version 10.2
MAN-0309-01
Product Version
This manual applies to product version 10.2 of the BIG-IP Access Policy Manager product.
Publication Date
This manual was originally published on May 4, 2010. Revision A was published on February 27, 2012.
Legal Notices
Copyright
Copyright 2007-2012, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.
Trademarks
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, Access Policy Manager, APM, Acopia, Acopia Networks, Application Accelerator, Ask F5, Application Security Manager, ASM, ARX, Data Guard, Enterprise Manager, EM, FirePass, FreedomFabric, Global Traffic Manager, GTM, iControl, Intelligent Browser Referencing, Internet Control Architecture, IP Application Switch, iRules, Link Controller, LC, Local Traffic Manager, LTM, Message Security Module, MSM, NetCelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, SSL Accelerator, SYN Check, Traffic Management Operating System, TMOS, TrafficShield, Transparent Data Reduction, uRoam, VIPRION, WANJet, WAN Optimization Module, WOM, WebAccelerator, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent.
Patents
This product is protected by U.S. Patents 6,505,230, 7,114,180, and 7,349,391. Other patents may be pending.
RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.
FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference. Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.
Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.
Acknowledgments
This product includes software developed by Bill Paul. This product includes software developed by Jonathan Stone. This product includes software developed by Manuel Bouyer. This product includes software developed by Paul Richards. This product includes software developed by the NetBSD Foundation, Inc. and its contributors. This product includes software developed by the Politecnico di Torino, and its contributors. This product includes software developed by the Swedish Institute of Computer Science and its contributors. This product includes software developed by the University of California, Berkeley and its contributors. This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory. This product includes software developed by Christopher G. Demetriou for the NetBSD Project. This product includes software developed by Adam Glass. This product includes software developed by Christian E. Hopps. This product includes software developed by Dean Huxley. This product includes software developed by John Kohl. This product includes software developed by Paul Kranenburg. This product includes software developed by Terrence R. Lambert. This product includes software developed by Philip A. Nelson. This product includes software developed by Herb Peyerl. This product includes software developed by Jochen Pohl for the NetBSD Project. This product includes software developed by Chris Provenzano. This product includes software developed by Theo de Raadt. This product includes software developed by David Muir Sharnoff. This product includes software developed by SigmaSoft, Th. Lockert. This product includes software developed for the NetBSD Project by Jason R. Thorpe. This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com. This product includes software developed for the NetBSD Project by Frank Van der Linden. 
This product includes software developed for the NetBSD Project by John M. Vinopal. This product includes software developed by Christos Zoulas. This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman. In the following statement, "This software" refers to the Mitsumi CD-ROM driver: "This software was developed by Holger Veit and Brian Moore for use with 386BSD and similar operating systems." "Similar operating systems" includes mainly non-profit oriented systems for research and education, including but not restricted to NetBSD, FreeBSD, Mach (by CMU). This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/). This product includes software licensed from Richard H. Porter under the GNU Library General Public License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html. This product includes the standard version of Perl software licensed under the Perl Artistic License (© 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at http://www.perl.com. This product includes software developed by Jared Minch.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product contains software based on oprofile, which is protected under the GNU Public License. This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html) and licensed under the GNU General Public License. This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL). This product includes software developed by the Apache Software Foundation (http://www.apache.org/). This product includes Hypersonic SQL. This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others. This product includes software developed by the Internet Software Consortium. This product includes software developed by Nominum, Inc. (http://www.nominum.com). This product contains software developed by Broadcom Corporation, which is protected under the GNU General Public License.
Table of Contents
1
Introducing BIG-IP Access Policy Manager
Introducing the BIG-IP system ..... 1-1
BIG-IP Local Traffic Manager ..... 1-1
Overview of the BIG-IP Access Policy Manager ..... 1-2
Introducing Access Policy Manager features ..... 1-2
Understanding BIG-IP Access Policy Manager access types ..... 1-4
Working with network access ..... 1-6
Working with web applications ..... 1-8
Working with web application access management ..... 1-10
Using access profiles and policies ..... 1-13
Using authentication in access policies ..... 1-14
Using the Configuration utility ..... 1-16
Overview of components of the Configuration utility ..... 1-17
Getting started with BIG-IP Access Policy Manager ..... 1-18
Using Access Policy Manager configuration wizards ..... 1-18
Following the recommended configuration path ..... 1-22
Possible configuration scenarios ..... 1-23
Finding help and technical support resources ..... 1-24
Finding the Access Policy Manager software version number ..... 1-24
2
Configuring Network Access
Introducing network access ..... 2-1
Reviewing network access features ..... 2-1
Configuring network access settings ..... 2-4
Setting up network access ..... 2-5
Setting DNS and hosts options ..... 2-9
Mapping drives with network access ..... 2-10
Launching applications with network access connections ..... 2-11
Using lease pools ..... 2-13
Configuring traffic control ..... 2-15
3
Configuring Web Applications
Introducing web applications ..... 3-1
Introducing web applications features and operation ..... 3-1
Introducing web applications support ..... 3-2
Understanding proxy and cache functionality ..... 3-4
Understanding web application resource items ..... 3-4
Configuring web applications on Access Policy Manager ..... 3-7
Configuring a rewrite profile ..... 3-10
4
Configuring Web Application Access Management
Introducing web application access management ..... 4-1
Understanding how web application access management works ..... 4-1
Reviewing web application access management options ..... 4-2
Setting timeouts for web application access policy management ..... 4-2
Understanding other web application access management considerations ..... 4-3
Configuring web application access management ..... 4-4
5
Configuring Resources
Understanding resources ..... 5-1
Using access control lists ..... 5-2
Creating access control lists ..... 5-2
Access control list examples ..... 5-5
Using webtops ..... 5-8
6
Understanding Access Policies
Introducing access policies ..... 6-1
Understanding access policy items ..... 6-2
Understanding the access policy start point ..... 6-2
Understanding access policy actions ..... 6-2
Understanding access policy branch rules ..... 6-6
Viewing rules ..... 6-7
Predefined rules ..... 6-8
Understanding access policy branches ..... 6-10
Understanding access policy macros ..... 6-11
Introducing macro terminals ..... 6-12
Introducing access policy endings ..... 6-14
Understanding the allow ending ..... 6-14
Understanding the deny ending ..... 6-14
Understanding the redirect ending ..... 6-15
Understanding session variables ..... 6-16
Using session variables ..... 6-17
7
Creating Access Profiles and Access Policies
Creating an access profile ..... 7-1
Understanding access profile settings ..... 7-1
Understanding configuration settings ..... 7-2
Creating an access profile ..... 7-2
Applying an access policy ..... 7-3
Customizing access profile languages ..... 7-3
Creating an access policy ..... 7-5
Starting the visual policy editor ..... 7-5
Configuring a basic access policy ..... 7-6
Opening an access policy ..... 7-7
Adding actions to an access policy ..... 7-7
Using policy endings ..... 7-8
Applying an access policy configuration ..... 7-12
Understanding available actions and categories ..... 7-13
Understanding general purpose checks ..... 7-13
Understanding authentication actions ..... 7-13
Understanding client-side checks ..... 7-13
Understanding client-side actions ..... 7-14
Understanding server-side checks ..... 7-14
Configuring macros ..... 7-15
Using predefined macro templates ..... 7-17
Using the empty macro template ..... 7-17
Using the AD auth and resources macro template ..... 7-17
Using the AD auth query and resources macro template ..... 7-18
Using the LDAP auth and resources macro template ..... 7-19
Using the LDAP auth query and resources macro template ..... 7-20
Using the RADIUS and resources macro template ..... 7-21
Using the SecurID and resources macro template ..... 7-22
Using the Windows AV and FW macro template ..... 7-23
Using the client classification and prelogon checks macro template ..... 7-25
Backing up and importing access profiles ..... 7-27
8
Configuring General Purpose Access Policy Actions
Introducing general purpose actions ..... 8-1
Configuring general purpose actions in an access policy ..... 8-3
Adding and customizing a logon page ..... 8-3
Adding an external logon page ..... 8-7
Assigning resources ..... 8-9
Assigning variables ..... 8-10
Adding a virtual keyboard to the logon screen ..... 8-13
Adding SSO credential mapping ..... 8-14
Selecting a route domain ..... 8-15
Adding access policy logging ..... 8-16
Adding a message box ..... 8-17
Adding a decision box ..... 8-18
Adding an iRule event ..... 8-19
9
Configuring Client Side Checks and Client Side Actions
Understanding client-side checks ..... 9-1
Setting up antivirus check ..... 9-2
Checking antivirus with the antivirus check access policy item ..... 9-2
Example: Using antivirus check ..... 9-3
Setting up file check ..... 9-6
Checking for a file with the file check access policy item ..... 9-6
Example: Using file check ..... 9-8
Setting up a machine cert auth check ..... 9-10
Understanding machine cert auth check options ..... 9-10
Checking a machine certificate with the machine cert access policy item ..... 9-12
Example: Using machine cert auth check ..... 9-13
Setting up firewall check ..... 9-14
Setting up the firewall check action ..... 9-14
Example: Using firewall check ..... 9-15
Setting up process check ..... 9-17
Setting up process check access policy item ..... 9-17
Example: Using process check ..... 9-17
Setting up registry check ..... 9-19
Expression syntax ..... 9-19
Setting up the registry check action ..... 9-20
Example: Using registry check ..... 9-20
Verifying Windows information ..... 9-22
Setting up Windows info action ..... 9-22
Example: Using Windows info check ..... 9-23
Understanding client-side actions ..... 9-25
Setting up cache and session control ..... 9-26
Setting up the cache and session control access policy item ..... 9-26
Example: Using cache and session control ..... 9-27
Setting up protected workspace ..... 9-30
Setting up the protected workspace access policy item ..... 9-30
Example: Using protected workspace ..... 9-31
Assigning a Windows group policy template ..... 9-34
Understanding Windows group policy templates ..... 9-34
Using predefined Windows group policy templates ..... 9-34
Understanding the regulatory templates ..... 9-37
Working with Windows group policy templates ..... 9-38
Setting up the Windows group policy access policy item ..... 9-39
Example: Using Windows group policy templates ..... 9-40
10
Configuring Server Side Checks
Introducing server-side checks ..... 10-1
Preparing for clients that cannot use client checks ..... 10-1
Checking the landing URI of a client ..... 10-1
Configuring client OS check ..... 10-2
Setting up the client OS check ..... 10-2
Example: Using client OS check ..... 10-3
Configuring UI mode check ..... 10-5
Understanding ActiveSync connections ..... 10-5
Setting up the UI mode access policy item ..... 10-6
Example: Using UI mode check ..... 10-6
Configuring client-side check capability ..... 10-9
Setting up the client-side check capability access policy item ..... 10-9
Example: Using client-side check capability action ..... 10-10
Checking a landing URI with the landing URI check ..... 10-12
Setting up the landing URI access policy item ..... 10-12
Example: Using landing URI check ..... 10-12
11
Configuring Authentication Using AAA Servers
Understanding authentication with Access Policy Manager ..... 11-1
Understanding authentication types: for Active Directory and LDAP ..... 11-1
Understanding different RADIUS operation modes ..... 11-3
RADIUS authentication ..... 11-3
RADIUS accounting ..... 11-4
RADIUS authentication and accounting ..... 11-7
Setting up Access Policy Manager for RADIUS authentication and authorization ..... 11-7
Setting up RADIUS authentication and authorization access policy action item ..... 11-8
Configuring Access Policy Manager for RADIUS accounting ..... 11-13
Setting up RADIUS accounting access policy action item ..... 11-13
Configuring Access Policy Manager for RADIUS authentication and accounting ..... 11-15
Setting up a RADIUS authenticating and accounting access policy action item ..... 11-15
Setting up Access Policy Manager for RSA Native SecurID for authentication and authorization ..... 11-16
Adding the Access Policy Manager as an agent host to an RSA Native SecurID authentication server ..... 11-17
Configuring the Access Policy Manager to use the RSA Native SecurID authentication server ..... 11-18
Setting up RSA Native SecurID authentication and authorization access policy action item ..... 11-19
Using RSA Native SecurID session variables for access policy rules ..... 11-20
Setting up Access Policy Manager for LDAP authentication and authorization ..... 11-21
Setting up an LDAP server ..... 11-21
Configuring LDAP access policy action item for authentication ..... 11-22
Configuring LDAP query policy action item ..... 11-25
Using LDAP session variables for access policy rules ..... 11-26
Example: Using LDAP query and LDAP authentication to authenticate and authorize users ..... 11-28
Troubleshooting LDAP authentication/query ..... 11-29
Setting up Access Policy Manager for Windows Active Directory authentication and authorization ..... 11-31
Configuring Access Policy Manager to set up an Active Directory for authentication ..... 11-31
Configuring Access Policy Manager to access the Active Directory for authentication ..... 11-32
Configuring Access Policy Manager to access the Active Directory action item for query ..... 11-34
Using Active Directory session variables for access policy rules ..... 11-35
Troubleshooting Active Directory authentication/query ..... 11-36
Example: Authenticating and authorizing users with Active Directory query and authentication ..... 11-37
Understanding nested groups ..... 11-38
Setting up Access Policy Manager for HTTP authentication ..... 11-40
HTTP basic authentication ..... 11-40
HTTPS basic authentication ..... 11-41
HTTP NTLM authentication ..... 11-43
HTTP form-based authentication ..... 11-43
Setting up Access Policy Manager for Oracle Access Manager ..... 11-45
Setting up Access Policy Manager for AAA high availability ..... 11-46
Setting up RADIUS high availability authentication and accounting servers ..... 11-46
Setting up LDAP high availability servers for authentication and query ..... 11-49
12 Introducing On-Demand Certificate Authentication
Controlling SSL traffic 12-1
Understanding SSL profiles 12-1
Introducing SSL server certificates 12-2
Introducing SSL On-Demand Certificates 12-2
Understanding On-Demand certificate authentication 12-3
Client certificate inspection 12-3
On-Demand certificate authentication agent 12-4
Configuring client SSL profiles 12-8
Importing a certificate and the corresponding key 12-8
Configuring a clientssl profile 12-8
Using On-Demand Certificates to authenticate users 12-10
Validating certificate revocation status 12-11
Understanding CRLs 12-11
Understanding OCSP 12-12
Configuring an OCSP responder object 12-13
Creating an SSL OCSP profile 12-14
Using CRLDP 12-15
Configuring a CRLDP server object 12-15
Configuring a CRLDP configuration object 12-15
Creating a CRLDP profile 12-16
Table of Contents
13 Introducing Single Sign-On
Introducing Single Sign-On (SSO) with credential caching and proxying 13-1
Introducing Single Sign-On configuration objects 13-1
About credential caching 13-4
Configuring credential caching mapping agent 13-4
About credential proxying 13-5
Configuring credential proxying using HTTP basic authentication method 13-5
Configuring credential proxying using HTTP form-based authentication method 13-6
Configuring credential proxying using NTLM v1 authentication method 13-7
Configuring credential proxying using NTLM v2 authentication method 13-8
About External Access Management 13-9
Configuring OAM authentication method 13-9
Common use cases for Single Sign-On deployment 13-14
Using Single Sign-On for LTM pool members 13-14
Using Single Sign-On for web application access over network access tunnel 13-15
Configuring web applications for single-sign on 13-18
14 Configuring Virtual Servers
Introducing virtual servers with Access Policy Manager 14-1
Configuring virtual servers for access policies 14-2
Creating a virtual server for DTLS 14-3
Configuring a local traffic virtual server with an access policy 14-4
15 Customizing Access Policy Manager Features
Setting up access profile customization 15-1
Understanding endpoint security message customization 15-2
Customizing error messages for the logon process 15-4
Understanding framework installation customization options 15-8
Understanding logon page style customization options 15-9
Understanding logout components 15-13
Customizing a webtop 15-14
Understanding webtop customization fields 15-14
Customizing the BIG-IP Edge Client 15-22
Reviewing client customization settings 15-22
Introducing advanced access policy customization 15-24
Example: Using advanced access policy customization to modify a specific profile 15-24
16 Advanced Topics in Access Policies
Setting up a logon page to collect user credentials 16-1
Understanding the logon page action 16-1
Example: Using a customized logon page to collect user credentials 16-5
Using multiple authentication methods 16-8
Client certificate two-factor authentication 16-8
Example: Using client certificate authentication with Active Directory 16-9
Configuring the client certificate two factor authentication with Active Directory example 16-9
Configuring policy routing 16-11
Setting up route domain selection in an access policy 16-11
Example: Directing users to different route domains 16-13
Configuring the policy routing example 16-13
Using advanced access policy rules 16-17
Understanding advanced access policy rule situations 16-17
Writing advanced access policy rules 16-18
Using a Tcl expression or program as an advanced access policy rule 16-18
Understanding advanced access policy rule limitations 16-19
Editing advanced access policy rules 16-19
Example: Checking that all present antivirus packages are active on the client system 16-23
Writing the example code 16-23
Using this example 16-23
Example: Using a certificate field for logon name 16-25
Writing the example code 16-25
Using this example 16-25
17 Logging and Reporting
Understanding logging 17-1
Introducing logging features 17-1
Understanding log content 17-2
Understanding log types 17-4
Logging system events 17-4
Auditing configuration changes 17-4
Setting log levels 17-6
Setting log levels for auditing events 17-7
Understanding reports 17-9
Displaying reports for current sessions 17-9
Terminating user sessions 17-10
Displaying reports for all sessions 17-10
Using scripts to view reports 17-11
Viewing statistics 17-13
Session statistics 17-13
Access policy result statistics 17-14
Agent type statistics 17-15
Global profile access statistics 17-18
PPP global statistics 17-19
Session info (access info) statistics 17-19
Monitoring system and user information 17-21
Viewing the Access Policy Manager dashboard 17-21
18 Configuring SNMP
Introducing SNMP administration 18-1
Reviewing an industry-standard SNMP implementation 18-1
Reviewing the Access Policy Manager system SNMP implementation 18-1
Summarizing SNMP configuration on the Access Policy Manager system 18-2
Configuring the SNMP agent 18-3
Configuring client access 18-3
Controlling access to SNMP data 18-5
Configuring traps 18-7
Working with SNMP MIB files 18-9
Downloading SNMP MIB files 18-10
Understanding the enterprise MIB files 18-10
Collecting performance data 18-14
Collecting data on memory use 18-15
Collecting data on active connections 18-15
Collecting data on new connections 18-16
Collecting data on throughput 18-17
Collecting data on HTTP requests 18-17
Collecting data on RAM Cache utilization 18-18
Collecting data on CPU use 18-18
Collecting data on SSL transactions per second 18-20
Additional commands used for SNMP 18-20
A Configuring BIG-IP Access Policy Manager clients
Understanding the BIG-IP Edge client A-1
Introducing BIG-IP Edge Client features A-1
Understanding client components on Windows systems A-2
Configuring connectivity profiles A-4
Understanding connectivity profile compression settings A-4
Configuring connectivity profile client settings A-5
Configuring connectivity profile mobile client settings A-8
Downloading client components A-8
Customizing client download packages A-9
Using the component installer package to preinstall client components A-11
Downloading the FullArmor GPAnywhere for VPN component A-12
Using Macintosh and Linux clients with Access Policy Manager A-13
Introducing supported network access features A-13
Configuring the starting of applications on Macintosh or Linux clients A-13
Installing the client on Macintosh and Linux systems A-14
Establishing client connections A-16
Installing the BIG-IP Edge Client for Windows A-16
Connecting with the BIG-IP Edge Client A-16
Viewing standalone client traffic and statistics A-17
Using the client troubleshooting utility A-20
B Access Policy Example
Introducing the example access policy B-1
Example: Assigning resource groups based on Active Directory attributes B-2
Configuring resources B-2
Configuring the network access resources B-4
Configuring the access profile, macro, and access policy B-6
C Session Variables
Introducing session variables C-1
Introducing Tcl C-2
Standard operators C-2
Session variables reference C-4
Special purpose user session variables C-10
Network access resource variable attributes C-12
D Using Access iRule Events
Introducing iRules D-1
What is an iRule? D-1
Basic iRule elements D-2
Understanding ACCESS iRules D-4
ACCESS_SESSION_STARTED D-4
ACCESS_POLICY_COMPLETED D-5
ACCESS_ACL_ALLOWED D-5
ACCESS_ACL_DENIED D-5
Using ACCESS_ACL_DENIED D-5
ACCESS_SESSION_CLOSED D-6
ACCESS_POLICY_AGENT_EVENT D-6
Understanding ACCESS iRule Commands D-7
ACCESS::disable D-7
ACCESS::session commands D-7
ACCESS::policy commands D-8
E Troubleshooting
Introducing troubleshooting E-1
Example: Changing log levels E-1
Example: Understanding log messages for endpoint security check failures E-2
Example: Understanding log messages for authentication failures E-4
Example: Using the adminreporting utility E-5
Example: Understanding the logging action utility in the visual policy editor E-6
Example: Viewing logging history E-7
Introducing Access Policy Manager log messages E-8
Introducing Kerberos error messages E-21
Glossary
Index
1 Introducing BIG-IP Access Policy Manager
Introducing the BIG-IP system
Overview of the BIG-IP Access Policy Manager
Understanding BIG-IP Access Policy Manager access types
Using access profiles and policies
Using the Configuration utility
Getting started with BIG-IP Access Policy Manager
Finding help and technical support resources
1-1
Chapter 1
Standard Web browser support
Access Policy Manager can be used with most standard browsers that support secure HTTP (also known as HTTPS). These include Internet Explorer, Safari, and Firefox.

Privacy
The Access Policy Manager supports common encryption technologies, including RC4, Triple DES, and AES. It uses standard SSL encryption from the client browser to the Access Policy Manager.

Authentication
The Access Policy Manager can perform authentication, authorization, and accounting (AAA), using standard AAA methods, including LDAP directories, Microsoft Active Directory and Microsoft Windows Domain servers, RADIUS servers, and HTTP authentication. The Access Policy Manager supports native RSA SecurID authentication. In addition, the controller can use signed client digital certificates to authenticate devices.

Client-side checks
The Access Policy Manager provides a broad set of client-side checks, such as client integrity checking, browser cache cleaner, secure virtual keyboard, and support for a large number of antivirus and firewall packages.

Visual policy editor
To facilitate access policy definition, the Access Policy Manager provides a built-in, graphically based policy editor, which eases management and supports a visual audit of security access policies.

Administration
The Access Policy Manager provides a web-based Configuration utility. The Configuration utility includes tools for managing the Access Policy Manager, configuring secure access, creating and assigning resources, generating and installing certificates, and customizing the remote client user interface.
Web application access management
With Access Policy Manager, you can configure authentication and access control for a web application behind a local traffic virtual server. Using web application access management, you create an access policy for a new or existing local traffic virtual server to provide authentication, access control, and endpoint security for the web application.

Network access
With Access Policy Manager, you can configure a network access VPN connection for remote access. Using network access, you create an access policy and a local traffic virtual server so that end users can establish a full VPN connection to internal network resources.

Web application access
With the Access Policy Manager, you can configure a remote access connection to one or more internal web applications. Using web applications, you create an access policy and a local traffic virtual server so that end users can access internal web applications through a single external virtual server. Use this if you need to provide secure extranet access to internal web applications without creating a full VPN connection.

Audit trail
The Access Policy Manager provides audit tools, including full-session audit trails, drill-down session queries, and customizable reports and queries.

High availability
You can configure Access Policy Managers to fail over to standby controllers, ensuring availability for users.

Scalability
Access Policy Manager integrates with the BIG-IP system to support large-scale, high-performance deployments, providing universal, secure access for remote, wireless, and internal network users.

BIG-IP system module
The Access Policy Manager runs as a module of the BIG-IP system. This integration provides a uniform framework that enables users to combine access policy features with other BIG-IP modules, such as WebAccelerator and Application Security Manager.

Client support
The Access Policy Manager includes web client support for many different systems, including Macintosh and Linux.

BIG-IP Edge Client
Access Policy Manager is compatible with the BIG-IP Edge Client, a standalone secure client with robust connection features.
Table 1.1 Configuration elements for Access Policy Manager access types

Table 1.1 lists, for each of the three access types (network access, web applications, and web application access management), which of the following configuration elements the access type uses: access profile and access policy, connectivity profile, rewrite profile, network access resource, web applications resource, authentication, ACLs, client checks, and webtop. Of the table's cells, only the web application access management column is legible in the extracted page: web application access management can use an existing local traffic manager virtual server, or create a specific one with the wizard; it requires a pool with at least one member; it requires an access profile and access policy; and it uses neither a connectivity profile nor a rewrite profile. The remaining Yes/No cells for the network access and web applications columns are not recoverable from the extracted text.
Figure 1.1 shows the configuration flow for the three types of access on Access Policy Manager.
A client system can only connect using one of these configuration types at a time. However, you can configure multiple access types, and Access Policy Manager can dynamically determine the access type to provide during the access policy process, after the session starts. Sections following describe each access type and scenario.
The access policy for this scenario is very simple, and contains only one item: a resource assign action that assigns the network access resource, the network access webtop, and any ACLs. The access policy is shown in Figure 1.3. An example resource assign action for this policy is shown in Figure 1.4.
Figure 1.4 Resource assign action configured for network access and an ACL
• an access profile and an access policy that assigns the web applications resource and the web applications webtop
• a virtual server that specifies particular web applications settings, including the rewrite profile and the access profile
The objects that define this simple web applications scenario are related as shown in Figure 1.5.
The access policy for this scenario is very simple, and contains only one item: a resource assign action that assigns the web applications resource and the web applications webtop. This access policy, as it appears in the visual policy editor, is shown in Figure 1.6. An example resource assign action for this policy is shown in Figure 1.7.
Figure 1.7 Resource assign action configured for web applications and an ACL
The access policy for this scenario contains a start point, a resource assign action, and an allow ending. You assign one or more ACLs to the access policy with the resource assign action, and by doing so you control access to the local traffic management virtual server. For a web application access management connection, no network access or web applications resource is assigned, and no webtop is assigned. This access policy appears in the visual policy editor as shown in Figure 1.9. An example resource assign action for this policy, with only an ACL assigned, is shown in Figure 1.10.
Figure 1.9 Basic web application access management policy with ACLs
Figure 1.10 Resource assign action for web application access management, configured for an ACL only
The basic access policy in Figure 1.11 includes actions that have successful and fallback rule branches (Antivirus Check, Firewall Check, Active Directory authentication), and actions that have single rule branches (Logon Page and Resource Assign). You select an access profile in a virtual server definition, and the access policy associated with that access profile starts when a client connects to the virtual server. Access Policy Manager creates a blank access policy for every access profile. You can configure the access policy to dynamically assign objects to the user when the session starts, to determine the resources a user connects to, and to perform authentication and check client integrity. You can add logic and functionality to the access policy using configurable access policy items, and configure branches that change the flow of the policy. You can specify a web application or network access resource and webtop for the user as well. For more information on access policy structure and configuration, see Chapter 6, Understanding Access Policies, and Chapter 7, Creating Access Profiles and Access Policies.
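As an added illustration of how a branch rule gates the flow described above (this expression is not from the guide; see Chapter 16 for advanced rules and Appendix C for the variables each agent sets), the following Tcl expression is the kind of rule you could attach to the successful branch after the Active Directory authentication and Antivirus Check actions, so that one branch requires both results. The session variable names used here are assumed for the example and should be checked against Appendix C before use.

```tcl
# Added example of an advanced access policy branch rule (not from this guide).
# APM evaluates the rule as a Tcl expression; a true result follows this branch,
# a false result falls through to the Fallback branch. The variable names are
# assumed for illustration; verify them against the session variable reference.
expr {
    [mcget {session.ad.last.authresult}] == 1 &&
    [mcget {session.check_antivirus.last.result}] == 1
}
```

Because mcget returns an empty string for a variable that no agent has set, a session that never reached one of the two actions compares as not equal to 1 and takes the Fallback branch, which is the behavior you want: an unset check must not count as a passed check.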
Figure 1.12 Simple access policy for web application access management
Figure 1.13 Access policy items in the Configuration utility navigation pane
The identification and messages area
The identification and messages area of the Configuration utility is the screen region above the navigation pane, the menu bar, and the body. In this area, you find the system identification, including the host name and management IP address. This area is also where certain system messages display, for example Apply Access Policy, which appears when you need to activate an access policy.

The navigation pane
The navigation pane, on the left side of the screen, contains the Main tab, the Help tab, and the About tab. The Main tab provides links to the major configuration objects. The Help tab provides context-sensitive help for each screen in the Configuration utility. The About tab provides a quick way to view commonly used configuration objects.

The menu bar
The menu bar, which is below the identification and messages area and above the body, provides links to the additional configuration objects within each major object.

The body
The body is the screen area where the configuration settings display.
The system includes online help for every screen in the wizard. To view the online help, click the Help tab in the navigation pane.
Determine client-system security requirements. For more information, see Understanding client-side checks, on page 9-1.

Identify the authentication mechanism. The Access Policy Manager supports external authentication. You can select from a number of authentication methods, depending on the security setup you employ. These include Active Directory, RADIUS, LDAP, and certificate-based security. If you are not sure which type of authentication you want, review Understanding authentication with Access Policy Manager, on page 11-1. If you already have an authentication mechanism in place and you want to use it for verifying user identity, you can read more in Chapter 11, Configuring Authentication Using AAA Servers, and Chapter 12, Introducing On-Demand Certificate Authentication.

Configure network access resources with the applications and functionality you want to provide, or create web application resources for your users. For web application access management applications, you do not create web applications or network access resources or webtops. For more information, you can review the content in Chapter 2, Configuring Network Access, Chapter 3, Configuring Web Applications, or Chapter 4, Configuring Web Application Access Management.

Create ACLs for users. For more information, see Chapter 5, Configuring Resources.

Create an access profile and access policy that you can associate with your virtual server, to give your clients secure access. For more information, see Chapter 7, Creating Access Profiles and Access Policies.

Assign resources to users. For more information, see Assigning resources, on page 8-9.

Test user connectivity. This is a good place to stop and test to make sure that users can connect to the Access Policy Manager. To do so, open a new browser window and log on using a logon account that you know exists.

Create client SSL profiles for users. For more information, see Configuring client SSL profiles, on page 12-8.

Define your virtual server. See Chapter 14, Configuring Virtual Servers.

Create advanced access policies, for more complex secure access scenarios. For more information, you can review the content in Chapter 16, Advanced Topics in Access Policies, and in the BIG-IP Module Interoperability Implementations Guide.

Read sample how-to scenarios. For more information, see Appendix B, Access Policy Example.
To authenticate users from an authentication server
If you have an authentication mechanism in place and you want to use it to verify user identity, you can read more in Chapter 11, Configuring Authentication Using AAA Servers.
To gather information from client systems
If you want to specify requirements for client systems to determine authentication (whether to grant user access) and authorization (which resources to grant access to), you can read more in Chapter 9, Configuring Client Side Checks and Client Side Actions.
To configure the resources, applications, and functionality you want to provide
If you prefer to start with the resources, applications, and functionality that you want to provide to your users, you can read more in Chapter 5, Configuring Resources, Chapter 2, Configuring Network Access, and Chapter 3, Configuring Web Applications.
To learn about logging with the Access Policy Manager
If you want to get a head start on understanding the ongoing operations and logging functionality provided with the Access Policy Manager, review content in Chapter 17, Logging and Reporting.
To set up certificates on the server
If you are ready to set up and install server certificates for the Access Policy Manager, read more in Chapter 12, Introducing On-Demand Certificate Authentication.
To see access policy examples
If you want exposure to sample policies with step-by-step examples, see Appendix B, Access Policy Example, and Chapter 16, Advanced Topics in Access Policies.
Chapter 1
The BIG-IP Systems: Getting Started Guide describes how to initially set up, configure, and license your BIG-IP system. Before you set up the Access Policy Manager for the first time, we recommend that you read this guide in its entirety to become familiar with the product features, and the procedures for provisioning and licensing features.
Release notes
Release notes containing the latest information for the current version of the Access Policy Manager are available on the F5 Networks Technical Support web site, https://support.f5.com. This site includes release notes for current and previous versions of the Access Policy Manager.
Online help for Access Policy Manager features
You can find help online for all screens on the Configuration utility. To open the context-sensitive help in the Configuration utility, click the Help tab in the left navigation pane. To get help on a screen in the visual policy editor, click the Help button.
F5 Networks Technical Support web site
The F5 Networks Technical Support web site, https://support.f5.com, provides the latest technical notes, answers to frequently asked questions, release notes and release note updates, and the Ask F5SM Knowledge Base. You can also find all the guides in PDF format.
Table 1.2 Properties and Operations table listing the version number
2
Configuring Network Access
Introducing network access
Configuring network access settings
Using lease pools
Configuring traffic control
Full access from any client - Provides Windows, Macintosh, Linux, and Windows Mobile users with access to the complete set of IP-based applications, network resources, and intranet files available, as if they were working at their desktop in the office.
Split tunneling of traffic - Provides control over exactly what traffic is sent over the network access connection to the internal network and which is not. This feature provides better client application performance by allowing connections to the public Internet to go directly to the destination, rather than being routed down the tunnel and then out to the public Internet.
Client checking - Detects operating system and browser versions, antivirus and firewall software, registry settings, and processes, and checks files during logon to ensure the client configuration meets the organization's security policy for remote access.
Compression of transferred data - Utilizes GZIP compression to compress traffic before it is encrypted, reducing the number of bytes transferred between the Access Policy Manager and the client system, improving performance.
Routing table monitoring - Monitors changes made in the client's IP routing table during a network access connection. You can configure this feature to halt the connection if the routing table changes, helping prevent possible information leaks. This feature applies to Windows clients only.
Chapter 2
Session inactivity detection - Closes network access connections after a configurable period during which traffic stays below an inactivity threshold. This feature helps prevent security breaches.
Automatic applications start - Starts a client application automatically after establishing the network access connection. This feature simplifies user access to specific applications or sites.
Automatic drive mapping - Connects the user to a specific drive on the intranet. This feature simplifies user access to files. Note: automatic drive mapping is available only for Windows clients.
Connection-based ACLs - Filters network traffic by controlling whether packets are allowed, discarded, or rejected, based on criteria specified. For example, connections can be filtered by Layer 4 properties like source and destination IP address and port, protocol (TCP or UDP), and Layer 7 properties like scheme, host name, and paths. ACLs also support auditing capabilities with logging. ACLs allow groups of users or access policy users to have access to full client-server application support without opening up the entire network to each user.
Dynamic IP address assignment - Assigns client endpoint IP addresses dynamically from a configured pool of addresses. IP addresses can also be assigned with an external AAA server attribute.
Traffic classification, prioritization, and marking - Provides the ability to classify and prioritize traffic to ensure levels of service to users with defined characteristics.
6. Configure applications to launch for the network access resource on the Launch Applications tab. For detailed information on these settings, see Launching applications with network access connections, on page 2-11.
connection usually receives the next IP address available from the lease pool, or is assigned an address with another method. Once the client gets an IP address, that IP address is typically what the end device sees. For example, if a network access client is dynamically assigned the address 10.1.1.1 from the lease pool, and the SNAT Pool setting is None, when the user connects to an internal server, the source address seen by the internal server is 10.1.1.1. In the same situation, if the SNAT Pool setting is Automap, the address seen by the internal server is the internal address of the Access Policy Manager. For many client-server applications, SNAT Automap is adequate. However, it is not supported by Microsoft networking, and SNAT automapping may not be sufficient for network access connections with large numbers of client users. For these more advanced situations, you can create an SNAT pool, then select the name of the SNAT pool from the SNAT Pool list. By default, SNAT automapping is enabled. With SNAT automapping enabled, active FTP connections fail, so you can only use passive FTP. To use active FTP, you must use a routed configuration. If you select None, make sure that your back-end servers are configured to route responses back to the device. If you must use active FTP, set the SNAT Pool option to None. For more information on SNAT automapping, see the Configuration Guide for BIG-IP Local Traffic Manager.
Session Update Threshold - Defines the average byte rate that either ingress or egress tunnel traffic must exceed, in order for the tunnel to update a session. If the average byte rate falls below the specified threshold, the system applies the inactivity timeout, which is defined in the Access Profile, to the session.
Session Update Window - Defines the value that the system uses to calculate the EMA (Exponential Moving Average) byte rate of ingress and egress tunnel traffic.
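The following is an added example, not code from the manual or from F5, of how the Session Update Threshold and Session Update Window settings described above can be modelled: an exponential moving average of the ingress and egress byte rates is compared against the threshold, and the access profile's inactivity timeout only counts down while both rates stay below it. The EMA formula, the reading of the window as a smoothing period in seconds, and the per-direction check are assumptions; the manual states only that an EMA byte rate is compared with the threshold.

```python
# Added example, not F5 code: models how a Session Update Threshold and a
# Session Update Window might decide whether tunnel traffic keeps a network
# access session alive. The EMA formula, the meaning of the window as a
# smoothing period in seconds, and the per-direction check are assumptions.
import math
from dataclasses import dataclass


@dataclass
class TunnelSessionMonitor:
    update_threshold: float      # Session Update Threshold, bytes per second
    update_window: float         # Session Update Window, assumed EMA period in seconds
    inactivity_timeout: float    # inactivity timeout from the access profile, seconds
    ema_ingress: float = 0.0     # smoothed ingress byte rate
    ema_egress: float = 0.0      # smoothed egress byte rate
    idle_seconds: float = 0.0    # time spent below the threshold since the last update

    def _smooth(self, previous: float, sample: float, interval: float) -> float:
        # Continuous-time EMA: the weight of the new sample grows with the
        # sampling interval relative to the window (assumption).
        alpha = 1.0 - math.exp(-interval / self.update_window)
        return previous + alpha * (sample - previous)

    def observe(self, ingress_bytes: int, egress_bytes: int, interval: float) -> str:
        """Record one sampling interval; return "active", "idle" or "expired"."""
        self.ema_ingress = self._smooth(self.ema_ingress, ingress_bytes / interval, interval)
        self.ema_egress = self._smooth(self.ema_egress, egress_bytes / interval, interval)
        # Either direction exceeding the threshold updates the session.
        if max(self.ema_ingress, self.ema_egress) >= self.update_threshold:
            self.idle_seconds = 0.0
            return "active"
        # Below the threshold the inactivity timeout clock runs.
        self.idle_seconds += interval
        return "expired" if self.idle_seconds >= self.inactivity_timeout else "idle"


def simulate_burst_then_silence(silent_intervals: int = 45) -> list:
    """Constructed input: one second carrying 50 kB of ingress, then silence,
    sampled once per second. Returns the per-second session state."""
    monitor = TunnelSessionMonitor(update_threshold=1000, update_window=10, inactivity_timeout=30)
    states = [monitor.observe(50_000, 0, 1.0)]
    for _ in range(silent_intervals):
        states.append(monitor.observe(0, 0, 1.0))
    return states


if __name__ == "__main__":
    for second, state in enumerate(simulate_burst_then_silence()):
        print(f"t={second:>2}s {state}")
```

With these constructed settings the smoothed rate decays below the threshold roughly 16 seconds after the burst, and the session expires only after a further 30 seconds below it, which is the behaviour the two settings are meant to give: a short burst keeps an otherwise quiet tunnel open for a bounded time.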
Basic/Advanced Basic view shows only Traffic Options (split tunneling), Client Side Security options, Allow Local Subnet options, and Client Options. By default, the option Force all traffic through tunnel is enabled. Basic view also shows settings for LAN Address Space and DNS Address Space if you select Use split tunneling for traffic. You must select the Advanced view to configure DTLS mode, specify a client traffic classifier, or specify an exclude address space with split tunneling.
Use split tunneling for traffic - Directs through the network access tunnel all network traffic that is destined for the LAN, specifically, the address specified in the LAN address space box. A tunnel is a secure connection between computers or networks over a public network. When you configure split tunneling, the Access Policy Manager directs all other traffic out of the local network connection. You can configure the LAN address space, the DNS address space, and the Exclude address space (in Advanced mode only), when you enable split tunneling.
LAN address space - Provides a list of addresses or address/mask pairs describing the target LAN. When you use split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for network access. You can add multiple address spaces and network masks to the list in their respective boxes, one at a time.
DNS address space - Provides a list of names describing the target LAN DNS addresses. This box appears only if you use split tunneling. You can add multiple address spaces to the list, one at a time.
Exclude address space - Specifies addresses for traffic that is not forced through the tunnel, when you use split tunneling. Use this to exclude an address or range of addresses from the LAN address space.
Force all traffic through tunnel - Routes all traffic (including traffic to the local subnet) through the tunnel. In this case, there is no local subnet. Users cannot access local resources, such as their printers at home, until they disconnect from network access. This is useful if you want to limit access to certain sites while the user is connected through the network access connection.
Allow Local Subnet - Check this box to permit local subnet access and local access to any host or subnet in routes that you have specified in the client routing table. If you select this option, clients cannot use the integrated IP filtering engine.
Client Side Security - Use these settings to configure options for the client on the tunneled network. The settings available are:
Prohibit routing table changes during Network Access connection - This option terminates client connections when the client's IP routing table changes during a network access session.
Integrated IP filtering engine - Select this option to protect the VPN from outside traffic (traffic generated by network devices on the client's LAN) and to ensure that the VPN traffic is not leaking to the client's LAN.
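As an added example (not code from the manual or from F5), the routing decision implied by the split-tunneling settings above can be written out explicitly: excluded ranges are carved out of the LAN address space, Force all traffic through tunnel sends everything down the tunnel unless Allow Local Subnet keeps the client's own subnet reachable, and the DNS address space decides which names are resolved through the tunnel. The address lists are constructed, and the order in which the real client applies these checks is an assumption.

```python
# Added example, not F5 code: a client-side routing decision modelled on the
# split-tunneling settings (LAN address space, Exclude address space, Force
# all traffic through tunnel, Allow Local Subnet, DNS address space).
# Address lists are constructed; the check order is an assumption.
import ipaddress
from typing import Iterable, List


def _parse(spaces: Iterable[str]) -> List[ipaddress.IPv4Network]:
    # Accepts "10.0.0.0/8", "10.0.0.0/255.0.0.0" or a bare host address.
    return [ipaddress.ip_network(s, strict=False) for s in spaces]


class SplitTunnelPolicy:
    def __init__(self, lan_address_space=(), exclude_address_space=(),
                 dns_address_space=(), force_all=False, allow_local_subnet=False,
                 local_subnets=()):
        self.lan = _parse(lan_address_space)
        self.exclude = _parse(exclude_address_space)
        self.dns_suffixes = [s.lower().strip(".") for s in dns_address_space]
        self.force_all = force_all
        self.allow_local_subnet = allow_local_subnet
        self.local_subnets = _parse(local_subnets)   # the client's own subnet(s)

    def route_for(self, destination: str) -> str:
        """Return "tunnel" or "local" for an IPv4 destination address."""
        dst = ipaddress.ip_address(destination)
        if self.force_all:
            # Everything goes down the tunnel unless Allow Local Subnet is
            # checked and the target sits on the client's own subnet.
            if self.allow_local_subnet and any(dst in n for n in self.local_subnets):
                return "local"
            return "tunnel"
        # Split tunneling: exclusions are carved out of the LAN address space.
        if any(dst in n for n in self.exclude):
            return "local"
        if any(dst in n for n in self.lan):
            return "tunnel"
        return "local"

    def dns_via_tunnel(self, name: str) -> bool:
        """True when a name falls under the DNS address space and is resolved through the tunnel."""
        name = name.lower().rstrip(".")
        return any(name == s or name.endswith("." + s) for s in self.dns_suffixes)


if __name__ == "__main__":
    policy = SplitTunnelPolicy(lan_address_space=["10.0.0.0/8"],
                               exclude_address_space=["10.99.0.0/16"],
                               dns_address_space=["corp.example"])
    for ip in ("10.1.1.1", "10.99.4.2", "8.8.8.8"):
        print(ip, "->", policy.route_for(ip))
```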
Allow access to local DHCP server Check this box if you want to allow clients to obtain renewed IP addresses from their local DHCP servers when their DHCP leases expire. This is used when the option Integrated IP filtering engine is enabled.
Client Traffic Classifier - Specifies a client traffic classifier to perform client traffic control. For more information, see Configuring traffic control, on page 2-15.
Client Options - Use these settings to configure Microsoft Networking options for the client.
Client for Microsoft Networks - Select this option to allow the client PC to access remote resources over a VPN connection. For example, the user can access shared network drives on the remote network.
File and printer sharing for Microsoft Networks - Select this option to allow remote hosts to access shared resources on the client system over the VPN connection. For example, users on the remote network can access files on the client's computer.
Provide client certificate on Network Access connection when requested - If client certificates are required to establish an SSL connection, this option must always be enabled. However, you can disable this option if the client certificates are requested only in an SSL session. If the client certificates are requested, but not required, to establish the SSL connection, the client is not configured to send client certificates.
Reconnect To Domain - Select the check box Synchronize with Active Directory policies on connection establishment to synchronize the client with the Active Directory network policies when the connection is established. This option, when checked, enables a second check box, Execute logoff scripts on connection termination. Select this check box to run logoff scripts configured on the Active Directory domain when the connection is terminated.
Client Interface Speed - Type the interface rate to display for secured client connections in bytes per second. The default rate is 100000000 bits per second. The rate you specify in this box is for display only, and does not affect the actual speed of the network access connection.
DTLS - Select this option to use Datagram Transport Layer Security with the network access connection. This option uses UDP as the transport to provide better throughput for latency-sensitive applications like VoIP or streaming video, especially with lossy connections. If the port used by DTLS is blocked by an intermediate firewall or gateway, or not available, the connection automatically falls back to TLS or SSL.
If you enable the DTLS option, you must configure another virtual server for DTLS with the same IP address as the TCP virtual server to which a user connects to start the Access Policy Manager session. See Creating a virtual server for DTLS, on page 14-3, for more information. DTLS Port Type the port number that the network access resource uses for secure UDP traffic with DTLS. The default port is 4433.
Client proxy settings - Directs network access clients to work through the specified proxy server on the remote network. This option requires the client computer to have Internet Explorer 5.0 or later installed. These options are available only when using the Advanced setting, when you select the Client proxy settings option.
Client Proxy Uses HTTP for Proxy Autoconfig Script - Some applications, like Citrix MetaFrame, cannot use the client proxy autoconfig script when the browser attempts to use the file:// prefix to locate it. Select this option to specify that the browser use http:// to locate the proxy autoconfig file, instead of file://.
Client Proxy Autoconfig Script - Contains the URL of the proxy-autoconfiguration script.
Client Proxy Address and Client Proxy Port - Contains the address and port number of the proxy server you want network access clients to use to connect to the Internet.
Bypass Proxy For Local Addresses - Indicates whether you want to use the proxy server for all local (intranet) addresses.
Client Proxy Exclusion List - Contains the web addresses that do not need to be accessed through the proxy server. You can use wildcard characters to match domain and host names or addresses. For example, you could specify www.*.com, 128.*, 240.*, *., mygroup.*, *x*, and so on. You can add each item separately.
Primary and Secondary Name Servers - Represents the IP addresses of the DNS server that network access assigns to the remote user. These should represent the DNS server or servers that the internal company network uses.
Primary and Secondary WIN Servers - Represents the IP addresses of the WINS server to be conveyed to the remote access point. These are needed for Microsoft Networking to function fully. For fully functioning Microsoft network share browsing, you should configure the network access connection to use an SNAT pool. For more information, see Configuring network access settings, on page 2-4.
DNS Default Domain Suffix - Represents the DNS suffix to use on the client computer. If you do not specify a default domain suffix, network access uses the first suffix from the Access Policy Manager server DNS setting.
Static Hosts - Here you can add, edit, and delete static host names. With static hosts, you can configure a list of static hosts for the network access client to use. The static hosts you configure modify a client computer's local hosts table and override the configured DNS server, so you should use them only when you need to augment or override the existing DNS. You can also use static hosts when the client machine is locked down, and the DNS relay service is installed, to provide host resolution. For this file-change operation, users on Windows platforms must have local administrative rights to modify the hosts file during the connection, or the administrator must change the attributes of the hosts file to allow non-administrative modification, or the system must have the DNS Relay service installed. Static hosts are supported on Windows clients only.
Drive mapping is supported only for clients with Windows operating systems.
Use an IP address instead of a NetBIOS name - For example, specify \\192.168.191.1\share instead of \\server\share.
Use fully qualified DNS names - For example, specify \\server.domain.com\share instead of \\server\share.
Check the default domain suffix - Make sure that the Access Policy Manager is configured with the proper DNS suffixes.
Try the operation again - Advise users to retry mapping. Subsequent mapping attempts usually succeed after a 30 to 40-second delay. To retry, have the user click the Relaunch button in the user's network access popup window. The relaunch option is available only with the web client, not with the BIG-IP Edge Client.
Parameters:
http://internal_application.siterequest.com
This example starts the Microsoft Terminal Server client against an internal terminal server.
Application Path:
%SystemRoot%\System32\mstsc.exe
Parameters:
/v:internalterminalserver.siterequest.com /f
Parameters:
\\domain_controller_ip_address %username%
or
domain_name %username%
The domain_name entry represents the target domain name, and the domain_controller_ip_address entry represents the IP address of the domain controller.
To add a range of IP addresses, in the Member List area, select IP Address Range for the type. In the Start IP Address box, type the first IP address, and in the End IP Address box, type the last IP address. Click the Add button. To delete an IP address or IP address range, select the IP address or IP address range in the member list, and click the Delete button. 4. To save the lease pool, click the Update button. 5. To delete the lease pool, click the Delete button, then click OK on the dialog that appears.
Shape - Delays packets submitted for transmission until they conform to the specified traffic profile.
Discard - Discards packets that do not conform to the specified traffic control profile.
Borrow - Allows traffic on the client rate class to borrow resources from other flows that are temporarily idle. Traffic that borrows resources is marked as nonconforming, and receives a lower priority.
After you configure a client rate class using the procedure in To configure traffic shaping with a client rate class, on page 2-16, you define a client traffic classifier, in which you select that client rate class, using the procedure To create a client traffic classifier, on page 2-17. Next, you assign the client traffic classifier to a network access resource. The client rate class rate shaping features are then applied to traffic that matches the criteria defined in the client traffic classifier filter.
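The three behaviours above differ only in what happens to a packet that exceeds the rate class. The following added example (not code from the manual or from F5) makes that difference concrete with a token bucket: conforming packets are sent at once, and a nonconforming packet is either held back until enough tokens accrue (shape), dropped (discard), or sent immediately but flagged nonconforming so it can be given lower priority (borrow). Treating the rate class as a token bucket with a base rate and a burst size is an assumption; the manual describes only the observable behaviour of each mode.

```python
# Added example, not F5 code: a token-bucket model of the shape, discard and
# borrow behaviours of a client rate class. Modelling the class as a bucket
# with a base rate and burst size is an assumption.
from dataclasses import dataclass, field
from typing import Tuple


@dataclass
class ClientRateClass:
    rate: float               # conforming rate, bytes per second
    burst: float              # bucket depth, bytes
    mode: str                 # "shape", "discard" or "borrow"
    tokens: float = field(init=False)
    clock: float = 0.0        # time of the last refill, seconds

    def __post_init__(self) -> None:
        if self.mode not in ("shape", "discard", "borrow"):
            raise ValueError(f"unknown mode {self.mode!r}")
        self.tokens = self.burst

    def _refill(self, now: float) -> None:
        # In shape mode `clock` may sit in the future (packets already queued),
        # so elapsed time can be negative and the queue stays FIFO.
        self.tokens = min(self.burst, self.tokens + (now - self.clock) * self.rate)
        self.clock = now

    def submit(self, size: int, now: float) -> Tuple[str, float, bool]:
        """Return (verdict, send_time, conforming) for a packet of `size` bytes."""
        self._refill(now)
        if size <= self.tokens:
            self.tokens -= size
            return ("send", now, True)
        deficit = size - self.tokens
        if self.mode == "discard":
            return ("drop", now, False)            # nonconforming packet is discarded
        if self.mode == "shape":
            delay = deficit / self.rate            # hold until enough tokens accrue
            self.tokens = 0.0
            self.clock = now + delay
            return ("send", now + delay, True)     # sent later, conforming
        # borrow: transmit now on capacity idle elsewhere, marked nonconforming
        self.tokens = 0.0
        return ("send", now, False)


if __name__ == "__main__":
    for mode in ("shape", "discard", "borrow"):
        rc = ClientRateClass(rate=1000, burst=1000, mode=mode)
        rc.submit(1000, 0.0)                       # drains the burst allowance
        print(mode, rc.submit(500, 0.0))           # second packet exceeds the class
```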
3
Configuring Web Applications
Introducing web applications
Configuring web applications on Access Policy Manager
Configuring a rewrite profile
Chapter 3
Figure 3.1 The web applications functionality of the Access Policy Manager
In the web applications rewriting implementation, the string /f5-w-<mangled scheme://host:port> is prefixed to every HTML link or dynamic URL. This provides the required multiplexing behavior on a single Access Policy Manager. For example, assume content from a server contains:
<a href=http://server.company.com/link.htm>Click Here</a>
In addition to URLs, the Access Policy Manager handles cookies on the server to provide client features, but they are not passed to the client.
In minimal patching mode, if your web application sets cookies, the cookie domain must match the virtual server domain.
Note: If your web application does not use SSL, do not configure the virtual server with the Server SSL profile serverssl.
You can configure minimal patching for two modes:
Scheme Patching - Specifies a method of patching that replaces all HTTP scheme addresses with HTTPS scheme addresses.
Host Patching - Specifies a method of patching where a host or multiple hosts, typically the actual application server host name, is replaced with another host, the Access Policy Manager virtual server. You can specify multiple hosts separated with spaces for host search strings. The host replace string must be the Access Policy Manager virtual server IP address or fully qualified domain name (FQDN).
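To make the difference between full rewriting and minimal patching concrete, here is an added example (not code from the manual or from F5) covering both the /f5-w- link rewriting described earlier in this chapter and the scheme and host patching modes just listed. The manual does not say how the scheme://host:port origin is "mangled", so hex encoding of that string is an assumption, as is the exact regular expression used to find links; the sample HTML is constructed, and the link from the manual's own example is used as one input.

```python
# Added example, not F5 code: simplified full rewriting (/f5-w-<mangled
# origin> prefix on every absolute link) beside minimal patching (scheme and
# host replacement). Hex encoding of "scheme://host:port" is an assumption.
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Absolute HTTP(S) URLs in href/src/action attributes, quoted or not.
_LINK_RE = re.compile(
    r"""(?P<attr>\b(?:href|src|action)=)(?P<q>["']?)(?P<url>https?://[^\s"'<>]+)""",
    re.IGNORECASE,
)


def mangle_origin(scheme: str, host: str, port: int) -> str:
    """Encode scheme://host:port as the token that follows /f5-w- (assumed: hex)."""
    return f"{scheme}://{host}:{port}".encode("ascii").hex()


def unmangle_origin(token: str) -> str:
    return bytes.fromhex(token).decode("ascii")


def rewrite_links(html: str) -> str:
    """Full rewriting: every absolute link is pointed back at the virtual server,
    with the original origin carried in the path so one device can multiplex
    many back-end servers."""
    def replace(match):
        url = urlsplit(match.group("url"))
        scheme = url.scheme.lower()
        port = url.port or DEFAULT_PORTS[scheme]
        path = url.path or "/"
        if url.query:
            path += "?" + url.query
        token = mangle_origin(scheme, url.hostname, port)
        return f"{match.group('attr')}{match.group('q')}/f5-w-{token}{path}"
    return _LINK_RE.sub(replace, html)


def resolve_rewritten_path(path: str):
    """Reverse step on an incoming request: recover the origin server URL."""
    m = re.match(r"^/f5-w-([0-9a-f]+)(/.*)$", path)
    if not m:
        return None
    return unmangle_origin(m.group(1)) + m.group(2)


def scheme_patch(html: str) -> str:
    """Minimal patching, scheme mode: http:// becomes https://."""
    return re.sub(r"\bhttp://", "https://", html)


def host_patch(html: str, host_search: str, host_replace: str) -> str:
    """Minimal patching, host mode: each space-separated search host becomes
    the virtual server address or FQDN."""
    for host in host_search.split():
        html = html.replace(host, host_replace)
    return html


if __name__ == "__main__":
    page = "<a href=http://server.company.com/link.htm>Click Here</a>"   # from the manual
    print(rewrite_links(page))
    print(scheme_patch(host_patch(page, "server.company.com", "apm.company.com")))
```

Note the contrast the manual draws: full rewriting changes every link and lets one virtual server front many origins, while minimal patching leaves paths untouched and therefore only works when the patched host resolves to the virtual server and, for cookies, when the cookie domain matches the virtual server domain.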
when accessing pages that contain large Java classes or other large elements (images, scripts, and so on), but not when accessing pages that reference Java packages (.jar files), class archives (.zip files), or compressed images (.jpg, .png, and Compressed TIFF files). For iNotes and other Java-based web mail packages, enabling compression vastly improves the speed in which pages are loaded.
Note
To enable compression, configure the web applications virtual server HTTP profile with compression enabled.
In any caching scenario, Access Policy Manager caches only those objects that the remote server designates can be cached.
Default - Takes the client cache settings from the rewrite profile. In the rewrite profile, you can specify a client caching option: CSS and JavaScript, CSS, Images and JavaScript, No Cache, or Cache All. If you configure a client cache setting other than Default in the web application resource item, that setting overrides the cache setting in the rewrite profile.
Cache All - Caches everything that can be cached, including CSS, images, JavaScript, and XML. Provides the fastest client performance and the lowest security. To allow your clients to download and save attachments, use the Cache All setting. For example, to make sure Outlook Web Access 2007 attachments can be downloaded, configure the web application resource URI /owa/attachment* with the Cache All setting.
No Cache - Caches nothing. This provides the slowest client performance and is the most secure.
7. If your application is behind a proxy server, to specify a proxy host and port, select Advanced for the configuration, and type the proxy host and proxy port. 8. Click the Create button to create the web application. The Web Applications Properties screen opens.
13. From the Client Cache list, select the client caching option. See Understanding web application caching, on page 3-5, for more information. 14. If you are using an SSO configuration for Single Sign On, from the SSO Configuration list, select the SSO configuration. 15. Select whether to enable the Session Update and Home Tab options with the associated check boxes. 16. From the Log list, select the logging level. 17. When you are finished, click Update. The Web Application Properties screen opens.
To assign the rewrite profile to a virtual server, see Configuring virtual servers for access policies, on page 14-2.
4
Configuring Web Application Access Management
Introducing web application access management
Reviewing web application access management options
Configuring web application access management
Currently, you can configure access only to web applications with web application access management. Through this method of access control, the Access Policy Manager communicates with backend web servers, forwarding requests from the client to web servers within a local traffic pool. In a typical web application access connection, access occurs through a rewriting engine that rewrites links and URLs to and from the client. Web application access management eliminates the need for content rewriting, allowing access to the configured local traffic pool after the user passes through the access policy checks. In cases where you want additional security for web applications that are accessed in your local environment, we highly recommend that you use Access Policy Manager with Local Traffic Manager to achieve this.
want to set the inactivity timeout to a very short duration, as many applications may cache user typing, and generate no traffic for an extended period. In this scenario, a session may time out when the application is still in use, but the content of the user input is not relayed back to the server. For configuration information, see Understanding access profile settings, on page 7-1.
When you create an access policy, the policy cannot include a network access or web applications resource or webtop. Configuring for web application access management requires these basic steps:
Create an access profile
Create nodes that represent the web servers
Add nodes to the pool
Create a virtual server
To select a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers. The Virtual Server List screen opens.
2. Click the name of the virtual server. The Virtual Server Properties screen opens.
3. Click the Resources tab.
4. From the Default Pool list, select the local traffic pool.
5. Click Update.
5
Configuring Resources
Understanding resources
With BIG-IP Access Policy Manager, you use resources to provide secure connection functionality to users. With Access Policy Manager, you configure a resource to allow access to a web application or a network access connection, or you configure an access control list to allow or deny access to clients with network access, web applications, or web application access management access policies. You use access control lists (ACLs), network access or web applications resources, and webtops to provide functionality to clients. For a web application access management policy, you can assign ACLs, but you cannot assign any other resources. You use ACLs to define allowed and disallowed networks, hosts, and protocols for users. With web applications access policies, you use webtops to provide a web page with useful links to users who connect. You assign ACLs and webtops dynamically in an access policy, using the resource assign action.
A network access resource represents a single secure connection that provides an on-network type of experience to an end user. You can define many network access resources on the Access Policy Manager, but each connection uses only one network access resource. To connect a user securely with a network access connection, you must assign a network access resource to an access policy and a network access webtop, using the resource assign action. A network access connection does not manipulate or analyze the content being passed between the client and the internal network.
A web application resource provides web browser access to one or more specific internal web applications. With web applications, the Access Policy Manager communicates with back-end servers, and rewrites the links in the response so that all the links in the response content specify the virtual server as the host. This method of access differs from a connection configured for network access, which provides a secured tunnel from the client to the internal network.
In this chapter you can learn how to use ACLs and webtops. To configure network access resources, see Chapter 2, Configuring Network Access. To configure web applications, see Chapter 3, Configuring Web Applications. To configure web application access management, see Chapter 4, Configuring Web Application Access Management.
Chapter 5
ACLs are not enforced on network traffic initiated from the server. Use SNAT automap or SNAT pool options in the network access configuration if you do not want servers to be able to initiate a connection to any client.
12. For the Source Port setting, select Port or Port Range. This setting specifies whether the access control list entry applies to a single port or a range of ports.
13. In the Port box or the Start Port and End Port boxes, specify the port or port ranges to which the access control list entry applies. To simplify this choice, you can select from the list of common applications, to the right of the Port box, to add the typical port or ports for that protocol.
14. In the Destination IP Address box, type the IP address to which the ACL controls access.
15. In the Destination Mask box, type the network mask for the destination IP address.
16. For the Destination Ports setting, select Port or Port Range. This setting specifies whether the access control list entry applies to a single port or a range of ports.
17. In the Port box or the Start Port and End Port boxes, specify the port or port ranges to which the access control list entry applies. To simplify this choice, you can select from the list of common applications, to the right of the Port box, to add the typical port or ports for that protocol.
18. From the Scheme list, select the URI scheme for the ACL entry. You can select http, https, or any. Any matches either HTTP or HTTPS traffic.
19. In the Host Name box, type a host to which the ACL applies. The Host Name box supports shell glob matching. You can use the asterisk wildcard (*) to match zero or more characters, and the question mark wildcard (?) to match a single character. For example, the host entry *.siterequest.com matches siterequest.com with any prefix. This entry matches www.siterequest.com, mail.siterequest.com, finance.siterequest.com, and any others with the same pattern. The ? matches only the single character represented by the question mark, so n?t.siterequest.com matches the hosts net.siterequest.com and not.siterequest.com, but not neet.siterequest.com, nt.siterequest.com, or note.siterequest.com.
20. In the Paths box, type the path or paths to which the ACL applies. You can separate multiple paths with spaces, for example, /news /finance. The Paths box supports shell glob matching. You can use the wildcard characters * and ? to represent multiple or single characters. You can also type a specific URI, for example, /finance/content/earnings.asp, or a specific extension, for example, *.jsp.
21. From the Protocol list, select the protocol to which the ACL applies.
22. From the Log list, select the log level for this access control entry. When events of this type occur, the server records a log message. Options are: None - log nothing. Packet - log the matched packet.
23. Click Finished.
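The Layer 4 and Layer 7 criteria collected in the steps above can be checked against a request in code. The following is an added example, not code from the manual or from F5, that matches a request against an ACL entry built from those fields; the shell-glob semantics for Host Name and Paths use Python's fnmatch, which implements the * and ? behaviour described in steps 19 and 20. First-match evaluation, the result when no entry matches, and the exact meaning of a path pattern with no wildcard (matched as a whole path here, not as a prefix) are assumptions that this section does not state; all entries and requests are constructed.

```python
# Added example, not F5 code: matching a request against an ACL entry built
# from the fields in the procedure above. Shell-glob matching of Host Name
# and Paths uses fnmatch; first-match evaluation and whole-path matching of
# patterns without wildcards are assumptions.
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AclEntry:
    action: str                          # "allow", "discard" or "reject"
    protocol: str = "any"                # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"               # source IP address with mask
    src_ports: Tuple[int, int] = (0, 65535)
    dst: str = "0.0.0.0/0"               # destination IP address with mask
    dst_ports: Tuple[int, int] = (0, 65535)
    scheme: str = "any"                  # "http", "https" or "any"
    host: str = "*"                      # Host Name glob
    paths: str = "*"                     # space-separated path globs


@dataclass
class Request:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    scheme: str = ""                     # empty for traffic that is not HTTP(S)
    host: str = ""
    path: str = ""


def _in_net(ip: str, spec: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def entry_matches(entry: AclEntry, req: Request) -> bool:
    # Layer 4 criteria: protocol, source and destination address, ports.
    if entry.protocol != "any" and entry.protocol != req.protocol:
        return False
    if not (_in_net(req.src_ip, entry.src) and _in_net(req.dst_ip, entry.dst)):
        return False
    if not (entry.src_ports[0] <= req.src_port <= entry.src_ports[1]):
        return False
    if not (entry.dst_ports[0] <= req.dst_port <= entry.dst_ports[1]):
        return False
    # Layer 7 criteria: "any" scheme matches either HTTP or HTTPS.
    if entry.scheme != "any" and entry.scheme != req.scheme:
        return False
    if not fnmatch.fnmatchcase(req.host, entry.host):
        return False
    # Each space-separated path pattern is tried; one hit is enough.
    return any(fnmatch.fnmatchcase(req.path, p) for p in entry.paths.split())


def evaluate(acl, req: Request) -> Optional[str]:
    """First matching entry decides (assumption); None when nothing matched."""
    for entry in acl:
        if entry_matches(entry, req):
            return entry.action
    return None


if __name__ == "__main__":
    acl = [
        AclEntry("allow", protocol="tcp", dst="10.10.0.0/16", dst_ports=(443, 443),
                 scheme="https", host="*.siterequest.com", paths="/finance* *.jsp"),
        AclEntry("reject", dst="10.10.0.0/16"),
    ]
    req = Request("tcp", "192.168.5.9", 51000, "10.10.3.4", 443,
                  "https", "finance.siterequest.com", "/finance/content/earnings.asp")
    print(evaluate(acl, req))
```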
4. If general purpose actions are not expanded, click the plus sign ( ) next to General Purpose.
5. Select Resource Assign, and click Add Item. The Resource Assign action popup screen opens.
6. Click Add new entry. A new resource assign entry appears in the popup screen.
7. To add one or more ACLs, click the Add/Delete ACLs link, then select the check boxes for ACLs you want to assign, and clear the check boxes for ACLs you do not want to assign. ACL assignment is optional.
8. Click Update to return to the Resource Assign popup screen.
9. Click Save to save the action.
Using webtops
When a user is allowed access by an access policy, that user is typically assigned a webtop. A webtop is the successful end point for a web applications or network access connection. A web applications webtop also provides a customizable screen for the user that includes links for working with the web applications, and displays messages relating to the connection. You assign a webtop to the user session in a resource assign action in the access policy. Make sure that you assign the correct webtop type; a network access webtop must be assigned with a network access resource, and a web applications webtop must be assigned with a web applications resource. Many settings for the webtop can be customized. To customize webtop settings, see Customizing a webtop, on page 15-14.
To create a webtop
1. On the Main tab of the navigation pane, expand Access Policy, then click Webtops. The Webtop List screen opens.
2. Click Create. The New Webtop screen opens.
3. In the Name box, type the name for the webtop.
4. From the Type list, select whether the webtop is a network access or a web applications webtop.
If you selected a network access webtop, select whether to automatically minimize the webtop to the system tray, by selecting or clearing the Minimize To Tray check box.
If you selected a web applications webtop, in the Web Application start URI box, type the URI for the web application.
5. Click Finished to complete the configuration.
To assign a webtop
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.
5. Select Resource Assign, and click Add Item. The Resource Assign action popup screen opens.
6. Click Add new entry. A new resource assign entry appears in the popup screen.
7. To specify a webtop for the connection, click the Set Webtop link, and select a webtop to assign.
8. Click Update to return to the Resource Assign popup screen.
9. Click Save to save the action.
6 Understanding Access Policies
Introducing access policies
Understanding access policy items
Understanding access policy branch rules
Understanding access policy branches
Understanding access policy macros
Introducing access policy endings
Understanding session variables
Collect information about the client system
You can use the access policy to collect and evaluate information about client computers. For example, you can check that the user is operating from a company-issued computer, what antivirus software is present on the machine, what operating system the computer is running, and other aspects of the client configuration. This is accomplished using both client-side checks and server-side checks in the access policy.
Use the authentication action to verify client security against external authentication servers
The access policy allows you to check and evaluate authentication against an external authentication database or a certificate, to make sure the client system recognizes the user.
Retrieve users' rights and attributes
You can use the access policy to retrieve extended information from authentication servers, including LDAP or Microsoft Active Directory attributes, and use the information retrieved to assign different resources.
Grant access to resources
With the access policy, you assign a network access resource after the client is authenticated.
Chapter 6
Figure 6.2 Two actions (a Message Box and a Decision Box), one unconfigured, in the visual policy editor
Action - Description
HTTP Auth - Adds HTTP authentication to the access policy.
LDAP Auth - Adds LDAP authentication to the access policy.
LDAP Query - Adds an LDAP query to the access policy.
On-Demand Cert Auth - Prompts users for a client certificate if they take a certain branch in the access policy.
RADIUS Auth - Adds RADIUS authentication to the access policy.
RADIUS Acct - Adds RADIUS accounting to the access policy.
RSA SecurID - Adds RSA SecurID two-factor authentication to the access policy.
Antivirus Check - Checks for antivirus software on the client computer. Can check for antivirus software on Windows, Mac OS, and Linux clients.
Firewall Check - Checks for firewall software on the client computer. Can check for firewall software on Windows, Mac OS, and Linux clients.
File Check - Checks for a specific file on the client computer. File check is available as three different actions for Windows, Mac OS, and Linux computers.
Machine Cert Check - Checks for the presence of a machine certificate.
Windows Info - Checks for the version of Windows and for Windows updates on the client computer.
Process Check - Checks for running processes on the client computer. Process check is available as three different actions for Windows, Mac OS, and Linux computers.
Registry Check - Checks for specific values in the Windows registry.
Cache and Session Control - Cleans and removes browser cache, and optionally cleans form entries, passwords, and dial-up entries, and sets timeouts for the access policy.
Protected Workspace - Provides a secure computing environment with a temporary desktop and profile that is removed after logout. For use with public computers or in other situations where higher security is required.
Windows Group Policy - Temporarily configures the Windows environment with a group policy. Windows Group Policy is an optional add-on that is enabled by FullArmor's GPAnywhere product.
Action - Description
UI Mode - Detects the type of client (web browser or standalone client) the user is using. This provides three rule branches in your access policy:
Full Browser - The rule branch the access policy takes if the client is using a web browser, or the BIG-IP Edge Client.
Standalone Client - The rule branch the access policy takes if the client is using a standalone legacy SSL VPN client. This rule branch is used only if the standalone client is running in Legacy Mode. If the BIG-IP Edge Client is used, the Full Browser rule branch is matched.
Fallback - The rule branch the access policy takes if the client is not using one of the listed clients.
Client-Side Check Capability - Checks whether the client supports JavaScript and supports either ActiveX controls or Netscape plug-ins. If a client can support JavaScript and one of these control types, it can run client-side checks. See Preparing for clients that cannot use client checks, on page 10-1.
Client OS - Detects the operating system of the remote client. Access Policy Manager detects this using information from the HTTP header. Because that header is supplied by the client, treat the Client OS branch as informational rather than as a security check.
Landing URI - Checks the landing URI that the client has used to start the current session.
Viewing rules
To view a predefined branch rule, you must first add an action to the access policy. The following example describes how to add a predefined action (client cert result) to an access policy, then how to view the underlying rule.
Note
You cannot view the predefined branch rules for every action.
3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If the Authentication category is not expanded, click the plus sign (+) to expand it.
5. Select Client Cert Inspection and click Add Item to add the action to the access policy. The Client Cert Result action popup screen opens.
6. Click the Branch Rules tab. Under the name Successful, you see the text Expression: Client Certificate is valid, and then a link to change the expression.
7. Click change. The Expression popup screen opens.
8. Click the Advanced tab.
9. The rule expression for the client cert result action is displayed, as in Figure 6.4:
expr { [mcget {session.ssl.cert.valid}] == "0" }
The Successful branch is taken only when session.ssl.cert.valid equals the string "0". The variable holds the result code of the certificate verification, and 0 means the verification succeeded; any nonzero code, or a variable that was never set, does not match, and the action takes the fallback branch.
To configure the action, see the action description in Understanding available actions and categories, on page 7-13.
Predefined rules
When you configure an action, it creates a predefined rule. To further refine or customize a rule, you can use the expression builder to build a rule from a list of agents and conditions. You can edit a rule on the Rules tab by clicking change. You can edit rules in a rule builder on the Simple tab. You use this rule builder to choose from a simplified set of rules and automatically compile the Tcl syntax. You can also use the Advanced tab to edit the rule directly, using Tcl. Visual examples of the two editing methods are shown in Figure 6.5.
The result of the evaluation of an access policy rule
Most actions have branches that represent the evaluation of rules. These branches might be called Successful, or they might have a more descriptive name. In many cases, a rule branch is a positive result of the evaluation of an action (for example, Active Directory authentication has passed). A rule branch can also be an informational response to the evaluation of an action (for example, the client operating system is Windows Vista).
An outgoing terminal from an access policy macro
When you configure an access policy macro, the rule branches inside the macro have endings called terminals. These terminals do not function like access policy endings; instead, they become branches in the access policy to which the macrocall is added, representing the outcomes of the actions inside the macrocall.
A fallback rule
A fallback rule is typically a negative response, if the action has successful branches. Some fallback rules are the result of the action returning no match or a failure for the access policy check. Fallback rules are also the result of actions that have no positive or negative result. For example, the logon page action has no positive or negative result, because it only sends a logon page to the client, so the result branch of a logon page is always a fallback rule branch.
Macro definitions, macro terminals, and macrocalls are defined for each access policy. Macros you create in one policy do not appear, and cannot be used, in another access policy. Unlike other access policy actions, when you click a macrocall in the access policy, the macro definition is displayed below the access policy in the macros section, and not in a popup screen, as shown in Figure 6.8.
The BIG-IP Access Policy Manager includes several predefined macro templates. For example, BIG-IP Access Policy Manager includes macro templates for six authentication methods, and for a Windows antivirus and firewall check. For the definitions and configuration information for these included macro templates, see Configuring macros, on page 7-15.
For example, you can configure a macro with four terminals:
AV success
AV failure
File check success
File check failure
After you add the macrocall to your access policy, the macrocall appears as a single access policy item, with four terminals that appear as four branches, named for the terminals. See Figure 6.9.
Figure 6.9 A macrocall with four macro terminal branches in an access policy
Note
You can make changes to the actions in a macro after you have added the macrocall to an access policy. However, you cannot delete terminals after a macrocall has been added to an access policy or another macro. For this reason, we recommend that you configure macro terminals before you add a macrocall to the access policy.
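The following Python script is an added example for this edition; it is not part of the F5 manual or of Access Policy Manager. It models the evaluation rules described in this chapter: each action tries its branch rules in order and takes the fallback branch when none is true, a macro's terminals appear as the branches of the macrocall, and the access policy stops at an ending. session.ssl.cert.valid is the variable shown in Figure 6.4 ("0" means the verification succeeded). The names example.antivirus.running and example.file.present are hypothetical stand-ins for whatever the antivirus and file check actions record, the wiring of items is a constructed policy rather than a template shipped with the product, and the sessions are constructed test data.

```python
from typing import Callable, Dict, List, Tuple

Session = Dict[str, str]
Predicate = Callable[[Session], bool]


def mcget(session: Session, name: str) -> str:
    """Model of [mcget {...}] in a branch rule; a variable that was never set reads as ""."""
    return session.get(name, "")


class Action:
    """One access policy item: branch rules are tried in order, else the fallback branch."""

    def __init__(self, name: str, rules: List[Tuple[str, Predicate]]) -> None:
        self.name = name
        self.rules = rules

    def evaluate(self, session: Session) -> str:
        for branch, rule in self.rules:
            if rule(session):
                return branch
        return "fallback"


class Flow:
    """Items wired by (item name, branch) -> next item name or an exit label.

    A macro's exits are its terminals; an access policy's exits are its endings.
    Evaluation starts at the first item and stops at the first exit label.
    """

    def __init__(self, items: List[Action], routes: Dict[Tuple[str, str], str]) -> None:
        self.items = {item.name: item for item in items}
        self.start = items[0].name
        self.routes = routes

    def run(self, session: Session) -> Tuple[str, List[str]]:
        trace: List[str] = []
        current = self.start
        while current in self.items:
            branch = self.items[current].evaluate(session)
            trace.append(f"{current}:{branch}")
            current = self.routes[(current, branch)]  # KeyError means an unwired branch
        return current, trace


class MacroCall(Action):
    """A macrocall behaves as an action whose branches are the macro's terminals."""

    def __init__(self, name: str, macro: Flow) -> None:
        super().__init__(name, [])
        self.macro = macro

    def evaluate(self, session: Session) -> str:
        terminal, _ = self.macro.run(session)
        return terminal


# session.ssl.cert.valid is APM's own variable ("0" = verification succeeded);
# the other two names are hypothetical and not APM variables.
cert_valid: Predicate = lambda s: mcget(s, "session.ssl.cert.valid") == "0"
av_running: Predicate = lambda s: mcget(s, "example.antivirus.running") == "1"
file_present: Predicate = lambda s: mcget(s, "example.file.present") == "1"

prelogon_macro = Flow(
    [Action("AV Check", [("Successful", av_running)]),
     Action("File Check", [("Successful", file_present)])],
    {("AV Check", "Successful"): "File Check",
     ("AV Check", "fallback"): "AV failure",
     ("File Check", "Successful"): "File check success",
     ("File Check", "fallback"): "File check failure"})

access_policy = Flow(
    [Action("Client Cert Inspection", [("Successful", cert_valid)]),
     MacroCall("Prelogon checks", prelogon_macro)],
    {("Client Cert Inspection", "Successful"): "Prelogon checks",
     ("Client Cert Inspection", "fallback"): "Deny",
     ("Prelogon checks", "File check success"): "Allow",
     ("Prelogon checks", "File check failure"): "Deny",
     ("Prelogon checks", "AV failure"): "Deny"})


def evaluate(session: Session) -> Tuple[str, List[str]]:
    """Return the ending reached and the branch taken at each top-level item."""
    return access_policy.run(session)


if __name__ == "__main__":
    # Constructed sessions; 18 is OpenSSL's verification code for a self-signed leaf certificate.
    for s in [{"session.ssl.cert.valid": "0", "example.antivirus.running": "1", "example.file.present": "1"},
              {"session.ssl.cert.valid": "18"},
              {}]:
        print(evaluate(s))
```

Note the third session: a policy in which the certificate check never ran leaves session.ssl.cert.valid unset, and an unset variable is not "0", so the policy still denies. The trace lists only top-level items; the macro's own actions are visible by calling prelogon_macro.run directly.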
You must assign a valid network access or web application resource and a webtop for your users, unless you are using the access policy to control access to a local traffic virtual server, in a web application access management scenario.
You must type the redirect URL with the leading http:// or https://.
7 Creating Access Profiles and Access Policies
Creating an access profile
Creating an access policy
Understanding available actions and categories
Configuring macros
Backing up and importing access profiles
Chapter 7
Max Concurrent Users - Specifies the number of sessions per access profile. The default value is 0, which represents unlimited sessions. This field is read-only for application editors; all other administrative roles can modify it.
Max Sessions Per User - Specifies the number of sessions per user. The default value is 0, which represents unlimited sessions. This field is read-only for application editors; all other administrative roles can modify it.
4. To change settings for Inactivity Timeout, Access Policy Timeout, Maximum Session Timeout, and Max Concurrent Users, select the Custom check box, then type numbers for the settings you want to change.
5. To select a Single Sign On (SSO) configuration for the access policy, from the SSO Configuration list, select the SSO configuration.
6. (Optional) In the Domain Cookie box, type the domain cookie. A domain cookie is returned by the browser to every host under that domain, so keep the domain as narrow as your deployment allows.
7. Select the Secure Cookie check box to add the secure keyword to the domain cookie. If the access policy is configured for an HTTP virtual server, clear this check box: a browser never returns a cookie marked secure over plain HTTP, so the session cookie would never reach the virtual server.
8. Configure the language settings for the access profile. See Customizing access profile languages, following, for more information.
9. Click Finished when the configuration is complete.
In the access profile, you can configure the list of accepted languages in which Access Policy Manager provides messages and customized elements. You can also select a default language for the access profile. The default language is used to provide messages and customized elements to users whose browsers are not identified with a language that is on the list of accepted languages. Though you can specify any custom language strings, most browsers present standard language strings. To see a list of these language strings, refer to http://www.iana.org/assignments/language-subtag-registry.
There are several other places in Access Policy Manager where you can customize settings for different languages. To configure these language settings, see the following tasks and pages:
Customizing the Deny access policy ending, on page 7-10
Customizing access profile languages, on page 7-3
Note
If you customize messages, you must customize the same messages separately for each accepted language. Otherwise, default messages will appear for any accepted language for which you have not customized messages. It is recommended that if you customize messages for a specific accepted language, you remove all other languages from the accepted language list.
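The following Python functions are an added example for this edition; they are not part of the F5 manual or of Access Policy Manager. They show one way to carry out the selection the paragraph above describes: the browser's Accept-Language header is matched against the accepted language list, and the profile's default language is used when nothing matches. The example assumes standard q-value syntax, that a regional tag such as en-GB may fall back to a plain en entry in the accepted list, and that a wildcard (*) is served the default. The accepted lists and headers are constructed.

```python
from typing import List, Optional, Tuple


def parse_accept_language(header: str) -> List[Tuple[str, float]]:
    """Parse an Accept-Language header into (tag, q) pairs, most preferred first.

    Tags are lowercased because language tags are case-insensitive. A missing
    q is 1.0; an unparsable q is treated as 0 (not acceptable). The sort is
    stable, so header order breaks ties, which is how browsers list preferences.
    """
    prefs: List[Tuple[str, float]] = []
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(";")]
        tag = parts[0].lower()
        q = 1.0
        for param in parts[1:]:
            key, _, value = param.partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        prefs.append((tag, q))
    return sorted(prefs, key=lambda p: -p[1])


def choose_language(header: Optional[str], accepted: List[str], default: str) -> str:
    """Pick the accepted language the client prefers most, else the profile default.

    A client tag matches an accepted entry exactly, or after dropping subtags from
    the right: en-gb matches an accepted en, but zh-tw never matches zh-cn.
    Assumption: a wildcard tag is satisfied by the default language.
    """
    by_lower = {lang.lower(): lang for lang in accepted}
    if not header:
        return default
    for tag, q in parse_accept_language(header):
        if q <= 0:
            continue  # q=0 means "not acceptable"
        if tag == "*":
            return default
        subtags = tag.split("-")
        while subtags:
            candidate = "-".join(subtags)
            if candidate in by_lower:
                return by_lower[candidate]
            subtags.pop()
    return default


if __name__ == "__main__":
    # Constructed accepted list and headers.
    accepted = ["en", "ja", "zh-cn", "zh-tw"]
    for hdr in ["ja,en;q=0.8", "de-CH,de;q=0.9,en-GB;q=0.7", "fr", "zh-TW;q=0.9,zh;q=0.8", None]:
        print(repr(hdr), "->", choose_language(hdr, accepted, "en"))
```

Seen this way, the note above follows directly: whichever accepted language choose_language returns is the one whose customized messages are served, so an accepted language without customizations yields the default messages even though it was selected.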
You can also open an access policy from the Access Profiles List screen by clicking the access profile name, then clicking the Access Policy tab, then clicking the Edit link.
Create an access policy. For more information, see Opening an access policy.
Add general purpose actions, client-side checks, and server-side checks, as needed. For more information, see Adding actions to an access policy, on page 7-7, Understanding client-side checks, on page 7-13, and Understanding server-side checks, on page 7-14.
Add authentication. For more information, see Understanding authentication actions, on page 7-13.
Assign resources. For more information, see Assigning resources, on page 8-9. Note that unless the access policy is used for web application access management, you must assign a network access or web applications resource, or the access policy will not function.
Finish the access policy. For more information, see Applying an access policy configuration, on page 7-12.
3. On a branch rule of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If the action category you want to add is not expanded, click the plus sign (+) next to the action type.
5. Select an action to add to the access policy by clicking the option. See the full list of action categories and actions at Understanding available actions and categories, on page 7-13.
6. Click Add Item to add the action to the access policy. The action popup screen opens. To configure the action, see the action description in Understanding available actions and categories, on page 7-13.
4. At the upper left, click the Add Ending button. The new ending appears, highlighted in blue. See Figure 7.3.
5. In the Name box, type a name for the new ending.
6. Select the type of ending (Allow, Redirect, or Deny):
Allow - Specifies that the user has access to the network access connection or web application, as defined in the access profile and access policy.
Redirect - Specifies a URL to which the access policy redirects the user. Type the redirect URL in the box provided.
Deny - Specifies that the user is not allowed access to the network access resource, and presents a Denied page. To customize the Denied page, see Customizing the Deny access policy ending, on page 7-10.
7. To change the color of the ending for better visual clarity in your access policies, click the color square, select a color, and click Update.
8. Click Save.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings. 3. Click an access policy ending. The Select Ending popup screen opens. 4. On the Select Ending popup screen, select an ending for the branch rule. 5. Click Save.
4. On the Deny ending you want to customize, click the plus sign (+) next to Customization. The popup screen displays additional setting options.
5. Customize the text for the logon denied settings by typing the text in the corresponding boxes:
Language - Specifies the language for which you are configuring Deny messages.
(Two settings on this screen are not currently used.)
Specifies a thank you message displayed for network access users after logout.
Specifies the text that indicates that the session could not start.
Error Message - Specifies a more specific error message that follows the error title, which indicates that a problem may have occurred during access policy evaluation.
New Session Text - Specifies the text that precedes the link a user clicks to start a new session.
Specifies the text label for the hypertext link to start a new session, such as click here. This link immediately follows the New Session Text.
Session ID Title - Specifies the text that precedes the session number when an error occurs.
ACL Denied Page Title - Specifies the title text for a page that appears when access is denied by an ACL.
ACL Denied Page Reject Message - Specifies the text that appears when access to a page or site is denied due to an ACL restriction.
ACL Denied Page Return Link Message - Specifies the link text that the user can click to return to the previous page. This is displayed when a user reaches the ACL denied page.
6. Click Save.
For more information on configuring client-side checks, see Chapter 9, Configuring Client Side Checks and Client Side Actions.
Configuring macros
A macro is a group of reusable checks. Using the visual policy editor, you configure macros in the same way that you configure access policies. The difference is that you do not configure access policy endings, but instead you configure terminals for a macro.
To create a macro
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. Click the Add New Macro button. The Add New Macro popup screen opens.
4. Select the macro template. The macro templates are described in Using predefined macro templates, on page 7-17.
5. In the Name box, type a name for the macro. This is the name by which the macro appears in the Add Action popup screen.
6. Click Save.
7. To expand the macro, click the plus sign (+) next to the macro name.
8. To edit an action, click the action name. Edits you make to the actions in a macro are applied to the actions in an access policy after you add the macrocall to the access policy.
9. Add and remove actions from the macro in the same way you add and remove actions from access policies.
10. When you finish customizing an action, click Save.
5. To change the color of the terminal for better visual clarity in your access policies, click the color square, select a color, and click Update.
6. If you want to set a default terminal, click the Set Default tab, and select the default terminal.
7. If you want to delete a terminal, click the (x) next to the terminal name.
5. Select a macro you defined previously and click Add Item. The macrocall is added to the access policy. You can edit the macro items in the macro definition as required.
To delete a macro
Click the (x) button at the right of the screen next to the macro name. You can delete a macro only if it is not in use.
If you open these macro definitions to view them, you can better understand how the macros are configured. Each macro definition includes instructions on how to add and open the macro template.
5. To edit an action, click the action name. In the macro display, the action popup screen opens.
To customize the Active Directory action, see Configuring Access Policy Manager to access the Active Directory for authentication, on page 11-32.
To customize the resource assign action, see Assigning resources, on page 8-9.
To customize the logon page action, see To customize the logon page action, on page 16-2.
6. When you finish customizing an action, click Save.
7. To add this macro to the access policy, see To add a macrocall to an access policy, on page 7-16.
5. To edit an action, click the action name. The action popup screen opens.
To customize the Active Directory actions, see Configuring Access Policy Manager to access the Active Directory for authentication, on page 11-32, and Configuring Access Policy Manager to access the Active Directory action item for query, on page 11-34.
To customize the resource assign action, see Assigning resources, on page 8-9.
To customize the logon page action, see To customize the logon page action, on page 16-2.
6. When you finish customizing an action, click Save.
7. To add this macro to the access policy, see To add a macrocall to an access policy, on page 7-16.
5. To edit an action, click the action name. The action popup screen opens.
To customize the LDAP action, see Configuring LDAP access policy action item for authentication, on page 11-22.
To customize the resource assign action, see Assigning resources, on page 8-9.
To customize the logon page action, see To customize the logon page action, on page 16-2.
6. When you finish customizing an action, click Save.
7. To add this macro to the access policy, see To add a macrocall to an access policy, on page 7-16.
To add and customize the LDAP auth query and resources macro
1. In the visual policy editor, click the Add New Macro button. The Macro Template popup screen opens.
2. Select the macro template LDAP auth query and resources.
3. Click Save. The popup screen closes.
4. To expand the macro, click the plus sign (+) next to the macro name.
5. To edit an action, click the action name. The action popup screen opens.
To customize the LDAP actions, see Configuring LDAP query policy action item, on page 11-25, and Configuring LDAP access policy action item for authentication, on page 11-22.
To customize the resource assign action, see Assigning resources, on page 8-9.
To customize the logon page action, see To customize the logon page action, on page 16-2.
6. When you finish customizing an action, click Save.
7. To add this macro to the access policy, see To add a macrocall to an access policy, on page 7-16.
5. To edit an action, click the action name. The action popup screen opens.
To customize the RADIUS action, see Setting up RADIUS authentication and authorization access policy action item, on page 11-8.
To customize the RADIUS action for authentication with RSA SecurID over RADIUS, see Configuring RSA SecurID using RADIUS, on page 11-11.
To customize the resource assign action, see Assigning resources, on page 8-9.
To customize the logon page action, see To customize the logon page action, on page 16-2.
6. When you finish customizing an action, click Save.
7. To add this macro to the access policy, see To add a macrocall to an access policy, on page 7-16.
5. To edit an action, click the action name. In the macro display, the action popup screen opens.
To customize the SecurID action, see Setting up RSA Native SecurID authentication and authorization access policy action item, on page 11-19.
To customize the resource assign action, see Assigning resources, on page 8-9.
To customize the logon page action, see To customize the logon page action, on page 16-2.
6. When you finish customizing an action, click Save.
7. To add this macro to the access policy, see To add a macrocall to an access policy, on page 7-16.
A client-side Windows information action that checks for the existence of Windows XP Service Pack 2 or Service Pack 3. The fallback branch for this action includes a logging action that logs any Windows Info failure.
A client-side antivirus check action. This action is in the default state, so it checks that any supported antivirus is enabled on the client system. You can configure this further to check for a specific supported antivirus solution, and for other antivirus parameters. The fallback branch for this action includes a logging action that logs any antivirus failure.
A client-side firewall check action. This action is in the default state, so it checks that any supported firewall is enabled on the client system. You can configure this further to check for a specific supported firewall solution and version. The fallback branch for this action includes a logging action that logs any firewall failure.
One successful and several failure terminals.
5. To edit an action, click the action name. The action popup screen opens.
To customize the UI Mode action, see Setting up the UI mode access policy item, on page 10-6.
To customize the Client OS action, see Setting up the client OS check, on page 10-2.
To customize the Windows information action, see Setting up Windows info action, on page 9-22.
To customize the antivirus check action, see Checking antivirus with the antivirus check access policy item, on page 9-2.
To customize the firewall check action, see Setting up the firewall check action, on page 9-14.
To customize logging actions, see Adding access policy logging, on page 8-16.
6. When you finish customizing an action, click Save.
7. To add this macro to the access policy, see To add a macrocall to an access policy, on page 7-16.
To add and customize the client classification and prelogon checks macro
1. In the visual policy editor, click the Add New Macro button. The Macro Template popup screen opens.
2. Select the macro template Client Classification and Prelogon checks.
3. Click Save. The popup screen closes.
4. To expand the macro, click the plus sign (+) next to the macro name.
5. To edit an action, click the action name. The action popup screen opens.
To customize the Client-Side Check Capability action, see Setting up the client-side check capability access policy item, on page 10-9.
To customize the Client OS action, see Setting up the client OS check, on page 10-2.
To customize UI Mode actions, see Setting up the UI mode access policy item, on page 10-6.
To customize antivirus check actions, see Checking antivirus with the antivirus check access policy item, on page 9-2.
To customize logging actions, see Adding access policy logging, on page 8-16.
To customize the protected workspace action, see Setting up the protected workspace access policy item, on page 9-30.
6. When you finish customizing an action, click Save.
7. To add this macro to the access policy, see To add a macrocall to an access policy, on page 7-16.
The import prefix you specify must begin with a letter, and the import prefix name can include only letters, numbers, and the underscore ( _ ) character.
8 Configuring General Purpose Access Policy Actions
Introducing general purpose actions
Configuring general purpose actions in an access policy
Chapter 8
Message box - Adds a message box that posts a message to the user. To continue, the user must click a link for which you provide the text. The user then proceeds on the same rule branch in the access policy.
Decision box - Adds a decision box that provides two options to the user for the access policy. You can then configure separate actions on the two branches, depending on user selections.
iRule event - Adds an iRule event to the access policy.
Empty action - Adds a blank action from which you can create your own action.
Session Variable Name - Specifies the session variable name that the server uses to store the data typed in the text field. For example, the session variable username stores the user name input omaas as the session variable string session.logon.last.username=omaas.
Read Only - Specifies whether the logon page agent is read-only, and always used in the logon process as specified. You can use this to add logon POST variables or session variables that you want to submit from the logon page for every session that uses this access policy.
You can use a read-only logon page field to populate a field with a value from a session variable. For example, you can use the On-Demand Certificate agent to extract the CN (typically the user name) field from a certificate, then assign that variable to session.logon.last.username. In the logon page action, you can specify session.logon.last.username as the session variable for a read-only logon page field that you configure. When Access Policy Manager displays the logon page, this field is populated with the information from the certificate CN field (typically the user name).
Figure 8.1 shows some items that can be customized with the logon page action.
Figure 8.1 Items that you can customize with the logon page action
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If general purpose actions are not expanded, click the plus sign (+) next to General Purpose.
5. Select Logon Page and click Add Item. The Logon Page action popup screen opens.
6. In the Logon Page Agent section, enable the fields you want to display on the logon page. By default, a text field for the user name and a password field for the password are enabled and displayed. You can specify up to three more fields to display, or customize the ones enabled.
7. From the Language list, select the language for which you want to customize messages. The four default languages are English (en), Japanese (ja), simplified Chinese (zh-cn), and traditional Chinese (zh-tw). You can specify more languages in the Language Settings section of the Access Profile properties.
8. Customize the logon page elements:
Form Header Text - Specifies the text that appears at the top of the logon box.
Logon Page Input Field # (1-5) - These fields specify the text that is displayed on the logon page for each of the logon page agents defined in the Logon Page Agent screen area.
Save Password Checkbox - Specifies the text that appears adjacent to the check box that allows users to save their passwords in the logon form. This field is used only in the secure access client, and not in the web client.
Logon Button - Specifies the text that appears on the logon button, which a user clicks to post the defined logon agents.
Front Image - Specifies an image file to display on the logon page. Click Browse to select a file from the file system. Click Show Image or Hide Image to show or hide the currently selected image file. Click Revert to Default Image to discard any customization and use the default logon page image.
New Password Prompt - Specifies the prompt displayed when a new Active Directory password is requested.
Verify Password Prompt - Specifies the prompt displayed to confirm the new password when a new Active Directory password is requested.
Password and Password Verification do not Match - Specifies the prompt displayed when the new Active Directory password and verification password do not match.
9. Click Save when the fields are customized.
Figure 8.3 External logon page request to Access Policy Manager virtual server
4. If general purpose actions are not expanded, click the plus sign ( ) next to General Purpose.
5. Select External Logon Page and click Add Item. The External Logon page action popup screen opens.
6. In the External Logon Server URI box, type the external logon page URI.
7. Click Save when you are finished.
Assigning resources
You assign access control lists, a network access or web application resource, and a webtop to the access policy. Each of these resources contains configuration items. You must assign a network access or web applications resource for a working network access connection or web applications access policy. You can also assign webtops for network access or web applications with the resource assign action. For a web application access management connection, you do not assign a resource or a webtop. You assign ACLs to all access types with the resource assign action.
4. If general purpose actions are not expanded, click the plus sign ( ) next to General Purpose.
5. Select Resource Assign, and click Add Item. The Resource Assign action popup screen opens.
6. Click Add new entry. A new resource assign entry appears in the popup screen.
7. To add one or more ACLs, click the Add/Delete ACLs link, then select the check boxes for ACLs you want to assign, and clear the check boxes for ACLs you do not want to assign. ACL assignment is optional.
8. Click Update to return to the Resource Assign popup screen.
9. To specify that this is a network access connection, click the Set Network Access Resource link, and select a network access resource to assign. A working network access connection must specify a network access resource and a network access webtop.
10. Click Update to return to the Resource Assign popup screen.
11. To specify that this is a web applications connection, click the Add/Delete Application Resources link, and select a web applications resource to assign. A working web applications connection must specify a web applications resource.
12. Click Update to return to the Resource Assign popup screen.
13. To specify a webtop for the connection, click the Set Webtop link, and select a webtop to assign. For a network access connection, specify a network access webtop. For a web applications connection, specify a web applications webtop.
14. Click Update to return to the Resource Assign popup screen.
15. Click Save to save the action.
Assigning variables
You use the variable assign action to assign a configuration variable, a predefined session variable, or a custom variable to an AAA server attribute or to a custom expression. This allows you, for example, to assign a custom lease pool for a network access resource, based on the path taken through an access policy. After the procedure for how to use the variable assign action, this section includes two simple examples. For an example scenario that uses the variable assign action with a Tcl expression to provide more advanced functionality, see Using advanced access policy rules, on page 16-17. For a list of the configuration variables you can assign with the variable assign action, and the accepted formats for replacement values, see Network access resource variable attributes, on page C-12.
4. If general purpose actions are not expanded, click the plus sign ( ) next to General Purpose.
5. Select Variable Assign and click Add Item. The Variable Assign action popup screen opens.
6. Click Add new entry.
7. Under Assignment, click change. The Variable Assignment popup screen opens.
8. In the left pane of the Variable Assignment popup screen, select the variable to assign. You can select Custom Variable and type the custom variable name in the box, or you can select Predefined Session Variable and select the type, name, and property from the current configuration.
9. In the right pane of the Variable Assignment popup screen, select the value to assign to the variable. You can select AAA Attribute and select the agent type, attribute type, and attribute name, or you can select Custom Expression and type a custom expression in the box.
10. Click Finished when you have assigned the variable.
11. Click Save to save the action.
To use this example, you must have a lease pool defined on the Access Policy Manager, and the name of that lease pool must be defined as the user attribute, myAttribute, on the Active Directory server.
4. If general purpose actions are not expanded, click the plus sign ( ) next to General Purpose.
5. Select Variable Assign and click Add Item. The Variable Assign action popup screen opens.
6. Click Add new entry.
7. Under Assignment, next to empty, click change. The Variable Assignment popup screen opens.
8. In the left pane, select Configuration Variable.
9. From the Type list, select Network Access.
10. From the Name list, select a network access resource.
11. From the Property list, select leasepool_name.
12. In the right pane, select AAA Attribute.
13. From the Agent Type list, select AD.
14. From the Attribute Type list, select Use users attribute.
15. In the AD Attribute Name box, type myAttribute.
16. Click Finished.
17. Click Save to save the action.
When a user reaches this action in the access policy, Access Policy Manager gets the value for myAttribute from the user's AAA attributes, and replaces the lease pool defined in the network access resource with this value.
4. If general purpose actions are not expanded, click the plus sign ( ) next to General Purpose.
5. Select Variable Assign and click Add Item. The Variable Assign action popup screen opens.
6. Click Add new entry.
7. Under Assignment, next to empty, click change. The Variable Assignment popup screen opens.
8. In the left pane, select Configuration Variable.
9. From the Type list, select Network Access.
10. From the Name list, select a network access resource.
11. From the Property list, select leasepool_name.
12. In the right pane, select Custom Expression.
13. In the Custom Expression box, type "leasepool1" (including the quotation marks).
14. Click Finished.
15. Click Save to save the action.
When a user reaches this action in the access policy, Access Policy Manager evaluates the custom expression, in this case, a simple string with the lease pool name, and replaces the lease pool defined in the network access resource with this value.
Note: Add the virtual keyboard action in front of the logon page action with which you want the virtual keyboard to be used.
4. If general purpose actions are not expanded, click the plus sign ( ) next to General Purpose.
5. Select Virtual keyboard and click Add Item. The Virtual keyboard action popup screen opens.
6. From the Virtual Keyboard list, select Enabled to enable the virtual keyboard, or Disabled to disable the virtual keyboard.
7. From the Move Keyboard After Every Keystroke list, select Enabled to move the virtual keyboard after the user clicks each key, or Disabled to leave the virtual keyboard in place after each keystroke. Moving the keyboard can further obscure the password that the user types with the virtual keyboard.
8. From the Allow Manual Input list, select Enabled to allow the user to type the password with either the physical keyboard or the virtual keyboard. Select Disabled to allow the user to type the password only with the virtual keyboard.
9. Click Save when the fields are customized.
3. On a rule branch of the access policy, click the plus sign ( ) to add an action. The Add Item popup screen opens.
4. If general purpose actions are not expanded, click the plus sign ( ) next to General Purpose.
5. Select Route Domain Selection and click Add Item. The Route Domain Selection action popup screen opens.
6. From the Route Domain ID list, select a route domain ID to use with this access policy. The route domain must already be defined on the Access Policy Manager. For more information, see Configuring policy routing, on page 16-11.
4. If general purpose actions are not expanded, click the plus sign ( ) next to General Purpose.
5. Select Logging and click Add Item. The Logging action popup screen opens.
6. Click Add new entry.
7. Select a category of session variables to write to the log.
   If you select a predefined category, all session variables for that session variable category are logged using wildcards. For example, for Active Directory, the session variables session.ad.last.* are logged. If you select the Custom category, you can type a session variable or session variable category to log in the Session Variables box.
8. To log more session variables or session variable categories, click Add new entry.
9. When you have finished, click Save to save the action.
To add a message
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign ( ) to add an action. The Add Item popup screen opens.
4. If general purpose actions are not expanded, click the plus sign ( ) next to General Purpose.
5. Select Message Box and click Add Item. The Message Box action popup screen opens.
6. From the Language list, select the language for the message.
7. In the Message box, type the message to the user. You can use HTML tags for formatting, as in the example:
   <font color=red> Please click the link below to continue. </font>
8. In the Link box, type the text that the user must click to continue. This text appears as a link the user can click to continue.
9. Click Save.
iRule event access policy items must be processed and completed before the access policy can continue.
Chapter 9
Configuring Client Side Checks and Client Side Actions
- Understanding client-side checks
- Setting up antivirus check
- Setting up file check
- Setting up a machine cert auth check
- Setting up firewall check
- Setting up process check
- Setting up registry check
- Verifying Windows information
- Understanding client-side actions
- Setting up cache and session control
- Setting up protected workspace
- Assigning a Windows group policy template
Chapter 9
4. If client-side check actions are not expanded, click the plus sign ( ) next to Client Side Checks.
5. Select Antivirus Check and click Add Item to add the action to the access policy. The Antivirus Check action popup screen opens.
6. Configure the antivirus entry.
   a) From the Antivirus ID list, select the antivirus vendor. Select Any to allow the access policy to pass with any antivirus. In this list, Windows-specific antivirus products are marked with the prefix [Win], Macintosh-specific products are marked with the prefix [Mac], and Linux-specific products are marked with the prefix [Lin].
   b) From the State list, select a state for the antivirus. Select Enabled to specify that the selected antivirus (or any antivirus) is running on the computer. Select Unspecified to verify the presence of the antivirus software, but not the state.
   c) If you require a specific virus software engine version (for example, 5200.2000), in the Version box, type the version number. Note that this check does not allow for later versions, so if you check for a specific version, a later version will fail.
   d) If you require a specific virus database version (for example, 4.931.00), in the Database Version box, type a database version. Note that this check does not allow for later versions, so if you specify a check for a specific version, a later version will fail.
   e) If you require that the virus database not be older than a certain age, in the DB Age Not Older Than (days) box, type the database age in days. Be sure to use settings that are compatible with your software. Some antivirus services provide updates frequently, every few days; some antivirus services update only every week or less.
7. To add another antivirus type to the action, click Add New Entry, and repeat step 6.
8. Click Save to complete the configuration.
This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.
4. If client-side check actions are not expanded, click the plus sign ( ) next to Client Side Checks.
5. Select Antivirus Check and click Add Item to add the action to the access policy. The Antivirus Check action popup screen opens.
6. Configure McAfee for Windows:
   a) From the Antivirus ID list, select [win/mac/linux] McAfee, Inc.
   b) From the State list, select Enabled.
   c) In the DB Age Not Older Than (days) box, type 7.
7. Click Add new entry to add an antivirus entry to the action. Note that new entries are added above previously configured entries, by default.
8. Configure Symantec for Macintosh:
   a) From the Antivirus ID list, select [mac] Symantec Corp.
   b) From the State list, select Enabled.
   c) In the DB Age Not Older Than (days) box, type 7.
9. Click Add new entry to add an antivirus entry to the action. Note that new entries are added above previously configured entries, by default.
10. Configure Symantec for Linux:
   a) From the Antivirus ID list, select [win/linux] Symantec Corp.
   b) From the State list, select Enabled.
   c) In the DB Age Not Older Than (days) box, type 7.
   The configured action appears as shown in Figure 9.1.
11. Click Save to save the access policy.
Checking for a file with the file check access policy item
Add a file check action to an access policy in a situation where verifying the presence of a certain file can increase confidence in the security of the client system.
4. If client-side check actions are not expanded, click the plus sign ( ) next to Client Side Checks.
5. Select the file check action for your platform:
   - For Windows, select Windows File Check and click Add Item to add the action to the access policy.
   - For Macintosh, select Mac File Check and click Add Item to add the action to the access policy.
   - For Linux, select Linux File Check and click Add Item to add the action to the access policy.
   The File Check action popup screen opens.
6. Click Add new entry to add a file entry to the action.
7. Configure the entry.
   a) In the FileName box, type the name of the file you want to check. Note that this is the only setting that is required.
   b) If you want to verify that the MD5 checksum matches, in the MD5 box, type or paste the MD5 checksum.
   c) If you require an exact size for the file, in the Size box, type the size in bytes. Note that if you type a 0 in this box, no file size check occurs. To check for a 0-byte file, you must instead type the MD5 checksum in the MD5 box. The MD5 checksum for a 0-byte file is always d41d8cd98f00b204e9800998ecf8427e.
   d) If you want to specify the file creation date, in the Date box, type the file creation date. The default date of 1970-01-01 00:00:00 is the same as specifying no date. You can determine the file creation date by right-clicking the file in Windows, and selecting Properties. The file creation date must be translated to a 24-hour clock, if your system is not on 24-hour time. For example, you would type the file creation date Wednesday, February 27, 2008, 1:23:37 PM in this box as 2008-02-27 13:23:37. The file creation date is set in UTC, or Greenwich Mean Time (GMT), so the server and client timezones are not the same as the file time, and you must adjust the file time you specify accordingly.
   e) For Windows file check only, if you require that the file be signed, in the Signer box, type the signer.
   f) For Windows file check only, in the Version box, type the version of the file, if you want to specify a version, or greater than or less than a version of the file.
   g) For Windows file check only, from the Version Comparison list, select the version comparison operator. Select = if you want the file to be the exact version you specify, select < if you want the checked file version to be greater than the version number you specify, and select > if you want the checked file version to be less than the version number you specify.
8. To add another file to the action, repeat steps 6-7.
9. Click Save to complete the configuration.
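The MD5, Size and Date values for a file check entry can be computed rather than read off by hand. The following Python script is an added example, not part of the F5 guide: it computes the MD5 and size of a file and converts the creation date as Windows Properties shows it (the guide's "Wednesday, February 27, 2008, 1:23:37 PM" form) into the 24-hour UTC value the Date box expects. The client's UTC offset parameter and the use of st_birthtime or st_ctime for the creation time are assumptions of this example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

# MD5 of a zero-byte file, as quoted in the guide: type this in the MD5 box
# rather than 0 in the Size box, because Size 0 disables the size check.
EMPTY_FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"

# How Windows Properties displays a creation date, and what the Date box expects.
WINDOWS_PROPERTIES_FORMAT = "%A, %B %d, %Y, %I:%M:%S %p"
FILE_CHECK_DATE_FORMAT = "%Y-%m-%d %H:%M:%S"


def md5_of_bytes(data: bytes) -> str:
    """Hex MD5 digest of in-memory data (used to confirm the zero-byte constant)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str) -> str:
    """Hex MD5 digest of a file, streamed so large binaries need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def date_for_file_check(windows_properties_text: str, utc_offset_hours: float) -> str:
    """Convert the creation date shown by Windows Properties into the Date box value.

    The guide requires a 24-hour clock in UTC. utc_offset_hours (a parameter
    assumed by this example) is the client's offset from UTC when the date was
    read, for example -8 for Pacific Standard Time; local time minus that
    offset is UTC.
    """
    local = datetime.strptime(windows_properties_text, WINDOWS_PROPERTIES_FORMAT)
    utc = local - timedelta(hours=utc_offset_hours)
    return utc.strftime(FILE_CHECK_DATE_FORMAT)


def file_check_fields(path: str) -> dict:
    """Return the FileName, MD5, Date and (when non-zero) Size values for one entry.

    Creation time comes from os.stat: st_birthtime where the platform reports
    it (Windows, macOS), otherwise st_ctime. That choice is an assumption of
    this example, not something the guide specifies.
    """
    info = os.stat(path)
    created = getattr(info, "st_birthtime", info.st_ctime)
    fields = {
        "FileName": os.path.basename(path),
        "MD5": md5_of_file(path),
        "Date": datetime.fromtimestamp(created, tz=timezone.utc).strftime(FILE_CHECK_DATE_FORMAT),
    }
    if info.st_size > 0:
        fields["Size"] = info.st_size  # a 0 here would mean "no size check"
    return fields


if __name__ == "__main__":
    # Constructed sample files in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "empty.dat")
        open(empty, "wb").close()
        sample = os.path.join(tmp, "sample.dll")
        with open(sample, "wb") as handle:
            handle.write(b"MZ" + b"\x00" * 1022)
        for path in (empty, sample):
            print(file_check_fields(path))
    print(date_for_file_check("Wednesday, February 27, 2008, 1:23:37 PM", -8))
```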
This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.
4. If client-side check actions are not expanded, click the plus sign ( ) next to Client Side Checks.
5. Select Windows File Check and click Add Item to add the action to the access policy. The File Check action popup screen opens.
6. Click Add new entry to add a file entry to the action.
7. Configure the entry:
   - In the File Name box, type wininet.dll.
   - In the MD5 box, type the MD5 checksum 38ab7a56f566d9aaad31812494944824. Many MD5 checksum utilities include a copy function to simplify this step.
   - In the Size box, type 658432.
   - In the Version box, type 6.0.2900.2904.
   - From the Version Comparison list, select =.
   The configured action appears as shown in Figure 9.2.
8. Click Save to complete the configuration.
extracted content with the machine's FQDN. Note that the order of RDNs is the same as is displayed; the required separator is a comma ( , ). Subcases for regex extraction follow:
   - Partial extraction. For example,
     ".*DNS Name=([^,]+).*"
     or
     ".*Other Name:Principal Name=([^,]+).*"
     For the regular expression '.*DNS Name=([^,]+).*', the value of the DNS Name field is extracted for matching.
   - Whole extraction. Leave this field empty or use "(.*)", in order to allow the entire SubjectAltName content to be extracted for matching.
Any - Specifies that the first certificate in the specified certificate store is sent to the server for further validation. Any other certificates are ignored.
Issuer - Specifies that the content of the Issuer field matches the pattern specified by the regular expression. When this option is selected, the Issuer box appears. This box is required for the Issuer match, as well as for the Issuer and Serial Number match. The regular expression is used to match the Issuer's content against the specified pattern. Note that the order of RDNs is the same as is displayed; the required separator is a comma ( , ). Subcases for the regex match are as follows:
   - Partial match. For example,
     "CN=.*, OU=FP, O=F5, L=San Jose, S=CA, C=US"
Issuer and Serial Number - Specifies that the content of the Issuer field matches the pattern specified by the regular expression, and that the serial number precisely matches your input. When this option is selected, the Issuer box appears. This box is required for the Issuer match, as well as for the Issuer and Serial Number match. The regular expression is used to match the Issuer's content against the specified pattern. When this option is selected, the Serial Number box also appears. The serial number must be an exact match (for example, the hex string must be typed in the same order as it is displayed by OpenSSL and Windows certificate tools). For example, 0102030405060708090a.
Save Certificate in a session variable Select Enabled to save the complete encrypted text of the machine certificate in a session variable, session.windows_check_machinecert.<name>.cert.
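To see how the SubjectAltName extraction, Issuer, and Issuer and Serial Number match rules above behave on certificate text, here is an added Python example (not F5 code and not a description of the APM client's implementation) that applies the guide's regular expressions to a constructed certificate. The field strings, the wildcard FQDN comparison used for the guide's "*.siterequest.com" value, and the exact string comparison of the serial number are assumptions of this example.

```python
import fnmatch
import re

# Constructed certificate fields, in the textual form the guide's examples use.
SAMPLE_CERT = {
    "subject_alt_name": "DNS Name=laptop42.siterequest.com, "
                        "Other Name:Principal Name=laptop42$@siterequest.com",
    "issuer": "CN=Corp Issuing CA, OU=FP, O=F5, L=San Jose, S=CA, C=US",
    "serial_number": "0102030405060708090a",
}


def extract_san_field(san_text: str, extraction_regex: str):
    """Apply the SubjectAltName extraction regex from the match rule.

    Whole extraction: an empty regex (or "(.*)") yields the entire SAN content.
    Partial extraction: group 1 of the regex, e.g. the value after "DNS Name=".
    Returns None when the regex does not match or captures nothing.
    """
    if not extraction_regex:
        return san_text
    match = re.match(extraction_regex, san_text)
    if match is None or match.lastindex is None:
        return None
    return match.group(1)


def san_matches_fqdn(san_text: str, extraction_regex: str, fqdn_pattern: str) -> bool:
    """SubjectAltName match FQDN: compare the extracted name with the configured value.

    The guide's example types "*.siterequest.com", so the comparison is done here
    as a case-insensitive shell-style wildcard match (an assumption of this example).
    """
    extracted = extract_san_field(san_text, extraction_regex)
    if extracted is None:
        return False
    return fnmatch.fnmatchcase(extracted.lower(), fqdn_pattern.lower())


def issuer_matches(issuer_text: str, issuer_regex: str) -> bool:
    """Issuer rule: the Issuer field content must match the regex (partial match allowed)."""
    return re.search(issuer_regex, issuer_text) is not None


def issuer_and_serial_match(issuer_text: str, serial_hex: str,
                            issuer_regex: str, expected_serial_hex: str) -> bool:
    """Issuer and Serial Number rule: regex match on Issuer plus an exact serial match.

    The serial is compared as the displayed hex string, byte order included, so it
    must be entered exactly as OpenSSL or the Windows certificate tools show it.
    """
    return issuer_matches(issuer_text, issuer_regex) and serial_hex == expected_serial_hex


if __name__ == "__main__":
    cert = SAMPLE_CERT
    dns_regex = r".*DNS Name=([^,]+).*"
    issuer_regex = r"CN=.*, OU=FP, O=F5, L=San Jose, S=CA, C=US"
    print(extract_san_field(cert["subject_alt_name"], dns_regex))
    print(san_matches_fqdn(cert["subject_alt_name"], dns_regex, "*.siterequest.com"))
    print(issuer_matches(cert["issuer"], issuer_regex))
    print(issuer_and_serial_match(cert["issuer"], cert["serial_number"],
                                  issuer_regex, "0102030405060708090a"))
```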
Checking a machine certificate with the machine cert access policy item
Use the machine cert auth check action to check for the existence of fields in a machine cert, to ensure that client systems comply with your security policy.
4. If client-side check actions are not expanded, click the plus sign ( ) next to Client Side Checks.
5. Select Machine Cert Auth and click Add Item to add the action to the access policy. The Machine Cert Auth action popup screen opens.
6. In the Certificate Store Name box, type the certificate store name, or use the provided value, MY.
7. From the Certificate Store Location list, select the certificate store registry location.
8. From the CA Profile list, select the certificate authority.
9. From the OCSP Responder list, select an OCSP responder, if required, or None.
10. From the Certificate Match Rule list, select the desired certificate match rule, and enter values in any related boxes that appear. See Understanding machine cert auth check options, on page 9-10, for more information.
11. From the Save Certificate in a session variable list, select Enabled to save the certificate in a session variable, or Disabled to not save the certificate in a session variable.
12. Click Save to complete the configuration.
This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.
4. If client-side check actions are not expanded, click the plus sign ( ) next to Client Side Checks.
5. Select Machine Cert Auth and click Add Item to add the action to the access policy. The Machine Cert Auth action popup screen opens.
6. From the Certificate Match Rule list, select SubjectAltName match FQDN.
7. In the Subject Alternative Name box, type *.siterequest.com.
8. Leave all other settings at their default values.
9. Click Save to complete the configuration.
4. If client-side check actions are not expanded, click the plus sign ( ) next to Client Side Checks.
5. Select Firewall Check and click Add Item to add the action to the access policy. The Firewall Check action popup screen opens.
6. Click Add new entry to add a firewall entry to the action.
7. Configure the entry.
   - From the Firewall ID list, select a firewall, or select Any to allow the access policy to pass with any supported firewall. In this list, Windows-specific firewalls are marked with the prefix [Windows], Macintosh-specific firewalls are marked with the prefix [Mac], and Linux-specific firewalls are marked with the prefix [Linux].
   - From the State list, select the state to allow for the firewall. Select Enabled to specify that the selected firewall (or any firewall) is running on the computer. Select Unspecified to verify the presence of the firewall software, but not the state.
   - If you require a specific firewall software version, in the Version box, type a version number.
8. To add another firewall type to the action, repeat steps 6-7.
9. Click Save to complete the configuration.
This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.
4. If client-side check actions are not expanded, click the plus sign ( ) next to Client Side Checks.
5. Select Firewall Check and click Add Item to add the action to the access policy. The Firewall Check action popup screen opens.
6. Click Add new entry to add a firewall entry to the action.
7. Configure Microsoft:
   - From the Firewall ID list, select [win] Microsoft Corp. (MSWindowsFW).
   - From the State list, select Enabled.
8. Click Add new entry to add a firewall entry to the action.
9. Configure Apple Computer:
   - From the Firewall ID list, select [mac] Apple Computer, Inc.
   - From the State list, select Enabled.
10. Click Add new entry to add a firewall entry to the action.
11. Configure iptables:
   - From the Firewall ID list, select [linux] IPTables.
   - From the State list, select Enabled.
   The configured action appears as shown in Figure 9.3.
12. Click Save to complete the configuration.
4. If client-side check actions are not expanded, click the plus sign ( ) next to Client Side Checks.
5. Select the Process Check for the operating system you are checking, and click Add Item to add the action to the access policy. The Process Check action popup screen opens.
6. In the Expression box, type the expression.
7. Click Save to complete the configuration.
This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.
4. If client-side check actions are not expanded, click the plus sign ( ) next to Client Side Checks.
5. Select Windows Process Check and click Add Item to add the action to the access policy. The Process Check action popup screen opens.
6. In the Expression box, type the process check expression as follows:
   (winlogon.exe AND GoogleDesktop.exe) AND NOT gator*
   The configured action appears as shown in Figure 9.4.
7. Click Save to complete the configuration.
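An added Python example (not part of the guide or of the APM client) that evaluates a process check expression of the form shown above against a constructed list of running process names, so the effect of AND, NOT and the trailing wildcard can be tried offline. The grammar it accepts (AND, OR, NOT, parentheses, and shell-style wildcards in process names, with NOT binding tightest and AND binding tighter than OR) is this example's assumption; the guide itself shows only AND, NOT, parentheses and a trailing *.

```python
import fnmatch
import re

# Constructed snapshot of process image names running on a client.
RUNNING_PROCESSES = ["winlogon.exe", "explorer.exe", "GoogleDesktop.exe", "outlook.exe"]

# Keywords are matched as whole words; anything else up to whitespace or a
# parenthesis is a process name pattern (shell-style * and ? wildcards).
TOKEN_RE = re.compile(r"\s*(\(|\)|AND\b|OR\b|NOT\b|[^\s()]+)", re.IGNORECASE)
KEYWORDS = ("AND", "OR", "NOT")


def tokenize(expression):
    tokens, pos, expression = [], 0, expression.strip()
    while pos < len(expression):
        match = TOKEN_RE.match(expression, pos)
        if match is None:
            raise ValueError(f"cannot tokenize at {expression[pos:pos + 12]!r}")
        token = match.group(1)
        tokens.append(token.upper() if token.upper() in KEYWORDS else token)
        pos = match.end()
    return tokens


def process_running(pattern, running):
    """True when any running process name matches the (case-insensitive) pattern."""
    return any(fnmatch.fnmatchcase(name.lower(), pattern.lower()) for name in running)


class _Parser:
    """Recursive descent over: or_expr := and_expr (OR and_expr)*;
    and_expr := not_expr (AND not_expr)*; not_expr := NOT not_expr | atom;
    atom := '(' or_expr ')' | process-name-pattern."""

    def __init__(self, tokens, running):
        self.tokens, self.pos, self.running = tokens, 0, running

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        self.pos += 1
        return token

    def or_expr(self):
        value = self.and_expr()
        while self.peek() == "OR":
            self.take()
            rhs = self.and_expr()  # always parsed, so syntax errors surface
            value = value or rhs
        return value

    def and_expr(self):
        value = self.not_expr()
        while self.peek() == "AND":
            self.take()
            rhs = self.not_expr()
            value = value and rhs
        return value

    def not_expr(self):
        if self.peek() == "NOT":
            self.take()
            return not self.not_expr()
        return self.atom()

    def atom(self):
        token = self.take()
        if token == "(":
            value = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if token is None or token in (")", "AND", "OR"):
            raise ValueError(f"unexpected token {token!r}")
        return process_running(token, self.running)


def evaluate(expression, running=RUNNING_PROCESSES):
    """Evaluate a process check expression against a list of running process names."""
    parser = _Parser(tokenize(expression), running)
    value = parser.or_expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r} after expression")
    return value


if __name__ == "__main__":
    expression = "(winlogon.exe AND GoogleDesktop.exe) AND NOT gator*"
    print(evaluate(expression))                                     # required processes present
    print(evaluate(expression, RUNNING_PROCESSES + ["gator.exe"]))  # a gator* process is running
```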
Expression syntax
Syntax for registry checker expressions is as follows:
   "key" comparison_operator data
   "key" ISPR
   "key"."value" comparison_operator data
   "key"."value" ISPR
where:
   key - Represents a path in the Windows registry.
   value - Represents the name of the value.
   comparison_operator - Represents one of the comparison operators (< <= > >= != =) or ISPR. ISPR is used to verify that a key or value is present. For equality use =. The operator == is not valid here.
   data - Represents the content to compare against.
Note
Quotation marks (") are required around key and value arguments. Quotation marks are used in data if the content contains spaces, commas, slashes, tabs, or other delimiters. If quotation marks exist as part of the registry path or value name, they should be doubled (use two sets of quotation marks). data is treated as a version number if it is entered in the format d.d[.d][.d] or d,d[,d][,d] (where d is a number), and as a date if it is entered in the format mm/dd/yyyy.
Checks for the presence of the specified path in the registry.

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer.Version" >= "6.0.2900.2180"

Checks that the Internet Explorer version is greater than or equal to the value specified.

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer.Version" >= "5.0.2800.0" AND "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer.Version" <= "6.0.2900.0"

Checks for the presence of Internet Explorer. With this registry check, the Internet Explorer version must be greater than or equal to 5.0.2800.0, and less than or equal to 6.0.2900.0.
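The registry check syntax and the examples above, worked through in an added Python evaluator (not F5's code). It applies the guide's rules for quoting, ISPR, version-style and date-style data, and AND, against a constructed registry snapshot. Accepting OR, evaluating clauses left to right without precedence, case-insensitive key and value lookup, and splitting a single quoted "key.value" string at its last dot (the form the guide's examples use) are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed registry snapshot: key path -> {value name: data}.
REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer": {"Version": "6.0.2900.2180"},
    r"HKEY_LOCAL_MACHINE\Software\Google\Google Desktop": {"ResourceDLL": r"C:\Google\gdres.dll"},
}
# Tokens: "quoted" (a doubled quote escapes a quote), a comparison operator, the dot
# between "key" and "value", or an unquoted word (data, ISPR, AND, OR).
TOKEN_RE = re.compile(r'\s*(?:"((?:[^"]|"")*)"|(<=|>=|!=|=|<|>)|(\.)|([^\s"<>!=]+))')
VERSION_RE = re.compile(r"^\d+[.,]\d+(?:[.,]\d+){0,2}$")  # d.d[.d][.d] or d,d[,d][,d]
DATE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}$")  # mm/dd/yyyy


def tokenize(expression):
    tokens, pos, expression = [], 0, expression.strip()
    while pos < len(expression):
        match = TOKEN_RE.match(expression, pos)
        if match is None:
            raise ValueError(f"cannot tokenize at {expression[pos:pos + 12]!r}")
        quoted, op, dot, word = match.groups()
        if quoted is not None:
            tokens.append(("STR", quoted.replace('""', '"')))
        elif op:
            tokens.append(("OP", op))
        elif dot:
            tokens.append(("DOT", dot))
        else:
            tokens.append(("WORD", word))
        pos = match.end()
    return tokens


def typed(data):
    """Classify data as a version tuple, a date, or a case-insensitive string."""
    if VERSION_RE.match(data):
        return "version", tuple(int(part) for part in re.split(r"[.,]", data))
    if DATE_RE.match(data):
        return "date", datetime.strptime(data, "%m/%d/%Y")
    return "string", data.lower()


def compare(actual, op, expected):
    left, right = typed(actual), typed(expected)
    if left[0] != right[0]:  # mixed kinds fall back to plain string comparison
        left, right = ("string", actual.lower()), ("string", expected.lower())
    a, b = left[1], right[1]
    return {"=": a == b, "!=": a != b, "<": a < b, "<=": a <= b, ">": a > b, ">=": a >= b}[op]


def lookup(registry, key, value):
    """Case-insensitive lookup. Returns (key present, data or None)."""
    for path, values in registry.items():
        if path.lower() == key.lower():
            if value is None:
                return True, None
            for name, data in values.items():
                if name.lower() == value.lower():
                    return True, data
            return True, None
    return False, None


def resolve(registry, key, value):
    """Find a clause's target. A lone "key.value" string, as the guide's examples
    write it, is split at its last dot when the whole string is not itself a key."""
    present, data = lookup(registry, key, value)
    if value is None and not present and "." in key:
        key, value = key.rsplit(".", 1)
        present, data = lookup(registry, key, value)
    return (present if value is None else data is not None), data


def evaluate(expression, registry=REGISTRY):
    """Evaluate clauses joined by AND/OR, left to right, without precedence."""
    tokens, pos, result, pending = tokenize(expression), 0, None, None
    while pos < len(tokens):
        if tokens[pos][0] != "STR":
            raise ValueError(f"expected a quoted key, got {tokens[pos][1]!r}")
        key, value, pos = tokens[pos][1], None, pos + 1
        if pos + 1 < len(tokens) and tokens[pos][0] == "DOT" and tokens[pos + 1][0] == "STR":
            value, pos = tokens[pos + 1][1], pos + 2
        exists, data = resolve(registry, key, value)
        kind, text = tokens[pos] if pos < len(tokens) else ("END", "")
        if kind == "WORD" and text.upper() == "ISPR":
            clause, pos = exists, pos + 1
        elif kind == "OP" and pos + 1 < len(tokens) and tokens[pos + 1][0] in ("STR", "WORD"):
            clause, pos = data is not None and compare(data, text, tokens[pos + 1][1]), pos + 2
        else:
            raise ValueError("expected ISPR or a comparison operator followed by data")
        clause = bool(clause)
        result = clause if pending is None else (result and clause if pending == "AND" else result or clause)
        pending = None
        if pos < len(tokens):
            kind, text = tokens[pos]
            if kind != "WORD" or text.upper() not in ("AND", "OR"):
                raise ValueError(f"unexpected token {text!r}")
            pending, pos = text.upper(), pos + 1
    if result is None or pending is not None:
        raise ValueError("incomplete expression")
    return result


if __name__ == "__main__":
    ie = r'"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer'
    print(evaluate(ie + '" ISPR'))                                           # key present
    print(evaluate(ie + '.Version" >= "6.0.2900.2180"'))                     # version compare
    print(evaluate(ie + '.Version" >= "5.0.2800.0" AND ' + ie + '.Version" <= "6.0.2900.0"'))
```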
4. If client-side check actions are not expanded, click the plus sign ( ) next to Client Side Checks.
5. Select Registry Check and click Add Item to add the action to the access policy. The Registry Check action popup screen opens.
6. In the Expression box, type the registry check expression.
7. Click Save to complete the configuration.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a branch of the access policy, click the plus sign ( ) to add an action. The Add Item popup screen opens.
4. If client-side check actions are not expanded, click the plus sign ( ) next to Client Side Checks.
5. Select Registry Check and click Add Item to add the action to the access policy. The Registry Check action popup screen opens.
6. In the Expression box, type:
   "HKEY_LOCAL_MACHINE\Software\Google\Google Desktop.ResourceDLL"
   The configured action appears as shown in Figure 9.5.
7. Click Save to complete the configuration.
4. If client-side check actions are not expanded, click the plus sign ( ) next to Client Side Checks.
5. Select Windows Info and click Add Item to add the action to the access policy. The Windows Info action popup screen opens.
6. Click the Rules tab.
7. Click the Add Rule button.
8. In the Name box, type a name for the rule.
9. Next to Expression: Empty, click change. The Add Expression popup screen opens.
10. Click the Add Expression button.
11. From the Agent Sel. list, select Windows Info.
12. From the Condition list, select Windows platform or Windows update.
   - If you selected Windows platform, from the Windows Platform is list, select the Windows version.
   - If you selected Windows update, in the Windows patch box, type the update name. The format for this can be a KB patch or a Windows service pack, for example KB869074 or SP2.
13. Click Save to complete the configuration.
This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.
4. If client-side check actions are not expanded, click the plus sign ( ) next to Client Side Checks.
5. Select Windows Info and click Add Item to add the action to the access policy. The Windows Info action popup screen opens.
6. Click the Rules tab.
7. Click Add Rule.
8. Type the name XP SP2 for the rule.
9. Next to Expression: Empty, click change. The Expression popup screen opens.
10. Click the Add Expression button. The popup screen displays new information.
11. From the Agent Sel. list, select Windows Info.
12. From the Condition list, select Windows platform.
13. From the Windows Platform is list, select Windows XP.
14. Click the Add Expression button.
15. To add the next expression, next to AND, click Add Expression. The popup screen displays new information.
16. From the Agent Sel. list, select Windows Info.
Configuration Guide for BIG-IP Access Policy Manager 9 - 23
17. From the Condition list, select Windows update.
18. From the Windows Platform is list, select Windows XP.
19. In the Windows Patch box, type SP2.
20. Click the Add Expression button. The Expression popup screen shows the expression configured as shown in Figure 9.6. To view the rule you have created, click the Advanced tab. You see the expression:
   expr { [mcget {session.windows_info_os.last.platform}] == WinXP && [mcget {session.windows_info_os.last.updates}] contains SP2 }
21. Click Finished.
22. Click Save to complete the configuration.
You can use the cache and session control action to clean cache and related session information from the Internet Explorer browser only. The action does not clear browser cache and session-related items from Firefox, Safari, or any other browser. However, other items you configure in the action are cleaned on all Windows systems.
Note
Cache and Session Control is not compatible with Protected Workspace. You should not use a Protected Workspace action in a session that includes the Cache and Session Control action.
4. If client-side check actions are not expanded, click the plus sign ( ) next to Client Side Checks.
5. Select Cache and Session Control and click Add Item to add the action to the access policy. The Cache and Session Control action popup screen opens.
6. Configure the entry.
   - For the option Clean forms and passwords autocomplete data, select Enabled or Disabled. Enabled removes autocomplete data from web forms, and deletes saved passwords from the system after the user logs out.
   - For the option Empty Recycle Bin, select Enabled or Disabled. Enabled ensures that the Recycle Bin is emptied on the system after the user logs out.
   - For the option Force session termination if the browser or Webtop is closed, select Enabled or Disabled. Enabled forces the session to close when the user closes the web browser or the network access webtop.
   - For the option Remove dial-up entries used by Network Access client, select Enabled or Disabled. Enabled removes the VPN connection from the user's Network Connections Dial-up Networking folder.
   - From the Terminate session on user inactivity list, select a setting in minutes or hours to force the session to close if the user is inactive for the specified time. Select Custom to specify a custom setting, in seconds. Select Disabled to not terminate the session on user inactivity. User inactivity is the period of time during which the user has not input any data using the keyboard or mouse on the client system. This is not traffic inactivity over the VPN.
   - From the Lock workstation on user inactivity list, select a setting in minutes or hours to force the user's workstation to lock if the user is inactive for the specified time. Select Custom to specify a custom setting, in seconds. Select Disabled to not lock the user's workstation because of user inactivity. User inactivity is the period of time during which the user has not input any data using the keyboard or mouse on the client system. This is not traffic inactivity over the VPN.
7. Click Save to complete the configuration.
This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.
4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Actions.
5. Select Cache and Session Control, and click Add Item to add the action to the access policy. The Cache and Session Control action popup screen opens.
6. Configure the entry.
   - For the option Clean forms and passwords autocomplete data, select Enabled.
   - For the option Force session termination if the browser or Webtop is closed, select Enabled.
   - From the Terminate session on user inactivity list, select 30 minutes to force the session to close after 30 minutes of inactivity.
   - From the Lock workstation on user inactivity list, select 5 minutes to lock the user's workstation after 5 minutes of inactivity.
   The completed policy appears as shown in Figure 9.7.
7. Click Save to complete the configuration.
Cache and Session Control is not compatible with Protected Workspace. You should not use a Protected Workspace action in a session that includes the Cache and Session Control action.
Note
You cannot assign a Windows group policy template after a session is in the protected workspace. To use Windows group policies with protected workspace, you must place the Windows group policy action before the protected workspace action in the access policy.
4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Actions.
5. Select Protected Workspace and click Add Item to add the action to the access policy. The Protected Workspace action popup screen opens.
6. Configure the protected workspace.
   - Enable or disable the option to Close Google Desktop Search when the user starts the protected workspace session. Note that selecting Enabled in this option is more secure.
   - Enable or disable the option to Allow user to temporarily switch from Protected Workspace when the user is in the protected workspace session.
   - Enable or disable the option to Allow user to use printers.
   - Select the option for the setting Allow write access to USB flash drives. In addition to the Disabled option and the option to allow write access to All USB flash drives, this setting provides a third option, Only IronKey Secure Flash Drives, which allows a user to write only to specialized, highly secured flash drives created by IronKey, Inc.
   - Enable or disable the option to Allow user to burn CDs.
7. If you want to allow protected workspace users to have write access to a specific server, click the Add new entry button and type the name of the server. To add more servers, repeat this step. To remove a server, click the X button next to the name of the server.
8. Click Save to complete the configuration.
This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Actions.
5. Select Protected Workspace and click Add Item to add the action to the access policy. The Protected Workspace action popup screen opens.
6. Configure the action as follows:
   - From the Close Google Desktop Search list, select Enabled.
   - From the Allow user to temporarily switch from Protected Workspace list, select Disabled.
   - From the Allow user to use printers list, select Disabled.
   - From the Allow write access to USB flash drives list, select Only IronKey Secure Flash Drives.
   - From the Allow user to burn CDs list, select Disabled.
7. Click Add new entry to add a server to which a user can write. In the box that appears, type Quarantine. Note that new entries are added above previously configured entries, by default. The configured action appears as shown in Figure 9.8.
8. Click Save to save the access policy.
You cannot assign a Windows group policy template after a session is in the protected workspace. To use Windows group policies with protected workspace, you must place the Windows group policy action before the protected workspace action in the access policy.
GLBA Template
Description
- Based on the HIPAA (Health Insurance Portability and Accountability Act) standard. This policy is used for desktops and laptops to help prevent access to unauthorized information.
- Microsoft Common Usage (high) for desktops and laptops. This policy is used in managed environments and provides high restrictions on user access to devices, configuration, and applications.
- Microsoft Common Usage (light) for desktops and laptops. This policy is used in managed environments, and provides light restrictions on user access to devices, configuration, and applications.
- Based on the PCI (Payment Card Industry) standard. This policy is used for desktops and laptops to help prevent access to unauthorized information.
- Microsoft Specialized Security (Limited Functionality) for desktops and laptops. This is a more focused security policy, with greater restrictions on configuration access.
- Terminal Services for client terminal services. This policy is used in environments where the primary use is terminal services.
PCI Template
Disabling user access to system tools such as the registry editor. Additional information can be found in the Windows Server 2003 security section at: http://www.microsoft.com/technet/security/prodtech/windowsserver2003/w2003hg/s3sgch01.mspx
it establishes procedures for processing, storing, and transmitting sensitive data, and offers some protection against security vulnerabilities that may expose that information. Companies using PCI must also go through an outside audit to validate their compliance. There are 12 requirements within 6 major areas of concern: network security monitoring, network security testing, protecting cardholder data, vulnerability management, access control, and policy maintenance. You can find the specifics of PCI DSS at: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Examples of settings that are applied as part of the PCI template:
- Suspend session after 15 minutes of inactivity.
- Restrict anonymous access to Named Shares.
- Disable Advanced Settings in Internet Explorer.
3. Click the group policy template that you want to download. The template Properties screen opens.
4. Next to Configuration File, click the Download link. The web browser pops up a save file dialog.
5. Click the Save button to save the file.
4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Actions.
5. Select Windows group policy and click Add Item to add the action to the access policy. The Windows group policy action popup screen opens.
6. From the Windows group policy list, select the group policy to apply to client computers. You can add your own group policy templates that you create with the FullArmor GPAnywhere add-on. For more information on group policy templates, see Understanding Windows group policy templates, on page 9-34.
7. Click Save to complete the configuration.
This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.
4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Actions.
5. Select Windows Group Policy and click Add Item to add the action to the access policy. The Windows group policy action popup screen opens.
6. From the Windows Group Policy list, select _GLBA_Template. The configured action appears as shown in Figure 9.9.
7. Click Save to save the access policy.
10
Configuring Server Side Checks
Introducing server-side checks
Configuring client OS check
Configuring UI mode check
Configuring client-side check capability
Checking a landing URI with the landing URI check
4. If server-side check actions are not expanded, click the plus sign (+) next to Server Side Checks.
5. Select Client OS and click Add Item to add the action to the access policy. The Client OS action popup screen opens.
6. Click Save to complete the configuration.
7. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.
This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.
4. If server-side check actions are not expanded, click the plus sign (+) next to Server Side Checks.
5. Select Client OS and click Add Item to add the action to the access policy. The Client OS action popup screen opens.
6. Click Save.
7. On the Windows 7, Windows XP and Windows Vista branches following the client OS action, configure allowed endings. Configure logon denied endings for all other branches. To configure endings, see Configuring access policy endings, on page 7-8. The completed policy appears as shown in Figure 10.1.
8. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.
The following actions are not supported on ActiveSync clients:
- On-Demand Certificate Authentication
- any client side check
- any client side action
4. If server-side check actions are not expanded, click the plus sign (+) next to Server Side Checks.
5. Select UI Mode and click Add Item to add the action to the access policy. The UI Mode action popup screen opens.
6. Click Save to complete the configuration.
7. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.
This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.
4. If server-side check actions are not expanded, click the plus sign (+) next to Server Side Checks.
5. Select UI Mode and click Add Item to add the action to the access policy. The UI Mode action popup screen opens.
6. Click Save.
7. On the Full Browser branch following the UI Mode action, click the plus sign (+). The Add Item popup screen opens.
8. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Checks.
9. Select Cache and Session Control and click Add Item. The cache and session control action popup screen opens.
10. Click Save.
11. On the Standalone Client branch following the UI mode action, and the Successful branch following the cache and session control action, configure Allow endings.
12. Configure logon denied endings for all other branches. To configure endings, see Configuring access policy endings, on page 7-8. The completed policy appears as shown in Figure 10.2.
13. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.
4. If server-side check actions are not expanded, click the plus sign (+) next to Server Side Checks.
5. Select Client-Side Check Capability and click Add Item to add the action to the access policy. The Client-Side Check Capability action popup screen opens.
6. Click Save to complete the configuration.
7. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.
This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a network access or web applications resource using the resource assign action, along with associated webtops. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.
4. If server-side check actions are not expanded, click the plus sign (+) next to Server Side Checks.
5. Select Client-Side Check Capability and click Add Item to add the action to the access policy. The Client-Side Check Capability action popup screen opens.
6. Click Save.
7. On the Full branch following the Client-Side Check Capability action, click the plus sign (+). The Add Item popup screen opens.
8. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Checks.
9. Select Antivirus check and click Add Item. The antivirus check action popup screen opens.
10. Click Save.
11. On the Successful branch following the Antivirus action, configure an Allow ending.
12. Configure logon denied endings for all other branches. To configure endings, see Configuring access policy endings, on page 7-8. The completed policy appears as shown in Figure 10.3.
13. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.
4. If server-side check actions are not expanded, click the plus sign (+) next to Server Side Checks.
5. Select Landing URI and click Add Item to add the action to the access policy. The Landing URI action popup screen opens.
6. Click Save to complete the configuration.
7. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.
example, you add a resource assign action after the landing URI check for the URI /owa. For a complete working scenario, assign a web applications resource for Outlook Web Access with this resource assign action.
Note
This example does not detail how to create and assign web application resources. For detailed instructions, see Configuring web applications on Access Policy Manager, on page 3-7, and Assigning resources, on page 8-9.
4. If server-side check actions are not expanded, click the plus sign (+) next to Server Side Checks.
5. Select Landing URI and click Add Item to add the action to the access policy. The Landing URI action popup screen opens.
6. In the Name box, type OWA.
7. Click the Rules tab. The Rules for the action popup screen are displayed. The predefined rule for this action is Expression: Landing URI is /uri1.
8. Next to Expression: Landing URI is /uri1, click the change link. The expression builder popup screen opens.
9. In the Landing URI is box, type /owa. On the OWA branch, add a resource assign action and configure it for Outlook Web Access, if you have an Outlook Web Access server and resources. To configure the web application, see Configuring web applications on Access Policy Manager, on page 3-7. To assign the resource, see Assigning resources, on page 8-9. The completed policy appears as shown in Figure 10.4.
10. Click Save.
11. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.
11
Configuring Authentication Using AAA Servers
Understanding authentication with Access Policy Manager
Understanding different RADIUS operation modes
Setting up Access Policy Manager for RADIUS authentication and authorization
Configuring Access Policy Manager for RADIUS accounting
Configuring Access Policy Manager for RADIUS authentication and accounting
Setting up Access Policy Manager for RSA Native SecurID for authentication and authorization
Setting up Access Policy Manager for LDAP authentication and authorization
Setting up Access Policy Manager for Windows Active Directory authentication and authorization
Understanding nested groups
Setting up Access Policy Manager for HTTP authentication
Setting up Access Policy Manager for Oracle Access Manager
Setting up Access Policy Manager for AAA high availability
access the Active Directory for authentication, on page 11-32, and Configuring Access Policy Manager to access the Active Directory action item for query, on page 11-34.
Important
To use a specific authentication method, you must have at your site a server that supports the scheme. You can set up authentication using any combination of the following methods.
- RADIUS server: Uses the server at your site that supports authentication using the RADIUS protocol. For more information on this method, see RADIUS authentication, on page 11-3.
- LDAP server: Uses the server at your site that supports authentication using LDAP. For more information on this method, see Setting up Access Policy Manager for LDAP authentication and authorization, on page 11-21.
- Microsoft Active Directory: Uses the server at your site that supports Kerberos authentication against a Windows 2000 or later server. For more information on this method, see Setting up Access Policy Manager for Windows Active Directory authentication and authorization, on page 11-31.
- HTTP authentication: Uses external web-based authentication servers to validate user logons and passwords, and to control user access to specific network resources. For more information on this method, see Setting up Access Policy Manager for HTTP authentication, on page 11-40.
- RSA SecurID over RADIUS: Uses the RADIUS protocol for authentication. To use RSA SecurID over RADIUS, you must select RADIUS as the authentication method. For more information on this method, refer to Configuring RSA SecurID using RADIUS, on page 11-11.
- RSA Native SecurID: Uses the RSA Native SecurID protocol for authentication. To use RSA Native SecurID, you must have an authentication server set up, and you must select SecurID as the authentication method. For more information on this method, refer to Setting up Access Policy Manager for RSA Native SecurID for authentication and authorization, on page 11-16.
RADIUS authentication
RADIUS authentication allows you to authenticate and authorize your users to access their resources through a RADIUS server that you configure on the Access Policy Manager. For more information on how to set up authentication using a RADIUS server, refer to Setting up RADIUS authentication and authorization access policy action item, on page 11-8. The following tasks provide information on how to set up your RADIUS server. You can also leverage user information, in the form of attributes, to allow users access to various network resources.
Important
Be sure that the RADIUS server is configured to recognize the Access Policy Manager as a client. Use the same shared secret in both the RADIUS server configuration and in the Access Policy Manager configuration.

Setting up RADIUS authentication and authorization involves the following tasks:
- Setting up a RADIUS server
- Setting up RADIUS access policy action items
RADIUS attributes
The following table lists the specific RADIUS authentication attributes that the Access Policy Manager sends with RADIUS requests.

Attribute        Purpose
User-Name        Indicates the name of the user to be authenticated.
User-Password    Indicates the password of the user to be authenticated.
NAS-IP-Address   Indicates the identifying IP Address of the NAS.
Service-Type     Indicates the type of service the user has requested.
NAS-Port         Indicates the physical port number of the NAS which is authenticating the user.
RADIUS accounting
You can report user session information to an external RADIUS accounting server. If you select this mode only, the system assumes that you have set up another type of authentication method to authenticate and authorize your users to access their resources. For more information on how to set up RADIUS accounting, refer to To configure RADIUS accounting, on page 11-13.

The Access Policy Manager operates as a client of the external RADIUS accounting server, and is responsible for retrieving user information. It sends accounting messages indicating when the network access is initiated or terminated, by sending the RADIUS accounting start and stop messages. However, the RADIUS accounting start message does not mean the actual network access will be successfully established. If a user logs in, but the network tunnel fails to establish, the user is not presented with a logon denied page. Instead, the user either sees an error message on the webtop and must manually log out, or is automatically logged out of a session. In either case, the accounting stop message is sent when the user is logged out and the session terminates.

RADIUS accounting works in the following ways:
- When a user logs on to the Access Policy Manager, the system sends session start information to the RADIUS accounting server. Session start information consists of the RADIUS username, the RADIUS sessionid of the user's session, and a RADIUS accounting status start message, indicating that the session has started.
- When the user terminates the session by logging off the Access Policy Manager, the system sends session end information to the RADIUS accounting server. The session end information includes the RADIUS username, the RADIUS sessionid, and the RADIUS accounting status stop message, indicating that the session has ended. Also included in this stop message is the RADIUS service duration, which represents the total time the user session was active.
[Tables: RADIUS accounting attributes. Attributes listed: Acct-Status-Type, Acct-Authentic, Service-Type, NAS-IP-Address, NAS-Port, Tunnel-Client-Endpoint, Class; and Acct-Status-Type, Acct-Session-Time, Acct-Output-Octets. Attribute descriptions not recovered.]
If the user does not log off, but simply closes the web browser window, the Access Policy Manager sends the RADIUS stop message when the user's session times out. RADIUS accounting messages are sent asynchronously: the Access Policy Manager stores the user's session start and end information in its database, and sends it to the RADIUS accounting server.
Important
Be sure to configure your RADIUS accounting server to recognize the Access Policy Manager as a client. Refer to your external server's user manual for more information on how to perform this task.
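The following Python is an added example, not F5 code and not part of this manual. It shows what the attributes in the RADIUS authentication table above and the accounting start and stop messages described in this section look like on the wire (RFC 2865 and RFC 2866), and why the shared secret has to match on both sides: the User-Password hiding, the Accounting-Request authenticator and the server's Response Authenticator are all keyed by it, so a mismatched secret shows up as rejected or unverifiable packets rather than a clear error. The shared secret, user name, session id, NAS address and port are constructed values; the example goes beyond the page in spelling out the full packet layout and the checks each side performs.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS packet codes (RFC 2865 authentication, RFC 2866 accounting).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5

# Attribute type numbers (RFC 2865/2866/2868) for the attributes named on this page.
A = {"User-Name": 1, "User-Password": 2, "NAS-IP-Address": 4, "NAS-Port": 5,
     "Service-Type": 6, "Class": 25, "Acct-Status-Type": 40,
     "Acct-Output-Octets": 43, "Acct-Session-Id": 44, "Acct-Authentic": 45,
     "Acct-Session-Time": 46, "Tunnel-Client-Endpoint": 66}
ACCT_START, ACCT_STOP = 1, 2       # Acct-Status-Type values
ACCT_AUTHENTIC_RADIUS = 1          # Acct-Authentic: user was authenticated by RADIUS
SERVICE_TYPE_LOGIN = 1             # Service-Type Login-User


def encode_attrs(attrs):
    """TLV-encode [(type, value_bytes), ...]; a RADIUS attribute value is at most 253 bytes."""
    out = b""
    for typ, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return out


def parse_attrs(body):
    """Decode TLVs; malformed lengths raise instead of looping or reading past the end."""
    attrs, i = [], 0
    while i < len(body):
        if len(body) - i < 2:
            raise ValueError("truncated attribute header")
        typ, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        attrs.append((typ, body[i + 2:i + length]))
        i += length
    return attrs


def _xor_chain(data, secret, request_auth, decrypt=False):
    # RFC 2865 5.2: b1 = MD5(S + RA), c1 = p1 XOR b1, then b_n = MD5(S + c_(n-1)).
    out, prev = bytearray(), request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, b))
        out += result
        prev = block if decrypt else result  # always chain on the ciphertext block
    return bytes(out)


def hide_password(password, secret, request_auth):
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _xor_chain(padded, secret, request_auth)


def unhide_password(hidden, secret, request_auth):
    return _xor_chain(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def _packet(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(ident, secret, username, password, nas_ip, nas_port,
                         request_auth=None):
    """Access-Request carrying the attributes from the authentication table above."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([
        (A["User-Name"], username),
        (A["User-Password"], hide_password(password, secret, request_auth)),
        (A["NAS-IP-Address"], socket.inet_aton(nas_ip)),
        (A["Service-Type"], struct.pack("!I", SERVICE_TYPE_LOGIN)),
        (A["NAS-Port"], struct.pack("!I", nas_port)),
    ])
    return _packet(ACCESS_REQUEST, ident, request_auth, body), request_auth


def build_accounting_request(ident, secret, username, session_id, status, extra=()):
    """Accounting-Request Start (status 1) or Stop (status 2). Its authenticator is
    MD5 over the packet with a zeroed authenticator field, followed by the secret."""
    body = encode_attrs([
        (A["Acct-Status-Type"], struct.pack("!I", status)),
        (A["User-Name"], username),
        (A["Acct-Session-Id"], session_id),
        (A["Acct-Authentic"], struct.pack("!I", ACCT_AUTHENTIC_RADIUS)),
    ] + list(extra))
    auth = hashlib.md5(_packet(ACCOUNTING_REQUEST, ident, b"\x00" * 16, body) + secret).digest()
    return _packet(ACCOUNTING_REQUEST, ident, auth, body)


def verify_accounting_request(packet, secret):
    """Server-side check of an Accounting-Request; fails if the secret differs."""
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_response(code, request, secret, attrs=()):
    """A server's reply: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    resp_auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + resp_auth + body


def verify_response(response, request, secret):
    """Client-side check of a reply against the request it answers. A mismatch means a
    wrong shared secret on one side, or a corrupted or forged reply, and must be discarded."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

When troubleshooting with the tcpdump steps later in this chapter, this is the structure to look for in the capture: an Access-Request whose User-Password is 16-byte aligned ciphertext rather than cleartext, and a reply whose authenticator only validates when both sides hold the same secret. A server that silently drops requests, as the SecurID-over-RADIUS note below describes, is usually failing exactly these secret-keyed checks.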
If you use the Timeout setting, you must also use the Retries setting. If these settings are enabled, the Access Policy Manager attempts to reach the AAA server within the specified time frame, in seconds. If the server does not respond, the Access Policy Manager retries the authentication attempt up to the number of retries you specify.
[Table: session variables created by the RADIUS action. Variables listed: session.RADIUS.last.attr.$attr_name, session.RADIUS.last.errmsg. Descriptions not recovered.]
You can add your own custom rules using the session variables. For example, you can create your own custom rules when you want different users assigned to different network resources. For more information on how to add custom access policy rules, refer to Chapter 5, Creating Access Profiles and Access Policies.
Table 11.6 General steps to test and ensure successful RADIUS authentication

Steps to Take
- Confirm that the Access Policy Manager is registered as a RADIUS client. Note: Since the Access Policy Manager makes requests from the self IP address to the RADIUS server for authentication requests, the self IP address should be registered as a RADIUS client.
- Check the RADIUS logs and check for any errors.
- Use the tcpdump utility from the Access Policy Manager when authentication attempts are made. For example: tcpdump -i 1.1 -w /tmp/dump. You must first determine what interface the self IP address is on. The results indicate activities between the Access Policy Manager and the authentication server.
- Run the authentication test. After authentication fails, stop the tcpdump, download the tcpdump records to a client system, and use an analyzer to troubleshoot.
- Important: If you decide to escalate the issue to Customer Support when you encounter authentication issues that you cannot otherwise resolve on your own, you must provide the output of running the tcpdump utility.
Possible explanations and corrective actions
- Even if the RADIUS server has been started from the SecurID options window on the Windows SecurID server, the server may not be active. In the Windows Services Manager, make sure that the server is set to start each time the server boots, and is currently running.
- RSA SecurID authentication using RADIUS takes place on a different port than native SecurID authentication. While using RSA SecurID over RADIUS, the SecurID server is a client of itself. The RADIUS service functions as a standalone process, and if the SecurID server is not set up as a client of itself, it rejects the Access Policy Manager authentication request and does not store anything in the logs.
- Check that the RSA SecurID is configured properly. To facilitate communication between the Access Policy Manager and the RSA SecurID, an Agent Host record must be added to the RSA Authentication Manager database. For an example on how to add an agent host, refer to Adding the Access Policy Manager as an agent host to an RSA Native SecurID authentication server, on page 11-17. The Agent Host record identifies the Access Policy Manager within its database and contains information about communication and encryption. To create the Agent Host record, you need the following information:
  - Host name
  - IP addresses for all network interfaces
  - RADIUS secret (click Assign/Change Encryption Key to input the secret; this RADIUS secret must match the corresponding RADIUS secret on the Access Policy Manager)
  When adding the Agent Host record, you should configure the Access Policy Manager as a communication server. This setting is used by the RSA Authentication Manager to determine how communication with the Access Policy Manager will occur.
4. For the Visual Policy Editor setting, click the link Edit Access Policy for Profile "<name of policy>" to start the visual policy editor. The visual policy editor opens in a new window or new tab, depending on your browser settings.
5. Click the small plus sign [+] where you want to add the new access policy action item. A properties screen opens.
6. Under Authentication, select RADIUS Acct and click Add item. The RADIUS Auth object popup opens in the visual policy editor.
7. On the Properties tab, select the name of your RADIUS accounting server from the AAA Server list, and click Save.
8. Click Activate Access Policy to save your configuration. The AAA server is added to the access policy, and is now a part of the overall authentication process.

The RADIUS access policy action automatically creates the session variables, as shown in Table 11.9.
Session Variable                            Description
session.RADIUS.last.acctresult              Provides the result of the RADIUS accounting. The available values are: 0: Failed, 1: Passed.
session.RADIUS.last.acct.$acct_attr_name    $acct_attr_name is a value that represents the user's accounting information attributes.
To add the RADIUS authentication and accounting server as an access policy action item
1. In the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles List screen opens.
2. On the Access Profiles list screen, click the name of your profile. The Properties screen opens.
3. On the menu bar, click Access Policy. The Access Policy screen opens.
4. For the Visual Policy Editor setting, click the link Edit Access Policy for Profile "<name of policy>" to start the visual policy editor. The visual policy editor opens in a new window or new tab, depending on your browser settings.
5. Click the small plus sign [+] where you want to add the new access policy action item. A properties screen opens in the visual policy editor.
6. Under Authentication, select RADIUS Auth and click Add item. The RADIUS Auth object popup opens.
7. Now select RADIUS Acct and click Add item. The RADIUS authentication and accounting objects popup opens in the visual policy editor.
8. On the Properties tab, select the name of your RADIUS server from the AAA Server list, and click Save.
9. Click Activate Access Policy to save your configuration. The RADIUS authentication and accounting server is added to the access policy, and is now a part of the overall authentication process.
Setting up Access Policy Manager for RSA Native SecurID for authentication and authorization
RSA Native SecurID is a two-factor authentication mechanism developed by RSA, the Security Division of EMC. This mechanism of authentication is based on a user PIN or password and a token generated by an authenticator and provided to the user. A token is an authentication code generated every 60 seconds by an authenticator (hardware or software) assigned to the user. The Access Policy Manager supports the following RSA Native SecurID feature checklist.
RSA SecurID checklist    Associated items
New PIN mode             Force authentication after new PIN generated; System generated PIN; User-defined (4-8 alpha-numeric); User-defined (5-7 numeric); User-selectable; Deny 4 and 8 digit PIN; Deny alpha-numeric PIN
Passcode
Setting up RSA Native SecurID authentication and authorization involves the following tasks:
- Add the Access Policy Manager as an agent host to an RSA Native SecurID authentication server
- Configure the Access Policy Manager to use the RSA Native SecurID authentication server
Please refer to your RSA SecurID Implementation Guide for information on how to set up your RSA Native SecurID authentication server.
Adding the Access Policy Manager as an agent host to an RSA Native SecurID authentication server
To enable communications between the Access Policy Manager and an RSA Native SecurID authentication server, you must add the Access Policy Manager as an agent host to the authentication server. The agent host record identifies the Access Policy Manager within the server authentication database, and includes information about communication and encryption.
To add the Access Policy Manager as an agent host to an RSA Native SecurID authentication server
1. On the administrative interface of your RSA Native SecurID authentication server, click the Agent Host tab, and select the Add Agent item.
2. In the Name box, specify a name for identifying the Access Policy Manager agent host configuration. This may or may not be a DNS-resolvable name. This name can be different from the FQDN configured on the Access Policy Manager.
3. In the Network Address box, type the IP address used by the Access Policy Manager while communicating with the RSA Native SecurID authentication server. This address must be the source IP address present in the IP packets received by the RSA Native SecurID authentication server from the Access Policy Manager.
4. From the Agent Type list, select UNIX agent.
5. For Encryption Type, select DES.
6. Verify that the Node Secret Created check box is cleared, if it is currently checked.
7. Check the Open to All Locally Known Users check box.
8. Check the Search Other Realms for Known Users check box.
9. Click the Requires Name Lock check box.
10. Clear any selection from the check boxes Enable Offline Authentication, Enable Windows Password Integration, and Create Verifiable Authentication.
11. Click OK.
Chapter 11
12. Click the Agent Host tab, and select the Generate Configuration Files item. The Generate Configuration File screen opens.
13. Select the One Agent Host option, and then select from the list the Access Policy Manager agent host you just configured.
14. Save the agent host configuration file onto your local system.
15. Click OK.
16. Add users who are authorized to use the Access Policy Manager. For more information on how to do this, refer to your RSA Native SecurID authentication server administrator guide.
Configuring the Access Policy Manager to use the RSA Native SecurID authentication server
After you add the Access Policy Manager as an agent host to your RSA Native SecurID authentication server, you can configure the Access Policy Manager to use the authentication server as part of your authentication process.
To configure the Access Policy Manager to use the RSA Native SecurID authentication server
1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The New Server General Properties screen opens.
2. In the Name box, type the name for your AAA server.
3. In the Type box, select the SecurID option as your AAA server type. The screen refreshes to show the configuration options for SecurID.
4. In the Configuration section, for the Agent Host IP Address (must match the IP address in SecurID Configuration File), if there is a NAT device in the network path between the Access Policy Manager and the RSA SecurID server, type the address as translated by the NAT device. Otherwise, select the IP address from among those configured on the Access Policy Manager. In all cases, this IP address must match the source IP address in the IP packets received by the RSA SecurID server.
5. For the Configuration File, browse to upload the sdconf.rec file from your authentication server. Consult your RSA Authentication Manager administrator to obtain this file.
You must rename the configuration file to sdconf.rec and copy it to the Access Policy Manager before you can use the command line interface commands to configure RSA Native SecurID. Then, you add the SecurID server as you would add any AAA server. Remember that the server name must be the name of the directory to which the configuration file was copied.
Setting up RSA Native SecurID authentication and authorization access policy action item
To complete the authentication process, you must add the RSA Native SecurID action to an access policy.
Using RSA Native SecurID session variables for access policy rules
You can authorize your users with user information provided by the RSA Native SecurID authentication server in the form of attributes. These attributes, converted into session variables, can be used to create rules. For more information on session variables and how to use them to create your rules, refer to Appendix C, Session Variables. The RSA Native SecurID access policy action automatically creates the session variables, as shown in Table 11.12.
Table 11.12 Session variables for RSA Native SecurID authentication

Session Variable                            Description
(result variable)                           Provides the result of the RSA Native SecurID authentication. The available values are 0:Failed and 1:Passed.
session.securid.last.attr.$attr_name        $attr_name is a value that represents the user's attributes received during RSA Native SecurID authentication. Each attribute is converted to a separate session variable.
4. Click Finish. The new LDAP server is added to the AAA Server List.
Note
If your LDAP directory allows anonymous query, you do not need to specify an administrative account or password in the required fields. Either specify credentials of any LDAP account that allows querying this part of the LDAP directory, or create a new LDAP account for Access Policy Manager.
10. Enable the Show Extended Error option. This causes the comprehensive error messages generated by the authentication server to be displayed on the user's Logon page. We recommend enabling this setting only in a testing or debugging environment. Otherwise, your system might be vulnerable to malicious attacks.
11. Specify the Max Logon Attempt Allowed setting. This gives the users an opportunity to re-enter their user credentials if their first attempt to log on fails. Set this value to be greater than 1, and a logon page reappears for the user after a logon failure. Set this value to 1, and no logon retry is allowed. The available range is 1-5, with 3 set as the default value.
12. Click Activate Access Policy to save your configuration. The SecurID server is added to the access policy, and is now a part of the overall authentication process.
Access Policy Manager supports using session variables in the SearchFilter, SearchDN, and UserDN fields. For example, if you want to use the user's CN from the user's SSL certificate as input in one of these fields, you can use the session variable session.ssl.cert.last.cn in place of session.logon.last.username. Refer to Appendix C, Session Variables, for more information.
Session variables for LDAP authentication and query

Session Variable                            Description
(result variable)                           Provides the result of LDAP authentication/query. The available values are 0:Failed and 1:Passed.
session.ldap.last.attr.$attr_name           $attr_name is a value that represents the user's attributes received during LDAP authentication/query. Each attribute is converted to a separate session variable.
session.ldap.last.errmsg                    Useful for troubleshooting. This contains the last error message generated for LDAP. Example: aad2a221.session.ldap.last.errmsg
You can add your own custom rules using the session variables, as previously described. For instance, you can create your own custom rule to assign different network resources to users. For more information on how to add custom access policy rules, refer to Chapter 7, Creating Access Profiles and Access Policies.
to a distinguished name.
7. Click Finish to update the rule and return to the LDAP Query properties.
8. Click Save to update the LDAP Query properties and return to the access policy. The LDAP query default rule has been updated in the access policy.
Note
This is an example of how to update the default rule. Alternatively, you can change both the expression type and value and add other rules.
Example: Using LDAP query and LDAP authentication to authenticate and authorize users
Figure 11.1 is an example of an access policy with all the elements associated to authenticate and authorize your users with LDAP query and LDAP authentication. Notice that the objects were added to the access policy as part of the authentication process.
Make sure that your log level is set to the appropriate level. The default log level is notice. Refer to Chapter 17, Logging and Reporting, for more information on how to use the logging feature. Additionally, you can look into the session reports for information on users' logon attempts. In the navigation pane, expand Access Policy, choose Reports, and click the active session ID to see all the session variables.
Possible errors                  Possible explanations and corrective actions
LDAP Auth Failed
    User name or password does not match records.
    No LDAP server is associated with the LDAP Auth agent.
    The target LDAP server host/port information associated with the LDAP Auth agent may be invalid.
    The target LDAP service may not be accessible.
    The specified administrative credential is incorrect. If no administrative credential is specified, then the user name or password does not match.
(LDAP Query errors)
    No LDAP server is associated with the LDAP Query agent.
    The target LDAP server host/port information associated with the LDAP Query agent may be invalid.
    The target LDAP service may not be accessible.
    If the LDAP Query succeeds, then check whether the LDAP Query Rules are properly configured.
You should                                                          Steps to take
Check that your access policy is attempting to perform authentication
    Refer to the message boxes in your access policy to display information on what the access policy is attempting to do.
    Refer to the /var/log/apm file to view authentication attempts by the access policy.
    Note: Make sure that your log level is set to the appropriate level. The default log level is notice. Refer to Chapter 17, Logging and Reporting, for more information on how to use the logging feature.
Check connectivity to the LDAP server
    Access the Access Policy Manager through the command line interface and check your connectivity by pinging the LDAP server using the host entry in the AAA Server box.
    Confirm that the LDAP port 389 is not blocked between the Access Policy Manager and the LDAP server.
Check the administrative credentials
    Verify that the administrative credentials are correct on the LDAP server, and that they match the credentials used by the AAA entry.
    Note: A good test is to use full administrative credentials with all rights. If that works, you can use less powerful credentials for verification.
Capture the traffic
    Use the tcpdump utility from the Access Policy Manager when authentication attempts are made. For example: tcpdump -i 1.1 -w /tmp/dump (the -w option writes the captured packets to the named file). You must first determine what interface the self IP is on. The tcpdump records indicate activities between the Access Policy Manager and the authentication server. Run the authentication test. After authentication fails, stop the tcpdump, download the capture file to a client system, and use an analyzer to troubleshoot.
    Important: If you decide to escalate the issue to Customer Support when you encounter authentication issues that you cannot otherwise resolve on your own, you must provide the output of running the tcpdump utility.
Table 11.15 General steps to test and ensure successful LDAP authentication
Setting up Access Policy Manager for Windows Active Directory authentication and authorization
Setting up Windows Active Directory authentication and authorization involves the following tasks:
Configure Access Policy Manager to set up an Active Directory server for authentication
Configure Access Policy Manager to access the Active Directory authentication policy action item
Configure Access Policy Manager to access the Active Directory query policy action item
Although it is not required, you can enter the admin name and password during this initial configuration; note that these credentials apply only to AD query.
By default, users are given only one attempt to reset their password. However, an administrator can set the Max Logon Attempt Allowed value of the authentication agent to a value larger than 1, which gives users multiple opportunities to reset their passwords.
Configuring Access Policy Manager to access the Active Directory for authentication
To use Active Directory authentication, you must specify the authentication type as AD Auth in the visual policy editor. Additionally, you need specific information from your Active Directory server administrator.
To configure Access Policy Manager to access the Active Directory policy action item for authentication
1. In the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles List screen opens.
2. On the Access Profiles list screen, click the name of your profile. The Properties screen opens.
3. On the menu bar, click Access Policy. The Access Policy screen opens.
4. For the Visual Policy Editor setting, click the link Edit Access Policy for Profile "<name of policy>" to start the visual policy editor. The visual policy editor opens in a new window or new tab, depending on your browser settings.
5. Click the small plus sign [+] where you want to add the new access policy action item. A properties screen opens.
6. Under Authentication, select AD Auth, and click Add item. The Active Directory object popup opens in the visual policy editor.
7. Specify information for the UserPrincipalName setting. This allows the administrator to require the user to enter the username in the UPN naming style, and to use the domain name from the user-specified UPN for authentication. For example, user@domain.
8. Enable the Show Extended Error option. This causes the comprehensive error messages generated by the authentication server to be displayed on the user's Logon page. We recommend enabling this setting only in a testing or debugging environment. Otherwise, your system might be vulnerable to malicious attacks.
9. Specify the Max Logon Attempt Allowed setting. This gives the users an opportunity to re-enter their user credentials if their first attempt to log on fails. Set this value to be greater than 1, and a logon page reappears for the user after a logon failure. Set this value to 1, and no logon retry is allowed. The available range is 1-5, with 3 set as the default value.
10. Click Activate Access Policy to save your configuration. The Active Directory server is added to the access policy, and is now a part of the overall authentication process.
Configuring Access Policy Manager to access the Active Directory action item for query
To use Active Directory query, you must specify the authentication type as Query and then use the appropriate Active Directory server. This feature queries the appropriate part of the directory tree structure (specified by the search base, or container, DN) to find a user within that directory.
To configure Access Policy Manager to access Active Directory action item for query
1. In the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles List screen opens.
2. On the Access Profiles list screen, click the name of your profile. The Properties screen opens.
3. On the menu bar, click Access Policy. The Access Policy screen opens.
4. For the Visual Policy Editor setting, click the link Edit Access Policy for Profile "<name of policy>" to start the visual policy editor. The visual policy editor opens in a new window or new tab, depending on your browser settings.
5. Click the small plus sign [+] where you want to add the new access policy action item. A properties screen opens.
6. Under Authentication, select AD Query, and click Add item. The LDAP object popup opens in the visual policy editor.
7. On the Properties tab, select the name of your Active Directory server from the AAA Server list, and click Save.
8. Specify information for the SearchFilter setting. For more information about these settings, refer to Specifying SearchFilter and SearchDN settings, on page 11-23.
9. Enable the Fetch Primary Group option. This adds the user's primary group to the memberOf session variable. Additionally, sub-groups of the user's primary group are added to the memberOf session variable if the nested group feature is enabled.
10. Enable the UserPrincipalName option. This allows the administrator to require the user to enter their username in the UPN naming style, and to use the domain name from the user-specified UPN for authentication. For example, user@domain.
11. Enable the Fetch Nested Groups option. For more information on nested groups, refer to Understanding nested groups, on page 11-38.
12. Enable the Required Attributes setting (optional). By default, all user attributes are loaded if you do not specify any required attributes. However, if you specify certain required attributes, then only those specified attributes are retrieved from the LDAP server, which improves system performance.
13. Click Activate Access Policy to save your configuration. The LDAP server is added to the access policy, and is now part of the overall authentication process.
Tip
Both DNS forward and reverse lookup of the domain name processes should work properly to ensure that the domain name resolves to the IP address of the domain controller, and the reverse address resolves to the domain name.
Session variables for Active Directory authentication and query

Session Variable                                    Description
session.ad.last.authresult                          Provides the result of Active Directory authentication/query. The available values are 0:Failed and 1:Passed.
session.ad.last.queryresult
session.ad.last.attr.$attr_name                     $attr_name is a value that represents the user's attributes received from the Active Directory server. Each attribute is converted to a separate session variable.
session.ad.last.attr.group.$attr_name               $attr_name is a value that represents the user's group attributes received from the Active Directory server. Each attribute is converted to a separate session variable.
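The session-variable tables in this chapter (RSA SecurID, LDAP, and Active Directory) all describe the same mechanism: each attribute the AAA server returns becomes its own session.<aaa>.last.attr.<name> variable, and access policy rules branch on those variables. The following Python example is added here to show that conversion and a rule evaluated over it; it is not F5 code. The variable names follow the tables above, while the sample attributes, the " | " separator for multi-valued attributes, the rule helpers and the resource names are constructed for illustration.

```python
"""Added example (not F5 code): how directory attributes become
session.<aaa>.last.attr.<name> session variables and how an access
policy rule can branch on them.  Variable names follow the tables in
this chapter; the sample attributes, the " | " multi-value separator
and the resource names are constructed for illustration."""
from typing import Dict, List

# Constructed sample: attributes an AD Query action might return for one user.
SAMPLE_AD_ATTRIBUTES: Dict[str, List[str]] = {
    "sAMAccountName": ["jdoe"],
    "mail": ["jdoe@example.test"],
    "memberOf": [
        "CN=Sales,OU=Groups,DC=example,DC=test",
        "CN=VPN-Users,OU=Groups,DC=example,DC=test",
    ],
}


def to_session_variables(aaa: str, result: int,
                         attributes: Dict[str, List[str]]) -> Dict[str, str]:
    """Flatten attributes into session.<aaa>.last.* variables.

    Each attribute becomes its own variable; multi-valued attributes are
    joined with " | " (an assumed separator, not taken from the manual).
    """
    sv = {f"session.{aaa}.last.queryresult": str(result)}
    for name, values in attributes.items():
        sv[f"session.{aaa}.last.attr.{name}"] = " | ".join(values)
    return sv


def cn_values(dn_list: str) -> List[str]:
    """Extract the CN (lower-cased) of each DN in a " | "-joined memberOf value."""
    cns = []
    for dn in dn_list.split(" | "):
        first = dn.split(",", 1)[0]
        if first.upper().startswith("CN="):
            cns.append(first[3:].strip().lower())
    return cns


def rule_member_of(sv: Dict[str, str], aaa: str, group_cn: str) -> bool:
    """Rule: the query succeeded (result 1) and the user is directly in group_cn."""
    if sv.get(f"session.{aaa}.last.queryresult") != "1":
        return False
    member_of = sv.get(f"session.{aaa}.last.attr.memberOf", "")
    return group_cn.lower() in cn_values(member_of)


def assign_resources(sv: Dict[str, str], aaa: str = "ad") -> List[str]:
    """Mimic a policy branch: each matching rule adds a (constructed) resource.
    A failed query (result 0) matches no rule, so nothing is assigned."""
    resources = []
    if rule_member_of(sv, aaa, "Sales"):
        resources.append("R1-sales-webtop")
    if rule_member_of(sv, aaa, "VPN-Users"):
        resources.append("R2-network-access")
    if rule_member_of(sv, aaa, "Finance"):
        resources.append("R3-finance-app")
    return resources


if __name__ == "__main__":
    variables = to_session_variables("ad", 1, SAMPLE_AD_ATTRIBUTES)
    for key, value in sorted(variables.items()):
        print(f"{key} = {value}")
    print("assigned:", assign_resources(variables))
```

The rule compares CNs rather than whole DNs so that a group moved to another OU still matches; a deployment that wants to pin the exact DN (stricter, and immune to a same-named CN elsewhere in the tree) would compare the full DN string instead.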
Make sure that your log level is set to the appropriate level. The default log level is notice. Refer to Chapter 17, Logging and Reporting, for more information on how to use the logging feature. Additionally, you can look into the session reports for information on users' logon attempts. In the navigation pane, expand Access Policy, click Reports, and on the screen, click the active session ID to see all the session variables.
Possible errors                                                   Possible explanations and corrective actions
Domain controller reply did not match expectations, (-1765328237)
    This error occurs when the principal/domain name does not match the domain controller server's database. For example, if the actual domain is SALES.MYCOMPANY.COM and the administrator specifies SALES as the domain, then the krb5.conf file displays the following:

        default_realm = SALES
        SALES = {
            domain controller = <domain controller server>
            admin = <admin server>
        }

    So, when the administrator tries to authenticate with useraccount@SALES, the krb5 library notices that the principal name SALES differs from the actual one in the server database.
You should                                                          Steps to take
Check to see if your access policy is attempting to perform authentication
    Refer to the message boxes in your access policy to display information on what the access policy is attempting to do.
    Refer to the /var/log/apm file to view authentication attempts by the access policy.
    Note: Make sure that your log level is set to the appropriate level. The default log level is notice. Refer to Chapter 17, Logging and Reporting, for more information on how to use the logging feature.
Check connectivity and name resolution
    Access the Access Policy Manager through the command line interface and check your connectivity by pinging the Active Directory server using the host entry in the AAA Server.
    Confirm that the Active Directory port 88 or 389 is not blocked between the Access Policy Manager and the Active Directory server.
    Confirm that the Active Directory server name can be resolved to the correct IP address, and that the reverse name resolution (IP address to name) is also possible.
Check the time settings
    Confirm that the Active Directory server and the Access Policy Manager have the correct time setting configured.
    Note: Since Active Directory is sensitive to time settings, we suggest that NTP be used to set the correct time on the Access Policy Manager.
Capture the traffic
    Use the tcpdump utility from the Access Policy Manager when authentication attempts are made. For example, use the command tcpdump -i 1.1 -w /tmp/dump (the -w option writes the captured packets to the named file). You must first determine what interface the self IP address is on. These TCP dumps indicate activities between the Access Policy Manager and the authentication server. Run the authentication test. After authentication fails, stop the tcpdump, download the capture file to a client system, and use an analyzer to troubleshoot.
    Important: If you decide to escalate the issue to Customer Support when you encounter authentication issues that you cannot otherwise resolve on your own, you must provide the output of running the tcpdump utility.
Table 11.18 General steps to test and ensure successful Active Directory authentication
Example: Authenticating and authorizing users with Active Directory query and authentication
Figure 11.3 is an example of an access policy with all the elements associated to authenticate and authorize your users with Active Directory query and Active Directory authentication. Notice that the objects were added to the access policy as part of the authentication process.
Figure 11.3 Example of authenticating and authorizing users with Active Directory query and authentication
The nested groups feature works slightly differently for LDAP and for Active Directory. If you want to use nested groups for Active Directory query, you can use it either in conjunction with, or independently from, Fetch Group Attribute. The following table shows the results of your Active Directory query for each combination of the nested groups and Fetch Group Attribute settings.
Fetch Primary Group   Fetch Nested Groups   Active Directory Query Results
On                    On                    This setting queries all groups the user belongs to. This includes the user's memberOf groups, which include the user's primary group, and groups nested through all memberOf groups.
On                    Off                   This setting queries the user's memberOf groups plus the primaryGroupDN. However, it does not query any nested groups.
Off                   On                    This setting queries the user's memberOf groups, including the nested groups through the memberOf groups. However, the primaryGroupDN is not queried.
Off                   Off                   This setting queries the user's memberOf group only. This means that only the groups with which users are directly associated are queried.
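To make the four rows of the table above concrete, here is an added Python example (not F5 code) that resolves a user's groups over a small constructed directory under each combination of the Fetch Primary Group and Fetch Nested Groups settings. The directory, the user, and the shortened DNs are constructed; the behaviour of each row follows the table's descriptions.

```python
"""Added example (not F5 code): how the Fetch Primary Group and Fetch
Nested Groups settings change the group set an Active Directory query
returns.  The directory below is constructed; DNs are shortened."""
from typing import Dict, List, Set

# Constructed directory: each group's own memberOf list.  A group that is a
# member of another group is what "nested" refers to.
GROUP_MEMBER_OF: Dict[str, List[str]] = {
    "CN=Sales,DC=example,DC=test": ["CN=AllStaff,DC=example,DC=test"],
    "CN=AllStaff,DC=example,DC=test": ["CN=Everyone,DC=example,DC=test"],
    "CN=Everyone,DC=example,DC=test": [],
    "CN=Domain Users,DC=example,DC=test": ["CN=Users,DC=example,DC=test"],
    "CN=Users,DC=example,DC=test": [],
}

# Constructed user: a direct memberOf entry plus the primary group, which
# Active Directory records in primaryGroupID rather than in memberOf.
SAMPLE_USER = {
    "memberOf": ["CN=Sales,DC=example,DC=test"],
    "primaryGroupDN": "CN=Domain Users,DC=example,DC=test",
}


def resolve_groups(user: Dict, fetch_primary: bool,
                   fetch_nested: bool) -> Set[str]:
    """Return the groups the query would place in the memberOf session variable."""
    start: List[str] = list(user["memberOf"])
    if fetch_primary:
        # Row "On": the primary group is added alongside memberOf.
        start.append(user["primaryGroupDN"])
    groups: Set[str] = set(start)
    if fetch_nested:
        # Walk memberOf chains upward from every starting group (including the
        # primary group when it was added); the visited set stops cycles.
        stack = list(start)
        while stack:
            group = stack.pop()
            for parent in GROUP_MEMBER_OF.get(group, []):
                if parent not in groups:
                    groups.add(parent)
                    stack.append(parent)
    return groups


def query_results_table(user: Dict) -> Dict[str, Set[str]]:
    """All four setting combinations, keyed 'primary=<On|Off>,nested=<On|Off>'."""
    table = {}
    for primary in (True, False):
        for nested in (True, False):
            key = (f"primary={'On' if primary else 'Off'},"
                   f"nested={'On' if nested else 'Off'}")
            table[key] = resolve_groups(user, primary, nested)
    return table


if __name__ == "__main__":
    for key, groups in query_results_table(SAMPLE_USER).items():
        print(key, "->", sorted(groups))
```

Note the cost difference: the two "nested Off" rows need only the user's own entry, while the "nested On" rows walk every group chain, which is why enabling Fetch Nested Groups on a deep group tree is the combination most likely to slow down the query.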
F5 Networks strongly recommends using HTTPS because basic authentication passes user credentials as clear text. However, to support HTTPS authentication, Access Policy Manager must be set up and configured through a layered virtual server. For more information, refer to HTTPS basic authentication, on page 11-41.
To configure Access Policy Manager to use an external server for HTTP basic authentication
1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The AAA Server screen opens.
2. Type a name for your AAA server and select HTTP from the Type list. The screen refreshes to provide additional settings specific to the HTTP Type.
3. For the Auth Type setting, select Basic/NTLM. The screen refreshes to display only the option that is specific to HTTP.
4. In the Start URL box, type the complete URL that returns the logon form.
5. Click Finished.
You can test the URL by logging on with valid and invalid credentials to make sure your external authentication server issues a challenge when invalid credentials are entered.
4. Click Save, and then click Apply Access Policy to save your changes.
To create a new node for the server that performs the HTTPS authentication
1. In the navigation pane, expand Local Traffic, and click Nodes. The Node List screen opens.
2. Click Create. The New Node screen opens.
3. Type in the IP address of your server and click Finished. The new node is created.
7. In the navigation pane, click Local Traffic, point to Virtual Servers, and choose Virtual Address List.
8. Select the new server's IP address from the list. The Configuration screen opens.
9. Clear the ARP check box to disable ARP for the new virtual server.
10. Assign the access policy to the new virtual server.
To configure Access Policy Manager to use an external server for HTTP NTLM authentication
1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The AAA Server screen opens.
2. Type a name for your server.
3. For the Type setting, select HTTP from the list. The General Properties screen opens.
4. For the Auth Type setting, select Basic/NTLM.
5. For the Start URL setting, type the complete URL that returns the logon form. Make sure to include the protocol (HTTP or HTTPS), server, and port.
6. Click Finished.
To configure Access Policy Manager to use an external server for HTTP form-based authentication
1. In the navigation pane, expand Access Policy, and click the [+] sign next to the AAA Servers to add a new server. The AAA Server screen opens.
2. Type a name for your server.
3. For the Type setting, select HTTP.
4. For the Auth Type setting, select Form Based.
5. For the Form Method setting, select either GET or POST. By default, the form method value is POST. If you specify GET, then the authentication request is sent as an HTTP GET.
6. For the Form Action setting, type the complete destination URL used for authentication.
7. In the Form Parameter boxes for User Name and Password, type the parameter names the form you are sending the POST request to uses for the user name and the password. An example of a user name parameter is USER, and a password parameter example is PASSWORD.
8. In the Hidden Form Parameters/Values box, type the hidden form parameters required by the authentication server logon form at your location. For more information on how to determine hidden parameters and values, refer to Determining the hidden parameters, following.
9. In the Number Of Redirects To Follow box, type the number of pages away from the landing page the request should travel before failing.
10. In the Successful Logon Detection Match Type box, choose the method your authenticating server uses, and specify the option definition. For example, if you select the By Presence Of A Specific Cookie option, the next field changes to Cookie Name. As an example, enter a cookie name, such as SMSESSION.
11. The Successful Logon Detection Value setting is populated according to whatever method you selected for the Successful Logon Detection Match Type setting.
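The settings in steps 5 through 11 describe one request flow: submit the user's credentials plus the hidden parameters to the Form Action URL, follow a bounded number of redirects, and then decide whether the logon succeeded by the detection rule (here, presence of a named cookie). The following Python simulation is added to show that flow end to end; it is not F5 code. The fake server, its URLs, the hidden parameter names and the credentials are constructed; the parameter names USER and PASSWORD and the cookie name SMSESSION are the examples given in the steps above.

```python
"""Added example (not F5 code): simulation of the HTTP form-based AAA flow:
POST (or GET) credentials plus hidden parameters to the Form Action URL,
follow at most N redirects, then detect success by a named cookie.
Server, URLs, hidden parameters and credentials are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)  # simplified Set-Cookie
    body: str = ""


FORM_ACTION = "https://auth.example.test/login"                # constructed
HIDDEN_PARAMS = {"target": "/portal", "smagentname": "apm"}     # constructed
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fake_auth_server(url: str, method: str, form: Dict[str, str]) -> Response:
    """Constructed stand-in for the external form-based authentication server.
    A good logon sets SMSESSION and then bounces through two redirects;
    a bad logon re-displays the form with status 200 and no cookie."""
    if url == FORM_ACTION and method in ("POST", "GET"):
        if form.get("target") != "/portal":
            return Response(400, body="missing hidden parameter")
        if form.get("USER") == "alice" and form.get("PASSWORD") == "correct horse":
            return Response(302, {"Location": "https://auth.example.test/step2"},
                            {"SMSESSION": "opaque-session-token"})
        return Response(200, body="Logon failed")
    if url == "https://auth.example.test/step2":
        return Response(302, {"Location": "https://auth.example.test/portal"})
    if url == "https://auth.example.test/portal":
        return Response(200, body="Welcome")
    return Response(404)


def form_based_logon(username: str, password: str, max_redirects: int,
                     cookie_name: str,
                     server: Callable[[str, str, Dict[str, str]], Response] = fake_auth_server,
                     form_method: str = "POST") -> Tuple[bool, str]:
    """Return (success, reason) for one logon attempt.

    max_redirects plays the role of Number Of Redirects To Follow: the
    attempt fails once more redirects than that are seen.  cookie_name is
    the By Presence Of A Specific Cookie detection value."""
    form = {"USER": username, "PASSWORD": password, **HIDDEN_PARAMS}
    jar: Dict[str, str] = {}
    resp = server(FORM_ACTION, form_method, form)
    jar.update(resp.cookies)
    hops = 0
    while resp.status in REDIRECT_STATUSES and "Location" in resp.headers:
        if hops >= max_redirects:
            return False, f"gave up after {hops} redirects"
        hops += 1
        resp = server(resp.headers["Location"], "GET", {})
        jar.update(resp.cookies)
    if cookie_name in jar:
        return True, f"cookie {cookie_name} present after {hops} redirects"
    return False, f"cookie {cookie_name} absent (final status {resp.status})"


if __name__ == "__main__":
    print(form_based_logon("alice", "correct horse", 2, "SMSESSION"))
    print(form_based_logon("alice", "correct horse", 1, "SMSESSION"))
    print(form_based_logon("alice", "wrong", 2, "SMSESSION"))
```

The second call shows why the redirect limit matters when testing: the same valid credentials fail if the limit is set below the number of hops the server actually performs, so a logon that works in a browser but fails through the AAA object is often a redirect-count problem rather than a credential problem.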
4. For the Health Monitors setting, select gateway_icmp, and click the move button (<<) to add it to the Active list. This lets the BIG-IP system know when the servers are active or inactive.
5. Optionally, in the Resources area, enable the Priority Group Activation by selecting Less than from the list.
6. For the New Members setting, in the Address box, type in the IP address for your RADIUS server, the Service Port (1812), and a Priority level.
7. Repeat steps 1-6 for each RADIUS server you wish to add, and then click the Add button. Each IP address of the RADIUS server should appear in the New Members table.
8. Click Finished.
Important
You will need to add a second server pool for RADIUS accounting. You add this the same way as the authentication pool. However, instead of using port 1812, use port 1813 since that is the default RADIUS accounting port.
3. On the menu bar, click the Resources tab.
4. For Default Pool, select the server pool you created.
5. Click Update to save your information.
Important
You will need to create a second virtual server, using the same procedure for RADIUS accounting. Remember to use port 1813.
7. Verify that the request is being sent to the other server.
8. Log out again, re-enable the server, and try one more time to verify that the new requests are being sent to the high priority server again.
7. Ensure that Protocol is set to the default value TCP.
8. Leave all other settings at the defaults, and click Finished.
8. Enter information in any other required fields. You can find details for each setting in the online help.
9. Click Activate Access Policy to save your configuration.
12
Introducing On-Demand Certificate Authentication
Controlling SSL traffic
Understanding SSL profiles
Introducing SSL server certificates
Introducing SSL On-Demand Certificates
Understanding On-Demand certificate authentication
Configuring client SSL profiles
Using On-Demand Certificates to authenticate users
Validating certificate revocation status
Using CRLDP
Chapter 12
absence of the certificate. Granting access is not dependent on whether a certificate is present, nor does connection terminate if a certificate is not received.
Note
When the certificate authentication mode is set to Require on the New Client SSL Profile screen, the user must provide a valid client certificate. Otherwise, the connection is not allowed. The recommended option for the client cert result agent is Request.
If the access policy rule in the On-Demand certificate agent detects that the validation was a success, then the access policy assigns the resource R1 to the user, and takes the user to the allow ending. Otherwise, the user is denied access.
If you want to authenticate the client with a valid certificate at the beginning of the initial SSL handshake of your access policy, then you should select Request from the Client SSL Profile screen when you set up your client SSL profile.
6. From the Auth Mode option, select either Request or Required. The default is Request.
7. Click Save. The system adds the On-Demand Certificate authentication agent to your access policy.
Note
If your access policy is configured with an On-Demand certificate authentication action, the user's browser must have a valid certificate. Otherwise, the user's browser may stop responding because the client failed to provide a valid certificate. To avoid running into this problem, we highly recommend you use the Decision box agent in your access profile so that the users are given an option to specify whether or not they have a valid certificate.
7. For the Trusted Certificate Authorities setting, select your trusted certificate authority.
8. For the Ciphers setting, type in a NATIVE cipher to support the On-Demand Client Certificate check. The list of supported NATIVE ciphers includes the following:
    RC4-MD5
    RC4-SHA
    AES128-SHA
    AES256-SHA
    DES-CBC3-SHA
    DES-CBC-SHA
    EXP1024-RC4-MD5
    EXP1024-RC4-SHA
    EXP1024-DES-CBC-SHA
    EXP-RC4-MD5
    EXP-DES-CBC-SHA
    NULL-MD5
    NULL-SHA
9. In the Client Authentication area, check the Custom box. You can select from the four options available; your choice depends on the type of agent you want to use in your access policy as part of On-Demand Certificate validation. However, we recommend that you select either Ignore for On-Demand Certificate Authentication or Request for the client certificate result agent.
10. Click Finished. Your clientssl profile is now created.
Understanding CRLs
A certificate revocation list (CRL) is a list of revoked (invalid) certificates. The CRL describes the reason for the revoked status of the certificate, and provides the certificate's issue date and originator. The list also notes its next update. When a user with a revoked On-Demand Certificate attempts to log on to the Access Policy Manager, the system allows or denies access based on the CRL configured in the sslclient profile.
A CRL is one of three common methods for maintaining valid, certificate-based access to servers in a network. CRLDP is an industry-standard protocol designed to manage SSL certificate revocation on a network or system. The main limitation of a CRL is that keeping it current requires frequent updates, whereas OCSP checks certificate status in real time. You can read more about OCSP in Understanding OCSP, following.
The CRL is a PEM-formatted file containing a list of revoked certificates, attached to the client SSL profile. Make sure the CRL file is kept up to date. You must manually install the CRL file in the /config/ssl/ssl.crl directory, since this is not an automatic process.
Note that if you have multiple CRL files, you cannot aggregate them into one master file. You must point to the individual file (in PEM format) if you want to retrieve CRL information.
Note
You should not configure CRL updates if you are using the Access Policy Manager to generate and issue On-Demand Certificates to users (using either a self-signed client root CA certificate, or a client root CA certificate from a trusted CA). In this case the Access Policy Manager manages CRLs internally.
Understanding OCSP
The Online Certificate Status Protocol (OCSP) enables applications to determine the revocation status of a certificate. OCSP provides more timely revocation information than is possible using CRLs, and may also be used to obtain additional status information. The OCSP client, in this case the Access Policy Manager, issues a status request to an OCSP responder, and suspends acceptance of that certificate until the responder provides a response. The Access Policy Manager supports OCSP validation of On-Demand Certificates.
Note
Do not use On-Demand Certificate OCSP if you are using the Access Policy Manager to generate/issue On-Demand Certificates to users (using either a self-signed client root CA certificate, or a client root CA certificate issued by a trusted CA). In this case, the Access Policy Manager is managing CRLs internally.
Setting up OCSP requires these tasks:
• Configuring an OCSP responder object
• Creating an SSL OCSP profile
• Binding the SSL OCSP profile to a virtual server
Using CRLDP
CRLDP stands for Certificate Revocation List Distribution Point. CRLDP checks the revocation status of an SSL certificate as part of authenticating that certificate. CRL distribution points are used to distribute certificate revocation information across a network. A distribution point is a URI or directory name specified in an SSL certificate that identifies how the server obtains CRL information. In addition, distribution points can be used in conjunction with CRLs to configure certificate authorization using any number of LDAP servers.
In setting up CRLDP, you complete the following tasks:
• Configuring a CRLDP server object
• Configuring a CRLDP configuration object
• Creating a CRLDP profile
• Binding the CRLDP profile to a virtual server
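The checks described in the CRL section above and the distribution point described here, as an added Python illustration using the cryptography library; this is not Access Policy Manager's code. It builds a constructed CA, a client certificate carrying a CRLDP URI, and a PEM CRL, then verifies the CRL signature against the issuer, treats a CRL past its next update as a failure rather than a clean result, looks up the certificate serial, and reads the CRLDP URI from the certificate. The CA name, the URI and all serial numbers are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Constructed placeholder: where the demo CA "publishes" its CRL.
DEMO_CRLDP_URI = "http://crl.example.test/ondemand.crl"


def _validity(builder, now):
    """Give a certificate builder a short constructed validity window."""
    return (builder.not_valid_before(now - timedelta(minutes=5))
                   .not_valid_after(now + timedelta(days=1)))


def make_demo_pki(now=None):
    """Build a constructed CA, client certificate and CRL (demo data only).
    Returns (ca_cert_pem, client_cert_pem, crl_pem, revoked_serial)."""
    now = now or datetime.now(timezone.utc)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo On-Demand CA")])
    ca_builder = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
                  .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
                  .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
    ca_cert = _validity(ca_builder, now).sign(ca_key, hashes.SHA256())

    # Client certificate whose CRLDP extension names where its CRL is published.
    client_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    client_serial = x509.random_serial_number()
    crldp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(DEMO_CRLDP_URI)],
        relative_name=None, reasons=None, crl_issuer=None)])
    client_builder = (x509.CertificateBuilder()
                      .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo-user")]))
                      .issuer_name(ca_name).public_key(client_key.public_key())
                      .serial_number(client_serial).add_extension(crldp, critical=False))
    client_cert = _validity(client_builder, now).sign(ca_key, hashes.SHA256())

    # CRL revoking the client certificate; its "next update" is one day out.
    revoked = (x509.RevokedCertificateBuilder().serial_number(client_serial)
               .revocation_date(now)
               .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
               .build())
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
           .last_update(now).next_update(now + timedelta(days=1))
           .add_revoked_certificate(revoked).sign(ca_key, hashes.SHA256()))
    pem = serialization.Encoding.PEM
    return (ca_cert.public_bytes(pem), client_cert.public_bytes(pem),
            crl.public_bytes(pem), client_serial)


def crl_distribution_uris(cert_pem):
    """URIs named in the certificate's CRLDP extension (empty list if none)."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    except x509.ExtensionNotFound:
        return []
    return [name.value for dp in ext.value for name in (dp.full_name or [])
            if isinstance(name, x509.UniformResourceIdentifier)]


def check_revocation(crl_pem, ca_cert_pem, serial, now=None):
    """Return 'good', 'revoked', 'bad_signature' or 'stale' for one serial."""
    now = now or datetime.now(timezone.utc)
    crl = x509.load_pem_x509_crl(crl_pem)
    ca = x509.load_pem_x509_certificate(ca_cert_pem)
    # A CRL not signed by the expected issuer proves nothing about the cert.
    if crl.issuer != ca.subject or not crl.is_signature_valid(ca.public_key()):
        return "bad_signature"
    # Past its next-update time the list may lack newer revocations, so a
    # stale CRL fails closed instead of vouching for the certificate.
    next_update = getattr(crl, "next_update_utc", None)
    if next_update is None and crl.next_update is not None:
        next_update = crl.next_update.replace(tzinfo=timezone.utc)
    if next_update is not None and now >= next_update:
        return "stale"
    if crl.get_revoked_certificate_by_serial_number(serial) is not None:
        return "revoked"
    return "good"


if __name__ == "__main__":
    ca_pem, client_pem, crl_pem, serial = make_demo_pki()
    print("CRLDP:", crl_distribution_uris(client_pem))
    print("status:", check_revocation(crl_pem, ca_pem, serial))
```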
2. From the list of virtual servers, click the name of the server to which you want to bind the CRLDP profile. The Properties screen opens.
3. From the Configuration setting, select Advanced.
4. From the Available box, for the Authentication Profiles, select the CRLDP profile you want to bind to the virtual server.
5. Click the move button (<<) to move the SSL OCSP profile to the Enabled box.
6. Click Update. The CRLDP Profile is now associated with your virtual server.
13
Introducing Single Sign-On
Introducing Single Sign-On (SSO) with credential caching and proxying
About credential caching
About credential proxying
About External Access Management
Common use cases for Single Sign-On deployment
If you misconfigure SSO objects for one of the authentication methods HTTP Basic, NTLMv1, NTLMv2, or OAM, SSO is disabled for all authentication methods when you access a resource with the misconfigured SSO object. However, the HTTP Form-based method is not affected by the misconfigured object. Additionally, SSO is disabled for the current user session only, while all other users remain unaffected.
Username Conversion: Converts PREWIN2k/UPN username input format to the format you want to use for SSO. For example, convert domain\username or username@domain to username. For the HTTP Basic, NTLM v1, NTLM v2, and OAM authentication methods, no additional attributes are required.
A parameter's name and value are separated by a space, not by an equal sign. Each parameter starts on a new line. For more information on hidden parameters, refer to Determining the hidden parameters, on page 11-44.
Successful Logon Detection Match Type: Defines the success detection type that your authentication server uses. You can select one of the following:
By Resulting Redirect URL: If selected, specifies that the authentication success condition is determined by examining the redirect URL from the HTTP response. You can specify multiple values for this option.
By Presence Of Specific Cookie: If selected, specifies that the authentication success condition is determined by examining the cookie value from the response. This option uses only one defined value.
Successful Logon Detection Match Value: Defines the value used by the specific success detection type.
Access Policy Manager supports the following formats from the username field on the logon page in order to authenticate to the back-end server: domain\username and username@domain.
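The HTTP Form-based settings above (Username Conversion, the hidden-parameter format, and Successful Logon Detection), as an added Python illustration that is not Access Policy Manager's code. The parameter names, cookie name and URLs are constructed samples, and the exact-match rule for redirect URLs and the comparison on cookie name are this example's own assumptions.

```python
import re

# Constructed sample of hidden parameters in the page's format: one parameter
# per line, name and value separated by a space (not an equal sign).
SAMPLE_HIDDEN_PARAMETERS = """\
form_action login
return_url /portal/home
"""

# Constructed sample back-end responses as (status, [(header, value), ...]).
SAMPLE_REDIRECT_RESPONSE = (302, [("Location", "https://app.example.test/portal/home")])
SAMPLE_COOKIE_RESPONSE = (200, [("Set-Cookie", "APPSESSION=abc123; Path=/; HttpOnly")])
SAMPLE_FAILED_RESPONSE = (200, [("Content-Type", "text/html")])


def convert_username(raw):
    """Reduce PREWIN2k (domain\\username) or UPN (username@domain) input to
    the bare username, as the Username Conversion option does."""
    if "\\" in raw:
        return raw.split("\\", 1)[1]
    if "@" in raw:
        return raw.split("@", 1)[0]
    return raw


def parse_hidden_parameters(text):
    """Parse 'name value' lines; rejects the common 'name=value' mistake."""
    params = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        name, sep, value = line.partition(" ")
        if not sep:
            raise ValueError(f"line {lineno}: separate the name and value with "
                             f"a space, not '=' (got {line!r})")
        params[name] = value.strip()
    return params


def logon_succeeded(match_type, match_values, response):
    """Apply the Successful Logon Detection rule to a back-end response."""
    status, headers = response
    lower = [(k.lower(), v) for k, v in headers]
    if match_type == "By Resulting Redirect URL":
        # Only a redirect can satisfy this rule; a 200 re-serving the form fails.
        if status not in (301, 302, 303, 307, 308):
            return False
        location = next((v for k, v in lower if k == "location"), "")
        # Assumption of this example: exact comparison against the configured
        # values, matching either the full URL or just its path.
        path = re.sub(r"^https?://[^/]+", "", location)
        return location in match_values or path in match_values
    if match_type == "By Presence Of Specific Cookie":
        if len(match_values) != 1:
            raise ValueError("cookie detection uses exactly one value")
        wanted = match_values[0]
        return any(k == "set-cookie" and v.split("=", 1)[0].strip() == wanted
                   for k, v in lower)
    raise ValueError(f"unknown match type: {match_type!r}")
```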
6. Click Edit Access Policy for Profile <name of your profile>. The visual policy editor screen opens in a different browser window.
7. Click the small plus sign where you want to add the new access policy action item. A properties screen opens.
8. Under General Purpose, select SSO Credential Mapping, and click Add Item. The Variable Assign: SSO Credential Mapping screen opens.
9. For the SSO Token Username and SSO Token Password settings, select where you want to retrieve the user name and password from, and click Save. Otherwise, select Custom to enter a different user name and password.
The SSO Credential Mapping agent is added to your access policy as part of the overall authentication process.
5. Click Finished. You are now ready to configure your access profile with the appropriate access policy.
3. Configure your access profile with the appropriate access policy, for example, SSO Credential Mapping.
4. Click Apply Access Policy. You are now ready to associate the SSO object to your access profile. Refer to Assigning SSO configuration objects for instructions.
Figure 13.1 Example of BIG-IP Access Policy Manager and OAM deployment
F5 Networks currently supports OAM 10gR4 (Oracle Access Manager 10.1.4.0.1) and later.
Note
For information on integration between Access Policy Manager and Oracle Access Manager, refer to the Deployment Guide available on AskF5.com at https://support.AskF5.com.
The following tasks are required to successfully configure Access Policy Manager for OAM integration with SSO capability:
• Configure the Access Server and Access Gate through Oracle's administration user interface
• Create nodes for the backend web server
• Create a pool for Local Traffic Manager
• Create an AAA OAM server
• Configure the SSO object with the EAM method type as OAM
• Configure the access profile using SSO and associate the SSO object to the access profile
• Create a virtual server and associate the access profile to the virtual server
• Assign the default pool to the virtual server
To configure the SSO object with the EAM method type as OAM
1. In the navigation pane, expand Access Policy, and select SSO Configurations. The SSO Config list screen opens.
2. Click Create. The General Properties screen opens.
3. From the SSO method, select the authentication method you want to use with OAM.
4. Under SSO Method Configuration, specify the username and password you want cached for single sign-on.
5. Under External Access Management, select Oracle Access Management as the Access Management Method.
6. For Oracle Access Management Server, select the Oracle Access Management server you created previously.
7. Click Finished. You are now ready to configure your access profile with the appropriate access policy.
To configure the access profile and associate the SSO object to the access profile
1. In the navigation pane, expand Access Policy. The Profile List screen opens.
2. Select an access profile by clicking on Edit to launch the visual policy editor.
3. Configure your access profile with the appropriate access policy, for example, SSO Credential Mapping.
4. Click Apply Access Policy. You are now ready to associate the SSO object to your access profile.
To create a virtual server and associate the access profile to the virtual server
1. In the navigation pane, expand Local Traffic, and select Virtual Servers. The Virtual Server List screen opens.
2. From the Access Profile list under Access Policy, select the access profile you want to associate with your virtual server.
3. Click Update. Your access profile is now associated with your virtual server.
5. Click Update. You have successfully configured Access Policy Manager for OAM as the SSO method.
9. Add your objects to the access policy. Once you have added your SSO object to your access policy, bind your access policy to your Local Traffic Manager virtual server.
Using Single Sign-On for web application access over network access tunnel
You can configure your network access to support SSO through a layered virtual server. This allows your users full network access to multiple web services without requiring them to enter their credentials multiple times. The following are requirements to deploy SSO for network access:
• One HTTP virtual server for network access.
• One or more HTTP layered virtual servers corresponding to the backend protected web services that require authentication and SSO support.
Note
To ensure that traffic is handled only by the network access for each layered virtual server, you need to select the network access tunnel option from the VLANs list. For more information, refer to the steps in To configure a layered virtual server for your web service, on page 13-17.
2. Click a network access resource on the Resource List. The Network Access editing screen opens. This screen also opens immediately after you create a new network access resource.
3. Configure the Properties for the network access resource on the Properties tab. See Setting up network access, on page 2-5, for more information.
4. Configure the DNS and hosts for the network access resource on the DNS/Hosts tab. See Setting DNS and hosts options, on page 2-9, for more information, or refer to the online help.
5. Configure drive mappings for the network access resource on the Drive Mappings tab. See Mapping drives with network access, on page 2-10, for more information, or refer to the online help.
6. Configure applications to launch for the network access resource on the Launch Applications tab. See Launching applications with network access connections, on page 2-11, for more information, or refer to the online help.
Note
If you use split tunneling for network traffic, you must properly configure the LAN address space setting so that traffic for the web services passes to the network access tunnel. For more information on how to configure LAN address space, see To configure network access properties, on page 2-4.
Before you proceed to create a layered virtual server for your web service, make sure to create an SSO object and select a preferred SSO method for your object. For more information on how to create an SSO object, refer to General SSO object attributes, on page 13-2.
1. In the navigation pane, expand Access Policy, and click Access Profiles. The Access Profile screen opens.
2. Create an access profile with a dummy default access policy.
3. From the Access Profiles list screen for your access profile, make sure to select the SSO object that you created and want to associate with this access profile in SSO Configuration.
4. Click Update. Now, you need to associate a layered HTTP virtual server for your web service to the virtual server for network access.
5. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers. The Virtual Server List screen opens.
6. Select the layered virtual server you created for your web service. The General Properties screen opens.
7. From VLAN and Tunnel Traffic, select network access tunnel to ensure that the layered virtual server sends traffic from the network traffic to the network access tunnel interface.
8. Associate the dummy access profile you created by selecting it from the list.
Important
Make sure that both Address Translation and Port Translation settings remain cleared. You can find these settings by selecting the Advanced option for Configuration.
9. Click Update.
For every web service you want to add, you must follow the steps in creating an HTTP virtual server for network access, and configuring a layered virtual server for your web service.
Your users are now able to access multiple web services without having to enter their credentials multiple times.
5. Click Finished. The SSO object is now added to the SSO list. Please note that these objects come in the form of session variables.
6. In the navigation pane, expand Access Profiles, and select the access profile you want the SSO configuration object assigned to.
7. Click the Properties tab. The General Properties screen opens.
8. Under Configurations, in the SSO Configuration field, select your SSO configuration object.
9. Click Finished. The SSO configuration object is now assigned to your access profile.
14
Configuring Virtual Servers
Introducing virtual servers with Access Policy Manager
Configuring virtual servers for access policies
Configuring a local traffic virtual server with an access policy
When you create a virtual server, the BIG-IP system places the virtual server into your current administrative partition. For information on partitions, see the TMOS Management Guide for BIG-IP Systems. For production deployment of your configuration, you should either edit the clientssl profile to use your imported certificate and key, or create a new profile based on the clientssl profile that uses your own certificate and key. For more information, see Configuring a clientssl profile, on page 12-8. For initial evaluation of Access Policy Manager, you may select the default clientssl profile in the SSL Profile (Client) list. This default profile does not contain a valid SSL server certificate, but it can be used for initial Access Policy Manager evaluation and testing.
15. If you are creating a virtual server to use with a web application in minimal patching mode, from the Default pool list, select the local traffic pool for this application.
16. Click Finished to complete the configuration.
15
Customizing Access Policy Manager Features
Setting up access profile customization
Customizing a webtop
Customizing the BIG-IP Edge Client
Introducing advanced access policy customization
If you customize messages, you must customize the same messages separately for each accepted language. Otherwise, default messages will appear for any accepted language for which you have not customized messages. It is recommended that if you customize messages for a specific accepted language, you remove all other languages from the accepted language list. You can add and remove languages from the accepted language list in the access profile.
6. Click the Find Customization button. The screen refreshes to show the selected customization information.
7. Configure the customization for the selected customization type.
8. To restore the default setting for a customization, click the Restore button next to the setting. To restore all defaults for a customization category, click the Restore All Defaults button.
9. Click Update.
Setting
Windows Protected Workspace action message
Windows Protected Workspace logon: short message
Windows Protected Workspace continue link
Windows Protected Workspace started: close browser message
Checking client message
Installing message (appended to other messages)
Downloading message (appended to other messages)
New browser window required message
Continue link
Description
Specifies the message displayed when the protected workspace starts, and the system requires some time to display the protected workspace.
Specifies the link text that the user can click to continue without starting protected workspace.
Specifies the message displayed when protected workspace has successfully started.
Specifies the message displayed when the system is checking the client for an unspecified action.
Specifies the message displayed while the client is installing software.
Specifies the message displayed while the client is downloading software components.
Specifies the message displayed when browser settings have changed, and the user must open a new browser window to continue.
Specifies the link text that the user clicks to continue after opening a new browser window.
Specifies the messages displayed when client-side security checks fail. You can specify link text to cancel and link text to continue. The continue link allows the client to continue on the fallback branch.
Specifies the message displayed when the cache and session control ActiveX control is loading and the user may be prompted to allow cache and session control installation.
Specifies the text displayed when the client requires ActiveX to start the cache and session control plug-in, and ActiveX is not available or enabled.
Specifies the link text that the user clicks to continue when the cache and session control plug-in cannot load.
Specifies the message displayed when a popup blocker is enabled. The message includes information on how to allow popups from the BIG-IP device. Note: We recommend that you use an HTML editor to edit the HTML code for this box. The code appears unformatted and without line breaks in the box.
Specifies the message displayed when the cache and session control plug-in fails to start. The message includes information on possible causes. Note: We recommend that you use an HTML editor to edit the HTML code for this box. The code appears unformatted and without line breaks in the box.
Description
Specifies the text displayed while the cache and session control plug-in starts. Note: We recommend that you use an HTML editor to edit the HTML code for this box. The code appears unformatted and without line breaks in the box.
Specifies the label for the virtual keyboard.
Specifies the link text that the user clicks to hide the virtual keyboard.
Setting
Unsupported User-Agent
Description
Specifies the error displayed when a session cannot start because the system is not licensed.
Specifies the error displayed when cookies are disabled, and this causes the session ID to be unavailable in the request.
Specifies the error displayed when the Session ID is not correct. This may occur because the session has timed out.
Setting
Invalid Session ID
RADIUS challenge failure
RADIUS challenge failure with extended error
Incorrect LDAP username or password with extended error
Description
Specifies the text displayed when the RSA SecurID logon or password is incorrect.
Specifies the text displayed when the RSA SecurID logon or password is incorrect, and includes the error message from the SecurID component.
Setting
Incorrect resource assigned (Web Application)
Missing Network Access resource
More than one Network Access resource
Network Access and Web Application resources assigned
Web Application resources have inconsistent patching methods
Resource does not exist
Webtop does not exist
ACL does not exist
Inconsistent host replacement string
Invalid Web Application start URI
We recommend that you use an HTML editor to edit the HTML code for the framework installation. The code appears unformatted and without line breaks in the boxes. You can customize the following framework installation settings:
Setting
ActiveX install options screen
Browser plug-in install with manual install options screen (Linux)
Allow browser plugin install screen
Description
Specifies the page text and links that prompt a user to install a new ActiveX browser component. This screen appears for Windows Internet Explorer users only.
Specifies the page text and links that prompt a user to install a new browser plug-in component. This screen provides manual download and installation options. This screen appears for most operating systems and browsers.
Specifies the page text and links that prompt a user to install a new browser plug-in component. This screen provides manual download and installation options. This screen appears for Linux operating systems and browsers.
Specifies the page text and links displayed when the user's browser does not currently allow software installation. This page contains information about how to enable software installation, and links to continue to install plug-ins or to continue without installing the browser plug-ins.
Specifies the page text and links displayed when the user's browser does not currently allow software installation. This page contains information about how to enable software installation, and links to continue to install plug-ins or to continue without installing the browser plug-ins. This screen appears for Linux operating systems and browsers.
Specifies the text that appears on a page with a Java applet to install a new browser plugin. This page appears only on non-Windows systems.
Specifies the page text and links that appear when the Java applet is installing software. This page appears only on non-Windows systems.
Specifies the page text and links that appear when the Java applet is installing software. This page appears only on Macintosh systems with the Safari web browser.
Specifies the page text and links that appear when the installation of software with a Java applet fails. This page allows the user options to restart the session, download and manually install the software, or continue without installing software. This page appears only on non-Windows systems.
Session ID Title
Customizing a webtop
You can customize the appearance of a webtop, including the language of the webtop, the layout of the webtop screen, the messages displayed when starting and closing the connection, and any error messages. A webtop must be assigned to an access profile to see and customize the webtop for the languages assigned to the access profile. If you customize a webtop that is not assigned to any access profile, you can customize the default set of languages only.
To customize a webtop
1. On the Main tab of the navigation pane, expand Access Policy, then click Webtops. The Webtop List screen opens.
2. Click the name of the webtop to customize. The Webtop Properties screen appears.
3. Click the Customization tab. The Webtop Customization screen appears.
4. From the Language list, select the language for which you want to customize settings.
5. Click the Find Customization button. The screen displays customization settings.
6. Configure customization settings for the webtop.
7. When you have finished, click Update.
Setting | Description
 | Specifies the code that creates a local credentials request screen. This is required for Linux systems only. We recommend that you edit this code in an HTML editor to make the layout easier to view. Do not add manual line breaks to the webtop form; this causes errors. Use the <br> tag to add a line break to the code.
Initialization message | Specifies the message displayed on the logon screen when the logon sequence is initializing.
Installation message | Specifies the message displayed on the logon screen when the logon sequence is installing software.
Loading message | Specifies the message displayed on the logon screen when the logon sequence is starting installed software.
Queued message | Specifies the message displayed on the logon screen when the client is queued to make a connection.
Connecting message | Specifies the message displayed on the logon screen when the client is connecting.
Reconnecting message | Specifies the message displayed on the logon screen when the client is reconnecting.
Connected message | Specifies the message displayed on the logon screen when the client is connected.
Disconnected message | Specifies the message displayed on the logon screen when the client is disconnected.
Failed message | Specifies the message displayed on the logon screen when the connection fails.
Connection dropped error message | Specifies the message displayed when an error occurs, and the connection is dropped. Check the log files for more specific information.
Routing table change caused disconnect error message | Specifies the error displayed when a change to the client routing table causes the session to stop and the client to be disconnected.
Disconnected due to configuration error message | Specifies the error displayed when a configuration error causes the session to stop and the client to be disconnected.
Network Access client internal error message | Specifies the message displayed when an internal client error occurs and causes the network access session to fail. Check the log files for more specific information.
 | Specifies the error message displayed when an error occurs on the server, and causes the session to fail. Check the log files for more specific information.
 | Specifies the error message displayed when the F5 plug-in is not installed or is incompatible with the current server. This error occurs on Macintosh and Linux clients only.
Setting | Description
Plugin installation incomplete error message | Specifies the message displayed when the F5 plugin is not installed correctly. This error occurs on Linux clients only.
Connection failed to start error message | Specifies the message displayed when the connection cannot start. Check the log files for more specific information.
Connection already established error message | Specifies the message displayed when a connection is already established.
New BIG-IP Edge Client available message | Specifies the message displayed when a newer version of the BIG-IP Edge client plugin is available for download from the server.
Secure connection stopped message | Specifies the message displayed when the secure connection is stopped by the client. Check the log files for more specific information.
Connection to server could not start error message | Specifies the error message displayed when the client cannot make a connection to the server. Check the log files for more specific information.
pppd daemon did not start error message (mac/linux) | Specifies the error message displayed when the pppd daemon cannot start. This error occurs on Macintosh and Linux clients only.
Installation error pppd daemon not found in /usr/sbin directory (mac/linux) | Specifies the error message displayed when the pppd daemon cannot start. This error occurs on Macintosh and Linux clients only.
Downloading progress bar (caption) | Specifies the caption displayed above the progress bar when client components are downloading.
Description
Specifies the text on the webtop screen that the user clicks to show the IP address configuration.
Specifies the text on the webtop screen that heads the status section.
Setting
Status element -
Activity section received data compression element
Activity section sent data compression element
Details section caption
Setting
Session timeout return to session without further maximum timeout reminders link
Description
Specifies the background color of both session timeout pop-up screens.
Specifies the width of both session timeout pop-up screens, in pixels.
Specifies the height of both session timeout pop-up screens, in pixels.
Specifies the text that precedes the amount of time until the session expires in both session timeout pop-up screens.
Specifies the text heading on the session timeout warning pop-up screen, when the timeout occurs because the session is idle.
Specifies the text heading on the session timeout warning pop-up screen, when the timeout occurs because the maximum duration for the session has been reached.
Setting
Hometab - Reduced toolbar image
Hometab - Reduced toolbar
Hometab - Field separator image
Hometab - Open in same window image text
Hometab - Open in new window image
Description
Specifies the image that represents the hometab when it is reduced. Click the View/Hide link to show or hide the specified graphical element.
Specifies the text that is displayed to expand the reduced hometab.
Specifies the image that is used to separate elements on the hometab. Click the View/Hide link to show or hide the specified graphical element.
Specifies the image that the user clicks to open the specified URL in the current window. Click the View/Hide link to show or hide the specified graphical element.
Specifies the alt text for the image that the user clicks to open the specified URL in the current window.
Specifies the image that the user clicks to open the specified URL in a new window. Click the View/Hide link to show or hide the specified graphical element.
Specifies the alt text for the image that the user clicks to open the specified URL in a new window.
Specifies the image for the link that the user clicks to go to the web applications home screen. Click the View/Hide link to show or hide the specified graphical element.
Specifies the text for the link that the user clicks to go to the web applications home screen.
Specifies the alt text for the link image that the user clicks to go to the web applications home screen.
Specifies the image for the link that the user clicks to log out of the web applications connection. Click the View/Hide link to show or hide the specified graphical element.
Specifies the text for the link that the user clicks to log out of the web applications connection.
Specifies the alt text for the image that the user clicks to log out of the web applications connection.
This is a comma-separated list of all the elements displayed on the hometab. The hometab is arranged in the order in which you specify these elements. Elements can be used more than once. The default specification is: shrink,divider,url,divider,home_text,home_image,divider,logout_text,logout_image. You can specify the following elements for the home tab:
shrink - Specifies the hometab shrink element.
divider - Specifies a hometab field separator element.
url - Specifies the hometab URL box element.
home_text - Specifies the home link text element.
home_image - Specifies the home image element.
logout_text - Specifies the logout link text element.
logout_image - Specifies the logout image text element.
Setting | Description
 | Specifies the set of icons to display in the system tray when the client is in use. Select F5 to show the F5 red ball in the system tray. Select Generic to show a set of unbranded icons.
About text | Specifies the copyright text displayed when the user selects About from the BIG-IP Edge Client menu. The default text is Copyright (C) 2004-2009 F5 Networks, Inc.
About link | Specifies the link text displayed below the copyright when the user selects About from the BIG-IP Edge Client menu. The default link text is http://www.f5.com.
Although flexible, this feature is intended for advanced users. Therefore, you should carefully study the template files before using advanced customization.
[root@bigip6401mgmt:Active] config # advCustHelp myProfile
Profile Name : myProfile
The list of advanced customization files are
/config/customization/advanced/logout/myProfile_logout/logout_en.inc
/config/customization/advanced/logout/myProfile_logout/logout_ja.inc
/config/customization/advanced/logout/myProfile_logout/logout_zh-cn.inc
/config/customization/advanced/logout/myProfile_logout/logout_zh-tw.inc
/config/customization/advanced/header/myProfile_header/header_en.inc
/config/customization/advanced/header/myProfile_header/header_ja.inc
/config/customization/advanced/header/myProfile_header/header_zh-cn.inc
/config/customization/advanced/header/myProfile_header/header_zh-tw.inc
/config/customization/advanced/footer/myProfile_footer/footer_en.inc
/config/customization/advanced/footer/myProfile_footer/footer_ja.inc
/config/customization/advanced/footer/myProfile_footer/footer_zh-cn.inc
/config/customization/advanced/footer/myProfile_footer/footer_zh-tw.inc
/config/customization/advanced/logon/myProfile_act_logon_page_ag/logon_en.inc
/config/customization/advanced/logon/myProfile_act_logon_page_ag/logon_ja.inc
/config/customization/advanced/logon/myProfile_act_logon_page_ag/logon_zh-cn.inc
/config/customization/advanced/logon/myProfile_act_logon_page_ag/logon_zh-tw.inc
/config/customization/advanced/logout/myProfile_end_denied_ag/logout_en.inc
/config/customization/advanced/logout/myProfile_end_denied_ag/logout_ja.inc
/config/customization/advanced/logout/myProfile_end_denied_ag/logout_zh-cn.inc
/config/customization/advanced/logout/myProfile_end_denied_ag/logout_zh-tw.inc
For the purpose of this example, we are using English as the language of choice, so make sure you use the tmp_header_en.inc template. The HTML code that you display should be properly formatted for easier readability, as shown below.
</style>
<![endif]-->
<table id="top_banner" border="0" cellpadding="0" cellspacing="0" width="100%" height="80">
<tr bgcolor='#738495'>
<td><img border="0" src='/public/images/my/flogo.png'><!--[if IE 6]><img border="0" src="/public/images/my/tr.gif" class="pngfix" style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='/public/images/my/flogo.png',sizingMethod='auto');"><![endif]--></td>
<td valign="middle" align="right"><img border="0" src='/public/images/my/fbanner.png'><!--[if IE 6]><img src="/public/images/my/tr.gif" border="0" class="pngfix" style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='/public/images/my/fbanner.png',sizingMethod='auto');"><![endif]--></td>
</tr>
</table>
4. Copy the template tmp_header_en.inc to header_en.inc. You can now use any text editor, such as vi, to modify the content of the file.
5. After you have edited the file, display it (for example with more) to confirm that it contains the code shown below. The page is now ready to be used. You need to notify the Access Policy Manager system that the new page is ready, and you need to clear the old pages from the cache.
[root@bigip6401mgmt:Active] myProfile_header # more header_en.inc
<!--[if IE 6]>
<style type="text/css" media="screen">
#top_banner img { display: none; }
#top_banner img.pngfix { display: block; }
</style>
<![endif]-->
<table id="top_banner" border="0" cellpadding="0" cellspacing="0" width="100%" height="80">
<tr bgcolor='#738495'>
<td><img border="0" src='/public/images/my/flogo.png'><!--[if IE 6]><img border="0" src="/public/images/my/tr.gif" class="pngfix" style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='/public/images/my/flogo.png',sizingMethod='auto');"><![endif]--></td>
<td valign="middle" align="center"><img border="0" src='/public/advanced/images/myProfile/image00.jpg'><!--[if IE 6]><img src="/public/images/my/tr.gif" border="0" class="pngfix" style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='/public/advanced/images/myProfile/image00.jpg',sizingMethod='auto');"><![endif]--></td>
<td valign="middle" align="right"><img border="0" src='/public/images/my/fbanner.png'><!--[if IE 6]><img src="/public/images/my/tr.gif" border="0" class="pngfix" style="filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(src='/public/images/my/fbanner.png',sizingMethod='auto');"><![endif]--></td>
</tr>
</table>
16
Advanced Topics in Access Policies
Setting up a logon page to collect user credentials
Example: Using a customized logon page to collect user credentials
Using multiple authentication methods
Example: Using client certificate authentication with Active Directory
Configuring policy routing
Example: Directing users to different route domains
Using advanced access policy rules
Example: Checking that all present antivirus packages are active on the client system
Example: Using a certificate field for logon name
Chapter 16
3. On a branch of the access policy, click the plus sign ( ) to add an action. The Add Item popup screen opens.
4. If general purpose actions are not expanded, click the plus sign ( ) next to General Purpose.
5. Select Logon Page and click Add Item. The Logon Page configuration popup screen opens.
6. Select the language you want to customize.
7. Customize the logon page agents. For each Logon Page Agent you are using, customize the type of logon page agent. For each agent you can specify a Post Variable Name, Session Variable Name, and whether the agent is Read Only. See Adding and customizing a logon page, on page 8-3, for more information.
8. Customize the elements in the Customization section.
Form Header Text - Specifies the text that appears at the top of the login box.
Logon Page Input Field # (1-5) - These fields specify the text that is displayed on the logon page for each of the logon page agents defined in the Logon Page Agent screen area.
Save Password Checkbox - Specifies the text that appears adjacent to the check box that allows users to save their passwords in the logon form. This field is used only in the secure access client, and not in the web client.
Logon Button - Specifies the text that appears on the logon button, which a user clicks to post the defined logon agents.
Front Image - Specifies an image file to display on the logon page. Click Browse to select a file from the file system. Click Show Image or Hide Image to show or hide the currently selected image file. Click Revert to Default Image to discard any customization and use the default logon page image.
New Password Prompt - Specifies the prompt displayed when a new Active Directory password is requested.
Verify Password Prompt - Specifies the prompt displayed to confirm the new password when a new Active Directory password is requested.
Password and Password Verification do not Match - Specifies the message displayed when the new password and its verification do not match.
9. Click Save when the settings are customized.
Typically you configure the logon page by adding your own custom logo and graphics. To simplify this example, the header box is left as the default with the F5 graphics and background color.
1. On the Access Policy screen, click the Customization tab.
2. From the Customization Type list, select general UI.
3. From the Language list, select en.
4. Click Find Customization.
5. Under Page Footer Settings, in the Footer Text box, type For use by employees of Bogon Networks, Inc., and subsidiaries.<br>Copyright 2009 Bogon Networks, Inc.<br>All rights reserved.
6. Click Update.
7. Click Apply Access Policy.
Configuring the client certificate two-factor authentication with Active Directory example
This example provides a guide to the tasks involved in the configuration of this access policy. Note that this is not a step-by-step procedure, but a list of procedures, with references to the tasks that you must perform to complete the example.
4. Add the Active Directory auth action to the successful rule branch of the access policy. See Configuring Access Policy Manager to access the Active Directory for authentication, on page 11-32.
5. Add the resource assign action to the successful rule branch of the access policy. The resource assign action must set a network access resource. You can optionally assign ACLs, and a network access webtop. See Assigning resources, on page 8-9.
6. Change the ending of the successful branch of the access policy to an Allowed ending. See Using policy endings, on page 7-8.
7. Click Apply Access Policy to start the access policy.
4. If general purpose actions are not expanded, click the plus sign ( ) next to General Purpose.
5. Select Route Domain Selection and click Add Item to add the action to the access policy. The Route Domain Selection action popup screen opens.
6. From the Route Domain ID list, select the route domain ID.
7. Click Save to complete the configuration.
3. In the Name box, type a name for the access profile, for example, PolicyRouteTest.
4. Click Finished. The Access Policy screen appears.
16. Optionally, click the Set Webtop link, and select a network access webtop to assign to clients who successfully authenticate with Active Directory, then click the Update button.
17. Click Save to save the action.
18. On the fallback branch following the Active Directory action, click the plus sign ( ) to add an action. The Add Item popup screen opens.
19. If authentication actions are not expanded, click the plus sign ( ) next to Authentication.
20. Select the RADIUS Auth action, and click Add Item. The RADIUS authentication action popup screen opens.
21. From the AAA Server list, select a RADIUS server. If you do not have a RADIUS server, you can leave the action unconfigured for the purposes of the example.
22. Click Save to save the action.
23. On the successful branch following the RADIUS action, click the plus sign ( ) to add an action. The Add Item popup screen opens.
24. If general purpose actions are not expanded, click the plus sign ( ) next to General Purpose.
25. Select the Route Domain Selection action, and click Add Item. The Route Domain Selection action popup screen opens.
26. From the Route Domain ID list, select 1. This assigns the route domain gateway you defined earlier to clients who successfully authenticate to the RADIUS server.
27. Click Save to save the action.
28. On the successful branch following the route domain selection action, click the plus sign ( ) to add an action. The Add Item popup screen opens.
29. If general purpose actions are not expanded, click the plus sign ( ) next to General Purpose.
30. Select the Resource Assign action, and click Add Item. The Resource Assign action popup screen opens.
31. Click the Add new entry button.
32. Click the Set Network Access Resource link, select a network access resource to assign to clients who successfully authenticate with RADIUS, and click the Update button.
33. Optionally, click the Set Webtop link, and select a network access webtop to assign to clients who successfully authenticate with Active Directory, then click the Update button.
Note that you can assign the same network access resource to both types of clients, and because a different route domain is specified in the route domain selection action, the clients will still reach separate routers.
34. Click Save to save the action.
35. Click the endings following the two resource assign actions, and change them both to Allow endings, by selecting Allow and clicking Save.
You can use an advanced access policy rule to make flexible decisions after an access policy action completes. To do this, you add the advanced access policy rule on the Advanced tab in the Expression popup screen of an action. In this scenario, if the value returned by the expression is not zero, the rule is evaluated as true, and the access policy runs and follows the corresponding rule branch. If the value returned by the expression is zero, the rule is evaluated as false, and the access policy follows the branch assigned to the negative response (typically a fallback branch).
You can use an advanced access policy rule to add flexibility when assigning resources to users. To do this, you add the advanced access policy rule on the Advanced tab in the Expression popup screen of the resource assign action. In this scenario, if the value returned by the expression is not zero, the resource assignment rule is evaluated as true, and the corresponding resource or ACL is assigned to the user. If the value returned by the expression is zero, the resource assignment rule is evaluated as false, and the resource or ACL is not assigned.
You can use an advanced access policy rule to add flexibility by creating a custom session variable, and then assigning the session variable in other advanced access policy rules. To do this, you use the custom variable and custom expression options in the variable assign action. In this scenario, the value returned by the custom expression is assigned to the custom variable.
You can use an advanced access policy rule to override the properties of an assigned network access resource. To do this, you assign a configuration variable to a custom expression, in the variable assign action. In this scenario, the value returned by the expression is used to overwrite the value of the selected property from the network access resource.
In this example, the name of the session variable, session.ssl.cert.cn, is enclosed in braces { }. The brackets [ ] that enclose the entire command are the Tcl notation for command evaluation.
The return value of the expression is the return value used in the access policy rule.
Note
The Tcl language specifies that the expression begin with the syntax expr. For a complete description of the various operators and syntax allowed in a Tcl expression, see http://www.tcl.tk/man/tcl8.0/TclCmd/expr.htm.
The namespace for Access Policy Manager is shared across all rules. If you define a Tcl variable in one rule, it is accessible in another rule also. We recommend that you use a unique prefix for local variables in each rule, to avoid collisions between variables from different rules.
7. In the Advanced box, type the expression.
8. When you are finished, click Finished.
9. Click Save.
In this scenario, if the value returned by the expression is not zero, the rule is evaluated as true, and the access policy continues and follows the corresponding rule branch. If the value returned by the expression is zero, the rule is evaluated as false, and the access policy follows the branch assigned to the negative response (typically a fallback branch).
In this scenario, the expression returns a value. If the return value is not zero, the resource assignment rule is true, and the access policy assigns the corresponding resource or ACL to the user. If the return value is zero, the resource assignment rule is evaluated as false, and the access policy does not assign the resource or ACL.
In this scenario, the custom expression returns a value that the variable assign action then assigns to the custom variable.
8. From the Name list, select the name of the network access resource in which you want to overwrite the variable.
9. From the Property list, select the network access resource property you want to overwrite with a custom expression.
10. In the Custom Expression box, type the expression.
11. When you are finished, click Finished.
12. Click Save.
In this scenario, the expression returns a value that overwrites the value of the selected property from the network access resource.
Example: Checking that all present antivirus packages are active on the client system
By default, the access policy evaluates the antivirus check successfully if any of the detected antivirus packages are present and active on the client system. In this advanced rule example, you change the antivirus check behavior so the access policy evaluates the antivirus check successfully only if all detected antivirus packages are active.
set i 1;
set count [mcget {session.windows_check_av.last.count}];
set minage [expr 7 * 24 * 3600];
while { $i <= $count } {
    if { [mcget "session.windows_check_av.last.item_$i.state"] == 0 || [mcget "session.windows_check_av.last.item_$i.db_time"] < [expr { [mcget "session.user.starttime"] - $minage }] } {
        return 0;
    };
    set i [expr {$i + 1}];
};
return 1;
Figure 16.3 Tcl code to check that all antivirus packages are active
4. If client-side check actions are not expanded, click the plus sign ( ) next to Client Side Checks.
5. Select Antivirus Check and click Add Item. The Antivirus action popup screen opens.
6. Click the Branch Rules tab.
7. Next to the Expression, click change. The rule editor popup screen opens.
8. Click the Advanced tab.
9. In the Advanced box, type this complete expression:
set i 1;
set count [mcget {session.windows_check_av.last.count}];
set minage [expr 7 * 24 * 3600];
while { $i <= $count } {
    if { [mcget "session.windows_check_av.last.item_$i.state"] == 0 || [mcget "session.windows_check_av.last.item_$i.db_time"] < [expr { [mcget "session.user.starttime"] - $minage }] } {
        return 0;
    };
    set i [expr {$i + 1}];
};
return 1;
10. When you are finished, click Finished. 11. Click Save.
Figure 16.4 Rule for antivirus example access policy in expression popup screen
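The rule of Figure 16.3, as an added example that is not code from the F5 manual, rewritten so that it runs in a plain tclsh: mcget is stubbed with a proc that reads a Tcl array, and the session data for three scenarios is constructed here. It also applies the earlier advice about giving each rule's local variables a unique prefix (av_ here) because all rules share one namespace, and it shows the return-value convention the chapter describes: 1 is true (the branch rule matches), 0 is false (the policy takes the fallback branch).

```tcl
# Added example (not from the F5 manual): Figure 16.3's "all antivirus
# packages active" rule as a proc, runnable in plain tclsh. Assumptions:
# session data lives in a Tcl array named av_session constructed below;
# in APM, mcget and the session.* variables are supplied by the system.

package require Tcl 8.5

# Stub for APM's mcget: look a session variable up in a global array.
# A missing variable yields "" (APM would likewise return no value).
proc mcget {name} {
    global av_session
    if {![info exists av_session($name)]} { return "" }
    return $av_session($name)
}

# The rule body. Returns 1 only if every detected package is active and
# its signature database is no older than 7 days before session start;
# otherwise 0. Local variables carry the av_ prefix to avoid collisions
# with other rules in the shared namespace.
proc av_all_active {} {
    set av_i 1
    set av_count [mcget {session.windows_check_av.last.count}]
    set av_minage [expr {7 * 24 * 3600}]
    set av_start [mcget {session.user.starttime}]
    while {$av_i <= $av_count} {
        set av_state   [mcget "session.windows_check_av.last.item_$av_i.state"]
        set av_db_time [mcget "session.windows_check_av.last.item_$av_i.db_time"]
        if {$av_state == 0 || $av_db_time < $av_start - $av_minage} {
            return 0
        }
        incr av_i
    }
    return 1
}

# Constructed sample session: started at epoch 1700000000, two packages.
# Package 1 is always running with one-day-old signatures; package 2 varies.
proc load_sample {scenario} {
    global av_session
    array unset av_session
    set av_session(session.user.starttime) 1700000000
    set av_session(session.windows_check_av.last.count) 2
    set av_session(session.windows_check_av.last.item_1.state) 1
    set av_session(session.windows_check_av.last.item_1.db_time) [expr {1700000000 - 86400}]
    switch $scenario {
        allgood  { set av_s 1; set av_age 86400 }
        inactive { set av_s 0; set av_age 86400 }
        stale    { set av_s 1; set av_age [expr {10 * 86400}] }
    }
    set av_session(session.windows_check_av.last.item_2.state) $av_s
    set av_session(session.windows_check_av.last.item_2.db_time) [expr {1700000000 - $av_age}]
}

foreach av_scenario {allgood inactive stale} {
    load_sample $av_scenario
    puts [format "%-8s -> rule returns %d" $av_scenario [av_all_active]]
}
```

Running it prints 1 for allgood and 0 for both inactive and stale. Like the manual's rule, av_all_active returns 1 when the count is zero, because the loop body never runs; if a client with no detected antivirus at all should fail the check, test session.windows_check_av.last.count separately in the branch rule.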
set
foreach field $cn_fields {
    if { $field contains "CN=" } {
        set name [string range $field [expr { [string first "=" $field] + 1 }] end];
        return $name;
    }
};
Figure 16.5 Tcl code to extract the logon name from a certificate field
4. If general purpose actions are not expanded, click the plus sign ( ) next to General Purpose.
5. Select Variable Assign and click Add Item. The Variable Assign action popup screen opens.
6. Click the Add New Entry button.
7. Under Assignment, next to empty, click change. The variable assignment editor popup screen opens.
8. In the Custom Variable box, type session.logon.last.username.
9. In the Custom Expression box, type the complete expression:
set
foreach field $cn_fields {
    if { $field contains "CN=" } {
        set name [string range $field [expr { [string first "=" $field] + 1 }] end];
        return $name;
    }
};
10. When you are finished, click Finished. 11. Click Save.
Figure 16.6 Case study rule for Certificate CN in variable assign popup screen
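The CN-extraction rule of Figure 16.5, as an added example that is not code from the F5 manual, written as a proc that runs in plain tclsh. The manual's rule relies on F5's contains operator inside expr; this version substitutes standard Tcl string commands. The certificate subject strings are constructed for the example; in APM the subject is read from a session variable with mcget (the manual's truncated set line), and the result is what the variable assign action stores in session.logon.last.username.

```tcl
# Added example (not from the F5 manual): Figure 16.5's rule as a proc for
# plain tclsh. Assumptions: the subject is passed in as a string; F5's
# "contains" operator is replaced by a standard "string match" anchored at
# the start of each field.

package require Tcl 8.5

# Return the value of the first CN= component of a comma-separated
# certificate subject, or "" when the subject has no CN component.
proc cn_from_subject {subject} {
    set cn_fields [split $subject ","]
    foreach cn_field $cn_fields {
        set cn_field [string trim $cn_field]
        # Anchor the match at the start of the field, so an O or OU value
        # that merely contains the text "CN=" is not mistaken for the CN.
        if {[string match -nocase "CN=*" $cn_field]} {
            set cn_name [string range $cn_field [expr {[string first "=" $cn_field] + 1}] end]
            return [string trim $cn_name]
        }
    }
    return ""
}

# Constructed subjects: CN last, CN first with spaces after commas, no CN.
set cn_samples [list \
    "C=US,O=Bogon Networks,OU=Eng,CN=alice" \
    "CN=bob@bogon.example, OU=Sales, O=Bogon Networks" \
    "C=US,O=Bogon Networks,OU=Eng"]

foreach cn_subject $cn_samples {
    set cn_result [cn_from_subject $cn_subject]
    if {$cn_result eq ""} {
        puts "no CN in '$cn_subject'"
    } else {
        puts "logon name '$cn_result' from '$cn_subject'"
    }
}
```

Two cautions for anyone using this as a logon name. First, the manual's rule (and this proc) yields an empty string when no CN is present, so a later branch rule should verify that session.logon.last.username is non-empty before the authentication action runs. Second, splitting on "," breaks subjects whose attribute values contain an escaped comma (for example "O=Bogon\, Inc"); subjects like that need a parser aware of RFC 2253 escaping rather than a plain split. The CN is only as trustworthy as the client certificate check that precedes it in the policy.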
17
Logging and Reporting
Understanding logging
Understanding log types
Setting log levels
Understanding reports
Viewing statistics
Monitoring system and user information
Understanding logging
Viewing and maintaining log messages is an important part of maintaining the Access Policy Manager. Log messages inform you on a regular basis of the events that are happening on the system. Some of these events pertain to general events happening within the system, while other events are specific to the Access Policy Manager, such as stopping and starting Access Policy Manager system services.
The Access Policy Manager uses syslog-ng to log events. The syslog-ng utility is an enhanced version of the standard logging utility syslog.
The types of event messages available on the Access Policy Manager are:
Access Policy events - Access Policy event messages include logs pertinent to access policy, SSO, network access, and web applications. To view access policy events, on the navigation pane, expand System, and click Logs.
Audit Logging - Audit event messages are those that the Access Policy Manager system logs as a result of changes made to its configuration.
For more information on other log events, refer to the BIG-IP Configuration Guide for Local Traffic Manager, on the Ask F5 web site, https://support.f5.com.
Chapter 17
You can also use the Configuration utility to search for a string within a log event, that is, you can filter the display of the log messages according to the string you provide. For more information, see Setting log levels, on page 17-6.
Tip
You can also configure the system to send email or to activate pager notification based on the priority of the logged event.
Note
Files are rotated daily if their size exceeds 10MB. Additionally, weekly rotations are enforced if the rotated log file is a week old, regardless of whether the file exceeds the 10MB threshold.
Information Type   Explanation
Timestamp          The time and date that the system logged the event message.
Log Type           The type of log: System, Access Policy, or Audit.
Log Level          Provides log level detail for each message.
Host Name          The host name of the system that logged the event message. Because this is typically the host name of the local machine, the appearance of a remote host name could be of interest.
Service            The service that generated the event.
Status Code        The status code associated with the event. Note that only events logged by BIG-IP system components, and not operating system services, have status codes.
Session ID         The ID associated with the user session.
Description        The description of the event that caused the system to log the message.
Note
For standalone clients, once a user has logged out and then logged back in, the session ID will be displayed as invalid and will remain as such in the Notice logs. The user is then assigned a new session ID. This is expected behavior of the system.
The Access Policy Manager logs the messages for these auditing events in the /var/log/audit file. Using the Configuration utility, you can display audit log messages. Table 17.3 shows some sample audit log entries. In this example, the first entry shows that user Janet enabled the audit logging feature, while the second and third entries show that user Matt designated the BIG-IP system to be a redundant system with a unit ID of 1.
Timestamp                      User Name   Transaction   Event
Mon Feb 14 03:34:45 PST 2008   janet       79255-1       DB_VARIABLE modified: name="config.auditing"
                               matt        79609-1       DB_VARIABLE modified: name="failover.isredundant" value="true"
                               matt        79617-1       DB_VARIABLE modified: name="failover.unitid" value="1"
By default, audit logging is disabled. For information on enabling this feature, see Setting log levels, following.
The log levels that you can set on certain types of events are sequenced from highest severity to lowest severity, like this:
Emergency
Alert
Critical
Error
Warning
Notice
Informational
Debug
Verbose - This causes the system to log messages for user-initiated configuration changes and any loading of configuration data.
Debug - This causes the system to log messages for all user-initiated and system-initiated configuration changes.
You can find additional information about logging in Logging BIG-IP System Events of the BIG-IP Configuration Guide for Local Traffic Manager, on the Ask F5 web site, https://support.f5.com.
Understanding reports
You can review reports about the sessions created on the system. With Access Policy Manager, you can view either Current Sessions or All Sessions. Under Current Sessions, you can configure which session information is displayed. Table 17.4 lists the information types in the report and their descriptions.
Explanation
The status of the session.
The Session ID of each session.
The logon name used to start a session.
The IP address of the client machine that the user connects from.
The start time of each session.
The time at which the session is expected to time out.
The total number of bytes received by the session.
The total number of bytes transmitted by the session.
2. On the menu bar, click All Sessions. A more detailed screen opens for all sessions running on the system.
3. To view detailed information per session, click a Session ID. A Session Summary screen opens.
Option           Description
                 This displays the access control log messages.
                 This returns logon log messages.
                 This returns access control logs for the given session ID <sid>.
                 This returns session activity information for the given session ID <sid>.
-count           This returns the number of entries in access control and logon logs.
-start <index>   This returns entries starting from the given <index>. The default is the first entry (<index> is 1).
                 This returns entries until the given <index>. The default is the last entry.
-help            Prints the on-screen help message.
Viewing statistics
You can use the Access Policy Manager to view statistics for both Access Profile and Secure Connectivity. You can view the statistics for any given access profile or for all access profiles (cumulative). The following tables list the types of statistics supported by Access Policy Manager. Each table also indicates whether the statistics objects are accessible from the GUI, the command line, or SNMP.
Session statistics
Session statistics are based on user sessions.
Statistics Object         Description                                                                          GUI  CLI  SNMP
                          Total number of active sessions (Pending+Validated, Validated alone)                 Y    Y    Y
MaxActiveSessions         Maximum number of active sessions since the system up-time                           Y    Y    Y
ValidatedActiveSessions   Total number of active sessions that completed validation                            Y    Y    Y
PendingActiveSessions     Total number of active sessions with on-going validation                             Y    Y    Y
                          Total number of user sessions that reached an allow ending                           Y    Y    Y
                          Total number of user sessions that reached a deny ending                             Y    Y    Y
                          Total number of user sessions terminated due to internal errors                      Y    Y    Y
TimedoutSessions          Total number of user sessions terminated due to timeouts                             Y    Y    Y
AllowTimedoutSessions     Total number of user sessions terminated due to allow timeouts                       Y    Y    Y
AdminTerminatedSessions   Total number of user sessions terminated by Admin                                    Y    Y    Y
UserLoggedoutSessions     Total number of user sessions terminated due to user logout                          Y    Y    Y
MiscTerminatedSessions    Total number of user sessions terminated due to other reasons (Cache Cleaner, etc.)  Y    Y    Y
Statistics Object               Description   GUI  CLI  SNMP
DenyendingAgent                 Agent         Y    Y    Y
AllowendingAgent                Agent         Y    Y    Y
RedirectendingAgent             Agent         Y    Y    Y
allowAgent                      Agent         Y    Y    Y
EPSProtectedWorkspace           Agent         Y    Y    Y
EPSOsInfo                       Agent         Y    Y    Y
EPSFileCheck                    Agent         Y    Y    Y
EPSFwCheck                      Agent         Y    Y    Y
EPSProcCheck                    Agent         Y    Y    Y
EPSRegCheck                     Agent         Y    Y    Y
EPSLinuxfilecheck               Agent         Y    Y    Y
EPSLinuxprocescheck             Agent         Y    Y    Y
EPSMacfilecheck                 Agent         Y    Y    Y
EPSMacprocesscheck              Agent         Y    Y    Y
EPSWindowsbrowsercachecleaner   Agent         Y    Y    Y
EPSWindowsgrouppolicy           Agent         Y    Y    Y
EPSWindowscmachinecertcheck     Agent         Y    Y    Y
externalLogon                   Agent         Y    Y    Y
variableAssign                  Agent         Y    Y    Y
routeDomainSelection            Agent         Y    Y    Y
LogonpageAgent                  Agent         Y    Y    Y
VLANAgent                       Agent         Y    Y    Y
LoggingAgent                    Agent         Y    Y    Y
ActiveDirectoryAgent            Agent         Y    Y    Y
LDAPAgent                       Agent         Y    Y    Y
RADIUSAgent                     Agent         Y    Y    Y
RADIUSAccountingAgent           Agent         Y    Y    Y
securIDAgent                    Agent         Y    Y    Y
HTTPAgent                       Agent         Y    Y    Y
clientcertAgent                 Agent         Y    Y    Y
EPS cache cleaner               Agent         Y    Y    Y
EPS Antivirus                   Agent         Y    Y    Y
ResoureAssignment               Agent         Y    Y    Y
DecisionBox                     Agent         Y    Y    Y
MessageBox                      Agent         Y    Y    Y
The following statistics objects are supported for each agent type.
Statistics Object       Description                                                          GUI  CLI  SNMP
TotalInstances          Number of instances of a specific agent type in the access policy    Y    Y    Y
TotalUsages             Total number of times the specific agent was used                    Y    Y    Y
TotalSuccesses          Total number of success conditions created/reached by the agent      Y    Y    Y
TotalErrors             Total number of error conditions created/reached by the agent        Y    Y    Y
TotalSessionVariables   Total number of session variables created by the agent               Y    Y    Y
Statistics Object           Description                                                                                                          GUI  CLI  SNMP
                            The total sessions created in the system                                                                             Y    Y    Y
                            The total established sessions in the system                                                                         Y    Y    Y
                            The total active user sessions in the system                                                                         Y    Y    Y
                            The total user sessions going through access policy evaluation in the system                                         Y    Y    Y
                            The total user sessions that have completed access policy evaluation in the system                                   Y    Y    Y
                            The total aggregated sessions terminated due to timeout or error (any kind)                                          Y    Y    Y
                            The total packets transmitted by the network tunnel in the system                                                    Y    Y    Y
                            The total sessions timed out in the access policy evaluation phase and network access connection phase in the system Y    Y    Y
AllowEnding                 The total sessions that resulted in allow in the system                                                              Y    Y    Y
ResultDeny                  The total sessions that resulted in access deny in the system                                                        Y    Y    Y
ResultRedirect              The total sessions that resulted in redirect ending in the system                                                    Y    Y    Y
ResultRedirectWithSession   The total sessions that resulted in redirect ending with sessions in the system                                      Y    Y    Y
The statistics objects CurrentEstablishedSessions, MiscTerminatedSessions, UserLoggedoutSessions, and AdminTerminatedSessions also belong to this table and are available from the GUI, CLI, and SNMP.
Statistics Object   Description                                                               GUI  CLI
TotLinks            The total PPP sessions in the system                                      Y    Y
CurLinks            The total current PPP sessions in the system                              Y    Y
MaxLinks            The maximum PPP sessions allowed in the system                            Y    Y
RxBytes             The total number of bytes received by PPP in the system                   Y    Y
TxBytes             The total number of bytes transmitted by PPP in the system                Y    Y
RxFrames            The total packets received by PPP in the system                           Y    Y
TxFrames            The total packets transmitted by PPP in the system                        Y    Y
RxErrors            The total number of packets with errors received by PPP in the system     Y    Y
TxErrors            The total number of packets with errors transmitted by PPP in the system  Y    Y
Description                                                      GUI  CLI  SNMP
Status of the session (established, pending, unspecified)        Y    Y    N
Logon name                                                       Y    Y    N
The IP address of the machine from which the user is connected   Y    Y    N
The session start time                                           Y    Y    N
The expiration time of the session                               Y    Y    N
Statistics Object      Description                                               GUI  CLI  SNMP
RxBytes                Total bytes received in the network access connection     Y    Y    N
TxBytes                Total bytes transmitted in the network access connection  Y    Y    N
RxPackets              Total packets received in the network access connection   Y    Y    N
TxPackets              Total packets transmitted in the network access connection Y   Y    N
ingress (raw)          These determine compression ratios.                       Y    Y    N
ingress (compressed)   These determine compression ratios.                       Y    Y    N
egress (raw)           These determine compression ratios.                       Y    Y    N
egress (compressed)    These determine compression ratios.                       Y    Y    N
By clicking the grid icon in the upper left corner of each window, you can display the same information in a table format.
18
Configuring SNMP
Introducing SNMP administration
Configuring the SNMP agent
Working with SNMP MIB files
Collecting performance data
Chapter 18
Using the Access Policy Manager system implementation of SNMP, the SNMP manager can perform these distinct functions:
Poll for information (such as performance metrics).
Receive notification of specific events that occur on the Access Policy Manager system.
Set data for SNMP objects that have a read/write access type.
The last item in the list refers to the ability of an SNMP manager system to enable or disable various Access Policy Manager system objects such as virtual servers and nodes. Specifically, you can use SNMP to:
Enable or disable a virtual server
Enable or disable a virtual address
Enable or disable a node
Enable or disable a pool member
Set a node to an up or down state
Set a pool member to an up or down state
Reset statistical data for all Access Policy Manager objects
Configuring the SNMP agent
There are a number of things you can do to configure the SNMP agent on the Access Policy Manager system. For example, you can allow client access to information that the SNMP agent collects, and you can configure the way that the SNMP agent handles SNMP traps. Traps are definitions of unsolicited notification messages that the Access Policy Manager alert system and the SNMP agent send to the SNMP manager when certain events occur.
Downloading MIB files
You can download two sets of MIB files to your remote manager system: the standard SNMP MIB files and the enterprise MIB files. From the navigation pane, expand Overview, and click Welcome. From the Welcome screen, scroll down to Downloads.
8. For the Access setting, select an access level, either Read Only or Read/Write. (This access level applies to the community name you specified in step 6.)
9. Click Finished.
WARNING
You must remember to configure both authentication and privacy settings to use SNMPv3. Otherwise, an error occurs and SNMPv3 will not work properly.
Note
SNMPv3 currently supports the AuthPriv setting only. It does not support AuthNoPrivacy.
When you use the Configuration utility to assign an access level to a community or user, the utility updates the snmpd.conf file, assigning only a single access setting to the community or user. There might be times, however, when you want to configure more sophisticated access control. To do this, you must edit the /config/snmp/snmpd.conf file directly, instead of using the Configuration utility. For example, Figure 18.1 shows a sample snmpd.conf file when you use the Configuration utility to grant read/write access to a community.
rocommunity public default
rwcommunity public1 127.0.0.1 .1.3.6.1.4.1.3375.2.2.10.1
Figure 18.1 Sample access-control assignments in the snmpd.conf file
In this example, the string rocommunity identifies a community named public as having the default read-only access level (indicated by the strings ro and default). This read-only access level prevents any allowed SNMP manager in community public from modifying a data object, even if the object has an access type of read/write. The string rwcommunity identifies a community named public1 as having a read/write access level (indicated by the string rw). This read/write access level allows any allowed SNMP manager in community public1 to modify a data object under the tree node .1.3.6.1.4.1.3375.2.2.10.1 (ltmVirtualServ) on the local host 127.0.0.1, if that data object has an access type of read/write. For more information, see the man page for the snmpd.conf file.
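As an added example, not taken from the F5 manual, the two lines of Figure 18.1 are shown beside a tighter variant written in the same net-snmp snmpd.conf syntax. The management subnet 192.0.2.0/24, the community string, and the view name f5stats are constructed for the example. In this syntax the third field of a rocommunity or rwcommunity line is the permitted source address, and default there admits requests from any address; combined with the well-known string public, that is the setting worth tightening.

```conf
# Figure 18.1 as given: read-only for community "public" from any source
# ("default"), read/write for "public1" from localhost only, scoped to the
# ltmVirtualServ subtree.
rocommunity public default
rwcommunity public1 127.0.0.1 .1.3.6.1.4.1.3375.2.2.10.1

# Tighter variant (constructed values): a view limits what the community can
# read to the F5 enterprise subtree, the source field limits where requests
# may originate, and no rwcommunity is defined unless an SNMP manager must
# actually set objects.
view f5stats included .1.3.6.1.4.1.3375
rocommunity Xk7-monitoring-only 192.0.2.0/24 -V f5stats

# Where write access is genuinely required, keep it on the loopback address
# and on the narrowest subtree that covers the objects being set, as the
# rwcommunity line of Figure 18.1 does.
```

SNMPv1 and v2c community strings are sent in cleartext, so the source restriction and the view are the controls that actually bound exposure on this file; when the polled data itself needs confidentiality, the SNMPv3 AuthPriv note above applies.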
Configuring traps
On the Access Policy Manager system, traps are definitions of unsolicited notification messages that the Access Policy Manager alert system and the SNMP agent send to the SNMP manager when certain events occur on the Access Policy Manager system. Configuring SNMP traps on an Access Policy Manager system means configuring the way that the Access Policy Manager system handles traps, as well as setting the destination for notifications that the alert system and the SNMP agent send to an SNMP manager. The Access Policy Manager system stores traps in two specific files:
/etc/alertd/alert.conf - Contains default SNMP traps.
/config/user_alert.conf - Contains user-defined SNMP traps.
Important
Do not add or remove traps from the /etc/alertd/alert.conf file. You use the Configuration utility to configure traps, that is, enable traps and set trap destinations. When you configure traps, the Access Policy Manager system automatically updates the alert.conf and user_alert.conf files.
Chapter 18
If you are using SNMP V3 and want to configure a trap destination, you do not use the SNMP screens within the Configuration utility. Instead, you configure the snmpd.conf file. For more information, see the man page for the snmpd.conf file.
Configuring SNMP
2. From the Traps menu, choose Destination. The SNMP Destination screen opens.
3. In the upper-right corner, click Create. The New Trap Record screen opens.
4. For the Version setting, select an SNMP version number.
5. In the Community box, type the community name for the SNMP agent running on the Access Policy Manager system.
6. In the Destination box, type the IP address of the SNMP management system.
7. In the Port box, type the SNMP management system port number that is to receive the traps.
8. Click Finished.
All Access Policy Manager system statistics are defined by 64-bit counters. Thus, because only SNMP v2c supports 64-bit counters, your management system needs to use SNMP v2c to query Access Policy Manager system statistics data.
To manage an Access Policy Manager system with SNMP, you need to use the standard set of SNMP commands. For information on SNMP commands, consult your favorite third-party SNMP documentation, or visit the web site http://net-snmp.sourceforge.net.
The Access Policy Manager system includes a set of enterprise MIB files:

F5-BIGIP-COMMON-MIB.txt
F5-BIGIP-LOCAL-MIB.txt
F5-BIGIP-SAM-MIB.txt
F5-BIGIP-SYSTEM-MIB.txt

These MIB files contain information that you can use for your remote management station to poll the SNMP agent for Access Policy Manager system-specific information, receive Access Policy Manager system-specific notifications, or set Access Policy Manager system data.
To see all available enterprise MIB system objects, you can view the F5-BIGIP-SYSTEM-MIB.txt file in the directory /usr/share/snmp/mibs on the Access Policy Manager system.
For some types of metrics, such as memory use, simply issuing an SNMP command with an OID gives you the information you need. For other types of metrics, the data that you collect with SNMP is not useful until you perform a calculation on it. For example, to determine the throughput rate of client bits coming into the Access Policy Manager system, you must perform the following calculation on the data that you collect with the OID shown:
( sysStatClientBytesIn (.1.3.6.1.4.1.3375.2.1.1.2.1.3)*8 ) / time
This calculation takes the data resulting from specifying the OID sysStatClientBytesIn, multiplies the value by 8, and divides it by the elapsed time. The following sections contain tables that list:

The performance data that the Configuration utility displays
The OIDs that you can use to collect the performance data
The calculations that you must perform to interpret the performance data that you collect
Note
If an OID that is listed in any of the following sections does not show a calculation, then no calculation is required.
Required SNMP OIDs
sysStatClientCurConns (.1.3.6.1.4.1.3375.2.1.1.2.1.8)
sysStatClientCurConns (.1.3.6.1.4.1.3375.2.1.1.2.1.8)
sysStatServerCurConns (.1.3.6.1.4.1.3375.2.1.1.2.1.15)
( sysStatClientBytesOut (.1.3.6.1.4.1.3375.2.1.1.2.1.5) * 8 ) / time
sysClientsslStatCurConns (.1.3.6.1.4.1.3375.2.1.1.2.9.2)
sysServersslStatCurConns (.1.3.6.1.4.1.3375.2.1.1.2.10.2)
client server
Required SNMP OIDs and the required calculations
sysStatClientTotConns (.1.3.6.1.4.1.3375.2.1.1.2.1.7)
sysTcpStatAccepts (.1.3.6.1.4.1.3375.2.1.1.2.12.6) / time
sysTcpStatConnects (.1.3.6.1.4.1.3375.2.1.1.2.12.8) / time
sysStatClientTotConns (.1.3.6.1.4.1.3375.2.1.1.2.1.7) / time
sysStatServerTotConns (.1.3.6.1.4.1.3375.2.1.1.2.1.14) / time
sysStatPvaClientTotConns (.1.3.6.1.4.1.3375.2.1.1.2.1.21) / time
sysStatPvaServerTotConns (.1.3.6.1.4.1.3375.2.1.1.2.1.28) / time
( sysClientsslStatTotNativeConns (.1.3.6.1.4.1.3375.2.1.1.2.9.6) + sysClientsslStatTotCompatConns (.1.3.6.1.4.1.3375.2.1.1.2.9.9) ) / time
( sysServersslStatTotNativeConns (.1.3.6.1.4.1.3375.2.1.1.2.10.6) + sysServersslStatTotCompatConns (.1.3.6.1.4.1.3375.2.1.1.2.10.9) ) / time
sysTcpStatAccepts (.1.3.6.1.4.1.3375.2.1.1.2.12.6) / time
sysTcpStatConnects (.1.3.6.1.4.1.3375.2.1.1.2.12.8) / time
SSL Server
Required SNMP OIDs and the required calculations
( ( sysStatClientBytesIn (.1.3.6.1.4.1.3375.2.1.1.2.1.3) + sysStatClientBytesOut (.1.3.6.1.4.1.3375.2.1.1.2.1.5) ) * 8 ) / time
( ( sysStatServerBytesIn (.1.3.6.1.4.1.3375.2.1.1.2.1.10) + sysStatServerBytesOut (.1.3.6.1.4.1.3375.2.1.1.2.1.12) ) * 8 ) / time

Throughput (detailed graph)
Client Bits In: ( sysStatClientBytesIn (.1.3.6.1.4.1.3375.2.1.1.2.1.3) * 8 ) / time
Client Bits Out: ( sysStatClientBytesOut (.1.3.6.1.4.1.3375.2.1.1.2.1.5) * 8 ) / time
Server Bits In: ( sysStatServerBytesIn (.1.3.6.1.4.1.3375.2.1.1.2.1.10) * 8 ) / time
Server Bits Out: ( sysStatServerBytesOut (.1.3.6.1.4.1.3375.2.1.1.2.1.12) * 8 ) / time
Required SNMP OID and the required calculation
sysStatHttpRequests (.1.3.6.1.4.1.3375.2.1.1.2.1.56) / time
Required SNMP OIDs and the required calculations
sysHttpStatRamcacheHits (.1.3.6.1.4.1.3375.2.1.1.2.4.46) / ( sysHttpStatRamcacheHits (.1.3.6.1.4.1.3375.2.1.1.2.4.46) + sysHttpStatRamcacheMisses (.1.3.6.1.4.1.3375.2.1.1.2.4.47) ) * 100
Byte Rate: sysHttpStatRamcacheHitBytes (.1.3.6.1.4.1.3375.2.1.1.2.4.49) / ( sysHttpStatRamcacheHitBytes (.1.3.6.1.4.1.3375.2.1.1.2.4.49) + sysHttpStatRamcacheMissBytes (.1.3.6.1.4.1.3375.2.1.1.2.4.50) ) * 100
Eviction Rate: sysHttpStatRamcacheEvictions (.1.3.6.1.4.1.3375.2.1.1.2.4.54) / ( sysHttpStatRamcacheHits (.1.3.6.1.4.1.3375.2.1.1.2.4.46) + sysHttpStatRamcacheMisses (.1.3.6.1.4.1.3375.2.1.1.2.4.47) ) * 100

Table 18.8 Required OIDs for collecting metrics on RAM Cache utilization
Required SNMP OIDs and the required calculations
CPU[0-n]: (DeltaCpuUser + DeltaCpuNice + DeltaCpuSystem) / (DeltaCpuUser + DeltaCpuNice + DeltaCpuIdle + DeltaCpuSystem + DeltaCpuIrq + DeltaCpuSoftirq + DeltaCpuIowait)
TMM CPU Usage: ( (DeltaTmTotalCycles - (DeltaTmIdleCycles + DeltaTmSleepCycles)) / DeltaTmTotalCycles ) * 100
3. Using the resulting delta values (for example, DeltaCpuUser), calculate the CPU[0-n] metric, according to the formula shown in table 18.9.
2. For each OID, calculate the delta of the values from the two polls, as shown in the following example. Note that in the formula shown, values such as sysStatTmTotalCycles2 and sysStatTmTotalCycles1 represent the values that result from the two polls you performed in step 1 for each OID.
DeltaTmTotalCycles = sysStatTmTotalCycles2 - sysStatTmTotalCycles1
DeltaTmIdleCycles = sysStatTmIdleCycles2 - sysStatTmIdleCycles1
DeltaTmSleepCycles = sysStatTmSleepCycles2 - sysStatTmSleepCycles1
3. Using the resulting delta values (for example, DeltaTmTotalCycles), calculate the TMM CPU Usage metric, according to the formula shown in table 18.9.
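The Python below is an added example (not from the manual, and not F5 code) that carries out the calculations this chapter describes: the bytes * 8 / time throughput formula, the CPU[0-n] and TMM CPU Usage formulas of table 18.9, and the two-poll delta procedure just given. The byte-counter OIDs are the ones quoted in the throughput table; the CPU and TMM cycle counters are keyed by their object names because the page gives no OIDs for them. Both polls are constructed sample values, not device output. Because the statistics are 64-bit counters, the delta is taken modulo 2^64 so that a counter that wraps between polls still yields the right difference.

```python
"""Turn two SNMP polls of BIG-IP counters into rates and utilization (added example)."""
from dataclasses import dataclass
from typing import Dict

# BIG-IP statistics are 64-bit counters, which is why SNMP v2c is required.
COUNTER64_MODULUS = 2 ** 64

# OIDs quoted from the manual's throughput table.
OID_CLIENT_BYTES_IN = ".1.3.6.1.4.1.3375.2.1.1.2.1.3"
OID_CLIENT_BYTES_OUT = ".1.3.6.1.4.1.3375.2.1.1.2.1.5"
OID_SERVER_BYTES_IN = ".1.3.6.1.4.1.3375.2.1.1.2.1.10"
OID_SERVER_BYTES_OUT = ".1.3.6.1.4.1.3375.2.1.1.2.1.12"

# Object names from table 18.9; their OIDs are not given on the page, so they are used as keys.
TMM_KEYS = ("sysStatTmTotalCycles", "sysStatTmIdleCycles", "sysStatTmSleepCycles")
CPU_KEYS = ("CpuUser", "CpuNice", "CpuSystem", "CpuIdle", "CpuIrq", "CpuSoftirq", "CpuIowait")


@dataclass
class Poll:
    """One poll: wall-clock time in seconds plus counter values keyed by OID or object name."""
    time: float
    values: Dict[str, int]


def counter_delta(later: int, earlier: int, modulus: int = COUNTER64_MODULUS) -> int:
    """Difference between two counter readings, tolerating a single wrap-around.

    SNMP counters increase monotonically modulo their width, so a later reading
    that is smaller than the earlier one means the counter wrapped once.
    """
    return (later - earlier) % modulus


def elapsed(first: Poll, second: Poll) -> float:
    seconds = second.time - first.time
    if seconds <= 0:
        raise ValueError("second poll must be later than the first")
    return seconds


def bits_per_second(first: Poll, second: Poll, *oids: str) -> float:
    """( sum of byte-counter deltas * 8 ) / time; pass one OID or several (e.g. in + out)."""
    delta_bytes = sum(counter_delta(second.values[o], first.values[o]) for o in oids)
    return delta_bytes * 8 / elapsed(first, second)


def cpu_usage(first: Poll, second: Poll) -> float:
    """CPU[0-n] from table 18.9: busy deltas over all deltas, as a fraction (no * 100 in the table)."""
    d = {k: counter_delta(second.values[k], first.values[k]) for k in CPU_KEYS}
    total = sum(d.values())
    if total == 0:  # no cycles accounted between polls
        return 0.0
    return (d["CpuUser"] + d["CpuNice"] + d["CpuSystem"]) / total


def tmm_cpu_usage(first: Poll, second: Poll) -> float:
    """TMM CPU Usage from table 18.9: (total - (idle + sleep)) / total * 100."""
    total, idle, sleep = (counter_delta(second.values[k], first.values[k]) for k in TMM_KEYS)
    if total == 0:
        return 0.0
    return (total - (idle + sleep)) * 100 / total


# Constructed sample polls ten seconds apart (not real device output); the client
# bytes-out counter is set so that it wraps between the two polls.
POLL_1 = Poll(time=1000.0, values={
    OID_CLIENT_BYTES_IN: 1_000_000, OID_CLIENT_BYTES_OUT: 2 ** 64 - 500_000,
    "sysStatTmTotalCycles": 5_000, "sysStatTmIdleCycles": 3_000, "sysStatTmSleepCycles": 1_000,
    "CpuUser": 100, "CpuNice": 0, "CpuSystem": 100, "CpuIdle": 500,
    "CpuIrq": 10, "CpuSoftirq": 10, "CpuIowait": 10,
})
POLL_2 = Poll(time=1010.0, values={
    OID_CLIENT_BYTES_IN: 2_250_000, OID_CLIENT_BYTES_OUT: 750_000,
    "sysStatTmTotalCycles": 6_000, "sysStatTmIdleCycles": 3_600, "sysStatTmSleepCycles": 1_100,
    "CpuUser": 400, "CpuNice": 0, "CpuSystem": 300, "CpuIdle": 950,
    "CpuIrq": 30, "CpuSoftirq": 20, "CpuIowait": 30,
})

if __name__ == "__main__":
    print("Client Bits In  (bit/s):", bits_per_second(POLL_1, POLL_2, OID_CLIENT_BYTES_IN))
    print("Client Bits Out (bit/s):", bits_per_second(POLL_1, POLL_2, OID_CLIENT_BYTES_OUT))
    print("Client throughput (bit/s):",
          bits_per_second(POLL_1, POLL_2, OID_CLIENT_BYTES_IN, OID_CLIENT_BYTES_OUT))
    print("CPU[0-n] (fraction):", cpu_usage(POLL_1, POLL_2))
    print("TMM CPU Usage (%):", tmm_cpu_usage(POLL_1, POLL_2))
```

The two polls feed every formula in this chapter the same way: poll, poll again after a known interval, take the counter deltas, then divide by the interval (for rates) or by the total delta (for utilization). Polling with SNMP v1 would not work here, because the Counter64 objects that these formulas depend on are only reachable with v2c or later.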
Required SNMP OIDs and the required calculations
sysStatClientTotConns (.1.3.6.1.4.1.3375.2.1.1.2.1.7) / time
Viewing global access statistics
SNMPv1: snmpwalk -c <communitystring> -v 1 <mgmtIPofSecureAccessManager> enterprises.3375.2.6.1.2
SNMPv2: snmpwalk -c <communitystring> -v 2c <mgmtIPofSecureAccessManager> enterprises.3375.2.6.1.2
SNMPv3: snmpwalk -v 3 -l authNoPriv -u <username> -a MD5 -A <authPassword> <mgmtIPofSecureAccessManager> enterprises.3375.2.6.1.2
or: snmpwalk -v 3 -l authPriv -u <username> -a MD5 -A <authPassword> -x DES -X <privacyPassword> <mgmtIPofSecureAccessManager> enterprises.3375.2.6.1.2

Viewing global PPP statistics
SNMPv1: snmpwalk -c <communitystring> -v 1 <mgmtIPofSecureAccessManager> enterprises.3375.2.6.2.1
SNMPv2: snmpwalk -c <communitystring> -v 2c <mgmtIPofSecureAccessManager> enterprises.3375.2.6.2.1
SNMPv3: snmpwalk -v 3 -l authNoPriv -u <username> -a MD5 -A <authPassword> <mgmtIPofSecureAccessManager> enterprises.3375.2.6.2.1
or: snmpwalk -v 3 -l authPriv -u <username> -a MD5 -A <authPassword> -x DES -X <privacyPassword> <mgmtIPofSecureAccessManager> enterprises.3375.2.6.2.1

Viewing profile access statistics
SNMPv1: snmpwalk -c <communitystring> -v 1 <mgmtIPofSecureAccessManager> enterprises.3375.2.6.1.1
SNMPv2: snmpwalk -c <communitystring> -v 2c <mgmtIPofSecureAccessManager> enterprises.3375.2.6.1.1
SNMPv3: snmpwalk -v 3 -l authNoPriv -u <username> -a MD5 -A <authPassword> <mgmtIPofSecureAccessManager> enterprises.3375.2.6.1.1
or: snmpwalk -v 3 -l authPriv -u <username> -a MD5 -A <authPassword> -x DES -X <privacyPassword> <mgmtIPofSecureAccessManager> enterprises.3375.2.6.1.1
Appendix A
Configuring BIG-IP Access Policy Manager clients
Understanding the BIG-IP Edge client
Configuring connectivity profiles
Using Macintosh and Linux clients with Access Policy Manager
Establishing client connections
Using the client troubleshooting utility
Client-Side Check Capability (columns: User rights, Administrator rights)
Access Policy Manager plugin
Windows Process check
Registry check
UI mode check
Client OS check
Landing URI check
Logging action
The following table lists user rights required to use other access policy checks.
Access Policy Manager component | Power User rights | User rights | Admin rights
Cache and Session Control | OK | OK | OK
Client Cert Inspection | OK | OK | OK
On-Demand Cert Auth | OK | OK | OK
Active Directory (auth or query) | OK | OK | OK
HTTP Auth | OK | OK | OK
LDAP (auth or query) | OK | OK | OK
RADIUS (auth or accounting) | OK | OK | OK
RSA SecurID | OK | OK | OK

Table A.2 User rights requirements for other access policy checks
For client systems that have the components pre-installed using the MSI package, the requirements are the same. In cases in which user rights are insufficient, although the system cannot download the update, the previously installed component still works.
Compression settings for the client are not configurable. Compression on the client can be enabled or disabled in the network access resource settings for the connection, but the compression levels cannot be configured. The settings in the client profile for compression settings apply only to server-side compression.
CPU Saver
Specifies, when enabled, that the system monitors the percentage of CPU usage, disables compression automatically when the CPU usage reaches the CPU Saver High Threshold, and re-enables compression when the CPU usage reaches the CPU Saver Low Threshold.

CPU Saver High Threshold
Specifies the percentage of CPU usage at which the system disables compression.

CPU Saver Low Threshold
Specifies the percentage of CPU usage at which the system resumes content compression at the user-defined rates.
Virtual Servers
Specifies the servers that you want to define in the client downloads. The servers you add here appear as connection options in the BIG-IP Edge Client.

Network Location Awareness
Specifies DNS suffixes that are considered to be "in the local network." DNS suffixes specified here are considered to be local network suffixes, and conform to the rules specified for the local network. When the BIG-IP Edge Client is configured to use the Auto-Connect option, the client connects when the system's DNS suffix is not one defined on this list. When the client DNS suffix does appear on this list, the client automatically disconnects. If you do not specify any DNS suffixes, the Auto-Connect option does not appear in the downloaded client.
Maintain History
Specifies whether the BIG-IP Edge Client maintains a list of recently used Access Policy Manager servers. The BIG-IP Edge Client always lists the servers defined in the connectivity profile, and sorts the list of servers by most recent access, whether this option is selected or not. However, the BIG-IP Edge Client lists user-entered servers only if this option is selected.

Use Windows Logon Credentials
Specifies that the BIG-IP Edge Client attempts to log on using the same credentials that were typed for Windows logon to start the Access Policy Manager session. To use this option, you must include the User Logon Credentials Access Service for Windows in the download package, specified on the Components Download tab, on the BIG-IP Edge Client for Windows link. The User Logon Credential Access Service for Windows stores the user's Windows logon and password in an encrypted file that persists for the duration of the Access Policy Manager session.

Enable User Password Caching
Specifies whether the BIG-IP Edge Client can cache the user password, either on the disk or in memory.

Allow user to save encrypted password on disk
When this option is enabled, a Save password check box appears on the logon page. If the user selects the Save password check box, the user's password is encrypted on disk, and cached when the system reboots or when the BIG-IP Edge Client is restarted. This option is only available if the Maintain History option is enabled.

Cache password within application for x minutes
When this option is enabled, the BIG-IP Edge Client caches a user's password within the BIG-IP Edge Client application for automatic reconnection purposes. You can specify an expiration time to indicate how long the cached password should remain valid. A value of 0 means there is no password cache time limit. Even if this option is enabled, the user is required to enter credentials after a server change, a manual client disconnect, or a BIG-IP Edge Client restart.
Automatically update components
Specifies that client components are automatically updated on the client when newer versions are available on the server. This option applies to updates for the BIG-IP Edge Client, but not to other client components. When updating the other client components, prompts are controlled by your browser security settings, the publisher of the update package, and the presence of the F5 Networks Component Installer Service.

Prompt user before installing updates
Specifies that the user is notified and prompted to continue or cancel before a newer version of a client component is installed by the server. This option applies to updates for the BIG-IP Edge Client, but not to other client components. When updating the other client components, prompts are controlled by your browser security settings, the publisher of the update package, and the presence of the F5 Networks Component Installer Service.

Do not perform component updates
Prevents client components from being automatically updated when newer versions appear on the server. This applies to both BIG-IP Edge Client updates and updates to other client components.
Enforce session settings (do not allow users to change session settings)
When this option is enabled, a user cannot change the session settings (history, password caching, and component update settings) when connected to an Access Policy Manager server. If this option is not enabled, the session settings configured in the connectivity profile are not enforced, and the current user preferences are used instead.

You can configure client settings for a connectivity profile, and then create a custom client download package that includes the specified connectivity settings.
BIG-IP Edge Client for Windows
Click this link to configure a customized download package with the options you need to govern Windows logon integration and other functionality of the standalone Windows client. In the custom installer package, you can choose packages to install, specify Access Policy Manager servers, and define DNS suffixes that specify whether your computer is on a local network or not. For more information, see Customizing client download packages, on page A-9.

Download the BIG-IP Edge Client for Windows Mobile 5.0 and higher (ARM processor)
Click this link to download the BIG-IP Edge Client for Windows Mobile 5.0 or later devices with an ARM processor. For more information, see Configuring connectivity profile mobile client settings, on page A-8.

Download the BIG-IP Edge Client for Pocket PC 2003 (ARM processor)
Click this link to download the BIG-IP Edge Client for Pocket PC 2003 devices with an ARM processor. For more information, see Configuring connectivity profile mobile client settings, on page A-8.

Download the BIG-IP Edge Client for Pocket PC 2003 (x86 processor)
Click this link to download the BIG-IP Edge Client for Pocket PC 2003 devices with an x86 processor. For more information, see Configuring connectivity profile mobile client settings, on page A-8.
Web BIG-IP Edge Client for Windows
Select this option to download software that a client can use to access the Access Policy Manager from a web browser.

Standalone BIG-IP Edge Client for Windows
Select this option to download a separate application that a client can use to access the Access Policy Manager.

Dialup Entry / Windows Logon Integration
Select this option to download a dialup networking entry for the secure access connection. This dialup networking entry allows users to connect to the secure access connection from the Windows logon prompt, even before they log on to the local computer. One feature this option allows is that a user can authenticate to the corporate network before the user logs on to his computer.

Endpoint Security for Windows
Select this option to download the plugins that do endpoint inspection on a client machine.
Component Installer Service for Windows
Select this option to download an installer service that allows the Access Policy Manager to install components on a client computer even if the client does not have rights to install software. For example, use this to allow a user with limited rights to install from the Access Policy Manager, when typically the user cannot.

DNS Relay Proxy Service for Windows
Select this option to download the DNS relay proxy service to the client. This allows a client system to run the DNS relay proxy service and conform to the Access Policy Manager's DNS Relay Proxy Service configuration.

Traffic Control Service for Windows
Select this option to download the traffic control service. This allows a client system to use the traffic control rules defined in the server to govern secure access traffic on the client.

User Logon Credentials Access Service for Windows
Select this option to download a service that allows the user to log on with cached Windows credentials. The service allows you to set the session option Use Windows Logon Credentials, which configures sessions to request the Windows logon credentials from the BIG-IP Edge Client when the Access Policy Manager session starts. The User Logon Credential Access Service for Windows stores the user's Windows logon and password in an encrypted file that persists for the duration of the Access Policy Manager session.

Auto launch BIG-IP Edge Client after Windows Logon
Select this option to start the BIG-IP Edge Client after the user logs on to Windows.

Add virtual server list to trusted sites
Select this option to add the virtual servers (specified in the Virtual Servers list on the Client Configuration tab) to the Windows Trusted sites list, the first time this client starts. Virtual servers added to the Trusted sites list with this option remain on the trusted sites list indefinitely.
This works with the User Logon Credentials Access Service for Windows to provide seamless logon with the BIG-IP Edge Client, if Access Policy Manager accepts the same credentials that your users use to log on to Windows.
5. Select the features and options to add to the installer package.
6. When you have finished configuring the client download package, click the Download button. The client package you specified is downloaded to your local system as the file BIGIPEdgeClient.exe. You can install this downloaded package onto client computers, or you can copy the package to a shared location so that individual users can complete their own installation.
The remote user must have superuser authority, or must be able to supply an administrative password, in order to successfully install the network access client. Both Macintosh and Linux systems must also include PPP support (this is most often the case). When the user runs the network access client and makes a connection for the first time, the client detects the presence of pppd (the point-to-point protocol daemon), and determines whether the user has the necessary permissions to run it. If pppd is not present, or if the user does not have the permissions needed to run the daemon, the connection fails. After installation, the Macintosh client must restart the browser before starting network access.
Note
If you have a firewall enabled on your Linux system, you need to enable access on IP address 127.0.0.1 port 44444.
On Microsoft Windows platforms, the user might see a new network connection icon in the system tray.
On the BIG-IP Edge Client screen, the user can configure the following connection options:

Auto-Connect
Starts a secure access connection as it is needed. This option uses the DNS suffix information defined in the connectivity profile to determine when the computer is on a defined local network. When the computer is not on a defined local network, the secure access connection starts. When the computer is on a local network, the client disconnects, but remains active in the system tray. When you open the disconnected client, the message Disconnected - Lan detected appears in the top pane of the client window, as shown in Figure A.1.

Connect
Starts and maintains a secure access connection at all times, regardless of your computer's network location.

Disconnect
Stops an active secure access connection, and prevents the client from connecting again. After you click this option, a secure access connection does not start again until you click one of the previous two options.

In addition, the user can click the Change Server button to change the Access Policy Manager server.
Figure A.2 BIG-IP Edge Client screen with traffic graph expanded
The Details screen provides four tabs that contain information relevant to the operation of the BIG-IP Edge Client. Click each tab to view the information for that feature. The tabs are:

Connection Details - Shows details of the current connection, including status, server, tunnel details, and the amount of traffic sent and received.
Routing Table - Shows the current routing table for the client system.
IP Configuration - Shows the current IP configuration for the client system. The information in this tab is the same information you see when you issue the command ipconfig /all at the Windows command prompt.
Miscellaneous - Shows version information for the client software, the Access Policy Manager servers defined in the client, and the DNS suffixes used for network location awareness.
5. To compress the resulting file, select the compressed check box.
6. Click the Save As button to save the resulting report as an HTML file or a text file on the file system. To view the results without saving the report, click View.
Appendix B
Access Policy Example
Introducing the example access policy
Example: Assigning resource groups based on Active Directory attributes
Configuring resources
This section shows how to configure the lease pools and ACLs for the example.
5. Above the Access Control Entries list, click the Add button. The New Access Control Entry screen opens.
6. From the Type list, select L4.
7. From the Action list, select Allow.
8. Click Finished. Because you did not type any IP addresses or ports, but only selected an action, this ACL is configured as a default ACL, which means this action (Allow) is applied to all connections, on all IP addresses, and all protocols.
9. On the Main tab of the navigation pane, click ACLs again.
10. Click the Create button. The New ACL screen opens.
11. In the Name box, type the name AD_ACL2.
12. Click the Create button. The ACL Properties screen opens.
13. Above the Access Control Entries list, click the Add button. The New Access Control Entry screen opens.
14. From the Type list, select L4.
15. In the Destination Ports area, from the Port list, select FTP.
16. From the Action list, select Reject.
17. Click Finished. Again, because you did not type any IP addresses, but only selected an action and a protocol, this ACL rejects all connections on any IP address that attempt to use port 21, the typical FTP port.
8. In the Name box, type the name AD_Lease2.
9. In the Member List, select the existing entry (192.168.105.1-192.168.105.100) and click Delete.
10. In the Start IP Address box and the End IP Address box, type the start and end IP addresses for the IP address range. In this example, the start IP address is 192.168.106.100, and the end IP address is 192.168.106.111.
11. Click the Add button to add the IP addresses to the lease pool.
12. Click Finished.
3. In the Name box, type CaseStudy_NA_AD1 as the name for the network access resource.
4. From the lease pool list, select AD_Lease1.
5. Click Finished. The Properties screen for the network access resource opens.
6. On the Main tab of the navigation pane, under Access Policy, click Network Access again. The Network Access screen opens.
7. Click the Create button to create a new network access resource. The New Resource screen opens.
8. In the Name box, type CaseStudy_NA_AD2 as the name for the network access resource.
9. From the lease pool list, select AD_Lease2.
10. Click Finished.
2. Click the AD Query action to view the configuration. The AD Query action popup screen opens.
3. Click the Branch Rules tab.
4. Verify that the Name box contains Primary Group ID is 100. If this is not the name in the Name box, type the correct name.
5. Verify that the text Expression: User's Primary Group ID is 100 appears below the Name box. If the expression is not configured correctly, click the change link, make the changes, and click Finished.
6. On the Fallback rule branch connected to the AD Query action, click the plus sign (+). The Add Item popup screen opens.
7. If the list of authentication actions is not expanded, click the plus sign (+) next to Authentication to expand the list.
8. Select AD Query and click Add Item. The Active Directory query action popup screen opens.
9. In the Name box, type AD Query 2.
10. Click the Branch Rules tab.
11. In the Name box, type Primary Group ID is 200.
12. Next to Expression: User's Primary Group ID is 100, click the change link. The Expression popup screen opens.
13. In the User's Primary Group ID is box, type 200.
14. Click Finished.
15. Click Save.
Figure B.2 The AD auth query and resources macro after preparation, and after the second AD Query action is added
4. In the Name box for the new terminal, replace the name Terminal 1 with the name Group200.
5. Click the color chooser box next to Group200.
6. Select the blue color #5 to change the color of the terminal, and click Save. Note that you can choose any color for this terminal.
7. Click Save.
8. In the macro configuration, click the Failure terminal connected to the Resource Assign 2 action. The Select Terminal popup screen opens.
9. Select the Group200 terminal, and click Save. The section of the macro you just configured appears in the following figure.
Figure B.3 The resource assign actions and macro terminals in the edited macro
To complete the configuration, you must add this macro to your access policy, using the following procedure.
Appendix C
Session Variables
Introducing session variables
Introducing Tcl
Session variables reference
Network access resource variable attributes
Session Variables
When using session variables in an access policy configuration, for example, in a logging agent, a session variable may or may not exist depending on the result of the access policy process.
Introducing Tcl
You write rules in Tcl. Although this appendix is not an exhaustive reference for writing and using Tcl expressions, it includes some common operators and syntax rules. Tcl expressions begin with the syntax expr. For more information, see http://www.tcl.tk/man/tcl8.5/TclCmd/expr.htm.
Note
You use iRules on the BIG-IP system to provide functionality to the BIG-IP system components. Tcl commands specific to iRules are not available in access policy rules.
Standard operators
You can use Tcl standard operators with most BIG-IP Access Policy Manager rules. You can find a full list of these operators in the Tcl online manual, at http://www.tcl.tk/man/tcl8.5/TclCmd/expr.htm. Standard operators include:

- + ~ !   Unary minus, unary plus, bit-wise NOT, logical NOT. None of these operators may be applied to string operands, and bit-wise NOT may be applied only to integers.
**   Exponentiation. Valid for any numeric operands.
* / %   Multiply, divide, remainder. None of these operators may be applied to string operands, and remainder may be applied only to integers. The remainder will always have the same sign as the divisor and an absolute value smaller than the divisor.
+ -   Add and subtract. Valid for any numeric operands.
<< >>   Left and right shift. Valid for integer operands only. A right shift always propagates the sign bit.
< > <= >=   Boolean less than, greater than, less than or equal to, and greater than or equal to. Each operator produces 1 if the condition is true, 0 otherwise. These operators may be applied to strings as well as numeric operands, in which case string comparison is used.
== !=   Boolean equal to and not equal to. Each operator produces a zero/one result. Valid for all operand types.
eq ne   Boolean string equal to and string not equal to. Each operator produces a zero/one result. The operand types are interpreted only as strings.
in ni   List containment and negated list containment. Each operator produces a zero/one result and treats its first argument as a string and its second argument as a Tcl list. The in operator indicates whether the first argument is a member of the second argument list; the ni operator inverts the sense of the result.
&   Bit-wise AND. Valid for integer operands only.
^   Bit-wise exclusive OR. Valid for integer operands only.
|   Bit-wise OR. Valid for integer operands only.
&&   Logical AND. Produces a 1 result if both operands are non-zero, 0 otherwise. Valid for boolean and numeric (integers or floating-point) operands only.
||   Logical OR. Produces a 0 result if both operands are zero, 1 otherwise. Valid for boolean and numeric (integers or floating-point) operands only.
x?y:z   If-then-else, as in C. If x evaluates to non-zero, then the result is the value of y. Otherwise the result is the value of z. The x operand must have a boolean or numeric value.
Rule operators
A rule operator compares two operands in an expression. In addition to using the Tcl standard operators, you can use the operators listed below.

contains - Tests if one string contains another string.
ends_with - Tests if one string ends with another string.
equals - Tests if one string equals another string.
matches - Tests if one string matches another string.
matches_regex - Tests if one string matches a regular expression.
starts_with - Tests if one string starts with another string.
switch - Evaluates one of several scripts, depending on a given value.
Logical operators
Logical operators are used to compare two values.

and - Performs a logical "and" comparison between two values.
not - Performs a logical "not" action on a value.
or - Performs a logical "or" comparison between two values.
Name | Type
session.ad.$name.attr.group.$attr_name | string

LDAP action
session.ldap.$name.authresult | bool
session.ldap.$name.queryresult | bool
Name | Type | Value | Description
session.policy.result | string | | The result of the access policy. The result is the ending; for this ending, the result is access_denied.

Redirect Ending
session.policy.result | string | "redirect" | The result of the access policy. The result is the ending; for this ending, the result is redirect.
session.policy.result.redirect.url | string | | The URL specified in the redirect, for example, "http://www.siterequest.com"

Allowed Ending
session.policy.result | string | "allowed" | The result of the access policy. The result is the ending; for this ending, the result is allowed.
session.policy.result.webtop.network_access.autolaunch | string | "resname" | The resource that is automatically started for a network access webtop
session.policy.result.webtop.type | string | "network_access" | The type of webtop resource. The webtop type can be network_access or web_application.

Antivirus check
session.windows_check_av.$name.result | integer | | 0 - Indicates an Antivirus failure; 1 - Indicates at least one Antivirus matches the criteria
string
Control string of the virus database. 0 - data is not available non-0 integer - Date of last database update (seconds since 1/1/1970)
integer
string
integer
string
string
C-5
Appendix C
Type integer
Format
session.windows_check_av.$name. item_0.ui session.windows_check_av.$name. item_0.vendor session.windows_check_av.$name. item_0.version session.windows_check_av.$name. count Decision box session.decision_box.last.result string
UI state
Antivirus vendor
string
Antivirus version
integer
integer
0 - User chooses option 2 on the decision page, which corresponds to the fallback rule branch in the action 1 - User chooses option 1 on the decision page
File check
session.windows_check_file.$name.item_0.exist
    True - if all files exist on the client.
session.windows_check_file.$name.item_0.result
    Set when files on the client meet the configured attributes.
session.windows_check_file.$name.item_0.md5
    MD5 value of a checked file.
session.windows_check_file.$name.item_0.version
session.windows_check_file.$name.item_0.size
session.windows_check_file.$name.item_0.modified
    Date the file was modified in UTC form.
session.windows_check_file.$name.item_0.signer
    File signer information.
Firewall check
session.windows_check_fw.$name.state    integer
    0 - No firewalls match the criteria.
    1 - At least one firewall matches the criteria
The number of detected firewalls.
Type ID of the firewall (for example, McAfeeFW)
The firewall software version.
    0 - Failure
    1 - Success
    -1 - Invalid check expression

Registry check
session.windows_check_registrys.$name.result    integer
    0 - Failure
    1 - Success
    -1 - Invalid check expression

Windows info
Stores the Internet Explorer version
"SP2KB12345KB54321" - A list of installed SP and KB fixes for Internet Explorer
session.windows_info_os.$name.platform    string
    WinXP - Windows XP
    Win2k - Windows 2000
    WinNT - Windows NT4
    Win95 - Windows 95
    Win98 - Windows 98
    Win98SE - Windows 98 SE
    WinME - Windows Me
    Win2003 - Windows 2003
    WinVI - Windows Vista
    WinLH - Windows 2008
session.windows_info_os.$name.user    string
session.assigned.webtop    string
session.ssl.cert.l    string
session.ssl.cert.exist    integer
    0 - certificate does not exist
    1 - certificate exists
Certificate fields (session.ssl.cert.*): Organizational Unit, Common Name, Certificate Result (OK or error string), Certificate version, Certificate serial number, Validity end date, Validity start date, Certificate issuer, Email, Country, State
session.ui.mode    enum
session.ui.lang    string
    The language in use in the session.
session.ui.charset
    The character set used in the session.
session.client.type    enum
    The client type as determined by HTTP headers.
Client platform: "Win" "Win98" "WinME" "Win2k" "WinXP" "WinVI" "Linux" "MacOS" "PocketPC" "WinCE"
    The client platform as determined by HTTP headers.
session.assigned.clientip    string
session.requested.clientip    string
session.end    string
session.assigned.leasepool    string
    The lease pool assigned to the client session.
session.assigned.resources    string
    A space-delimited list of assigned resource names. This list is generated based on the list of assigned resource groups.
session.assigned.route_domain    int
    The route domain ID number assigned to the client session.
session.assigned.uuid    string
    The informational Universally Unique Identifier for a session. A UUID is a 128-bit number, displayed as 32 hexadecimal digits in 5 groups separated by hyphens, in the form 8-4-4-4-12 for a total of 36 characters. For example, 62ea1423-7a4c-ed22-2101-45eda3a6bb01
session.user.uuid    string
    The Universally Unique Identifier for a session. To change the UUID stored in the informational variable session.assigned.uuid, use this variable.
session.logon.last.username    string    "username"
    You can use the session user name variable with the variable assign action to replace the user name value that is passed to an authentication action in the access policy. An authentication action then authenticates with this user name value. For an example, see Example: Using a certificate field for logon name, on page 16-25.
session.logon.last.password    string    "password"
    The session password variable contains the user password that is collected in the logon page action. This variable stores the password, then sends it to the authentication server. You should not configure the variable assign action to replace this variable.
Figure C.1 Network access resource XML formatting example

The following is an example of replacement code you could write, based on this table entry.

    <dns>
        <dns_primary>4.2.2.1</dns_primary>
        <dns_secondary>4.2.2.2</dns_secondary>
    </dns>
The result of an evaluated expression or custom expression that you use to replace a network access property must provide a value in the format described in the Attribute value format column.
Type string
    The attribute value is the name of a leasepool that exists on Access Policy Manager.
snat_type    integer
    The attribute value is 0, 2, or 3.
    0 - None (no SNAT)
    2 - SNAT pool (assigned with the variable snatpool_name)
    3 - Automap
snatpool_name    string
    The attribute value is the name of an SNAT pool. The SNAT pool must be configured on the Access Policy Manager.
Type int
    The attribute value is 0 or 1.
    0 = disable compression
    1 = enable compression
client_proxy_settings
    The attribute is XML, formatted as follows:
        <client_proxy_settings>
            <client_proxy>1</client_proxy>
            <client_proxy_script>proxy_script</client_proxy_script>
            <client_proxy_address>proxyaddress</client_proxy_address>
            <client_proxy_port>proxyport</client_proxy_port>
            <client_proxy_local_bypass>1</client_proxy_local_bypass>
            <client_proxy_exclusion_list>
                <item>exclusion_list_item1</item>
                <item>exclusion_list_item2</item>
            </client_proxy_exclusion_list>
        </client_proxy_settings>
    Note that <client_proxy> should have the value 1 for the other settings to be effective; otherwise all other settings from <client_proxy_settings> will be ignored.
drive_mapping    Vector (Struct)
    The attribute is XML, formatted as follows:
        <drive_mapping>
            <item>
                <description>description</description>
                <path>drive_path</path>
                <drive>drive_letter</drive>
            </item>
        </drive_mapping>
    Note that the drive letter range is from D to Z.
session_update_threshold    int
    The attribute value is the session update threshold, in seconds.
session_update_window    int
    The attribute value is the session update window, in seconds.
address_space_include_dns_name    Vector (string)
    The attribute is XML, formatted as follows:
        <address_space_include_dns_name>
            <item><dnsname>dnsname1</dnsname></item>
            <item><dnsname>dnsname2</dnsname></item>
        </address_space_include_dns_name>
address_space_include_subnet    Vector (network)
    The attribute value is a space-separated list of subnets. For example:
    192.168.30.0/255.255.255.0 172.30.11.0/255.255.255.0
Type Vector(network)
    The attribute value is a space-separated list of subnets. For example:
    192.168.30.0/255.255.255.0 172.30.11.0/255.255.255.0
address_space_protect    Bool
    The attribute value is 0 or 1.
    0 = disable address space protection
    1 = enable address space protection
address_space_local_subnets_excluded    Bool
    The attribute value is 0 or 1.
    0 = disable address space local subnet exclusion
    1 = enable address space local subnet exclusion
address_space_dhcp_requests_excluded    Bool
    The attribute value is 0 or 1.
    0 = disable address space DHCP request exclusion
    1 = enable address space DHCP request exclusion
split_tunneling    Bool
    The attribute value is 0 or 1.
    0 = disable split tunneling
    1 = enable split tunneling
    Note: If split_tunneling is set to 0 then you must set the following variables:
        address_space_exclude_subnet = ""
        address_space_include_subnet = "128.0.0.0/128.0.0.0 0.0.0.0/128.0.0.0"
        address_space_include_dns_name = "*"
dns    String
    The attribute is XML, formatted as follows:
        <dns>
            <dns_primary>IPAddress</dns_primary>
            <dns_secondary>IPAddress</dns_secondary>
        </dns>
dns_suffix    String
    The DNS Default Domain Suffix. For example, siterequest.com.
wins    String
    The attribute is XML, formatted as follows:
        <wins>
            <wins_primary>IPAddress</wins_primary>
            <wins_secondary>IPAddress</wins_secondary>
        </wins>
static_host    Vector(staticHost)
    The attribute is XML, formatted as follows:
        <static_host>
            <item>
                <hostname>hostname</hostname>
                <address>IPAddress</address>
            </item>
        </static_host>
Type int
    The number for the client interface speed value in the network access resource, in bytes.
client_ip_filter_engine    Bool
    The attribute value is 0 or 1.
    0 = disable integrated IP filtering engine
    1 = enable integrated IP filtering engine
client_power_management    Bool
    The attribute value is 0 or 1.
    0 = disable client power management
    1 = enable client power management
microsoft_network_client    Bool
    The attribute value is 0 or 1.
    0 = disable the Client for Microsoft Networks option
    1 = enable the Client for Microsoft Networks option
microsoft_network_server    Bool
    The attribute value is 0 or 1.
    0 = disable the File and printer sharing for Microsoft Networks option
    1 = enable the File and printer sharing for Microsoft Networks option
warn_before_application_launch    Bool
    The attribute value is 0 or 1.
    0 = disable the Display warning before launching applications option
    1 = enable the Display warning before launching applications option
application_launch    Vector(AppLaunch)
    The attribute is XML, formatted as follows:
        <application_launch>
            <item>
                <path>path</path>
                <parameter>string</parameter>
                <os_type>WINDOWS</os_type>
            </item>
        </application_launch>
    For the <os_type> value, type WINDOWS. This field is case sensitive. Note that application launch is currently supported for Windows only.
Type Bool
    The attribute value is 0 or 1.
    0 = disable the Provide client certificate on Network Access connection when requested option
    1 = enable the Provide client certificate on Network Access connection when requested option
tunnel_port_dtls    int
    The attribute is the DTLS port, for example 4433. Note: setting this to any number other than 0 enables DTLS in the network access resource, and sets the number you specify as the DTLS port.
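The subnet list format, the dns XML and the split-tunneling rule in this table are easy to get wrong in a variable assign expression. The following is an added example (not F5 code) that validates values against those formats before they are assigned; the function names and the checks it performs are assumptions based only on the rules stated above.

```python
"""Prepare and check Network Access resource attribute values for a variable
assign action. Added example, not F5 code; attribute names and formats are
taken from the table above, function names are assumptions."""
import ipaddress
import re
from xml.etree import ElementTree as ET

# Values the table requires when split_tunneling is 0.
FULL_TUNNEL_INCLUDE_SUBNET = "128.0.0.0/128.0.0.0 0.0.0.0/128.0.0.0"
FULL_TUNNEL_INCLUDE_DNS_NAME = "*"
FULL_TUNNEL_EXCLUDE_SUBNET = ""

_DOTTED = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_subnet_list(value):
    """Parse a space-separated 'ip/netmask' list (Vector(network)) into
    IPv4Network objects. Raises ValueError for any entry that is not
    ip/dotted-netmask, so a malformed entry is caught before assignment."""
    networks = []
    for token in value.split():
        addr, sep, mask = token.partition("/")
        if not sep or not _DOTTED.fullmatch(addr) or not _DOTTED.fullmatch(mask):
            raise ValueError(f"subnet {token!r} must be ip/dotted-netmask")
        networks.append(ipaddress.IPv4Network((addr, mask), strict=False))
    return networks


def dns_xml(primary, secondary=None):
    """Build the <dns> XML value from the table; addresses are validated as IPv4."""
    root = ET.Element("dns")
    ET.SubElement(root, "dns_primary").text = str(ipaddress.IPv4Address(primary))
    if secondary is not None:
        ET.SubElement(root, "dns_secondary").text = str(ipaddress.IPv4Address(secondary))
    return ET.tostring(root, encoding="unicode")


def check_split_tunnel_attrs(attrs):
    """Check the split-tunneling attributes of a resource (dict of attribute
    name -> value). Returns a list of problems; an empty list means the values
    follow the rules in the table."""
    problems = []
    mode = str(attrs.get("split_tunneling", ""))
    if mode not in ("0", "1"):
        return ["split_tunneling must be 0 or 1"]
    for key in ("address_space_include_subnet", "address_space_exclude_subnet"):
        try:
            parse_subnet_list(attrs.get(key, ""))
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
    if mode == "0":
        # No split tunneling: the table requires exactly these three values
        # (the two include subnets cover both halves of the IPv4 space).
        required = {
            "address_space_exclude_subnet": FULL_TUNNEL_EXCLUDE_SUBNET,
            "address_space_include_subnet": FULL_TUNNEL_INCLUDE_SUBNET,
            "address_space_include_dns_name": FULL_TUNNEL_INCLUDE_DNS_NAME,
        }
        for key, want in required.items():
            if attrs.get(key) != want:
                problems.append(f"{key} must be {want!r} when split_tunneling is 0")
    return problems


if __name__ == "__main__":
    print(dns_xml("4.2.2.1", "4.2.2.2"))
    full_tunnel = {
        "split_tunneling": 0,
        "address_space_exclude_subnet": "",
        "address_space_include_subnet": FULL_TUNNEL_INCLUDE_SUBNET,
        "address_space_include_dns_name": "*",
    }
    print(check_split_tunnel_attrs(full_tunnel))
```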
D
Using Access iRule Events
Introducing iRules
An iRule is a powerful and flexible feature within the BIG-IP local traffic manager system that you can use to manage your network traffic. Using syntax based on the industry-standard Tools Command Language (Tcl), the iRules feature not only allows you to select pools based on header data, but also allows you to direct traffic by searching on any type of content data that you define. Thus, the iRules feature significantly enhances your ability to customize your content switching to suit your exact needs. The remainder of this introduction presents an overview of iRules, lists the basic elements that make up an iRule, and shows some examples of how to use iRules to direct traffic to a specific destination such as a pool or a particular node.
Important
For complete and detailed information on iRules syntax, see the F5 Networks DevCentral web site, http://devcentral.f5.com. Note that iRules must conform to standard Tcl grammar rules; therefore, for more information on Tcl syntax, see http://tmml.sourceforge.net/doc/tcl/index.html.
What is an iRule?
An iRule is a script that you write if you want individual connections to target a pool other than the default pool defined for a virtual server. iRules allow you to more directly specify the destinations to which you want traffic to be directed. Using iRules, you can send traffic not only to pools, but also to individual pool members, ports, or URIs. The iRules you create can be simple or sophisticated, depending on your content-switching needs. Figure D.1 shows an example of a simple iRule.
Figure D.1 Example of an iRule

This iRule is triggered when a client-side connection has been accepted, causing the BIG-IP system to send the packet to the pool my_pool if the client's address matches 10.10.10.10. Using a feature called the Universal Inspection Engine, you can write an iRule that searches either a header of a packet, or actual packet content, and then directs the packet based on the result of that search. iRules can also direct packets based on the result of a client authentication attempt.
Appendix D
iRules can direct traffic not only to specific pools, but also to individual pool members, including port numbers and URI paths, either to implement persistence or to meet specific load balancing requirements. The syntax that you use to write iRules is based on the Tool Command Language (Tcl) programming standard. Thus, you can use many of the standard Tcl commands, plus a robust set of extensions that the BIG-IP system provides to help you further increase load balancing efficiency.
Event declarations
iRules are event-driven, which means that the BIG-IP system triggers an iRule based on an event that you specify in the iRule. An event declaration is the specification of an event within an iRule that causes the BIG-IP system to trigger that iRule whenever that event occurs. Examples of event declarations that can trigger an iRule are HTTP_REQUEST, which triggers an iRule whenever the system receives an HTTP request, and CLIENT_ACCEPTED, which triggers an iRule when a client has established a connection. Figure D.2 shows an example of an event declaration within an iRule.
    when HTTP_REQUEST {
        if { [HTTP::uri] contains "aol" } {
            pool aol_pool
        } else {
            pool all_pool
        }
    }
Figure D.2 Example of an event declaration within an iRule For more information on iRule events, see the Configuration Guide for BIG-IP Local Traffic Manager.
Operators
An iRule operator compares two operands in an expression. In addition to using the Tcl standard operators, you can use the operators listed in Table D.1.

Table D.1 iRule operators
Rule operators: contains, matches, equals, starts_with, ends_with, matches_regex
Logical operators: not, and, or

For example, you can use the contains operator to compare a variable operand to a constant. You do this by creating an if statement that represents the following: "If the HTTP URI contains aol, send to pool aol_pool." Figure D.2, on page D-2, shows an iRule that performs this action.
iRule commands
An iRule command within an iRule causes the BIG-IP system to take some action, such as querying for data, manipulating data, or specifying a traffic destination. The types of commands that you can include within iRules are:

Statement commands
    These commands cause actions such as selecting a traffic destination or assigning a SNAT translation address. An example of a statement command is pool <name>, which directs traffic to the named load balancing pool. For more information, see the Configuration Guide for BIG-IP Local Traffic Manager.

Commands that query or manipulate data
    Some commands search for header and content data, while others perform data manipulation such as inserting headers into HTTP requests. An example of a query command is IP::remote_addr, which searches for and returns the remote IP address of a connection. An example of a data manipulation command is HTTP::header remove <name>, which removes the last occurrence of the named header from a request or response.

Utility commands
    These commands are functions that are useful for parsing and manipulating content. An example of a utility command is decode_uri <string>, which decodes the named string using HTTP URI encoding and returns the result. For more information on using utility commands, see the Configuration Guide for BIG-IP Local Traffic Manager.
iRule event access policy items must be processed and completed before the access policy can continue.
ACCESS_SESSION_STARTED
This event occurs when a new user session is created. It is triggered after the session context and the initial session variables related to the user's source IP, browser capabilities and accepted languages have been created.
Using ACCESS_SESSION_STARTED
This event provides a notification that a new session is created. You can use this event to prevent a session from being created when a specific condition occurs. For example, if the user is exceeding the concurrent sessions limit, or if the user does not qualify for a new session due to custom logic, you can prevent a session from starting. You can use ACCESS::session commands to get and set various session variables. Administrators can also use TCP, SSL, and HTTP iRule commands to determine various TCP, SSL, or HTTP properties of the user.
ACCESS_SESSION_STARTED examples
In this example, the system writes the browser user-agent to the log file when the session starts.
    when ACCESS_SESSION_STARTED {
        log local0.notice "APM: Received a new session from browser: [ACCESS::session data get "session.user.agent"]"
    }
Figure D.3 ACCESS_SESSION_STARTED example logging browser user-agent

In this example, the system limits application access to the subnet 192.168.255.0 only.
    when ACCESS_SESSION_STARTED {
        set user_subnet [ACCESS::session data get "session.user.clientip"]
        # Compare the client address against 192.168.255.0/24 with IP::addr,
        # which applies the mask; Tcl cannot bit-wise AND a dotted-quad string.
        if { ![IP::addr $user_subnet equals 192.168.255.0/24] } {
            log local0.notice "Unauthorized subnet"
            ACCESS::session remove
        }
    }
ACCESS_POLICY_COMPLETED
This event occurs when the access policy execution completes for a user session.
Using ACCESS_POLICY_COMPLETED
This event provides a notification that access policy execution has completed for the user. You can use this event to perform post-access-policy work. For example, you can read and set session variables after the access policy is executed. You can use ACCESS::policy and ACCESS::session commands to get and set various session variables. Administrators can also use TCP, SSL, and HTTP iRule commands to determine various TCP, SSL, or HTTP properties of the user.
ACCESS_ACL_ALLOWED
This event occurs when a resource request passes the access control criteria and is allowed through the ACCESS filter. This event is only triggered for resource requests and does not trigger for internal access control URIs such as my.policy.
Using ACCESS_ACL_ALLOWED
This event notifies you that a resource request is being allowed to pass through the network. You can use this event to create custom logic that is not supported in a standard ACL. For example, you can further limit access based on specific session variables, rate controls, or HTTP or SSL properties of the user. You can use ACCESS::session commands to get and set session variables in this event, and ACCESS::acl commands to enforce additional ACLs.
ACCESS_ACL_DENIED
This event occurs when a resource request fails to meet the access control criteria and is denied access.
Using ACCESS_ACL_DENIED
This event provides notification that a resource request has been denied passage through the network. You can use this event to implement custom logic that is not supported in the standard ACLs. For example, you can send out a specific response, based on specific session variables and on HTTP or SSL properties of the user. This event may also be useful for logging purposes.
Configuration Guide for BIG-IP Access Policy Manager
You can use ACCESS::session commands to get and set session variables in this event, and ACCESS::acl commands to enforce additional ACLs.
ACCESS_SESSION_CLOSED
This event occurs when a user session is removed. This can occur because a user logs out, because the user session times out due to inactivity, or because the user session is terminated by an administrator. You can use the ACCESS::session command to get session variables in this event. iRule commands which require a flow context cannot be used in this event.
Using ACCESS_SESSION_CLOSED
This event is used like ACCESS_SESSION_STARTED.
ACCESS_POLICY_AGENT_EVENT
This event allows you to insert an iRule event agent at some point in an access policy. On the server, during access policy execution, the iRule event agent is executed and ACCESS_POLICY_AGENT_EVENT is raised in iRules. You can get the current agent ID (using the iRule command ACCESS::policy agent_id) to determine which iRule agent raised the event, and to create customized logic.
Using ACCESS_POLICY_AGENT_EVENT
Use this event to execute iRule logic inside TMM at the desired point in the access policy execution. For example, if you want to do concurrent session checks for a particular AD group, insert this agent after the AD query; once the user's group has been retrieved by the AD query, check in an iRule inside TMM how many concurrent sessions exist for that user group.
ACCESS::disable
This command disables the access control enforcement for a particular request URI. The request passes through the access policy without any access control checks, except for checks that the session is valid and that the policy reaches an allow ending. Use this command within the HTTP_REQUEST iRule event.
ACCESS::session commands
The following commands are used with the ACCESS::session command.
ACCESS::session remove
This deletes the user session and all associated session variables. The session is removed immediately after this command is invoked and no session variables can be accessed after this command. ACCESS::session commands can be used only in ACCESS events.
ACCESS::session exists
This command returns TRUE when the session with the provided sid exists, and returns FALSE otherwise. This command is allowed to be executed in events other than ACCESS events. One scenario for which you can use this command is to support a nonstandard HTTP application. The iRule verifies the MRHSession cookie, and provides a customized response that instructs the client to re-authenticate, as in the following example.
    when HTTP_REQUEST {
        set apm_cookie [HTTP::cookie value MRHSession]
        if { $apm_cookie != "" && ! [ACCESS::session exists $apm_cookie] } {
            HTTP::respond 401 WWW-Authenticate "Basic realm=\"www.example.com\""
            return
        }
    }
ACCESS::policy commands
The following ACCESS::policy commands are available.
ACCESS::policy agent_id
This returns the identifier for the agent raising the ACCESS_POLICY_AGENT_EVENT.
ACCESS::policy result
Returns the result of the access policy process. The result is one of the following:
    allow
    deny
    redirect
The ACCESS::policy command can only be used in ACCESS_POLICY_COMPLETED, ACCESS_ACL_ALLOWED and ACCESS_ACL_DENIED events.
ACCESS::acl result
This returns the result of the ACL match for a particular URI in ACCESS_ACL_ALLOWED and ACCESS_ACL_DENIED events. This result can have one of the following values:
    allow
    discard
    reject
    continue
ACCESS::acl lookup
This returns the name of all the assigned ACLs for a particular session.
E
Troubleshooting
Introducing troubleshooting
Example: Changing log levels
Example: Understanding log messages for endpoint security check failures
Example: Understanding log messages for authentication failures
Example: Using the adminreporting utility
Example: Understanding the logging action utility in the visual policy editor
Example: Viewing logging history
Introducing Access Policy Manager log messages
Introducing Kerberos error messages
Troubleshooting
Introducing troubleshooting
BIG-IP Access Policy Manager provides ways to troubleshoot issues that you may encounter from time to time. There are a number of files, utilities, and command line interfaces that you can use to pinpoint the problem areas and resolve them quickly. This appendix provides several different examples that you can refer to in order to understand how Access Policy Manager troubleshooting tools work. Following the examples, you will find sections on Access Policy Manager log messages and Kerberos error messages.
Appendix E
Make sure the log messages are displayed in chronological order, from the most recent logs to the older ones. Within the Log message screen, click TimeStamp to sort the logs based on the most recent times. Figure E.2 displays a sample log message. The most pertinent data is highlighted in the figure and described below.
The following highlighted literal strings are described:
windows_check_fw. This is the session variable object that represents the endpoint security check on the Windows firewall. This variable is allocated if your access policy profile has a firewall action included in your endpoint security check.
state. This is the object's attribute that describes the status of the Windows firewall running on your client's desktop.
0 value. This value means that the current state of the Windows firewall is disabled. If the value displayed is 1, the Windows firewall is enabled.
Since the firewall check returned a result of 0, the final return value on the access policy check resulted in an access denied policy ending. Therefore, the session ID created for your access is immediately deleted.
The example in figure E.3 displays the highlighted response received from the Active Directory server, which states that the user name entered on the logon page does not appear to be a valid user in the Active Directory database.
Example: Understanding the logging action utility in the visual policy editor
Access Policy Manager provides a tool called logging action, within the visual policy editor. This tool lets you tailor the logging of any session variables to the access control logs, so that you can better identify and understand the cause of a user's logon failure. Figure E.5 displays a sample log message generated based on a logon failure. You can view this message by using the navigation pane. Expand System, click Logs, and on the menu bar, click Access Control.
Description: Specifies that the APD daemon started with the wrong parameters. This can happen only if the administrative user modifies the start scripts for APD.
Troubleshooting: Make sure that the command line arguments to the APD daemon have not been modified in the /etc/bigstart/scripts/apd file. Factory settings: -d 3 -f

013c0002    ERROR
    Specifies that the APD daemon started with the wrong parameters. This can happen only if the administrative user modifies the start scripts for APD.
    Troubleshooting: Make sure that the command line arguments to the APD daemon have not been modified in the /etc/bigstart/scripts/apd file. Factory settings: -d 3 -f

013c0003    ERROR
    Specifies that the APD daemon started with the wrong parameters. This can happen only if the administrative user modifies the start scripts for APD.
    Troubleshooting: Make sure that the command line arguments to the APD daemon have not been modified in the /etc/bigstart/scripts/apd file. Factory settings: -d 3 -f

013c0004    INFO
    Specifies the name of the agent that is started and the returned value. The returned value is an integer.

013c0005    NOTICE
    <Session ID> Following rule '%s' from item '%s' to ending '%s'
    Indicates the access policy items that the user system followed to reach the specified ending. The name of the ending is ending_denied, webtop or redirect ending.

013c0006    INFO
    <Session ID> Following rule '%s' from item '%s' to item '%s'
    Specifies the rules that are followed when the system processes the access policy.

013c0007    INFO
    Session variable <Session Variable Name> set to <value>
    This is an informational message that the variable <Session Variable Name> is set to the value <value>, and the access policy can use it in the session.
Message: <Session ID> Connectivity resource '%s' assigned through resource group '%s'
Description: Specifies that the resource assign action has assigned the specified connectivity resource to the session.

013c0009    NOTICE
    Specifies that the resource assign action has assigned the specified ACL to the session.

013c0010    NOTICE
    <Session ID> Username '%s'
    Specifies the user name used for the logon page.

013c0013    INFO
    <Session ID>: agent: Retrieving AAA server: <ServerName>
    Specifies that the AAA agent is retrieving the AAA server information.

013c0014    ERROR
    <Session ID>: agent: No AAA server associated with <Agent Name>
    Specifies that the access policy configuration is incomplete. The AAA agent specified in the log message is not associated with a valid AAA server.
    Troubleshooting: Make sure a AAA Server is assigned in the AAA action <Agent Name> configuration in the access policy.

013c0015    ERROR
    <Session ID>: agent: Failed to decrypt <StringName> of AAA server: <Server Name>
    Specifies that the APD daemon failed to initialize the access policy. This error indicates that the APD daemon is unable to decrypt the administrative password for the AAA server specified in the log message. This indicates a critical system failure.

013c0016    ERROR
    Specifies that the APD daemon failed to initialize the access policy. The access policy contains an agent of unknown type. This indicates a critical system failure.

013c0017    INFO
    <Session ID> AD agent: Auth (logon attempt:<Count>): authenticate with '<UserName>' <Result>
    Informational. Specifies the <Result> of an Active Directory authentication attempt. The result is either failed or successful.

013c0019    INFO
    <Session ID> AD agent: Query: query with '<Filter>' <Result>
    Informational. Specifies the <Result> of an Active Directory query attempt. The result is either failed or successful.
Description: Specifies that one of the access policy agents encountered an error, as described by the error message, during access policy processing. <AuthType> indicates the authentication module in which the error occurred. The <ErrorMessage> contains information that can point to the cause of the error.

013c0022    ERROR
    Specifies that one of the access policy agents encountered an error, as described by the error message, during access policy processing. <AuthType> indicates the authentication module in which the error occurred. The <ExceptionMessage> contains information that can point to the cause of the error.

013c0042    ERROR
    Specifies that a AAA server operation of the type specified in the log message failed with the error described by the error message.

013c0043    ERROR
    Specifies that a AAA server operation of the type specified in the log message failed with the error described by the error message.

013c0049    INFO
    <Session ID> LDAP agent: Auth (logon attempt:<Count>): authenticate with '<UserName>' <Result>
    Provides an informational message that indicates that the LDAP authentication attempt occurred. The Result is either failed or successful.

013c0051    INFO
    <Session ID> LDAP agent: Query: query <Result>, dn: <DN>, filter: <Filter>
    Provides an informational message that indicates that the LDAP query attempt occurred. The Result is either failed or successful.

013c0057    ERROR
    Specifies that the LDAP unbind operation for either LDAP or Active Directory failed with the error described in the error message. <AuthType> indicates the authentication module in which the error occurred. The <ErrorMessage> for ldap_unbind() contains more information about the cause of the error.
Message: <Session ID> RADIUS agent: (logon attempt:<Count>) authenticate with '<UserName>' <Result>
Description: Specifies an informational message that indicates that the RADIUS authentication attempt occurred. The Result is either failed or successful.

013c0059    INFO
    <Session ID> RADIUS agent: (logon attempt:<Count>) radius challenge response received, reply-message: <Message>

013c0070    ERROR
    00000000: AD agent: ERROR: %s failed for <hostname/IPaddr>
    Specifies that the Active Directory action encountered an error while trying to authenticate against the external AAA server with the host name and IP address listed in the error message.
    Troubleshooting: Make sure that DNS is properly configured to resolve the forward and reverse lookup for the AAA server.

013c0075    INFO
    <Session ID> AD agent: Auth (logon attempt: <Count> ): password changed successfully for '<UserName>'

013c0076    INFO
    <Session ID> AD agent: Auth (logon attempt: <Count>): Domain password has been expired and must be changed for '<UserName>'

013c0077    INFO
    <Session ID> AD agent: Auth (logon attempt: <Count>): failed to change password for '<UserName>'

013c0079    NOTICE
    00000000: Access policy '%s' configuration has changed. Access profile '%s' configuration changes need to be applied for the new configuration
    Specifies that the access policy configuration has changed. The modified or new configuration changes are not yet active and you must activate the access policy for the changes to take effect.
E - 11
Appendix E
Description: Specifies that the APD daemon failed to communicate with the session database. This indicates a critical system failure.

013c0081 (ERROR)
Message: <Session ID> Agent execution failed for agent: %d and access policy item: %d
Description: Specifies that an access policy action encountered an error, described in the error message, while the access policy was processing.

013c0082 (ERROR)
Message: <Session ID> Invalid rule exists in access policy. Unable to find nextnode.
Description: Specifies that the access policy configuration is not valid. One of the access policy rules is followed by an item that is not valid.

013c0083 (ERROR)
Message: 00000000: Request from remote client could not be received from socket. Socket error: %s
Description: Specifies that an error occurred while the system was receiving data from the remote client during access policy processing. Indicates a critical system failure.

013c0084 (ERROR)
Description: Specifies that, during access policy processing, an access policy action encountered an error, described in the error message.

013c0085 (ERROR)
Message: <Session ID> Response could not be sent to remote client. Socket error:%s
Description: Specifies that an error, described in the error message, occurred while sending the data response to the remote client during access policy processing. This might occur if the remote client disconnects during access policy processing.

013c0086 (ERROR)
Description: Specifies that the error described in the error message occurred while trying to evaluate an access policy rule during access policy processing.
Description: Specifies that an error occurred while attempting to evaluate an access policy rule during access policy processing. This error indicates that a session variable that is not valid is present in the rule expression.
Troubleshooting: Make sure that the session variable configured in the access policy rule does exist when the rule runs.

013c0088 (ERROR)
Description: Specifies that an error occurred while attempting to evaluate an access policy rule during access policy processing. This error indicates that a session variable that is not valid is present in the rule expression.
Troubleshooting: Make sure that the session variable configured in the access policy rule does exist when the rule runs.

013c0089 (ERROR)
Description: Specifies that the APD has received a configuration change notification for an unknown access profile. This indicates a critical system failure.

013c0090 (ERROR)
Description: Specifies that the APD has received an ADD notification for an existing access profile. This indicates a critical system failure.

013c0091 (ERROR)
Message: 00000000: Invalid request header received from remote client. Socket error: %s
Description: Specifies that the response received during access policy processing from a remote client is not valid. The log message logs the incoming HTTP request header received from the remote client.

013c0092 (ERROR)
Description: Specifies that the response received during access policy processing from the remote client is not valid. The log message logs the length of the incoming HTTP POST request received from the remote client.
Message: 00000000: Request header parsing failed while processing request from remote client
Description: Specifies that an error occurred while processing the received request from the remote client during access policy processing.

013c0094 (ERROR)
Message: <Session ID> Couldn't get session variable from session db. Session var: %s
Description: Specifies that APD failed to retrieve a session variable (logged by the log message) from the session database.

013c0095 (ERROR)
Description: Specifies that the file check action encountered an error during access policy processing.
Troubleshooting: Log and inspect the session variables for the file check action.

013c0096 (NOTICE)
Description: Specifies that the system has initialized the specified access profile. Access Policy Manager accepts any request received for this access profile from this point forward, and sends these requests through the associated access policy.

013c0097 (NOTICE)
Message: 00000000: A new access policy: %s has been initialized
Description: Specifies that the system has initialized a new access policy.

013c0098 (NOTICE)
Message: 00000000: Access profile: %s has been removed.
Description: Specifies that the system has deleted an access profile. Access Policy Manager denies any request received for this access profile from this point forward.

013c0099 (NOTICE)
Message: 00000000: Access policy: %s has been removed.
Description: Specifies that the system has deleted an access profile.

013c0100 (NOTICE)
Message: 00000000: Access profile: %s configuration changes need to be applied for the new configuration to take effect.
Description: Specifies that the system has detected changes you have made to the access profile configuration. The modified or new configuration changes are not yet active. You must activate the access policy for the new changes to take effect.
Message: 00000000: Access profile: %s configuration has been applied. Newly active generation count is: %d
Description: Specifies that the system has started the access policy associated with the access profile. Access Policy Manager increments the generation count by one every time an access policy is activated.

013c0102 (NOTICE)
Description: The final result of the access policy. Valid results are Logon_Denied or Webtop.

013c0103 (NOTICE)
Message: <Session ID> Retry Username '<UserName>'

013c0104 (ERROR)
Message: 00000000: <Session ID> Failed to store configuration variable (error:%d, name:'%s', value:'%s')
Description: Specifies that APD failed to store a session variable (logged by the log message) in the session database. The log message logs the name of the error encountered along with the variable and value of the variable.
Troubleshooting: Access Policy Manager was unable to store the session variable in the session database. Either an internal processing error or a failure in database memory allocation occurred.

013c0105 (ERROR)
Description: Specifies that the AAA action encountered an error during access policy processing, because the AAA server information could not be located.
Troubleshooting: Make sure that the AAA Server <ServerName> exists in the bigip.conf file. This might happen when a AAA server is deleted from bigip.conf, but the AAA server is still being used by a AAA action.

013c0106 (WARNING)
Message: <Session ID> AD module: WARNING: <Action> <Object> failed in <FunctionName>(): <ErrorMessage> (ErrorCode)
Description: Specifies that the Active Directory Auth or Query action encountered an error during access policy processing. Action has one of the values: query with, authentication with, change password for. Object has one of the values: Filter, <AdminUserName>, <UserName>. The error message is included with the source code function name.
Troubleshooting: Refer to the <ErrorMessage> text, which contains information about the cause of the error.
Message: <Session ID> AD module: ERROR: <Action> <Object> failed in <FunctionName>(): <ErrorMessage> (ErrorCode)
Description: Specifies that the Active Directory Auth or Query action encountered an error during access policy processing. Action has one of the values: query with, authentication with, change password for. Object has one of the values: Filter, <AdminUserName>, <UserName>. The error message is included with the source code function name.
Troubleshooting: Refer to the <ErrorMessage> text, which contains information about the cause of the error.

013c0108 (ERROR)
Message: <Session ID> RADIUS module: ERROR: authentication with <UserName> failed in <FunctionName>(): <ErrorMessage> (ErrorCode)
Description: Specifies that, during access policy processing, the RADIUS Auth action encountered an error. The log message includes the user name and error message, along with the source code function name.
Troubleshooting: Refer to the <ErrorMessage> text, which contains information about the cause of the error.

013c0109 (WARNING)
Message: <Session ID> LDAP module: WARNING: <Action> <Object> failed in <FunctionName>(): <ErrorMessage> (ErrorCode)
Description: Specifies that the LDAP Auth or Query action encountered an error during access policy processing. Action has one of the values: query with, authentication with. Object has one of the values: Filter, <AdminUserName>, <UserName>. The message also includes the error message and the source code function name.
Troubleshooting: Refer to the <ErrorMessage> text, which contains information about the cause of the error.
Message: <Session ID> LDAP module: ERROR: <Action> <Object> failed in <FunctionName>(): <ErrorMessage> (ErrorCode)
Description: Specifies that the LDAP Auth or Query action encountered an error during access policy processing. Action has one of the values: query with, authentication with. Object has one of the values: Filter, <AdminUserName>, <UserName>. The message also includes the error message and the source code function name.
Troubleshooting: Refer to the <ErrorMessage> text, which contains information about the cause of the error.

013c0112 (ERROR)
Message: <Session ID> EndPoint inspection data is not valid: Agent Result: %s SessionID: %s DeviceInfo: %s Token: %s Signature: %s
Description: Specifies that an error occurred while reading the received request from the remote client during access policy processing. The received request has invalid end-point inspection data. The log message logs various parts of the inspection data.

013c0113 (NOTICE)
Message: <Session ID> %s is %s
Description: Specifies the session variable name and its corresponding value.

013c0114 (ERROR)
Description: Specifies that an error occurred while the system was reading the received request from a remote client during access policy processing. The request received is for a profile that does not exist. This can happen if the access profile has been deleted while the remote client is processing the access policy.

013c1002 (NOTICE)
Description: Indicates that a client directly accessed one or more resources inside the renderer directory. This is a security violation and the system does not allow it. The system logs the corresponding URI here.
Troubleshooting: An attempt by a client to access a resource on the internal HTTP daemon or service has been detected by the system. If the user request is associated with a session ID, you can determine the client IP address from the log messages.

013c1004 (NOTICE)
Message: Invalid Session ID <Client Session ID> Expect (<Session ID>) (URI=<URI String>)
Description: The incoming request did not correspond to any known session ID in the system. The corresponding URI is also logged.

013c1005 (NOTICE)
Message: Invalid Client IP: we have=<IP Address> client ip=<Client IP Address> (URI=<URI String>)
Description: The client IP of the incoming request did not match that stored internally for this session.

013c1006 (NOTICE)
Message: Attempt to access protected resource w/o valid session (URI=<URI String>)
Description: This log message indicates that the system received a request for a protected resource from a client with an empty session ID.

013c1007 (NOTICE)
Message: Request to a protected resource w/o session ID (<URI String>) User Agent: <User Agent Name>
Description: A request to a protected resource was received with an empty session ID.

013c1009 (NOTICE)
Message: License NOT available for user session
Description: Specifies that the system ran out of licenses while processing user session requests. All available licenses are already in use.

013c1010 (NOTICE)
Description: Specifies that a valid client certificate is received from the remote client. The client certificate is stored in the session database.

013c1011 (NOTICE)
Description: The result of the failed client cert authentication: revoked, unable to verify or another result.

013c1012 (INFO)
Message: Client Cert Auth using OCSP: Status code = <Auth Status>
Description: Logs the result of OCSP authentication. The possible values are 0 (Success), 1 (Failure), -1 (Error), and 2 (Not authenticated).
Troubleshooting: Check the OCSP Responder and OCSP profile configuration settings. The reason for the failure will be listed in the access control log file.

013c1014 (INFO)
Description: Logs the result of Client Cert Authentication using CRLDP. The possible values are 0 (Success), 1 (Failure), -1 (Error), and 2 (Not authenticated).
Troubleshooting: Check the CRLDP server and CRLDP profile configuration settings. The reason for the failure will be available in the access control log file.

013c1015 (WARN)
Description: Specifies that the client certificate the system received from the remote client has been revoked.

013c1016 (WARN)
Description: Specifies that the client certificate the system received from the remote client is not a valid PKI certificate.

013c1017 (WARN)
Message: OCSP Failure.
Description: Specifies that the client certificate the system received from the remote client could not be authenticated using OCSP. An error occurred during authentication.
Troubleshooting: Check the OCSP Responder and OCSP profile configuration settings. The reason for the failure will be available in the access control log file.

013c1018 (WARN)
Message: OCSP Error.
Description: Specifies that the client certificate the system received from the remote client could not be authenticated using OCSP. An error occurred during authentication.
Troubleshooting: Check the OCSP Responder and OCSP profile configuration settings. The reason for the failure will be available in the access control log file.

013c1020 (NOTICE)
Description: Logs the SSL cipher information for the SSL session with the remote client.
Description: Specifies that a valid client certificate was received from the remote client. Logs the Common Name (CN) field from the received certificate.

013c1022 (NOTICE)
Description: Specifies that an error occurred during user session processing and the user is being redirected to an error page. This page is shown to the user, and the user session is removed. The error code points to one of the customizable error messages.

013c1023 (NOTICE)
Message: Deleted
Description: All session variables and the session are removed from memory.

013c1024 (NOTICE)
Description: A request for the logout page was received, and the user was redirected to the logout page.

013c1025 (ERROR)
Description: There is no client IP address assigned for the network access resource for this session.
Troubleshooting: The value from the session.assigned.clientip session variable is assigned to the client IP address. Either the session variable does not exist or the Session DB failed to read the variable value.

013c1026 (NOTICE)
Description: Each UNIT has a unique failover_id similar to the Unit ID used in High Availability.

013c1027 (INFO)
Description: Each UNIT has a unique failover_id similar to the Unit ID. This is used for High Availability.

013c1028 (NOTICE)
Description: Session data was deleted when failover occurred. The session is from the other UNIT and was in the middle of the access policy process.
Description: A new password is rejected by the Active Directory server. For example, the current password may have been entered as the new password, or the password length is too short.
Glossary

absolute URL: An absolute URL specifies the exact location of a file or directory on the internet.
access control list (ACL): In Access Policy Manager, the ACL is a set of restrictions associated with a resource or favorite that defines access for users and groups.
access policy: An access policy contains steps that the client and server go through before access is granted to a connection by the Access Policy Manager. See also action, client side check, endpoint security, branch rule.
access profile: An access profile is a pre-configured group of settings that you can use to configure secure network access for an application.
action: An action is an ordered set of rules for evaluating a remote system. Each action invokes one or more inspectors. The action then uses rules to test the inspector's findings. In the visual policy editor, an action is depicted by a rectangle.
Active Directory: The Active Directory is a network structure supported by Windows 2000, or later, that provides support for tracking and locating any object on a network.
advanced rules: In an access policy, advanced rules provide customized functionality. This functionality is useful when you want more functionality than is provided by the default access policy rules and the rules created with the expression builder.
allow ending: An allow ending is a successful ending for the user in the access policy.
authentication: Authentication is the process of verifying the identity of a user logging on to a network.
authentication action: Authentication actions are used in an access policy to add an authentication check with a AAA server or with a client certificate.
authentication query: An authentication query searches the appropriate part of the directory tree structure of a AAA server, such as LDAP or Active Directory, to find a user within that directory.
authorization: Authorization is the process of enabling user access to resources, applications, and network shares.
branch rule: Branch rules test the inspector's findings about a client system. The order of rules in a pre-logon sequence determines the flow of action.
certificate: A certificate is an online credential signed by a trusted certificate authority and used for SSL network traffic as a method of authentication.
client certificate: A client certificate enables the Access Policy Manager to verify the identity of a user's computer, and to control access to specific resources, applications, and files.
client component: A client component is a control downloaded from the Access Policy Manager that enables the various features of Access Policy Manager functionality.
client side check: In an access policy, a client side check defines a set of actions that need to be taken in order to evaluate the client system or device.
Configuration utility: The Configuration utility is the browser-based application that you use to configure the Access Policy Manager.
decision box: In the visual policy editor, a decision box is a policy action that provides a user with two options for accessing a system.
domain name: A domain name is a unique name that is associated with one or more IP addresses. Domain names are used in URLs to identify particular Web pages. For example, in the URL http://www.siterequest.com/index.html, the domain name is siterequest.com.
Domain Name System (DNS): The Domain Name System (DNS) is a system that stores information associated with domain names, making it possible to convert IP addresses such as 192.168.16.8 into more easily understood names such as www.siterequest.com.
Dynamic Host Configuration Protocol (DHCP): DHCP is a protocol for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can be assigned a different IP address every time it connects to the network.
endpoint security: Endpoint security is a centrally managed method of monitoring and maintaining client-system security. See also client side check and resource protection.
FIPS: Federal Information Processing Standards (FIPS) are publicly announced standards developed by the U.S. Federal government for use by all (non-military) government agencies and by government contractors. The Access Policy Manager can be configured with FIPS 140-encryption hardware, which stores all certificates and private keys in the FIPS hardware.
FQDN (fully qualified domain name): The fully qualified domain name (FQDN) is an unambiguous domain name that specifies a node's position in the DNS tree hierarchy absolutely, for example, myfirepass.siterequest.com. See also domain name.
high availability: High availability is the process of ensuring access to resources despite any failures or loss of service in the setup. For hardware, high availability is ensured by the presence of a redundant system. See also redundant system.
hot fix: A hot fix (patch) is an intended modification to the BIG-IP Access Policy Manager.
HTTP (HyperText Transport Protocol): HTTP is the method that is used to transfer information on the Internet and on intranets.
HTTPS (HyperText Transport Protocol [Secure]): HTTPS is secure HTTP. See also HTTP (HyperText Transport Protocol).
inspector: An inspector is an ActiveX control or Java plug-in that gathers information about the user's computer, evaluating factors such as the presence of viruses or antivirus software, operating system version, running processes, and others.
interface: A physical port on an F5 system is called an interface.
IP address: An IP address (Internet Protocol address) is a unique number that identifies a single device and enables it to use the Internet Protocol standard to communicate with another device on a network. See also self IP address and virtual IP address.
IPsec: IPsec (Internet Protocol Security) is a communications protocol that provides security for the network layer of the Internet without imposing requirements on applications running above it.
local traffic management: Local traffic management refers to the process of managing network traffic that comes into or goes out of a local area network (LAN), including an intranet.
name resolution: Name resolution is the process by which a name server matches a domain name request to an IP address, and sends the information to the client requesting the resolution.
NAT (Network Address Translation): A NAT is an alias IP address that identifies a specific node managed by the Access Policy Manager system to the external network.
network access: Network access is an Access Policy Manager feature that provides secure access to corporate applications and data using a standard web browser.
network configuration: Network configuration is the process of setting up the Access Policy Manager's web services on network interfaces. See also web service.
port: A port is a number that is associated with a specific service supported by a host.
redundant system: Redundant system refers to a pair of units that are configured for failover. In a redundant system, there are two units, one running as the active unit and one running as the standby unit. If the active unit fails, the standby unit takes over and manages connection requests.
resource: A resource is an application, a file, or a server on your network to which you want users to have secure access.
resource protection: Resource protection is the process of using a defined protected configuration to protect a set of resources.
self IP address: A self IP address is an IP address that uniquely identifies each Access Policy Manager interface or VLAN interface. See also IP address and virtual IP address.
sequence: See access policy.
server certificate: A server certificate verifies the server's identity to a user's computer.
session variable: A session variable contains a number or string that represents a specific piece of information about the client system, the Access Policy Manager, or another piece of information.
split tunneling: Split tunneling is a process that provides control over exactly what traffic is sent over the network access connection to the internal network.
SSL (Secure Sockets Layer): SSL is a network communications protocol that uses public-key technology as a way to transmit data in a secure manner.
standby controller/standby unit: A standby unit in a redundant system is the unit that is always prepared to become the active unit if the active unit fails.
strong password: A strong password is one that is difficult to detect by both humans and computer programs, which effectively protects data from unauthorized access. A strong password typically consists of a specific number of alphanumeric characters of differing case, as well as certain punctuation characters.
superuser: Superusers are users who have cross-realm access to all groups and features. A superuser creates realm administrators, upgrading them from Access Policy Manager users, and delegating full or restricted access to Access Policy Manager functionality or groups.
tunnel: A tunnel is a secure connection between computers or networks over a public network.
URI: In the Access Policy Manager context, URI means the fully-qualified domain name, followed by the path designator /<uri-specific_path>.
virtual host: In the Access Policy Manager context, a virtual host means the domain name or IP address that users specify when logging on to a web service you create on a virtual IP. See also virtual IP address.
virtual IP address: A virtual IP address is an IP address that identifies a virtual (that is, non-physical) network location. The Access Policy Manager uses virtual IP addresses for redundant systems. See also IP address, redundant system, and self IP address.
visual policy editor: The visual policy editor consists of a graphical area in which you create, view, or modify an access policy by clicking to add and delete actions and rules that are visually shown on the graph. See also access policy, action, and branch rule.
web service: A web service is a method of communication that applications written in various programming languages and running on various platforms can use to exchange data over networks, such as the Internet or an intranet.
webtop: The webtop is the user's home page, which grants access to the network access connection.
Index

  applying 7-3
  assigning a webtop 5-8
  assigning an ACL 5-5
  assigning resources 8-9
  assigning variables 8-10
  configuring for systems that cannot use client-side checks 10-1
  creating 7-5
  logging session variables 8-16
  selecting a VLAN 8-15
  setting a default ending 7-10
  understanding basic configuration 7-6
  understanding branches 6-10
  understanding endings 7-8
  understanding rules and actions 6-6
access policy ending
  creating 7-8
access policy example B-1
Access Policy Manager
  finding software version 1-24
access profile
  and browser language strings 7-4
  backup 7-27
  creating 7-2, B-6
  customizing 15-1
  customizing languages 7-4
  domain cookie option 7-2
  import 7-27
  secure cookie option 7-2
  specifying a logout URI 7-2
accounting
  collecting user information 11-1
  overview 11-1
ACLs See access control lists.
actions
  and internal process for 6-6
  and pre-defined 6-3
  and rules 6-6
  using in access policies 6-2
active connection statistics 18-14, 18-15
Active Directory
  configuring query action B-6
active FTP and SNAT automap 2-6
ActiveSync
  adding to virtual server 14-2
  using UI Mode to create an ActiveSync branch 10-5
AD Query action B-6
adminreporting utility E-5
advanced access policy rules
  and mcget command 16-18
  creating a custom variable with 16-21
  replacing configuration variable with custom expression 16-21
  understanding situations 16-17
  using 16-17
  writing 16-18
  writing in an action 16-19
  writing in resource assign action 16-20
advCustHelp utility 15-24
alarm RMON group 18-13
Alert log level 17-6
alert system 18-7
allow ending
  configuring 7-9
allow local subnet 2-7
allowed ending
  understanding 6-14
antivirus check action
  understanding 9-2
  using 9-2
application access
  and web applications 3-2
application launch
  configuring for Macintosh or Linux A-13
application-specific MIB files 18-1
  See also enterprise MIB files.
apply access policy 7-3
Ask F5
  and support 1-24
assigning a webtop 5-8
assigning an ACL 5-5
assigning resources 8-9
assigning variables 8-10
audit log 17-2
audit logging
  and /var/log/ltm directory 17-5
  enabling and disabling 17-7
auditing events
  and log levels 17-7
authentication
  choosing an authentication scheme 11-1
  determining a method 11-2
  overview 11-1
  setting up RADIUS authentication and authorization 11-3, 11-14
  troubleshooting E-4
authentication actions
  understanding 7-13
authentication warnings 18-8
authorization
  accessing resources 11-1
  overview 11-1

B
back up an access profile 7-27
best practices
  and client certificates 12-12
  for certificate revocation lists 12-12
  for Online Certificate Status Protocol 12-12
BIG-IP alert system 18-2
BIG-IP system information 18-3
BIG-IP system objects, SNMP 18-2
branch rules
  and branches 6-10
  examples 6-7
  understanding 7-5
branches
  in access policies 6-10
browser cache cleaner action
  understanding 9-26
  using 9-26

C
cache and compression
  configuring 3-5
calculations 18-14
certificate revocation list
  and best practices 12-12
  and limitation 12-11
  described 12-11
certificates
  and Online Certificate Status Protocol 12-12
  overview 12-2
  understanding SSL server certificates 12-2
client
  configuring settings A-7
  configuring to use Windows logon credentials A-6
  customizing appearance 15-22
client access
  allowing 18-2, 18-4
  configuring 18-3
client certificates
  and best practices 12-12
  and certificate revocation list updates 12-12
  and Online Certificate Status Protocol 12-12
client components
  downloading A-1
  understanding A-1
client connections
  establishing A-16
client download wizard
  understanding client options A-9
  using A-5, A-10, A-11, A-12
Client for Microsoft Networks 2-8
client OS check action
  understanding 10-2
  using 10-2
client proxy settings 2-9
client settings
  for network access 2-6
client traffic classifier
  creating 2-17
client troubleshooting utility
  downloading A-20
clients
  and administrative rights A-1
clients, SNMP 18-3
client-side actions 7-14
client-side checks 7-13
  preparing for systems that cannot use 10-1
  understanding 9-1
collecting Windows information 9-22
common operations, following recommended path 1-22
communities
  and access levels 18-5, 18-7
  and trap destinations 18-8
community access 18-5
company-specific MIB files 18-1
component installer
  using A-11
compressing traffic 2-1
config variables
  assigning 8-10
configuration changes
  auditing 17-4
configuration data loads
  logging 17-8
configuration tasks
  for SNMP agent 18-3
  summary for SNMP 18-2
Configuration utility
  and components 1-17
  and identification and messages area 1-17
  and menu bar 1-17
  and navigation pane 1-17
configurations
  and scenarios 1-23
connection statistics 18-14, 18-16
connectivity profile
  configuring client settings A-7
  configuring mobile client settings A-8
  customizing client appearance 15-22
  specifying Windows logon credentials A-6
contact information 18-3
contact name 18-3
content searching D-1
content switching
  customizing D-1
context-sensitive online help 1-24
Controlling SSL Traffic 12-1
CPU use statistics 18-14, 18-18
Critical log level 17-6
CRL See certificate revocation list.
current sessions
  displaying reports 17-9
customization
  for advanced user profiles 15-24
  restore a default setting 15-2
customizing logon page elements 15-8
customizing logon page fonts 15-9
customizing logon page footer 15-9
customizing logon page header 15-9

D
data MIB files 18-12
data access control, SNMP 18-3
data loads
  logging 17-8
data object values, SNMP 18-1
data objects
  in MIB files 18-9
  modifying 18-5, 18-7
  See also access levels.
Debug log level 17-6
decision box action 8-18
default access control actions 5-2
default access levels
  assigning 18-7
  modifying 18-5
default ending 7-10
denied ending
  understanding 6-14
deny ending
  configuring 7-9
destinations, SNMP 18-7, 18-8
detecting ActiveSync clients 10-5
DNS
  setting on remote computers 2-9
  understanding options 2-9
domain cookie option 7-2
domain scripts
  running 2-12
DTLS 2-8
  configuring a virtual server 14-3

E
email, sending 17-2
Emergency log level 17-6
endings
  and understanding 6-14, 7-8
  creating 7-8
  deny 6-14
  for allowed users 6-14
  for logon denied 7-8
  for redirect 6-15
  for webtop 7-8
  redirect 7-8
  setting default 7-10
endpoint security
  and internal process for an action 6-6
  and rule syntax C-2
  troubleshooting E-2
  understanding rules and actions in access policies 6-6
enterprise MIB files
  and Configuration utility 18-1
  content of 18-10
  defined 18-1
  downloading 18-2, 18-10
Error log level 17-6
error messages
  customizing 16-4
  logging E-8
  viewing Kerberos E-21
event notifications, SNMP 18-2
event RMON group 18-13
expr command
  using 16-18
External Access Management
  About 13-9
external logon page action
  using 8-8

F
F5 Technical Support, contacting 1-24
F5-BIGIP-COMMON-MIB.txt file 18-10
F5-BIGIP-LOCAL-MIB.txt file 18-10, 18-11
F5-BIGIP-SYSTEM-MIB.txt file 18-10, 18-12
fallback branch 6-10
file and printer sharing option 2-8
file check action
  understanding 9-6
  using 9-6
firewall check action
  understanding 9-14
  using 9-14
force all traffic through tunnel option 2-7
framework installation 15-8
FTP
  for active FTP and SNAT automap 2-6
full patching
  understanding 3-2

G
general purpose actions
  configuring 8-3
  understanding 8-1
global statistics data 18-12
graphs, SNMP 18-14
group policy
  adding a template 9-38
  downloading a template 9-38, 9-39

H
history RMON group 18-13
Home tab
  enabling 3-6
host names
  in logs 17-2
hosts file 2-10
  setting on remote computers 2-9
HTTP request statistics 18-14, 18-17
HTTPS
  and network access 2-2

I
import an access profile 7-27
information collection 18-2
Information log level 17-6
information polling 18-2
information, SNMP 18-3
installing Windows client packages A-11
integrated IP filtering engine 2-7
interfaces
  monitoring 18-13
Introducing Single Sign-On with Credential Caching and Proxying 13-1
Introducing SSL server certificates 12-2
IP address
  with DTLS and network access virtual servers 14-3
IP addresses
  for SNMP traps 18-8
  specifying 18-3
iRule command types D-3
iRule elements D-2
iRule event declarations D-2
iRule operators D-3
iRules
  defined D-1
  viewing reference D-4
irules
  understanding D-1
K
Kerberos error messages E-21
L
landing URI check using 10-12 launch applications application paths and parameters 2-11 understanding options 2-11 lease pools assigning to a network access resource 2-14 creating 2-13, 4-4, 4-5, 14-4, B-3 understanding 2-13 Linux
H
header searching D-1 help locating online help 1-24
Index - 4
Index
and supported network access features A-13 configuring application launch A-13 installing client on A-14 local application traffic 18-11 local traffic management information 18-10 log contents 17-2 log levels changing E-1 defined 17-6 setting 17-6 log messages E-8 logging action understanding 8-16, E-6 logging session variables in an access policy 8-16 logical operators C-3 logical operators, listed D-3 logon denied ending customizing 7-10 understanding 7-8 logon history E-7 logon page adding a virtual keyboard 8-14 customizing 15-1 customizing elements 15-8 customizing fonts 15-9 customizing footer 15-9 customizing header 15-9 customizing with logon page action 16-2 understanding logout components 15-13 logon page action understanding 16-1 using 8-4 logon page fonts 15-9 logon page footer 15-9 logon page header 15-9 logout understanding components 15-13 logout message customizing 16-4 Logout URI Include 7-2 loopback interface 18-3
M
machine cert check action understanding 9-10 using 9-12 machine location 18-3 Macintosh and supported network access features A-13 configuring application launch A-13 macro templates for AD auth and resources 7-17 for AD auth query and resources 7-18 for LDAP auth and resources 7-19 for LDAP auth query and resources 7-20
for RADIUS and resources 7-21 for SecurID and resources 7-22 for Windows AV and FW 7-23 macro terminals branches 6-10 configuring 7-15 understanding 6-12 macrocalls adding to an access policy 7-16 understanding 6-11 macros adding to an access policy 7-16 configuring 7-15 understanding 6-11 understanding terminals 6-12 management information base See also MIB-II MIB. See MIB. mcget command using 16-18 memory use statistics 18-14, 18-15, 18-18 message box action 8-17 metrics collection 18-14 MIB and device management 18-1 defined 18-1 See also MIB-II MIB. MIB file contents 18-10 MIB file locations 18-1 MIB file types 18-9 MIB files defined 18-9 described 18-1 downloading 18-2 MIB-II MIB 18-1 MIB-II objects 18-12 minimal patching configuring 3-3 minimum log levels 17-1 defined 17-6 setting 17-6 mobile client configuring settings A-8
N
Net-SNMP 18-1 network access and allow local subnet option 2-7 and client proxy settings 2-9 and client settings 2-6 and clients 2-1 and compression 2-1 and drive mapping 2-10 and file and printer sharing option 2-8 and functionality supported 2-1
Index - 5
Index
and integrated IP filtering option 2-7 and launch applications options 2-11 and Linux support A-13 and Macintosh support A-13 and Microsoft Networks client 2-8 and point-to-point protocol 2-2 and routing table changes option 2-7 and session update threshold 2-6 and session update window 2-6 and split tunneling option 2-7 and Web Applications 3-1 configuring properties 2-4, 13-14, 13-15, 13-16, 13-17, 13-18 creating 2-4 creating resource 2-4 establishing client connections A-16 forcing all traffic through the tunnel 2-7 IP addresses and DTLS 14-3 overview 2-1 understanding 2-2 understanding general properties 2-5 understanding general settings 2-5 with DTLS 2-8 network access resource assigning variable attributes C-12 creating B-4 network information 18-12 new connection statistics 18-14, 18-16 Notice log level 17-6 notification events 18-8 notification messages 18-2, 18-7 See also traps. notifications, SNMP 18-11 NOTIFICATION-TYPE designation 18-11
and iRules D-1 platform information 18-12 policy example B-1 policy-based routing 8-15, 16-11 example 16-13 port numbers 18-8 pre-defined actions 6-3 process check action understanding 9-17 using 9-17 prohibit routing table changes 2-7 protected workspace understanding 9-25, 9-30 protected workspace action using 9-30, 9-39
Q
query commands, defined D-3
R
RADIUS authentication, setting up 11-3, 11-14 rate statistics 18-17, 18-20 read/write access level 18-5, 18-7 read-only access level 18-5, 18-7 redirect ending configuring 7-9 understanding 6-15, 7-8 registry check action and expression syntax for 9-19 specifying registry values 9-19 understanding 9-19 using 9-20 relational operators, listed D-3 release notes 1-24 Remote Network Monitoring See RMON implementation remote system management 18-3 Reporting 17-9 reports displaying 17-9 resource assign action assigning a webtop 5-8 assigning an ACL 5-5 using 8-9 resource group example B-2 resources and access control lists 5-2 configuring B-2 understanding 5-1 restore default customization settings 15-2 RMON groups 18-13 RMON implementation 18-13 RMON-MIB.txt file 18-13 route domain selection action using 16-13
O
object data, SNMP 18-2 object ID definitions, RMON 18-13 object presentation 18-1 object values, SNMP 18-1 OIDs 18-14 Online Certificate Status Protocol and best practices 12-12 using 12-12 online help 1-24 operating system-related events logging 17-4 operators D-3
P
pager notifications, activating 17-2 partitions and virtual servers 14-1 performance metrics, SNMP 18-2, 18-14 persistence Index - 6
Index
route domains understanding 16-11 rule branches adding actions 7-6 rule operators C-3 rule operators, listed D-3 rules and actions in access policies 6-2 and session variables 6-16 and syntax elements C-2 See iRules. understanding 6-6 using C-2 viewing predefined 6-8
S
secure cookie option 7-2 security and client-side checks 9-1 and Web Applications 3-1 server-side checks 7-14 service flow creating 2-16 service names in logs 17-2 session update threshold 2-6 session update window 2-6 session variables and mcget command 16-18 assigning 8-10 definition 6-17 logging in an access policy 8-16 understanding 6-16, C-1 using in access policies 16-17 viewing reference C-4 severity log levels defined 17-6 setting 17-6 SNAT automap and active FTP 2-6 pool 2-5 SNAT information 18-10 SNAT pool setting 2-5 SNMP and syslog 18-9 configuring 18-7 in the Configuration utility 18-4 See also SNMP managers. See SNMP agent. SNMP agent access to 18-4 configuring 18-2 defined 18-1 SNMP client 18-3 SNMP commands
for collecting statistics 18-14 using 18-2, 18-10 SNMP data access control 18-3 SNMP manager functions 18-2 SNMP managers as trap destinations 18-8 defined 18-1 SNMP MIB files See MIB files. SNMP object data 18-2 SNMP tasks 18-1, 18-2 SNMP traps handling 18-2 See also traps. SNMP user access 18-6 SNMP users 18-5 snmpd.conf files and access levels 18-6 for trap configuration 18-8 snmpget command 18-14 software version, finding 1-24 split tunneling and DNS address space 2-7 and exclude address space 2-7 and LAN address space 2-7 defined 2-7 using in network access 2-7 SSL server certificates understanding 12-2 standalone secure access client installing A-16 using to remotely access corporate LAN A-16 standard operators C-2 starting applications from network access 2-11 statement commands defined D-3 static hosts setting on remote computers 2-10 understanding 2-10 statistical data 18-12 statistics and RMON group 18-13 and SNMP 18-11 viewing reports 17-13 status codes in logs 17-2 successful branch 6-10 support and Ask F5 1-24 contacting F5 Networks Technical Support 1-24 system data, SNMP 18-11 system events logging 17-4 system information configuring 18-3
Index - 7
Index
polling for 18-11 system interface monitoring 18-13 system location 18-3 system messages viewing 1-17 system objects, SNMP 18-2 system-initiated changes logging 17-8
in logs 17-2 users See SNMP users. See user accounts. using session variables 16-17, C-10
V
variable assign action understanding 8-10 using 8-10 using to replace configuration variable 16-21 version of software, finding 1-24 virtual keyboard action adding 8-14 virtual server information 18-10 virtual servers and DTLS 14-3 visual policy editor, starting 7-5 VLAN selecting in an access policy 16-11 VLAN gateway using with policy-based routing 16-11 VLAN selection action using 8-15, 16-11
T
task summary for SNMP 18-2 Tcl and logical operators C-3 and namespace sharing 16-19 and rule operators C-3 and standard operators C-2 and validation 16-19 using expr command 16-18 using expression as a rule 16-18 using mcget command 16-18 using to write rules 16-18 Tcl syntax D-2 Technical Support at F5, contacting 1-24 throughput rate statistics 18-14, 18-17, 18-20 timestamps in logs 17-2 Tools Command Language syntax D-2 transaction IDs in logs 17-2 trap destinations configuring 18-3 setting 18-7, 18-8 trap locations 18-10, 18-11 traps configuring 18-3 defined 18-2, 18-7 handling 18-2 identifying 18-11 tree structure 18-1 troubleshooting E-1 two-factor authentication example 16-9
W
Warning log level 17-6 warnings 18-8 web application configure a resource item 3-8 Web Applications and features 3-1 and security 3-1 web applications and network access 3-1 configuring 3-7 configuring minimal patching 3-3 Home tab 3-6 introducing 3-1 webtop 5-8 assigning 5-8 creating 5-8 webtop ending understanding 7-8 Windows antivirus and firewall macro template 7-23 Windows group policy adding templates 9-38 downloading templates 9-38, 9-39 understanding 9-25, 9-34 Windows info action understanding 9-22 using 9-22 Windows logon credentials installer service A-10 specifying that client use A-6
U
UCD-SNMP 18-1 UI mode check understanding 10-5 using 10-6, 10-9 UIE commands, defined D-3 UIE, defined D-1 Universal Inspection Engine, defined D-1 user changes logging 17-7 user names Index - 8