation pane, expand Access Policy, and click Network Access. The Network Access Resource List screen opens.

2. Click Create. The New Resource screen opens.

3. In the Name box, type a name for the network access resource.

4. Configure the general settings for the network access resource. For detailed information on these settings, see Configuring general network access server settings, on page 2-5.

5. Configure the client settings for the network access resource. For detailed information on these settings, see Configuring settings on network access clients, on page 2-6.

6. Click Finished to save the network access resource. The Network Access Properties screen opens, and you can configure the properties for the network access resource.

To configure network access properties

1. On the Main tab of the navigation pane, expand Access Policy, and click Network Access. The Network Access Resource List screen opens.

2. Click a network access resource on the resource list. The Network Access Properties screen opens. This screen also opens immediately after you create a new network access resource.

3. Configure the properties for the network access resource on the Properties tab. For detailed information on these settings, see Setting up network access, on page 2-5.

4. Configure the DNS and host settings for the network access resource on the DNS/Hosts tab. For detailed information on these settings, see Setting DNS and hosts options, on page 2-9.

5. Configure drive mappings for the network access resource on the Drive Mappings tab. For detailed information on these settings, see Mapping drives with network access, on page 2-10.


6. Configure applications to launch for the network access resource on the Launch Applications tab. For detailed information on these settings, see Launching applications with network access connections, on page 2-11.

Setting up network access
You use options on the Network Access Properties screen to configure general tunnel information, tunneling and network settings, proxy settings for the client, and IP address assignment. You can also configure client behavior, map network drives, and set applications to start when network access connects.

Setting general properties
General properties include the name and a description of the network access connection.

• Name - Specifies a name for the connection. This is the name the end user sees in the Network Connections control panel in Windows.

• Description - A description of the network access connection. This is informational only.

Configuring general network access server settings
General settings configure the network access connection on the server side, and are not specific to each client.

• Basic/Advanced - Basic view hides the SNAT Pool and Timeout settings. Select Advanced to display these options for configuration.

• Lease Pool - Lease pools allow you to specify a collection of IP addresses as a single object, and associate that object with a network access resource. This allows a network access connection to be automatically assigned an unallocated IP address to use for the client IP address. Select a lease pool here to assign a lease pool to the network access resource.

• Compression - This setting compresses all VPN traffic between the network access client and the Access Policy Manager. Select GZIP Compression to compress traffic between the client and the Access Policy Manager. The default is No Compression. Compression is not active when the network access connection is configured for DTLS.

• SNAT Pool - You can select whether to use SNAT auto mapping or a specific SNAT pool. When a client starts a network access connection, it receives a dynamic IP address assignment to use for the PPP tunnel connection. The connection usually receives the next IP address available from the lease pool, or is assigned an address with another method.

Once the client gets an IP address, that IP address is typically what the end device sees. For example, if a network access client is dynamically assigned the address 10.1.1.1 from the lease pool, and the SNAT Pool setting is None, when the user connects to an internal server, the source address seen by the internal server is 10.1.1.1.

In the same situation, if the SNAT Pool setting is Automap, the address seen by the internal server is the internal address of the Access Policy Manager. For many client-server applications, SNAT Automap is adequate. However, it is not supported by Microsoft® networking, and SNAT automapping may not be sufficient for network access connections with large numbers of client users.

For these more advanced situations, you can create an SNAT pool, then select the name of the SNAT pool from the SNAT Pool list.

• By default, SNAT automapping is enabled. With SNAT Automapping enabled, active FTP connections fail, so you can only use passive FTP. To use active FTP, you must use a routed configuration.

• If you select None, make sure that your back-end servers are configured to route responses back to the device. If you must use active FTP, set the SNAT Pool option to None.

For more information on SNAT Automapping, see the Configuration Guide for BIG-IP® Local Traffic Manager™.

• Session Update Threshold - Displays the session update threshold. The session update threshold defines, in bytes per second, the criterion for updating the session. If the average bitrate falls below the threshold, the session is considered inactive, and the session is ended according to the inactivity timeout settings defined in the access profile.

• Session Update Window - Displays, in seconds, the period over which the bitrate is averaged. The session update window is used with the session update threshold to define when the session is inactive. If the average bitrate exceeds the session update threshold, the session is updated, and if it is below the threshold, it is not updated. If the session is not updated within the time specified for the inactivity timeout, the session expires. Important: If you set the bitrate threshold to zero, session update timeouts are not applied.
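The interaction between the Session Update Threshold, the Session Update Window, and the access profile's inactivity timeout is easier to see in a small model. The following is an added example and not F5 code: it evaluates the windowed average once per window (an assumption; the appliance's exact evaluation cadence is not described above), treats "exceeds" as a strict comparison, and shows that a trickle of traffic below the threshold does not keep a session alive, while a threshold of zero disables expiry entirely. The traffic samples are constructed for the example.

```python
"""Session-update bookkeeping from the Session Update Threshold and Window settings.

Added example, not F5 code. Models how the average bitrate measured over the
update window is compared against the bytes-per-second threshold, and how a
session that stops being "updated" expires after the access profile's
inactivity timeout. Evaluating once per window and using a strict
"exceeds" comparison are assumptions made here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SessionUpdatePolicy:
    threshold_bps: int          # Session Update Threshold, bytes per second (0 disables expiry)
    window_s: int               # Session Update Window, seconds to average over
    inactivity_timeout_s: int   # inactivity timeout from the access profile, seconds


def average_bitrate(samples: List[Tuple[int, int]], now: int, window_s: int) -> float:
    """Average bytes/second of the (second, bytes) samples in the interval (now - window_s, now]."""
    start = now - window_s
    total = sum(nbytes for sec, nbytes in samples if start < sec <= now)
    return total / window_s


def session_expiry(policy: SessionUpdatePolicy,
                   samples: List[Tuple[int, int]],
                   duration_s: int) -> Optional[int]:
    """Return the second at which the session expires, or None if it stays alive.

    The session is updated whenever the windowed average exceeds the threshold
    (always, when the threshold is zero). If no update happens for
    inactivity_timeout_s seconds, the session expires.
    """
    last_update = 0
    for now in range(policy.window_s, duration_s + 1, policy.window_s):
        rate = average_bitrate(samples, now, policy.window_s)
        if policy.threshold_bps == 0 or rate > policy.threshold_bps:
            last_update = now
        elif now - last_update >= policy.inactivity_timeout_s:
            return now
    return None


def constructed_samples(active_seconds: int, bytes_per_second: int) -> List[Tuple[int, int]]:
    """Constructed traffic profile: a steady transfer for active_seconds, then silence."""
    return [(sec, bytes_per_second) for sec in range(1, active_seconds + 1)]


if __name__ == "__main__":
    policy = SessionUpdatePolicy(threshold_bps=1000, window_s=10, inactivity_timeout_s=30)
    burst_then_idle = constructed_samples(active_seconds=20, bytes_per_second=2000)
    print("burst then idle expires at second:", session_expiry(policy, burst_then_idle, 120))
    trickle = constructed_samples(active_seconds=120, bytes_per_second=500)
    print("sub-threshold trickle expires at second:", session_expiry(policy, trickle, 120))
    disabled = SessionUpdatePolicy(threshold_bps=0, window_s=10, inactivity_timeout_s=30)
    print("threshold 0 never expires:", session_expiry(disabled, burst_then_idle, 120))
```

The trickle case is the one worth remembering when tuning these values: a client that keeps a few hundred bytes per second flowing is still "inactive" if that rate is below the threshold, so the threshold, not the mere presence of packets, decides whether the inactivity timer runs.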

Configuring settings on network access clients
Client settings govern specific configuration items on the network access client system.

◆ Basic/Advanced - Basic view shows only Traffic Options (split tunneling), Client Side Security options, Allow Local Subnet options, and Client Options. By default, the option Force all traffic through tunnel is enabled. Basic view also shows settings for LAN Address Space and DNS Address Space if you select Use split tunneling for traffic. You must select the Advanced view to configure DTLS mode, specify a client traffic classifier, or specify an exclude address space with split tunneling.

◆ Use split tunneling for traffic - Directs through the network access tunnel all network traffic destined for the LAN, specifically the addresses specified in the LAN address space box. A tunnel is a secure connection between computers or networks over a public network. When you configure split tunneling, the Access Policy Manager directs all other traffic out of the local network connection. When you enable split tunneling, you can configure the LAN address space, the DNS address space, and the Exclude address space (in Advanced mode only).

• LAN address space - Provides a list of addresses or address/mask pairs describing the target LAN. When you use split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for network access. You can add multiple address spaces and network masks to the list in their respective boxes, one at a time.

• DNS address space - Provides a list of names describing the target LAN DNS addresses. This box appears only if you use split tunneling. You can add multiple address spaces to the list, one at a time.

• Exclude address space - Specifies addresses for traffic that is not forced through the tunnel when you use split tunneling. Use this to exclude an address or range of addresses from the LAN address space.

◆ Force all traffic through tunnel - Routes all traffic (including traffic to the local subnet) through the tunnel. In this case, there is no local subnet. Users cannot access local resources, such as their printers at home, until they disconnect from network access. This is useful if you want to limit access to certain sites while the user is connected through the network access connection.

◆ Allow Local Subnet - Check this box to permit local subnet access and local access to any host or subnet in routes that you have specified in the client routing table. If you select this option, clients cannot use the integrated IP filtering engine.

◆ Client Side Security - Use these settings to configure options for the client on the tunneled network. The settings available are:

• Prohibit routing table changes during Network Access connection - This option terminates client connections when the client’s IP routing table changes during a network access session.


• Integrated IP filtering engine - Select this option to protect the VPN from outside traffic (traffic generated by network devices on the client’s LAN) and to ensure that VPN traffic does not leak to the client's LAN.

• Allow access to local DHCP server - Check this box if you want to allow clients to obtain renewed IP addresses from their local DHCP servers when their DHCP leases expire. This option applies when Integrated IP filtering engine is enabled.

◆ Client Traffic Classifier - Specifies a client traffic classifier to perform client traffic control. For more information, see Configuring traffic control, on page 2-15.

◆ Client Options - Use these settings to configure Microsoft Networking options for the client.

• Client for Microsoft Networks - Select this option to allow the client PC to access remote resources over a VPN connection. For example, the user can access shared network drives on the remote network.

• File and printer sharing for Microsoft Networks - Select this option to allow remote hosts to access shared resources on the client system over the VPN connection. For example, users on the remote network can access files on the client’s computer.

◆ Provide client certificate on Network Access connection when requested - If client certificates are required to establish an SSL connection, this option must always be enabled. However, you can disable this option if client certificates are requested only within an SSL session. If client certificates are requested, but not required, to establish the SSL connection, the client is not configured to send client certificates.

◆ Reconnect To Domain - Select the check box Synchronize with Active Directory policies on connection establishment to synchronize the client with the Active Directory network policies when the connection is established. When checked, this option enables a second check box, Execute logoff scripts on connection termination. Select this check box to run logoff scripts configured on the Active Directory domain when the connection is terminated.

◆ Client Interface Speed - Type the interface rate to display for secured client connections in bytes per second. The default rate is 100000000 bits per second. The rate you specify in this box is for display only, and does not affect the actual speed of the network access connection.

◆ DTLS - Select this option to use Datagram Transport Layer Security (DTLS) with the network access connection. This option uses UDP as the transport to provide better throughput for latency-sensitive applications like VoIP or streaming video, especially over lossy connections. If the port used by DTLS is blocked by an intermediate firewall or gateway, or is not available, the connection automatically falls back to TLS or SSL.

If you enable the DTLS option, you must configure another virtual server for DTLS with the same IP address as the TCP virtual server to which a user connects to start the Access Policy Manager session. See Creating a virtual server for DTLS, on page 14-3, for more information.

• DTLS Port - Type the port number that the network access resource uses for secure UDP traffic with DTLS. The default port is 4433.

◆ Client proxy settings - Directs network access clients to work through the specified proxy server on the remote network. This option requires the client computer to have Internet Explorer 5.0 or later installed. The following options are available only in the Advanced view, when you select the Client proxy settings option.

• Client Proxy Uses HTTP for Proxy Autoconfig Script - Some applications, like Citrix MetaFrame, cannot use the client proxy autoconfig script when the browser attempts to use the file:// prefix to locate it. Select this option to specify that the browser use http:// to locate the proxy autoconfig file, instead of file://.

• Client Proxy Autoconfig Script - Contains the URL of the proxy autoconfiguration script.

• Client Proxy Address and Client Proxy Port - Contain the address and port number of the proxy server you want network access clients to use to connect to the Internet.

• Bypass Proxy For Local Addresses - Indicates whether local (intranet) addresses bypass the proxy server.

• Client Proxy Exclusion List - Contains the web addresses that do not need to be accessed through the proxy server. You can use wildcard characters to match domain and host names or addresses. For example, you could specify www.*.com, 128.*, 240.*, *., mygroup.*, *x*, and so on. You can add each item separately.
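The traffic options described earlier in this section (Use split tunneling for traffic with its LAN, DNS, and Exclude address spaces, Force all traffic through tunnel, and Allow Local Subnet) together decide which client flows enter the tunnel. The following is an added example and not F5 code or the Edge Client's actual routing logic: it models those decisions for IP destinations and DNS names, and adds a configuration check for exclude entries that lie outside the LAN address space, which the guide says the exclude list is meant to carve out of. The precedence (Allow Local Subnet first, then Exclude, then LAN, otherwise local) and the sample address spaces are assumptions constructed for the example.

```python
"""Client-side traffic steering under the network access traffic options.

Added example, not F5 code. Models Force all traffic through tunnel, split
tunneling (LAN / DNS / Exclude address space) and Allow Local Subnet.
Precedence applied here is an assumption: an Allow Local Subnet match wins,
then an Exclude entry, then a LAN entry; anything else stays on the local
network connection.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TrafficOptions:
    force_all: bool = True                       # the guide's default setting
    allow_local_subnet: bool = False
    lan_address_space: List[str] = field(default_factory=list)      # addresses or address/mask pairs
    exclude_address_space: List[str] = field(default_factory=list)  # carved out of the LAN space
    dns_address_space: List[str] = field(default_factory=list)      # DNS suffixes for the LAN


def _networks(entries: List[str]):
    # strict=False lets an address/mask pair such as 10.1.2.3/24 mean its containing /24.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def route_decision(opts: TrafficOptions, dest: str, local_subnet: Optional[str] = None) -> str:
    """Return "tunnel" or "local" for a destination IP address."""
    ip = ipaddress.ip_address(dest)
    if opts.allow_local_subnet and local_subnet is not None:
        if ip in ipaddress.ip_network(local_subnet, strict=False):
            return "local"
    if opts.force_all:
        return "tunnel"
    if any(ip in net for net in _networks(opts.exclude_address_space)):
        return "local"
    if any(ip in net for net in _networks(opts.lan_address_space)):
        return "tunnel"
    return "local"


def dns_decision(opts: TrafficOptions, name: str) -> str:
    """Return "tunnel" when a host name falls under a configured DNS address space suffix."""
    if opts.force_all:
        return "tunnel"
    host = name.lower().rstrip(".")
    for suffix in opts.dns_address_space:
        sfx = suffix.lower().strip(".")
        if host == sfx or host.endswith("." + sfx):
            return "tunnel"
    return "local"


def uncovered_excludes(opts: TrafficOptions) -> List[str]:
    """Exclude entries not contained in any LAN address space entry (a likely configuration slip)."""
    lan = _networks(opts.lan_address_space)
    excludes = _networks(opts.exclude_address_space)
    return [entry for entry, net in zip(opts.exclude_address_space, excludes)
            if not any(net.version == l.version and net.subnet_of(l) for l in lan)]


if __name__ == "__main__":
    # Constructed configuration: tunnel the 10/8 corporate space except a lab /16.
    opts = TrafficOptions(force_all=False, allow_local_subnet=True,
                          lan_address_space=["10.0.0.0/8", "192.168.50.0/24"],
                          exclude_address_space=["10.200.0.0/16"],
                          dns_address_space=["siterequest.com"])
    for dest in ("10.1.2.3", "10.200.5.5", "8.8.8.8", "192.168.1.20"):
        print(dest, "->", route_decision(opts, dest, local_subnet="192.168.1.0/24"))
    print("intranet.siterequest.com ->", dns_decision(opts, "intranet.siterequest.com"))
    print("uncovered excludes:", uncovered_excludes(opts))
```

The uncovered_excludes check is the defensive piece: an exclude entry that is not inside the LAN address space has no effect on routing, so its presence usually means an administrator intended a different LAN entry.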

Setting DNS and hosts options
Select the DNS/Hosts tab when you want to set parameters for DNS configuration, and for static host names.

The screen presents options for specifying the following settings:

◆ Primary and Secondary Name Servers - Represents the IP addresses of the DNS servers that network access assigns to the remote user. These should be the DNS server or servers that the internal company network uses.


◆ Primary and Secondary WINS Servers - Represents the IP addresses of the WINS servers to be conveyed to the remote access point. These are needed for Microsoft Networking to function fully. For fully functioning Microsoft network share browsing, you should configure the network access connection to use an SNAT pool. For more information, see Configuring network access settings, on page 2-4.

◆ DNS Default Domain Suffix - Represents the DNS suffix to use on the client computer. If you do not specify a default domain suffix, network access uses the first suffix from the Access Policy Manager server DNS setting.

◆ Static Hosts - Here you can add, edit, and delete static host names. With static hosts, you can configure a list of static hosts for the network access client to use. The static hosts you configure modify a client computer’s local hosts table and override the configured DNS server, so you should use them only when you need to augment or override the existing DNS. You can also use static hosts when the client machine is locked down, and the DNS relay service is installed, to provide host resolution.

For this file-change operation, users on Windows platforms must have local administrative rights to modify the hosts file during the connection, or the administrator must change the attributes of the hosts file to allow non-administrative modification, or the system must have the DNS Relay service installed. Static hosts are supported on Windows clients only.

Mapping drives with network access
Use the Drive Mappings tab to map network drives when a network access connection is established. You can set options for specifying the UNC path to the network share, and the preferred drive letter to use for drive mapping, and you can add a description. If the drive letter is in use, the user is allowed to select any free drive letter.

Using drive mappings options, you can specify network shares to be mapped automatically on the client computer whenever a user logs on. Because the Access Policy Manager does not verify the accuracy of a path, you must make sure that the path is correct.

Important: Drive mapping is supported only for clients with Windows operating systems.

Troubleshooting drive mapping failures
After establishing a network access connection, Windows needs a varying length of time before it can start using WINS for NetBIOS name resolution (depending on network speed and other factors, usually about one minute). During this time, the drive-mapping operation can fail and provide the message: The network resource type is not correct. If the UNC path is configured with the NetBIOS name, you may get the message: The network path was not found.

If drive mapping fails, try the following corrections:

• Use IP addresses instead of NetBIOS names - For example, specify \\192.168.191.1\share instead of \\server\share.

• Use fully qualified DNS names - For example, specify \\server.domain.com\share instead of \\server\share.

• Check the default domain suffix - Make sure that the Access Policy Manager is configured with the proper DNS suffixes.

• Try the operation again - Advise users to retry mapping. Subsequent mapping attempts usually succeed after a 30 to 40-second delay. To retry, have the user click the Relaunch button in the user's network access popup window. The relaunch option is available only with the web client, not with the BIG-IP Edge Client.

Launching applications with network access connections
Use the Launch Applications tab to set options for configuring network access to start client-side applications. This feature is particularly useful for network access clients who connect to application servers for which they have a client-side component on their computers. For example, it is common to configure network access connections for directly accessing an internal Exchange server. In this case, when the client makes a network access connection, it automatically starts an Outlook client on the connecting computer. This makes access easier for the end user.

You can specify different applications for Windows, Macintosh, and UNIX remote systems.

Specifying application paths and parameters
On the Launch Applications screen, under General Properties, check the Display warning before launching applications box to display a warning to the network access user before any applications start.

You can configure multiple applications to launch by adding applications to the application list. For each application you configure, specify the complete path in the Application Path box and any application parameters in the Parameters box, and select the target operating system from the Operating System list. The following examples contain strings for the Application Path and Parameters boxes.

This example starts Internet Explorer pointed at an internal web server.

• Application Path: iexplore

• Parameters: http://internal_application.siterequest.com

This example starts the Microsoft Terminal Server client against an internal terminal server.

• Application Path: %SystemRoot%\System32\mstsc.exe

• Parameters: /v:internalterminalserver.siterequest.com /f

Running domain scripts
For certain client systems, you can automatically run domain logon scripts after establishing a network access connection. The client systems must meet the following requirements:

• The system is running Microsoft Windows 2000, Windows XP, or later.

• The remote user’s computer is a member of the specified domain.

• The user is logged on to Windows using domain credentials cached on the local client computer.

The following example illustrates how to start a domain logon script:

• Application Path: logon

• Parameters: \\domain_controller_ip_address %username% or domain_name %username%

The domain_name entry represents the target domain name, and the domain_controller_ip_address entry represents the IP address of the domain controller.


Using lease pools
A lease pool specifies a collection of IP addresses as a single object. You can use a lease pool to associate that collection of IP addresses with a network access resource. Use a lease pool with a network access connection to automatically assign an unallocated IP address to a network access client.

To create a lease pool

1. On the Main tab of the navigation pane, expand Access Policy, use the cursor to point to Network Access, and click Lease Pools. The Lease Pool List screen opens.

2. Click the Create button. The New Lease Pool screen opens.

3. In the Name box, type a name for the lease pool. The initial character for a lease pool name must be a letter, followed by either another letter, a number, a period, an underscore, or a dash. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.

4. Add IP addresses to the lease pool.

• To add a single IP address, in the Member List area, select IP Address for the type. In the IP Address box, type the IP address, and click the Add button.

• To add a range of IP addresses, in the Member List area, select IP Address Range for the type. In the Start IP Address box, type the first IP address, and in the End IP Address box, type the last IP address. Click the Add button.

• To delete an IP address or IP address range, select the IP address or IP address range in the member list, and click the Delete button.

5. When you have finished adding IP addresses to the list, click the Finished button. You can click the Repeat button to create and save the lease pool, then immediately create another lease pool with the same members, and a blank name.
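The procedure above defines what a lease pool contains (single addresses and inclusive address ranges) and the rule its name must satisfy; the general settings earlier in this chapter say a connection normally receives the next available address. The following is an added example and not F5 code: it models that behaviour end to end, applying the naming rule and reserved words quoted in step 3, expanding members into one ordered address list while dropping duplicates, and handing addresses out and back as sessions start and end. The pool name, session identifiers, and the 10.1.1.0/24 addresses are constructed for the example.

```python
"""Lease pool model: name validation, member expansion and address hand-out.

Added example, not F5 code. Applies the naming rule and reserved words from
the lease pool procedure, expands single addresses and inclusive ranges into
one ordered member list, and hands the next unallocated address to a network
access session, returning it to the pool when the session ends.
"""
import ipaddress
import re
from collections import deque
from typing import Deque, Dict, Iterable, List, Optional, Tuple, Union

# Reserved words listed in the guide; matching is case-sensitive, hence both none and None.
RESERVED_WORDS = {"all", "delete", "disable", "enable", "help", "list", "none", "show", "None"}
# A letter first, then any run of letters, digits, periods, underscores or dashes.
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*$")

Member = Union[str, Tuple[str, str]]   # "10.1.1.1" or ("10.1.1.10", "10.1.1.20") inclusive


def valid_pool_name(name: str) -> bool:
    """True when the name satisfies the guide's character rule and is not a reserved word."""
    return bool(NAME_PATTERN.match(name)) and name not in RESERVED_WORDS


def expand_members(members: Iterable[Member]) -> List[ipaddress.IPv4Address]:
    """Flatten single addresses and inclusive ranges, keeping order and dropping duplicates."""
    seen = set()
    out: List[ipaddress.IPv4Address] = []
    for m in members:
        if isinstance(m, tuple):
            start, end = ipaddress.IPv4Address(m[0]), ipaddress.IPv4Address(m[1])
            if end < start:
                raise ValueError(f"range end {end} precedes start {start}")
            addrs = (ipaddress.IPv4Address(i) for i in range(int(start), int(end) + 1))
        else:
            addrs = iter([ipaddress.IPv4Address(m)])
        for addr in addrs:
            if addr not in seen:
                seen.add(addr)
                out.append(addr)
    return out


class LeasePool:
    def __init__(self, name: str, members: Iterable[Member]):
        if not valid_pool_name(name):
            raise ValueError(f"invalid lease pool name: {name!r}")
        self.name = name
        self.free: Deque[ipaddress.IPv4Address] = deque(expand_members(members))
        self.leases: Dict[str, ipaddress.IPv4Address] = {}   # session id -> leased address

    def allocate(self, session_id: str) -> Optional[ipaddress.IPv4Address]:
        """Hand out the next unallocated address; None when the pool is exhausted."""
        if session_id in self.leases:          # a session keeps the address it already holds
            return self.leases[session_id]
        if not self.free:
            return None
        addr = self.free.popleft()
        self.leases[session_id] = addr
        return addr

    def release(self, session_id: str) -> Optional[ipaddress.IPv4Address]:
        """Return a session's address to the back of the free list."""
        addr = self.leases.pop(session_id, None)
        if addr is not None:
            self.free.append(addr)
        return addr


def allocation_trace(pool: LeasePool, session_ids: Iterable[str]) -> List[Optional[str]]:
    """Allocate for each session in turn and report the addresses handed out."""
    return [str(a) if a is not None else None for a in (pool.allocate(s) for s in session_ids)]


if __name__ == "__main__":
    pool = LeasePool("vpn_pool-1", ["10.1.1.1", ("10.1.1.10", "10.1.1.12"), "10.1.1.10"])
    print("members:", len(pool.free))                                  # 4 (duplicate dropped)
    print(allocation_trace(pool, ["s1", "s2", "s3", "s4", "s5"]))      # s5 gets None: exhausted
    print("released:", pool.release("s2"), "-> s5 now gets", pool.allocate("s5"))
```

Sizing the pool against the expected number of concurrent sessions matters for availability: once the free list is empty, new connections get no address, and the example makes that failure explicit rather than reusing a leased address.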

To edit or delete a lease pool

1. On the Main tab of the navigation pane, expand Access Policy, hover over Network Access, and click Lease Pools. The Lease Pool List screen opens.

2. In the Name column, click the name of the lease pool to edit. The Lease Pool Properties screen opens.

3. Add or remove IP addresses for the lease pool.

• To add a single IP address, in the Member List area, select IP Address for the type. In the IP Address box, type the IP address, and click the Add button.


• To add a range of IP addresses, in the Member List area, select IP Address Range for the type. In the Start IP Address box, type the first IP address, and in the End IP Address box, type the last IP address. Click the Add button.

• To delete an IP address or IP address range, select the IP address or IP address range in the member list, and click the Delete button.

4. To save the lease pool, click the Update button.

5. To delete the lease pool, click the Delete button, then click OK on the dialog that appears.

To assign a lease pool to a network access resource

1. On the Main tab of the navigation pane, expand Access Policy and click Network Access. The Network Access Resource List screen opens.

2. In the Name column, click the name of the network access resource to which you want to assign the lease pool. The Network Access Properties screen opens.

3. In the General Settings area, from the Lease Pool list, select the lease pool to assign.

4. When you are finished, click the Update button.


Configuring traffic control
Used together, traffic classifiers and client rate classes provide traffic shaping features on secure access connections. You configure a client traffic classifier, which defines source and destination IP addresses or networks, and can also define a protocol. The client traffic classifier is then associated with one or more client rate classes, which define base and peak rates for traffic to which it applies, and other traffic shaping features. A client traffic classifier is assigned in a network access resource.

Client rate class features include:

• Base Rate - Specifies the base data rate defined for the client rate class. You can select the units for this number from the list. Options include bps (bits per second), Kbps (kilobits per second), Mbps (megabits per second), or Gbps (gigabits per second).

• Ceiling Rate - Specifies the peak data rate defined for the client rate class. You can select the units for this number from the list. Options include bps (bits per second), Kbps (kilobits per second), Mbps (megabits per second), or Gbps (gigabits per second).

• Burst Size - Specifies the amount of traffic that is allowed to reach the peak rate defined for the traffic rate class. You can select the units for this number from the list. Options include bytes, Kilobytes, Megabytes, or Gigabytes.

• DSCP - If you select Override, you can specify an optional DSCP code for the client rate class. DSCP is a way of classifying traffic for Quality of Service. Traffic is classified using six-bit values, and then routers on the network interpret the traffic priority based on their configurations and prioritize traffic for QoS accordingly.

• Service Type - Specifies the service type in use for the client rate class. The following service types are available.

• Best Effort - Specifies that Windows traffic control creates a flow for this client traffic class, and traffic on the flow is handled with the same priority as other Best Effort traffic.

• Controlled Load - Specifies that traffic control transmits a very high percentage of packets for this client rate class to its intended receivers. Packet loss for this service type closely approximates the basic packet error rate of the transmission medium. Transmission delay for a very high percentage of the delivered packets does not greatly exceed the minimum transit delay experienced by any successfully delivered packet.

• Guaranteed - Guarantees that datagrams arrive within the guaranteed delivery time and are not discarded due to queue overflows, provided the flow's traffic stays within its specified traffic parameters. This service type is intended for applications that require guaranteed packet delivery.

• Mode - Displays the traffic shaping mode in use for the client rate class. The following modes are available.

• Shape - Delays packets submitted for transmission until they conform to the specified traffic profile.

• Discard - Discards packets that do not conform to the specified traffic control profile.

• Borrow - Allows traffic on the client rate class to borrow resources from other flows that are temporarily idle. Traffic that borrows resources is marked as nonconforming, and receives a lower priority.

After you configure a client rate class using the procedure in To configure traffic shaping with a client rate class, on page 2-16, you define a client traffic classifier, in which you select that client rate class, using the procedure To create a client traffic classifier, on page 2-17. Next, you assign the client traffic classifier to a network access resource. The client rate class rate shaping features are then applied to traffic that matches the criteria defined in the client traffic classifier filter.

To configure traffic shaping with a client rate class

1. On the Main tab of the navigation pane, expand Access Policy, use the cursor to point to Network Access, point to Client Traffic Control, and click Client Rate Classes. The Client Rate Class List screen opens.

2. Click Create. The New Client Rate Class screen opens.

3. In the Name box, type the name for the new client rate class.

4. In the Base Rate box, type the base rate for the client rate class. Select the units for the base rate from the list (bps, Kbps, Mbps, or Gbps). The base rate is the minimum rate available to the traffic you specify.

5. In the Peak Rate box, type the peak rate for the client rate class. Select the units for the peak rate from the list (bps, Kbps, Mbps, or Gbps). The peak rate is the maximum rate available to the traffic you specify.

6. (Optional) If you are using a differential services network, you can specify the DSCP value with which to mark this traffic in the DSCP box.

7. From the Mode list, select the traffic shaping mode.

8. From the Interface list, select the interface on which the client rate class will operate.

9. Click Finished when you are done.

To create a client traffic classifier

1. On the Main tab of the navigation pane, expand Access Policy, use the cursor to point to Network Access, point to Client Traffic Control, and click Client Traffic Classifiers. The Client Traffic Classifier List screen opens.

2. Click Create. The New Client Traffic Classifier screen opens.

3. In the Name box, type the name for the new client traffic classifier.

4. Click Create to create the client traffic classifier. The Client Traffic Classifier List screen opens.

5. Click the name of the client traffic classifier you just created. The Client Traffic Classifier Properties screen opens.

6. Under a rules section, click Add to add a client traffic classifier entry. Add rules only for the interfaces on the client computer whose traffic you must shape. You can apply rules to the virtual adapter (Virtual Network Access Interface), local physical adapters (Local Physical Interfaces), or all adapters (Virtual Network Access and Local Physical Interfaces).

7. From the Client Rate Class list, select the client rate class to which this client traffic classifier entry applies.

8. From the Protocol list, select TCP, UDP, or All Protocols.

9. In the Destination Address area, select the type of destination address (Any, Host, or Network), then provide required details: if you selected Host, in the Address box, type the IP address. If you selected Network, in the Address box, type the network address, and in the Mask box, type the network mask.

10. In the Destination port box, type a port number, or select an application from the list. To apply the client traffic classifier to all ports, select All Ports.

11. In the Source Address area, select the type of source address (Any, Host, or Network), then provide required details: if you selected Host, in the Address box, type the IP address. If you selected Network, in the Address box, type the network address, and in the Mask box, type the network mask. This area appears only if you select Advanced.

12. In the Source port box, type a port number, or select an application from the list. To apply the client traffic classifier to all ports, select All Ports. This box appears only if you select Advanced.

13. Click Finished when you are done.
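As an added illustration that is not F5 code, the following Python models how the fields entered in steps 7 through 12 (client rate class, protocol, destination and source address types, and ports) combine to pick a client rate class for a flow. The rate classes, addresses, and the first-match ordering are constructed assumptions.

```python
"""Constructed model of how a client traffic classifier entry selects the
client rate class for a flow, using the fields from the procedure above.
Added example, not F5 code; "first matching entry wins" is an assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class ClientRateClass:
    name: str
    base_rate_kbps: int   # minimum rate available to matching traffic
    peak_rate_kbps: int   # maximum rate available to matching traffic
    mode: str             # "Shape", "Discard" or "Borrow"


@dataclass(frozen=True)
class AddressMatch:
    kind: str          # "Any", "Host" or "Network"
    address: str = ""  # host IP, or network address when kind == "Network"
    mask: str = ""     # network mask, used only when kind == "Network"

    def matches(self, ip: str) -> bool:
        if self.kind == "Any":
            return True
        if self.kind == "Host":
            return ip_address(ip) == ip_address(self.address)
        if self.kind == "Network":
            net = ip_network(f"{self.address}/{self.mask}", strict=False)
            return ip_address(ip) in net
        raise ValueError(f"unknown address type {self.kind!r}")


@dataclass(frozen=True)
class ClassifierEntry:
    rate_class: ClientRateClass
    protocol: str                     # "TCP", "UDP" or "All Protocols"
    destination: AddressMatch
    destination_port: Optional[int]   # None stands for "All Ports"
    # Source fields exist only in the Advanced view; they default to Any / All Ports
    source: AddressMatch = AddressMatch("Any")
    source_port: Optional[int] = None

    def matches(self, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> bool:
        if self.protocol != "All Protocols" and self.protocol != proto:
            return False
        if self.destination_port is not None and self.destination_port != dst_port:
            return False
        if self.source_port is not None and self.source_port != src_port:
            return False
        return self.destination.matches(dst_ip) and self.source.matches(src_ip)


def classify(entries: List[ClassifierEntry], proto: str, src_ip: str,
             src_port: int, dst_ip: str, dst_port: int) -> Optional[ClientRateClass]:
    """Return the rate class of the first entry the flow matches, or None
    when no entry matches (the flow is then not shaped at all)."""
    for entry in entries:
        if entry.matches(proto, src_ip, src_port, dst_ip, dst_port):
            return entry.rate_class
    return None


# Constructed classifier: SIP signalling to the voice subnet gets a shaped
# 128/256 Kbps class; bulk TCP to one file server gets a discard class.
VOICE = ClientRateClass("voice", 128, 256, "Shape")
BULK = ClientRateClass("bulk", 512, 2000, "Discard")
ENTRIES = [
    ClassifierEntry(VOICE, "UDP", AddressMatch("Network", "10.1.20.0", "255.255.255.0"), 5060),
    ClassifierEntry(BULK, "TCP", AddressMatch("Host", "10.1.30.5"), None),
]
```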

Chapter 3

Configuring Web Applications

• Introducing web applications

• Configuring web applications on Access Policy Manager

• Configuring a rewrite profile

Introducing web applications

Web applications access enables end users to access internal web applications, like iNotes or Outlook Web Access, with a web browser from outside the network. With web applications, the BIG-IP® Access Policy Manager™ communicates with back-end servers, and rewrites the links in the web page so that further requests from the client browser come back to the Access Policy Manager. The advantage is that the client computer requires no client software other than a browser application.

Web applications access provides clients with secure access to internal web servers, such as Microsoft® Outlook® Web Access (OWA), Microsoft SharePoint®, and IBM® Domino® Web Access (also known as Lotus® iNotes®). Using Web applications functionality, you can also provide access to most web-based applications and internal web servers. The rewriting engine also supports rewriting complex JavaScript™. You can use features such as the web cache, minimal content rewriting mode, and others, to help refine compatibility and tune performance.

This method of access differs from connections configured for network access, which provide direct access from the client to the internal network. Network Access does not manipulate or analyze the content being passed between the client and the internal network. The web applications configuration gives the administrator both refined control over the applications that a user can access through Access Policy Manager, and content inspection for the application data.

The other advantage of web applications access is security. Even if a workstation does not meet the security requirements for full Network Access, the access policy can still direct that workstation to specific required web applications without allowing full network access.

In a web applications access policy, the client computer itself never communicates directly with the end-point application. That means that all communication is inspected at a very high level, and any attacks originating on the client computer fail because the attack cannot navigate through the links that have been rewritten by the web applications engine.

Introducing web applications features and operation

Web applications access policies provide secure access to intranet web applications. The application being accessed and the protocol being supported (HTTP and HTTPS) dictate how web applications features operate. Figure 3.1 shows the process that a web applications connection follows.

Figure 3.1 The web applications functionality of the Access Policy Manager

Introducing web applications support

You can use web applications to provide unified, secure access for one or more LAN internal web applications. The Access Policy Manager provides additional functionality to secure connections from client machines, such as public kiosks or PDAs, to ensure the security necessary to allow access to these web applications with a web browser.

Understanding full patching mode

In full patching mode, Access Policy Manager primarily retrieves content from backend servers and rewrites content so it can be presented to a web browser, as if the content originated from the Access Policy Manager. The Access Policy Manager portal rewrites content for two reasons:

• To make intranet targets resolvable: no matter which intranet host a link points to, the request must go through the Access Policy Manager.

• To make all requests resolvable by the Access Policy Manager: the rewritten link tells the Access Policy Manager unambiguously where to proxy the request.

In the web applications rewriting implementation, the string /f5-w-<mangled scheme://host:port> is prefixed to every HTML link or dynamic URL. This provides the required multiplexing behavior on a single Access Policy Manager.

For example, assume content from a server contains:

<a href=http://server.company.com/link.htm>Click Here</a>

Access Policy Manager rewrites the code as:

<a href=https://apm.company.com/f5-w-a5c4...>Click Here</a>

In addition to URLs, the Access Policy Manager handles cookies on the server side to provide client features; the cookies themselves are not passed to the client.

Understanding minimal patching mode

You can use the minimal patching feature to allow only minimal rewriting of your web application content.

To use minimal patching, the following conditions must be met:

• The web application must reside on a single server. The Access Policy Manager cannot process URLs for multiple servers when minimal patching is enabled.

• You must create a Local Traffic pool for that server, and select it as the default pool in the virtual server definition.

• You must configure the web application with host * and port 0 (or any).

• You must configure the scheme any, not http or https.

In minimal patching mode, only HTML and CSS content is patched.

Note

In minimal patching mode, if your web application sets cookies, the cookie domain must match the virtual server domain.

Note

If your web application does not use SSL, do not configure the virtual server with the Server SSL profile serverssl.

You can configure minimal patching for two modes:

◆ Scheme Patching - Specifies a method of patching that replaces all HTTP scheme addresses with HTTPS scheme addresses.

◆ Host Patching - Specifies a method of patching where a host or multiple hosts, typically the actual application server host name, is replaced with another host, the Access Policy Manager virtual server. You can specify multiple hosts separated with spaces for host search strings. The host replace string must be the Access Policy Manager virtual server IP address or fully qualified domain name (FQDN).
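The following Python is added here and is not part of F5's rewrite engine. It illustrates both the full patching prefix described under Understanding full patching mode (every link prefixed with /f5-w-<origin> on the Access Policy Manager host, and the reverse lookup that tells the proxy where to send the request) and the two minimal patching modes above. The hex encoding of scheme://host:port standing in for the mangled origin, the host apm.company.com, and the sample HTML are all assumptions.

```python
"""Link rewriter modelled on the full and minimal patching modes described
above. Added example, not F5's rewrite engine: the /f5-w-<token> encoding
(hex of "scheme://host:port") is an assumption standing in for APM's own
mangling, and apm.company.com is the assumed virtual server FQDN."""
import re
from urllib.parse import urljoin, urlsplit

APM_HOST = "apm.company.com"  # assumed Access Policy Manager virtual server

# href/src/action attributes, quoted or unquoted (the guide's example is unquoted)
URL_ATTR_RE = re.compile(
    r"""(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["']?)(?P<url>[^"'\s>]+)(?P=q)""",
    re.IGNORECASE,
)
PREFIX_RE = re.compile(r"^/f5-w-([0-9a-f]+)(/.*)?$")


def mangle_origin(scheme: str, host: str, port: int) -> str:
    """Encode the origin so that it can travel inside one path segment."""
    return f"{scheme}://{host}:{port}".encode("ascii").hex()


def unmangle_origin(token: str):
    """Inverse of mangle_origin: returns (scheme, host, port)."""
    parts = urlsplit(bytes.fromhex(token).decode("ascii"))
    return parts.scheme, parts.hostname, parts.port


def full_patch(html: str, page_url: str) -> str:
    """Full patching: prefix every HTTP(S) link with /f5-w-<origin> on the
    APM host, so every follow-up request comes back through APM. page_url is
    the URL of the page being rewritten, used to absolutise relative links."""

    def rewrite(m):
        target = urljoin(page_url, m.group("url"))
        parts = urlsplit(target)
        if parts.scheme not in ("http", "https") or parts.hostname == APM_HOST:
            return m.group(0)  # mailto:/javascript: links and already-rewritten links stay
        port = parts.port or (443 if parts.scheme == "https" else 80)
        token = mangle_origin(parts.scheme, parts.hostname, port)
        new_url = f"https://{APM_HOST}/f5-w-{token}{parts.path or '/'}"
        if parts.query:
            new_url += "?" + parts.query
        return f"{m.group('attr')}{m.group('q')}{new_url}{m.group('q')}"

    return URL_ATTR_RE.sub(rewrite, html)


def route_request(request_path: str):
    """Demultiplexing side: recover (scheme, host, port, path) from a request
    that arrived at APM. None means the request carries no prefix, so the
    proxy cannot decide unambiguously where to send it."""
    m = PREFIX_RE.match(request_path)
    if not m:
        return None
    scheme, host, port = unmangle_origin(m.group(1))
    return scheme, host, port, m.group(2) or "/"


def scheme_patch(html: str) -> str:
    """Minimal patching, scheme mode: replace every http:// with https://."""
    return re.sub(r"\bhttp://", "https://", html, flags=re.IGNORECASE)


def host_patch(html: str, host_search: str, host_replace: str) -> str:
    """Minimal patching, host mode: each space-separated search host is
    replaced with the APM virtual server (IP or FQDN); nothing else changes."""
    for host in host_search.split():
        pattern = r"(?<![\w.-])" + re.escape(host) + r"(?![\w.-])"
        html = re.sub(pattern, host_replace, html, flags=re.IGNORECASE)
    return html


if __name__ == "__main__":
    # Constructed content mirroring the guide's example
    page = "<a href=http://server.company.com/link.htm>Click Here</a>"
    patched = full_patch(page, "http://server.company.com/")
    print(patched)
    print(route_request(patched.split("https://apm.company.com", 1)[1].split(">", 1)[0]))
    print(scheme_patch(page))
    print(host_patch(page, "server.company.com", APM_HOST))
```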

Understanding proxy and cache functionality

You can use the Access Policy Manager web applications feature for the following operations:

• Rewrite of complex HTML, JavaScript, and CSS content

• Dynamic cache of rewritten content

• Minimal scheme and host patching

The Access Policy Manager uses a high-performance, full-content rewrite engine to handle complex HTML, JavaScript, and CSS. You can also enable a built-in dynamic cache, so that the Access Policy Manager does not have to repeatedly rewrite content for static objects such as HTML, JavaScript, and style sheets.

Understanding web application resource items

Web application resource items are actual web applications that you add to a web applications configuration. The web application resource list allows you to specify several web applications using IP addresses, host names, or networks, and then to group these resources under a common web application name. It is also possible to configure every web application individually, with only one item on the web application resource list. Each web application resource item specifies the web application location information, and properties for the web application. While the web application configuration specifies the overall patching method for a web application access policy, for each separate web application resource item you can specify a web location, and properties for compression, caching, SSO (single sign-on), session timeout, Home tab usage, and logging.

Understanding web application headers

In a web application resource item in Advanced view, you can configure headers to send to the application server. Headers are sent as name-value pairs. To add a header, type the header name and value in the boxes next to the Header section, and click the Add button.

Understanding web application compression

You can define compression functionality for a web applications resource item on the Web Applications Resource Item Properties screen.

The following options are available for Compression:

• No Compression - Web application-generated content is not compressed. This requires increased bandwidth, and one result is slower load times for some application types. However, it also results in less usage of system resources.

• GZIP Compression - Uses the gzip compression utility to substantially reduce the size of generated content. The most noticeable improvement in speed occurs when accessing pages that contain large Java classes or other large elements (images, scripts, and so on), but not when accessing pages that reference Java packages (.jar files), class archives (.zip files), or compressed images (.jpg, .png, and compressed TIFF files).

For iNotes and other Java-based web mail packages, enabling compression vastly improves the speed at which pages are loaded.

Note

To enable compression, configure the web applications virtual server HTTP profile with compression enabled.

Understanding web application caching

You can define client-side caching functionality for a web applications resource item on the Web Applications Resource Item Properties screen. To access the screen, in the navigation pane, expand Access Policy, click Web Applications, and click a resource item.

The following options are available for Client Cache:

Note

In any caching scenario, Access Policy Manager caches only those objects that the remote server designates can be cached.

• Default - Takes the client cache settings from the rewrite profile. In the rewrite profile, you can specify one of four client caching options: CSS and JavaScript; CSS, Images and JavaScript; No Cache; or Cache All. If you configure a client cache setting other than Default in the web application resource item, that setting overrides the cache setting in the rewrite profile.

• Cache All - Caches everything that can be cached, including CSS, images, JavaScript, and XML. Provides the fastest client performance and the lowest security. To allow your clients to download and save attachments, use the Cache All setting. For example, to make sure Outlook Web Access 2007 attachments can be downloaded, configure the web application resource URI /owa/attachment* with the Cache All setting.

• No Cache - Caches nothing. This provides the slowest client performance and is the most secure.

Allowing sessions to time out

To allow sessions to time out based on the timeout settings in the access profile, use this option. To enable the session timeout for a web application resource, select the Session Timeout check box in the advanced resource item properties. To disable the session timeout for a web application resource item, clear the check box.

Configuring Home tab insertion

The Access Policy Manager inserts a small amount of JavaScript into HTML pages that generates the hometab. The hometab displays the Home and Logout navigation links, and the Address bar, where a user can enter a URI to access the web application. To enable the Home tab on a web application page, select the Home Tab check box in the advanced resource item properties. Pages generated without the Home Tab JavaScript contain no Home or Logout links. The Home tab can be fully customized. See Reviewing web applications hometab settings, on page 15-19.

Configuring web applications on Access Policy Manager

You can configure the Access Policy Manager to provide access to web applications without requiring client configuration changes or software downloads. Typically, you use web applications access when your users only require access to specific internal web portal-based applications, and do not require full Network Access. The Access Policy Manager provides security by rewriting URLs and other links in the original HTML document, CSS, and JavaScript content.

F5 Networks has tested the following web applications to ensure that the Access Policy Manager handles them without requiring any reconfiguration.

• Microsoft® Outlook Web Access 2003 and 2007

• Microsoft® SharePoint 2003, 2007

• IBM Lotus Domino Web Access 7.x and 8.0

Some custom web applications work through web applications access without any changes to the application itself.

If you have a specific web application that requires additional configuration to work through web applications, you can generally use Network Access. Network Access provides a direct connection to the internal network, and does not require proxy-based changes or modification of web application content. If you cannot use web applications or Network Access to solve access issues, you can try the minimal patching feature. For more information about this feature, see Understanding minimal patching mode, on page 3-3.

To configure a web application

1. From the navigation pane, expand Access Policy and click Web Applications. The Web Applications Resource List screen opens.

2. Click Create. The New Resource screen opens.

3. In the Name box, type a name for the web application.

4. In the Configuration section, select whether to match case for paths.

5. From the Patching Type list, select the patching type for the web application. For full and minimal patching types, you can select or clear specific patching methods.

6. If you selected host patching with the minimal patching method, type a host search string, or multiple host search strings separated with spaces, and the host replace string, which must be the Access Policy Manager virtual server IP address or FQDN.

7. If your application is behind a proxy server, to specify a proxy host and port, select Advanced for the configuration, and type the proxy host and proxy port.

8. Click the Create button to create the web application. The Web Applications Properties screen opens.

To configure a web application resource item

1. From the navigation pane, expand Access Policy and click Web Applications. The Web Applications Resource List screen opens.

2. Click the name of the web application to which you want to add a resource item. The Web Applications Properties screen opens.

3. In the Resource Items area, click Add. The New Resource Item screen opens.

4. In the New Resource Item section, select Basic or Advanced. Advanced allows you to add Headers.

5. For the Destination setting, select the type of destination (Host Name, IP Address, or Network). Important: The type of destination must match the destination address your users will specify to connect to the web application. For example, users cannot connect using a host name if you specify an IP address for the web application.

6. Type the host name, IP address, or network address and mask in the boxes provided.

7. In the Port box, type the port number. To allow all ports, type 0, or select Any from the Scheme list.

8. From the Scheme list, select the scheme (HTTP or HTTPS), or select any for both.

9. In the Paths box, type the path to the application. This is the URI, including the leading slash. For example, /webapp/webapp.aspx. You can specify multiple paths by separating them with spaces, and use * and ? wildcard characters.

10. If you select Advanced, you can add headers. In the Name and Value boxes in the Headers section, type the name and value pair for each header, and click Add.

11. In the Resource Item Properties section, select Basic or Advanced. Advanced allows you to enable or disable Session Timeout and the Home Tab.

12. From the Compression list, select the compression option.

13. From the Client Cache list, select the client caching option. See Understanding web application caching, on page 3-5, for more information.

14. If you are using an SSO configuration for Single Sign On, from the SSO Configuration list, select the SSO configuration.

15. Select whether to enable the Session Update and Home Tab options with the associated check boxes.

16. From the Log list, select the logging level.

17. When you are finished, click Update. The Web Application Properties screen opens.

Configuring a rewrite profile

A rewrite profile defines client caching settings for a virtual server. You can configure a rewrite profile and select the rewrite profile when you configure the virtual server for a web applications access policy. Alternatively, you can use the default rewrite profile, rewrite.

The rewrite profile provides four options for client caching. When a web application resource item's Client Cache setting is set to Default, the caching option configured in the rewrite profile is used. If the Client Cache option is configured for any other setting, the web application resource item configuration overrides the setting in the rewrite profile.

The following options are available in the rewrite profile:

• CSS and JavaScript - caches CSS and JavaScript. This is the default rewrite caching configuration, and provides a balance between performance and security.

• CSS, Images and JavaScript - Caches CSS, images, and JavaScript. This provides faster client performance but is slightly less secure because of cached images in the client browser cache.

• No Cache - Caches nothing. This provides the slowest client performance and is the most secure.

• Cache All - Caches everything that can be cached, including CSS, images, JavaScript, and XML. Provides the fastest client performance and the lowest security.

To create a rewrite profile

1. From the main navigation pane, expand Access Policy, and click Rewrite Profiles. The Rewrite Profile List screen opens.

2. Click Create. The New Profile screen opens.

3. In the Name box, type a name for the rewrite profile.

4. (Optional) From the Parent Profile list, select a parent profile. The new rewrite profile inherits the Client Caching Type setting from the parent profile.

5. (Optional) Next to Settings, select the Custom check box to change the Client Caching Type.

6. From the Client Caching Type list, select the caching option.

7. Click Finished.

To assign the rewrite profile to a virtual server, see Configuring virtual servers for access policies, on page 14-2.

Chapter 4

Configuring Web Application Access Management

• Introducing web application access management

• Reviewing web application access management options

• Configuring web application access management

Introducing web application access management

The BIG-IP® Access Policy Manager™ provides various methods to pass user traffic and control access to applications by creating traffic tunnels using network access or allowing access to specific web applications.

However, the flexibility of Access Policy Manager provides another method to perform access control to web applications configured as local traffic pool members. This method of access is referred to as web application access management.

When used with BIG-IP® Local Traffic Manager™, Access Policy Manager provides access policy features only.

For more information on BIG-IP® Local Traffic Manager features, refer to the Configuration Guide for BIG-IP® Local Traffic Manager™.

Understanding how web application access management works

Web application access management provides users the ability to access their web applications, through a web browser, without the use of tunnels or specific resources. In this scenario the user is authenticated and checked by the access policy in Access Policy Manager, without defining a resource or webtop. For example, you can have a configuration with ACLs, security checks, and authentication.

Note

Currently, you can configure access only to web applications with web application access management.

Through this method of access control, the Access Policy Manager communicates with backend web servers, forwarding requests from the client to web servers within a local traffic pool.

In a typical web application access connection, access occurs through a rewriting engine that rewrites links and URLs to and from the client. Web application access management eliminates the need for content rewriting, allowing access to the configured local traffic pool after the user passes through the access policy checks.

Where you want additional security for web applications that are accessed within your local environment, we highly recommend using Access Policy Manager together with Local Traffic Manager to achieve this.

Reviewing web application access management options

There are some web application access management configuration options you may want to consider before setting up this method for web application access.

• Front-end SSL - The decision to either use or not use SSL should be dictated by the level of security required. Applications that do any form of authentication where passwords are transmitted in the clear, or where any information between the client and the virtual server must be secured, should use SSL. Additionally, where SSL is used by the backend web servers, it is best to configure SSL by the virtual server.

• HTTP profile compression - You can enable compression on the HTTP profile used by the virtual server. Use compression to provide a better end user experience, particularly where there is limited bandwidth or high latency between the virtual server and the client.

Setting timeouts for web application access policy management

The web application access management access type has no logout mechanism, so you must configure a custom timeout option from the following choices. Web application access management timeouts are triggered by user inactivity.

The following timeout mechanisms are available:

• Cache and session control access policy item - The cache and session control access policy item terminates a user session when it detects that the browser window is closed. You can also use the cache and session control action in an access policy, to provide inactivity timeouts to the user session. Use the Terminate session on user inactivity setting to configure the timeout for a web application access management session. The cache and session control action is supported on Windows browsers only. For configuration information, see Setting up cache and session control, on page 9-26.

• Access Profile properties. You can configure a timeout in the access profile.

• The Maximum Session Timeout setting provides an absolute limit for the duration of the access policy connection, regardless of user activity. If you want to ensure that a user session is closed after a certain period of time, configure this setting. Note that this setting is configured in seconds.

• The Inactivity Timeout setting terminates the session if there is no traffic flow in the specified amount of time. Note that this setting is configured in seconds. Depending on the application, you may not want to set the inactivity timeout to a very short duration, as many applications may cache user typing, and generate no traffic for an extended period. In this scenario, a session may time out when the application is still in use, but the content of the user input is not relayed back to the server. For configuration information, see Understanding access profile settings, on page 7-1.

Understanding other web application access management considerations

You must consider the following configuration items when configuring web application access management.

• SSL matching - SSL should be used consistently on the virtual server, as it is used with the web server. In other words, if the web server uses SSL, the virtual server should use SSL.

• Multi-host service - When you implement a service with multiple hosts, access through the virtual server for new requests causes the load balancing algorithm for the associated member pool to select a new server. This can cause problems if persistence to a particular host is required.


Configuring web application access management

Configuring for web application access management requires that you configure both the BIG-IP® Local Traffic Manager and Access Policy Manager.

When you configure for this method of access, you create a virtual server with a pool of one or more HTTP server members, and you attach an access policy to that virtual server. This access policy optionally provides endpoint security, authentication, and access control lists. The nodes and pools that represent the web applications are associated with this virtual server.

Important

When you create an access policy, the policy cannot include a network access or web applications resource or webtop.

Configuring for web application access management requires these basic steps:

• Create an access profile

• Create nodes that represent the web servers

• Add nodes to the pool

• Create a virtual server

To create an access profile

1. On the Main tab of the navigation pane, expand Access Policy, and click Access Profiles.The Access Profile screen opens.

2. Click the Create button.The New Access Profiles screen opens.

3. Specify the information for all the required parameters.

4. Add any checks and actions required to the access policy. You can assign an ACL with the resource assign action, but do not assign a webtop or a web applications or network access resource.

To create nodes that represent web servers

1. On the Main tab of the navigation pane, expand Local Traffic, and click Nodes.

2. Click Create.

3. Enter an address for the node.

4. Repeat these steps to create a node for every web server you want to represent.

5. Click Finished.


To add nodes to a pool

1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools.

2. Click Create.

3. Add each node you created to the pool, using the New Members setting.

4. Click Finished.

To create a virtual server

1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.

2. Click Create.

3. Type the name and address of the virtual server.

4. Select a service port.

5. Select the HTTP Profile from the available options. The default profile, http, is usually sufficient, unless additional configuration options are needed.

6. Select the SSL profile (Client) setting. A client SSL profile is only required if you want to enable SSL from the client to the virtual server.

7. Select the SSL profile (Server) setting. A server SSL profile is only required if the pool members require SSL.

8. From the Access Profile list, select an access profile you created for web application access management.

9. Click Finished.

To select a pool

1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers. The Virtual Server List screen opens.

2. Click the name of the virtual server. The Virtual Server Properties screen opens.

3. Click the Resources tab.

4. From the Default Pool list, select the local traffic pool.

5. Click Update.

Chapter 5: Configuring Resources

• Understanding resources

• Using access control lists

• Using webtops


Understanding resources

With BIG-IP® Access Policy Manager™, you use resources to provide secure connection functionality to users. You configure a resource to allow access to a web application or a network access connection, and you configure access control lists to allow or deny access for clients of network access, web applications, and web application access management access policies.

You use access control lists (ACLs), network access or web applications resources, and webtops to provide functionality to clients. For a web application access management policy, you can assign ACLs, but you cannot assign any other resources. You use ACLs to define allowed and disallowed networks, hosts, and protocols for users. With web applications access policies, you use webtops to provide a web page with useful links to users who connect. You assign ACLs and webtops dynamically in an access policy, using the resource assign action.

A network access resource represents a single secure connection that provides an on-network type of experience to an end user. You can define many network access resources on the Access Policy Manager, but each connection uses only one network access resource. To connect a user securely with a network access connection, you must assign a network access resource to an access policy and a network access webtop, using the resource assign action. A network access connection does not manipulate or analyze the content being passed between the client and the internal network.

A web application resource provides web browser access to one or more specific internal web applications. With web applications, the Access Policy Manager communicates with back-end servers, and rewrites the links in the response so that all the links in the response content specify the virtual server as the host. This method of access differs from a connection configured for network access, which provides a secured tunnel from the client to the internal network.

In this chapter you can learn how to use ACLs and webtops. To configure network access resources, see Chapter 2, Configuring Network Access. To configure web applications, see Chapter 3, Configuring Web Applications. To configure web application access management, see Chapter 4, Configuring Web Application Access Management.


Using access control lists

You use access control lists, or ACLs, to restrict user access to specified host and port combinations.

For an ACL to have an effect on traffic, at least one access control entry must be configured. In an access control entry, the only item that is required is the action. When you configure an ACL with an entry with only an action defined, that action becomes the default access control action for all traffic to which the ACL is applied.

ACL entries can work on OSI Layer 4, the protocol layer, OSI Layer 7, the application layer, or both. When you first create an access control entry, you can select whether the entry is for Layer 4, Layer 7, or for both.

You can use a Layer 4 or Layer 7 ACL with network access, web applications, or web application access management connections, with the following configuration notes.

• With network access, you can use a Layer 7 ACL that is configured to provide access control for port 80 HTTP connections. However, if you want to provide access control for anything that is not on port 80, you must create a second virtual server, configured with the IP address to which the ACL entry applies, and the default access profile, access.

• For HTTPS network access connections, you can use Layer 7 ACL entries only if the virtual server has the private key of the backend server, because Access Policy Manager must decrypt the traffic to inspect the scheme, host, and path.

• If you assign no ACLs to an access policy, the default behavior allows access. To restrict resources to only those you specify in an ACL, add an ACL entry configured to reject all connections at the end of the ACL entry list. The access policy will then reject any connection not matched by a previous entry.

The order you specify for ACLs and ACL entries determines their priority. Access Policy Manager tests ACLs and ACL entries in order, based on their priority in the respective list, and tests only the ACLs assigned to the current session. You can reorder ACL entries and ACLs.

You assign ACLs dynamically in the access policy with the resource assign action, so ACLs apply only to clients who reach that action in the access policy. See To assign an access control list, on page 5-5, for more information.

Note

ACLs are not enforced on network traffic initiated from the server. Use SNAT automap or SNAT pool options in the network access configuration if you do not want servers to be able to initiate a connection to any client.

Creating access control lists

You create an access control list to provide or deny access to network resources.


To create an access control list

1. On the Main tab of the navigation pane, expand Access Policy, and click ACLs. The ACLs screen opens.

2. Click Create. The New ACL screen opens.

3. In the Name box, type a name for the access control list.

4. In the Description box, you can add an optional description of the access control list.

5. From the Order list, you can optionally determine in what order to add the new ACL.

• Select After to add the ACL after a specific ACL, that you can then select.

• Select Specify to type the specific number of the ACL in the list.

• Select Last to add the ACL at the last position in the list.

6. Click the Create button. The ACL Properties screen opens.

7. In the Access Control Entries area, click Add to add an entry to the access control list. The New Access Control Entry screen appears.

8. From the Type list, select whether this is a Layer 4 (L4), Layer 7 (L7), or Layer 4 + Layer 7 (L4+L7) access control entry.

9. From the Action list, select the action for the access control entry. If you are creating a default access control list, complete this step, then skip to the last step in this procedure. Actions for the access control list entry are:

• Allow - Permit the traffic.

• Continue - Skip checking against the remaining ACL entries in this ACL, and continue evaluation at the next ACL.

• Discard - Drop the packet silently.

• Reject - Drop the packet and send a TCP RST on TCP flows or an ICMP error message on UDP flows. Silently drop the packet on other protocols. Note: If HTTP traffic matches a Layer 4 ACL entry, a TCP RST is sent. The ACL Deny page is sent only when traffic is matched and denied by a Layer 7 ACL entry.

10. In the Source IP Address box, type the source IP address. This specifies the IP address to which the access control list entry applies.

11. In the Source Mask box, type the network mask for the source IP address. This specifies the network mask for the source IP address to which the access control list entry applies.


12. For the Source Port setting, select Port or Port Range. This setting specifies whether the access control list entry applies to a single port or a range of ports.

13. In the Port box or the Start Port and End Port boxes, specify the port or port range to which the access control list entry applies. To simplify this choice, you can select from the list of common applications, to the right of the Port box, to add the typical port or ports for that protocol.

14. In the Destination IP Address box, type the IP address to which the ACL controls access.

15. In the Destination Mask box, type the network mask for the destination IP address.

16. For the Destination Ports setting, select Port or Port Range. This setting specifies whether the access control list entry applies to a single port or a range of ports.

17. In the Port box or the Start Port and End Port boxes, specify the port or port range to which the access control list entry applies. To simplify this choice, you can select from the list of common applications, to the right of the Port box, to add the typical port or ports for that protocol.

18. From the Scheme list, select the URI scheme for the ACL entry. You can select http, https, or any. Any matches either HTTP or HTTPS traffic.

19. In the Host Name box, type a host to which the ACL applies.

The Host Name box supports shell glob matching: the asterisk wildcard (*) matches zero or more characters, and the question mark wildcard (?) matches exactly one character. For example, the host entry *.siterequest.com matches any host name under siterequest.com, such as www.siterequest.com, mail.siterequest.com, and finance.siterequest.com.

The ? matches only a single character, so n?t.siterequest.com matches the hosts net.siterequest.com and not.siterequest.com, but not neet.siterequest.com, nt.siterequest.com, or note.siterequest.com.

20. In the Paths box, type the path or paths to which the ACL applies. You can separate multiple paths with spaces, for example, /news /finance. The Paths box supports the same shell glob matching: * represents zero or more characters and ? represents a single character. You can also type a specific URI, for example, /finance/content/earnings.asp, or a specific extension, for example, *.jsp.

21. From the Protocol list, select the protocol to which the ACL applies.


22. From the Log list, select the log level for this access control entry.

When events of this type occur, the server records a log message. Options are:

• None - log nothing.

• Packet - log the matched packet.

23. Click Finished.

To assign an access control list

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

5. Select Resource Assign, and click Add Item. The Resource Assign action popup screen opens.

6. Click Add new entry. A new resource assign entry appears in the popup screen.

7. To add one or more ACLs, click the Add/Delete ACLs link, then select the check boxes for ACLs you want to assign, and clear the check boxes for ACLs you do not want to assign. ACL assignment is optional.

8. Click Update to return to the Resource Assign popup screen.

9. Click Save to save the action.

Access control list examples

The following examples show how to use ACLs to prevent access to servers, or to allow only certain types of traffic to access servers.

Example: Reject all connections to a specific network

In this ACL example, all connections to a specific network at 192.168.112.0/24 are rejected.


To configure an ACL to reject all connections to a specific network

1. To create the access control list, follow the instructions at To create an access control list, on page 5-3.

2. Configure the access control entries as follows.

• Source IP Address - 0.0.0.0 (note that when you leave an IP address entry blank, the result is the same as typing the address 0.0.0.0).

• Source Mask - 0.0.0.0

• Source Ports - All Ports

• Destination IP address - 192.168.112.0

• Destination Mask - 255.255.255.0

• Destination Ports - All Ports

• Protocol - All Protocols

• Action - Reject

3. Click Finished.

Example: Allow SSH access to a specific host

In this ACL example, SSH connections are allowed to the internal host at 192.168.112.9.

To configure an ACL to allow SSH connections

1. To create the access control list, follow the instructions at To create an access control list, on page 5-3.

2. Configure the access control entries as follows.

• Source IP Address - 0.0.0.0

• Source Mask - 0.0.0.0

• Source Ports - All Ports

• Destination IP address - 192.168.112.9

• Destination Mask - 255.255.255.255

• Destination Ports - Port 22 (or select SSH)

• Protocol - TCP

• Action - Allow

3. Click Finished.

Example: Reject connections to specific file types

In this ACL example, all connections that attempt to open files with the extensions DOC, EXE, and TXT are rejected.


To configure an ACL to reject connections to specific file types

1. To create the access control list, follow the instructions at To create an access control list, on page 5-3, and create a Layer 4 + Layer 7 (L4+L7) access control entry.

2. Configure the access control entries as follows.

• Source IP Address - 0.0.0.0

• Source Mask - 0.0.0.0

• Source Ports - All Ports

• Destination IP address - 0.0.0.0

• Destination Mask - 0.0.0.0

• Destination Ports - All Ports

• Scheme - http

• Paths - *.doc *.exe *.txt

• Protocol - All Protocols

• Action - Reject

3. Click Finished.
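As an added worked example (not part of this guide and not F5 code), the following Python models the evaluation rules described under Using access control lists and encodes the three ACL examples above: ACLs and their entries are tested in order, the first matching entry decides, Continue skips the rest of the current ACL and moves to the next one, an entry with only an action matches all traffic, and traffic that matches no entry is allowed unless a reject-all entry is placed last. The Entry, ACL and Flow classes and their field names are this example's own assumptions; host and path matching uses Python's fnmatch to emulate the shell glob rules described for the Host Name and Paths boxes.

```python
"""Model of APM ACL evaluation: ACLs and their entries are tested in order, first match wins.
Added illustration, not F5 code: Entry, ACL and Flow and their field names are this
example's own assumptions; the matching semantics follow the guide text."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = None  # a blank criterion matches everything (0.0.0.0 / 0.0.0.0, All Ports, All Protocols)

@dataclass
class Entry:
    action: str                                  # Allow | Continue | Discard | Reject
    layer: str = "L4"                            # L4 | L7 | L4+L7
    src: Optional[str] = ANY                     # CIDR, e.g. "10.0.0.0/8"
    dst: Optional[str] = ANY
    src_ports: Optional[Tuple[int, int]] = ANY   # inclusive (start, end)
    dst_ports: Optional[Tuple[int, int]] = ANY
    protocol: Optional[str] = ANY                # "tcp", "udp", ...
    scheme: Optional[str] = ANY                  # "http" or "https"; ANY = either
    host: Optional[str] = ANY                    # shell glob, e.g. "*.siterequest.com"
    paths: Tuple[str, ...] = ()                  # shell globs; empty = any path

@dataclass
class ACL:
    name: str
    entries: List[Entry]

@dataclass
class Flow:
    src: str
    dst: str
    src_port: int
    dst_port: int
    protocol: str
    scheme: Optional[str] = None                 # None for non-HTTP traffic such as SSH
    host: Optional[str] = None
    path: Optional[str] = None

def glob_match(value: Optional[str], pattern: Optional[str]) -> bool:
    """Host Name / Paths matching: * = zero or more characters, ? = exactly one."""
    if pattern is ANY:
        return True
    return value is not None and fnmatchcase(value, pattern)

def in_net(addr: str, net: Optional[str]) -> bool:
    return net is ANY or ip_address(addr) in ip_network(net, strict=False)

def in_range(port: int, rng: Optional[Tuple[int, int]]) -> bool:
    return rng is ANY or rng[0] <= port <= rng[1]

def l4_match(e: Entry, f: Flow) -> bool:
    return (in_net(f.src, e.src) and in_net(f.dst, e.dst)
            and in_range(f.src_port, e.src_ports) and in_range(f.dst_port, e.dst_ports)
            and (e.protocol is ANY or e.protocol.lower() == f.protocol.lower()))

def l7_match(e: Entry, f: Flow) -> bool:
    if f.scheme is None:                         # Layer 7 criteria only apply to HTTP(S) requests
        return False
    return ((e.scheme is ANY or e.scheme == f.scheme)
            and glob_match(f.host, e.host)
            and (not e.paths or any(glob_match(f.path, p) for p in e.paths)))

def entry_matches(e: Entry, f: Flow) -> bool:
    if e.layer == "L4":
        return l4_match(e, f)
    if e.layer == "L7":
        return l7_match(e, f)
    return l4_match(e, f) and l7_match(e, f)     # L4+L7: both sets of criteria must match

def evaluate(acls: List[ACL], f: Flow):
    """Return (action, acl_name, entry_index); traffic that matches no entry is allowed."""
    for acl in acls:
        for i, e in enumerate(acl.entries):
            if not entry_matches(e, f):
                continue
            if e.action == "Continue":           # skip the rest of this ACL, go on to the next ACL
                break
            return e.action, acl.name, i
    return "Allow", None, None

def reject_response(e: Entry, f: Flow) -> str:
    """How a Reject is signalled: deny page on a Layer 7 match, else RST / ICMP / silent drop."""
    if e.layer != "L4" and f.scheme is not None:
        return "ACL Deny page"
    return {"tcp": "TCP RST", "udp": "ICMP error"}.get(f.protocol.lower(), "silent drop")

# The three example ACLs from this chapter, plus a final reject-all (constructed sample policy)
allow_ssh = ACL("allow-ssh-112-9", [Entry("Allow", "L4", dst="192.168.112.9/32", dst_ports=(22, 22), protocol="tcp")])
reject_net = ACL("reject-112-net", [Entry("Reject", "L4", dst="192.168.112.0/24")])
block_files = ACL("block-file-types", [Entry("Reject", "L4+L7", scheme="http", paths=("*.doc", "*.exe", "*.txt"))])
deny_rest = ACL("deny-rest", [Entry("Reject")])  # action only, no criteria: matches all remaining traffic
POLICY = [allow_ssh, reject_net, block_files]    # order matters: SSH is allowed before the /24 reject

if __name__ == "__main__":
    doc = Flow("10.0.0.5", "10.1.1.1", 40001, 80, "tcp", "http", "intranet.example", "/docs/report.doc")
    print(evaluate(POLICY, Flow("10.0.0.5", "192.168.112.9", 40000, 22, "tcp")))  # ('Allow', 'allow-ssh-112-9', 0)
    print(evaluate(POLICY, doc), reject_response(block_files.entries[0], doc))
    print(evaluate(POLICY + [deny_rest], Flow("10.0.0.5", "10.1.1.1", 40002, 443, "tcp", "https")))
```

Two things the model makes visible that the procedures alone do not: the file-type example rejects only requests with scheme http, so the same .doc request over https falls through to the default allow unless a reject-all entry is placed last; and a Reject that matches on a Layer 4 entry answers an HTTP request with a TCP RST, whereas a match on a Layer 7 entry returns the ACL Deny page.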


Using webtops

When a user is allowed access by an access policy, that user is typically assigned a webtop. A webtop is the successful end point for a web applications or network access connection. A web applications webtop also provides a customizable screen for the user that includes links for working with the web applications, and displays messages relating to the connection.

You assign a webtop to the user session in a resource assign action in the access policy. Make sure that you assign the correct webtop type; a network access webtop must be assigned with a network access resource, and a web applications webtop must be assigned with a web applications resource.

Many settings for the webtop can be customized. To customize webtop settings, see Customizing a webtop, on page 15-14.

To create a webtop

1. On the Main tab of the navigation pane, expand Access Policy, then click Webtops. The Webtop List screen opens.

2. Click Create. The New Webtop screen opens.

3. In the Name box, type the name for the webtop.

4. From the Type list, select whether the webtop is a network access or a web applications webtop. If you selected a network access webtop, select whether to automatically minimize the webtop to the system tray, by selecting or clearing the Minimize To Tray check box. If you selected a web applications webtop, in the Web Application start URI box, type the URI for the web application.

5. Click Finished to complete the configuration.

To assign a webtop

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

5. Select Resource Assign, and click Add Item. The Resource Assign action popup screen opens.


6. Click Add new entry. A new resource assign entry appears in the popup screen.

7. To specify a webtop for the connection, click the Set Webtop link, and select a webtop to assign.

8. Click Update to return to the Resource Assign popup screen.

9. Click Save to save the action.

Chapter 6: Understanding Access Policies

• Introducing access policies

• Understanding access policy items

• Understanding access policy branch rules

• Understanding access policy branches

• Understanding access policy macros

• Introducing access policy endings

• Understanding session variables


Introducing access policies

In an access policy, you define the criteria for granting access to various servers, applications, and other resources on your network.

Using an access policy, you can define a sequence of checks to enforce the required level of security on a user’s system, before the user is granted access to servers, applications, and other resources on your network.

An access policy can also include authentication checks, to authenticate a user before the user is granted access to the network resources.

With an access policy you can perform four basic tasks:

◆ Collect information about the client system - You can use the access policy to collect and evaluate information about client computers. For example, you can check that the user is operating from a company-issued computer, what antivirus software is present on the machine, what operating system the computer is running, and other aspects of the client configuration. This is accomplished using both client-side checks and server-side checks in the access policy.

◆ Authenticate the user against external authentication servers - The access policy can check credentials against an external authentication server, or check a client certificate, to verify the user's identity before access is granted.

◆ Retrieve the user's rights and attributes - You can use the access policy to retrieve extended information from authentication servers, including LDAP or Microsoft Active Directory® attributes, and use the information retrieved to assign different resources.

◆ Grant access to resources - With the access policy, you assign resources, such as a network access resource, after the client is authenticated.


Understanding access policy items

An access policy is made up of five kinds of access policy items. These are:

• A start point

• One or more actions

• Branches

• Macros and macrocalls

• One or more endings

Understanding the access policy start point

Every access policy begins at a start point. In the visual policy editor, this is a green rectangle with an angled right side, labeled Start, that has one fallback branch connected to it. You build the access policy starting on this fallback branch.

Figure 6.1 An access policy Start point

Understanding access policy actions

An action performs a specific function in an access policy. These functions include client checks, authentication checks, and other access policy functions.

In the visual policy editor, the action appears as a rectangle surrounded by a single line in the access policy, with one branch entering it on the left, and one or more branches exiting on the right. If the action requires configuration, a red asterisk appears to the left of the action, and the name of the action appears in italics. In Figure 6.2, the RADIUS action is properly configured, and the resource assign action requires configuration.

Figure 6.2 Two actions, one unconfigured, in the visual policy editor


Understanding available actions

The Access Policy Manager includes a number of pre-defined actions. You can see the available actions in the visual policy editor when you click the Add Item button, which is activated by positioning the cursor along the action's rule branch. The Add Item popup screen opens as a floating popup screen on top of the visual policy editor.

Table 6.1 lists all the actions available in Access Policy Manager, in the order in which they appear in the Add Item popup screen, and describes what they can do.

Table 6.1 Available actions in Access Policy Manager (Category, Action, Description)

General Purpose

• Logon Page - Adds a logon page to the access policy. You can customize the messages and link text on the logon page, and create custom messages for different languages.

• External Logon Page - Adds an external logon page to the access policy. Used with an external logon server like CSE's SECUREMATRIX®.

• Resource Assign - Assigns ACLs, a network access or web applications resource, and a webtop to the access policy.

• Variable Assign - Assigns one or more variables to the access policy.

• Virtual Keyboard - Displays a virtual keyboard on the logon screen when the user clicks in the Password box.

• SSO Credential Mapping - Configures credential caching to use with single sign-on (SSO) for web applications.

• Route Domain Selection - Selects a route domain for policy-based routing.

• Logging - Adds a logging agent that logs the specified session variables to the system logs.

• Message Box - Adds a message box that can be used to post a message to the user.

• Decision Box - Adds a decision box that provides two options for the access policy.

• iRule Event - Adds an iRule event to the access policy.

• Empty - A blank action from which you can create your own action.

Authentication

• AD Auth - Adds Active Directory authentication to the access policy.

• AD Query - Adds an Active Directory query to the access policy.

• Client Cert Inspection - If the Client SSL profile is configured to request the client certificate during the SSL handshake, checks the client certificate received during the SSL handshake.

• HTTP Auth - Adds HTTP authentication to the access policy.

• LDAP Auth - Adds LDAP authentication to the access policy.

• LDAP Query - Adds an LDAP query to the access policy.

• On-Demand Cert Auth - Prompts users for a client certificate if they take a certain branch in the access policy.

• RADIUS Auth - Adds RADIUS authentication to the access policy.

• RADIUS Acct - Adds RADIUS accounting to the access policy.

• RSA SecurID - Adds RSA SecurID two-factor authentication to the access policy.

Client Side Checks

• Antivirus Check - Checks for antivirus software on the client computer. Can check for antivirus software on Windows, Mac OS, and Linux clients.

• Firewall Check - Checks for firewall software on the client computer. Can check for firewall software on Windows, Mac OS, and Linux clients.

• File Check (Windows, Linux, Mac) - Checks for a specific file on the client computer. File check is available as three different actions for Windows, Mac OS, and Linux computers.

• Machine Cert Auth - Checks for the presence of a machine certificate.

• Windows Info - Checks for the version of Windows and for Windows updates on the client computer.

• Process Check (Windows, Linux, Mac) - Checks for running processes on the client computer. Process check is available as three different actions for Windows, Mac OS, and Linux computers.

• Registry Check - Checks for specific values in the Windows registry.

Client Side Actions

• Cache and Session Control - Cleans and removes the browser cache, optionally cleans form entries, passwords, and dial-up entries, and sets timeouts for the access policy.

• Protected Workspace - Provides a secure computing environment with a temporary desktop and profile that is removed after logout. For use with public computers or in other situations where higher security is required.

• Windows Group Policy - Temporarily configures the Windows environment with a group policy. Windows Group Policy is an optional add-on that is enabled by FullArmor's GPAnywhere product.

Server Side Checks

• UI Mode - Detects the browser or client type the client is using. This provides three rule branches in your access policy:

  - Full Browser: the rule branch the access policy takes if the client is using a web browser, or the BIG-IP® Edge Client™.

  - Standalone Client: the rule branch the access policy takes if the client is using a standalone legacy SSL VPN client. This rule branch is used only if the standalone client is running in Legacy Mode. If the BIG-IP Edge Client is used, the Full Browser rule branch is matched.

  - Fallback: the rule branch the access policy takes if the client is not using one of the listed clients.

• Client-Side Check Capability - Checks whether the client supports JavaScript and supports either ActiveX controls or Netscape plug-ins. If a client can support JavaScript and one of these control types, it can run client-side checks. See Preparing for clients that cannot use client checks, on page 10-1.

• Client OS - Detects the operating system of the remote client. Access Policy Manager detects this using information from the HTTP header.

• Landing URI - Checks the landing URI that the client has used to start the current session.


Understanding access policy branch rules

A branch rule evaluates the result of an access policy action, findings about a client system, or another access policy item. The outcome of the evaluation of a branch rule grants or denies access, or continues on to the next action. The order of branch rules in an access policy determines the flow of action.

In an access policy, you use actions for which a set of branch rules are already defined. You can add branch rules to an action, or create new branch rules to test for a specific condition. You can use empty actions to create custom actions, and add your own branch rules to them. The ending is the last branch rule applied. Figure 6.3, on page 6-7, shows the flow of a branch rule-checking operation.

By default, if the user’s system does not meet the access policy requirements, the Access Policy Manager™ denies the user access. You can change this outcome by changing the access policy ending, and by modifying branch rules to check for different criteria.

A branch rule uses data from variables returned by actions to determine user access criteria. For more information about session variables, see Understanding session variables, on page 6-16.

When you create a new action, the visual policy editor automatically creates a set of branch rules. The last rule in this set is the fallback branch rule. It cannot be moved. It governs all cases that do not satisfy a preceding branch rule.

Figure 6.3 shows the internal process of an action.


Figure 6.3 Internal process of an action

Viewing rules

To view a predefined branch rule, you must first add an action to the access policy. The following example describes how to add a predefined action (client cert result) to an access policy, then how to view the underlying rule.

Note

You cannot view the predefined branch rules for every action.

To add a client cert inspection action and view the rule

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.


3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If the Authentication category is not expanded, click the plus sign to expand it.

5. Select Client Cert Inspection and click Add Item to add the action to the access policy. The Client Cert Result action popup screen opens.

6. Click the Branch Rules tab. Under the Name Successful, you see the text Expression: Client Certificate is valid, and then a link to change the expression.

7. Click change. The Expression popup screen opens.

8. Click the Advanced tab.

9. The rule expression for the client cert result action is displayed, as in Figure 6.4:

expr { [mcget {session.ssl.cert.valid}] == "0" }

To configure the action, see the action description in Understanding available actions and categories, on page 7-13.

Figure 6.4 A rule displayed in an access policy action

Predefined rules

When you configure an action, it creates a predefined rule. To further refine or customize a rule, you can use the expression builder to build a rule from a list of agents and conditions.

You can edit a rule on the Rules tab by clicking change. You can edit rules in a rule builder on the Simple tab. You use this rule builder to choose from a simplified set of rules and automatically compile the Tcl syntax. You can also use the Advanced tab to edit the rule directly, using Tcl. Visual examples of the two editing methods are shown in Figure 6.5.

Figure 6.5 Simple (top) and Advanced (bottom) rule editing

Understanding access policy branches

In the visual policy editor, you connect access policy items to other items with branches. A branch represents one of the following three things:

◆ The result of the evaluation of an access policy rule - Most actions have branches that represent the evaluation of rules. These branches might be called Successful, or they might have a more descriptive name. In many cases, a rule branch is a positive result to the evaluation of an action (for example, Active Directory authentication has passed). A rule branch can also be an informational response to the evaluation of an action (for example, client operating system is Windows Vista®).

◆ An outgoing terminal from an access policy macro - When you configure an access policy macro, the rule branches inside the macro have endings called terminals. These terminals do not function like access policy endings; instead, they become branches in the access policy to which the macrocall is added, and those branches represent the outcomes of the actions inside the macrocall.

◆ A fallback rule - A fallback rule is typically a negative response, if the action has successful branches. Some fallback rules are the result of the action returning no match or a failure for the access policy check. Fallback rules are also the result of actions that have no positive or negative result. For example, the logon page action has no positive or negative result, because it sends only a logon page to the client, so the result branch of a logon page is always a fallback rule branch.

Figure 6.6 An action with multiple branches

Understanding access policy macros

A macro is a collection of actions that you can configure to provide common access policy functions. You can create a macro for any action or series of actions in an access policy. You can also create macros that contain macrocalls to other macros (nested macros).

After you create a macro, you place it in the access policy by adding an item called a macrocall to your policy. A macrocall is an action that performs the functions defined in a macro. In the visual policy editor, a macrocall appears in an access policy, or in a macro definition, as a single rectangular item, surrounded by a double line, with one or more outgoing macro terminal branches, called terminals, as shown in Figure 6.7.

Figure 6.7 A macrocall in an access policy

Macro definitions, macro terminals, and macrocalls are defined for each access policy. Macros you create in one policy do not appear, and cannot be used, in another access policy.

Unlike other access policy actions, when you click a macrocall in the access policy, the macro definition is displayed below the access policy in the macros section, and not in a popup screen, as shown in Figure 6.8.

Figure 6.8 A macro expanded below an access policy

The BIG-IP® Access Policy Manager™ includes several predefined macro templates. For example, BIG-IP Access Policy Manager includes macro templates for six authentication methods, and for a Windows antivirus and firewall check. For the definitions and configuration information for these included macro templates, see Configuring macros, on page 7-15.

Introducing macro terminals

A macro does not have endings, as does an access policy. Instead, a macro contains one or more end points called terminals. Terminals are the macro branches that are the result of the actions you add to the macro. The access policy uses the macro terminals after you insert a macrocall into an access policy. A macro can have many terminals. You can use terminals as you use access policy endings within the macro configuration.

Macro terminals are common shared endpoints for the access policy macro item. After you add a macro to the access policy using a macrocall, each macro terminal defined in the macro appears as a separate shared output. For example, if you configure four macro terminals, and use those terminals ten times in the macro definition, when you add the macrocall access policy item to the access policy, only four outputs appear from the access policy item. For an example of a macro with multiple terminals used many times in the configuration, see Using the client classification and prelogon checks macro template, on page 7-25.

To make macros easier to use, you can assign the macro terminals descriptive names and specific colors with the visual policy editor. When you add a macro to your access policy, the terminals from the macro become branches, and the branches take the names of their terminals.

For example, you can configure a macro with four terminals:

• AV success

• AV failure

• File check success

• File check failure

After you add the macrocall to your access policy, the macrocall appears as a single access policy item, with four terminals that appear as four branches, named for the terminals. See Figure 6.9.

Figure 6.9 A macrocall with four macro terminal branches in an access policy

Note

You can make changes to the actions in a macro after you have added the macrocall to an access policy. However, you cannot delete terminals after a macrocall has been added to an access policy or another macro. For this reason, we recommend that you configure macro terminals before you add a macrocall to the access policy.

Introducing access policy endings

Access policy endings indicate the final outcome of a branch of the access policy. The Access Policy Manager provides the following endings: Allowed, Deny, and Redirect. In the visual policy editor, endings appear as a rectangle with a cut-out left edge.

Figure 6.10 Access policy endings

Understanding the allow ending

In an access policy, the allow ending is a successful ending that allows the connection defined by the access policy branch. Configure your access policies so that only users who meet your security criteria reach an allow ending. The allow ending performs final validation of assigned resources, the webtop, and any resources added to the access policy branch, and allows the session to start.

Note

You must assign a valid network access or web application resource and a webtop for your users, unless you are using the access policy to control access to a local traffic virtual server, in a web application access management scenario.

Understanding the deny ending

In an access policy, the deny ending denies the user access to the resource, and ends the user’s session. After the user reaches a deny ending, all the session information collected during access policy operation is deleted from the client. You can use this ending at the ends of failed rule branches. When a user reaches a deny ending, the user sees an access denied error message web page.

Understanding the redirect ending

In an access policy, the redirect ending sends the user to a URL that you specify. Use this ending when the result of a certain access policy outcome does not result in a webtop ending, but you want to send the user to another internal or external URL. For example, you might send a user to the web site for an antivirus vendor, if an antivirus action determines that the user’s virus definitions are older than the access policy allows.

To close the Access Policy Manager session after the redirect, select the Close session after redirect check box.

Note

You must type the redirect URL with the leading http:// or https://.

Understanding session variables

The rules in access policies use the values that the actions return in session variables. During access policy operation, the Access Policy Manager collects various information about the system that is attempting access. This information is organized in a hierarchical arrangement and is stored as the user’s session data.

Session variables are variables that allow the access policy to access the user’s session data. The name of a session variable consists of multiple hierarchical nodes separated by periods (.).

The Access Policy Manager names session variables in the following manner:

session.ad.<username>.queryresult = query result (0 = failed, 1=passed)

session.ad.<username>.authresult = authentication result (0 = failed, 1=passed)

session.ad.<username>.attr.<attr_name> = the name of an attribute retrieved during the Active Directory query. Each retrieved attribute is converted to a separate session variable. Note that attributes assigned to a user on the AAA server are specific to that server, and not to Access Policy Manager.

Figure 6.11 shows how Access Policy Manager names session variables.

Figure 6.11 Session variable naming scheme

Using session variables

You can use session variables to customize access rules or to define your own access policy rules. You can assign users specific resources based on session variables, using the resource assign action.

You can use session variables to configure rules in access policies. You can use the values of session variables to provide different outcomes for policies. For more information on how to use session variables, see Assigning variables, on page 8-10, and Using advanced access policy rules, on page 16-17. For a complete listing of available session variables, see Appendix C, Session Variables. You can view all session variables for a session at Reports > Current Sessions. Click a session name to view the session variables for the session.
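As an added example that is not part of this guide or F5's code, the following Python model ties together the branch-rule discussion earlier in this chapter and the session variable naming above: variables are stored under hierarchical dot-separated names (with one .attr.<attr_name> variable per attribute retrieved by the Active Directory action), and an action's branch rules are evaluated in order, with the fallback branch catching everything that satisfies no rule and leading to the default Deny ending. The SessionStore, BranchRule and Action names, the sample user jdoe and the memberOf attribute are constructed for illustration; mcget mirrors the lookup used in the rule expression shown in Figure 6.4.

```python
# Added example (not F5 code): a small model of the session-variable store and
# ordered branch-rule evaluation that the guide describes. The class and
# function names, the sample user "jdoe" and the AD attributes are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


class SessionStore:
    """Holds session variables under dot-separated hierarchical names."""

    def __init__(self) -> None:
        self.vars: Dict[str, str] = {}

    def set(self, name: str, value: str) -> None:
        self.vars[name] = value

    def mcget(self, name: str) -> str:
        # Rule expressions read variables with mcget; an unset variable
        # yields an empty string here so a rule can never match by accident.
        return self.vars.get(name, "")

    def add_ad_result(self, username: str, auth_ok: bool, query_ok: bool,
                      attrs: Dict[str, str]) -> None:
        """Store an AD action's results the way the guide names them:
        session.ad.<username>.authresult, .queryresult and one
        .attr.<attr_name> variable per retrieved attribute."""
        prefix = f"session.ad.{username}"
        self.set(f"{prefix}.authresult", "1" if auth_ok else "0")
        self.set(f"{prefix}.queryresult", "1" if query_ok else "0")
        for attr_name, value in attrs.items():
            self.set(f"{prefix}.attr.{attr_name}", value)


@dataclass
class BranchRule:
    name: str
    test: Callable[[SessionStore], bool]
    ending: str


@dataclass
class Action:
    name: str
    rules: List[BranchRule]        # evaluated in order; fallback is implicit
    fallback_ending: str = "Deny"  # the fallback branch is always last


def evaluate(action: Action, session: SessionStore) -> Tuple[str, str]:
    """Return (branch name, ending): the first rule whose test passes wins,
    and anything that satisfies no rule takes the Fallback branch."""
    for rule in action.rules:
        if rule.test(session):
            return rule.name, rule.ending
    return "Fallback", action.fallback_ending


def client_cert_action() -> Action:
    # Same test as the predefined rule shown in Figure 6.4:
    # expr { [mcget {session.ssl.cert.valid}] == "0" }
    return Action("Client Cert Inspection", [
        BranchRule("Successful",
                   lambda s: s.mcget("session.ssl.cert.valid") == "0",
                   "Allow"),
    ])


def ad_group_action(username: str, required_group: str) -> Action:
    # A custom rule over the AD result: authentication passed and the
    # retrieved memberOf attribute (assumed attribute name) names the group.
    prefix = f"session.ad.{username}"
    return Action("AD Auth", [
        BranchRule("Successful",
                   lambda s: s.mcget(f"{prefix}.authresult") == "1"
                   and required_group in s.mcget(f"{prefix}.attr.memberOf"),
                   "Allow"),
    ])


def build_session(cert_valid: str, auth_ok: bool, groups: str) -> SessionStore:
    """Constructed sample session; an empty cert_valid leaves the variable unset."""
    s = SessionStore()
    if cert_valid:
        s.set("session.ssl.cert.valid", cert_valid)
    s.add_ad_result("jdoe", auth_ok, True, {"memberOf": groups})
    return s


if __name__ == "__main__":
    good = build_session("0", True, "CN=vpn-users,DC=example,DC=com")
    print(evaluate(client_cert_action(), good))                  # ('Successful', 'Allow')
    print(evaluate(ad_group_action("jdoe", "vpn-users"), good))  # ('Successful', 'Allow')
    no_cert = build_session("", False, "")
    print(evaluate(client_cert_action(), no_cert))               # ('Fallback', 'Deny')
```

Note that a missing session variable reads as an empty string, so a rule written as a positive test (== "0", == "1") fails closed: an action that never ran, or a user with no certificate, lands on Fallback and the default Deny ending rather than on the Successful branch.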

7

Creating Access Profiles and Access Policies

• Creating an access profile

• Creating an access policy

• Understanding available actions and categories

• Configuring macros

• Backing up and importing access profiles

Creating an access profile

In the BIG-IP® Access Policy Manager™, an access profile is the profile that you select in a virtual server definition to establish a secured connection to a resource. You can also configure an access profile to provide access control and security features to a local traffic virtual server hosting web applications.

The access profile contains:

• Access policy timeout and concurrent user settings

• Accepted language and default language settings

• Single Sign-On information and domain cookie information for the session

• Customization settings for the access profile. To customize these settings, see Setting up access profile customization, on page 15-1.

• The access policy for the profile

Understanding access profile settings

On the Access Profile Properties screen, you use the Settings section to configure timeout and session settings. You must select the Custom check box to configure settings for this section.

• Inactivity Timeout - Specifies the inactivity timeout for the connection, in minutes. If there is no activity between the client and server within the specified threshold time, the system closes the current session. By default, the threshold is 0, which specifies that as long as a connection is established, the inactivity timeout is disabled. However, if an inactivity timeout value is set, when server traffic exceeds the specified threshold, the inactivity timeout is reset. In addition, for web applications, you can customize the timing for the warning message to appear for the user prior to session timeout by using the Session Timeout Guard Time setting in the webtop customization settings. The user can click a link inside the message window to reset the inactivity timeout.

• Access Policy Timeout - This is designed to keep malicious users from creating a DoS attack on your Secure Access Manager. The timeout requires that a user, who has followed through on a redirect, must reach the webtop before the timeout expires. The default value is 300 seconds.

• Maximum Session Timeout - Specifies the maximum lifetime of one session, in minutes. The maximum lifetime is between the time a session is created, to when the session terminates. By default, it is set to 0, which means no limit. When you configure this setting, there is no way to extend the session lifetime, and the user must log out and then log back in to the server, when needed.

• Max Concurrent Users - Specifies the number of sessions per access profile. The default value is 0, which represents unlimited sessions. Please note that this field is read-only for application editors. All other administrative roles can modify this field.

• Max Sessions Per User - Specifies the number of sessions per user. The default value is 0, which represents unlimited sessions. Please note that this field is read-only for application editors. All other administrative roles can modify this field.
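To make the interplay of the three timeout settings concrete, here is an added Python model (not F5 code) of how they bound a single session, following the descriptions above: the maximum session timeout cannot be extended by any activity, the access policy timeout applies until the user has reached the webtop, and the inactivity timeout is disabled at 0 and is reset by traffic between client and server. The type and function names and the sample times are constructed; timestamps are seconds on one clock.

```python
# Added example (not F5 code): a model of the access profile timeout settings
# described above, applied to one session. Names and time values are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProfileTimeouts:
    inactivity_timeout_min: int = 0     # 0 = inactivity timeout disabled
    access_policy_timeout_s: int = 300  # default 300 seconds
    max_session_timeout_min: int = 0    # 0 = no limit on session lifetime


@dataclass
class SessionState:
    created_at: float
    last_activity_at: float
    reached_webtop_at: Optional[float] = None  # None while the policy still runs


def record_activity(s: SessionState, now: float) -> None:
    """Client/server traffic resets the inactivity timer and nothing else."""
    s.last_activity_at = now


def session_verdict(t: ProfileTimeouts, s: SessionState, now: float) -> str:
    """Return "active" or the reason the session is closed.

    The maximum lifetime is checked first: the guide says it cannot be
    extended, so no activity can rescue a session past it. A session that
    has not reached the webtop is bounded by the access policy timeout,
    which limits how long unfinished sessions can be held open."""
    age = now - s.created_at
    if t.max_session_timeout_min and age > t.max_session_timeout_min * 60:
        return "closed: maximum session timeout"
    if s.reached_webtop_at is None and age > t.access_policy_timeout_s:
        return "closed: access policy timeout"
    idle = now - s.last_activity_at
    if t.inactivity_timeout_min and idle > t.inactivity_timeout_min * 60:
        return "closed: inactivity timeout"
    return "active"


if __name__ == "__main__":
    defaults = ProfileTimeouts()
    stalled = SessionState(created_at=0, last_activity_at=0)  # never reached the webtop
    print(session_verdict(defaults, stalled, now=301))         # closed: access policy timeout

    strict = ProfileTimeouts(inactivity_timeout_min=15, max_session_timeout_min=60)
    live = SessionState(created_at=0, last_activity_at=100, reached_webtop_at=100)
    print(session_verdict(strict, live, now=100 + 16 * 60))    # closed: inactivity timeout
    record_activity(live, now=100 + 16 * 60)
    print(session_verdict(strict, live, now=100 + 16 * 60))    # active
```

The defaults reproduce the guide's stated behaviour: with everything at 0 except the 300 second access policy timeout, a completed session never expires on its own, which is why a practitioner normally sets at least one of the two minute-based limits.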

Understanding configuration settings

On the Access Profile Properties screen, you use the Configurations section to set Single Sign-On, cookie behavior, and logout behavior, with the following settings:

• SSO Configuration - To add an SSO configuration for Single Sign-On, select the configuration from the list.

• Domain Cookie - Specifies a domain cookie to use with a web application access management connection. If you specify a domain cookie, then the line domain=specified_domain is added to the MRHsession cookie. By default, the Secure Cookie option is enabled. This adds the secure keyword to the session cookie. If you are configuring a web application access management scenario with an HTTPS virtual server for authentication, and using an HTTP local traffic virtual server for applications, clear this check box.

• Logout URI Include - Specifies a list of logoff URIs that the access profile looks for in order to terminate the access policy session. You use this feature with HTTP applications. In the URI box, type a logoff URI to add, then click the Add button. In the Logout URI Timeout box, type the seconds to delay before the session is terminated and the logout URI is followed.

Creating an access profile

To create an access profile

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. Click Create. The New Access Profile screen opens.

3. In the Name box, type a name for the access profile. The Access Profile Properties screen appears.

4. To change settings for Inactivity Timeout, Access Policy Timeout, Maximum Session Timeout, and Max Concurrent Users, select the Custom check box, then type numbers for the settings you want to change.

5. To select a Single Sign On (SSO) configuration for the access policy, from the SSO Configuration list, select the SSO configuration.

6. (Optional) In the Domain Cookie box, type the domain cookie.

7. Select the Secure Cookie check box to add the secure keyword to the domain cookie. If the access policy is configured for an HTTP virtual server, clear this check box.

8. Configure the language settings for the access profile. See Customizing access profile languages, following, for more information.

9. Click Finished when the configuration is complete.

Applying an access policy

After you create or change an access policy, the link Apply Access Policy appears in yellow at the top left of the BIG-IP Configuration utility screen. You must click this link to activate the access policy for use in your configuration.

To apply access policies

1. Click the Apply Access Policy link. The Apply Access Policy screen appears, showing a list of access policies that have been changed.

2. Select the check boxes for one or more access policies to apply, and click the Apply Access Policy button. By default, all access policies that are new or changed are selected.

After you apply the access policy, the Access Profiles list screen is displayed.

Customizing access profile languages

Typically, the client’s web browser has language preferences configured, which list display languages in order of preference. Access Policy Manager detects this order, compares it with the languages configured in the access profile, and presents customized pages and messages in the user-specified language, if that language exists in the access profile. If the user-specified language does not exist in the access profile, the user sees pages in the access profile default language.

In the access profile, you can configure the list of accepted languages in which the Access Policy Manager provides messages and customized elements. You can also select a default language for the access profile. The default language is used to provide messages and customized elements to users whose browsers are not identified with a language that is on the list of accepted languages.

Though you can specify any custom language strings, most browsers present standard language strings. To see a list of these language strings, refer to http://www.iana.org/assignments/language-subtag-registry.
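The selection described above (walk the browser's preference order, take the first language string that is on the access profile's accepted list, otherwise fall back to the profile default) is shown here as an added Python example; it is not F5 code. parse_accept_language is a simplified reading of the browser's Accept-Language header (language strings with optional q weights), the case-insensitive whole-string comparison is an assumption, and the accepted lists and defaults used below are constructed sample values.

```python
# Added example (not F5 code): a model of the accepted-language / default-language
# selection the guide describes. Header parsing is simplified; sample lists are
# constructed.
from typing import List


def parse_accept_language(header: str) -> List[str]:
    """Return the browser's language strings in order of preference:
    highest q first, header order as the tie-break, q=0 entries dropped."""
    entries = []
    for pos, part in enumerate(header.split(",")):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # malformed weight: treat the entry as not acceptable
        if q > 0:
            entries.append((-q, pos, tag.strip().lower()))
    return [tag for _, _, tag in sorted(entries)]


def select_language(header: str, accepted: List[str], default: str) -> str:
    """Walk the browser's preferences in order and return the first string
    that is on the profile's accepted list; otherwise the profile default.
    Matching is on the whole string (case-insensitive, an assumption here),
    so "en-US" matches only if "en-US" itself is an accepted language."""
    by_lower = {lang.lower(): lang for lang in accepted}
    for tag in parse_accept_language(header):
        if tag in by_lower:
            return by_lower[tag]
    return default


if __name__ == "__main__":
    profile_accepted = ["en", "fr"]   # constructed access profile settings
    profile_default = "en"
    print(select_language("fr-CA,fr;q=0.8,en;q=0.5", profile_accepted, profile_default))  # fr
    print(select_language("de,ja;q=0.9", profile_accepted, profile_default))             # en
```

Because the comparison is on whole strings, a profile that accepts only "en" does not serve a browser that sends only "en-US"; that browser receives the default language, which is the behaviour the note below about customizing messages per accepted language is warning about.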

There are several other places in Access Policy Manager where you can customize settings for different languages. To configure these language settings, see the following tasks and pages:

• Customizing the Deny access policy ending, on page 7-10

• Customizing access profile languages, on page 7-3

Note

If you customize messages, you must customize the same messages separately for each accepted language. Otherwise, default messages will appear for any accepted language for which you have not customized messages. It is recommended that if you customize messages for a specific accepted language, you remove all other languages from the accepted language list.

To customize access profile languages

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen appears.

2. In the Access Profiles List, click the name of the access profile you want to edit.

3. Configure the access profile language options as follows:

• To add a language string to the list of accepted languages, in the Language Settings area, in the String box, type the string for the language, and click Add.

• To edit a language string, from the Accepted Languages list, select the string and click Edit.

• To delete a language string, from the Accepted Languages list, select the string and click Delete.

• To set the default language, from the Default Language list, select the language.

4. Click Update to update the language settings.

Creating an access policy

In an access policy, you define the criteria for granting access to various servers, applications, and other resources on your network.

You create an access policy by creating an access profile, which automatically creates a blank access policy. Every access profile has an access policy associated with it. You configure that access policy through the access profile.

Starting the visual policy editor

To view and edit the access policy associated with an access profile, you use the visual policy editor, a browser-based editor for access policies.

To start the visual policy editor

1. On the Main tab of the navigation pane, expand Access Policy and click Access Profiles. The Access Profiles List screen opens.

2. In the Access Policy column, click Edit for the access policy you want to edit. The visual policy editor opens in a new window or new tab, depending on your browser settings. You can right-click and select to open in a new tab or new window, if you want to choose the destination. If this is a new access policy, an unconfigured policy appears.

You can also open an access policy from the Access Profiles List screen by clicking the access profile name, then clicking the Access Policy tab, then clicking the Edit link.

Using branch rules

In the visual policy editor, policy branch rules follow each policy action. Typically, an action is followed by both a successful branch rule and a fallback branch rule. Some actions, like the Logon action, are followed by only one branch rule. Some actions are followed by multiple branch rules. In actions where there is only one result branch rule, that result is labeled Fallback. In actions where there is a failed result and a successful result, the visual policy editor labels the successful branch rule Successful and the failed branch rule Fallback. Some actions have multiple result branch rules, and no successful branch.

For example, the Client OS action in Figure 7.1 has multiple branch rules, and each branch rule is named for the operating system to which the branch rule corresponds, with a fallback branch for any client operating system that does not match a specific branch rule. This allows you to assign actions to any branch rule, and separate endings to any branch rule.

Figure 7.1 Policy actions with various result branch rules

To add actions to a branch rule

Click the plus sign on the branch rule where you want to add the action. When you place your cursor over the plus sign, it turns blue and appears between parentheses to indicate that you can click it.

Configuring a basic access policy

To configure a basic access policy, you need to complete the following tasks.

◆ Create an access policy. For more information, see Opening an access policy.

◆ Add general purpose actions, client side checks, and server side checks, as needed. For more information, see Adding actions to an access policy, on page 7-7, Understanding client-side checks, on page 7-13, and Understanding server-side checks, on page 7-14.

◆ Add authentication. For more information, see Understanding authentication actions, on page 7-13.

◆ Assign resources. For more information, see Assigning resources, on page 8-9. Note that you must assign a resource group that contains a network access resource, or the access policy will not function.

◆ Finish the access policy. For more information, see Applying an access policy configuration, on page 7-12.

Opening an access policy

When you create an access profile, the system automatically creates an associated, blank access policy.

To open an access policy

1. On the Main tab of the navigation pane, expand Access Policy and select Access Profiles. The Access Profiles List screen opens.

2. Click Edit in the Access Policy column of the access policy you want to edit. The visual policy editor opens, displaying the access policy.

Figure 7.2 A new, unconfigured access policy

Adding actions to an access policy

When you first open a new access policy in the visual policy editor, the configuration includes only a start point, a fallback branch rule, and a default ending.

To add an action to an access policy

1. On the Main tab of the navigation pane, expand Access Policy and click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch rule of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If the action category you want to add is not expanded, click the plus sign next to the action type.

5. Select an action to add to the access policy by clicking the option. See the full list of action categories and actions at Understanding available actions and categories, on page 7-13.

6. Click Add Item to add the action to the access policy. The action popup screen opens. To configure the action, see the action description in Understanding available actions and categories, on page 7-13.

Using policy endings

Access policy endings are the end result of a branch rule in an access policy. With access policy endings, you can give users access to the network access connection, deny access to users, or redirect users to another URL.

There are three types of endings:

• Allow - Starts the SSL VPN session and loads the network access or web applications webtop for the user.

• Deny - Disallows the SSL VPN session and shows the user a Logon Denied web page.

• Redirect - Transfers the user to the URL specified in the ending configuration.

Configuring access policy endings

In the visual policy editor, you can create and delete access policy endings, change any ending in the access policy to another ending, customize endings, and set a default ending.

To create an access policy ending

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. Near the top of the visual policy editor, click the Edit Endings button. The Edit popup screen opens.

4. At the upper left, click the Add Ending button. The new ending appears, highlighted in blue. See Figure 7.3.

5. In the Name box, type a name for the new ending.

6. Select the type of ending (webtop, logon denied, or redirect).

• Allow - Specifies that the user has access to the network access connection or web application, as defined in the access profile and access policy.

• Redirect - Specifies a URL to which the access policy redirects the user. Type the redirect URL in the box provided.

• Deny - Specifies the user is not allowed access to the network access resource, and presents a Denied page. To customize the Denied page, see Customizing the Deny access policy ending, on page 7-10.

7. To change the color of the ending for better visual clarity in your access policies, click the color square, select a color, and click Update.

8. Click Save.

Figure 7.3 The edit endings dialog, showing a new ending

To change an access policy ending

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. Click an access policy ending. The Select Ending popup screen opens.

4. On the Select Ending popup screen, select an ending for the branch rule.

5. Click Save.

To set a default access policy ending

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. Click the Edit Endings button. The Endings popup screen opens.

4. Click the Set Default tab.

5. Select the default access policy ending you want to use, and click Save.

Customizing the Deny access policy ending

The Deny access policy ending provides several customized messages that you can configure for the access policy. These include text messages for the logout screen. You can also configure these messages for different languages that you have defined for the access policy.

To customize the Deny access policy ending

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the corresponding Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. Click the Edit Endings button. The Endings popup screen opens.

4. On the Deny ending you want to customize, click the plus sign next to Customization. The popup screen displays additional setting options.

5. Customize the text for the logon denied settings by typing the text in the corresponding boxes.

6. Click Save.

Setting - Description

• Language - Specifies the language for which you are configuring Deny messages.

• Success Title - This message is not currently used.

• Success Message - This message is not currently used.

• Thank You Message - Specifies a thank you message displayed for network access users after logout.

• Error Title - Specifies the text that indicates that the session could not start.

• Error Message - Specifies a more specific error message that follows the error title, which indicates that a problem may have occurred during access policy evaluation.

• New Session Text - Specifies the text that precedes the link a user clicks to start a new session.

• New Session Link - Specifies the text label for the hypertext link to start a new session, such as click here. This link immediately follows the New Session Text.

• Session ID Title - Specifies the text that precedes the session number when an error occurs.

• ACL denied page title - Specifies the title text for a page that appears when access is denied by an ACL.

• ACL Denied Page Reject Message - Specifies the text that appears when access to a page or site is denied due to an ACL restriction.

• ACL Denied Page Return Link Message - Specifies the link text that the user can click to return to the previous page. This is displayed when a user reaches the ACL denied page.

Applying an access policy configuration

To complete the configuration of any access policy, and make the access policy active on the server, click the Apply Access Policy link at the top of the screen.

Understanding available actions and categories

When you configure access policies, you select actions from the five categories that the visual policy editor lists in the Add Item popup screen.

• General Purpose

• Authentication

• Client Side Checks

• Client Side Actions

• Server-Side Checks

In addition, a sixth category, labeled Macrocalls, appears in the Add Item popup screen if you configure one or more macros in the access policy.

Understanding general purpose checks

General purpose checks are used for general policy actions, like logon pages, and assignment of resources, variables, and VLANs. General purpose checks also include structural actions that can be used to further refine the flow of access policies.

For more information on configuring general purpose actions, see Chapter 8, Configuring General Purpose Access Policy Actions.

Understanding authentication actions

Authentication actions are used to add authentication with an authentication server or with a client certificate. Microsoft® Active Directory® and LDAP authentication actions can also be used to perform queries of the Active Directory or LDAP databases.

For more information on configuring authentication actions, see Chapter 11, Configuring Authentication Using AAA Servers, and Chapter 12, Introducing On-Demand Certificate Authentication.

Understanding client-side checks

Client-side checks are checks that occur on the client computer, which are performed by ActiveX or other browser plugins. See the macro description Using the Windows AV and FW macro template, on page 7-23, for an example that uses client-side checks. See Figure 7.4, following, for an example of how these appear in the visual policy editor.

Figure 7.4 Client-side checks in an access policy

For more information on configuring client-side checks, see Chapter 9, Configuring Client Side Checks and Client Side Actions.

Understanding client-side actions

Client-side actions start a particular software state on the client. The Access Policy Manager uses information configured in the client-side actions to install software that configures the system. The systems are returned to their previous states after the secure access session ends.

For more information on configuring client-side actions, see Chapter 9, Configuring Client Side Checks and Client Side Actions.

Understanding server-side checks

Server-side checks occur on the Access Policy Manager server. The Access Policy Manager inspects the request headers from the client to determine the UI mode and the client operating system. A server-side check can also be used to determine whether a client has the ability to run client-side checks.

For more information on configuring server-side checks, see Chapter 10, Configuring Server Side Checks.

Configuring macros

A macro is a group of reusable checks. Using the visual policy editor, you configure macros in the same way that you configure access policies. The difference is that you do not configure access policy endings, but instead you configure terminals for a macro.

To create a macro

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. Click the Add New Macro button. The Add New Macro popup screen opens.

4. Select the macro template. The macro templates are described in Using predefined macro templates, on page 7-17.

5. In the Name box, type a name for the macro. This is the name by which the macro appears in the Add Action popup screen.

6. Click Save.

7. To expand the macro, click the plus sign (+) next to the macro name.

8. To edit an action, click the action name. Edits you make to the actions in a macro are applied to the actions in an access policy, after you add the macrocall to the access policy.

9. Add and remove actions from the macro in the same way you add and remove actions from access policies.

10. When you finish customizing an action, click Save.

To configure macro terminals

1. In the visual policy editor, click the plus sign (+) next to the macro name to expand the macro for which you want to edit terminals.

2. Click Edit Terminals. The Edit Terminals popup screen opens.

3. To add a terminal, click Add Terminal.

4. Type a name for the terminal.

5. To change the color of the terminal for better visual clarity in your access policies, click the Dropper, select a color, and click Update.

6. If you want to set a default terminal, click the Set Default tab, and select the default terminal.

7. If you want to delete a terminal, click the (x) next to the terminal name.

To add a macrocall to an access policy

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch rule of the access policy, click the plus sign (+) to add an action. The Add Action popup screen opens.

4. If Macrocalls is not expanded, click the plus sign (+) next to Macrocalls.

5. Select a macro you defined previously and click Add Item. The macrocall is added to the access policy. You can edit the macro items in the macro definition as required.

To delete a macro

Click the (x) button at the right of the screen next to the macro name. You can delete a macro only if it is not in use.

Using predefined macro templates

You can use predefined macro templates to create macros that you can use in your policies. To use the predefined macro templates, refer to the following descriptions.

• Using the empty macro template, on page 7-17

• Using the AD auth and resources macro template, on page 7-17

• Using the AD auth query and resources macro template, on page 7-18

• Using the LDAP auth and resources macro template, on page 7-19

• Using the LDAP auth query and resources macro template, on page 7-20

• Using the RADIUS and resources macro template, on page 7-21

• Using the SecurID and resources macro template, on page 7-22

• Using the Windows AV and FW macro template, on page 7-23

Tip

If you open these macro definitions to view them, you can better understand how the macros are configured. Each macro definition includes instructions on how to add and open the macro template.

Using the empty macro template

You can use the empty macro template to add an unconfigured macro template that includes only a start point and an end point to the access policy. Use this as a starting point to configure a new macro for an access policy.

Using the AD auth and resources macro template

The AD auth and resources macro template is a preconfigured macro template that adds Active Directory authentication to your access policy.

This macro template includes:

• a start point (In)

• a logon page action

• an Active Directory authentication action

• a resource assign action that follows a successful Active Directory authentication

• successful and failure terminals

Configuring the AD auth and resources macro template

In this macro template, you must configure both the Active Directory action and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.

To add and customize the AD auth and resources macro

1. In the visual policy editor, click the Add New Macro button. The Macro Template popup screen opens.

2. Select the macro template AD Auth and resources.

3. Click Save. The popup screen closes.

4. To expand the macro, click the plus sign (+) next to the macro name.

5. To edit an action, click the action name. In the macro display, the action popup screen opens.

• To customize the Active Directory action, see Configuring Access Policy Manager to access the Active Directory for authentication, on page 11-34.

• To customize the resource assign action, see Assigning resources, on page 8-9.

• To customize the logon page action, see To customize the logon page action, on page 16-2.

6. When you finish customizing an action, click Save.

7. To add this macro to the access policy, see To add a macrocall to an access policy, on page 7-16.

Using the AD auth query and resources macro template

The AD auth query and resources macro template is a predefined macro template that adds an Active Directory query and Active Directory authentication to your access policy.

This macro template includes:

• a start point (In)

• a logon page action

• an Active Directory authentication action

• an Active Directory query action

• a resource assign action that follows a successful Active Directory authentication

• successful and failure terminals

Configuring the AD auth query and resources macro template

In this macro template, you must configure the Active Directory query and auth actions and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.

To add and customize the AD auth query and resources macro

1. In the visual policy editor, click the Add New Macro button. The Macro Template popup screen opens.

2. Select the macro template AD auth query and resources.

3. Click Save. The popup screen closes.

4. To expand the macro, click the plus sign (+) next to the macro name.

5. To edit an action, click the action name. The action popup screen opens.

• To customize the Active Directory actions, see Configuring Access Policy Manager to access the Active Directory for authentication, on page 11-34 and Configuring Access Policy Manager to access the Active Directory action item for query, on page 11-35.

• To customize the resource assign action, see Assigning resources, on page 8-9.

• To customize the logon page action, see To customize the logon page action, on page 16-2.

6. When you finish customizing an action, click Save.

7. To add this macro to the access policy, see To add a macrocall to an access policy, on page 7-16.

Using the LDAP auth and resources macro template

The LDAP auth and resources macro template is a preconfigured macro template that adds LDAP authentication and resources to your access policy.

This macro includes:

• a start point (In)

• a logon page action

• an LDAP authentication action

• a resource assign action that follows a successful LDAP authentication

• successful and failure terminals

Configuring the LDAP auth and resources macro template

In this macro template, you must configure both the LDAP action and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.

To add and customize the LDAP auth and resources macro

1. In the visual policy editor, click the Add New Macro button. The Macro Template popup screen opens.

2. Select the macro template LDAP auth and resources.

3. Click Save. The popup screen closes.

4. To expand the macro, click the plus sign (+) next to the macro name.

5. To edit an action, click the action name. The action popup screen opens.

• To customize the LDAP action, see Configuring LDAP access policy action item for authentication, on page 11-24.

• To customize the resource assign action, see Assigning resources, on page 8-9.

• To customize the logon page action, see To customize the logon page action, on page 16-2.

6. When you finish customizing an action, click Save.

7. To add this macro to the access policy, see To add a macrocall to an access policy, on page 7-16.

Using the LDAP auth query and resources macro template

The LDAP auth query and resources macro template is a preconfigured macro template that adds LDAP authentication and an LDAP query to your access policy.

This macro includes:

• a start point (In)

• a logon page action

• an LDAP authentication action

• an LDAP query action

• a resource assign action that follows a successful LDAP query

• successful and failure terminals

Configuring the LDAP auth query and resources macro template

In this macro template, you must configure the LDAP query action, the LDAP auth action, and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.

To add and customize the LDAP auth query and resources macro

1. In the visual policy editor, click the Add New Macro button. The Macro Template popup screen opens.

2. Select the macro template LDAP auth query and resources.

3. Click Save. The popup screen closes.

4. To expand the macro, click the plus sign (+) next to the macro name.

5. To edit an action, click the action name. The action popup screen opens.

• To customize the LDAP actions, see Configuring LDAP query policy action item, on page 11-26 and Configuring LDAP access policy action item for authentication, on page 11-24.

• To customize the resource assign action, see Assigning resources, on page 8-9.

• To customize the logon page action, see To customize the logon page action, on page 16-2.

6. When you finish customizing an action, click Save.

7. To add this macro to the access policy, see To add a macrocall to an access policy, on page 7-16.

Using the RADIUS and resources macro template

The RADIUS and resources macro template is a preconfigured macro template that adds RADIUS authentication and resources to your access policy.

This macro includes:

• a start point (In)

• a logon page action

• a RADIUS authentication action

• a resource assign action that follows successful RADIUS authentication

• successful and failure terminals

Configuring the RADIUS and resources macro template

In this macro template, you must configure both the RADIUS action and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.

To add and customize the RADIUS and resources macro

1. In the visual policy editor, click the Add New Macro button. The Macro Template popup screen opens.

2. Select the macro template RADIUS and resources.

3. Click Save. The popup screen closes.

4. To expand the macro, click the plus sign (+) next to the macro name.

5. To edit an action, click the action name. The action popup screen opens.

• To customize the RADIUS action, see Setting up RADIUS authentication and authorization access policy action item, on page 11-9.

• To customize the RADIUS action for authentication with RSA SecurID over RADIUS, see Configuring RSA SecurID using RADIUS, on page 11-12.

• To customize the resource assign action, see Assigning resources, on page 8-9.

• To customize the logon page action, see To customize the logon page action, on page 16-2.

6. When you finish customizing an action, click Save.

7. To add this macro to the access policy, see To add a macrocall to an access policy, on page 7-16.

Using the SecurID and resources macro template

The SecurID and resources macro template is a preconfigured macro template that adds SecurID authentication to your access policy.

This macro template includes:

• a start point (In)

• a logon page action

• a SecurID authentication action

• a resource assign action that follows a successful SecurID authentication

• successful and failure terminals

Configuring the SecurID and resources macro template

In this macro template, you must configure both the SecurID action and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.

To add and customize the SecurID and resources macro

1. In the visual policy editor, click the Add New Macro button. The Macro Template popup screen opens.

2. Select the macro template SecurID and resources.

3. Click Save. The popup screen closes.

4. To expand the macro, click the plus sign (+) next to the macro name.

5. To edit an action, click the action name. In the macro display, the action popup screen opens.

• To customize the SecurID action, see Setting up RSA Native SecurID authentication and authorization access policy action item, on page 11-21.

• To customize the resource assign action, see Assigning resources, on page 8-9.

• To customize the logon page action, see To customize the logon page action, on page 16-2.

6. When you finish customizing an action, click Save.

7. To add this macro to the access policy, see To add a macrocall to an access policy, on page 7-16.

Using the Windows AV and FW macro template

The Windows AV and FW macro template adds UI Mode, Client OS, Windows information, antivirus, firewall, and logging actions to your access policy. This macro template includes the following elements:

• A start point (In)

• A server-side UI mode action. This action checks whether the server identifies the client as using the full browser or a standalone client in legacy mode, or something else. In the default macro configuration, only the full browser mode is passed to a successful branch rule, and all other results go to failed branch rules.

• A server-side Client OS action. This action checks for the presence of one of seven operating systems. If the operating system is Windows XP, the user is passed to a successful branch rule. All other operating systems go to failed branch rules.

• A client-side Windows information action that checks for the existence of Windows XP Service Pack 2 or Service Pack 3. The fallback branch for this action includes a logging action that logs any Windows Info failure.

• A client-side antivirus check action. This action is in the default state, so it checks that any supported antivirus is enabled on the client system. You can configure this further to check for a specific supported antivirus solution, and for other antivirus parameters. The fallback branch for this action includes a logging action that logs any antivirus failure.

• A client-side firewall check action. This action is in the default state, so it checks that any supported firewall is enabled on the client system. You can configure this further to check for a specific supported firewall solution and version. The fallback branch for this action includes a logging action that logs any firewall failure.

• One successful and several failure terminals.

Configuring the Windows AV and FW macro template

In this macro template, you must configure both the firewall check and antivirus check actions. You can optionally customize other actions to allow, for example, other operating systems, UI modes, service packs, or hotfixes.

To add and customize the Windows AV and FW macro

1. In the visual policy editor, click the Add New Macro button. The Macro Template popup screen opens.

2. Select the macro template Windows AV and FW.

3. Click Save. The popup screen closes.

4. To expand the macro, click the plus sign (+) next to the macro name.

5. To edit an action, click the action name. The action popup screen opens.

• To customize the UI Mode action, see Setting up the UI mode access policy item, on page 10-6.

• To customize the Client OS action, see Setting up the client OS check, on page 10-2.

• To customize the Windows information action, see Setting up Windows info action, on page 9-22.

• To customize the antivirus check action, see Checking antivirus with the antivirus check access policy item, on page 9-2.

• To customize the firewall check action, see Setting up the firewall check action, on page 9-14.

• To customize logging actions, see Adding access policy logging, on page 8-16.

6. When you finish customizing an action, click Save.

7. To add this macro to the access policy, see To add a macrocall to an access policy, on page 7-16.
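The branch flow of the Windows AV and FW macro template described above, as an added Python model that is not APM code: each action classifies a client record and follows its successful or fallback branch rule, and the Logging actions on the Windows info, antivirus and firewall fallback branches record the failure before the failure terminal is reached. The supported product names, client record fields and session ID are assumptions constructed for the example, not APM session variables.

```python
"""Added example, not APM code: a model of the branch rules in the Windows AV
and FW macro template.  Each action classifies the client and follows the
matching branch rule; the fallback branches of the Windows info, antivirus
and firewall checks run a Logging action before their failure terminal, as
the template description states.  Client facts, product names and session
IDs below are constructed, not APM session variables."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Union

Client = Dict[str, object]

# Constructed stand-ins for the "supported" antivirus and firewall product lists.
SUPPORTED_AV = {"Symantec AntiVirus", "McAfee VirusScan"}
SUPPORTED_FW = {"Windows Firewall", "ZoneAlarm"}


@dataclass
class Terminal:
    name: str


@dataclass
class Action:
    name: str
    classify: Callable[[Client], str]            # returns the branch rule that matched
    branches: Dict[str, Union["Action", Terminal]] = field(default_factory=dict)
    log_message: Optional[str] = None            # set on Logging actions only


@dataclass
class Outcome:
    terminal: str
    path: List[str]
    log: List[str]


def evaluate(start: Action, client: Client) -> Outcome:
    """Walk the macro from its start action until a terminal is reached."""
    node: Union[Action, Terminal] = start
    path: List[str] = []
    log: List[str] = []
    while isinstance(node, Action):
        branch = node.classify(client)
        path.append(f"{node.name}:{branch}")
        if node.log_message is not None:
            # Constructed log line; a real Logging action writes session variables.
            log.append(f"session={client.get('session_id')} {node.log_message}")
        if branch not in node.branches:
            raise ValueError(f"{node.name} has no branch rule named {branch!r}")
        node = node.branches[branch]
    return Outcome(node.name, path, log)


def logging_action(name: str, message: str, then: Union[Action, Terminal]) -> Action:
    """A Logging action has a single branch that simply leads onward."""
    return Action(name, lambda _client: "fallback", {"fallback": then}, message)


def any_enabled(products: object, supported: set) -> bool:
    """Default state of the AV and FW checks: any supported product is enabled."""
    return any(p["name"] in supported and p["enabled"] for p in (products or []))


def build_windows_av_fw_macro(allowed_os=("Windows XP",),
                              allowed_service_packs=("SP2", "SP3")) -> Action:
    """Encode the template with its default branch rules.  The two parameters
    are the customization points the page mentions (other operating systems or
    service packs); the AV and FW checks are left in their default state."""
    success = Terminal("Successful")

    firewall = Action("Firewall Check",
        lambda c: "successful" if any_enabled(c.get("firewalls"), SUPPORTED_FW) else "fallback",
        {"successful": success,
         "fallback": logging_action("Log FW", "Firewall check failed", Terminal("Failed: firewall"))})
    antivirus = Action("Antivirus Check",
        lambda c: "successful" if any_enabled(c.get("antivirus"), SUPPORTED_AV) else "fallback",
        {"successful": firewall,
         "fallback": logging_action("Log AV", "Antivirus check failed", Terminal("Failed: antivirus"))})
    windows_info = Action("Windows Info",
        lambda c: "successful" if c.get("service_pack") in allowed_service_packs else "fallback",
        {"successful": antivirus,
         "fallback": logging_action("Log Windows Info", "Windows Info check failed",
                                    Terminal("Failed: Windows info"))})
    # The Client OS and UI Mode fallback branches lead straight to a failure terminal.
    client_os = Action("Client OS",
        lambda c: "successful" if c.get("os") in allowed_os else "fallback",
        {"successful": windows_info, "fallback": Terminal("Failed: client OS")})
    ui_mode = Action("UI Mode",
        lambda c: "successful" if c.get("ui_mode") == "full browser" else "fallback",
        {"successful": client_os, "fallback": Terminal("Failed: UI mode")})
    return ui_mode


if __name__ == "__main__":
    # Constructed client record: an XP SP1 client, so the Windows Info fallback fires.
    client = {"session_id": "c1", "ui_mode": "full browser", "os": "Windows XP",
              "service_pack": "SP1",
              "antivirus": [{"name": "Symantec AntiVirus", "enabled": True}],
              "firewalls": [{"name": "Windows Firewall", "enabled": True}]}
    outcome = evaluate(build_windows_av_fw_macro(), client)
    print(outcome.terminal, "via", " -> ".join(outcome.path))
    for line in outcome.log:
        print("log:", line)
```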

Using the client classification and prelogon checks macro template

The client classification and prelogon checks macro template adds a number of checks to your access policy, for the purpose of client classification and operating system identification. This macro template includes the following elements:

• A start point (In)

• A client-side check capability action. This action checks whether the client can process JavaScript and either ActiveX or Netscape plugins. In the default macro configuration, only the full client-side check capability result is passed to a successful branch rule, and all other results go to failed branch rules.

• A server-side Client OS action. This action checks for the presence of one of eight operating systems. In this macro, the action is customized to send Windows 2000 and later clients to one branch, and Mac and Linux clients to another branch. All other clients are sent to the fallback branch, which leads to a failure ending.

• Two antivirus check actions, one for Windows, and one for Mac and Linux. The fallback branch for each antivirus action includes a logging action that logs any antivirus failure.

• Five UI mode actions, one each on the successful and fallback branches of each antivirus check action. These actions check whether the client is using a full browser (or the BIG-IP® Edge Client™), a legacy standalone client, or something else. Each UI mode action performs a different function depending on the position in the access policy.

• A protected workspace action. This puts a Windows client that successfully passes all checks into a protected workspace session.

• Four separate terminals, as follows:

• Full NA - Specifies that the client has passed checks sufficient to allow full network access.

• Web Application - Specifies that the client has passed checks sufficient to allow web applications access.

• Limited NA - Specifies that the client has passed sufficient checks to have limited network access. This terminal is connected only to the standalone client branch that is connected to the fallback branch of the client-side check capability action. This branch applies to clients using legacy standalone clients.

• Failure - Specifies that the client has not passed sufficient checks to make a connection.

Configuring the client classification and prelogon checks macro template

In this macro template, you can configure the antivirus action. You can optionally customize other actions.

To add and customize the client classification and prelogon checks macro

1. In the visual policy editor, click the Add New Macro button. The Macro Template popup screen opens.

2. Select the macro template Client Classification and Prelogon checks.

3. Click Save. The popup screen closes.

4. To expand the macro, click the plus sign (+) next to the macro name.

5. To edit an action, click the action name. The action popup screen opens.

• To customize the Client-Side Check Capability action, see Setting up the client-side check capability access policy item, on page 10-9.

• To customize the Client OS action, see Setting up the client OS check, on page 10-2.

• To customize UI Mode actions, see Setting up the UI mode access policy item, on page 10-6.

• To customize antivirus check actions, see Checking antivirus with the antivirus check access policy item, on page 9-2.

• To customize logging actions, see Adding access policy logging, on page 8-16.

• To customize the protected workspace action, see Setting up the protected workspace access policy item, on page 9-30.

6. When you finish customizing an action, click Save.

7. To add this macro to the access policy, see To add a macrocall to an access policy, on page 7-16.

Backing up and importing access profiles

You can back up any access profile, and later restore that access profile, or import it to another Access Policy Manager. Backup profiles are saved as files with the extension conf.

When you import a backup profile, you select a conf file. You also specify an Import Prefix. The import prefix is prepended to the access policy name when it is added to the configuration.

Important

The import prefix you specify must begin with a letter, and the import prefix name can include only letters, numbers, and the underscore ( _ ) character.

To back up an access profile

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. Locate the access profile you want to back up. In the Backup Profile column, click the Backup link. You are prompted to open or save a conf file.

3. Specify a location and save the file.

To import an access profile

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. Click the Import button. The Import Profile screen opens.

3. In the Import Prefix box, type the import prefix to prepend to the imported access policy name.

4. Next to the Config File Upload box, click Browse.

5. Select a conf file to import and click the Open button. The file is imported to the system.

Chapter 8

Configuring General Purpose Access Policy Actions

• Introducing general purpose actions

• Configuring general purpose actions in an access policy

Introducing general purpose actions

In BIG-IP® Access Policy Manager™, you configure access policies with general purpose actions in the visual policy editor. Use general purpose actions to add logon pages, and to assign resources, variables, and route domains. General purpose actions also include structural actions that you can use to further refine the flow of access policies. The general purpose actions appear in the Add Item popup screen in the order that follows.

• Logon page - Adds a logon page to the access policy. You can add a number of customized fields, including password fields or other flexible fields. You can also customize messages and links on the logon page, and create custom messages for different languages.

• External logon page - Adds an external logon page to the access policy. This can be used with an external logon server to provide an external logon page for the access policy.

• Resource assign - Assigns resources to the access policy. With this action, you can add ACLs, set the network access resource, add or remove web application resources, and set the webtop for an access policy. You must assign a network access resource or a web applications resource for either access type to function when the user reaches an allowed ending. You must also assign a webtop with a network access connection. Web application access management (access to a local traffic virtual server) does not require a resource assign action; however, you can assign ACLs dynamically to any access type of connection with the resource assign action.

• Variable assign - Assigns one or more variables to the access policy. Use this to modify configuration variables or session variables assigned to a session.

• Virtual Keyboard - Displays a pop-up window in the user's browser, which provides a virtual keyboard that allows the user to enter sensitive information such as passwords, while preventing snooping from keyboard loggers and other similar attacks.

• SSO Credential Mapping - Assigns an agent that allows you to map single sign-on credentials, which can be used to automatically submit user credentials to different backend servers.

• Route Domain selection - Selects a route domain object for policy-based routing. Route domains allow for highly configurable and complex VLAN routing. For more information on route domains, see the TMOS® Management Guide for BIG-IP® Systems.

• Logging - Adds a logging agent that logs the specified session variables to the system logs.

• Message box - Adds a message box that posts a message to the user. To continue, the user must click a link for which you provide the text. The user then proceeds on the same rule branch in the access policy.

• Decision box - Adds a decision box that provides two options to the user for the access policy. You can then configure separate actions on the two branches, depending on user selections.

• iRule event - Adds an iRule event to the access policy.

• Empty action - Adds a blank action from which you can create your own action.

Configuring general purpose actions in an access policy

In the visual policy editor, you can add and configure general purpose actions to customize your access policy. You can add a logon page, assign resources and variables, select a route domain for policy-based routing, add logging of specific session variables, or add messages and provide decisions in access policies or access policy macros. The general purpose action tasks you can do include:

• Adding and customizing a logon page, following

• Adding an external logon page, on page 8-7

• Assigning resources, on page 8-9

• Assigning variables, on page 8-10

• Adding a virtual keyboard to the logon screen, on page 8-13

• Adding SSO credential mapping, on page 8-14

• Selecting a route domain, on page 8-15

• Adding access policy logging, on page 8-16

• Adding a message box, on page 8-17

• Adding a decision box, on page 8-18

• Adding an iRule event, on page 8-19

Adding and customizing a logon page

You can customize the logon page with custom fields and text for different sections of the logon form. On the logon page you can also localize text messages for different languages. The logon page displays up to five logon page agents that can be fully customized. You can define a logon page agent with the following elements:

• Type - Specifies the type of logon page agent. You can specify any agent to be text, password, or none.

• A text agent type displays a text field, and shows the text that is typed in that field.

• A password agent type displays an input field, but displays the typed text input as asterisks.

• A none agent type specifies that the field is not displayed on the logon page.

• Post Variable Name - Specifies the variable name that is prepended to the data typed in the text field. For example, the POST variable username sends the user name input omaas as the POST string username=omaas.


• Session Variable Name - Specifies the session variable name that the server uses to store the data typed in the text field. For example, the session variable username stores the username input omaas as the session variable string session.logon.last.username=omaas.

• Read Only - Specifies whether the logon page agent is read-only, and always used in the logon process as specified. You can use this to add logon POST variables or session variables that you want to submit from the logon page for every session that uses this access policy. You can use a read only logon page field to populate a field with a value from a session variable. For example, you can use the On-Demand Certificate agent to extract the CN (typically the user name) field from a certificate, then you can assign that variable to session.logon.last.username. In the logon page action, you can specify session.logon.last.username as the session variable for a read only logon page field that you configure. When Access Policy Manager displays the logon page, this field is populated with the information from the certificate CN field (typically the user name).

Figure 8.1 shows some items that can be customized with the logon page action.

Figure 8.1 Items that you can customize with the logon page action
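The logon page agent model described above (type, POST variable name, session variable name, read-only flag) can be illustrated with a small simulation of the browser side and the server side. This is an added example, not F5's code and not part of this guide: the agent set, the session variable names for the password and realm fields, and the rule that a read-only field keeps the value already in the session and ignores anything the client posts for it are assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode


@dataclass(frozen=True)
class LogonPageAgent:
    """One logon page agent: its type, the POST variable the browser submits
    and the session variable the server stores the value in."""
    agent_type: str        # "text", "password" or "none"
    post_variable: str     # e.g. "username"
    session_variable: str  # e.g. "session.logon.last.username"
    read_only: bool = False


# Constructed agent set (assumption, not an APM default): the two default
# fields, a read-only field pre-populated from a session variable, and a
# field of type "none", which is not displayed. The password and realm
# session variable names are assumed for this example.
AGENTS = (
    LogonPageAgent("text", "username", "session.logon.last.username"),
    LogonPageAgent("password", "password", "session.logon.last.password"),
    LogonPageAgent("text", "realm", "session.custom.realm", read_only=True),
    LogonPageAgent("none", "unused", "session.custom.unused"),
)


def displayed_fields(agents):
    """Fields the logon page renders as (POST variable, masked?); a type of
    "none" is never shown and a password type is shown masked."""
    return [(a.post_variable, a.agent_type == "password")
            for a in agents if a.agent_type != "none"]


def build_post_body(agents, values):
    """Browser side: the urlencoded POST string for the displayed fields, e.g.
    the user name input omaas becomes username=omaas."""
    pairs = [(a.post_variable, values.get(a.post_variable, ""))
             for a in agents if a.agent_type != "none"]
    return urlencode(pairs)


def apply_logon_post(agents, body, session):
    """Server side: store each submitted field in its session variable.
    Assumption modelled here: a read-only agent keeps the value the session
    already holds (for example a CN taken from a certificate), so a value the
    client posts for it is ignored rather than overwriting the session."""
    form = parse_qs(body, keep_blank_values=True)
    updated = dict(session)
    for agent in agents:
        if agent.agent_type == "none" or agent.read_only:
            continue
        updated[agent.session_variable] = form.get(agent.post_variable, [""])[0]
    return updated


if __name__ == "__main__":
    body = build_post_body(AGENTS, {"username": "omaas", "password": "example-password"})
    print(body)
    print(apply_logon_post(AGENTS, body, {"session.custom.realm": "corp"}))
```

The point of the read-only branch is that a field whose value is meant to come from the device (a certificate CN, a fixed realm) must never be overwritten by whatever the browser sends back under the same POST variable name.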

To add and customize a logon page action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen appears.


2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

5. Select Logon Page and click Add Item. The Logon Page action popup screen opens.

6. In the Logon Page Agent section, enable the fields you want to display on the logon page. By default, a text field for user name, and a password field for the password are enabled and displayed. You can specify up to three more fields to display, or customize the ones enabled.

7. From the Language list, select the language for which you want to customize messages. The four default languages include English (en), Japanese (ja), simplified Chinese (zh-tw), and traditional Chinese (zh-cn). You can specify more languages in the Access Profile properties Language Settings section.

8. Customize the logon page elements:

• Form Header Text - Specifies the text that appears at the top of the logon box.

• Logon Page Input Field # (1-5) - These fields specify the text that is displayed on the logon page for each of the logon page agents, defined in the Logon Page Agent screen area.

• Save Password Checkbox - Specifies the text that appears adjacent to the check box that allows users to save their passwords in the logon form. This field is used only in the secure access client, and not in the web client.

• Logon Button - Specifies the text that appears on the logon button, which a user clicks to post the defined logon agents.

• Front Image - Specifies an image file to display on the logon page. Click Browse to select a file from the file system. Click Show Image or Hide Image to show or hide the currently selected image file. Click Revert to Default Image to discard any customization and use the default logon page image.

• New Password Prompt - Specifies the prompt displayed when a new Active Directory password is requested.


• Verify Password Prompt - Specifies the prompt displayed to confirm the new password when a new Active Directory password is requested.

• Password and Password Verification do not Match - Specifies the prompt displayed when the new Active Directory password and verification password do not match.

9. Click Save when the fields are customized.


Adding an external logon page

You can add a link to an external logon page to use for logon credentials. This can be used with an external solution to provide robust logon credentials to the access policy.

When the user reaches the external logon page action, the following occurs.

• The access policy manager sends an HTML page containing JavaScript code that redirects users to the external server.

• The client submits a post_url variable. This post variable is used by the external application to return a value to the access policy. When the user completes authentication on the external server, the external server posts back to the URL specified in this variable, to continue the session.

The value of post_url is in the format: http(or https)://<Access_Policy_Manager_URI>/my.policy. The <Access_Policy_Manager_URI> is the URI visible to the user, taken from the HTTP Host header value sent by the browser.

HTML content sample for external logon page submission

Figure 8.2 shows the content of a sample submission to an external logon server from the external logon page action.

<html>
<body>
<FORM name=external_data_post_cls method=post action="">
<input type=hidden name=client_data value="SecurityDevice">
<input type=hidden name=post_url value="https://IP_address_of_virtual/my.policy">
</FORM>
<script>
document.external_data_post_cls.action = unescape("https://external_server_IP_address/loginform2.1.php");
document.external_data_post_cls.submit();
</script>
</body>
</html>

Figure 8.2 External logon page submission sample


Sample request from external logon page to virtual server

After the external logon server validates the user, the external server must return the user to the URL specified in post_url, and must post the username and password variables, which are then used by Access Policy Manager to validate the user, as shown in Figure 8.3.

To add an external logon page action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen appears.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

5. Select External Logon Page and click Add Item. The External Logon Page action popup screen opens.

6. In the External Logon Server URI box, type the external logon page URI.

7. Click Save when you are finished.

POST /my.policy HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-silverlight, */*
Referer: https://external_server_IP_address/loginform2.1.php
Accept-Language: en,zh-tw;q=0.8,zh-cn;q=0.5,ja;q=0.3
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: virtual_server_IP_address
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: LastMRH_Session=733e8a16; MRHSession=254dbb61dcfb45db80e026f3733e8a16

username=1031ntg0x&password=71xu1zjoj

Figure 8.3 External logon page request to Access Policy Manager virtual server
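The hand-off in Figures 8.2 and 8.3 has two sides worth seeing in code: the external logon server receives client_data and post_url, and, once it has validated the user, posts username and password back to post_url; Access Policy Manager then receives a request like Figure 8.3. Because post_url is built from the Host header the browser sent, an external logon server that posts credentials wherever post_url points is trusting a client-supplied value, so the example checks it against an allowlist first. This is an added example, not F5's code and not part of this guide; the allowlisted host name, the sample request (which borrows the shape and cookie values of Figure 8.3) and the checks applied are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed allowlist (assumption): the host names of the APM virtual server
# that users see in their browser. post_url is built from the browser's Host
# header, so the external logon server checks it here before posting
# credentials back rather than trusting it as received.
APM_HOSTS = frozenset({"vpn.example.test"})

# Constructed request in the shape of Figure 8.3 (headers trimmed; the cookie
# values and form values are the ones shown in the figure).
SAMPLE_REQUEST = (
    "POST /my.policy HTTP/1.1\r\n"
    "Host: vpn.example.test\r\n"
    "Referer: https://external_server_IP_address/loginform2.1.php\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: LastMRH_Session=733e8a16; MRHSession=254dbb61dcfb45db80e026f3733e8a16\r\n"
    "\r\n"
    "username=1031ntg0x&password=71xu1zjoj"
)


def parse_handoff(body):
    """External server side: read the hidden fields that APM's redirect page
    (Figure 8.2) submits, client_data and post_url."""
    form = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in form.items()}


def validate_post_url(post_url, allowed_hosts=APM_HOSTS):
    """Accept post_url only when it is an https URL to an allowlisted APM host
    with the /my.policy path. Returns (ok, reason)."""
    parts = urlsplit(post_url)
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    if parts.path != "/my.policy":
        return False, "path must be /my.policy"
    return True, "ok"


def build_return_post(post_url, username, password):
    """External server side, after it has validated the user: describe the POST
    that returns the user to APM with the username and password variables."""
    ok, reason = validate_post_url(post_url)
    if not ok:
        raise ValueError("refusing to post credentials: " + reason)
    return {
        "method": "POST",
        "url": post_url,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"username": username, "password": password}),
    }


def parse_credential_post(raw_request):
    """APM side: parse a raw request like Figure 8.3 and return the MRHSession
    cookie plus the posted form fields. Rejects anything that is not a form
    POST to /my.policy carrying a session cookie."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if method != "POST" or path != "/my.policy":
        raise ValueError("not a credential post to /my.policy")
    if headers.get("content-type") != "application/x-www-form-urlencoded":
        raise ValueError("unexpected Content-Type")
    cookies = {}
    for item in headers.get("cookie", "").split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            cookies[name] = value
    if "MRHSession" not in cookies:
        raise ValueError("no MRHSession cookie: post cannot be tied to a session")
    form = {name: values[0] for name, values in
            parse_qs(body, keep_blank_values=True).items()}
    return cookies["MRHSession"], form


if __name__ == "__main__":
    handoff = parse_handoff(
        "client_data=SecurityDevice&post_url=https%3A%2F%2Fvpn.example.test%2Fmy.policy")
    print(build_return_post(handoff["post_url"], "omaas", "example-password"))
    print(parse_credential_post(SAMPLE_REQUEST))
```

The allowlist check is the part to keep: it ensures the external server only ever returns credentials to the virtual server it was deployed for, whatever Host header reached APM.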


Assigning resources

You assign access control lists, a network access or web application resource, and a webtop to the access policy. Each of these resources contains configuration items. You must assign a network access or web applications resource for a working network access connection or web applications access policy. You can also assign webtops for network access or web applications with the resource assign action. For a web application access management connection, you do not assign a resource or a webtop. You assign ACLs to all access types with the resource assign action.

To add a resource assign action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

5. Select Resource Assign, and click Add Item. The Resource Assign action popup screen opens.

6. Click Add new entry. A new resource assign entry appears in the popup screen.

7. To add one or more ACLs, click the Add/Delete ACLs link, then select the check boxes for ACLs you want to assign, and clear the check boxes for ACLs you do not want to assign. ACL assignment is optional.

8. Click Update to return to the Resource Assign popup screen.

9. To specify that this is a network access connection, click the Set Network Access Resource link, and select a network access resource to assign. A working network access connection must specify a network access resource and a network access webtop.

10. Click Update to return to the Resource Assign popup screen.

11. To specify that this is a web applications connection, click the Add/Delete Application Resources link, and select a web applications resource to assign. A working web applications connection must specify a web applications resource.

12. Click Update to return to the Resource Assign popup screen.


13. To specify a webtop for the connection, click the Set Webtop link, and select a webtop to assign.

• For a network access connection, specify a network access webtop.

• For a web applications connection, specify a web applications webtop.

14. Click Update to return to the Resource Assign popup screen.

15. Click Save to save the action.

Assigning variables

You use the variable assign action to assign a configuration variable, a predefined session variable, or a custom variable the value of a AAA server attribute or of a custom expression. This allows you, for example, to assign a custom lease pool for a network access resource, based on the path taken through the access policy.

After the procedure for how to use the variable assign action, this section includes two simple examples. For an example scenario that uses the variable assign action with a Tcl expression to provide more advanced functionality, see Using advanced access policy rules, on page 16-17.

For a list of the configuration variables you can assign with the variable assign action, and the accepted formats for replacement values, see Network access resource variable attributes, on page C-12.

To add a variable assign action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

5. Select Variable Assign and click Add Item. The Variable Assign action popup screen opens.

6. Click Add new entry.

7. Under Assignment, click change. The Variable Assignment popup screen opens.


8. In the left pane of the Variable Assignment popup screen, select the variable to assign. You can select Custom Variable and type the custom variable name in the box, or you can select Predefined Session Variable and select the type, name, and property from the current configuration.

9. In the right pane of the Variable Assignment popup screen, select the value to assign the variable. You can select AAA Attribute and select the agent type, attribute type, and attribute name, or you can select Custom Expression and type a custom expression in the box.

10. Click Finished when you have assigned the variable.

11. Click Save to save the action.

Example: Overwriting a lease pool with a AAA server attribute

In this example, you assign a lease pool to the network access client by using the custom attribute myAttribute from the Microsoft® Active Directory® server. Access Policy Manager gets the value of myAttribute from the Active Directory server, and replaces the network access resource value for leasepool_name with the value of myAttribute. For example, if you assigned myAttribute a value of leasepool1 on the Active Directory server, the network access resource, after the variable assign action, would assign the lease pool leasepool1 to the user.

Note

To use this example, you must have a lease pool defined on the Access Policy Manager, and the name of that lease pool must be defined as the user attribute, myAttribute, on the Active Directory server.

To overwrite a lease pool with a AAA server attribute

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen appears.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

5. Select Variable Assign and click Add Item. The Variable Assign action popup screen opens.


6. Click Add new entry.

7. Under Assignment, next to empty, click change. The Variable Assignment popup screen opens.

8. In the left pane, select Configuration Variable.

9. From the Type list, select Network Access.

10. From the Name list, select a network access resource.

11. From the Property list, select leasepool_name.

12. In the right pane, select AAA Attribute.

13. From the Agent Type list, select AD.

14. From the Attribute Type list, select Use user’s attribute.

15. In the AD Attribute Name box, type myAttribute.

16. Click Finished.

17. Click Save to save the action.

When a user reaches this action in the access policy, Access Policy Manager gets the value for myAttribute from the user’s AAA attributes, and replaces the lease pool defined in the network access resource with this value.

Example: Overwriting a lease pool with a custom expression

In this example, you assign a lease pool to the network access client by replacing the network access resource value for leasepool_name with the value of a custom expression. Access Policy Manager evaluates the custom expression, and replaces the network access resource value for leasepool_name with the value of the custom expression. In this example, the access policy replaces the lease pool with an existing lease pool, called leasepool1, on the Access Policy Manager. The value you use for the custom expression is a simple string.

To overwrite a lease pool with a custom expression

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen appears.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.


5. Select Variable Assign and click Add Item. The Variable Assign action popup screen opens.

6. Click Add new entry.

7. Under Assignment, next to empty, click change. The Variable Assignment popup screen opens.

8. In the left pane, select Configuration Variable.

9. From the Type list, select Network Access.

10. From the Name list, select a network access resource.

11. From the Property list, select leasepool_name.

12. In the right pane, select Custom Expression.

13. In the Custom Expression box, type “leasepool1” (including the quotes).

14. Click Finished.

15. Click Save to save the action.

When a user reaches this action in the access policy, Access Policy Manager evaluates the custom expression, in this case, a simple string with the lease pool name, and replaces the lease pool defined in the network access resource with this value.
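The two examples above differ only in where the value for leasepool_name comes from: a AAA attribute of the user, or a custom expression. The note before the first example also states the precondition that the named lease pool must exist. The following added example (not F5's code and not part of this guide) models both forms of assignment and that precondition: it resolves the value, refuses to apply it when the attribute is missing or names a lease pool that is not defined, and leaves the resource unchanged in that case. Only the quoted-string form of custom expression shown on the page is evaluated; APM itself evaluates Tcl expressions, which this example does not attempt. Resource names, pool names and attribute values are constructed.

```python
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class AAAAttribute:
    """Right-hand side 'AAA Attribute': an attribute of the user's AAA agent."""
    agent_type: str   # e.g. "AD"
    name: str         # e.g. "myAttribute"


@dataclass(frozen=True)
class CustomExpression:
    """Right-hand side 'Custom Expression'; only a quoted string is handled here."""
    text: str         # e.g. '"leasepool1"' (including the quotes, as on the page)


@dataclass(frozen=True)
class Assignment:
    """Left-hand side 'Configuration Variable' plus the source of its value."""
    resource_type: str    # "Network Access"
    resource_name: str    # name of the network access resource
    prop: str             # "leasepool_name"
    source: Union[AAAAttribute, CustomExpression]


# Constructed configuration: one network access resource and the lease pools
# defined on the device (assumed names).
SAMPLE_RESOURCES = {"na_res1": {"leasepool_name": "default_pool"}}
SAMPLE_POOLS = frozenset({"default_pool", "leasepool1"})

# The two assignments the page walks through, as data.
LEASEPOOL_FROM_AD = Assignment("Network Access", "na_res1", "leasepool_name",
                               AAAAttribute("AD", "myAttribute"))
LEASEPOOL_FROM_EXPR = Assignment("Network Access", "na_res1", "leasepool_name",
                                 CustomExpression('"leasepool1"'))


def evaluate_source(source, aaa_attrs):
    """Return the value the assignment would take, or None if it cannot be
    resolved (attribute absent, or an expression form this example does not
    evaluate). aaa_attrs maps agent type -> {attribute name: value}."""
    if isinstance(source, AAAAttribute):
        return aaa_attrs.get(source.agent_type, {}).get(source.name)
    text = source.text.strip()
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]
    return None


def apply_assignment(resources, assignment, aaa_attrs, lease_pools):
    """Apply one variable assign entry to a copy of the resource configuration
    and return (updated_resources, status). An unresolvable value or a lease
    pool that is not defined leaves the resource unchanged and says why, rather
    than handing the session a pool that does not exist."""
    updated = {name: dict(cfg) for name, cfg in resources.items()}
    value = evaluate_source(assignment.source, aaa_attrs)
    if value is None:
        return updated, "no value: attribute missing or expression unsupported"
    if assignment.prop == "leasepool_name" and value not in lease_pools:
        return updated, f"lease pool {value!r} is not defined"
    updated[assignment.resource_name][assignment.prop] = value
    return updated, "ok"


if __name__ == "__main__":
    user_attrs = {"AD": {"myAttribute": "leasepool1"}}
    print(apply_assignment(SAMPLE_RESOURCES, LEASEPOOL_FROM_AD, user_attrs, SAMPLE_POOLS))
    print(apply_assignment(SAMPLE_RESOURCES, LEASEPOOL_FROM_AD, {"AD": {}}, SAMPLE_POOLS))
    print(apply_assignment(SAMPLE_RESOURCES, LEASEPOOL_FROM_EXPR, {}, SAMPLE_POOLS))
```

Returning the original configuration untouched on failure mirrors what an operator wants from the real action: a directory attribute that is empty or mistyped should not silently change which pool a user lands in.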

Adding a virtual keyboard to the logon screen

You can add a virtual keyboard to the logon screen to prevent password characters from being typed on the physical keyboard. When you add the virtual keyboard action, the virtual keyboard appears on the logon screen when a user clicks in the password field, as shown in Figure 8.4. Users then type the password by clicking the characters on the virtual keyboard, instead of typing them on the physical keyboard.

A virtual keyboard action applies to all logon page actions that follow it in the access policy.

Figure 8.4 Virtual keyboard on the logon screen


To add a virtual keyboard action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen appears.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

Note: Add the virtual keyboard in front of the logon page action with which you want the virtual keyboard to be used.

4. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

5. Select Virtual Keyboard and click Add Item. The Virtual Keyboard action popup screen opens.

6. From the Virtual Keyboard list, select Enabled to enable the virtual keyboard, or Disabled to disable the virtual keyboard.

7. From the Move Keyboard After Every Keystroke list, select Enabled to move the virtual keyboard after each character the user clicks, or Disabled to leave the virtual keyboard in place after each keystroke. Moving the keyboard can further obscure the password typed with the virtual keyboard.

8. From the Allow Manual Input list, select Enabled to allow the user to type the password with the physical keyboard or the virtual keyboard. Select Disabled to allow the user to type the password only with the virtual keyboard.

9. Click Save when the fields are customized.

Adding SSO credential mapping

You add the SSO credential mapping action to enable users to forward stored user names and passwords to applications and servers automatically, without having to input credentials repeatedly. This allows single sign-on (SSO) functionality for secure access users.

As different applications and resources support different authentication mechanisms, the single sign-on system may be required to store and translate credentials that differ from the user name and password that a user inputs on the logon page. The SSO credential mapping action allows for credentials to be retrieved from the logon page, or in another way for both the user name and the password.


Understanding SSO token user name caching

The secure access server can cache the user name for use with single sign-on (SSO) applications in the enterprise. When configuring credential caching and mapping, the administrator can define the cached credentials for the SSO Token Username by selecting one of the following:

• Username from logon page - Retrieves and caches the user name that is entered on the secure access logon page.

• sAMAccountName from Active Directory - Looks up the user’s value for sAMAccountName in Active Directory, retrieves the value, and caches it for use as the user name.

• sAMAccountName from LDAP Directory - Looks up the user’s value for sAMAccountName in the LDAP Directory, retrieves the value, and caches it for use as the user name. This can only be used when the session is configured to access Active Directory over LDAP.

• Custom - Allows you to retrieve a custom value from a session variable.

Understanding SSO token password caching

The secure access server can cache the password for use with single sign-on applications in the enterprise. When configuring credential caching and mapping, the administrator can define the cached credentials for the SSO Token Password by selecting one of the following:

• Password from logon page - Retrieves and caches the password that is entered on the secure access logon page.

• Custom - Allows you to retrieve a custom value from a session variable.

For information on how to configure SSO with credential caching and proxying, refer to Chapter 13, Introducing Single Sign-On.

Selecting a route domain

You select a route domain to use route domain-based policy routing. Add this action on a branch of the access policy when you want to send the user to a different route domain, based on the outcomes of previous branches in the access policy.

To add a route domain selection action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.


3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

5. Select Route Domain Selection and click Add Item. The Route Domain Selection action popup screen opens.

6. From the Route Domain ID list, select a route domain ID to use with this access policy.

The route domain must be already defined on the Access Policy Manager. For more information, see Configuring policy routing, on page 16-11.

Adding access policy logging

Use access policy logging to write the values of specific session variables or session variable categories to the system logs. You can use this action to trace the session variables that are created for a specific category, or in a specific branch.

One use for access policy logging is to trace the variables created from AAA server attributes. The Access Policy Manager creates session variables for all AAA server attributes, so the session variables that are created in a session are specific to the configuration of the AAA server. As an example, to determine the session variables created from RADIUS attributes, you can set the logging action to log all RADIUS variables, by selecting RADIUS from the Session Variables category list.

To add a logging action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

5. Select Logging and click Add Item. The Logging action popup screen opens.

6. Click Add new entry.

7. Select a category of session variables to write to the log.


• If you select a predefined category, all session variables for that session variable category are logged using wildcards. For example, for Active Directory, the session variables session.ad.last.* are logged.

• If you select the Custom category, you can type a session variable or session variable category to log in the Session Variables box.

8. To log more session variables, or session variable categories, click Add new entry.

9. When you have finished, click Save to save the action.
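The selection rule described in step 7, a predefined category standing for a wildcard such as session.ad.last.*, or a Custom entry naming a single variable or a category, can be shown with a small selector run over a constructed set of session variables. This is an added example, not F5's code and not part of this guide. Only the Active Directory wildcard appears on the page; the RADIUS and LDAP patterns, the session variable names and values, and the rule that password-bearing variables are masked before they are written to the log are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Predefined category wildcards. Only the Active Directory pattern
# (session.ad.last.*) appears on the page; the other two are assumptions that
# follow the same naming scheme.
CATEGORIES = {
    "Active Directory": "session.ad.last.*",
    "RADIUS": "session.radius.last.*",
    "LDAP": "session.ldap.last.*",
}

# Assumption: variables whose last name component ends in "password" are
# masked before they reach syslog, whichever category selected them.
MASKED_SUFFIXES = ("password",)

# Constructed session variables for one session (not captured from a device).
SAMPLE_SESSION = {
    "session.ad.last.actualdomain": "corp.example.test",
    "session.ad.last.attr.memberOf": "CN=vpn-users,OU=Groups,DC=corp,DC=example,DC=test",
    "session.logon.last.username": "omaas",
    "session.logon.last.password": "example-password",
    "session.radius.last.attr.Class": "OU=sales",
}


def patterns_for(entries):
    """Logging-action entries are either a predefined category name or
    ("Custom", text), where text is a variable name, a category prefix or a glob."""
    patterns = []
    for entry in entries:
        if isinstance(entry, tuple) and entry[0] == "Custom":
            patterns.append(entry[1])
        else:
            patterns.append(CATEGORIES[entry])
    return patterns


def matches(name, pattern):
    """Glob patterns match with fnmatch; a plain name matches itself or, as a
    category prefix, everything below it (session.logon.last -> session.logon.last.*)."""
    if any(ch in pattern for ch in "*?["):
        return fnmatchcase(name, pattern)
    return name == pattern or name.startswith(pattern + ".")


def select_variables(session_vars, patterns):
    """Session variables selected by at least one pattern, in name order."""
    return {name: value for name, value in sorted(session_vars.items())
            if any(matches(name, p) for p in patterns)}


def format_log_lines(session_id, selected):
    """One log line per variable, masking the values of sensitive variables."""
    lines = []
    for name, value in selected.items():
        last = name.rsplit(".", 1)[-1].lower()
        shown = "********" if last.endswith(MASKED_SUFFIXES) else value
        lines.append(f"{session_id}: {name} = {shown}")
    return lines


if __name__ == "__main__":
    chosen = select_variables(SAMPLE_SESSION, patterns_for(["Active Directory",
                                                            ("Custom", "session.logon.last")]))
    for line in format_log_lines("733e8a16", chosen):
        print(line)
```

Logging a whole category is convenient for tracing which attributes a AAA server returns, but a category that happens to contain the user's password lands that password in syslog; the masking step is the reason to filter values rather than dump every selected variable verbatim.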

Adding a message box

You can add a message box anywhere in an access policy. A message box has no effect on the user's access to the network or the access policy checks. It is used solely to present a message to the user, and to prompt the user to click a link to continue. You might use a message box to warn a user that he is going to a quarantine network, or that the client certificate failed to authenticate, or any other time you want to tell the user a message about the results of a rule branch in the access policy.

To add a message

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

5. Select Message Box and click Add Item. The Message Box action popup screen opens.

6. From the Language list, select the language for the message.

7. In the Message box, type the message to the user. You can use HTML tags for formatting, as in the example: <font color=red> Please click the link below to continue. </font>

8. In the Link box, type the text that the user must click to continue. This text appears as a link the user can click to continue.

9. Click Save.


Adding a decision box

You can add a decision box anywhere in an access policy. You use a decision box to present two options to the user. These options are presented as link text, preceded by images. You might use a decision box when a user fails an endpoint security check, or when a user fails to authenticate. In these cases, one branch can provide an option to allow the user to continue onto a quarantine network that provides only limited access to a segregated subnet. The other branch can provide an option to log out, and present the user with a logon denied ending. Another use of the second option branch is to allow the user to continue to a redirect ending that takes the user to a helpful URL, for example, to the web site of an antivirus vendor to download virus database updates.

To add a decision box action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. Select the language to customize for the decision box.

5. In the Message box, type a message to the user. You can use HTML tags for formatting, as in the example: <font color=red> Please choose one of the following two options below. </font>

6. From the Field 1 image list, select the image for field one. This image precedes the text you type in the next step.

7. In the Option 1 box, type the text for option 1. This text appears to the user as the first clickable link.

8. From the Field 2 image list, select the image to use for option 2. Note that option 2 is the fallback rule branch of the access policy action. This image precedes the text you type in the next step.

9. In the Option 2 box, type the text for option 2. Note that option 2 is the fallback rule branch of the access policy action. This text appears to the user as the second clickable link.

10. Click Save.


Adding an iRule event

You can add an iRule event anywhere in an access policy. You use an iRule event to add iRule processing to an access policy at a specific point.

For a list of supported iRule events, see Appendix D, Using Access iRule Events.

Note

iRule event access policy items must be processed and completed before the access policy can continue.

To add an iRule event action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a rule branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. Select iRule event and click Add Item. The Custom iRule Event Agent popup screen opens.

5. In the ID box, type the iRule event you want to insert.

6. Click Save.


Chapter 9

Configuring Client Side Checks and Client Side Actions

• Understanding client-side checks

• Setting up antivirus check

• Setting up file check

• Setting up a machine cert auth check

• Setting up firewall check

• Setting up process check

• Setting up registry check

• Verifying Windows information

• Understanding client-side actions

• Setting up cache and session control

• Setting up protected workspace

• Assigning a Windows group policy template


Understanding client-side checks

In BIG-IP® Access Policy Manager™ access policies, you use client-side checks to collect and verify system information. In the visual policy editor, you can use the information collected by client-side checks in an access policy, to enforce a specific security level before granting access to network resources. You can also use this information to perform remediation and protect your network resources. The Access Policy Manager provides these checks as a set of access policy actions that you can use to construct an access policy to evaluate client systems.

Access Policy Manager uses ActiveX controls or browser plug-ins to collect information about client systems. For those clients that do not support browser add-ons or that do not allow browser software installation, the client-side security process can inspect HTTP headers to gather information about the client, including the operating system and browser type. You can check that a client supports client-side checks with the client-side check capability action. If a client does not support client-side checks, that client can follow a different access policy branch.

While Access Policy Manager provides checks for many client devices, some client-side checks may not be supported on all supported operating systems.

The Access Policy Manager supports the following client-side checks.

• Antivirus check - Checks information about installed Windows, Macintosh, or Linux antivirus software, including vendor, version, state (enabled or disabled), and virus database age. For details, refer to Setting up antivirus check, on page 9-2.

• Firewall check - Checks information about installed Windows, Macintosh, or Linux firewalls, including vendor, state (enabled or disabled), and version. For details, refer to Setting up firewall check, on page 9-14.

• File check - Checks for the presence or absence of Windows, Macintosh, or Linux files based on specific file properties. For details, refer to Setting up file check, on page 9-6.

• Machine cert auth - Checks the client system for an installed machine certificate. For details, refer to Setting up a machine cert auth check, on page 9-10.

• Windows info - Checks the version information for the Windows operating system, such as version and hotfix information from the remote system. For details, refer to Verifying Windows information, on page 9-22.

• Process check - Checks for running Windows, Macintosh, or Linux processes. For details, refer to Setting up process check, on page 9-17.

• Registry check - Checks the Windows registry for keys and values that you specify. For details, refer to Setting up registry check, on page 9-19.


Setting up antivirus check

You use the antivirus check action to check for antivirus software on the client computer. You can configure the antivirus check action to search for antivirus software from a set of available antivirus vendors, or for specific antivirus applications. In addition, the antivirus check can determine the specific version of the software, the specific virus database version, the age of the virus database, and whether the antivirus software is enabled.

When you configure the antivirus action with multiple antivirus types, the antivirus types work as logical OR operators. If one antivirus type you specify matches the software on the client computer, the action passes, regardless of other antivirus conditions that are specified in the action.

Checking antivirus with the antivirus check access policy item

Use the antivirus check action to assure that clients who connect to secure resources are using an approved and up-to-date antivirus solution.

To add an antivirus check action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If client-side check actions are not expanded, click the plus sign next to Client Side Checks.

5. Select Antivirus Check and click Add Item to add the action to the access policy. The Antivirus Check action popup screen opens.

6. Configure the antivirus entry.

a) From the Antivirus ID list, select the antivirus vendor. Select Any to allow the access policy to pass with any antivirus. In this list, Windows-specific antivirus products are marked with the prefix [Win], Macintosh-specific antivirus products are marked with the prefix [Mac], and Linux-specific antivirus products are marked with the prefix [Lin].

b) From the State list, select a state for the antivirus. Select Enabled to specify that the selected antivirus (or any antivirus) is running on the computer. Select Unspecified to verify the presence of the antivirus software, but not the state.


c) If you require a specific virus software engine version (for example, 5200.2000), in the Version box, type the version number. Note that this check does not allow for later versions, so if you check for a specific version, a later version will fail.

d) If you require a specific virus database version (for example, 4.931.00), in the Database Version box, type a database version. Note that this check does not allow for later versions, so if you specify a check for a specific version, a later version will fail.

e) If you require that the virus database not be older than a certain age, in the DB Age Not Older Than (days) box, type the database age in days. Be sure to use settings that are compatible with your software. Some antivirus services provide updates frequently, every few days; some antivirus services update only every week or less.

7. To add another antivirus type to the action, click Add New Entry, and repeat step 6.

8. Click Save to complete the configuration.

Example: Using antivirus check

In this example, the administrator adds support for two popular corporate antivirus solutions: McAfee on Windows, and Symantec on Mac and Linux platforms. The administrator specifies that any of these antivirus solutions must be running, with virus databases no older than 7 days, for the client computers to pass the condition successfully.

Note

This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.

To configure the example action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.


4. If client-side check actions are not expanded, click the plus sign next to Client Side Checks.

5. Select Antivirus Check and click Add Item to add the action to the access policy. The Antivirus Check action popup screen opens.

6. Configure McAfee for Windows:

a) From the Antivirus ID list, select [win/mac/linux] McAfee, Inc.

b) From the State list, select Enabled.

c) In the DB Age Not Older Than (days) box, type 7.

7. Click Add new entry to add an antivirus entry to the action. Note that new entries are added above previously configured entries, by default.

8. Configure Symantec for Macintosh:

a) From the Antivirus ID list, select [mac] Symantec Corp.

b) From the State list, select Enabled.

c) In the DB Age Not Older Than (days) box, type 7.

9. Click Add new entry to add an antivirus entry to the action. Note that new entries are added above previously configured entries, by default.

10. Configure Symantec for Linux:

a) From the Antivirus ID list, select [win/linux] Symantec Corp.

b) From the State list, select Enabled.

c) In the DB Age Not Older Than (days) box, type 7.

The configured action appears as shown in Figure 9.1.

11. Click Save to save the access policy.
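The OR semantics of multiple antivirus entries, the exact-match behaviour of the version fields, and the 7-day DB age limit from the example above, as an added Python model (not F5 code; the entry and product classes, the sample products and the reference date are constructed for illustration):

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Sequence, Tuple


@dataclass
class AntivirusEntry:
    """One entry of the Antivirus Check action; empty or None fields are not checked."""
    antivirus_id: str             # vendor name as listed in the Antivirus ID list, or "Any"
    state: str = "Unspecified"    # "Enabled" requires the product to be running
    version: str = ""             # engine version: exact match only, a later version fails
    database_version: str = ""    # virus database version: exact match only
    db_age_not_older_than_days: Optional[int] = None


@dataclass
class InstalledAntivirus:
    """What the client-side inspector reports for one installed product (constructed data)."""
    vendor: str
    enabled: bool
    version: str
    database_version: str
    database_date: date


def entry_matches(entry: AntivirusEntry, product: InstalledAntivirus, today: date) -> bool:
    """All conditions configured within a single entry must hold for that entry to match."""
    if entry.antivirus_id != "Any" and entry.antivirus_id != product.vendor:
        return False
    if entry.state == "Enabled" and not product.enabled:
        return False
    # The version boxes are exact matches, as the guide warns: a newer engine or
    # database than the one typed does not pass.
    if entry.version and product.version != entry.version:
        return False
    if entry.database_version and product.database_version != entry.database_version:
        return False
    if entry.db_age_not_older_than_days is not None:
        if (today - product.database_date).days > entry.db_age_not_older_than_days:
            return False
    return True


def antivirus_check(entries: Sequence[AntivirusEntry],
                    installed: Sequence[InstalledAntivirus],
                    today: date) -> Tuple[bool, Optional[str]]:
    """Entries are OR-ed: the action passes as soon as one entry matches one installed
    product, regardless of the other entries. Returns (passed, reason)."""
    for entry in entries:
        for product in installed:
            if entry_matches(entry, product, today):
                return True, f"entry {entry.antivirus_id!r} satisfied by {product.vendor!r}"
    return False, None


# The example policy: McAfee or Symantec, enabled, virus database no older than 7 days.
EXAMPLE_ENTRIES: List[AntivirusEntry] = [
    AntivirusEntry("McAfee, Inc.", state="Enabled", db_age_not_older_than_days=7),
    AntivirusEntry("Symantec Corp.", state="Enabled", db_age_not_older_than_days=7),
]

# Constructed reference date and client reports (version strings are made up).
TODAY = date(2010, 5, 4)
FRESH_MCAFEE = InstalledAntivirus("McAfee, Inc.", True, "5200.2000", "4.931.00", date(2010, 5, 1))
NEWER_MCAFEE = InstalledAntivirus("McAfee, Inc.", True, "5200.2001", "4.931.00", date(2010, 5, 1))
DISABLED_MCAFEE = InstalledAntivirus("McAfee, Inc.", False, "5200.2000", "4.931.00", date(2010, 5, 1))
STALE_SYMANTEC = InstalledAntivirus("Symantec Corp.", True, "11.0", "20100420", date(2010, 4, 20))
OTHER_VENDOR = InstalledAntivirus("Example AV Ltd.", True, "1.0", "1", date(2010, 5, 3))

if __name__ == "__main__":
    for label, products in [("fresh McAfee", [FRESH_MCAFEE]), ("stale Symantec", [STALE_SYMANTEC]),
                            ("disabled then fresh", [DISABLED_MCAFEE, FRESH_MCAFEE])]:
        print(label, antivirus_check(EXAMPLE_ENTRIES, products, TODAY))
```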


Figure 9.1 Antivirus check action example


Setting up file check

You use the file check action for Windows, Macintosh, or Linux to verify the presence of one or more files on a client system. On all supported platforms, the file check action can verify one or more file properties, including the file name, size, date, and MD5 checksum. In addition, the Windows version of the file check action can verify version and signer information.

If a file with the described properties exists, the client is passed to the successful branch. If the file does not exist, or a file exists but one or more properties are not correct, the client is passed to the fallback branch.

Checking for a file with the file check access policy item

Add a file check action to an access policy in a situation where verifying the presence of a certain file can increase confidence in the security of the client system.

To add a file check action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If client-side check actions are not expanded, click the plus sign next to Client Side Checks.

5. Select the file check action for your platform:

• For Windows, select Windows File Check and click Add Item to add the action to the access policy.

• For Macintosh, select Mac File Check and click Add Item to add the action to the access policy.

• For Linux, select Linux File Check and click Add Item to add the action to the access policy.

The File Check action popup screen opens.

6. Click Add new entry to add a file entry to the action.

7. Configure the entry.

a) In the FileName box, type the name for the file you want to check. Note that this is the only setting that is required.


b) If you want to verify that the MD5 checksum matches, in the MD5 box, type or paste the MD5 checksum.

c) If you require an exact size for the file, in the Size box, type the size in bytes. Note that if you type a 0 in this box, no file size check occurs. To check for a 0-byte file, you must instead type the MD5 checksum in the MD5 box. The MD5 checksum for a 0-byte file is always d41d8cd98f00b204e9800998ecf8427e.

d) If you want to specify the file creation date, in the Date box, type the file creation date. The default date of 1970-01-01 00:00:00 is the same as specifying no date. You can determine the file creation date by right-clicking the file in Windows, and selecting Properties. The file creation date must be translated to a 24-hour clock, if your system is not on 24-hour time. For example, you would type the file creation date Wednesday, February 27, 2008, 1:23:37 PM in this box as 2008-02-27 13:23:37. The file creation date is compared in UTC (Greenwich Mean Time, GMT), so when the server or client time zone differs from UTC, the time displayed for the file is not the UTC time, and you must adjust the file time you specify accordingly.

e) For Windows file check only, if you require that the file be signed, in the Signer box, type the signer.

f) For Windows file check only, in the Version box, type the version of the file, if you want to specify a version, or greater than or less than a version of the file.

g) For Windows file check only, from the Version Comparison list, select the version comparison operator. Select = if you want the file to be the exact version you specify, select < if you want the checked file version to be greater than the version number you specify, and select > if you want the checked file version to be less than the version number you specify.

8. To add another file to the action, repeat steps 6-7.

9. Click Save to complete the configuration.


Example: Using file check

In this example, the administrator adds a Windows file check action, with the requirement that a system file, wininet.dll, be present on the client system. The file must be version 6.0.2900.2904, be 658,432 bytes in size, and have an MD5 checksum of 38ab7a56f566d9aaad31812494944824.

Note

This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.

To configure the example action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If client-side check actions are not expanded, click the plus sign next to Client Side Checks.

5. Select Windows File Check and click Add Item to add the action to the access policy. The File Check action popup screen opens.

6. Click Add new entry to add a file entry to the action.

7. Configure the entry:

• In the File Name box, type wininet.dll.

• In the MD5 box, type the MD5 checksum 38ab7a56f566d9aaad31812494944824. Many MD5 checksum utilities include a copy function to simplify this step.

• In the Size box, type 658432.

• In the Version box, type 6.0.2900.2904.

• From the Version Comparison list, select =.

The configured action appears as shown in Figure 9.2.

8. Click Save to complete the configuration.
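To make the property rules of steps 7a-7g and the wininet.dll example concrete, here is an added Python model of how a file check entry is evaluated (not F5's implementation). The ObservedFile class stands in for what the client inspector reports, the sample content bytes are constructed, so their MD5 and size differ from the guide's real wininet.dll values, and the Version Comparison operators follow the guide's own description.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

EMPTY_FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes, as the guide states
NO_DATE = "1970-01-01 00:00:00"                       # default Date value, means "no date check"
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"                     # 24-hour clock, UTC


@dataclass
class FileCheckEntry:
    """One row of the File Check action; field names follow the guide's boxes."""
    file_name: str
    md5: str = ""
    size: int = 0                  # 0 disables the size check (use EMPTY_FILE_MD5 for empty files)
    date: str = NO_DATE            # creation date in UTC, or NO_DATE to skip
    signer: str = ""               # Windows only
    version: str = ""              # Windows only
    version_comparison: str = "="  # "=", "<" or ">"


@dataclass
class ObservedFile:
    """What the client-side inspector reports back (constructed here, not a real file)."""
    name: str
    content: bytes
    created_utc: datetime
    signer: str = ""
    version: str = ""


def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def version_matches(required: str, operator: str, observed: str) -> bool:
    """Apply the Version Comparison operator as the guide describes it: '=' exact match,
    '<' the file's version must be greater than the typed one, '>' it must be less."""
    req, obs = version_tuple(required), version_tuple(observed)
    if operator == "=":
        return obs == req
    if operator == "<":
        return obs > req
    if operator == ">":
        return obs < req
    raise ValueError(f"unknown comparison operator {operator!r}")


def creation_date_box_value(local_time: str, utc_offset_hours: float) -> str:
    """Translate a creation time shown by the OS in local 24-hour time into the UTC value
    that must be typed into the Date box (utc_offset_hours is the local zone's offset)."""
    local = datetime.strptime(local_time, DATE_FORMAT)
    return (local - timedelta(hours=utc_offset_hours)).strftime(DATE_FORMAT)


def evaluate_file_check(entry: FileCheckEntry, observed: Optional[ObservedFile]) -> Tuple[bool, str]:
    """Return (passed, reason). Any mismatched property sends the client to the fallback branch."""
    if observed is None or observed.name.lower() != entry.file_name.lower():
        return False, "file not present"
    if entry.md5 and hashlib.md5(observed.content).hexdigest() != entry.md5.lower():
        return False, "MD5 mismatch"
    if entry.size != 0 and len(observed.content) != entry.size:
        return False, "size mismatch"
    if entry.date != NO_DATE:
        wanted = datetime.strptime(entry.date, DATE_FORMAT).replace(tzinfo=timezone.utc)
        if observed.created_utc != wanted:
            return False, "creation date mismatch"
    if entry.signer and observed.signer != entry.signer:
        return False, "signer mismatch"
    if entry.version and not version_matches(entry.version, entry.version_comparison, observed.version):
        return False, "version mismatch"
    return True, "all configured properties match"


# Constructed sample data: the content is a stand-in, so its MD5 and size are computed here
# rather than taken from the guide's example values.
SAMPLE_CONTENT = b"constructed stand-in for wininet.dll contents"
SAMPLE_CREATED = datetime(2008, 2, 27, 21, 23, 37, tzinfo=timezone.utc)


def demo() -> Tuple[bool, str]:
    """The guide's wininet.dll entry evaluated against the constructed client report."""
    entry = FileCheckEntry(
        file_name="wininet.dll",
        md5=hashlib.md5(SAMPLE_CONTENT).hexdigest(),
        size=len(SAMPLE_CONTENT),
        version="6.0.2900.2904",
        version_comparison="=",
    )
    observed = ObservedFile("wininet.dll", SAMPLE_CONTENT, SAMPLE_CREATED, version="6.0.2900.2904")
    return evaluate_file_check(entry, observed)


if __name__ == "__main__":
    print(demo())
    print(creation_date_box_value("2008-02-27 13:23:37", -8))
```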


Figure 9.2 Windows file check action example


Setting up a machine cert auth check

You use the machine certificate authentication check action to check for the presence of a machine certificate on the client computer. You can configure the action to check for a certificate in a specific location, and to require matches with particular certificate fields to pass.

Understanding machine cert auth check options

The machine cert auth check can be configured with a number of options. These options are listed below:

• Certificate Store Name - Specifies the certificate store name that the action attempts to match. The certificate store can be a system store with a predefined name like MY, or a user-defined name. The store name can contain alphanumeric characters. The default store name is MY.

• Certificate Store Location - Specifies the type and location of the store that contains the certificate, either the local machine or the current user. The store locations are in the following registry locations:

• LocalMachine - searches in HKEY_LOCAL_MACHINE for the machine certificate.

• CurrentUser - searches in HKEY_CURRENT_USER for the machine certificate.

• CA Profile - Specifies the certificate authority profile for the machine certificate. To configure a certificate authority, on the navigation pane, expand Local Traffic, click Profiles, from the SSL menu select Certificate Authority, and click Create.

• OCSP Responder - Specifies the Online Certificate Status Protocol responder configured to provide certificate status. The OCSP responder is used to check the status of the machine certificate configured in the machine cert auth check action.

• Certificate Match Rule - Specifies how the machine cert auth check action identifies the certificate. The following match rules are supported:

• SubjectCN Match FQDN - Specifies that the common name in the machine certificate matches the computer’s fully qualified domain name (FQDN).

• SubjectAltName Match FQDN - Specifies that the content extracted from the Subject Alternative Name field, using a specified regular expression, must match the computer’s FQDN. When this option is selected, the SubjectAltName box appears. This box is required for the SubjectAltName match value only. The regular expression is used to extract content from the first subgroup matched in the Subject Alternative Name, and then to compare the extracted content with the machine’s FQDN.

Note that the order of RDNs is the same as is displayed; the required separator is a comma ( , ). Subcases for regex extraction follow:

Partial extraction. For example, ".*DNS Name=([^,]+).*" or ".*Other Name:Principal Name=([^,]+).*". For the regular expression '.*DNS Name=([^,]+).*', the value of the DNS Name field is extracted for matching.

Whole extraction. Leave this field empty or use "(.*)", in order to allow the entire SubjectAltName content to be extracted for matching.

• Any - Specifies that the first certificate in the specified certificate store is sent to the server for further validation. Any other certificates are ignored.

• Issuer - Specifies that the content from the Issuer field matches the pattern specified by the regular expression. When this option is selected, the Issuer box appears. This box is required for the Issuer match, as well as the Issuer and Serial Number match. The regular expression is used to match the Issuer’s content against the specified pattern.

Note that the order of RDNs is the same as is displayed; the required separator is a comma ( , ).

Subcases for the regex match are as follows:

Partial match. For example, "CN=.*, OU=FP, O=F5, L=San Jose, S=CA, C=US"

Exact Match. For example, "CN=Root, OU=FP, O=F5, L=San Jose, S=CA, C=US"

• Issuer and Serial Number - Specifies that the content from the Issuer field matches the pattern specified by the regular expression, and that the serial number precisely matches your input. When this option is selected, the Issuer box appears. This box is required for the Issuer match, as well as the Issuer and Serial Number match. The regular expression is used to match the Issuer’s content against the specified pattern. When this option is selected, the Serial Number box also appears. The serial number must be an exact match (for example, the hex string must be typed in the same order as it is displayed by OpenSSL and Windows cert tools). For example, 0102030405060708090a.


• Save Certificate in a session variable - Select Enabled to save the complete encrypted text of the machine certificate in a session variable, session.windows_check_machinecert.<name>.cert.
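The match rules above, as an added Python example (not F5 code): the certificate fields, host name and serial number are constructed, and the regular expressions are assumed to match the full displayed string, as the leading and trailing .* in the guide's own patterns suggest.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class MachineCert:
    """Certificate fields as the check would see them, rendered the way OpenSSL and the
    Windows cert tools display them (RDNs separated by ", "). Constructed sample data."""
    subject_cn: str
    subject_alt_name: str
    issuer: str
    serial_hex: str


def subject_cn_match_fqdn(cert: MachineCert, fqdn: str) -> bool:
    """SubjectCN Match FQDN: the certificate's common name equals the computer's FQDN."""
    return cert.subject_cn.lower() == fqdn.lower()


def subject_alt_name_match_fqdn(cert: MachineCert, fqdn: str, regex: str = "") -> bool:
    """SubjectAltName Match FQDN: extract the first subgroup of `regex` from the displayed
    Subject Alternative Name and compare it with the FQDN. An empty regex (or "(.*)") is
    the whole-extraction case. Assumes the pattern must match the entire SAN string."""
    pattern = regex or "(.*)"
    match = re.fullmatch(pattern, cert.subject_alt_name)
    if match is None or match.lastindex is None:
        return False  # no match, or the regex has no capturing subgroup to extract
    return match.group(1).strip().lower() == fqdn.lower()


def issuer_match(cert: MachineCert, issuer_regex: str) -> bool:
    """Issuer: the displayed Issuer string must match the regular expression in full;
    "CN=.*, OU=FP, ..." is a partial match, "CN=Root, OU=FP, ..." an exact one."""
    return re.fullmatch(issuer_regex, cert.issuer) is not None


def issuer_and_serial_match(cert: MachineCert, issuer_regex: str, serial_hex: str) -> bool:
    """Issuer and Serial Number: issuer as above, plus an exact (case-insensitive) hex-string
    match of the serial number, typed in the byte order the cert tools display."""
    return issuer_match(cert, issuer_regex) and cert.serial_hex.lower() == serial_hex.lower()


def select_any(store: List[MachineCert]) -> Optional[MachineCert]:
    """Any: the first certificate in the store is sent on for server-side validation."""
    return store[0] if store else None


def evaluate_match_rule(cert: Optional[MachineCert], rule: str, fqdn: str = "",
                        regex: str = "", serial_hex: str = "") -> bool:
    """Dispatch on the Certificate Match Rule names shown in the visual policy editor."""
    if cert is None:
        return False
    if rule == "SubjectCN Match FQDN":
        return subject_cn_match_fqdn(cert, fqdn)
    if rule == "SubjectAltName Match FQDN":
        return subject_alt_name_match_fqdn(cert, fqdn, regex)
    if rule == "Issuer":
        return issuer_match(cert, regex)
    if rule == "Issuer and Serial Number":
        return issuer_and_serial_match(cert, regex, serial_hex)
    if rule == "Any":
        return True
    raise ValueError(f"unknown match rule {rule!r}")


# Constructed sample certificate: hypothetical host and values, not taken from a real cert.
SAMPLE_CERT = MachineCert(
    subject_cn="laptop17.corp.example.com",
    subject_alt_name="DNS Name=laptop17.corp.example.com, "
                     "Other Name:Principal Name=laptop17$@corp.example.com",
    issuer="CN=Root, OU=FP, O=F5, L=San Jose, S=CA, C=US",
    serial_hex="0102030405060708090a",
)

if __name__ == "__main__":
    print(subject_alt_name_match_fqdn(SAMPLE_CERT, "laptop17.corp.example.com",
                                      r".*DNS Name=([^,]+).*"))
    print(issuer_and_serial_match(SAMPLE_CERT, "CN=.*, OU=FP, O=F5, L=San Jose, S=CA, C=US",
                                  "0102030405060708090a"))
```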

Checking a machine certificate with the machine cert access policy item

Use the machine cert auth check action to check for the existence of fields in a machine cert, to ensure that client systems comply with your security policy.

To add a machine cert auth check action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If client-side check actions are not expanded, click the plus sign next to Client Side Checks.

5. Select Machine Cert Auth and click Add Item to add the action to the access policy. The Machine Cert Auth action popup screen opens.

6. In the Certificate Store Name box, type the certificate store name, or use the provided value, MY.

7. From the Certificate Store Location list, select the certificate store registry location.

8. From the CA Profile list, select the certificate authority.

9. From the OCSP Responder list, select an OCSP responder, if required, or None.

10. From the Certificate Match Rule list, select the desired certificate match rule, and enter values in any related boxes that appear. See Understanding machine cert auth check options, on page 9-10, for more information.

11. From the Save Certificate in a session variable list, select Enabled to save the certificate in a session variable, or Disabled to not save the certificate as a session variable.

12. Click Save to complete the configuration.


Example: Using machine cert auth check

In this example, the machine cert auth check compares the fully qualified domain name www.siterequest.com against the Subject Alternative Name field of the machine certificate.

Note

This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.

To configure the example action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If client-side check actions are not expanded, click the plus sign next to Client Side Checks.

5. Select Machine Cert Auth and click Add Item to add the action to the access policy. The Machine Cert Auth action popup screen opens.

6. From the Certificate Match Rule list, select SubjectAltName match FQDN.

7. In the Subject Alternative Name box, type *.siterequest.com.

8. Leave all other settings at their default values.

9. Click Save to complete the configuration.


Setting up firewall check

The firewall check action is used to check for firewall software on the client computer. The action can be configured to check for any available firewall, or for specific firewall vendors. In addition, the firewall check can determine whether the firewall software is enabled, and verify the version of the software.

When you configure the firewall action with multiple firewall types, the firewall types work as logical OR operators. If one firewall you specify matches the software on the client computer, the action passes, regardless of other firewall conditions that are specified in the action.

Setting up the firewall check action

Use the firewall check action to check for firewall software, to ensure that client systems comply with your security policy.

To add a firewall check action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If client-side check actions are not expanded, click the plus sign next to Client Side Checks.

5. Select Firewall Check and click Add Item to add the action to the access policy. The Firewall Check action popup screen opens.

6. Click Add new entry to add a firewall entry to the action.

7. Configure the entry.

• From the Firewall ID list, select a firewall, or select Any to allow the access policy to pass with any supported firewall. In this list, Windows-specific firewalls are marked with the prefix [Windows], Macintosh-specific firewalls are marked with the prefix [Mac], and Linux-specific firewalls are marked with the prefix [Linux].

• From the State list, select the state to allow for the firewall. Select Enabled to specify that the selected firewall (or any firewall) is running on the computer. Select Unspecified to verify the presence of the firewall software, but not the state.


• If you require a specific firewall software version, in the Version box, type a version number.

8. To add another firewall type to the action, repeat steps 6-7.

9. Click Save to complete the configuration.

Example: Using firewall check

In this example, the administrator adds support for three popular firewall solutions: Microsoft’s built-in Windows Firewall, Apple Computer’s built-in Mac OS X Firewall, and the Linux IPTables firewall. The administrator specifies that one of these firewall solutions must be running.

Note

This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.

To configure the example action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If client-side check actions are not expanded, click the plus sign next to Client Side Checks.

5. Select Firewall Check and click Add Item to add the action to the access policy. The Firewall Check action popup screen opens.

6. Click Add new entry to add a firewall entry to the action.

7. Configure Microsoft:

• From the Firewall ID list, select [win] Microsoft Corp. (MSWindowsFW).

• From the State list, select Enabled.

8. Click Add new entry to add a firewall entry to the action.

9. Configure Apple Computer:


• From the Firewall ID list, select [mac] Apple Computer, Inc.

• From the State list, select Enabled.

10. Click Add new entry to add a firewall entry to the action.

11. Configure iptables:

• From the Firewall ID list, select [linux] IPTables.

• From the State list, select Enabled.

The configured action appears as shown in Figure 9.3.

12. Click Save to complete the configuration.

Figure 9.3 Firewall check action example


Setting up process check

With the process check action, you can verify that one or more particular processes are or are not running.

You use the process check action with a Boolean expression to check for processes that are running on the client system.

The Boolean expressions you specify can use the wildcards * and ?, parentheses ( ) to combine values, and the logical operators AND, OR, and NOT.

Setting up process check access policy item

You can add process checks for Windows, Linux, or Mac clients.

To add a process check action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If client-side check actions are not expanded, click the plus sign next to Client Side Checks.

5. Select the Process Check for the operating system you are checking, and click Add Item to add the action to the access policy. The Process Check action popup screen opens.

6. In the Expression box, type the expression.

7. Click Save to complete the configuration.

Example: Using process check

In this example, you use the process check action to determine the presence of the running Windows processes winlogon.exe and GoogleDesktop.exe. You also determine that no process with gator in the name is running.

Note

This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.

To add the example action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Checks.

5. Select Windows Process Check and click Add Item to add the action to the access policy. The Process Check action popup screen opens.

6. In the Expression box, type the process check expression as follows:

(winlogon.exe AND GoogleDesktop.exe) AND NOT gator*

The configured action appears as shown in Figure 9.4.

7. Click Save to complete the configuration.

Figure 9.4 Process check action example
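The process check expression language described above (wildcards * and ?, parentheses, AND, OR and NOT), as an added example that is not part of the guide or of F5's own code: a small Python evaluator for an expression such as the guide's (winlogon.exe AND GoogleDesktop.exe) AND NOT gator*, run against a constructed list of process names. It assumes case-insensitive matching of each pattern against process image names and the precedence NOT over AND over OR; the guide states neither, so use parentheses in real policies.

```python
import fnmatch
import re
from typing import List

# Constructed sample of process image names as a client might report them.
SAMPLE_PROCESSES = ["System", "winlogon.exe", "explorer.exe", "GoogleDesktop.exe"]

# Tokens are parentheses or any run of non-space, non-parenthesis characters,
# so a pattern such as gator* or svch?st.exe is a single token.
_TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


class _ProcessCheckParser:
    """Recursive-descent evaluator for a process check expression.

    Assumed precedence (the guide does not state one): NOT binds tightest,
    then AND, then OR. Use parentheses to make the grouping explicit."""

    def __init__(self, expression: str, running: List[str]):
        self.tokens = _TOKEN_RE.findall(expression)
        self.pos = 0
        # Windows image names are case-insensitive, so compare in lower case (assumed).
        self.running = [name.lower() for name in running]

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self) -> str:
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def _peek_is(self, word: str) -> bool:
        tok = self._peek()
        return tok is not None and tok.upper() == word

    def parse(self) -> bool:
        result = self._parse_or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return result

    def _parse_or(self) -> bool:
        value = self._parse_and()
        while self._peek_is("OR"):
            self._take()
            rhs = self._parse_and()      # always parsed, so syntax errors surface
            value = value or rhs
        return value

    def _parse_and(self) -> bool:
        value = self._parse_not()
        while self._peek_is("AND"):
            self._take()
            rhs = self._parse_not()
            value = value and rhs
        return value

    def _parse_not(self) -> bool:
        if self._peek_is("NOT"):
            self._take()
            return not self._parse_not()
        return self._parse_atom()

    def _parse_atom(self) -> bool:
        tok = self._take()
        if tok == "(":
            value = self._parse_or()
            if self._take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok == ")" or tok.upper() in ("AND", "OR", "NOT"):
            raise ValueError(f"unexpected token {tok!r}")
        # A pattern is true when at least one running process matches it;
        # fnmatch supplies the * and ? wildcard semantics the guide describes.
        pattern = tok.lower()
        return any(fnmatch.fnmatchcase(name, pattern) for name in self.running)


def process_check(expression: str, running: List[str]) -> bool:
    """Evaluate a process check expression against a list of running processes."""
    return _ProcessCheckParser(expression, running).parse()


if __name__ == "__main__":
    # The guide's example: both processes present and nothing named gator* running.
    expr = "(winlogon.exe AND GoogleDesktop.exe) AND NOT gator*"
    print(process_check(expr, SAMPLE_PROCESSES))                    # True
    print(process_check(expr, SAMPLE_PROCESSES + ["Gator.exe"]))    # False
```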

Setting up registry check

You can set up the registry check action to verify the existence or absence of certain keys and values in the Windows system registry database. Both single key values and Boolean expressions can be used to evaluate the existence or absence of registry entries.

Expression syntax

Syntax for registry checker expressions is as follows:

"key" comparison_operator data

"key" ISPR

"key"."value" comparison_operator data

"key"."value" ISPR

• "key" represents a path in the Windows registry.

• "value" represents the name of the value.

• comparison_operator represents one of the comparison operators (< <= > >= != =) or ISPR. ISPR is used to verify that a key or value is present. For equality, use =. The operator == is not valid here.

• data represents the content to compare against.

Note

Quotation marks (") are required around key and value arguments. Quotation marks are used in data if the content contains spaces, commas, slashes, tabs, or other delimiters. If quotation marks exist as part of the registry path or value name, they should be doubled (use two sets of quotation marks). data is treated as a version number if it is entered in the format "d.d[.d][.d]" or "d,d[,d][,d]" (where d is a number), and as a date if it is entered in the format "mm/dd/yyyy".

Specifying registry values

Following are examples of registry strings that you can use in the Registry Check action.

• "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\XP"
  Checks for the presence of the specified path in the registry.

• "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer.Version" >= "6.0.2900.2180"
  Checks that the Internet Explorer version is greater than or equal to the value specified.

• "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer.Version" >= "5.0.2800.0" AND "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer.Version" <= "6.0.2900.0"
  Checks for the presence of Internet Explorer. With this registry check, the Internet Explorer version must be greater than or equal to 5.0.2800.0, and less than or equal to 6.0.2900.0.

Setting up the registry check action

The registry check action verifies that one or more particular registry keys or values exist, or do not exist, and confirms that registry values meet the comparisons you specify.

To add a registry check action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Checks.

5. Select Registry Check and click Add Item to add the action to the access policy. The Registry Check action popup screen opens.

6. In the Expression box, type the registry check expression.

7. Click Save to complete the configuration.

Example: Using registry check

This example uses the registry checker to check for the presence of a Google Desktop resource DLL.

To configure the example action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Checks.

5. Select Registry Check and click Add Item to add the action to the access policy. The Registry Check action popup screen opens.

6. In the Expression box, type: "HKEY_LOCAL_MACHINE\Software\Google\Google Desktop.ResourceDLL"

The configured action appears as shown in Figure 9.5.

7. Click Save to complete the configuration.

Figure 9.5 Registry check action example
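The registry check syntax and the version and date rules from the preceding pages, as an added example that is not the guide's or F5's code: a Python tokenizer and evaluator for expressions such as the Internet Explorer version range and the ISPR presence check above, run against a constructed in-memory registry. It assumes case-insensitive key, value and string comparison, that a bare "key" compares the key's default value, and that AND/OR combine left to right; the guide states none of these.

```python
import re

# Constructed sample registry: key path -> {value name -> data}. A key's default
# value would be stored under the empty name "" (an assumption of this example).
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer": {"Version": "6.0.2900.2180"},
    r"HKEY_LOCAL_MACHINE\Software\Google\Google Desktop": {
        "ResourceDLL": r"C:\Program Files\Google\GoogleDesktopResources.dll"},
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Example\"Quoted" App': {"LastUpdate": "05/01/2010"},
}

# A quoted argument may contain doubled quotes ("") standing for one literal quote.
# "key" optionally followed by ."value" is captured as a single token.
_QUOTED = r'"(?:[^"]|"")*"'
_TOKEN_RE = re.compile(rf"({_QUOTED})(?:\.({_QUOTED}))?|<=|>=|!=|==|[<>=]|\S+")
_VERSION_RE = re.compile(r"^\d+([.,]\d+){1,3}$")     # d.d[.d][.d] or d,d[,d][,d]
_DATE_RE = re.compile(r"^(\d{2})/(\d{2})/(\d{4})$")   # mm/dd/yyyy
_COMPARE = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, "<": lambda a, b: a < b,
            "<=": lambda a, b: a <= b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}


def _unquote(tok):
    return tok[1:-1].replace('""', '"')


def tokenize(expression):
    """Yield ("arg", (key, value or None)) for quoted arguments, ("word", text) otherwise."""
    for m in _TOKEN_RE.finditer(expression):
        if m.group(1):
            yield "arg", (_unquote(m.group(1)), _unquote(m.group(2)) if m.group(2) else None)
        else:
            yield "word", m.group(0)


def _coerce(text):
    """Type the data as the guide describes: version, date, otherwise string."""
    if _VERSION_RE.match(text):
        return "version", tuple(int(p) for p in re.split(r"[.,]", text))
    m = _DATE_RE.match(text)
    if m:
        mm, dd, yyyy = (int(x) for x in m.groups())
        return "date", (yyyy, mm, dd)
    return "string", text.lower()            # string compare is case-insensitive (assumed)


def _lookup(registry, key, value):
    """Return (key present, stored data or None); names are case-insensitive on Windows."""
    values = next((v for k, v in registry.items() if k.lower() == key.lower()), None)
    if values is None:
        return False, None
    name = (value or "").lower()
    return True, next((d for n, d in values.items() if n.lower() == name), None)


def evaluate_check(key, value, op, data, registry):
    """Evaluate one "key"[."value"] check of the form described in the guide."""
    present, actual = _lookup(registry, key, value)
    if op == "ISPR":
        return present if value is None else actual is not None
    if actual is None:
        return False
    (kind_a, lhs), (kind_e, rhs) = _coerce(actual), _coerce(data)
    if kind_a != kind_e:                     # e.g. a version expected but plain text stored
        return op == "!="
    return _COMPARE[op](lhs, rhs)


def registry_check(expression, registry):
    """Evaluate checks joined by AND / OR, combined left to right (assumed)."""
    toks = list(tokenize(expression))
    if not toks:
        raise ValueError("empty expression")
    result, conn, i = True, "AND", 0
    while i < len(toks):
        if toks[i][0] != "arg" or i + 1 >= len(toks) or toks[i + 1][0] != "word":
            raise ValueError(f'expected "key" operator at token {i}')
        (key, value), op = toks[i][1], toks[i + 1][1].upper()
        if op == "ISPR":
            data, i = None, i + 2
        elif op in _COMPARE and i + 2 < len(toks):
            data = toks[i + 2][1] if toks[i + 2][0] == "word" else toks[i + 2][1][0]
            i += 3
        else:                                # covers == (not valid here) and missing data
            raise ValueError(f"invalid operator or missing data near {op!r}")
        rhs = evaluate_check(key, value, op, data, registry)
        result = (result and rhs) if conn == "AND" else (result or rhs)
        if i < len(toks):
            conn = toks[i][1].upper() if toks[i][0] == "word" else ""
            if conn not in ("AND", "OR"):
                raise ValueError(f"expected AND or OR, got {toks[i][1]!r}")
            i += 1
    return result
```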

Verifying Windows information

You use the Windows info check action to verify the presence of Windows operating system versions, Windows patches, or Windows updates.

Setting up Windows info action

Use the Windows info action to determine if the user is using the correct version of Windows, has applied specific patches or updates to Windows, or meets other Windows requirements.

To add a Windows info action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Checks.

5. Select Windows Info and click Add Item to add the action to the access policy. The Windows Info action popup screen opens.

6. Click the Rules tab.

7. Click the Add Rule button.

8. In the Name box, type a name for the rule.

9. Next to Expression: Empty, click change. The Add Expression popup screen opens.

10. Click the Add Expression button.

11. From the Agent Sel. list, select Windows Info.

12. From the Condition list, select Windows platform or Windows update.

• If you selected Windows platform, from the Windows Platform is list, select the Windows version.

• If you selected Windows update, in the Windows patch box, type the update name. The format for this can be a KB patch or a Windows service pack, for example KB869074 or SP2.

13. Click Save to complete the configuration.

Example: Using Windows info check

For this example, you add a Windows info check action that contains rules that check for Windows XP and Service Pack 2.

Note

This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.

To add the example action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Checks.

5. Select Windows Info and click Add Item to add the action to the access policy. The Windows Info action popup screen opens.

6. Click the Rules tab.

7. Click Add Rule.

8. Type the name XP SP2 for the rule.

9. Next to Expression: Empty, click change. The Expression popup screen opens.

10. Click the Add Expression button. The popup screen displays new information.

11. From the Agent Sel. list, select Windows Info.

12. From the Condition list, select Windows platform.

13. From the Windows Platform is list, select Windows XP.

14. Click the Add Expression button.

15. To add the next expression, next to AND, click Add Expression. The popup screen displays new information.

16. From the Agent Sel. list, select Windows Info.

17. From the Condition list, select Windows update.

18. From the Windows Platform is list, select Windows XP.

19. In the Windows Patch box, type SP2.

20. Click the Add Expression button. The Expression popup screen shows the expression configured as shown in Figure 9.6.

To view the rule you have created, click the Advanced tab. You see the expression:

expr { [mcget {session.windows_info_os.last.platform}] == "WinXP" && [mcget {session.windows_info_os.last.updates}] contains "SP2" }

21. Click Finished.

22. Click Save to complete the configuration.

Figure 9.6 Windows information action expression example

Understanding client-side actions

You use client-side actions to start a particular software state on the client. The Access Policy Manager uses information configured in the client-side actions to install software that configures the system. The systems return to their previous states after the secure access session ends.

The following client-side actions are available.

• Cache and session control check: Loads a cache and session control access policy item that removes all session-specific information from the client’s browser after logout or session termination. Cache and session control also allows you to configure session inactivity timeouts, clean up saved form information and passwords, and remove some other information from a Windows system. For details, refer to Setting up cache and session control, on page 9-26.

• Protected workspace: Configures a temporary Windows user workspace for the secure access session that prevents external access, and deletes any files created before leaving the protected area. For details, refer to Setting up protected workspace, on page 9-30.

• Windows group policy: The Windows group policy action assigns a Windows group policy template to an access policy in a network access session. Once assigned to a successful session, the Windows group policy reconfigures the client system’s configuration to conform to the selected policy template. Using Windows group policy templates, you can make configuration changes to client systems that exist for the duration of the network access session. After the network access session is terminated, all Windows group policy changes are rolled back, and the client system reverts to its previous state. For details, refer to Assigning a Windows group policy template, on page 9-34.

Note

Windows group policy is an optional feature that requires an additional license.

Setting up cache and session control

Use the cache and session control action to provide a higher level of security to systems that are logged on to your network. The cache and session control agent deletes browser cache and other session-related information, and can be configured to clean various settings from the user’s system after a session is closed.

In an access policy, the cache and session control action is considered successful when the browser add-on starts successfully on the client computer. A failure indicates that the cache and session control action was unable to start.

Note

You can use the cache and session control action to clean cache and related session information from the Internet Explorer browser only. The action does not clear browser cache and session-related items from Firefox, Safari, or any other browser. However, other items you configure in the action are cleaned on all Windows systems.

Note

Cache and Session Control is not compatible with Protected Workspace. You should not use a Protected Workspace action in a session that includes the Cache and Session Control action.

Setting up the cache and session control access policy item

Add a cache and session control action anywhere in the access policy, as long as it is used on a branch for Windows clients.

To add a cache and session control action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If client-side actions are not expanded, click the plus sign (+) next to Client Side Actions.

5. Select Cache and Session Control and click Add Item to add the action to the access policy. The Cache and Session Control action popup screen opens.

6. Configure the entry.

• For the option Clean forms and passwords autocomplete data, select Enabled or Disabled. Enabled removes autocomplete data from web forms, and deletes saved passwords from the system after the user logs out.

• For the option Empty Recycle Bin, select Enabled or Disabled. Enabled ensures that the Recycle Bin is emptied on the system after the user logs out.

• For the option Force session termination if the browser or Webtop is closed, select Enabled or Disabled. Enabled forces the session to close when the user closes the web browser or the network access webtop.

• For the option Remove dial-up entries used by Network Access client, select Enabled or Disabled. Enabled removes the VPN connection from the user’s Network Connections Dial-up Networking folder.

• From the Terminate session on user inactivity list, select a setting in minutes or hours to force the session to close if the user is inactive for the specified time. Select Custom to specify a custom setting, in seconds. Select Disabled to not terminate the session on user inactivity. User inactivity is the period of time during which the user has not input any data using the keyboard or mouse on the client system. This is not traffic inactivity over the VPN.

• From the Lock workstation on user inactivity list, select a setting in minutes or hours to force the user’s workstation to lock if the user is inactive for the specified time. Select Custom to specify a custom setting, in seconds. Select Disabled to not lock the user’s workstation because of user inactivity. User inactivity is the period of time during which the user has not input any data using the keyboard or mouse on the client system. This is not traffic inactivity over the VPN.

7. Click Save to complete the configuration.

Example: Using cache and session control

In this example, the administrator adds a cache and session control that removes stored passwords and autocomplete data, forces the user to log out if the Webtop or browser is closed, locks the workstation after 5 minutes of inactivity, and closes any session that is inactive after 30 minutes. All other settings are left disabled.

Note

This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.

To configure the example action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If client-side actions are not expanded, click the plus sign (+) next to Client Side Actions.

5. Select Cache and Session Control, and click Add Item to add the action to the access policy. The Cache and Session Control action popup screen opens.

6. Configure the entry.

• For the option Clean forms and passwords autocomplete data, select Enabled.

• For the option Force session termination if the browser or Webtop is closed, select Enabled.

• From the Terminate session on user inactivity list, select 30 minutes to force the session to close after 30 minutes of inactivity.

• From the Lock workstation on user inactivity list, select 5 minutes to lock the user’s workstation after 5 minutes of inactivity.

The completed policy appears as shown in Figure 9.7.

7. Click Save to complete the configuration.

Figure 9.7 Cache and session control action example

Setting up protected workspace

Protected workspace configures a temporary Windows user workspace for the secure access session that prevents external access, and deletes any files created before leaving the protected area. The protected workspace allows you to restrict end users from printing and saving files on a client accessing the Access Policy Manager. Protected workspace reduces the risk of unintentional or accidental information leaks, but does not eliminate it. For example, EXE, DLL, and IME files are not encrypted. It restricts users to a temporary workspace on the remote system, which is newly created at the beginning of each new session. This workspace contains temporary Desktop and My Documents folders. In protected mode, the user cannot unintentionally or accidentally write files to locations outside the temporary folders. The protected workspace control deletes the temporary workspace and all of the folder contents at the end of the session.

Note

Cache and Session Control is not compatible with Protected Workspace. You should not use a Protected Workspace action in a session that includes the Cache and Session Control action.

Note

You cannot assign a Windows group policy template after a session is in the protected workspace. To use Windows group policies with protected workspace, you must place the Windows group policy action before the protected workspace action in the access policy.

Setting up the protected workspace access policy item

Use the protected workspace action to ensure that clients who connect to network access are placed in a protected workspace for the duration of the session.

To add a protected workspace action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If client-side actions are not expanded, click the plus sign (+) next to Client Side Actions.

5. Select Protected Workspace and click Add Item to add the action to the access policy. The Protected Workspace action popup screen opens.

6. Configure the protected workspace.

• Enable or disable the option to Close Google Desktop Search when the user starts the protected workspace session. Note that selecting Enabled in this option is more secure.

• Enable or disable the option to Allow user to temporarily switch from Protected Workspace when the user is in the protected workspace session.

• Enable or disable the option to Allow user to use printers.

• Select the option for the setting Allow write access to USB flash drives. In addition to the Disabled option and the option to allow write access to All USB flash drives, this setting provides a third option, Only IronKey Secure Flash Drives, which allows a user to write only to specialized, highly secured flash drives created by IronKey, Inc.

• Enable or disable the option to Allow user to burn CDs.

7. If you want to allow protected workspace users to have write access to a specific server, click the Add new entry button and type the name of the server. To add more servers, repeat this step. To remove a server, click the X button next to the name of the server.

8. Click Save to complete the configuration.

Example: Using protected workspace

In this example, the administrator adds protected workspace to an access policy branch. The security policy is very strict, so the only option allowed is for a user to write to an IronKey USB flash drive, and a server called Quarantine.

Note

This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.

To configure the example action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If client-side actions are not expanded, click the plus sign (+) next to Client Side Actions.

5. Select Protected Workspace and click Add Item to add the action to the access policy. The Protected Workspace action popup screen opens.

6. Configure the action as follows:

• From the Close Google Desktop Search list, select Enabled.

• From the Allow user to temporarily switch from Protected Workspace list, select Disabled.

• From the Allow user to use printers list, select Disabled.

• From the Allow write access to USB flash drives list, select Only IronKey Secure Flash Drives.

• From the Allow user to burn CDs list, select Disabled.

7. Click Add new entry to add a server to which a user can write. In the box that appears, type Quarantine. Note that new entries are added above previously configured entries, by default.

The configured action appears as shown in Figure 9.8.

8. Click Save to save the access policy.

Figure 9.8 Protected workspace action example

Assigning a Windows group policy template

The Windows group policy action allows you to assign a Windows group policy, which changes security settings for the Windows client environment for the duration of the network access session.

To use Windows group policy functionality, you must purchase a separate license for the feature.

Note

You cannot assign a Windows group policy template after a session is in the protected workspace. To use Windows group policies with protected workspace, you must place the Windows group policy action before the protected workspace action in the access policy.

Understanding Windows group policy templates

Windows group policy templates allow you to configure and assign group policies for Windows machines dynamically per user session in the access policy. Using Windows group policy templates, you can make configuration changes to client systems that exist for the duration of a network access or web applications session. The system applies Windows group policy changes after the Windows group policy check is successful, and before resources are assigned. After the user terminates the session, all Windows group policy changes are rolled back, and the client system reverts to its previous state.

You can use predefined Windows group policy templates with Access Policy Manager. To define your own Windows group policy templates, you must purchase a license for the GPAnywhere product from Full Armor.

Using predefined Windows group policy templates

Table 9.1 lists the predefined Windows group policy templates included with Access Policy Manager, and their functional descriptions.

| Template | Description |
|---|---|
| EC Domain XPSP2 Desktops Template | Microsoft Enterprise Client Policy for desktops and laptops. This is a moderate policy, balancing security and usability. |
| Firewall Settings Template | Access Policy Manager settings for enabling the user’s firewall. This policy is used to ensure that the user’s Microsoft firewall is configured and running. |
| GLBA Template | Based on the Gramm-Leach-Bliley GLBA standard. This policy is used for desktops and laptops to help prevent access to unauthorized information. |
| HIPAA Template | Based on the HIPAA (Health Insurance Portability and Accountability Act) standard. This policy is used for desktops and laptops to help prevent access to unauthorized information. |
| Highly Managed Template | Microsoft Common Usage (high) for desktops and laptops. This policy is used in managed environments and provides high restrictions on user access to devices, configuration, and applications. |
| Lightly Managed Template | Microsoft Common Usage (light) for desktops and laptops. This policy is used in managed environments, and provides light restrictions on user access to devices, configuration, and applications. |
| PCI Template | Based on the PCI (Payment Card Industry) standard. This policy is used for desktops and laptops to help prevent access to unauthorized information. |
| SSLF Domain Template | Microsoft Specialized Security (Limited Functionality) for desktops and laptops. This is a more focused security policy, with greater restrictions on configuration access. |
| Terminal Services Taskstation Template | Terminal Services for client terminal services. This policy is used in environments where the primary use is terminal services. |

Table 9.1 Predefined Windows group policy templates

Using the EC and SSLF templates

The Enterprise Client (EC) and Specialized Security—Limited Functionality (SSLF) templates are based on Microsoft security profiles for Enterprise Client and Specialized Security—Limited Functionality environments.

Microsoft uses the EC and SSLF environment classifications as the basis for making recommendations on how to configure a variety of server, workstation, and laptop settings. The EC Domain Template is applicable to most enterprise environments. It balances security with usability concerns. The Group Policy settings suggested for users in EC Domain-classified environments focus on addressing the basics at a moderate level, so it is not intrusive to the user.

Examples of settings that are applied as part of the EC Domain Template are:

• Disabling automatic saving of passwords in Internet Explorer

• Requiring that the user re-enter the password after a system suspend

The SSLF Domain Template is applicable to environments where concerns about security are paramount. In such an environment, some usability is sacrificed in order to further secure the systems. The Group Policy settings suggested for users in SSLF Domain-classified environments expand upon the settings recommended for the EC Domain.

Examples of settings that are applied as part of the SSLF Domain Template are:

• Disabling user access to the IE Security settings.

• Disabling user access to system tools such as the registry editor.

Additional information can be found in the Windows Server® 2003 security section at:

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch01.mspx

Using the Microsoft common scenario templates

Microsoft common scenarios classify client machines into categories such as mobile, multi-user, app-station, task-station, or kiosk. These scenarios are intended to provide common starting scenarios for group policy management.

Understanding the managed templates

The highly- and lightly-managed templates are based on Microsoft Common Scenarios. To standardize the implementation of the scenarios, Microsoft defined the highly-managed and lightly-managed Group Policy settings as the base set of settings on top of which the scenarios would be implemented.

Both the lightly-managed and highly-managed policies are intended for use with devices that work in a centrally managed environment. As such, both templates restrict the options to which a user has access. The distinction between the two is a matter of degree.

In the case of the lightly-managed template, the users retain some ability to customize their desktop environment. Examples of settings that are applied as part of the lightly-managed template are:

• Enabling user access only to the Desktop Control Panel applet

• Prohibiting access to the Add/Remove Programs Windows Components page

In the case of the highly-managed template, the user is given very little leeway to customize the desktop environment. Examples of settings that are applied as part of the highly-managed template are:

• Prohibiting access to the Control Panel

• Denying access to Add/Remove Programs

• Prohibiting adding printers

For additional information, read Implementing Common Desktop Management Scenarios at: http://technet.microsoft.com/en-us/library/cc758145(WS.10).aspx

Understanding the terminal services task station template

The terminal services task station template is specific to terminal server users. It prevents users from reverting to the default security policy but, more importantly, it controls which file types (.exe, .bat, and .msi) can be used. While there are no restrictions on shortcuts (.lnk), restrictions are placed on the actual path of executables.


Understanding the firewall settings template

The firewall settings template enables a user’s firewall. This policy is used to ensure that the user’s Microsoft firewall is configured and running. If the Microsoft Windows Firewall is not enabled, group policy starts it.

Understanding the regulatory templates

The final three pre-configured templates help address certain regulatory requirements. They are all based on a basic security policy with their own nuances.

Understanding the GLBA template

Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act, enabled investment banks to merge with commercial banks and permitted insurance services to merge with securities companies. As part of this act, privacy policies are required to protect sensitive information from security threats. With GLBA, financial institutions must inform consumers, through a privacy notice, how the company collects, stores, shares, and safeguards the data. Compliance with the GLBA is mandatory for any financial services company.

Examples of settings that are applied as part of the GLBA template:

• Disabling CD-ROM and floppy drive access

• Digitally signing all communications, if available

• Prohibiting the user from modifying any certificate settings

• Prohibiting access to the Advanced Settings menu in Network Connections

Understanding the HIPAA template

The Health Insurance Portability and Accountability Act (HIPAA) protects people with continued health insurance coverage if they lose or change jobs, and also establishes guidelines for the exchange of patient data, including electronic transmission. There are privacy rules for the use and disclosure of this patient information.

Examples of settings that are applied as part of the HIPAA template:

• Restricting CD-ROM access to locally logged-on users only.

• Prohibiting access to the Advanced Settings menu in Network Connections.

• Locking the workstation if the smartcard is removed.

• Clearing virtual memory.

Understanding the PCI template

The Payment Card Industry Data Security Standard (PCI DSS) was designed by the major credit card companies as a guideline for any organization that processes credit card transactions. Like GLBA and HIPAA, it establishes procedures for processing, storing, and transmitting sensitive data, and offers some protection against security vulnerabilities that may expose that information. Companies using PCI must also go through an outside audit to validate their compliance. There are 12 requirements within 6 major areas of concern: network security monitoring, network security testing, protecting cardholder data, vulnerability management, access control, and policy maintenance. You can find the specifics of PCI DSS at:

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Examples of settings that are applied as part of the PCI template:

• Suspend session after 15 minutes of inactivity.

• Restrict anonymous access to Named Shares.

• Disable Advanced Settings in Internet Explorer.

Working with Windows group policy templates

In addition to the preinstalled group policy templates explained above, you can add custom group policy templates, you can download templates installed on the Access Policy Manager, and you can view the configuration of installed templates.

To add a Windows group policy template to the Access Policy Manager

1. On the Main tab of the navigation pane, expand Access Policy.

2. Hover your mouse pointer over Access Profiles, and click the Windows Group Policy link that appears. The Windows Group Policy List screen opens.

3. Click Create. The New Windows Group Policy screen opens.

4. In the Name box, type a name for the group policy.

5. In the Description box, type an optional description of the group policy. This description appears on the Windows Group Policy List screen, in the Description column.

6. In the Configuration File box, click Browse to locate the file. Configuration files are created by the FullArmor GPAnywhere product, and are Windows executable files with an EXE extension.

7. Click Finished when the configuration is complete.

To download a Windows group policy template

1. On the Main tab of the navigation pane, expand Access Policy.

2. Hover your mouse pointer over Access Profiles, and click the Windows Group Policy link that appears. The Windows Group Policy List screen opens.


3. Click the group policy template that you want to download. The template Properties screen opens.

4. Next to Configuration File, click the Download link. The web browser pops up a save file dialog.

5. Click the Save button to save the file.

To view a Windows group policy template

1. On the Main tab of the navigation pane, expand Access Policy.

2. Hover your mouse pointer over Access Profiles, and click the Windows Group Policy link that appears. The Windows Group Policy List screen opens.

3. Click the group policy template that you want to view. The template Properties screen opens.

4. Next to Configuration Details, click the View link. The web browser pops up a save file dialog.

5. Save the file.

Setting up the Windows group policy access policy item

Use the Windows group policy action to ensure that clients who connect to network access have their computers configured to conform to the required security policy for the duration of the session.

To add a Windows group policy action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If client-side check actions are not expanded, click the plus sign next to Client Side Actions.

5. Select Windows group policy and click Add Item to add the action to the access policy. The Windows group policy action popup screen opens.

6. From the Windows group policy list, select the group policy to apply to client computers. You can add your own group policy templates that you create with the FullArmor GPAnywhere add-on. For more information on group policy templates, see Understanding Windows group policy templates, on page 9-34.

7. Click Save to complete the configuration.

Example: Using Windows group policy templates

In this example, the administrator adds the predefined Gramm-Leach-Bliley Act (GLBA) Windows group policy template to clients that connect through this branch on the access policy. The Gramm-Leach-Bliley Act requires financial institutions to inform consumers, through a privacy notice, how the company collects, stores, shares, and safeguards the data. GLBA is mandatory for any financial services company.

Note

This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.

To configure the example action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If client-side check actions are not expanded, click the plus sign next to Client Side Actions.

5. Select Windows Group Policy and click Add Item to add the action to the access policy. The Windows group policy action popup screen opens.

6. From the Windows Group Policy list, select _GLBA_Template.

The configured action appears as shown in Figure 9.9.

7. Click Save to save the access policy.


Figure 9.9 Windows group policy action example


10

Configuring Server Side Checks

• Introducing server-side checks

• Configuring client OS check

• Configuring UI mode check

• Configuring client-side check capability

• Checking a landing URI with the landing URI check


Introducing server-side checks

In addition to client-side checks, the BIG-IP® Secure Access Manager™ provides server-side checks. When the access policy is processed, server-side checks allow the server to check clients and make policy decisions based on information that a client presents to the server. For example, the UI mode check presents a query to find out what type of client is connecting, and routes the client to the different policy branches (for full browser clients, standalone clients, or neither) based on the results of the query.

Preparing for clients that cannot use client checks

The administrator can configure an access policy to provide access for non-Windows clients, or clients that do not have the ability to install browser add-ons. To do this, the administrator adds a client-side check capability action at the start of the access policy, and then adds the client-side checks only on the Full access policy branch.

Checking the landing URI of a client

The landing URI action checks the landing URI the client entered to reach the access policy. The landing URI is the actual landing address after the domain name; for example, for an Outlook Web Access connection at http://www.siterequest.com/owa, the landing URI is /owa. The landing URI action provides a separate rule branch for each configured URI, and a fallback branch is provided for URIs that do not conform. For details, refer to Checking a landing URI with the landing URI check, on page 10-12.


Configuring client OS check

The client OS check allows you to check the operating system the client is using. The default client OS check includes eight rule branches. Seven of these rule branches correspond to the operating systems specified in the name of the rule. If, while running the access policy, Access Policy Manager detects the operating system on the client as one of the specified operating systems, the access policy uses that rule branch. The access policy uses the fallback rule branch when it detects any other operating system. These are the operating system rule branches:

• Windows 7®

• Windows Vista®

• Windows XP®

• Windows 2000®

• Windows Mobile®

• Linux®

• Mac OS®

Setting up the client OS check

We recommend that you use the client OS check at the beginning of an access policy, so you can build access policies using the separate operating system branches for functionality specific to those operating systems.

To add a client OS action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If server-side check actions are not expanded, click the plus sign next to Server Side Checks.

5. Select Client OS and click Add Item to add the action to the access policy. The Client OS action popup screen opens.

6. Click Save to complete the configuration.

7. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.


Example: Using client OS check

In this example, you add the client OS check to an access policy, and only the Windows 7, Windows Vista, and Windows XP branches are assigned allowed endings.

Note

This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.

To add the example client OS check action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If server-side check actions are not expanded, click the plus sign next to Server Side Checks.

5. Select Client OS and click Add Item to add the action to the access policy. The Client OS action popup screen opens.

6. Click Save.

7. On the Windows 7, Windows XP, and Windows Vista branches following the client OS action, configure allowed endings. Configure logon denied endings for all other branches. To configure endings, see Configuring access policy endings, on page 7-8.

The completed policy appears as shown in Figure 10.1.

8. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.


Figure 10.1 Client OS access policy example


Configuring UI mode check

You can use the UI mode check to determine whether the client is using a full browser, the standalone client, or another client to access the Access Policy Manager. The default UI mode check includes three branches:

• A Full Browser branch, which indicates that the user is connecting with a Windows web browser or with the standalone client in web browser mode.

• A Standalone Client branch, which indicates that the user is connecting with the standalone client, and not in full browser mode.

• An ActiveSync Client branch, which indicates that the user is connecting with an ActiveSync connection. ActiveSync is by definition a clientless connection, though this branch is called ActiveSync Client.

• A Fallback branch, which indicates that the user is connecting with another method.

Understanding ActiveSync connections

An ActiveSync client is not a typical web browser, and Access Policy Manager has the following restrictions on ActiveSync policies.

• The ActiveSync branch cannot provide responses that require additional user input, except for the logon page.

• Authentication retries are not attempted.

• You must assign a logon page action to the access policy. The logon page action automatically works in clientless mode.

ActiveSync devices support only the following actions, and you should not use other actions on an ActiveSync branch:

• Active Directory Authentication

• Active Directory Query

• Client Certificate Inspection

• HTTP Authentication

• LDAP Authentication

• LDAP Query

• RADIUS Authentication

• RADIUS Accounting

• RSA SecurID Authentication

• UI Mode check

• Client-Side Check Capability

• Client OS

• Landing URI

• IP Geolocation Match


The following actions are not supported on ActiveSync clients:

• On-Demand Certificate Authentication

• any client side check

• any client side action

Setting up the UI mode access policy item

We recommend that you use the UI mode check as one of the first checks in your access policy. You can then configure the Full Browser branch with all of the checks that you require for your fully capable clients, while also providing access policy branches for other clients.

To add a UI mode action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If server-side check actions are not expanded, click the plus sign next to Server Side Checks.

5. Select UI Mode and click Add Item to add the action to the access policy. The UI Mode action popup screen opens.

6. Click Save to complete the configuration.

7. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.

Example: Using UI mode check

In this example, you add a UI mode check, then add a cache and session control endpoint security check to the Full Browser branch.

Note

This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.

To add the example UI mode check action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If server-side check actions are not expanded, click the plus sign next to Server Side Checks.

5. Select UI Mode and click Add Item to add the action to the access policy. The UI Mode action popup screen opens.

6. Click Save.

7. On the Full Browser branch following the UI Mode action, click the plus sign. The Add Item popup screen opens.

8. If client-side check actions are not expanded, click the plus sign next to Client Side Checks.

9. Select Cache and Session Control and click Add Item. The cache and session control action popup screen opens.

10. Click Save.

11. On the Standalone Client branch following the UI mode action, and the Successful branch following the cache and session control action, configure Allow endings.

12. Configure logon denied endings for all other branches. To configure endings, see Configuring access policy endings, on page 7-8. The completed policy appears as shown in Figure 10.2.

13. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.


Figure 10.2 UI mode access policy example


Configuring client-side check capability

You can use the client-side check capability action to determine whether the client has the ability to run client-side checks. The default client-side check capability action includes two branches:

• A Full branch, which indicates that the user is connecting with a client that has full client-side check support.

• A Fallback branch, which indicates that the user is connecting with a client that does not fully support client-side checks.

Setting up the client-side check capability access policy item

We recommend that you use the client-side check capability action as one of the first checks in your access policy. You can then configure the Full branch with all of the endpoint security checks that you require for your endpoint-security capable clients, while also providing access policy branches for other clients.

To add a client-side check capability action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If server-side check actions are not expanded, click the plus sign next to Server Side Checks.

5. Select Client-Side Check Capability and click Add Item to add the action to the access policy. The Client-Side Check Capability action popup screen opens.

6. Click Save to complete the configuration.

7. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.


Example: Using client-side check capability action

In this example, you add a client-side check capability action, then add an antivirus client-side check to the Full branch.

Note

This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.

To add the example client-side check capability action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If server-side check actions are not expanded, click the plus sign next to Server Side Checks.

5. Select Client-Side Check Capability and click Add Item to add the action to the access policy. The Client-Side Check Capability action popup screen opens.

6. Click Save.

7. On the Full branch following the Client-Side Check Capability action, click the plus sign. The Add Item popup screen opens.

8. If client-side check actions are not expanded, click the plus sign next to Client Side Checks.

9. Select Antivirus check and click Add Item. The antivirus check action popup screen opens.

10. Click Save.

11. On the Successful branch following the Antivirus action, configure an Allow ending.

12. Configure logon denied endings for all other branches. To configure endings, see Configuring access policy endings, on page 7-8. The completed policy appears as shown in Figure 10.3.


13. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.

Figure 10.3 Client-side check capability access policy example


Checking a landing URI with the landing URI check

You can use the Landing URI check to check the landing URI with which the user has accessed the access policy. The default Landing URI check includes two branches:

• A Landing URI branch, which indicates the landing URI for which the policy should check, and evaluates as true if the specified landing URI is reached.

• A Fallback branch, which indicates that the user is connecting with a different landing URI.

Setting up the landing URI access policy item

We recommend that you use the landing URI check to determine the landing URI that the user typed to connect to the Access Policy Manager.

To add a landing URI action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If server-side check actions are not expanded, click the plus sign next to Server Side Checks.

5. Select Landing URI and click Add Item to add the action to the access policy. The Landing URI action popup screen opens.

6. Click Save to complete the configuration.

7. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.

Example: Using landing URI check

In this example, your Outlook Web Access address is http://www.siterequest.com/owa. You add a landing URI check that checks for the landing URI /owa, the typical landing URI for an Outlook Web Access connection. If the access policy finds this URI, you can then add a resource assign action on the successful policy branch. In this example, you add a resource assign action after the landing URI check for the URI /owa. For a complete working scenario, assign a web applications resource for Outlook Web Access with this resource assign action.

Note

This example does not detail how to create and assign web application resources. For detailed instructions, see Configuring web applications on Access Policy Manager, on page 3-7, and Assigning resources, on page 8-9.

To add the example landing URI check action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a branch of the access policy, click the plus sign to add an action. The Add Item popup screen opens.

4. If server-side check actions are not expanded, click the plus sign next to Server Side Checks.

5. Select Landing URI and click Add Item to add the action to the access policy. The Landing URI action popup screen opens.

6. In the Name box, type OWA.

7. Click the Rules tab. The Rules for the action popup screen are displayed. The predefined rule for this action is Expression: Landing URI is /uri1.

8. Next to Expression: Landing URI is /uri1, click the change link. The expression builder popup screen opens.

9. In the Landing URI is box, type /owa. On the OWA branch, add a resource assign action and configure it for Outlook Web Access, if you have an Outlook Web Access server and resources.

• To configure the web application, see Configuring web applications on Access Policy Manager, on page 3-7

• To assign the resource, see Assigning resources, on page 8-9.

The completed policy appears as shown in Figure 10.4.

10. Click Save.

11. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.
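The branch selection in the landing URI example above, together with the ActiveSync branch restrictions from the UI mode check section, as an added Python model. This is example code, not F5's implementation; it assumes that the landing URI is the path of the first URL the client requested, compared case-insensitively without query string or trailing slash, and that action names are spelled as in the chapter's lists.

```python
"""Model of two server-side checks from this chapter: landing URI branch selection
and the list of actions an ActiveSync branch may carry.

Added example, not F5 code. Assumptions: the landing URI is the URL path after the
domain name, normalised by dropping query, fragment, trailing slash and case."""
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlsplit

FALLBACK = "fallback"  # branch taken when no landing URI rule matches


@dataclass(frozen=True)
class LandingRule:
    branch: str  # branch name in the visual policy editor, e.g. "OWA"
    uri: str     # the "Landing URI is <uri>" expression, e.g. "/owa"


def landing_uri(url_or_path: str) -> str:
    """Return the landing URI: the part after the domain name, without query string,
    fragment or trailing slash, lower-cased (normalisation is this example's choice)."""
    path = urlsplit(url_or_path).path or "/"
    if len(path) > 1:
        path = path.rstrip("/")
    return path.lower()


def select_landing_branch(url: str, rules: Iterable[LandingRule]) -> str:
    """First rule whose URI equals the client's landing URI wins; otherwise fallback."""
    uri = landing_uri(url)
    for rule in rules:
        if landing_uri(rule.uri) == uri:
            return rule.branch
    return FALLBACK


# Actions the chapter lists as supported on an ActiveSync branch, plus the logon page
# action the chapter says must be present (it runs in clientless mode).
ACTIVESYNC_SUPPORTED = frozenset({
    "Logon Page",
    "Active Directory Authentication", "Active Directory Query",
    "Client Certificate Inspection", "HTTP Authentication",
    "LDAP Authentication", "LDAP Query",
    "RADIUS Authentication", "RADIUS Accounting",
    "RSA SecurID Authentication", "UI Mode",
    "Client-Side Check Capability", "Client OS", "Landing URI",
    "IP Geolocation Match",
})


def unsupported_activesync_actions(actions: Iterable[str]) -> List[str]:
    """Return the actions on an ActiveSync branch that fall outside the supported
    list (client-side checks and actions, On-Demand Certificate Authentication, and
    anything else the chapter does not list)."""
    return [a for a in actions if a not in ACTIVESYNC_SUPPORTED]


# Constructed sample data for the OWA example in the text.
OWA_RULES = [LandingRule("OWA", "/owa")]

if __name__ == "__main__":
    for url in ("http://www.siterequest.com/owa",
                "http://www.siterequest.com/OWA/?cmd=login",
                "http://www.siterequest.com/mail"):
        print(url, "->", select_landing_branch(url, OWA_RULES))
    # Constructed ActiveSync branch carrying a client-side check, which is flagged.
    print(unsupported_activesync_actions(
        ["Logon Page", "Active Directory Authentication", "Antivirus"]))
```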


Figure 10.4 Landing URI access policy example


11

Configuring Authentication Using AAA Servers

• Understanding authentication with Access Policy Manager

• Understanding different RADIUS operation modes

• Setting up Access Policy Manager for RADIUS authentication and authorization

• Configuring Access Policy Manager for RADIUS accounting

• Configuring Access Policy Manager for RADIUS authentication and accounting

• Setting up Access Policy Manager for RSA Native SecurID for authentication and authorization

• Setting up Access Policy Manager for LDAP authentication and authorization

• Setting up Access Policy Manager for Windows Active Directory authentication and authorization

• Understanding nested groups


• Setting up Access Policy Manager for HTTP authentication

• Setting up Access Policy Manager for Oracle Access Manager

• Setting up Access Policy Manager for AAA high availability


Understanding authentication with Access Policy Manager

Authentication is the process of verifying the identity of a user logging on to a network. In a typical authentication process, a system requires that users provide logon information such as user name and password. The system then checks those credentials against information maintained remotely or locally on a server or in a database.

Authorization is the process of granting users access to resources, applications, and network shares.

Accounting is the process of reporting user session information, as well as updating the external RADIUS accounting server.

The BIG-IP® Access Policy Manager uses the concept of access policies to authenticate and authorize users on the system. For more information on access policies, refer to Chapter 7, Creating Access Profiles and Access Policies.

The strength of the authentication mechanism you use for the Access Policy Manager should match the authentication level of your local network. That is, the standards you apply to Access Policy Manager authentication should be as high as those you use for your local network.

To set up authentication, log on to the Configuration utility and on the navigation pane, expand Access Policy, and click AAA Servers.

Understanding authentication types for Active Directory and LDAP

There are two types of authentication that pertain to Active Directory and LDAP, and they use two separate access policy items.

• Auth: This means authentication only. In this case, the Access Policy Manager just verifies the user’s credentials against an external server.

• Query: This means the Access Policy Manager queries the external server for additional information about the user.

The Auth and Query methods are independent of each other, and you do not necessarily need to have them configured within the same access policy.

However, as an administrator, you must decide which type of policy item to add to your access policy. For instance, if you add AD Auth to your policy, you cannot change it to AD Query later unless you go into your access policy and delete the AD Auth item completely from your policy.

For more information on how to configure the Auth and Query methods for either LDAP or Active Directory, refer to Configuring LDAP access policy action item for authentication, on page 11-24, Configuring LDAP query policy action item, on page 11-26, Configuring Access Policy Manager to access the Active Directory for authentication, on page 11-34, and Configuring Access Policy Manager to access the Active Directory action item for query, on page 11-35.

Important

To use a specific authentication method, you must have at your site a server that supports the scheme.

You can set up authentication using any combination of the following methods.

• RADIUS server: Uses the server at your site that supports authentication using the RADIUS protocol. For more information on this method, see RADIUS authentication, on page 11-4.

• LDAP server: Uses the server at your site that supports authentication using LDAP. For more information on this method, see Setting up Access Policy Manager for LDAP authentication and authorization, on page 11-23.

• Microsoft® Active Directory®: Uses the server at your site that supports Kerberos authentication against a Windows® 2000® or later server. For more information on this method, see Setting up Access Policy Manager for Windows Active Directory authentication and authorization, on page 11-32.

• HTTP authentication: Uses external web-based authentication servers to validate user logons and passwords, and to control user access to specific network resources. For more information on this method, see Setting up Access Policy Manager for HTTP authentication, on page 11-41.

• RSA SecurID over RADIUS: Uses the RADIUS protocol for authentication. To use RSA SecurID over RADIUS, you must select RADIUS as the authentication method. For more information on this method, refer to Configuring RSA SecurID using RADIUS, on page 11-12.

• RSA Native SecurID: Uses the RSA Native SecurID protocol for authentication. To use RSA Native SecurID, you must have an authentication server set up, and you must select SecurID as the authentication method. For more information on this method, refer to Setting up Access Policy Manager for RSA Native SecurID for authentication and authorization, on page 11-17.


Understanding different RADIUS operation modes

The Access Policy Manager provides you with three modes of operation for RADIUS. You can use a RADIUS server to authenticate your users, retrieve user session information using a RADIUS accounting server, or perform both actions within a single access policy.

The three operation modes for RADIUS are:

• RADIUS authentication

• RADIUS accounting

• RADIUS authentication and accounting

RADIUS authentication

RADIUS authentication allows you to authenticate and authorize your users to access their resources through a RADIUS server that you configure on the Access Policy Manager. For more information on how to set up authentication using a RADIUS server, refer to Setting up RADIUS authentication and authorization access policy action item, on page 11-9.

The following tasks provide information on how to set up your RADIUS server. You can also leverage user information, in the form of attributes, to allow users access to various network resources.

Important

Be sure that the RADIUS server is configured to recognize the Access Policy Manager as a client. Use the same shared secret in both the RADIUS server configuration and in the Access Policy Manager configuration.

Setting up RADIUS authentication and authorization involves the following tasks:

• Setting up a RADIUS server

• Setting up RADIUS access policy action items

RADIUS attributes

Table 11.1, following, lists the RADIUS authentication attributes that the Access Policy Manager sends with RADIUS requests.

Attribute         Purpose
User-Name         Indicates the name of the user to be authenticated.
User-Password     Indicates the password of the user to be authenticated.
NAS-IP-Address    Indicates the identifying IP address of the NAS.
Service-Type      Indicates the type of service the user has requested.
NAS-Port          Indicates the physical port number of the NAS that is authenticating the user.

Table 11.1 List of RADIUS attributes

RADIUS accounting

You can report user session information to an external RADIUS accounting server. If you select this mode only, the system assumes that you have set up another type of authentication method to authenticate and authorize your users to access their resources. For more information on how to set up RADIUS accounting, refer to To configure RADIUS accounting, on page 11-14.

The Access Policy Manager operates as a client of the external RADIUS accounting server, and is responsible for retrieving user information. It sends accounting messages indicating when the network access is initiated or terminated, by sending the RADIUS accounting start and stop messages. However, the RADIUS accounting start message does not mean the actual network access will be successfully established. If a user logs in, but the network tunnel fails to establish, the user is not presented with a logon denied page. Instead, the user either sees an error message on the webtop and must manually log out, or is automatically logged out of a session. In either case, the accounting stop message is sent when the user is logged out and the session terminates.

RADIUS accounting works in the following ways:

• When a user logs on to the Access Policy Manager, the system sends session start information to the RADIUS accounting server. Session start information consists of the RADIUS username, the RADIUS session ID of the user’s session, and a RADIUS accounting status start message, indicating that the session has started.

• When the user terminates the session by logging off the Access Policy Manager, the system sends session end information to the RADIUS accounting server. The session end information includes the RADIUS username, the RADIUS session ID, and the RADIUS accounting status stop message, indicating that the session has ended. Also included in this stop message is the RADIUS service duration, which represents the total time the user session was active.


RADIUS accounting attributes

Tables 11.2 and 11.3 list the RADIUS accounting attributes that the Access Policy Manager sends in the RADIUS Accounting-Request start message and in the RADIUS Accounting-Request stop message.

Attribute               Purpose
User-Name               The name of the authenticated user.
Acct-Session-Id         A unique accounting ID to make it easy to match start and stop records in a log file. It is essentially the user’s session ID.
Acct-Status-Type        Indicates whether the accounting request marks the beginning of the user service (Start) or the end (Stop).
Acct-Authentic          Indicates how the user was authenticated, whether by RADIUS, the NAS itself, or another remote authentication protocol.
Service-Type            Indicates the type of service the user has requested.
NAS-IP-Address          Identifies the IP address of the NAS that is requesting authentication of the user. The administrator can enter this address on the AAA RADIUS server configuration page.
NAS-Port                The physical port number of the NAS that is authenticating the user. It is always set to 0.
Tunnel-Client-Endpoint  Contains the IP address of the initiator end of the tunnel.
Class                   Administrators can make resource assignments using this attribute.

Table 11.2 List of start message attributes

Attributes for stop messages include the following values:

Attribute               Purpose
Acct-Terminate-Cause    Indicates how the session was terminated. Access Policy Manager supports three values for this attribute: User Request, Session Timeout, and Admin Reset.
Acct-Session-Id         A unique accounting ID to make it easy to match start and stop records in a log file. It is essentially the user’s session ID.
Acct-Status-Type        Indicates whether the accounting request marks the beginning of the user service (Start) or the end (Stop).
Acct-Session-Time       Indicates the number of seconds for which the user has received service.
Service-Type            Indicates the type of service the user has requested.
Framed-IP-Address       Indicates the address configured for the user.
Acct-Input-Octets       Indicates the number of octets received from the port over the course of the service provided.
Acct-Output-Octets      Indicates the number of octets sent to the port in the course of delivering the service provided.

Table 11.3 List of stop message attributes

If the user does not log off, but simply closes the web browser window, the Access Policy Manager sends the RADIUS stop message when the user’s session times out.

RADIUS accounting messages are sent asynchronously. The Access Policy Manager stores the start and end information for the user’s session in its database, and sends it to the RADIUS accounting server.

Important

Be sure to configure your RADIUS accounting server to recognize the Access Policy Manager as a client. Refer to your external server’s user manual for more information on how to perform this task.
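The following Python code is an added example and is not part of this guide or of the Access Policy Manager itself. It encodes the start and stop records described above with the attributes of Tables 11.2 and 11.3 (RFC 2866 framing), and then shows the two things an accounting server does with them: it recomputes the Request Authenticator with its own copy of the shared secret, discarding anything that does not match, and it pairs start and stop records by Acct-Session-Id to recover the user, the service duration and the terminate cause. The shared secret, user name, session IDs, addresses, octet counts and the Service-Type value 2 (Framed) are all constructed for the example.

```python
# Added example (not F5 code): RADIUS accounting Start/Stop records and the checks an
# accounting server applies to them. All values below are constructed.
import hashlib
import struct

ACCOUNTING_REQUEST = 4
# Attribute type codes (RFC 2865 / RFC 2866).
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, FRAMED_IP_ADDRESS, CLASS = 1, 4, 5, 6, 8, 25
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_AUTHENTIC, ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 44, 45, 46, 49
START, STOP = 1, 2                  # Acct-Status-Type values
AUTHENTIC_RADIUS = 1                # Acct-Authentic: the user was authenticated by RADIUS
SERVICE_FRAMED = 2                  # Service-Type value assumed for a network access session
TERMINATE_CAUSE = {1: "User Request", 5: "Session Timeout", 6: "Admin Reset"}  # the three APM sends


def attr(atype, value):
    """Encode one Type/Length/Value attribute; ints are 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    return struct.pack("!BB", atype, len(value) + 2) + value


def ipv4(dotted):
    return bytes(int(o) for o in dotted.split("."))


def u32(raw):
    return struct.unpack("!I", raw)[0]


def accounting_request(ident, attrs, secret):
    """Build an Accounting-Request. RFC 2866: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return head + hashlib.md5(head + bytes(16) + body + secret).digest() + body


def start_record(ident, user, session_id, nas_ip, secret, resource_class=None):
    """Table 11.2: the attributes carried by the session start message."""
    attrs = [attr(USER_NAME, user), attr(ACCT_SESSION_ID, session_id),
             attr(ACCT_STATUS_TYPE, START), attr(ACCT_AUTHENTIC, AUTHENTIC_RADIUS),
             attr(SERVICE_TYPE, SERVICE_FRAMED), attr(NAS_IP_ADDRESS, ipv4(nas_ip)),
             attr(NAS_PORT, 0)]                  # Table 11.2: NAS-Port is always 0
    if resource_class:
        attrs.append(attr(CLASS, resource_class))
    return accounting_request(ident, attrs, secret)


def stop_record(ident, session_id, framed_ip, seconds, cause, in_octets, out_octets, secret):
    """Table 11.3: the attributes carried by the session stop message."""
    return accounting_request(ident, [
        attr(ACCT_TERMINATE_CAUSE, cause), attr(ACCT_SESSION_ID, session_id),
        attr(ACCT_STATUS_TYPE, STOP), attr(ACCT_SESSION_TIME, seconds),
        attr(SERVICE_TYPE, SERVICE_FRAMED), attr(FRAMED_IP_ADDRESS, ipv4(framed_ip)),
        attr(ACCT_INPUT_OCTETS, in_octets), attr(ACCT_OUTPUT_OCTETS, out_octets)], secret)


def verify_request(packet, secret):
    """Server side: recompute the Request Authenticator with the server's copy of the
    shared secret. On mismatch (wrong secret, altered packet) RFC 2866 says to discard
    silently, so return None; otherwise return the decoded {type: raw value} attributes."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    body = packet[20:]
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    if hashlib.md5(packet[:4] + bytes(16) + body + secret).digest() != packet[4:20]:
        return None
    attrs, i = {}, 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            return None
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs


def match_sessions(packets, secret):
    """Pair Start and Stop records by Acct-Session-Id, the purpose Table 11.2 gives that
    attribute. Returns ({session_id: record}, number of discarded packets)."""
    sessions, discarded = {}, 0
    for packet in packets:
        attrs = verify_request(packet, secret)
        if attrs is None:
            discarded += 1
            continue
        rec = sessions.setdefault(attrs[ACCT_SESSION_ID].decode(), {"start": False, "stop": False})
        if u32(attrs[ACCT_STATUS_TYPE]) == START:
            rec.update(start=True, user=attrs[USER_NAME].decode())
        else:
            rec.update(stop=True, seconds=u32(attrs[ACCT_SESSION_TIME]),
                       cause=TERMINATE_CAUSE.get(u32(attrs[ACCT_TERMINATE_CAUSE]), "other"),
                       octets=(u32(attrs[ACCT_INPUT_OCTETS]), u32(attrs[ACCT_OUTPUT_OCTETS])))
    return sessions, discarded


def demo():
    """Constructed traffic: one complete session, plus a record sent with the wrong secret."""
    secret = b"example-shared-secret"           # constructed; must match on both sides
    packets = [
        start_record(1, "alice", "a1b2c3d4", "192.0.2.10", secret, "vpn-users"),
        stop_record(2, "a1b2c3d4", "198.51.100.7", 3600, 1, 120000, 4800000, secret),
        start_record(3, "alice", "deadbeef", "192.0.2.10", b"wrong-secret"),
    ]
    return match_sessions(packets, secret)
```

Running demo() returns one matched session for "alice" with a duration of 3600 seconds and cause "User Request", and reports one discarded packet: the record built with a different secret never enters the session table, which is the behaviour the Important note above is guarding against when it asks you to register the Access Policy Manager as a client with the same secret on both sides.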


RADIUS authentication and accounting

You can perform both RADIUS authentication and accounting actions. Keep in mind that if you select this mode, the RADIUS server and the RADIUS accounting server must run on different service ports, and that the Access Policy Manager does not send RADIUS accounting information to the RADIUS accounting server unless the user has been authorized by the RADIUS server.

Setting up Access Policy Manager for RADIUS authentication and authorization

The first task in setting up a RADIUS authentication is to configure the RADIUS server.

To set up a RADIUS server

1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The New Server General Properties screen opens.

2. Type a name for your AAA server and select RADIUS from the Type list. The screen refreshes to provide additional settings specific to the RADIUS type.

3. In the Configuration section, select the Mode type.

4. Enter the information in the required fields. You can find details for each setting in the online help. This adds the new RADIUS server to the AAA Server List.

If you use the Timeout setting, you must also use the Retries setting. If these settings are enabled, the Access Policy Manager attempts to reach the AAA server within the specified time in seconds. If the server does not respond, the Access Policy Manager retries the authentication attempt as many times as you specify in Retries.


Setting up RADIUS authentication and authorization access policy action item

To complete the authentication process, you must add the RADIUS server to an access policy as an action item.

To add the RADIUS server as an access policy action item

1. In the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles List screen opens.

2. On the Access Profiles list screen, click the name of your profile. The Properties screen opens.

3. On the menu bar, click Access Policy. The Access Policy screen opens.

4. For the Visual Policy Editor setting, click the link Edit Access Policy for Profile "<name of policy>" to start the visual policy editor. The visual policy editor opens in a new window or new tab, depending on your browser settings.

5. Click the small plus sign [+] where you want to add the new access policy action item. A properties screen opens.

6. Under Authentication, select RADIUS Auth and click Add item. The RADIUS Auth object popup opens in the visual policy editor.

7. On the Properties tab, select the name of your RADIUS server from the AAA Server list, and click Save.

8. Click Activate Access Policy to save your configuration. The AAA server is added to the access policy, and is now a part of the overall authentication process.


Using RADIUS session variables for access policy rules

You can authorize your users with user information provided by the RADIUS server in the form of attributes. These attributes, converted into session variables, can be used to create rules. For more information on session variables and how to use them to create your rules, refer to Appendix C, Session Variables.

The RADIUS access policy action automatically creates the session variables shown in Table 11.4.

To view RADIUS session variables

1. In the navigation pane, expand Access Policy, and click Reports. The Reports screen opens.

2. Click an active session ID. The Properties screen opens.

3. Scroll down the list of session variables until you see the RADIUS session variables.

Using RADIUS authentication default rules

The Access Policy Manager provides two default rules for the RADIUS authentication access policy action. You use these rules to organize your users into two categories:

• Authenticated Users: These users were authenticated successfully and are able to access their webtop.

• Users fails Authentication: These users failed authentication and are directed to the logon denied page.

Session Variable                      Description
session.RADIUS.last.result            Provides the result of the RADIUS authentication. The available values are: 0 (Failed), 1 (Passed).
session.RADIUS.last.attr.$attr_name   $attr_name is a value that represents the user’s attributes received during RADIUS authentication. Each attribute is converted to a separate session variable.
session.RADIUS.last.errmsg            Displays the error message for the last logon. If session.RADIUS.last.result is set to 0, then session.RADIUS.last.errmsg may be useful for troubleshooting purposes. Example: c76a50c0.session.RADIUS.last.errmsg 13 Access-Reject

Table 11.4 RADIUS session variables


You can add your own custom rules using the session variables. For example, you can create your own custom rules when you want different users assigned to different network resources. For more information on how to add custom access policy rules, refer to Chapter 5, Creating Access Profiles and Access Policies.

Troubleshooting RADIUS authentication access policy action

You may run into problems with RADIUS authentication in some instances. Follow these tips to try to resolve any issues you may encounter. Additionally, you can view specific error messages concerning authentication in the /var/log/apm file, or from the navigation pane, expand System, click Logs, and on the menu bar, click Access Policy.

Possible errors                                     Possible explanations and corrective actions
Authentication failed due to timeout                Check that the Access Policy Manager is configured as a client on the RADIUS server. You may have encountered a general network connection problem.
Authentication failed due to RADIUS access reject   Check that the shared secret on the RADIUS server is valid. Check that the user credentials are entered correctly.

Table 11.5 Possible RADIUS server errors

Additional troubleshooting tips for RADIUS authentication

Refer to Table 11.6, following, for steps on how to ensure that a connection is successfully made between the Access Policy Manager and your authentication server, and that your authentication method is working properly.

You should                                   Steps to take

Check to see if your access policy is attempting to perform authentication
  • Refer to the message boxes in your access policy to display information on what the access policy is attempting to do.
  • Refer to /var/log/apm to view authentication attempts by the access policy. Note: Make sure that your log level is set to the appropriate level. The default log level is notice. Refer to Chapter 17, Logging and Reporting, for more information on how to use the logging feature.

Confirm network connectivity
  • Access the Access Policy Manager through the command line interface and check your connectivity by pinging the RADIUS server using the host entry in the AAA Server box.
  • Confirm that the RADIUS port 1812 is not blocked between the Access Policy Manager and the RADIUS server.

Check the RADIUS server configuration
  • Confirm that the Access Policy Manager is registered as a RADIUS client. Note: Because the Access Policy Manager sends its authentication requests to the RADIUS server from its self IP address, it is the self IP address that must be registered as a RADIUS client.
  • Check the RADIUS logs for any errors.

Capture a TCP dump
  • Take a TCP dump from the Access Policy Manager when authentication attempts are made, for example: tcpdump -i 1.1 -w /tmp/dump. You must first determine which interface the self IP address is on. These TCP dumps show the traffic between the Access Policy Manager and the authentication server.
  • Run the authentication test. After authentication fails, stop the TCP dump, download the TCP dump records to a client system, and use an analyzer to troubleshoot.
  Important: If you decide to escalate the issue to customer support, you must provide a capture of the TCP dump when you encounter authentication issues that you cannot otherwise resolve on your own.

Table 11.6 General steps to test and ensure successful RADIUS authentication

Configuring RSA SecurID using RADIUS

To set up RSA SecurID over RADIUS, follow the same steps you did to set up a RADIUS access policy action, as described in Setting up RADIUS authentication and authorization access policy action item, on page 11-9. Access Policy Manager supports the RSA SecurID features over the RADIUS protocol listed in Table 11.7, following.

RSA SecurID checklist   Associated items
New PIN mode            • Force authentication after new PIN generated
                        • System generated PIN
                        • User-defined (4-8 alpha-numeric)
                        • User-defined (5-7 numeric)
                        • User selectable
                        • Deny 4 and 8 digit PIN
                        • Deny alpha-numeric PIN
Passcode                • 16 digit passcode
                        • 4 digit passcode
Next Token Mode         • Next token mode

Table 11.7 RSA SecurID feature checklist over RADIUS protocol
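The following Python code is an added example, not code from this guide or from the Access Policy Manager. It ties together three things discussed above: the authentication attributes of Table 11.1 (including how User-Password is hidden under the shared secret and how the reply's Response Authenticator is checked, which is where a wrong shared secret shows up), the session variables of Table 11.4 that an authentication result turns into, and the Access-Challenge round trip that Next Token Mode from Table 11.7 depends on over RADIUS. The RADIUS server here is a constructed stand-in that only models one behaviour of an RSA server (ask for the next tokencode after a correct passcode); no real SecurID is involved. The user name, passcode, tokencode, shared secret, NAS address 192.0.2.10, the Class value "vpn-users" and the Service-Type value 2 (Framed) are all constructed for the example.

```python
# Added example (not F5 code): a RADIUS client round trip with a Next Token Mode
# challenge. The server class is a constructed stand-in; all values are constructed.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# Attribute type codes (RFC 2865); NAMES marks those surfaced as session variables.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
REPLY_MESSAGE, STATE, CLASS = 18, 24, 25
NAMES = {CLASS: "Class", REPLY_MESSAGE: "Reply-Message"}
SERVICE_FRAMED = 2                          # Service-Type value assumed for a VPN session

def attr(atype, value):
    """Encode one Type/Length/Value attribute; ints are 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(body):
    """Decode TLV attributes into {type: raw value}; a bad length raises."""
    attrs, i = {}, 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs

def password_xor(data, secret, authenticator, hiding):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block).
    hiding=True takes the padded cleartext; hiding=False reverses the chain."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else chunk)
    return out

def access_request(ident, user, password, secret, nas_ip, state=None):
    """Build an Access-Request with the Table 11.1 attributes; also return the
    Request Authenticator, which the client keeps to verify the reply."""
    authenticator = os.urandom(16)          # fresh unpredictable value per request
    raw = password.encode()
    hidden = password_xor(raw + bytes(-len(raw) % 16), secret, authenticator, True)
    attrs = [attr(USER_NAME, user), attr(USER_PASSWORD, hidden),
             attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
             attr(NAS_PORT, 0), attr(SERVICE_TYPE, SERVICE_FRAMED)]
    if state is not None:
        attrs.append(attr(STATE, state))    # echo State when answering a challenge
    body = b"".join(attrs)
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return head + authenticator + body, authenticator

def parse_response(packet, request_authenticator, secret):
    """Accept a reply only if its Response Authenticator equals MD5(Code + ID + Length
    + RequestAuth + Attributes + Secret). A mismatched shared secret fails here, so
    the reply is discarded and the client is left with no usable answer."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + body + secret).digest()
    if length != len(packet) or expected != packet[4:20]:
        return None
    return code, parse_attrs(body)

class SecurIDOverRadius:
    """Constructed stand-in for an RSA server behind RADIUS: it knows one passcode and
    one next tokencode, and answers a good passcode with Access-Challenge first
    (Next Token Mode). The State attribute links the two round trips."""
    def __init__(self, secret, passcode, next_token):
        self.secret, self.passcode, self.next_token = secret, passcode, next_token
        self.pending = set()                # State values waiting for a tokencode

    def handle(self, packet):
        code, ident, _ = struct.unpack("!BBH", packet[:4])
        req_auth, attrs = packet[4:20], parse_attrs(packet[20:])
        # Recover the passcode with the server's secret; a client using a different
        # secret yields garbage here and is rejected (Table 11.5, access reject row).
        passcode = password_xor(attrs[USER_PASSWORD], self.secret, req_auth, False)
        passcode = passcode.rstrip(b"\0").decode("latin-1")
        state = attrs.get(STATE)
        if state in self.pending and passcode == self.next_token:
            self.pending.discard(state)
            code, reply = ACCESS_ACCEPT, [attr(CLASS, "vpn-users")]
        elif state is None and passcode == self.passcode:
            state = os.urandom(8)
            self.pending.add(state)
            code, reply = ACCESS_CHALLENGE, [attr(STATE, state),
                                             attr(REPLY_MESSAGE, "Enter the next tokencode")]
        else:
            code, reply = ACCESS_REJECT, []
        body = b"".join(reply)
        head = struct.pack("!BBH", code, ident, 20 + len(body))
        return head + hashlib.md5(head + req_auth + body + self.secret).digest() + body

def authenticate(server, user, passcode, next_token, secret, nas_ip="192.0.2.10"):
    """Client side: send the Access-Request, answer one challenge with the next
    tokencode, and map the outcome onto Table 11.4 style session variables."""
    pkt, ra = access_request(1, user, passcode, secret, nas_ip)
    parsed = parse_response(server.handle(pkt), ra, secret)
    if parsed is not None and parsed[0] == ACCESS_CHALLENGE:
        pkt, ra = access_request(2, user, next_token, secret, nas_ip, parsed[1][STATE])
        parsed = parse_response(server.handle(pkt), ra, secret)
    sv = {"session.RADIUS.last.result": 0}
    if parsed is None:
        sv["session.RADIUS.last.errmsg"] = "reply discarded: Response Authenticator mismatch (check shared secret)"
        return sv
    code, attrs = parsed
    sv["session.RADIUS.last.result"] = 1 if code == ACCESS_ACCEPT else 0
    for atype, value in attrs.items():       # each returned attribute -> its own variable
        if atype in NAMES:
            sv["session.RADIUS.last.attr." + NAMES[atype]] = value.decode("latin-1")
    if code == ACCESS_REJECT:
        sv["session.RADIUS.last.errmsg"] = "Access-Reject"
    return sv
```

With matching secrets, a correct passcode followed by the correct next tokencode yields session.RADIUS.last.result set to 1 and session.RADIUS.last.attr.Class set to "vpn-users"; a wrong passcode or wrong tokencode yields result 0 with "Access-Reject" in errmsg. With mismatched secrets the server rejects, but the client cannot even validate that reject, which is why a bad shared secret can present as either of the two rows in Table 11.5 depending on which side you are looking from.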


Troubleshooting RSA SecurID on Windows using RADIUS configuration

If you are having difficulty authenticating using RSA SecurID over RADIUS against a Windows server that is running the RSA SecurID server, you can view specific error messages concerning authentication in the /var/log/apm file, or from the navigation pane, expand System, click Logs, and on the menu bar, click Access Policy.

Additionally, refer to the following table for possible corrective actions based on the errors received.

Possible errors    Possible explanations and corrective actions

The RADIUS server is inactive
  Even if the RADIUS server has been started from the SecurID options window on the Windows SecurID server, the server may not be active. In the Windows Services Manager, make sure that the server is set to start each time the server boots, and is currently running. RSA SecurID authentication using RADIUS takes place on a different port than native SecurID authentication.

The SecurID is configured incorrectly for RADIUS authentication
  While using RSA SecurID over RADIUS, the SecurID server is a client of itself. The RADIUS service functions as a standalone process, and if the SecurID server is not set up as a client of itself, it rejects the Access Policy Manager authentication request and does not store anything in the logs.

No response from the RSA SecurID server
  Check that the RSA SecurID is configured properly. To facilitate communication between the Access Policy Manager and the RSA SecurID, an Agent Host record must be added to the RSA Authentication Manager database. For an example of how to add an agent host, refer to Adding the Access Policy Manager as an agent host to an RSA Native SecurID authentication server, on page 11-18.
  The Agent Host record identifies the Access Policy Manager within its database and contains information about communication and encryption.
  To create the Agent Host record, you need the following information:
  • Host name
  • IP addresses for all network interfaces
  • RADIUS secret (Click Assign/Change Encryption Key to input the secret. This RADIUS secret must match the corresponding RADIUS secret on the Access Policy Manager.)
  When adding the Agent Host record, you should configure the Access Policy Manager as a communication server. This setting is used by the RSA Authentication Manager to determine how communication with the Access Policy Manager will occur.

Table 11.8 RSA SecurID troubleshooting tips


Configuring Access Policy Manager for RADIUS accounting

To configure RADIUS accounting

1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The New Server General Properties screen opens.

2. In the Name box, type the name for your AAA server.

3. In the Type box, select the RADIUS option as your AAA server type. The screen refreshes to show configuration options for RADIUS.

4. In the Configuration section, select the Accounting mode. The screen displays additional settings.

5. For Accounting Host, type the IP address of your RADIUS accounting server.

6. In the Accounting Service Port box, type the service port for your Accounting server. The default is 1813.

7. For Secret, type the shared secret value or string used by both the RADIUS server configuration and the Access Policy Manager configuration.

8. In the Confirmed Secret box, re-type the shared secret value or string.

9. Click Finished.

Setting up RADIUS accounting access policy action item

To complete configuring the RADIUS accounting process, you must add the RADIUS accounting server to an access policy as an action item.

To add the RADIUS accounting server as an access policy action item

1. In the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles List screen opens.

2. On the Access Profiles list screen, click the name of your profile. The General Properties screen opens.

3. On the menu bar, click Access Policy. The Access Policy screen opens.


4. For the Visual Policy Editor setting, click the link Edit Access Policy for Profile "<name of policy>" to start the visual policy editor. The visual policy editor opens in a new window or new tab, depending on your browser settings.

5. Click the small plus sign [+] where you want to add the new access policy action item. A properties screen opens.

6. Under Authentication, select RADIUS ACCT and click Add item. The RADIUS Auth object popup opens in the visual policy editor.

7. On the Properties tab, select the name of your RADIUS accounting server from the AAA Server list, and click Save.

8. Click Activate Access Policy to save your configuration. The AAA server is added to the access policy, and is now a part of the overall authentication process.

The RADIUS accounting access policy action automatically creates the session variables shown in Table 11.9.

Session Variable                            Description
session.RADIUS.last.acctresult              Provides the result of the RADIUS accounting. The available values are: 0 (Failed), 1 (Passed).
session.RADIUS.last.acct.$acct_attr_name    $acct_attr_name is a value that represents the user’s accounting information attributes.

Table 11.9 RADIUS accounting session variables

Troubleshooting RADIUS accounting access policy action

You may run into problems with RADIUS accounting in some instances. Follow the tips in Table 11.10 to try to resolve any issues you may encounter. Additionally, you can view specific error messages concerning authentication in the /var/log/apm file, or from the navigation pane, expand System, click Logs, and on the menu bar, click Access Policy.

Possible errors                                 Possible explanations and corrective actions
Accounting failed due to timeout                Check that the Access Policy Manager is configured as a client on the RADIUS server. You may have encountered a general network connection problem.
Accounting failed due to RADIUS access reject   Check that the shared secret on the RADIUS server is valid. Check that the user credentials are entered correctly.

Table 11.10 Possible RADIUS accounting server errors


Configuring Access Policy Manager for RADIUS authentication and accounting

To configure RADIUS authentication and accounting

1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The New Server General Properties screen opens.

2. Type a name for your AAA server, and select RADIUS from the Type list. The screen refreshes to provide additional settings specific to the RADIUS type.

3. In the Configuration section, select Auth & Accounting mode.

4. Fill in the required fields. You can find details for each setting in the online help.

Setting up a RADIUS authentication and accounting access policy action item

To complete the authentication and accounting process, you must add the RADIUS authentication and accounting server to an access policy as an action item.

To add the RADIUS authentication and accounting server as an access policy action item

1. In the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles List screen opens.

2. On the Access Profiles list screen, click the name of your profile. The Properties screen opens.

3. On the menu bar, click Access Policy. The Access Policy screen opens.

4. For the Visual Policy Editor setting, click the link Edit Access Policy for Profile "<name of policy>" to start the visual policy editor. The visual policy editor opens in a new window or new tab, depending on your browser settings.

5. Click the small plus sign [+] where you want to add the new access policy action item. A properties screen opens in the visual policy editor.

6. Under Authentication, select RADIUS Auth and click Add item. The RADIUS Auth object popup opens.


7. Now select RADIUS Acct and click Add item. The RADIUS authentication and accounting objects popup opens in the visual policy editor.

8. On the Properties tab, select the name of your RADIUS server from the AAA Server list, and click Save.

9. Click Activate Access Policy to save your configuration. The RADIUS authentication and accounting server is added to the access policy, and is now a part of the overall authentication process.

Setting up Access Policy Manager for RSA Native SecurID for authentication and authorization

RSA Native SecurID is a two-factor authentication mechanism developed by RSA®, the Security Division of EMC. This mechanism of authentication is based on a user PIN code and a token provided to the user.

A token is a piece of hardware or software assigned to a computer that generates an authentication code at fixed intervals using a built-in clock and the card’s seed.

The Access Policy Manager supports the RSA Native SecurID features listed in Table 11.11, following.

Setting up RSA Native SecurID authentication and authorization involves the following tasks:

• Add the Access Policy Manager as an agent host to an RSA Native SecurID authentication server

• Configure the Access Policy Manager to use the RSA Native SecurID authentication server

• Set up an RSA Native SecurID authentication access policy action item

RSA SecurID checklist   Associated items
New PIN mode            • Force authentication after new PIN generated
                        • System generated PIN
                        • User-defined (4-8 alpha-numeric)
                        • User-defined (5-7 numeric)
                        • User-selectable
                        • Deny 4 and 8 digit PIN
                        • Deny alpha-numeric PIN
Passcode                • 16 digit passcode
                        • 4 digit passcode
Next Token Mode         • Next token mode

Table 11.11 RSA SecurID feature checklist over RADIUS protocol

Note

Please refer to your RSA SecurID Implementation Guide for information on how to set up your RSA Native SecurID authentication server.

Adding the Access Policy Manager as an agent host to an RSA Native SecurID authentication server

To enable communications between the Access Policy Manager and an RSA Native SecurID authentication server, you must add the Access Policy Manager as an agent host to the authentication server. The agent host record identifies the Access Policy Manager within the server authentication database, and includes information about communication and encryption.

To add the Access Policy Manager as an agent host to an RSA Native SecurID authentication server

1. On the administrative interface of your RSA Native SecurID authentication server, click the Agent Host tab, and select the Add Agent item.

2. In the Name box, specify a name for identifying the Access Policy Manager agent host configuration. This may or may not be a DNS-resolvable name. This name can be different from the FQDN configured on the Access Policy Manager.

3. In the Network Address box, type the IP address used by the Access Policy Manager while communicating with the RSA Native SecurID authentication server. This address must be the source IP address present in the IP packets received by the RSA Native SecurID authentication server from the Access Policy Manager.

4. From the Agent Type list, select UNIX agent.

5. For Encryption Type, select DES.

6. Verify that the Node Secret Created check box is cleared, if it is currently checked.

7. Check the Open to All Locally Known Users check box.

8. Check the Search Other Realms for Known Users check box.

9. Click the Requires Name Lock check box.

10. Clear any selection from the check boxes Enable Offline Authentication, Enable Windows Password Integration, and Create Verifiable Authentication.

11. Click OK.

12. Click the Agent Host tab, and select the Generate Configuration Files item. The Generate Configuration File screen opens.

13. Select the One Agent Host option, and then select from the list the Access Policy Manager agent host you just configured.

14. Save the agent host configuration file onto your local system.

15. Click OK.

16. Add users who are authorized to use the Access Policy Manager. For more information on how to do this, refer to your RSA Native SecurID authentication server administrator guide.

Configuring the Access Policy Manager to use the RSA Native SecurID authentication server

After you add the Access Policy Manager as an agent host to your RSA Native SecurID authentication server, you can configure the Access Policy Manager to use the authentication server as part of your authentication process.

To configure the Access Policy Manager to use the RSA Native SecurID authentication server

1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The New Server General Properties screen opens.

2. In the Name box, type the name for your AAA server.

3. In the Type box, select the SecurID option as your AAA server type. The screen refreshes to show the configuration options for SecurID.

4. In the Configuration section, for the Agent Host IP Address (must match the IP address in SecurID Configuration File), if there is a NAT device in the network path between the Access Policy Manager and the RSA SecurID server, type the address as translated by the NAT device. Otherwise, select the IP address from among those configured on the Access Policy Manager. In all cases, this IP address must match the source IP address in the IP packets received by the RSA SecurID server.

5. For the Configuration File, browse to upload the sdconf.rec file from your authentication server. Consult your RSA Authentication Manager administrator to obtain this file.

6. Click Finish. The new RSA server is added.

Important

You must rename the configuration file to sdconf.rec and copy it to the Access Policy Manager before you can use the command line interface commands to configure RSA Native SecurID. Then, you add the SecurID server as you would add any AAA server. Remember that the server name must be the name of the directory to which the configuration file was copied.


Setting up RSA Native SecurID authentication and authorization access policy action item

To complete the authentication process, you must add the RSA Native SecurID authentication server to an access policy as an action item.

To add the RSA Native SecurID authentication server as an access policy action item

1. In the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles List screen opens.

2. On the Access Profiles list screen, click the name of your profile. The Properties screen opens.

3. On the menu bar, click Access Policy. The Access Policy screen opens.

4. For the Visual Policy Editor setting, click the link Edit Access Policy for Profile "<name of policy>" to start the visual policy editor. The visual policy editor opens in a new window or new tab, depending on your browser settings.

5. Click the small plus sign [+] where you want to add the new access policy action item. A properties screen opens.

6. Under Authentication, select SecurID and click Add item. The SecurID Auth object popup opens in the visual policy editor.

7. On the Properties tab, select the name of your SecurID server from the AAA Server list, and click Save.

8. Click Activate Access Policy to save your configuration. The SecurID server is added to the access policy, and is now a part of the overall authentication process.

Using RSA Native SecurID session variables for access policy rules

You can authorize your users with user information provided by the RSA Native SecurID authentication server in the form of attributes. These attributes, converted into session variables, can be used to create rules. For more information on session variables and how to use them to create your rules, refer to Appendix C, Session Variables.

The RSA Native SecurID access policy action automatically creates the session variables, as shown in Table 11.12.

Session Variable: session.securid.last.result
Description: Provides the result of the RSA Native SecurID authentication. The available values are:
• 0: Failed
• 1: Passed

Session Variable: session.securid.last.attr.$attr_name
Description: $attr_name is a value that represents the user’s attributes received during RSA Native SecurID authentication. Each attribute is converted to separate session variables.

Table 11.12 RSA Native SecurID session variables

To view RSA Native SecurID session variables

1. In the navigation pane, expand Access Policy, and click Reports. The Reports screen opens.

2. Click an active session ID. The Properties screen opens.

3. Scroll down the list of session variables until you see the RSA Native SecurID session variables.

Using RSA Native SecurID authentication default rules

The Access Policy Manager provides two default rules for the RSA Native SecurID access policy action. You use these rules to organize your users into the following two categories:

• RSA SecurID passed: These users were authenticated successfully and are able to access their webtop.

• RSA SecurID not passed: These users failed authentication and are directed to the logon denied page.

You can add your own custom rules using the session variables. For example, you can create your own custom rules when you want different users assigned to different network resources. For more information on how to add custom access policy rules, refer to Chapter 7, Creating Access Profiles and Access Policies.

Troubleshooting RSA Native SecurID access policy item

You may run into problems with RSA Native SecurID authentication in some instances. You can view specific error messages concerning authentication in the /var/log/apm file. Or from the navigation pane, expand System, click Logs, and on the menu bar, click Access Policy.

Setting up Access Policy Manager for LDAP authentication and authorization

The Access Policy Manager can authenticate using any LDAP database, including a Windows Active Directory.

You can use an LDAP-protocol-based directory, including an Active Directory, to authenticate users. In this case, you do not store user information on the Access Policy Manager. Instead, you obtain it from the LDAP entry.

Setting up LDAP authentication and authorization involves the following tasks:

• Set up an LDAP server

• Configure an LDAP authentication access policy action item

• Configure an LDAP Query access policy action item

Setting up an LDAP server

The first task in setting up LDAP authentication is to set up an LDAP server.

To set up an LDAP server

1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The New Server General Properties screen opens.

2. Type a name for your AAA server and select LDAP from the Type list. The screen refreshes to provide additional settings specific to the LDAP Type.

3. Fill in the required fields. You can find details for each setting in the online help. For Admin DN, enter the value in this format: CN=administrator,CN=users,DC=sales,DC=mycompany,DC=com.

4. Click Finish. The new LDAP server is added to the AAA Server List.

Note

If your LDAP directory allows anonymous query, you do not need to specify an administrative account or password in the required fields. Either specify credentials of any LDAP account that allows querying this part of the LDAP directory, or create a new LDAP account for Access Policy Manager.


Configuring LDAP access policy action item for authentication

To use LDAP authentication, you must specify the authentication type as LDAP Auth from the visual policy editor. Additionally, you need specific information from your LDAP server administrator.

To configure LDAP for authentication

1. In the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles List screen opens.

2. In the Access Profiles list screen, click the name of your profile. The Properties screen opens.

3. On the menu bar, click Access Policy. The Access Policy screen opens.

4. For the Visual Policy Editor setting, click the link Edit Access Policy for Profile "<name of policy>" to start the visual policy editor. The visual policy editor opens in a new window or new tab, depending on your browser settings.

5. Click the small plus sign [+] where you want to add the new access policy action item. A properties screen opens.

6. Under Authentication, select LDAP Auth, and click Add item. The LDAP object popup opens in the visual policy editor.

7. On the Properties tab, select the name of your LDAP server from the AAA Server list, and click Save.

8. Specify information for the SearchFilter and SearchDN settings. For more information about these settings, refer to Specifying SearchFilter and SearchDN settings, on page 11-25.

9. Specify information for the UserDN setting. This step is required only if you do not use the SearchDN setting with the SearchFilter setting. For more information about the UserDN setting, refer to Specifying UserDN setting, on page 11-25.

10. Enable the Show Extended Error option. This displays the full error messages generated by the authentication server on the user’s Logon page. We recommend enabling this setting only in a testing or debugging environment. Otherwise, the detailed error messages can help an attacker, leaving your system vulnerable.

11. Specify the Max Logon Attempt Allowed setting. This gives the users an opportunity to re-enter their user credentials if their first attempt to log on fails.

• Set this value to be greater than 1, and a logon page reappears for the user after a logon failure.


• Set this value to 1, and no logon retry is allowed. The available range is 1-5, with 3 set as the default value.

12. Click Activate Access Policy to save your configuration. The LDAP server is added to the access policy, and is now a part of the overall authentication process.

Specifying SearchFilter and SearchDN settings

The Access Policy Manager queries the LDAP server using SearchDN and SearchFilter. If it finds a matching user entry, it uses the returned DN value and the user-entered password to bind to the LDAP directory. If the bind succeeds, the authentication succeeds, that is, the user is validated. If the bind fails, the authentication fails.

Depending on the LDAP structure, a Search base DN would be similar to the following string:

dc=sales, dc=mycompany, dc=com

In an LDAP structure, a Search filter would be similar to the following string:

APMAccountName=%{session.logon.last.username}

By default, all user attributes are loaded if the administrator does not specify any required attributes. However, if the administrator specifies certain user attributes, then only those specified attributes are loaded, which improves performance on the LDAP server.

Specifying UserDN setting

The Access Policy Manager attempts to bind with the LDAP server using the supplied DN and user-entered password. If the bind succeeds, that is, authentication succeeds, the user is validated. If the bind fails, the authentication fails. This value is a fully qualified DN of the user with rights to run the query. We recommend specifying this value in lowercase and without spaces for compatibility with some specific LDAP servers. The specific content of this string depends on your directory layout. For example, in an LDAP structure, a typical UserDN for query would be similar to the following string:

cn=%{session.logon.last.username}, cn=users, dc=sales, dc=com

Access Policy Manager supports using session variables in the SearchFilter, SearchDN, and UserDN fields. For example, if you want to use the user’s CN from the user’s SSL certificate as input in one of these fields, you can use the session variable session.ssl.cert.last.cn in place of session.logon.last.username. Refer to Appendix C, Session Variables, for more information.
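As an added example (not part of the F5 guide and not APM's own implementation), the following Python shows how the SearchFilter, SearchDN and UserDN templates described above can be expanded from session variables while escaping the substituted value, so that a user-supplied logon name cannot change the structure of the filter or DN sent to the directory. The %{session.…} reference syntax is the guide's; the function names, the RFC 4515/4514 escaping helpers and the sample session values are this example's assumptions.

```python
import re

# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
# Escaping them keeps a logon name such as "*)(uid=*" a literal string, so it
# cannot alter the search filter built from the SearchFilter template.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Characters that RFC 4514 requires to be escaped inside a DN attribute value.
_DN_SPECIALS = set(',+"\\<>;=')

# Session-variable reference as written in the guide: %{session.logon.last.username}
_VAR_REF = re.compile(r"%\{([A-Za-z0-9_.$]+)\}")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value for use as an attribute value inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            # A leading '#' and leading/trailing spaces are special only at the edges.
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def _expand(template: str, session: dict, escape) -> str:
    """Replace every %{name} in template with the escaped value of that session variable."""
    def replace(match):
        name = match.group(1)
        if name not in session:
            # Fail closed: an unset variable must not silently expand to an empty value.
            raise KeyError(f"session variable {name} is not set")
        return escape(str(session[name]))
    return _VAR_REF.sub(replace, template)


def build_search_filter(template: str, session: dict) -> str:
    """Expand a SearchFilter template such as APMAccountName=%{session.logon.last.username}."""
    return _expand(template, session, escape_filter_value)


def build_dn(template: str, session: dict) -> str:
    """Expand a SearchDN or UserDN template such as cn=%{session.logon.last.username},cn=users,dc=sales,dc=com."""
    return _expand(template, session, escape_dn_value)


if __name__ == "__main__":
    # Constructed session values (assumption: what APM holds after the logon page).
    session = {"session.logon.last.username": "jsmith",
               "session.ssl.cert.last.cn": "smith, john"}
    print(build_search_filter("APMAccountName=%{session.logon.last.username}", session))
    print(build_dn("cn=%{session.ssl.cert.last.cn},cn=users,dc=sales,dc=com", session))
```

The two escaping rules differ because a filter and a DN are different grammars: in a filter the parentheses and wildcard are the structural characters, in a DN the comma, plus sign and equals sign are. Substituting session.ssl.cert.last.cn instead of the logon name, as the guide suggests, goes through the same escaping, which matters because a certificate subject routinely contains commas.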


Configuring LDAP query policy action item

To complete the authentication process, you must add the LDAP server to an access policy as an action item.

To add LDAP query as an access policy action item

1. In the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles List screen opens.

2. On the Access Profiles list screen, click the name of your profile. The Properties screen opens.

3. On the menu bar, click Access Policy. The Access Policy screen opens.

4. For the Visual Policy Editor setting, click the link Edit Access Policy for Profile "<name of policy>" to start the visual policy editor. The visual policy editor opens in a new window or new tab, depending on your browser settings.

5. Click the small plus sign [+] where you want to add the new access policy action item. A properties screen opens.

6. Under Authentication, select LDAP Query, and click Add item. The LDAP object popup opens in the visual policy editor.

7. On the Properties tab, select the name of your LDAP server from the AAA Server list, and click Save.

8. Specify information for the SearchFilter and SearchDN settings. For more information about these settings, refer to Specifying SearchFilter and SearchDN settings, on page 11-25.

9. Enable the Fetch Nested Groups option. For more information on nested groups, refer to Understanding nested groups, on page 11-40.

10. Enable the Required Attributes (optional). By default, all user attributes are loaded if you do not specify any required attributes. However, if you specify certain required attributes, then only those specified attributes are retrieved from the LDAP server, which improves system performance.

11. Click Activate Access Policy to save your configuration. The LDAP server is added to the access policy, and is now part of the overall authentication process.


Using LDAP session variables for access policy rules

You can authorize your users with user information provided by the LDAP server in the form of attributes. For each attribute, the system creates a session variable automatically. For more information on session variables, refer to Appendix C, Session Variables.

The LDAP access policy action automatically creates the session variables, shown in Table 11.13.

To view LDAP session variables

1. In the navigation pane, expand Access Policy, and click Reports. The Reports screen opens.

2. Click an active session ID. The Session Summary screen opens.

3. Scroll down the list of session variables until you see the LDAP session variables.

Using LDAP authentication default rules

The Access Policy Manager provides two default rules for the LDAP authentication access policy action. You use these rules to organize your users into two categories:

• Authenticated Users: These users were authenticated successfully and are able to access their webtop.

• Users fails Authentication: These users failed authentication and are directed to the logon denied page.

To view these default rules, refer to Example: Using LDAP query and LDAP authentication to authenticate and authorize users, on page 11-29.

Session Variable for LDAP Authentication and Query: session.ldap.last.authresult, session.ldap.last.queryresult
Description: Provides the result of LDAP authentication/query. The available values are:
• 0: Failed
• 1: Passed

Session Variable for LDAP Authentication and Query: session.ldap.last.attr.$attr_name
Description: $attr_name is a value that represents the user’s attributes received during LDAP authentication/query. Each attribute is converted to separate session variables.

Session Variable for LDAP Authentication and Query: session.ldap.last.errmsg
Description: Useful for troubleshooting. This contains the last error message generated for LDAP. Example: aad2a221.session.ldap.last.errmsg

Table 11.13 LDAP authentication and query session variables


You can add your own custom rules using the session variables, as previously described. For instance, you can create your own custom rule to assign different network resources to users. For more information on how to add custom access policy rules, refer to Chapter 7, Creating Access Profiles and Access Policies.
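As an added example (not the guide's own code and not how APM evaluates rules internally), the following Python models what Tables 11.12 and 11.13 describe: the result and attributes returned by the RSA SecurID or LDAP agent become session.<agent>.last.* variables, and access policy rules are expressions over those variables. The default pass/fail rules and a custom group-membership rule are written as predicates evaluated in order with a fallback branch; that ordering model, the function names, the sample attribute values and the group DN are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

SessionVars = Dict[str, object]


def to_session_vars(agent: str, result_name: str, passed: bool,
                    attrs: Dict[str, Sequence[str]]) -> SessionVars:
    """Build the session variables an agent creates (Tables 11.12 and 11.13).

    agent is "securid" or "ldap"; result_name is "result", "authresult" or
    "queryresult". Every returned attribute becomes session.<agent>.last.attr.<name>.
    """
    prefix = f"session.{agent}.last"
    session: SessionVars = {f"{prefix}.{result_name}": 1 if passed else 0}
    for name, values in attrs.items():
        session[f"{prefix}.attr.{name}"] = list(values)
    return session


@dataclass
class Rule:
    name: str                                   # branch label as shown in the visual policy editor
    expression: Callable[[SessionVars], bool]   # predicate over session variables


def evaluate(rules: List[Rule], session: SessionVars) -> str:
    """Return the name of the first rule whose expression is true, else "fallback".

    First-match-wins with a fallback branch is this example's model of access
    policy branch rules (assumption). A missing variable evaluates as failure.
    """
    for rule in rules:
        if rule.expression(session):
            return rule.name
    return "fallback"


def _normalize_dn(dn: str) -> str:
    # Directory DNs compare case-insensitively and ignore spaces around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))


def member_of(group_dn: str) -> Callable[[SessionVars], bool]:
    """Rule expression: the user's memberOf attribute contains group_dn."""
    wanted = _normalize_dn(group_dn)

    def expr(session: SessionVars) -> bool:
        groups = session.get("session.ldap.last.attr.memberOf", [])
        return any(_normalize_dn(g) == wanted for g in groups)
    return expr


def securid_default_rules() -> List[Rule]:
    """The two default branches of the RSA Native SecurID action."""
    return [
        Rule("RSA SecurID passed",
             lambda s: s.get("session.securid.last.result") == 1),
        Rule("RSA SecurID not passed",
             lambda s: s.get("session.securid.last.result") != 1),
    ]


def ldap_query_rules(group_dn: str, primary_group_id: str) -> List[Rule]:
    """Customized LDAP query rules: the query must have passed AND a group check must hold."""
    return [
        Rule("LDAP query has passed",
             lambda s: s.get("session.ldap.last.queryresult") == 1
             and member_of(group_dn)(s)),
        Rule("Primary group matches",
             lambda s: s.get("session.ldap.last.queryresult") == 1
             and primary_group_id in s.get("session.ldap.last.attr.primaryGroupID", [])),
    ]


if __name__ == "__main__":
    # Constructed attributes, as an LDAP query might return them for one user.
    attrs = {"memberOf": ["CN=VPN-Users,OU=Groups,DC=sales,DC=mycompany,DC=com"],
             "primaryGroupID": ["513"]}
    session = to_session_vars("ldap", "queryresult", True, attrs)
    rules = ldap_query_rules("cn=vpn-users,ou=groups,dc=sales,dc=mycompany,dc=com", "513")
    print(evaluate(rules, session))
```

Writing each branch as "query passed AND attribute condition" rather than the attribute condition alone is the point worth copying into a real policy: a rule that only inspects an attribute would also match a session whose query failed but whose variables survived from an earlier step.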

Using LDAP query default rule

Although there is an existing default rule for LDAP query called User Group Membership, this default rule works only for LDAP authentication. You need to make modifications to this default rule for it to work properly with LDAP query. You do this by renaming the rule to LDAP query has passed.

To change the default rule to work for LDAP query

1. In the navigation pane, expand Access Policy, and click Access Profiles.The Access Profiles List screen opens.

2. Click the Edit link next to the profile you want to edit. The visual policy editor opens.

3. On the visual policy editor screen, click the LDAP Query access policy action item. The Properties screen of the visual policy editor opens.

4. Click the Rules tab.

5. On the Rules screen, click the x button located on the right side to delete the existing default rule called LDAP auth has passed.

6. Click Add Rule, and type a name for your new LDAP query rule, such as LDAP query has passed.

7. For the Expression setting, click the change link. A pop-up screen opens.

8. Click Add expression.

9. For the Agent Sel setting, select LDAP query from the list.

10. For the Condition setting, select User’s Primary Group ID from the list, and type the correct value in the box.

11. Click Add Expression, and click Save.

12. Click Finish. Your new LDAP query default rule is now added to your access policy.


Example: Using LDAP query and LDAP authentication to authenticate and authorize users

Figure 11.1 is an example of an access policy with all the elements associated to authenticate and authorize your users with LDAP query and LDAP authentication. Notice that the objects were added to the access policy as part of the authentication process.

Case 1: Default rules for LDAP authentication and query

Figure 11.1, following, displays an example of default rules created for both LDAP authentication and query.

Figure 11.1 Customized rule for LDAP query

Case 2: Customized rule for LDAP query

Upon successful authentication, the system retrieves a user group using LDAP query. Resources are assigned to users if the user group has access to the network access resources. Additionally, users are directed to the webtop ending.

In the figure following, the rule for LDAP query was changed from default rule to check for user’s group attribute. For an example on how to change access policy rules and create your own access policy rules, refer to Chapter 16, Advanced Topics in Access Policies.

Figure 11.2 Authenticating against an external LDAP server


Troubleshooting LDAP authentication/query

To troubleshoot LDAP authentication or query issues, you can view specific error messages in the /var/log/apm file. Or from the navigation pane, expand System, click Logs, and on the menu bar, click Access Policy.

Tip

Make sure that your log level is set to the appropriate level. The default log level is notice. Refer to Chapter 17, Logging and Reporting, for more information on how to use the logging feature.

Additionally, you can look into the session reports for information on users’ logon attempts. In the navigation pane, expand Access Policy, choose Reports, and click the active session ID to see all the session variables.

Additional troubleshooting tips for LDAP authentication

Refer to Table 11.15 for steps on how to ensure that a connection is successfully made between the Access Policy Manager and your authentication server, and that your authentication method is working properly.

Possible error: LDAP Auth Failed
Possible explanations and corrective actions:
• User name or password does not match records.
• No LDAP server is associated with the LDAP Auth agent.
• The target LDAP server host/port information associated with the LDAP Auth agent may be invalid.
• The target LDAP service may not be accessible.

Possible error: LDAP Query Failed
Possible explanations and corrective actions:
• The specified administrative credential is incorrect.
• If no administrative credential is specified, then the user name or password does not match.
• No LDAP server is associated with the LDAP Query agent.
• The target LDAP server host/port information associated with the LDAP Query agent may be invalid.
• The target LDAP service may not be accessible.
• If the LDAP Query succeeds, then check whether the LDAP Query Rules are properly configured.

Table 11.14 Possible LDAP authentication server errors


You should: Check that your access policy is attempting to perform authentication
Steps to take:
• Refer to the message boxes in your access policy to display information on what the access policy is attempting to do.
• Refer to the /var/log/apm file to view authentication attempts by the access policy. Note: Make sure that your log level is set to the appropriate level. The default log level is notice. Refer to Chapter 17, Logging and Reporting, for more information on how to use the logging feature.

You should: Confirm network connectivity
Steps to take:
• Access the Access Policy Manager through the command line interface and check your connectivity by pinging the LDAP server using the host entry in the AAA Server box.
• Confirm that the LDAP port 389 is not blocked between the Access Policy Manager and the LDAP server.

You should: Check the LDAP Server Configuration
Steps to take:
• Verify that the administrative credentials are correct on the LDAP server, and that they match the credentials used by the AAA entry.
Note: A good test is to use full administrative credentials with all rights. If that works, you can use less powerful credentials for verification.

You should: Capture a TCP dump
Steps to take:
• Take a TCP dump from the Access Policy Manager when authentication attempts are made. For example: tcpdump -i 1.1 -w /tmp/dump (the -w option writes the capture to the named file). You must first determine what interface the self IP is on. These TCP dumps indicate activities between the Access Policy Manager and the authentication server.
• Run the authentication test. After authentication fails, stop the TCP dump, download the TCP dump to a client system, and use an analyzer to troubleshoot.
Important: If you decide to escalate the issue to customer support, you must provide a capture of the TCP dump when you encounter authentication issues that you cannot otherwise resolve on your own.

Table 11.15 General steps to test and ensure successful LDAP authentication


Setting up Access Policy Manager for Windows Active Directory authentication and authorization

Setting up Windows Active Directory authentication and authorization involves the following tasks:

• Configure Access Policy Manager to set up an Active Directory server for authentication

• Configure Access Policy Manager to access Active Directory authentication policy action item

• Configure Access Policy Manager to access Active Directory query policy action item

Configuring Access Policy Manager to set up an Active Directory for authentication

The first task for setting up Active Directory authentication is to set up an Active Directory server.

We highly recommend that you configure an NTP Server. The reason is that the time on your Access Policy Manager and the time on your domain controller need to be within 5 minutes of each other. Otherwise, authentication will fail. In the navigation pane, expand System, click General Properties, and from the Device menu, choose NTP.

Remember also that you need to configure a DNS server that is aware of your Active Directory domain. In the navigation pane, expand System, click General Properties, and from the Device menu, choose DNS.

If you do not have an NTP server, find the time on your domain controller, and set the time on the Access Policy Manager to be within 5 minutes of that time using the date command. To enter a new date/time, type the command: date MMDDHHmmYYYY, where:

• MM is the numerical month
• DD is the numerical day
• HH is the numerical hour (24-hour clock)
• mm is the numerical minute
• YYYY is the numerical year

So if your domain controller says it is November 7, 2007 8:24 a.m., you would type:

date 110708242007


To set up an Active Directory server

1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The New Server General Properties screen opens.

2. Type a name for your AAA server and select Active Directory from the Type list. The screen refreshes to provide additional settings specific to the Active Directory Type.

3. Fill in the required fields. You can find details for each setting in the online help. This adds the new Active Directory server to the AAA Server List.

Tip

Although it is not required, you can enter the admin name and password during this initial configuration. These credentials apply only to AD query.

Active Directory password management

Access Policy Manager supports password management for Active Directory authentication. This works in the following order:

• Access Policy Manager uses the client’s user name and password to authenticate against the Active Directory server on behalf of the client.

• If the client’s user password on the Active Directory server has expired, Access Policy Manager returns a new logon page back to the client, requesting that the client change its password.

• After the client submits the new password, Access Policy Manager attempts to change the password on the Active Directory server.

• If this is successful, the client’s authentication is validated.

If the password change fails, it is likely that the Active Directory server rejected it because the password did not meet the minimum requirements such as password length.

Note

By default, users are given only one attempt to reset their password. However, an administrator can configure the max logon attempt allowed of the authentication agent to a value larger than 1, which gives users multiple opportunities to reset their passwords.


Configuring Access Policy Manager to access the Active Directory for authentication

To use Active Directory authentication, you must specify the authentication type as AD Auth in the visual policy editor. Additionally, you need specific information from your Active Directory server administrator.

To configure Access Policy Manager to access the Active Directory policy action item for authentication

1. In the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles List screen opens.

2. On the Access Profiles list screen, click the name of your profile. The Properties screen opens.

3. On the menu bar, click Access Policy. The Access Policy screen opens.

4. For the Visual Policy Editor setting, click the link Edit Access Policy for Profile "<name of policy>" to start the visual policy editor. The visual policy editor opens in a new window or new tab, depending on your browser settings.

5. Click the small plus sign [+] where you want to add the new access policy action item. A properties screen opens.

6. Under Authentication, select AD Auth, and click Add item. The Active Directory object popup opens in the visual policy editor.

7. Specify information for the UserPrincipalName setting. This allows the administrator to require the user to enter the username in the UPN naming style, and to use the domain name from the user-specified UPN for authentication. For example, user@domain.

8. Enable the Show Extended Error option. This displays the full error messages generated by the authentication server on the user’s Logon page. We recommend enabling this setting only in a testing or debugging environment. Otherwise, the detailed error messages can help an attacker, leaving your system vulnerable.

9. Specify the Max Logon Attempt Allowed setting. This gives the users an opportunity to re-enter their user credentials if their first attempt to log on fails.

• Set this value to be greater than 1, and a logon page reappears for the user after a logon failure.

• Set this value to 1, and no logon retry is allowed. The available range is 1-5, with 3 set as the default value.

10. Click Activate Access Policy to save your configuration. The Active Directory server is added to the access policy, and is now a part of the overall authentication process.

Configuring Access Policy Manager to access the Active Directory action item for query

To use Active Directory query, you must specify the authentication type as Query and then use the appropriate Active Directory server.

This feature queries the appropriate part of the directory tree structure (specified by the search base, or container, DN) to find a user within that directory.

To configure Access Policy Manager to access Active Directory action item for query

1. In the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles List screen opens.

2. On the Access Profiles list screen, click the name of your profile. The Properties screen opens.

3. On the menu bar, click Access Policy. The Access Policy screen opens.

4. For the Visual Policy Editor setting, click the link Edit Access Policy for Profile "<name of policy>" to start the visual policy editor. The visual policy editor opens in a new window or new tab, depending on your browser settings.

5. Click the small plus sign [+] where you want to add the new access policy action item. A properties screen opens.

6. Under Authentication, select AD Query, and click Add item. The LDAP object popup opens in the visual policy editor.

7. On the Properties tab, select the name of your Active Directory server from the AAA Server list, and click Save.

8. Specify information for the SearchFilter setting. For more information about these settings, refer to Specifying SearchFilter and SearchDN settings, on page 11-25.

9. Enable the Fetch Primary Group option. This adds the user’s primary group settings to the memberOf session variable. Additionally, sub-groups from the user’s primary group are added to the memberOf session variable if the nested group feature variable is enabled. For example, user@domain.


10. Enable the UserPrincipalName option. This allows the administrator to require that the user enter their username in the UPN naming style (for example, user@domain), and to use the domain name from the user-specified UPN for authentication.

11. Enable the Fetch Nested Groups option. For more information on nested groups, refer to Understanding nested groups, on page 11-40.

12. Specify the Required Attributes setting (optional). By default, all user attributes are loaded if you do not specify any required attributes. However, if you specify certain required attributes, then only those attributes are retrieved from the LDAP server, which improves system performance.

13. Click Activate Access Policy to save your configuration. The LDAP server is added to the access policy, and is now part of the overall authentication process.

Tip

Both forward and reverse DNS lookups of the domain name must work properly, so that the domain name resolves to the IP address of the domain controller and the reverse lookup of that address resolves to the domain name.

Using Active Directory session variables for access policy rules

You can authorize your users with user information provided by the Active Directory server in the form of attributes. For each attribute, the system automatically creates a session variable. For more information on session variables, refer to Appendix C, Session Variables.

The Active Directory access policy action automatically creates the session variables, as shown in table 11.16.

Session variable: session.ad.last.authresult, session.ad.last.queryresult
Description: Provides the result of Active Directory authentication/query. The available values are 0 (Failed) and 1 (Passed).

Session variable: session.ad.last.attr.$attr_name
Description: $attr_name is a value that represents the user's attributes received from the Active Directory server. Each attribute is converted to a separate session variable.

Session variable: session.ad.last.attr.group.$attr_name
Description: $attr_name is a value that represents the user's group attributes received from the Active Directory server. Each attribute is converted to a separate session variable.

Table 11.16 Active Directory authentication and query session variables

To view Active Directory session variables

1. In the navigation pane, expand Access Policy, and click Reports. The Reports screen opens.

2. Click an active session ID. The Session Summary screen opens.

3. Scroll down the list of session variables until you see the Active Directory session variables.

Troubleshooting Active Directory authentication/query

To troubleshoot Active Directory authentication or query issues, you can view specific error messages in the /var/log/apm file. Alternatively, from the navigation pane, expand System, click Logs, and on the menu bar, click Access Policy.

Tip

Make sure that your log level is set to the appropriate level. The default log level is notice. Refer to Chapter 17, Logging and Reporting, for more information on how to use the logging feature.


Additionally, you can look at the session reports for information on users' logon attempts. In the navigation pane, expand Access Policy, click Reports, and on the screen, click the active session ID to see all the session variables.

Additional troubleshooting tips for Active Directory authentication

Refer to Table 11.18 for steps on how to ensure that a connection is successfully made between the Access Policy Manager and your authentication server, and that your authentication method is working properly.

Possible error: Domain controller reply did not match expectations, (-1765328237)
Possible explanation and corrective action: This error occurs when the principal/domain name does not match the domain controller server's database. For example, if the actual domain is "SALES.MYCOMPANY.COM", and the administrator specifies STRESS as the domain, then the krb5.conf file displays the following:

    default_realm = SALES
    SALES = {
        domain controller = <domain controller server>
        admin = <admin server>
    }

So, when the administrator tries to authenticate with useraccount@SALES, the krb5 library notices that the principal name SALES differs from the actual one in the server database.

Table 11.17 Possible Active Directory server errors

You should: Check to see if your access policy is attempting to perform authentication
Steps to take:
• Refer to the message boxes in your access policy to display information on what the access policy is attempting to do.
• Refer to the /var/log/apm file to view authentication attempts by the access policy.
  Note: Make sure that your log level is set to the appropriate level. The default log level is notice. Refer to Chapter 17, Logging and Reporting, for more information on how to use the logging feature.

You should: Confirm network connectivity
Steps to take:
• Access the Access Policy Manager through the command line interface and check your connectivity by pinging the Active Directory server using the host entry in the AAA Server.
• Confirm that the Active Directory port 88 or 389 is not blocked between the Access Policy Manager and the Active Directory server.

You should: Check the Active Directory server configuration
Steps to take:
• Confirm that the Active Directory server name can be resolved to the correct IP address, and that the reverse name resolution (IP address to name) is also possible.
• Confirm that the Active Directory server and the Access Policy Manager have the correct time setting configured.
  Note: Since Active Directory is sensitive to time settings, we suggest that NTP be used to set the correct time on the Access Policy Manager.

You should: Capture a TCP dump
Steps to take:
• Take a TCP dump from the Access Policy Manager when authentication attempts are made. For example, use the command tcpdump -i 1.1 -w /tmp/dump (the -w option writes the capture to the named file). You must first determine which interface the self IP address is on. These TCP dumps show the traffic between the Access Policy Manager and the authentication server.
• Run the authentication test. After authentication fails, stop the TCP dump, download the capture file to a client system, and use an analyzer to troubleshoot.
  Important: If you decide to escalate the issue to customer support, you must provide a capture of the TCP dump when you encounter authentication issues that you cannot otherwise resolve on your own.

Table 11.18 General steps to test and ensure successful Active Directory authentication

Example: Authenticating and authorizing users with Active Directory query and authentication

Figure 11.3 is an example of an access policy with all the elements needed to authenticate and authorize your users with Active Directory query and Active Directory authentication. Notice that the objects were added to the access policy as part of the authentication process.

Figure 11.3 Example of authenticating and authorizing users with Active Directory query and authentication
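The name-resolution and time checks in the "Check the Active Directory server configuration" row of Table 11.18 (and the Tip on forward and reverse DNS lookup earlier in this section) can be scripted. The following Python is an added example, not F5 code and not part of this guide: check_name_resolution() resolves the domain controller name, reverse-resolves the returned address and requires the two names to agree, and clock_skew_ok() compares two clock readings against a maximum skew. The 300-second limit is the MIT Kerberos default clock skew, an assumption of the example, and the resolver functions are injectable so the logic can be exercised with constructed answers instead of live DNS.

```python
"""Added example, not F5 code: the two checks from the 'Check the Active
Directory server configuration' row of Table 11.18, as functions."""
import socket
import sys

# Kerberos rejects tickets when clocks differ by more than the configured
# clock skew; 300 seconds is the MIT Kerberos default (assumption for this example).
KERBEROS_MAX_SKEW_SECONDS = 300


def forward_lookup(hostname):
    """Name -> address using the system resolver."""
    return socket.gethostbyname(hostname)


def reverse_lookup(address):
    """Address -> canonical name using the system resolver."""
    return socket.gethostbyaddr(address)[0]


def check_name_resolution(hostname, forward=forward_lookup, reverse=reverse_lookup):
    """Forward-resolve hostname, reverse-resolve the result, and require the
    two names to agree (case-insensitive, trailing dot ignored).

    Returns a report dict; 'ok' is True only when every step succeeded."""
    report = {"hostname": hostname, "address": None, "reverse_name": None,
              "ok": False, "problems": []}
    try:
        report["address"] = forward(hostname)
    except OSError as exc:                      # socket.gaierror is an OSError
        report["problems"].append(f"forward lookup failed: {exc}")
        return report
    try:
        report["reverse_name"] = reverse(report["address"])
    except OSError as exc:                      # socket.herror is an OSError
        report["problems"].append(
            f"reverse lookup failed for {report['address']}: {exc}")
        return report
    if report["reverse_name"].rstrip(".").lower() != hostname.rstrip(".").lower():
        report["problems"].append(
            f"reverse name {report['reverse_name']!r} does not match {hostname!r}")
        return report
    report["ok"] = True
    return report


def clock_skew_ok(local_timestamp, server_timestamp,
                  max_skew_seconds=KERBEROS_MAX_SKEW_SECONDS):
    """True when two POSIX timestamps (seconds) are within the tolerated skew."""
    return abs(local_timestamp - server_timestamp) <= max_skew_seconds


if __name__ == "__main__":
    # Placeholder domain controller name; pass the real one as the first argument.
    name = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.com"
    print(check_name_resolution(name))
```

Run it on the BIG-IP system (or any host that uses the same DNS servers) with the domain controller name you entered in the AAA server object; a report whose "problems" list is non-empty points at the same DNS or time condition the table asks you to confirm.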


Understanding nested groups

The nested group feature is used to identify all groups that the user belongs to. Access Policy Manager stores all such groups in the memberOf session variable. For example, if user1 is a member of group 1 and group 2, and group 1 is a member of group 3 and group 4, then user1 belongs to all of these groups. In addition, the privileges of group 3 and group 4 are inherited by user1 through group 1.

If the nested group feature is disabled on the Access Policy Manager, then the memberOf session variable contains only groups the user belongs to directly, for instance, group 1 and group 2.

If the nested group feature is enabled on the Access Policy Manager, then the memberOf session variable contains all groups the user belongs to, which include group 1, group 2, group 3, and group 4.

Note

The nested groups feature works slightly differently for LDAP and Active Directory. If you want to use nested groups for Active Directory query, you can use it in conjunction with, or independently from, Fetch Group Attributes.

Table 11.19 shows the results of your Active Directory query for each combination of the Fetch Nested Groups and Fetch Group Attributes settings.

Fetch Nested Groups: On; Fetch Group Attributes: On
Active Directory query results: Queries all groups the user belongs to. This includes the user's memberOf groups, which include the user's primary group, and the groups nested through all memberOf groups.

Fetch Nested Groups: Off; Fetch Group Attributes: On
Active Directory query results: Queries the user's memberOf groups plus the primaryGroupDN. However, it does not query any nested groups.

Fetch Nested Groups: On; Fetch Group Attributes: Off
Active Directory query results: Queries the user's memberOf groups, including the groups nested through the memberOf groups. However, the primaryGroupDN is not queried.

Fetch Nested Groups: Off; Fetch Group Attributes: Off
Active Directory query results: Queries the user's memberOf groups only. This means that only the groups with which users are directly associated are queried.

Table 11.19 Active Directory nested groups query results
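The following Python is an added example, not F5 code, that models Table 11.19 over a small constructed directory and then shows where the result goes: query_groups() applies the Fetch Nested Groups and Fetch Group Attributes settings (the latter appears as Fetch Primary Group in the AD Query steps earlier in this section), to_session_vars() flattens the result into the session.ad.last.* names listed in Table 11.16, and authorize() is the kind of access policy rule that consumes them. The group and user names, the " | " separator for the multi-valued memberOf value, and the rule itself are assumptions of the example, not Access Policy Manager internals.

```python
"""Added example, not F5 code: models Table 11.19 (Fetch Nested Groups x
Fetch Group Attributes) and the session variables of Table 11.16."""

# Constructed directory: each group maps to the groups it is itself a memberOf.
# A real directory returns distinguished names; short names keep this readable.
GROUPS = {
    "group1": ["group3", "group4"],   # group1 is nested in group3 and group4
    "group2": [],
    "group3": [],
    "group4": [],
    "Domain Users": ["group5"],       # the primary group is itself nested in group5
    "group5": [],
}

# Constructed user record, shaped like the attributes an AD query returns.
USER1 = {
    "sAMAccountName": "user1",
    "memberOf": ["group1", "group2"],   # direct memberships only
    "primaryGroupDN": "Domain Users",   # AD does not list the primary group in memberOf
}


def expand_nested(start_groups, groups):
    """Breadth-first closure over memberOf; the 'seen' list keeps cycles harmless."""
    seen = []
    queue = list(start_groups)
    while queue:
        group = queue.pop(0)
        if group in seen:
            continue
        seen.append(group)
        queue.extend(groups.get(group, []))
    return seen


def query_groups(user, groups, fetch_nested_groups, fetch_group_attributes):
    """Return the groups an AD Query yields for one row of Table 11.19."""
    result = list(user["memberOf"])
    if fetch_group_attributes:          # adds the primaryGroupDN
        result.append(user["primaryGroupDN"])
    if fetch_nested_groups:             # adds groups nested through everything found so far
        result = expand_nested(result, groups)
    return result


def to_session_vars(user, groups_found, queryresult=1):
    """Flatten the result into session.ad.last.* names (Table 11.16).
    The ' | ' separator for the multi-valued memberOf is an assumption of this example."""
    session_vars = {"session.ad.last.queryresult": str(queryresult)}
    for name, value in user.items():
        if name == "memberOf":
            continue                    # replaced by the computed group list below
        session_vars["session.ad.last.attr." + name] = value
    session_vars["session.ad.last.attr.memberOf"] = " | ".join(groups_found)
    return session_vars


def authorize(session_vars, required_group):
    """An access-policy style rule: the query succeeded and the user is in required_group."""
    if session_vars.get("session.ad.last.queryresult") != "1":
        return False
    groups = [g.strip() for g in
              session_vars.get("session.ad.last.attr.memberOf", "").split("|")]
    return required_group in groups


if __name__ == "__main__":
    for nested, attrs in [(True, True), (False, True), (True, False), (False, False)]:
        found = query_groups(USER1, GROUPS, nested, attrs)
        print(f"Fetch Nested Groups={nested!s:5} Fetch Group Attributes={attrs!s:5} -> {found}")
```

Running the block prints one line per row of Table 11.19; the practical consequence is that a rule requiring group5 (reachable only through the primary group) passes only with both options enabled, which is the case to test before relying on nested membership for authorization.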


Setting up Access Policy Manager for HTTP authentication

You configure Access Policy Manager to use an external, web-based authentication server if you choose to use the HTTP basic authentication method. This authentication method uses external web-based authentication servers to validate user logon IDs and passwords.

Access Policy Manager supports the following HTTP authentication methods:

• HTTP basic authentication

• HTTPS basic authentication

• HTTP NTLM authentication

• HTTP form-based authentication

HTTP basic authentication

Basic authentication requires a valid URL resource. The URL resource must respond with a challenge to a non-authenticated request, and the basic authentication method supports authentication over both HTTP and HTTPS protocols.

Note

F5 Networks strongly recommends using HTTPS because basic authentication passes user credentials as clear text. However, to support HTTPS authentication, Access Policy Manager must be set up and configured through a layered virtual server. For more information, refer to HTTPS basic authentication, on page 11-42.

To configure Access Policy Manager to use an external server for HTTP basic authentication

1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The AAA Server screen opens.

2. Type a name for your AAA server and select HTTP from the Type list. The screen refreshes to provide additional settings specific to the HTTP Type.

3. For the Auth Type setting, select Basic/NTLM. The screen refreshes to display only the options that are specific to HTTP.

4. In the Start URL box, type the complete URL that returns the logon form.

5. Click Finished.


You can test the URL by logging on with valid and invalid credentials to make sure your external authentication server issues a challenge when invalid credentials are entered.
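An added Python example (not F5 code and not part of this guide) of that test: it sends three requests to the Start URL, with no credentials, with a wrong password, and with valid credentials, and classifies each reply by status code and WWW-Authenticate header. A URL suitable for the Basic/NTLM auth type should answer "basic-challenge" for the first two and "accepted" for the third. The URL, user name and password are supplied by the caller; the open_fn parameter exists so the classification can be exercised without a server.

```python
"""Added example, not F5 code: check that an external HTTP basic
authentication URL challenges unauthenticated and bad-credential requests
and accepts valid ones, as the paragraph above recommends."""
import base64
import sys
import urllib.error
import urllib.request


def basic_authorization_header(username, password):
    """Value of the Authorization header for HTTP basic authentication
    (base64 of 'user:password', which is why the guide recommends HTTPS)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def classify_response(status, headers):
    """Classify one reply; headers is an iterable of (name, value) pairs."""
    challenges = [v for k, v in headers if k.lower() == "www-authenticate"]
    if status == 401:
        if any(v.strip().lower().startswith("basic") for v in challenges):
            return "basic-challenge"
        return "401-without-basic-challenge"   # e.g. NTLM-only; not usable for Basic
    if 200 <= status < 300:
        return "accepted"
    return f"unexpected-{status}"


def probe(url, username=None, password=None, open_fn=urllib.request.urlopen):
    """Send one request (anonymous unless credentials are given) and classify the reply."""
    request = urllib.request.Request(url)
    if username is not None:
        request.add_header("Authorization", basic_authorization_header(username, password))
    try:
        with open_fn(request) as response:
            return classify_response(response.status, response.getheaders())
    except urllib.error.HTTPError as err:      # 4xx/5xx arrive here, headers included
        return classify_response(err.code, err.headers.items())


def verify_url(url, username, password, open_fn=urllib.request.urlopen):
    """The three probes the guide suggests: no credentials, invalid credentials, valid credentials."""
    return {
        "anonymous": probe(url, open_fn=open_fn),
        "wrong-password": probe(url, username, password + "-invalid", open_fn=open_fn),
        "valid": probe(url, username, password, open_fn=open_fn),
    }


def behaves_like_basic_auth(results):
    """True when verify_url() results show a challenge for bad logons and success for a good one."""
    return (results["anonymous"] == "basic-challenge"
            and results["wrong-password"] == "basic-challenge"
            and results["valid"] == "accepted")


if __name__ == "__main__":
    # usage: python this_file.py <start-url> <username> <password>
    url, user, pw = sys.argv[1:4]
    results = verify_url(url, user, pw)
    print(results, "OK" if behaves_like_basic_auth(results) else "NOT SUITABLE")
```

A "401-without-basic-challenge" result for the anonymous probe usually means the server only offers NTLM or a form; that URL will not work as a basic authentication Start URL even though it does return 401.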

HTTPS basic authentication

To support HTTPS basic authentication, you must configure Access Policy Manager through a layered virtual server.

This configuration involves the following tasks:

• Create a AAA server for the HTTPS server, and create an access profile using the HTTP agent.

• Create a new node for the HTTPS server that performs the HTTPS authentication.

• Create a new pool using the node you created.

• Create a new virtual server for HTTPS which will perform authentication, and assign the access policy to the virtual server.

Note

HTTPS basic authentication applies to all HTTP authentication methods.

To create a AAA server for the HTTPS server

You must remember to replace HTTPS with HTTP IP addresses.

1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The AAA Server screen opens.

2. Type a name for your AAA server, and select HTTP from the Type list.

3. For the Auth Type setting, select Basic/NTLM.

4. In the Start URI setting, type in your URI resource, such as http://plum.tree.lab2.sp.companynet.com/.

5. Click Finished.

To create an access profile using the HTTP agent

1. In the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles List opens.

2. Locate the access policy you just created, and click the Edit link. The visual policy editor opens in a separate browser window.

3. Add the HTTP agent to your access policy, and make sure you select the virtual HTTP server you created. This is important so that the HTTPS traffic goes through the virtual server.


4. Click Save, and then click Apply Access Policy to save your changes.

To create a new node for the server that performs the HTTPS authentication

1. In the navigation pane, expand Local Traffic, and click Nodes. The Node List screen opens.

2. Click Create. The New Node screen opens.

3. Type in the IP address of your server and click Finished. The new node is created.

To create a new pool for the node

1. In the navigation pane, expand Local Traffic, and click Pools. The Pool List screen opens.

2. Click Create. The New Pool screen opens.

3. In the Name box, type a name for your pool.

4. In the Address box under Resources, type in the IP address, and select https from the service list. The service port should automatically display port 443.

5. Click Add to add the external HTTP authentication server to the New Members box.

6. Click Finished.

To create a virtual server for HTTPS server

1. In the navigation pane, expand Local Traffic, and click Virtual Server List. The Virtual Server List screen opens.

2. Click Create. The New Virtual Server screen opens.

3. Type in a Name, Destination, and Service Port. The destination address is the virtual server IP address used as the external HTTPS authentication server in the HTTPS server configuration. The service port should be 80.

4. From the SSL Profile (Server) list, select serverssl. This ensures that there is an SSL connection between the HTTP virtual server and the external HTTPS server.

5. In the Resources area, from the Default Pool list, make sure to select the name of the pool you previously created.

6. Under the virtual server resource (Load Balancing: Default Pool) select the pool you created for the HTTPS server.


7. In the navigation pane, click Local Traffic, point to Virtual Servers, and choose Virtual Address List.

8. Select the new server's IP address from the list. The Configuration screen opens.

9. Clear the ARP check box to disable ARP for the new virtual server.

10. Assign the access policy to the new virtual server.

HTTP NTLM authentication

NTLM employs a challenge-response mechanism for authentication, in which clients are able to prove their identities without sending a password to the server.

To configure Access Policy Manager to use an external server for HTTP NTLM authentication

1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The AAA Server screen opens.

2. Type a name for your server.

3. For the Type setting, select HTTP from the list. The General Properties screen opens.

4. For the Auth Type setting, select Basic/NTLM.

5. For the Start URL setting, type the complete URL that returns the logon form. Make sure to include the protocol (HTTP or HTTPS), server, and port.

6. Click Finished.

HTTP form-based authentication

When the system detects the starting URL match or the logon form page, the user's cached identity is used to construct and send the HTTP form-based POST request on behalf of the user.

To configure Access Policy Manager to use an external server for HTTP form-based authentication

1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The AAA Server screen opens.

2. Type a name for your server.

3. For the Type setting, select HTTP.

4. For the Auth type setting, select Form Based.


5. For the Form Method setting, select either GET or POST. By default, the form method value is POST. If you specify GET, then the authentication request is sent as an HTTP GET.

6. For the Form Action setting, type the complete destination URL used for authentication.

7. In the Form Parameter boxes for both User Name and Password, type the parameter names for the user name and password used by the form you are sending the POST request to. An example of a user name parameter is USER, and an example of a password parameter is PASSWORD.

8. In the Hidden Form Parameters/Values box, type the hidden form parameters required by the authentication server logon form at your location. For more information on how to determine hidden parameters and values, refer to Determining the hidden parameters, following.

9. In the Number Of Redirects To Follow box, type the number of pages away from the landing page the request should travel before failing.

10. In the Successful Logon Detection Match Type box, choose the method your authenticating server uses, and specify the option definition. For example, if you select the By Presence Of A Specific Cookie option, the next field changes to Cookie Name. As an example, enter a cookie name, such as SMSESSION.

11. The Successful Logon Detection Value setting is populated according to the method you selected for the Successful Logon Detection Match Type setting.

Determining the hidden parameters

One of the requirements to set up HTTP form-based authentication is to provide hidden form parameters and values, as indicated in Step 8 above.

The hidden parameters and values are required by the authentication server logon form at your location.

To determine the hidden parameters

1. In a separate browser session, log on to the authentication server.

2. Display the source code of the logon screen.

3. Find all hidden input parameters by searching for the string type=hidden.

4. Type the name and value of each hidden parameter in the text box, in the format NAME VALUE, using a separate line for each parameter. For example:

    SMAUTHREASON 0
    SMAGENTNAME $SM$K36kRZMqrZGtQof83Lsss6NdinGFhuoOAUmTkUffmhFUhmA%2bHwBxZja%3d
    TARGET http://sales.example.com
    SMENC ISO-8858-1
    SMLOCALE US-EN
    POSTPRESERVATIONDATA
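An added Python example (not F5 code and not part of this guide) that automates steps 2 through 4 above and also models the form-based settings described earlier in this section: it extracts every type=hidden input from a saved copy of the logon page, lists them in the NAME VALUE format the Hidden Form Parameters/Values box expects, builds the URL-encoded body the form-based POST would carry (the user name and password parameter names plus the hidden parameters), and implements the By Presence Of A Specific Cookie success check. The logon page, its /logon form action and the parameter values are constructed for the example.

```python
"""Added example, not F5 code: find the type=hidden inputs of a logon page,
build the form-based logon request, and detect success by cookie presence."""
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed logon page. The parameter names echo the example in the guide;
# the form action and the values are assumptions of this example.
SAMPLE_LOGON_PAGE = """<html><body>
<form name="Login" method="POST" action="/logon">
  <input type="hidden" name="SMAUTHREASON" value="0">
  <input type="hidden" name="TARGET" value="http://sales.example.com">
  <input type="hidden" name="SMLOCALE" value="US-EN">
  <input type="HIDDEN" name="POSTPRESERVATIONDATA" value="">
  User: <input type="text" name="USER">
  Password: <input type="password" name="PASSWORD">
  <input type="submit" value="Log on">
</form></body></html>"""


class LogonFormParser(HTMLParser):
    """Collects the first form's method/action and every hidden input, in page order."""

    def __init__(self):
        super().__init__()
        self.method = None
        self.action = None
        self.hidden = []                      # list of (name, value)

    def handle_starttag(self, tag, attrs):   # HTMLParser lowercases tag and attribute names
        attrs = dict(attrs)
        if tag == "form" and self.action is None:
            self.method = (attrs.get("method") or "GET").upper()
            self.action = attrs.get("action")
        elif tag == "input" and (attrs.get("type") or "").lower() == "hidden":
            self.hidden.append((attrs.get("name") or "", attrs.get("value") or ""))


def parse_logon_form(page_html):
    parser = LogonFormParser()
    parser.feed(page_html)
    return parser


def hidden_parameter_lines(page_html):
    """One 'NAME VALUE' line per hidden input, the format of the
    Hidden Form Parameters/Values box (step 4 above)."""
    return [f"{name} {value}".rstrip() for name, value in parse_logon_form(page_html).hidden]


def build_logon_body(user_param, password_param, username, password, hidden):
    """URL-encoded body of the request sent on the user's behalf:
    the credential parameters first, then the hidden parameters."""
    return urlencode([(user_param, username), (password_param, password)] + list(hidden))


def logon_succeeded(response_headers, cookie_name):
    """'By Presence Of A Specific Cookie' detection over raw (name, value) response headers."""
    for name, value in response_headers:
        if name.lower() != "set-cookie":
            continue
        if value.split(";", 1)[0].split("=", 1)[0].strip() == cookie_name:
            return True
    return False


if __name__ == "__main__":
    print("\n".join(hidden_parameter_lines(SAMPLE_LOGON_PAGE)))
```

To use it against your own logon page, save the page source (step 2 above) and pass its contents to hidden_parameter_lines(); the printed lines go straight into the Hidden Form Parameters/Values box.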


Setting up Access Policy Manager for Oracle Access Manager

You configure Access Policy Manager to use an Oracle Access Manager (OAM) server for authentication and authorization to eliminate the need to deploy a WebGate proxy in front of each application. In addition, you can achieve SSO functionality for HTTP/HTTPS requests passing through a virtual server to a backend web application. For more information on how to configure OAM as the SSO method type, refer to Chapter 13, About External Access Management.

We support the following authentication methods through the OAM server:

• Basic authentication

• Form-based authentication

• Certificate-based authentication

The first task in setting up for OAM authentication is to configure the OAM server.

To set up a AAA OAM server

1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The New Server General Properties screen opens.

2. Type a name for your AAA server and select OAM from the Type list.The screen refreshes to provide additional settings specific to the OAM Type.

3. Enter the information in the required fields. You can find details for each setting in the online help. This adds the new OAM server to the AAA Server List.

Note

You cannot create more than one OAM server object.


Setting up Access Policy Manager for AAA high availability

AAA high availability involves using multiple, duplicate servers to handle authentication.

The Access Policy Manager supports access policies configured for RADIUS, LDAP, or Active Directory.

Generally, if the BIG-IP system loses connectivity to the authentication server, new authentications fail. (Existing sessions are unaffected as long as they do not attempt to re-authenticate.)

AAA High Availability provides a mechanism to alleviate the problem. It allows you to configure multiple authentication servers to process the requests. If one goes down or loses connectivity, the others can resume authentication requests, and new sessions can be established, as usual.

Configuring AAA high availability requires the following tasks.

• Set up server pools. These contain the server addresses that are used in AAA high availability.

• Set up dummy virtual servers. These servers serve as the front-end address for the backend servers.

• Attach the server pool to the virtual server.

• Set up an AAA server object using the dummy virtual server for the server address. This object appears in your access policy.

These tasks apply to all types of authentication servers that Access Policy Manager supports, which includes RADIUS, LDAP, and Active Directory.

Setting up RADIUS high availability authentication and accounting servers

You can set up AAA high availability for RADIUS and accounting services to ensure that services to the Access Policy Manager are not affected if one of the AAA servers goes down for any reason.

To set up server pools

1. In the navigation pane, expand Local Traffic, and click Pools. The Pool List screen opens.

2. Click Create. The New Pool screen opens.

3. Type a descriptive name for your pool. For example, RADIUSAuthenticationPool.


4. For the Health Monitors setting, select gateway_icmp, and click the Move button (<<) to add it to the Active list. This lets the BIG-IP system know when the servers are active or inactive.

5. Optionally, in the Resources area, enable the Priority Group Activation by selecting Less than from the list.

6. For the New Members setting, in the Address box, type in the IP address for your RADIUS server, the Service Port (1812), and a Priority level.

7. Repeat steps 1-6 for each RADIUS server you wish to add, and then click the Add button. Each IP address of the RADIUS server should appear in the New Members table.

8. Click Finished.

Important

You will need to add a second server pool for RADIUS accounting. You add this the same way as the authentication pool. However, instead of using port 1812, use port 1813 since that is the default RADIUS accounting port.

To set up a dummy virtual server

1. In the navigation pane, expand Local Traffic, and click Virtual Servers. The Virtual Server screen opens.

2. Click Create. The New Virtual Server screen opens.

3. In the Name box, type in a name for your dummy virtual server.

4. In the Configuration list, select Advanced. More options appear on screen.

5. In the General Properties area, in the Address box, type a loopback address. We recommend that you use an unroutable IP address.

6. In the Service Port box, type port 1812, which is the default port for RADIUS servers.

7. From the Protocol list, select UDP.

8. Leave all other settings at the defaults, and click Finished.

To attach the server pool to the virtual server

1. From the navigation pane, expand Local Traffic and click Virtual Servers.

2. Re-open the virtual server you created, by clicking the name of the virtual server.


3. On the menu bar, click the Resources tab.

4. For Default Pool, select the server pool you created.

5. Click Update to save your information.

Important

You will need to create a second virtual server, using the same procedure for RADIUS accounting. Remember to use port 1813.

To set up a AAA server object

1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The AAA Server screen opens.

2. Click Create. The New Server screen opens.

3. In the Name box, type a name for your RADIUS server.

4. For the Type setting, select RADIUS.

5. In the Configuration area, for the Mode setting, select Auth & Accounting.

6. Enter the dummy virtual host and port information for both authentication and accounting.

7. Enter the Secret information and confirm it. This needs to be the same on both servers. Additionally, both servers must permit the self IP address of the device as a NAS.

8. Leave all other settings at the defaults, and click Finished.

RADIUS AAA high availability testing

To effectively test that AAA high availability works for RADIUS, you should have two RADIUS servers that are accessible, where you can remove one of them from the network.

To test RADIUS AAA high availability

1. Begin a TCP dump on the Access Policy Manager device, using a protocol analyzer and filtering for packets destined for port 1812.

2. Log into the virtual server with both servers active.

3. Verify using the TCP dump that the requests are being sent to the higher priority server.

4. Log out of the virtual server.

5. Disable the higher-priority server.

6. Log into the virtual server again.


7. Verify that the request is being sent to the other server.

8. Log out again, re-enable the server, and try one more time to verify that new requests are being sent to the higher-priority server again.
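The following Python is an added example, not F5 code, that models the rule this test relies on: with Priority Group Activation set to Less than 1, the pool sends requests only to the highest-priority available member, and falls through to the next priority group when that member goes down. The server addresses, pool name and priorities are constructed for the example; run_failover_test() walks through steps 2 through 8 and returns the member that would receive requests at each stage, which is what the TCP dump should show. (For step 1, a capture filter such as udp port 1812 limits the dump to RADIUS authentication traffic.)

```python
"""Added example, not F5 code: a model of pool member selection under
Priority Group Activation, used to reason about the RADIUS high availability
test above. Addresses and names are constructed for the example."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PoolMember:
    address: str
    port: int
    priority: int            # higher number = higher priority group
    available: bool = True   # what the gateway_icmp health monitor reports


@dataclass
class Pool:
    name: str
    members: List[PoolMember]
    activation_less_than: Optional[int] = None   # None = Priority Group Activation disabled


def eligible_members(pool):
    """Members that may receive requests.

    With activation disabled, every available member is used regardless of
    priority. With 'Less than N', the highest priority group is used alone
    until fewer than N of its members are available; then the next lower
    group is added as well, and so on down the list."""
    available = [m for m in pool.members if m.available]
    if pool.activation_less_than is None:
        return available
    chosen = []
    for prio in sorted({m.priority for m in pool.members}, reverse=True):
        chosen.extend(m for m in available if m.priority == prio)
        if len(chosen) >= pool.activation_less_than:
            break
    return chosen


def set_available(pool, address, available):
    """Simulate the monitor marking a member down/up, or the admin disabling/enabling it."""
    for member in pool.members:
        if member.address == address:
            member.available = available


def make_radius_pool(activation_less_than=1):
    """Two constructed RADIUS servers; 192.0.2.10 is preferred (priority 10)."""
    return Pool("RADIUSAuthenticationPool",
                [PoolMember("192.0.2.10", 1812, priority=10),
                 PoolMember("192.0.2.11", 1812, priority=5)],
                activation_less_than)


def targets(pool):
    """Addresses that requests would go to right now."""
    return [m.address for m in eligible_members(pool)]


def run_failover_test(pool):
    """Steps 2-8 of the test procedure: targets seen with both servers up,
    after the higher-priority server is disabled, and after it is re-enabled."""
    stages = {"both up": targets(pool)}
    set_available(pool, "192.0.2.10", False)     # step 5: disable the higher-priority server
    stages["primary down"] = targets(pool)
    set_available(pool, "192.0.2.10", True)      # step 8: re-enable it
    stages["primary restored"] = targets(pool)
    return stages


if __name__ == "__main__":
    for stage, addrs in run_failover_test(make_radius_pool()).items():
        print(f"{stage:17}: requests go to {addrs}")
```

If the dump shows traffic to both servers while both are up, Priority Group Activation was left disabled (the None case above) or both members were given the same priority; the test in steps 3 and 7 only distinguishes the servers when the priorities differ.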

Setting up Active Directory high availability servers

You can set up AAA high availability servers for Active Directory authentication or query. These high availability servers must serve the same domain. Ideally, the servers should belong to the same server farm, with one being the backup for the other server. However, they can also both be primary servers that serve the domain. For that particular setup, users must be updated on each system individually.

Setting up Active Directory authentication high availability servers

Setting up Active Directory authentication high availability servers requires the following tasks.

• Configure both the 389 (LDAP) and 88 (Kerberos) server ports by creating a separate virtual server and pool for each port. Alternatively, create a single virtual server with a single pool and assign all ports to the virtual server.

• Ensure the BIG-IP system can resolve the name for reverse queries.

• Reference your virtual server in the AAA Server definition.

To set up server pools

1. In the navigation pane, expand Local Traffic, and click Pools. The Pool List screen opens.

2. Click Create. The New Pool screen opens.

3. Type a descriptive name for your pool. For example, LDAPAuthenticationPool.

4. For Health Monitors, select gateway_icmp, and click the Move button (<<) to add it to the Active list. This lets the BIG-IP system know when the servers are active or inactive.

5. Optionally, under the Resources area, enable Priority Group Activation by selecting Less than from the list.

6. For the New Members setting:

• In the Address box, type in the IP address for your Active Directory server.

• For the Service Port, type 389 or 88.

• Type a Priority level.


7. Repeat steps 1-6 for each Active Directory server you wish to add, and then click the Add button. Each IP address of the Active Directory server should appear in the New Members list.

8. Click Finished.

To set up dummy virtual servers

1. In the navigation pane, expand Local Traffic and click Virtual Servers. The Virtual Server List screen opens.

2. Click Create. The New Virtual Server screen opens.

3. In the Name box, type in a name for your dummy virtual server.

4. For Configuration, select Advanced. More options appear on screen.

5. For the Destination setting, under General Properties, in the Address box, enter a loopback address. We recommend that you use an unroutable IP address.

6. In the Service Port box, type port 389 or 88.

7. Leave all other settings and values as defaults, and click Finished.

To set up a AAA server object

For Active Directory, you need to add the virtual server name to the Access Policy Manager's /etc/hosts file in order for it to resolve correctly. For example:

    192.168.1.50 myvirtual.mydomain.com

This entry should point to the dummy virtual server IP address, and is used for reverse DNS resolution.

1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The AAA Server screen opens.

2. In the Name box, type in a name for your Active Directory server.

3. For Type, select Active Directory.

4. In the Domain Controller box, enter the KDC hostname (as defined in the /etc/hosts file), and type the name of the domain in the Domain Name box.

5. Type the Admin Name, and type and verify the Admin Password. These must be identical on both servers.

6. Leave all other settings at the defaults, and click Finished.


Setting up Active Directory query high availability servers

Setting up Active Directory query high availability servers is more involved because of limitations imposed by the Active Directory server.

To set up server pools

1. In the navigation pane, expand Local Traffic, and click Pools. The Pool List screen opens.

2. Click Create. The New Pool screen opens.

3. Type a descriptive name for your pool. For example, ActiveDirectoryQueryPool.

4. For Health Monitors, select tcp and click the move button (<<) to add it to the Active list. This lets the BIG-IP system know when the servers are active or inactive.

5. Optionally, in the Resources area, enable Priority Group Activation by selecting Less than from the list.

6. For the New Members setting:

• In the Address box, type the IP address of your LDAP server.

• For the Service Port, type 389 (for LDAP) or 88 (for Kerberos).

• Set the Priority level.

7. Repeat steps 1-6 for each Active Directory server you wish to add, and then click the Add button. Each IP address of the Active Directory server should appear in the New Members list.

8. Click Finished.

To set up dummy virtual servers

1. In the navigation pane, expand Local Traffic and click Virtual Servers. The Virtual Server List screen opens.

2. Click Create. The New Virtual Server screen opens.

3. In the Name box, type a name for your dummy virtual server.

4. For Configuration, select Advanced. More options appear on screen.

5. For the Destination setting, under General Properties, in the Address box, enter a loopback address. We recommend that you use an unroutable IP address.

6. In the Service Port box, type 389 or 88.

7. Leave all other settings at the defaults, and click Finished.


To attach the server pool to the virtual server

1. In the navigation pane, expand Local Traffic and click Virtual Servers. The Virtual Server List screen opens.

2. Re-open the virtual server you created by clicking its name.

3. On the menu bar, click Resources.

4. For Default Pool, select the server pool you created.

5. Click Update to save your information.

To set up an AAA server object

For Active Directory, you need to add the virtual server name to the Access Policy Manager’s /etc/hosts file in order for it to resolve correctly. This should point to the dummy virtual server IP address, and is used for reverse DNS resolution.

1. In the navigation pane, expand Access Policy, and click AAA Servers. The AAA Servers screen opens.

2. Click Create. The New Server screen opens.

3. In the Name box, type a name for your Active Directory server.

4. For Type, select Active Directory.

5. In the Domain Controller box, type the KDS host name (as defined in the /etc/hosts file), and type the name of the domain in the Domain Name box.

In addition to adding an entry to the /etc/hosts file, you must supply the following information to your DNS server.

• An address (A) record for your virtual server.

• A reverse-DNS (PTR) record for your virtual server.

• Service Location (SRV) records for TCP for Kerberos and LDAP pointing to your virtual server.

• Service Location (SRV) records for UDP for Kerberos, LDAP, and Kerberos-master (port 88) pointing to your virtual server.

6. Enter the Admin Name, and enter and verify the Admin Password. These must be identical on both servers.

7. Leave all other settings at the defaults, and click Finished.
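The DNS records required at step 5 are where this setup most often fails, because the SRV owner names must match exactly what domain members query. The following Python script is an added example, not F5's own code: it encodes the record list from this procedure, reports which records a zone is missing, and prints a complete fragment to publish. The zone data is constructed for the example; the host name, domain and address are the ones from the /etc/hosts example earlier in this section.

```python
"""Check the DNS records that the Active Directory HA virtual server needs.

Added example, not F5's own code. It encodes the record list from the
"To set up an AAA server object" procedure (A and PTR for the virtual
server, SRV over TCP for Kerberos and LDAP, SRV over UDP for Kerberos,
LDAP and kerberos-master) and reports which are missing from a zone.
"""
import ipaddress

# Values taken from the /etc/hosts example in this chapter.
VIRTUAL_HOST = "myvirtual.mydomain.com"
DOMAIN = "mydomain.com"
VIRTUAL_IP = "192.168.1.50"

# (service, protocol, port) for every SRV record the procedure asks for.
REQUIRED_SRV = [
    ("_kerberos", "_tcp", 88),
    ("_ldap", "_tcp", 389),
    ("_kerberos", "_udp", 88),
    ("_ldap", "_udp", 389),
    ("_kerberos-master", "_udp", 88),
]


def ptr_name(ip):
    """Owner name of the reverse (PTR) record, e.g. 50.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def required_records(host=VIRTUAL_HOST, domain=DOMAIN, ip=VIRTUAL_IP):
    """Normalised (owner, type, data) tuples the setup needs.

    SRV data is reduced to "port target" because priority and weight are
    deployment choices the procedure does not prescribe.
    """
    fqdn = host + "."
    records = {(fqdn, "A", ip), (ptr_name(ip) + ".", "PTR", fqdn)}
    for service, proto, port in REQUIRED_SRV:
        records.add((f"{service}.{proto}.{domain}.", "SRV", f"{port} {fqdn}"))
    return records


def parse_zone(text):
    """Parse 'owner ttl class type rdata...' lines into normalised tuples."""
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) < 5:
            continue
        owner, rtype, rdata = fields[0], fields[3].upper(), fields[4:]
        if rtype == "SRV":
            rdata = rdata[2:4]                 # keep port and target only
        records.add((owner.lower(), rtype, " ".join(rdata).lower()))
    return records


def missing_records(zone_text, **kw):
    """Required records that the zone does not contain, sorted for display."""
    return sorted(required_records(**kw) - parse_zone(zone_text))


def zone_fragment(host=VIRTUAL_HOST, domain=DOMAIN, ip=VIRTUAL_IP):
    """Render the complete set of required records as a BIND-style fragment."""
    lines = []
    for owner, rtype, data in sorted(required_records(host, domain, ip)):
        if rtype == "SRV":
            data = "0 100 " + data             # priority 0, weight 100
        lines.append(f"{owner:<36} 3600 IN {rtype:<4} {data}")
    return "\n".join(lines) + "\n"


# Constructed zone for the example: the kerberos-master UDP record is absent.
SAMPLE_ZONE = """\
myvirtual.mydomain.com.              3600 IN A    192.168.1.50
50.1.168.192.in-addr.arpa.           3600 IN PTR  myvirtual.mydomain.com.
_kerberos._tcp.mydomain.com.         3600 IN SRV  0 100 88  myvirtual.mydomain.com.
_ldap._tcp.mydomain.com.             3600 IN SRV  0 100 389 myvirtual.mydomain.com.
_kerberos._udp.mydomain.com.         3600 IN SRV  0 100 88  myvirtual.mydomain.com.
_ldap._udp.mydomain.com.             3600 IN SRV  0 100 389 myvirtual.mydomain.com.
"""

if __name__ == "__main__":
    for owner, rtype, data in missing_records(SAMPLE_ZONE):
        print(f"missing {rtype} record: {owner} -> {data}")
    print("\nComplete fragment to publish:\n" + zone_fragment())
```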


To host the Active Directory service

You must make sure that all of your Active Directory servers recognize that your virtual server is hosting the Active Directory service. You do this by adding a service principal name entry on each of the authentication servers using Microsoft’s setspn utility.

1. Download the setspn utility from Microsoft’s website. This is a separate download for Windows 2000 Server, but part of the Windows Server 2003 Support Tools for Windows Server 2003.

2. Once the utility is installed, open a command prompt.

3. Change to the Resource Kit directory (C:\Program Files\Resource Kit) and run the following command:

setspn -A LDAP/<virtual address> <machine name>

So, if you are configuring your Active Directory server as testauth1, and you are adding an entry for your virtual server as myvirtual.mydomain.com, you run the following command:

setspn -A LDAP/myvirtual.mydomain.com testauth1

4. To view the new entry, run the following command:

setspn -L testauth1

One of the entries shows Active Directory as being registered for your virtual server on the server. Add entries on each of your authentication servers, and Active Directory query should work successfully.


Active Directory AAA high availability testing

To effectively test that AAA high availability works for Active Directory, you should have two Active Directory servers that are accessible, where you can remove one of them from the network.

To test Active Directory AAA high availability

1. Begin a TCP dump on the Access Policy Manager device using a protocol analyzer, capturing packets destined for port 389.

2. Log into the virtual server with both servers active.

3. Verify using the TCP dump that the requests are being sent to the higher priority server.

4. Log off of the virtual server.

5. Disable the higher-priority server.

6. Log into the virtual server again.

7. Verify that the request is being sent to the other server.

8. Log out again, re-enable the server, and try one more time to verify that the new requests are being sent to the high priority server.

Setting up LDAP high availability servers

You can set up AAA high availability for LDAP servers. These servers must serve the same domain. Ideally, the servers should belong to the same server farm, with one being the backup for the other server. However, they can also be both primary servers that serve the domain. For that particular setup, users must be updated on each system individually.

To set up server pools

1. In the navigation pane, expand Local Traffic, and click Pools. The Pool List screen opens.

2. Click Create. The New Pool screen opens.

3. Type a descriptive name for your pool. For example, LDAPAuthenticationPool.

4. For the Health Monitors setting, select gateway_icmp from the Available list, and click the move button (<<) to add it to the Active list. This lets the BIG-IP system know when the servers are active or inactive.

5. Optionally, under the Resources area, enable Priority Group Activation by selecting Less than from the list.

6. For the New Members setting:

• In the Address box, type in the IP address for your LDAP server.


• For the Service Port, type 389 (for Active Directory) or 88 (for Kerberos).

• Set the Priority level.

7. Repeat steps 1-6 for each LDAP server you wish to add, and then click the Add button. Each IP address of the LDAP server should appear in the New Members list.

8. Click Finished.

To set up dummy virtual servers

1. In the navigation pane, expand Local Traffic, and click Virtual Servers. The Virtual Server screen opens.

2. Click Create. The New Virtual Server screen opens.

3. In the Name box, type a name for your dummy virtual server.

4. From Configuration, select Advanced. More options appear on screen.

5. For the Destination setting, under General Properties, in the Address box, enter a loopback address. We recommend that you use an unroutable IP address.

6. In the Service Port box, type port 389, which is the default port for LDAP servers.

7. Leave all other settings at the defaults, and click Finished.

To attach the server pool to the virtual server

1. In the navigation pane, expand Local Traffic and click Virtual Servers.

2. Re-open the virtual server you created by clicking its name.

3. On the menu bar, click Resources.

4. For Default Pool, select the server pool you created.

5. Click Update to save your information.

To set up an AAA server object

1. In the navigation pane, expand Access Policy, and click AAA Servers. The AAA Servers screen opens.

2. Click Create. The New Server screen opens.


3. In the Name box, type a name for your LDAP server.

4. From the Type list, select LDAP.

5. Type the Admin DN, and type and verify the Admin Password. These must be identical on both servers.

6. Leave all other settings at the defaults, and click Finished.

LDAP AAA high availability testing

To effectively test that AAA high availability works for LDAP, you should have two LDAP servers that are accessible, where you can remove one of them from the network.

To test LDAP AAA high availability

1. Begin a TCP dump on the Access Policy Manager device using a protocol analyzer, capturing packets destined for port 389.

2. Log into the virtual server with both servers active.

3. Verify with the TCP dump that the requests are being sent to the higher priority server.

4. Log out of the virtual server.

5. Disable the higher-priority server.

6. Log into the virtual server again.

7. Verify that the request is being sent to the other server.

8. Log out again, re-enable the server, and try one more time to verify that the new requests are being sent to the high priority server.


12

Introducing On-Demand Certificate Authentication

• Controlling SSL traffic

• Understanding SSL profiles

• Introducing SSL server certificates

• Introducing SSL On-Demand Certificates

• Understanding On-Demand certificate authentication

• Configuring client SSL profiles

• Using On-Demand Certificates to authenticate users

• Validating certificate revocation status

• Understanding OCSP


Controlling SSL traffic

One of the primary ways that you can control SSL network traffic is by configuring a client or server SSL profile. This chapter provides information on any features specific to Access Policy Manager™ that you are required to configure to manage the client side, and ensure that your On-Demand Certificate is set up properly for validation and authentication.

For more detailed information about managing SSL traffic, refer to the Configuration Guide for BIG-IP® Local Traffic Manager™ available on https://support.f5.com.

Understanding SSL profiles

A profile is a group of settings with values that determine the way that the Access Policy Manager system handles application-specific network traffic. One type of traffic that a profile can manage is SSL traffic. The most basic functions of an SSL profile are to offload the certificate validation and verification tasks, as well as data encryption and decryption, from your targeted web servers. The two types of SSL profiles are:

• Client Profiles. Client Profiles allow the BIG-IP® system to handle authentication and encryption tasks for any SSL connection coming into an Access Policy Manager system from a client system. You implement this type of profile by using the default clientssl profile, or by creating a custom profile based on the default clientssl profile. For more information on how to set up an SSL profile for a client, refer to Configuring client SSL profiles, on page 12-8.

• Server Profiles. Server Profiles allow the BIG-IP® system to handle encryption tasks for any SSL connection being sent from an Access Policy Manager to a target server. An SSL server profile is able to act as a client by presenting certificate credentials to a server when authentication of the Access Policy Manager system is required. You implement this type of profile by using the default serverssl profile, or by creating a custom profile based on the default serverssl profile. For more information on how to configure an SSL profile for a server, refer to the Configuration Guide for BIG-IP® Local Traffic Manager™ available on the Ask F5SM web site, https://support.f5.com.


Introducing SSL server certificates

The SSL (Secure Sockets Layer) protocol uses the certificate to establish a secure connection. A valid SSL server certificate, also known as a security certificate, is necessary for establishing secure HTTPS connections. An SSL server certificate identifies your server to any connecting client browser. The certificate contains information identifying the server, and the organization it was issued to, as well as an expiration date. Most browsers that support SSL connections have internal lists of Certificate Authorities (CAs), and automatically accept certificates issued by these organizations. If there is an error, some browsers display security warnings; other browsers, notably those found on wireless devices such as PDAs or smart phones, might refuse a connection.

For more detailed information about how to set up server certificates, refer to the Configuration Guide for BIG-IP® Local Traffic Manager™ available on the Ask F5SM web site, https://support.f5.com.

Introducing SSL On-Demand Certificates

When a client makes an HTTPS request, the Access Policy Manager system can perform the On-Demand Certificate verification task that is normally performed by the target server.

When a client presents a certificate to the Access Policy Manager system, the system uses a trusted CA file to determine the Certificate Authorities that it can trust. By using this file, the Access Policy Manager attempts to verify a client certificate. When you create an SSL client profile, as described in Configuring client SSL profiles, on page 12-8, the Access Policy Manager automatically creates a default client trusted CA file.

For more detailed information about server and client side certificates, refer to the Configuration Guide for BIG-IP® Local Traffic Manager™ on https://support.f5.com.


Understanding On-Demand certificate authentication

The Access Policy Manager provides two types of certificate agents for On-Demand certificate authentication. Depending on your preference, you can select either agent to set up On-Demand certificate authentication verification to be used within your access policy.

• Client certificate inspection agent

• On-Demand Certificate Authentication agent

Client certificate inspection

The client certificate inspection agent checks the result of the certificate authentication previously performed by the clientssl profile. It does not, however, negotiate an SSL session.

F5 Networks recommends that you use the client certificate inspection agent in cases where the On-Demand certificate authentication is required as part of the initial SSL handshake, and only if it is necessary to validate the result of that authentication as part of running the access policy.

The following example shows a client certificate inspection agent being used as part of an access policy.

• The certificate mode Request setting in the clientssl profile prompts the system to send an On-Demand certificate authentication request to the user.

• Once the user provides a valid certificate, the access policy is started by the system, and the system provides the logon page (the first item in the access policy). Note that the opening of the logon page agent is not affected by the result of the On-Demand certificate authentication process.

• The RADIUS authorization agent (the second item in the access policy) authenticates the user.

• The client certificate inspection starts upon successful authentication.

• The client certificate inspection agent checks the result of the On-Demand certificate authentication that was performed at the beginning, that is, before the logon page agent.

• The default rule that comes with the client cert result agent checks the value of the session variable session.ssl.cert.valid to determine the success or failure of the authentication process. Upon successful authentication, the access policy assigns the resource R1 to the user and reaches the allow ending. Otherwise, the access policy assigns the resource R2 to the user.

To use this agent, set the certificate mode in the clientssl profile to Request. Setting this mode sends a certificate request to the client. In this case, the SSL profile always grants access, regardless of the status or absence of the certificate. Granting access is not dependent on whether a certificate is present, nor does the connection terminate if a certificate is not received.

Note

When the certificate authentication mode is set to Require on the New Client SSL Profile screen, the user must provide a valid client certificate. Otherwise, the connection is not allowed. The recommended option for the client cert result agent is Request.

On-Demand certificate authentication agent

The On-Demand certificate authentication agent performs an SSL re-handshake and validates the received certificate. To use this agent, the client certificate authentication mode in the clientssl profile should be set to Ignore on the Client SSL Profile screen. The system then does not request a certificate in the initial SSL handshake; the request is made later, by the agent, as part of your access policy.

We recommend that you use this agent in cases where both the On-Demand certificate authentication and validation need to be performed in the middle of an access policy process.

The following example shows an On-Demand certificate agent being used as part of the access policy.

• When the user connects to the system, the Ignore setting for the certificate mode in the clientssl profile does not prompt a request to the user for a certificate; instead, the access policy process starts by providing the Logon page to the user.

• After the user enters his credentials, the RADIUS authentication agent starts.

• Upon successful authentication, the access policy runs the decision box action called Client Cert Installed or Not, which prompts the user to indicate whether he has an On-Demand Certificate installed.

• If the user selects Yes, then the On-Demand certificate agent runs.

• The On-Demand certificate agent then re-negotiates the SSL connection by sending a certificate request to the user, which prompts a certificate window to open.

• Once the user provides a valid certificate, the On-Demand certificate agent starts running the access policy rule which checks the result of the On-Demand certificate authentication. The default rule that comes with the On-Demand certificate authentication agent checks the value of the session variable session.ssl.cert.valid to determine whether authentication was a success.

Note: The On-Demand certificate authentication takes place after the logon page, RADIUS authentication, and the decision box agent, and not at the beginning of the initial SSL handshake, as done for the client certificate result agent.


• If the access policy rule in the On-Demand certificate agent detects that the validation was a success, then the access policy assigns the resource R1 to the user, and takes the user to the allow ending. Otherwise, the user is denied access.

On-Demand certificate authentication modes

The On-Demand certificate authentication agent re-negotiates the SSL connection by sending a certificate request to the user, which prompts a certificate window to open.

Once the user provides a valid certificate, the On-Demand certificate agent starts running the access policy rule which checks the result of the certificate authentication. The default rule that comes with the On-Demand certificate authentication agent checks the value of the session variable session.ssl.cert.valid to determine whether authentication was a success.

There are two authentication modes for the On-Demand certificate authentication agent.

• Request: With this mode, the system requests a valid certificate from the client, but the connection does not terminate if the client does not provide a valid certificate. Instead, this action takes the fallback route in the access policy. This is the default option.

• Require: With this mode, the system requires that a client provides a valid certificate. If the client does not provide a valid certificate, the connection terminates and the client browser stops responding.

Figure 12.1 shows an example of an access policy that displays the On-Demand Cert Auth agent with the two authentication modes. The iPhone or iPod User check is created using the UI Mode check, and determines whether the client is using an iPhone or iPod, or the browser. If the user agent string (shown in Figure 12.2) indicates that the client is an iPhone or iPod user, then the On-Demand Cert Auth - Require authentication mode is executed. Otherwise, On-Demand Cert Auth - Request is executed.

Figure 12.1 On-Demand authentication agent example


Figure 12.2 iPhone/iPod user string example

Adding the On-Demand Certificate into your access policy

After you create a clientssl profile, you can add an On-Demand certificate authentication action to your access policy. This action requires that the client has a valid certificate on its machine before it runs the On-Demand certificate authentication. F5 Networks highly recommends that a Decision Box agent precede the On-Demand certificate authentication agent in the visual policy editor so that the user has the option of indicating whether he has a valid certificate. If a valid certificate is not available, and the user indicates as much in the Decision Box agent, the system bypasses the client certificate validation process and proceeds to the next step in the verification process.

Note

If you want to authenticate the client with a valid certificate at the beginning of the initial SSL handshake of your access policy, then you should select Request from the Client SSL Profile screen when you set up your client SSL profile.

To add an On-Demand certificate authentication check agent to an access policy

1. Select an access policy or create a new one.

2. In the navigation pane, expand Access Policy, and select Access Profiles. The Access Profiles screen opens.

3. Click the access policy and select Edit. The visual policy editor screen opens.

4. Under Predefined Actions, in the Authentication settings, select On-Demand Cert Auth.

5. Click Add Item. A Properties screen opens.


6. From the Auth Mode option, select either Request or Required. The default is Request.

7. Click Save. The system adds the On-Demand Certificate authentication agent to your access policy.

Note

If your access policy is configured with an On-Demand certificate authentication action, the user's browser must have a valid certificate. Otherwise, the user's browser may stop responding because the client failed to provide a valid certificate. To avoid running into this problem, we highly recommend that you use the Decision Box agent in your access profile so that users are given an option to specify whether or not they have a valid certificate.


Configuring client SSL profiles

The Access Policy Manager system provides a simple way to configure your client SSL profile so that you can include the certificate authentication process in your access policy.

To ensure that your client profile is set up correctly, you must perform these tasks, sequentially.

• Importing a certificate and the corresponding key

• Configuring the clientssl profile

• Adding an On-Demand Certificate agent into your access policy

Importing a certificate and the corresponding key

The first task in configuring a client SSL profile is to import a certificate and the corresponding key (issued by your organization’s CA).

To import a certificate and a key

1. In the navigation pane, expand Local Traffic and click SSL Certificates. The SSL Cert screen opens.

2. Click the Import button. The SSL Certificate/Key Source screen opens.

3. Select an Import Type from the list, type the required parameters into the boxes, and click the Import button. The screen refreshes to show settings specific to the type you selected.

Configuring a clientssl profile

The next task is to configure a clientssl profile.

To configure the clientssl profile

1. In the navigation pane, expand Local Traffic and click Profiles. The HTTP Profiles screen opens.

2. From the SSL menu, choose Client. The Client SSL Profiles screen opens.

3. At the upper right, click Create. A New Client SSL Profile screen opens.

4. In the Name box, type a name for your clientssl profile.

5. In Configuration, select Advanced from the list.

6. Check the Custom box.


7. For the Trusted Certificate Authorities setting, select your trusted certificate authority.

8. For the Ciphers setting, type in a NATIVE cipher to support the On-Demand Client Certificate check. The list of supported NATIVE ciphers includes the following:

• RC4-MD5

• RC4-SHA

• AES128-SHA

• AES256-SHA

• DES-CBC3-SHA

• DES-CBC-SHA

• EXP1024-RC4-MD5

• EXP1024-RC4-SHA

• EXP1024-DES-CBC-SHA

• EXP-RC4-MD5

• EXP-DES-CBC-SHA

• NULL-MD5

• NULL-SHA

9. In the Client Authentication area, check the Custom box. You can select from the four options available. Your choice depends on the type of agent you want to use in your access policy as part of On-Demand Certificate validation. However, we recommend that you select either Ignore for the On-Demand Certificate Authentication agent or Request for the client certificate inspection agent.

10. Click Finished. Your clientssl profile is now created.
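As an added check (not part of the guide or of F5's tooling), the Python below parses a clientssl Ciphers string against the NATIVE list from step 8 and flags suites a defender would not enable on a client-facing profile: the NULL suites encrypt nothing, the EXP and EXP1024 suites use 40- and 56-bit export keys, DES-CBC-SHA is single DES, and the RC4 suites rely on a stream cipher with known keystream biases. Those weakness notes are general facts about the OpenSSL suite names, not statements from the guide; the parser assumes the Ciphers setting takes an OpenSSL-style colon-separated string in which a leading "!" excludes a suite.

```python
"""Review a clientssl Ciphers string against the NATIVE list from this chapter.

Added example, not F5's own code. The supported list is the one given at
step 8 of "To configure the clientssl profile". The per-suite weakness notes
are general facts about these OpenSSL suite names, not statements from the
guide. Assumption: the Ciphers setting accepts an OpenSSL-style string such as
"AES256-SHA:AES128-SHA:!NULL-SHA", where '!' removes a suite.
"""

# Suites listed in the guide as supported by the NATIVE SSL stack.
NATIVE_CIPHERS = [
    "RC4-MD5", "RC4-SHA", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA",
    "DES-CBC-SHA", "EXP1024-RC4-MD5", "EXP1024-RC4-SHA", "EXP1024-DES-CBC-SHA",
    "EXP-RC4-MD5", "EXP-DES-CBC-SHA", "NULL-MD5", "NULL-SHA",
]


def weakness(suite):
    """Return a short reason the suite is weak, or None if nothing is flagged."""
    if suite.startswith("NULL-"):
        return "no encryption: application data is sent in cleartext"
    if suite.startswith("EXP-"):
        return "export-grade 40-bit key"
    if suite.startswith("EXP1024-"):
        return "export-grade 56-bit key"
    if suite == "DES-CBC-SHA":
        return "single DES, 56-bit key"
    if "RC4" in suite:
        return "RC4 stream cipher, known keystream biases"
    return None


def parse_cipher_string(spec):
    """Expand an OpenSSL-style string into the ordered list of enabled suites.

    Tokens are separated by ':'; '!X' removes X and keeps it removed even if
    named again later; any other token is a suite name. Unknown names are kept
    so the caller can report them as unsupported.
    """
    enabled, banned = [], set()
    for token in filter(None, (t.strip() for t in spec.split(":"))):
        if token.startswith("!"):
            name = token[1:]
            banned.add(name)
            enabled = [s for s in enabled if s != name]
        elif token not in banned and token not in enabled:
            enabled.append(token)
    return enabled


def review_profile_ciphers(spec):
    """Classify each enabled suite as (suite, 'ok' | 'weak' | 'unsupported', reason)."""
    findings = []
    for suite in parse_cipher_string(spec):
        if suite not in NATIVE_CIPHERS:
            findings.append((suite, "unsupported", "not in the NATIVE list"))
            continue
        reason = weakness(suite)
        findings.append((suite, "weak" if reason else "ok", reason or ""))
    return findings


def has_weak_or_empty(spec):
    """True if the string enables a flagged suite or leaves nothing enabled."""
    findings = review_profile_ciphers(spec)
    return not findings or any(status != "ok" for _, status, _ in findings)


if __name__ == "__main__":
    # Constructed cipher strings: a sound one, one with weak suites, one empty.
    for spec in ("AES256-SHA:AES128-SHA:DES-CBC3-SHA",
                 "RC4-SHA:NULL-SHA:AES128-SHA",
                 "!AES128-SHA:AES128-SHA"):
        verdict = "needs attention" if has_weak_or_empty(spec) else "ok"
        print(f"{spec} -> {verdict}")
        for suite, status, reason in review_profile_ciphers(spec):
            print(f"  {suite:<22} {status:<12} {reason}")
```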


Using On-Demand Certificates to authenticate users

There are several tasks required for using On-Demand Certificate actions:

• Install the client root certificate on the Access Policy Manager.

• Add the On-Demand Cert Authentication in the access policy.

• Instruct users how to download and install the On-Demand Certificate on their computers. You can also email the On-Demand Certificates to users.

• Use CRL and OCSP to check the status of the received On-Demand Certificates at run time.

The Access Policy Manager can then request and validate the user’s On-Demand Certificate as part of the access policy.


Validating certificate revocation status

Access Policy Manager supports three ways to validate certificate revocation status:

• CRLs

• OCSP

• CRLDP

For more detailed information on configuration and setup, refer to the Configuration Guide for BIG-IP® Local Traffic Manager™ on https://support.f5.com.

Understanding CRLs

A certificate revocation list (CRL) is a list of revoked (invalid) certificates. The CRL describes the reason for the revoked status of each certificate, and provides the certificate’s issue date and originator. The list also notes when its next update is due.

When a user with a revoked On-Demand Certificate attempts to log on to the Access Policy Manager, the system allows or denies access based on the CRL configured in the client SSL profile.

A CRL is one of three common methods for maintaining valid, certificate-based access to servers in a network. CRLDP is an industry-standard protocol designed to manage SSL certificate revocation on a network or system. The main limitation of a CRL is that keeping it current requires frequent updates, whereas OCSP checks certificate status in real time. You can read more about OCSP in Understanding OCSP, following.

The CRL is a PEM-formatted file containing a list of revoked certificates, attached to the client SSL profile. Make sure the CRL file is kept up to date. You must manually install the CRL file in the /config/ssl/ssl.crl directory, since this is not an automatic process.

To attach a PEM-formatted CRL file to a client SSL profile

1. In the navigation pane, expand Local Traffic, and click Profiles. The HTTP Profiles screen opens.

2. From the SSL menu, choose Client. The Client SSL Profiles screen opens.

3. In the Client Authentication area, in the Certificate Revocation List (CRL) box, type the name of your CRL file, which was previously installed in /config/ssl/ssl.crl/.

4. Click Update. Your CRL file is now attached to the client SSL profile.


Note that if you have multiple CRL files, you cannot aggregate them into one master file. You must point to the individual file (in PEM format) if you want to retrieve CRL information.

Note

You should not configure CRL updates if you are using the Access Policy Manager to generate and issue On-Demand Certificates to users (using either a self-signed client root CA certificate, or a client root CA certificate from a trusted CA). In this case the Access Policy Manager manages CRLs internally.

Converting DER files to PEM file format

The Access Policy Manager system supports CRL files only in PEM format. However, you can convert a non-PEM file format, such as DER, by using a few CLI commands.

To convert a DER file to PEM format

1. Use SSH to access the Access Policy Manager system.

2. Run the command openssl crl -inform DER -outform PEM -in CRL.crl -out CRL.PEM. This converts your input CRL file, CRL.crl, in DER format to the output CRL file, CRL.PEM, in PEM format.

Understanding OCSP

The Online Certificate Status Protocol (OCSP) enables applications to determine the revocation status of a certificate. OCSP provides more timely revocation information than is possible using CRLs, and may also be used to obtain additional status information. The OCSP client, in this case the Access Policy Manager, issues a status request to an OCSP responder, and suspends acceptance of the certificate until the responder provides a response.

The Access Policy Manager supports OCSP validation of On-Demand Certificates.

Note

Do not use On-Demand Certificate OCSP if you are using the Access Policy Manager to generate/issue On-Demand Certificates to users (using either a self-signed client root CA certificate, or a client root CA certificate issued by a trusted CA). In this case, the Access Policy Manager is managing CRLs internally.


Setting up OCSP requires these tasks:

• Configuring an OCSP responder object

• Creating an SSL OCSP profile

• Binding the SSL OCSP profile to a virtual server

Configuring an OCSP responder objectTo work with OCSP, you first must create an OCSP responder object.

To configure an OCSP responder object

1. In the navigation pane, expand Local Traffic, and click Profiles. The HTTP Profiles screen opens.

2. From the Authentication menu, choose OCSP Responders. The OCSP Responders screen opens.

3. At the upper right, click Create. A General Properties screen opens.

4. Type in a name for your OCSP profile. The name must not contain capital letters, which generate an error. The screen refreshes to display additional parameters specific to your selection.

5. In the URL setting, type the URL for your external OCSP responder. A separate OCSP responder object must be created for each OCSP server.

6. Specify a Certificate Authority File.

7. Click Finished.


Chapter 12

Creating an SSL OCSP profile

You must create an SSL OCSP profile in order for OCSP to work properly.

To create an SSL OCSP profile

1. In the navigation pane, expand Local Traffic, and click Profiles. The HTTP Profiles screen opens.

2. From the Authentication menu, choose Profiles. The Authentication Profiles screen opens.

3. At the upper right, click Create. The New Authentication Profile screen opens.

4. Type in a name for your OCSP profile server, and select SSL OCSP from the Type list.

5. Click Finished. This creates the SSL OCSP profile.

Binding the SSL OCSP profile to a virtual server

The last step in setting up OCSP is to include the created OCSP profile in the authentication profile settings of the virtual server.

To bind the OCSP to a virtual server

1. In the navigation pane, expand Local Traffic, and click Virtual Servers. The General Properties screen opens.

2. From the Configuration list, select Advanced.

3. For Authentication Profiles settings, from the Available box, select the SSL OCSP profile you want to bind to the virtual server.

4. Click the move button (<<) to move the SSL OCSP profile to the Enabled box.

5. Click Update.


Using CRLDP

CRLDP stands for Certificate Revocation List Distribution Point. CRLDP checks the revocation status of an SSL certificate as part of authenticating that certificate. CRL distribution points are used to distribute certificate revocation information across a network. A distribution point is a URI or directory name specified in an SSL certificate that identifies how the server obtains CRL information. In addition, distribution points can be used in conjunction with CRLs to configure certificate authorization using any number of LDAP servers.

In setting up CRLDP, you complete the following tasks:

• Configuring a CRLDP server object

• Configuring a CRLDP configuration object

• Creating a CRLDP profile

• Binding the CRLDP profile to a virtual server

Configuring a CRLDP server object

When you set up a CRLDP server object, you include details such as the CRLDP server IP address, a port for the CRLDP authentication traffic, and the LDAP base DN for certificates that specify the CRL distribution point in directory name format. The base DN is used when the value of the X.509 v3 attribute CRLDP is of type dirName. In this case, the Access Policy Manager attempts to match the value of the CRLDP attribute to the base DN value.

To configure a CRLDP Server object

1. In the navigation pane, expand Local Traffic, and click Profiles. The HTTP Profiles screen opens.

2. From the Authentication menu, choose CRLDP Responders. The CRLDP Responders screen opens.

3. At the upper right, click Create. The General Properties screen opens.

4. Fill in all the details for this screen. Refer to the online help for specific details on each setting.

5. Click Finished. This creates a CRLDP Server object.

Configuring a CRLDP configuration object

When you configure a CRLDP configuration object, you include details about the CRLDP servers, which allows the On-Demand Certificate issuer to extract the CRLDP.


To configure a CRLDP configuration object

1. In the navigation pane, expand Local Traffic, and click Profiles. The HTTP Profiles screen opens.

2. From the Authentication menu, choose Configurations. The Authentication Configurations screen opens.

3. At the upper right, click Create. The General Properties screen opens.

4. In the Name box, type in a name for your CRLDP configuration object.

5. From the Type list, select CRLDP. Additional configuration parameters appear.

6. Specify your CRLDP server and click Finished. This creates the CRLDP configuration object.

Creating a CRLDP profile

To use CRLDP, you must create a CRLDP profile and reference the CRLDP configuration object.

To create a CRLDP profile

1. In the navigation pane, expand Local Traffic, and click Profiles. The HTTP Profiles screen opens.

2. From the Authentication menu, choose Profiles. The Authentication Profiles screen opens.

3. At the upper right, click Create.

4. In the Name box, type in a name for your CRLDP profile.

5. From the Type list, select CRLDP. Additional configuration parameters become available.

6. Enable all the custom check boxes and configure all settings. Refer to the online help for specific details on each setting.

7. Click Finished. This creates the CRLDP profile.

Binding the CRLDP profile to a virtual server

The last step in setting up CRLDP is to include the CRLDP profile in the authentication profile settings of the virtual server.

To bind the CRLDP profile to a virtual server

1. In the navigation pane, expand Local Traffic, and click Virtual Servers. The Virtual Server List screen opens.


2. From the list of virtual servers, click the name of the server to which you want to bind the CRLDP profile. The Properties screen opens.

3. From the Configuration setting, select Advanced.

4. From the Available box, for the Authentication Profiles, select the CRLDP profile you want to bind to the virtual server.

5. Click the move button (<<) to move the CRLDP profile to the Enabled box.

6. Click Update. The CRLDP profile is now associated with your virtual server.


13

Introducing Single Sign-On

• Introducing Single Sign-On (SSO) with credential caching and proxying

• About credential caching

• About credential proxying

• About External Access Management

• Common use cases for Single Sign-On deployment


Introducing Single Sign-On (SSO) with credential caching and proxying

Access Policy Manager™ provides a Single Sign-On (SSO) feature that leverages credential caching and credential proxying. Credential caching and proxying is a two-phase security approach that allows your users to enter their credentials once to access their secured web applications.

With this technology, a user requests access to the secured back-end web server. Access Policy Manager then creates a user session and collects the user identity based on the access policy. Upon successful completion of the access policy, the user identity is saved (cached) in a session database. Lastly, the WebSSO plugin retrieves (proxies) the cached user credentials and authenticates the user using the configured authentication method.

The single sign-on (SSO) feature provides the following benefits:

• Eliminates the need to administer and maintain multiple user logons

• Eliminates the need for users to enter their credentials multiple times

Introducing Single Sign-On configuration objects

Access Policy Manager supports four SSO methods. Each method contains a number of attributes that you need to configure properly to support SSO.

Note

If you misconfigure SSO objects for one of the authentication methods HTTP Basic, NTLMv1, NTLMv2, or OAM, SSO is disabled for all authentication methods when you access a resource with the misconfigured SSO object. However, the HTTP Form-Based method is not affected by a misconfigured object. Additionally, SSO is disabled for the current user session only; all other users remain unaffected.

General SSO object attributes

These general object attributes apply to all SSO methods. In the navigation pane, expand Access Policy, choose SSO Configuration, and click Create.

• SSO method: This defines the authentication method for your SSO configuration object. You can select from the following values: HTTP basic, HTTP Form Based, HTTP NTLMv1, HTTP NTLMv2, or OAM.

• Username Source: This defines the source session variable name of the user name for SSO authentication. By default, it is the user name session variable session.sso.token.last.username.

• Password Source: This defines the source session variable name of the password for SSO authentication. By default, it is the password session variable session.sso.token.last.password.


Chapter 13

• Username Conversion: This converts PREWIN2k/UPN username input format to the format you want to use for SSO. For example, convert domain\username or username@domain to username.

For the HTTP Basic, NTLM v1, NTLM v2, and OAM authentication methods, no additional attributes are required.

HTTP form-based SSO object attributes

These additional object attributes apply specifically to the HTTP Form-Based SSO method. In the navigation pane, expand Access Policy, choose SSO Configuration, and click Create. Select Form Based from the SSO Method setting.

• Start URI: Defines the start URI value. If the HTTP request URI matches a start URI value, HTTP Form-Based authentication is performed for SSO. Multiple start URI values can be specified, one per line, for this attribute. You can specify one "*" in a value for wildcard matching.

• Pass Through: Enable this check box to authenticate successfully for OAM form-based authentication. When this box is checked, the authentication request is passed through to the back-end server and WebSSO retrieves the cookies from the response. WebSSO then attaches this cookie to the POST request with credentials and completes the authentication process. This is a required field.

• Form Method: Defines the method of the HTTP Form-Based authentication request for SSO. The options are GET or POST. By default, the form method value is POST. If GET is specified, the SSO authentication is sent as an HTTP GET request.

• Form Action: Defines the form action URL used for HTTP authentication request for SSO. For example, /access/oblix/apps/webgate/bin/webgate.dll. If you do not specify a value for this attribute, the original request URL is used for SSO authentication.

• Form Parameter For User Name: Defines the parameter name of the logon user name. For example, if the HTTP server expects the user name in the form of userid=, then userid is specified as the attribute value.

• Form Parameter for Password: Defines the parameter name of the logon password. For example, if the HTTP server expects the password in the form of pass=, then pass is specified as the attribute value.

• Hidden Form Parameters/Values: Defines the hidden form parameters required by the authentication server logon form at your location. Hidden parameters must be entered, like this:

param1 value1

param2 value2

A parameter’s name and value are separated by a space, not by an equal sign. Each parameter starts on a new line. For more information on hidden parameters, refer to Determining the hidden parameters, on page 11-45.


• Successful Logon Detection Match Type: Defines the success detection type that your authentication server uses. You can select one of the following:

• By Resulting Redirect URL: If selected, specifies that the authentication success condition is determined by examining the redirect URL from the HTTP response. You can specify multiple values for this option.

• By Presence Of Specific Cookie: If selected, specifies that the authentication success condition is determined by examining the cookie value from the response. This option uses only one defined value.

• Successful Logon Detection Match Value: Defines the value used by the specific success detection type.

Assigning SSO configuration objects

Once you create an SSO object, you must apply the object to an access profile or a web application object in order to successfully deploy SSO in your configuration.

Assigning an SSO object to an access profile

1. In the navigation pane, expand Access Policy, and click Access Profiles.

2. Select an existing access profile or create a new one.

3. On the access profiles properties page, under Configurations, select your SSO object from the SSO Configuration list.

4. Click Update.

5. On the same screen, select Access Policy to associate your SSO object with your access profile. The General Properties screen opens.

6. Click Edit Access Policy for Profile "name of your profile". The visual policy editor opens in a separate browser window.

7. On the access policy, click the [+] sign after your authentication server object(s), to open the Predefined Actions screen.

8. Under General Purpose, select SSO Credential Mapping, and click Add Item.

9. The SSO object is now part of your overall authentication process.

Note

Access Policy Manager supports the following formats from the username field on the logon page in order to authenticate to the back-end server: domain\username and username@domain.


About credential caching

Access Policy Manager supports the following SSO methods for credential caching:

• HTTP Basic Auth: With this method, the SSO plugin uses the cached user identity and sends the request with the Authorization header. This header contains the token Basic and the base64 encoding of the user name, a colon, and the password.

• HTTP Form-Based Auth: With this method, upon detection of a start URL match, the SSO plugin uses the cached user identity to construct and send the HTTP form-based POST request on behalf of the user.

• HTTP NTLM Auth v1: With this method, NTLM employs a challenge-response mechanism for authentication, in which users can prove their identities without sending a password to the server.

• HTTP NTLM Auth v2: With this method, NTLM employs a challenge-response mechanism for authentication, in which users can prove their identities without sending a password to the server. This version of NTLM has been updated from version 1.

• Oracle Access Manager (OAM): With this method, the SSO plug-in integrates a custom Access Gate for web access. The Access Policy Manager acts as an OAM Policy Enforcement Point (PEP).
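The following Python model is an added example, not part of the F5 guide or of APM's own code. It ties together the HTTP form-based SSO object attributes described earlier in this chapter (Username Conversion, Start URI with its single "*" wildcard, Form Method, Form Action, the user name and password form parameters, the space-separated Hidden Form Parameters, and the two Successful Logon Detection match types) with the two credential caching methods above that it can reproduce offline: the HTTP Basic Authorization header and the form-based logon request sent on the user's behalf. The class and function names, the sample paths and parameter names, the UTF-8 encoding of the Basic credentials, and the exact matching rules for redirect URL and cookie detection are this example's assumptions, since the guide does not spell those out.

```python
"""Model of the WebSSO credential-proxying step for the HTTP Basic and
HTTP Form-Based SSO methods, built from the SSO object attributes in this
chapter. Added example; names and the rules marked 'assumed' are this
example's choices rather than documented APM behaviour."""
import base64
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlencode


def convert_username(name: str) -> str:
    """Username Conversion: domain\\user (PREWIN2k) or user@domain (UPN) -> user."""
    if "\\" in name:
        return name.split("\\", 1)[1]
    if "@" in name:
        return name.split("@", 1)[0]
    return name


def basic_authorization(username: str, password: str) -> str:
    """HTTP Basic method: the token 'Basic' plus base64(user ':' password)."""
    raw = f"{username}:{password}".encode("utf-8")  # charset assumed
    return "Basic " + base64.b64encode(raw).decode("ascii")


def start_uri_matches(request_uri: str, start_uris: List[str]) -> bool:
    """Start URI: one value per line; a single '*' in a value is a wildcard."""
    for pattern in start_uris:
        if pattern.count("*") > 1:
            raise ValueError(f"only one '*' is allowed in a start URI: {pattern!r}")
        prefix, star, suffix = pattern.partition("*")
        if not star:
            if request_uri == pattern:
                return True
        elif request_uri.startswith(prefix) and request_uri[len(prefix):].endswith(suffix):
            return True
    return False


def parse_hidden_params(text: str) -> Dict[str, str]:
    """Hidden Form Parameters/Values: 'name value' per line, split on a space, not '='."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, sep, value = line.partition(" ")
        if not sep or "=" in name:
            raise ValueError(f"expected 'name value', got {line!r}")
        params[name] = value.strip()
    return params


@dataclass
class FormSSOConfig:
    """The HTTP Form-Based SSO object attributes (field names assumed)."""
    start_uris: List[str]
    user_param: str                        # Form Parameter For User Name
    pass_param: str                        # Form Parameter For Password
    form_action: Optional[str] = None      # None: the original request URI is used
    form_method: str = "POST"              # Form Method: POST (default) or GET
    hidden_params: Dict[str, str] = field(default_factory=dict)
    success_match_type: str = "redirect"   # "redirect" or "cookie"
    success_match_values: List[str] = field(default_factory=list)
    username_conversion: bool = False      # apply convert_username before sending


def build_logon_request(cfg: FormSSOConfig, request_uri: str,
                        username: str, password: str) -> Optional[dict]:
    """Logon request the plugin sends for the user, or None if no start URI matched."""
    if not start_uri_matches(request_uri, cfg.start_uris):
        return None
    fields = dict(cfg.hidden_params)
    fields[cfg.user_param] = convert_username(username) if cfg.username_conversion else username
    fields[cfg.pass_param] = password
    action = cfg.form_action or request_uri
    query = urlencode(fields)
    if cfg.form_method.upper() == "GET":
        return {"method": "GET", "url": f"{action}?{query}", "body": ""}
    return {"method": "POST", "url": action, "body": query}


def logon_succeeded(cfg: FormSSOConfig, status: int,
                    headers: Dict[str, List[str]]) -> bool:
    """Successful Logon Detection. Assumed rules: 'redirect' = a 3xx whose Location
    equals one configured value; 'cookie' = a Set-Cookie whose name equals the value."""
    if cfg.success_match_type == "redirect":
        location = headers.get("Location", [""])[0]
        return 300 <= status < 400 and location in cfg.success_match_values
    if cfg.success_match_type == "cookie":
        names = [c.split("=", 1)[0].strip() for c in headers.get("Set-Cookie", [])]
        return cfg.success_match_values[0] in names
    raise ValueError(f"unknown success match type {cfg.success_match_type!r}")


# Constructed sample configuration; the paths and parameter names are invented.
SAMPLE_CONFIG = FormSSOConfig(
    start_uris=["/app/login*", "/portal"],
    user_param="userid",
    pass_param="pass",
    form_action="/app/j_security_check",
    hidden_params=parse_hidden_params("param1 value1\nparam2 value2\n"),
    success_match_values=["/app/home"],
)
```

The hidden-parameter parser rejects the `name=value` form on purpose: the guide specifies a space as the separator, and a line written with an equal sign would otherwise be silently sent as a single parameter with an empty value.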

Configuring credential caching mapping agent

Once you create an SSO configuration object and associate it with your access policy as described in the section Assigning SSO configuration objects, you must add the SSO credential mapping agent to an access profile. This step ensures that your access policy includes the mapping agent element to authenticate and authorize your users using single sign-on.

To configure SSO credential mapping agent

1. In the navigation pane, click Access Policy, and select Access Profiles. The Profile List screen opens.

2. Select an access profile from the list in which you want to add the SSO credential mapping agent.

3. Under Configurations, select an SSO object from SSO Configuration list.

4. Click Update.

5. Select the Access Policy tab.


6. Click Edit Access Policy for Profile <name of your profile>. The visual policy editor screen opens in a different browser window.

7. Click the small plus sign where you want to add the new access policy action item. A properties screen opens.

8. Under General Purpose, select SSO Credential Mapping, and click Add Item. The Variable Assign: SSO Credential Mapping screen opens.

9. For the SSO Token Username and SSO Token Password settings, select where you want to retrieve the user name and password from, or select Custom to enter a different user name and password, and click Save. The SSO Credential Mapping agent is added to your access policy as part of the overall authentication process.

About credential proxying

Access Policy Manager creates a user session and collects the user identity based on the access policy. Upon successful completion of the access policy, the user identity is cached in a session database. Then, the WebSSO plugin retrieves the cached user credentials and authenticates the user based on the configured authentication method.

Configuring credential proxying using HTTP basic authentication method

With this method, the SSO plugin uses the cached user identity and sends the request with the Authorization header. This header contains the token Basic and the base64 encoding of the user name, a colon, and the password.

To configure credential proxying using HTTP Basic authentication

1. In the navigation pane, expand Access Policy, and select SSO Configurations. The SSO Config list screen opens.

2. Click Create. The General Properties screen opens.

3. From the SSO method, select HTTP Basic.

4. Under Configuration, specify the username and password you want cached for single sign-on.


5. Click Finished. You are now ready to configure your access profile with the appropriate access policy.

To configure the access profile using SSO

1. In the navigation pane, expand Access Policy. The Profile List screen opens.

2. Select an access profile by clicking on Edit to launch the visual policy editor.

3. Configure your access profile with the appropriate access policy, for example, SSO Credential Mapping.

4. Click Apply Access Policy. You are now ready to associate the SSO object to your access profile. Refer to Assigning SSO configuration objects for instructions.

Configuring credential proxying using HTTP form-based authentication method

With this method, upon detection of the start URL match, the SSO plugin uses the cached user identity to construct and send the HTTP form-based post request on behalf of the user.

To configure credential proxying using HTTP form-based authentication

1. In the navigation pane, expand Access Policy, and select SSO Configurations. The SSO Config list screen opens.

2. Click Create. The General Properties screen opens.

3. From the SSO method, select HTTP Form Based.

4. Under Configuration, specify all your parameters. Refer to the section HTTP form-based SSO object attributes, on page 13-2, for more information on the parameters specific to HTTP Form Based.

5. Click Finished. You are now ready to configure your access profile with the appropriate access policy.

To configure the access profile using SSO

1. In the navigation pane, expand Access Policy. The Profile List screen opens.

2. Select an access profile by clicking on Edit to launch the visual policy editor.


3. Configure your access profile with the appropriate access policy, for example, SSO Credential Mapping.

4. Click Apply Access Policy. You are now ready to associate the SSO object to your access profile. Refer to Assigning SSO configuration objects for instructions.

Configuring credential proxying using NTLM v1 authentication method

With this method, NTLM employs a challenge-response mechanism for authentication, in which users can prove their identities without sending a password to the server.

To configure credential proxying using NTLM v1

1. In the navigation pane, expand Access Policy, and select SSO Configurations. The SSO Config list screen opens.

2. Click Create. The General Properties screen opens.

3. From the SSO method, select NTLM v1.

4. Under Configuration, specify all your parameters. Refer to the online help for specific information on each parameter.

5. Click Finished. You are now ready to configure your access profile with the appropriate access policy.

To configure the access profile using SSO

1. In the navigation pane, expand Access Policy. The Profile List screen opens.

2. Select an access profile by clicking on Edit to launch the visual policy editor.

3. Configure your access profile with the appropriate access policy, for example, SSO Credential Mapping.

4. Click Apply Access Policy. You are now ready to associate the SSO object to your access profile. Refer to Assigning SSO configuration objects for instructions.


Configuring credential proxying using NTLM v2 authentication method

With this method, NTLM employs a challenge-response mechanism for authentication, in which users can prove their identities without sending a password to the server. This version of NTLM has been updated from version 1.

To configure credential proxying using NTLM v2

1. In the navigation pane, expand Access Policy, and select SSO Configurations. The SSO Config list screen opens.

2. Click Create. The General Properties screen opens.

3. From the SSO method, select NTLM v2.

4. Under Configuration, specify all your parameters. Refer to the online help for specific information on each parameter.

5. Click Finished. You are now ready to configure your access profile with the appropriate access policy.

To configure the access profile using SSO

1. In the navigation pane, expand Access Policy. The Profile List screen opens.

2. Select an access profile by clicking on Edit to launch the visual policy editor.

3. Configure your access profile with the appropriate access policy, for example, SSO Credential Mapping.

4. Click Apply Access Policy. You are now ready to associate the SSO object to your access profile. Refer to Assigning SSO configuration objects for instructions.


About External Access Management

Various enterprises have existing web access management systems, such as Oracle Access Manager (OAM), to provide access management and SSO to their web applications.

Access Policy Manager provides native integration with the OAM server for authentication and authorization, eliminating the need to deploy a WebGate proxy in front of each web application, or an agent on each web application. In addition, you can achieve SSO functionality with OAM for HTTP/HTTPS requests passing through a virtual server to the web application.

This integration between Access Policy Manager and OAM simplifies deployment and improves performance for existing web application access management infrastructures.

The example in Figure 13.1 shows the integration between Access Policy Manager and the OAM server, where Access Policy Manager is deployed in front of protected web applications and integrates with the OAM Access Gate SDK. The OAM server is where you store and evaluate policies for users' access requests, and acts as the decision point for authorization, while the Access Gate on Access Policy Manager is responsible for enforcing OAM policies for web access management.

Figure 13.1 Example of BIG-IP Access Policy Manager and OAM deployment

Configuring OAM authentication method

You can achieve SSO functionality for OAM with HTTP/HTTPS requests passing through a virtual server to a backend web application. Specifying OAM as the SSO method eliminates the need to deploy Oracle’s WebGate proxies in front of application servers, and the result is an increase in performance.

Access Policy Manager supports the following authentication methods through the OAM server:


• Basic authentication

• Form-based authentication

• Certificate-based authentication

Note

F5 Networks currently supports OAM 10gR4 (Oracle Access Manager 10.1.4.0.1) and later.

Note

For information on integration between Access Policy Manager and Oracle Access Manager, refer to the Deployment Guide available on AskF5.com at https://support.AskF5.com.

The following tasks are required to successfully configure Access Policy Manager for OAM integration with SSO capability.

• Configure the Access Server and Access Gate through Oracle’s administration user interface

• Create nodes for the backend web server

• Create a pool for Local Traffic Manager

• Create an AAA OAM server

• Configure the SSO object with the EAM method type as OAM

• Configure the access profile using SSO and associate the SSO object to the access profile

• Create a virtual server and associate the access profile to the virtual server

• Assign the default pool to the virtual server

To configure the Access Server and Access Gate

1. Configure the Access Server and Access Gate through the Oracle Access administrative user interface. For detailed steps, refer to the Oracle Access Manager Access Administration Guide provided when you purchased your Oracle Access Manager.

To create a node for the web server

1. In the navigation pane, expand Local Traffic, and select Nodes. The Node List screen opens.

2. From General Properties, type the address of the web server.

3. Click Finished. The new node is now added to the Node List.

4. Repeat the steps above to create a node for every backend web server.


To create a pool for Local Traffic Manager

1. In the navigation pane, expand Local Traffic, and select Pools. The Pool List screen opens.

2. Click Create. The New Pool screen opens.

3. In the Name box, type a name for your pool, and click Finished. The new pool is now added to the Pool List.

To create an AAA OAM server

1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The New Server General Properties screen opens.

2. Type a name for your AAA server and select Oracle Access Manager from the Type list. The screen refreshes to provide additional settings specific to the OAM Type.

3. Under Configuration, for Access Server Name, type in the access server name. This is the name of the access server that was added to the OAM server using Oracle’s administration user interface.

4. For Access Server Hostname, type in the access server machine’s host name.

5. For Access Server Port, type in the port number. This is an optional field.

6. For Access Gate Name, type in the name for the Access Gate. This is the name of the access server added to the OAM server.

7. In the Password box, type in the password for the Access Gate.

8. Click Finished. This adds the new OAM server to the AAA Server List.

Note

You cannot create more than one OAM server object.

To configure the SSO object with the EAM method type as OAM

1. In the navigation pane, expand Access Policy, and select SSO Configurations. The SSO Config list screen opens.

2. Click Create. The General Properties screen opens.

3. From the SSO method, select the authentication method you want to use with OAM.


4. Under SSO Method Configuration, specify the username and password you want cached for single sign-on.

5. Under External Access Management, select Oracle Access Management as the Access Management Method.

6. For Oracle Access Management Server, select the Oracle Access Management server you created previously.

7. Click Finished. You are now ready to configure your access profile with the appropriate access policy.

To configure the access profile and associate the SSO object to the access profile

1. In the navigation pane, expand Access Policy. The Profile List screen opens.

2. Select an access profile by clicking on Edit to launch the visual policy editor.

3. Configure your access profile with the appropriate access policy, for example, SSO Credential Mapping.

4. Click Apply Access Policy. You are now ready to associate the SSO object to your access profile.

To create a virtual server and associate the access profile to the virtual server

1. In the navigation pane, expand Local Traffic, and select Virtual Servers. The Virtual Server List screen opens.

2. From the Access Profile setting under Access Policy, select the access profile you want to associate with your virtual server.

3. Click Update. Your access profile is now associated with your virtual server.

To assign a default pool to the virtual server

1. In the navigation pane, expand Local Traffic, and select Virtual Servers. The Virtual Server List screen opens.

2. Select your access profile you created from the Virtual Server List.

3. Select the Resources menu.

4. From the Default Pool box, assign the pool you created for OAM.


5. Click Update. You have successfully configured Access Policy Manager with OAM as the SSO method.


Common use cases for Single Sign-On deployment

You have the flexibility to deploy Single Sign-On in a variety of ways, depending on your needs within your networking environment. This section provides common use cases in which you can deploy Single Sign-On.

• Through BIG-IP Local Traffic Manager

• Through a network access tunnel with layered virtuals

• Through web applications

Using Single Sign-On for LTM pool members

You can deploy SSO with Local Traffic Manager™ pool members.

The following are requirements to successfully deploy SSO for Local Traffic Manager:

• A virtual server already configured on Local Traffic Manager.

• An SSO object

• An access policy with the SSO object associated to it.

To configure an access policy

Before you proceed, you should have a virtual server already configured for Local Traffic Manager. For more information on how to set this up, refer to the Configuration Guide for BIG-IP® Local Traffic Manager™ available on https://support.f5.com.

Also, you should have an SSO method configured. Refer to General SSO object attributes on page 13-2, and Assigning SSO configuration objects on page 13-5, for more information.

1. In the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles List screen opens.

2. Click Create. The New Profile screen opens.

3. Type a name for your access policy.

4. Leave all other settings as the default. Ensure that the SSO Configuration specifies None.

5. Click Finished. The system adds the new access policy to the Access Profile list.

6. From the Access Profiles List, click the new access policy you just created. The Properties page opens.

7. Select the Access Policy tab.

8. Click Edit Access Policy for Profile <"name">. The visual policy editor opens.


9. Add your objects to the access policy.

Once you have added your SSO object to your access policy, bind the access policy to your Local Traffic Manager virtual server.

Using Single Sign-On for web application access over network access tunnel

You can configure your network access to support SSO through a layered virtual server. This gives your users full network access to multiple web services without requiring them to enter their credentials multiple times.

The following are requirements to deploy SSO for network access:

• One HTTP virtual server for network access.

• One or more HTTP layered virtual servers, one for each backend protected web service that requires authentication and SSO support.

Note

To ensure that each layered virtual server handles only traffic that arrives over the network access tunnel, select the network access tunnel from the VLAN and Tunnel Traffic list on that virtual server. For more information, refer to the steps in To configure a layered virtual server for your web service, on page 13-17.

To configure network access

1. In the navigation pane, expand Access Policy, and click Network Access. The Network Access Resource List screen opens.

2. Click Create. The New Resource screen opens.

3. In the Name box, type a name for the network access resource.

4. Configure the General Settings for the network access resource. See Configuring general network access server settings, on page 2-5, for more information, or refer to the online help.

5. Configure the Client Settings for the network access resource. See Configuring settings on network access clients, on page 2-6, for more information, or refer to the online help.

6. Click Finished to save the network access resource. The Network Access configuration screen opens, and you can configure the properties for the network access resource.

To configure network access properties

1. On the Main tab of the navigation pane, expand Access Policy, and click Network Access. The Network Access Resource List screen opens.

2. Click a network access resource on the Resource List. The Network Access editing screen opens. This screen also opens immediately after you create a new network access resource.

3. Configure the Properties for the network access resource on the Properties tab. See Setting up network access, on page 2-5, for more information.

4. Configure the DNS and hosts for the network access resource on the DNS/Hosts tab. See Setting DNS and hosts options, on page 2-9, for more information, or refer to the online help.

5. Configure drive mappings for the network access resource on the Drive Mappings tab. See Mapping drives with network access, on page 2-10, for more information, or refer to the online help.

6. Configure applications to launch for the network access resource on the Launch Applications tab. See Launching applications with network access connections, on page 2-11, for more information, or refer to the online help.

Note

If you use split tunneling for network traffic, you must configure the LAN Address Space setting so that traffic for the web services is routed into the network access tunnel rather than out of the client's local interface. For more information on how to configure LAN address space, see To configure network access properties, on page 2-4.

To configure an access policy profile

Once you configure for network access, the next step is to configure an access policy profile to manage your network access.

1. In the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles List screen opens.

2. Click Create. The New Profile screen opens.

3. Type a name for your access policy.

4. Leave all other settings as the default. Ensure that the SSO Configuration field specifies None.

5. Click Finished. The new access policy is now added to the Access Profile list.

6. From the Access Profiles list, click the new access policy you just created. The Properties page opens.

7. Select the Access Policy tab.

8. Click Edit Access Policy for Profile <"name">. The visual policy editor opens.

9. Add your objects to the access policy.

To create an HTTP virtual server for the network access

Once you have created and configured the access policy profile that manages your network access, the next step is to create a virtual server and associate that access policy with it.

1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers. The Virtual Server List screen opens.

2. Click Create. The New Virtual Server screen opens.

3. Specify the Name, Destination, and Service port.

4. Specify both the SSL Profile (Client) and the SSL Profile (Server).

5. For SNAT Pool, change the default from None to Auto Map.

6. Under Access Profile, select the policy you created in Access Policy.

7. Click Finished.

After you have configured your network access, created an access policy profile, and created an HTTP virtual server for your network access, a user can log on to Access Policy Manager and has full access to all of their web services. However, each web service still prompts the user for credentials. To eliminate those repeated credential prompts, follow the additional steps below.

To configure a layered virtual server for your web service

Important

Before you proceed to create a layered virtual server for your web service, make sure to create an SSO object and select a preferred SSO method for your object. For more information on how to create an SSO object, refer to General SSO object attributes, on page 13-2.

1. In the navigation pane, expand Access Policy, and click Access Profiles. The Access Profile screen opens.

2. Create an access profile with a dummy default access policy.

3. From the Access Profiles list screen for your access profile, make sure to select the SSO object that you created and want to associate with this access profile in SSO Configuration.

4. Click Update.

Now, you need to associate a layered HTTP virtual server for your web service with the virtual server for network access.

5. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers. The Virtual Server List screen opens.

6. Select the layered virtual server you created for your web service. The General Properties screen opens.

7. From the VLAN and Tunnel Traffic list, select the network access tunnel, so that the layered virtual server accepts only traffic that arrives over the network access tunnel interface. Traffic from any other VLAN never reaches this SSO-enabled listener.

8. Associate the dummy access profile you created by selecting it from the Access Profile list.

Important

Make sure that both the Address Translation and Port Translation settings remain cleared. You can find these settings by selecting the Advanced option for Configuration. With translation disabled, the layered virtual server forwards each request to the destination address and port the client originally requested instead of rewriting them.

9. Click Update.

The network access virtual server is created once. For every additional web service, repeat the steps in To configure a layered virtual server for your web service.

Your users are now able to access multiple web services without having to enter their credentials multiple times.
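The two virtual servers this procedure builds, the network access listener and one layered virtual server for a web service, expressed as tmsh commands. This is an added example and is not part of the original guide or F5's own documentation. Every name and address in it is an assumption: the network access virtual server vs_na_https on 203.0.113.10, an internal web service at 10.10.1.20:80, the access profile na_access that assigns the network access resource, the connectivity profile na_connectivity, the dummy access profile sso_dummy_access whose SSO Configuration was already pointed at your SSO object, and a tunnel named na_tunnel created for the connectivity profile. That access profiles are attached through the virtual server's profiles list, and the tunnel name, are also assumptions; confirm both on your system with tmsh list before relying on them.

```tmsh
# Added example (not from the F5 guide). All names, addresses and the tunnel
# name are assumptions; verify them with "tmsh list" on your own system.

# 1. Network access virtual server: the HTTPS listener users log on to.
#    SNAT automap makes the web services answer back through the BIG-IP
#    instead of replying directly to the tunnel client address.
tmsh create ltm virtual vs_na_https \
    destination 203.0.113.10:443 \
    ip-protocol tcp \
    profiles add { http clientssl { context clientside } na_access na_connectivity } \
    snat automap

# 2. Layered virtual server for one protected web service (one per service).
#    - vlans-enabled with vlans { na_tunnel }: the listener accepts only
#      traffic that arrives over the network access tunnel, so the
#      SSO-enabled virtual server is never reachable from another VLAN.
#    - translate-address/translate-port disabled: the request is forwarded
#      to the destination the client asked for, as the guide requires.
#    - sso_dummy_access: the dummy access profile that carries the SSO object.
tmsh create ltm virtual vs_layered_intranet \
    destination 10.10.1.20:80 \
    ip-protocol tcp \
    vlans add { na_tunnel } vlans-enabled \
    translate-address disabled translate-port disabled \
    profiles add { http sso_dummy_access }

# 3. Check which VLANs/tunnels each listener accepts and that translation
#    is really off on the layered virtual server, then persist the config.
tmsh list ltm virtual vs_na_https
tmsh list ltm virtual vs_layered_intranet
tmsh save sys config
```

If the listing for vs_layered_intranet shows vlans-disabled or an empty vlans list, the SSO listener is exposed on every VLAN the BIG-IP has, which is the condition the Note at the start of this section warns against.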

Configuring web applications for single sign-on

You can configure single sign-on so that users can access their web applications without entering their credentials multiple times. You can add, modify, or delete your SSO configuration object at any time.

You can assign an SSO object as part of the web application resource item. If you do not configure an SSO object at that level, you can use the SSO object at the access profile level instead.

To configure web applications for single sign-on

1. In the navigation pane, expand Access Policy and click SSO Configurations. The New SSO Configuration screen opens.

2. From the SSO Method list, select an SSO method. Additional fields may appear depending on your selection.

3. Type a name for the SSO object.

4. Under Configuration, configure the settings. For detailed information about each setting, refer to the online help.

5. Click Finished. The SSO object is now added to the SSO list. Note that these objects are made available to the access policy as session variables.

6. In the navigation pane, expand Access Policy, click Access Profiles, and select the access profile you want the SSO configuration object assigned to.

7. Click the Properties tab. The General Properties screen opens.

8. Under Configurations, in the SSO Configuration field, select your SSO configuration object.

9. Click Finished. The SSO configuration object is now assigned to your access profile.

To assign an SSO object to a web application resource item

1. In the navigation pane, expand Access Policy and click Web Application. The Resource List opens.

2. Click the name of your Web Application. The Properties page opens.

3. Under Resource Item, add your web application resource item or click an existing one. The Properties page opens.

4. Under Resource Item Properties, from the SSO Configuration list, select your SSO configuration.

5. Click Update.

Viewing log messages

To view log messages for OAM generated by the system, in the navigation pane, expand Access Policy, select Reports, and click Current Sessions.

14

Configuring Virtual Servers

• Introducing virtual servers with Access Policy Manager

• Configuring virtual servers for access policies

• Configuring a local traffic virtual server with an access policy


Introducing virtual servers with Access Policy Manager

With BIG-IP® Access Policy Manager™, you configure virtual servers with particular configurations for network access connections or web application access. For web application access management, you configure an existing Local Traffic Manager™ virtual server to use an access policy, or you can create a new virtual server for this purpose. The IP address assigned to a virtual server is the one that is typically exposed to the Internet for SSL VPN services.

When creating a virtual server, specify that the virtual server is a host virtual server for Access Policy Manager, and not a network virtual server. (For more information on host and network virtual servers, see the Configuring Virtual Servers chapter in the Configuration Guide for BIG-IP® Local Traffic Manager™.) In either case, you need only configure a few settings: a unique name for the virtual server, a destination address, and a service port.

Important

When you create a virtual server, the BIG-IP system places the virtual server into your current administrative partition. For information on partitions, see the TMOS® Management Guide for BIG-IP® Systems.

For production deployment of your configuration, you should either edit the clientssl profile to use your imported certificate and key, or create a new profile based on the clientssl profile that uses your own certificate and key. For more information, see Configuring a clientssl profile, on page 12-8. For initial evaluation of Access Policy Manager, you may select the default clientssl profile in the SSL Profile (Client) list. This default profile does not contain a valid SSL server certificate: browsers warn about it, and users have no way to verify that they are connecting to your system, so use it only for initial evaluation and testing.


Configuring virtual servers for access policies

You create a virtual server to provide a portal for user logons to Access Policy Manager resources. At a minimum, you must create one virtual server on which your users can log on.

To create a virtual server for a secure connection

1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers. The Virtual Server List screen opens.

2. Click Create. The New Virtual Server screen opens.

3. In the Name box, type a name for the virtual server.

4. In the Destination area, select host.

5. In the Address box, type the virtual server host IP address.

6. From the Service Port list, select HTTPS.

7. From the HTTP Profile list, select http.

8. From the SSL Profile (Client) list, select the client SSL profile to use with this virtual server.

9. If your web application server is using HTTPS services, from the SSL Profile (Server) list, select the server SSL profile to use with this virtual server.

10. For a web applications virtual server, from the SNAT Pool list, select Auto Map.

11. From the Access Profile list, select the access profile to associate with this virtual server. You must create this access profile before you define the virtual server. There is no default access profile available.

12. For a network access connection only, from the Connectivity Profile list, select the connectivity profile to associate with this virtual server. There is no default connectivity profile, so you must create a connectivity profile before you can select one from this list.

13. If you are creating a virtual server to use with web applications, from the Rewrite Profile list, select the rewrite profile. You can select a rewrite profile with a network access configuration.

14. If you are configuring an access policy for use with Microsoft™ ActiveSync, add the ActiveSync iRule. In the Resources section, next to iRules, select _sys_APM_activesync in the Available list, and click the << button to move the iRule to the Enabled list.


15. If you are creating a virtual server to use with a web application in minimal patching mode, from the Default pool list, select the local traffic pool for this application.

16. Click Finished to complete the configuration.

Creating a virtual server for DTLS

To configure DTLS mode for a network access connection, you must configure a virtual server specifically for use with DTLS. This DTLS virtual server must have the same IP address as the TCP (HTTPS) virtual server to which a user connects to start an Access Policy Manager session. The network access resource assigned by the access policy on the TCP virtual server sharing the same address must be configured with the DTLS option selected. After the Access Policy Manager session is established, the network access tunnel is started using the DTLS virtual server, on the same IP address.

For more information, see Configuring settings on network access clients, on page 2-6.

To create a virtual server for use with DTLS

1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers. The Virtual Server List screen opens.

2. Click Create. The New Virtual Server screen opens.

3. In the Name box, type a name for the virtual server.

4. In the Destination area, select host for the type of virtual server.

5. In the Address box, type the virtual server host IP address. This is the same IP address as the TCP virtual server to which your users connect.

6. In the Service Port box, type the port number that you specified in the Network Access resource configuration, in the DTLS Port box. By default, the DTLS port is 4433.

7. In the Configuration area, from the Protocol list, select UDP.

8. From the Connectivity Profile list, select the connectivity profile associated with this virtual server. This profile specifies client connection behavior and configuration.

9. From the SSL Profile (Client) list, select the client SSL profile to use with this virtual server.

10. Click Finished to complete the configuration.
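The logon virtual server from To create a virtual server for a secure connection and its companion DTLS virtual server from the procedure above, as tmsh commands. This is an added example, not part of the original guide or F5's documentation, and it assumes names that do not appear on the page: a client SSL profile clientssl_corp built from your own certificate and key files corp.crt and corp.key, the access profile na_access (which must assign a network access resource created with the DTLS option and DTLS Port 4433), the connectivity profile na_connectivity, and the address 203.0.113.10. That access and connectivity profiles are attached through the virtual server's profiles list is an assumption to confirm on your version.

```tmsh
# Added example (not from the F5 guide). Names, addresses and file names are
# assumptions.

# 0. Production client SSL profile with your own certificate and key, instead of
#    the default clientssl profile and its placeholder certificate.
tmsh create ltm profile clientssl clientssl_corp \
    defaults-from clientssl \
    cert corp.crt key corp.key

# 1. TCP (HTTPS) listener users log on to. It carries the access profile that
#    assigns the DTLS-enabled network access resource.
tmsh create ltm virtual vs_apm_portal \
    destination 203.0.113.10:443 \
    ip-protocol tcp \
    profiles add { http clientssl_corp { context clientside } na_access na_connectivity } \
    snat automap

# Optional: only when the same listener must serve Microsoft ActiveSync clients.
# tmsh modify ltm virtual vs_apm_portal rules { _sys_APM_activesync }

# 2. Companion DTLS listener: same address, UDP, the DTLS port from the network
#    access resource (4433 by default), same connectivity and client SSL profiles.
#    No http profile and no access profile: the session is established on the
#    TCP listener first, and the tunnel is then started here.
tmsh create ltm virtual vs_apm_dtls \
    destination 203.0.113.10:4433 \
    ip-protocol udp \
    profiles add { clientssl_corp { context clientside } na_connectivity }

# 3. Check the pairing: both listeners on one address, one tcp and one udp.
tmsh list ltm virtual vs_apm_portal destination ip-protocol
tmsh list ltm virtual vs_apm_dtls destination ip-protocol
tmsh save sys config
```

If the two destinations differ, or the DTLS port in the listing does not match the DTLS Port in the network access resource, clients fall back to or fail on the tunnel start even though the logon succeeds.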


Configuring a local traffic virtual server with an access policy

To configure virtual servers for web application access management, you must configure both the BIG-IP® Local Traffic Manager™ and Access Policy Manager.

When you configure for this method of access, you create a virtual server that has one or more pool members and HTTP servers, and you attach an access policy to that virtual server. For more details, see Chapter 4, Configuring Web Application Access Management.

To create a virtual server for web application access management

1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.

2. Click Create.

3. Type the name and address of the virtual server.

4. Select a service port.

5. Select the HTTP Profile from the available options. The default profile, http, is usually sufficient, unless additional configuration options are needed.

6. Select the SSL Profile (Client) setting. A client SSL profile is only required if you want to enable SSL from the client to the virtual server. Without it, the logon page and any credentials it collects travel unencrypted between the client and the BIG-IP system.

7. Select the SSL Profile (Server) setting. A server SSL profile is only required if the pool members require SSL.

8. From the Access Profile list, select an access profile you created for web application access management.

9. Click Finished. The Virtual Server List screen opens.

10. Click the Resources tab.

11. From the Default Pool list, select a default pool. To configure and create local traffic pools, see the Configuration Guide for BIG-IP® Local Traffic Manager™.

12. Click Update.
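The pool and the virtual server from the procedure above, as tmsh commands. This is an added example, not part of the original guide or F5's documentation. It assumes two HTTPS application servers at 10.20.0.11 and 10.20.0.12, a pool named pool_intranet_app, a virtual server vs_intranet_app on 203.0.113.20, a client SSL profile clientssl_corp that already exists with your certificate, the built-in serverssl profile for the back-end hop, and an access profile webapp_access created for web application access management; that the access profile is attached through the profiles list is an assumption to confirm on your version.

```tmsh
# Added example (not from the F5 guide). Names and addresses are assumptions.

# 1. Pool of the protected application servers, health-checked over HTTPS so a
#    member with a broken TLS listener is taken out of rotation.
tmsh create ltm pool pool_intranet_app \
    monitor https \
    members add { 10.20.0.11:443 10.20.0.12:443 }

# 2. Virtual server that fronts the pool. The access profile runs the access
#    policy before any request is sent to a pool member; the client SSL profile
#    terminates the user's TLS, and the server SSL profile re-encrypts to the
#    pool members so the hop behind the BIG-IP is not in the clear.
tmsh create ltm virtual vs_intranet_app \
    destination 203.0.113.20:443 \
    ip-protocol tcp \
    profiles add { http clientssl_corp { context clientside } serverssl { context serverside } webapp_access } \
    pool pool_intranet_app

# 3. Confirm the access profile and the pool are both on the listener, then save.
tmsh list ltm virtual vs_intranet_app
tmsh save sys config
```

Add snat automap to the virtual server only if the pool members do not route their replies back through the BIG-IP; otherwise leave it off so the application logs still see the real client address.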


15

Customizing Access Policy Manager Features

• Setting up access profile customization

• Customizing a webtop

• Customizing the BIG-IP Edge Client

• Introducing advanced access policy customization


Setting up access profile customization

In an access profile you can customize the logon page components, as well as many other aspects of logon page behavior. You can customize access profile settings to provide users with a more branded or localized experience for the logon page and for error messages.

In an access profile, you can customize the following settings:

• Endpoint security messages (eps) for the endpoint security actions in the access policy. For more information see Understanding endpoint security message customization, on page 15-2.

• Error messages (errormap) for the logon process and access policy. For more information see Customizing error messages for the logon process, on page 15-4.

• Browser messages and formatting for screens displayed when the access policy is starting (framework installation). For more information see Understanding framework installation customization options, on page 15-8.

• Full logon page CSS customization (general_ui). For more information see Understanding logon page style customization options, on page 15-9.

• Logout page messages (logout). For more information see Understanding logout components, on page 15-13.

In addition, when customizing access profile settings, you can select the language for which you are customizing.

Note

If you customize messages, you must customize the same messages separately for each accepted language. Otherwise, default messages will appear for any accepted language for which you have not customized messages. It is recommended that if you customize messages for a specific accepted language, you remove all other languages from the accepted language list. You can add and remove languages from the accepted language list in the access profile.

To customize the access profile

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. Click the name of the profile to customize. The Access Profile Properties screen opens.

3. Click the Customization tab. The Access Profile Customization screen opens.

4. Under Customization Lookup, from the Customization Type list, select the element you want to customize.

5. From the Language list, select the language for which you want to customize the access profile.

6. Click the Find Customization button. The screen refreshes to show the selected customization information.

7. Configure the customization for the selected customization type.

8. To restore the default setting for a customization, click the Restore button next to the setting. To restore all defaults for a customization category, click the Restore All Defaults button.

9. Click Update.

Understanding endpoint security message customization

You can customize the endpoint security messages that appear when the client or browser processes endpoint security checks. To display endpoint security messages on the Customization page, from the Customization Type list select eps, from the Language list select the language for which you want to customize messages, and then click Find Customization.

You can customize the following endpoint security messages:

• Antivirus check message: Specifies the message displayed while the antivirus check action is checking the system.

• File check message: Specifies the message displayed while the file check action is checking the system.

• Firewall check message: Specifies the message displayed while the firewall check action is checking the system.

• Windows machine certificate check message: Specifies the message displayed while the Windows machine certificate check action is checking the system.

• Process check message: Specifies the message displayed while the process check action is checking the system.

• Windows Registry check message: Specifies the message displayed while the registry check action is checking the system.

• Windows Group Policy action message: Specifies the message displayed while the Windows group policy action is configuring the system.

• Windows Info check message: Specifies the message displayed while the Windows information check action is checking the system.

• Windows Protected Workspace action message: Specifies the message displayed while the Protected Workspace action is starting the protected workspace.

• Windows Protected Workspace logon: short message: Specifies the message displayed on the client when protected workspace resumes the logon procedure after starting.

• Windows Protected Workspace continuing: extended message: Specifies the message displayed when the protected workspace starts, and the system requires some time to display the protected workspace.

• Windows Protected Workspace continue link: Specifies the link text that the user can click to continue without starting protected workspace.

• Windows Protected Workspace started: close browser message: Specifies the message displayed when protected workspace has successfully started.

• Checking client message: Specifies the message displayed when the system is checking the client for an unspecified action.

• Installing message (appended to other messages): Specifies the message displayed while the client is installing software.

• Downloading message (appended to other messages): Specifies the message displayed while the client is downloading software components.

• New browser window required message: Specifies the message displayed when browser settings have changed, and the user must open a new browser window to continue.

• Continue link: Specifies the link text that the user clicks to continue after opening a new browser window.

• Continue without endpoint inspection message: Specifies the messages displayed when client-side security checks fail. You can specify link text to cancel and link text to continue. The continue link allows the client to continue on the fallback branch.

• Cache and session control ActiveX loading message: Specifies the message displayed when the cache and session control ActiveX control is loading and the user may be prompted to allow cache and session control installation.

• Cache and session control ActiveX missing message: Specifies the text displayed when the client requires ActiveX to start the cache and session control plug-in, and ActiveX is not available or enabled.

• Cache and session control continue link: Specifies the link text that the user clicks to continue when the cache and session control plug-in cannot load.

• Cache and session control blocked popup message: Specifies the message displayed when a popup blocker is enabled. The message includes information on how to allow popups from the BIG-IP device. Note: We recommend that you use an HTML editor to edit the HTML code for this box. The code appears unformatted and without line breaks in the box.

• Cache and session control failure message: Specifies the message displayed when the cache and session control plug-in fails to start. The message includes information on possible causes. Note: We recommend that you use an HTML editor to edit the HTML code for this box. The code appears unformatted and without line breaks in the box.

• Cache and session control loading message: Specifies the text displayed while the cache and session control plug-in starts. Note: We recommend that you use an HTML editor to edit the HTML code for this box. The code appears unformatted and without line breaks in the box.

• Virtual keyboard label: Specifies the label for the virtual keyboard.

• Virtual keyboard hide keyboard link: Specifies the link text that the user clicks to hide the virtual keyboard.

Table 15.1 Endpoint security customization messages

Customizing error messages for the logon process

You can customize the error messages that appear when the client or browser encounters errors while processing the logon page or running access policy sessions. To display error messages on the Customization page, from the Customization Type list select errormap, then from the Language list select the language for which you want to customize error messages, and then click Find Customization.

Error messages are separated into categories, for easier configuration.

Reviewing general error messages

The following error messages occur for general access policy errors.

• Request error: Specifies the error displayed when there is a malformed request or there is another problem with a request.

• Invalid Network Access resource: Specifies the error displayed when the access profile cannot find a valid Network Access resource.

• Client IP address changed: Specifies the error displayed if the client IP address changes while the session is in progress.

• Unsupported User-Agent: Specifies the error displayed when the browser user agent is not supported in the policy.

• User limit reached: Specifies the error displayed when the resource cannot be assigned because the limit on the number of sessions has been reached.

• Terminated Session: Specifies the error displayed when the session is terminated by the server.

• Server in maintenance mode: Specifies the error displayed when a session cannot start because the server is performing maintenance.

• Access denied by ACL: Specifies the error displayed when an ACL entry denies access.

• System is not licensed: Specifies the error displayed when a session cannot start because the system is not licensed.

• Session ID is not found: Specifies the error displayed when cookies are disabled, and this causes the session ID to be unavailable in the request.

• Invalid Session ID: Specifies the error displayed when the Session ID is not correct. This may occur because the session has timed out.

Table 15.2 General error customization messages

Reviewing AAA error messages

The following error messages occur for AAA access policy errors.

• Incorrect username or password: Specifies the text displayed when the user name or password is incorrect.

• Incorrect RADIUS username or password with extended error: Specifies the text displayed when the RADIUS user name or password is incorrect, and includes the error message from the RADIUS component.

• RADIUS challenge failure: Specifies the text displayed when a RADIUS challenge fails.

• RADIUS challenge failure with extended error: Specifies the text displayed when a RADIUS challenge fails, and includes the error message from the RADIUS component.

• Incorrect LDAP username or password with extended error: Specifies the text displayed when the LDAP user name or password is incorrect, and includes the error message from the LDAP component.

• Incorrect AD username or password with extended error: Specifies the text displayed when the Active Directory user name or password is incorrect, and includes the error message from the Active Directory component.

• AD domain password expired: Specifies the text displayed when the Active Directory domain password has expired.

• AD domain password expired with extended error: Specifies the text displayed when the Active Directory password has expired, and includes the error message from the Active Directory component.

• AD domain password change failure: Specifies the text displayed when the attempt to change the Active Directory password failed.

• AD domain password change failure with extended error: Specifies the text displayed when the attempt to change the Active Directory password failed, and includes the error message from the Active Directory component.

• SecurID logon failure with retry: Specifies the text displayed when the RSA SecurID logon or password is incorrect.

• SecurID logon failure with retry with extended error: Specifies the text displayed when the RSA SecurID logon or password is incorrect, and includes the error message from the SecurID component.

Table 15.3 AAA error customization messages


Reviewing installation error messages

The following error messages occur for software installation in access policies.

• ActiveX is not allowed or unsupported: Specifies the error displayed when the access policy attempts to load an ActiveX control in Microsoft Internet Explorer, and ActiveX is not enabled.

• Installation failure: Specifies the error displayed when installation of a browser component fails.

Reviewing resource error messages

The following error messages occur for resources in access policies.

• Webtop required: Specifies the error text displayed when a webtop is required, but not assigned.

• Incorrect resource assigned (Network Access): Specifies the error text displayed when a resource assign action is configured to assign a web application webtop with a network access resource. Webtop and resource types must match.

• Incorrect resource assigned (Web Application): Specifies the error text displayed when a resource assign action is configured to assign a network access webtop with a web application resource. Webtop and resource types must match.

• Missing Network Access resource: Specifies the error text displayed when a network access webtop is configured with no network access resource.

• More than one Network Access resource: Specifies the error text displayed when more than one network access resource is assigned to an access policy branch.

• Network Access and Web Application resources assigned: Specifies the error text displayed when both network access and web application resources are assigned to an access policy branch.

• Web Application resources have inconsistent patching methods: Specifies the error text displayed when multiple web applications are assigned to an access policy branch, with different patching methods. All web application resources assigned to an access policy branch must use the same patching method.

• Resource does not exist: Specifies the error text displayed when the assigned resource does not exist.

• Webtop does not exist: Specifies the error text displayed when the assigned webtop does not exist.

• ACL does not exist: Specifies the error text displayed when the assigned ACL does not exist.

• Inconsistent host replacement string: Specifies the error text displayed when web application resources configured in Minimal Patching mode contain inconsistent host replace strings.

• Invalid Web Application start URI: Specifies the error text displayed when the web application webtop has an invalid start URI.

Table 15.4 Resource error customization messages

Configuration Guide for BIG-IP® Access Policy Manager™ 15 - 7

Page 346: Configuration Guide for BIG-IP Access Policy Manager

Chapter 15

Understanding other error messages

The following error message occurs for an unknown reason in access policies.

• Unknown error - Specifies the text displayed when an unknown error occurs.

Understanding framework installation customization options

You can customize the layout and content of components that appear on the logon page when the access policy is starting, by customizing the framework installation. To display the framework installation content on the Customization page, from the Customization Type list select framework installation, from the Language list select the language for which you want to customize the framework, then click Find Customization.

Note

We recommend that you use an HTML editor to edit the HTML code for the framework installation. The code appears unformatted and without line breaks in the boxes.

You can customize the following framework installation settings:

• ActiveX install options screen - Specifies the page text and links that prompt a user to install a new ActiveX browser component. This screen appears for Windows Internet Explorer users only.

• Browser plugin install with manual install options screen - Specifies the page text and links that prompt a user to install a new browser plug-in component. This screen provides manual download and installation options. This screen appears for most operating systems and browsers.

• Browser plug-in install with manual install options screen (Linux) - Specifies the page text and links that prompt a user to install a new browser plug-in component. This screen provides manual download and installation options. This screen appears for Linux operating systems and browsers.

• Allow browser plugin install screen - Specifies the page text and links displayed when the user's browser does not currently allow software installation. This page contains information about how to enable software installation, and links to continue to install plug-ins or to continue without installing the browser plug-ins.

• Allow browser plugin install screen (Linux) - Specifies the page text and links displayed when the user's browser does not currently allow software installation. This page contains information about how to enable software installation, and links to continue to install plug-ins or to continue without installing the browser plug-ins. This screen appears for Linux operating systems and browsers.

• Java applet install screen - Specifies the text that appears on a page with a Java applet to install a new browser plugin. This page appears only on non-Windows systems.

• Java applet install started screen - Specifies the page text and links that appear when the Java applet is installing software. This page appears only on non-Windows systems.

• Java applet install started screen on Safari browser - Specifies the page text and links that appear when the Java applet is installing software. This page appears only on Macintosh systems with the Safari web browser.

• Java applet install failure screen - Specifies the page text and links that appear when the installation of software with a Java applet fails. This page allows the user options to restart the session, download and manually install the software, or continue without installing software. This page appears only on non-Windows systems.

Table 15.5 Framework installation customization options

Understanding logon page style customization options

You can customize the styles (CSS) for the logon page. To display these elements on the Customization page, from the Customization Type list select general_ui, from the Language list select the language for which you want to customize the framework, then click Find Customization.

Styles you can customize are separated into categories to simplify your configuration.

Reviewing general page style settings

You can customize the following settings for the general logon page style.

• Page width (px or %) - Specifies the width of the full page in the browser, in pixels or as a percentage. For example, 75%.

• Page alignment - Allows you to select the page alignment graphically.

• Page background color - Specifies the background color of the page, in hexadecimal format. For example, red is #FF0000. The default is white (#FFFFFF).

Table 15.6 General logon page style settings

Reviewing font settings

You can customize the following settings for the logon page fonts.

• Font family (comma-separated) - Specifies the font family, for example, Arial, Helvetica, sans-serif.

• Headline font size (px) - Specifies the font size for headline elements, in pixels (px). For example, 24px.

• Text font size (px) - Specifies the font size for body text elements, in pixels (px). For example, 12px.

Table 15.7 Logon page font style settings

Reviewing page header settings

You can customize the following settings for the logon page header.

• Header background color - Specifies the background color of the page header area, in hexadecimal format. For example, red is #FF0000. The default is white (#FFFFFF).

• Header left image - Specifies the image that is displayed on the left side of the header. Click Browse to select a local file. Click the View/Hide link to show or hide the specified graphical element.

• Header right image - Specifies the image that is displayed on the right side of the header. Click Browse to select a local file. Click the View/Hide link to show or hide the specified graphical element.

Table 15.8 Logon page header settings

Understanding page footer settings

You can customize the following settings for the logon page footer.

• Footer font size (px) - Specifies the text size for the footer text, in pixels. For example, 12px.

• Footer text - Specifies the text message in the form footer.

Understanding layout settings

You can customize the following settings for the logon page layout.

• Page layout - Allows you to specify the page layout graphically.

• Main table background color - Specifies the background color of the main table, which includes the logon form and image cells. This color is specified in hexadecimal format. For example, red is #FF0000. The default is white (#FFFFFF).

• Form cell width (px or %) - Specifies the width of the table cell allotted for the logon form, in pixels or as a percentage. For example, 50% or 350px. Note that the page width as a whole, of which this value is a portion, is defined with the Page Width setting.

• Image cell width - Specifies the width of the table cell allotted for the logon page image, in pixels or as a percentage. For example, 50% or 350px. Note that the page width as a whole, of which this value is a portion, is defined with the Page Width setting.

Table 15.9 Logon page layout settings

Understanding image settings

You can customize the following settings for logon page images.

• Side image alignment - Allows you to specify graphically how the image aligns within the image cell.

• Default image - Specifies the default image displayed when a logon page is returned to the user. Click Browse to select an image. Click the View/Hide link to show or hide the specified graphical element. The initial logon page image is not specified here. You can specify the initial logon page image in the logon page action in the access policy.

• Image top margin (px) - Specifies the margin between the top of the image cell and the image, in pixels. For example, 30px.

• Image left margin (px) - Specifies the margin between the left side of the image cell and the image, in pixels. For example, 15px.

• Image right margin - Specifies the margin between the right side of the image cell and the image, in pixels. For example, 40px.

Table 15.10 Logon page image settings

Understanding form settings

You can customize the following settings for the logon page forms.

• Form alignment - Allows you to graphically specify how the logon form is aligned within the logon cell.

• Form width (px or %) - Specifies the width of the logon form, in pixels, or as a percentage of the logon form cell. For example, 300px or 85%.

• Form height (px, %, or auto) - Specifies the height of the logon form, in pixels, as a percentage of the logon form cell, or automatically, based on the contents of the cell. For example, 600px, 50%, or auto.

• Form background color - Specifies the background color of the logon form, in hexadecimal format. For example, red is #FF0000. The default is light gray (#EEEEEE).

• Form top margin (px) - Specifies the margin between the top of the logon form and the top of the logon form cell, in pixels. For example, 30px.

• Form left margin (px) - Specifies the margin between the left side of the logon form and the logon form cell, in pixels. For example, 30px.

• Form right margin (px) - Specifies the margin between the right side of the logon form and the logon form cell, in pixels. For example, 30px.

Table 15.11 Logon page form settings

Understanding form element settings

You can customize the following settings for logon page form elements.

• Header alignment - Allows you to graphically specify how the logon form is aligned within the logon cell.

• Label position - Allows you to graphically specify where logon form labels are placed relative to form boxes.

• Label alignment - Allows you to graphically specify how text labels for form boxes align.

• Field alignment - Allows you to graphically specify how form boxes align.

• Label width (%) - Specifies the width of text labels, relative to the width of the form cell, as a percentage. For example, 50%.

• Field width (%) - Specifies the width of text boxes, relative to the width of the form cell, specified as a percentage. For example, 50%.

Table 15.12 Logon page form element settings

Understanding other settings

You can customize the following settings for other elements on the logon page.

• JavaScript disabled warning - Specifies the text displayed when JavaScript is not enabled, on platforms and browsers that require it.

• New session text - Specifies the text displayed before the new session link.

• New session link - Specifies the text displayed as a link to start a new session.

Table 15.13 Other logon page settings

Understanding logout components

You can customize logout components. Logout components are messages that are displayed when a user cannot log on because of an access policy error, or when the user logs off successfully. These messages can be customized with logout customization. Options for customizing logout messages include text for several purposes:

• Success Title - Specifies the text displayed when a session is finished.

• Success Message - Specifies the text displayed when the user logs out successfully.

• Thank you Message - Specifies a thank you message displayed for network access users after logout.

• Error Title - Specifies text that indicates that the session could not start.

• Error Message - Provides a more specific error message that follows the error title, which indicates that a problem may have occurred during access policy evaluation.

• New Session Text - Specifies text that precedes the link a user clicks to start a new session.

• New Session Link - Specifies the text label for the hypertext link to start a new session, such as click here. This link follows the New Session Text.

• Session ID Title - Specifies the text that precedes the session number when an error occurs.

• ACL Denied Page Reject Message - Specifies the message displayed when the user attempts to access a page to which access is specifically denied by an access control list.

• ACL Denied Page Return Link Message - Specifies the link text on the ACL Denied page that the user can click to return to the previous page.

Table 15.14 Logout components

Customizing a webtop

You can customize the appearance of a webtop, including the language of the webtop, the layout of the webtop screen, the messages displayed when starting and closing the connection, and any error messages.

A webtop must be assigned to an access profile to see and customize the webtop for the languages assigned to the access profile. If you customize a webtop that is not assigned to any access profile, you can customize the default set of languages only.

To customize a webtop

1. On the Main tab of the navigation pane, expand Access Policy, then click Webtops. The Webtop List screen opens.

2. Click the name of the webtop to customize. The Webtop Properties screen appears.

3. Click the Customization tab. The Webtop Customization screen appears.

4. From the Language list, select the language for which you want to customize settings.

5. Click the Find Customization button. The screen displays customization settings.

6. Configure customization settings for the webtop.

7. When you have finished, click Update.

Understanding webtop customization fields

You can customize fields for the following webtop sections and items.

Reviewing form and message settings

You can customize the following settings for forms and messages on the webtop.

• Toolbar text - Specifies the text that appears in the webtop toolbar.

• Main webtop form - Specifies the code that creates the main logon form. We recommend that you edit this code in an HTML editor to make the layout easier to view. The main logon form is created from dynamic elements that you can configure on this screen. Do not add manual line breaks to the webtop form; this causes errors. Use the <br> tag to add a line break to the code.

• Request local credentials during Linux installation - Specifies the code that creates a local credentials request screen. This is required for Linux systems only. We recommend that you edit this code in an HTML editor to make the layout easier to view. Do not add manual line breaks to the webtop form; this causes errors. Use the <br> tag to add a line break to the code.

• Initialization message - Specifies the message displayed on the logon screen when the logon sequence is initializing.

• Installation message - Specifies the message displayed on the logon screen when the logon sequence is installing software.

• Loading message - Specifies the message displayed on the logon screen when the logon sequence is starting installed software.

• Queued message - Specifies the message displayed on the logon screen when the client is queued to make a connection.

• Connecting message - Specifies the message displayed on the logon screen when the client is connecting.

• Reconnecting message - Specifies the message displayed on the logon screen when the client is reconnecting.

• Connected message - Specifies the message displayed on the logon screen when the client is connected.

• Disconnected message - Specifies the message displayed on the logon screen when the client is disconnected.

• Failed message - Specifies the message displayed on the logon screen when the connection fails.

• Connection dropped error message - Specifies the message displayed when an error occurs, and the connection is dropped. Check the log files for more specific information.

• Routing table change caused disconnect error message - Specifies the error displayed when a change to the client routing table causes the session to stop and the client to be disconnected.

• Disconnected due to configuration error message - Specifies the error displayed when a configuration error causes the session to stop and the client to be disconnected.

• Network Access client internal error message - Specifies the message displayed when an internal client error occurs and causes the network access session to fail. Check the log files for more specific information.

• Connection closed by server error message - Specifies the error message displayed when an error occurs on the server, and causes the session to fail. Check the log files for more specific information.

• F5 plug-in not installed or incompatible plug-in error message - Specifies the error message displayed when the F5 plug-in is not installed or is incompatible with the current server. This error occurs on Macintosh and Linux clients only.

• Plugin installation incomplete error message - Specifies the message displayed when the F5 plugin is not installed correctly. This error occurs on Linux clients only.

• Connection failed to start error message - Specifies the message displayed when the connection cannot start. Check the log files for more specific information.

• Connection already established error message - Specifies the message displayed when a connection is already established.

• New BIG-IP Edge Client available message - Specifies the message displayed when a newer version of the BIG-IP Edge client plugin is available for download from the server.

• Secure connection stopped message - Specifies the message displayed when the secure connection is stopped by the client. Check the log files for more specific information.

• Connection to server could not start error message - Specifies the error message displayed when the client cannot make a connection to the server. Check the log files for more specific information.

• pppd daemon did not start error message (mac/linux) - Specifies the error message displayed when the pppd daemon cannot start. This error occurs on Macintosh and Linux clients only.

• Installation error pppd daemon not found in /usr/sbin directory (mac/linux) - Specifies the error message displayed when the pppd daemon cannot start. This error occurs on Macintosh and Linux clients only.

• Downloading progress bar (caption) - Specifies the caption displayed above the progress bar when client components are downloading.

Table 15.15 Webtop form and message settings

Reviewing show and hide settings

You can customize the following settings for showing and hiding elements on the webtop.

• Disable logging link - Specifies the link text to disable logging.

• Show label in table caption - Specifies the text on the webtop screen that the user clicks to show a table caption.

• Hide label in table caption - Specifies the text on the webtop screen that the user clicks to hide a table caption.

• Show log file link - Specifies the text on the secure access screen that the user clicks to show the log file.

• Show routing table link - Specifies the text on the webtop screen that the user clicks to show the routing table.

• Show IP address configuration link - Specifies the text on the webtop screen that the user clicks to show the IP address configuration.

• Status element - Specifies the text on the webtop screen that heads the status section.

Table 15.16 Webtop show and hide settings

Understanding logout and relaunch settings

You can customize the following settings for logging off and restarting applications on the webtop.

• Logout link - Specifies the link text on the webtop screen that the user clicks to log out.

• Relaunch applications link - Specifies the link text on the webtop screen that the user clicks to restart the applications that are defined in the network access launch applications section.

Reviewing activity section settings

You can customize the following settings for the activity section on the webtop.

• Activity section caption - Specifies the caption for the section that shows client and server activity.

• Activity section data caption - Specifies the text label for the data element in the activity section.

• Activity received section caption - Specifies the text label for the activity section that appears next to the received data number.

• Activity sent section caption - Specifies the text label for the activity section that appears next to the sent data number.

• Activity compression section caption - Specifies the text label for the compression element in the activity section.

• Activity section received data compression element - Specifies the text label for the activity section that appears next to the received data compression percentage.

• Activity section sent data compression element - Specifies the text label for the activity section that appears next to the sent data compression percentage.

• Details section caption - Specifies the caption for the section that shows details.

Table 15.17 Webtop activity section settings

Understanding new session settings

You can customize the following settings for new sessions on the webtop.

• New session text - Specifies the text that precedes the new session link.

• New session link - Specifies the link text on the webtop screen that the user clicks to start a new session.

Reviewing web applications session timeout settings

Web application timeouts cause special behavior on the web application webtop screen. When the session reaches the session timeout guard time, Access Policy Manager displays a session timeout warning, and dims the screen behind the warning. Depending on the type of timeout, the user sees different choices. You can use the following options to customize and configure session timeout options.

• Session timeout dimmed opacity percentage - Specifies the opacity of the background that appears behind the session timeout warning pop-up screen.

• Session timeout guard time - Specifies the number of seconds before timeout that the session timeout warning pop-up screen appears.

• Session timeout 'inactivity timeout' background color - Specifies the hexadecimal color value of the background that appears behind the session timeout warning pop-up screen, when the timeout occurs because the session is inactive.

• Session timeout 'maximum session timeout' background color - Specifies the hexadecimal color value of the background that appears behind the session timeout warning pop-up screen, when the timeout occurs because the session has reached the maximum timeout.

• Session timeout action choices message - Specifies the message presented above the user actions that are available in the inactivity timeout and maximum timeout pop-up screens.

• Session timeout continue session link - Specifies the link text presented in the inactivity timeout pop-up screen that the user clicks to continue the session.

• Session timeout return to session link - Specifies the link text presented in the maximum session timeout pop-up screen that the user clicks to return to the session.

• Session timeout return to session without further maximum timeout reminders link - Specifies the link text presented in the maximum session timeout pop-up screen that the user clicks to return to the session and turn off any further session expiration warnings.

• Session timeout terminate session link - Specifies the link text presented in both the maximum session timeout and inactivity timeout pop-up screens that the user clicks to end the session.

• Session timeout dialog background color - Specifies the background color of both session timeout pop-up screens.

• Session timeout dialog x-size in pixels - Specifies the width of both session timeout pop-up screens, in pixels.

• Session timeout dialog y-size in pixels - Specifies the height of both session timeout pop-up screens, in pixels.

• Session timeout expired message - Specifies the text that precedes the amount of time until the session expires in both session timeout pop-up screens.

• Session timeout 'inactivity timeout' message - Specifies the text heading on the session timeout warning pop-up screen, when the timeout occurs because the session is idle.

• Session timeout 'maximum session timeout' message - Specifies the text heading on the session timeout warning pop-up screen, when the timeout occurs because the maximum duration for the session has been reached.

Table 15.18 Session timeout settings

Reviewing web applications hometab settings

Web applications connections include an optional hometab, which provides buttons and links for working with web applications and a URL bar. You can customize and configure the hometab with the following options.

• Hometab - Background color - Specifies the hexadecimal background color value for the hometab.

• Hometab - Link color - Specifies the hexadecimal link text color value for the hometab.

• Hometab - Data entry color - Specifies the hexadecimal color value for the data entry area on the hometab.

• Hometab - Font size - Specifies the font size used on the hometab, in pixels.

• Hometab - Background image - Specifies the background image used on the hometab. This image is tiled on the hometab. Click the View/Hide link to show or hide the specified graphical element.

• Hometab - Left/Right side image - Specifies the background image used on the left and right sides of the hometab. Click the View/Hide link to show or hide the specified graphical element.

• Hometab - Shrink image - Specifies the image used to reduce the hometab. Click the View/Hide link to show or hide the specified graphical element.

• Hometab - Shrink image text - Specifies the text next to the hometab shrink image.

• Hometab - Reduced toolbar image - Specifies the image that represents the hometab when it is reduced. Click the View/Hide link to show or hide the specified graphical element.

• Hometab - Reduced toolbar - Specifies the text that is displayed to expand the reduced hometab.

• Hometab - Field separator image - Specifies the image that is used to separate elements on the hometab. Click the View/Hide link to show or hide the specified graphical element.

• Hometab - Open in same window image - Specifies the image that the user clicks to open the specified URL in the current window. Click the View/Hide link to show or hide the specified graphical element.

• Hometab - Open in same window image text - Specifies the alt text for the image that the user clicks to open the specified URL in the current window.

• Hometab - Open in new window image - Specifies the image that the user clicks to open the specified URL in a new window. Click the View/Hide link to show or hide the specified graphical element.

• Hometab - Open in new window image text - Specifies the alt text for the image that the user clicks to open the specified URL in a new window.

• Hometab - Home image - Specifies the image for the link that the user clicks to go to the web applications home screen. Click the View/Hide link to show or hide the specified graphical element.

• Hometab - Home link text - Specifies the text for the link that the user clicks to go to the web applications home screen.

• Hometab - Home image text - Specifies the alt text for the link image that the user clicks to go to the web applications home screen.

• Hometab - Logout image - Specifies the image for the link that the user clicks to log out of the web applications connection. Click the View/Hide link to show or hide the specified graphical element.

• Hometab - Logout link text - Specifies the text for the link that the user clicks to log out of the web applications connection.

• Hometab - Logout image text - Specifies the alt text for the image that the user clicks to log out of the web applications connection.

• Hometab - Set of elements to be displayed - This is a comma-separated list of all the elements displayed on the hometab. The hometab is arranged in the order in which you specify these elements. Elements can be used more than once. The default specification is:

shrink,divider,url,divider,home_text,home_image,divider,logout_text,logout_image.

You can specify the following elements for the home tab:

• shrink - Specifies the hometab shrink element.

• divider - Specifies a hometab field separator element.

• url - Specifies the hometab URL box element.

• home_text - Specifies the home link text element.

• home_image - Specifies the home image element.

• logout_text - Specifies the logout link text element.

• logout_image - Specifies the logout image text element.

Table 15.19 Hometab customization settings
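Because the hometab element list is free text, it is worth checking a customized value before applying it. The following is an added example, not F5 code: it parses a comma-separated element list against the seven element names the guide lists, tolerates whitespace and the trailing period shown in the default above, reports stray commas and unknown names by position, and flags a list that drops both logout elements (which would leave users with no logout control on the hometab). The function names are hypothetical.

```python
"""Validate an APM hometab "Set of elements to be displayed" value.

Added example, not part of the BIG-IP APM product or guide. Element
names and the default specification are taken from the guide; the
function names are hypothetical.
"""
from typing import List, Tuple

# The element names the guide lists for the hometab.
HOMETAB_ELEMENTS = frozenset(
    {"shrink", "divider", "url", "home_text", "home_image",
     "logout_text", "logout_image"}
)

# Default specification quoted in the guide.
DEFAULT_HOMETAB_SPEC = (
    "shrink,divider,url,divider,home_text,home_image,"
    "divider,logout_text,logout_image"
)

# Elements that give the user a way to end the web applications session.
LOGOUT_ELEMENTS = frozenset({"logout_text", "logout_image"})


def parse_hometab_spec(spec: str) -> Tuple[List[str], List[str]]:
    """Split a hometab spec into (elements, problems).

    Elements may repeat and keep the order given, as the guide allows.
    Surrounding whitespace and a trailing period are tolerated; empty
    items and unknown names are reported as problems with their position.
    """
    cleaned = spec.strip().rstrip(".")
    elements: List[str] = []
    problems: List[str] = []
    for position, raw in enumerate(cleaned.split(","), start=1):
        name = raw.strip()
        if not name:
            problems.append(f"item {position}: empty element (stray comma)")
            continue
        if name not in HOMETAB_ELEMENTS:
            problems.append(f"item {position}: unknown element {name!r}")
            continue
        elements.append(name)
    return elements, problems


def has_logout_control(elements: List[str]) -> bool:
    """True when at least one logout element remains on the hometab."""
    return any(e in LOGOUT_ELEMENTS for e in elements)


if __name__ == "__main__":
    # Constructed sample values: the guide's default and a mistyped edit.
    for spec in (DEFAULT_HOMETAB_SPEC,
                 "shrink, divider, url, divider, home_text,,logout_txt."):
        found, issues = parse_hometab_spec(spec)
        print(spec)
        print("  elements:", found)
        print("  problems:", issues)
        print("  logout control present:", has_logout_control(found))
```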

Customizing the BIG-IP Edge Client

In a connectivity profile, you can customize the appearance of the BIG-IP® Edge Client™ and the web client. The settings you specify are saved with the connectivity profile, and applied when you and your users download the client package.

To customize the client in the connectivity profile

1. On the Main tab of the navigation pane, expand Access Policy, and click Connectivity Profiles. The Connectivity Profiles list screen opens.

2. Click the name of the connectivity profile you want to edit. The Properties screen opens.

3. Click Client Customization.The Client Customization screen opens.

4. From the Language list, select the language for which you want to customize settings.

5. Click the Find Customization button.The screen displays customization settings.

6. Configure customization settings for the client. You can restore any setting to its default by clicking the Restore button next to the setting.

7. When you have finished, click Update. You can restore all settings to their defaults by clicking the Restore All Defaults button.

Reviewing client customization settingsYou can customize the following BIG-IP® Edge Client™ settings:

Table 15.20 BIG-IP Edge Client customization settings (Setting: Description)

Banner Color: Specifies the background color for the banner area at the top of the client screen. This color is specified with a hexadecimal value.

Banner Text Color: Specifies the text color for the messages at the top of the client screen. This color is specified with a hexadecimal value.

Application Name: Specifies the name for the application, displayed in the toolbar.

Logo: Specifies a logo file to show in the banner area at the top of the client screen. Logo files can be PNG, GIF, BMP, or JPG files up to 96x48 pixels in size. A logo file can also be an icon (ICO) file up to 48x48 pixels in size. Click Browse to select a custom logo file. Click View/Hide to view the currently selected logo. The default logo is the F5 red ball.


Tray Icon Set: Specifies the set of icons to display in the system tray when the client is in use. Select F5 to show the F5 red ball in the system tray. Select Generic to show a set of unbranded icons.

About text: Specifies the copyright text displayed when the user selects About from the BIG-IP Edge Client™ menu. The default text is Copyright (C) 2004-2009 F5 Networks, Inc.

About link: Specifies the link text displayed below the copyright when the user selects About from the BIG-IP® Edge Client™ menu. The default link text is http://www.f5.com.


Introducing advanced access policy customization

BIG-IP® Access Policy Manager provides a few generic end-user web pages, such as logon and logoff pages. You can localize and customize these pages using the standard customization feature available in the Configuration utility. For example, you can customize or replace all text messages and images on these pages with your own messages. However, you cannot modify the page style and page framework using this feature, and you cannot add images to these pages. To overcome this limitation of standard customization, you can use the advanced customization feature to provide a set of your own customized pages, which then seamlessly serve requests to Access Policy Manager.

The purpose of this section is to provide examples and procedures showing how you can make the most of this feature through the command line interface. When you complete the tasks, you will have a working version of the functionality used in the scenario.

Important

Although flexible, this feature is intended for advanced users. Therefore, you should carefully study the template files before using advanced customization. The files you provide are served as raw HTML, and the logon, header, and footer pages are delivered to users before they authenticate, so treat edits to these templates as changes to an unauthenticated web surface: restrict who can write to /config/customization/advanced, and do not reference scripts or images hosted outside the BIG-IP system from these pages.

Example: Using advanced access policy customization to modify a specific profile

For this example, you should already have configured an access policy on your system. For more information on how to create an access policy, refer to Chapter 7, Creating Access Profiles and Access Policies.

For this example, you perform the following tasks:

• Run the advCustHelp utility to generate instructions for advanced customization.

• Reference image files.

• Add an additional image to the header page.

• Activate the configuration.

Running the advCustHelp utility to generate instructions for advanced customization

After you have configured an access policy, Access Policy Manager serves its default pages for that profile. The advCustHelp utility generates instructions that list the files you must provide to replace those pages for an existing profile through advanced customization.


To access the advCustHelp utility

1. At the UNIX command prompt, type /usr/bin/advCustHelp <profile_access_name>, using the name of an access profile that you have created.

2. The advCustHelp utility generates the instructions shown in Figure 15.1.

The instruction file shown in Figure 15.1 lists all the file names used by the advanced customization feature. Additionally, it provides instructions on where to place the images, and how to link to these images from the web page.

Referencing image files

This task requires that you place the image files in the appropriate directory and reference them from the pages by the matching public path.

To reference the image files

1. Save the required images to the following location: /config/customization/advanced/images/myProfile. The name of each image must be in this format: image[0-9][0-9].(gif|png|jpg|jpeg). For example, image00.jpg.

2. In the advanced customization files, make sure the image links appear like this: /public/advanced/images/myProfile/image[0-9][0-9].(gif|png|jpg|jpeg). For example, /public/advanced/images/myProfile/image00.jpg.

[root@bigip6401mgmt:Active] config # advCustHelp myProfile
Profile Name : myProfile
The list of advanced customization files are
/config/customization/advanced/logout/myProfile_logout/logout_en.inc
/config/customization/advanced/logout/myProfile_logout/logout_ja.inc
/config/customization/advanced/logout/myProfile_logout/logout_zh-cn.inc
/config/customization/advanced/logout/myProfile_logout/logout_zh-tw.inc
/config/customization/advanced/header/myProfile_header/header_en.inc
/config/customization/advanced/header/myProfile_header/header_ja.inc
/config/customization/advanced/header/myProfile_header/header_zh-cn.inc
/config/customization/advanced/header/myProfile_header/header_zh-tw.inc
/config/customization/advanced/footer/myProfile_footer/footer_en.inc
/config/customization/advanced/footer/myProfile_footer/footer_ja.inc
/config/customization/advanced/footer/myProfile_footer/footer_zh-cn.inc
/config/customization/advanced/footer/myProfile_footer/footer_zh-tw.inc
/config/customization/advanced/logon/myProfile_act_logon_page_ag/logon_en.inc
/config/customization/advanced/logon/myProfile_act_logon_page_ag/logon_ja.inc
/config/customization/advanced/logon/myProfile_act_logon_page_ag/logon_zh-cn.inc
/config/customization/advanced/logon/myProfile_act_logon_page_ag/logon_zh-tw.inc
/config/customization/advanced/logout/myProfile_end_denied_ag/logout_en.inc
/config/customization/advanced/logout/myProfile_end_denied_ag/logout_ja.inc
/config/customization/advanced/logout/myProfile_end_denied_ag/logout_zh-cn.inc
/config/customization/advanced/logout/myProfile_end_denied_ag/logout_zh-tw.inc

Figure 15.1 Instructions file generated by the advCustHelp utility


Adding an additional image to the header page

You can use the header pages to further modify or customize the web pages by adding additional images.

You will be using a series of existing templates to create your custom pages. These templates are actual copies of the generic pages used by Access Policy Manager. We recommend that you leverage these existing templates to create your own pages.

Viewing and understanding sample header pages

1. At the UNIX command prompt, type cd /config/customization/advanced/header/myProfile_header and press Enter.

2. At the UNIX command prompt, type ls. The following header pages are available: tmp_header.inc, tmp_header_en.inc, tmp_header_ja.inc, tmp_header_zh-cn.inc, and tmp_header_zh-tw.inc.

3. Open a header page in a viewer or editor (for example, type more tmp_header_en.inc) to review its contents.

The sample header page (available in different languages) includes two images: logo and banner. You can replace these images with your own images.

To add an additional image to the header page

1. At the UNIX command prompt, create the following directory by typing mkdir /config/customization/advanced/images/myProfile.

2. Copy your image into that directory, using a name in the required format, such as image00.png.

3. At the UNIX command prompt, type cd /config/customization/advanced/header/myProfile_header.


For the purpose of this example, we are using English as the language of choice, so make sure you use the tmp_header_en.inc template. The HTML code in the template is shown below, reformatted for readability.

4. Copy the template tmp_header_en.inc to header_en.inc. You can now use any text editor, such as vi, to modify the content of the file.

<!--[if IE 6]>
<style type="text/css" media="screen">
  #top_banner img { display: none; }
  #top_banner img.pngfix { display: block; }
</style>
<![endif]-->
<table id="top_banner" border="0" cellpadding="0" cellspacing="0" width="100%" height="80">
  <tr bgcolor='#738495'>
    <td>
      <img border="0" src='/public/images/my/flogo.png'>
      <!--[if IE 6]>
      <img border="0" src="/public/images/my/tr.gif" class="pngfix"
           style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='/public/images/my/flogo.png',sizingMethod='auto');">
      <![endif]-->
    </td>
    <td valign="middle" align="right">
      <img border="0" src='/public/images/my/fbanner.png'>
      <!--[if IE 6]>
      <img src="/public/images/my/tr.gif" border="0" class="pngfix"
           style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='/public/images/my/fbanner.png',sizingMethod='auto');">
      <![endif]-->
    </td>
  </tr>
</table>


5. After you have edited the file, it should contain HTML like that shown in Figure 15.2, with the new image referenced by its /public/advanced/images path. The page is now ready to be used. You need to notify the Access Policy Manager system that the new page is ready, and you need to clear the old pages from the cache.

Activating the configuration

Once you have gone through the previous steps, you must activate your configuration so that the new pages display correctly.

To activate your configuration

1. At the UNIX command prompt, type b customization group myProfile_header action update.

2. At the UNIX command prompt, type b profile access myProfile generation action increment, or, from the Configuration utility, click Apply Access Policy for the profile you created. The system now displays the modified header page.

[root@bigip6401mgmt:Active] myProfile_header # more header_en.inc
<!--[if IE 6]>
<style type="text/css" media="screen">
  #top_banner img { display: none; }
  #top_banner img.pngfix { display: block; }
</style>
<![endif]-->
<table id="top_banner" border="0" cellpadding="0" cellspacing="0" width="100%" height="80">
  <tr bgcolor='#738495'>
    <td>
      <img border="0" src='/public/images/my/flogo.png'>
      <!--[if IE 6]>
      <img border="0" src="/public/images/my/tr.gif" class="pngfix"
           style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='/public/images/my/flogo.png',sizingMethod='auto');">
      <![endif]-->
    </td>
    <td valign="middle" align="center">
      <img border="0" src='/public/advanced/images/myProfile/image00.jpg'>
      <!--[if IE 6]>
      <img src="/public/images/my/tr.gif" border="0" class="pngfix"
           style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='/public/advanced/images/myProfile/image00.jpg',sizingMethod='auto');">
      <![endif]-->
    </td>
    <td valign="middle" align="right">
      <img border="0" src='/public/images/my/fbanner.png'>
      <!--[if IE 6]>
      <img src="/public/images/my/tr.gif" border="0" class="pngfix"
           style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='/public/images/my/fbanner.png',sizingMethod='auto');">
      <![endif]-->
    </td>
  </tr>
</table>

Figure 15.2 Actual HTML code to display new header file
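The procedure above (save the image under /config/customization/advanced/images/<profile>, copy tmp_header_en.inc to header_en.inc, add the <img> reference, then run the two bigpipe activation commands) is easy to get subtly wrong: an image name outside the documented pattern, a /public/advanced/images link with no file behind it, or a header that pulls content from a third-party host into a page that is served before logon. The following script is an added example, not part of the F5 guide: it automates the steps and adds those checks. It assumes the 10.2 paths and commands quoted in this section; the APM_CFG_ROOT and DRY_RUN variables and all function names are this example's own inventions so it can be exercised off-box, and the inserted cell omits the IE 6 conditional-comment fallback shown in Figure 15.2.

```shell
#!/bin/sh
# Added example, not from the F5 guide: stage an extra header image for an
# APM access profile as the procedure above describes, check the result, and
# run (or print) the activation commands. APM_CFG_ROOT and DRY_RUN are this
# example's own knobs so it can be reviewed and tested off-box; on a BIG-IP
# leave both unset.
: "${APM_CFG_ROOT:=/config/customization/advanced}"
: "${DRY_RUN:=0}"

# Accept only names matching the pattern the guide documents:
# image[0-9][0-9].(gif|png|jpg|jpeg)
apm_image_name_ok() {
    case "$1" in
        image[0-9][0-9].gif|image[0-9][0-9].png|image[0-9][0-9].jpg|image[0-9][0-9].jpeg)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Directory the image is saved to, and the URL path the page must reference.
apm_image_dir()      { printf '%s/images/%s' "$APM_CFG_ROOT" "$1"; }
apm_image_url_path() { printf '/public/advanced/images/%s/%s' "$1" "$2"; }

# <img> tag to splice into header_<lang>.inc. The alt text is emitted verbatim
# into HTML, so callers must pass plain text without quotes or angle brackets.
apm_img_tag() {
    printf "<img border='0' src='%s' alt='%s'>" "$(apm_image_url_path "$1" "$2")" "$3"
}

# Run a command, or just print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# apm_stage_header_image PROFILE IMAGE_FILE [LANG] [ALT]
# Copies the image into place, derives header_LANG.inc from tmp_header_LANG.inc
# with a new centre cell holding the image, then activates the change.
apm_stage_header_image() {
    profile=$1; src=$2; lang=${3:-en}; alt=${4:-}
    name=$(basename "$src")
    apm_image_name_ok "$name" || {
        echo "refusing '$name': must match image[0-9][0-9].(gif|png|jpg|jpeg)" >&2; return 1; }
    hdr_dir="$APM_CFG_ROOT/header/${profile}_header"
    tmpl="$hdr_dir/tmp_header_$lang.inc"
    out="$hdr_dir/header_$lang.inc"
    [ -f "$tmpl" ] || { echo "missing $tmpl (run advCustHelp $profile first)" >&2; return 1; }

    mkdir -p "$(apm_image_dir "$profile")"
    cp "$src" "$(apm_image_dir "$profile")/$name"

    # Insert the new cell before the right-aligned banner cell of the template.
    anchor='<td valign="middle" align="right">'
    grep -q "$anchor" "$tmpl" || { echo "no '$anchor' in $tmpl; edit $out by hand" >&2; return 1; }
    tag=$(apm_img_tag "$profile" "$name" "$alt")
    sed "s|$anchor|<td valign='middle' align='center'>$tag</td>&|" "$tmpl" > "$out"

    # Same two commands as the activation step: flush the cached group, then
    # bump the policy generation so the new page is served.
    run b customization group "${profile}_header" action update
    run b profile access "$profile" generation action increment
}

# apm_check_header_refs PROFILE [LANG]
# Lists every src= reference in the staged header (one per tag) and flags the
# ones that will hurt: /public/advanced/images paths with no file behind them,
# and absolute http(s) or protocol-relative URLs, which make the pre-logon page
# load content from a third party. Returns 1 if anything was flagged.
apm_check_header_refs() {
    profile=$1; lang=${2:-en}; rc=0
    hdr="$APM_CFG_ROOT/header/${profile}_header/header_$lang.inc"
    [ -f "$hdr" ] || { echo "no $hdr" >&2; return 1; }
    for ref in $(tr '<' '\n' < "$hdr" | sed -n "s/.*src=['\"]\([^'\"]*\)['\"].*/\1/p"); do
        case "$ref" in
            http://*|https://*|//*)
                echo "EXTERNAL $ref"; rc=1 ;;
            /public/advanced/images/*)
                f="$APM_CFG_ROOT/images/${ref#/public/advanced/images/}"
                if [ -f "$f" ]; then echo "ok       $ref"; else echo "MISSING  $ref ($f)"; rc=1; fi ;;
            *)  echo "builtin  $ref" ;;   # /public/images/... ships with APM
        esac
    done
    return $rc
}
```

On a BIG-IP, source the file and run apm_stage_header_image myProfile /var/tmp/image00.png en 'Welcome' followed by apm_check_header_refs myProfile en. With DRY_RUN=1 the two b commands are printed instead of executed, which is convenient for change review; the check function is worth running against any hand-edited header as well, since a MISSING or EXTERNAL line means the page will either show a broken image or fetch content from outside the appliance.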


16

Advanced Topics in Access Policies

• Setting up a logon page to collect user credentials

• Example: Using a customized logon page to collect user credentials

• Using multiple authentication methods

• Example: Using client certificate authentication with Active Directory

• Configuring policy routing

• Example: Directing users to different route domains

• Using advanced access policy rules

• Example: Checking that all present antivirus packages are active on the client system

• Example: Using a certificate field for logon name


Setting up a logon page to collect user credentials

In most applications, a logon page is used to present user name and password prompts to a user, to collect the credentials the user enters, and to forward those credentials on to an authentication method. In BIG-IP® Access Policy Manager, you use the visual policy editor to assign a logon page in an access policy. This section describes the logon action, and how to customize the page presented by the logon action.

Understanding the logon page action

The logon page customization elements include the information that appears between the header and the footer. You customize this information using the Logon Page action in the access policy configuration. The default English logon page configuration appears in Figure 16.1.


Figure 16.1 Default logon page action configuration

To customize the logon page action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.


3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

5. Select Logon Page and click Add Item. The Logon Page configuration popup screen opens.

6. Select the language you want to customize.

7. Customize the logon page agents. For each Logon Page Agent you are using, customize the type of logon page agent. For each agent you can specify a Post Variable Name, Session Variable Name, and whether the agent is Read Only. See Adding and customizing a logon page, on page 8-3, for more information.

8. Customize the elements in the Customization section.

• Form Header Text - Specifies the text that appears at the top of the logon box. The value is placed in the page as HTML (the example later in this chapter uses a <br> tag for a line break), so only trusted administrators should edit it.

• Logon Page Input Field # (1-5) - These fields specify the text that is displayed on the logon page for each of the logon page agents defined in the Logon Page Agent screen area.

• Save Password Checkbox - Specifies the text that appears adjacent to the check box that allows users to save their passwords in the logon form. This field is used only in the secure access client, and not in the web client.

• Logon Button - Specifies the text that appears on the logon button, which a user clicks to post the defined logon agents.

• Front Image - Specifies an image file to display on the logon page. Click Browse to select a file from the file system. Click Show Image or Hide Image to show or hide the currently selected image file. Click Revert to Default Image to discard any customization and use the default logon page image.

• New Password Prompt - Specifies the prompt displayed when a new Active Directory password is requested.

• Verify Password Prompt - Specifies the prompt displayed to confirm the new password when a new Active Directory password is requested.

• Password and Password Verification do not Match - Specifies the message displayed when the new password and its confirmation do not match.

9. Click Save when the settings are customized.


To customize the logout messages

1. On the Main tab of the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles List screen opens.

2. Click the name of an access profile. The Access Profiles Properties screen opens.

3. Click the Customization tab. The Customization screen opens.

4. From the Customization Type list, select logout.

5. From the Language list, select the language for which you want to customize the logout page.

6. Click the Find Customization button. The screen refreshes to show the logout customization information.

7. Type the customization settings in the boxes. For more information, see Understanding logout components, on page 15-13.

8. Click Update.

To customize error messages

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. Click the name of an access profile. The Access Profiles Properties screen opens.

3. Click the Customization tab. The Customization screen opens.

4. From the Customization Type list, select errormap.

5. From the Language list, select the language for which you want to customize the error messages.

6. Click the Find Customization button. The screen refreshes to show the error message customization information.

7. Type the customization settings in the boxes. For more information, see Customizing error messages for the logon process, on page 15-4.

8. Click Update.


Example: Using a customized logon page to collect user credentials

In this example, a logon page action is added to an access policy. The logon page action presents the logon information to a user who attempts to start a network access connection. In this example, the English language logon page is customized with several fields for the fictitious company Bogon Networks, Inc. In addition, the user name, password, and logon fields are customized, and the footer message is changed.

To add a logon page action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. Click Create. The New Access Profile screen opens.

3. In the Name box, type BogonNet1, then click Finished. The Access Profile Properties screen opens.

4. Click the Access Policy tab, then click Edit Access Policy for Profile “BogonNet1”. The visual policy editor opens in a new window or new tab, depending on your browser settings.

5. Click the plus sign (+) to add an action. The Add Item popup screen opens.

6. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

7. Select Logon Page and click Add Item. The Logon Page action popup screen opens.

8. From the Language list, select en to customize the logon page for English.

9. In the Form Header Text box, type Secure Logon <br> for Bogon Networks, Inc. The value is placed in the page as HTML, which is why the <br> tag produces a line break.

10. In the Logon Page Input Field #1 box, type User ID:.

11. In the Logon Page Input Field #2 box, type Passcode:.

12. In the Logon Button box, type LOGON. The final configuration is shown in Figure 16.2, following.

13. Click Save.

14. Click Apply Access Policy.

15. Close the browser tab or window and return to the Access Policy screen.


Figure 16.2 Logon Page action customization example popup screen

To customize the logon page footer

Note

Typically you configure the logon page by adding your own custom logo and graphics. To simplify this example, the header box is left as the default with the F5 graphics and background color.

1. On the Access Policy screen, click the Customization tab.

2. From the Customization Type list, select general UI.

3. From the Language list, select en.

4. Click Find Customization.


5. Under Page Footer Settings, in the Footer Text box, type For use by employees of Bogon Networks, Inc., and subsidiaries.<br>Copyright © 2009 Bogon Networks, Inc.<br>All rights reserved.

6. Click Update.

7. Click Apply Access Policy.


Using multiple authentication methods

In an access policy you can use multiple authentication methods by adding multiple authentication actions. With multiple authentication methods, you can add two-factor authentication to your access policy. You can also use multiple authentication methods to assign different resources or route users differently depending on the authentication method.

Client certificate two-factor authentication

You can use two or more authentication methods in an access policy. This example uses a client certificate for authentication, followed by Microsoft® Active Directory® authentication. The Active Directory action uses the authentication information collected in the logon page action that precedes it. After the user is authenticated, the access policy assigns resources with the resource assign action, and the user is allowed access.

The configuration for this access policy is described in the section following.


Example: Using client certificate authentication with Active Directory

In this example, a user who logs on to the network must have both a valid client certificate and an account on the Microsoft Active Directory® server. The following is the sequence of events in this example.

• The access policy first verifies that the user’s operating system is Windows Vista®, Windows XP, or Windows 7. This step is optional.

• The access policy checks that the user’s client certificate is valid and issued by a trusted certificate authority.

• If the certificate check action passes, the user sees a logon page. If it does not pass, the user sees a logon denied page.

• On the logon page, the user enters credentials, and the access policy tests these credentials against Active Directory.

• If the Active Directory check succeeds, Access Policy Manager assigns resources to the user, the user is assigned a connection, and the user can begin working with network resources. The user also sees a webtop, if one is assigned.

Note that in this flow the certificate check and the Active Directory check are independent: the policy confirms that the client holds some trusted certificate, and separately that the user knows some valid Active Directory password, but nothing ties the certificate’s subject to the account that is logged on. If you need the two factors to belong to the same user, take the logon name from a certificate field instead of from the logon page, as shown in Example: Using a certificate field for logon name, later in this chapter.

Configuring the client certificate two-factor authentication with Active Directory example

This example provides a guide to the tasks involved in the configuration of this access policy. Note that this is not a step-by-step procedure, but a list of procedures, with references to the tasks that you must perform to complete the example.

To configure the access policy

1. (Optional) Add the Client OS action. See Setting up the client OS check, on page 10-2. Configure the Client OS access policy item with one rule that specifies the Client OS is Windows Vista, Windows XP, or Windows 7. Delete the other rules. You can optionally rename the Client OS access policy item.

2. Add the Client Cert Auth action on the successful rule branch of the access policy. See Adding the On-Demand Certificate into your access policy, on page 12-6.

3. Add the Logon Page action to the successful rule branch of the access policy. See Adding and customizing a logon page, on page 8-3.


4. Add the Active Directory auth action to the successful rule branch of the access policy. See Configuring Access Policy Manager to access the Active Directory for authentication, on page 11-34.

5. Add the resource assign action to the successful rule branch of the access policy. The resource assign action must set a network access resource. You can optionally assign ACLs, and a network access webtop. See Assigning resources, on page 8-9.

6. Change the ending of the successful branch of the access policy to an Allowed ending. See Using policy endings, on page 7-8.

7. Click Apply Access Policy to start the access policy.


Configuring policy routing

You can use policy routing in a number of different scenarios to provide users access to different network segments or resources. For example, you might create a route domain that connects unauthenticated users on a publicly available wireless segment only to the external web, while denying access to internal network resources. To create this configuration, you can use a route domain selection action in the access policy on the fallback rule branch of an authentication action, to send failed logons to a route domain that is separate from the internal network.

Access Policy Manager uses route domain objects to provide access to routing features in access policies. The BIG-IP system supports the ability to configure multiple route domains. A route domain is a BIG-IP system object that represents a particular network configuration. After creating a route domain, you can associate various BIG-IP system objects with the domain: unique VLANs, routing table entries such as a default gateway and static routes, self IP addresses, virtual servers, and pool members.

Route domains provide the capability to segment network traffic, and to define separate routing paths for different network objects and applications. Because route domains segment the network traffic, they also make it possible to have separate IP networks on the same unit, where each route domain uses the same IPv4 address space. Using route domains, you can assign the same IP address or subnet to more than one device on a network, as long as each instance of the IP address resides in a separate route domain.

To configure policy routing, you must configure a route domain. For more information on configuring route domains, see the TMOS™ Management Guide for BIG-IP® Systems.

Setting up route domain selection in an access policy

Once you have defined a route domain, you can route users to the route domain in the access policy, using the route domain selection action.

To add a route domain selection action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

4. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

5. Select Route Domain Selection and click Add Item to add the action to the access policy. The Route Domain Selection action popup screen opens.

6. From the Route Domain ID list, select the route domain ID.

7. Click Save to complete the configuration.


Example: Directing users to different route domains

In this example, your company has switched from RADIUS authentication to Active Directory authentication, but has not yet completed the full transition. Because of the state of the authentication changeover, you would like your legacy RADIUS users to pass through to a web applications connection on a separate router, instead of allowing full access to your network.

This example requires you to configure:

• A route domain.

• An access profile.

• An access policy that contains a logon page, an Active Directory Authentication action, a RADIUS authentication action, two resource assign actions, and a route domain selection action.

Configuring the policy routing example

To configure this example, you must define a route domain and create an access policy that references that route domain. To keep the access policy generic enough for any implementation, the example does not specify names or addresses for the Active Directory server or the RADIUS server to use with the authentication actions. The example also does not specify the web applications or network access resources to use with the resource assign actions. You can create the access policy without configuring these actions, and add your own servers and resources.

To configure the route domain

1. On the Main tab of the navigation pane, expand Network, and click Route Domains. The Route Domain List screen appears.

2. Click the Create button. The New Route Domain screen opens.

3. In the ID box, type 1 for the ID for the new route domain.

4. In the VLANs section, from the Available list, select an available VLAN and click the << button to move the VLAN to the Members list.

5. Click Finished.

To create the routing access profile

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.The Access Profiles List screen opens.

2. Click the Create button. The New Profile screen opens.


3. In the Name box, type a name for the access profile, for example, PolicyRouteTest.

4. Click Finished. The Access Policy screen appears.

Continue on to configure the access policy.

To configure the access policy

1. On the access policy screen, click the link Edit Access Policy for Profile. The visual policy editor opens in a new window or new tab, depending on your browser settings.

2. On the fallback branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.

3. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

4. Select the Logon Page action, and click Add Item. The Logon Page action popup screen opens.

5. Click Save to save and close the action.

6. Click the plus sign (+) on the fallback branch after the logon page action. The Add Item popup screen opens.

7. If authentication actions are not expanded, click the plus sign (+) next to Authentication.

8. Select AD Auth, and click Add Item. The Active Directory Authentication action popup screen opens.

9. From the Server list, select an Active Directory server. If you do not have an Active Directory server, you can leave the action unconfigured for the purposes of the example.

10. Click Save to save the action.

11. On the successful branch following the Active Directory action, click the plus sign (+) to add an action. The Add Item popup screen opens.

12. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

13. Select the Resource Assign action, and click Add Item. The Resource Assign action popup screen opens.

14. Click the Add new entry button.

15. Click the Set Network Access Resource link, select a network access resource to assign to clients who successfully authenticate with Active Directory, and click the Update button.


16. Optionally, click the Set Webtop link, select a network access webtop to assign to clients who successfully authenticate with Active Directory, then click the Update button.

17. Click Save to save the action.

18. On the fallback branch following the Active Directory action, click the plus sign (+) to add an action. The Add Item popup screen opens.

19. If authentication actions are not expanded, click the plus sign (+) next to Authentication.

20. Select the RADIUS Auth action, and click Add Item. The RADIUS authentication action popup screen opens.

21. From the AAA Server list, select a RADIUS server. If you do not have a RADIUS server, you can leave the action unconfigured for the purposes of the example.

22. Click Save to save the action.

23. On the successful branch following the RADIUS action, click the plus sign (+) to add an action. The Add Item popup screen opens.

24. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

25. Select the Route Domain Selection action, and click Add Item. The Route Domain Selection action popup screen opens.

26. From the Route Domain ID list, select 1. This assigns the route domain you defined earlier to clients who successfully authenticate to the RADIUS server, so their traffic is routed through that domain rather than the default one. Route domain selection changes where the user’s traffic is routed; it does not by itself restrict which resources the user can reach, so scope the network access resource and any ACLs you assign on this branch to the web applications segment those legacy users are meant to use.

27. Click Save to save the action.

28. On the successful branch following the route domain selection action, click the plus sign (+) to add an action. The Add Item popup screen opens.

29. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.

30. Select the Resource Assign action, and click Add Item. The Resource Assign action popup screen opens.

31. Click the Add new entry button.

32. Click the Set Network Access Resource link, select a network access resource to assign to clients who successfully authenticate with RADIUS, and click the Update button.

33. Optionally, click the Set Webtop link, select a network access webtop to assign to clients who successfully authenticate with RADIUS, then click the Update button.


Note that you can assign the same network access resource to both types of clients. Because a different route domain is specified in the route domain selection action on the RADIUS branch, the two groups of clients still reach separate gateways.

34. Click Save to save the action.

35. Click the endings following the two resource assign actions, and change them both to allow endings, by selecting Allow and clicking Save.


Using advanced access policy rules

You can use advanced rules in an access policy to provide customized functionality to users. This functionality is useful when the default access policy rules and the rules created with the expression builder do not provide the functionality you require.

When you write an expression in the Advanced tab of the rule popup screen, a non-zero return value causes the rule to be evaluated as true (successful), and the access policy follows the corresponding rule branch. A return value of 0 causes the rule to be evaluated as false, and the access policy follows the corresponding negative branch, or the fallback branch.

Understanding advanced access policy rule situations

You can use advanced access policy rules in four situations in the visual policy editor.

◆ You can use an advanced access policy rule to make flexible decisions after an access policy action completes. To do this, you add the advanced access policy rule on the Advanced tab in the Expression popup screen of an action. In this scenario, if the value returned by the expression is not zero, the rule is evaluated as true, and the access policy follows the corresponding rule branch. If the value returned by the expression is zero, the rule is evaluated as false, and the access policy follows the branch assigned to the negative response (typically a fallback branch).

◆ You can use an advanced access policy rule to add flexibility when assigning resources to users. To do this, you add the advanced access policy rule on the Advanced tab in the Expression popup screen of the resource assign action. In this scenario, if the value returned by the expression is not zero, the resource assignment rule is evaluated as true, and the corresponding resource or ACL is assigned to the user. If the value returned by the expression is zero, the resource assignment rule is evaluated as false, and the resource or ACL is not assigned.

◆ You can use an advanced access policy rule to add flexibility by creating a custom session variable, and then using that session variable in other advanced access policy rules. To do this, you use the custom variable and custom expression options in the variable assign action. In this scenario, the value returned by the custom expression is assigned to the custom variable.

◆ You can use an advanced access policy rule to override the properties of an assigned network access resource. To do this, you assign a configuration variable to a custom expression in the variable assign action. In this scenario, the value returned by the expression overwrites the value of the selected property of the network access resource.


Writing advanced access policy rules

Advanced access policy rules are written in the Tcl programming language. An advanced access policy rule is a Tcl program, so you can use the facilities of the Tcl language in advanced access policy rules. For example, you can use loops (while, foreach, and so on), conditionals (if/else, switch, and more), procedures (proc), and built-in Tcl commands (string, split, for instance), as well as the Tcl operators.

For comprehensive documentation on the Tcl language, see http://www.tcl.tk/doc/.

Understanding the mcget command

In Access Policy Manager access policies, session variables are accessed from system memory during the evaluation of an access policy rule. Access Policy Manager stores all session variables generated in a session in its memory cache. The Tcl command that gets these variables is mcget, which is an abbreviation for "get the session variable from the memory cache."

The general syntax to access a session variable follows.

[mcget {session.ssl.cert.cn} ]

In this example, the name of the session variable, session.ssl.cert.cn, is enclosed in braces { }. The brackets [ ] that enclose the entire command are the Tcl notation for command substitution: the command runs, and its result replaces the bracketed text.

Using a Tcl expression or program as an advanced access policy rule

You can use a Tcl expression or a complete Tcl program as an advanced access policy rule. The return value of the expression or program is used to evaluate the access policy rule. For example, the following access policy rule uses a Tcl expression to check whether the Organizational Unit (OU) field of a user certificate contains the text PD.

expr { [mcget {session.ssl.cert.OU}] contains "PD" }

The return value of the expression is the return value used in the access policy rule: 1 when the OU contains PD, and 0 otherwise.

Note

In Tcl, an expression is evaluated with the expr command. For a complete description of the operators and syntax allowed in a Tcl expression, see http://www.tcl.tk/man/tcl8.0/TclCmd/expr.htm. The contains operator used above is an F5 extension to expr; it is available in access policy rules and iRules, but not in a standard Tcl interpreter.


Understanding advanced access policy rule limitations

In Access Policy Manager, the Tcl code entered in an action is not validated for proper Tcl syntax. If there is a Tcl syntax error in a rule, the error is not caught at configuration time; instead, the rule fails at session establishment time, when a user runs the policy. We recommend that you test rules with an independent Tcl shell before you configure them in the access policy. When you do, provide a stand-in for mcget, which exists only on the Access Policy Manager, and replace F5 extension operators such as contains with standard Tcl string commands.

The semicolon separator (;) is required between two consecutive Tcl statements. A newline (\n), which separates statements in an ordinary Tcl script, is not treated as a separator here.

Note

The name space for Access Policy Manager rules is shared across all rules. If you define a Tcl variable in one rule, it is also accessible in another rule. We recommend that you use a unique prefix for local variables in each rule, so that variables from different rules do not collide.

Editing advanced access policy rules

You write an advanced rule in one of the four situations described in Understanding advanced access policy rule situations, on page 16-17. These situations are:

• On the Advanced tab in the Expression popup screen of an action.

• On the Advanced tab in the Expression popup screen of the resource assign action.

• Using the custom variable and custom expression options in the variable assign action.

• Assigning a configuration variable to a custom expression in the variable assign action.

To write an advanced access policy rule in an action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. Add or edit an action. The action popup screen opens.

4. Click the Branch Rules tab.

5. Next to the Expression, click change. The rule editor popup screen opens.

6. Click the Advanced tab.


7. In the Advanced box, type the expression.

8. When you are finished, click Finished.

9. Click Save.

In this scenario, if the value returned by the expression is not zero, the rule is evaluated as true, and the access policy continues and follows the corresponding rule branch. If the value returned by the expression is zero, the rule is evaluated as false, and the access policy follows the branch assigned to the negative response (typically a fallback branch).

To write an advanced access policy rule in the resource assign action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. Add or edit a resource assign action. The resource assign popup screen opens.

4. Click the Add New Entry button.

5. In the Expression column, click change. The rule editor popup screen opens.

6. Click the Advanced tab.

7. In the Advanced box, type the expression.

8. When you are finished, click Finished.

9. Click Save.

In this scenario, the expression returns a value. If the return value is not zero, the resource assignment rule is true, and the access policy assigns the corresponding resource or ACL to the user. If the return value is zero, the resource assignment rule is evaluated as false, and the access policy does not assign the resource or ACL.


To create a custom variable with an advanced access policy rule

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. Add or edit a variable assign action. The variable assign action popup screen opens.

4. Click the Branch Rules tab.

5. Next to the Expression, click change. The rule editor popup screen opens.

6. Under Assignment, click change. The Variable Assign popup screen opens.

7. In the Custom Variable box, type the new custom variable.

8. In the Custom Expression box, type the expression.

9. When you are finished, click Finished.

10. Click Save.

In this scenario, the custom expression returns a value that the variable assign action then assigns to the custom variable.

To replace a configuration variable with a custom expression

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. Add or edit a variable assign action. The variable assign action popup screen opens.

4. Click the Branch Rules tab.

5. Next to the Expression, click change. The rule editor popup screen opens.

6. Under Assignment, click change. The Variable Assign popup screen opens.

7. On the left side, select Configuration Variable.


8. From the Name list, select the name of the network access resource in which you want to overwrite the variable.

9. From the Property list, select the network access resource property you want to overwrite with a custom expression.

10. In the Custom Expression box, type the expression.

11. When you are finished, click Finished.

12. Click Save.

In this scenario, the expression returns a value that overwrites the value of the selected property from the network access resource.


Example: Checking that all present antivirus packages are active on the client system

By default, the access policy evaluates the antivirus check successfully if any of the detected antivirus packages is present and active on the client system. In this advanced rule example, you change the antivirus check behavior so that the access policy evaluates the antivirus check successfully only if every detected antivirus package is active and its signature database was updated within the last seven days.

Writing the example code

The Tcl code for this example follows.

set i 1; set count [mcget {session.windows_check_av.last.count}];
set minage [expr 7 * 24 * 3600];
while { $i <= $count } {
    if { [mcget "session.windows_check_av.last.item_$i.state"] == 0 ||
         [mcget "session.windows_check_av.last.item_$i.db_time"] < [expr { [mcget "session.user.starttime"] - $minage }] } {
        return 0;
    };
    set i [expr {$i + 1}];
};
return 1;

Figure 16.3 Tcl code to check that all antivirus packages are active

Using this example

To use this example code, you must add it to an action in an access policy. This advanced rule uses an antivirus check action.

Add and edit the antivirus check action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. To add the antivirus action, click the plus sign on an access policy branch. The Add Item popup screen opens.

4. If client-side check actions are not expanded, click the plus sign next to Client Side Checks.


5. Select Antivirus Check and click Add Item. The Antivirus action popup screen opens.

6. Click the Branch Rules tab.

7. Next to the Expression, click change. The rule editor popup screen opens.

8. Click the Advanced tab.

9. In the Advanced box, type this complete expression (keep the semicolons; a newline is not a statement separator in the Advanced box):

set i 1; set count [mcget {session.windows_check_av.last.count}];
set minage [expr 7 * 24 * 3600];
while { $i <= $count } {
    if { [mcget "session.windows_check_av.last.item_$i.state"] == 0 ||
         [mcget "session.windows_check_av.last.item_$i.db_time"] < [expr { [mcget "session.user.starttime"] - $minage }] } {
        return 0;
    };
    set i [expr {$i + 1}];
};
return 1;

10. When you are finished, click Finished.

11. Click Save.

Figure 16.4 Rule for antivirus example access policy in expression popup screen
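The guide recommends testing a rule in an independent Tcl shell before configuring it (see Understanding advanced access policy rule limitations). The following harness is an added example, not code from the guide, and does exactly that for the antivirus rule above: it defines a stand-in mcget that reads from a simulated session and runs the rule against several constructed client states. The session variable names are the guide's; the array sim_session, the procs av_rule and run_case, and the epoch timestamps are constructed for this example.

```tcl
# Added example (not from the F5 guide): run the Figure 16.3 antivirus rule in a
# plain tclsh against simulated sessions. Session variable names are the guide's;
# sim_session, av_rule, run_case and all timestamps are constructed here.

# Simulated memory cache for one session: variable name -> value.
array set sim_session {}

# Stand-in for the Access Policy Manager mcget command. Returns an empty string
# for a variable that was never set; the last test case below depends on that.
proc mcget {name} {
    global sim_session
    if {[info exists sim_session($name)]} {
        return $sim_session($name)
    }
    return ""
}

# The rule from Figure 16.3, unchanged apart from line breaks, wrapped in a proc
# so that its return statements end the rule just as they do inside the policy.
proc av_rule {} {
    set i 1; set count [mcget {session.windows_check_av.last.count}];
    set minage [expr 7 * 24 * 3600];
    while { $i <= $count } {
        if { [mcget "session.windows_check_av.last.item_$i.state"] == 0 ||
             [mcget "session.windows_check_av.last.item_$i.db_time"] < [expr { [mcget "session.user.starttime"] - $minage }] } {
            return 0;
        };
        set i [expr {$i + 1}];
    };
    return 1;
}

# Loads a simulated session (a flat name/value list; later names override
# earlier ones), runs the rule and returns its result.
proc run_case {label pairs} {
    global sim_session
    array unset sim_session
    array set sim_session $pairs
    set result [av_rule]
    puts [format "%-52s -> %s" $label $result]
    return $result
}

# Constructed session start time (2010-05-01 00:00:00 UTC as Unix epoch seconds)
# and signature-database ages on either side of the rule's 7-day limit.
set start 1272672000
set day   86400

set baseline [list \
    session.user.starttime                        $start \
    session.windows_check_av.last.count           2 \
    session.windows_check_av.last.item_1.state    1 \
    session.windows_check_av.last.item_1.db_time  [expr {$start - 2 * $day}] \
    session.windows_check_av.last.item_2.state    1 \
    session.windows_check_av.last.item_2.db_time  [expr {$start - 1 * $day}]]

run_case "two packages, both active, signatures under 7 days old" $baseline
run_case "second package installed but not running" \
    [concat $baseline [list session.windows_check_av.last.item_2.state 0]]
run_case "both active, first package's signatures 10 days old" \
    [concat $baseline [list session.windows_check_av.last.item_1.db_time [expr {$start - 10 * $day}]]]
run_case "no antivirus result in the session (count unset)" {}
```

Run it with tclsh. The first case returns 1; the inactive-package and stale-signature cases return 0. The last case shows a property worth knowing before you deploy the rule: when the count variable is unset, the stand-in mcget returns an empty string, the while loop never runs, and the rule returns 1. Confirm what the real antivirus check action leaves in session.windows_check_av.last.count when no package is detected, and add an explicit test for an empty or zero count if the rule should fail closed in that case.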


Example: Using a certificate field for logon name

In this example, the access policy parses the CommonName (CN) attribute from the subject of the client's SSL certificate, and uses its value as the logon name. For example, if the certificate's name field is CN=Smith, OU=SBU,O=CompanyName,L=SanJose, ST=CA,C=US, the rule extracts Smith from the name field, and the access policy passes it on as the logon name. Subsequent actions on this branch of the access policy can then use this logon name.

You use the variable assign action to assign the value extracted from the certificate's CN attribute to the session variable session.logon.last.username.

Writing the example code

The Tcl code for this example follows.

set cn_fields [split [mcget {session.ssl.cert.cn}] ","];
foreach field $cn_fields {
    if { $field contains "CN=" } {
        set name [string range $field [expr { [string first "=" $field] + 1 }] end];
        return $name;
    }
};

Figure 16.5 Tcl code to extract the logon name from a certificate field

Using this example

You assign the result of this example code to a custom variable called session.logon.last.username using the variable assign action.

Add and edit the variable assign action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.

2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.

3. To add the variable assign action, click the plus sign on an access policy branch. The Add Item popup screen opens.

4. If general purpose actions are not expanded, click the plus sign next to General Purpose.


5. Select Variable Assign and click Add Item. The Variable Assign action popup screen opens.

6. Click the Add New Entry button.

7. Under Assignment, next to empty, click change. The variable assignment editor popup screen opens.

8. In the Custom Variable box, type session.logon.last.username.

9. In the Custom Expression box, type the complete expression:

set cn_fields [split [mcget {session.ssl.cert.cn}] ","];
foreach field $cn_fields {
    if { $field contains "CN=" } {
        set name [string range $field [expr { [string first "=" $field] + 1 }] end];
        return $name;
    }
};

10. When you are finished, click Finished.

11. Click Save.

Figure 16.6 Case study rule for Certificate CN in variable assign popup screen
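The same kind of offline test, as an added example that is not part of the guide, for the certificate rule above. Because contains is an F5 extension that tclsh does not understand, the published rule is reproduced with the equivalent standard Tcl substring test; a second variant, cn_rule_hardened, anchors the match to the start of the attribute and returns an empty string when no CN is present. The session variable name session.ssl.cert.cn and the first subject are the guide's; the array sim_session, the procs, and the other subjects are constructed for this example.

```tcl
# Added example (not from the F5 guide): run the Figure 16.5 certificate rule in
# a plain tclsh. The variable name session.ssl.cert.cn and the first subject below
# are the guide's; sim_session, the procs and the other subjects are constructed.

array set sim_session {}

# Stand-in for the Access Policy Manager mcget command.
proc mcget {name} {
    global sim_session
    if {[info exists sim_session($name)]} { return $sim_session($name) }
    return ""
}

# Figure 16.5 as published, except that the APM-only "contains" operator is
# replaced by the equivalent substring test so that the rule runs in tclsh.
proc cn_rule_as_published {} {
    set cn_fields [split [mcget {session.ssl.cert.cn}] ","];
    foreach field $cn_fields {
        if { [string first "CN=" $field] >= 0 } {
            set name [string range $field [expr { [string first "=" $field] + 1 }] end];
            return $name;
        }
    };
}

# Hardened variant: trims each attribute, matches CN= only at its start, and
# returns an empty string explicitly when the subject has no CN, so that a
# following branch rule can test for the empty value before it is used.
proc cn_rule_hardened {} {
    foreach field [split [mcget {session.ssl.cert.cn}] ","] {
        set field [string trim $field]
        if { [string match "CN=*" $field] } {
            return [string trim [string range $field 3 end]]
        }
    }
    return ""
}

# Loads one subject into the simulated session and runs both variants.
proc run_case {label subject} {
    global sim_session
    array unset sim_session
    set sim_session(session.ssl.cert.cn) $subject
    set published [cn_rule_as_published]
    set hardened  [cn_rule_hardened]
    puts [format "%-30s published=%-12s hardened=%s" $label "\"$published\"" "\"$hardened\""]
    return $hardened
}

run_case "guide's subject, CN first"  "CN=Smith, OU=SBU,O=CompanyName,L=SanJose, ST=CA,C=US"
run_case "CN last, with spaces"       "C=US, ST=CA, O=CompanyName, CN=Jones"
run_case "no CN attribute"            "OU=SBU,O=CompanyName,C=US"
run_case "CN= inside another value"   "O=ACN=Corp, OU=SBU, CN=Smith"
```

For the guide's subject both procs return Smith, and both handle a CN placed last with surrounding spaces. They differ on the last two subjects. When no CN attribute is present, both yield an empty string, which the access policy would store as the logon name unless a following branch rule tests for it. When another attribute's value happens to contain the text CN= (a contrived subject here), the substring match in the published rule returns part of that attribute as the user name, while the anchored match skips it and returns the real CN.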


17

Logging and Reporting

• Understanding logging

• Understanding log types

• Setting log levels

• Understanding reports

• Viewing statistics

• Monitoring system and user information


Understanding logging

Viewing and maintaining log messages is an important part of maintaining the Access Policy Manager. Log messages inform you on a regular basis of the events that are happening on the system. Some of these events are general events within the system, while others are specific to the Access Policy Manager, such as stopping and starting Access Policy Manager system services.

The Access Policy Manager uses syslog-ng to log events. The syslog-ng utility is an enhanced version of the standard logging utility syslog.

The types of event messages available on the Access Policy Manager are:

• Access Policy events. Access policy event messages include logs pertaining to access policies, SSO, network access, and web applications. To view access policy events, on the navigation pane, expand System, and click Logs.

• Audit logging. Audit event messages are those that the Access Policy Manager system logs as a result of changes made to its configuration.

For more information on other log events, refer to the BIG-IP® Configuration Guide for Local Traffic Manager™, on the Ask F5 web site, https://support.f5.com.

Introducing logging features

The logging mechanism on an Access Policy Manager system includes several features designed to keep you informed of system events in the most effective way possible.

One of the primary features of logging is its ability to log different types of events, ranging from system events to access control events. Through the Access Policy Manager system auditing feature, you can also track and report changes that an administrator makes to the BIG-IP® system configuration, such as adding a virtual server or changing an access policy. For more information, see Understanding log content, on page 17-2, and Understanding log types, on page 17-4.

When setting up logging on the Access Policy Manager, you can customize the logs by designating the minimum severity level, or log level, that you want the system to report when a type of event occurs. The minimum log level indicates the minimum severity level at which the system logs that type of event.

For examples of log levels, refer to Setting log levels, on page 17-6.


You can also use the Configuration utility to search for a string within a log event, that is, you can filter the display of the log messages according to the string you provide. For more information, see Setting log levels, on page 17-6.

Tip

You can also configure the system to send email or to activate pager notification based on the priority of the logged event.

Note

Files are rotated daily if their size exceeds 10MB. Additionally, weekly rotation is enforced if the log file is a week old, regardless of whether the file exceeds the 10MB threshold.

Understanding log content

The logs that the system generates include several types of information. For example, all logs show a timestamp, host name, and service for each event. Some logs show a status code, while the audit log shows a user name and a transaction ID corresponding to each configuration change. All logs can contain up to two-line descriptions of each event.

Table 17.1, following, lists the categories of information contained in the logs, and the specific logs in which each category appears.


Note

For standalone clients, once a user has logged out and then logged back in, the previous session ID is displayed as invalid and remains so in the Notice-level logs. The user is then assigned a new session ID. This is expected behavior of the system.

• Timestamp (System, Access Policy, and Audit logs): The time and date that the system logged the event message.

• Log Level (Access Policy log): The severity level of each message.

• Host (System log): The host name of the system that logged the event message. Because this is typically the host name of the local machine, the appearance of a remote host name could be of interest.

• Service (System log): The service that generated the event.

• Status code (Access Policy log): The status code associated with the event. Only events logged by BIG-IP system components, and not operating system services, have status codes.

• Session ID (Access Policy log): The ID associated with the user session.

• Description (System log): The description of the event that caused the system to log the message.

• User Name (Audit log): The name of the user who made the configuration change.

• Transaction (Audit log): The identification number of the configuration change.

• Event (Audit and Access Policy logs): The description of the event, in a form that applies to both audit and access policy logging.

Table 17.1 Log information categories and their descriptions


Understanding log types

The Access Policy Manager automatically logs two main event types:

• Access policy: Includes messages created during access policy validation, SSO, network access, and web applications.

• Audit: Includes configuration changes.

Each type of event is stored in a log file, and the information stored in each log file varies depending on the event type.

• Access policy events. Messages are logged in the /var/log/apm file.

• Audit events. Messages are logged in the /var/log/audit file.

Logging system events

Many events that occur on Access Policy Manager are operating system-related events, and do not specifically apply to the Access Policy Manager. The Access Policy Manager logs the messages for these events in the file /var/log/messages.

Using the Configuration utility, you can display these system messages. On the navigation pane, expand System, click Logs, and choose System. Table 17.2 shows some sample system log entries.

Table 17.2 Sample system log entries

Auditing configuration changes

Audit logging is an optional feature that logs messages whenever changes are made to the system configuration. Such changes include the following items:

• User action

• System action

• Loading configuration data


The Access Policy Manager logs the messages for these auditing events in the /var/log/audit file.

Using the Configuration utility, you can display audit log messages. Table 17.3 shows some sample audit log entries. In this example, the first entry shows that user janet enabled the audit logging feature, while the second and third entries show that user matt designated the BIG-IP system to be a redundant system with a unit ID of 1.

By default, audit logging is disabled. For information on enabling this feature, see Setting log levels, following.

Timestamp                     User Name  Transaction  Event
Mon Feb 14 03:34:45 PST 2008  janet      79255-1      DB_VARIABLE modified: name="config.auditing"
Mon Feb 14 03:35:06 PST 2008  matt       79609-1      DB_VARIABLE modified: name="failover.isredundant" value="true"
Mon Feb 14 03:35:06 PST 2008  matt       79617-1      DB_VARIABLE modified: name="failover.unitid" value="1"

Table 17.3 Sample audit log entries
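The columns in Table 17.3 are enough to review an audit log for changes that matter to a security team, in particular the config.auditing switch, since turning audit logging off silences every later entry. The following Tcl script is an added example, not part of the guide: it parses entries laid out as in Table 17.3 (the one-line layout is an assumption about the display, not the exact on-disk format of /var/log/audit), flags changes to a watched list of variables, and raises an alert when auditing is disabled. The entries, the value strings, and the procs are constructed for the example; the variable names config.auditing, failover.isredundant and failover.unitid are those shown in the table.

```tcl
# Added example (not from the F5 guide): flag security-relevant changes in audit
# entries shaped like Table 17.3. The entry layout is an assumption about the
# display format, and every entry is constructed; the variable names
# config.auditing, failover.isredundant and failover.unitid are the guide's.

# Variables whose modification should be reviewed. config.auditing is the switch
# that turns audit logging itself on and off.
set watched_variables {config.auditing failover.isredundant failover.unitid}

# Constructed entries: timestamp (six tokens), user, transaction, event text.
set sample_audit {
Mon Feb 14 03:34:45 PST 2008 janet 79255-1 DB_VARIABLE modified: name="config.auditing" value="enable"
Mon Feb 14 03:35:06 PST 2008 matt 79609-1 DB_VARIABLE modified: name="failover.isredundant" value="true"
Mon Feb 14 03:35:06 PST 2008 matt 79617-1 DB_VARIABLE modified: name="failover.unitid" value="1"
Mon Feb 14 03:40:12 PST 2008 matt 79702-1 DB_VARIABLE modified: name="example.unwatched.variable" value="50"
Mon Feb 14 03:41:30 PST 2008 janet 79733-1 DB_VARIABLE modified: name="config.auditing" value="disable"
}

# Parses one entry into {timestamp user transaction name value}; returns an
# empty list for lines that do not match. name and value stay empty when the
# event text carries no such attribute.
proc parse_audit_line {line} {
    if {![regexp {^((?:\S+\s+){5}\S+)\s+(\S+)\s+(\S+)\s+(.*)$} $line -> ts user txn event]} {
        return {}
    }
    set name ""
    set value ""
    regexp {name="([^"]*)"} $event -> name
    regexp {value="([^"]*)"} $event -> value
    return [list $ts $user $txn $name $value]
}

# Returns the parsed entries whose variable name is in the watched list.
proc review_audit {lines watched} {
    set findings {}
    foreach line $lines {
        set line [string trim $line]
        if {$line eq ""} { continue }
        set parsed [parse_audit_line $line]
        if {[llength $parsed] == 0} { continue }
        foreach {ts user txn name value} $parsed break
        if {[lsearch -exact $watched $name] >= 0} {
            lappend findings $parsed
        }
    }
    return $findings
}

# True when a watched finding set config.auditing to "disable" (the value
# string is an assumption of this example).
proc auditing_disabled {findings} {
    foreach finding $findings {
        foreach {ts user txn name value} $finding break
        if {$name eq "config.auditing" && $value eq "disable"} { return 1 }
    }
    return 0
}

set findings [review_audit [split $sample_audit "\n"] $watched_variables]
foreach finding $findings {
    foreach {ts user txn name value} $finding break
    puts [format "%-28s %-6s %-8s %s -> %s" $ts $user $txn $name $value]
}
if {[auditing_disabled $findings]} {
    puts "ALERT: audit logging was disabled; configuration changes after that point are not recorded"
}
```

Run it with tclsh. Four of the five constructed entries are reported (the unwatched variable is skipped), and the final entry triggers the alert. To use it against a real system, export the audit entries from the Configuration utility or read /var/log/audit directly, adjust the pattern in parse_audit_line to the format you actually see, and extend watched_variables with the settings that matter in your environment.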


Setting log levels

Using the Configuration utility, you can set log levels on auditing events and other types of events. The minimum log level indicates the minimum severity level at which the system logs that type of event. For more information, see To set a minimum log level for local traffic events, following.

For auditing events, you can set a log level that indicates the type of event that the system logs, such as the user-initiated loading of the Access Policy Manager system configuration, or system-initiated configuration changes. For more information, see Setting log levels for auditing events, on page 17-7.

To set the log level

1. On the navigation pane, expand System, and click Logs. The Logs screen opens.

2. On the menu bar, click Options. The Logs screen changes to display the various logging options available.

3. Depending on the type of log messages you want to control, select either Access Policy Logging or Audit Logging.

4. Select the log level for the selected component, and click Update.

The log levels that you can set on certain types of events are sequenced from highest severity to lowest severity, like this:

• Emergency

• Alert

• Critical

• Error

• Warning

• Notice

• Informational

• Debug

To set a minimum log level for local traffic events

1. On the navigation pane, expand System, and click Logs. The Logs screen opens.

2. On the menu bar, click Options. The screen for setting minimum log levels opens.

3. Select a minimum log level from the list.

4. Click Update.


To view the access policy log messages

After you select your logging options, you can view the access policy log messages.

1. On the navigation pane, expand System, and click Logs. The Logs screen opens.

2. On the menu bar, click Access Policy. This displays the log messages specific to Access Policy Manager modules.

3. If you want to advance to another screen of messages, first locate the page list at the lower-right corner of the screen. You can either:

• Display the list and select a page number.

• Click the right arrow to advance to the next page of messages.

To filter log messages based on a search string

1. On the navigation pane, expand System, and click Logs. The Logs screen opens.

2. On the menu bar, click Access Policy.

3. In the Search box (directly above the Timestamp column), type a string, optionally using the asterisk as a wildcard character.

4. Click Search. The screen refreshes and displays only those messages containing the string you specified.

Setting log levels for auditing events

An optional type of logging that you can enable is audit logging. Audit logging provides options to control auditing at the MCP level and at the bigpipe level, so that it records configuration operations that administrators perform through the user interface and through the command line interface.

For more information, see Auditing configuration changes, on page 17-4.

For detailed information about auditing events, refer to the BIG-IP® Configuration Guide for Local Traffic Manager, on the Ask F5 web site, https://support.f5.com.

You can choose one of four log levels for audit logging. In this case, the log levels do not reflect the severity of the log messages; instead, they select which initiators of configuration changes are logged.

The log levels for audit logging are:

• Disable. This turns audit logging off. This is the default value.

• Enable. This causes the system to log messages for user-initiated configuration changes only.


• Verbose. This causes the system to log messages for user-initiated configuration changes and any loading of configuration data.

• Debug. This causes the system to log messages for all user-initiated and system-initiated configuration changes.

To set a minimum log level for audit events

1. On the navigation pane, expand System, and click Logs. The Logs screen opens.

2. On the menu bar, click Options. This displays the screen for setting minimum log levels.

3. In the Audit Logging area near the bottom of the screen, select a log level from the Audit list, which includes MCP and bigpipe.

4. Click Update.

You can find additional information about logging in Logging BIG-IP System Events in the BIG-IP® Configuration Guide for Local Traffic Manager, on the Ask F5 web site, https://support.f5.com.


Understanding reports

You can review reports about the sessions created on the system. With Access Policy Manager, you can view either Current Sessions or All Sessions. Under Current Sessions, you can configure how the session table is displayed and refreshed. Table 17.4 lists the information types in the report and their descriptions.

Displaying reports for current sessions

You can display all current active sessions that are running on the system. Additionally, you can set the session table to refresh every few seconds, or refresh it manually at any time.

To change your display options

1. On the navigation pane, expand Access Policy, and click Reports.

2. On the menu bar, click Current Sessions.

3. From the Auto Refresh list, select the time interval (in seconds) to refresh the session table. It is disabled by default.

4. To manually refresh the table, click Refresh Session Table.

Displaying session variables for current sessions

You can view session variables for all current sessions.

To display session variables for current sessions

1. On the navigation pane, expand Access Policy, and click Reports.

2. On the menu bar, click Current Sessions.

3. Click the short variable name to display the full variable name.

4. Click Expand Tree to view all session variables at once. The following information is displayed for all sessions:

• Session Summary

• Session Start

• Remote Host

• Virtual Server (to which the user is connected)

• Logon

• Status

• Access Policy Logs

• Session Variables tab

• Packet Filter tab

Table 17.4 explains the type of information displayed for each session.


Terminating user sessions

You can terminate selected user sessions running on the system for troubleshooting and security purposes. For example, you may need to perform troubleshooting tasks on one or more user sessions, or you may notice a security issue and need to terminate user sessions immediately for further investigation. Access Policy Manager lets you terminate user sessions immediately.

To terminate user sessions

1. On the navigation pane, expand Access Policy, and click Reports. The current sessions page opens.

2. Select one or more user sessions, and click Kill Selected Sessions. The terminated sessions no longer appear in the active session list.

Displaying reports for all sessions

You can display detailed information for all active and previously terminated sessions on the system. Each session has a session ID that you can click to open a screen with more detailed information about that session.

To display information on all sessions

1. On the navigation pane, expand Access Policy, and click Reports. The Reports screen opens.

2. On the menu bar, click All Sessions. A more detailed screen opens for all sessions running on the system.

3. To view detailed information for a session, click its Session ID. A Session Summary screen opens.

Information Type | Explanation
Status | The status of the session.
Session ID | The session ID of each session.
Logon | The logon name used to start the session.
Client IP | The IP address of the client machine from which the user connects.
Start Time | The start time of each session.
Expiration | The time at which the session is expected to time out.
Bytes In | The total number of bytes received by the session.
Bytes Out | The total number of bytes transmitted by the session.

Table 17.4 Reporting information types

Using scripts to view reports

In addition to viewing reports through the navigation pane, you can use the command line script adminreports.pl to view additional reports, such as acllogs, logonlogs, acllogsforsession, and saforsession.

To view additional reports and logs from the command line

1. From the command line, type adminreports.pl.

2. Depending on the type of logs you want to view, type one of the following at the command line:

adminreports.pl -aclogs
adminreports.pl -logonlogs
adminreports.pl -aclogsforsession session_id
adminreports.pl -saforsession session_id
adminreports.pl -count
adminreports.pl -start <index>
adminreports.pl -end <index>

Table 17.5 lists the available command line options and their descriptions.

Command | Description
-aclogs | Displays the access control log messages.
-logonlogs | Returns the logon log messages.
-aclogsforsession <sid> | Returns the access control logs for the given session ID <sid>.
-saforsession <sid> | Returns session activity information for the given session ID <sid>.
-count | Returns the number of entries in the access control and logon logs.
-start <index> | Returns entries starting from the given <index>. The default is the first entry (index 1).
-end <index> | Returns entries up to the given <index>. The default is the last entry.
-help | Prints the on-screen help message.

Table 17.5 Command line options to view additional reports


Viewing statistics

You can use Access Policy Manager to view statistics for both Access Profile and Secure Connectivity. You can view the statistics for any given access profile or for all access profiles (cumulative).

The following tables list the types of statistics supported by Access Policy Manager. Each table also indicates whether the statistics objects are accessible through the GUI, the command line, or SNMP.

Session statistics

Session statistics are based on user sessions.

Statistics Object | Description | GUI | CLI | SNMP
TotalActiveSessions | Total number of active sessions (Pending+Validated, or Validated alone) | Y | Y | Y
MaxActiveSessions | Maximum number of active sessions since the system started | N | Y | Y
ValidatedActiveSessions | Total number of active sessions that have completed validation | Y | Y | Y
PendingActiveSessions | Total number of active sessions with validation in progress | Y | Y | Y

Table 17.6 Session statistics


Access policy result statistics

Access policy result statistics are based on the results of access policy validation, and on timeout and error conditions.

Statistics Object | Description | GUI | CLI | SNMP
AllowSessions | Total number of user sessions that reached the allow ending | Y | Y | Y
DenySessions | Total number of user sessions that reached the deny ending | Y | Y | Y
ErrroredSessions | Total number of user sessions terminated due to internal errors | Y | Y | Y
TimedoutSessions | Total number of user sessions terminated due to timeouts | Y | Y | Y
AllowTimedoutSessions | Total number of user sessions terminated due to allow timeouts | Y | Y | Y
AdminTerminatedSessions | Total number of user sessions terminated by an administrator | Y | Y | Y
UserLoggedoutSessions | Total number of user sessions terminated due to user logout | Y | Y | Y
MiscTerminatedSessions | Total number of user sessions terminated due to other reasons (Cache Cleaner, etc.) | Y | Y | Y

Table 17.7 Access Policy result statistics


Agent type statistics

Agent type statistics are based on the APD agent types, such as anti-virus check, file check, registry check, Windows info, client certificate check, and RADIUS/LDAP/AD/RSA authentication checks.

Statistics Object | Description | GUI | CLI | SNMP
DenyendingAgent | Agent | Y | Y | Y
AllowendingAgent | Agent | Y | Y | Y
RedirectendingAgent | Agent | Y | Y | Y
allowAgent | Agent | Y | Y | Y
EPSProtectedWorkspace | Agent | Y | Y | Y
EPSOsInfo | Agent | Y | Y | Y
EPSFileCheck | Agent | Y | Y | Y
EPSFwCheck | Agent | Y | Y | Y
EPSProcCheck | Agent | Y | Y | Y
EPSRegCheck | Agent | Y | Y | Y
EPSLinuxfilecheck | Agent | Y | Y | Y
EPSLinuxprocescheck | Agent | Y | Y | Y
EPSMacfilecheck | Agent | Y | Y | Y
EPSMacprocesscheck | Agent | Y | Y | Y
EPSWindowsbrowsercachecleaner | Agent | Y | Y | Y
EPSWindowsgrouppolicy | Agent | Y | Y | Y
EPSWindowscmachinecertcheck | Agent | Y | Y | Y
externalLogon | Agent | Y | Y | Y
variableAssign | Agent | Y | Y | Y
routeDomainSelection | Agent | Y | Y | Y
LogonpageAgent | Agent | Y | Y | Y
VLANAgent | Agent | Y | Y | Y
LoggingAgent | Agent | Y | Y | Y
ActiveDirectoryAgent | Agent | Y | Y | Y
LDAPAgent | Agent | Y | Y | Y
RADIUSAgent | Agent | Y | Y | Y
RADIUSAccountingAgent | Agent | Y | Y | Y
securIDAgent | Agent | Y | Y | Y
HTTPAgent | Agent | Y | Y | Y
clientcertAgent | Agent | Y | Y | Y
EPS cache cleaner | Agent | Y | Y | Y
EPS Antivirus | Agent | Y | Y | Y
ResoureAssignment | Agent | Y | Y | Y
DecisionBox | Agent | Y | Y | Y
MessageBox | Agent | Y | Y | Y

Table 17.8 Agent type statistics


The following statistics objects are supported for each agent type.

Statistics Object | Description | GUI | CLI | SNMP
TotalInstances | Number of instances of a specific agent type in the access policy | Y | Y | Y
TotalUsages | Total number of times the specific agent was used | Y | Y | Y
TotalSuccesses | Total number of success conditions created/reached by the agent | Y | Y | Y
TotalErrors | Total number of error conditions created/reached by the agent | Y | Y | Y
TotalSessionVariables | Total number of session variables created by the agent | Y | Y | Y

Table 17.9 Supported statistics objects for agent types


Global profile access statistics

Global access statistics apply to your global settings.

Statistics Object | Description | GUI | CLI | SNMP
TotalSessions | The total sessions created in the system | Y | Y | Y
TotalEstablishedSessions | The total established sessions in the system | Y | Y | Y
CurrentActiveSessions | The total active user sessions in the system | Y | Y | Y
CurrentPendingSessions | The total user sessions going through access policy evaluation in the system | Y | Y | Y
CurrentEstablishedSessions | The total user sessions that have completed access policy evaluation in the system | Y | Y | Y
MiscTerminatedSessons | The total aggregated sessions terminated due to timeout or error (any kind) | Y | Y | Y
UserLoggedoutSessions | The total packets transmitted by the network tunnel in the system | Y | Y | Y
AdminTerminatedSessions | The total sessions timed out in the access policy evaluation phase and network access connection phase in the system | Y | Y | Y
AllowEnding | The total sessions that resulted in allow in the system | Y | Y | Y
ResultDeny | The total sessions that resulted in access deny in the system | Y | Y | Y
ResultRedirect | The total sessions that resulted in the redirect ending in the system | Y | Y | Y
ResultRedirectWithSession | The total sessions that resulted in the redirect ending with sessions in the system | Y | Y | Y

Table 17.10 Global Profile Access statistics


PPP global statistics

PPP global statistics provide cumulative statistics for all PPP connections, such as the total number of PPP connections created, or the number of bytes received and transmitted.

Statistics Object | Description | GUI | CLI
TotLinks | The total PPP sessions in the system | Y | Y
CurLinks | The total current PPP sessions in the system | Y | Y
MaxLinks | The maximum PPP sessions allowed in the system | Y | Y
RxBytes | The total number of bytes received by PPP in the system | Y | Y
TxBytes | The total number of bytes transmitted by PPP in the system | Y | Y
RxFrames | The total packets received by PPP in the system | Y | Y
TxFramess | The total packets transmitted by PPP in the system | Y | Y
RxErrors | The total number of packets with errors received by PPP in the system | Y | Y
TxErrors | The total number of packets with errors transmitted by PPP in the system | Y | Y

Table 17.11 PPP global statistics

Session info (access info) statistics

Session info statistics provide session-level information for all active sessions in the system. The information includes the session ID, client IP, start and expiration time, byte and packet counts, logon details, and session status.

Statistics Object | Description | GUI | CLI | SNMP
Access Status | Status of the session (established, pending, unspecified) | Y | Y | N
Logon | Logon name | Y | Y | N
Client IP | The IP address of the machine from which the user is connected | | |
Start Time | The session start time | Y | Y | N
Expiration Time | The expiration time of the session | Y | Y | N
RxBytes | Total bytes received in the network access connection | Y | Y | N
TxBytes | Total bytes transmitted in the network access connection | Y | Y | N
RxPackets | Total packets received in the network access connection | Y | Y | N
TxPackets | Total packets transmitted in the network access connection | Y | Y | N
ingress (raw) | These determine compression ratios. | Y | Y | N
ingress (compressed) | These determine compression ratios. | Y | Y | N
egress (raw) | These determine compression ratios. | Y | Y | N
egress (compressed) | These determine compression ratios. | Y | Y | N

Table 17.12 Session info statistics


Monitoring system and user information

You can monitor overall system performance and Access Policy Manager session information. The BIG-IP® system provides a dashboard that displays system statistics graphically, as gauges and graphs, and you can view the same statistics in a table view. You can also view user session information specific to Access Policy Manager.

You can display the BIG-IP® system main dashboard from the navigation pane. Expand Overview, and click the Dashboard tab. For more information on how to monitor overall system performance for the BIG-IP® system, refer to the Getting Started Guide: BIG-IP® Systems.

The dashboard also includes online help for information about how to interpret statistics on each of the panels that appear on the screens. Click the question mark (?) in the upper right corner of any window to display the online help.

Viewing the Access Policy Manager dashboard

In addition to the BIG-IP® system main dashboard, you can use the Access Policy Manager dashboard to view session-based statistics for specific Access Policy Manager users, as well as throughput data.

With the Access Policy Manager dashboard, you can view the following information in four distinct panels:

• Active and new sessions

• Network access open and new connections

• Web application cache information

• Access control list transactions

To view the dashboard, on the navigation pane, expand Access Policy, and click Dashboard.

Tip

By clicking the grid icon in the upper left corner of each window, you can display the same information in a table format.


Monitoring active and new sessions

The top left panel of the Access Policy Manager dashboard displays the total and established connections for all current active and new sessions. This panel is called Access Sessions.

There are two tabs available for this panel:

• Active Sessions: Displays the number of active sessions.

• New Sessions: Displays the number of new sessions.

You can view them in either real-time or historical time ranges. For example, you may want to view active sessions at various times of the day to determine the peak and select the best time to perform system maintenance. If you notice that the total number of sessions peaked while the total number of established sessions remains low, this may indicate that a malicious attack is occurring in your network environment.
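The heuristic in the preceding paragraph (many sessions created while few become established) can be checked automatically against periodic samples of the cumulative TotalSessions and TotalEstablishedSessions counters listed in Table 17.10. The following Python script is an added example, not part of this guide and not F5 software: the polling history is constructed, the thresholds are assumed values to tune against your own daily peaks, and collecting the counters from the system (dashboard table view, command line or SNMP) is outside the example.

```python
"""Flag polling intervals where many sessions are created but few become established.

Added example (not from the BIG-IP APM guide). It applies the dashboard heuristic
described in the text to samples of the cumulative TotalSessions and
TotalEstablishedSessions counters. The sample values below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CounterSample:
    """One poll of the global access statistics (constructed, not real device output)."""
    t: int            # seconds since the first sample (one poll per minute assumed here)
    total: int        # TotalSessions: cumulative sessions created in the system
    established: int  # TotalEstablishedSessions: cumulative sessions that completed evaluation


# Constructed polling history: steady activity, a burst of new sessions that
# mostly never complete access policy evaluation, then a statistics reset.
SAMPLES = [
    CounterSample(0, 1000, 900),
    CounterSample(60, 1012, 910),
    CounterSample(120, 1030, 925),
    CounterSample(180, 1330, 930),   # +300 sessions created, only +5 established
    CounterSample(240, 1400, 990),
    CounterSample(300, 20, 15),      # counters reset (see "Reset statistical data" under SNMP)
    CounterSample(360, 80, 70),
]


def suspicious_intervals(samples, min_new=50, max_established_ratio=0.2):
    """Return (start_t, end_t, new_sessions, new_established) for every interval whose
    session growth is at least min_new while the share of those sessions that became
    established is at most max_established_ratio. Both thresholds are assumed values."""
    flagged = []
    for prev, cur in zip(samples, samples[1:]):
        new_total = cur.total - prev.total
        new_est = cur.established - prev.established
        if new_total < 0 or new_est < 0:
            # Cumulative counters went backwards: statistics were reset or the
            # system restarted, so the delta for this interval is meaningless.
            continue
        if new_total < min_new:
            continue  # too little activity to judge
        if new_est / new_total <= max_established_ratio:
            flagged.append((prev.t, cur.t, new_total, new_est))
    return flagged


if __name__ == "__main__":
    for start, end, created, established in suspicious_intervals(SAMPLES):
        print(f"t={start}-{end}s: {created} sessions created, only {established} established")
```

Run against the constructed history, the script reports only the 120-180 s interval; the reset at 300 s is skipped rather than reported as a negative burst, which matters because the statistics can be reset deliberately through SNMP.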

Monitoring web application cache information

The bottom left panel of the Access Policy dashboard displays cache effectiveness by comparing three available metrics. This panel is called Web Applications. There are currently no tabs available for this panel, but the metrics include:

• Client Requests: Displays the total cache requests from the client.

• Request Served from RamCache: Displays the total number of cache hits.

• Requests Missed from RamCache: Displays the total number of cache misses.

Hits and misses are derived by subtracting the server responses from the client requests. A server response indicates that the requested information was not in the cache.


Monitoring network access throughput and connections

The top right panel of the Access Policy dashboard displays throughput data for the amount of traffic through the network access tunnels, as well as open and new connections. This panel is called Network Access.

You can view throughput numbers to and from the client, as well as the overall throughput for network access traffic.

Use this panel to determine how much traffic is going through the tunnels, and how many people are generating that traffic. For example, if there are two tunnels, and those particular users are generating gigabytes of traffic, you may want to further investigate the activities on those tunnels.

This panel is also a good indicator of peak traffic, which helps you determine the best time to perform system maintenance.

There are four tabs available for this panel:

• Throughput: Displays the amount of throughput for data transfers through the network access tunnels.

• Open Connections: Displays the number of open connections through the network access tunnels.

• New Connections: Displays the number of new connections through the network access tunnels.

• Compression: Displays the compression level through the network access tunnel. The Compression tab provides a gauge as well as a chart.

Monitoring access control list information

The bottom right panel of the Access Policy dashboard displays ACL activity.

There is one tab available for this panel:

ACL Actions: Displays the action that the access control list takes when an access control entry is encountered.


18

Configuring SNMP

• Introducing SNMP administration

• Configuring the SNMP agent

• Working with SNMP MIB files

• Collecting performance data


Introducing SNMP administration

Simple Network Management Protocol (SNMP) is an industry-standard protocol that gives a standard SNMP management system the ability to remotely manage a device on the network. One of the devices that an SNMP management system can manage is an Access Policy Manager system. The SNMP versions that the Access Policy Manager system supports are SNMP v1, SNMP v2c, and SNMP v3. The Access Policy Manager system implementation of SNMP is based on the well-known SNMP package Net-SNMP, formerly known as UCD-SNMP.

Reviewing an industry-standard SNMP implementation

A standard SNMP implementation consists of an SNMP manager, which runs on a management system and makes requests to a device, and an SNMP agent, which runs on the managed device and fulfills those requests. SNMP device management is based on the standard management information base (MIB) known as MIB-II, as well as object IDs and MIB files.

• The MIB defines the standard objects that you can manage for a device, presenting those objects in a hierarchical, tree structure.

• Each object defined in the MIB has a unique object ID (OID), written as a series of integers. An OID indicates the location of the object within the MIB tree.

• A set of MIB files resides on both the SNMP manager system and the managed device. MIB files specify values for the data objects defined in the MIB. This set of MIB files consists of standard SNMP MIB files and enterprise MIB files. Enterprise MIB files are those MIB files that pertain to a particular company, such as F5 Networks, Inc.

Typical SNMP tasks that an SNMP manager performs include polling for data about a device, receiving notifications from a device about specific events, and modifying writable object data.

Reviewing the Access Policy Manager system SNMP implementation

To comply with the standard SNMP implementation, the Access Policy Manager system includes an SNMP agent, a set of standard SNMP MIB files, and a set of enterprise MIB files (those specific to the Access Policy Manager system). The enterprise MIB files typically reside on both the Access Policy Manager system and the system running the SNMP manager. You can use the browser-based Configuration utility to download the enterprise MIB files to your SNMP manager.


Using the Access Policy Manager system implementation of SNMP, the SNMP manager can perform these distinct functions:

• Poll for information (such as performance metrics).

• Receive notification of specific events that occur on the Access Policy Manager system.

• Set data for SNMP objects that have a read/write access type.

The last item in the list refers to the ability of an SNMP manager system to enable or disable various Access Policy Manager system objects such as virtual servers and nodes. Specifically, you can use SNMP to:

• Enable or disable a virtual server

• Enable or disable a virtual address

• Enable or disable a node

• Enable or disable a pool member

• Set a node to an up or down state

• Set a pool member to an up or down state

• Reset statistical data for all Access Policy Manager objects

Summarizing SNMP configuration on the Access Policy Manager system

Before an SNMP manager can manage an Access Policy Manager system remotely, you must perform a few configuration tasks on the Access Policy Manager system, using the Access Policy Manager system’s Configuration utility. After you have performed these configuration tasks, you can use standard SNMP commands on the remote manager system to manage the Access Policy Manager system.

The configuration tasks you perform are:

◆ Configuring the SNMP agent: There are a number of things you can do to configure the SNMP agent on the Access Policy Manager system. For example, you can allow client access to information that the SNMP agent collects, and you can configure the way that the SNMP agent handles SNMP traps. Traps are definitions of unsolicited notification messages that the Access Policy Manager alert system and the SNMP agent send to the SNMP manager when certain events occur.

◆ Downloading MIB files: You can download two sets of MIB files to your remote manager system: the standard SNMP MIB files and the enterprise MIB files. From the navigation pane, expand Overview, and click Welcome. From the Welcome screen, scroll down to Downloads.


Configuring the SNMP agent

To configure the SNMP agent on the Access Policy Manager system, you use the Configuration utility. Configuring the SNMP agent means performing the following tasks:

• Configuring Access Policy Manager system information: Specify a system contact name and the location of the Access Policy Manager system.

• Configuring client access to the SNMP agent: Configure the Access Policy Manager system to allow access to the SNMP agent from an SNMP manager system.

• Controlling access to SNMP data: Assign access levels to SNMP communities or users, to control access to SNMP data.

• Configuring traps: Enable or disable traps and specify the destination SNMP manager system for SNMP traps.

You can use the Configuration utility to configure the following information:

• Contact Information: The contact information is a MIB-II simple string variable defined by almost all SNMP devices. The contact name usually contains a user name, as well as an email address.

• Machine Location: The machine location is a MIB-II variable that almost all machines support. It is a simple string that defines the location of the machine.

To configure system information

1. On the Main tab of the navigation pane, expand System, and click SNMP. The SNMP Agent Configuration screen opens.

2. In the Global Setup area, fill in the boxes. For more information, see the online help.

3. Click Update.

Configuring client access

An SNMP client refers to any system running the SNMP manager software for the purpose of remotely managing the Access Policy Manager system. To set up client access to the Access Policy Manager system, you specify the IP or network addresses (with netmask as required) from which the SNMP agent can accept requests. (By default, SNMP is enabled only for the Access Policy Manager system loopback interface, 127.0.0.1.)


To allow client access to the SNMP agent

1. On the Main tab of the navigation pane, expand System, and click SNMP. The SNMP Agent Configuration screen opens.

2. For the Client Allow List setting, select Host or Network, depending on whether the IP address you specify is a host system or a subnet.

3. Type the following information:

• In the Address box, type an IP address or network address from which the SNMP agent can accept requests.

• If you selected Network in step 2, type the netmask in the Mask box.

4. Click the Add button to add the host or network address to the list of allowed clients.

5. Click Update.


Controlling access to SNMP data

To better control access to SNMP data, you can assign an access level to an SNMP v1 or v2c community, or to an SNMP v3 user.

There is a default access level for communities, and this access level is read-only. This means that you cannot write to an individual data object that has a read/write access type until you change the default read-only access level of the community or user.

The way to modify this default access level is by using the Configuration utility to grant read/write access to either a community (for SNMP v1 and v2c) or a user (SNMP v3), for a given OID.

When you set the access level of a community or user to read/write, and an individual data object has a read-only access type, access to the object remains read-only. In short, whichever of the access level and the access type is more restrictive takes precedence when there is a conflict. Table 18.1 illustrates this point.

If the access type of an object is... | And you set the access level of a community or user to... | Then access to the object is...
Read-only | Read-only | Read-only
Read-only | Read/write | Read-only
Read/write | Read-only | Read-only
Read/write | Read/write | Read/write

Table 18.1 Access control for SNMP data

To grant community access to SNMP data (v1 or v2c only)

1. On the Main tab of the navigation pane, expand System, and click SNMP. The SNMP Agent Configuration screen opens.

2. From the Agent menu, choose Access (v1, v2c). The SNMP Access screen opens.

3. In the upper-right corner of the screen, click Create. The New Access Record screen opens.

4. Select the type of address to which the access record applies.

5. In the Community box, type the name of the SNMP community for which you are assigning an access level (in step 8).

6. In the Source box, type the source IP address.

7. In the OID box, type the OID for the top-most node of the SNMP tree to which the access applies.

8. For the Access setting, select an access level, either Read Only or Read/Write. (This access level applies to the community name you specified in step 5.)

9. Click Finished.

To grant access to SNMP data (v3 only)

1. On the Main tab of the navigation pane, expand System, and click SNMP. The SNMP Agent Configuration screen opens.

2. From the Agent menu, choose Access (v3). The SNMP Access screen opens.

3. In the upper-right corner of the screen, click Create. The New Access Record screen opens.

4. In the User Name box, type a user name for which you are assigning an access level (in step 8).

5. For the Authentication setting, select a type of authentication to use, and then type and confirm the user’s password.

6. For the Privacy setting, select a privacy protocol, and then do either of the following:

• Type and confirm the user’s password.

• Check the Use Authentication Password box.

7. In the OID box, type the object identifier (OID) for the top-most node of the SNMP tree to which the access applies.

8. For the Access setting, select an access level, either Read Only or Read/Write. (This access level applies to the user name that you specified in step 4.)

9. Click Finished.

WARNING

You must remember to configure both authentication and privacy settings to use SNMPv3. Otherwise, an error occurs and SNMPv3 will not work properly.

Note

SNMPv3 currently supports AuthPriv setting only. It does not support AuthNoPrivacy.

When you use the Configuration utility to assign an access level to a community or user, the utility updates the snmpd.conf file, assigning only a single access setting to the community or user. There might be times, however, when you want to configure more sophisticated access control. To do this, you must edit the /config/snmp/snmpd.conf file directly, instead of using the Configuration utility.

For example, Figure 18.1 shows a sample snmpd.conf file after you use the Configuration utility to grant read/write access to a community.

In this example, the string rocommunity identifies a community named public as having the default read-only access level (indicated by the strings ro and default). This read-only access level prevents any allowed SNMP manager in community public from modifying a data object, even if the object has an access type of read/write.

The string rwcommunity identifies a community named public1 as having a read/write access level (indicated by the string rw). This read/write access level allows any allowed SNMP manager in community public1 to modify a data object under the tree node .1.3.6.1.4.1.3375.2.2.10.1 (ltmVirtualServ) on the local host 127.0.0.1, if that data object has an access type of read/write.

For more information, see the man page for the snmpd.conf file.
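The snmpd.conf lines in Figure 18.1 combine three restrictions this chapter describes: the community's access level (ro or rw), the source address a manager must come from (the same idea as the client allow list), and the OID subtree the grant covers, with the object's own access type capping the result as in Table 18.1. The following Python script is an added example, not F5's or Net-SNMP's code: it parses such lines and reports the effective access for a given request. The third configuration line (community ops, network 192.0.2.0/24) and the request OIDs under ltmVirtualServ are constructed for the example; where more than one line matches a community it takes the most permissive, which is an assumption of the example rather than documented Net-SNMP precedence.

```python
"""Evaluate the effective SNMP access a community gets from snmpd.conf directives.

Added example (not from the guide, not F5's or Net-SNMP's implementation). It reads
rocommunity/rwcommunity lines like those in Figure 18.1, applies their source-address
and OID-subtree restrictions, and caps the result by the MIB object's own access type
as Table 18.1 describes.
"""
import ipaddress
from dataclasses import dataclass

# The first two lines are the ones shown in Figure 18.1; the third (community "ops",
# source network 192.0.2.0/24, F5 enterprise subtree) is constructed for this example.
SAMPLE_SNMPD_CONF = """
rocommunity public default
rwcommunity public1 127.0.0.1 .1.3.6.1.4.1.3375.2.2.10.1
rwcommunity ops 192.0.2.0/24 .1.3.6.1.4.1.3375
"""

ACCESS_RANK = {"none": 0, "ro": 1, "rw": 2}


@dataclass(frozen=True)
class CommunityRule:
    community: str
    level: str   # "ro" or "rw"
    source: str  # "default" (any), a host address, or a network in CIDR or address/mask form
    oid: str     # top-most node the rule covers; "" means the whole MIB tree


def parse_snmpd_conf(text):
    """Extract rocommunity/rwcommunity directives; other directives are ignored here."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] not in ("rocommunity", "rwcommunity") or len(parts) < 2:
            continue
        rules.append(CommunityRule(
            community=parts[1],
            level=parts[0][:2],
            source=parts[2] if len(parts) > 2 else "default",
            oid=parts[3] if len(parts) > 3 else "",
        ))
    return rules


def source_matches(source, addr):
    """True if the manager address addr is covered by the rule's source field."""
    if source == "default":
        return True
    ip = ipaddress.ip_address(addr)
    if "/" in source:
        # ip_network accepts both 10.0.0.0/24 and 10.0.0.0/255.255.255.0
        return ip in ipaddress.ip_network(source, strict=False)
    return ip == ipaddress.ip_address(source)


def oid_in_subtree(oid, subtree):
    """Component-wise prefix test, so .2.2.10.12 is not under .2.2.10.1."""
    if not subtree:
        return True
    want = subtree.strip(".").split(".")
    have = oid.strip(".").split(".")
    return have[:len(want)] == want


def effective_access(rules, community, manager_addr, oid, object_type):
    """Return "none", "ro" or "rw" for a request on object oid (whose MIB access
    type is object_type, "ro" or "rw") sent from manager_addr using community."""
    granted = "none"
    for rule in rules:
        if rule.community != community:
            continue
        if not source_matches(rule.source, manager_addr):
            continue
        if not oid_in_subtree(oid, rule.oid):
            continue
        if ACCESS_RANK[rule.level] > ACCESS_RANK[granted]:
            granted = rule.level  # assumption: most permissive matching line wins
    if granted == "none":
        return "none"
    # Table 18.1: the more restrictive of community level and object access type wins.
    return granted if ACCESS_RANK[granted] <= ACCESS_RANK[object_type] else object_type


RULES = parse_snmpd_conf(SAMPLE_SNMPD_CONF)

if __name__ == "__main__":
    vs = ".1.3.6.1.4.1.3375.2.2.10.1.1"  # constructed OID under ltmVirtualServ
    print(effective_access(RULES, "public", "192.0.2.7", vs, "rw"))   # ro
    print(effective_access(RULES, "public1", "127.0.0.1", vs, "rw"))  # rw
    print(effective_access(RULES, "public1", "192.0.2.7", vs, "rw"))  # none
```

The three printed cases restate the text: community public can never write, public1 can write only from 127.0.0.1 and only below ltmVirtualServ, and a request from any other source gets nothing at all, which is the behaviour to confirm after hand-editing snmpd.conf.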

Configuring traps

On the Access Policy Manager system, traps are definitions of unsolicited notification messages that the Access Policy Manager alert system and the SNMP agent send to the SNMP manager when certain events occur on the Access Policy Manager system. Configuring SNMP traps on an Access Policy Manager system means configuring the way that the Access Policy Manager system handles traps, as well as setting the destination for notifications that the alert system and the SNMP agent send to an SNMP manager.

The Access Policy Manager system stores traps in two specific files:

• /etc/alertd/alert.conf: Contains default SNMP traps.

• /config/user_alert.conf: Contains user-defined SNMP traps.

Important

Do not add or remove traps from the /etc/alertd/alert.conf file.

You use the Configuration utility to configure traps, that is, enable traps and set trap destinations. When you configure traps, the Access Policy Manager system automatically updates the alert.conf and user_alert.conf files.

    rocommunity public default
    rwcommunity public1 127.0.0.1 .1.3.6.1.4.1.3375.2.2.10.1

Figure 18.1 Sample access-control assignments in the snmpd.conf file


Enabling traps for specific events

You can configure the SNMP agent on the Access Policy Manager system to send, or refrain from sending, notifications when the following events occur:

• The SNMP agent on the Access Policy Manager system stops or starts. By default, this trap is enabled.

• The Access Policy Manager system receives an authentication warning, generated when a client system attempts to access the SNMP agent. By default, this trap is disabled.

• The Access Policy Manager system receives any type of warning. By default, this trap is enabled.

To enable traps for specific events

1. On the Main tab of the navigation pane, expand System, and click SNMP. This opens the SNMP Agent Configuration screen.

2. From the Traps menu, choose Configuration. This displays the SNMP Trap Configuration screen.

3. To send traps when someone starts or stops the SNMP agent, verify that the Agent Start/Stop box is checked.

4. To send notifications when authentication warnings occur, check the Agent Authentication box.

5. To send notifications when certain warnings occur, verify that the Device box is checked.

6. Click Update.

Setting the trap destination

In addition to enabling certain traps for certain events, you must specify the destination SNMP manager to which the Access Policy Manager system should send notifications. For SNMP versions 1 and 2c only, you specify a destination system by providing the community name to which the Access Policy Manager system belongs, the IP address of the SNMP manager, and the target port number of the SNMP manager.

Important

If you are using SNMP V3 and want to configure a trap destination, you do not use the SNMP screens within the Configuration utility. Instead, you configure the snmpd.conf file. For more information, see the man page for the snmpd.conf file.

To specify a trap destination

1. On the Main tab of the navigation pane, expand System, and click SNMP. The SNMP Agent Configuration screen opens.

2. From the Traps menu, choose Destination. The SNMP Destination screen opens.

3. In the upper-right corner, click Create. The New Trap Record screen opens.

4. For the Version setting, select an SNMP version number.

5. In the Community box, type the community name for the SNMP agent running on the Access Policy Manager system.

6. In the Destination box, type the IP address of the SNMP management system.

7. In the Port box, type the SNMP management system port number that is to receive the traps.

8. Click Finished.

Working with SNMP MIB files

As described earlier, MIB files define the SNMP data objects contained in the SNMP MIB. There are two sets of MIB files that typically reside on the Access Policy Manager system and the SNMP manager system: enterprise MIB files (that is, F5-specific MIB files) and standard SNMP MIB files.

Both sets of MIB files are already present on the Access Policy Manager system, in the directory /usr/share/snmp/mibs. However, you still need to download them to your SNMP manager system. You can download these MIB files from the Welcome screen of the browser-based Configuration utility. For more information, see Downloading SNMP MIB files, following.

To make MIB-II as clear as possible, we have implemented the SNMP feature so that you use MIB-II for gathering standard Linux data only. You cannot use MIB-II to gather data that is specific to the Access Policy Manager system; instead, you must use the F5 enterprise MIB files. All OIDs for Access Policy Manager system data are contained in the F5 enterprise MIB files, including all interface statistics (1.3.6.1.4.1.3375.2.1.2.4 (sysNetwork.sysInterfaces)).

Note

All Access Policy Manager system statistics are defined by 64-bit counters. Thus, because only SNMP v2c supports 64-bit counters, your management system needs to use SNMP v2c to query Access Policy Manager system statistics data.

Downloading SNMP MIB files

The enterprise MIB files that you can download to the SNMP manager system are:

• F5-BIGIP-COMMON-MIB.txt: This MIB file contains common information and all notifications (traps).

• F5-BIGIP-LOCAL-MIB.txt: This enterprise MIB file contains information about the properties of Access Policy Manager system features related to local traffic management (such as virtual servers, pools, and SNATs).

• F5-BIGIP-SYSTEM-MIB.txt: This MIB file includes global information on system-specific objects.

• F5-BIGIP-SAM-MIB.txt: This MIB file contains information about the properties associated with viewing and accessing access profile and secure connectivity statistics.

To view the set of standard SNMP MIB files that you can download to the SNMP manager system, list the contents of the Access Policy Manager system directory /usr/share/snmp/mibs.

To download MIB files

1. On the navigation pane, expand Overview, and click Welcome. The Welcome screen opens.

2. Scroll to the Downloads section, and locate the SNMP MIBs section.

3. Click the type of MIB files to download. The two MIB file types are F5 MIB files and Net-SNMP MIB files.

4. Follow the instructions on the screen to complete the download.

Understanding the enterprise MIB files

Once you have downloaded all of the necessary MIB files, you should familiarize yourself with the contents of the enterprise MIBs, for purposes of managing the Access Policy Manager system and troubleshooting Access Policy Manager system events.

Note

To manage an Access Policy Manager system with SNMP, you need to use the standard set of SNMP commands. For information on SNMP commands, consult your favorite third-party SNMP documentation, or visit the web site http://net-snmp.sourceforge.net.

The Access Policy Manager system includes a set of enterprise MIB files:

• F5-BIGIP-COMMON-MIB.txt

• F5-BIGIP-LOCAL-MIB.txt

• F5-BIGIP-SAM-MIB.txt

• F5-BIGIP-SYSTEM-MIB.txt

These MIB files contain information that you can use for your remote management station to poll the SNMP agent for Access Policy Manager system-specific information, receive Access Policy Manager system-specific notifications, or set Access Policy Manager system data.

Using the F5-BIGIP-COMMON-MIB.txt file

The F5-BIGIP-COMMON-MIB.txt file is an enterprise MIB file that contains objects pertaining to any common information, as well as the F5-specific SNMP traps.

All F5-specific traps are contained within this MIB file. You can identify the traps within this MIB file by viewing the file and finding object names that show the designation NOTIFICATION-TYPE.

When an F5-specific trap sends a notification to the SNMP manager system, the SNMP manager system receives a text message describing the event or problem that has occurred.

To see all available MIB objects in this MIB file, you can view the F5-BIGIP-COMMON-MIB.txt file in the directory /usr/share/snmp/mibs on the Access Policy Manager system.

Using the F5-BIGIP-LOCAL-MIB.txt file

The F5-BIGIP-LOCAL-MIB.txt file is an enterprise MIB file that contains information that an SNMP manager system can access for the purpose of managing local application traffic. For example, you can:

• View the maximum number of entries that a node can have open at any given time.

• Get a pool name.

• View the current active members for a load balancing pool.

• Reset pool statistics.

• Get profile information such as the total number of concurrent authentication sessions.

In general, you can use this MIB file to get information on any local traffic manager object (virtual servers, pools, nodes, profiles, SNATs, health monitors, and iRules). You can also reset statistics for any of these objects.

To see all available enterprise MIB objects for local traffic manager, you can view the F5-BIGIP-LOCAL-MIB.txt file in the directory /usr/share/snmp/mibs on the Access Policy Manager system.

Using the F5-BIGIP-SYSTEM-MIB.txt file

The F5-BIGIP-SYSTEM-MIB.txt file is an enterprise MIB file that describes objects representing common system information. Examples of information in this MIB file are global statistic data, network information, and platform information. Some of the data in this MIB file is similar to that defined in MIB-II, but is not exactly the same.

Table 18.2 shows standard MIB-II objects and the F5-specific objects that approximately correspond to them.

MIB-II Category or Object | F5-BIGIP-SYSTEM-MIB Object Name
MIB-II | f5.bigipSystem
interfaces | sysNetwork.sysInterfaces.sysInterface, sysNetwork.sysInterfaces.sysInterfaceStat, sysNetwork.sysInterfaces.sysInterfaceMediaOptions
ip | sysGlobalStats.sysGlobalIpStat
ip.AddrTable | sysNetwork.sysSelfIp
ip.RouteTable | sysNetwork.sysRoute
ip.ipNetToMediaTable | sysNetwork.sysArpNdp
icmp | sysGlobalStats.sysGlobalIcmpStat
tcp | sysGlobalStats.sysGlobalTcpStat
udp | sysGlobalStats.sysGlobalUdpStat
transmission/dot3.dot3StatTable, transmission/dot3.dot3CollTable | sysNetwork.sysTransmission.sysDot3Stat
dot1dBridge.dot1dBase | sysNetwork.sysDot1dBridge
dot1dBridge.dot1dStp | sysNetwork.sysSpanningTree.sysStpBridgeStat, sysNetwork.sysSpanningTree.sysStpBridgeTreeStat, sysNetwork.sysSpanningTree.sysInterfaceStat, sysNetwork.sysSpanningTree.sysInterfaceTreeStat
dot1dBridge.dot1dTp | sysGlobalAttr.VlanFDBTimeout
dot1dBridge.dot1dTpFdbTable | sysNetwork.sysL2
dot1dTpPortTable | sysNetwork.sysInterfaces.sysInterfaceStat
dot1dStaticTable | Not supported.
ifMIB/ifMIBObjects.ifXTable | sysNetwork.sysInterfaces.sysIfxStat

Table 18.2 F5-BIGIP-SYSTEM-MIB objects and their relationship to MIB-II objects

To see all available enterprise MIB system objects, you can view the F5-BIGIP-SYSTEM-MIB.txt file in the directory /usr/share/snmp/mibs on the Access Policy Manager system.

Using the RMON-MIB.txt file

One of the MIB files that the Access Policy Manager system provides is the Remote Network Monitoring (RMON) MIB file, RMON-MIB.txt. This file is the standard RMON MIB file. However, the implementation of RMON on the Access Policy Manager system differs slightly from the standard RMON implementation, in these ways:

• The Access Policy Manager system implementation of RMON supports four of the nine RMON groups. The four supported RMON groups are: statistics, history, alarms, and events.

• The RMON-MIB.txt file monitors the Access Policy Manager system interfaces (that is, sysIfIndex), and not the standard Linux interfaces.

• For hardware reasons, the packet-length-specific statistics in the RMON statistics group offer combined transmission and receiving statistics only. This behavior differs from the behavior described in the definitions of the corresponding object IDs.

To understand how RMON operates for an Access Policy Manager system, you can view the RMON-MIB.txt file in the directory /usr/share/snmp/mibs on the Access Policy Manager system.

Using the F5-BIGIP-SAM-MIB file

As mentioned earlier, this MIB file contains specific information associated with viewing and accessing access profile and secure connectivity statistics.

For a list of the type of objects used to view both access policy and secure connectivity statistics, refer to Chapter 11, Logging and Reporting.

Collecting performance data

The Configuration utility on the Access Policy Manager system displays graphs showing performance metrics for the system. However, you can also use SNMP to collect the same information.

The types of performance metrics that you can gather using SNMP are:

• Megabytes of memory being used

• Number of active connections

• Number of new connections

• Throughput in bits per second

• Number of HTTP requests

• CPU use

Each type of metric has one or more SNMP object IDs (OIDs) associated with it. To gather performance data, you specify these OIDs with the appropriate SNMP command.

For example, the following SNMP command collects data on current memory use, where public is the community name and bigip is the host name of the Access Policy Manager system (SNMP v2c is specified because, as noted above, the system statistics are 64-bit counters):

snmpget -v 2c -c public bigip sysGlobalStat.sysStatMemoryUsed.0

For some types of metrics, such as memory use, simply issuing an SNMP command with an OID gives you the information you need. For other types of metrics, the data that you collect with SNMP is not useful until you perform a calculation on it.

For example, to determine the throughput rate of client bits coming into the Access Policy Manager system, you must perform the following calculation on the data that you collect with the OID shown:

( sysStatClientBytesIn (.1.3.6.1.4.1.3375.2.1.1.2.1.3)*8 ) / time

This calculation takes the data resulting from specifying the OID sysStatClientBytesIn, multiplies the value by 8, and divides it by the elapsed time.

The following sections contain tables that list:

• The performance data that the Configuration utility displays

• The OIDs that you can use to collect the performance data

• The calculations that you must perform to interpret the performance data that you collect

Note

If an OID that is listed in any of the following sections does not show a calculation, then no calculation is required.

Collecting data on memory use

You can use an SNMP command with OIDs to gather data on the number of megabytes of memory currently being used on the Access Policy Manager system. Table 18.3 shows the OIDs that you need to specify to gather data on the current memory use. To collect memory use data, you do not need to perform a calculation on the collected data.

Collecting data on active connections

You can use SNMP commands with various OIDs to gather data on the number of active connections on the Access Policy Manager system. Table 18.4 shows the OIDs that you need to specify to gather data on active connections. In this case, you do not need to perform any calculations on the collected data.

Performance Graph (Configuration utility) | Graph Metric | Required SNMP OID
Memory Used | TMM Mem Usage | sysStatMemoryUsed (.1.3.6.1.4.1.3375.2.1.1.2.1.45)
Memory Used | Host Mem Usage | sysHostMemoryUsed (.1.3.6.1.4.1.3375.2.1.7.2)

Table 18.3 Required OIDs for collecting metrics on memory use

Performance Graph (Configuration utility) | Graph Metrics | Required SNMP OIDs
Active Connections (summary graph) | Connections | sysStatClientCurConns (.1.3.6.1.4.1.3375.2.1.1.2.1.8)
Active Connections (detailed graph) | client | sysStatClientCurConns (.1.3.6.1.4.1.3375.2.1.1.2.1.8)
Active Connections (detailed graph) | server | sysStatServerCurConns (.1.3.6.1.4.1.3375.2.1.1.2.1.15)
Active Connections (detailed graph) | ssl client | sysClientsslStatCurConns (.1.3.6.1.4.1.3375.2.1.1.2.9.2)
Active Connections (detailed graph) | ssl server | sysServersslStatCurConns (.1.3.6.1.4.1.3375.2.1.1.2.10.2)

Table 18.4 Required OIDs for collecting metrics on active connections

Collecting data on new connections

You can use SNMP commands with various OIDs to gather data on the number of new connections on the Access Policy Manager system. Table 18.5 shows the OIDs that you need to specify to gather data on new connections, along with the calculations that you must perform on the collected data.

Performance Graph (Configuration utility) | Graph Metrics | Required SNMP OIDs and the required calculations
New Connections (summary graph) | Client Connections | sysStatClientTotConns (.1.3.6.1.4.1.3375.2.1.1.2.1.7)
New Connections (summary graph) | Client Accepts | sysTcpStatAccepts (.1.3.6.1.4.1.3375.2.1.1.2.12.6) / time
New Connections (summary graph) | Server Connects | sysTcpStatConnects (.1.3.6.1.4.1.3375.2.1.1.2.12.8) / time
Total New Connections (detailed graph) | Client Connections | sysStatClientTotConns (.1.3.6.1.4.1.3375.2.1.1.2.1.7) / time
Total New Connections (detailed graph) | Server Connections | sysStatServerTotConns (.1.3.6.1.4.1.3375.2.1.1.2.1.14) / time
New PVA Connections (detailed graph) | pva client | sysStatPvaClientTotConns (.1.3.6.1.4.1.3375.2.1.1.2.1.21) / time
New PVA Connections (detailed graph) | pva server | sysStatPvaServerTotConns (.1.3.6.1.4.1.3375.2.1.1.2.1.28) / time
New SSL Connections (detailed graph) | SSL Client | ( sysClientsslStatTotNativeConns (.1.3.6.1.4.1.3375.2.1.1.2.9.6) + sysClientsslStatTotCompatConns (.1.3.6.1.4.1.3375.2.1.1.2.9.9) ) / time
New SSL Connections (detailed graph) | SSL Server | ( sysServersslStatTotNativeConns (.1.3.6.1.4.1.3375.2.1.1.2.10.6) + sysServersslStatTotCompatConns (.1.3.6.1.4.1.3375.2.1.1.2.10.9) ) / time
New Accepts/Connects (detailed graph) | Client Accepts | sysTcpStatAccepts (.1.3.6.1.4.1.3375.2.1.1.2.12.6) / time
New Accepts/Connects (detailed graph) | Server Connects | sysTcpStatConnects (.1.3.6.1.4.1.3375.2.1.1.2.12.8) / time

Table 18.5 Required OIDs for collecting metrics on new connections

Collecting data on throughput

You can use SNMP commands with various OIDs to gather data on the throughput rate on the Access Policy Manager system, in terms of bits per second. Table 18.6 shows the OIDs that you need to specify to gather data on throughput rate, along with the calculations that you must perform on the collected data.

Collecting data on HTTP requests

You can use SNMP commands with various OIDs to gather data on the number of current HTTP requests on the Access Policy Manager system, in terms of requests per second. Table 18.7 shows the OID that you need to specify to gather data on HTTP requests, along with the calculations that you must perform on the collected data.

Performance Graph (Configuration utility) | Graph Metrics | Required SNMP OIDs and the required calculations
Throughput (summary graph) | Client Bits | ( ( sysStatClientBytesIn (.1.3.6.1.4.1.3375.2.1.1.2.1.3) + sysStatClientBytesOut (.1.3.6.1.4.1.3375.2.1.1.2.1.5) ) * 8 ) / time
Throughput (summary graph) | Server Bits | ( ( sysStatServerBytesIn (.1.3.6.1.4.1.3375.2.1.1.2.1.10) + sysStatServerBytesOut (.1.3.6.1.4.1.3375.2.1.1.2.1.12) ) * 8 ) / time
Throughput (detailed graph) | Client Bits In | ( sysStatClientBytesIn (.1.3.6.1.4.1.3375.2.1.1.2.1.3) * 8 ) / time
Throughput (detailed graph) | Client Bits Out | ( sysStatClientBytesOut (.1.3.6.1.4.1.3375.2.1.1.2.1.5) * 8 ) / time
Throughput (detailed graph) | Server Bits In | ( sysStatServerBytesIn (.1.3.6.1.4.1.3375.2.1.1.2.1.10) * 8 ) / time
Throughput (detailed graph) | Server Bits Out | ( sysStatServerBytesOut (.1.3.6.1.4.1.3375.2.1.1.2.1.12) * 8 ) / time

Table 18.6 Required OIDs for collecting metrics on throughput

Performance Graph (Configuration utility) | Graph Metric | Required SNMP OID and the required calculation
HTTP Requests | HTTP Requests | sysStatHttpRequests (.1.3.6.1.4.1.3375.2.1.1.2.1.56) / time

Table 18.7 Required OIDs for collecting metrics on HTTP requests

Collecting data on RAM Cache utilization

You can use an SNMP command with various OIDs to gather data on RAM cache utilization. Table 18.8 shows the OIDs that you need to specify to gather this data.

Collecting data on CPU use

You can use SNMP commands with various OIDs to gather data on CPU use on the Access Policy Manager system. Specifically, you can gather data for two different graph metrics: TMM CPU Usage and CPU[0-n].

To gather the data for each of these metrics, you must perform some polling and calculations. First, for each metric type (for example, sysStatTmTotalCycles), you must perform two separate polls, at ten-second intervals. Then, you must calculate the delta of the two polls. Finally, you must use these delta values to perform the calculation shown in Table 18.9. The two sections following the table contain the specific procedures you use to calculate metrics for TMM CPU Usage and CPU[0-n] metric types.

Performance Graph (Configuration utility) | Graph Metric | Required SNMP OIDs and the required calculation
RAM Cache Utilization | Hit Rate | sysHttpStatRamcacheHits (.1.3.6.1.4.1.3375.2.1.1.2.4.46) / ( sysHttpStatRamcacheHits (.1.3.6.1.4.1.3375.2.1.1.2.4.46) + sysHttpStatRamcacheMisses (.1.3.6.1.4.1.3375.2.1.1.2.4.47) ) * 100
RAM Cache Utilization | Byte Rate | sysHttpStatRamcacheHitBytes (.1.3.6.1.4.1.3375.2.1.1.2.4.49) / ( sysHttpStatRamcacheHitBytes (.1.3.6.1.4.1.3375.2.1.1.2.4.49) + sysHttpStatRamcacheMissBytes (.1.3.6.1.4.1.3375.2.1.1.2.4.50) ) * 100
RAM Cache Utilization | Eviction Rate | sysHttpStatRamcacheEvictions (.1.3.6.1.4.1.3375.2.1.1.2.4.54) / ( sysHttpStatRamcacheHits (.1.3.6.1.4.1.3375.2.1.1.2.4.46) + sysHttpStatRamcacheMisses (.1.3.6.1.4.1.3375.2.1.1.2.4.47) ) * 100

Table 18.8 Required OIDs for collecting metrics on RAM Cache utilization

Performance Graph (Configuration utility) | Graph Metric | Required SNMP OIDs and the required calculation
CPU Usage | CPU[0-n] | (DeltaCpuUser + DeltaCpuNice + DeltaCpuSystem) / (DeltaCpuUser + DeltaCpuNice + DeltaCpuIdle + DeltaCpuSystem + DeltaCpuIrq + DeltaCpuSoftirq + DeltaCpuIowait)
CPU Usage | TMM CPU Usage | ( (DeltaTmTotalCycles - (DeltaTmIdleCycles + DeltaTmSleepCycles)) / DeltaTmTotalCycles ) * 100

Table 18.9 Required OIDs for collecting metrics on CPU use

To calculate the CPU[0-n] metric

1. Perform two separate polls of each of the following OIDs:

• sysHostCpuUser (.1.3.6.1.4.1.3375.2.1.7.2.2.1.3)

• sysHostCpuNice (.1.3.6.1.4.1.3375.2.1.7.2.2.1.4)

• sysHostCpuIdle (.1.3.6.1.4.1.3375.2.1.7.2.2.1.5)

• sysHostCpuSystem (.1.3.6.1.4.1.3375.2.1.7.2.2.1.6)

• sysHostCpuIrq (.1.3.6.1.4.1.3375.2.1.7.2.2.1.7)

• sysHostCpuSoftirq (.1.3.6.1.4.1.3375.2.1.7.2.2.1.8)

• sysHostCpuIowait (.1.3.6.1.4.1.3375.2.1.7.2.2.1.9)

Note: For each OID, perform the polls approximately ten seconds apart.

2. For each OID, calculate the delta of the values from the two polls, as shown in the following formulas. Note that in the formulas shown, values such as sysHostCpuUser2 and sysHostCpuUser1 represent the values that result from the two polls you performed in step 1 for that OID.

DeltaCpuUser = sysHostCpuUser2 - sysHostCpuUser1

DeltaCpuNice = sysHostCpuNice2 - sysHostCpuNice1

DeltaCpuSystem = sysHostCpuSystem2 - sysHostCpuSystem1

DeltaCpuIdle = sysHostCpuIdle2 - sysHostCpuIdle1

DeltaCpuIrq = sysHostCpuIrq2 - sysHostCpuIrq1

DeltaCpuSoftirq = sysHostCpuSoftirq2 - sysHostCpuSoftirq1

DeltaCpuIowait = sysHostCpuIowait2 - sysHostCpuIowait1

3. Using the resulting delta values (for example, DeltaCpuUser), calculate the CPU[0-n] metric, according to the formula shown in table 18.9.

To calculate the TMM CPU Usage metric

1. Perform two separate polls of each of the following OIDs:

• sysStatTmTotalCycles (.1.3.6.1.4.1.3375.2.1.1.2.1.41)

• sysStatTmIdleCycles (.1.3.6.1.4.1.3375.2.1.1.2.1.42)

• sysStatTmSleepCycles (.1.3.6.1.4.1.3375.2.1.1.2.1.43)

Note: For each OID, perform the polls approximately ten seconds apart.

2. For each OID, calculate the delta of the values from the two polls, as shown in the following example. Note that in the formula shown, values such as sysStatTmTotalCycles2 and sysStatTmTotalCycles1 represent the values that result from the two polls you performed in step 1 for each OID.

DeltaTmTotalCycles = sysStatTmTotalCycles2 - sysStatTmTotalCycles1

DeltaTmIdleCycles = sysStatTmIdleCycles2 - sysStatTmIdleCycles1

DeltaTmSleepCycles = sysStatTmSleepCycles2 - sysStatTmSleepCycles1

3. Using the resulting delta values (for example, DeltaTmTotalCycles), calculate the TMM CPU Usage metric, according to the formula shown in table 18.9.
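The poll-and-delta calculations above (the throughput formula of Table 18.6, the per-second rates of Tables 18.5 and 18.7, and the CPU[0-n] and TMM CPU Usage procedures) carried through in Python, as an added example that is not F5 code. The two polls are constructed strings in the format in which snmpget prints Counter64 values, taken ten seconds apart; the .0 and .1 instance indexes and all counter values are assumptions, and one counter is made to wrap between polls to show why the delta must be taken modulo the counter width.

```python
"""Compute the graph metrics of Tables 18.5 to 18.9 from two SNMP polls taken ten
seconds apart (added example; not F5 code). Each poll is the text that snmpget
prints, one variable per line: MODULE::name.index = Counter64: value. The polls
below are constructed; the .0/.1 instance indexes and all values are assumptions,
chosen so that sysStatClientBytesIn wraps around between the two polls."""
import re
from typing import Dict, List, Tuple

POLL_INTERVAL_S = 10.0  # the procedures above poll about ten seconds apart

POLL_1 = """\
F5-BIGIP-SYSTEM-MIB::sysStatClientBytesIn.0 = Counter64: 18446744073709550616
F5-BIGIP-SYSTEM-MIB::sysStatClientBytesOut.0 = Counter64: 9000000
F5-BIGIP-SYSTEM-MIB::sysStatClientTotConns.0 = Counter64: 100000
F5-BIGIP-SYSTEM-MIB::sysStatTmTotalCycles.0 = Counter64: 1000000
F5-BIGIP-SYSTEM-MIB::sysStatTmIdleCycles.0 = Counter64: 600000
F5-BIGIP-SYSTEM-MIB::sysStatTmSleepCycles.0 = Counter64: 100000
F5-BIGIP-SYSTEM-MIB::sysHostCpuUser.1 = Counter64: 5000
F5-BIGIP-SYSTEM-MIB::sysHostCpuNice.1 = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysHostCpuIdle.1 = Counter64: 80000
F5-BIGIP-SYSTEM-MIB::sysHostCpuSystem.1 = Counter64: 3000
F5-BIGIP-SYSTEM-MIB::sysHostCpuIrq.1 = Counter64: 100
F5-BIGIP-SYSTEM-MIB::sysHostCpuSoftirq.1 = Counter64: 100
F5-BIGIP-SYSTEM-MIB::sysHostCpuIowait.1 = Counter64: 800
"""
POLL_2 = """\
F5-BIGIP-SYSTEM-MIB::sysStatClientBytesIn.0 = Counter64: 4000
F5-BIGIP-SYSTEM-MIB::sysStatClientBytesOut.0 = Counter64: 9125000
F5-BIGIP-SYSTEM-MIB::sysStatClientTotConns.0 = Counter64: 100500
F5-BIGIP-SYSTEM-MIB::sysStatTmTotalCycles.0 = Counter64: 2000000
F5-BIGIP-SYSTEM-MIB::sysStatTmIdleCycles.0 = Counter64: 1200000
F5-BIGIP-SYSTEM-MIB::sysStatTmSleepCycles.0 = Counter64: 250000
F5-BIGIP-SYSTEM-MIB::sysHostCpuUser.1 = Counter64: 5600
F5-BIGIP-SYSTEM-MIB::sysHostCpuNice.1 = Counter64: 0
F5-BIGIP-SYSTEM-MIB::sysHostCpuIdle.1 = Counter64: 80200
F5-BIGIP-SYSTEM-MIB::sysHostCpuSystem.1 = Counter64: 3100
F5-BIGIP-SYSTEM-MIB::sysHostCpuIrq.1 = Counter64: 110
F5-BIGIP-SYSTEM-MIB::sysHostCpuSoftirq.1 = Counter64: 120
F5-BIGIP-SYSTEM-MIB::sysHostCpuIowait.1 = Counter64: 870
"""

LINE_RE = re.compile(r"^(?:[\w-]+::)?(?P<name>\w+)\.(?P<index>\d+)\s*=\s*"
                     r"(?P<type>Counter64|Counter32|Gauge32|INTEGER):\s*(?P<value>\d+)$")
Poll = Dict[str, Tuple[str, int]]  # "name.index" -> (SNMP type, value)

def parse_poll(text: str) -> Poll:
    """Parse snmpget-style output lines into a dictionary keyed by name.index."""
    poll: Poll = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            poll[f"{m['name']}.{m['index']}"] = (m["type"], int(m["value"]))
    return poll

def delta(p1: Poll, p2: Poll, key: str) -> int:
    """Poll-to-poll difference; Counter32/Counter64 wrap-around is undone."""
    typ, v1 = p1[key]
    _, v2 = p2[key]
    width = {"Counter64": 64, "Counter32": 32}.get(typ)
    return (v2 - v1) % (1 << width) if width else v2 - v1

def per_second(p1: Poll, p2: Poll, key: str, seconds: float = POLL_INTERVAL_S) -> float:
    """Tables 18.5 and 18.7: counter delta / time."""
    return delta(p1, p2, key) / seconds

def bits_per_second(p1: Poll, p2: Poll, keys: List[str],
                    seconds: float = POLL_INTERVAL_S) -> float:
    """Table 18.6: (sum of the byte-counter deltas * 8) / time."""
    return sum(delta(p1, p2, k) for k in keys) * 8 / seconds

def tmm_cpu_usage_percent(p1: Poll, p2: Poll) -> float:
    """Table 18.9: ((DeltaTmTotalCycles - (DeltaTmIdleCycles + DeltaTmSleepCycles))
    / DeltaTmTotalCycles) * 100; 0.0 when no cycles elapsed between polls."""
    total = delta(p1, p2, "sysStatTmTotalCycles.0")
    idle = delta(p1, p2, "sysStatTmIdleCycles.0")
    sleep = delta(p1, p2, "sysStatTmSleepCycles.0")
    return (total - (idle + sleep)) / total * 100 if total else 0.0

def host_cpu_busy_ratio(p1: Poll, p2: Poll, cpu_index: int = 1) -> float:
    """Table 18.9 CPU[0-n]: (User + Nice + System deltas) / sum of all seven deltas."""
    fields = ("User", "Nice", "Idle", "System", "Irq", "Softirq", "Iowait")
    d = {f: delta(p1, p2, f"sysHostCpu{f}.{cpu_index}") for f in fields}
    total = sum(d.values())
    return (d["User"] + d["Nice"] + d["System"]) / total if total else 0.0

if __name__ == "__main__":
    p1, p2 = parse_poll(POLL_1), parse_poll(POLL_2)
    print("Client Bits In:", bits_per_second(p1, p2, ["sysStatClientBytesIn.0"]), "bit/s")
    print("Client connections/s:", per_second(p1, p2, "sysStatClientTotConns.0"))
    print("TMM CPU Usage:", tmm_cpu_usage_percent(p1, p2), "%")
    print("CPU[1] busy ratio:", host_cpu_busy_ratio(p1, p2))
```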

Collecting data on SSL transactions per second

You can use SNMP commands with an OID to gather data on SSL performance, in terms of transactions per second. Table 18.10 shows the OID that you need to specify to gather data on SSL TPS, along with the calculation that you must perform on the collected data.

Additional commands used for SNMP

You can use the following additional SNMP commands to view various statistics, including conducting a simple SNMP walk.

Performance Graph (Configuration utility) | Graph Metrics | Required SNMP OIDs and the required calculations
SSL TPS | SSL TPS | sysStatClientTotConns (.1.3.6.1.4.1.3375.2.1.1.2.1.7) / time

Table 18.10 Required OIDs for collecting metrics on SSL TPS

Task | Command
Performing an SNMP walk for SNMPv1 | snmpwalk -c <communitystring> -v 1 <mgmtIPofSecureAccessManager> enterprises.3375.2.6
Performing an SNMP walk for SNMPv2 | snmpwalk -c <communitystring> -v 2c <mgmtIPofSecureAccessManager> enterprises.3375.2.6
Performing an SNMP walk for SNMPv3 | snmpwalk -v 3 -l authNoPriv -u <username> -a MD5 -A <authPassword> <mgmtIPofSecureAccessManager> enterprises.3375.2.6, or snmpwalk -v 3 -l authPriv -u <username> -a MD5 -A <authPassword> -x DES -X <privacyPassword> <mgmtIPofSecureAccessManager> enterprises.3375.2.6
Viewing global access statistics for SNMPv1 | snmpwalk -c <communitystring> -v 1 <mgmtIPofSecureAccessManager> enterprises.3375.2.6.1.2
Viewing global access statistics for SNMPv2 | snmpwalk -c <communitystring> -v 2c <mgmtIPofSecureAccessManager> enterprises.3375.2.6.1.2
Viewing global access statistics for SNMPv3 | snmpwalk -v 3 -l authNoPriv -u <username> -a MD5 -A <authPassword> <mgmtIPofSecureAccessManager> enterprises.3375.2.6.1.2, or snmpwalk -v 3 -l authPriv -u <username> -a MD5 -A <authPassword> -x DES -X <privacyPassword> <mgmtIPofSecureAccessManager> enterprises.3375.2.6.1.2
Viewing global PPP statistics for SNMPv1 | snmpwalk -c <communitystring> -v 1 <mgmtIPofSecureAccessManager> enterprises.3375.2.6.2.1
Viewing global PPP statistics for SNMPv2 | snmpwalk -c <communitystring> -v 2c <mgmtIPofSecureAccessManager> enterprises.3375.2.6.2.1
Viewing global PPP statistics for SNMPv3 | snmpwalk -v 3 -l authNoPriv -u <username> -a MD5 -A <authPassword> <mgmtIPofSecureAccessManager> enterprises.3375.2.6.2.1, or snmpwalk -v 3 -l authPriv -u <username> -a MD5 -A <authPassword> -x DES -X <privacyPassword> <mgmtIPofSecureAccessManager> enterprises.3375.2.6.2.1
Viewing profile access statistics for SNMPv1 | snmpwalk -c <communitystring> -v 1 <mgmtIPofSecureAccessManager> enterprises.3375.2.6.1.1
Viewing profile access statistics for SNMPv2 | snmpwalk -c <communitystring> -v 2c <mgmtIPofSecureAccessManager> enterprises.3375.2.6.1.1
Viewing profile access statistics for SNMPv3 | snmpwalk -v 3 -l authNoPriv -u <username> -a MD5 -A <authPassword> <mgmtIPofSecureAccessManager> enterprises.3375.2.6.1.1, or snmpwalk -v 3 -l authPriv -u <username> -a MD5 -A <authPassword> -x DES -X <privacyPassword> <mgmtIPofSecureAccessManager> enterprises.3375.2.6.1.1

Table 18.11 Additional commands to view SNMP statistics

Appendix A

Configuring BIG-IP Access Policy Manager clients

• Understanding the BIG-IP Edge client

• Configuring connectivity profiles

• Using Macintosh and Linux clients with Access Policy Manager

• Establishing client connections

• Using the client troubleshooting utility

Understanding the BIG-IP Edge client

The BIG-IP® Access Policy Manager™ includes automatic installation support for Windows clients, so you can use the Access Policy Manager for secure remote access. Access Policy Manager downloads components to the end user's computer at initial logon. The downloaded client components enable the various features of the Access Policy Manager functionality. This download occurs automatically for those systems that support software installation. For clients that do not support such automatic software installation, you can configure and distribute the BIG-IP® Edge Client™, configured to meet the needs of the client systems you support.

The type of control downloaded differs depending on the user’s operating system. For proper functionality, the controls require certain conditions:

For Microsoft® Windows®-based computers, the requirements are:

• The user must have ActiveX enabled if the browser is Internet Explorer.

• If the browser is not Internet Explorer, the user must allow software installation.

If the client starts a network access tunnel, one of the following must be true:

• The client has Administrator privileges on the client system.

• The client control is already installed on the system.

• The Component Installer Package for Windows has been installed on the system.

Access policy sessions other than network access tunnels do not require administrative access. All client-side checks and actions, except the Windows group policy action, can be run without administrative rights.

For Apple® Macintosh® (OS X only) and Linux®-based systems, the user must have Superuser authority, or the user must supply the administrative password at the time of initial installation.

For more information about downloading and installing the client components, see Understanding client components on Windows systems, following. For more information about the Component Installer, see Using the component installer package to preinstall client components, on page A-11.

Introducing BIG-IP Edge Client™ features

The BIG-IP Edge Client™ includes several features that are not available in the web client. These features are especially useful for roaming users; that is, users who take a laptop from one place to another, and wish to remain connected to the corporate or company network as much as possible.

Understanding location awareness

The BIG-IP Edge Client™ provides a location awareness feature. Using location awareness, the client connects automatically only when it is not on a specified network. The administrator specifies the networks that are considered in-network, by adding DNS suffixes to the client installer download package. With a location aware client enabled, a user with a corporate laptop can go from a corporate office, with a secured wireless or wired network connection, to an offsite location with a public wireless network connection, and maintain a seamless connection to allowed corporate resources.

Understanding automatic reconnection

The BIG-IP Edge Client™ provides an automatic reconnection feature. This feature attempts to automatically reconnect the user's computer to corporate network resources whenever the client connection is dropped or ended prematurely.

Understanding client components on Windows systems

Installing and running an Access Policy Manager component on Windows-based systems requires certain user rights. Table A.1, following, contains a list of the user plugins, and shows the user rights required to download and install the associated components. Preinstalling components provides seamless upgrade for clients after you upgrade the Access Policy Manager. For information about preinstalling components, see Using the component installer package to preinstall client components, on page A-11.

You can also use the Component Installer feature to provide completely transparent installation and upgrading of components, regardless of the rights under which the user is running. For more information about the Component Installer, see Using the component installer package to preinstall client components, on page A-11.

The following table lists user rights required to use endpoint check components.

Access Policy Manager plugin    Guest rights   User rights   Power User rights   Administrator rights
Antivirus check                 No support     OK            OK                  OK
Firewall check                  No support     OK            OK                  OK
Windows File check              No support     OK            OK                  OK
Machine Cert Auth               No support     OK            OK                  OK
Windows information check       No support     OK            OK                  OK
Windows Process check           No support     OK            OK                  OK
Registry check                  No support     OK            OK                  OK
UI mode check                   OK             OK            OK                  OK
Client-Side Check Capability    OK             OK            OK                  OK
Client OS check                 OK             OK            OK                  OK
Landing URI check               OK             OK            OK                  OK
Logging action                  OK             OK            OK                  OK

Table A.1 User rights requirements for endpoint checks

For client systems that have the components pre-installed using the MSI package, the requirements are the same. In cases in which user rights are insufficient, although the system cannot download the update, the previously installed component still works.

The following table lists user rights required to use other access policy checks.

Access Policy Manager component     User rights   Power User rights   Admin rights
Cache and Session Control           OK            OK                  OK
Client Cert Inspection              OK            OK                  OK
On-Demand Cert Auth                 OK            OK                  OK
Active Directory (auth or query)    OK            OK                  OK
HTTP Auth                           OK            OK                  OK
LDAP (auth or query)                OK            OK                  OK
RADIUS (auth or accounting)         OK            OK                  OK
RSA SecurID                         OK            OK                  OK

Table A.2 User rights requirements for other access policy checks


Configuring connectivity profiles

You use connectivity profiles to customize client settings and to create and download client installer packages that include these custom settings. The options and settings in a connectivity profile are client-specific, and not related to the server settings for a secure connection. When you create a connectivity profile, that profile is stored on the BIG-IP system; however, the client settings apply only to connections made through one of the downloaded components.

Note

Compression settings for the client are not configurable. Compression on the client can be enabled or disabled in the network access resource settings for the connection, but the compression levels cannot be configured. The settings in the client profile for compression settings apply only to server-side compression.

Understanding connectivity profile compression settings

You can customize compression settings in a connectivity profile to enhance client network access tunnel performance. These settings affect how BIG-IP system CPU and memory are utilized. The following settings are supported:

• Compression Buffer Size - Specifies the size of the output buffers containing compressed data.

• gzip Compression Level - Specifies the degree to which the system compresses the content. Higher compression levels cause the compression process to be slower. The default compression level is 6, which provides a higher amount of compression at the expense of more CPU processing time. You can also select compression level 1, the lowest amount of compression you can select, which requires the least processing time, or 9, the highest level of compression you can select, which requires the most processing time. You can also select Other, then type a number between 1 and 9, or type 0 to disable compression. If you disable compression in the network access resource configuration, compression is disabled regardless of the compression level setting.

• gzip Memory Level - Specifies the number of kilobytes of memory that the system uses for internal compression buffers when compressing data. You can select a value between 1 and 256.

• gzip Window Size - Specifies the number of kilobytes in the window size that the system uses when compressing data. You can select a value between 1 and 128.


• CPU Saver - Specifies, when enabled, that the system monitors the percentage of CPU usage, disables compression automatically when the CPU usage reaches the CPU Saver High Threshold, and re-enables compression when the CPU usage falls to the CPU Saver Low Threshold.

• CPU Saver High Threshold - Specifies the percentage of CPU usage at which the system disables compression.

• CPU Saver Low Threshold - Specifies the percentage of CPU usage at which the system resumes content compression at the user-defined rates.

To create a connectivity profile

1. On the Main tab of the navigation pane, expand Access Policy, and click Connectivity Profiles. The Connectivity Profiles list screen opens.

2. Click Create. The New Profile screen opens.

3. In the Name box, type a name for the connectivity profile.

4. From the Parent Profile list, select a parent profile. The connectivity profile inherits any custom properties from the parent profile.

5. To configure compression settings, select the Custom check box next to Compression.

6. When you are finished, click Finished.

Configuring connectivity profile client settings

In the connectivity profile, you can define client behavior for the BIG-IP Edge client. The settings you specify are saved in the connectivity profile. You can create different connectivity profiles to provide separate connection properties for users or groups of users. The following options are available.

◆ Virtual Servers - Specifies the servers that you want to define in the client downloads. The servers you add here appear as connection options in the BIG-IP Edge client.

◆ Network Location Awareness - Specifies DNS suffixes that are considered to be "in the local network." DNS suffixes specified here are considered to be local network suffixes, and conform to the rules specified for the local network. When the BIG-IP Edge Client™ is configured to use the option Auto-Connect, the client connects when the system’s DNS suffix is not one defined on this list. When the client DNS suffix does appear on this list, the client automatically disconnects. If you do not specify any DNS suffixes, the option Auto-Connect does not appear in the downloaded client.


◆ Maintain History - Specifies whether the BIG-IP Edge Client™ maintains a list of recently used Access Policy Manager servers. The BIG-IP Edge Client™ always lists the servers defined in the connectivity profile, and sorts the list of servers by most recent access, whether this option is selected or not. However, the BIG-IP Edge Client™ lists user-entered servers only if this option is selected.

◆ Use Windows Logon Credentials - Specifies that the BIG-IP Edge Client™ attempts to log on using the same credentials that were typed for Windows logon to start the Access Policy Manager session. To use this option, you must include the User Logon Credentials Access Service for Windows in the download package, specified on the Components Download tab, on the BIG-IP Edge Client™ for Windows link. The User Logon Credential Access Service for Windows stores the user’s Windows logon and password in an encrypted file that persists for the duration of the Access Policy Manager session.

◆ Enable User Password Caching - Specifies whether the BIG-IP Edge Client™ can cache the user password, either on the disk or in memory.

◆ Allow user to save encrypted password on disk - When this option is enabled, a Save password checkbox appears on the logon page. If the user selects the Save password checkbox, the user’s password is encrypted on disk, and cached when the system reboots or when the BIG-IP Edge Client™ is restarted. This option is only available if the Maintain History option is enabled.

◆ Cache password within application for x minutes - When this option is enabled, the BIG-IP Edge Client™ caches a user’s password within the BIG-IP Edge Client™ application for automatic reconnection purposes. You can specify an expiration time, to indicate how long the cached password should remain valid. A value of 0 means there is no password cache time limit. Even if this option is enabled, the user is required to enter credentials after a server change, a manual client disconnect, or a BIG-IP Edge Client™ restart.

◆ Automatically update components - Specifies that client components are automatically updated on the client when newer versions are available on the server. This option applies to updates for the BIG-IP Edge client, but not to other client components. When updating the other client components, prompts are controlled by your browser security settings, the publisher of the update package and the presence of the F5 Networks Component Installer Service.

◆ Prompt user before installing updates - Specifies that the user is notified and prompted to continue or cancel before a newer version of a client component is installed by the server. This option applies to updates for the BIG-IP Edge client, but not to other client components. When updating the other client components, prompts are controlled by your browser security settings, the publisher of the update package and the presence of the F5 Networks Component Installer Service.

◆ Do not perform component updates - Prevents client components from being automatically updated when newer versions appear on the server. This applies to both BIG-IP Edge Client™ updates, and updates to client components.

◆ Enforce session settings (do not allow users to change session settings) - When this option is enabled, a user cannot change the session settings (history, password caching, and component update settings) when connected to an Access Policy Manager server. If this option is not enabled, the session settings configured in the connectivity profile are not enforced, and current user preferences are used instead.

You can configure client settings for a connectivity profile, and then create a custom client download package that includes the specified connectivity settings.

To configure client settings for a connectivity profile

1. On the Main tab of the navigation pane, expand Access Policy, and click Connectivity Profiles. The Connectivity Profiles list screen opens.

2. Click the name of the connectivity profile you want to edit. The Properties screen opens.

3. Click Client Configuration. The Client Configuration screen opens.

4. In the Virtual Servers area, specify the network access servers you want to make available to clients. Type the IP address or domain name of a network access server you want to make available, and click the Add button.

5. In the DNS Suffixes area, specify the DNS suffixes that define the local network for the client computer. For example, if your users are on the local network, with no secure access connection required, when they are on the domains home.siterequest.com and office.siterequest.net, specify the DNS suffixes siterequest.com and siterequest.net. You can specify DNS suffixes with a wildcard in the first position, for example, *.siterequest.com.

6. Select the session settings options you want to enable.

7. Select whether to Enforce session settings.

8. When you are finished, click Update.


Configuring connectivity profile mobile client settings

In the connectivity profile, you can define options for Windows Mobile clients. The following options are available.

• Virtual Server - Specifies the virtual server URL to which the Windows Mobile client connects.

• Work URL Exceptions List - Specifies URLs that the Windows Mobile client can access through the secure connection. Type URLs or IP addresses in this box. You can use wildcards to specify addresses. For example, *.siterequest.com, files.siterequest.com, 192.168.10.1, and 192.168.* are all valid entries.

You can configure mobile client settings for a connectivity profile, and then create a custom client download package that includes the specified connectivity settings.

To configure mobile client settings for a connectivity profile

1. On the Main tab of the navigation pane, expand Access Policy, and click Connectivity Profiles. The Connectivity Profiles list screen opens.

2. Click the name of the connectivity profile you want to edit. The Properties screen opens.

3. Click Mobile Client Configuration. The Mobile Client Configuration screen opens.

4. In the Virtual Server box, specify the Access Policy Manager server you want to make available to mobile clients. Type the IP address or domain name of the Access Policy Manager server.

5. In the Work URL Exceptions List, specify the URLs of the servers and networks that you want to access through the network connection. The Work URL exception list tells Internet Explorer on Windows Mobile those addresses for which a Network Access connection is required. So, when you type in the address in Internet Explorer, the BIG-IP Edge Client™ will establish the Network Access connection automatically. For example, if your users need a Network Access connection to access internal servers like office.siterequest.com and mail.siterequest.com, specify the work URL exception *.siterequest.com. Do not specify *.* as a wildcard address. You also should not add an address pattern that matches the virtual server.

6. When you are finished, click Update.
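The two client-side decisions this appendix describes, Auto-Connect driven by the DNS suffix list (Configuring connectivity profile client settings) and the Work URL Exceptions list for Windows Mobile (above), modelled as an added Python example. This is illustrative code, not F5's client implementation: the matching rules (suffix comparison on label boundaries, leading "*." entries matching subdomains only, shell-style wildcards for URL exception entries) and every host name and address used are assumptions, chosen to show how a profile can be sanity-checked against the guide's two cautions before the package is downloaded.

```python
"""Added illustration of two connectivity-profile client decisions.
Not F5 code: it models the behaviour the guide documents so an administrator
can sanity-check a profile. Matching rules and sample values are assumptions."""
import fnmatch


def _normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")


def suffix_matches(system_suffix: str, configured: str) -> bool:
    """Does the client's DNS suffix fall under one configured suffix entry?

    Assumption: a bare entry (siterequest.com) matches itself and any subdomain,
    following the guide's example that home.siterequest.com is covered by
    siterequest.com; a leading-wildcard entry (*.siterequest.com) matches
    subdomains only. Comparison is case-insensitive and on label boundaries,
    so evilsiterequest.com is not covered by siterequest.com.
    """
    sys_sfx, conf = _normalize(system_suffix), _normalize(configured)
    if conf.startswith("*."):
        return sys_sfx.endswith("." + conf[2:])
    return sys_sfx == conf or sys_sfx.endswith("." + conf)


def on_local_network(system_suffix: str, configured_suffixes) -> bool:
    """Network Location Awareness: True when the suffix is on the profile's list."""
    return any(suffix_matches(system_suffix, c) for c in configured_suffixes)


def auto_connect_action(system_suffix: str, configured_suffixes) -> str:
    """Auto-Connect as the guide describes it: connect when the system's DNS
    suffix is not on the list, disconnect (LAN detected) when it is, and the
    option is not offered at all when the list is empty."""
    if not configured_suffixes:
        return "auto-connect not offered"
    if on_local_network(system_suffix, configured_suffixes):
        return "disconnect"
    return "connect"


def _host_of(address: str) -> str:
    """Host portion of a URL, host name or IPv4 address (IPv6 literals not handled)."""
    a = address.strip()
    if "://" in a:
        a = a.split("://", 1)[1]
    host = a.split("/", 1)[0].rsplit("@", 1)[-1]
    return host.split(":", 1)[0].lower()


def address_matches(address: str, pattern: str) -> bool:
    """Assumption: Work URL Exceptions entries are shell-style wildcards
    (*.siterequest.com, 192.168.*) compared case-insensitively against the host."""
    return fnmatch.fnmatchcase(_host_of(address), pattern.strip().lower())


def requires_tunnel(address: str, exceptions) -> bool:
    """Would the Windows Mobile client bring up Network Access for this address?"""
    return any(address_matches(address, p) for p in exceptions)


def validate_work_url_exceptions(exceptions, virtual_server: str):
    """Flag the two mistakes the guide warns about: a *.* catch-all, and a
    pattern that matches the virtual server the client must reach directly."""
    problems = []
    for p in exceptions:
        if p.strip() == "*.*":
            problems.append(f"{p}: catch-all would route every address through the tunnel")
        elif address_matches(virtual_server, p):
            problems.append(f"{p}: matches the virtual server {virtual_server}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    local_suffixes = ["siterequest.com", "siterequest.net"]
    for sfx in ("home.siterequest.com", "coffeeshop.example"):
        print(sfx, "->", auto_connect_action(sfx, local_suffixes))

    exceptions = ["*.siterequest.com", "192.168.*"]
    for addr in ("http://mail.siterequest.com/owa", "192.168.10.1", "http://www.example.com"):
        print(addr, "-> tunnel" if requires_tunnel(addr, exceptions) else "-> direct")

    # *.siterequest.com also matches vpn.siterequest.com, the virtual server itself,
    # which is exactly the overlap the guide says to avoid.
    for problem in validate_work_url_exceptions(exceptions + ["*.*"], "vpn.siterequest.com"):
        print("problem:", problem)
```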

Downloading client components

The Components Download screen provides the following links:


• BIG-IP Edge Client™ for Windows - Click this link to configure a customized download package with the options you need to govern Windows logon integration and other functionality of the standalone Windows client. In the custom installer package, you can choose packages to install, specify Access Policy Manager servers, and define DNS suffixes that specify whether your computer is on a local network or not. For more information, see Customizing client download packages, on page A-9.

• Download the BIG-IP Edge Client™ for Windows Mobile 5.0 and higher (ARM processor). Click this link to download the BIG-IP Edge Client™ for Windows Mobile 5.0 or later devices with an ARM processor. For more information, see Configuring connectivity profile mobile client settings, on page A-8.

• Download the BIG-IP Edge Client™ for Pocket PC 2003 (ARM processor). Click this link to download the BIG-IP Edge Client™ for PocketPC 2003 devices with an ARM processor. For more information, see Configuring connectivity profile mobile client settings, on page A-8.

• Download the BIG-IP Edge Client™ for Pocket PC 2003 (x86 processor). Click this link to download the BIG-IP Edge Client™ for PocketPC 2003 devices with an x86 processor. For more information, see Configuring connectivity profile mobile client settings, on page A-8.

Customizing client download packages

On the Components Download screen that you access from the BIG-IP Edge Client™ for Windows link, you can specify features that govern Windows logon integration and functionality of the standalone Windows client.

The following client options are available:

◆ Web BIG-IP Edge Client™ for Windows - Select this option to download software that a client can use to access the Access Policy Manager from a web browser.

◆ Standalone BIG-IP Edge Client™ for Windows - Select this option to download a separate application that a client can use to access the Access Policy Manager.

◆ Dialup Entry / Windows Logon Integration - Select this option to download a dialup networking entry for the secure access connection. This dialup networking entry allows users to connect to the secure access connection from the Windows logon prompt, even before they log on to the local computer. One feature this option allows is that a user can authenticate to the corporate network before the user logs on to his computer.

◆ Endpoint Security for Windows - Select this option to download the plugins that do endpoint inspection on a client machine.


◆ Component Installer Service for Windows - Select this option to download an installer service that allows the Access Policy Manager to install components on a client computer even if the client does not have rights to install software. For example, use this to allow a user with limited rights to install from the Access Policy Manager, when typically the user cannot.

◆ DNS Relay Proxy Service for Windows - Select this option to download the DNS relay proxy service to the client. This allows a client system to run the DNS relay proxy service and conform to the Access Policy Manager’s DNS Relay Proxy Service configuration.

◆ Traffic Control Service for Windows - Select this option to download the traffic control service. This allows a client system to use the traffic control rules defined in the server to govern secure access traffic on the client.

◆ User Logon Credentials Access Service for Windows - Select this option to download a service that allows the user to log on with cached Windows credentials. The service allows you to set the session option Use Windows Logon Credentials, which configures sessions to request the Windows logon credentials from the BIG-IP Edge Client™ when the Access Policy Manager session starts. The User Logon Credential Access Service for Windows stores the user’s Windows logon and password in an encrypted file that persists for the duration of the Access Policy Manager session.

◆ Auto launch BIG-IP Edge Client™ after Windows Logon - Select this option to start the BIG-IP Edge Client™ after the user logs on to Windows.

◆ Add virtual server list to trusted sites - Select this option to add the virtual servers (specified in the Virtual Servers list on the Client Configuration tab) to the Windows Trusted sites list, the first time this client starts. Virtual servers added to the Trusted sites list with this option remain on the trusted sites list indefinitely. This works with the User Logon Credentials Access Service for Windows to provide seamless logon with the BIG-IP Edge Client™, if Access Policy Manager accepts the same credentials that your users use to log on to Windows.

To configure the client download

1. On the Main tab of the navigation pane, expand Access Policy, and click Connectivity Profiles. The Connectivity Profiles List screen opens.

2. Click the connectivity profile for which you want to download the client. The Connectivity Profile Properties screen opens.

3. Click the Components Download tab. The BIG-IP Edge Client™ Components screen opens.

4. Click the BIG-IP Edge Client™ for Windows link. The Connectivity Profile Customized Package screen opens.


5. Select the features and options to add to the installer package.

6. When you have finished configuring the client download package, click the Download button.

The client package you specified is downloaded to your local system as the file BIGIPEdgeClient.exe. You can install this downloaded package onto client computers, or you can copy the packages to a shared location so that individual users can complete their own installation.

Using the component installer package to preinstall client components

Your security policy may prohibit granting users the power user rights needed to install ActiveX components, or your browser security policy may prohibit downloading active elements. For these reasons, you might prefer to preinstall components on your users’ Windows systems.

You can use the Components Download screen to download the Component Installer Package containing the Windows components needed for the various Access Policy Manager functions. You can use the Component Installer service to install and upgrade client-side Access Policy Manager components for all kinds of user accounts, regardless of the rights under which the user is working. This component is especially useful for installing and upgrading client-side components when the user has insufficient rights to install or upgrade the components directly. For information about configuring the MSI installer to run with elevated privileges, see the documentation for your operating system.

This is valid only for Windows-based installations. There is no MSI functionality for installing on client systems running other operating systems.

You must use an account that has administrative rights to initially install the Component Installer on the client computer as part of the Client Components Package (MSI). Once installed and running, the Component Installer automatically installs and upgrades client-side Access Policy Manager components. It can also update itself.

The Component Installer requires that the installation or upgrade packages be signed using the F5 Networks certificate or another trusted certificate. By default, F5 Networks signs all components using the F5 Networks certificate.

To download the component installer package

1. On the Main tab of the navigation pane, expand Overview, and click Welcome. The Welcome screen opens.

2. In the Downloads section, click the Component Installer Package for Windows link to download the MSI installer. You are prompted to save the installer package BIGIPComponentInstaller.msi.


Downloading the FullArmor GPAnywhere for VPN component

From the Components Download screen, you can download an installer that enables FullArmor GPAnywhere integration with clients.

To download FullArmor GPAnywhere for VPN

1. On the Main tab of the navigation pane, expand Overview, and click Welcome. The Welcome screen opens.

2. In the Downloads section, click the FullArmor GPAnywhere for VPN link to download the MSI installer. You are prompted to save the installer package GPAnywhere.msi.


Using Macintosh and Linux clients with Access Policy Manager

The Access Policy Manager includes network access support for remote Macintosh and Linux clients, so you can use Access Policy Manager for secure remote access in mixed-platform environments. As with the Windows platform support, you do not need to preinstall or preconfigure any client software when using Access Policy Manager with Macintosh and Linux systems, if the client systems allow installation of the required browser components.

Introducing supported network access features

All of the primary network access features are supported on Macintosh and Linux clients. Access Policy Manager does not support Drive Mappings, and some client checks, on Macintosh and Linux systems.

For more information about network access and configuring network access features, see Chapter 2, Configuring Network Access.

Features supported on Macintosh and Linux clients include:

• Secure remote access to your internal network, with support for IP-based applications.

• Split tunneling, so only network traffic that you specify goes through the network access connection.

• IP address filtering with connection-based ACLs, giving you the ability to restrict groups of users to specific addresses, ranges of addresses, and ports.

• DNS Servers and DNS suffixes.

• Allowing local subnets, and forcing all traffic through the tunnel.

• Application launching. You must configure the starting of remote client applications based on the operating system on the remote computers. You can configure all other features independent of the remote client operating systems. For details, see Configuring the starting of applications on Macintosh or Linux clients, on page A-13.

Configuring the starting of applications on Macintosh or Linux clients

The launch application feature specifies a client application that starts when the client begins a network access session. You can use this feature when you have remote clients who routinely use network access to connect to an application server, such as a mail server.


To configure the application start for Macintosh and Linux

1. In the navigation pane, expand Access Policy and click Network Access. The Network Access Resources screen opens.

2. In the Name column, click the name of the network access resource you want to edit.

3. Click the Launch Applications tab near the top of the screen. The Launch Applications screen opens.

4. In the Application Path box, type the path of the application. For example:

• For Macintosh, type open.

• For Linux, type /usr/bin/mozilla.

5. In the Parameters box, type any parameters you want to include. For example:

• For Macintosh, type -a /Applications/ie.app http://www.f5.com.

• For Linux, type http://www.f5.com.

6. From the OS list, select an option.

• For Macintosh, select Mac.

• For Linux, select Unix.

7. Click Add to add the configuration. When remote users with the resource assigned make a network access connection, the application you configured starts automatically.

Installing the client on Macintosh and Linux systems

The first time a remote user starts network access, the Access Policy Manager downloads a client component. This client component is designed to be self-installing and self-configuring, but the user’s browser must have Java enabled on Macintosh systems, or must be Mozilla or Firefox to install a plugin on Linux systems.

If the browser does not support this requirement, the Access Policy Manager prompts the user to download the controller client component from the controller and install it manually.

Important

The remote user must have superuser authority, or must be able to supply an administrative password in order to successfully install the network access client.

Both Macintosh and Linux systems must also include PPP support (this is most often the case). When the user runs the network access client and makes a connection for the first time, the client detects the presence of pppd (the point-to-point protocol daemon), and determines whether the user has the necessary permissions to run it. If pppd is not present, or if the user does not have permissions needed to run the daemon, the connection fails.

After installation, the Macintosh client must restart the browser before starting network access.

Note

If you have a firewall enabled on your Linux system, you need to enable access on IP address 127.0.0.1 port 44444.


Establishing client connections

Users can initiate connections through network access from Windows, Linux, and Macintosh OS X systems, by connecting to the virtual server address using various browsers, or by starting the BIG-IP Edge client. They can also use network access from Windows mobile versions on PDAs.

For a list of browsers that network access supports, see Configuring the starting of applications on Macintosh or Linux clients, on page A-13, and Using Macintosh and Linux clients with Access Policy Manager, on page A-13. For a complete list of the clients that the Access Policy Manager supports, see the most current version of the release notes.

Note

On Microsoft Windows platforms, the user might see a new network connection icon in the system tray.

Installing the BIG-IP Edge Client™ for Windows

Using the BIG-IP Edge client, users can access their BIG-IP Edge connections without using a web browser. The client gives users seamless access to the network access connection.

You can provide the BIG-IP Edge Client™ to your users after you configure and download the package.

Connecting with the BIG-IP Edge Client

After a user installs the BIG-IP Edge Client™ for Windows, the user starts the client by choosing Start, then All Programs, then BIG-IP Edge Client. If the client has not been configured with a list of Access Policy Manager addresses, the user is prompted for an address.

When the client first starts, the client window appears, as in Figure A.1, on page A-17.


Figure A.1 BIG-IP Edge Client™ screen

On the BIG-IP Edge Client™ screen, the client can configure the following connection options:

• Auto-Connect - Starts a secure access connection as it is needed. This option uses the DNS suffix information defined in the connectivity profile to determine when the computer is on a defined local network. When the computer is not on a defined local network, the secure access connection starts. When the computer is on a local network, the client disconnects, but remains active in the system tray. When you open the disconnected client, the message Disconnected - Lan detected appears in the top pane of the client window, as shown in Figure A.1.

• Connect - Starts and maintains a secure access connection at all times, regardless of your computer’s network location.

• Disconnect - Stops an active secure access connection, and prevents the client from connecting again. After you click this option, a secure access connection does not start again until you click one of the previous two options.

In addition, the client can click the Change Server button to change the Access Policy Manager server.

Viewing standalone client traffic and statistics

The BIG-IP Edge Client™ provides a simple throughput graph, as well as more extended logging and statistic viewing features.


To view the secure access traffic throughput graph

1. If the client is minimized to the system tray, click the system tray icon. The BIG-IP Edge Client™ screen opens, as shown in Figure A.1.

2. At the bottom of the client window, click the Show Graph button. The BIG-IP Edge Client™ shows a graph of traffic throughput.

Figure A.2 BIG-IP Edge Client™ screen with traffic graph expanded


To view secure access traffic details

1. If the client is minimized to the system tray, click the system tray icon. The BIG-IP Edge Client™ screen opens, as shown in Figure A.1.

2. At the bottom of the client window, click the View Details button. The details pop-up screen opens, as shown in the figure, following.

Figure A.3 BIG-IP Edge Client™ details screen

The Details screen provides four tabs that contain information relevant to the operation of the BIG-IP Edge client. Click each tab to view the information for that feature. The tabs are:

• Connection Details - Shows details of the current connection, including status, server, tunnel details, and the amount of traffic sent and received.

• Routing Table - Shows the current routing table for the client system.

• IP Configuration - Shows the current IP configuration for the client system. The information in this tab is the same information you see when you issue the command ipconfig /all at the Windows command prompt.

• Miscellaneous - Shows version information for the client software, the Access Policy Manager servers defined in the client, and the DNS suffixes used for network location awareness.


Using the client troubleshooting utility

F5 Access Policy Manager provides a client troubleshooting utility. On Windows systems, users can run the troubleshooting utility to check the availability and version information of the Windows client components, and to run Network Access diagnostic tests.

To download the client troubleshooting utility

1. On the Main tab of the navigation pane, expand Overview, and click Welcome. The Welcome screen opens.

2. In the Downloads section, click the Client Troubleshooting Utility for Windows link.

3. Save the file f5wininfo.exe. You can distribute this file to your secure access users for local client troubleshooting.

To view client components in the troubleshooting utility

1. On a client system, double-click the file f5wininfo.exe to start the client troubleshooting utility. The F5 BIG-IP Edge Components Troubleshooting window opens.

2. Explore the component categories. To see an overview of a category, click the category label (for example, Endpoint Security). To see the particular components installed for a category, click the plus symbol to expand the category.

To generate a client troubleshooting report

1. On a client system, double-click the file f5wininfo.exe to start the client troubleshooting utility. The F5 BIG-IP Edge Components Troubleshooting window opens.

2. From the File menu, select Generate Report. The Reports dialog appears.

3. Select the type of report to generate. Select the F5 Network check box to generate a report of the F5 networking components installed. Select the Network Access Diagnostic check box to generate a report of the Network Access diagnostics. Select the MS Remote Access Diagnostic Report or MS System Information Report check boxes to generate reports from these Microsoft components.

4. Select the format for the report. Select html to generate the report as an HTML file, with links and basic formatting. Select text to generate the report as plain text.


5. To compress the resulting file, select the compressed check box.

6. Click the Save As button to save the resulting report as an html file or a text file on the file system. To view the results without saving the report, click View.

To run Network Access diagnostic tests

1. On a client system, double-click the file f5wininfo.exe to start the client troubleshooting utility. The F5 BIG-IP Edge Components Troubleshooting window opens.

2. From the Tools menu, select Network Access Diagnostics. The Network Access Diagnostics window opens, and the Network Access tests run.


B

Access Policy Example

• Introducing the example access policy

• Example: Assigning resource groups based on Active Directory attributes


Access Policy Example

Introducing the example access policy

The example access policy covered in this appendix is based on real-world use. You can find a description of the scenario at the beginning of the section.

The example covers one step-by-step operation. For more example policies, see Chapter 16, Advanced Topics in Access Policies.

You can check your progress against screenshots provided at a number of steps. The intention is to keep you on track without overburdening you with screenshots.

When you complete the steps, you will have a working version of the functionality the scenario covers. All information you need to deploy the working model is provided, including any hints, best practices, requirements, or warnings.


Appendix B

Example: Assigning resource groups based on Active Directory attributes

In this example, you design an access policy that assigns different network access resources to a user, depending on the Microsoft Active Directory® primary group ID. This case study is built with a modified version of the AD Auth Query and Resources macro.

To run this example, you need a configured Active Directory AAA server on your system. You can, however, complete every configuration step in this example without one.

In this example, you configure the following:

• Two lease pools (192.168.105.1 - 192.168.105.100 and 192.168.106.100 - 192.168.106.111).

• Two ACLs, one that allows all access and one that rejects all FTP access.

• Two network access resources, each of which contains one lease pool and one ACL.

• An access profile.

• An access policy that contains:

• An Active Directory auth query and resources macro, for which you must configure actions, and to which you must add terminals.

• A logon page.

• Two Active Directory query actions. One Active Directory query checks for the primary group ID attribute with a value of 100, and one checks for the primary group ID attribute with a value of 200.

• Two resource assign actions. Both actions assign network access resources.

Configuring resources

This section shows how to configure the lease pools and ACLs for the example.

To configure the ACLs

1. On the Main tab of the navigation pane, expand Access Policy, and click ACLs. The ACLs screen opens.

2. Click the Create button. The New ACL screen opens.

3. In the Name box, type the name AD_ACL1.

4. Click the Create button. The ACL Properties screen opens.


5. Above the Access Control Entries list, click the Add button. The New Access Control Entry screen opens.

6. From the Type list, select L4.

7. From the Action list, select Allow.

8. Click Finished. Because you did not type any IP addresses or ports, but only selected an action, this ACL is configured as a default ACL: the Allow action applies to all connections, on all IP addresses and all protocols.

9. On the Main tab of the navigation pane, click ACLs again.

10. Click the Create button. The New ACL screen opens.

11. In the Name box, type the name AD_ACL2.

12. Click the Create button. The ACL Properties screen opens.

13. Above the Access Control Entries list, click the Add button. The New Access Control Entry screen opens.

14. From the Type list, select L4.

15. In the Destination Ports area, from the Port list, select FTP.

16. From the Action list, select Reject.

17. Click Finished. Again, because you did not type any IP addresses, but only selected an action and a port, this ACL rejects connections to port 21, the FTP control port, on any IP address.

To configure the lease pools

1. On the Main tab of the navigation pane, expand Access Policy, and click Lease Pools. The Lease Pool List screen opens.

2. Click the Create button. The New Lease Pool screen opens.

3. In the Name box, type the name AD_Lease1.

4. Click the IP Address Range button.

5. In the Start IP Address box and the End IP Address box, type the start and end IP addresses for the IP address range. In this example, the start IP address is 192.168.105.1, and the end IP address is 192.168.105.100.

6. Click the Add button to add the IP addresses to the lease pool. The lease pool appears as in Figure B.1.

7. Click the Repeat button. The New Lease Pool screen opens.


8. In the Name box, type the name AD_Lease2.

9. In the Member List select the existing entry (192.168.105.1 - 192.168.105.100) and click Delete.

10. In the Start IP Address box and the End IP Address box, type the start and end IP addresses for the IP address range. In this example, the start IP address is 192.168.106.100, and the end IP address is 192.168.106.111.

11. Click the Add button to add the IP addresses to the lease pool.

12. Click Finished.

Figure B.1 Lease pool example

Configuring the network access resources

In this task, you configure the network access resources for the case study. Each network access resource contains one lease pool.

To create the network access resources

1. On the Main tab of the navigation pane, expand Access Policy and click Network Access. The Network Access screen opens.

2. Click the Create button to create a new network access resource. The New Resource screen opens.


3. In the Name box, type CaseStudy_NA_AD1 as the name for the network access resource.

4. From the lease pool list, select AD_Lease1.

5. Click Finished. The Properties screen for the network access resource opens.

6. On the Main tab of the navigation pane, under Access Policy, click Network Access again. The Network Access screen opens.

7. Click the Create button to create a new network access resource. The New Resource screen opens.

8. In the Name box, type CaseStudy_NA_AD2 as the name for the network access resource.

9. From the lease pool list, select AD_Lease2.

10. Click Finished.


Configuring the access profile, macro, and access policy

In this task, you create an access profile and configure the access policy associated with it. The access policy contains the steps that a user goes through when attempting to connect.

To create the access profile

1. On the Main tab of the navigation pane, expand Access Policy and click Access Profiles. The Access Profiles List screen opens.

2. Click the Create button to create a new access profile. The New Profile screen opens.

3. In the Name box, type CaseStudy_AD as the name for the access profile.

4. Click Finished.

To add the macro for the access policy

1. On the CaseStudy_AD access profile screen, click the Access Policy tab. The Access Policy screen opens.

2. Click the link Edit Access Policy for Profile "CaseStudy_AD". The visual policy editor opens in a new tab or a new window, depending on your browser settings.

3. Click the Add New Macro button. The Macro Template popup screen appears.

4. From the macro template list, select AD auth query and resources.

5. Click Save.

To edit the macro to prepare for the queries

1. In the visual policy editor, click the plus sign ( ) next to the AD auth query and resources macro to expand the macro.

2. On the AD Auth action, click the x to delete it. When the Item deletion confirmation popup screen appears, click Delete.

3. On the AD Logging action, click the x to delete it. When the Item deletion confirmation popup screen appears, click Delete.

To configure the AD Query actions for the macro

1. In the visual policy editor, click the plus sign ( ) next to the AD auth query and resources macro to expand the macro.


2. Click the AD Query action to view its configuration. The AD Query action popup screen opens.

3. Click the Branch Rules tab.

4. Verify that the Name box contains Primary Group ID is 100. If this is not the name in the Name box, type the correct name.

5. Verify that the text Expression: User's Primary Group ID is 100 appears below the Name box. If the expression is not configured correctly, click the change link, make the changes, and click Finished.

6. On the Fallback rule branch connected to the AD Query action, click the plus sign ( ). The Add Item popup screen opens.

7. If the list of authentication actions is not expanded, click the plus sign ( ) next to Authentication to expand the list.

8. Select AD Query and click Add Item. The Active Directory query action popup screen opens.

9. In the Name box, type AD Query 2.

10. Click the Branch Rules tab.

11. In the Name box, type Primary Group ID is 200.

12. Next to Expression: User’s Primary Group ID is 100, click the change link.The Expression popup screen opens.

13. In the User’s Primary Group ID is box, type 200.

14. Click Finished.

15. Click Save.

The AD Query actions appear in the macro as in the following figure.

Figure B.2 The AD auth query and resources macro after preparation, and after the second AD Query action is added


To configure the resource assign actions for the macro

1. In the visual policy editor, click the plus sign ( ) next to the AD auth query and resources macro to expand the macro.

2. On the Primary Group ID is 100 rule branch connected to the AD Query action, click the Resource Assign action. The Resource Assign action popup screen opens.

3. Click the Add new entry button. The screen changes to display a new resource assignment entry.

4. Click Set Network Access Resource. The resource assign popup screen opens.

5. On the Network Access Resource tab, select CaseStudy_NA_AD1.

6. Click the ACLs tab, select AD_ACL1, and click Update. You return to the Resource Assign action popup screen.

7. Click the Save button. The Resource Assign action popup screen closes.

8. In the macro, on the Primary Group ID is 200 rule branch connected to the AD Query 2 action, click the plus sign ( ). The Add Item popup screen opens.

9. If the list of general purpose actions is not expanded, click the plus sign ( ) next to General Purpose to expand the list.

10. Select Resource Assign and click Add Item. The Resource Assign action popup screen appears.

11. In the Name box, type Resource Assign 2.

12. Click the Add new entry button.

13. Click Set Network Access Resource. The resource assign popup screen opens.

14. On the Network Access Resource tab, select CaseStudy_NA_AD2.

15. Click the ACLs tab, select AD_ACL2, and click Update. You return to the Resource Assign action popup screen.

16. Click the Save button. The Resource Assign action popup screen closes.

To edit terminals for the macro

1. In the visual policy editor, above the macro, click the Edit Terminals button. The Edit Terminals popup screen opens.

2. In the Name box for the Successful terminal, replace the name Successful with the name Group100.

3. Click the Add Terminal button. The popup screen changes to display a new terminal line.


4. In the Name box for the new terminal, replace the name Terminal 1 with the name Group200.

5. Click the color chooser box next to Group200.

6. Select the blue color #5 to change the color of the terminal, and click Save. Note that you can choose any color for this terminal.

7. Click Save.

8. In the macro configuration, click the Failure terminal connected to the Resource Assign 2 action. The Select Terminal popup screen opens.

9. Select the Group200 terminal, and click Save. The section of the macro you just configured appears in the following figure.

Figure B.3 The resource assign actions and macro terminals in the edited macro

To complete the configuration, you must add this macro to your access policy, using the following procedure.

To configure the access policy

1. In the access policy CaseStudy_AD, above the macro that you have configured, click the plus sign ( ) on the Fallback branch. The Add Item popup screen opens.

2. If the Macrocalls section is not expanded, click the plus sign ( ) to see the Macrocalls.

3. Select the macrocall AD auth query and resources Rules: Group200, Group100, Failure, and click Add Item.

4. Set the Group100 and Group200 endings to Allow endings.

5. Click Apply Access Policy.

The completed access policy appears as in the following figure.


Figure B.4 The completed Active Directory example access policy
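The example policy and its two ACLs, modelled in Python. This is an added illustration, not configuration exported from the BIG-IP system and not F5 code: it lets you check the branching of the macro and the behaviour of the two ACLs offline before you apply the policy. Session-variable names follow Appendix C. The name of the AD Query action (AD_Query), the Active Directory attribute name (primaryGroupID), and what happens to traffic that matches no entry in an ACL are assumptions for the illustration, and are marked as such in the code.

```python
"""The Appendix B policy and its ACLs, modelled in Python.

Added illustration, not configuration exported from the BIG-IP system and not
F5 code: it lets you check the branching and ACL behaviour of the example
offline. Variable names follow Appendix C. Assumptions, also marked below:
the AD Query action is named AD_Query, the AD attribute is primaryGroupID, and
the fate of traffic that matches no entry in an ACL is a parameter, because
the guide does not state it.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class ACE:
    """One L4 access control entry. An empty field means 'any', which is why an
    entry with only an action (AD_ACL1) matches every connection."""
    action: str                                  # "allow" or "reject"
    protocol: str = ""                           # "" = any protocol
    dst_networks: Tuple[str, ...] = ()           # () = any destination address
    dst_ports: FrozenSet[int] = frozenset()      # empty = any destination port


def ace_matches(ace: ACE, dst_ip: str, dst_port: int, protocol: str) -> bool:
    if ace.protocol and ace.protocol != protocol:
        return False
    if ace.dst_ports and dst_port not in ace.dst_ports:
        return False
    if ace.dst_networks:
        addr = ip_address(dst_ip)
        if not any(addr in ip_network(net) for net in ace.dst_networks):
            return False
    return True


def evaluate_acl(acl: List[ACE], dst_ip: str, dst_port: int,
                 protocol: str = "tcp", no_match: str = "allow") -> str:
    """First matching entry wins. no_match is what happens when nothing
    matches (assumption: the guide does not say; verify it on your system)."""
    for ace in acl:
        if ace_matches(ace, dst_ip, dst_port, protocol):
            return ace.action
    return no_match


# The two ACLs from "To configure the ACLs".
AD_ACL1 = [ACE("allow")]                                                # default entry: allow everything
AD_ACL2 = [ACE("reject", protocol="tcp", dst_ports=frozenset({21}))]    # reject the FTP control port

# The two lease pools and the network access resources that wrap them.
LEASE_POOLS: Dict[str, Tuple[str, str]] = {
    "AD_Lease1": ("192.168.105.1", "192.168.105.100"),
    "AD_Lease2": ("192.168.106.100", "192.168.106.111"),
}
NETWORK_ACCESS = {"CaseStudy_NA_AD1": "AD_Lease1", "CaseStudy_NA_AD2": "AD_Lease2"}


def lease_pools_overlap(pool_a: str, pool_b: str) -> bool:
    """Two pools that hand out the same address would let two sessions
    collide, so check this before assigning a pool per group."""
    a_lo, a_hi = (int(ip_address(x)) for x in LEASE_POOLS[pool_a])
    b_lo, b_hi = (int(ip_address(x)) for x in LEASE_POOLS[pool_b])
    return a_lo <= b_hi and b_lo <= a_hi


def run_policy(session: Dict[str, str]) -> Dict[str, str]:
    """Walk the macro: AD Query (Primary Group ID is 100) -> Resource Assign ->
    Group100; fallback -> AD Query 2 (Primary Group ID is 200) -> Resource
    Assign 2 -> Group200; anything else ends at the Failure terminal (denied).
    Both queries return the same attribute for the same user, so the model
    reads the first query's variables for both checks."""
    result = dict(session)
    if session.get("session.ad.AD_Query.queryresult") != "1":
        result["session.policy.result"] = "access_denied"
        return result
    group_id = session.get("session.ad.AD_Query.attr.primaryGroupID")
    if group_id == "100":
        resource, acl = "CaseStudy_NA_AD1", "AD_ACL1"
    elif group_id == "200":
        resource, acl = "CaseStudy_NA_AD2", "AD_ACL2"
    else:
        result["session.policy.result"] = "access_denied"
        return result
    result["session.assigned.resources"] = resource
    result["session.assigned.acls"] = acl
    result["session.assigned.leasepool"] = NETWORK_ACCESS[resource]
    result["session.policy.result"] = "allowed"
    return result


if __name__ == "__main__":
    # Constructed session for a user whose AD primary group ID is 200.
    s = run_policy({"session.ad.AD_Query.queryresult": "1",
                    "session.ad.AD_Query.attr.primaryGroupID": "200"})
    acl = AD_ACL2 if s["session.assigned.acls"] == "AD_ACL2" else AD_ACL1
    print(s["session.policy.result"], s["session.assigned.resources"], s["session.assigned.leasepool"])
    print("ftp:", evaluate_acl(acl, "10.0.0.5", 21), "https:", evaluate_acl(acl, "10.0.0.5", 443))
    print("pools overlap:", lease_pools_overlap("AD_Lease1", "AD_Lease2"))
```

The point the model makes visible: AD_ACL2 contains only a reject entry for port 21, so what a Group200 user can reach apart from FTP depends on how your system treats traffic that matches no entry, which the model exposes as the no_match parameter rather than guessing. Confirm that behaviour on the system before relying on the ACL as an "everything except FTP" rule.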


C

Session Variables

• Introducing session variables

• Introducing Tcl

• Session variables reference

• Network access resource variable attributes


Session Variables

Introducing session variables

The rules in an access policy store the values that the actions return in session variables. A session variable contains a number or string that represents a specific piece of information.

You can use the session variable strings in the visual policy editor, to customize a rule for a specific action in an access policy. For more information on configuring access policy rules with session variables, see Assigning variables, on page 8-10, and Using advanced access policy rules, on page 16-17.

When you use session variables, you typically write them in custom rules, in the Tcl language, or you use them in the variable assign action.

To see the session variables assigned to a user session,

This appendix includes three tables.

• Table C.1, Session variables for BIG-IP Access Policy Manager, contains the session variables returned by access policy actions.

• Table C.2, Special purpose user session variables, contains special purpose session variables that provide functions in a user session, but are not returned by specific access policy actions.

• Table C.3, Network access resource configuration variables and attributes, contains all the session variables generated by a network access resource, and the formats of those variables, for use with the variable assign action.

Note

When using session variables in an access policy configuration, for example, in a logging agent, a session variable may or may not exist depending on the result of the access policy process.


Appendix C

Introducing Tcl

You write rules in Tcl. Although this appendix is not an exhaustive reference for writing and using Tcl expressions, it includes some common operators and syntax rules. A Tcl expression is evaluated with the expr command. For more information, see http://www.tcl.tk/man/tcl8.5/TclCmd/expr.htm.

Note

You use iRules™ on the BIG-IP system to provide functionality to the BIG-IP system components. Tcl commands specific to iRules are not available in access policy rules.

Standard operators

You can use Tcl standard operators with most BIG-IP® Access Policy Manager rules. You can find a full list of these operators in the Tcl online manual, at http://www.tcl.tk/man/tcl8.5/TclCmd/expr.htm.

Standard operators include:

• - + ~ !  Unary minus, unary plus, bit-wise NOT, logical NOT. None of these operators may be applied to string operands, and bit-wise NOT may be applied only to integers.

• **  Exponentiation. Valid for any numeric operands.

• * / %  Multiply, divide, remainder. None of these operators may be applied to string operands, and remainder may be applied only to integers. The remainder always has the same sign as the divisor and an absolute value smaller than the divisor.

• + -  Add and subtract. Valid for any numeric operands.

• << >>  Left and right shift. Valid for integer operands only. A right shift always propagates the sign bit.

• < > <= >=  Boolean less than, greater than, less than or equal to, and greater than or equal to. Each operator produces 1 if the condition is true, 0 otherwise. These operators may be applied to strings as well as numeric operands, in which case string comparison is used.

• == !=  Boolean equal to and not equal to. Each operator produces a zero/one result. Valid for all operand types.

• eq ne  Boolean string equal to and string not equal to. Each operator produces a zero/one result. The operand types are interpreted only as strings.

• in ni  List containment and negated list containment. Each operator produces a zero/one result and treats its first argument as a string and its second argument as a Tcl list. The in operator indicates whether the first argument is a member of the second argument list; the ni operator inverts the sense of the result.

• &  Bit-wise AND. Valid for integer operands only.

• ^  Bit-wise exclusive OR. Valid for integer operands only.

• |  Bit-wise OR. Valid for integer operands only.

• &&  Logical AND. Produces a 1 result if both operands are non-zero, 0 otherwise. Valid for boolean and numeric (integers or floating-point) operands only.

• ||  Logical OR. Produces a 0 result if both operands are zero, 1 otherwise. Valid for boolean and numeric (integers or floating-point) operands only.

• x?y:z  If-then-else, as in C. If x evaluates to non-zero, then the result is the value of y. Otherwise the result is the value of z. The x operand must have a boolean or numeric value.

Rule operators

A rule operator compares two operands in an expression. In addition to the Tcl standard operators, you can use the operators listed below.

• contains - Tests if one string contains another string.

• ends_with - Tests if one string ends with another string.

• equals - Tests if one string equals another string.

• matches - Tests if one string matches another string.

• matches_regex - Tests if a string matches a regular expression.

• starts_with - Tests if one string starts with another string.

• switch - Evaluates one of several scripts, depending on a given value.

Logical operators

Logical operators combine or negate the results of comparisons.

• and - Produces a true result only if both values are true.

• not - Inverts the truth of a value.

• or - Produces a true result if either value is true.
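A model of the rule operators above, added here as an illustration; it is not code from the guide or from the BIG-IP system, which evaluates rules in Tcl. It applies each named operator to a constructed set of session variables and walks a list of branch rules in order, including the case the note under Introducing session variables warns about: a variable that does not exist because the policy never set it. Reading matches as shell-style pattern matching, treating the list operand of in and ni as a space-separated string, and using AD_Query and Windows_Info as the $name part of the variable names are assumptions made for the illustration.

```python
"""Rule operators from Appendix C, modelled in Python.

Added illustration, not code from the guide or from the BIG-IP system: APM
evaluates access policy rules in Tcl on the system. This model applies the
named operators to a constructed session-variable dictionary so their
behaviour, and the handling of absent variables, can be checked offline.
Assumptions: "matches" is shell-style pattern matching; the list operand of
"in"/"ni" is a space-separated string (a Tcl list of simple words).
"""
import fnmatch
import re
from typing import Callable, Dict, List, Optional, Tuple

# Each operator takes (value of the session variable, operand from the rule).
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "equals":        lambda value, arg: value == arg,
    "contains":      lambda value, arg: arg in value,
    "starts_with":   lambda value, arg: value.startswith(arg),
    "ends_with":     lambda value, arg: value.endswith(arg),
    "matches":       lambda value, arg: fnmatch.fnmatchcase(value, arg),   # assumption: glob-style
    # Unanchored, like a search: anchor the pattern (^...$) in the rule when
    # you mean "the whole value looks like this".
    "matches_regex": lambda value, arg: re.search(arg, value) is not None,
    "in":            lambda value, arg: value in arg.split(),
    "ni":            lambda value, arg: value not in arg.split(),
}

Condition = Tuple[str, str, str]          # (variable, operator, operand)
Rule = Tuple[str, List[Condition]]        # (branch name, conditions joined by "and")


def evaluate(session: Dict[str, str], variable: str, operator: str, operand: str) -> Optional[bool]:
    """Apply one operator to one session variable.

    Returns None, not False, when the variable is absent. The guide notes that a
    variable may or may not exist depending on how the policy ran; a rule must
    not mistake "never set" for "set to an empty string".
    """
    if variable not in session:
        return None
    return OPERATORS[operator](str(session[variable]), operand)


def branch(session: Dict[str, str], rules: List[Rule]) -> str:
    """Evaluate branch rules in order and return the first branch whose
    conditions are all true; otherwise the fallback branch. A condition on an
    absent variable is not true, so it can never select a branch."""
    for name, conditions in rules:
        if all(evaluate(session, var, op, arg) is True for var, op, arg in conditions):
            return name
    return "fallback"


# Constructed session variables (not captured from a real system). "AD_Query"
# and "Windows_Info" stand in for $name in the Appendix C variable names.
SESSION: Dict[str, str] = {
    "session.ad.AD_Query.queryresult": "1",
    "session.ad.AD_Query.attr.primaryGroupID": "100",
    "session.logon.last.username": "alice",
    "session.client.platform": "WinXP",
    "session.windows_info_os.Windows_Info.updates": "|SP2|KB12345|KB54321|",
}

# The two branch rules from the Appendix B example, each also requiring the
# query itself to have passed.
GROUP_RULES: List[Rule] = [
    ("Primary Group ID is 100", [("session.ad.AD_Query.queryresult", "equals", "1"),
                                 ("session.ad.AD_Query.attr.primaryGroupID", "equals", "100")]),
    ("Primary Group ID is 200", [("session.ad.AD_Query.queryresult", "equals", "1"),
                                 ("session.ad.AD_Query.attr.primaryGroupID", "equals", "200")]),
]


def demo() -> Dict[str, object]:
    """Exercise each operator once against the constructed session."""
    updates = "session.windows_info_os.Windows_Info.updates"
    return {
        "branch": branch(SESSION, GROUP_RULES),
        "platform_is_windows": evaluate(SESSION, "session.client.platform", "starts_with", "Win"),
        "platform_glob": evaluate(SESSION, "session.client.platform", "matches", "Win*"),
        "has_kb12345": evaluate(SESSION, updates, "contains", "|KB12345|"),
        "has_sp2_regex": evaluate(SESSION, updates, "matches_regex", r"\|SP2\|"),
        "platform_supported": evaluate(SESSION, "session.client.platform", "in", "WinXP WinVI Win2003"),
        "not_mac": evaluate(SESSION, "session.client.platform", "ni", "MacOS Linux"),
        # No client certificate action ran, so this variable was never set.
        "absent_variable": evaluate(SESSION, "session.ssl.cert.cn", "ends_with", "example.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The absent-variable result is the one to watch: a rule written as "session.ssl.cert.cn does not end with example.com" would be true for a session that never presented a certificate at all if the rule treated a missing variable as an empty string. Pair such a test with a check that the action that sets the variable actually ran.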


Session variables reference

The following table lists the session variables you can use with Access Policy Manager, with related reference information for each session variable.

For a set of special purpose session variables, see Table C.2

Each entry lists the agent that sets the variable, the variable name, its type, the format where one is given, and a description.

Active Directory action

session.ad.$name.queryresult (bool): Result of the Active Directory query. 0 - Failed; 1 - Passed

session.ad.$name.authresult (bool): Result of the Active Directory authentication attempt. 0 - Failed; 1 - Passed

session.ad.$name.attr.$attr_name (string): User's attributes retrieved during the Active Directory query. Each attribute is converted to a separate session variable.

session.ad.$name.attr.group.$attr_name (string): User's group attributes retrieved during the Active Directory query. Each group attribute is converted to a separate session variable.

LDAP action

session.ldap.$name.authresult (bool): Result of the LDAP authentication attempt. 0 - Failed; 1 - Passed

session.ldap.$name.attr.$attr_name (string): User's attributes retrieved during the LDAP query. Each attribute is converted to a separate session variable.

session.ldap.$name.queryresult (bool): Result of the LDAP query. 0 - Failed; 1 - Passed

RADIUS action

session.radius.$name.authresult (bool): Result of the RADIUS authentication attempt. 0 - Failed; 1 - Passed

session.radius.$name.attr.$attr_name (string): User attributes retrieved during RADIUS authentication. Each attribute is converted to a separate session variable.


Denied ending

session.policy.result (string) "access_denied": The result of the access policy. The result is the ending; for this ending, the result is access_denied.

Redirect ending

session.policy.result (string) "redirect": The result of the access policy. The result is the ending; for this ending, the result is redirect.

session.policy.result.redirect.url (string): The URL specified in the redirect, for example, "http://www.siterequest.com"

Allowed ending

session.policy.result (string) "allowed": The result of the access policy. The result is the ending; for this ending, the result is allowed.

session.policy.result.webtop.network_access.autolaunch (string) "resname": The resource that is automatically started for a network access webtop.

session.policy.result.webtop.type (string) "network_access": The type of webtop resource. The webtop type can be network_access or web_application.

Antivirus check

session.windows_check_av.$name.result (integer): 0 - Antivirus failure; 1 - At least one antivirus matches the criteria

session.windows_check_av.$name.item_0.db_signature (string): Control string of the virus database.

session.windows_check_av.$name.item_0.db_time (integer): 0 - Data is not available; non-zero - Date of the last database update (seconds since 1/1/1970)

session.windows_check_av.$name.item_0.db_version (string): Antivirus database version.

session.windows_check_av.$name.item_0.features (integer): 1 - Antivirus; 2 - Anti-spyware; 3 - Personal Firewall; 4 - Application Firewall

session.windows_check_av.$name.item_0.id (string): Antivirus type ID (for example, McafeeAV)

session.windows_check_av.$name.item_0.name (string): Software name


Antivirus check (continued)

session.windows_check_av.$name.item_0.state (integer): 0 - Undefined; 1 - Antivirus protection is active; 2 - Antivirus is not active (disabled)

session.windows_check_av.$name.item_0.ui: UI state

session.windows_check_av.$name.item_0.vendor (string): Antivirus vendor

session.windows_check_av.$name.item_0.version (string): Antivirus version

session.windows_check_av.$name.count (integer): Number of antivirus products detected

Decision box

session.decision_box.last.result (integer): 0 - User chose option 2 on the decision page, which corresponds to the fallback rule branch in the action; 1 - User chose option 1 on the decision page

File check

session.windows_check_file.$name.item_0.exist (string): True if all files exist on the client.

session.windows_check_file.$name.item_0.result (integer): Set when files on the client meet the configured attributes.

session.windows_check_file.$name.item_0.md5 (string): MD5 value of a checked file.

session.windows_check_file.$name.item_0.version (string): The version of a checked file.

session.windows_check_file.$name.item_0.size (integer): The file size, in bytes.

session.windows_check_file.$name.item_0.modified: Date the file was modified, in UTC form.

session.windows_check_file.$name.item_0.signer: File signer information.

Firewall check

session.windows_check_fw.$name.item_0.name (string): Name of the firewall software.

session.windows_check_fw.$name.item_0.features (integer): 0000 - Unknown type; 0002 - Personal Firewall; 0004 - Application Firewall


Firewall check (continued)

session.windows_check_fw.$name.item_0.state (string): 0 - Undefined; 1 - Firewall is active; 2 - Firewall is not active (disabled)

session.windows_check_fw.$name.state (integer): 0 - No active firewalls detected; 1 - At least one active firewall is detected

session.windows_check_fw.$name.count (integer): The number of detected firewalls.

session.windows_check_fw.$name.result (integer): 0 - No firewalls match the criteria; 1 - At least one firewall matches the criteria

session.windows_check_fw.$name.item_0.id (string): Type ID of the firewall (for example, McAfeeFW)

session.windows_check_fw.$name.item_0.version (string): The firewall software version.

Process check

session.windows_check_process.$name.result (integer): 0 - Failure; 1 - Success; -1 - Invalid check expression

Registry check

session.windows_check_registrys.$name.result (integer): 0 - Failure; 1 - Success; -1 - Invalid check expression

Windows info

session.windows_info_os.$name.ie_version (string): Stores the Internet Explorer version

session.windows_info_os.$name.ie_updates (string) "¦SP2¦KB12345¦KB54321¦": A list of installed SP and KB fixes for Internet Explorer

session.windows_info_os.$name.platform (string): WinXP - Windows XP; Win2k - Windows 2000; WinNT - Windows NT4; Win95 - Windows 95; Win98 - Windows 98; Win98SE - Windows 98 SE; WinME - Windows Me; Win2003 - Windows 2003; WinVI - Windows Vista; WinLH - Windows 2008


Windows info (continued)

session.windows_info_os.$name.updates (string) "¦SP2¦KB12345¦KB54321¦": A list of installed SP and KB fixes for Windows

session.windows_info_os.$name.user (string): List of current Windows user names

session.windows_info_os.$name.computer (string): List of computer names

Resource allocation

session.assigned.resources (string) "resourcename1 resourcename2": A space-delimited list of assigned resources.

session.assigned.webtop (string) 'webtop_name': The name of the assigned webtop.

Client certificate authentication

session.ssl.cert.l (string): Location

session.ssl.cert.ou (string): Organizational Unit

session.ssl.cert.cn (string): Common Name

session.ssl.cert.valid (string): Certificate result (OK or an error string)

session.ssl.cert.exist (integer): 0 - Certificate does not exist; 1 - Certificate exists

session.ssl.cert.version (string): Certificate version

session.ssl.cert.serial (string): Certificate serial number

session.ssl.cert.end (string): Validity end date

session.ssl.cert.start (string): Validity start date

session.ssl.cert.issuer (string): Certificate issuer

session.ssl.cert.email (string): Email

session.ssl.cert.c (string): Country

session.ssl.cert.st (string): State


Session management

session.ui.mode (enum): 0 - full; 1 - miniHTML; 2 - iMode; 3 - XML; 4 - WML; 5 - WAP; 6 - PocketPC. The UI mode, as determined by HTTP headers.

session.ui.lang (string) "en": The language in use in the session.

session.ui.charset: The character set used in the session.

session.client.type (enum) "ie", "firefox", "standalone": The client type, as determined by HTTP headers.

session.client.version (string)

session.client.js (bool)

session.client.activex (bool)

session.client.plugin (bool)

session.client.platform (string) "Win", "Win98", "WinME", "Win2k", "WinXP", "WinVI", "Linux", "MacOS", "PocketPC", "WinCE": The client platform, as determined by HTTP headers.

Table C.1 Session variables for BIG-IP Access Policy Manager


Special purpose user session variablesUse the following session variables with the variable assign action to customize the behavior of a user session.

Name Type Format Description

session.assigned.acls string "ACL1 ACL3 ACL5" A space-delimited list of assigned ACLs.

session.assigned.acls.sorted string "ACL1 ACL3 ACL5" A space-delimited list of assigned ACLs. This variable is created to store the list of ACLs. To modify the list of ACLs with the variable assign action or an advanced access policy rule, modify the previous session variable, session.assigned.acls.

session.assigned.clientip string xxx.xxx.xxx.xxx (for example, 192.168.12.10) The informational variable that stores the client IP address assigned by Access Policy Manager.

session.requested.clientip string xxx.xxx.xxx.xxx (for example, 192.168.12.10) To change the client IP address, modify this variable. Because session.assigned.clientip is informational only, this is the variable that allows you to modify the client IP address.

session.end string admin_terminated, logged_out, timed_out An informational variable that stores the reason the session was terminated.

session.assigned.leasepool string lp1 The lease pool assigned to the client session.

session.assigned.resources string "res1 res3 res5" A space-delimited list of assigned resource names. This list is generated based on the list of assigned resource groups.

session.assigned.route_domain int 1 The route domain ID number assigned to the client session.

session.assigned.uuid string (see description) The informational Universally Unique Identifier for a session. A UUID is a 128-bit number, displayed as 32 hexadecimal digits in 5 groups separated by hyphens, in the form 8-4-4-4-12, for a total of 36 characters. For example, 62ea1423-7a4c-ed22-2101-45eda3a6bb01.

session.user.uuid string (see the description of session.assigned.uuid) The Universally Unique Identifier for a session. To change the UUID stored in the informational variable session.assigned.uuid, use this variable.


session.logon.last.username string "username" You can use the session user name variable with the variable assign action to replace the user name value that is passed to an authentication action in the access policy. An authentication action then authenticates with this user name value. For an example, see Example: Using a certificate field for logon name, on page 16-25.

session.logon.last.password string "password" The session password variable contains the user password that is collected in the logon page action. This variable stores the password, then sends it to the authentication server. You should not configure the variable assign action to replace this variable.

Table C.2 Special purpose user session variables (columns: Name, Type, Format, Description)

Network access resource variable attributes

This table includes the variables you can access in a network access resource, and the formats and values of the variable attributes.

Use this table with the variable assign action, to correctly format the replacement attribute for an existing network access resource configuration variable.

When the session variable requires that you write replacement XML in a specific format, the XML is presented in this table as <tag>tagdata</tag>. In this example, you type both the opening <tag> and the closing </tag> elements as provided, then type the actual XML data between the opening and closing elements. For example, the following is an entry in the table.

<dns><dns_primary>IP Address</dns_primary><dns_secondary>IP Address</dns_secondary></dns>

Figure C.1 Network access resource XML formatting example

The following is an example of replacement code you could write, based on this table entry.

<dns><dns_primary>4.2.2.1</dns_primary><dns_secondary>4.2.2.2</dns_secondary></dns>

Figure C.2 Network access resource XML formatting example

Important

The result of an evaluated expression or custom expression that you use to replace a network access property must provide a value in the format described in the Attribute value format column.

Network access resource property Type Attribute value format

leasepool_name string The attribute value is the name of a leasepool that exists on Access Policy Manager.

snat_type integer The attribute value is 0, 2, or 3: 0 - None (no SNAT); 2 - SNAT pool (assigned with the variable snatpool_name); 3 - Automap.

snatpool_name string The attribute value is the name of an SNAT pool. The SNAT pool must be configured on the Access Policy Manager.


compression int The attribute value is 0 or 1: 0 = disable compression, 1 = enable compression.

client_proxy_settings Bool, String, IPAddress, Number, Bool, Vector(String) (see example) The attribute is XML, formatted as follows:

<client_proxy_settings>
  <client_proxy>1</client_proxy>
  <client_proxy_script>proxy_script</client_proxy_script>
  <client_proxy_address>proxyaddress</client_proxy_address>
  <client_proxy_port>proxyport</client_proxy_port>
  <client_proxy_local_bypass>1</client_proxy_local_bypass>
  <client_proxy_exclusion_list>
    <item>exclusion_list_item1</item>
    <item>exclusion_list_item2</item>
  </client_proxy_exclusion_list>
</client_proxy_settings>

Note that <client_proxy> must have the value 1 for the other settings to take effect; otherwise, all other settings in <client_proxy_settings> are ignored.

drive_mapping Vector(Struct) The attribute is XML, formatted as follows:

<drive_mapping><item><description>description</description><path>drive_path</path><drive>drive_letter</drive></item></drive_mapping>

Note that the drive letter range is from D to Z.

session_update_threshold int The attribute value is the session update threshold, in seconds.

session_update_window int The attribute value is the session update window, in seconds.

address_space_include_dns_name Vector(string) The attribute is XML, formatted as follows:

<address_space_include_dns_name><item><dnsname>dnsname1</dnsname></item><item><dnsname>dnsname2</dnsname></item></address_space_include_dns_name>

address_space_include_subnet Vector(network) The attribute value is a space-separated list of subnets. For example: 192.168.30.0/255.255.255.0 172.30.11.0/255.255.255.0


address_space_exclude_subnet Vector(network) The attribute value is a space-separated list of subnets. For example: 192.168.30.0/255.255.255.0 172.30.11.0/255.255.255.0

address_space_protect Bool The attribute value is 0 or 1: 0 = disable address space protection, 1 = enable address space protection.

address_space_local_subnets_excluded Bool The attribute value is 0 or 1: 0 = disable address space local subnet exclusion, 1 = enable address space local subnet exclusion.

address_space_dhcp_requests_excluded Bool The attribute value is 0 or 1: 0 = disable address space DHCP request exclusion, 1 = enable address space DHCP request exclusion.

split_tunneling Bool The attribute value is 0 or 1: 0 = disable split tunneling, 1 = enable split tunneling.

Note: If split_tunneling is set to 0, then you must set the following variables:

address_space_exclude_subnet = ""
address_space_include_subnet = "128.0.0.0/128.0.0.0 0.0.0.0/128.0.0.0"
address_space_include_dns_name = "*"

dns String The attribute is XML, formatted as follows:

<dns><dns_primary>IPAddress</dns_primary><dns_secondary>IPAddress</dns_secondary></dns>

dns_suffix String The DNS Default Domain Suffix. For example, siterequest.com.

wins String The attribute is XML, formatted as follows:

<wins><wins_primary>IPAddress</wins_primary><wins_secondary>IPAddress</wins_secondary></wins>

static_host Vector(staticHost) The attribute is XML, formatted as follows:

<static_host><item><hostname>hostname</hostname><address>IPAddress</address></item></static_host>


client_interface_speed int The number for the client interface speed value in the network access resource, in bytes.

client_ip_filter_engine Bool The attribute value is 0 or 1: 0 = disable integrated IP filtering engine, 1 = enable integrated IP filtering engine.

client_power_management Bool The attribute value is 0 or 1: 0 = disable client power management, 1 = enable client power management.

microsoft_network_client Bool The attribute value is 0 or 1: 0 = disable the Client for Microsoft Networks option, 1 = enable the Client for Microsoft Networks option.

microsoft_network_server Bool The attribute value is 0 or 1: 0 = disable the File and printer sharing for Microsoft Networks option, 1 = enable the File and printer sharing for Microsoft Networks option.

warn_before_application_launch Bool The attribute value is 0 or 1: 0 = disable the Display warning before launching applications option, 1 = enable the Display warning before launching applications option.

application_launch Vector(AppLaunch) The attribute is XML, formatted as follows:

<application_launch><item><path>path</path><parameter>string</parameter><os_type>WINDOWS</os_type></item></application_launch>

For the <os_type> value, type WINDOWS. This field is case sensitive.

Note that application launch is currently supported for Windows only.


provide_client_cert Bool The attribute value is 0 or 1: 0 = disable the Provide client certificate on Network Access connection when requested option, 1 = enable the Provide client certificate on Network Access connection when requested option.

tunnel_port_dtls int The attribute is the DTLS port, for example 4433.

Note: setting this to any number other than 0 enables DTLS in the network access resource, and sets the number you specify as the DTLS port.

Table C.3 Network access resource configuration variables and attributes (columns: Network access resource property, Type, Attribute value format)
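The attribute formats in Table C.3 are easy to get wrong when a custom expression builds them at run time, and Access Policy Manager applies whatever the variable assign action hands it. The following Python example is added here and is not F5 code, nor anything the BIG-IP system runs itself: it encodes the table's rules (0/1 for Bool properties, snat_type in 0/2/3 with a pool name for type 2, the subnet list syntax, the D to Z drive letter range, the <client_proxy> switch, and the three values that split_tunneling = 0 requires) as a pre-check you can run over a proposed set of replacement values before putting them in a policy. The property names and formats come from the table; the sample values in SAMPLE_VARS (the pool and share names, the proxy port) are constructed for the example.

```python
"""Pre-check replacement values for APM network access resource variables.

Added example, not F5 code: the checks mirror the attribute value formats
listed in Table C.3 so a value can be validated before a variable assign
action or custom expression supplies it.  SAMPLE_VARS is constructed data.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Bool-typed properties in Table C.3: the attribute value must be 0 or 1.
BOOL_PROPERTIES = {
    "compression", "address_space_protect", "address_space_local_subnets_excluded",
    "address_space_dhcp_requests_excluded", "split_tunneling", "client_ip_filter_engine",
    "client_power_management", "microsoft_network_client", "microsoft_network_server",
    "warn_before_application_launch", "provide_client_cert",
}

# Values Table C.3 requires whenever split_tunneling is set to 0.
FULL_TUNNEL_VALUES = {
    "address_space_exclude_subnet": "",
    "address_space_include_subnet": "128.0.0.0/128.0.0.0 0.0.0.0/128.0.0.0",
    "address_space_include_dns_name": "*",
}


def parse_subnet_list(value):
    """Parse the space-separated network/netmask list used by the
    address_space_*_subnet properties; ValueError on a malformed entry."""
    return [ipaddress.IPv4Network(tok, strict=True) for tok in value.split()]


def build_dns_xml(primary, secondary):
    """Return the <dns> replacement XML in the Figure C.2 format for two
    validated IPv4 addresses (ValueError if either is not an address)."""
    p, s = ipaddress.IPv4Address(primary), ipaddress.IPv4Address(secondary)
    return (f"<dns><dns_primary>{p}</dns_primary>"
            f"<dns_secondary>{s}</dns_secondary></dns>")


def check_drive_mapping(xml_text):
    """Return the problems in a drive_mapping value: each <item> needs
    description, path and drive, and the drive letter must be D to Z."""
    root = ET.fromstring(xml_text)
    if root.tag != "drive_mapping":
        return ["drive_mapping: root element must be <drive_mapping>"]
    problems = []
    for i, item in enumerate(root.findall("item")):
        for tag in ("description", "path", "drive"):
            if item.find(tag) is None:
                problems.append(f"drive_mapping item {i}: missing <{tag}>")
        drive = (item.findtext("drive") or "").strip().upper()
        if not (len(drive) == 1 and "D" <= drive <= "Z"):
            problems.append(f"drive_mapping item {i}: drive {drive!r} not in D-Z")
    return problems


def check_network_access_vars(variables):
    """Check a dict of property name -> replacement value against the
    formats in Table C.3; returns a list of problems, empty when clean."""
    problems = []
    for name, value in variables.items():
        if name in BOOL_PROPERTIES and str(value) not in ("0", "1"):
            problems.append(f"{name}: value must be 0 or 1")
    snat_type = str(variables.get("snat_type", "0"))
    if snat_type not in ("0", "2", "3"):
        problems.append("snat_type: value must be 0, 2 or 3")
    elif snat_type == "2" and not variables.get("snatpool_name"):
        problems.append("snat_type 2 (SNAT pool) requires snatpool_name")
    for name in ("address_space_include_subnet", "address_space_exclude_subnet"):
        if name in variables:
            try:
                parse_subnet_list(variables[name])
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
    # Disabling split tunneling requires the full-tunnel address space values.
    if str(variables.get("split_tunneling", "1")) == "0":
        for name, required in FULL_TUNNEL_VALUES.items():
            if variables.get(name) != required:
                problems.append(f"{name}: must be {required!r} when split_tunneling is 0")
    if "drive_mapping" in variables:
        problems.extend(check_drive_mapping(variables["drive_mapping"]))
    if "client_proxy_settings" in variables:
        root = ET.fromstring(variables["client_proxy_settings"])
        if root.findtext("client_proxy") != "1":
            problems.append("client_proxy_settings: <client_proxy> is not 1, other settings ignored")
    return problems


# Constructed sample: full tunnel, SNAT pool, one mapped drive, explicit proxy.
SAMPLE_VARS = {
    "snat_type": 2,
    "snatpool_name": "example_snatpool",
    "compression": 1,
    "split_tunneling": 0,
    "address_space_exclude_subnet": "",
    "address_space_include_subnet": "128.0.0.0/128.0.0.0 0.0.0.0/128.0.0.0",
    "address_space_include_dns_name": "*",
    "dns": build_dns_xml("4.2.2.1", "4.2.2.2"),
    "drive_mapping": ("<drive_mapping><item><description>Home share</description>"
                      "<path>\\\\fileserver\\home</path><drive>H</drive></item></drive_mapping>"),
    "client_proxy_settings": ("<client_proxy_settings><client_proxy>1</client_proxy>"
                              "<client_proxy_port>8080</client_proxy_port></client_proxy_settings>"),
}
```

Running check_network_access_vars over SAMPLE_VARS returns an empty list; feeding it a dictionary with snat_type 1, a drive letter of C, or split_tunneling 0 without the three full-tunnel values returns one problem string per violation, which is the output you want to see before the values reach a policy.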


D

Using Access iRule Events

• Introducing iRules

• Understanding ACCESS iRules

• Understanding ACCESS iRule Commands

Introducing iRules

An iRule is a powerful and flexible feature within the BIG-IP® local traffic manager system that you can use to manage your network traffic. Using syntax based on the industry-standard Tools Command Language (Tcl), the iRules™ feature not only allows you to select pools based on header data, but also allows you to direct traffic by searching on any type of content data that you define. Thus, the iRules feature significantly enhances your ability to customize your content switching to suit your exact needs.

The remainder of this introduction presents an overview of iRules, lists the basic elements that make up an iRule, and shows some examples of how to use iRules to direct traffic to a specific destination such as a pool or a particular node.

Important

For complete and detailed information on iRules syntax, see the F5 Networks DevCentral web site, http://devcentral.f5.com. Note that iRules must conform to standard Tcl grammar rules; therefore, for more information on Tcl syntax, see http://tmml.sourceforge.net/doc/tcl/index.html.

What is an iRule?

An iRule is a script that you write if you want individual connections to target a pool other than the default pool defined for a virtual server. iRules allow you to more directly specify the destinations to which you want traffic to be directed. Using iRules, you can send traffic not only to pools, but also to individual pool members, ports, or URIs.

The iRules you create can be simple or sophisticated, depending on your content-switching needs. Figure D.1 shows an example of a simple iRule.

when CLIENT_ACCEPTED {
  if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
    pool my_pool
  }
}

Figure D.1 Example of an iRule

This iRule is triggered when a client-side connection has been accepted, causing the BIG-IP system to send the packet to the pool my_pool if the client's address matches 10.10.10.10.

Using a feature called the Universal Inspection Engine, you can write an iRule that searches either a header of a packet, or actual packet content, and then directs the packet based on the result of that search. iRules can also direct packets based on the result of a client authentication attempt.


iRules can direct traffic not only to specific pools, but also to individual pool members, including port numbers and URI paths, either to implement persistence or to meet specific load balancing requirements.

The syntax that you use to write iRules is based on the Tool Command Language (Tcl) programming standard. Thus, you can use many of the standard Tcl commands, plus a robust set of extensions that the BIG-IP system provides to help you further increase load balancing efficiency.

Basic iRule elements

iRules are made up of these basic elements:

• Event declarations

• Operators

• iRule commands

Event declarations

iRules are event-driven, which means that the BIG-IP system triggers an iRule based on an event that you specify in the iRule. An event declaration is the specification of an event within an iRule that causes the BIG-IP system to trigger that iRule whenever that event occurs. Examples of event declarations that can trigger an iRule are HTTP_REQUEST, which triggers an iRule whenever the system receives an HTTP request, and CLIENT_ACCEPTED, which triggers an iRule when a client has established a connection.

Figure D.2 shows an example of an event declaration within an iRule.

when HTTP_REQUEST {
  if { [HTTP::uri] contains "aol" } {
    pool aol_pool
  } else {
    pool all_pool
  }
}

Figure D.2 Example of an event declaration within an iRule

For more information on iRule events, see the Configuration Guide for BIG-IP® Local Traffic Manager™.


Operators

An iRule operator compares two operands in an expression. In addition to using the Tcl standard operators, you can use the operators listed in Table D.1.

For example, you can use the contains operator to compare a variable operand to a constant. You do this by creating an if statement that represents the following: "If the HTTP URI contains aol, send to pool aol_pool." Figure D.2, on page D-2, shows an iRule that performs this action.

iRule commands

An iRule command within an iRule causes the BIG-IP system to take some action, such as querying for data, manipulating data, or specifying a traffic destination. The types of commands that you can include within iRules are:

◆ Statement commands: These commands cause actions such as selecting a traffic destination or assigning a SNAT translation address. An example of a statement command is pool <name>, which directs traffic to the named load balancing pool. For more information, see the Configuration Guide for BIG-IP® Local Traffic Manager.

◆ Commands that query or manipulate data: Some commands search for header and content data, while others perform data manipulation such as inserting headers into HTTP requests. An example of a query command is IP::remote_addr, which searches for and returns the remote IP address of a connection. An example of a data manipulation command is HTTP::header remove <name>, which removes the last occurrence of the named header from a request or response.

◆ Utility commands: These commands are functions that are useful for parsing and manipulating content. An example of a utility command is decode_uri <string>, which decodes the named string using HTTP URI encoding and returns the result. For more information on using utility commands, see the Configuration Guide for BIG-IP® Local Traffic Manager.

Table D.1 iRule operators

Relational operators: contains, matches, equals, starts_with, ends_with, matches_regex

Logical operators: not, and, or


Understanding ACCESS iRules

This section describes the ACCESS iRule events and related reference information for each event that you can use with Access Policy Manager.

Note

iRule event access policy items must be processed and completed before the access policy can continue.

ACCESS_SESSION_STARTED

This event occurs when a new user session is created. It is triggered after the session context is created and the initial session variables related to the user's source IP, browser capabilities, and accepted languages are set.

Using ACCESS_SESSION_STARTED

This event provides a notification that a new session is created. You can use this event to prevent a session from being created when a specific condition occurs. For example, if the user is exceeding the concurrent sessions limit, or if the user does not qualify for a new session due to custom logic, you can prevent a session from starting.

You can use ACCESS::session commands to get and set various session variables. An administrator can also use TCP, SSL, and HTTP iRule commands to determine various TCP, SSL, or HTTP properties of the user.

ACCESS_SESSION_STARTED examples

In this example, the system writes the browser user-agent to the log file when the session starts.

when ACCESS_SESSION_STARTED {
  log local0.notice "APM: Received a new session from browser: [ACCESS::session data get "session.user.agent"]"
}

Figure D.3 ACCESS_SESSION_STARTED example logging browser user-agent

In this example, the system limits application access to the subnet 192.168.255.0/24 only; a session from any other address is removed as soon as it starts.

when ACCESS_SESSION_STARTED {
  set user_ip [ACCESS::session data get "session.user.clientip"]
  # The client address is a dotted-quad string, so compare it against the
  # subnet with IP::addr rather than applying a bitwise mask to the string.
  if { ! [IP::addr $user_ip equals 192.168.255.0/24] } {
    log local0.notice "Unauthorized subnet"
    ACCESS::session remove
  }
}

Figure D.4 ACCESS_SESSION_STARTED example limiting to a subnet


ACCESS_POLICY_COMPLETED

This event occurs when the access policy execution completes for a user session.

Using ACCESS_POLICY_COMPLETED

This event provides a notification that access policy execution has completed for the user. You can use this event to perform post-access-policy work. For example, you can read and set session variables after the access policy is executed.

You can use ACCESS::policy and ACCESS::session commands to get and set various session variables. An administrator can also use TCP, SSL, and HTTP iRule commands to determine various TCP, SSL, or HTTP properties of the user.

ACCESS_ACL_ALLOWED

This event occurs when a resource request passes the access control criteria and is allowed through the ACCESS filter. This event is only triggered for resource requests and does not trigger for internal access control URIs such as my.policy.

Using ACCESS_ACL_ALLOWED

This event notifies you that a resource request is being allowed to pass through the network. You can use this event to create custom logic that is not supported in a standard ACL.

For example, you can further limit access based on specific session variables, rate controls, or HTTP or SSL properties of the user.

You can use ACCESS::session commands to get and set session variables in this event, and ACCESS::acl commands to enforce additional ACLs.

ACCESS_ACL_DENIED

This event occurs when a resource request fails to meet the access control criteria and is denied access.

Using ACCESS_ACL_DENIED

This event provides notification that a resource request has been denied passage through the network.

You can use this event to implement custom logic that is not supported in the standard ACLs. For example, you can send out a specific response, based on specific session variables and HTTP or SSL properties of the user. This event may also be useful for logging purposes.


You can use ACCESS::session commands to get and set session variables in this event, and ACCESS::acl commands to enforce additional ACLs.

ACCESS_SESSION_CLOSED

This event occurs when a user session is removed. This can occur because a user logs out, because the user session times out due to inactivity, or because the user session is terminated by an administrator.

You can use the ACCESS::session command to get session variables in this event. iRule commands that require a flow context cannot be used in this event.

Using ACCESS_SESSION_CLOSED

This event is used like ACCESS_SESSION_STARTED.

ACCESS_POLICY_AGENT_EVENT

This event allows you to insert an iRule event agent in an access policy at some point in the access policy.

On the server during access policy execution, the iRule event agent is executed and ACCESS_POLICY_AGENT_EVENT is raised in iRules.

You can get the current agent ID (using the iRule command ACCESS::policy agent_id) to determine which iRule agent raised the event, and to create customized logic.

Using ACCESS_POLICY_AGENT_EVENT

Use this event to execute iRule logic inside TMM at the desired point in the access policy execution. For example, if you want to do concurrent session checks for a particular AD group, insert this agent after the AD query; once the user's group has been retrieved from the AD query, check how many concurrent sessions exist for that user group in an iRule inside TMM.


Understanding ACCESS iRule Commands

The following ACCESS iRule commands are available.

ACCESS::disable

This command disables the access control enforcement for a particular request URI. The request passes through the access policy without any access control checks, except for checks that the session is valid and that the policy reaches an allow ending.

Use this command with the HTTP_REQUEST iRule event.

ACCESS::session commands

The following commands are used with the ACCESS::session command.

ACCESS::session data get

This returns the value of a session variable. An administrator can read multiple session variables in a single instance of this command.

For example, ACCESS::session data get "session.user.clientip" gets the user's client IP address.

ACCESS::session data set

This sets the value of a session variable to the given value. An administrator can set multiple session variables in a single instance of this command.

For example, ACCESS::session data set "myown_custom_variable" "my_value" creates the custom variable myown_custom_variable, and sets it to the value my_value.

ACCESS::session remove

This deletes the user session and all associated session variables. The session is removed immediately after this command is invoked, and no session variables can be accessed after this command.

ACCESS::session commands can be used only in ACCESS events.

ACCESS::session exists

This command returns TRUE when the session with the provided sid exists, and returns FALSE otherwise. This command may be executed in events other than ACCESS events. One scenario for which you can use this command is to support a nonstandard HTTP application. The iRule verifies the MRHSession cookie, and provides a customized response that instructs the client to re-authenticate, as in Figure D.5.

ACCESS::policy commands

The following ACCESS::policy commands are available.

ACCESS::policy agent_id

This returns the identifier for the agent raising the ACCESS_POLICY_AGENT_EVENT.

ACCESS::policy result

Returns the result of the access policy process. The result is one of the following:

• allow

• deny

• redirect

The ACCESS::policy command can only be used in the ACCESS_POLICY_COMPLETED, ACCESS_ACL_ALLOWED and ACCESS_ACL_DENIED events.

ACCESS::acl result

This returns the result of the ACL match for a particular URI in the ACCESS_ACL_ALLOWED and ACCESS_ACL_DENIED events.

This result can have one of the following values:

• allow

• discard

• reject

• continue

ACCESS::acl lookup

This returns the names of all the assigned ACLs for a particular session.

when HTTP_REQUEST {
  set apm_cookie [HTTP::cookie value MRHSession]
  # An MRHSession cookie that no longer maps to a live session gets a 401
  # that tells the client to re-authenticate instead of being passed on.
  if { $apm_cookie != "" && ! [ACCESS::session exists $apm_cookie] } {
    HTTP::respond 401 WWW-Authenticate "Basic realm=\"www.example.com\""
    return
  }
}

Figure D.5 ACCESS::session exists example


ACCESS::acl eval $acl_name_list

This applies all the ACLs specified in acl_name_list for a particular flow/URI.

ACCESS::acl commands can only be used in the ACCESS_ACL_ALLOWED and ACCESS_ACL_DENIED events.

For example, to add an additional ACL named additional_acl to a user's request before allowing it to go through, use the following example.

when ACCESS_ACL_ALLOWED {
  ACCESS::acl eval "additional_acl"
}

Figure D.6 ACCESS::acl eval example


E

Troubleshooting

• Introducing troubleshooting

• Example: Changing log levels

• Example: Understanding log messages for endpoint security check failures

• Example: Understanding log messages for authentication failures

• Example: Using the adminreporting utility

• Example: Understanding the logging action utility in the visual policy editor

• Example: Viewing logging history

• Introducing Access Policy Manager log messages

• Introducing Kerberos error messages


Introducing troubleshooting

BIG-IP® Access Policy Manager provides ways to troubleshoot issues that you may encounter from time to time. There are a number of files, utilities, and command line interfaces that you can use to pinpoint the problem areas and resolve them quickly.

This appendix provides several different examples that you can refer to in order to understand how Access Policy Manager troubleshooting tools work. Following the examples, you will find sections on Access Policy Manager log messages and Kerberos error messages.

Example: Changing log levels

You can find all log messages relating to network access in the Configuration utility. On the navigation pane, expand System, click Logs, and select Access Control. However, you view ACL-related log messages in a different location: in the navigation pane, expand System, click Logs, and select Packet Filter.

There are two primary logging levels that we recommend you use to troubleshoot issues you may encounter.

• Notice. This level provides the most basic logging information about users’ attempts to establish a network connection. Within the log, you can track a user’s access by his session ID, as shown in Figure E.1.

• Informational. This level provides more in-depth logging information about user access. We recommend you use this level for analyzing access issues on user logon failures.

By default, the log level is set to Notice. This example shows you how to change the default log level to Informational.

To change the default log level

1. Open the Configuration utility.

2. On the navigation pane, expand System, and click Logs. The Logs screen opens.

3. On the menu bar, click Options. The Local Traffic Logging screen opens.

4. Scroll down to the Access Control Logging area; for the Access Control setting, select Informational.

5. Under Secure Connectivity, for the Network Access setting, select Informational.

6. Click Update.

Figure E.1 Example of a log message in the Access Control screen

Example: Understanding log messages for endpoint security check failures

For this example, disable your Microsoft Windows® firewall setting on the client operating system, for instance, Windows XP. You must set up an access policy where the client checks for anti-virus software. When you attempt to access the virtual server, your access request fails because the Windows firewall setting is disabled.

You can now examine the logs displayed on the access control log menu. The system generates a series of log messages as a result of this failure.

Tip

Make sure the log messages are displayed in chronological order, from the most recent logs to the older ones. Within the Log message screen, click TimeStamp to sort the logs based on the most recent times.

Figure E.2 displays a sample log message. The most pertinent data is highlighted in the figure, and described, following.


Figure E.2 Example of endpoint security log message failure

The following highlighted literal strings are described:

• windows_check_fw. This is the session variable object that represents the endpoint security check on the Windows firewall. This variable is allocated if your access policy profile has a firewall action included in your endpoint security check.

• state. This is the object’s attribute that describes the status of the Windows firewall running on your client’s desktop.

• 0 value. This value means that the current state of the Windows firewall is disabled. If the value displayed is 1, the Windows firewall is then enabled.

Since the firewall check returned a result of 0, the final return value on the access policy check resulted in an access denied policy ending. Therefore, the sessionID created for your access is immediately deleted.


Example: Understanding log messages for authentication failures

This example shows log messages displayed if the system encounters a problem with authentication. Assuming that the user passed the endpoint security check, the logon screen appears, requesting valid credentials. For the purpose of this example, enter an invalid credential at the logon page. As a result of inputting incorrect credentials, the authentication fails on your authentication server, and you are directed to a logon denied page.

Figure E.3 displays sample log messages, showing the failure within a Microsoft Active Directory® server.

Figure E.3 Example of an authentication failure log message

The example in figure E.3 displays the highlighted response received from the Active Directory server, which states that the user name entered on the logon page does not appear to be a valid user in the Active Directory database.


Example: Using the adminreporting utility

You can use the adminreporting utility feature of Access Policy Manager to view logon reports. To run this utility, use SSH to log on to the system and type the following command: adminreport.pl -logon logs. This command provides a summary of logon reports based on the logs in the var/log/firepass file.

Figure E.4 displays a summary of a logon report based on logs generated to the /var/log/FirePass file. For a list of all the commands available for this utility, refer to Chapter 17, Logging and Reporting. Alternatively, you can view the same summary report by using the navigation pane. Expand Overview, and click Reports; then on the Reports screen, on the menu bar, click All Sessions.

Figure E.4 Example of logon report summary


Example: Understanding the logging action utility in the visual policy editor

Access Policy Manager provides a tool called logging action within the visual policy editor. This tool lets you write any session variables to the access control logs, so that you can better identify and understand the cause of a user's logon failure.

Figure E.5 displays a sample log message generated based on a logon failure. You can view this message by using the navigation pane. Expand System, click Logs, and on the menu bar, click Access Control.

Figure E.5 Example of a tailored logging message


Example: Viewing logging history

You can view logon history for all users.

To view history data

1. On the navigation pane, expand Overview, and click Reports. The Reports screen opens.

2. On the menu bar, click All Sessions.

Figure E.6 displays a sample report, showing logon history.

Figure E.6 Example of a log message with logon history


Introducing Access Policy Manager log messages

Table E.1 lists all log messages from the BIG-IP® Access Policy Manager.

Status code   Log level   Message   Description   Troubleshooting

013c0001 ERROR 00000000: Number of ports should not exceed: <Port Count>

Specifies that the APD daemon started with the wrong parameters. This can happen only if the administrative user modifies the start scripts for APD.

Make sure that the command line arguments to the APD daemon have not been modified in the /etc/bigstart/scripts/apd file. Factory settings: -d 3 -f

013c0002 ERROR 00000000: Number of threads should not exceed: <Thread Count>

Specifies that the APD daemon started with the wrong parameters. This can happen only if the administrative user modifies the start scripts for APD.

Make sure that the command line arguments to the APD daemon have not been modified in the /etc/bigstart/scripts/apd file. Factory settings: -d 3 -f

013c0003 ERROR 00000000: Couldn't create APD listener: <Listener ID>

Specifies that the APD daemon started with the wrong parameters. This can happen only if the administrative user modifies the start scripts for APD.

Make sure that the command line arguments to the APD daemon have not been modified in the /etc/bigstart/scripts/apd file. Factory settings: -d 3 -f

013c0004 INFO <Session ID> Executed agent '%s', return value %d

Specifies the name of the agent that is started and the returned value. The returned value is an integer.

013c0005 NOTICE <Session ID> Following rule '%s' from item '%s' to ending '%s'

Indicates the access policy item from which the user's session followed a rule to reach the specified ending. The ending is a deny ending, a webtop ending, or a redirect ending.

013c0006 INFO <Session ID> Following rule '%s' from item '%s' to item '%s'

Specifies the rules that are followed when the system processes the access policy.

013c0007 INFO Session variable <Session Variable Name> set to <value>

This is an informational message that the variable <Session Variable Name> is set to the value <value>, and the access policy can use it in the session.

Table E.1 BIG-IP Access Policy Manager log messages


013c0008 NOTICE <Session ID> Connectivity resource '%s' assigned through resource group '%s'

Specifies that the resource assign action has assigned the specified connectivity resource to the session.

013c0009 NOTICE <Session ID> ACL '%s' assigned

Specifies that the resource assign action has assigned the specified ACL to the session.

013c0010 NOTICE <Session ID> Username '%s'

Specifies the user name used for the logon page.

013c0013 INFO <Session ID>: agent: Retrieving AAA server: <ServerName>

Specifies that the AAA agent is retrieving the AAA server information.

013c0014 ERROR <Session ID>: agent: No AAA server associated with <Agent Name>

Specifies that the access policy configuration is incomplete. The AAA agent specified in the log message is not associated with a valid AAA server.

Make sure a AAA Server is assigned in the AAA action <Agent Name> configuration in the access policy.

013c0015 ERROR <Session ID>: agent: Failed to decrypt <StringName> of AAA server: <Server Name>

Specifies that the APD daemon failed to initialize the access policy. This error indicates that the APD daemon is unable to decrypt the administrative password for the AAA server specified in the log message. This indicates a critical system failure.

No troubleshooting information available.

013c0016 ERROR <Session ID>: agent: Unknown agent type <TypeID>

Specifies that the APD daemon failed to initialize the access policy. The access policy contains an agent of unknown type. This indicates a critical system failure.

No troubleshooting information available.

013c0017 INFO <Session ID> AD agent: Auth (logon attempt:<Count>): authenticate with '<UserName>' <Result>

Informational. Specifies the <Result> of an Active Directory authentication attempt. The result is either failed or successful.

013c0019 INFO <Session ID> AD agent: Query: query with '<Filter>' <Result>

Informational. Specifies the <Result> of an Active Directory query attempt. The result is either failed or successful.


013c0021 ERROR <Session ID>: agent: ERROR: <ErrorMessage>

Specifies that one of the access policy agents encountered an error, as described by the error message, during access policy processing.

No troubleshooting information available.

013c0022 ERROR <Session ID>: agent: EXCEPTION: <ExceptionMessage>

Specifies that one of the access policy agents encountered an error, as described by the error message, during access policy processing.

No troubleshooting information available.

013c0042 ERROR <Session ID> <AuthType> module: ERROR: <ErrorMessage>

Specifies that a AAA server operation of the type specified in the log message failed with the error described by the error message.

<AuthType> indicates the authentication module in which the error occurred. The <ErrorMessage> contains information that can point to the cause of the error.

013c0043 ERROR <Session ID> <AuthType> module: EXCEPTION: <ExceptionMessage>

Specifies that a AAA server operation of the type specified in the log message failed with the error described by the error message.

<AuthType> indicates the authentication module in which the error occurred. The <ExceptionMessage> contains information that can point to the cause of the error.

013c0049 INFO <Session ID> LDAP agent: Auth (logon attempt:<Count>): authenticate with '<UserName>' <Result>

Provides an informational message that indicates that the LDAP authentication attempt occurred. The Result is either failed or successful.

013c0051 INFO <Session ID> LDAP agent: Query: query <Result>, dn: <DN>, filter: <Filter>

Provides an informational message that indicates that the LDAP query attempt occurred. The Result is either failed or successful.

013c0057 ERROR <Session ID> <AuthType> module: ERROR: ldap_unbind() failed, <ErrorMessage>

Specifies that the LDAP unbind operation for either LDAP or Active Directory® failed with the error described in the error message.

<AuthType> indicates the authentication module in which the error occurred. The <ErrorMessage> for ldap_unbind() contains more information about the cause of the error.


013c0058 INFO <Session ID> RADIUS agent: (logon attempt:<Count>) authenticate with '<UserName>' <Result>

Specifies an informational message that indicates that the RADIUS authentication attempt occurred. The Result is either failed or successful.

013c0059 INFO <Session ID> RADIUS agent: (logon attempt:<Count>) radius challenge response received, reply-message: <Message>

013c0070 ERROR 00000000: AD agent: ERROR: %s failed for <hostname/IPaddr>

Specifies that the Active Directory action encountered an error while trying to authenticate against the external AAA server with the host name and IP address listed in the error message.

Make sure that DNS is properly configured to resolve the forward and reverse lookup for the AAA server.

013c0075 INFO <Session ID> AD agent: Auth (logon attempt: <Count> ): password changed successfully for '<UserName>'

013c0076 INFO <Session ID> AD agent: Auth (logon attempt: <Count>): Domain password has been expired and must be changed for '<UserName>'

013c0077 INFO <Session ID> AD agent: Auth (logon attempt: <Count>): failed to change password for '<UserName>'

013c0079 NOTICE 00000000: Access policy '%s' configuration has changed. Access profile '%s' configuration changes need to be applied for the new configuration

Specifies that the access policy configuration has changed.

The modified or new configuration changes are not yet active and you must activate the access policy for the changes to take effect.


013c0080 ERROR 00000000: ERROR: Session db interface layer internal error: %d.

Specifies that the APD daemon failed to communicate with the session database. This indicates a critical system failure.

No troubleshooting information available.

013c0081 ERROR <Session ID> Agent execution failed for agent: %d and access policy item: %d

Specifies that an access policy action encountered an error, described in the error message, while the access policy was processing.

No troubleshooting information available.

013c0082 ERROR <Session ID> Invalid rule exists in access policy. Unable to find nextnode.

Specifies that the access policy configuration is not valid. One of the access policy rules is followed by an item that is not valid.

No troubleshooting information available.

013c0083 ERROR 00000000: Request from remote client could not be received from socket. Socket error: %s

Specifies that an error occurred while the system was receiving data from the remote client during access policy processing. Indicates a critical system failure.

No troubleshooting information available.

013c0084 ERROR <Session ID> Access Policy execution failed with error: %d

Specifies that, during access policy processing, an access policy action encountered an error, described in the error message.

No troubleshooting information available.

013c0085 ERROR <Session ID> Response could not be sent to remote client. Socket error:%s

Specifies that an error, described in the error message, occurred while sending the data response to the remote client during access policy processing. This might occur if the remote client disconnects during access policy processing.

No troubleshooting information available.

013c0086 ERROR <Session ID> Rule evaluation failed with error: %s

Specifies that the error described in the error message occurred while trying to evaluate an access policy rule during access policy processing.

No troubleshooting information available.


013c0087 ERROR <Session ID> Invalid session variable exists in rule expression.

Specifies that an error occurred while attempting to evaluate an access policy rule during access policy processing.

This error indicates that a session variable that is not valid is present in the rule expression.

Make sure that the session variable configured in the access policy rule does exist when the rule runs.

013c0088 ERROR <Session ID> Unable to find session variable used in rule expression.

Specifies that an error occurred while attempting to evaluate an access policy rule during access policy processing.

This error indicates that a session variable that is not valid is present in the rule expression.

Make sure that the session variable configured in the access policy rule does exist when the rule runs.

013c0089 ERROR 00000000: Configuration change notification received for an unknown access profile: %s

Specifies that the APD has received a configuration change notification for an unknown access profile.

This indicates a critical system failure.

No troubleshooting information available.

013c0090 ERROR 00000000: Configuration add notification received for an already existing profile: %s

Specifies that the APD has received ADD notification for an existing access profile.

This indicates a critical system failure.

No troubleshooting information available.

013c0091 ERROR 00000000: Invalid request header received from remote client. Socket error: %s

Specifies that the request header received from a remote client during access policy processing is not valid.

The log message logs the incoming HTTP request header received from the remote client.

No troubleshooting information available.

013c0092 ERROR 00000000: Invalid POST request received from remote client. Len: %d

Specifies that the POST request received from the remote client during access policy processing is not valid.

The log message logs the length of the incoming HTTP POST request received from the remote client.

No troubleshooting information available.


013c0093 ERROR 00000000: Request header parsing failed while processing request from remote client

Specifies that an error occurred while processing the received request from the remote client during access policy processing.

No troubleshooting information available.

013c0094 ERROR <Session ID> Couldn't get session variable from session db. Session var: %s

Specifies that APD failed to retrieve a session variable (logged by the log message) from the session database.

No troubleshooting information available.

013c0095 ERROR <Session ID> File Check Agent: File check failed.

Specifies that the file check action encountered an error during access policy processing.

Log and inspect the session variables for the file check action.

013c0096 NOTICE 00000000: A new access profile: %s has been initialized

Specifies that the system has initialized the specified access profile.

Access Policy Manager accepts any request received for this access profile from this point forward, and sends these requests through the associated access policy.

013c0097 NOTICE 00000000: A new access policy: %s has been initialized

Specifies that the system has initialized a new access policy.

013c0098 NOTICE 00000000: Access profile: %s has been removed.

Specifies that the system has deleted an access profile.

Access Policy Manager denies any request received for this access profile from this point forward.

013c0099 NOTICE 00000000: Access policy: %s has been removed.

Specifies that the system has deleted an access policy.

013c0100 NOTICE 00000000: Access profile: %s configuration changes need to be applied for the new configuration to take effect.

Specifies that the system has detected changes you have made to the access profile configuration.

The modified or new configuration changes are not yet active. You must activate the access policy for the new changes to take effect.


013c0101 NOTICE 00000000: Access profile: %s configuration has been applied. Newly active generation count is: %d

Specifies that the system has started the access policy associated with the access profile.

Access Policy Manager increments the generation count by one every time an access policy is activated.

013c0102 NOTICE <Session ID> Access policy result: %s

The final result of the access policy. Valid results are Logon_Denied or Webtop.

013c0103 NOTICE <Session ID> Retry Username '<UserName>'

013c0104 ERROR 00000000: <Session ID> Failed to store configuration variable (error:%d, name:'%s', value:'%s')

Specifies that APD failed to store a session variable (logged by the log message) in the session database.

The log message logs the name of the error encountered along with the variable and value of the variable.

Access Policy Manager was unable to store the session variable in the session database. Either an internal processing error or a failure in database memory allocation occurred.

013c0105 ERROR <Session ID> <AuthType> agent: No AAA server associated with <ServerName>.

Specifies that the AAA action encountered an error during access policy processing, because the AAA server information could not be located.

Make sure that the AAA Server <ServerName> exists in the bigip.conf file. This might happen when a AAA server is deleted from bigip.conf, but the AAA server is still being used by a AAA action.

013c0106 WARNING <Session ID> AD module: WARNING: <Action> <Object> failed in <FunctionName>(): <ErrorMessage> (ErrorCode)

Specifies that the Active Directory Auth or Query action encountered an error during access policy processing.

Action has one of the values:

- query with
- authentication with
- change password for

Object has one of the values:

- Filter
- <AdminUserName>
- <UserName>

The error message is included with the source code function name.

Refer to the <ErrorMessage> text, which contains information about the cause of the error.


013c0107 ERROR <Session ID> AD module: ERROR: <Action> <Object> failed in <FunctionName>(): <ErrorMessage> (ErrorCode)

Specifies that the Active Directory Auth or Query action encountered an error during access policy processing.

Action has one of the values:

- query with
- authentication with
- change password for

Object has one of the values:

- Filter
- <AdminUserName>
- <UserName>

The error message is included with the source code function name.

Refer to the <ErrorMessage> text, which contains information about the cause of the error.

013c0108 ERROR <Session ID> RADIUS module: ERROR: authentication with <UserName> failed in <FunctionName>(): <ErrorMessage> (ErrorCode)

Specifies that, during access policy processing, the RADIUS Auth action encountered an error.

The log message includes the user name and error message, along with the source code function name.

Refer to the <ErrorMessage> text, which contains information about the cause of the error.

013c0109 WARNING <Session ID> LDAP module: WARNING: <Action> <Object> failed in <FunctionName>(): <ErrorMessage> (ErrorCode)

Specifies that the LDAP Auth or Query action encountered an error during access policy processing.

Action has one of the values:

- query with
- authentication with

Object has one of the values:

- Filter
- <AdminUserName>
- <UserName>

The message also includes the error message and the source code function name.

Refer to the <ErrorMessage> text, which contains information about the cause of the error.


013c0110 ERROR <Session ID> LDAP module: ERROR: <Action> <Object> failed in <FunctionName>(): <ErrorMessage> (ErrorCode)

Specifies that the LDAP Auth or Query action encountered an error during access policy processing.

Action has one of the values:

- query with
- authentication with

Object has one of the values:

- Filter
- <AdminUserName>
- <UserName>

The message also includes the error message and the source code function name.

Refer to the <ErrorMessage> text, which contains information about the cause of the error.

013c0112 ERROR <Session ID> EndPoint inspection data is not valid: Agent Result: %s SessionID: %s DeviceInfo: %s Token: %s Signature: %s

Specifies that an error occurred while reading the received request from the remote client during access policy processing.

The received request has invalid end-point inspection data. The log message logs various parts of the inspection data.

No troubleshooting information available.

013c0113 NOTICE <Session ID> %s is %s

Specifies the session variable name and its corresponding value.

013c0114 ERROR <Session ID> process_request(): ERROR: Profile '%s' was not found

Specifies that an error occurred while the system was reading the received request from a remote client during access policy processing.

The request received is for a profile that does not exist.

This can happen if the access profile has been deleted while the remote client is processing the access policy.

No troubleshooting information available.

013c1002 NOTICE Access to invalid URI: (URI=<URI String>)

The system did not recognize the requested URI.


013c1003 ERROR Attempt to access renderer externally: (URI=<URI String>)

Indicates that a client directly accessed one or more resources inside the renderer directory. This is a security violation and the system does not allow it. The system logs the corresponding URI here.

The system has detected an attempt by a client to access a resource on the internal HTTP daemon or service. If the user request is associated with a session ID, you can determine the client IP address from the log messages.

013c1004 NOTICE Invalid Session ID <Client Session ID> Expect (<Session ID>) (URI=<URI String>)

The incoming request did not correspond to any known session ID in the system. The corresponding URI is also logged.

013c1005 NOTICE Invalid Client IP: we have=<IP Address> client ip=<Client IP Address> (URI=<URI String>)

The client IP of the incoming request did not match that stored internally for this session.

013c1006 NOTICE Attempt to access protected resource w/o valid session (URI=<URI String>)

This log message indicates that the system received a request for a protected resource from a client with an empty session ID.

013c1007 NOTICE Request to a protected resource w/o session ID (<URI String>)

A request to a protected resource was received with an empty session ID.

013c1009 NOTICE User Agent: <User Agent Name>

013c1010 NOTICE License NOT available for user session

Specifies that the system ran out of licenses while processing user session requests. All available licenses are already in use.

013c1011 NOTICE CCA: Found a valid cert - adding it to the MEMCACHED

Specifies that a valid client certificate is received from remote client. The client certificate is stored in the session database.

013c1012 INFO Client cert result = <Result Status>

The result of the failed client cert authentication: revoked, unable to verify or another result.


013c1013 INFO Client Cert Auth using OCSP: Status code = <Auth Status>

Logs the result of OCSP authentication.

Following are possible values:

0 : Success
1 : Failure
-1 : Error
2 : Not authenticated

Check the OCSP Responder and OCSP profile configuration settings. The reason for the failure will be listed in the access control log file.

013c1014 INFO Client Cert Auth using CRLDP: Status code = <Auth Status>

Logs the result of Client Cert Authentication using CRLDP.

Following are possible values:

0 : Success
1 : Failure
-1 : Error
2 : Not authenticated

Check the CRLDP server and CRLDP profile configuration settings. The reason for the failure will be available in the access control log file.

013c1015 WARN Received certificate has been revoked.

Specifies that the client certificate the system received from the remote client has been revoked.

013c1016 WARN Received certificate is not valid.

Specifies that the client certificate the system received from the remote client is not a valid PKI certificate.

013c1017 WARN OCSP Failure.

Specifies that the client certificate the system received from the remote client could not be authenticated using OCSP. An error occurred during authentication.

Check the OCSP Responder and OCSP profile configuration settings. The reason for the failure will be available in the access control log file.

013c1018 WARN OCSP Error.

Specifies that the client certificate the system received from the remote client could not be authenticated using OCSP. An error occurred during authentication.

Check the OCSP Responder and OCSP profile configuration settings. The reason for the failure will be available in the access control log file.

013c1020 NOTICE Client SSL encryption: <Cipher Version> (<Cipher Name>,<Cipher Bits Size>)

Logs the SSL cipher information for the SSL session with the remote client.


013c1021 NOTICE Client cert found, CN <Common Name>

Specifies that a valid client certificate was received from the remote client. Logs the Common Name (CN) field from the received certificate.

013c1022 NOTICE Redirecting to error page = <Error Code>

Specifies that an error occurred during user session processing and the user is being redirected to an error page. This page is shown to the user, and the user session is removed. The error code points to one of the customizable error messages.

013c1023 NOTICE Deleted

All session variables and the session are removed from memory.

013c1024 NOTICE Redirecting to Logout page

A request for the logout page was received, and the user was redirected to the logout page.

013c1025 ERROR Failed to allocate client IP address for session (<Session ID>)

There is no client IP address assigned for the network access resource for this session.

The client IP address is taken from the session.assigned.clientip session variable. Either the session variable does not exist or the session database failed to read the variable value.

013c1026 NOTICE failover_id <Failover ID>

Each unit has a unique failover_id, similar to the Unit ID used in High Availability.

013c1027 INFO Setting unit id <Failover ID> as part of session

Each unit has a unique failover_id, similar to the Unit ID. This is used for High Availability.

013c1028 NOTICE Session deleted because of UNIT mismatch

Session data was deleted when failover occurred. The session belonged to the other unit and was in the middle of access policy processing.
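The codes in Table E.1 become useful once something turns them into a signal. The following Python script is an added example and is not part of the F5 guide or of the APM product: it parses access control log lines into status code, session ID and message, raises an alert for the codes the table describes as violations or integrity failures rather than user error (013c0112, 013c1003, 013c1004, 013c1005, 013c1010, 013c1015), counts failed authentication attempts per user name from the 013c0017, 013c0049 and 013c0058 messages so that repeated failures against one account stand out, records each session's ending from 013c0005 and 013c0102, and decodes the 013c1013 and 013c1014 status values listed above. The syslog framing assumed in LINE_RE (timestamp, host, level, apd[pid], then "<code>:<severity>: <session id> <message>") is an assumption about how the lines appear on disk; the message wording follows Table E.1, and the sample lines are constructed, not captured from a system.

```python
"""Triage of BIG-IP APM access control log lines against Table E.1.

Added example, not F5 code. The syslog framing in LINE_RE is an assumption;
the status codes and message wording come from Table E.1.
"""
import re
from collections import Counter

# Assumed on-disk framing: "<ts> <host> <level> apd[<pid>]: <code>:<sev>: <session> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<level>\w+) "
    r"(?P<proc>\w+)\[\d+\]: (?P<code>[0-9a-f]{8}):\d+: (?P<session>[0-9a-f]{8}) (?P<msg>.*)$"
)
# Message fragments taken from Table E.1 (013c0017, 013c0049, 013c0058, 013c0005,
# 013c0102, 013c1013, 013c1014).
AUTH_RE = re.compile(
    r"(?P<agent>AD|LDAP|RADIUS) agent: .*?authenticate with '(?P<user>[^']+)' (?P<result>failed|successful)"
)
ENDING_RE = re.compile(r"to ending '(?P<ending>[^']+)'")
RESULT_RE = re.compile(r"Access policy result: (?P<ending>\S+)")
CERT_RE = re.compile(r"Client Cert Auth using (?P<method>OCSP|CRLDP): Status code = (?P<status>-?\d+)")

# Codes Table E.1 describes as violations or integrity failures rather than user error.
SECURITY_CODES = {
    "013c0112": "endpoint inspection data invalid (possible tampering)",
    "013c1003": "direct access to renderer directory (security violation)",
    "013c1004": "request carried an unknown session ID",
    "013c1005": "client IP changed for an existing session",
    "013c1010": "no session license available",
    "013c1015": "revoked client certificate presented",
}
# Status values documented for 013c1013 (OCSP) and 013c1014 (CRLDP).
CERT_STATUS = {"0": "success", "1": "failure", "-1": "error", "2": "not authenticated"}

# Constructed sample log, not captured from a real system.
SAMPLE_LOG = """\
May  4 10:01:02 bigip1 notice apd[2210]: 013c0010:5: 7f3a1c2e Username 'alice'
May  4 10:01:03 bigip1 info apd[2210]: 013c0017:6: 7f3a1c2e AD agent: Auth (logon attempt:0): authenticate with 'alice' failed
May  4 10:01:09 bigip1 info apd[2210]: 013c0017:6: 7f3a1c2e AD agent: Auth (logon attempt:1): authenticate with 'alice' failed
May  4 10:01:15 bigip1 info apd[2210]: 013c0017:6: 7f3a1c2e AD agent: Auth (logon attempt:2): authenticate with 'alice' failed
May  4 10:01:16 bigip1 notice apd[2210]: 013c0005:5: 7f3a1c2e Following rule 'fallback' from item 'AD Auth' to ending 'Deny'
May  4 10:02:40 bigip1 info apd[2210]: 013c0049:6: 9b0c44d1 LDAP agent: Auth (logon attempt:0): authenticate with 'bob' successful
May  4 10:02:41 bigip1 notice apd[2210]: 013c0102:5: 9b0c44d1 Access policy result: Webtop
May  4 10:03:00 bigip1 err apd[2210]: 013c1003:3: 00000000 Attempt to access renderer externally: (URI=/renderer/../etc/passwd)
May  4 10:03:05 bigip1 notice apd[2210]: 013c1005:5: 9b0c44d1 Invalid Client IP: we have=203.0.113.7 client ip=198.51.100.9 (URI=/vdesk/webtop.eui)
May  4 10:03:07 bigip1 info apd[2210]: 013c1013:6: 9b0c44d1 Client Cert Auth using OCSP: Status code = 1
May  4 10:03:09 bigip1 warning apd[2210]: 013c1015:4: 00000000 Received certificate has been revoked.
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match LINE_RE."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text, fail_threshold=3):
    """Summarise a log excerpt: security alerts, failed logons per user, endings, cert checks."""
    failed = Counter()
    alerts, endings, cert_checks, unparsed = [], {}, [], 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1  # count rather than drop silently: a framing change would hide everything
            continue
        code, session, msg = rec["code"], rec["session"], rec["msg"]
        if code in SECURITY_CODES:
            alerts.append((code, session, SECURITY_CODES[code]))
        m = AUTH_RE.search(msg)
        if m and m.group("result") == "failed":
            failed[m.group("user")] += 1
        m = ENDING_RE.search(msg) or RESULT_RE.search(msg)
        if m:
            endings[session] = m.group("ending")
        m = CERT_RE.search(msg)
        if m:
            cert_checks.append((session, m.group("method"), CERT_STATUS.get(m.group("status"), "unknown")))
    return {
        "alerts": alerts,
        "failed_logons": dict(failed),
        "brute_force": sorted(u for u, n in failed.items() if n >= fail_threshold),
        "endings": endings,
        "cert_checks": cert_checks,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed the script the access control log the guide names rather than SAMPLE_LOG to run it against real data, and check that "unparsed" stays at zero; a non-zero count means the framing assumed in LINE_RE does not match your system and the other counters cannot be trusted. The failed-logon threshold is deliberately a parameter, since the right value depends on the AAA server's own lockout policy.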


Introducing Kerberos error messages

Table E.2 lists common Kerberos error messages that you may encounter.

Error message   Cause

Pre-authentication failed while getting initial credentials

An invalid password was entered.

Client credentials have been revoked while getting initial credentials

The account is disabled or expired.

Client not found in Kerberos database while getting initial credentials

User account does not exist on the server.

Password incorrect while getting initial credentials

An invalid password was entered.

Password change rejected. Please try again.

The Active Directory server rejected the new password. For example, the current password may have been entered as the new password, or the new password may be too short.

Table E.2 Common Kerberos error messages


Glossary

absolute URL

An absolute URL specifies the exact location of a file or directory on the internet.

access control list (ACL)

In Access Policy Manager, the ACL is a set of restrictions associated with a resource or favorite that defines access for users and groups.

access policy

An access policy contains steps that the client and server go through before access is granted to a connection by the Access Policy Manager. See also action, client side check, endpoint security, branch rule.

access profile

An access profile is a pre-configured group of settings that you can use to configure secure network access for an application.

action

An action is an ordered set of rules for evaluating a remote system. Each action invokes one or more inspectors. The action then uses rules to test the inspectors’ findings. In the visual policy editor, an action is depicted by a rectangle.

Active Directory

Active Directory is the directory service provided with Windows® 2000 and later that supports tracking and locating any object on a network.

advanced rules

In an access policy, advanced rules provide customized functionality. This functionality is useful when you want more functionality than is provided by the default access policy rules and the rules created with the expression builder.

allow ending

An allow ending is a successful ending for the user in the access policy.

authentication

Authentication is the process of verifying the identity of a user logging on to a network.

authentication action

Authentication actions are used in an access policy to add an authentication check with a AAA server or with a client certificate.


authentication query

An authentication query searches the appropriate part of the directory tree of a AAA server, such as LDAP or Active Directory, to find a user within that directory.

authorization

Authorization is the process of enabling user access to resources, applications, and network shares.

branch rule

Branch rules test the inspectors’ findings about a client system. The order of rules in a pre-logon sequence determines the flow of action.

certificate

A certificate is an online credential signed by a trusted certificate authority and used for SSL network traffic as a method of authentication.

client certificate

A client certificate enables the Access Policy Manager to verify the identity of a user’s computer, and to control access to specific resources, applications, and files.

client component

A client component is a control downloaded from the Access Policy Manager that enables the various features of Access Policy Manager functionality.

client side check

In an access policy, a client side check defines a set of actions that need to be taken in order to evaluate the client system or device.

Configuration utility

The Configuration utility is the browser-based application that you use to configure the Access Policy Manager.

decision box

In the visual policy editor, a decision box is a policy action that provides a user with two options for accessing a system.

domain name

A domain name is a unique name that is associated with one or more IP addresses. Domain names are used in URLs to identify particular Web pages. For example, in the URL http://www.siterequest.com/index.html, the domain name is siterequest.com.


Domain Name System (DNS)

The Domain Name System (DNS) is a system that stores information associated with domain names, making it possible to convert IP addresses such as 192.168.16.8, into more easily understood names such as www.siterequest.com.

Dynamic Host Configuration Protocol (DHCP)

DHCP is a protocol for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can be assigned a different IP address every time it connects to the network.

endpoint security

Endpoint security is a centrally managed method of monitoring and maintaining client-system security. See also client side check and resource protection.

FIPS

Federal Information Processing Standards (FIPS) are publicly announced standards developed by the U.S. Federal government for use by all (non-military) government agencies and by government contractors. The Access Policy Manager can be configured with FIPS 140 encryption hardware, which stores all certificates and private keys in the FIPS hardware.

FQDN (fully qualified domain name)

The fully qualified domain name (FQDN) is an unambiguous domain name that specifies a node’s position in the DNS tree hierarchy absolutely, for example, myfirepass.siterequest.com. See also domain name.

high availability

High availability is the process of ensuring access to resources despite any failures or loss of service in the setup. For hardware, high availability is ensured by the presence of a redundant system. See also redundant system.

hot fix

A hot fix (patch) is an intended modification to the BIG-IP Access Policy Manager.

HTTP (HyperText Transport Protocol)

HTTP is the method that is used to transfer information on the Internet and on intranets.

HTTPS (HyperText Transport Protocol [Secure])

HTTPS is secure HTTP. See also HTTP (HyperText Transport Protocol).


inspector

An inspector is an ActiveX control or Java plug-in that gathers information about the user’s computer, evaluating factors such as the presence of viruses or antivirus software, operating system version, running processes, and others.

interface

A physical port on an F5 system is called an interface.

IP address

An IP address (Internet Protocol address) is a unique number that identifies a single device and enables it to use the Internet Protocol standard to communicate with another device on a network. See also self IP address and virtual IP address.

IPsec

IPsec (Internet Protocol Security) is a communications protocol that provides security for the network layer of the Internet without imposing requirements on applications running above it.

local traffic management

Local traffic management refers to the process of managing network traffic that comes into or goes out of a local area network (LAN), including an intranet.

name resolution

Name resolution is the process by which a name server matches a domain name request to an IP address, and sends the information to the client requesting the resolution.

NAT (Network Address Translation)

A NAT is an alias IP address that identifies a specific node managed by the Access Policy Manager system to the external network.

network access

Network access is an Access Policy Manager feature that provides secure access to corporate applications and data using a standard web browser.

network configuration

Network configuration is the process of setting up the Access Policy Manager’s web services on network interfaces. See also web service.

port

A port is a number that is associated with a specific service supported by a host.


redundant system

Redundant system refers to a pair of units that are configured for failover. In a redundant system, there are two units, one running as the active unit and one running as the standby unit. If the active unit fails, the standby unit takes over and manages connection requests.

resource

A resource is an application, a file, or a server on your network to which you want users to have secure access.

resource protection

Resource protection is the process of using a defined protected configuration to protect a set of resources.

self IP address

A self IP address is an IP address that uniquely identifies each Access Policy Manager interface or VLAN interface. See also IP address and virtual IP address.

sequence

See access policy.

server certificate

A server certificate verifies the server’s identity to a user’s computer.

session variable

A session variable contains a number or string that represents a specific piece of information about the client system, the Access Policy Manager, or another piece of information.

split tunneling

Split tunneling is a process that provides control over exactly what traffic is sent over the network access connection to the internal network.

SSL (Secure Sockets Layer)

SSL is a network communications protocol that uses public-key technology as a way to transmit data in a secure manner.

standby controller/standby unit

A standby unit in a redundant system is the unit that is always prepared to become the active unit if the active unit fails.


strong password

A strong password is one that is difficult to detect by both humans and computer programs, which effectively protects data from unauthorized access. A strong password typically consists of a specific number of alphanumeric characters of differing case, as well as certain punctuation characters.

superuser

Superusers are users who have cross-realm access to all groups and features. A superuser creates realm administrators, upgrading them from Access Policy Manager users, and delegating full or restricted access to Access Policy Manager functionality or groups.

tunnel

A tunnel is a secure connection between computers or networks over a public network.

URI

In the Access Policy Manager context, URI means the fully-qualified domain name, followed by the path designator /<uri-specific_path>.

virtual host

In the Access Policy Manager context, a virtual host means the domain name or IP address that users specify when logging on to a web service you create on a virtual IP. See also virtual IP address.

virtual IP address

A virtual IP address is an IP address that identifies a virtual (that is, non-physical) network location. The Access Policy Manager uses virtual IP addresses for redundant systems. See also IP address, redundant system, and self IP address.

visual policy editor

The visual policy editor consists of a graphical area in which you create, view, or modify an access policy by clicking to add and delete actions and rules that are visually shown on the graph. See also access policy, action, and branch rule.

web service

A web service is a method of communication that applications written in various programming languages and running on various platforms can use to exchange data over networks, such as the Internet or an intranet.

webtop

The webtop is the user’s home page, which grants access to the network access connection.


Index


/var/log/messages directory 17-4
Adding the client certificate into your access policy 12-6

A
a 5-8
access control
    to SNMP data 18-3
access control entries
    adding 5-3
access control list
    assigning 5-5
access control lists
    adding entries 5-3
    and actions 5-3
    and default actions 5-2
    and network access
    creating 5-3, 14-2, 14-3, B-2
    examples 5-5
    logging 5-5
    understanding 5-2
access levels, managing 18-5
access policy
    adding a browser cache cleaner action 9-26
    adding a client OS check 10-2
    adding a decision box 8-18
    adding a file check action 9-6
    adding a firewall check action 9-14
    adding a landing URI check 10-12
    adding a logon page 8-4
    adding a machine cert check action 9-12
    adding a macrocall 7-16
    adding a message 8-17
    adding a process check action 9-17
    adding a protected workspace action 9-30, 9-39
    adding a registry check action 9-20
    adding a UI mode check 10-6, 10-9
    adding a virtual keyboard to the logon page 8-14
    adding a Windows info action 9-22
    adding actions 7-7
    adding an antivirus check 9-2
    adding an external logon page 8-8
    adding an iRule event 8-19
    adding logging 8-16
    adding the macro B-6
    and actions 6-2
    and general purpose actions 8-1
    and internal process for an action 6-6
    and session variables 6-16
    applying 7-3
    assigning a webtop 5-8
    assigning an ACL 5-5
    assigning resources 8-9
    assigning variables 8-10
    configuring for systems that cannot use client-side checks 10-1
    creating 7-5
    logging session variables 8-16
    selecting a VLAN 8-15
    setting a default ending 7-10
    understanding basic configuration 7-6
    understanding branches 6-10
    understanding endings 7-8
    understanding rules and actions 6-6
access policy ending
    creating 7-8
access policy example B-1
Access Policy Manager
    finding software version 1-24
access profile
    and browser language strings 7-4
    backup 7-27
    creating 7-2, B-6
    customizing 15-1
    customizing languages 7-4
    domain cookie option 7-2
    import 7-27
    secure cookie option 7-2
    specifying a logout URI 7-2
accounting
    collecting user information 11-2
    overview 11-2
ACLs
    See access control lists.
actions
    and internal process for 6-6
    and pre-defined 6-3
    and rules 6-6
    using in access policies 6-2
active connection statistics 18-14, 18-15
Active Directory
    configuring query action B-6
active FTP
    and SNAT automap 2-6
ActiveSync
    adding to virtual server 14-2
    using UI Mode to create an ActiveSync branch 10-5
AD Query action B-6
adminreporting utility E-5
advanced access policy rules
    and mcget command 16-18
    creating a custom variable with 16-21
    replacing configuration variable with custom expression 16-21
    understanding situations 16-17


    using 16-17
    writing 16-18
    writing in an action 16-19
    writing in resource assign action 16-20
advCustHelp utility 15-24
alarm RMON group 18-13
Alert log level 17-6
alert system 18-7
allow ending
    configuring 7-9
allow local subnet 2-7
allowed ending
    understanding 6-14
an 5-5
antivirus check action
    understanding 9-2
    using 9-2
application access
    and web applications 3-2
application launch
    configuring for Macintosh or Linux A-13
application-specific MIB files 18-1
    See also enterprise MIB files.
apply access policy 7-3
Ask F5
    and support 1-24
assigning a webtop 5-8
assigning an ACL 5-5
assigning resources 8-9
assigning variables 8-10
audit log 17-2
audit logging
    and /var/log/ltm directory 17-5
    enabling and disabling 17-7
auditing events
    and log levels 17-7
authentication
    choosing an authentication scheme 11-2
    determining a method 11-3
    overview 11-2
    setting up RADIUS authentication and authorization 11-4, 11-15
    troubleshooting E-4
authentication actions
    understanding 7-13
authentication warnings 18-8
authorization
    overview 11-2
authorization
    accessing resources 11-2

B
back up an access profile 7-27
best practices
    and client certificates 12-12
    for certificate revocation lists 12-12
    for Online Certificate Status Protocol 12-12
BIG-IP alert system 18-2
BIG-IP system information 18-3
BIG-IP system objects, SNMP 18-2
branch rules
    and branches 6-10
    examples 6-7
    understanding 7-5
branches in access policies 6-10
browser cache cleaner action
    understanding 9-26
    using 9-26

C
cache and compression
    configuring 3-5
calculations 18-14
certificate revocation list
    and best practices 12-12
    and limitation 12-11
    described 12-11
certificates
    and Online Certificate Status Protocol 12-12
    overview 12-2
    understanding SSL server certificates 12-2
client
    configuring settings A-7
    configuring to use Windows logon credentials A-6
    customizing appearance 15-22
client access
    allowing 18-2, 18-4
    configuring 18-3
client certificates
    and best practices 12-12
    and certificate revocation list updates 12-12
    and Online Certificate Status Protocol 12-12
client components
    downloading A-1
    understanding A-1
client connections
    establishing A-16
client download wizard
    understanding client options A-9
    using A-5, A-10, A-11, A-12
Client for Microsoft Networks 2-8
client OS check action
    understanding 10-2
    using 10-2
client proxy settings 2-9
client settings for network access 2-6
client traffic classifier
    creating 2-17
client troubleshooting utility
    downloading A-20


clients
    and administrative rights A-1
clients, SNMP 18-3
client-side actions 7-14
client-side checks 7-13
    preparing for systems that cannot use 10-1
    understanding 9-1
collecting Windows information 9-22
common operations, following recommended path 1-22
communities
    and access levels 18-5, 18-7
    and trap destinations 18-8
community access 18-5
company-specific MIB files 18-1
component installer
    using A-11
compressing traffic 2-1
config variables
    assigning 8-10
configuration changes
    auditing 17-4
configuration data loads
    logging 17-8
configuration tasks
    for SNMP agent 18-3
    summary for SNMP 18-2
Configuration utility
    and components 1-17
    and identification and messages area 1-17
    and menu bar 1-17
    and navigation pane 1-17
configurations
    and scenarios 1-23
connection statistics 18-14, 18-16
connectivity profile
    configuring client settings A-7
    configuring mobile client settings A-8
    customizing client appearance 15-22
    specifying Windows logon credentials A-6
contact information 18-3
contact name 18-3
content searching D-1
content switching
    customizing D-1
context-sensitive online help 1-24
Controlling SSL Traffic 12-1
CPU use statistics 18-14, 18-18
Critical log level 17-6
CRL
    See certificate revocation list.
current sessions
    displaying reports 17-9
customization
    for advanced user profiles 15-24
    restore a default setting 15-2
customizing logon page elements 15-8
customizing logon page fonts 15-9
customizing logon page footer 15-9
customizing logon page header 15-9

D
data
    MIB files 18-12
data access control, SNMP 18-3
data loads
    logging 17-8
data object values, SNMP 18-1
data objects
    in MIB files 18-9
    modifying 18-5, 18-7
    See also access levels.
Debug log level 17-6
decision box action 8-18
default access control actions 5-2
default access levels
    assigning 18-7
    modifying 18-5
default ending 7-10
denied ending
    understanding 6-14
deny ending
    configuring 7-9
destinations, SNMP 18-7, 18-8
detecting ActiveSync clients 10-5
DNS
    setting on remote computers 2-9
    understanding options 2-9
domain cookie option 7-2
domain scripts
    running 2-12
DTLS 2-8
    configuring a virtual server 14-3

E
email, sending 17-2
Emergency log level 17-6
endings
    and understanding 6-14, 7-8
    creating 7-8
    deny 6-14
    for allowed users 6-14
    for logon denied 7-8
    for redirect 6-15
    for webtop 7-8
    redirect 7-8
    setting default 7-10
endpoint security
    and internal process for an action 6-6
    and rule syntax C-2
    troubleshooting E-2
    understanding rules and actions in access policies 6-6
enterprise MIB files
    and Configuration utility 18-1
    content of 18-10
    defined 18-1
    downloading 18-2, 18-10
Error log level 17-6
error messages
    customizing 16-4
    logging E-8
    viewing Kerberos E-21
event notifications, SNMP 18-2
event RMON group 18-13
expr command
    using 16-18
External Access Management
    About 13-9
external logon page action
    using 8-8

F
F5 Technical Support, contacting 1-24
F5-BIGIP-COMMON-MIB.txt file 18-10
F5-BIGIP-LOCAL-MIB.txt file 18-10, 18-11
F5-BIGIP-SYSTEM-MIB.txt file 18-10, 18-12
fallback branch 6-10
file and printer sharing option 2-8
file check action
    understanding 9-6
    using 9-6
firewall check action
    understanding 9-14
    using 9-14
force all traffic through tunnel option 2-7
framework installation 15-8
FTP
    for active FTP and SNAT automap 2-6
full patching
    understanding 3-2

G
general purpose actions
    configuring 8-3
    understanding 8-1
global statistics data 18-12
graphs, SNMP 18-14
group policy
    adding a template 9-38
    downloading a template 9-38, 9-39

H
header searching D-1
help
    locating online help 1-24
history RMON group 18-13
Home tab
    enabling 3-6
host names
    in logs 17-2
hosts
    file 2-10
    setting on remote computers 2-9
HTTP request statistics 18-14, 18-17
HTTPS
    and network access 2-2

I
import an access profile 7-27
information collection 18-2
Information log level 17-6
information polling 18-2
information, SNMP 18-3
installing Windows client packages A-11
integrated IP filtering engine 2-8
interfaces
    monitoring 18-13
Introducing Single Sign-On with Credential Caching and Proxying 13-1
Introducing SSL server certificates 12-2
IP address
    with DTLS and network access virtual servers 14-3
IP addresses
    for SNMP traps 18-8
    specifying 18-3
iRule command types D-3
iRule elements D-2
iRule event declarations D-2
iRule operators D-3
iRules
    defined D-1
    viewing reference D-4
irules
    understanding D-1

K
Kerberos error messages E-21

L
landing URI check
    using 10-12
launch applications
    application paths and parameters 2-11
    understanding options 2-11
lease pools
    assigning to a network access resource 2-14
    creating 2-13, 4-4, 4-5, 14-4, B-3
    understanding 2-13
Linux
    and supported network access features A-13
    configuring application launch A-13
    installing client on A-14
local application traffic 18-11
local traffic management information 18-10
log contents 17-2
log levels
    changing E-1
    defined 17-6
    setting 17-6
log messages E-8
logging action
    understanding 8-16, E-6
logging session variables in an access policy 8-16
logical operators C-3
logical operators, listed D-3
logon denied ending
    customizing 7-10
    understanding 7-8
logon history E-7
logon page
    adding a virtual keyboard 8-14
    customizing 15-1
    customizing elements 15-8
    customizing fonts 15-9
    customizing footer 15-9
    customizing header 15-9
    customizing with logon page action 16-2
    understanding logout components 15-13
logon page action
    understanding 16-1
    using 8-4
logon page fonts 15-9
logon page footer 15-9
logon page header 15-9
logout
    understanding components 15-13
logout message
    customizing 16-4
Logout URI Include 7-2
loopback interface 18-3

M
machine cert check action
    understanding 9-10
    using 9-12
machine location 18-3
Macintosh
    and supported network access features A-13
    configuring application launch A-13
macro templates
    for AD auth and resources 7-17
    for AD auth query and resources 7-18
    for LDAP auth and resources 7-19
    for LDAP auth query and resources 7-20
    for RADIUS and resources 7-21
    for SecurID and resources 7-22
    for Windows AV and FW 7-23
macro terminals
    branches 6-10
    configuring 7-15
    understanding 6-12
macrocalls
    adding to an access policy 7-16
    understanding 6-11
macros
    adding to an access policy 7-16
    configuring 7-15
    understanding 6-11
    understanding terminals 6-12
management information base
    See also MIB-II MIB.
    See MIB.
mcget command
    using 16-18
memory use statistics 18-14, 18-15, 18-18
message box action 8-17
metrics collection 18-14
MIB
    and device management 18-1
    defined 18-1
    See also MIB-II MIB.
MIB file contents 18-10
MIB file locations 18-1
MIB file types 18-9
MIB files
    defined 18-9
    described 18-1
    downloading 18-2
MIB-II MIB 18-1
MIB-II objects 18-12
minimal patching
    configuring 3-3
minimum log levels 17-1
    defined 17-6
    setting 17-6
mobile client
    configuring settings A-8

N
Net-SNMP 18-1
network access
    and allow local subnet option 2-7
    and client proxy settings 2-9
    and client settings 2-6
    and clients 2-1
    and compression 2-1
    and drive mapping 2-10
    and file and printer sharing option 2-8
    and functionality supported 2-1


    and integrated IP filtering option 2-8
    and launch applications options 2-11
    and Linux support A-13
    and Macintosh support A-13
    and Microsoft Networks client 2-8
    and point-to-point protocol 2-2
    and routing table changes option 2-7
    and session update threshold 2-6
    and session update window 2-6
    and split tunneling option 2-7
    and Web Applications 3-1
    configuring properties 2-4, 13-14, 13-15, 13-16, 13-17, 13-18
    creating 2-4
    creating resource 2-4
    establishing client connections A-16
    forcing all traffic through the tunnel 2-7
    IP addresses and DTLS 14-3
    overview 2-1
    understanding 2-2
    understanding general properties 2-5
    understanding general settings 2-5
    with DTLS 2-8
network access resource
    assigning variable attributes C-12
    creating B-4
network information 18-12
new connection statistics 18-14, 18-16
Notice log level 17-6
notification events 18-8
notification messages 18-2, 18-7
    See also traps.
notifications, SNMP 18-11
NOTIFICATION-TYPE designation 18-11

O
object data, SNMP 18-2
object ID definitions, RMON 18-13
object presentation 18-1
object values, SNMP 18-1
OIDs 18-14
Online Certificate Status Protocol
    and best practices 12-12
    using 12-12
online help 1-24
operating system-related events
    logging 17-4
operators D-3

P
pager notifications, activating 17-2
partitions
    and virtual servers 14-1
performance metrics, SNMP 18-2, 18-14
persistence
    and iRules D-1
platform information 18-12
policy example B-1
policy-based routing 8-15, 16-11
    example 16-13
port numbers 18-8
pre-defined actions 6-3
process check action
    understanding 9-17
    using 9-17
prohibit routing table changes 2-7
protected workspace
    understanding 9-25, 9-30
protected workspace action
    using 9-30, 9-39

Q
query commands, defined D-3

R
RADIUS authentication, setting up 11-4, 11-15
rate statistics 18-17, 18-20
read/write access level 18-5, 18-7
read-only access level 18-5, 18-7
redirect ending
    configuring 7-9
    understanding 6-15, 7-8
registry check action
    and expression syntax for 9-19
    specifying registry values 9-19
    understanding 9-19
    using 9-20
relational operators, listed D-3
release notes 1-24
Remote Network Monitoring
    See RMON implementation.
remote system management 18-3
Reporting 17-9
reports
    displaying 17-9
resource assign action
    assigning a webtop 5-8
    assigning an ACL 5-5
    using 8-9
resource group example B-2
resources
    and access control lists 5-2
    configuring B-2
    understanding 5-1
restore default customization settings 15-2
RMON groups 18-13
RMON implementation 18-13
RMON-MIB.txt file 18-13
route domain selection action
    using 16-13


route domains
    understanding 16-11
rule branches
    adding actions 7-6
rule operators C-3
rule operators, listed D-3
rules
    and actions in access policies 6-2
    and session variables 6-16
    and syntax elements C-2
    See iRules.
    understanding 6-6
    using C-2
    viewing predefined 6-8

S
secure cookie option 7-2
security
    and client-side checks 9-1
    and Web Applications 3-1
server-side checks 7-14
service flow
    creating 2-16
service names
    in logs 17-2
session update threshold 2-6
session update window 2-6
session variables
    and mcget command 16-18
    assigning 8-10
    definition 6-17
    logging in an access policy 8-16
    understanding 6-16, C-1
    using in access policies 16-17
    viewing reference C-4
severity log levels
    defined 17-6
    setting 17-6
SNAT automap
    and active FTP 2-6
    pool 2-5
SNAT information 18-10
SNAT pool setting 2-5
SNMP
    and syslog 18-9
    configuring 18-7
    in the Configuration utility 18-4
    See also SNMP managers.
    See SNMP agent.
SNMP agent
    access to 18-4
    configuring 18-2
    defined 18-1
SNMP client 18-3
SNMP commands
    for collecting statistics 18-14
    using 18-2, 18-10
SNMP data access control 18-3
SNMP manager functions 18-2
SNMP managers
    as trap destinations 18-8
    defined 18-1
SNMP MIB files
    See MIB files.
SNMP object data 18-2
SNMP tasks 18-1, 18-2
SNMP traps
    handling 18-2
    See also traps.
SNMP user access 18-6
SNMP users 18-5
snmpd.conf files
    and access levels 18-6
    for trap configuration 18-8
snmpget command 18-14
software version, finding 1-24
split tunneling
    and DNS address space 2-7
    and exclude address space 2-7
    and LAN address space 2-7
    defined 2-7
    using in network access 2-7
SSL server certificates
    understanding 12-2
standalone secure access client
    installing A-16
    using to remotely access corporate LAN A-16
standard operators C-2
starting applications
    from network access 2-11
statement commands
    defined D-3
static hosts
    setting on remote computers 2-10
    understanding 2-10
statistical data 18-12
statistics
    and RMON group 18-13
    and SNMP 18-11
    viewing reports 17-13
status codes
    in logs 17-2
successful branch 6-10
support
    and Ask F5 1-24
    contacting F5 Networks Technical Support 1-24
system data, SNMP 18-11
system events
    logging 17-4
system information
    configuring 18-3
    polling for 18-11
system interface monitoring 18-13
system location 18-3
system messages
    viewing 1-17
system objects, SNMP 18-2
system-initiated changes
    logging 17-8

T
task summary
    for SNMP 18-2
Tcl
    and logical operators C-3
    and namespace sharing 16-19
    and rule operators C-3
    and standard operators C-2
    and validation 16-19
    using expr command 16-18
    using expression as a rule 16-18
    using mcget command 16-18
    using to write rules 16-18
Tcl syntax D-2
Technical Support at F5, contacting 1-24
throughput rate statistics 18-14, 18-17, 18-20
timestamps
    in logs 17-2
Tools Command Language syntax D-2
transaction IDs
    in logs 17-2
trap destinations
    configuring 18-3
    setting 18-7, 18-8
trap locations 18-10, 18-11
traps
    configuring 18-3
    defined 18-2, 18-7
    handling 18-2
    identifying 18-11
tree structure 18-1
troubleshooting E-1
two-factor authentication
    example 16-9

U
UCD-SNMP 18-1
UI mode check
    understanding 10-5
    using 10-6, 10-9
UIE commands, defined D-3
UIE, defined D-1
Universal Inspection Engine, defined D-1
user changes
    logging 17-7
user names
    in logs 17-2
users
    See SNMP users.
    See user accounts.
using session variables 16-17, C-10

V
variable assign action
    understanding 8-10
    using 8-10
    using to replace configuration variable 16-21
version of software, finding 1-24
virtual keyboard action
    adding 8-14
virtual server information 18-10
virtual servers
    and DTLS 14-3
visual policy editor, starting 7-5
VLAN
    selecting in an access policy 16-11
VLAN gateway
    using with policy-based routing 16-11
VLAN selection action
    using 8-15, 16-11

W
Warning log level 17-6
warnings 18-8
web application
    configure a resource item 3-8
Web Applications
    and features 3-1
    and security 3-1
web applications
    and network access 3-1
    configuring 3-7
    configuring minimal patching 3-3
    Home tab 3-6
    introducing 3-1
webtop 5-8
    assigning 5-8
    creating 5-8
webtop ending
    understanding 7-8
Windows antivirus and firewall macro template 7-23
Windows group policy
    adding templates 9-38
    downloading templates 9-38, 9-39
    understanding 9-25, 9-34
Windows info action
    understanding 9-22
    using 9-22
Windows logon credentials
    installer service A-10
    specifying that client use A-6
