version 10.2
MAN-0309-01
Product Version
This manual applies to product version 10.2 of the BIG-IP® Access Policy Manager® product.
Publication Date
This manual was originally published on May 4, 2010.
Revision A was published on April 4, 2014.
Legal Notices
Copyright
Copyright 2007-2014, F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5
assumes no responsibility for the use of this information, nor any infringement of patents or other rights of
third parties which may result from its use. No license is granted by implication or otherwise under any
patent, copyright, or other intellectual property right of F5 except as specifically described by applicable
user licenses. F5 reserves the right to change specifications at any time without notice.
Trademarks
AAM, Access Policy Manager, Advanced Client Authentication, Advanced Firewall Manager, Advanced
Routing, AFM, Application Acceleration Manager, Application Security Manager, APM, ARX, AskF5,
ASM, BIG-IP, BIG-IQ, Cloud Extender, CloudFucious, Cloud Manager, Clustered Multiprocessing, CMP,
COHESION, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client,
Edge Gateway, Edge Portal, ELEVATE, EM, Enterprise Manager, ENGAGE, F5, F5 [DESIGN], F5
Certified [DESIGN], F5 Networks, F5 SalesXchange [DESIGN], F5 Synthesis, f5 Synthesis, F5 Synthesis
[DESIGN], F5 TechXchange [DESIGN], Fast Application Proxy, Fast Cache, FirePass, Global Traffic
Manager, GTM, GUARDIAN, iApps, IBR, Intelligent Browser Referencing, Intelligent Compression,
IPv6 Gateway, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, L7 Rate Shaping, LC, Link
Controller, Local Traffic Manager, LTM, LineRate, LineRate Systems [DESIGN], LROS, LTM, Message
Security Manager, MobileSafe, MSM, OneConnect, Packet Velocity, PEM, Policy Enforcement Manager,
Protocol Security Manager, PSM, Real Traffic Policy Builder, SalesXchange, ScaleN, Signalling Delivery
Controller, SDC, SSL Acceleration, Software Designed Applications Services, SDAC (except in Japan),
StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TechXchange, TMOS, TotALL, Traffic
Management Operating System, Traffix Systems, Traffix Systems [DESIGN], Transparent Data
Reduction, UNITY, VAULT, vCMP, VE F5 [DESIGN], Versafe, Versafe [DESIGN], VIPRION, Virtual
Clustered Multiprocessing, WebSafe, and ZoneRunner, are trademarks or service marks of F5 Networks,
Inc., in the U.S. and other countries, and may not be used without F5's express written consent.
All other product and company names herein may be trademarks of their respective owners.
Patents
This product is protected by U.S. Patents 6,505,230, 7,114,180, and 7,349,391. Other patents may be
pending.
RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which
case the user may be required to take adequate measures.
Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to
Information Technology products at the time of manufacture.
Acknowledgments
This product includes software developed by Bill Paul.
This product includes software developed by Jonathan Stone.
This product includes software developed by Manuel Bouyer.
This product includes software developed by Paul Richards.
This product includes software developed by the NetBSD Foundation, Inc. and its contributors.
This product includes software developed by the Politecnico di Torino, and its contributors.
This product includes software developed by the Swedish Institute of Computer Science and its
contributors.
This product includes software developed by the University of California, Berkeley and its contributors.
This product includes software developed by the Computer Systems Engineering Group at the Lawrence
Berkeley Laboratory.
This product includes software developed by Christopher G. Demetriou for the NetBSD Project.
This product includes software developed by Adam Glass.
This product includes software developed by Christian E. Hopps.
This product includes software developed by Dean Huxley.
This product includes software developed by John Kohl.
This product includes software developed by Paul Kranenburg.
This product includes software developed by Terrence R. Lambert.
This product includes software developed by Philip A. Nelson.
This product includes software developed by Herb Peyerl.
This product includes software developed by Jochen Pohl for the NetBSD Project.
This product includes software developed by Chris Provenzano.
This product includes software developed by Theo de Raadt.
This product includes software developed by David Muir Sharnoff.
This product includes software developed by SigmaSoft, Th. Lockert.
This product includes software developed for the NetBSD Project by Jason R. Thorpe.
This product includes software developed by Jason R. Thorpe for And Communications,
http://www.and.com.
This product includes software developed for the NetBSD Project by Frank Van der Linden.
This product includes software developed for the NetBSD Project by John M. Vinopal.
This product includes software developed by Christos Zoulas.
This product includes software developed by the University of Vermont and State Agricultural College and
Garrett A. Wollman.
In the following statement, “This software” refers to the Mitsumi CD-ROM driver: This software was
developed by Holger Veit and Brian Moore for use with “386BSD” and similar operating systems.
“Similar operating systems” includes mainly non-profit oriented systems for research and education,
including but not restricted to “NetBSD,” “FreeBSD,” “Mach” (by CMU).
This product includes software developed by the Apache Group for use in the Apache HTTP server project
(http://www.apache.org/).
This product includes software licensed from Richard H. Porter under the GNU Library General Public
License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.
This product includes the standard version of Perl software licensed under the Perl Artistic License (©
1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current
standard version of Perl at http://www.perl.com.
This product includes software developed by Jared Minch.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product contains software based on oprofile, which is protected under the GNU Public License.
This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html)
and licensed under the GNU General Public License.
This product contains software licensed from Dr. Brian Gladman under the GNU General Public License
(GPL).
This product includes software developed by the Apache Software Foundation (http://www.apache.org/).
This product includes Hypersonic SQL.
This product contains software developed by the Regents of the University of California, Sun
Microsystems, Inc., Scriptics Corporation, and others.
This product includes software developed by the Internet Software Consortium.
This product includes software developed by Nominum, Inc. (http://www.nominum.com).
This product contains software developed by Broadcom Corporation, which is protected under the GNU
General Public License.
1
Introducing BIG-IP Access Policy Manager
Introducing the BIG-IP system .....................................................................................................1-1
BIG-IP Local Traffic Manager ..............................................................................................1-1
Overview of the BIG-IP Access Policy Manager ......................................................................1-2
Introducing Access Policy Manager features ...................................................................1-2
Understanding BIG-IP Access Policy Manager access types .................................................1-4
Working with network access ............................................................................................1-6
Working with web applications ..........................................................................................1-8
Working with web application access management ................................................... 1-10
Using access profiles and policies ............................................................................................. 1-13
Using authentication in access policies .......................................................................... 1-14
Using the Configuration utility .................................................................................................. 1-16
Overview of components of the Configuration utility ............................................... 1-17
Getting started with BIG-IP Access Policy Manager ............................................................ 1-18
Using Access Policy Manager configuration wizards .................................................. 1-18
Following the recommended configuration path ......................................................... 1-22
Possible configuration scenarios ...................................................................................... 1-23
Finding help and technical support resources ....................................................................... 1-24
Finding the Access Policy Manager software version number ................................. 1-24
2
Configuring Network Access
Introducing network access ..........................................................................................................2-1
Reviewing network access features ...................................................................................2-1
Configuring network access settings ..........................................................................................2-4
Setting up network access ...................................................................................................2-5
Setting DNS and hosts options ..........................................................................................2-9
Mapping drives with network access ............................................................................. 2-10
Launching applications with network access connections ........................................ 2-11
Using lease pools .......................................................................................................................... 2-13
Configuring traffic control ......................................................................................................... 2-15
3
Configuring Web Applications
Introducing web applications ........................................................................................................3-1
Introducing web applications features and operation ...................................................3-1
Introducing web applications support ...............................................................................3-2
Understanding proxy and cache functionality .................................................................3-4
Understanding web application resource items .............................................................3-4
Configuring web applications on Access Policy Manager ......................................................3-7
Configuring a rewrite profile ..................................................................................................... 3-10
4
Configuring Web Application Access Management
Introducing web application access management ....................................................................4-1
Understanding how web application access management works ...............................4-1
Reviewing web application access management options .......................................................4-2
Setting timeouts for web application access policy management ...............................4-2
Understanding other web application access management considerations .............4-3
Configuring web application access management ....................................................................4-4
5
Configuring Resources
Understanding resources ..............................................................................................................5-1
Using access control lists ..............................................................................................................5-2
Creating access control lists ...............................................................................................5-2
Access control list examples ...............................................................................................5-5
Using webtops .................................................................................................................................5-8
6
Understanding Access Policies
Introducing access policies ............................................................................................................6-1
Understanding access policy items .............................................................................................6-2
Understanding the access policy start point ....................................................................6-2
Understanding access policy actions .................................................................................6-2
Understanding access policy branch rules .................................................................................6-6
Viewing rules ...........................................................................................................................6-7
Predefined rules .....................................................................................................................6-8
Understanding access policy branches .................................................................................... 6-10
Understanding access policy macros ....................................................................................... 6-11
Introducing macro terminals ............................................................................................ 6-12
Introducing access policy endings ............................................................................................ 6-14
Understanding the allow ending ...................................................................................... 6-14
Understanding the deny ending ....................................................................................... 6-14
Understanding the redirect ending ................................................................................. 6-15
Understanding session variables ............................................................................................... 6-16
Using session variables ....................................................................................................... 6-17
7
Creating Access Profiles and Access Policies
Creating an access profile .............................................................................................................7-1
Understanding access profile settings ...............................................................................7-1
Understanding configuration settings ................................................................................7-2
Creating an access profile ....................................................................................................7-2
Applying an access policy .....................................................................................................7-3
Customizing access profile languages ................................................................................7-3
Creating an access policy ..............................................................................................................7-5
Starting the visual policy editor ..........................................................................................7-5
Configuring a basic access policy ........................................................................................7-6
Opening an access policy .....................................................................................................7-7
Adding actions to an access policy ....................................................................................7-7
Using policy endings ..............................................................................................................7-8
Applying an access policy configuration ......................................................................... 7-12
Understanding available actions and categories .................................................................... 7-13
Understanding general purpose checks ......................................................................... 7-13
Understanding authentication actions ............................................................................ 7-13
Understanding client-side checks .................................................................................... 7-13
Understanding client-side actions ................................................................................... 7-14
Understanding server-side checks .................................................................................. 7-14
Configuring macros ..................................................................................................................... 7-15
Using predefined macro templates ................................................................................. 7-17
Using the empty macro template .................................................................................... 7-17
Using the AD auth and resources macro template .................................................... 7-17
Using the AD auth query and resources macro template ........................................ 7-18
Using the LDAP auth and resources macro template ............................................... 7-19
Table of Contents
Using the LDAP auth query and resources macro template .................................... 7-20
Using the RADIUS and resources macro template .................................................... 7-21
Using the SecurID and resources macro template ..................................................... 7-22
Using the Windows AV and FW macro template ...................................................... 7-23
Using the client classification and prelogon checks macro template ...................... 7-25
Backing up and importing access profiles ............................................................................... 7-27
8
Configuring General Purpose Access Policy Actions
Introducing general purpose actions ..........................................................................................8-1
Configuring general purpose actions in an access policy .......................................................8-3
Adding and customizing a logon page ...............................................................................8-3
Adding an external logon page ...........................................................................................8-7
Assigning resources ...............................................................................................................8-9
Assigning variables .............................................................................................................. 8-10
Adding a virtual keyboard to the logon screen ........................................................... 8-13
Adding SSO credential mapping ...................................................................................... 8-14
Selecting a route domain ................................................................................................... 8-15
Adding access policy logging ............................................................................................. 8-16
Adding a message box ....................................................................................................... 8-17
Adding a decision box ........................................................................................................ 8-18
Adding an iRule event ........................................................................................................ 8-19
9
Configuring Client-Side Checks and Client Side Actions
Understanding client-side checks ................................................................................................9-1
Setting up antivirus check .............................................................................................................9-2
Checking antivirus with the antivirus check access policy item ..................................9-2
Example: Using antivirus check ...........................................................................................9-3
Setting up file check ........................................................................................................................9-6
Checking for a file with the file check access policy item ............................................9-6
Example: Using file check .....................................................................................................9-8
Setting up a machine cert auth check ...................................................................................... 9-10
Understanding machine cert auth check options ........................................................ 9-10
Checking a machine certificate with the machine cert access policy item ............ 9-12
Example: Using machine cert auth check ...................................................................... 9-13
Setting up firewall check ............................................................................................................. 9-14
Setting up the firewall check action ................................................................................ 9-14
Example: Using firewall check .......................................................................................... 9-15
Setting up process check ............................................................................................................ 9-17
Setting up process check access policy item ................................................................ 9-17
Example: Using process check ......................................................................................... 9-17
Setting up registry check ............................................................................................................ 9-19
Expression syntax ............................................................................................................... 9-19
Setting up the registry check action ............................................................................... 9-20
Example: Using registry check ......................................................................................... 9-20
Verifying Windows information ............................................................................................... 9-22
Setting up Windows info action ...................................................................................... 9-22
Example: Using Windows info check ............................................................................. 9-23
Understanding client-side actions ............................................................................................ 9-25
Setting up cache and session control ...................................................................................... 9-26
Setting up the cache and session control access policy item ................................... 9-26
Example: Using cache and session control .................................................................... 9-27
Setting up protected workspace .............................................................................................. 9-30
10
Configuring Server-Side Checks
Introducing server-side checks ................................................................................................. 10-1
Preparing for clients that cannot use client checks .................................................... 10-1
Checking the landing URI of a client .............................................................................. 10-1
Configuring client OS check ...................................................................................................... 10-2
Setting up the client OS check ......................................................................................... 10-2
Example: Using client OS check ...................................................................................... 10-3
Configuring UI mode check ....................................................................................................... 10-5
Understanding ActiveSync connections ......................................................................... 10-5
Setting up the UI mode access policy item ................................................................... 10-6
Example: Using UI mode check ....................................................................................... 10-6
Configuring client-side check capability .................................................................................. 10-9
Setting up the client-side check capability access policy item .................................. 10-9
Example: Using client-side check capability action .................................................... 10-10
Checking a landing URI with the landing URI check .......................................................... 10-12
Setting up the landing URI access policy item ............................................................ 10-12
Example: Using landing URI check ................................................................................ 10-12
11
Configuring Authentication Using AAA Servers
Understanding authentication with Access Policy Manager ............................................... 11-2
Understanding authentication types: for Active Directory and LDAP ................... 11-2
Understanding different RADIUS operation modes ............................................................ 11-4
RADIUS authentication ..................................................................................................... 11-4
RADIUS accounting ............................................................................................................ 11-5
RADIUS authentication and accounting ........................................................................ 11-8
Setting up Access Policy Manager for RADIUS authentication and authorization ....... 11-8
Setting up RADIUS authentication and authorization access policy action item . 11-9
Configuring Access Policy Manager for RADIUS accounting .......................................... 11-14
Setting up RADIUS accounting access policy action item ....................................... 11-14
Configuring Access Policy Manager for RADIUS authentication and accounting ....... 11-16
Setting up a RADIUS authenticating and accounting access policy action item . 11-16
Setting up Access Policy Manager for RSA Native SecurID for authentication and authorization ............ 11-17
Adding the Access Policy Manager as an agent host to an RSA Native SecurID authentication server ............ 11-18
Configuring the Access Policy Manager to use the RSA Native SecurID authentication server ............ 11-19
Setting up RSA Native SecurID authentication and authorization access policy action item ............ 11-20
Using RSA Native SecurID session variables for access policy rules .................... 11-21
Setting up Access Policy Manager for LDAP authentication and authorization .......... 11-22
Setting up an LDAP server ............................................................................................. 11-22
Configuring LDAP access policy action item for authentication ........................... 11-23
Configuring LDAP query policy action item ............................................................... 11-26
Using LDAP session variables for access policy rules .............................................. 11-26
Example: Using LDAP query and LDAP authentication to authenticate and authorize users ............ 11-28
Troubleshooting LDAP authentication/query ............................................................ 11-29
Setting up Access Policy Manager for Windows Active Directory authentication and authorization ............ 11-32
Configuring Access Policy Manager to set up an Active Directory for authentication ............ 11-32
Configuring Access Policy Manager to access the Active Directory for authentication ............ 11-33
Configuring Access Policy Manager to access the Active Directory action item for query ............ 11-35
Using Active Directory session variables for access policy rules .......................... 11-36
Troubleshooting Active Directory authentication/query ........................................ 11-37
Example: Authenticating and authorizing users with Active Directory query and authentication ............ 11-38
Understanding nested groups ................................................................................................. 11-39
Setting up Access Policy Manager for HTTP authentication ........................................... 11-41
HTTP basic authentication ............................................................................................. 11-41
HTTPS basic authentication ........................................................................................... 11-42
HTTP NTLM authentication .......................................................................................... 11-44
HTTP form-based authentication .................................................................................. 11-44
Setting up Access Policy Manager for Oracle Access Manager ...................................... 11-46
Setting up Access Policy Manager for AAA high availability ............................................ 11-47
Setting up RADIUS high availability authentication and accounting servers ....... 11-47
Setting up LDAP high availability servers for authentication and query .............. 11-50
12
Introducing On-Demand Certificate Authentication
Controlling SSL traffic ................................................................................................................. 12-1
Understanding SSL profiles ........................................................................................................ 12-1
Introducing SSL server certificates .......................................................................................... 12-2
Introducing SSL On-Demand Certificates .............................................................................. 12-2
Understanding On-Demand certificate authentication ....................................................... 12-3
Client certificate inspection .............................................................................................. 12-3
On-Demand certificate authentication agent ............................................................... 12-4
Configuring client SSL profiles .................................................................................................. 12-8
Importing a certificate and the corresponding key ..................................................... 12-8
Configuring a clientssl profile ........................................................................................... 12-8
Using On-Demand Certificates to authenticate users ...................................................... 12-10
Validating certificate revocation status ................................................................................. 12-11
Understanding CRLs ........................................................................................................ 12-11
Understanding OCSP ....................................................................................................... 12-12
Configuring an OCSP responder object ...................................................................... 12-13
Creating an SSL OCSP profile ....................................................................................... 12-14
Using CRLDP .............................................................................................................................. 12-15
Configuring a CRLDP server object ............................................................................. 12-15
Configuring a CRLDP configuration object ................................................................ 12-15
Creating a CRLDP profile ............................................................................................... 12-16
13
Introducing Single Sign-On
Introducing Single Sign-On (SSO) with credential caching and proxying ........................ 13-1
Introducing Single Sign-On configuration objects ....................................................... 13-1
About credential caching ............................................................................................................ 13-4
Configuring credential caching mapping agent ............................................................. 13-4
About credential proxying ......................................................................................................... 13-5
Configuring credential proxying using HTTP basic authentication method .......... 13-5
Configuring credential proxying using HTTP form-based authentication method ....... 13-6
Configuring credential proxying using NTLM v1 authentication method ............. 13-7
Configuring credential proxying using NTLM v2 authentication method ............. 13-8
About External Access Management ....................................................................................... 13-9
Configuring OAM authentication method .................................................................... 13-9
Common use cases for Single Sign-On deployment .......................................................... 13-14
Using Single Sign-On for LTM pool members ............................................................ 13-14
Using Single Sign-On for web application access over network access tunnel .. 13-15
Configuring web applications for single-sign on ........................................................ 13-18
14
Configuring Virtual Servers
Introducing virtual servers with Access Policy Manager .................................................... 14-1
Configuring virtual servers for access policies ...................................................................... 14-2
Creating a virtual server for DTLS ................................................................................. 14-3
Configuring a local traffic virtual server with an access policy .......................................... 14-4
15
Customizing Access Policy Manager Features
Setting up access profile customization .................................................................................. 15-1
Understanding endpoint security message customization ........................................ 15-2
Customizing error messages for the logon process ................................................... 15-4
Understanding framework installation customization options ................................. 15-8
Understanding logon page style customization options ............................................ 15-9
Understanding logout components .............................................................................. 15-13
Customizing a webtop .............................................................................................................. 15-14
Understanding webtop customization fields .............................................................. 15-14
Customizing the BIG-IP Edge Client ...................................................................................... 15-22
Reviewing client customization settings ...................................................................... 15-22
Introducing advanced access policy customization ............................................................ 15-24
Example: Using advanced access policy customization to modify a specific profile ..... 15-24
16
Advanced Topics in Access Policies
Setting up a logon page to collect user credentials ............................................................. 16-1
Understanding the logon page action ............................................................................. 16-1
Example: Using a customized logon page to collect user credentials .............................. 16-5
Using multiple authentication methods .................................................................................. 16-8
Client certificate two-factor authentication ................................................................. 16-8
Example: Using client certificate authentication with Active Directory ......................... 16-9
Configuring the client certificate two-factor authentication with Active Directory example ..... 16-9
Configuring policy routing ....................................................................................................... 16-11
17
Logging and Reporting
Understanding logging ................................................................................................................. 17-1
Introducing logging features ............................................................................................. 17-1
Understanding log content ............................................................................................... 17-2
Understanding log types ............................................................................................................. 17-4
Logging system events ....................................................................................................... 17-4
Auditing configuration changes ........................................................................................ 17-4
Setting log levels ........................................................................................................................... 17-6
Setting log levels for auditing events .............................................................................. 17-7
Understanding reports ................................................................................................................ 17-9
Displaying reports for current sessions ........................................................................ 17-9
Terminating user sessions ............................................................................................... 17-10
Displaying reports for all sessions ................................................................................ 17-10
Using scripts to view reports ......................................................................................... 17-11
Viewing statistics ........................................................................................................................ 17-13
Monitoring system and user information ............................................................................. 17-14
Viewing the Access Policy Manager dashboard ......................................................... 17-14
18
Configuring SNMP
Introducing SNMP administration ............................................................................................ 18-1
Reviewing an industry-standard SNMP implementation ............................................ 18-1
Reviewing the Access Policy Manager system SNMP implementation ................... 18-1
Summarizing SNMP configuration on the Access Policy Manager system ............ 18-2
Configuring the SNMP agent ..................................................................................................... 18-3
Configuring client access ................................................................................................... 18-3
Controlling access to SNMP data ................................................................................... 18-5
Configuring traps ................................................................................................................ 18-7
Working with SNMP MIB files .................................................................................................. 18-9
Downloading SNMP MIB files ........................................................................................ 18-10
Understanding the enterprise MIB files ....................................................................... 18-10
Collecting performance data ................................................................................................... 18-14
Collecting data on memory use .................................................................................... 18-15
Collecting data on active connections ......................................................................... 18-15
Collecting data on new connections ............................................................................ 18-16
Collecting data on throughput ....................................................................................... 18-17
A
Configuring BIG-IP Access Policy Manager clients
Understanding the BIG-IP Edge Client ......................................................................................A-1
Introducing BIG-IP Edge Client features .........................................................................A-1
Understanding client components on Windows systems ...........................................A-2
Configuring connectivity profiles ................................................................................................A-4
Understanding connectivity profile compression settings ...........................................A-4
Configuring connectivity profile client settings ..............................................................A-5
Configuring connectivity profile mobile client settings ................................................A-7
Downloading client components .......................................................................................A-8
Customizing client download packages ...........................................................................A-9
Using the component installer package to preinstall client components ..............A-11
Downloading the FullArmor GPAnywhere for VPN component ...........................A-12
Using Macintosh and Linux clients with Access Policy Manager .......................................A-13
Introducing supported network access features .........................................................A-13
Configuring the starting of applications on Macintosh or Linux clients .................A-13
Installing the client on Macintosh and Linux systems .................................................A-14
Establishing client connections ..................................................................................................A-16
Installing the BIG-IP Edge Client for Windows ............................................................A-16
Connecting with the BIG-IP Edge Client .......................................................................A-16
Viewing standalone client traffic and statistics .............................................................A-17
Using the client troubleshooting utility ...................................................................................A-20
B
Access Policy Example
Introducing the example access policy ...................................................................................... B-1
Example: Assigning resource groups based on Active Directory attributes .................... B-2
Configuring resources ......................................................................................................... B-2
Configuring the network access resources .................................................................... B-4
Configuring the access profile, macro, and access policy ............................................ B-6
C
Session Variables
Introducing session variables .......................................................................................................C-1
Introducing Tcl ...............................................................................................................................C-2
Standard operators ...............................................................................................................C-2
Session variables reference ..........................................................................................................C-4
Special purpose user session variables .......................................................................... C-12
Network access resource variable attributes ...................................................................... C-14
D
Using Access iRule Events
Introducing iRules ..........................................................................................................................D-1
What is an iRule? ..................................................................................................................D-1
Basic iRule elements .............................................................................................................D-2
Understanding ACCESS iRules ...................................................................................................D-4
ACCESS_SESSION_STARTED ..........................................................................................D-4
ACCESS_POLICY_COMPLETED .....................................................................................D-5
ACCESS_ACL_ALLOWED ................................................................................................D-5
ACCESS_ACL_DENIED .....................................................................................................D-5
Using ACCESS_ACL_DENIED ..........................................................................................D-5
ACCESS_SESSION_CLOSED ............................................................................................D-6
ACCESS_POLICY_AGENT_EVENT ................................................................................D-6
Understanding ACCESS iRule Commands ...............................................................................D-7
ACCESS::disable ....................................................................................................................D-7
ACCESS::session commands ..............................................................................................D-7
ACCESS::policy commands .................................................................................................D-8
E
Troubleshooting
Introducing troubleshooting .........................................................................................................E-1
Example: Changing log levels ........................................................................................................E-1
Example: Understanding log messages for endpoint security check failures ....................E-2
Example: Understanding log messages for authentication failures ......................................E-4
Example: Using the adminreporting utility ................................................................................E-5
Example: Understanding the logging action utility in the visual policy editor ...................E-6
Example: Viewing logging history ................................................................................................E-7
Introducing Access Policy Manager log messages ...................................................................E-8
Introducing Kerberos error messages .................................................................................... E-21
Glossary
Index
1
Introducing BIG-IP Access Policy Manager
1-2
Introducing BIG-IP Access Policy Manager
You use each type of access for a different system scenario. Access Policy
Manager provides a set of objects that you can define to provide access to
your users through different access methods. You configure Access Policy
Manager connections differently for each access type. On the next page,
Figure 1.1 shows the configuration of an Access Policy Manager access
type. Each access type has common elements and differences. The following
table lists the configuration elements that you use to configure each access
policy type.
Configuration element   Network access                             Web applications                             Web application access management
Virtual server          Created specifically for network access    Created specifically for web applications    Can use an existing local traffic manager virtual
                                                                                                                server, or create a specific one with the wizard
Connectivity profile    Yes                                        No                                           No

Table 1.1 Configuration elements for Access Policy Manager access types
Figure 1.1 shows the configuration flow for the three types of access on
Access Policy Manager.
A client system can connect using only one of these configuration types at a
time. However, you can configure multiple access types, and Access Policy
Manager can dynamically determine which access type to provide during the
access policy process, after the session starts.
The following sections describe each access type and scenario.
The objects that define this simple network access scenario are related as
shown in Figure 1.2, following.
The access policy for this scenario is very simple, and contains only one
item: a resource assign action that assigns the network access resource, the
network access webtop, and any ACLs. The access policy is shown in
Figure 1.3. An example resource assign action for this policy is shown in
Figure 1.4.
Figure 1.4 Resource assign action configured for network access and an ACL
• an access profile and an access policy that assigns the web applications
resource and the web applications webtop
• a virtual server that specifies particular web applications settings,
including the rewrite profile and the access profile
The objects that define this simple web applications scenario are related as
shown in Figure 1.5.
The access policy for this scenario is very simple, and contains only one
item: a resource assign action that assigns the web applications resource and
the web applications webtop. This access policy, as it appears in the visual
policy editor, is shown in the Figure 1.6. An example resource assign action
for this policy is shown in Figure 1.7.
Figure 1.7 Resource assign action configured for web applications and an ACL
The access policy for this scenario contains a start point, a resource assign
action, and an allow ending. You assign one or more ACLs to the access
policy with the resource assign action, and by doing so you control access to
the local traffic management virtual server. For a web application access
management connection, no network access or web applications resource is
assigned, and no webtop is assigned. This access policy appears in the visual
policy editor as shown in Figure 1.9. An example resource assign action for
this policy, with only an ACL assigned, is shown in Figure 1.10.
Figure 1.9 Basic web application access management policy with ACLs
Figure 1.10 Resource assign action for web application access management, configured for an ACL only
The basic access policy in Figure 1.11 includes actions that have successful
and fallback rule branches (Antivirus Check, Firewall Check, Active
Directory authentication), and actions that have single rule branches
(Logon Page and Resource Assign).
You select an access profile in a virtual server definition, and the access
policy associated with that access profile starts when a client connects to the
virtual server. Access Policy Manager creates a blank access policy for
every access profile. You can configure the access policy to dynamically
assign objects to the user when the session starts, to determine the resources
a user connects to, and to perform authentication and check client integrity.
You can add logic and functionality to the access policy using configurable
access policy items, and configure branches that change the flow of the
policy. You can specify a web application or network access resource and
webtop for the user as well.
For more information on access policy structure and configuration, see
Chapter 6, Understanding Access Policies, and Chapter 7, Creating Access
Profiles and Access Policies.
Figure 1.12 Simple access policy for web application access management
Note
The system includes online help for every screen in the wizard. To view the
online help, click the Help tab in the navigation pane.
Table 1.2 Properties and Operations table listing the version number
2
Configuring Network Access
2-2
Configuring Network Access
Once the client gets an IP address, that IP address is typically what the
end device sees. For example, if a network access client is dynamically
assigned the address 10.1.1.1 from the lease pool and the SNAT Pool
setting is None, then when the user connects to an internal server, the
source address seen by the internal server is 10.1.1.1.
In the same situation, if the SNAT Pool setting is Automap, the address
seen by the internal server is the internal address of the Access Policy
Manager. For many client-server applications, SNAT Automap is
adequate. However, it is not supported by Microsoft® networking, and
SNAT automapping may not be sufficient for network access
connections with large numbers of client users.
For these more advanced situations, you can create an SNAT pool, then
select the name of the SNAT pool from SNAT Pool list.
• By default, SNAT automapping is enabled. With SNAT Automapping
enabled, active FTP connections fail, so you can only use passive
FTP. To use active FTP, you must use a routed configuration.
• If you select None, make sure that your back-end servers are
configured to route responses back to the device. If you must use
active FTP, set the SNAT Pool option to None.
For more information on SNAT Automapping, see the Configuration
Guide for BIG-IP® Local Traffic Manager™.
• Session Update Threshold
Defines the average byte rate that either ingress or egress tunnel traffic
must exceed, in order for the tunnel to update a session. If the average
byte rate falls below the specified threshold, the system applies the
inactivity timeout, which is defined in the Access Profile, to the session.
• Session Update Window
Defines the value that the system uses to calculate the EMA (Exponential
Moving Average) byte rate of ingress and egress tunnel traffic.
the Access Policy Manager directs all other traffic out of the local
network connection. You can configure the LAN address space, the DNS
address space, and the Exclude address space (in Advanced mode only),
when you enable split tunneling.
• LAN address space
Provides a list of addresses or address/mask pairs describing the target
LAN. When you use split tunneling, only the traffic to these addresses
and network segments goes through the tunnel configured for network
access. You can add multiple address spaces and network masks to
the list in their respective boxes, one at a time.
• DNS address space
Provides a list of names describing the target LAN DNS addresses.
This box appears only if you use split tunneling.
You can add multiple address spaces to the list, one at a time.
• Exclude address space
Specifies addresses for traffic that is not forced through the tunnel,
when you use split tunneling. Use this to exclude an address or range
of addresses from the LAN address space.
◆ Force all traffic through tunnel
Routes all traffic (including traffic to the local subnet) through the
tunnel. In this case, there is no local subnet. Users cannot access local
resources, such as their printers at home, until they disconnect from
network access. This is useful if you want to limit access to certain sites
while the user is connected through the network access connection.
◆ Allow Local Subnet
Check this box to permit local subnet access and local access to any host
or subnet in routes that you have specified in the client routing table. If
you select this option, clients cannot use the integrated IP filtering
engine.
◆ Client Side Security
Use these settings to configure options for the client on the tunneled
network. The settings available are:
• Prohibit routing table changes during Network Access connection
This option terminates client connections when the client’s IP routing
table changes during a network access session.
• Integrated IP filtering engine
Select this option to protect the VPN from outside traffic (traffic
generated by other devices on the client's LAN) and to ensure that
VPN traffic does not leak onto the client's LAN.
• Allow access to local DHCP server
Check this box if you want to allow clients to obtain renewed IP
addresses from their local DHCP servers when their DHCP leases
expire. This is used when the option Integrated IP filtering engine is
enabled.
◆ Client Traffic Classifier
Specifies a client traffic classifier to perform client traffic control. For
more information, see Configuring traffic control, on page 2-15.
◆ Client Options
Use these settings to configure Microsoft Networking options for the
client.
• Client for Microsoft Networks
Select this option to allow the client PC to access remote resources
over a VPN connection. For example, the user can access shared
network drives on the remote network.
• File and printer sharing for Microsoft Networks
Select this option to allow remote hosts to access shared resources on
the client system over the VPN connection. For example, users on the
remote network can access files on the client’s computer.
◆ Provide client certificate on Network Access connection when
requested
If a client certificate is required to establish the SSL connection, this
option must always be enabled. You can disable this option only if client
certificates are merely requested, not required, during the SSL session.
If a client certificate is requested but not required to establish the SSL
connection and this option is disabled, the client is not configured to
send a client certificate.
◆ Reconnect To Domain
Select the check box Synchronize with Active Directory policies on
connection establishment to synchronize the client with the Active
Directory network policies when the connection is established. This
option, when checked, enables a second check box, Execute logoff
scripts on connection termination. Select this check box to run logoff
scripts configured on the Active Directory domain when the connection
is terminated.
◆ Client Interface Speed
Type the interface rate to display for secured client connections. The
default rate is 100000000 bits per second (100 Mbps). The rate you specify
in this box is for display only, and does not affect the actual speed of
the network access connection.
◆ DTLS
Select this option to use Datagram Transport Layer Security (DTLS) with the
network access connection. DTLS uses UDP as the transport to provide better
throughput for latency-sensitive applications such as VoIP or streaming
video, especially over lossy connections. If the UDP port used by DTLS is
blocked by an intermediate firewall or gateway, or is otherwise not
available, the connection automatically falls back to the TLS (SSL)
connection over TCP.
If you enable the DTLS option, you must configure another virtual server
for DTLS with the same IP address as the TCP virtual server to which a
user connects to start the Access Policy Manager session. See Creating a
virtual server for DTLS, on page 14-3, for more information.
• DTLS Port
Type the port number that the network access resource uses for secure
UDP traffic with DTLS. The default port is 4433.
◆ Client proxy settings
Directs network access clients to work through the specified proxy server
on the remote network. This option requires the client computer to have
Internet Explorer 5.0 or later installed. These options are available only
when using the Advanced setting, when you select the Client proxy
settings option.
• Client Proxy Uses HTTP for Proxy Autoconfig Script
Some applications, such as Citrix MetaFrame, cannot use the client
proxy autoconfig script when the browser attempts to use the file://
prefix to locate it. Select this option to specify that the browser use
http:// to locate the proxy autoconfig file, instead of file://.
• Client Proxy Autoconfig Script
Contains the URL of the proxy-autoconfiguration script.
• Client Proxy Address and Client Proxy Port
Contains the address and port number of the proxy server you want
network access clients to use to connect to the Internet.
• Bypass Proxy For Local Addresses
Indicates whether you want to use the proxy server for all local
(intranet) addresses.
• Client Proxy Exclusion List
Contains the web addresses that do not need to be accessed through
the proxy server. You can use wildcard characters to match domain
names, host names, or addresses. For example, you could specify
www.*.com, 128.*, 240.*, *., mygroup.*, *x*, and so on. Add each item
separately.
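Two of the settings in the list above are client-side routing decisions whose precedence is easy to get wrong: which destinations enter the tunnel under the split-tunnelling settings (LAN address space, Exclude address space, Force all traffic through tunnel, Allow Local Subnet), and which hosts bypass the client proxy under Bypass Proxy For Local Addresses and the Client Proxy Exclusion List. The following is an added example, not F5 code, that models both decisions on constructed inputs, including the wildcard list quoted above. It assumes that an Exclude entry takes precedence over the LAN address space, that Allow Local Subnet carves the client's own subnet out of a force-all-traffic resource, that "local address" means a host name containing no dot (as Internet Explorer interprets the same checkbox), and that exclusion entries are shell-style wildcards; the host names and addresses used are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List


def _networks(specs: List[str]):
    # Accept "10.0.0.0/8", "10.0.0.0/255.0.0.0" or a bare host address.
    return [ipaddress.ip_network(s, strict=False) for s in specs]


@dataclass
class NetworkAccessRouting:
    """Split-tunnelling settings from the network access resource."""
    force_all_traffic: bool = False          # "Force all traffic through tunnel"
    allow_local_subnet: bool = False         # "Allow Local Subnet"
    lan_address_space: List[str] = field(default_factory=list)
    exclude_address_space: List[str] = field(default_factory=list)

    def route_for(self, destination: str, client_local_subnet: str) -> str:
        """Return 'tunnel' or 'local' for one destination address."""
        ip = ipaddress.ip_address(destination)
        on_local_subnet = ip in ipaddress.ip_network(client_local_subnet, strict=False)
        if self.force_all_traffic:
            # Everything goes into the tunnel, including the client's own subnet,
            # unless Allow Local Subnet carves that subnet back out (assumption:
            # the two options combine this way).
            if self.allow_local_subnet and on_local_subnet:
                return "local"
            return "tunnel"
        # Split tunnelling: only the LAN address space is tunnelled, and an
        # Exclude entry removes a range from it, so Exclude is checked first.
        if any(ip in net for net in _networks(self.exclude_address_space)):
            return "local"
        if any(ip in net for net in _networks(self.lan_address_space)):
            return "tunnel"
        return "local"


@dataclass
class ClientProxySettings:
    """Client proxy settings from the network access resource."""
    proxy_address: str
    proxy_port: int
    bypass_local: bool = False               # "Bypass Proxy For Local Addresses"
    exclusion_list: List[str] = field(default_factory=list)

    def uses_proxy(self, host: str) -> bool:
        """True if a request for `host` should go through the proxy."""
        host = host.lower()
        # Assumption: "local address" means a plain intranet name with no dot.
        if self.bypass_local and "." not in host:
            return False
        # Assumption: exclusion entries are shell-style wildcards, so "*x*"
        # matches every name containing an x, not just a host named x.
        return not any(fnmatchcase(host, p.lower()) for p in self.exclusion_list)


if __name__ == "__main__":
    routing = NetworkAccessRouting(
        lan_address_space=["10.0.0.0/8", "192.168.100.0/255.255.255.0"],
        exclude_address_space=["10.200.0.0/16"],
    )
    for dst in ("10.1.1.5", "10.200.3.3", "192.168.100.7", "8.8.8.8"):
        print(dst, routing.route_for(dst, client_local_subnet="192.168.1.0/24"))

    # Constructed proxy name; the exclusion list is the one quoted in the text.
    proxy = ClientProxySettings("proxy.siterequest.com", 8080, bypass_local=True,
                                exclusion_list=["www.*.com", "128.*", "240.*", "*.",
                                                "mygroup.*", "*x*"])
    for host in ("intranet", "www.example.com", "128.1.2.3",
                 "mail.siterequest.com", "box.siterequest.com"):
        print(host, "proxy" if proxy.uses_proxy(host) else "direct")
```

Running it shows why the exclusion list deserves review before deployment: the `*x*` entry from the text sends `box.siterequest.com` direct while `mail.siterequest.com` still goes through the proxy, so a single broad wildcard can silently exempt hosts the administrator never intended to bypass the proxy.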
table and override the configured DNS server, so you should use them
only when you need to augment or override the existing DNS. You can
also use static hosts when the client machine is locked down, and the
DNS relay service is installed, to provide host resolution.
For this file-change operation, users on Windows platforms must have
local administrative rights to modify the hosts file during the connection,
or the administrator must change the attributes of the hosts file to allow
non-administrative modification, or the system must have the DNS Relay
service installed.
Static hosts are supported on Windows clients only.
Important
Drive mapping is supported only for clients with Windows operating
systems.
This example starts the Microsoft Terminal Server client against an internal
terminal server.
• Application Path:
%SystemRoot%\System32\mstsc.exe
• Parameters:
/v:internalterminalserver.siterequest.com /f
3
Configuring Web Applications
Figure 3.1 The web applications functionality of the Access Policy Manager
Note
In minimal patching mode, if your web application sets cookies, the cookie
domain must match the virtual server domain.
Note
If your web application does not use SSL, do not configure the virtual server
with the Server SSL profile serverssl.
when accessing pages that contain large Java classes or other large
elements (images, scripts, and so on), but not when accessing pages that
reference Java packages (.jar files), class archives (.zip files), or
compressed images (.jpg, .png, and Compressed TIFF files).
For iNotes and other Java-based web mail packages, enabling
compression vastly improves the speed in which pages are loaded.
Note
In any caching scenario, Access Policy Manager caches only those objects
that the remote server designates can be cached.
• Default - Takes the client cache settings from the rewrite profile. In the
rewrite profile, you can specify a client caching option - CSS and
JavaScript, CSS, Images and JavaScript, No Cache or Cache All. If
you configure a client cache setting other than Default in the web
application resource item, that setting overrides the cache setting in the
rewrite profile.
• Cache All - Caches everything that can be cached, including CSS,
images, JavaScript, and XML. Provides the fastest client performance
and the lowest security.
To allow your clients to download and save attachments, use the Cache
All setting.
For example, to make sure Outlook Web Access 2007 attachments can
be downloaded, configure the web application resource URI
/owa/attachment* with the Cache All setting.
• No Cache - Caches nothing. This provides the slowest client
performance and is the most secure.
Some of your custom web applications work through the web applications
feature without any changes to the applications themselves.
If a specific web application requires additional configuration to work
through web applications, you can generally use Network Access instead.
Network Access provides a direct connection to the internal network, and
does not require proxy-based changes or modification of web application
content. If neither web applications nor Network Access solves the
access issue, you can try the minimal patching feature. For more
information about this feature, see Understanding minimal patching mode,
on page 3-3.
13. From the Client Cache list, select the client caching option.
See Understanding web application caching, on page 3-5, for more
information.
14. If you are using an SSO configuration for Single Sign On, from the
SSO Configuration list, select the SSO configuration.
15. Select whether to enable the Session Update and Home Tab
options with the associated check boxes.
16. From the Log list, select the logging level.
17. When you are finished, click Update.
The Web Application Properties screen opens.
4
Configuring Web Application Access
Management
Note
Currently, you can configure access only to web applications with web
application access management.
Important
When you create an access policy, the policy cannot include a network
access or web applications resource or webtop.
To select a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
click Virtual Servers.
The Virtual Server List screen opens
2. Click the name of the virtual server.
The Virtual Server Properties screen opens.
3. Click the Resources tab.
4. From the Default Pool list, select the local traffic pool.
5. Click Update.
5
Configuring Resources
• Understanding resources
• Using webtops
Understanding resources
With BIG-IP® Access Policy Manager®, you use resources to provide secure
connection functionality to users. With Access Policy Manager, you
configure a resource to allow access to a web application or a network
access connection, or you configure an access control list to allow or deny
access to clients with a network access, web applications, or web application
access management access policies.
You use access control lists (ACLs), network access or web applications
resources, and webtops to provide functionality to clients. For a web
application access management policy, you can assign ACLs, but you
cannot assign any other resources. You use ACLs to define allowed and
disallowed networks, hosts, and protocols for users. With web applications
access policies, you use webtops to provide a web page with useful links to
users who connect. You assign ACLs and webtops dynamically in an access
policy, using the resource assign action.
A network access resource represents a single secure connection that
provides an on-network type of experience to an end user. You can define
many network access resources on the Access Policy Manager, but each
connection uses only one network access resource. To connect a user
securely with a network access connection, you must assign a network
access resource to an access policy and a network access webtop, using the
resource assign action. A network access connection does not manipulate or
analyze the content being passed between the client and the internal
network.
A web application resource provides web browser access to one or more
specific internal web applications. With web applications, the Access Policy
Manager communicates with back-end servers, and rewrites the links in the
response so that all the links in the response content specify the virtual
server as the host. This method of access differs from a connection
configured for network access, which provides a secured tunnel from the
client to the internal network.
In this chapter you can learn how to use ACLs and webtops. To configure
network access resources, see Chapter 2, Configuring Network Access. To
configure web applications, see Chapter 3, Configuring Web Applications.
To configure web application access management, see Chapter 4,
Configuring Web Application Access Management.
Note
ACLs are not enforced on network traffic initiated from the server. Use
SNAT automap or SNAT pool options in the network access configuration if
you do not want servers to be able to initiate a connection to any client.
12. For the Source Port setting, select Port or Port Range.
This setting specifies whether the access control list entry applies to
a single port or a range of ports.
13. In the Port box or the Start Port and End Port boxes, specify the
port or port ranges to which the access control list entry applies.
To simplify this choice, you can select from the list of common
applications, to the right of the Port box, to add the typical port or
ports for that protocol.
14. In the Destination IP Address box, type the IP address to which the
ACL controls access.
15. In the Destination Mask box, type the network mask for the
destination IP address.
16. For the Destination Ports setting, select Port or Port Range.
This setting specifies whether the access control list entry applies to
a single port or a range of ports.
17. In the Port box or the Start Port and End Port boxes, specify the
port or port ranges to which the access control list entry applies.
To simplify this choice, you can select from the list of common
applications, to the right of the Port box, to add the typical port or
ports for that protocol.
18. From the Scheme list, select the URI scheme for the ACL entry.
You can select http, https, or any.
Any matches either HTTP or HTTPS traffic.
19. In the Host Name box, type a host to which the ACL applies.
The Host Name box supports shell glob matching. For example,
you can use the asterisk wildcard (*) to search for zero or more
characters, and the question mark wildcard (?) to search for a single
character. For example, the host entry *.siterequest.com matches
siterequest.com with any prefix. This entry matches
www.siterequest.com, mail.siterequest.com,
finance.siterequest.com, and any others with the same pattern.
The ? matches only the single character represented by the question
mark, so n?t.siterequest.com matches the hosts
net.siterequest.com and not.siterequest.com, but not
neet.siterequest.com, nt.siterequest.com, or
note.siterequest.com.
20. In the Paths box, type the path or paths to which the ACL applies.
You can separate multiple paths with spaces, for example,
/news /finance. The Paths box supports shell glob matching. You
can use the wildcard characters * and question marks (?) to
represent single or multiple characters. You can also type a specific
URI, for example, /finance/content/earnings.asp, or a specific
extension, for example, *.jsp.
21. From the Protocol list, select the protocol to which the ACL
applies.
22. From the Log list, select the log level for this access control entry.
When events of this type occur, the server records a log message.
Options are:
• None - log nothing.
• Packet - log the matched packet.
23. Click Finished.
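The shell-glob rules for the Host Name and Paths boxes above, and the wildcard list of the Client Proxy Exclusion List setting in Chapter 2, as an added Python example that is not F5's code. The entry fields, the first-match-wins order, the "reject" default for unmatched requests and the case-insensitive host comparison are this example's own assumptions, not documented Access Policy Manager behaviour.

```python
import fnmatch
from dataclasses import dataclass
from typing import List


@dataclass
class L7AclEntry:
    """One Layer 7 ACL entry as configured in the screen described above.
    Field names are this example's own; 'action' is assumed to be
    'allow' or 'reject'."""
    action: str
    scheme: str = "any"      # http, https or any
    host: str = "*"          # shell glob on the host name
    paths: str = "*"         # space-separated shell globs on the path
    log: str = "none"        # none or packet


def glob_match(pattern: str, value: str) -> bool:
    """Shell-glob match: '*' matches zero or more characters and '?' exactly
    one. fnmatch lets '*' cross '.' and '/', which is how the manual's
    examples (*.siterequest.com, *.jsp) behave."""
    return fnmatch.fnmatchcase(value, pattern)


def entry_matches(entry: L7AclEntry, scheme: str, host: str, path: str) -> bool:
    if entry.scheme != "any" and entry.scheme != scheme:
        return False
    # Host names are compared case-insensitively (assumption of this example).
    if not glob_match(entry.host.lower(), host.lower()):
        return False
    # Any one of the space-separated path globs is enough.
    return any(glob_match(p, path) for p in entry.paths.split())


def evaluate_acl(acl: List[L7AclEntry], scheme: str, host: str, path: str,
                 default: str = "reject") -> str:
    """First matching entry wins; a request matching no entry gets `default`.
    Both are assumptions of this example."""
    for entry in acl:
        if entry_matches(entry, scheme, host, path):
            return entry.action
    return default


def bypass_proxy(host: str, exclusions: List[str]) -> bool:
    """Client Proxy Exclusion List check: a host matching any wildcard entry
    is reached directly instead of through the proxy."""
    return any(glob_match(pat.strip(), host) for pat in exclusions)


# Constructed sample ACL: block the admin area everywhere, allow the public
# areas over HTTPS only, and let the n?t hosts through on any scheme.
SAMPLE_ACL = [
    L7AclEntry("reject", scheme="any", host="*.siterequest.com",
               paths="/admin /admin/*", log="packet"),
    L7AclEntry("allow", scheme="https", host="*.siterequest.com",
               paths="/news /finance /finance/* *.jsp"),
    L7AclEntry("allow", scheme="any", host="n?t.siterequest.com", paths="*"),
]

# Constructed exclusion list using the wildcard forms the manual lists.
SAMPLE_EXCLUSIONS = ["www.*.com", "128.*", "240.*", "mygroup.*", "*x*"]
```

Because `*` crosses dots, `*.siterequest.com` matches any prefix but not the bare `siterequest.com`, and a request to `finance.siterequest.com` over plain HTTP falls through the HTTPS-only entry to the default.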
Using webtops
When a user is allowed access by an access policy, that user is typically
assigned a webtop. A webtop is the successful end point for a web
applications or network access connection. A web applications webtop also
provides a customizable screen for the user that includes links for working
with the web applications, and displays messages relating to the connection.
You assign a webtop to the user session in a resource assign action in the
access policy. Make sure that you assign the correct webtop type; a network
access webtop must be assigned with a network access resource, and a web
applications webtop must be assigned with a web applications resource.
Many settings for the webtop can be customized. To customize webtop
settings, see Customizing a webtop, on page 15-14.
To create a webtop
1. On the Main tab of the navigation pane, expand Access Policy, then
click Webtops.
The Webtop List screen opens.
2. Click Create.
The New Webtop screen opens.
3. In the Name box, type the name for the webtop.
4. From the Type list, select whether the webtop is a network access or
a web applications webtop.
If you selected a network access webtop, select whether to
automatically minimize the webtop to the system tray, by selecting
or clearing the Minimize To Tray check box.
If you selected a web applications webtop, in the Web Application
start URI box, type the URI for the web application.
5. Click Finished to complete the configuration.
To assign a webtop
1. On the Main tab of the navigation pane, expand Access Policy, then
click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click
Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab,
depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign (+) to
add an action.
The Add Item popup screen opens.
4. If general purpose actions are not expanded, click the plus sign
(+) next to General Purpose.
5. Select Resource Assign, and click Add Item.
The Resource Assign action popup screen opens.
6
Understanding Access Policies
Figure 6.2 Two actions, one unconfigured, in the visual policy editor
General Purpose
• Logon Page - Adds a logon page to the access policy. You can customize
the messages and link text on the logon page, and create custom messages
for different languages.
• External Logon Page - Adds an external logon page to the access policy.
Used with an external logon server like CSE's SECUREMATRIX®.
• Virtual Keyboard - Displays a virtual keyboard on the logon screen when
the user clicks in the Password box.
• SSO Credential Mapping - Configures credential caching to use with
single sign-on (SSO) for web applications.
• Message Box - Adds a message box that can be used to post a message to
the user.
• Decision Box - Adds a decision box that provides two options for the
access policy.
• Empty - A blank action from which you can create your own action.
• Client Cert Inspection - If the Client SSL profile is configured to
request the client certificate during the SSL handshake, checks the
client certificate received during the SSL handshake.
• On-Demand Cert Auth - Prompts users for a client certificate if they
take a certain branch in the access policy.
Client Side Checks
• Antivirus Check - Checks for antivirus software on the client computer.
Can check for antivirus software on Windows, Mac OS, and Linux clients.
• Firewall Check - Checks for firewall software on the client computer.
Can check for firewall software on Windows, Mac OS, and Linux clients.
• (Windows, Linux, Mac) File Check - Checks for a specific file on the
client computer. File check is available as three different actions for
Windows, Mac OS, and Linux computers.
• Windows Info - Checks for the version of Windows and for Windows
updates on the client computer.
• (Windows, Linux, Mac) Process Check - Checks for running processes on
the client computer. Process check is available as three different
actions for Windows, Mac OS, and Linux computers.
Client Side Actions
• Cache and Session Control - Cleans and removes browser cache, and
optionally cleans form entries, passwords, dial-up entries, and sets
timeouts for the access policy.
Server Side Checks
• UI Mode - Detects the browser or client type the client is using. This
provides three rule branches in your access policy:
Full Browser - The rule branch the access policy takes if the client is
using a web browser, or the BIG-IP® Edge Client®.
Standalone Client - The rule branch the access policy takes if the
client is using a standalone legacy SSL VPN client. This rule branch is
used only if the standalone client is running in Legacy Mode. If the
BIG-IP Edge Client is used, the Full Browser rule branch is matched.
Fallback - The rule branch the access policy takes if the client is not
using one of the listed clients.
• Client-Side Check Capability - Checks whether the client supports
JavaScript and supports either ActiveX controls or Netscape plug-ins. If
a client can support JavaScript and one of these control types, it can
run client-side checks. See Preparing for clients that cannot use client
checks, on page 10-1.
• Landing URI - Checks the landing URI that the client has used to start
the current session.
Viewing rules
To view a predefined branch rule, you must first add an action to the access
policy. The following example describes how to add a predefined action
(client cert result) to an access policy, then how to view the underlying rule.
Note
You cannot view the predefined branch rules for every action.
Predefined rules
When you configure an action, it creates a predefined rule. To further refine
or customize a rule, you can use the expression builder to build a rule from a
list of agents and conditions.
You can edit a rule on the Rules tab by clicking change. You can edit rules
in a rule builder on the Simple tab. You use this rule builder to choose from
a simplified set of rules and automatically compile the Tcl syntax. You can
also use the Advanced tab to edit the rule directly, using Tcl. Visual
examples of the two editing methods are shown in Figure 6.5.
Macro definitions, macro terminals, and macrocalls are defined for each
access policy. Macros you create in one policy do not appear, and cannot be
used, in another access policy.
Unlike other access policy actions, when you click a macrocall in the access
policy, the macro definition is displayed below the access policy in the
macros section, and not in a popup screen, as shown in Figure 6.8.
To make macros easier to use, you can assign the macro terminals
descriptive names and specific colors with the visual policy editor. When
you add a macro to your access policy, the terminals from the macro become
branches, and the branches take the names of their terminals.
For example, you can configure a macro with four terminals:
• AV success
• AV failure
• File check success
• File check failure
After you add the macrocall to your access policy, the macrocall appears as
a single access policy item, with four terminals that appear as four branches,
named for the terminals. See Figure 6.9.
Note
You can make changes to the actions in a macro after you have added the
macrocall to an access policy. However, you cannot delete terminals after a
macrocall has been added to an access policy or another macro. For this
reason, we recommend that you configure macro terminals before you add a
macrocall to the access policy.
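How a macro's terminals turn into the named branches of a macrocall, and why terminals cannot be deleted once a macrocall exists, as an added Python model that is not F5's code. The four terminals are the ones from the example above; the check predicates, the client-state dictionary, the `Allow`/`Deny` endings and the "refuse deletion while in use" rule are this example's own constructions, not the visual policy editor's implementation.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ClientState = Dict[str, bool]  # constructed client facts, e.g. {"antivirus": True}


@dataclass
class Check:
    """One action inside a macro. Each outcome names either another check
    (a key in Macro.checks) or one of the macro's terminals."""
    name: str
    predicate: Callable[[ClientState], bool]
    on_pass: str
    on_fail: str


@dataclass
class Macro:
    name: str
    terminals: List[str]
    checks: Dict[str, Check]
    start: str
    callers: int = 0  # number of macrocalls that reference this macro

    def run(self, client: ClientState) -> str:
        """Walk the checks from `start` until an outcome names a terminal."""
        node = self.start
        for _ in range(len(self.checks) + 1):  # bounded walk; no cycles expected
            chk = self.checks[node]
            outcome = chk.on_pass if chk.predicate(client) else chk.on_fail
            if outcome in self.terminals:
                return outcome
            node = outcome
        raise RuntimeError(f"macro {self.name!r} did not reach a terminal")

    def delete_terminal(self, terminal: str) -> None:
        """Mirrors the note above: a terminal cannot be deleted once the macro
        is used by a macrocall (modelled here as a plain refusal)."""
        if self.callers:
            raise ValueError(f"macro {self.name!r} is in use; cannot delete {terminal!r}")
        self.terminals.remove(terminal)


@dataclass
class MacroCall:
    """A macrocall in an access policy: every terminal becomes a branch, so
    each terminal must be connected to something (here, an ending)."""
    macro: Macro
    branches: Dict[str, str]  # terminal name -> ending, e.g. "Allow" / "Deny"

    def __post_init__(self) -> None:
        missing = set(self.macro.terminals) - set(self.branches)
        if missing:
            raise ValueError(f"unconnected branches: {sorted(missing)}")
        self.macro.callers += 1

    def evaluate(self, client: ClientState) -> Tuple[str, str]:
        terminal = self.macro.run(client)
        return terminal, self.branches[terminal]


def build_sample_macro() -> Macro:
    """Constructed macro with the four terminals from the example above."""
    return Macro(
        name="Endpoint checks",
        terminals=["AV success", "AV failure", "File check success", "File check failure"],
        checks={
            "av": Check("Antivirus Check", lambda c: c.get("antivirus", False),
                        on_pass="file", on_fail="AV failure"),
            "file": Check("Windows File Check", lambda c: c.get("file", False),
                          on_pass="File check success", on_fail="File check failure"),
        },
        start="av",
    )


def deletion_refused(macro: Macro, terminal: str) -> bool:
    """True if the macro refuses to drop the terminal because it is in use."""
    try:
        macro.delete_terminal(terminal)
    except ValueError:
        return True
    return False
```

In the sample the "AV success" terminal is declared but never reached (a passing antivirus check continues to the file check), yet it still appears as a branch of the macrocall and must be connected; that is the reason the note recommends settling the terminals before adding the macrocall.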
Note
You must assign a valid network access or web application resource and a
webtop for your users, unless you are using the access policy to control
access to a local traffic virtual server, in a web application access
management scenario.
Note
You must type the redirect URL with the leading http:// or https://.
7
Creating Access Profiles and Access Policies
• Configuring macros
After you apply the access policy, the Access Profiles list screen is
displayed.
In the access profile, you can configure the list of accepted languages in
which the Access Policy Manager provides messages and customized
elements. You can also select a default language for the access profile. The
default language is used to provide messages and customized elements to
users whose browsers are not identified with a language that is on the list of
accepted languages.
Though you can specify any custom language strings, most browsers present
standard language strings. To see a list of these language strings, refer to
http://www.iana.org/assignments/language-subtag-registry.
There are several other places in Access Policy Manager where you can
customize settings for different languages. To configure these language
settings, see the following tasks and pages:
• Customizing the Deny access policy ending, on page 7-11
• Customizing access profile languages, on page 7-3
You can also open an access policy from the Access Profiles List screen by
clicking the access profile name, then clicking the Access Policy tab, then
clicking the Edit link.
◆ Add general purpose actions, client side checks, and server side checks,
as needed. For more information, see Adding actions to an access policy,
on page 7-7, Understanding client-side checks, on page 7-13, and
Understanding server-side checks, on page 7-14.
◆ Add authentication. For more information, see Understanding
authentication actions, on page 7-13.
◆ Assign resources. For more information, see Assigning resources, on
page 8-9.
Note that you must assign a resource group that contains a network
access resource, or the access policy will not function.
◆ Finish the access policy. For more information, see Applying an access
policy configuration, on page 7-12.
• Error Title - Specifies the text that indicates that the session could
not start.
• New Session Text - Specifies the text that precedes the link a user
clicks to start a new session.
• New Session Link - Specifies the text label for the hypertext link to
start a new session, such as click here. This link immediately follows
the New Session Text.
• ACL Denied Page Title - Specifies the title text for a page that
appears when access is denied by an ACL.
• ACL Denied Page Reject Message - Specifies the text that appears when
access to a page or site is denied due to an ACL restriction.
• ACL Denied Page Return Link Message - Specifies the link text that the
user can click to return to the previous page. This is displayed when a
user reaches the ACL denied page.
6. Click Save.
Configuring macros
A macro is a group of reusable checks. Using the visual policy editor, you
configure macros in the same way that you configure access policies. The
difference is that you do not configure access policy endings, but instead
you configure terminals for a macro.
To create a macro
1. On the Main tab of the navigation pane, expand Access Policy, then
click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click
Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab,
depending on your browser settings.
3. Click the Add New Macro button.
The Add New Macro popup screen opens.
4. Select the macro template.
The macro templates are described in the Using predefined macro
templates, on page 7-17.
5. In the Name box, type a name for the macro.
This is the name by which the macro appears in the Add Action
popup screen.
6. Click Save.
7. To expand the macro, click the plus sign (+) next to the macro
name.
8. To edit an action, click the action name.
Edits you make to the actions in a macro are applied to the actions
in an access policy, after you add the macrocall to the access policy.
9. Add and remove actions from the macro in the same way you add
and remove actions from access policies.
10. When you finish customizing an action, click Save.
5. To change the color of the ending for better visual clarity in your
access policies, click the Dropper icon, select a color, and click
Update.
6. If you want to set a default terminal, click the Set Default tab, and
select the default terminal.
7. If you want to delete a terminal, click the (x) next to the terminal
name.
To delete a macro
Click the (x) button at the right of the screen next to the macro name. You
can delete a macro only if it is not in use.
Tip
If you open these macro definitions to view them, you can better understand
how the macros are configured. Each macro definition includes instructions
on how to add and open the macro template.
4. To expand the macro, click the (plus) next to the macro name.
5. To edit an action, click the action name.
In the macro display, the action popup screen opens.
• To customize the Active Directory action, see Configuring
Access Policy Manager to access the Active Directory for
authentication, on page 11-33.
• To customize the resource assign action, see Assigning resources,
on page 8-9.
• To customize the logon page action, see To customize the logon
page action, on page 16-2
6. When you finish customizing an action, click Save.
7. To add this macro to the access policy, see To add a macrocall to an
access policy, on page 7-16.
4. To expand the macro, click the (plus) next to the macro name.
5. To edit an action, click the action name.
The action popup screen opens.
• To customize the Active Directory actions, see Configuring
Access Policy Manager to access the Active Directory for
authentication, on page 11-33 and Configuring Access Policy
Manager to access the Active Directory action item for query, on
page 11-35.
• To customize the resource assign action, see Assigning resources,
on page 8-9.
• To customize the logon page action, see To customize the logon
page action, on page 16-2
6. When you finish customizing an action, click Save.
7. To add this macro to the access policy, see To add a macrocall to an
access policy, on page 7-16.
4. To expand the macro, click the (plus) next to the macro name.
5. To edit an action, click the action name.
The action popup screen opens.
• To customize the LDAP action, see Configuring LDAP access
policy action item for authentication, on page 11-23.
• To customize the resource assign action, see Assigning resources,
on page 8-9.
• To customize the logon page action, see To customize the logon
page action, on page 16-2
6. When you finish customizing an action, click Save.
7. To add this macro to the access policy, see To add a macrocall to an
access policy, on page 7-16.
4. To expand the macro, click the (plus) next to the macro name.
5. To edit an action, click the action name.
The action popup screen opens.
• To customize the LDAP actions, see Configuring LDAP query
policy action item, on page 11-26 and Configuring LDAP access
policy action item for authentication, on page 11-23.
• To customize the resource assign action, see Assigning resources,
on page 8-9.
• To customize the logon page action, see To customize the logon
page action, on page 16-2
6. When you finish customizing an action, click Save.
7. To add this macro to the access policy, see To add a macrocall to an
access policy, on page 7-16.
4. To expand the macro, click the (plus) next to the macro name.
5. To edit an action, click the action name.
The action popup screen opens.
• To customize the RADIUS action, see Setting up RADIUS
authentication and authorization access policy action item, on
page 11-9.
• To customize the RADIUS action for authentication with RSA
SecurID over RADIUS, see Configuring RSA SecurID using
RADIUS, on page 11-12.
• To customize the resource assign action, see Assigning resources,
on page 8-9.
• To customize the logon page action, see To customize the logon
page action, on page 16-2
6. When you finish customizing an action, click Save.
7. To add this macro to the access policy, see To add a macrocall to an
access policy, on page 7-16.
4. To expand the macro, click the (plus) next to the macro name.
5. To edit an action, click the action name.
In the macro display, the action popup screen opens.
• To customize the SecurID action, see Setting up RSA Native
SecurID authentication and authorization access policy action
item, on page 11-20.
• To customize the resource assign action, see Assigning resources,
on page 8-9.
• To customize the logon page action, see To customize the logon
page action, on page 16-2
6. When you finish customizing an action, click Save.
7. To add this macro to the access policy, see To add a macrocall to an
access policy, on page 7-16.
4. To expand the macro, click the (plus) next to the macro name.
5. To edit an action, click the action name.
The action popup screen opens.
• To customize the UI Mode action, see Setting up the UI mode
access policy item, on page 10-6.
• To customize the Client OS action, see Setting up the client OS
check, on page 10-2.
• To customize the Windows information action, see Setting up
Windows info action, on page 9-22.
• To customize the antivirus check action, see Checking antivirus
with the antivirus check access policy item, on page 9-2.
• To customize the firewall check action, see Setting up the firewall
check action, on page 9-14.
• To customize logging actions, see Adding access policy logging,
on page 8-16.
6. When you finish customizing an action, click Save.
4. To expand the macro, click the (plus) next to the macro name.
5. To edit an action, click the action name.
The action popup screen opens.
• To customize the Client-Side Check Capability action, see
Setting up the client-side check capability access policy item, on
page 10-9.
• To customize the Client OS action, see Setting up the client OS
check, on page 10-2.
• To customize UI Mode actions, see Setting up the UI mode
access policy item, on page 10-6.
• To customize antivirus check actions, see Checking antivirus
with the antivirus check access policy item, on page 9-2.
• To customize logging actions, see Adding access policy logging,
on page 8-16.
• To customize the protected workspace action, see Setting up the
protected workspace access policy item, on page 9-30.
6. When you finish customizing an action, click Save.
7. To add this macro to the access policy, see To add a macrocall to an
access policy, on page 7-16.
Important
The import prefix you specify must begin with a letter, and the import prefix
name can include only letters, numbers, and the underscore ( _ ) character.
8
Configuring General Purpose Access Policy
Actions
• Message box
Adds a message box that posts a message to the user. To continue, the
user must click a link for which you provide the text. The user then
proceeds on the same rule branch in the access policy.
• Decision box
Adds a decision box that provides two options to the user for the access
policy. You can then configure separate actions on the two branches,
depending on user selections.
• iRule event
Adds an iRule event to the access policy.
• Empty action
Adds a blank action from which you can create your own action.
• Session Variable Name - Specifies the session variable name that the
server uses to store the data typed in the text field. For example, the
session variable username stores the username input omaas as the
session variable string session.logon.last.username=omaas.
• Read Only - Specifies whether the logon page agent is read-only, and
always used in the logon process as specified. You can use this to add
logon POST variables or session variables that you want to submit from
the logon page for every session that uses this access policy. You can use
a read only logon page field to populate a field with a value from a
session variable.
For example, you can use the On-Demand Certificate agent to extract the
CN (typically the user name) field from a certificate, then you can assign
that variable to session.logon.last.username. In the logon page action,
you can specify session.logon.last.username as the session variable for
a read only logon page field that you configure. When Access Policy
Manager displays the logon page, this field is populated with the
information from the certificate CN field (typically the user name).
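The flow just described (certificate CN to session variable to read-only logon field), as an added Python sketch that is not F5's code. It assumes a flat `session.x.y=value` store like the string shown above, a string-form certificate subject standing in for the On-Demand Certificate agent, and the variable name `session.logon.last.password` for the password field; the point it adds is that a read-only field's value comes from the session on the server, not from whatever the client posts.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

Session = Dict[str, str]  # flat store keyed by session variable name


def parse_session_vars(text: str) -> Session:
    """Parse 'session.logon.last.username=omaas'-style lines into a dict."""
    session: Session = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        session[name.strip()] = value.strip()
    return session


def cn_from_subject(subject: str) -> Optional[str]:
    """Pull the CN out of a subject written as 'CN=...,OU=...,O=...'.
    Constructed stand-in for the On-Demand Certificate agent; a real
    deployment takes the CN from the parsed certificate, not a string."""
    for rdn in subject.split(","):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.strip()
    return None


@dataclass
class LogonField:
    name: str             # POST variable name on the logon page
    session_var: str      # session variable that stores the field's value
    read_only: bool = False


def render_logon_page(fields: List[LogonField], session: Session) -> Dict[str, Dict[str, object]]:
    """What the logon page shows: each field is prefilled from its session
    variable, and read-only fields are flagged so the page does not let the
    user edit them."""
    return {
        f.name: {"value": session.get(f.session_var, ""), "read_only": f.read_only}
        for f in fields
    }


def process_logon_post(fields: List[LogonField], session: Session,
                       posted: Dict[str, str]) -> Session:
    """Server-side handling of the POST: a read-only field is 'always used as
    specified', so the value already in the session is kept regardless of what
    the client posted; editable fields take the posted value."""
    updated = dict(session)
    for f in fields:
        if f.read_only:
            updated[f.session_var] = session.get(f.session_var, "")
        else:
            updated[f.session_var] = posted.get(f.name, "")
    return updated


# Constructed logon page: username is read-only and comes from the session.
LOGON_FIELDS = [
    LogonField("username", "session.logon.last.username", read_only=True),
    LogonField("password", "session.logon.last.password"),
]


def logon_flow(cert_subject: str, posted: Dict[str, str]) -> Session:
    """End-to-end: certificate CN -> session variable -> read-only username
    field -> POST processed. Returns the session after logon."""
    session: Session = {}
    cn = cn_from_subject(cert_subject)
    if cn:
        session["session.logon.last.username"] = cn
    render_logon_page(LOGON_FIELDS, session)  # page shows the CN, not editable
    return process_logon_post(LOGON_FIELDS, session, posted)
```

A client that rewrites the read-only field in its POST (for example sending `username=admin`) still ends up with the certificate CN in `session.logon.last.username`, which is what makes the read-only option useful for binding the logon to the certificate rather than to user input.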
Figure 8.1 shows some items that can be customized with the logon page
action.
Figure 8.1 Items that you can customize with the logon page action
2. In the profile list, find the access policy you want to edit, then click
Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab,
depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign (+) to
add an action.
The Add Item popup screen opens.
4. If general purpose actions are not expanded, click the plus sign
(+) next to General Purpose.
5. Select Logon Page and click Add Item.
The Logon page action popup screen opens.
6. In the Logon Page Agent section, enable the fields you want to
display on the logon page.
By default, a text field for user name, and a password field for the
password are enabled and displayed. You can specify up to three
more fields to display, or customize the ones enabled.
7. From the Language list, select the language for which you want to
customize messages.
The four default languages include English (en), Japanese (ja),
simplified Chinese (zh-tw), and traditional Chinese (zh-cn). You
can specify more languages in the Access Profile properties
Language Settings section.
8. Customize the logon page elements:
• Form Header Text
Specifies the text that appears at the top of the logon box.
• Logon Page Input Field # (1-5)
Specifies the text that is displayed on the logon page for each of the
logon page agents defined in the Logon Page Agent screen area.
• Save Password Checkbox
Specifies the text that appears adjacent to the check box that
allows users to save their passwords in the logon form. This field
is used only in the secure access client, and not in the web client.
• Logon Button
Specifies the text that appears on the logon button, which a user
clicks to post the defined logon agents.
• Front Image
Specifies an image file to display on the logon page.
Click Browse to select a file from the file system. Click Show
image or Hide Image to show or hide the currently selected
image file. Click Revert to Default Image to discard any
customization and use the default logon page image.
• New Password Prompt
Specifies the prompt displayed when a new Active Directory
password is requested.
<html>
<body>
<!-- The form action is left empty here; the script below sets it before submitting. -->
<FORM name=external_data_post_cls method=post action="">
<input type=hidden name=client_data value="SecurityDevice">
<input type=hidden name=post_url value="https://IP_address_of_virtual/my.policy">
</FORM>
<script>
document.external_data_post_cls.action = unescape("https://external_server_IP_address/loginform2.1.php");
document.external_data_post_cls.submit();
</script>
</body>
</html>
Figure 8.3 External logon page request to Access Policy Manager virtual server
Assigning resources
You assign access control lists, a network access or web application
resource, and a webtop to the access policy. Each of these resources
contains configuration items. You must assign a network access or web
applications resource for a working network access connection or web
applications access policy. You can also assign webtops for network access
or web applications with the resource assign action. For a web application
access management connection, you do not assign a resource or a webtop.
You assign ACLs to all access types with the resource assign action.
Assigning variables
You use the variable assign action to assign a configuration variable, a
predefined session variable, or a custom variable to an AAA server
attribute or to a custom expression. This allows you, for example, to assign
a custom lease pool for a network access resource, based on the path taken
through the access policy.
After the procedure for how to use the variable assign action, this section
includes two simple examples. For an example scenario that uses the
variable assign action with a Tcl expression to provide more advanced
functionality, see Using advanced access policy rules, on page 16-17.
For a list of the configuration variables you can assign with the variable
assign action, and the accepted formats for replacement values, see Network
access resource variable attributes, on page C-14.
Note
To use this example, you must have a lease pool defined on the Access
Policy Manager, and the name of that lease pool must be defined as the user
attribute, myAttribute, on the Active Directory server.
When a user reaches this action in the access policy, Access Policy Manager
gets the value for myAttribute from the user’s AAA attributes, and replaces
the lease pool defined in the network access resource with this value.
When a user reaches this action in the access policy, Access Policy Manager
evaluates the custom expression, in this case, a simple string with the lease
pool name, and replaces the lease pool defined in the network access
resource with this value.
2. In the profile list, find the access policy you want to edit, then click
Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab,
depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign ( ) to
add an action.
The Add Item popup screen opens.
Note: Add the virtual keyboard action before the logon page action with
which you want the virtual keyboard to be used.
4. If general purpose actions are not expanded, click the plus sign
( ) next to General Purpose.
5. Select Virtual keyboard and click Add Item.
The Virtual keyboard action popup screen opens.
6. From the Virtual Keyboard list, select Enabled to enable the
virtual keyboard, or Disabled to disable the virtual keyboard.
7. From the Move Keyboard After Every Keystroke list, select
Enabled to move the virtual keyboard after each keystroke the user
clicks, or Disabled to leave the virtual keyboard in place after each
keystroke.
This option can further obscure the password that the user types with the
virtual keyboard.
8. From the Allow Manual Input list, select Enabled to allow the
user to type the password with the physical keyboard or the virtual
keyboard. Select Disabled to allow the user to type the password
only with the virtual keyboard.
9. Click Save when the fields are customized.
• Username from logon page - Retrieves and caches the user name that is
entered on the secure access logon page.
• sAMAccountName from Active Directory - Looks up the user’s value
for sAMAccountName in Active Directory, retrieves the value, and
caches it for use as the user name.
• sAMAccountName from LDAP Directory - Looks up the user’s value
for sAMAccountName in the LDAP Directory, retrieves the value, and
caches it for use as the user name. This can only be used when the
session is configured to access Active Directory over LDAP.
• Custom - Allows you to retrieve a custom value from a session variable.
To add a message
1. On the Main tab of the navigation pane, expand Access Policy, then
click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click
Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab,
depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign ( ) to
add an action.
The Add Item popup screen opens.
4. If general purpose actions are not expanded, click the plus sign
( ) next to General Purpose.
5. Select Message Box and click Add Item.
The Message Box action popup screen opens.
6. From the Language list, select the language for the message.
7. In the Message box, type the message to the user. You can use
HTML tags for formatting, as in the example:
<font color=red> Please click the link below to continue. </font>
8. In the Link box, type the text that the user must click to continue.
This text appears as a link the user can click to continue.
9. Click Save.
For a list of supported iRule events, see Appendix D, Using Access iRule
Events.
Note
iRule event access policy items must be processed and completed before the
access policy can continue.
9
Configuring Client-Side Checks and Client Side Actions
Note
This is not a complete example. For the example to work, you must assign
an Allow ending to successful branches. You can assign a network access or
web applications resource using the resource assign action, along with
associated webtops. For a web application access management connection,
you need not assign resources. This example is configured starting with an
empty access policy.
4. If client-side check actions are not expanded, click the plus sign
( ) next to Client Side Checks.
5. Select Antivirus Check and click Add Item to add the action to the
access policy.
The Antivirus Check action popup screen opens.
6. Configure McAfee for Windows:
a) From the Antivirus ID list, select [win/mac/linux] McAfee, Inc.
b) From the State list, select Enabled.
c) In the DB Age Not Older Than (days) box, type 7.
7. Click Add new entry to add an antivirus entry to the action.
Note that new entries are added above previously configured
entries, by default.
8. Configure Symantec for Macintosh:
a) From the Antivirus ID list, select [mac] Symantec Corp.
b) From the State list, select Enabled.
c) In the DB Age Not Older Than (days) box, type 7.
9. Click Add new entry to add an antivirus entry to the action.
Note that new entries are added above previously configured
entries, by default.
10. Configure Symantec for Linux:
a) From the Antivirus ID list, select [win/linux] Symantec Corp.
b) From the State list, select Enabled.
c) In the DB Age Not Older Than (days) box, type 7.
The configured action appears as shown in Figure 9.1.
11. Click Save to save the access policy.
Checking for a file with the file check access policy item
Add a file check action to an access policy in a situation where verifying the
presence of a certain file can increase confidence in the security of the client
system.
Note
This is not a complete example. For the example to work, you must assign
an Allow ending to successful branches. You can assign a network access or
web applications resource using the resource assign action, along with
associated webtops. For a web application access management connection,
you need not assign resources. This example is configured starting with an
empty access policy.
Note that the order of RDNs is the same as is displayed; the required
separator is a comma ( , ). Subcases for regex extraction follow:
Note
This is not a complete example. For the example to work, you must assign
an Allow ending to successful branches. You can assign a network access or
web applications resource using the resource assign action, along with
associated webtops. For a web application access management connection,
you need not assign resources. This example is configured starting with an
empty access policy.
Note
This is not a complete example. For the example to work, you must assign
an Allow ending to successful branches. You can assign a network access or
web applications resource using the resource assign action, along with
associated webtops. For a web application access management connection,
you need not assign resources. This example is configured starting with an
empty access policy.
Note
This is not a complete example. For the example to work, you must assign
an Allow ending to successful branches. You can assign a network access or
web applications resource using the resource assign action, along with
Expression syntax
Syntax for registry checker expressions is as follows:
"key" comparison_operator data
"key" ISPR
"key"."value" comparison_operator data
"key"."value" ISPR
• "key"
Represents a path in the Windows registry.
• "value"
Represents the name of the value.
• comparison_operator
Represents one of the comparison operators (< <= > >= != =) or
ISPR. ISPR is used to verify that a key or value is present.
For equality use =. The operator == is not valid here.
• data
Represents the content to compare against.
Note
Quotation marks (") are required around key and value arguments.
Quotation marks are used in data if the content contains spaces, commas,
slashes, tabs, or other delimiters. If quotation marks exist as part of the
registry path or value name, they should be doubled (use two sets of
quotation marks). data is treated as a version number if it is entered in the
format "d.d[.d][.d]" or "d,d[,d][,d]" (where d is a number), and as a date if
it is entered in the format "mm/dd/yyyy".
• "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InternetExplorer.Version" >= "5.0.2800.0" AND "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InternetExplorer.Version" <= "6.0.2900.0"
Checks for the presence of Internet Explorer. With this registry check,
the Internet Explorer version must be greater than or equal to 5.0.2800.0,
and less than or equal to 6.0.2900.0.
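As an added illustration (not code from the manual or from F5), the Python evaluator below implements the expression syntax described above: quoted key and value names with doubled quotation marks for literal quotes, the six comparison operators and ISPR with == rejected, terms joined by AND, and data compared as a version number, a date, or a plain string according to the formats given. It reads a constructed in-memory registry rather than a live Windows registry, treats a bare "key" comparison as a comparison against the key's default value (an assumption), and writes the Internet Explorer check in the "key"."value" form with the value name Version (the real Internet Explorer key path is assumed).

```python
import re
from datetime import date

# Constructed sample registry: key path -> {value name -> data}. The empty value
# name "" stands in for the key's (Default) value (an assumption of this example).
SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer": {
        "": "", "Version": "6.0.2900.0"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Example\Agent": {
        "": "installed", "Build": "3,2,1", "LastUpdate": "04/04/2014"},
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Example\"Quoted"': {"": ""},
}
_OPERATORS = ("<", "<=", ">", ">=", "!=", "=")
_VERSION = re.compile(r"^\d+(?:[.,]\d+){1,3}$")   # d.d[.d][.d] or d,d[,d][,d]
_DATE = re.compile(r"^(\d{2})/(\d{2})/(\d{4})$")    # mm/dd/yyyy

def _typed(text):
    """Coerce data to a version tuple, a date, or a plain string, per the formats above."""
    if _VERSION.match(text):
        return "version", tuple(int(p) for p in re.split(r"[.,]", text))
    m = _DATE.match(text)
    if m:
        mm, dd, yyyy = (int(g) for g in m.groups())
        return "date", date(yyyy, mm, dd)
    return "string", text

def _tokenize(expr):
    """("str", text) for quoted strings, ("dot", ".") between key and value, else ("word", text)."""
    tokens, i, n = [], 0, len(expr)
    while i < n:
        c = expr[i]
        if c.isspace():
            i += 1
        elif c == '"':
            buf, i = [], i + 1
            while True:
                if i >= n:
                    raise ValueError("unterminated quotation mark")
                if expr[i] == '"' and not (i + 1 < n and expr[i + 1] == '"'):
                    i += 1
                    break
                if expr[i] == '"':          # doubled quotation mark: keep a single one
                    i += 1
                buf.append(expr[i]); i += 1
            tokens.append(("str", "".join(buf)))
        elif c == "." and tokens and tokens[-1][0] == "str":
            tokens.append(("dot", ".")); i += 1
        else:                               # operator, ISPR, AND, or unquoted data
            j = i
            while j < n and not expr[j].isspace() and expr[j] != '"':
                j += 1
            tokens.append(("word", expr[i:j])); i = j
    return tokens

def _parse_term(tokens, pos):
    """Parse "key"[."value"] (ISPR | operator data); return (key, value, op, data, pos)."""
    if pos >= len(tokens) or tokens[pos][0] != "str":
        raise ValueError("key must be enclosed in quotation marks")
    key, value, pos = tokens[pos][1], None, pos + 1
    if pos + 1 < len(tokens) and tokens[pos][0] == "dot" and tokens[pos + 1][0] == "str":
        value, pos = tokens[pos + 1][1], pos + 2
    if pos >= len(tokens) or tokens[pos][0] != "word":
        raise ValueError("expected a comparison operator or ISPR")
    op, pos = tokens[pos][1], pos + 1
    if op == "ISPR":
        return key, value, op, None, pos
    if op not in _OPERATORS:                # this also rejects ==
        raise ValueError(f"invalid operator {op!r}; use = for equality")
    if pos >= len(tokens) or tokens[pos][0] == "dot":
        raise ValueError("missing data after operator")
    return key, value, op, tokens[pos][1], pos + 1

def _compare(actual, op, data):
    kind_a, have = _typed(actual)
    kind_d, want = _typed(data)
    if kind_a != kind_d:                    # mixed kinds: plain string comparison
        have, want = actual, data
    return {"=": have == want, "!=": have != want, "<": have < want,
            "<=": have <= want, ">": have > want, ">=": have >= want}[op]

def evaluate(expr, registry):
    """True when every AND-joined term passes; an absent key or value fails its term."""
    tokens, pos = _tokenize(expr), 0
    while True:
        key, value, op, data, pos = _parse_term(tokens, pos)
        values = registry.get(key)
        if op == "ISPR":
            ok = values is not None and (value is None or value in values)
        else:
            actual = None if values is None else values.get(value or "")
            ok = actual is not None and _compare(actual, op, data)
        if not ok or pos == len(tokens):    # first failing term decides; else all passed
            return ok
        if tokens[pos] != ("word", "AND"):
            raise ValueError("terms must be joined with AND")
        pos += 1

# The manual's Internet Explorer version check, written in the "key"."value" form.
IE_CHECK = (r'"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"."Version" >= "5.0.2800.0" AND '
            r'"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"."Version" <= "6.0.2900.0"')
```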
2. In the profile list, find the access policy you want to edit, then click
Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab,
depending on your browser settings.
3. On a branch of the access policy, click the plus sign ( ) to add an
action.
The Add Item popup screen opens.
4. If client-side check actions are not expanded, click the plus sign
( ) next to Client Side Checks.
5. Select Registry Check and click Add Item to add the action to the
access policy.
The Registry Check action popup screen opens.
6. In the Expression box, type:
"HKEY_LOCAL_MACHINE\Software\Google\Google Desktop.ResourceDLL"
The configured action appears as shown in Figure 9.5.
7. Click Save to complete the configuration.
Note
This is not a complete example. For the example to work, you must assign
an Allow ending to successful branches. You can assign a network access or
web applications resource using the resource assign action, along with
associated webtops. For a web application access management connection,
you need not assign resources. This example is configured starting with an
empty access policy.
Note
You can use the cache and session control action to clean cache and related
session information from the Internet Explorer browser only. The action
does not clear browser cache and session-related items from Firefox, Safari,
or any other browser. However, other items you configure in the action are
cleaned on all Windows systems.
Note
This is not a complete example. For the example to work, you must assign
an Allow ending to successful branches. You can assign a network access or
web applications resource using the resource assign action, along with
Note
You cannot assign a Windows group policy template after a session is in the
protected workspace. To use Windows group policies with protected
workspace, you must place the Windows group policy action before the
protected workspace action in the access policy.
5. Select Protected Workspace and click Add Item to add the action
to the access policy.
The Protected Workspace action popup screen opens.
6. Configure the protected workspace.
• Enable or disable the option to Close Google Desktop Search
when the user starts the protected workspace session.
Note that selecting Enabled in this option is more secure.
• Enable or disable the option to Allow user to temporarily
switch from Protected Workspace when the user is in the
protected workspace session.
• Enable or disable the option to Allow user to use printers.
• Select the option for the setting Allow write access to USB flash
drives. In addition to the Disabled option and the option to allow
write access to All USB flash drives, this setting provides a third
option, Only IronKey Secure Flash Drives, which allows a user
to write only to specialized, highly secured flash drives created
by IronKey, Inc.
• Enable or disable the option to Allow user to burn CDs.
7. If you want to allow protected workspace users to have write access
to a specific server, click the Add new entry button and type the
name of the server.
To add more servers, repeat this step. To remove a server, click the
X button next to the name of the server.
8. Click Save to complete the configuration.
Note
This is not a complete example. For the example to work, you must assign
an Allow ending to successful branches. You can assign a network access or
web applications resource using the resource assign action, along with
associated webtops. For a web application access management connection,
you need not assign resources. This example is configured starting with an
empty access policy.
2. In the profile list, find the access policy you want to edit, then click
Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab,
depending on your browser settings.
3. On a branch of the access policy, click the plus sign ( ) to add an
action.
The Add Item popup screen opens.
4. If client-side check actions are not expanded, click the plus sign
( ) next to Client Side Actions.
5. Select Protected Workspace and click Add Item to add the action
to the access policy.
The Protected Workspace action popup screen opens.
6. Configure the action as follows:
• From the Close Google Desktop Search list, select Enabled.
• From the Allow user to temporarily switch from Protected
Workspace list, select Disabled.
• From the Allow user to use printers list, select Disabled.
• From the Allow write access to USB flash drives list, select
Only IronKey Secure Flash Drives.
• From the Allow user to burn CDs list, select Disabled.
7. Click Add new entry to add a server to which a user can write.
In the box that appears, type Quarantine.
Note that new entries are added above previously configured
entries, by default.
The configured action appears as shown in Figure 9.8.
8. Click Save to save the access policy.
Note
You cannot assign a Windows group policy template after a session is in the
protected workspace. To use Windows group policies with protected
workspace, you must place the Windows group policy action before the
protected workspace action in the access policy.
• EC Domain XPSP2 Desktops Template
Microsoft Enterprise Client Policy for desktops and laptops. This is a moderate
policy, balancing security and usability.
• Firewall Settings Template
Access Policy Manager settings for enabling the user’s firewall. This policy is
used to ensure that the user’s Microsoft firewall is configured and running.
• GLBA Template
Based on the Gramm-Leach-Bliley GLBA standard. This policy is used for
desktops and laptops to help prevent access to unauthorized information.
• HIPAA Template
Based on the HIPAA (Health Insurance Portability and Accountability Act)
standard. This policy is used for desktops and laptops to help prevent access to
unauthorized information.
• Highly Managed Template
Microsoft Common Usage (high) for desktops and laptops. This policy is used
in managed environments and provides high restrictions on user access to
devices, configuration, and applications.
• Lightly Managed Template
Microsoft Common Usage (light) for desktops and laptops. This policy is used in
managed environments, and provides light restrictions on user access to
devices, configuration, and applications.
• PCI Template
Based on the PCI (Payment Card Industry) standard. This policy is used for
desktops and laptops to help prevent access to unauthorized information.
• SSLF Domain Template
Microsoft Specialized Security (Limited Functionality) for desktops and laptops.
This is a more focused security policy, with greater restrictions on configuration
access.
• Terminal Services Taskstation Template
Terminal Services for client terminal services. This policy is used in
environments where the primary use is terminal services.
Note
This is not a complete example. For the example to work, you must assign
an Allow ending to successful branches. You can assign a network access or
web applications resource using the resource assign action, along with
associated webtops. For a web application access management connection,
you need not assign resources. This example is configured starting with an
empty access policy.
10
Configuring Server-Side Checks
Note
This is not a complete example. For the example to work, you must assign
an Allow ending to successful branches. You can assign a network access or
web applications resource using the resource assign action, along with
associated webtops. For a web application access management connection,
you need not assign resources. This example is configured starting with an
empty access policy.
Note
The Windows RT branch, shown in figure 10.1, is available only when you
have the appropriate Access Policy Manager® 10.2.4 hotfix installed. To
determine hotfix requirements, refer to the BIG-IP APM Client
Compatibility Matrix for APM 10.2.4 on the AskF5™ web site at
http://support.f5.com.
Note
This is not a complete example. For the example to work, you must assign
an Allow ending to successful branches. You can assign a network access or
web applications resource using the resource assign action, along with
Note
This is not a complete example. For the example to work, you must assign
an Allow ending to successful branches. You can assign a network access or
web applications resource using the resource assign action, along with
associated webtops. For a web application access management connection,
you need not assign resources. This example is configured starting with an
empty access policy.
13. To activate the access policy, click the Apply Access Policy link at
the top of the visual policy editor screen.
example, you add a resource assign action after the landing URI check for
the URI /owa. For a complete working scenario, assign a web applications
resource for Outlook Web Access with this resource assign action.
Note
This example does not detail how to create and assign web application
resources. For detailed instructions, see Configuring web applications on
Access Policy Manager, on page 3-7, and Assigning resources, on page 8-8.
11
Configuring Authentication Using AAA Servers
The Auth and Query methods are independent of each other, and you do
not necessarily need to have them configured within the same access policy.
However, as an administrator, you must make a decision on which type of
policy item you would like to add to your access policy. For instance, if you
added AD Auth to your policy, you cannot change it later to AD Query
unless you go into your access policy and delete the AD Auth item
completely from your policy.
For more information on how to configure the Auth and Query methods for
either LDAP or Active Directory, refer to Configuring LDAP access policy
action item for authentication, on page 11-23, Configuring LDAP query
policy action item, on page 11-26, Configuring Access Policy Manager to
access the Active Directory for authentication, on page 11-33, and
Important
To use a specific authentication method, you must have at your site a server
that supports the scheme.
RADIUS authentication
RADIUS authentication allows you to authenticate and authorize your users
to access their resources through a RADIUS server that you configure on the
Access Policy Manager. For more information on how to set up
authentication using a RADIUS server, refer to Setting up RADIUS
authentication and authorization access policy action item, on page 11-9.
The following tasks provide information on how to set up your RADIUS
server. You can also leverage user information, in the form of attributes, to
allow users access to various network resources.
Important
Be sure that the RADIUS server is configured to recognize the Access Policy
Manager as a client. Use the same shared secret in both the RADIUS server
configuration and in the Access Policy Manager configuration.
RADIUS attributes
The following table lists the specific RADIUS authentication attributes that
the Access Policy Manager sends with RADIUS requests.
Attribute Purpose
RADIUS accounting
You can report user session information to an external RADIUS accounting
server. If you select this mode only, the system assumes that you have set up
another type of authentication method to authenticate and authorize your
users to access their resources. For more information on how to set up
RADIUS accounting, refer to To configure RADIUS accounting, on page
11-14.
The Access Policy Manager operates as a client of the external RADIUS
accounting server, and is responsible for retrieving user information. It
sends accounting messages indicating when the network access is initiated
or terminated, by sending the RADIUS accounting start and stop messages.
However, the RADIUS accounting start message does not mean the actual
network access will be successfully established. If a user logs in, but the
network tunnel fails to establish, the user is not presented with a logon
denied page. Instead, the user either sees an error message on the webtop
and must manually log out, or is automatically logged out of a session. In
either case, the accounting stop message is sent when the user is logged out
and the session terminates.
RADIUS accounting works in the following ways:
• When a user logs on to the Access Policy Manager, the system sends
session start information to the RADIUS accounting server. Session start
information consists of the RADIUS username, the RADIUS sessionid of
the user’s session, and a RADIUS accounting status start message,
indicating that the session has started.
• When the user terminates the session by logging off the Access Policy
Manager, the system sends session end information to the RADIUS
accounting server. The session end information includes the RADIUS
username, the RADIUS sessionid, and the RADIUS accounting status
stop message, indicating that the session has ended. Also included in this
stop message is the RADIUS service duration, which represents the total
time the user session was active.
If the user does not log off, but simply closes the web browser window, the
Access Policy Manager sends the RADIUS stop message when the user’s
session times out.
RADIUS accounting messages are sent asynchronously. The Access Policy
Manager stores the user’s session start and end information in its database,
and sends them to the RADIUS accounting server.
Important
Be sure to configure your RADIUS accounting server to recognize the
Access Policy Manager as a client. Refer to your external server’s user
manual for more information on how to perform this task.
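As an added model of the start and stop exchange described above (not code from the manual or from F5), the Python below builds RADIUS Accounting-Request messages carrying the user name, the session id, the status (Start or Stop) and, on Stop, the session duration, while the accounting-server side verifies the Request Authenticator against the shared secret, decodes the attributes, and keeps a ledger in which a Start with no matching Stop is a session that was opened but never terminated. The attribute numbers and the authenticator rule are taken from RFC 2866 rather than from the manual, and the shared secret, user names and session ids are constructed.

```python
import hashlib
import hmac
import struct

# RADIUS accounting constants from RFC 2866 (assumed here; the manual does not list them).
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ATTR_ACCT_SESSION_TIME = 46
STATUS_START, STATUS_STOP = 1, 2

def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes((attr_type, len(value) + 2)) + value

def build_accounting_request(ident, secret, username, session_id, status, session_time=None):
    """Client side: Start carries user name and session id; Stop adds the session duration."""
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
             + _attr(ATTR_ACCT_SESSION_ID, session_id.encode()))
    if status == STATUS_STOP:
        attrs += _attr(ATTR_ACCT_SESSION_TIME, struct.pack("!I", session_time))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero bytes + Attributes + Secret).
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs

def parse_accounting_request(packet, secret):
    """Server side: reject a packet whose authenticator does not match the shared secret."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs_raw = packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs_raw + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Request Authenticator: shared secret mismatch?")
    attrs, i = {}, 0
    while i < len(attrs_raw):
        if i + 2 > len(attrs_raw):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attrs_raw[i], attrs_raw[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs_raw):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = attrs_raw[i + 2:i + attr_len]
        i += attr_len
    for required in (ATTR_USER_NAME, ATTR_ACCT_STATUS_TYPE, ATTR_ACCT_SESSION_ID):
        if required not in attrs:
            raise ValueError(f"missing attribute {required}")
    record = {"ident": ident,
              "username": attrs[ATTR_USER_NAME].decode(),
              "session_id": attrs[ATTR_ACCT_SESSION_ID].decode(),
              "status": struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]}
    if ATTR_ACCT_SESSION_TIME in attrs:
        record["session_time"] = struct.unpack("!I", attrs[ATTR_ACCT_SESSION_TIME])[0]
    return record

class AccountingLedger:
    """Accounting-server view of sessions. A Start only says a logon happened, not that
    the tunnel came up; the Stop arrives at logout or when the session times out."""
    def __init__(self):
        self.open = {}       # session_id -> username: Start seen, no Stop yet
        self.closed = {}     # session_id -> (username, duration in seconds)

    def record(self, msg):
        if msg["status"] == STATUS_START:
            self.open[msg["session_id"]] = msg["username"]
        elif msg["status"] == STATUS_STOP:
            self.open.pop(msg["session_id"], None)
            self.closed[msg["session_id"]] = (msg["username"], msg.get("session_time"))

    def unterminated(self):
        """Sessions that started but never sent a Stop; worth reconciling with APM's logs."""
        return sorted(self.open)

def demo(secret=b"constructed-shared-secret"):
    """Run the Start/Stop exchange for one session and leave a second one open."""
    ledger = AccountingLedger()
    for pkt in (build_accounting_request(1, secret, "alice", "APM-0001", STATUS_START),
                build_accounting_request(2, secret, "bob", "APM-0002", STATUS_START),
                build_accounting_request(3, secret, "alice", "APM-0001", STATUS_STOP, 3600)):
        ledger.record(parse_accounting_request(pkt, secret))
    return ledger
```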
If you use the Timeout setting, you must also use the Retries
setting. If these settings are enabled, the Access Policy Manager
attempts to reach the AAA server within the specified timeframe in
seconds. If the server does not respond, the Access Policy Manager
retries the authentication attempt, depending on how many retries
you specify.
session.RADIUS.last.result Provides the result of the RADIUS authentication. The available values
are:
0:Failed
1:Passed
You can add your own custom rules using the session variables. For
example, you can create your own custom rules when you want different
users assigned to different network resources. For more information on how
to add custom access policy rules, refer to Chapter 5, Creating Access
Profiles and Access Policies.
Authentication failed due to timeout
Check that the Access Policy Manager is configured as a client on the
RADIUS server.
You may have encountered a general network connection problem.
Authentication failed due to RADIUS access reject
Check that the shared secret on the RADIUS server is valid.
Check that the user credentials are entered correctly.
Table 11.6 General steps to test and ensure successful RADIUS authentication
Check the RADIUS server configuration
• Confirm that the Access Policy Manager is registered as a
RADIUS client.
Note: Since the Access Policy Manager sends authentication requests
to the RADIUS server from its self IP address, the self IP address
should be registered as a RADIUS client.
• Check the RADIUS logs for any errors.
Passcode
• 16 digit passcode
• 4 digit passcode
The RADIUS server is inactive
Even if the RADIUS server has been started from the SecurID options
window on the Windows SecurID server, the server may not be active.
In the Windows Services Manager, make sure that the server is set to start
each time the server boots, and is currently running. RSA SecurID
authentication using RADIUS takes place on a different port than native
SecurID authentication.
The SecurID is configured incorrectly for RADIUS authentication
While using RSA SecurID over RADIUS, the SecurID server is a client of
itself. The RADIUS service functions as a standalone process, and if the
SecurID server is not set up as a client of itself, it rejects the Access Policy
Manager authentication request and does not store anything in the logs.
No response from the RSA SecurID server
Check that the RSA SecurID is configured properly.
To facilitate communication between the Access Policy Manager and the
RSA SecurID, an Agent Host record must be added to the RSA
Authentication Manager database. For an example on how to add an agent
host, refer to Adding the Access Policy Manager as an agent host to an RSA
Native SecurID authentication server, on page 11-18.
The Agent Host record identifies the Access Policy Manager within its
database and contains information about communication and encryption.
To create the Agent Host record, you need the following information.
• Host name
• IP addresses for all network interfaces
• RADIUS secret (Click Assign/Change Encryption Key to input the secret.
This RADIUS secret must match the corresponding RADIUS secret on the
Access Policy Manager).
When adding the Agent Host record, you should configure the Access Policy
Manager as a communication server. This setting is used by the RSA
Authentication Manager to determine how communication with the Access
Policy Manager will occur.
4. For the Visual Policy Editor setting, click the link Edit Access
Policy for Profile "<name of policy>" to start the visual policy
editor.
The visual policy editor opens in a new window or new tab,
depending on your browser settings.
5. Click the small plus sign [+] where you want to add the new access
policy action item.
A properties screen opens.
6. Under Authentication, select RADIUS Acct and click Add item.
The RADIUS Auth object popup opens in the visual policy editor.
7. On the Properties tab, select the name of your RADIUS accounting
server from the AAA Server list, and click Save.
8. Click Activate Access Policy to save your configuration.
The AAA server is added to the access policy, and is now a part of
the overall authentication process.
The RADIUS access policy action automatically creates the session
variables, as shown in Table 11.9.
session.RADIUS.last.acctresult Provides the result of the RADIUS accounting. The available values are:
0:Failed
1:Passed
Accounting failed due to timeout
Check that the Access Policy Manager is configured as a client on the
RADIUS server.
You may have encountered a general network connection problem.
Accounting failed due to RADIUS access reject
Check that the shared secret on the RADIUS server is valid.
Check that the user credentials are entered correctly.
12. Click the Agent Host tab, and select the Generate Configuration
Files item.
The Generate Configuration File screen opens.
13. Select the One Agent Host option, and then select from the list the
Access Policy Manager agent host you just configured.
14. Save the agent host configuration file onto your local system.
15. Click OK.
16. Add users who are authorized to use the Access Policy Manager.
For more information on how to do this, refer to your RSA Native
SecurID authentication server administrator guide.
6. Click Finish.
The new RSA server is added.
Important
You must rename the configuration file to sdconf.rec and copy it to the
Access Policy Manager before you can use the command line interface
commands to configure RSA Native SecurID. Then, you add the SecurID
server as you would add any AAA server. Remember that the server name
must be the name of the directory to which the configuration file was copied.
Using RSA Native SecurID session variables for access policy rules
You can authorize your users with user information provided by the RSA
Native SecurID authentication server in the form of attributes. These
attributes, converted into session variables, can be used to create rules. For
more information on session variables and how to use them to create your
rules, refer to Appendix C, Session Variables.
The RSA Native SecurID access policy action automatically creates the
session variables, as shown in Table 11.12.
session.securid.last.result: Provides the result of the RSA Native SecurID authentication. The available values are 0 (Failed) and 1 (Passed).
You can add your own custom rules using the session variables. For
example, you can create your own custom rules when you want different
users assigned to different network resources. For more information on how
to add custom access policy rules, refer to Chapter 7, Creating Access
Profiles and Access Policies.
4. Click Finish.
The new LDAP server is added to the AAA Server List.
Note
If your LDAP directory allows anonymous query, you do not need to specify
an administrative account or password in the required fields. Either specify
credentials of any LDAP account that allows querying this part of the LDAP
directory, or create a new LDAP account for Access Policy Manager.
session.ldap.last.authresult, session.ldap.last.queryresult: Provides the result of LDAP authentication or query. The available values are 0 (Failed) and 1 (Passed).
session.ldap.last.attr.$attr_name: $attr_name is a value that represents the user's attributes received during LDAP authentication or query. Each attribute is converted to a separate session variable.
session.ldap.last.errmsg: Useful for troubleshooting. This contains the last error message generated for LDAP. Example: aad2a221.session.ldap.last.errmsg
Note
This is an example of how to update the default rule. Alternatively, you can
change both the expression type and value and add other rules.
Tip
Make sure that your log level is set to the appropriate level. The default log
level is notice. Refer to Chapter 17, Logging and Reporting, for more
information on how to use the logging feature.
Additionally, you can look into the session reports for information on users’
logon attempts. In the navigation pane, expand Access Policy, choose
Reports, and click the active session ID to see all the session variables.
Confirm network connectivity:
• Access the Access Policy Manager through the command line interface and check your connectivity by pinging the LDAP server using the host entry in the AAA Server box.
• Confirm that LDAP port 389 is not blocked between the Access Policy Manager and the LDAP server.
Table 11.15 General steps to test and ensure successful LDAP authentication
Check the LDAP server configuration:
• Verify that the administrative credentials are correct on the LDAP server, and that they match the credentials used by the AAA entry.
Capture a tcpdump:
• Take a tcpdump from the Access Policy Manager while authentication attempts are made, for example: tcpdump -i 1.1 -w /tmp/dump. You must first determine which interface the self IP is on. The captured records show the traffic between the Access Policy Manager and the authentication server.
• Run the authentication test. After authentication fails, stop the tcpdump, download the capture file to a client system, and use a protocol analyzer to troubleshoot.
Tip
Although it is not required, you can enter the admin name and password
during this initial configuration; these credentials apply only to AD query.
If the password change fails, it is likely that the Active Directory server
rejected it because the password did not meet the minimum requirements
such as password length.
Note
By default, users are given only one attempt to reset their password.
However, an administrator can set the maximum logon attempts allowed for
the authentication agent to a value larger than 1, which gives users multiple
opportunities to reset their passwords.
Tip
Both DNS forward and reverse lookup of the domain name processes should
work properly to ensure that the domain name resolves to the IP address of
the domain controller, and the reverse address resolves to the domain name.
session.ad.last.attr.$attr_name: $attr_name is a value that represents the user's attributes received from the Active Directory server. Each attribute is converted to a separate session variable.
session.ad.last.attr.group.$attr_name: $attr_name is a value that represents the user's group attributes received from the Active Directory server. Each attribute is converted to a separate session variable.
Tip
Make sure that your log level is set to the appropriate level. The default log
level is notice. Refer to Chapter 17, Logging and Reporting, for more
information on how to use the logging feature.
Additionally, you can look into the session reports for information on users'
logon attempts. In the navigation pane, expand Access Policy, click
Reports, and on the screen click the active session ID to see all the session
variables.
Domain controller reply did not match expectations, (-1765328237): This error occurs when the principal/domain name does not match the domain controller server's database. For example, if the actual domain is "SALES.MYCOMPANY.COM" and the administrator specifies STRESS as the domain, then the krb5.conf file displays the following:
default_realm = SALES
SALES = {
domain controller = <domain controller server>
admin = <admin server>
}
So, when the administrator tries to authenticate with useraccount@SALES, the krb5 library notices that the principal name SALES differs from the actual one in the server database.
Table 11.18 General steps to test and ensure successful Active Directory authentication
Figure 11.3 Example of authenticating and authorizing users with Active Directory query and
authentication
Note
The nested groups feature works slightly differently for LDAP and
Active Directory. If you want to use nested groups for Active Directory
query, you can use it in conjunction with, or independently from, Fetch
Group Attribute.
The following table displays the results of your Active Directory query when
nested groups is used in conjunction with Fetch Group Attributes.
Fetch Nested Group On, Fetch Primary Group On: This setting queries all groups the user belongs to. This includes the user's memberOf groups, which include the user's primary group, and groups nested through all memberOf groups.
Fetch Nested Group Off, Fetch Primary Group On: This setting queries the user's memberOf groups plus the primaryGroupDN. However, it does not query any nested groups.
Fetch Nested Group On, Fetch Primary Group Off: This setting queries the user's memberOf groups, including the nested groups reached through the memberOf groups. However, the primaryGroupDN is not queried.
Fetch Nested Group Off, Fetch Primary Group Off: This setting queries the user's memberOf groups only. This means that only the groups with which users are directly associated are queried.
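The four setting combinations above, worked through as an added Python model (not F5 code and not part of the original manual): the directory, the sample user and the group DNs are constructed, and the assumption that On/On also follows the primary group's own parent groups is labelled in the code.

```python
"""Model of the Active Directory query results for the Fetch Nested Group
and Fetch Primary Group settings. Added example; the directory contents
below are constructed sample data, not a real domain."""

# Constructed sample directory. Each group DN maps to the DNs in that
# group's own memberOf attribute, i.e. the groups it is nested inside.
GROUP_MEMBER_OF = {
    "CN=Sales,DC=example,DC=com": ["CN=AllStaff,DC=example,DC=com"],
    "CN=AllStaff,DC=example,DC=com": ["CN=Everyone,DC=example,DC=com"],
    "CN=Everyone,DC=example,DC=com": [],
    "CN=Domain Users,DC=example,DC=com": ["CN=Users,DC=example,DC=com"],
    "CN=Users,DC=example,DC=com": [],
    "CN=VPN,DC=example,DC=com": [],
}

# Constructed sample user. memberOf lists direct memberships only; the
# primary group is not in memberOf and is exposed separately (the manual
# calls it primaryGroupDN).
SAMPLE_USER = {
    "memberOf": ["CN=Sales,DC=example,DC=com", "CN=VPN,DC=example,DC=com"],
    "primaryGroupDN": "CN=Domain Users,DC=example,DC=com",
}


def expand_nested(groups, member_of=GROUP_MEMBER_OF):
    """Return the given groups plus every group reachable by following
    memberOf upward. The visited set makes cyclic memberships terminate."""
    seen = set()
    stack = list(groups)
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        stack.extend(member_of.get(dn, []))
    return seen


def query_groups(user, fetch_nested, fetch_primary, member_of=GROUP_MEMBER_OF):
    """Groups returned for one row of the table.

    Off/Off: memberOf only.
    Off/On:  memberOf plus primaryGroupDN, no nesting.
    On/Off:  memberOf expanded through nested memberOf; primary group skipped.
    On/On:   everything, with nesting expanded from memberOf and from the
             primary group (assumption: the primary group's own parents
             are included, which the table does not state explicitly).
    """
    seed = set(user["memberOf"])
    if fetch_primary:
        seed.add(user["primaryGroupDN"])
    if fetch_nested:
        return expand_nested(seed, member_of)
    return seed


def results_table(user=SAMPLE_USER):
    """Evaluate all four combinations, keyed as (fetch_nested, fetch_primary),
    returning sorted lists so the effect of each setting is easy to compare."""
    return {
        (nested, primary): sorted(query_groups(user, nested, primary))
        for nested in (True, False)
        for primary in (True, False)
    }


def authorize(user, required_group, fetch_nested, fetch_primary):
    """Decision a rule on the group session variables would reach: True only
    when required_group is among the groups the configured query returned."""
    return required_group in query_groups(user, fetch_nested, fetch_primary)


if __name__ == "__main__":
    for (nested, primary), groups in results_table().items():
        print("nested=%-5s primary=%-5s -> %s" % (nested, primary, groups))
```

The same user is or is not authorized for a group such as CN=Everyone depending only on whether nesting is fetched, which is why the setting must match the rule that consumes the group variables.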
Note
You can test the URL by logging on with valid and invalid credentials to
make sure your external authentication server issues a challenge when
invalid credentials are entered.
4. Click Save, and then click Apply Access Policy to save your
changes.
$SM$K36kRZMqrZGtQof83Lsss6NdinGFhuoOAUmTkUffmhFUhmA%2bHwBxZja%3d
TARGET: http://sales.example.com
SMENC: ISO-8858-1
SMLOCALE: US-EN
POSTPRESERVATIONDATA
Important
You will need to add a second server pool for RADIUS accounting. You add
this the same way as the authentication pool. However, instead of using port
1812, use port 1813 since that is the default RADIUS accounting port.
Important
You will need to create a second virtual server, using the same procedure
for RADIUS accounting. Remember to use port 1813.
8. Enter information in any other required fields. You can find details
for each setting in the online help.
9. Click Activate Access Policy to save your configuration.
12 Introducing On-Demand Certificate Authentication
• Understanding OCSP
Note
When the certificate authentication mode is set to Require on the New Client
SSL Profile screen, the user must provide a valid client certificate.
Otherwise, the connection is not allowed. The recommended option for the
client cert result agent is Request.
• If the access policy rule in the On-Demand certificate agent detects that
the validation was a success, then the access policy assigns the resource
R1 to the user, and takes the user to the allow ending. Otherwise, the user
is denied access.
Note
If you want to authenticate the client with a valid certificate at the beginning
of the initial SSL handshake of your access policy, then you should select
Request from the Client SSL Profile screen when you set up your client SSL
profile.
Understanding CRLs
A certificate revocation list (CRL) is a list of revoked (invalid) certificates.
The CRL describes the reason for the revoked status of the certificate, and
provides the certificate’s issue date and originator. The list also notes its
next update.
When a user with a revoked On-Demand Certificate attempts to log on to
the Access Policy Manager, the system allows or denies access based on the
CRL configured in the sslclient profile.
A CRL is one of three common methods for maintaining valid,
certificate-based access to servers in a network. CRLDP is an
industry-standard protocol designed to manage SSL certificate revocation
on a network or system. The main limitation of a CRL is that keeping it
current requires frequent updates, whereas OCSP checks certificate
status in real time. You can read more about OCSP in Understanding OCSP,
following.
The CRL is a PEM-formatted file containing a list of revoked certificates,
attached to the client SSL profile. Make sure the CRL file is kept up to date.
You must manually install the CRL file to the /config/ssl/ssl.crl directory
since this is not an automatic process.
Note that if you have multiple CRL files, you cannot aggregate them into
one master file. You must point to the individual file (in PEM format) if you
want to retrieve CRL information.
Note
You should not configure CRL updates if you are using the Access Policy
Manager to generate and issue On-Demand Certificates to users (using
either a self-signed client root CA certificate, or a client root CA certificate
from a trusted CA). In this case the Access Policy Manager manages CRLs
internally.
Understanding OCSP
The Online Certificate Status Protocol (OCSP) enables applications to
determine the revocation status of a certificate. OCSP provides more timely
revocation information than is possible using CRLs, and may also be used to
obtain additional status information. The Access Policy Manager acts as the
OCSP client: it issues a status request to an OCSP responder and suspends
acceptance of the certificate until the responder provides a response.
The Access Policy Manager supports OCSP validation of On-Demand
Certificates.
Note
Do not use On-Demand Certificate OCSP if you are using the Access Policy
Manager to generate/issue On-Demand Certificates to users (using either a
self-signed client root CA certificate, or a client root CA certificate issued
by a trusted CA). In this case, the Access Policy Manager is managing CRLs
internally.
Using CRLDP
CRLDP stands for Certificate Revocation List Distribution Point. CRLDP
checks the revocation status of an SSL certificate as part of authenticating
that certificate. CRL distribution points are used to distribute certificate
revocation information across a network. A distribution point is a URI or
directory name specified in an SSL certificate that identifies how the server
obtains CRL information. In addition, distribution points can be used in
conjunction with CRLs to configure certificate authorization using any
number of LDAP servers.
In setting up CRLDP, you complete the following tasks:
• Configuring a CRLDP server object
• Configuring a CRLDP configuration object
• Creating a CRLDP profile
• Binding the CRLDP profile to a virtual server
2. From the list of virtual servers, click the name of the server to which you
want to bind the CRLDP profile.
The Properties screen opens.
3. From the Configuration setting, select Advanced.
4. From the Available box, for the Authentication Profiles, select the
CRLDP profile you want to bind to the virtual server.
5. Click the move button (<<) to move the CRLDP profile to the
Enabled box.
6. Click Update.
The CRLDP Profile is now associated with your virtual server.
13 Introducing Single Sign-On
Note
Access Policy Manager supports the following formats from the username
field on the logon page in order to authenticate to the back-end server:
domain\username and username@domain.
5. Click Finished.
You are now ready to configure your access profile with the
appropriate access policy.
3. Configure your access profile with the appropriate access policy, for
example, SSO Credential Mapping.
4. Click Apply Access Policy.
You are now ready to associate the SSO object to your access
profile. Refer to Assigning SSO configuration objects for
instructions.
Figure 13.1 Example of BIG-IP Access Policy Manager and OAM deployment
• Basic authentication
• Form-based authentication
• Certificate-based authentication
5. Click Update.
You successfully configured Access Policy Manager for OAM as
the SSO method.
Note
To ensure that traffic is handled only by the network access for each layered
virtual server, you need to select the network access tunnel option from the
VLANs list. For more information, refer to the steps in To configure a
layered virtual server for your web service, on page 13-17.
Note
If you use split tunneling for network traffic, you must properly configure
LAN address space setting so that traffic for the web services passes to the
network access tunnel. For more information on how to configure LAN
address space, see To configure network access properties, on page 2-4.
Important
Before you proceed to create a layered virtual server for your web service,
make sure to create an SSO object and select a preferred SSO method for
your object. For more information on how to create an SSO object, refer to
General SSO object attributes, on page 13-2.
5. On the Main tab of the navigation pane, expand Local Traffic, and
click Virtual Servers.
The Virtual Server List screen opens.
6. Select the layered virtual server you created for your web service.
The General Properties screen opens.
7. From VLAN and Tunnel Traffic, select network access tunnel to
ensure that the layered virtual server handles only traffic arriving
through the network access tunnel interface.
8. Associate the dummy access profile you created by selecting it from
the list.
Important
Make sure that both Address Translation and Port Translation settings
remain cleared. You can find these settings by selecting the Advanced
option for Configuration.
9. Click Update.
For every web service you want to add, you must follow the steps in
creating an HTTP virtual server for network access, and
configuring a layered virtual server for your web service.
Your users are now able to access multiple web services without having to
enter their credentials multiple times.
5. Click Finished.
The SSO object is now added to the SSO list. Note that these
objects are exposed in the form of session variables.
6. In the navigation pane, expand Access Profiles, and select an access
profile you want the SSO configuration object assigned to.
7. Click the Properties tab.
The General Properties screen opens.
8. Under Configurations, in the SSO Configuration field, select your
SSO configuration object.
9. Click Finished.
The SSO configuration object is now assigned to your access
profile.
14 Configuring Virtual Servers
Important
When you create a virtual server, the BIG-IP system places the virtual
server into your current administrative partition. For information on
partitions, see the TMOS® Management Guide for BIG-IP® Systems.
For production deployment of your configuration, you should either edit the
clientssl profile to use your imported certificate and key, or create a new
profile based on the clientssl profile that uses your own certificate and key.
For more information, see Configuring a clientssl profile, on page 12-8. For
initial evaluation of Access Policy Manager, you may select the default
clientssl profile in the SSL Profile (Client) list. This default profile does not
contain a valid SSL server certificate, but it can be used for initial Access
Policy Manager evaluation and testing.
15. If you are creating a virtual server to use with a web application in
minimal patching mode, from the Default pool list, select the local
traffic pool for this application.
16. Click Finished to complete the configuration.
15 Customizing Access Policy Manager Features
• Customizing a webtop
In addition, when customizing access profile settings, you can select the
language for which you are customizing.
Message / Description
Antivirus check message: Specifies the message displayed while the antivirus check action is checking the system.
File check message: Specifies the message displayed while the file check action is checking the system.
Firewall check message: Specifies the message displayed while the firewall check action is checking the system.
Windows machine certificate check message: Specifies the message displayed while the Windows machine certificate check action is checking the system.
Process check message: Specifies the message displayed while the process check action is checking the system.
Windows Registry check message: Specifies the message displayed while the registry check action is checking the system.
Windows Group Policy action message: Specifies the message displayed while the Windows group policy action is configuring the system.
Windows Info check message: Specifies the message displayed while the Windows information check action is checking the system.
Windows Protected Workspace action message: Specifies the message displayed while the Protected Workspace action is starting the protected workspace.
Windows Protected Workspace logon: short message: Specifies the message displayed on the client when protected workspace resumes the logon procedure after starting.
Windows Protected Workspace continuing: extended message: Specifies the message displayed when the protected workspace starts and the system requires some time to display the protected workspace.
Windows Protected Workspace continue link: Specifies the link text that the user can click to continue without starting protected workspace.
Windows Protected Workspace started: close browser message: Specifies the message displayed when protected workspace has successfully started.
Checking client message: Specifies the message displayed when the system is checking the client for an unspecified action.
Installing message (appended to other messages): Specifies the message displayed while the client is installing software.
Downloading message (appended to other messages): Specifies the message displayed while the client is downloading software components.
New browser window required message: Specifies the message displayed when browser settings have changed, and the user must open a new browser window to continue.
Continue link: Specifies the link text that the user clicks to continue after opening a new browser window.
Continue without endpoint inspection message: Specifies the messages displayed when client-side security checks fail. You can specify link text to cancel and link text to continue. The continue link allows the client to continue on the fallback branch.
Cache and session control ActiveX loading message: Specifies the message displayed when the cache and session control ActiveX control is loading and the user may be prompted to allow cache and session control installation.
Cache and session control ActiveX missing message: Specifies the text displayed when the client requires ActiveX to start the cache and session control plug-in, and ActiveX is not available or enabled.
Cache and session control continue link: Specifies the link text that the user clicks to continue when the cache and session control plug-in cannot load.
Cache and session control blocked popup message: Specifies the message displayed when a popup blocker is enabled. The message includes information on how to allow popups from the BIG-IP device. Note: We recommend that you use an HTML editor to edit the HTML code for this box. The code appears unformatted and without line breaks in the box.
Cache and session control failure message: Specifies the message displayed when the cache and session control plug-in fails to start. The message includes information on possible causes. Note: We recommend that you use an HTML editor to edit the HTML code for this box. The code appears unformatted and without line breaks in the box.
Message / Description
Cache and session control loading message: Specifies the text displayed while the cache and session control plug-in starts. Note: We recommend that you use an HTML editor to edit the HTML code for this box. The code appears unformatted and without line breaks in the box.
Virtual keyboard label: Specifies the label for the virtual keyboard.
Virtual keyboard hide keyboard link: Specifies the link text that the user clicks to hide the virtual keyboard.
Message / Description
Request error: Specifies the error displayed when there is a malformed request or another problem with a request.
Invalid Network Access resource: Specifies the error displayed when the access profile cannot find a valid Network Access resource.
Client IP address changed: Specifies the error displayed if the client IP address changes while the session is in progress.
Unsupported User-Agent: Specifies the error displayed when the browser user agent is not supported in the policy.
User limit reached: Specifies the error displayed when the resource cannot be assigned because the limit on the number of sessions has been reached.
Terminated Session: Specifies the error displayed when the session is terminated by the server.
Server in maintenance mode: Specifies the error displayed when a session cannot start because the server is performing maintenance.
Access denied by ACL: Specifies the error displayed when an ACL entry denies access.
System is not licensed: Specifies the error displayed when a session cannot start because the system is not licensed.
Session ID is not found: Specifies the error displayed when cookies are disabled, which causes the session ID to be unavailable in the request.
Invalid Session ID: Specifies the error displayed when the Session ID is not correct. This may occur because the session has timed out.
Message / Description
Incorrect username or password: Specifies the text displayed when the user name or password is incorrect.
Incorrect RADIUS username or password with extended error: Specifies the text displayed when the RADIUS user name or password is incorrect, and includes the error message from the RADIUS component.
RADIUS challenge failure: Specifies the text displayed when a RADIUS challenge fails.
RADIUS challenge failure with extended error: Specifies the text displayed when a RADIUS challenge fails, and includes the error message from the RADIUS component.
Incorrect LDAP username or password with extended error: Specifies the text displayed when the LDAP user name or password is incorrect, and includes the error message from the LDAP component.
Incorrect AD username or password with extended error: Specifies the text displayed when the Active Directory user name or password is incorrect, and includes the error message from the Active Directory component.
AD domain password expired: Specifies the text displayed when the Active Directory domain password has expired.
AD domain password expired with extended error: Specifies the text displayed when the Active Directory password has expired, and includes the error message from the Active Directory component.
AD domain password change failure: Specifies the text displayed when the attempt to change the Active Directory password failed.
AD domain password change failure with extended error: Specifies the text displayed when the attempt to change the Active Directory password failed, and includes the error message from the Active Directory component.
Message / Description
SecurID logon failure with retry: Specifies the text displayed when the RSA SecurID logon or password is incorrect.
SecurID logon failure with retry with extended error: Specifies the text displayed when the RSA SecurID logon or password is incorrect, and includes the error message from the SecurID component.
Message / Description
Webtop required: Specifies the error text displayed when a webtop is required but not assigned.
Incorrect resource assigned (Network Access): Specifies the error text displayed when a resource assign action is configured to assign a web application webtop with a network access resource. Webtop and resource types must match.
Incorrect resource assigned (Web Application): Specifies the error text displayed when a resource assign action is configured to assign a network access webtop with a web application resource.
Missing Network Access resource: Specifies the error text displayed when a network access webtop is configured with no network access resource. Webtop and resource types must match.
More than one Network Access resource: Specifies the error text displayed when more than one network access resource is assigned to an access policy branch.
Network Access and Web Application resources assigned: Specifies the error text displayed when both network access and web application resources are assigned to an access policy branch.
Web Application resources have inconsistent patching methods: Specifies the error text displayed when multiple web applications are assigned to an access policy branch with different patching methods. All web application resources assigned to an access policy branch must use the same patching method.
Resource does not exist: Specifies the error text displayed when the assigned resource does not exist.
Webtop does not exist: Specifies the error text displayed when the assigned webtop does not exist.
ACL does not exist: Specifies the error text displayed when the assigned ACL does not exist.
Inconsistent host replacement string: Specifies the error text displayed when web application resources configured in Minimal Patching mode contain inconsistent host replace strings.
Invalid Web Application start URI: Specifies the error text displayed when the web application webtop has an invalid start URI.
Note
We recommend that you use an HTML editor to edit the HTML code for the
framework installation. The code appears unformatted and without line
breaks in the boxes.
Setting / Description
ActiveX install options screen: Specifies the page text and links that prompt a user to install a new ActiveX browser component. This screen appears for Windows Internet Explorer users only.
Browser plugin install with manual install options screen: Specifies the page text and links that prompt a user to install a new browser plug-in component. This screen provides manual download and installation options. This screen appears for most operating systems and browsers.
Browser plug-in install with manual install options screen (Linux): Specifies the page text and links that prompt a user to install a new browser plug-in component. This screen provides manual download and installation options. This screen appears for Linux operating systems and browsers.
Allow browser plugin install screen: Specifies the page text and links displayed when the user's browser does not currently allow software installation. This page contains information about how to enable software installation, and links to continue to install plug-ins or to continue without installing the browser plug-ins.
Allow browser plugin install screen (Linux): Specifies the page text and links displayed when the user's browser does not currently allow software installation. This page contains information about how to enable software installation, and links to continue to install plug-ins or to continue without installing the browser plug-ins. This screen appears for Linux operating systems and browsers.
Java applet install screen: Specifies the text that appears on a page with a Java applet to install a new browser plugin. This page appears only on non-Windows systems.
Java applet install started screen: Specifies the page text and links that appear when the Java applet is installing software. This page appears only on non-Windows systems.
Java applet install started screen on Safari browser: Specifies the page text and links that appear when the Java applet is installing software. This page appears only on Macintosh systems with the Safari web browser.
Java applet install failure screen: Specifies the page text and links that appear when the installation of software with a Java applet fails. This page gives the user options to restart the session, download and manually install the software, or continue without installing software. This page appears only on non-Windows systems.
Setting: Description
Page width (px or %): Specifies the width of the full page in the browser as a percentage. For example, 75%.
Page background color: Specifies the background color of the page, in hexadecimal format. For example, red is #FF0000. The default is white (#FFFFFF).
Setting: Description
Font family (comma-separated): Specifies the font family, for example, Arial, Helvetica, sans-serif.
Headline font size (px): Specifies the font size for headline elements, in pixels (px). For example, 24px.
Text font size (px): Specifies the font size for body text elements, in pixels (px). For example, 12px.
Setting: Description
Header background color: Specifies the background color of the page header area, in hexadecimal format. For example, red is #FF0000. The default is white (#FFFFFF).
Header left image: Specifies the image that is displayed on the left side of the header. Click Browse to select a local file. Click the View/Hide link to show or hide the specified graphical element.
Header right image: Specifies the image that is displayed on the right side of the header. Click Browse to select a local file. Click the View/Hide link to show or hide the specified graphical element.
Setting: Description
Main table background color: Specifies the background color of the main table, which includes the logon form and image cells. This color is specified in hexadecimal format. For example, red is #FF0000. The default is white (#FFFFFF).
Form cell width (px or %): Specifies the width of the table cell allotted for the logon form, in pixels or as a percentage. For example, 50% or 350px. Note that the page width as a whole, of which this value is a portion, is defined with the Page Width setting.
Image cell width: Specifies the width of the table cell allotted for the logon page image, in pixels or as a percentage. For example, 50% or 350px. Note that the page width as a whole, of which this value is a portion, is defined with the Page Width setting.
Setting: Description
Side image alignment: Allows you to graphically specify how the image aligns within the image cell.
Default image: Specifies the default image displayed when a logon page is returned to the user. Click Browse to select an image. Click the View/Hide link to show or hide the specified graphical element. The initial logon page image is not specified here. You can specify the initial logon page image in the logon page action in the access policy.
Image top margin (px): Specifies the margin between the top of the image cell and the image, in pixels. For example, 30px.
Image left margin (px): Specifies the margin between the left side of the image cell and the image, in pixels. For example, 15px.
Image right margin: Specifies the margin between the right side of the image cell and the image, in pixels. For example, 40px.
Setting: Description
Form alignment: Allows you to graphically specify how the logon form is aligned within the logon cell.
Form width (px or %): Specifies the width of the logon form, in pixels, or as a percentage of the logon form cell. For example, 300px or 85%.
Form height (px, %, or auto): Specifies the height of the logon form, in pixels, as a percentage of the logon form cell, or automatically, based on the contents of the cell. For example, 600px, 50%, or auto.
Form background color: Specifies the background color of the logon form, in hexadecimal format. For example, red is #FF0000. The default is light gray (#EEEEEE).
Form top margin (px): Specifies the margin between the top of the logon form and the top of the logon form cell, in pixels. For example, 30px.
Form left margin (px): Specifies the margin between the left side of the logon form and the logon form cell, in pixels. For example, 30px.
Form right margin (px): Specifies the margin between the right side of the logon form and the logon form cell, in pixels. For example, 30px.
Setting: Description
Header alignment: Allows you to graphically specify how the logon form is aligned within the logon cell.
Label position: Allows you to graphically specify where logon form labels are placed relative to form boxes.
Label alignment: Allows you to graphically specify how text labels for form boxes align.
Field alignment: Allows you to graphically specify how form boxes align.
Label width (%): Specifies the width of text labels, relative to the width of the form cell, as a percentage. For example, 50%.
Field width (%): Specifies the width of text boxes, relative to the width of the form cell, as a percentage. For example, 50%.
Setting: Description
JavaScript disabled warning: Specifies the text displayed when JavaScript is not enabled, on platforms and browsers that require it.
New session text: Specifies the text displayed before the new session link.
New session link: Specifies the text displayed as a link to start a new session.
Setting: Description
Success Message: Specifies the text displayed when the user logs out successfully.
Thank you Message: Specifies a thank you message displayed for network access users after logout.
Error Title: Specifies text that indicates that the session could not start.
Error Message: Provides a more specific error message that follows the error title, which indicates that a problem may have occurred during access policy evaluation.
New Session Text: Specifies text that precedes the link a user clicks to start a new session.
New Session Link: Specifies the text label for the hypertext link to start a new session, such as click here. This link follows the New Session Text.
Session ID Title: Specifies the text that precedes the session number when an error occurs.
ACL Denied Page Reject Message: Specifies the message displayed when the user attempts to access a page to which access is specifically denied by an access control list.
ACL Denied Page Return Link Message: Specifies the link text on the ACL Denied page that the user can click to return to the previous page.
Customizing a webtop
You can customize the appearance of a webtop, including the language of
the webtop, the layout of the webtop screen, the messages displayed when
starting and closing the connection, and any error messages.
A webtop must be assigned to an access profile to see and customize the
webtop for the languages assigned to the access profile. If you customize a
webtop that is not assigned to any access profile, you can customize the
default set of languages only.
To customize a webtop
1. On the Main tab of the navigation pane, expand Access Policy, then
click Webtops.
The Webtop List screen opens.
2. Click the name of the webtop to customize.
The Webtop Properties screen appears.
3. Click the Customization tab.
The Webtop Customization screen appears.
4. From the Language list, select the language for which you want to
customize settings.
5. Click the Find Customization button.
The screen displays customization settings.
6. Configure customization settings for the webtop.
7. When you have finished, click Update.
Setting: Description
Toolbar text: Specifies the text that appears in the webtop toolbar.
Main webtop form: Specifies the code that creates the main logon form. We recommend that you edit this code in an HTML editor to make the layout easier to view. The main logon form is created from dynamic elements that you can configure on this screen. Do not add manual line breaks to the webtop form; this causes errors. Use the <br> tag to add a line break to the code.
Setting: Description
Request local credentials during linux installation: Specifies the code that creates a local credentials request screen. This is required for Linux systems only. We recommend that you edit this code in an HTML editor to make the layout easier to view. Do not add manual line breaks to the webtop form; this causes errors. Use the <br> tag to add a line break to the code.
Initialization message: Specifies the message displayed on the logon screen when the logon sequence is initializing.
Installation message: Specifies the message displayed on the logon screen when the logon sequence is installing software.
Loading message: Specifies the message displayed on the logon screen when the logon sequence is starting installed software.
Queued message: Specifies the message displayed on the logon screen when the client is queued to make a connection.
Connecting message: Specifies the message displayed on the logon screen when the client is connecting.
Reconnecting message: Specifies the message displayed on the logon screen when the client is reconnecting.
Connected message: Specifies the message displayed on the logon screen when the client is connected.
Disconnected message: Specifies the message displayed on the logon screen when the client is disconnected.
Failed message: Specifies the message displayed on the logon screen when the connection fails.
Connection dropped error message: Specifies the message displayed when an error occurs, and the connection is dropped. Check the log files for more specific information.
Routing table change caused disconnect error message: Specifies the error displayed when a change to the client routing table causes the session to stop and the client to be disconnected.
Disconnected due to configuration error message: Specifies the error displayed when a configuration error causes the session to stop and the client to be disconnected.
Network Access client internal error message: Specifies the message displayed when an internal client error occurs and causes the network access session to fail. Check the log files for more specific information.
Connection closed by server error message: Specifies the error message displayed when an error occurs on the server, and causes the session to fail. Check the log files for more specific information.
F5 plug-in not installed or incompatible plug-in error message: Specifies the error message displayed when the F5 plug-in is not installed or is incompatible with the current server. This error occurs on Macintosh and Linux clients only.
Setting: Description
Plugin installation incomplete error message: Specifies the message displayed when the F5 plugin is not installed correctly. This error occurs on Linux clients only.
Connection failed to start error message: Specifies the message displayed when the connection cannot start. Check the log files for more specific information.
Connection already established error message: Specifies the message displayed when a connection is already established.
New BIG-IP Edge Client available message: Specifies the message displayed when a newer version of the BIG-IP® Edge Client® plugin is available for download from the server.
Secure connection stopped message: Specifies the message displayed when the secure connection is stopped by the client. Check the log files for more specific information.
Connection to server could not start error message: Specifies the error message displayed when the client cannot make a connection to the server. Check the log files for more specific information.
pppd daemon did not start error message (mac/linux): Specifies the error message displayed when the pppd daemon cannot start. This error occurs on Macintosh and Linux clients only.
Installation error pppd daemon not found in /usr/sbin directory (mac/linux): Specifies the error message displayed when the pppd daemon cannot start. This error occurs on Macintosh and Linux clients only.
Downloading progress bar (caption): Specifies the caption displayed above the progress bar when client components are downloading.
Setting: Description
Show label in table caption: Specifies the text on the webtop screen that the user clicks to show a table caption.
Hide label in table caption: Specifies the text on the webtop screen that the user clicks to hide a table caption.
Show log file link: Specifies the text on the secure access screen that the user clicks to show the log file.
Show routing table link: Specifies the text on the webtop screen that the user clicks to show the routing table.
Setting: Description
Show IP address configuration link: Specifies the text on the webtop screen that the user clicks to show the IP address configuration.
Status element: Specifies the text on the webtop screen that heads the status section.
Setting: Description
Activity section caption: Specifies the caption for the section that shows client and server activity.
Activity section data caption: Specifies the text label for the data element in the activity section.
Activity received section caption: Specifies the text label for the activity section that appears next to the received data number.
Activity sent section caption: Specifies the text label for the activity section that appears next to the sent data number.
Activity compression section caption: Specifies the text label for the compression element in the activity section.
Activity section received data compression element: Specifies the text label for the activity section that appears next to the received data compression percentage.
Activity section sent data compression element: Specifies the text label for the activity section that appears next to the sent data compression percentage.
Details section caption: Specifies the caption for the section that shows details.
Setting: Description
Session timeout dimmed opacity percentage: Specifies the opacity of the background that appears behind the session timeout warning pop-up screen.
Session timeout guard time: Specifies the number of seconds before timeout that the session timeout warning pop-up screen appears.
Session timeout 'inactivity timeout' background color: Specifies the hexadecimal color value of the background that appears behind the session timeout warning pop-up screen, when the timeout occurs because the session is inactive.
Session timeout 'maximum session timeout' background color: Specifies the hexadecimal color value of the background that appears behind the session timeout warning pop-up screen, when the timeout occurs because the session has reached the maximum timeout.
Session timeout action choices message: Specifies the message presented above the user actions that are available in the inactivity timeout and maximum timeout pop-up screens.
Session timeout continue session link: Specifies the link text presented in the inactivity timeout pop-up screen that the user clicks to continue the session.
Session timeout return to session link: Specifies the link text presented in the maximum session timeout pop-up screen that the user clicks to return to the session.
Session timeout return to session without further maximum timeout reminders link: Specifies the link text presented in the maximum session timeout pop-up screen that the user clicks to return to the session and turn off any further session expiration warnings.
Session timeout terminate session link: Specifies the link text presented in both the maximum session timeout and inactivity timeout pop-up screens that the user clicks to end the session.
Setting: Description
Session timeout dialog background color: Specifies the background color of both session timeout pop-up screens.
Session timeout dialog x-size in pixels: Specifies the width of both session timeout pop-up screens, in pixels.
Session timeout dialog y-size in pixels: Specifies the height of both session timeout pop-up screens, in pixels.
Session timeout expired message: Specifies the text that precedes the amount of time until the session expires in both session timeout pop-up screens.
Session timeout 'inactivity timeout' message: Specifies the text heading on the session timeout warning pop-up screen, when the timeout occurs because the session is idle.
Session timeout 'maximum session timeout' message: Specifies the text heading on the session timeout warning pop-up screen, when the timeout occurs because the maximum duration for the session has been reached.
Setting: Description
Hometab - Background color: Specifies the hexadecimal background color value for the hometab.
Hometab - Link color: Specifies the hexadecimal link text color value for the hometab.
Hometab - Data entry color: Specifies the hexadecimal color value for the data entry area on the hometab.
Hometab - Font size: Specifies the font size used on the hometab, in pixels.
Hometab - Background image: Specifies the background image used on the hometab. This image is tiled on the hometab. Click the View/Hide link to show or hide the specified graphical element.
Hometab - Left/Right side image: Specifies the background image used on the left and right sides of the hometab. Click the View/Hide link to show or hide the specified graphical element.
Hometab - Shrink image: Specifies the image used to reduce the hometab. Click the View/Hide link to show or hide the specified graphical element.
Hometab - Shrink image text: Specifies the text next to the hometab shrink image.
Setting: Description
Hometab - Reduced toolbar image: Specifies the image that represents the hometab when it is reduced. Click the View/Hide link to show or hide the specified graphical element.
Hometab - Reduced toolbar: Specifies the text that is displayed to expand the reduced hometab.
Hometab - Field separator image: Specifies the image that is used to separate elements on the hometab. Click the View/Hide link to show or hide the specified graphical element.
Hometab - Open in same window image: Specifies the image that the user clicks to open the specified URL in the current window. Click the View/Hide link to show or hide the specified graphical element.
Hometab - Open in same window image text: Specifies the alt text for the image that the user clicks to open the specified URL in the current window.
Hometab - Open in new window image: Specifies the image that the user clicks to open the specified URL in a new window. Click the View/Hide link to show or hide the specified graphical element.
Hometab - Open in new window image text: Specifies the alt text for the image that the user clicks to open the specified URL in a new window.
Hometab - Home image: Specifies the image for the link that the user clicks to go to the web applications home screen. Click the View/Hide link to show or hide the specified graphical element.
Hometab - Home link text: Specifies the text for the link that the user clicks to go to the web applications home screen.
Hometab - Home image text: Specifies the alt text for the link image that the user clicks to go to the web applications home screen.
Hometab - Logout image: Specifies the image for the link that the user clicks to log out of the web applications connection. Click the View/Hide link to show or hide the specified graphical element.
Hometab - Logout link text: Specifies the text for the link that the user clicks to log out of the web applications connection.
Setting: Description
Hometab - Logout image text: Specifies the alt text for the image that the user clicks to log out of the web applications connection.
Hometab - Set of elements to be displayed: This is a comma-separated list of all the elements displayed on the hometab. The hometab is arranged in the order in which you specify these elements. Elements can be used more than once. The default specification is:
shrink,divider,url,divider,home_text,home_image,divider,logout_text,logout_image
You can specify the following elements for the home tab:
• shrink - Specifies the hometab shrink element.
• divider - Specifies a hometab field separator element.
• url - Specifies the hometab URL box element.
• home_text - Specifies the home link text element.
• home_image - Specifies the home image element.
• logout_text - Specifies the logout link text element.
• logout_image - Specifies the logout image text element.
Setting: Description
Banner Color: Specifies the background color for the banner area at the top of the client screen. This color is specified with a hexadecimal value.
Banner Text Color: Specifies the text color for the messages at the top of the client screen. This color is specified with a hexadecimal value.
Application Name: Specifies the name for the application, displayed in the toolbar.
Logo: Specifies a logo file to show in the banner area at the top of the client screen. Logo files can be PNG, GIF, BMP, or JPG files up to 96x48 pixels in size. A logo file can also be an icon (ICO) file up to 48x48 pixels in size. Click Browse to select a custom logo file. Click View/Hide to view the currently selected logo. The default logo is the F5 red ball.
Setting: Description
Tray Icon Set: Specifies the set of icons to display in the system tray when the client is in use. Select F5 to show the F5 red ball in the system tray. Select Generic to show a set of unbranded icons.
About text: Specifies the copyright text displayed when the user selects About from the BIG-IP Edge Client® menu. The default text is Copyright (C) 2004-2009 F5 Networks, Inc.
About link: Specifies the link text displayed below the copyright when the user selects About from the BIG-IP® Edge Client® menu. The default link text is http://www.f5.com.
Important
Although flexible, this feature is intended for advanced users.
Therefore, you should carefully study the template files before using
advanced customization.
</style>
<![endif]-->
<table id="top_banner" border="0" cellpadding="0" cellspacing="0" width="100%" height="80">
<tr bgcolor='#738495'>
<td><img border="0" src='/public/images/my/flogo.png'><!--[if IE 6]><img border="0" src="/public/images/my/tr.gif" class="pngfix" style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='/public/images/my/flogo.png',sizingMethod='auto');"><![endif]--></td>
<td valign="middle" align="right"><img border="0" src='/public/images/my/fbanner.png'><!--[if IE 6]><img src="/public/images/my/tr.gif" border="0" class="pngfix" style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='/public/images/my/fbanner.png',sizingMethod='auto');"><![endif]--></td>
</tr>
</table>
5. After you have edited the file, the system should display code. The
page is now ready to be used. You need to notify the Access Policy
Manager system that the new page is ready, and you need to clear
the old pages from the cache.
16
Advanced Topics in Access Policies
Note
Typically you configure the logon page by adding your own custom logo
and graphics. To simplify this example, the header box is left as the default
with the F5 graphics and background color.
5. Under Page Footer Settings, in the Footer Text box, type For use
by employees of Bogon Networks, Inc., and
subsidiaries.<br>Copyright © 2009 Bogon Networks,
Inc.<br>All rights reserved.
6. Click Update.
7. Click Apply Access Policy.
4. If general purpose actions are not expanded, click the plus sign
( ) next to General Purpose.
5. Select Route Domain Selection and click Add Item to add the
action to the access policy.
The Route Domain Selection action popup screen opens.
6. From the Route Domain ID list, select the route domain ID.
7. Click Save to complete the configuration.
3. In the Name box, type a name for the access profile, for example,
PolicyRouteTest.
4. Click Finished.
The Access Policy screen appears.
16. Optionally, click the Set Webtop link, and select a network access
webtop to assign to clients who successfully authenticate with
Active Directory, then click the Update button.
17. Click Save to save the action.
18. On the fallback branch following the Active Directory action, click
the plus sign ( ) to add an action.
The Add Item popup screen opens.
19. If authentication actions are not expanded, click the plus sign ( )
next to Authentication.
20. Select the RADIUS Auth action, and click Add Item.
The RADIUS authentication action popup screen opens.
21. From the AAA Server list, select a RADIUS server.
If you do not have a RADIUS server, you can leave the action
unconfigured for the purposes of the example.
22. Click Save to save the action.
23. On the successful branch following the RADIUS action, click the
plus sign ( ) to add an action.
The Add Item popup screen opens.
24. If general purpose actions are not expanded, click the plus sign
( ) next to General Purpose.
25. Select the Route Domain Selection action, and click Add Item.
The Route Domain Selection action popup screen opens.
26. From the Route Domain ID list, select 1.
This assigns the route domain gateway you defined earlier to clients
who successfully authenticate to the RADIUS server.
27. Click Save to save the action.
28. On the successful branch following the route domain selection
action, click the plus sign ( ) to add an action.
The Add Item popup screen opens.
29. If general purpose actions are not expanded, click the plus sign
( ) next to General Purpose.
30. Select the Resource Assign action, and click Add Item.
The Resource Assign action popup screen opens.
31. Click the Add new entry button.
32. Click the Set Network Access Resource link, select a network
access resource to assign to clients who successfully authenticate
with RADIUS, and click the Update button.
33. Optionally, click the Set Webtop link, and select a network access
webtop to assign to clients who successfully authenticate with
Active Directory, then click the Update button.
Note that you can assign the same network access resource to both
types of clients; because a different route domain is specified in
the route domain selection action, the clients will still reach
separate routers.
34. Click Save to save the action.
35. Click the endings following the two resource assign actions, and
change them both to allow endings, by selecting Allow and clicking
Save.
Note
The Tcl language specifies that the expression begin with the syntax expr.
For a complete description of the various operators and syntax allowed in a
Tcl expression, see http://www.tcl.tk/man/tcl8.0/TclCmd/expr.htm.
Note
The name space for Access Policy Manager is shared across all rules. If you
define a Tcl variable in one rule, it is accessible in another rule also. We
recommend that you use a unique prefix for local variables in each rule, to
avoid polluting variables from different rules.
In this scenario, if the value returned by the expression is not zero, the rule is
evaluated as true, and the access policy continues and follows the
corresponding rule branch. If the value returned by the expression is zero,
the rule is evaluated as false, and the access policy follows the branch
assigned to the negative response (typically a fallback branch).
In this scenario, the expression returns a value. If the return value is not
zero, the resource assignment rule is true, and the access policy assigns the
corresponding resource or ACL to the user. If the return value is zero, the
resource assignment rule is evaluated as false, and the access policy does not
assign the resource or ACL.
In this scenario, the custom expression returns a value that the variable
assign action then assigns to the custom variable.
8. From the Name list, select the name of the network access resource
in which you want to overwrite the variable.
9. From the Property list, select the network access resource property
you want to overwrite with a custom expression.
10. In the Custom Expression box, type the expression.
11. When you are finished, click Finished.
12. Click Save.
In this scenario, the expression returns a value that overwrites the value of
the selected property from the network access resource.
Figure 16.3 Tcl code to check that all antivirus packages are active
return 1;
Figure 16.4 Tcl code to extract the logon name from a certificate field
Figure 16.5 Case study rule for Certificate CN in variable assign popup screen
17
Logging and Reporting
• Understanding logging
• Understanding reports
• Viewing statistics
Understanding logging
Viewing and maintaining log messages is an important part of maintaining
the Access Policy Manager. Log messages inform you on a regular basis of
the events that are happening on the system. Some of these events pertain to
general events happening within the system, while other events are specific
to the Access Policy Manager, such as stopping and starting Access Policy
Manager system services.
The Access Policy Manager uses syslog-ng to log events. The syslog-ng
utility is an enhanced version of the standard logging utility syslog.
The types of event messages available on the Access Policy Manager are:
• Access Policy events
Access Policy event messages include logs pertinent to access policy,
SSO, network access, and web applications. To view access policy events,
on the navigation pane, expand System, and click Logs.
• Audit Logging
Audit event messages are those that the Access Policy Manager system
logs as a result of changes made to its configuration.
For more information on other log events, refer to the BIG-IP®
Configuration Guide for Local Traffic Manager™, on the AskF5 web
site, https://support.f5.com.
You can also use the Configuration utility to search for a string within a log
event, that is, you can filter the display of the log messages according to the
string you provide. For more information, see Setting log levels, on page
17-6.
Tip
You can also configure the system to send email or to activate pager
notification based on the priority of the logged event.
Note
Files are rotated daily if their size exceeds 10MB. Additionally, weekly
rotations are enforced if the rotated log file is a week old, regardless of
whether or not the file exceeds the 10MB threshold.
Field: Description (log types the field applies to)
Timestamp: The time and date that the system logged the event message. (System, Access Policy, Audit)
Log Level: Provides log level detail for each message. (Access Policy)
Host: The host name of the system that logged the event message. Because this is typically the host name of the local machine, the appearance of a remote host name could be of interest. (System)
Status code: The status code associated with the event. Note that only events logged by BIG-IP system components, and not operating system services, have status codes. (Access Policy)
Description: The description of the event that caused the system to log the message. (System)
Event: Provides the description of the event so that it can be applicable to both Audit and Access policy logging. (Audit, Access Policy)
Note
For standalone clients, once a user has logged out and then logged back in,
the session ID is displayed as invalid and remains as such in the
Notice logs. The user is then assigned a new session ID. This is expected
behavior of the system.
Each type of event is stored in a log file, and the information stored in each
log file varies depending on the event type.
• Access policy events. Messages are logged in the /var/log/apm file.
• Audit events. Messages are logged in the var/log/audit file.
The Access Policy Manager logs the messages for these auditing events in
the /var/log/audit file.
Using the Configuration utility, you can display audit log messages. Table
17.3 shows some sample audit log entries. In this example, the first entry
shows that user Janet enabled the audit logging feature, while the second
and third entries show that user Matt designated the BIG-IP system to be a
redundant system with a unit ID of 1.
The log levels that you can set on certain types of events are sequenced
from highest severity to lowest severity, like this:
• Emergency
• Alert
• Critical
• Error
• Warning
• Notice
• Informational
• Debug
• Verbose
This causes the system to log messages for user-initiated configuration
changes and any loading of configuration data.
• Debug
This causes the system to log messages for all user-initiated and
system-initiated configuration changes.
Understanding reports
You can review reports about the sessions created on the system. With
Access Policy Manager, you can view either Current Sessions or All
Sessions. Under Current Sessions, you can configure the display settings
for your sessions. Table 17.4 lists the information types in the report
and their descriptions.
Client IP The IP address of the client machine that the user connects
from.
Command                        Description
-aclogsforsession session_id   Returns access control logs for the given session ID <sid>.
-saforsession <sid>            Returns session activity information for the given session ID <sid>.
-count                         Returns the number of entries in the access control and logon logs.
-start <index>                 Returns entries starting from the given <index>. The default is the
                               first entry (index is 1).
-end <index>                   Returns entries up to the given <index>. The default is the last entry.
Viewing statistics
APM statistics are available from the APM dashboard, in APM reports, by
using SNMP, or by using tmsh from the CLI. For more information, refer to
these resources.
◆ Sections of this chapter:
• Viewing the Access Policy Manager dashboard
• Understanding reports
◆ This appendix, Configuring SNMP
◆ Traffic Management Shell (tmsh) Reference Guide, available from
askF5™ at http://support.f5.com/kb/en-us.html.
Tip
By clicking the grid icon in the upper left corner of each window, you
can display the same information in a table format.
You can view them in either real-time, or historical time ranges. You may
want to view active sessions at various times of the day to determine the
peak and select the best time to perform system maintenance, for example.
If you notice that the total number of sessions peaked while the total number
of established sessions remains low, this may indicate that a malicious
attack is occurring in your network environment.
Hits and misses are derived by subtracting the server responses from the
client responses. A server response indicates that the requested information
was not in cache.
18
Configuring SNMP
Typical SNMP tasks that an SNMP manager performs include polling for
data about a device, receiving notifications from a device about specific
events, and modifying writable object data.
The last item in the list refers to the ability of an SNMP manager system to
enable or disable various Access Policy Manager system objects such as
virtual servers and nodes. Specifically, you can use SNMP to:
• Enable or disable a virtual server
• Enable or disable a virtual address
• Enable or disable a node
• Enable or disable a pool member
• Set a node to an up or down state
• Set a pool member to an up or down state
• Reset statistical data for all Access Policy Manager objects
8. For the Access setting, select an access level, either Read Only or
Read/Write. (This access level applies to the community name you
specified in step 6.)
9. Click Finished.
WARNING
You must remember to configure both authentication and privacy settings to
use SNMPv3. Otherwise, an error occurs and SNMPv3 will not work
properly.
Note
Configuring traps
On the Access Policy Manager system, traps are definitions of unsolicited
notification messages that the Access Policy Manager alert system and the
SNMP agent send to the SNMP manager when certain events occur on the
Access Policy Manager system. Configuring SNMP traps on an Access
Policy Manager system means configuring the way that the Access Policy
Manager system handles traps, as well as setting the destination for
notifications that the alert system and the SNMP agent send to an SNMP
manager.
The Access Policy Manager system stores traps in two specific files:
• /etc/alertd/alert.conf
Contains default SNMP traps.
• /config/user_alert.conf
Contains user-defined SNMP traps.
Important
Do not add or remove traps from the /etc/alertd/alert.conf file.
You use the Configuration utility to configure traps, that is, enable traps and
set trap destinations. When you configure traps, the Access Policy Manager
system automatically updates the alert.conf and user_alert.conf files.
Important
If you are using SNMP V3 and want to configure a trap destination, you do
not use the SNMP screens within the Configuration utility. Instead, you
configure the snmpd.conf file. For more information, see the man page for
the snmpd.conf file.
Note
All Access Policy Manager system statistics are defined by 64-bit counters.
Thus, because only SNMP v2c supports 64-bit counters, your management
system needs to use SNMP v2c to query Access Policy Manager system
statistics data.
To view the set of standard SNMP MIB files that you can download to the
SNMP manager system, list the contents of the Access Policy Manager
system directory /usr/share/snmp/mibs.
Note
To manage an Access Policy Manager system with SNMP, you need to use
the standard set of SNMP commands. For information on SNMP commands,
consult your favorite third-party SNMP documentation, or visit the web site
http://net-snmp.sourceforge.net.
The Access Policy Manager system includes a set of enterprise MIB files:
• F5-BIGIP-COMMON-MIB.txt
• F5-BIGIP-LOCAL-MIB.txt
• F5-BIGIP-SAM-MIB.txt
• F5-BIGIP-SYSTEM-MIB.txt
These MIB files contain information that you can use for your remote
management station to poll the SNMP agent for Access Policy Manager
system-specific information, receive Access Policy Manager
system-specific notifications, or set Access Policy Manager system data.
In general, you can use this MIB file to get information on any local traffic
manager object (virtual servers, pools, nodes, profiles, SNATs, health
monitors, and iRules). You can also reset statistics for any of these objects.
To see all available enterprise MIB objects for local traffic manager, you
can view the F5-BIGIP-LOCAL-MIB.txt file in the directory
/usr/share/snmp/mibs on the Access Policy Manager system.
MIB-II                             f5.bigipSystem
interfaces                         sysNetwork.sysInterfaces.sysInterface
                                   sysNetwork.sysInterfaces.sysInterfaceStat
                                   sysNetwork.sysInterfaces.sysInterfaceMediaOptions
ip                                 sysGlobalStats.sysGlobalIpStat
ip.AddrTable                       sysNetwork.sysSelfIp
ip.RouteTable                      sysNetwork.sysRoute
ip.ipNetToMediaTable               sysNetwork.sysArpNdp
icmp                               sysGlobalStats.sysGlobalIcmpStat
tcp                                sysGlobalStats.sysGlobalTcpStat
udp                                sysGlobalStats.sysGlobalUdpStat
transmission/dot3.dot3StatTable    sysNetwork.sysTransmission.sysDot3Stat
transmission/dot3.dot3CollTable
dot1dBridge.dot1dBase              sysNetwork.sysDot1dBridge
dot1dBridge.dot1dStp               sysNetwork.sysSpanningTree.sysStpBridgeStat
                                   sysNetwork.sysSpanningTree.sysStpBridgeTreeStat
                                   sysNetwork.sysSpanningTree.sysInterfaceStat
                                   sysNetwork.sysSpanningTree.sysInterfaceTreeStat
dot1dBridge.dot1dTp                sysGlobalAttr.VlanFDBTimeout
dot1dBridge.dot1dTpFdbTable        sysNetwork.sysL2
dot1dTpPortTable                   sysNetwork.sysInterfaces.sysInterfaceStat
ifMIB/ifMIBObjects.ifXTable        sysNetwork.sysInterfaces.sysIfxStat
To see all available enterprise MIB system objects, you can view the
F5-BIGIP-SYSTEM-MIB.txt file in the directory /usr/share/snmp/mibs
on the Access Policy Manager system.
Each type of metric has one or more SNMP object IDs (OIDs) associated
with it. To gather performance data, you specify these OIDs with the
appropriate SNMP command.
For example, the following SNMP command collects data on current
memory use, where public is the community name and bigip is the host
name of the Access Policy Manager system:
snmpget -c public bigip sysGlobalStat.sysStatMemoryUsed.0
For some types of metrics, such as memory use, simply issuing an SNMP
command with an OID gives you the information you need. For other types
of metrics, the data that you collect with SNMP is not useful until you
perform a calculation on it.
For example, to determine the throughput rate of client bits coming into the
Access Policy Manager system, you must perform the following calculation
on the data that you collect with the OID shown:
( sysStatClientBytesIn (.1.3.6.1.4.1.3375.2.1.1.2.1.3)*8 ) / time
This calculation takes the data resulting from specifying the OID
sysStatClientBytesIn, multiplies the value by 8, and divides it by the
elapsed time.
The following sections contain tables that list:
• The performance data that the Configuration utility displays
• The OIDs that you can use to collect the performance data
• The calculations that you must perform to interpret the performance data
that you collect
Note
If an OID that is listed in any of the following sections does not show a
calculation, then no calculation is required.
[Tables listing, for each Performance Graph in the Configuration utility, the
graph metrics, the required SNMP OIDs and the required calculations; the table
bodies were not recovered. The only surviving caption is Table 18.8 Required
OIDs for collecting metrics on RAM Cache utilization.]
2. For each OID, calculate the delta of the values from the two polls, as
shown in the following example. Note that in the formula shown,
values such as sysStatTmTotalCycles2 and sysStatTmTotalCycles1
represent the values that result from the two polls you performed in
step 1 for each OID.
DeltaTmTotalCycles = sysStatTmTotalCycles2 - sysStatTmTotalCycles1
DeltaTmIdleCycles = sysStatTmIdleCycles2 - sysStatTmIdleCycles1
DeltaTmSleepCycles = sysStatTmSleepCycles2 - sysStatTmSleepCycles1
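As an added example, not part of this manual or of F5's own tooling, the following Python script applies the two calculations described above (the client bit throughput derived from sysStatClientBytesIn, and the cycle deltas from step 2) to the output of two snmpget polls. The poll() helper, the Sample class, the counter-wrap handling and the sample output lines are constructed for this example; the object names are the ones the manual uses, and the output format assumed is the one net-snmp prints with the F5 MIBs loaded.

```python
import re
import subprocess
import time
from dataclasses import dataclass, field

# One line of net-snmp snmpget output with the F5 MIBs loaded, for example:
#   F5-BIGIP-SYSTEM-MIB::sysStatClientBytesIn.0 = Counter64: 1000000
# The MODULE:: prefix is optional so bare object names parse as well.
SNMP_LINE = re.compile(
    r"^(?:[\w-]+::)?(?P<name>\w+)\.0\s*=\s*"
    r"(?P<type>Counter32|Counter64|Gauge32|INTEGER):\s*(?P<value>\d+)\s*$"
)

# Modulus applied when a counter wrapped between two polls. APM statistics
# are 64-bit counters, so poll with SNMP v2c; over v1, Counter64 objects
# are not returned at all.
COUNTER_MODULUS = {"Counter32": 2 ** 32, "Counter64": 2 ** 64}


@dataclass
class Sample:
    """Result of one poll: when it completed and the parsed object values."""
    when: float                                  # epoch seconds
    values: dict = field(default_factory=dict)   # name -> (ASN.1 type, int)


def parse_snmpget_output(text):
    """Parse snmpget output into {object name: (type, value)}. Lines that
    are not a scalar response (errors, "No Such Object") are skipped."""
    values = {}
    for line in text.splitlines():
        m = SNMP_LINE.match(line.strip())
        if m:
            values[m["name"]] = (m["type"], int(m["value"]))
    return values


def poll(host, community, objects):
    """Run one snmpget against the APM system (hypothetical helper; needs
    net-snmp on the management station and the F5 MIB files installed)."""
    cmd = ["snmpget", "-v2c", "-c", community, host]
    cmd += [name + ".0" for name in objects]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return Sample(when=time.time(), values=parse_snmpget_output(out.stdout))


def counter_delta(name, first, second):
    """value2 - value1 for one object, corrected for a counter wrap.
    A device reboot also makes the delta negative; this example cannot tell
    the two apart, so compare sysUpTime across the polls in production."""
    kind1, v1 = first.values[name]
    kind2, v2 = second.values[name]
    if kind1 != kind2:
        raise ValueError(f"{name}: type changed between polls")
    delta = v2 - v1
    if delta < 0 and kind1 in COUNTER_MODULUS:
        delta += COUNTER_MODULUS[kind1]
    return delta


def client_bits_per_second(first, second):
    """(sysStatClientBytesIn delta * 8) / elapsed seconds, the throughput
    calculation the manual gives for client bits coming in."""
    elapsed = second.when - first.when
    if elapsed <= 0:
        raise ValueError("second poll must be later than the first")
    return counter_delta("sysStatClientBytesIn", first, second) * 8 / elapsed


def tm_cycle_deltas(first, second):
    """The three deltas from step 2 of the CPU utilization procedure."""
    return {
        "DeltaTmTotalCycles": counter_delta("sysStatTmTotalCycles", first, second),
        "DeltaTmIdleCycles": counter_delta("sysStatTmIdleCycles", first, second),
        "DeltaTmSleepCycles": counter_delta("sysStatTmSleepCycles", first, second),
    }


# Constructed output of two polls ten seconds apart (not captured from a
# real system); the values are chosen so the arithmetic is easy to follow.
POLL_1 = """\
F5-BIGIP-SYSTEM-MIB::sysStatClientBytesIn.0 = Counter64: 1000000
F5-BIGIP-SYSTEM-MIB::sysStatTmTotalCycles.0 = Counter64: 1000
F5-BIGIP-SYSTEM-MIB::sysStatTmIdleCycles.0 = Counter64: 500
F5-BIGIP-SYSTEM-MIB::sysStatTmSleepCycles.0 = Counter64: 100
"""
POLL_2 = """\
F5-BIGIP-SYSTEM-MIB::sysStatClientBytesIn.0 = Counter64: 2250000
F5-BIGIP-SYSTEM-MIB::sysStatTmTotalCycles.0 = Counter64: 5000
F5-BIGIP-SYSTEM-MIB::sysStatTmIdleCycles.0 = Counter64: 2500
F5-BIGIP-SYSTEM-MIB::sysStatTmSleepCycles.0 = Counter64: 600
"""
SAMPLE_1 = Sample(when=1000.0, values=parse_snmpget_output(POLL_1))
SAMPLE_2 = Sample(when=1010.0, values=parse_snmpget_output(POLL_2))

if __name__ == "__main__":
    bps = client_bits_per_second(SAMPLE_1, SAMPLE_2)
    print("client throughput: %.0f bit/s" % bps)       # 1000000 bit/s
    print(tm_cycle_deltas(SAMPLE_1, SAMPLE_2))
```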
A
Configuring BIG-IP Access Policy Manager clients
If the client starts a network access tunnel, one of the following must be
true:
• The client has Administrator privileges on the client system.
• The client control is already installed on the system.
• The Component Installer Package for Windows has been installed on
the system.
Access policy sessions other than network access tunnels do not require
administrative access. All client-side checks and actions, except the
Windows group policy action, can be run without administrative rights.
For Apple® Macintosh® (OS X only) and Linux®-based systems, the user
must have Superuser authority, or the user must supply the administrative
password at the time of initial installation.
For more information about downloading and installing the client
components, see Understanding client components on Windows systems,
following. For more information about the Component Installer, see Using
the component installer package to preinstall client components, on page
A-11.
[Table of user rights requirements for client-side checks; the column headers
were not recovered. Rows, under Client-Side Check Capability: UI mode check
(OK in every column), Client OS check (OK in every column), Logging action
(OK in every column).]
The following table lists user rights required to use other access policy
checks.
Table A.2 User rights requirements for other access policy checks (column
headers not recovered). Rows: HTTP Auth (OK in every column), RSA SecurID
(OK in every column).
For client systems that have the components pre-installed using the MSI
package, the requirements are the same. In cases in which user rights are
insufficient, although the system cannot download the update, the
previously installed component still works.
Note
• CPU Saver
Specifies, when enabled, that the system monitors the percentage of CPU
usage, disables compression automatically when the CPU usage reaches
the CPU Saver High Threshold, and re-enables compression when the CPU
usage falls to the CPU Saver Low Threshold.
• CPU Saver High Threshold
Specifies the percentage of CPU usage at which the system disables
compression.
• CPU Saver Low Threshold
Specifies the percentage of CPU usage at which the system resumes
content compression at the user-defined rates.
◆ Maintain History
Specifies whether the BIG-IP® Edge Client® maintains a list of recently
used Access Policy Manager servers. The BIG-IP Edge Client always
lists the servers defined in the connectivity profile, and sorts the list of
servers by most recent access, whether this option is selected or not.
However, the BIG-IP Edge Client lists user-entered servers only if this
option is selected.
◆ Use Windows Logon Credentials
Specifies that the BIG-IP Edge Client attempts to log on using the same
credentials that were typed for Windows logon to start the Access Policy
Manager session. To use this option, you must include the User Logon
Credentials Access Service for Windows in the download package,
specified on the Components Download tab, on the BIG-IP Edge Client
for Windows link. The User Logon Credential Access Service for
Windows stores the user’s Windows logon and password in an encrypted
file that persists for the duration of the Access Policy Manager session.
◆ Enable User Password Caching
Specifies whether the BIG-IP Edge Client can cache the user password,
either on the disk or in memory.
◆ Allow user to save encrypted password on disk
When this option is enabled, a Save password checkbox appears on the
logon page. If the user selects the Save password checkbox, the user’s
password is encrypted on disk, and cached when the system reboots or
when the BIG-IP Edge Client is restarted. This option is only available if
the Maintain History option is enabled.
◆ Cache password within application for x minutes
When this option is enabled, the BIG-IP Edge Client caches a user’s
password within the BIG-IP Edge Client application for automatic
reconnection purposes. You can specify an expiration time, to indicate
how long the cached password should remain valid. A value of 0 means
there is no password cache time limit. Even if this option is enabled, the
user is required to enter credentials after a server change, a manual client
disconnect, or a BIG-IP Edge Client restart.
◆ Automatically update components
Specifies that client components are automatically updated on the client
when newer versions are available on the server.
This option applies to updates for the BIG-IP Edge Client, but not to
other client components. When updating the other client components,
prompts are controlled by your browser security settings, the publisher of
the update package and the presence of the F5 Networks Component
Installer Service.
◆ Prompt user before installing updates
Specifies that the user is notified and prompted to continue or cancel
before a newer version of a client component is installed by the server.
This option applies to updates for the BIG-IP Edge Client, but not to
other client components. When updating the other client components,
prompts are controlled by your browser security settings, the publisher of
the update package and the presence of the F5 Networks Component
Installer Service.
You can configure client settings for a connectivity profile, and then create a
custom client download package that includes the specified connectivity
settings.
• Virtual Server
Specifies the virtual server URL to which the Windows Mobile client
connects.
• Work URL Exceptions List
Specifies URLs that the Windows Mobile client can access through the
secure connection. Type URLs or IP addresses in this box. You can use
wildcards to specify addresses. For example, *.siterequest.com,
files.siterequest.com, 192.168.10.1, and 192.168.* are all valid entries.
You can configure mobile client settings for a connectivity profile, and then
create a custom client download package that includes the specified
connectivity settings.
Manager servers, and define DNS suffixes that specify whether your
computer is on a local network or not. For more information, see
Customizing client download packages, on page A-9.
• Download the BIG-IP Edge Client for Windows Mobile 5.0 and
higher (ARM processor). Click this link to download the BIG-IP® Edge
Client® for Windows Mobile 5.0 or later devices with an ARM
processor. For more information, see Configuring connectivity profile
mobile client settings, on page A-7.
• Download the BIG-IP Edge Client for Pocket PC 2003 (ARM
processor). Click this link to download the BIG-IP Edge Client for
PocketPC 2003 devices with an ARM processor. For more information,
see Configuring connectivity profile mobile client settings, on page A-7.
• Download the BIG-IP Edge Client for Pocket PC 2003 (x86
processor). Click this link to download the BIG-IP Edge Client for
PocketPC 2003 devices with an x86 processor. For more information, see
Configuring connectivity profile mobile client settings, on page A-7.
The client package you specified is downloaded to your local system as the
file BIGIPEdgeClient.exe. You can install this downloaded package onto
client computers, or you can copy the packages to a shared location so that
individual users can complete their own installation.
Important
The remote user must have superuser authority, or must be able to supply an
administrative password in order to successfully install the network access
client.
Both Macintosh and Linux systems must also include PPP support (this is
most often the case). When the user runs the network access client and
makes a connection for the first time, the client detects the presence of pppd
(the point-to-point protocol daemon), and determines whether the user has
the necessary permissions to run it. If pppd is not present, or if the user does
not have permissions needed to run the daemon, the connection fails.
After installation, the Macintosh client must restart the browser before
starting network access.
Note
If you have a firewall enabled on your Linux system, you need to enable
access on IP address 127.0.0.1 port 44444.
Note
On the BIG-IP Edge Client screen, the client can configure the following
connection options:
• Auto-Connect
Starts a secure access connection as it is needed. This option uses the
DNS suffix information defined in the connectivity profile to determine
when the computer is on a defined local network. When the computer is
not on a defined local network, the secure access connection starts. When
the computer is on a local network, the client disconnects, but remains
active in the system tray. When you open the disconnected client, the
message Disconnected - Lan detected appears in the top pane of the
client window, as shown in Figure A.1.
• Connect
Starts and maintains a secure access connection at all times, regardless of
your computer’s network location.
• Disconnect
Stops an active secure access connection, and prevents the client from
connecting again. After you click this option, a secure access connection
does not start again until you click one of the previous two options.
In addition, the client can click the Change Server button to change the
Access Policy Manager server.
Figure A.2 BIG-IP Edge Client screen with traffic graph expanded
The Details screen provides four tabs that contain information relevant to
the operation of the BIG-IP® Edge Client®. Click each tab to view the
information for that feature. The tabs are:
• Connection Details - Shows details of the current connection, including
status, server, tunnel details, and the amount of traffic sent and received.
• Routing Table - Shows the current routing table for the client system.
• IP Configuration - Shows the current IP configuration for the client
system. The information in this tab is the same information you see when
you issue the command ipconfig /all at the Windows command
prompt.
• Miscellaneous - Shows version information for the client software, the
Access Policy Manager servers defined in the client, and the DNS
suffixes used for network location awareness.
B
Access Policy Example
Configuring resources
This section shows how to configure the lease pools and ACLs for the
example.
5. Above the Access Control Entries list, click the Add button.
The New Access Control Entry screen opens.
6. From the Type list, select L4.
7. From the Action list, select Allow.
8. Click Finished.
Because you did not type any IP addresses or ports, but only
selected an action, this ACL is configured as a default ACL, which
means this action (Allow) is applied to all connections, on all IP
addresses, and all protocols.
9. On the Main tab of the navigation pane, click ACLs again.
10. Click the Create button.
The New ACL screen opens.
11. In the Name box, type the name AD_ACL2.
12. Click the Create button.
The ACL Properties screen opens.
13. Above the Access Control Entries list, click the Add button.
The New Access Control Entry screen opens.
14. From the Type list, select L4.
15. In the Destination Ports area, from the Port list, select FTP.
16. From the Action list, select Reject.
17. Click Finished.
Again, because you did not type any IP addresses, but only selected
an action and a protocol, this ACL rejects all connections on any IP
address that attempt to use port 21, the typical FTP port.
Figure B.2 The AD auth query and resources macro after preparation, and after the second AD Query action is added
4. In the Name box for the new terminal, replace the name Terminal 1
with the name Group200.
5. Click the color chooser box next to Group200.
6. Select the blue color #5 to change the color of the terminal, and
click Save.
Note that you can choose any color for this terminal.
7. Click Save.
8. In the macro configuration, click the Failure terminal connected to
the Resource Assign 2 action.
The Select Terminal popup screen opens.
9. Select the Group200 terminal, and click Save.
The section of the macro you just configured appears in the
following figure.
Figure B.3 The resource assign actions and macro terminals in the edited macro
To complete the configuration, you must add this macro to your access
policy, using the following procedure.
C
Session Variables
• Introducing Tcl
Note
Introducing Tcl
You write rules in Tcl. Although this appendix is not an exhaustive
reference for writing and using Tcl expressions, it includes some common
operators and syntax rules. Tcl expressions begin with the syntax expr. For
more information, see http://www.tcl.tk/man/tcl8.5/TclCmd/expr.htm.
Note
Standard operators
You can use Tcl standard operators with most BIG-IP® Access Policy
Manager rules. You can find a full list of these operators in the Tcl online
manual, at http://www.tcl.tk/man/tcl8.5/TclCmd/expr.htm.
Standard operators include:
• - + ~ !
Unary minus, unary plus, bit-wise NOT, logical NOT. None of these
operators may be applied to string operands, and bit-wise NOT may be
applied only to integers.
• **
Exponentiation. Valid for any numeric operands.
• * / %
Multiply, divide, remainder. None of these operators may be applied to
string operands, and remainder may be applied only to integers. The
remainder will always have the same sign as the divisor and an absolute
value smaller than the divisor.
• + -
Add and subtract. Valid for any numeric operands.
• << >>
Left and right shift. Valid for integer operands only. A right shift always
propagates the sign bit.
• < > <= >=
Boolean less than, greater than, less than or equal to, and greater than or
equal to. Each operator produces 1 if the condition is true, 0 otherwise.
These operators may be applied to strings as well as numeric operands, in
which case string comparison is used.
• == !=
Boolean equal to and not equal to. Each operator produces a zero/one
result. Valid for all operand types.
• eq ne
Boolean string equal to and string not equal to. Each operator produces a
zero/one result. The operand types are interpreted only as strings.
• in ni
List containment and negated list containment. Each operator produces a
zero/one result and treats its first argument as a string and its second
argument as a Tcl list. The in operator indicates whether the first
argument is a member of the second argument list; the ni operator inverts
the sense of the result.
• &
Bit-wise AND. Valid for integer operands only.
• ^
Bit-wise exclusive OR. Valid for integer operands only.
• |
Bit-wise OR. Valid for integer operands only.
• &&
Logical AND. Produces a 1 result if both operands are non-zero, 0
otherwise. Valid for boolean and numeric (integers or floating-point)
operands only.
• ||
Logical OR. Produces a 0 result if both operands are zero, 1 otherwise.
Valid for boolean and numeric (integers or floating-point) operands only.
• x?y:z
If-then-else, as in C. If x evaluates to non-zero, then the result is the
value of y. Otherwise the result is the value of z. The x operand must
have a boolean or numeric value.
Rule operators
A rule operator compares two operands in an expression. In addition to
using the Tcl standard operators, you can use the operators listed below.
• contains - Tests if one string contains another string.
• ends_with - Tests if one string ends with another string.
• equals - Tests if one string equals another string.
• matches - Tests if one string matches another string.
• matches_regex - Tests if one string matches a regular expression.
• starts_with - Tests if one string starts with another string.
• switch - Evaluates one of several scripts, depending on a given value.
Logical operators
Logical operators are used to compare two values.
• and - Performs a logical "and" comparison between two values.
• not - Performs a logical "not" action on a value.
• or - Performs a logical "or" comparison between two values.
C-4
Session Variables
Denied Ending: session.policy.result (string), for example "access_denied".
The result of the access policy. The result is the ending; for this ending,
the result is access_denied.
session.check_av.$name.item_0.ui: UI state.
Mac file check: session.mac_check_file.$name.item_0.exist (string). True if
all files exist on the client.
session.client.version (string)
session.client.js (bool)
session.client.activex (bool)
session.client.plugin (bool)
session.assigned.acls.sorted (string), for example "ACL1 ACL3 ACL5". A
space-delimited list of assigned ACLs. This variable is created to store
the list of ACLs. To modify the list of ACLs with the variable assign action
or an advanced access policy rule, modify the previous session variable,
session.assigned.acls.
session.assigned.leasepool (string), for example lp1. The lease pool assigned
to the client session.
session.logon.last.username (string), for example "username". You can use
the session user name variable with the variable assign action to replace
the user name value that is passed to an authentication action in the access
policy. An authentication action then authenticates with this user name
value. For an example, see Example: Using a certificate field for logon
name, on page 16-25.
<dns>
  <dns_primary>IP Address</dns_primary>
  <dns_secondary>IP Address</dns_secondary>
</dns>
<dns>
  <dns_primary>4.2.2.1</dns_primary>
  <dns_secondary>4.2.2.2</dns_secondary>
</dns>
Important
The result of an evaluated expression or custom expression that you use to
replace a network access property must provide a value in the format
described in the Attribute value format column.
client_interface_speed (int): The number for the client interface speed
value in the network access resource, in bytes.
tunnel_port_dtls (int): The attribute is the DTLS port, for example 4433.
Note: setting this to any number other than 0 enables DTLS in the network
access resource, and sets the number you specify as the DTLS port.
D
Using Access iRule Events
• Introducing iRules
Introducing iRules
An iRule is a powerful and flexible feature within the BIG-IP® Local Traffic
Manager™ system that you can use to manage your network traffic. Using
syntax based on the industry-standard Tools Command Language (Tcl), the
iRules™ feature not only allows you to select pools based on header data,
but also allows you to direct traffic by searching on any type of content data
that you define. Thus, the iRules feature significantly enhances your ability
to customize your content switching to suit your exact needs.
The remainder of this introduction presents an overview of iRules, lists the
basic elements that make up an iRule, and shows some examples of how to
use iRules to direct traffic to a specific destination such as a pool or a
particular node.
Important
For complete and detailed information on iRules syntax, see the F5
Networks DevCentral web site, http://devcentral.f5.com. Note that iRules
must conform to standard Tcl grammar rules; therefore, for more
information on Tcl syntax, see
http://tmml.sourceforge.net/doc/tcl/index.html.
What is an iRule?
An iRule is a script that you write if you want individual connections to
target a pool other than the default pool defined for a virtual server. iRules
allow you to more directly specify the destinations to which you want traffic
to be directed. Using iRules, you can send traffic not only to pools, but also
to individual pool members, ports, or URIs.
The iRules you create can be simple or sophisticated, depending on your
content-switching needs. Figure D.1 shows an example of a simple iRule.
when CLIENT_ACCEPTED {
    if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
        pool my_pool
    }
}
iRules can direct traffic not only to specific pools, but also to individual pool
members, including port numbers and URI paths, either to implement
persistence or to meet specific load balancing requirements.
The syntax that you use to write iRules is based on the Tool Command
Language (Tcl) programming standard. Thus, you can use many of the
standard Tcl commands, plus a robust set of extensions that the BIG-IP
system provides to help you further increase load balancing efficiency.
Event declarations
iRules are event-driven, which means that the BIG-IP system triggers an
iRule based on an event that you specify in the iRule. An event declaration
is the specification of an event within an iRule that causes the BIG-IP
system to trigger that iRule whenever that event occurs. Examples of event
declarations that can trigger an iRule are HTTP_REQUEST, which triggers
an iRule whenever the system receives an HTTP request, and
CLIENT_ACCEPTED, which triggers an iRule when a client has
established a connection.
Figure D.2 shows an example of an event declaration within an iRule.
when HTTP_REQUEST {
if { [HTTP::uri] contains "aol" } {
pool aol_pool
} else {
pool all_pool
}
}
For more information on iRule events, see the Configuration Guide for
BIG-IP® Local Traffic Manager™.
Operators
An iRule operator compares two operands in an expression. In addition to
using the Tcl standard operators, you can use the operators listed in Table
D.1.
Table D.1 iRule operators
Operator type: Syntax
Relational operators: contains, matches, equals, starts_with, ends_with, matches_regex
Logical operators: not, and, or
For example, you can use the contains operator to compare a variable
operand to a constant. You do this by creating an if statement that represents
the following: "If the HTTP URI contains aol, send to pool aol_pool."
Figure D.2, on page D-2, shows an iRule that performs this action.
iRule commands
An iRule command within an iRule causes the BIG-IP system to take some
action, such as querying for data, manipulating data, or specifying a traffic
destination. The types of commands that you can include within iRules are:
◆ Statement commands
These commands cause actions such as selecting a traffic destination or
assigning a SNAT translation address. An example of a statement
command is pool <name>, which directs traffic to the named load
balancing pool. For more information, see the Configuration Guide for
BIG-IP® Local Traffic Manager™.
◆ Commands that query or manipulate data
Some commands search for header and content data, while others
perform data manipulation such as inserting headers into HTTP requests.
An example of a query command is IP::remote_addr, which searches
for and returns the remote IP address of a connection. An example of a
data manipulation command is HTTP::header remove <name>, which
removes the last occurrence of the named header from a request or
response.
◆ Utility commands
These commands are functions that are useful for parsing and
manipulating content. An example of a utility command is decode_uri
<string>, which decodes the named string using HTTP URI encoding
and returns the result. For more information on using utility commands,
see the Configuration Guide for BIG-IP® Local Traffic Manager™.
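The rule below is an added example, not one from the manual, that combines the operator and command types described above in a single HTTP_REQUEST handler. The pool names, the header name and the URI prefixes are assumptions chosen for illustration. The point it makes is that the URI is passed through decode_uri before any comparison, so a percent-encoded path cannot slip past a prefix or regular-expression match that the backend would later decode.

```tcl
when HTTP_REQUEST {
    # Utility command: decode once so that "%2Fstatic%2F" and "/static/"
    # are compared the same way the backend will eventually see them.
    set uri [string tolower [decode_uri [HTTP::uri]]]

    # Data manipulation command: strip a client-supplied copy of a header
    # that the application treats as authoritative (header name assumed).
    HTTP::header remove "X-Authenticated-User"

    # Query command: the client's source address.
    set client [IP::client_addr]

    # Relational and logical operators choosing the statement command "pool"
    # (pool names are assumptions; they must exist on the system).
    if { $uri starts_with "/static/" or $uri ends_with ".css" } {
        pool static_pool
    } elseif { $uri matches_regex {^/api/v[0-9]+/} and not ($uri contains "/internal/") } {
        pool api_pool
    } elseif { [IP::addr [IP::addr $client mask 255.0.0.0] equals 10.0.0.0] } {
        # Internal clients (10.0.0.0/8, assumed) are routed to the intranet pool.
        pool intranet_pool
    } else {
        pool default_pool
    }
}
```

The masked comparison with IP::addr is used instead of string matching on the address so that a client in 10.x.x.x is recognised regardless of how the address is written; matches_regex is the most expensive of the operators listed, so it is placed after the cheaper starts_with and ends_with checks.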
Note
iRule event access policy items must be processed and completed before the
access policy can continue.
ACCESS_SESSION_STARTED
This event occurs when a new user session is created. It is triggered after
the session context and the initial session variables (the user's source IP,
browser capabilities, and accepted languages) have been created.
Using ACCESS_SESSION_STARTED
This event provides a notification that a new session is created. You can use
this event to prevent a session from being created when a specific event
occurs. For example, if the user is exceeding the concurrent sessions limit,
or if the user does not qualify for a new session due to custom logic, you can
prevent a session from starting.
You can use ACCESS::session commands to get and set various session
variables. Administrators can also use TCP, SSL, and HTTP iRule commands to
determine various TCP, SSL, or HTTP properties of the user.
ACCESS_SESSION_STARTED examples
In the first example, the system writes the browser user-agent to the log file
when the session starts. In the second example, the system removes a session
whose client address is not in the authorized subnet.
when ACCESS_SESSION_STARTED {
    log local0.notice "APM: Received a new session from browser: [ACCESS::session data get "session.user.agent"]"
}
when ACCESS_SESSION_STARTED {
    set user_ip [ACCESS::session data get "session.user.clientip"]
    # Mask the client address to its /24 network before comparing it
    # with the authorized subnet 192.168.255.0/24
    if { ![IP::addr [IP::addr $user_ip mask 255.255.255.0] equals 192.168.255.0] } {
        log local0.notice "Unauthorized subnet"
        ACCESS::session remove
    }
}
ACCESS_POLICY_COMPLETED
This event occurs when the access policy execution completes for a user
session.
Using ACCESS_POLICY_COMPLETED
This event provides a notification that access policy execution has
completed for the user. You can use this event to perform post-access-policy
work. For example, you can read and set session variables after the access
policy is executed.
You can use ACCESS::policy and ACCESS::session commands to get and
set various session variables. Administrators can also use TCP, SSL, and HTTP
iRule commands to determine various TCP, SSL, or HTTP properties of the
user.
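As an added example (not from the manual), the handler below does the post-policy work described above and branches on the value returned by ACCESS::policy result, which is allow, deny, or redirect. The session variable names session.logon.last.username and session.user.clientip are standard APM variables assumed to be populated by the policy; session.custom.policy_done_at is a custom variable name chosen for this example.

```tcl
when ACCESS_POLICY_COMPLETED {
    # Standard APM session variables (assumed populated by the logon agents).
    set user   [ACCESS::session data get "session.logon.last.username"]
    set client [ACCESS::session data get "session.user.clientip"]
    set result [ACCESS::policy result]

    switch -- $result {
        allow {
            # Post-policy work: stamp the session so later ACL events can tell
            # how old the authorization is (custom variable name assumed).
            ACCESS::session data set "session.custom.policy_done_at" [clock seconds]
            log local0.notice "APM: policy result=allow user=$user client=$client"
        }
        deny {
            log local0.warn "APM: policy result=deny user=$user client=$client"
        }
        redirect {
            log local0.notice "APM: policy result=redirect user=$user client=$client"
        }
        default {
            log local0.err "APM: unexpected policy result '$result' user=$user client=$client"
        }
    }
}
```

Logging the deny branch at a higher severity than the allow branch makes repeated failures for one user or client stand out in the log without changing what the policy decided.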
ACCESS_ACL_ALLOWED
This event occurs when a resource request passes the access control criteria
and is allowed through the ACCESS filter. This event is only triggered for
resource requests and does not trigger for internal access control URIs such
as my.policy.
Using ACCESS_ACL_ALLOWED
This event notifies you that a resource request is being allowed to pass
through the network. You can use this event to create custom logic that is
not supported in a standard ACL.
For example, you can further limit access based on specific session
variables, rate controls, or HTTP or SSL properties of the user.
You can use ACCESS::session commands to get and set session variables in
this event, and ACCESS::acl commands to enforce additional ACLs.
ACCESS_ACL_DENIED
This event occurs when a resource request fails to meet the access control
criteria and is denied access.
Using ACCESS_ACL_DENIED
This event provides notification that a resource request has been denied
permission to pass through the network.
You can use this event to implement custom logic that is not supported in
the standard ACLs. For example, you can send out a specific response,
based on specific session variables, and HTTP or SSL properties of the user.
This event may also be useful for logging purposes.
You can use ACCESS::session commands to get and set session variables in
this event, and ACCESS::acl commands to enforce additional ACLs.
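The following pair of handlers is an added example rather than code from the manual. It adds a check that a standard ACL cannot express (group membership taken from a session variable) in ACCESS_ACL_ALLOWED, and logs the outcome of the ACL match with a controlled response in ACCESS_ACL_DENIED. It assumes the administrative area lives under /admin/, that an AD Query has populated session.ad.last.attr.memberOf, and that the administrators group DN contains cn=apm-admins; all three are assumptions.

```tcl
when ACCESS_ACL_ALLOWED {
    # Extra restriction on top of the assigned ACLs: only members of the
    # administrators group (group DN fragment assumed) may reach /admin/.
    set uri [string tolower [HTTP::uri]]
    if { $uri starts_with "/admin/" } {
        set groups [string tolower [ACCESS::session data get "session.ad.last.attr.memberOf"]]
        if { not ($groups contains "cn=apm-admins,") } {
            log local0.warn "APM: admin area refused user=[ACCESS::session data get session.logon.last.username] uri=[HTTP::uri] acl=[ACCESS::acl result]"
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain"
            return
        }
    }
}

when ACCESS_ACL_DENIED {
    # Record what was refused and why (ACCESS::acl result gives the ACL
    # outcome), then return a controlled response for the user.
    log local0.notice "APM: ACL denied user=[ACCESS::session data get session.logon.last.username] client=[IP::client_addr] uri=[HTTP::uri] acl=[ACCESS::acl result]"
    HTTP::respond 403 content "<html><body>Access to this resource is not permitted.</body></html>" "Content-Type" "text/html"
}
```

The ALLOWED handler returns after HTTP::respond so that no further processing of the request takes place; the DENIED handler only adds logging and a friendlier page, it does not change the ACL decision.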
ACCESS_SESSION_CLOSED
This event occurs when a user session is removed. This can occur because a
user logs out, because the user session times out due to inactivity, or because
the user session is terminated by an administrator.
You can use the ACCESS::session command to get session variables in this
event. iRule commands which require a flow context can not be used in this
event.
Using ACCESS_SESSION_CLOSED
This event is used like ACCESS_SESSION_STARTED.
ACCESS_POLICY_AGENT_EVENT
This event allows you to insert an iRule event agent at some point in an
access policy. On the server, during access policy execution, the iRule event
agent is executed and ACCESS_POLICY_AGENT_EVENT is raised in iRules.
You can get the current agent ID (using the iRule command ACCESS::policy
agent_id) to determine which iRule agent raised the event, and to create
customized logic.
Using ACCESS_POLICY_AGENT_EVENT
Use this event to execute iRule logic inside TMM at the desired point in the
access policy execution. For example, if you want to do concurrent session
checks for a particular AD group, insert this agent after the AD query, and
once the user's group has been retrieved from the AD query, check to see how
many concurrent sessions exist for that user group in an iRule inside TMM.
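The example below implements the concurrent-session check just described; it is added here and is not code from the manual. It assumes that the iRule event agent in the policy was given the ID group_session_check in the visual policy editor, that it is placed after an AD Query so session.ad.last.attr.memberOf is populated, that the limited group's DN contains cn=contractors, and that the table command (available in BIG-IP 10.1 and later, not described on this page) is used for the shared counters. The custom session variable names are also assumptions. The ACCESS_SESSION_CLOSED handler releases the slot, which is why that event is covered here rather than with its own example.

```tcl
when ACCESS_POLICY_AGENT_EVENT {
    # Only react to the agent this rule was written for (agent ID assumed).
    if { [ACCESS::policy agent_id] ne "group_session_check" } {
        return
    }
    set limit  25
    set group  "contractors"
    set groups [ACCESS::session data get "session.ad.last.attr.memberOf"]

    # Sessions outside the limited group (DN fragment assumed) are not counted.
    if { not ([string tolower $groups] contains "cn=contractors,") } {
        ACCESS::session data set "session.custom.group_limit_exceeded" 0
        return
    }

    # Shared per-group counter in TMM; "indefinite" stops the entry expiring
    # while sessions are still open (table command assumed available).
    set n [table incr -subtable apm_group_sessions $group]
    table timeout -subtable apm_group_sessions $group indefinite

    # Remember that this session was counted so ACCESS_SESSION_CLOSED can undo it.
    ACCESS::session data set "session.custom.counted_group" $group

    if { $n > $limit } {
        log local0.warn "APM: group $group has $n sessions (limit $limit); user=[ACCESS::session data get session.logon.last.username]"
        ACCESS::session data set "session.custom.group_limit_exceeded" 1
    } else {
        ACCESS::session data set "session.custom.group_limit_exceeded" 0
    }
}

when ACCESS_SESSION_CLOSED {
    # Fires on logout, inactivity timeout and administrative termination;
    # release the slot only for sessions that were counted above.
    set group [ACCESS::session data get "session.custom.counted_group"]
    if { $group ne "" } {
        table incr -subtable apm_group_sessions $group -1
    }
}
```

The rule deliberately does not remove the session itself: it sets session.custom.group_limit_exceeded and leaves the decision to the policy, whose branch rule after the agent can be written as expr { [mcget {session.custom.group_limit_exceeded}] == 1 } leading to a Deny ending. A session that is denied this way is removed, so ACCESS_SESSION_CLOSED still runs and the counter stays accurate.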
ACCESS::disable
This command disables the access control enforcement for a particular
request URI. The request passes through the access policy without any
access control checks, except for checks that the session is valid and that the
policy reaches an allow ending.
Use this command within the HTTP_REQUEST iRule event.
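An added example of the scoped use of ACCESS::disable (not code from the manual). The two exempt URI prefixes are assumptions; the point is that the exemption is applied only to an explicit, short list of paths, and that a valid session and an allow ending are still required for those requests.

```tcl
when HTTP_REQUEST {
    # Paths exempt from per-request ACL checks (assumed, not from the manual).
    set exempt_prefixes [list "/static/" "/public/help/"]
    set path [string tolower [HTTP::path]]
    foreach prefix $exempt_prefixes {
        if { $path starts_with $prefix } {
            # The session must still exist and the policy must still have
            # reached an allow ending; only the per-URI checks are skipped.
            ACCESS::disable
            return
        }
    }
}
```

Matching on HTTP::path rather than HTTP::uri keeps a query string from influencing the decision, and the early return ensures nothing after the loop can widen the exemption.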
ACCESS::session commands
The following commands are used with the ACCESS::session command.
ACCESS::session remove
This deletes the user session and all associated session variables. The
session is removed immediately after this command is invoked and no
session variables can be accessed after this command.
ACCESS::session commands can be used only in ACCESS events.
ACCESS::session exists
This command returns TRUE when the session with the provided sid exists,
and returns FALSE otherwise. This command can be executed in events
other than ACCESS events. One scenario for which you can
when HTTP_REQUEST {
set apm_cookie [HTTP::cookie value MRHSession]
if { $apm_cookie != "" && ! [ACCESS::session exists $apm_cookie] } {
HTTP::respond 401 WWW-Authenticate "Basic realm=\"www.example.com\""
return
}
}
ACCESS::policy commands
The following ACCESS::policy commands are available.
ACCESS::policy agent_id
This returns the identifier for the agent raising the
ACCESS_CUSTOM_EVENT.
ACCESS::policy result
Returns the result of the access policy process. The result is one of the
following:
• allow
• deny
• redirect
The ACCESS::policy command can only be used in
ACCESS_POLICY_COMPLETED, ACCESS_ACL_ALLOWED and
ACCESS_ACL_DENIED events.
ACCESS::acl result
This returns the result of ACL match for a particular URI in
ACCESS_ACL_ALLOWED and ACCESS_ACL_DENIED events.
This result can have one of the following values:
• allow
• discard
• reject
• continue
ACCESS::acl lookup
This returns the name of all the assigned ACLs for a particular session.
when ACCESS_ACL_ALLOWED {
ACCESS::acl eval "additional_acl"
}
E
Troubleshooting
• Introducing troubleshooting
Introducing troubleshooting
BIG-IP® Access Policy Manager® provides ways to troubleshoot issues that
you may encounter from time to time. There are a number of files, utilities,
and command line interfaces that you can use to pinpoint the problem areas
and resolve them quickly.
This appendix provides several different examples that you can refer to in
order to understand how Access Policy Manager troubleshooting tools work.
Following the examples, you will find sections on Access Policy Manager
log messages and Kerberos error messages.
Tip
Make sure the log messages are displayed in chronological order, from the
most recent logs to the older ones. Within the Log message screen, click
TimeStamp to sort the logs based on the most recent times.
Figure E.2 displays a sample log message. The most pertinent data is
highlighted in the figure, and described, following.
Note
Since the firewall check returned a result of 0, the final return value on the
access policy check resulted in an access denied policy ending. Therefore,
the sessionID created for your access is immediately deleted.
The example in figure E.3 displays the highlighted response received from
the Active Directory server, which states that the user name entered on the
logon page does not appear to be a valid user in the Active Directory
database.
Access Policy Manager log messages. Each entry gives the status code and log level, followed by the log message, its description, and troubleshooting information where available.

013c0001 (ERROR)
Message: 00000000: Number of ports should not exceed: <Port Count>
Description: Specifies that the APD daemon started with the wrong parameters. This can happen only if the administrative user modifies the start scripts for APD.
Troubleshooting: Make sure that the command line arguments to the APD daemon have not been modified in the /etc/bigstart/scripts/apd file. Factory settings: -d 3 -f

013c0002 (ERROR)
Message: 00000000: Number of threads should not exceed: <Thread Count>
Description: Specifies that the APD daemon started with the wrong parameters. This can happen only if the administrative user modifies the start scripts for APD.
Troubleshooting: Make sure that the command line arguments to the APD daemon have not been modified in the /etc/bigstart/scripts/apd file. Factory settings: -d 3 -f

013c0003 (ERROR)
Message: 00000000: Couldn't create APD listener: <Listener ID>
Description: Specifies that the APD daemon started with the wrong parameters. This can happen only if the administrative user modifies the start scripts for APD.
Troubleshooting: Make sure that the command line arguments to the APD daemon have not been modified in the /etc/bigstart/scripts/apd file. Factory settings: -d 3 -f

013c0006 (INFO)
Message: <Session ID> Following rule '%s' from item '%s' to item '%s'
Description: Specifies the rules that are followed when the system processes the access policy.
013c0009 (NOTICE)
Message: <Session ID> ACL '%s' assigned
Description: Specifies that the resource assign action has assigned the specified ACL to the session.

013c0013 (INFO)
Message: <Session ID>: agent: Retrieving AAA server: <ServerName>
Description: Specifies that the AAA agent is retrieving the AAA server information.

013c0014 (ERROR)
Message: <Session ID>: agent: No AAA server associated with <Agent Name>
Description: Specifies that the access policy configuration is incomplete. The AAA agent specified in the log message is not associated with a valid AAA server.
Troubleshooting: Make sure a AAA Server is assigned in the AAA action <Agent Name> configuration in the access policy.

013c0015 (ERROR)
Message: <Session ID>: agent: Failed to decrypt <StringName> of AAA server: <Server Name>
Description: Specifies that the APD daemon failed to initialize the access policy. This error indicates that the APD daemon is unable to decrypt the administrative password for the AAA server specified in the log message. This indicates a critical system failure.
Troubleshooting: No troubleshooting information available.

013c0016 (ERROR)
Message: <Session ID>: agent: Unknown agent type <TypeID>
Description: Specifies that the APD daemon failed to initialize the access policy. The access policy contains an agent of unknown type. This indicates a critical system failure.
Troubleshooting: No troubleshooting information available.
013c0021 (ERROR)
Message: <Session ID>: agent: ERROR: <ErrorMessage>
Description: Specifies that one of the access policy agents encountered an error, as described by the error message, during access policy processing.
Troubleshooting: No troubleshooting information available.

013c0022 (ERROR)
Message: <Session ID>: agent: EXCEPTION: <ExceptionMessage>
Description: Specifies that one of the access policy agents encountered an error, as described by the error message, during access policy processing.
Troubleshooting: No troubleshooting information available.

013c0042 (ERROR)
Message: <Session ID> <AuthType> module: ERROR: <ErrorMessage>
Description: Specifies that a AAA server operation of the type specified in the log message failed with the error described by the error message.
Troubleshooting: <AuthType> indicates the authentication module in which the error occurred. The <ErrorMessage> contains information that can point to the cause of the error.

013c0043 (ERROR)
Message: <Session ID> <AuthType> module: EXCEPTION: <ExceptionMessage>
Description: Specifies that a AAA server operation of the type specified in the log message failed with the error described by the error message.
Troubleshooting: <AuthType> indicates the authentication module in which the error occurred. The <ExceptionMessage> contains information that can point to the cause of the error.

013c0057 (ERROR)
Message: <Session ID> <AuthType> module: ERROR: ldap_unbind() failed, <ErrorMessage>
Description: Specifies that the LDAP unbind operation for either LDAP or Active Directory® failed with the error described in the error message.
Troubleshooting: <AuthType> indicates the authentication module in which the error occurred. The <ErrorMessage> for ldap_unbind() contains more information about the cause of the error.
013c0070 (ERROR)
Message: 00000000: AD agent: ERROR: %s failed for <hostname/IPaddr>
Description: Specifies that the Active Directory action encountered an error while trying to authenticate against the external AAA server with the host name and IP address listed in the error message.
Troubleshooting: Make sure that DNS is properly configured to resolve the forward and reverse lookup for the AAA server.
013c0082 (ERROR)
Message: <Session ID> Invalid rule exists in access policy. Unable to find nextnode.
Description: Specifies that the access policy configuration is not valid. One of the access policy rules is followed by an item that is not valid.
Troubleshooting: No troubleshooting information available.

013c0084 (ERROR)
Message: <Session ID> Access Policy execution failed with error: %d
Description: Specifies that, during access policy processing, an access policy action encountered an error, described in the error message.
Troubleshooting: No troubleshooting information available.

013c0086 (ERROR)
Message: <Session ID> Rule evaluation failed with error: %s
Description: Specifies that the error described in the error message occurred while trying to evaluate an access policy rule during access policy processing.
Troubleshooting: No troubleshooting information available.
013c0087 (ERROR)
Message: <Session ID> Invalid session variable exists in rule expression.
Description: Specifies that an error occurred while attempting to evaluate an access policy rule during access policy processing. This error indicates that a session variable that is not valid is present in the rule expression.
Troubleshooting: Make sure that the session variable configured in the access policy rule does exist when the rule runs.

013c0088 (ERROR)
Message: <Session ID> Unable to find session variable used in rule expression.
Description: Specifies that an error occurred while attempting to evaluate an access policy rule during access policy processing. This error indicates that a session variable that is not valid is present in the rule expression.
Troubleshooting: Make sure that the session variable configured in the access policy rule does exist when the rule runs.

013c0089 (ERROR)
Message: 00000000: Configuration STOP change notification received for an unknown access profile: %s
Description: Specifies that the APD has received a configuration change notification for an unknown access profile. This indicates a critical system failure.
Troubleshooting: No troubleshooting information available.

013c0090 (ERROR)
Message: 00000000: Configuration add notification received for an already existing profile: %s
Description: Specifies that the APD has received an ADD notification for an existing access profile. This indicates a critical system failure.
Troubleshooting: No troubleshooting information available.

013c0091 (ERROR)
Message: 00000000: Invalid request header received from remote client. Socket error: %s
Description: Specifies that the response received during access policy processing from a remote client is not valid. The log message logs the incoming HTTP request header received from the remote client.
Troubleshooting: No troubleshooting information available.

013c0092 (ERROR)
Message: 00000000: Invalid POST request received from remote client. Len: %d
Description: Specifies that the response received during access policy processing from the remote client is not valid. The log message logs the length of the incoming HTTP POST request received from the remote client.
Troubleshooting: No troubleshooting information available.
013c0094 (ERROR)
Message: <Session ID> Couldn't get session variable from session db. Session var: %s
Description: Specifies that APD failed to retrieve a session variable (logged by the log message) from the session database.
Troubleshooting: No troubleshooting information available.

013c0095 (ERROR)
Message: <Session ID> File Check Agent: File check failed.
Description: Specifies that the file check action encountered an error during access policy processing.
Troubleshooting: Log and inspect the session variables for the file check action.

013c0096 (NOTICE)
Message: 00000000: A new access profile: %s has been initialized
Description: Specifies that the system has initialized the specified access profile. Access Policy Manager accepts any request received for this access profile from this point forward, and sends these requests through the associated access policy.

013c0097 (NOTICE)
Message: 00000000: A new access policy: %s has been initialized
Description: Specifies that the system has initialized a new access policy.

013c0098 (NOTICE)
Message: 00000000: Access profile: %s has been removed.
Description: Specifies that the system has deleted an access profile. Access Policy Manager denies any request received for this access profile from this point forward.

013c0099 (NOTICE)
Message: 00000000: Access policy: %s has been removed.
Description: Specifies that the system has deleted an access profile.

013c0100 (NOTICE)
Message: 00000000: Access profile: %s configuration changes need to be applied for the new configuration to take effect. The modified or new configuration changes are not yet active. You must activate the access policy for the new changes to take effect.
Description: Specifies that the system has detected changes you have made to the access profile configuration.
013c0101 (NOTICE)
Message: 00000000: Access profile: %s configuration has been applied. Newly active generation count is: %d
Description: Specifies that the system has started the access policy associated with the access profile. Access Policy Manager increments the generation count by one every time an access policy is activated.

013c0102 (NOTICE)
Message: <Session ID> Access policy result: %s
Description: The final result of the access policy. Valid results are Logon_Denied or Webtop.

013c0104 (ERROR)
Message: 00000000: <Session ID> Failed to store configuration variable (error:%d, name:'%s', value:'%s')
Description: Specifies that APD failed to store a session variable (logged by the log message) in the session database. The log message logs the name of the error encountered along with the variable and the value of the variable.
Troubleshooting: Access Policy Manager was unable to store the session variable in the session database. Either an internal processing error or a failure in database memory allocation occurred.

013c0105 (ERROR)
Message: <Session ID> <AuthType> agent: No AAA server associated with <ServerName>.
Description: Specifies that the AAA action encountered an error during access policy processing, because the AAA server information could not be located.
Troubleshooting: Make sure that the AAA Server <ServerName> exists in the bigip.conf file. This might happen when a AAA server is deleted from bigip.conf, but the AAA server is still being used by a AAA action.

013c0106 (WARNING)
Message: <Session ID> AD module: WARNING: <Action> <Object> failed in <FunctionName>(): <ErrorMessage> (ErrorCode)
Description: Specifies that the Active Directory Auth or Query action encountered an error during access policy processing. Action has one of the values: query with, authentication with, change password for. Object has one of the values: Filter, <AdminUserName>, <UserName>. The error message is included with the source code function name.
Troubleshooting: Refer to the <ErrorMessage> text, which contains information about the cause of the error.
013c0107 (ERROR)
Message: <Session ID> AD module: ERROR: <Action> <Object> failed in <FunctionName>(): <ErrorMessage> (ErrorCode)
Description: Specifies that the Active Directory Auth or Query action encountered an error during access policy processing. Action has one of the values: query with, authentication with, change password for. Object has one of the values: Filter, <AdminUserName>, <UserName>. The error message is included with the source code function name.
Troubleshooting: Refer to the <ErrorMessage> text, which contains information about the cause of the error.

013c0108 (ERROR)
Message: <Session ID> RADIUS module: ERROR: authentication with <UserName> failed in <FunctionName>(): <ErrorMessage> (ErrorCode)
Description: Specifies that, during access policy processing, the RADIUS Auth action encountered an error. The log message includes the user name and error message, along with the source code function name.
Troubleshooting: Refer to the <ErrorMessage> text, which contains information about the cause of the error.

013c0109 (WARNING)
Message: <Session ID> LDAP module: WARNING: <Action> <Object> failed in <FunctionName>(): <ErrorMessage> (ErrorCode)
Description: Specifies that the LDAP Auth or Query action encountered an error during access policy processing. Action has one of the values: query with, authentication with. Object has one of the values: Filter, <AdminUserName>, <UserName>. The message also includes the error message and the source code function name.
Troubleshooting: Refer to the <ErrorMessage> text, which contains information about the cause of the error.
013c0110 (ERROR)
Message: <Session ID> LDAP module: ERROR: <Action> <Object> failed in <FunctionName>(): <ErrorMessage> (ErrorCode)
Description: Specifies that the LDAP Auth or Query action encountered an error during access policy processing. Action has one of the values: query with, authentication with. Object has one of the values: Filter, <AdminUserName>, <UserName>. The message also includes the error message and the source code function name.
Troubleshooting: Refer to the <ErrorMessage> text, which contains information about the cause of the error.
013c1003 (ERROR)
Message: Attempt to access renderer externally: (URI=<URI String>)
Description: Indicates that a client directly accessed one or more resources inside the renderer directory. This is a security violation and the system does not allow it. The system logs the corresponding URI here.
Troubleshooting: An attempt by a client to access a resource on the internal HTTP daemon or service has been detected by the system. If the user request is associated with a session ID, you can determine the client IP address from the log messages.

013c1004 (NOTICE)
Message: Invalid Session ID <Client Session ID> Expect (<Session ID>) (URI=<URI String>)
Description: The incoming request did not correspond to any known session ID in the system. The corresponding URI is also logged.

013c1010 (NOTICE)
Message: License NOT available for user session
Description: Specifies that the system ran out of licenses while processing user session requests. All available licenses are already in use.

013c1011 (NOTICE)
Message: CCA: Found a valid cert - adding it to the MEMCACHED
Description: Specifies that a valid client certificate was received from the remote client. The client certificate is stored in the session database.

013c1012 (INFO)
Message: Client cert result = <Result Status>
Description: The result of the failed client cert authentication: revoked, unable to verify, or another result.
013c1013 (INFO)
Message: Client Cert Auth using OCSP: Status code = <Auth Status>
Description: Logs the result of OCSP authentication. Possible values are: 0 : Success, 1 : Failure, -1: Error, 2 : Not authenticated.
Troubleshooting: Check the OCSP Responder and OCSP profile configuration settings. The reason for the failure will be listed in the access control log file.

013c1014 (INFO)
Message: Client Cert Auth using CRLDP: Status code = <Auth Status>
Description: Logs the result of Client Cert Authentication using CRLDP. Possible values are: 0 : Success, 1 : Failure, -1: Error, 2 : Not authenticated.
Troubleshooting: Check the CRLDP server and CRLDP profile configuration settings. The reason for the failure will be available in the access control log file.

013c1017 (WARN)
Message: OCSP Failure.
Description: Specifies that the client certificate the system received from the remote client could not be authenticated using OCSP. An error occurred during authentication.
Troubleshooting: Check the OCSP Responder and OCSP profile configuration settings. The reason for the failure will be available in the access control log file.

013c1018 (WARN)
Message: OCSP Error.
Description: Specifies that the client certificate the system received from the remote client could not be authenticated using OCSP. An error occurred during authentication.
Troubleshooting: Check the OCSP Responder and OCSP profile configuration settings. The reason for the failure will be available in the access control log file.
013c1024 (NOTICE)
Message: Redirecting to Logout page
Description: A request for the logout page was received, and the user was redirected to the logout page.

013c1025 (ERROR)
Message: Failed to allocate client IP address for session (<Session ID>)
Description: There is no client IP address assigned for the network access resource for this session.
Troubleshooting: The value from the session.assigned.clientip session variable is assigned to the client IP address. Either the session variable does not exist or the Session DB failed to read the variable value.

013c1027 (INFO)
Message: Setting unit id <Failover ID> as part of session
Description: Each UNIT has a unique failover_id similar to the Unit ID. This is used for High Availability.
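The script below is an added example, not part of the manual, showing how the status codes in the table above can drive a simple log triage in Tcl (run it with tclsh 8.5 or later; it is a stand-alone script, not an iRule). The line layout it parses is an assumption constructed for the example, and the sample lines are constructed too, with message texts following the table's templates. Only a subset of the codes is included, with the troubleshooting column condensed into a short action.

```tcl
#!/usr/bin/env tclsh
# Added example (not from the F5 manual): scan APD log lines for the status
# codes in the table above and report the entries that call for action.
# Requires Tcl 8.5 or later. The line layout is an assumption made for this
# example: "<Mon> <day> <hh:mm:ss> <host> <level> apd[<pid>]: <code>:<sev>: <text>"

# Subset of the table: code -> {level  short description  what to do}
set apd_codes [dict create \
    013c0014 {ERROR  "AAA agent has no AAA server"           "assign a AAA server in the AAA action"} \
    013c0015 {ERROR  "cannot decrypt AAA server password"    "critical system failure"} \
    013c0070 {ERROR  "AD action failed against AAA server"   "check DNS forward and reverse lookup for the server"} \
    013c0096 {NOTICE "access profile initialized"            ""} \
    013c1003 {ERROR  "client accessed renderer directly"     "security violation; correlate the session ID to a client IP"} \
    013c1004 {NOTICE "request carried an unknown session ID" ""} \
    013c1010 {NOTICE "no user-session license available"     "all licenses are in use"} \
    013c1017 {WARN   "OCSP authentication failed"            "check the OCSP responder and OCSP profile settings"} \
]

# Parse one line into a dict (host code sid text); return "" for anything else.
proc parse_apd_line {line} {
    set re {^[A-Za-z]{3} +\d+ [\d:]+ (\S+) \S+ apd\[\d+\]: (013c[0-9a-f]{4}):\d+: (.*)$}
    if {![regexp $re $line -> host code text]} {
        return ""
    }
    # Session-scoped messages start with an 8-hex-digit session ID;
    # "00000000" marks a system-wide message (see the table).
    set sid ""
    if {[regexp {^([0-9a-f]{8}):? ?(.*)$} $text -> s t]} {
        set sid $s
        set text $t
    }
    return [dict create host $host code $code sid $sid text $text]
}

# Return the ERROR/WARN entries as formatted strings, in input order.
proc classify_apd_lines {log} {
    global apd_codes
    set alerts {}
    foreach line [split $log "\n"] {
        set rec [parse_apd_line $line]
        if {$rec eq ""} { continue }
        set code [dict get $rec code]
        if {![dict exists $apd_codes $code]} { continue }
        lassign [dict get $apd_codes $code] level desc action
        if {$level eq "ERROR" || $level eq "WARN"} {
            lappend alerts [format "%-6s %s host=%s sid=%s %s: %s" \
                $level $code [dict get $rec host] [dict get $rec sid] $desc $action]
        }
    }
    return $alerts
}

# Constructed sample lines; the message texts follow the table's templates.
set sample_log {Mar 15 10:01:02 bigip1 err apd[2210]: 013c0014:3: 1a2b3c4d: agent: No AAA server associated with ad_auth
Mar 15 10:01:03 bigip1 notice apd[2210]: 013c0096:5: 00000000: A new access profile: /Common/portal has been initialized
Mar 15 10:01:09 bigip1 err apd[2210]: 013c1003:3: Attempt to access renderer externally: (URI=/renderer/x.php)
Mar 15 10:01:10 bigip1 warning apd[2210]: 013c1017:4: OCSP Failure.
Mar 15 10:01:11 bigip1 notice apd[2210]: 013c1010:5: License NOT available for user session}

foreach alert [classify_apd_lines $sample_log] {
    puts $alert
}
```

Of the five constructed lines, the three carrying ERROR or WARN codes (013c0014, 013c1003 and 013c1017) are reported; the session ID is kept in the output because the table's guidance for 013c1003 is to use it to find the client address in the surrounding log messages.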
Kerberos error message: Client not found in Kerberos database while getting initial credentials
Meaning: User account does not exist on the server.
Glossary
absolute URL
An absolute URL specifies the exact location of a file or directory on the
internet.
access policy
An access policy contains steps that the client and server go through before
access is granted to a connection by the Access Policy Manager. See also
action, client side check, endpoint security, branch rule.
access profile
An access profile is a pre-configured group of settings that you can use to
configure secure network access for an application.
action
An action is an ordered set of rules for evaluating a remote system. Each
action invokes one or more inspectors. The action then uses rules to test the
inspectors’ findings. In the visual policy editor, an action is depicted by a
rectangle.
Active Directory
The Active Directory is a network structure supported by Windows® 2000,
or later, that provides support for tracking and locating any object on a
network.
advanced rules
In an access policy, advanced rules provide customized functionality. This
functionality is useful when you want more functionality than is provided by
the default access policy rules and the rules created with the expression
builder.
allow ending
An allow ending is a successful ending for the user in the access policy.
authentication
Authentication is the process of verifying the identity of a user logging on to
a network.
authentication action
Authentication actions are used in an access policy to add an authentication
check with a AAA server or with a client certificate.
authentication query
An authentication query searches the appropriate part of the directory tree
structure of a AAA server, such as LDAP or Active Directory, to find a user
within that directory.
authorization
Authorization is the process of enabling user access to resources,
applications, and network shares.
branch rule
Branch rules test the inspectors’ findings about a client system. The order of
rules in a pre-logon sequence determines the flow of action.
certificate
A certificate is an online credential signed by a trusted certificate authority
and used for SSL network traffic as a method of authentication.
client certificate
A client certificate enables the Access Policy Manager to verify the identity
of a user’s computer, and to control access to specific resources,
applications, and files.
client component
A client component is a control downloaded from the Access Policy
Manager that enables the various features of Access Policy Manager
functionality.
Configuration utility
The Configuration utility is the browser-based application that you use to
configure the Access Policy Manager.
decision box
In the visual policy editor, a decision box is a policy action that provides a
user with two options for accessing a system.
domain name
A domain name is a unique name that is associated with one or more IP
addresses. Domain names are used in URLs to identify particular Web
pages. For example, in the URL http://www.siterequest.com/index.html,
the domain name is siterequest.com.
endpoint security
Endpoint security is a centrally managed method of monitoring and
maintaining client-system security. See also client side check and resource
protection.
FIPS
Federal Information Processing Standards (FIPS) are publicly announced
standards developed by the U.S. Federal government for use by all
(non-military) government agencies and by government contractors. The
Access Policy Manager can be configured with FIPS 140-encryption
hardware, which stores all certificates and private keys in the FIPS
hardware.
high availability
High availability is the process of ensuring access to resources despite any
failures or loss of service in the setup. For hardware, high availability is
ensured by the presence of a redundant system. See also redundant system.
hot fix
A hot fix (patch) is an intended modification to the BIG-IP Access Policy
Manager.
inspector
An inspector is an ActiveX control or Java plug-in that gathers information
about the user’s computer, evaluating factors such as the presence of viruses
or antivirus software, operating system version, running processes, and
others.
interface
A physical port on an F5 system is called an interface.
IP address
An IP address (Internet Protocol address) is a unique number that identifies
a single device and enables it to use the Internet Protocol standard to
communicate with another device on a network. See also self IP address and
virtual IP address.
IPsec
IPsec (Internet Protocol Security) is a communications protocol that
provides security for the network layer of the Internet without imposing
requirements on applications running above it.
name resolution
Name resolution is the process by which a name server matches a domain
name request to an IP address, and sends the information to the client
requesting the resolution.
network access
Network access is an Access Policy Manager feature that provides secure
access to corporate applications and data using a standard web browser.
network configuration
Network configuration is the process of setting up the Access Policy
Manager’s web services on network interfaces. See also web service.
port
A port is a number that is associated with a specific service supported by a
host.
redundant system
Redundant system refers to a pair of units that are configured for failover. In
a redundant system, there are two units, one running as the active unit and
one running as the standby unit. If the active unit fails, the standby unit takes
over and manages connection requests.
resource
A resource is an application, a file, or a server on your network to which you
want users to have secure access.
resource protection
Resource protection is the process of using a defined protected configuration
to protect a set of resources.
self IP address
A self IP address is an IP address that uniquely identifies each Access Policy
Manager interface or VLAN interface. See also IP address and virtual IP
address.
sequence
See access policy.
server certificate
A server certificate verifies the server’s identity to a user’s computer.
session variable
A session variable contains a number or string that represents a specific
piece of information about the client system, the Access Policy Manager, or
another piece of information.
split tunneling
Split tunneling is a process that provides control over exactly what traffic is
sent over the network access connection to the internal network.
strong password
A strong password is one that is difficult to guess for both humans and
computer programs, which effectively protects data from unauthorized
access. A strong password typically consists of a specific number of
alphanumeric characters of differing case, as well as certain punctuation
characters.
superuser
Superusers are users who have cross-realm access to all groups and features.
A superuser creates realm administrators, upgrading them from Access
Policy Manager users, and delegating full or restricted access to Access
Policy Manager functionality or groups.
tunnel
A tunnel is a secure connection between computers or networks over a
public network.
URI
In the Access Policy Manager context, URI means the fully-qualified
domain name, followed by the path designator /<uri-specific_path>.
virtual host
In the Access Policy Manager context, a virtual host means the domain
name or IP address that users specify when logging on to a web service you
create on a virtual IP. See also virtual IP address.
virtual IP address
A virtual IP address is an IP address that identifies a virtual (that is,
non-physical) network location. The Access Policy Manager uses virtual IP
addresses for redundant systems. See also IP address, redundant system,
and self IP address.
web service
A web service is a method of communication that applications written in
various programming languages and running on various platforms can use to
exchange data over networks, such as the Internet or an intranet.
webtop
The webtop is the user’s home page, which grants access to the network
access connection.
Index
/var/log/messages directory 17-4
Adding the client certificate into your access policy 12-6

A
access control
  to SNMP data 18-3
access control entries
  adding 5-3
access control list
  assigning 5-5
access control lists
  adding entries 5-3
  and actions 5-3
  and default actions 5-2
  and network access
  creating 5-3, 14-2, 14-3, B-2
  examples 5-5
  logging 5-5
  understanding 5-2
access levels, managing 18-5
access policy
  adding a browser cache cleaner action 9-26
  adding a client OS check 10-2
  adding a decision box 8-18
  adding a file check action 9-6
  adding a firewall check action 9-14
  adding a landing URI check 10-12
  adding a logon page 8-4
  adding a machine cert check action 9-12
  adding a macrocall 7-16
  adding a message 8-17
  adding a process check action 9-17
  adding a protected workspace action 9-30, 9-39
  adding a registry check action 9-20
  adding a UI mode check 10-6, 10-9
  adding a virtual keyboard to the logon page 8-14
  adding a Windows info action 9-22
  adding actions 7-8
  adding an antivirus check 9-2
  adding an external logon page 8-8
  adding an iRule event 8-19
  adding logging 8-16
  adding the macro B-6
  and actions 6-2
  and general purpose actions 8-1
  and internal process for an action 6-6
  and session variables 6-16
  applying 7-3
  assigning a webtop 5-8
  assigning an ACL 5-5
  assigning resources 8-9
  assigning variables 8-10
  configuring for systems that cannot use client-side checks 10-1
  creating 7-5
  logging session variables 8-16
  selecting a VLAN 8-15
  setting a default ending 7-10
  understanding basic configuration 7-6
  understanding branches 6-10
  understanding endings 7-8
  understanding rules and actions 6-6
access policy ending
  creating 7-9
access policy example B-1
Access Policy Manager
  finding software version 1-24
access profile
  and browser language strings 7-4
  backup 7-27
  creating 7-2, B-6
  customizing 15-1
  customizing languages 7-4
  domain cookie option 7-2
  import 7-27
  secure cookie option 7-2
  specifying a logout URI 7-2
accounting
  collecting user information 11-2
  overview 11-2
ACLs
  See access control lists.
actions
  and internal process for 6-6
  and pre-defined 6-3
  and rules 6-6
  using in access policies 6-2
active connection statistics 18-14, 18-15
Active Directory
  configuring query action B-6
active FTP
  and SNAT automap 2-6
ActiveSync
  adding to virtual server 14-2
  using UI Mode to create an ActiveSync branch 10-5
AD Query action B-6
adminreporting utility E-5
advanced access policy rules
  and mcget command 16-18
  creating a custom variable with 16-21
  replacing configuration variable with custom expression 16-21
  understanding situations 16-17
G
general purpose actions
  configuring 8-3
  understanding 8-1
global statistics data 18-12
graphs, SNMP 18-14
group policy
  adding a template 9-38
  downloading a template 9-38, 9-39

H
header searching D-1
help
  locating online help 1-24

K
Kerberos error messages E-21

L
landing URI check
  using 10-12
launch applications
  application paths and parameters 2-11
  understanding options 2-11
lease pools
  assigning to a network access resource 2-14
  creating 2-13, 4-4, 4-5, 14-4, B-3
  understanding 2-13
Linux
  and supported network access features A-13
  configuring application launch A-13
  installing client on A-14
local application traffic 18-11
local traffic management information 18-10
log contents 17-2
log levels
  changing E-1
  defined 17-6
  setting 17-6
log messages E-8
logging action
  understanding 8-16, E-6
logging session variables in an access policy 8-16
logical operators C-3
logical operators, listed D-3
logon denied ending
  customizing 7-11
  understanding 7-8
logon history E-7
logon page
  adding a virtual keyboard 8-14
  customizing 15-1
  customizing elements 15-8
  customizing fonts 15-9
  customizing footer 15-9
  customizing header 15-9
  customizing with logon page action 16-2
  understanding logout components 15-13
logon page action
  understanding 16-1
  using 8-4
logon page fonts 15-9
logon page footer 15-9
logon page header 15-9
logout
  understanding components 15-13
logout message
  customizing 16-4
Logout URI Include 7-2
loopback interface 18-3

M
machine cert check action
  understanding 9-10
  using 9-12
machine location 18-3
Macintosh
  and supported network access features A-13
  configuring application launch A-13
macro templates
  for AD auth and resources 7-17
  for AD auth query and resources 7-18
  for LDAP auth and resources 7-19
  for LDAP auth query and resources 7-20
  for RADIUS and resources 7-21
  for SecurID and resources 7-22
  for Windows AV and FW 7-23
macro terminals
  branches 6-10
  configuring 7-15
  understanding 6-12
macrocalls
  adding to an access policy 7-16
  understanding 6-11
macros
  adding to an access policy 7-16
  configuring 7-15
  understanding 6-11
  understanding terminals 6-12
management information base
  See also MIB-II MIB.
  See MIB.
mcget command
  using 16-18
memory use statistics 18-14, 18-15, 18-18
message box action 8-17
metrics collection 18-14
MIB
  and device management 18-1
  defined 18-1
  See also MIB-II MIB.
MIB file contents 18-10
MIB file locations 18-1
MIB file types 18-9
MIB files
  defined 18-9
  described 18-1
  downloading 18-2
MIB-II MIB 18-1
MIB-II objects 18-12
minimal patching
  configuring 3-3
minimum log levels 17-1
  defined 17-6
  setting 17-6
mobile client
  configuring settings A-8

N
Net-SNMP 18-1
network access
  and allow local subnet option 2-7
  and client proxy settings 2-8
  and client settings 2-6
  and clients 2-1
  and compression 2-1
  and drive mapping 2-10
  and file and printer sharing option 2-8
  and functionality supported 2-1