F5 Networks Training

Configuring BIG-IP® APM v11
Access Policy Manager
Student Guide
v1.4.0 (January, 2014)

Configuring BIG-IP® APM v11 Student Guide
Second Printing; January, 2014

This manual was written for BIG-IP® products version 11.4. Some of the features discussed in this course were added with version 11.4, but most of the concepts apply to previous versions of BIG-IP®.

©2013, F5 Networks, Inc. All rights reserved.

Support and Contact Information

Obtaining Technical Support
Web: tech.f5.com (AskF5)
Phone: (206) 272-6888
Email (support issues): support@f5.com
Email (suggestions): feedback@f5.com

Contacting F5 Networks
Web: www.f5.com
Email: sales@f5.com & info@f5.com

F5 Networks, Inc., Corporate Office: 401 Elliott Avenue West, Seattle, Washington 98119; T (888) 88BIG-IP, (206) 272-5555; F (206) 272-5557; Training@f5.com
F5 Networks, Ltd., United Kingdom: Chertsey Gate West, Chertsey, Surrey KT16 8AP, United Kingdom; T (44) 0 1932 582-000; F (44) 0 1932 582-001; EMEATraining@f5.com
F5 Networks, Inc., Asia Pacific: 5 Temasek Boulevard, #08-01/02 Suntec Tower 5, Singapore 038985; T (65) 6533-6103; F (65) 6533-6106; APACTraining@f5.com
F5 Networks, Inc., Japan: Akasaka Garden City 19F, 4-15-1 Akasaka, Minato-ku, Tokyo 107-0052, Japan; T (81) 3 5114-3200; F (81) 3 5114-3201; JapanTraining@f5.com

Legal Notices

Copyright
Copyright 2013, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.
Trademarks
3DNS, Access Policy Manager, Acopia, Acopia Networks, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, Cloud Extender, CloudFucious, CMP, Data Manager, DevCentral, DevCentral [DESIGN], DSI, DNS Express, DSC, Edge Client, Edge Gateway, Edge Portal, EM, Enterprise Manager, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iApps, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, IT agility. Your way., L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Module, MSM, Netcelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, Real Traffic Policy Builder, ScaleN, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, TrafficShield, Transparent Data Reduction, UNITY, VIPRION, vCMP, WA, WAN Optimization Manager, WANJet, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent. All other product and company names herein may be trademarks of their respective owners.

Materials
The material reproduced in this manual, including but not limited to graphics, text, pictures, photographs, layout and the like ("Content"), is protected by United States Copyright law. Absolutely no Content from this manual may be copied, reproduced, exchanged, published, sold or distributed without the prior written consent of F5 Networks, Inc.

Patents
This product may be protected by U.S. patents.
Other patents may be pending. This patent list is complete as of July 2013.

Disclaimer
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.

Table of Contents

Chapter 1: Setting Up the BIG-IP System
  Introducing the BIG-IP System
  Initially Deploying the BIG-IP System
  Creating a Backup of the BIG-IP System
  F5 Support Resources and Tools
  Chapter Resources
  BIG-IP System Setup Labs
  Lab 1.1 - Configure the Management Port
  Lab 1.2 - Activate the BIG-IP System
  Lab 1.3 - Classroom Network Configuration
  Lab 1.4 - Test Access and Archive the Configuration
  Lab 1.5 - AskF5 Research Lab

Chapter 2: APM Traffic Processing
  Virtual Servers and Access Profiles
  APM Configuration Wizards
  Logging Sessions
  Lab 2.1 - APM Configuration Wizard
  Lab 2.2 - Configuration Backup

Chapter 3: APM Access Policies and Profiles
  Access Policies Overview
  Access Policy Branches
  Access Policy Endings
  Configuring Access Policies and Profiles
  Using Webtops
  Exporting and Importing Access Profiles
  Lab 3.1 - Access Policies
  Lab 3.2 - Configuration Backup

Chapter 4: APM Portal Access
  Portal Access Overview
  Configuring Portal Access
  Rewrite Profiles
  SSO and Credential Caching
  Lab 4.1 - Portal Access with Single Sign-On
  Lab 4.2 - Configuration Backup

Chapter 5: APM Network Access
  Network Access Overview
  Configuring Network Access
  BIG-IP Edge Client
  Lab 5.1 - Network Access
  Optional Lab 5.2 - BIG-IP Edge Client
  Lab 5.3 - Configuration Backup

Chapter 6: APM Access Control Lists
  Access Control of Resources Overview
  Access Control Lists
  Lab 6.1 - Access Control Lists
  Lab 6.2 - Layer 7 Access Control Lists
  Lab 6.3 - Layer 4 + 7 Access Control Lists
  Lab 6.4 - Configuration Backup

Chapter 7: APM Application Access & Webtops
  Application Access & Webtops Overview
  Application Access
  Configuring Remote Desktop Access
  Configuring Webtops
  Lab 7.1 - Full Webtop
  Lab 7.2 - Webtop Links
  Lab 7.3 - Application Access Tunnels
  Lab 7.4 - Network Access Optimized Tunnels
  Lab 7.5 - Terminal Services
  Lab 7.6 - Single Sign-on for Terminal Services
  Lab 7.7 - Terminal Services Java Client
  Lab 7.8 - Configuration Backup

Chapter 8: BIG-IP LTM Concepts
  LTM Pools and Virtual Servers
  Monitor Concepts and Configuration
  Secure Network Address Translation (SNAT)
  Lab 8.1 - Virtual Servers, Pools and Monitors
  Optional Lab 8.2 - SNAT Automap
  Lab 8.3 - Configuration Backup

Chapter 9: Web Application Access for LTM
  Web Applications Access for LTM
  Configuring APM and LTM Together
  Profiles
  Profile Types and Dependencies
  Configuring and Using Profiles
  SSL Termination/Initiation
  SSL Profile Configuration
  Lab 9.1 - Web Applications Access for LTM
  Lab 9.2 - Pool Assignment Agent
  Optional Lab 9.3 - Self-Signed Certificates
  Lab 9.4 - Configuration Backup

Chapter 10: APM Macros and Authentication Servers
  Access Policy Macros
  Configuring Access Policy Macros
  Authentication with Access Policy Manager
  RADIUS Server Authentication
  LDAP Server Authentication
  Active Directory Server Authentication
  One-time Password Authentication
  Lab 10.1 - AAA Servers
  Lab 10.2 - Visual Policy Editor Macros
  Lab 10.3 - Active Directory Query
  Optional Lab 10.4 - AD Query and AD Groups
  Lab 10.4 - Configuration Backup

Chapter 11: Client-Side Endpoint Security
  Overview of Client-Side Endpoint Security
  Client-Side Endpoint Security Part 1
  Client-Side Endpoint Security Part 2
  Lab 11.1 - Client-Side Process Check
  Optional Lab 11.2 - Protected Workspaces
  Optional Lab 11.3 - AV and Firewall Checking
  Lab 11.4 - Configuration Backup

Chapter 12: APM Advanced Topics
  General Purpose Actions
  Server Side Checks
  Session Variables
  Introducing Tcl
  Access iRules Events
  Typical APM iRule Use Case
  Configuring Access iRules
  Dynamic ACLs
  Lab 12.1 - Session Variables 1
  Lab 12.2 - Session Variables 2
  Lab 12.3 - iRule
  Lab 12.4 - Pre-defined Redirect iRule
  Lab 12.5 - Dynamic Access Control Lists
  Lab 12.6 - Allow Access Based on Time
  Lab 12.7 - Allow Access Based on Day of Week
  Lab 12.8 - One-Time Password
  Lab 12.9 - Two-Factor Authentication with OTP
  Lab 12.10 - Configuration Backup

Chapter 13: APM Authentication Domains
  Authentication Domain Concepts
  Lab 13.1 - Authentication Domains
  Lab 13.2 - Authentication Domains with SSO
  Optional Lab 13.3 - Web App Access Logout
  Lab 13.4 - Configuration Backup

Chapter 14: SAML and Customization
  SAML Overview
  Customization Overview
  BIG-IP Edge Client
  Advanced Edit Mode Customization
  Lab 14.1 - Customization Tool
  Lab 14.2 - Customized Logon Page
  Lab 14.3 - SAML IdP and SP Services
  Lab 14.4 - Configuration Backup

Chapter 15: APM Configuration Project
  Configuration Project Overview
  Lab 15.1 - Configuration Restore
  Lab 15.2 - Configuration Project

Appendix A - Installation
Appendix B - New Features
Course Slides
Chapter 1: Setting Up the BIG-IP System

Chapter Objectives
After completing this chapter, you will be able to:
• Access the BIG-IP system to configure the management interface
• Activate the BIG-IP system for operation, including licensing and provisioning
• Use the Setup utility to create the classroom lab environment network configuration
• Back up the BIG-IP system configuration for safe-keeping

Introducing the BIG-IP System

Lesson Objectives
At the end of this lesson, you should be able to:
• Articulate the difference between a packet-based design and full-proxy architecture
• Identify the major elements that comprise the BIG-IP system
• Articulate the difference between application traffic and administrative traffic
• Identify the tools that are used to administer the BIG-IP system and describe how to access them

Packet-based vs. Full Proxy Architecture

Packet-based design
A network device with a packet-based (or packet-by-packet) design is located in the middle of communication streams, but is not an endpoint for those communications; it just passes traffic through, as shown in Figure 1.

Figure 1: Packet-based design (a single connection passes between client and server)

A packet-based device does often have some knowledge of the protocols that flow through it, but it is far from being a real protocol endpoint. The speed of these devices is primarily based on not having to understand the entire protocol stack, hence reducing the amount of work needed to handle traffic. Advanced packet-based designs can insert data into streams and modify stream contents, but accomplishing this within the context of a single connection requires sophisticated state tracking engines.

Full Proxy Platform
A full proxy is the opposite of a packet-by-packet design.
Instead of having a minimal understanding of the communications streaming through the device, a full proxy completely understands the protocols, and is itself an endpoint and an originator for the protocols. A full proxy maintains two separate connections, one on the client side and one on the server side, as shown in Figure 2. A full proxy device such as the BIG-IP effectively creates a gap between the two connections, allowing the contents of traffic exchanged over the connections to be viewed and modified to address a wide range of security, performance, and availability issues that are unique to each "side" of the proxy. For example, clients often experience higher latency because of lower bandwidth connections, while servers are generally low latency because they're connected via a high-speed LAN. The optimization and acceleration techniques used on the client side are often very different from those used on the server side because the issues that give rise to performance and availability challenges are vastly different. Or perhaps we'd like to use the BIG-IP system to offload some of the resource-intensive functions that are normally handled by the application servers, such as SSL encryption or data compression. Or suppose we just want to be able to connect a legacy IPv4 network to an IPv6 network.

Figure 2: The BIG-IP system is based on a full proxy architecture (panel labels: view and modify traffic behavior; application data / modified application data; encrypted / unencrypted; compressed / uncompressed; IPv4)

Because the BIG-IP full proxy is an actual protocol endpoint, it fully implements the protocols as both a client and a server. (A packet-based design does not.) This also means the BIG-IP system can have its own TCP connection behavior, such as buffering, retransmits, and TCP options.
A client connecting to the BIG-IP system would likely have different connection behavior than the BIG-IP system might use for communicating with the backend servers. Therefore, the BIG-IP system allows for the optimization of every connection uniquely, regardless of the original source or the final destination.

Deny-by-Default
Some network devices permit all traffic to pass through by default, and then are configured to restrict undesirable traffic. In contrast, remember that the BIG-IP system is a "default deny" system. In other words, when you insert a new BIG-IP system into your network, all traffic is denied to start with. This method provides much tighter security because you must then specifically configure the listeners that will open up the system to traffic processing. Throughout the remainder of this class, we'll examine what these listeners are and how they can be configured to exploit BIG-IP's full proxy capabilities.

What's Inside the BIG-IP System?
The internal architecture of the BIG-IP system is separated into two major functional areas: one that is responsible for traffic management and the other that is responsible for operational management, as illustrated in Figure 3.

Traffic Management
At run-time, when traffic flows through BIG-IP, it all goes through TMOS, a purpose-built operating system designed and built by F5 specifically to support intelligent application delivery services. This "side" of BIG-IP handles traffic management functions, including but not limited to:
• Access control (APM)
• Application security (ASM)
• Compression
• Caching
• iRules
• iControl
• Carrier-grade NAT (CGNAT)
• Network firewall (AFM)
• Application acceleration (AAM)
• Load balancing (LTM)
• DNS services (GTM)
• ISP connection management (Link Controller)

Operational Management
Operational management resides on its own "side" of BIG-IP using off-the-shelf components and software that start with a Linux core. In essence, it's a box within a box.
This "side" of BIG-IP has nothing to do with the actual flow of traffic through BIG-IP aside from configuration. Instead, it provides administrative functionality through the Linux shell (bash), the TMOS Shell (tmsh) and the graphical user interface (GUI).

Figure 3: What's inside the BIG-IP system? (Traffic Management and Operational Management sides)

What's on the Outside of a BIG-IP?

Figure 4: BIG-IP platform front panel

Although the physical layout of each BIG-IP platform is a bit different, they all typically share some common features, as shown in Figure 4. These features include:
1 Management interface
2 USB ports
3 Console port
4 Failover port
5 Indicator LEDs
6 LCD panel
7 LCD control buttons
8 TMM switch interfaces

LCD Panel and LED Indicators
Using the LCD panel and its associated control buttons, you can manage the BIG-IP hardware unit without attaching a console or network cable. For example, you can use the LCD to configure the management port, reboot the BIG-IP system, power the unit on or off, or clear alarms.

Figure 5: LCD panel on a BIG-IP 7000 series application delivery controller

The status LED indicates the operating state of the system:
• Off/no light indicates the system is halted and powered down.
• Green solid indicates the system is running in normal mode. It also indicates if the system is in an Active state in a device group.
• Yellow light indicates the system is running impaired. It also indicates if the system is in Standby state in a device group.
• Yellow blinking indicates the system is not under host computer control (software/hardware problem, EUD, etc.).

The alarm LED indicates system alarm conditions and the severity of the alarm:
• Off/no light indicates no alarm conditions are present, and the system is operating properly.
• Red solid indicates an emergency. The system is not operating, and the condition is potentially damaging.
• Yellow solid indicates an error. The system is not operating properly, but the condition is not severe or potentially damaging.

The power supply LEDs indicate the operating state of the power supplies:
• Green solid indicates the referenced power supply is present and operating properly. It also indicates when the system is in power standby mode.
• Yellow solid indicates the referenced power supply is present but not operating properly.
• Off/no light indicates no power supply is present.

The LED indicators can also be set as the result of user-defined alerts, as contained in the user_alert.conf file on the BIG-IP system. SNMP alerts and traps are discussed later in this course.

Network Connection Entry Points and Traffic Types
The BIG-IP system uses two network connection entry points: the TMM switch interfaces and the management interface (MGMT). The Traffic Management Microkernel (TMM) controls all of the TMM switch interfaces, and the underlying Linux operating system controls the BIG-IP management interface.

The BIG-IP system processes two types of traffic: application traffic and administrative traffic. The management interface processes administrative traffic only. The TMM interfaces can process both application traffic and administrative traffic. These topics are discussed in more detail throughout the course, as are some of the other aspects of the BIG-IP platform hardware previously shown.

Establishing a Connection to BIG-IP
Before you can activate, configure, or manage a BIG-IP system, you typically connect BIG-IP to a management workstation or management network so as to easily perform administrative functions.
There are several ways to gain initial access to the BIG-IP system and configure the management interface, including but not limited to:
• Using the serial console
• Using the LCD panel and control buttons
• Using the management interface at its default IP address

Note: The BIG-IP setup process is covered in detail in the next lesson.

Configuring and Administering BIG-IP
The BIG-IP system offers both graphical user interface (GUI) and command line interface (CLI) tools to configure and administer BIG-IP, so that you can work in the environment where you are most comfortable given the tasks at hand. Once you have completed the initial configuration of BIG-IP, you can continue with more detailed configuration and administration tasks using either CLI tools such as the Traffic Management Shell or tmsh (see Figure 6), or GUI tools such as the Configuration utility, or a combination of the two.

Note: Some functions can only be performed with the CLI; others can only be performed (or are more easily performed) with the GUI. Most functions can be performed using either tool.

Using Command Line Utilities
Depending on your terminal access and user role settings, you can manage the BIG-IP system using command line functions such as the Linux shell (bash), the config utility, and/or the Traffic Management Shell (tmsh). You can use command line tools directly on the BIG-IP system console, or, given appropriate configuration settings, you can connect to the management interface using an SSH client such as PuTTY, Tera Term, or SecureCRT, and run commands.

    Using keyboard-interactive authentication.
    Password:
    Last login: Tue Aug 20 08:53:54 2013 from 192.168.4.30
    [root@bigip4:Active:Standalone] config # tmsh
    root@(bigip4)(cfg-sync Standalone)(Active)(/Common)(tmos)# ltm pool
    root@(bigip4)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm.pool)# create P1 members add {172.16.20.1:80}
    root@(bigip4)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm.pool)# modify P1 members add {172.16.20.2:80 172.16.20.3:80}
    root@(bigip4)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm.pool)# list P1
    ltm pool P1 {
        members {
            172.16.20.1:http {
                address 172.16.20.1
            }
            172.16.20.2:http {
                address 172.16.20.2
            }
            172.16.20.3:http {
                address 172.16.20.3
            }
        }
    }
    root@(bigip4)(cfg-sync Standalone)(Active)(/Common)(tmos.ltm.pool)#

Figure 6: Example of administering BIG-IP using the command line and tmsh

Accessing the Command Line Through the Serial Console
All BIG-IP platforms have serial console access through the port labeled CONSOLE on BIG-IP. The default setting is N-8-1 at 19,200 bps. Prior to initial setup, only the root user has access. After initial setup, the root user still has access and the default administrator user account (admin) has no command line access by default. This can be changed using the CLI or the GUI.

Accessing the Command Line Through SSH
BIG-IP ships with an SSH server that provides authorized users with secure login connections and file transfer over the network. The server uses cryptographic authentication, automatic session encryption, and integrity protection for all transferred data. As part of initial setup, a BIG-IP administrator can choose whether or not to enable SSH access for one or more IP addresses. By default, the root user has SSH access to all command line utilities, and the admin user has no command line access. Other user roles (e.g. Administrator and Resource-Admin) can also be configured to permit SSH access. The maximum access level (Advanced Shell or tmsh) depends on the role.

Accessing the Configuration Utility (GUI)
You can use the Configuration utility (a.k.a. GUI) to manage the BIG-IP system and its configuration objects.
You can also use the Configuration utility to monitor network traffic, current connections, and the operating system itself.

To access the Configuration utility
1. Open a web browser session to https://<address>, where <address> is the BIG-IP system's address. On initial setup this address is the management IP address configured during setup or a self IP address that has port 443 unlocked.
2. When you connect to the Configuration utility, your browser may alert you that the SSL connection is using a secure certificate that is not recognized by a certificate signing authority. This is normal behavior, as BIG-IP creates a self-signed certificate during installation. Accept the certificate.
3. Enter an appropriate username and password, such as the default administrative user (admin). This will open the Configuration utility's Welcome page. (This page is also accessible at any time by clicking the F5 logo in the upper left corner of any Configuration utility page.)

The modules that appear in the Navigation pane vary depending on your license.

Configuration Utility Advantages
There are distinct advantages to using the Configuration utility (GUI) versus the TMOS shell (tmsh) to perform configuration tasks:
• The learning curve is smaller because it is easier to use and more intuitive.
• It minimizes the chances of configuration errors. Input is checked and errors are reported immediately.
• Changes are recorded immediately in BIG-IP's configuration files and are effective immediately on the system. No restarting of BIG-IP processes or manual reloading of configuration files is required, except in the case of provisioning.
• It is easier to access. More people have browsers installed on their workstations than SSH clients.
• For products such as Access Policy Manager (APM), Application Security Manager (ASM), and Enterprise Manager (EM), almost all tasks are performed using the GUI rather than the CLI.

Always-On Management (AOM)
The Always-On Management (AOM) is a separate subsystem on some BIG-IP platforms (not VEs) that provides lights-out management for the BIG-IP system using the 10/100/1000 Ethernet management port over SSH, or using the serial console. Since it operates independently from the BIG-IP host subsystem, AOM allows you to manage aspects of the BIG-IP platform even if the host subsystem is locked up or turned off. If the AOM is reset or fails, the BIG-IP host subsystem continues operation, and there is no interruption to application traffic. The AOM provides the ability to power on/off and restart the BIG-IP host subsystem. The AOM is powered on when power is supplied to the BIG-IP platform; it cannot be turned off.

Access the AOM Command Menu Using the Serial Console
To access the AOM Command Menu using the serial console, connect the serial console to the BIG-IP's CONSOLE port (as described earlier), then type the following key sequence: Esc then ( within 3 seconds. (On US keyboards, ( is the same as Shift-9.) The AOM Command Menu opens as displayed below:

    AOM Command Menu
    1 --- Connect to Host subsystem console
    2 --- Reboot Host subsystem (sends reboot command)
    3 --- Reset Host subsystem (issues hardware reset--USE WITH CARE!)
    4 --- Reset AOM subsystem (issues hardware reset--USE WITH CARE!)
    5 --- Power off Host subsystem (issues hardware shutdown--USE WITH CARE!)
    B --- AOM baud rate configurator
    L --- AOM subsystem login
    N --- AOM network configurator
    P --- AOM platform information

Note: If the BIG-IP Host subsystem is powered off, option 5 changes to Power on Host subsystem.
Accessing the AOM Command Menu Using SSH
Before you can directly access the AOM over the network using an SSH client such as PuTTY or TeraTerm, you must configure an IP address for AOM by running the N --- AOM network configurator command from the command menu, as shown above. The AOM IP address must be different than the BIG-IP management address, but must be on the same IP subnet. Once the AOM has been configured with an IP address, you can open an SSH client on a workstation connected to the management port on the BIG-IP system and type the following commands:

    ssh root@<AOM IP address>
    hostconsh
    Esc then (

(On US keyboards, ( is the same as Shift-9.)

Note: For complete steps to configure the AOM, please see SOL9608: Configuring the AOM so it can be accessed over the network.

Initially Setting Up the BIG-IP System

Lesson Objectives
After completing this lesson, you will be able to:
• Access the BIG-IP system and configure the management interface using the command line
• Use the Setup utility to activate the BIG-IP system for operation, including licensing, provisioning, installing a device certificate, and configuring platform general properties and user administration
• Use the Setup utility to configure the network objects used in support of the classroom lab environment
• Access the Welcome page and the Setup utility from anywhere within the Configuration utility
• Create a UCS backup of the BIG-IP configuration and download it for safekeeping

Initial BIG-IP Setup
There are several steps that are performed to initially set up a BIG-IP device and get it ready to configure for processing application traffic. These steps are summarized in Figure 7.

Figure 7: Summary of the BIG-IP setup process (Access, Activate, Configure)

1. Configure the management interface for administrative access
2. License the BIG-IP system
3. Provision the desired BIG-IP product modules (e.g. LTM, APM, ASM, etc.)
4. Install an appropriate device certificate
5. Configure platform general properties and user administration
6. Configure network elements including VLANs, self IPs, and, optionally, high availability

1. Configuring the Management Interface

Accessing the BIG-IP system
One of the first steps in setting up a BIG-IP system is to configure the management interface (MGMT). The management interface is used by the BIG-IP system to perform system management functions, and is intended for administrative traffic only. It cannot be used for load-balanced traffic. As there are no access controls available on the management interface (except for limiting SSH access), F5 recommends that you limit network access through this interface to trusted traffic. For security reasons, the management interface should only be connected to a secure, management-only network, such as one that uses an RFC 1918 private IP address space. If you do not have a trusted and secure management network, F5 recommends that you do not use the management interface, and that you grant administrative access through the TMM switch interfaces or the local serial console.

There are several ways you can initially access the BIG-IP system to configure the management interface:
• Using a serial console: If you're installing a BIG-IP appliance, you can use a null modem cable or RJ45 console cable (depending on platform model) to connect a management system that is running a terminal emulator program to the BIG-IP console port. If you're installing a BIG-IP VE system, you can use the Console display on your VE management software (such as VMware vSphere).
• Using the LCD panel and associated control buttons: This method applies only if you have physical access to a BIG-IP appliance or VIPRION device. There is no equivalent on BIG-IP VE.
• Using the default management interface - You can reconfigure the management interface by connecting to the Ethernet interface labeled Management (MGMT) to remotely access the command line or the GUI.

F5 ships BIG-IP, VIPRION, and Enterprise Manager systems with default values pre-configured for several platform properties, including the default management port IP address and netmask, and default credentials for accessing the system. These settings are summarized in the tables that follow.

Default IP Addresses

Product | Management Port IP Address/Netmask | Default Route (Gateway)
BIG-IP | 192.168.1.245/24 | None
VIPRION | 192.168.1.246/24 | None

Default Administrative Accounts

Login Type | Username | Password
BIG-IP Configuration utility | admin | admin
BIG-IP command line | root | default

If these settings are not appropriate for your network or security needs, they can and should be changed. We will explore how to change these values in the remainder of this chapter.

Setting the Management IP Address

There are several tools you can use to set the management IP address to something other than the F5 default:

• From the command line via the config command
• From the command line via tmsh commands or a tmsh script
• From the BIG-IP hardware device front panel LCD controls
• From the GUI via the Configuration utility or the Setup utility (after initial deployment)

Configuring the Management IP Address via the Config Command

Establish a connection to BIG-IP using the serial console or an SSH session to the default management IP address (192.168.1.245 for BIG-IP; 192.168.1.246 for VIPRION), and log in as the root user with the password of default. Enter config at the Linux bash prompt (e.g. config # config). You will be asked to enter a management IP address, netmask, and optional default route, and then to confirm your choices.
(See the Configure Management IP Address lab later in this chapter for step-by-step instructions.)

Note: If you are connected to the BIG-IP system via the management IP address and you change this address, you will lose your connection. You must then establish a new connection to the changed management IP address to continue with any other configuration activities.

Configuring the Management IP Address via tmsh

Establish a connection to BIG-IP using the serial console (not the management IP address), and log in as the root user with the password of default. Enter tmsh at the Linux bash prompt. To change the management IP address, enter:

tmsh create /sys management-ip

replacing with the appropriate management IP address and network mask combination.

Note: A BIG-IP system can only have one management IP address assigned to it. The create command changes the existing management-ip address to the new address/netmask specified. We recommend that you do not delete the management IP address using tmsh.

Configuring the Management IP Address via the LCD Panel

You can also configure the management IP address via the LCD panel on BIG-IP. Access the system menu by pressing the red X button, then set the IP address, netmask, and, optionally, the default route. Click Commit to save your settings. (See the Configure Management IP Address lab later in this chapter for step-by-step instructions.)

2. Activating the Software License

After configuring the management interface, you can access the GUI through the management interface, and use the Setup utility to begin activating your BIG-IP system for operation. (Note: You could use the command line instead to perform these tasks, but it is generally considered more complicated than using the GUI.) This next phase begins with a step to activate the license for your BIG-IP system software. The licensing process consists of five basic steps, as illustrated in Figure 8.

Figure 8: Overview of the BIG-IP licensing process

1. Find the Base Registration Key. (Note: A registration key is already pre-populated on F5-shipped BIG-IP hardware devices.)
2. Generate the dossier on the BIG-IP system. The dossier includes the registration key.
3. Send the dossier to the F5 license server at activate.f5.com.
4. Generate the license and send it back to the BIG-IP system.
5. Install the license on the BIG-IP system, finishing the licensing process.

License Activation Methods

Two activation methods are available:

• Automatic licensing can be used when the BIG-IP system has Internet access and can communicate directly with the F5 License Server. (You can temporarily configure such access for automatic activation; it is not necessary for the BIG-IP system to have permanent Internet access.) BIG-IP automatically generates a dossier, transmits it to the F5 License Server at https://activate.f5.com, downloads the generated license from the license server into its configuration folder (config/bigip.license), and activates it.
• Manual licensing is required if the BIG-IP system does not have Internet access, or if you'd like to download the registration key, dossier, and/or license for external storage and safekeeping.

What's Needed to License?

To activate a license for BIG-IP, you will need the following:

Base registration key
The base registration key is a 27-character string that lets the F5 License Server know which F5 products you are entitled to license. The base registration key is preinstalled on all F5 factory-purchased BIG-IP systems and will automatically populate into the Configuration/Setup utility when you carry out the licensing steps. (In this class, you may need to locate and manually enter a Base Registration Key.) The base registration key is in the format:

AAAAA-BBBBB-CCCCC-DDDDD-EEEEEEE

Dossier
A dossier is automatically generated by BIG-IP during the licensing process. It contains encrypted information that identifies your platform to the F5 License Server. Multiple system settings are stored in the dossier, including the base registration key.
Access to the Internet to connect to the F5 License Server
As mentioned previously, if the BIG-IP system is on a network with Internet access, you can have the BIG-IP system carry out the licensing steps automatically. If the BIG-IP system is not connected to the Internet, you must manually carry out the licensing steps.

Note: For complete, up-to-date licensing instructions and troubleshooting tips, please refer to SOL7752: Overview of licensing the BIG-IP system, available at AskF5.com.

You will be manually licensing your BIG-IP system during class, and will have an opportunity to walk through the licensing steps in detail there.

3. Provisioning Modules and Resources

The license you receive from F5 Networks determines what software modules the BIG-IP system will support. The process of allocating CPU, memory, and disk space to licensed software modules is called provisioning, and it gives the application administrator some control over the way BIG-IP apportions these resources to each module. For example, if you're deploying LTM and ASM to serve mostly as your application firewall (as opposed to load balancing traffic), you may want to allocate more resources to ASM than to LTM.

Note: Provisioning is not performed on Enterprise Manager as it runs in a standalone environment, either on its own hardware appliance or as a VE.

Provisioning is an operational management feature that is integral to the initial installation and setup of BIG-IP. Provisioning gives the network administrator limited control over the resources (CPU and RAM) that are allocated to each licensed module. For example, on a BIG-IP that is licensed for both LTM and GTM, you might want to minimize the resources allocated to GTM to give more resources to LTM, as it's usually the bigger workhorse.
With the exception of Enterprise Manager, all modules have some reliance on management (Linux), Traffic Manager Microkernel (TMM), and the user interface (UI), so these elements are always provisioned. Other modules must be manually provisioned.

Provisioning the Management (MGMT) Module

Options for provisioning the Management special module include Small, Medium, and Large. Use Large for configurations containing more than 2,000 objects, or more specifically, for any configuration that exceeds 1,000 objects per 2GB of installed memory.

License Status

The resource provisioning screen on the GUI shows all modules available on the BIG-IP system and an indication of whether the module is licensed or unlicensed in the License Status column. Although you can provision and configure some unlicensed modules, the unlicensed module functionality is not generally active or is active only on a limited basis.

Provisioning Levels

To provision a licensed module, click the checkbox next to the None option in the Provisioning column, then select one of the available pre-defined resource levels, as shown in Figure 9.

• The Dedicated setting specifies that this is the only active module. If you select Dedicated for one module, the system resets other modules to the None setting. The Dedicated provisioning setting is primarily applicable for Application Security Manager (ASM) and other such modules installed in standalone configurations (when no other modules are installed, including Local Traffic Manager).
• Nominal gives the module its minimum functional resources and distributes additional resources to the module only if they are available after all other provisioned modules are enabled. It allocates CPU, memory, and disk space in a way that is applicable for most typical configurations.
• The Minimum setting allocates the least amount of resources required for the module to be enabled. No additional resources are ever allocated to the module during operation.

Note: For more information on how TMM uses CPU and RAM during processing, refer to SOL3242: Overview of BIG-IP Traffic Management Microkernel (TMM) CPU and RAM usage.

Figure 9: Sample Resource Provisioning page in the Configuration utility showing LTM and ASM provisioned

Once you have made and saved your provisioning selections, traffic processing may be briefly interrupted while BIG-IP reloads the configuration.

Note: The BIG-IP Product Matrix is a PDF file that lists the various product modules/features and the platforms that support those modules/features. It can be found in SOL10288: BIG-IP software and platform support matrix. SOL9476: The F5 hardware/software compatibility matrix lists the product software versions supported by F5 hardware platforms.

4. Importing a Device Certificate

In some cases, BIG-IP systems need to exchange SSL certificates and keys in order to verify each other's credentials before exchanging data. For example, multiple BIG-IP systems might need to verify credentials before communicating with each other over a wide area network to collect performance data for global traffic management.
To perform mutual authentication, BIG-IP systems can use either self-signed certificates or CA-signed certificates:

• Self-signed certificates - When you install BIG-IP software, the application includes a self-signed SSL certificate (i.e. created and authenticated by the system on which it resides).
• CA-signed certificates - If your network includes one or more certificate authority (CA) servers, you can replace the self-signed certificate on each BIG-IP system with a CA-signed certificate (i.e. a certificate that is signed by a third party). Authenticating BIG-IP systems using CA-signed certificates is more secure than using self-signed certificates.

After licensing and provisioning are complete, the Setup utility includes an optional step to allow the administrator to import a CA-signed certificate onto the BIG-IP system, replacing the self-signed certificate that was included by default. Import types include certificate/key source pairs or PKCS12 files.

Note: In this course, you will be using the self-signed certificate unless otherwise instructed. For more information on managing SSL certificates for BIG-IP devices, please refer to the chapter entitled SSL Certificates for BIG-IP Devices in the BIG-IP TMOS: Concepts manual available at AskF5.com.

Activation Complete

Once you have completed licensing, provisioning, and installing a device certificate, your BIG-IP system is almost ready to operate. Of course, as a default deny device, the BIG-IP system won't do much of anything until you specifically tell it who it is, where to listen for traffic, and what to do with that traffic when it hears it. This is the time to begin configuring your BIG-IP platform to operate in your application delivery network environment. What this configuration looks like will certainly vary from one shop to another, and frequently from one BIG-IP system to another, depending on the applications that are delivered.
5. Specifying BIG-IP Platform Properties

After licensing and provisioning, the Setup utility provides options for quickly defining (or changing) certain BIG-IP platform properties, including General Properties and User Administration Properties:

• Management IP address, netmask, and/or IP address of the default route
• Host name, host IP address, and time zone
• Passwords for both the default command line interface user (root), also known as the system maintenance account, and the default Configuration utility administrative user (admin)
• IP address (or range of addresses) allowed for SSH access to BIG-IP

You can also configure platform properties in the Configuration utility by navigating to System » Platform.

Management Port Configuration

You have already learned how to configure the management port on the BIG-IP device using the config command from the command line. The management port can also be configured from within the Setup utility, or from the System » Platform area of the Configuration utility, as shown in Figure 10. The management port can be configured manually or automatically (via DHCP).

Note: Effective in version 11.3, configuration of the management port is set to Manual by default on BIG-IP hardware devices, and to Automatic by default on virtual editions.

Figure 10: Configuring the BIG-IP system's platform general properties

When Manual configuration is enabled, you manually configure the management port by assigning an IP address and netmask to the port, as shown in Figure 10.
The IP address that you assign to the management port must be on a different network than the self IP addresses that you assign to VLANs. (VLANs are discussed in more detail in the next lesson.) You can also specify an IP address for the BIG-IP system to use as a default route to the management port.

Note: BIG-IP supports either an IPv4 or an IPv6 address for the management port.

When Automatic (DHCP) configuration is enabled, DHCP uses UDP ports 67 and 68. On first boot, the BIG-IP system contacts your DHCP server and obtains a lease for an IP address and default route for the management port, and DNS and NTP servers. The DHCP lease renews automatically at the configured interval.

Note: If you do not have a DHCP server on your network, and DHCP configuration is enabled, the BIG-IP system assigns a default IP address of 192.168.1.245 to the management port of BIG-IP hardware devices and virtual editions, and 192.168.1.246 to the management port of VIPRION systems.

Host Name

Every BIG-IP system must have a host name that is a fully qualified domain name. In your classroom BIG-IP lab environment, your BIG-IP will have the host name bigipX.f5trn.com (where "X" is your workstation number). The host name is used to identify BIG-IP systems during device group configuration and administration, and also to match UCS files with the BIG-IP system on which they were originally created. (UCS files are covered in detail later in this course.)

Host IP Address

Every BIG-IP system has a host IP address. The default is to use the same address as the management port (Use Management Port IP Address).

Time Zone

Use the Time Zone pull-down to specify the time zone region that most closely represents the location of the BIG-IP system you are configuring. Although it is important to configure this setting, it is more important to ensure that the system time is correctly set to start with.
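The addressing rules stated in this lesson (the AOM address must differ from the management address but share its subnet; the management address must be on a different network from every VLAN self IP; the factory defaults of 192.168.1.245/24 and 192.168.1.246/24 are what the port falls back to) can be checked before anything is typed into config or tmsh. The following Python is an added example, not code from the F5 guide; the platform names, function names and sample addresses are constructed for illustration.

```python
"""Pre-flight checks for a planned BIG-IP management-plane addressing scheme.

Added example, not part of the F5 student guide. It encodes the addressing
rules the guide states as pure functions so an administrator can validate a
plan before running config / tmsh on the device. Platform keys, function
names and the sample addresses in main() are constructed for illustration.
"""
import ipaddress
from typing import Iterable, List, Optional

# Factory defaults from the guide's "Default IP Addresses" table; the same
# values are applied when DHCP is enabled but no DHCP server answers.
FACTORY_DEFAULT_MGMT = {
    "bigip": ipaddress.ip_interface("192.168.1.245/24"),
    "viprion": ipaddress.ip_interface("192.168.1.246/24"),
}

# RFC 1918 space, which the guide recommends for the management-only network.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_aom_address(mgmt: str, aom: str) -> List[str]:
    """The AOM address must differ from the management address but sit in its subnet."""
    m, a = ipaddress.ip_interface(mgmt), ipaddress.ip_interface(aom)
    problems = []
    if a.ip == m.ip:
        problems.append("AOM address must differ from the management address")
    elif a.ip not in m.network:
        # The AOM is reached through the management port, so it has to
        # live in the management subnet.
        problems.append(f"AOM address {a.ip} is outside the management subnet {m.network}")
    return problems


def check_mgmt_vs_self_ips(mgmt: str, self_ips: Iterable[str]) -> List[str]:
    """The management network must not overlap any VLAN self IP network."""
    m = ipaddress.ip_interface(mgmt)
    problems = []
    for s in self_ips:
        si = ipaddress.ip_interface(s)
        # overlaps() is False across address families, so a v6 self IP
        # never collides with a v4 management network (or vice versa).
        if si.network.overlaps(m.network):
            problems.append(f"self IP {si} overlaps the management network {m.network}")
    return problems


def check_mgmt_hygiene(platform: str, mgmt: str) -> List[str]:
    """Flag a management address left at its factory default or outside private space."""
    m = ipaddress.ip_interface(mgmt)
    problems = []
    if m == FACTORY_DEFAULT_MGMT.get(platform):
        problems.append(f"management address {m} is the factory default for {platform}")
    if m.version == 4 and not any(m.ip in n for n in RFC1918):
        problems.append(f"management address {m.ip} is not in RFC 1918 private space")
    elif m.version == 6 and not m.ip.is_private:
        # The management port also accepts IPv6; treat anything outside
        # ULA / special-use space as not management-only.
        problems.append(f"management address {m.ip} is not a private IPv6 address")
    return problems


def validate_plan(platform: str, mgmt: str, aom: Optional[str] = None,
                  self_ips: Iterable[str] = ()) -> List[str]:
    """Run every check and return the combined findings (an empty list means OK)."""
    findings = check_mgmt_hygiene(platform, mgmt)
    if aom is not None:
        findings += check_aom_address(mgmt, aom)
    findings += check_mgmt_vs_self_ips(mgmt, self_ips)
    return findings


if __name__ == "__main__":
    # Constructed classroom-style plan: management and AOM on a dedicated
    # RFC 1918 network, VLAN self IPs on two other networks.
    good = validate_plan("bigip", "192.168.1.31/24", aom="192.168.1.32/24",
                         self_ips=["10.10.1.31/24", "172.16.20.31/24"])
    print("good plan:", good or "no findings")

    # Constructed bad plan: factory default left in place, AOM in the wrong
    # subnet, and a self IP sitting on the management network.
    bad = validate_plan("viprion", "192.168.1.246/24", aom="10.0.0.5/24",
                        self_ips=["192.168.1.50/24"])
    for finding in bad:
        print("finding:", finding)
```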
The BIG-IP system uses two clocks to track time:

• The hardware clock tracks time even when the system is unplugged, and is used to initialize the operating system clock when the system is booted.
• The operating system clock is a software clock that is available when the system is running. This clock stores time according to the local time zone that you configured when you initially set up the system.

Once the date and time have been set to a roughly accurate value, F5 recommends that you set up the BIG-IP system to keep its clock synchronized with an NTP server. NTP servers can be added to the BIG-IP system later using either the Configuration utility or the command line. The hardware clock can be initially set using the command line.

Note: For more information on configuring the BIG-IP system to use an NTP server, see SOL13380: Configuring the BIG-IP system to use an NTP server from the command line or SOL3122: Using the BIG-IP Configuration utility to add an NTP server.

User Administration Properties

BIG-IP platform properties also include the credentials for the default administrative accounts, and the IP addresses that will be allowed to access the BIG-IP management through SSH, as shown in Figure 11.

Figure 11: Configuring root and admin user credentials, and enabling SSH access to the management interface for all IP addresses

Administrative Account Passwords

The BIG-IP system ships with two default administrative accounts, root and admin. The root account has full command line access but no GUI access to the BIG-IP system. By default, the admin account has GUI access to all functions on the BIG-IP system, but no command line access. (This can be changed later on.)
During initial BIG-IP deployment using the Setup utility, you are prompted to enter and confirm new passwords for both the root and admin accounts. In doing so, you will be logged out and then asked to log back into the BIG-IP system. Upon logging back in, you should be returned to the next Setup utility page.

You can also use System » Platform (in the GUI) to change the default passwords for the root and admin accounts after initial deployment, and are encouraged to do so on a regular basis to comply with password policies, standards such as PCI compliance, or other security policies appropriate to your organization.

Note: You are not required to have any user accounts other than the root and admin accounts, and the root account is not present if the BIG-IP device is running in appliance mode. F5 recommends that you create other user accounts as a way to intelligently control administrative access to system resources. (User administration is covered later in this course.) F5 also recommends that you change all user passwords on a regular basis for security purposes. If you lose or forget the root account password, you can reset it without reinstalling the system software. See SOL13121: Changing system maintenance account passwords (11.x).

Controlling SSH Access

Administrative access to the BIG-IP system through the management port using an SSH client can be controlled through the SSH Access and SSH IP Allow settings. When SSH Access is disabled, no SSH access to the BIG-IP system's management interface is permitted. When enabled, SSH access can be granted to all IP addresses (* All Addresses in the SSH IP Allow pull-down) or limited to selected IP addresses (Specify Range in the SSH IP Allow pull-down).

Note: You can also restrict access to the Configuration utility (GUI) by source IP address. See SOL13309: Restricting access to the Configuration utility by source IP address for more information.
6. Configuring the Network

After configuring your BIG-IP platform's General and User Administration Properties, you will almost certainly go on to define the network configuration objects that allow the BIG-IP system to integrate into your application delivery network, including defining virtual LANs (VLANs) and self IP addresses. Optionally, you may also want to set up the BIG-IP system to participate in a high availability configuration, called a device service cluster in F5 terminology. This includes defining settings for ConfigSync operations, failover, and mirroring, and perhaps even configuring a redundant pair of BIG-IP devices.

The BIG-IP system offers several options for configuring these settings:

• Using the Standard Network Configuration wizard (part of the Setup utility)
• "Do-it-yourself" using normal Configuration utility functions (referred to as Advanced Network Configuration in the Setup utility)
• Using an iApp that automatically deploys the desired network configuration objects and perhaps even application-specific configuration objects such as virtual servers, pools, and profiles
• Running a tmsh script that creates the desired configuration objects
• Using your own iControl user interface
• Using a combination of the above

Note: In this class, we will be using the Setup utility to create the BIG-IP configuration objects that support the classroom network environment.

Standard Network Configuration

The Standard Network Configuration screens in the Setup utility can be used to:

• Configure basic network components including the TMM switch interfaces, VLANs and self IPs.
• Configure a standard Active/Standby pair including settings for ConfigSync, failover, and mirroring, as well as peer discovery.
The TMM switch interfaces on the BIG-IP system are the physical ports that connect the BIG-IP system to other devices on the network, such as routers, hubs, switches, destination servers, etc., and process application traffic. Through its interfaces, the BIG-IP system can forward traffic to or from other networks. The exact number of interfaces depends on the platform type.

A virtual LAN or VLAN is a way of logically partitioning a physical network so that distinct broadcast domains are created. Hosts can be grouped by a common set of requirements regardless of their physical location.

A self IP address is an IP address/netmask combination on the BIG-IP system that you associate with a VLAN to allow the BIG-IP system to access hosts in that VLAN. By virtue of its netmask, a self IP address represents an address space, that is, a range of IP addresses spanning the hosts in a VLAN, rather than a single host address. You associate one or more self IP addresses with a VLAN to create a distinct broadcast domain, a logical subset of a physical network that is independent of the physical network topology.

Note: We will cover VLANs and self IPs in more detail throughout the remainder of this course.

Ready for Application Traffic Configuration

Once you have completed configuring your BIG-IP system for administrative access, and to participate in your network environment, you're ready to configure it to listen for and process application traffic. The Welcome page is the default landing page when signing into a licensed and provisioned BIG-IP system. This can be changed by modifying the Start Screen setting under System » Preferences.

Welcome Page

The Configuration utility's Welcome page contains a variety of useful information, as shown in Figure 12. Use the objects in the Navigation pane to navigate to pages where configuration and administration tasks can be performed.
Use the links on the Welcome page to perform additional setup tasks, change your system preferences for the Configuration utility, or link to F5's online support sites such as AskF5 and DevCentral. You can usually access the Welcome page by clicking on the F5 logo in the upper left corner of each Configuration utility page. (This can change depending on where you are in the GUI and what your BIG-IP's preferences are set to.) The contents of the Welcome page are also shown in the About tab.

Figure 12: BIG-IP Welcome page

Accessing the Setup Utility After the System is Licensed

You can access the Setup utility even after the system is licensed and configured. Navigate to the Welcome screen by clicking on the F5 logo from most anywhere within the Configuration utility (or click the About tab). Scroll down and click on the Run the Setup Utility link.

Context Sensitive Help

The Configuration utility provides context sensitive help on each screen, with descriptions of each control and setting shown in the body. Depending on the hardware you have and the settings you configure, you may see only some of the body area's elements described in the Help panel. To access a screen's Help content, click the Help tab at the top of the navigation pane, as shown in Figure 13.

Launch Button
The Launch button launches the Help display in a separate browser pop-up window which can then be moved around on your monitor display. Your browser settings must permit pop-up windows in order for this function to work properly.

Print Button
Use the Print button to obtain a printable copy of the contextual help for the screen.

Expand and Collapse Buttons
Click the Expand button to expand all the help major topics. After clicking Expand, the Collapse button will appear. Clicking Collapse collapses all the help major topics.
You can also click a specific help topic heading (e.g. "License Type" or "Licensed Date", as shown in the figure to the right) to expand or collapse that particular topic.

Figure 13: Context sensitive help can be obtained by clicking the Help tab

Setting Menu Options

You can customize your Configuration utility experience using the options available from the cog pull-down that appears at the left of the menu bar area on each page. (See Figure 14.)

Show Compact Menus

The Show compact menus option controls the way the objects will appear in the navigation pane. When turned off, a gray bar will appear at the left of the Show compact menus selection in the pull-down, and the objects in the navigation pane will be longer and include both a title and a description of the functionality provided (e.g. Local Traffic - Control the delivery of application traffic for a local area network). When turned on, a green bar will appear at the left of the selection in the pull-down, and the navigation area objects on the far left will contain a title only (e.g. Local Traffic).

Figure 14: Click the widget icon to open selections for setting menu options

Auto-Close Menus

When Auto-close menus is turned on, any open major configuration object in the navigation pane will automatically collapse before another object is opened. When Auto-close menus is turned off, any major configuration object you open in the navigation pane will stay open, even when you click another object. You must manually close an object by clicking on its title.

Creating an Archive of the BIG-IP System

Lesson Objectives

After completing this lesson, you will be able to:

• Use the Configuration utility to create an archive of BIG-IP system configuration data

Note: BIG-IP configuration backup files are covered in more detail later in this course.

Understanding Archives

As you administer the BIG-IP system using any of the available tools, you create configuration data that consists of system and network definitions, such as VLANs, self IPs, and administrative user accounts, as well as application traffic elements, such as virtual servers, pools, and profiles. Once you have created this configuration data, you may wish to save it to use for backing out a change, disaster recovery, or even as a way to propagate data to other systems.

We will cover BIG-IP archives in more detail in the chapter entitled Traffic Management Shell (tmsh) and Managing the BIG-IP Configuration. In the meantime, it's important that you at least understand how to create an archive so that you can regularly back up your BIG-IP systems before and after each lab, should you so desire.

Using the Archives Feature

BIG-IP configuration data can be backed up to a User Configuration Set (UCS) archive file. By default, the UCS archive contains all files required to restore your current configuration, including system-specific configuration files, product licenses, user accounts and password information, DNS zone files, and installed SSL keys and certificates.

Creating a New Archive Using the Configuration Utility

To create a new UCS archive, navigate to System » Archives and click on the Create button. Give the archive a name and click the Finished button to save the archive, as shown in Figure 15. By default, BIG-IP saves the UCS archive file with a .ucs extension and places the file in an archive directory whose path is /var/local/ucs.
1:26 Configuring BIG-IP APM v11 Chapter 1 - Setting Up the BIG-IP System 1:27 SR CLMeN Git eneeaea General Properties | File Name Encryption Disabled ¥ Private Keys Include ¥ Reece ed Version | BIG-IP 11.4.0 Build 2384.0 Figure 15: Creating @ UCS archive using the Configuration utilty Note: For more information on backing up and restoring BIG-IP configuration files and transferring archives to a secure location, see SOL13132: Backing up and restoring BIG-IP configuration files (11.x) and SOL178: Transferring files to or from an FS system Configuring BIG-IP APM v14 127 1-28 Chapter 1 - Setting Up the BIG-IP System. F5 Support Resources and Tools Lesson Objective: ‘At the end of this lesson, you will be able to: ‘© Describe online FS resources that provide help and support services for BIG-IP products AskF5.com Product Manuals and Release Notes penal cea — 2 > Stem seats oo a oe | New Rteases eee | exo cru ve. an, 9, ass, ome Pre AL a [is ee een sacameee Version [ALLE] | extarpise Manaper 24 fom bec At 2 | ase EN | 0 ream | Diagnostics and Firmware Recent Additions and Updates | View Al Uparedes se grasa 2 ang ba cman so. powtogane crssaiwciaipamesimcsoemene TTT eects 50.1969 cing adeve gaupunhsihe Tame napenet sist Half Information Figure 16: AskF6.com provides a centralized starting point for locating information that relates to BIG-IP system administration and supports Need access to the latest product updates? Looking for product guides, release notes, solutions to known issues, and how-to information? AskF5 is a complete, easy-to-use storehouse for thousands of solutions to help you manage your FS products more effectively. 1-28 Configuring BIG-IP APM v11 Chapter 1 - Setting Up the BIG-IP System 1-29 Whether you want to search the knowledge base periodically to research an issue, or you need the most. 
recent news on your F5 products, AskF5 is your source for:

• Product manuals and release notes
• Hotfix information
• F5 announcements
• Product lifecycle information
• General solutions
• BIG-IP Edge Apps for iPhone, iPad, iPod Touch
• Known issues
• Procedures for contacting F5 Support
• Security advisories
• Links to software, hotfix, patch, and other file downloads
• Best practices
• Links to licensing tools
• Diagnostic and firmware upgrades
• Initiating a customer support case

You can also sign up for regular AskF5 updates, including:

• Weekly TechNews e-mail that outlines product and hotfix releases, updated and new solutions, and new feature notices
• E-mail alerts for security notices
• AskF5's RSS feed that keeps you informed of new product developments for your BIG-IP versions

BIG-IP Version Support

The F5 hardware/software compatibility matrix is your best source for information about product versions and the latest SCCP, AOM, and EUD versions supported by F5 hardware platforms. This table shows each F5 platform and chassis marketing name (e.g. BIG-IP 4200v, BIG-IP 10200v, VIPRION 4800/S100), the platform type, the BIG-IP software versions supported by the platform, the latest version of SCCP/AOM firmware supported by the platform, and the latest version of EUD supported by the platform. We'll cover SCCP/AOM and EUD later in this class.

Note: See SOL9476: The F5 hardware/software compatibility matrix for more details.

AskF5 Knowledge Base

Use the AskF5 Knowledge Base as your first resource when you need help. AskF5 solutions are available whenever you need them and include the most up-to-date information available from F5.

Preventive and Corrective Issues Management

Step-by-step instructions, downloads, and links to additional resources give you the means to solve issues quickly and without delay. Because you can search by product, version, and document type, in addition to keywords, it is easy to find the answers you need.
For more complex queries, you can narrow your search using Boolean operators (AND and OR) and Lucene search mode (to modify the way the search engine interprets special characters for wildcard, fuzzy, and proximity searches).

AskF5 provides resources for you to address potential issues before they become reality. In addition to standard searches to find information, you can select a specific product to see all documents related to that product, read release notes, access product manuals, and view the most requested solutions for the product.

Documented known issues are posted to AskF5 between release dates so you can implement solutions right away. If vulnerabilities are discovered in a BIG-IP component, F5 will send a security email alert. The email alert will point you to the security advisory, which will specify which products are affected, describe the vulnerability, explain risks associated with running an affected version, and provide available hotfix information.

AskF5 RSS feeds are an excellent way to stay informed about new documents specific to your F5 products and versions. The AskF5 Recent Additions page, which is published over RSS, provides an overview of recently added or updated documents. You can configure feeds that pertain to specific products, product versions, and document sets. You can also aggregate multiple feeds in your RSS reader to display one unified list of all selected documents.
Document Categories

The AskF5 Knowledge Base is divided into several document types:

Figure 17: AskF5 Knowledge Base document categories

Searching for Information

AskF5's Advanced Search functionality provides additional granularity when specifying search criteria. For example, a series of selections can be used to filter the results produced by a keyword search. These include:

• Product - Limits the search to a specific F5 product
• Version - When a Product filter is specified, further limits the search to a particular version of the selected product
• Document type - Limits the search to a particular document type (e.g. Release Notes, Manuals, Best Practice, Known Issue, Security Advisory, General Solution)
• Publication date - Limits the search to documents published within a particular time frame (e.g. week, month, three months, year, two years)
• Updated date - Limits the search to documents last updated within a particular time frame (e.g. week, month, three months, year, two years)

Sign Up for AskF5 Mailing Lists

Security Updates

Receive timely security updates and ASM attack signature updates from F5. When remote vulnerabilities are discovered, F5 implements, tests, and releases security hotfixes for any vulnerable supported version, and sends an email alert to the F5 Security mailing list. F5 encourages customers with an active support account to subscribe to this list. For more information, see SOL4602: Overview of the F5 security vulnerability response policy.

To sign up for the Security mailing list, click Mailing Lists in the left navigation panel of the AskF5 Knowledge Base.
TechNews

AskF5 provides two formats for their TechNews email publications:

• Weekly HTML TechNews - The weekly TechNews HTML email includes timely information about known issues, product releases, hotfix releases, updated and new solutions, and new feature notices.
• Periodic plain text TechNews - F5 sends a timely TechNews email any time a product or hotfix is released. This information is always included in the next weekly HTML TechNews email.

To sign up for the TechNews mailing lists, click Mailing Lists in the left navigation panel of the AskF5 Knowledge Base.

RSS Feed

Use F5 RSS feeds to stay informed about new documents pertaining to your installed products, or products of interest. AskF5's Recent Additions page provides an overview of all the documents recently added to the knowledge base. Recent Additions is also published over RSS to provide additional configurability. You can configure feeds that pertain to specific products, product versions, and/or document sets. You can also aggregate multiple feeds in your RSS reader to display one unified list of all selected documents.

To sign up for RSS feeds, click the Recent Additions tab at AskF5.com.
After you plug the feeds into the RSS reader of your choice, you are automatically informed whenever relevant documents are published, including known issues, security advisories, best practices, general solutions, manuals, and release notes.

Chapter Resources

Solution Number   Solution Title
SOL7683           Connecting a serial terminal to a BIG-IP system
SOL2595           Activating and installing a license file from the command line
SOL13132          Backing up and restoring BIG-IP
SOL10288          BIG-IP software and platform support matrix
SOL3782           Finding the serial number or registration key of your BIG-IP system
SOL12815          Overview of Appliance mode
SOL13242          Overview of BIG-IP Traffic Management Microkernel (TMM) CPU and RAM usage
SOL7312           Overview of the management port
SOL13284          Overview of management interface routing
SOL13148          Overview of default management access settings for F5 products
SOL7752           Overview of licensing the BIG-IP system
SOL13369          Performing a first-time configuration from the command line (11.x)
SOL13127          Restoring the BIG-IP configuration to factory default settings (11.x)
SOL9476           The F5 hardware/software compatibility matrix
SOL175            Transferring files to or from an F5 system
SOL9245           Verifying that a BIG-IP license is valid
SOL13250          Overview of port lockdown behavior (10.x-11.x)
SOL12352          Datasheets for F5 hardware platforms
SOL3122           Using the BIG-IP Configuration utility to add an NTP server
SOL3381           Setting the time and date on the BIG-IP system
SOL13380          Configuring the BIG-IP system to use an NTP server from the command line (11.x)
SOL13092          Overview of securing access to the BIG-IP system
SOL5380           Specifying allowable ranges for SSH access
SOL13418          Archiving UCS files using the logrotate and crontab utilities (11.x)
SOL9403           Overview of the Always-On Management (AOM) subsystem
SOL9608           Configuring the AOM so it can be accessed over the network
SOL2200           Most recent versions of F5 software
SOL8986           F5 software life cycle policy
SOL9957           Creating a custom RSS feed to view new and updated documents

BIG-IP System Setup Labs

The BIG-IP System Setup Labs are divided into several sections, as follows:

Lab 1.1 - Configure the Management Port
Lab 1.2 - Activate the BIG-IP System (License, Provision, Device Certificate)
Lab 1.3 - Classroom Network Configuration
Lab 1.4 - Test Access and Archive the Configuration
Lab 1.5 - AskF5 Research (if Internet access)

Estimated Time for Completion: 48 minutes

Note: For all labs, when an "X" is listed in lab instruction steps, please substitute your lab station number instead. For example, for lab station 1, the IP address shown as 192.168.X.31 in the lab instructions would be entered as 192.168.1.31 when carrying out the instruction. A password specified as "rootX" in the instructions would be entered as root1.

Important: If using Firefox as your browser throughout these labs, please do NOT permanently accept any certificate exceptions when accessing the BIG-IP system.

Lab Preparation Tasks

Verify Workstation IP Addresses are Properly Configured

If possible, your workstation should be configured with two IP addresses in order to access the BIG-IP system simultaneously through the management IP address (192.168.X.31) and the external self IP address (10.10.X.31). The steps below are generally applicable for a Windows 7 environment. If you are using a different operating system and/or are unfamiliar with how to configure multiple IP addresses, please consult with the instructor.

1. Open the Windows Control Panel.
2. Select Network and Internet (may also be Network Connections).
3. Click View network status and tasks.
4. Click Local Area Connection.
5. Click the Properties button.
6. Double-click Internet Protocol Version 4 (TCP/IPv4).
7. Select the radio button next to Use the following IP address and configure the following settings:
   a.
IP address: 192.168.X.30
   b. Subnet mask: 255.255.0.0
   c. Default gateway: Leave blank or as provided by your instructor
8. Click the Advanced button to add a second IP address.
9. In the Advanced TCP/IP Settings window, click the Add button under the IP addresses area and configure the following:
   a. IP address: 10.10.X.30
   b. Subnet mask: 255.255.0.0
   c. Default gateway: 10.10.17.33 (or as provided by your instructor)
10. Select the radio button next to Use the following DNS server addresses and set Preferred DNS server to 10.10.17.53 (or as provided by your instructor).
11. As necessary, click OK to close all network configuration windows and save your changes.

Note: If you cannot configure your PC to have more than one IP address, start with the 192.168.X.30/16 address and then switch to the 10.10.X.30/16 address after the BIG-IP system has been licensed, initially set up, and a standard network configured.

Continue with Lab 1.1: Configure the Management Port

Lab 1.1 - Configure the Management Port

Lab Objectives

• Configure the IP address and network mask for the BIG-IP management port

Lab Requirements

• For classrooms with BIG-IP hardware devices, serial console access to the BIG-IP system or physical access to the BIG-IP device if using the LCD option
• For classrooms with BIG-IP VEs, access to the preconfigured management port (192.168.X.31) to rerun the config command, if desired.

Configure the Management Port

Note: Your instructor will tell you which method you will be using to configure your BIG-IP system's management port. Run only one of the following, as indicated by your instructor.

A: Configure the management port via the MGMT port (pages 1-36 through 1-38), or
B: Configure the management port via a serial console (pages 1-39 through 1-41), or
C: Configure the management port via the LCD panel (page 1-42)

A: Configure the Management Port via the MGMT Port

1.
Gain access to the BIG-IP system's management port. Open an SSH session using PuTTY (or other SSH client) to the preconfigured management port IP address 192.168.X.31, where "X" is your station number.
2. When prompted to log into the BIG-IP system, enter root for the username and default for the password.
3. At the config # prompt, enter the command: config

Note: Use the <Tab> key to tab between fields and options in the config tool. Use the <Backspace> and/or <Delete> keys to remove field content. Use the <Enter> key to select an option (such as "OK" or "Next"). You can also select an option by moving the mouse cursor over a particular option (such as "OK" or "Next") and clicking.

Start the Configuration Process

4. Start the process of configuring the management port. On the Configuration Utility panel, as shown below, press the <Enter> key to select the OK option.

Select Manual Configuration of the IP Address

5. On the Configure IP Address panel, as shown in the example below, ensure the No option is highlighted (to bypass automatic configuration of the IP address) and press the <Enter> key. (If the No option is not already highlighted, use the <Tab> key to tab to it before pressing the <Enter> key.)

IMPORTANT: Do NOT select the Yes option shown in the panel below or you may inadvertently reset your BIG-IP device to its default IP address and netmask, rendering it inaccessible. Alert your instructor immediately if you inadvertently do so.

(Configure IP Address panel: "Use automatic configuration of IP address?"; Current IP Address: 192.168.X.31; Current Netmask: 255.255.0.0; Default Route: blank; options < Yes > / < No >)

Set the IP Address to 192.168.X.31

6. On the Configure IP Address panel, as shown in the example below, use the <Backspace>, <Delete>, and/or arrow keys to change the IP address to 192.168.X.31, where "X" is your station number. After changing the IP address, press the <Tab> key to highlight the OK option, then press the <Enter> key to continue.

(Configure IP Address panel: IP Address 192.168.X.31)

Set the Netmask to 255.255.0.0

7.
On the Configure Netmask panel, as shown in the example below, set the netmask to 255.255.0.0. After changing the netmask, press the <Tab> key to highlight the OK option, then press the <Enter> key to continue.

Set No Default Route

8. When prompted to create a default route for the management port, select the No option and press the <Enter> key to continue, as shown in the example below. In our classroom environment, no default route is required.

Confirm the Management Port Configuration

9. On the Confirm Configuration panel, ensure that your settings are correct, as shown in the table below, then select the Yes option and press the <Enter> key to complete the configuration. If the options are not correct, select the No option and rerun the config command. (See earlier steps.)

IP Address   192.168.X.31
Netmask      255.255.0.0

Skip forward to Lab 1.2: Activate the BIG-IP System

B: Configure the Management Port via a Serial Console

Note: Do not do these steps if you already completed A: Configure the Management Port via the MGMT Port. Skip forward instead to Lab 1.2: Activate the BIG-IP System.

1. Gain access to the BIG-IP system's serial port.
   a. For classes using serial cables, connect a null-modem cable between the BIG-IP device and a VT-100 emulator. The serial settings should be N-8-1 at 19,200 bps.
   b. For classes using serial terminal emulators, open an SSH session using PuTTY (or other SSH client) to the serial console IP address provided by your instructor. This should connect you to the serial port of your BIG-IP system. You may need to log into the console server before logging into the BIG-IP system in the next step.
2. When prompted to log into the BIG-IP system, enter root for the username and default for the password.
3. At the config # prompt, enter the command: config

Note: Use the <Tab> key to tab between fields and options in the config tool. Use the <Backspace> and/or <Delete> keys to remove field content. Use the <Enter> key to select an option (such as "OK" or "Next").
You can also select an option by moving the mouse cursor over a particular option (such as "OK" or "Next") and clicking.

Start the Configuration Process

4. Start the process of configuring the management port. On the Configuration Utility panel, as shown below, press the <Enter> key to select the OK option.

Select Manual Configuration of the IP Address

5. On the Configure IP Address panel, as shown in the example below, ensure the No option is highlighted (to bypass automatic configuration of the IP address) and press the <Enter> key. (If the No option is not already highlighted, use the <Tab> key to tab to it before pressing the <Enter> key.)

IMPORTANT: Do NOT select the Yes option shown in the panel below or you may inadvertently reset your BIG-IP device to its default IP address and netmask, rendering it inaccessible. Alert your instructor immediately if you inadvertently do so.

Set the IP Address to 192.168.X.31

6. On the Configure IP Address panel, as shown in the example below, use the <Backspace>, <Delete>, and/or arrow keys to change the IP address to 192.168.X.31, where "X" is your station number. After changing the IP address, press the <Tab> key to highlight the OK option, then press the <Enter> key to continue.

Set the Netmask to 255.255.0.0

7. On the Configure Netmask panel, as shown in the example below, set the netmask to 255.255.0.0. After changing the netmask, press the <Tab> key to highlight the OK option, then press the <Enter> key to continue.

Set No Default Route

8. When prompted to create a default route for the management port, select the No option and press the <Enter> key to continue, as shown in the example below. In our classroom environment, no default route is required.

(Management Route panel: "Do you want to create a default route for the management port? This is required if you want to connect to the management port from another subnet."; options < Yes > / < No >)

Confirm the Management Port Configuration

9.
On the Confirm Configuration panel, ensure that your settings are correct, as shown in the table below, then select the Yes option and press the <Enter> key to complete the configuration. If the options are not correct, select the No option and rerun the config command. (See earlier steps.)

IP Address   192.168.X.31
Netmask      255.255.0.0

Skip forward to Lab 1.2: Activate the BIG-IP System

C: Configure the Management Port via the LCD Panel

Note: Do not do these steps if you already completed A: Configure the Management Port via the MGMT Port or B: Configure the Management Port via a Serial Console. Skip forward to Lab 1.2: Activate the BIG-IP System instead.

This lab can only be carried out if your classroom environment includes BIG-IP hardware devices. All steps are done using the buttons to the right of the LCD display on the front of the BIG-IP device itself. The arrow buttons are used for navigation. The checkmark button is used to make a selection or to save a setting.

1. Press the red X button to start the configuration process.
2. Using the up/down arrows, navigate to the System menu and press the green check mark button to select it.
3. Navigate to the Management menu and press the green check mark button to select it.
4. Navigate to the IP Address menu and select it.
5. Navigate to the IP Address field and select it.
6. Using the up and down arrow keys to increment/decrement the values in each octet, enter the IP address as 192.168.X.31, where "X" is your station number. Press the green check mark button to save your setting.
7. Navigate to the Netmask field and select it.
8. Enter the netmask as 255.255.0.0 and save your setting.
9. Use the down arrow to navigate to the Commit menu and select it.
When you see the OK menu blinking, click the green checkmark button.

Continue with Lab 1.2: Activate the BIG-IP System

Lab 1.2 - Activate the BIG-IP System

Lab Objectives

Ensure the BIG-IP system:

• Is properly licensed and provisioned for configuration and operation
• Has a self-signed SSL certificate installed for operation
• Has a valid host name, and updated root and admin user credentials

Lab Requirements

• Access to the BIG-IP system's base registration key
• Access to the Internet or to the BIG-IP system's license file
• Network access to the BIG-IP system's management port

Activate the BIG-IP System

Note: Your instructor will tell you which method you will be using to activate your BIG-IP system, including licensing, provisioning, and device certificate setup. Two methods are available and instructions for each have been provided in the lab steps that follow. You should run only one set of steps, as outlined below and as indicated by your instructor. Run either:

A: Activate a Licensed BIG-IP System (pages 1-44 through 1-45), or
B: Activate an Unlicensed BIG-IP System (pages 1-46 through 1-48)

A. Activate a Licensed BIG-IP System

Provision Your BIG-IP System

1. Open a browser session to https://192.168.X.31, where "X" is your station number. BIG-IP ships with a self-signed SSL certificate. If your browser asks you to, accept the certificate (not permanently, if using Firefox) and log in with username admin and password admin.
2. On the resulting Welcome page, click the Run the Setup Utility link that appears in the Setup area of the page. You may need to scroll down to find it.
3. On the subsequent Setup Utility » License page of the Setup utility, click the Next button to continue.
4. On the subsequent Setup Utility » Resource Provisioning page of the Setup utility, provision your BIG-IP system, as shown below.

   Setup Utility » Resource Provisioning
     Management (MGMT)           Small
     Carrier Grade NAT (CGNAT)   Disabled
     Local Traffic (LTM)         Nominal
   When complete, click...
Next

Note: Your BIG-IP may produce a warning message that certain system daemons may restart, causing your session to wait for a minute or so. This is normal behavior when changing provisioning settings.

Accept the BIG-IP Self-Signed Device Certificate

5. After provisioning is complete, you should be taken to the Device Certificates page in the Setup utility. We will be using the BIG-IP system's self-signed certificate in class. Note the expiration date for the certificate for possible later discussion, and click the Next button to continue the Setup utility.

Configure User Administration

6. Configure host name, time zone, and administrative access usernames/passwords. Remember to substitute your station number for "X." Some fields may already contain the correct values.

   Setup utility
   General Properties section
     Management Port Configuration   Click the Manual radio button
     Management Port                 IP Address[/prefix]: 192.168.X.31
     Host Name                       bigipX.f5trn.com
     Host IP Address                 Use Management Port IP Address
     Time Zone                       Set to your classroom's local time zone
   User Administration section
     Root Account                    Password: rootX    Confirm: rootX
     Admin Account                   Password: adminX   Confirm: adminX
     SSH Access                      Enabled
     SSH IP Allow                    All Addresses
   When complete, click...           Next, then OK

Note: You are changing the passwords for the root and admin accounts, not creating new accounts. Since you are currently logged in using the admin account, you may need to log back in again with your new password.

7. Log back in to BIG-IP as user admin with password adminX. You should be taken directly to the Setup Utility » Network page. If the page does not load entirely (parts of it are blank), try clicking on any visible tab (such as Main or About), hard-refresh your browser page (Ctrl-F5) or, worst case scenario, restart your browser and connect to the BIG-IP management port again.

Skip forward to Lab 1.3: Classroom Network Configuration

B.
Activate an Unlicensed BIG-IP System

Note: Do not do these steps if you already completed A: Activate a Licensed BIG-IP System. Skip forward instead to Lab 1.3: Classroom Network Configuration.

Locate the Base Registration Key and License File

Note: Your instructor will let you know where to find the base registration key and license information that you will use during this lab. Please ask your instructor for assistance if you cannot quickly locate this information.

1. Locate the base registration key and license file that you will use in subsequent steps. Your instructor will let you know where to find them.

License Your BIG-IP System

2. Open a browser session to https://192.168.X.31, where "X" is your station number. BIG-IP ships with a self-signed SSL certificate. Accept the certificate (not permanently, if using Firefox) and log in with username admin and password admin.

Note: Upon connecting to your BIG-IP system, you should be directed to the Setup utility. Please let your instructor know if you are not placed directly into the Setup utility.

3. Click the Next button to start the Setup utility.
4. On the subsequent Setup Utility » License page, click the Activate button to begin the licensing process.
5. Use the Base Registration Key you located earlier to generate a dossier using either step (a) or (b) below, depending on whether or not the Base Registration Key field already has a value in it.
   a. If your Base Registration Key field does not already have a value prepopulated in it:

      General Properties section
        Base Registration Key          Enter the base registration key you found in Step 1.
        Add-On Registration Key List   Leave blank
        Activation Method              Manual
      When complete, click...          Next

   b. If your Base Registration Key field already has a value prepopulated in it:

      General Properties section
        Activation Method              Manual
      When complete, click...          Next

6. Generate the dossier and install your license.
In Step 1: Dossier below, a file called dossier.do will be downloaded to your workstation. If prompted for where to save the file, choose the desktop. In Step 3: License below, select the bigip.license file you found in a previous lab step.

      General Properties section
        Manual Method                  Select Download/Upload File
      Step 1: Dossier                  Click Click Here to Download Dossier File
      Step 3: License                  Click Choose File and navigate back to the license file you found earlier
      When complete, click...          Next
      When configuration changes have been verified, click...   Continue

   Several processes are now restarted, and BIG-IP will be inaccessible for about a minute. Notify your instructor if the process continues for much longer than that.

7. Upon returning to the BIG-IP system from the previous step, you should be taken directly to the Resource Provisioning page of the Setup utility. Provision your BIG-IP system, as shown below.

   Setup Utility » Resource Provisioning
   Current Resource Allocation section
     Management (MGMT)           Small
     Carrier Grade NAT (CGNAT)   Disabled
     Access Policy (APM)         Nominal
     Local Traffic (LTM)         Nominal
   When complete, click...       Next

Note: Your BIG-IP may produce a warning message that certain system daemons may restart, causing your session to wait for a minute or so. This is normal behavior when changing provisioning settings.

Accept the BIG-IP Self-Signed Device Certificate

8. After provisioning is complete, you should be taken to the Device Certificates page in the Setup utility. We will be using the BIG-IP system's self-signed certificate in class. Note the expiration date for the certificate, and click the Next button to continue the Setup utility.

Configure User Administration

9.
Configure host name, time zone, and administrative access usernames/passwords. Remember to substitute your station number for "X." Some fields may already contain the correct values.

   Setup utility
   General Properties section
     Management Port Configuration   Manual
     Management Port                 IP Address[/prefix]: 192.168.X.31
                                     Network Mask: 255.255.0.0
     Host Name                       bigipX.f5trn.com
     Host IP Address                 Use Management Port IP Address
     Time Zone                       Set to your classroom's local time zone
   User Administration section
     Root Account                    Password: rootX    Confirm: rootX
     Admin Account                   Password: adminX   Confirm: adminX
     SSH Access                      Enabled
     SSH IP Allow                    All Addresses
   When complete, click...           Next, then OK

Note: You are changing the passwords for the root and admin accounts, not creating new accounts. Since you are currently logged in using the admin account, you may need to log back in again with your new password.

10. Log back in to BIG-IP as user admin with password adminX. You should be taken directly to the Setup Utility » Network page. If the page does not load entirely (parts of it are blank), try clicking on any visible tab (such as Main or About), hard-refresh your browser page (Ctrl-F5) or, worst case scenario, restart your browser and connect to the BIG-IP management port again.

Continue with Lab 1.3: Classroom Network Configuration and Backup

Lab 1.3 - Classroom Network Configuration

Lab Objectives

• Continue using the Setup utility to create the VLANs and self IPs that are used in support of the classroom lab environment, and to prepare the BIG-IP system for high availability.

Lab Requirements

• Access to a licensed and provisioned BIG-IP system via the management port
• Students already have an open browser window to the BIG-IP system, and are in the Setup utility, having completed licensing, provisioning, and device certificate steps.

Configure the Classroom Network

1. Continue the Setup utility by performing a Standard Network Configuration.
Click the Next button under the Standard Network Configuration heading, as shown in Figure 18.

Figure 18: Click the Next button to use the Setup utility wizard for standard network configuration (Standard Network Configuration: create a standard network configuration by configuring these features: Redundancy, VLANs, ConfigSync, Failover, Mirroring, Device Discovery (for Redundant Configurations) [Next]. Advanced Network Configuration: create advanced device configurations by clicking Finished and navigating to the Main tab of the Configuration Utility [Finished])

Configure Redundant Device Wizard Options

2. Set Redundant Device Wizard Options to prompt for ConfigSync settings and High Availability options.

   Setup utility
   Redundant Device Wizard Options section
     ConfigSync          Check the box for Display configuration synchronization options
     High Availability   Check the box to display the High Availability options
     Failover Method     Select Network
   When complete, click...   Next

Configure Self IPs and VLANs

3. Configure VLAN internal and its self IPs, interface, and port lockdown settings.

   Setup utility
   Internal Network Configuration section
     Self IP       Address: 172.16.X.31
                   Netmask: 255.255.0.0
                   Port Lockdown: Allow Default
     Floating IP   Address: 172.16.X.33
                   Port Lockdown: Allow Default
   Internal VLAN Configuration section
     VLAN Name         internal
     VLAN Tag ID       auto
     VLAN Interfaces   Move 1.2 from the Available column to the Untagged column
   When complete, click...   Next

5. Configure the high availability network to use the existing VLAN internal.
   Setup utility
   External Network Configuration section
     External VLAN   Click the Create VLAN external radio button
     Self IP         Address: 10.10.X.31
                     Netmask: 255.255.0.0
                     Port Lockdown: Allow 443
     Floating IP     Address: 10.10.X.33
                     Port Lockdown: Allow 443
   External VLAN Configuration section
     VLAN Name         external
     VLAN Tag ID       auto
     VLAN Interfaces   Move 1.1 from the Available column to the Untagged column
   When complete, click...   Next

   Setup utility
   High Availability Network Configuration section
     High Availability VLAN   Click the Select existing VLAN radio button
                              Select VLAN internal
     Self IP                  Address: 172.16.X.31
                              Netmask: 255.255.0.0
   High Availability VLAN Configuration section
     VLAN Name         internal
     VLAN Tag ID       auto
     VLAN Interfaces   1.2 (untagged)
   When complete, click...   Next

Configure ConfigSync

6. Configure ConfigSync on the non-floating self IP for VLAN internal.

   Setup utility
   ConfigSync Configuration section
     Local Address   172.16.X.31 (internal)
   When complete, click...   Next

Configure Unicast and Multicast Failover Settings

7. Use the default settings for Failover Unicast Configuration and Failover Multicast Configuration.

   Setup utility
   Failover Unicast Configuration section
     Local Address   Port   VLAN
     172.16.X.31     1026   internal
     192.168.X.31    1026   Management Address
   Failover Multicast Configuration section
     Use Failover Multicast Address   Unchecked (Disabled)
   When complete, click...   Next

Mirroring Configuration

8. Use the default primary and secondary local mirror address settings for Mirroring Configuration.

   Setup Utility » Mirroring
   Mirroring Configuration section
     Primary Local Mirror Address     172.16.X.31 (internal)
     Secondary Local Mirror Address   None
   When complete, click...   Next

Finish the Setup Utility

You have now completed configuring the network interfaces that are used in support of the classroom environment. We will not be configuring a standard Active/Standby pair in this class, so you can exit the Setup utility at this point.

9.
Click the Finished button under the Advanced Device Management Configuration heading, You should be taken to the Welcome page, and there should be a message at the top of the page indicating the Setup Utility has completed, similar to what is shown in Figure 19. Si toroid Te Figure 19: Setup Utiity Completion is indicated in the message area afer exiting | Continue with Lab 1.4: Test Access and Archive the Configuration Lab 1.4 —- Test Access and Archive the Configuration Lab Objectives ‘© Test administrative access to the BIG-IP system ‘© Create a UCS archive of the BIG-IP system configuration. Lab Requirements © Access to a BIG-IP system that has completed the initial setup process, including management port configuration, licensing, provisioning, device certificate setup, and standard network configuration. Test Administrative Access to the BIG-IP System Test SSH (port 22) Access to the Management Port 1. Using PUTTY, open an SSH session fo 192,168.X.31. Make sure the protocol is set to SSH (port 22) before connecting. Log in as root with password rootX. Were you able to connect? What BIG-IP configuration setting(s) permits this access? When you are done, you may close the PuTTY window or leave it open for later lab steps. Test HTTPS (port 443) Access to VLAN External’s Self IPs 2. Open a browser window to https://10.10.X.31 and log in as user admin with password adminX. What are you connecting to at this address? What BIG-IP configuration setting(s) permit this access? Open a browser window to https:/10.10.X.33 and log in as user admin with password adminX. What are you connecting to at this address? What BIG-IP configuration setting(s) permit this access? Note: Although you can connect to the GUI or command line using the BIG-IP system's self IP addresses, such access is typically restricted to avoid security risks. On a customer- or Internet- facing VLAN, there is often no access via the self IPs, or access is restricted to port 443, (HTTPS) only. 
Test SSH (port 22) Access to VLAN External's Non-Floating Self IP

4. Using PuTTY, try to open an SSH session to 10.10.X.31. Make sure the protocol is set to SSH (port 22) before connecting. Were you able to connect? Why or why not?

Note: Your network connection in the previous step should be refused, as this self IP is currently protected by Port Lockdown. By default, when the Setup utility creates VLAN external, the BIG-IP system only permits access to this VLAN's self IPs via port 443 (HTTPS); SSH uses port 22. Port Lockdown is covered in more detail later in this course.

5. Reconfigure the self IP address 10.10.X.31 to also allow access via port 22.

   Network » Self IPs » 10.10.X.31
   Configuration section
      Port Lockdown:  Select Allow Custom
      Custom List:    Select the TCP and Port radio buttons, enter 22 in the field that appears to the right of Port, then click Add
   When finished, click Update.

6. Using PuTTY, try to open an SSH session to 10.10.X.31 again. You should have success this time. If not, review the Port Lockdown settings for this self IP and make sure port 22 was successfully added in the previous step.

Note: In the next section, you'll start using some Traffic Management Shell (tmsh) commands to become familiar with the command line interface. tmsh commands will be discussed in more detail in a later chapter. The |less parameter used in the instructions below allows scrolling when tmsh command output is more than the console can display. Use the arrow keys and the space bar to scroll through the output. Type q to quit scrolling mode and return to the Linux bash prompt.

7. Using PuTTY, open (or reuse) an SSH session to 10.10.X.31 or to 192.168.X.31, then use Traffic Management Shell (tmsh) commands to view various configuration settings. Log in to the SSH session as the root user with password rootX.

   At the Linux bash prompt, enter the following command and compare the results with what you see in the Configuration utility (GUI) at Network » VLANs:
      tmsh list /net vlan | less

   At the Linux bash prompt, enter the following command and compare the results with what you see in the Configuration utility (GUI) at Network » Self IPs:

      tmsh list /net self | less

   At the Linux bash prompt, enter the following command and compare the results with what you see in the Configuration utility (GUI) at Network » Interfaces:

      tmsh list /net interface | less

   At the Linux bash prompt, enter the following command and compare the results with what you see in the Configuration utility (GUI) at System » License:

      tmsh show /sys license

   What is the registration key for your BIG-IP system? What is the software version number this license was first activated for? What is the service check date for your BIG-IP system?

Configure Command Line Access for the Admin User

8. Open another SSH session window to 10.10.X.31 or to 192.168.X.31 and attempt to log in as the admin user with password adminX. Were you successful?

Note: Your attempt to log in to the command line interface as the admin user in the previous step should fail. By default, the admin user does not have access to the command line.

9. Update the admin user settings to permit access to the command line interface, but only to the Traffic Management Shell (tmsh).

   System » Users » admin
   Account Properties section
      Terminal Access:  tmsh
   When finished, click Update.

Note: When changing terminal access for the admin user (the user you are currently logged in as) you may have to log back onto the GUI again.

10. Open an SSH session to 10.10.X.31 or to 192.168.X.31 and test logging in with the admin user credentials again. Were you able to connect this time?

11. How is your access different from the root user? (Hint: Check the prompt after you log in as each user.) What do you have access to as the root user that you do not have access to as the admin user?

Check Root User Access to the GUI

12. Open a browser window to 10.10.X.31 or 192.168.X.31 and attempt to log in as the root user.
Were you successful?

Note: Your attempt to log into the GUI as user "root" should fail. User "root" does not have access to the BIG-IP system's administrative GUI, only to the command line.

Create a UCS Archive of Your Configuration

13. Open a browser window to 10.10.X.31 or 192.168.X.31 and create a backup of your current configuration.

   System » Archives » Create
   General Properties section
      File Name:     trainX_base.ucs
      Encryption:    Disabled
      Private Keys:  Include
   When complete, click Finished, then click OK when the archive is complete.

14. Download your new UCS backup to your workstation hard drive for possible use in a later lab.

   System » Archives » trainX_base.ucs
      Archive File:  Click Download: trainX_base.ucs, then save to the desktop of your management PC.

View the Backup UCS File Using the Command Line Interface

15. Open an SSH session to the BIG-IP system.

16. At the config prompt, make a new directory:

      mkdir /var/tmp/test

Note: This directory may already exist from a previous class. If so, continue with the next step.

17. Change to the new directory:

      cd /var/tmp/test

18. Copy the backup previously downloaded to the new directory (and replace, if necessary). Remember to replace the "X" with your station number in the file names:

      cp /var/local/ucs/trainX_base.ucs trainX_base.ucs

19. Decompress and extract the file contents:

      tar -xvzf trainX_base.ucs

The resulting files show the directory structure and all files stored within the UCS backup. Individual files can be viewed with cat, tail, more, less, and other command line tools.

Expected Results

At the end of the previous labs, you should have configured the BIG-IP system up to the point where it is connected to the network and able to process administrative traffic. For the remainder of the class, you'll learn how to configure the BIG-IP system for application delivery.
Whether you're working on BIG-IP Virtual Edition or on actual BIG-IP devices, Figure 20 provides a conceptual representation of the work you've done to date. You can use this as a reference throughout the remainder of the class.

Figure 20: Conceptual representation of your classroom environment after setup lab completion.
(Figure content:
   Management network: 192.168.X.30; MGMT IP 192.168.X.31/16
   VLAN external, interface 1.1: Non-floating Self IP 10.10.X.31/16, Floating Self IP 10.10.X.33, Port Lockdown: Allow Custom (22 & 443); 10.10.X.30 on the external network
   VLAN internal, interface 1.2: Non-floating Self IP 172.16.X.31/16, Floating Self IP 172.16.X.33, Port Lockdown: Allow Default)

If you have Internet access in your classroom environment, continue with Lab 1.5: AskF5 Research Lab.

Lab 1.5 - AskF5 Research Lab (if Internet)

Lab Requirements:
   • Access to the Internet

Research Solutions

1. Open a browser session to http://askf5.com

2. Find the release notes for the 11.4.0 version of one of the BIG-IP products (e.g. LTM, GTM, ASM, etc.) and read the section entitled New in 11.4.0.

3. Search for other solutions that relate to the topics presented in this chapter. You can use the list of Chapter Resources on page 1-32, or here are some suggestions:
   a. SOL13132: Backing up and restoring BIG-IP configuration files (11.x)
   b. SOL2200: Most recent versions of F5 software
   c. SOL13250: Overview of port lockdown behavior (10.x-11.x)
   d. SOL5903: BIG-IP software support policy
   e. SOL917: Finding the serial number or registration key of your F5 device
   f. SOL9957: Creating a custom RSS feed to view new and updated documents

4. Search for other AskF5 documents relating to topics in the upcoming modules and explore them. For example:
   a. Manual Chapter: BIG-IP Local Traffic Manager: Concepts > Nodes
   b. Manual Chapter: BIG-IP Local Traffic Manager: Concepts > Pools
   c. Manual Chapter: BIG-IP Local Traffic Manager: Concepts > Virtual Servers
   d. Manual Chapter: BIG-IP Local Traffic Manager: Concepts > SNATs

Chapter 2: APM Traffic Processing

Virtual Servers and Access Profiles

Lesson Objective: During this lesson, you will be introduced to the concepts of virtual servers and access profiles.

Virtual Servers

Virtual servers are the primary mechanism the BIG-IP system uses to process traffic. Each content site that a BIG-IP system manages must be associated with at least one virtual server. Virtual server definitions include a name, an IP address and a port. Beyond that, virtual servers have many features that allow you to choose how traffic is processed.

Clients must be able to reach the virtual server. Often, the virtual address is registered to the site's host name and clients discover the address via DNS. Alternately, DNS requests may resolve to an address hosted by a firewall or other edge device that will forward such requests to the virtual server. The virtual service port should be the same TCP or UDP port number known to client programs.

For example, traffic to F5 Networks' website is processed by a virtual server on a BIG-IP system. The host name www.f5.com resolves to the IP address of a virtual server, 65.197.145.23. The virtual server's port is 80, the standard port for HTTP.

Virtual servers are typically represented by a single IP address:port combination. For BIG-IP LTM, virtual servers are associated with a pool to accomplish load balancing. For BIG-IP APM, virtual servers are associated with an access profile, which determines what checking is done and which resources the client is allowed to access.

Access Policies

In an access policy, you define the criteria for granting access to various servers, applications, and other resources on your network.
Using an access policy, you can define a sequence of checks to enforce the required level of security on a user's system before the user is granted access to servers, applications, and other resources on your network. An access policy can also include authentication checks, to authenticate a user before the user is granted access to the network resources. With an access policy you can perform four basic tasks:

   • Collect information about the client system
     You can use the access policy to collect and evaluate information about client computers. For example, you can check that the user is operating from a company-issued computer, what antivirus software is present on the machine, what operating system the computer is running, and other aspects of the client configuration. This is accomplished using both client-side checks and server-side checks in the access policy.

   • Use the authentication action to verify client security against external authentication servers
     The access policy allows you to check and evaluate authentication against an external authentication database or a certificate, to make sure the authentication server recognizes the user.

   • Retrieve the user's rights and attributes
     You can use the access policy to retrieve extended information from authentication servers, including LDAP or Microsoft Active Directory® attributes, and use the information retrieved to assign different resources.

   • Grant access to resources
     With the access policy, you assign a network access resource after the client is authenticated.

Access Profiles

An access profile is the profile that you select in a virtual server definition to establish a secured connection to a resource. You can also configure an access profile to provide access control and security features to a local traffic virtual server hosting web applications.
The access profile contains:
   • Access policy timeout and concurrent user settings
   • Accepted language and default language settings
   • Single Sign-On information and domain cookie information for the session
   • Customization settings for the access profile
   • The access policy for the profile

Network Packet Flow

When client traffic arrives on the BIG-IP system, it is typically destined to a virtual server address and port. The BIG-IP system then processes that request based on the virtual server's definition. Note that the packet flow must be transparent to the end user. They should not know that their request is being processed by the BIG-IP system and is being directed to other internal servers.

In the case of BIG-IP APM, the virtual server hands the packet off to an access profile. The access profile performs different checks on the packet and then assigns a resource (server application or network access) based on the success or failure of the checks performed. Later in the course we will discuss how a BIG-IP LTM virtual server makes a load balancing decision and then hands the packet off to a server configured within a pool.

For both products, APM and LTM, the virtual server is listening for traffic arriving at the BIG-IP system for a particular destination IP address and port. What happens to the packet after that depends on the BIG-IP product acting on it and the virtual server's configuration.

APM Configuration Wizards

Lesson Objective: During this lesson you will learn how to create a virtual server and access policy using the Access Policy Manager Configuration wizards.

Using Access Policy Manager Configuration Wizards

With the Access Policy Manager wizards, you can quickly configure any of the three access types with a simple working configuration. After you configure a connection with the wizard, you can go back and edit the configuration to further customize the access policy.
To access the Access Policy Manager wizards, in the navigation pane, expand Wizards, and click Device Wizards. The Device Wizards screen opens. The following wizards are available:

   • Network Access Setup Wizard for Remote Access - Configure a network access VPN connection for remote access. Creates an access policy and local traffic virtual server so that end users can establish a full network access VPN connection to internal resources.

   • Portal Access Setup Wizard - Configure a remote access connection to one or more internal web applications. Creates an access policy and local traffic virtual server so that end users can access internal web applications through a single external virtual server. Use this if you need to provide secure extranet access to internal web applications without creating a full VPN connection.

   • Web Application Access Management for Local Traffic Virtual Servers - Configure authentication and access control for a web application behind a local traffic virtual server. Creates an access policy for a new or existing local traffic virtual server to provide authentication, access control, and endpoint security for a web application.

In Chapter 2 we will only focus on the Portal Access Setup Wizard.

Using the Portal Access Wizard

Follow the steps and instructions in the wizard to configure and deploy a working portal access policy. Note the following configuration items.

The Policy Name specifies the name of the access policy to be created, and is used as the naming prefix for other objects configured with the access policy. Later, when you look for items created with the wizard, they are named with this prefix. For example, if you specify the prefix mytest, the access policy name is mytest_ap, and the virtual server is named mytest_vs.
This name must be unique, and not already in use on the system.

When you select the client side check option Enable Antivirus Check in Access Policy, the wizard adds a basic antivirus client-side check to the access policy. You can later refine this client-side check to verify a particular antivirus product, check the date of the virus database, and more. You can also add other client-side checks to the access policy. For more information, see Module 11, Client Side Checks and Actions.

You can configure authentication with the wizard, or select No Authentication to create an access policy without authentication. After you select an authentication type, you can view online help for the authentication configuration options by clicking the Help tab in the navigation pane.

Specify the internal web application start URI. This specifies the URI of the first page that a user sees after passing the access policy. For example, http://myintranet.siterequest.com or http://myintranet/start.htm.

Specify a host name for the virtual server. In most cases, you do not specify a network when creating this virtual server. Allow the redirect server to be created; this eliminates the simple connection issue that users encounter when they do not type https before the virtual server host name.

When you review the configuration, you can use the Previous and Next buttons to go back and edit the configuration before you click Finish. After you click Finish, the system creates and applies web application objects. You can still edit any item associated with the access profile from the Access Profile page (Access Policy : Access Profiles : name of access profile). You can edit the virtual server at Local Traffic : Virtual Servers : name of virtual server.

Logging

Lesson Objective: During this lesson, you will learn how to configure logging for BIG-IP APM.
Understanding Logging

Viewing and maintaining log messages is an important part of maintaining the Access Policy Manager. Log messages inform you on a regular basis of the events that are happening on the system. Some of these events pertain to general events happening within the system, while other events are specific to the Access Policy Manager, such as stopping and starting Access Policy Manager services. Access Policy Manager uses syslog-ng to log events. The syslog-ng utility is an enhanced version of the standard logging utility syslog.

The types of event messages available on the Access Policy Manager are:

   • Access Policy events
     Access Policy event messages include logs pertinent to access policy, SSO, network access, and web applications. To view access policy events, on the navigation pane, expand System, and click Logs.

   • Audit Logging
     Audit event messages are those that the Access Policy Manager system logs as a result of changes made to its configuration.

For more information on other log events, refer to the BIG-IP® Configuration Guide for Local Traffic Manager™, on the AskF5 web site, https://support.f5.com.

Introducing Logging Features

The logging mechanism on an Access Policy Manager system includes several features designed to keep you informed of system events in the most effective way possible. One of the primary features of logging is its ability to log different types of events, ranging from system events to access control events. Through the Access Policy Manager system auditing feature, you can even track and report changes that an administrator makes to the BIG-IP® system configuration, such as adding a virtual server or changing an access policy.

When setting up logging on the Access Policy Manager, you can customize the logs by designating the minimum severity level, or log level, that you want the system to report when a type of event occurs. The minimum log level indicates the minimum severity level at which the system logs that type of event.
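The minimum-log-level idea above, and the per-message fields that the log-content table in the next section describes (timestamp, log level, host, service, status code, session ID, description, and user name and transaction for audit entries), can be exercised on sample data. The following Python script is an added example written for this guide; it is not part of the F5 student guide or of BIG-IP software. Its sample log lines are constructed to resemble syslog-ng output on a BIG-IP system, but the exact message layout, the status codes, the session IDs and the host names are assumptions, not captured output.

```python
"""Parse BIG-IP APM-style log lines and filter them by minimum log level.

Added example for this guide (not F5 code). SAMPLE_LINES are constructed
to have the general shape of syslog-ng output on a BIG-IP: a timestamp,
host, log level, service, and an access-policy or audit message body.
The status codes, session IDs, host names and message texts are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Log levels from highest to lowest severity, as listed in the guide.
LOG_LEVELS = ["emergency", "alert", "critical", "error", "warning",
              "notice", "informational", "debug"]
# syslog abbreviations mapped onto the guide's level names.
LEVEL_ALIASES = {"emerg": "emergency", "crit": "critical", "err": "error",
                 "warn": "warning", "info": "informational"}

# Common header: "Mon DD HH:MM:SS host level service[pid]: body"
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<level>[a-z]+) (?P<service>[\w.-]+)(?:\[\d+\])?: (?P<body>.*)$")
# Access-policy body (assumed layout): "<status code>:<digit>: <session id>: <description>"
APM_BODY_RE = re.compile(
    r"^(?P<status>[0-9a-f]{8}):\d: (?P<session>[0-9a-f]{8}): (?P<desc>.*)$")
# Audit body (assumed layout): "... user <name> - transaction #<id> - ..."
AUDIT_BODY_RE = re.compile(r"\buser (?P<user>\S+) - transaction #(?P<txn>[\d-]+)")


@dataclass
class LogEvent:
    """One parsed log message, with the fields named in the guide's log-content table."""
    timestamp: str
    host: str
    level: str
    service: str
    description: str
    log_type: str = "system"           # "system", "access_policy" or "audit"
    status_code: Optional[str] = None  # access policy only
    session_id: Optional[str] = None   # access policy only
    user_name: Optional[str] = None    # audit only
    transaction: Optional[str] = None  # audit only


def normalize_level(raw: str) -> Optional[str]:
    """Map a syslog level token onto the guide's level names; None if unknown."""
    level = LEVEL_ALIASES.get(raw.lower(), raw.lower())
    return level if level in LOG_LEVELS else None


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one line; return None for lines that are not well-formed log messages."""
    header = HEADER_RE.match(line.strip())
    if not header:
        return None
    level = normalize_level(header["level"])
    if level is None:
        return None
    body = header["body"]
    event = LogEvent(timestamp=header["timestamp"], host=header["host"],
                     level=level, service=header["service"], description=body)
    apm = APM_BODY_RE.match(body)
    if apm:  # status code and session ID exist only for access-policy messages
        event.log_type = "access_policy"
        event.status_code = apm["status"]
        event.session_id = apm["session"]
        event.description = apm["desc"]
        return event
    audit = AUDIT_BODY_RE.search(body)
    if audit:  # audit messages carry the user name and transaction number instead
        event.log_type = "audit"
        event.user_name = audit["user"]
        event.transaction = audit["txn"]
    return event


def at_or_above(level: str, minimum: str) -> bool:
    """True when `level` is at least as severe as `minimum` (lower index = more severe)."""
    return LOG_LEVELS.index(level) <= LOG_LEVELS.index(minimum)


def filter_events(lines: List[str], minimum: str = "notice") -> List[LogEvent]:
    """Parse lines and keep only events at or above the minimum log level."""
    if minimum not in LOG_LEVELS:
        raise ValueError(f"unknown log level: {minimum}")
    events = (parse_line(line) for line in lines)
    return [ev for ev in events if ev is not None and at_or_above(ev.level, minimum)]


def unexpected_hosts(events: List[LogEvent], local_host: str) -> List[str]:
    """Host names other than the local machine; the guide notes these are of interest."""
    return sorted({ev.host for ev in events if ev.host != local_host})


# Constructed sample lines (not captured from a real system).
SAMPLE_LINES = [
    "Jun 27 12:34:01 bigip1 notice apd[5253]: 01490500:5: 1a2b3c4d: New session from client IP 10.10.1.50 at VIP 10.10.1.31 Listener /Common/mytest_vs",
    "Jun 27 12:34:02 bigip1 info apd[5253]: 01490010:7: 1a2b3c4d: Username 'student1'",
    "Jun 27 12:34:03 bigip1 err apd[5253]: 01490107:3: 1a2b3c4d: AD module: authentication with 'student1' failed",
    "Jun 27 12:35:10 bigip1 notice mcpd[3012]: 01070417:5: AUDIT - client tmsh, tmsh-pid-4478, user admin - transaction #12-3 - object 0 - modify { self 10.10.1.31 } [Status=Command OK]",
    "Jun 27 12:36:00 bigip1 warning sshd[6001]: Accepted password for root from 10.10.1.50 port 51234 ssh2",
    "Jun 27 12:36:05 bigip1 debug apd[5253]: 01490000:7: 1a2b3c4d: Session variable 'session.logon.last.username' set to 'student1'",
    "Jun 27 12:37:00 otherhost notice sshd[6002]: Received disconnect from 10.10.1.50 port 51234",
    "this line is not a log message",
]

if __name__ == "__main__":
    for ev in filter_events(SAMPLE_LINES, "notice"):
        print(f"{ev.timestamp} {ev.level:<13} {ev.log_type:<13} "
              f"session={ev.session_id} user={ev.user_name} {ev.description}")
    print("hosts other than bigip1:", unexpected_hosts(filter_events(SAMPLE_LINES, "debug"), "bigip1"))
```

Running the script with a minimum level of notice drops the informational and debug lines, exactly as setting that minimum log level on the system would keep them out of the log; the same message is classified as access policy, audit or system from its body, since only BIG-IP components emit status codes and session IDs, while audit entries carry the user name and transaction number.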
You can also use the Configuration utility to search for a string within a log event; that is, you can filter the display of the log messages according to the string you provide.

Note: Files are rotated daily if their size exceeds 10MB. Additionally, weekly rotations are enforced if the rotated log file is a week old, regardless of whether or not the file exceeds the 10MB threshold.

Understanding Log Content

The logs that the system generates include several types of information. For example, all logs show a timestamp, host name, and service for each event. Some logs show a status code, while the audit log shows a user name and a transaction ID corresponding to each configuration change. All logs can contain up to two-line descriptions of each event.

The following table displays the categories of information contained in the logs, and the specific logs in which the information is displayed.

Log information categories and their descriptions

   Information Type | Explanation | Log Type
   Timestamp        | The time and date that the system logged the event message. | System, Access Policy, Audit
   Log Level        | Provides log level detail for each message. | Access Policy
   Host             | The host name of the system that logged the event message. Because this is typically the host name of the local machine, the appearance of a remote host name could be of interest. | System
   Service          | The service that generated the event. | System
   Status code      | The status code associated with the event. Note that only events logged by BIG-IP system components, and not operating system services, have status codes. | Access Policy
   Session ID       | The ID associated with the user session. | Access Policy
   Description      | The description of the event that caused the system to log the message. | System
   User Name        | The name of the user who made the configuration change. | Audit
   Transaction      | The identification number of the configuration change. | Audit
   Event            | Provides the description of the event so that it can be applicable to both Audit and Access Policy logging. | Audit, Access Policy

Note: For standalone clients, once a user has logged out and then logged back in, the session ID will be displayed as invalid and will remain as such in the Notice logs. The user is then assigned a new session ID. This is expected behavior of the system.

Understanding Log Types

The Access Policy Manager automatically logs two main event types:

   • Access policy: Includes messages created during access policy validation, SSO, network access, and web applications.
   • Audit: Includes configuration changes.

Each type of event is stored in a log file, and the information stored in each log file varies depending on the event type.

   • Access policy events: Messages are logged in the /var/log/apm file.
   • Audit events: Messages are logged in the /var/log/audit file.

Logging System Events

Many events that occur on Access Policy Manager are operating system-related events, and do not specifically apply to the Access Policy Manager. The Access Policy Manager logs the messages for these events in the file /var/log/messages. Using the Configuration utility, you can display these system messages. On the navigation pane, expand Access Policy, click Reports, and choose Built In Reports and the report System messages.
Right click on the report name and choose Run Report. The following figure shows some sample system log entries.

(Figure: sample system log entries from the System messages report)

Auditing Configuration

Audit logging is an optional feature that logs messages whenever there are changes made by the system. Such changes include the following items:

   • User action
   • System action
   • Loading configuration data

The Access Policy Manager logs the messages for these auditing events in the /var/log/audit file. By default, audit logging is disabled.

Setting Log Levels

Using the BIG-IP management interface, you can set log levels on auditing events and other types of events. The log level indicates the minimum severity level at which the system logs that type of event. For auditing events, you can set a log level that indicates the type of event that the system logs, such as the user-initiated loading of the Access Policy Manager system configurations, or system-initiated configuration changes.

The log levels that you can set on certain types of events are sequenced from highest severity to lowest severity, like this:

   • Emergency
   • Alert
   • Critical
   • Error
   • Warning
   • Notice
   • Informational
   • Debug

To Set the Log Level

1. On the navigation pane, expand System, click Logs, then Configuration and Options. The Logs screen changes to display the various logging options available.
2. Depending on the type of log messages you want to control, select either Access Policy Logging or Audit Logging.
3. Select the log level for the selected component, and click Update.

To View System Log Messages

Once you select your logging options, you can view your logs.

1. On the navigation pane, expand System, and click Logs. The Logs screen opens.
2. From the menu bar, the information can be sorted in ascending or descending order by:
   • Timestamp
   • Log Level
   • Host
   • Event
3. If you want to advance to another screen of messages, first locate the page list at the lower-right corner of the screen. You can either:
   • Display the list and select a page number.
   • Click the right arrow to advance to the next page of messages.
4. To filter log messages based on a search string, in the Search box (directly above the Timestamp column), type a string, optionally using the asterisk as a wildcard character.
5. Click Search. The screen refreshes and displays only those messages containing the string you specified.

(Figure: example system logs screen)

Setting Log Levels for Auditing Events

An optional type of logging that you can enable is audit logging. Audit logging provides options to control audit logging at the MCP level and at the BIG-IP level. This logs audit messages for administrators who perform operations at the user interface level and also through the command line interface. For detailed information about auditing events, refer to the BIG-IP® Configuration Guide for Local Traffic Manager, on the AskF5 web site, https://support.f5.com.

You can choose one of four log levels for audit logging. In this case, the log levels do not affect the severity of the log messages; instead, they affect the initiator of the audit event. The log levels for audit logging are:

   • Disable: This turns audit logging off. This is the default value.
   • Enable: This causes the system to log messages for user-initiated configuration changes only.
   • Verbose: This causes the system to log messages for user-initiated configuration changes and any loading of configuration data.
   • Debug: This causes the system to log messages for all user-initiated and system-initiated configuration changes.

To Set a Log Level for Audit Events

1. On the navigation pane, expand System, click Logs, then click the Configuration tab and click Options. The Logs screen changes to display the various logging options available.
2. In the Audit Logging area near the bottom of the screen, select a log level from the Audit list, which includes MCP and tmsh.
3. Click Update.

Sessions

Lesson Objective: During this lesson, you will learn how to list and manage sessions on BIG-IP APM.

Displaying Current Sessions

With Access Policy Manager, you can view the current sessions with the Access Policy Manage Sessions option. It displays all current active sessions that are running on the system. Additionally, you can set options to update session information every few seconds.

To Display the Current Sessions

1. On the navigation pane, expand Access Policy, and click Manage Sessions. The Current Sessions page opens.

(Figure: example Manage Sessions screen)

To Change Your Display Options

2. On the navigation pane, expand Access Policy, and click Manage Sessions.
3. Under Display Options, from the Auto Refresh list, select the time interval (in seconds) to refresh the session table. It is disabled by default.
4. To manually refresh the table, click Refresh Session Table.

The following table explains the type of information displayed for each session.

Reporting information types

   Information Type | Explanation
   Status           | The status of the session.
   Session ID       | The Session ID of each session.
   Logon            | The logon name used to start a session.
   Client IP        | The IP address of the client machine that the user connects from.
   Start Time       | The start time of each session.
   Expiration       | The time at which the session is expected to time out.
   Bytes In         | The total number of bytes received by the session.
   Bytes Out        | The total number of bytes transmitted by the session.

Terminating User Sessions

You can terminate selected user sessions that are running on the system for troubleshooting and security purposes. For example, you may find that you need to perform certain troubleshooting tasks on one or multiple user sessions. Or, you notice that there are security issues and need to terminate user sessions immediately for further investigation. Access Policy Manager provides you with the ability to terminate user sessions immediately.

To Terminate User Sessions

1. On the navigation pane, expand Access Policy, and click Manage Sessions. This navigates to the Current Sessions page.
2. Select one or more user sessions using the check box on the right hand side, and click Kill Selected Sessions. You are prompted to confirm the Delete; click Delete or Cancel. The terminated sessions no longer appear in the active session list.

Note: APM also provides a more detailed reporting facility in Reports. This is discussed in a later module.

Monitoring System and User Information

The BIG-IP® Access Policy Manager provides a dashboard that displays system statistics graphically, showing gauges and graphs, and you can view the same statistics in a table view. You can also view user session information specific to Access Policy Manager.

You can display the BIG-IP® system dashboard from the main navigation pane. Expand Overview, and click the Dashboard tab. The dashboard also includes online help for information about how to interpret statistics on each of the panels that appear on the screens.
Click the question mark (?) in the upper right corner of any window to display the online help.

Viewing the Access Policy Manager Dashboard

In addition to the BIG-IP® system main dashboard, you can use the Access Policy Manager dashboard to view session-based statistics for Access Policy Manager users, as well as throughput data. With the Access Policy Manager dashboard, you can view the following information:

• Access Sessions
• Network Access
• Portal Access
• Access Control Lists

To view the dashboard, on the navigation pane, expand Access Policy, and click Dashboard.

[Figure: Example APM Dashboard screen]

By clicking the grid icon in the upper left corner of each window, you can display the same information in a table format.

Monitoring Access Sessions

The top left window of the Access Policy Manager dashboard displays the total and established connections for all current active sessions. You can view them in either real-time or historical time ranges. You may want to view active sessions at various times of the day to determine the peak and select the best time to perform system maintenance, for example. If you notice that the total number of sessions has peaked while the number of established sessions remains low, this may indicate that a malicious attack is occurring in your network environment.

The next two figures show a sample Access Sessions window for all active sessions from Access Policy Manager.

[Figure: Access Sessions window, graphical view (Total and Established)]

[Figure: Active Sessions window, tabular view (samples timestamped 06/27/2012)]

Monitoring Network Access

The top right window of the Access Policy dashboard displays data on the APM network access tunnel connections.
You can view throughput numbers to and from the client, as well as compression, and monitor the number of open and new connections. This window is a good indicator of peak traffic, which helps determine the best time to perform system maintenance.

Monitoring Portal Access

The bottom left window displays the number of client requests through the Portal Access reverse proxy engine, as well as the amount of that data served from cache.

Monitoring Access Control Lists

The bottom right window of the Access Policy dashboard displays data on the APM Access Control Lists.

[Figure: Access Control Lists window (Allow, Continue, Discard, Reject)]

Monitoring System Overview

The Access Policy Manager dashboard can be switched to display an overview of the BIG-IP system information using the Views option. Click Standard/Access Policy Manager, then on the flyout menu click Overview.

[Figure: Example Dashboard Overview screen]

Lab 2.1 — APM Configuration Wizard

Lab Objectives:
• Configure a virtual server and access profile using the wizard
• Test the virtual server and access profile and verify functionality

Estimated time for completion: 20 minutes

Lab Requirements:
• IP and port addresses available for use on BIG-IP APM that can be reached by the client systems
• Actual servers with appropriate routes to return traffic through each BIG-IP APM system

Create a Virtual Server and Access Profile Using the Wizard

1. Open a browser session to your BIG-IP web-based admin UI at https://10.10.X.31
2. From the Navigation pane, expand the Wizards section and then click the link for Device Wizards.
3. In the Wizard section, click the radio button for Portal Access Setup Wizard and then click Next.
4. On the Basic Properties screen, set the following values and click Next:

   Policy Name          server1
   Default Language     Leave at default
   Full Webtop          Unchecked
   Caption              PortalOne
   Client Side Checks   Uncheck the box for Enable Antivirus Check

5. On the Default Gateway Configuration screen, set the following value and click Next:

   IPv4 Gateway Address   10.10.17.33

   Note: If DNS and NTP servers have not been defined previously, you will be prompted to enter these values on a new screen. Use 172.16.20.20 for the DNS and NTP servers.

6. On the DNS and NTP configuration screen, set the server to 172.16.20.20 as shown here, then click Next.

   DNS Lookup Server List   Address 172.16.20.20 and click Add
   Time Server List         Address 172.16.20.20 and click Add

7. On the next configuration screen, select Create New, then Active Directory, and click Next.

8. On the Configure AAA Server screen, set the following values and click Next:

   Domain Name          f5trn.com
   Server Connection    Direct
   Domain Controller    dc.f5trn.com
   Other settings       Leave default

9. On the Portal Access screen, set the following values and click Next:

   Select Application   Custom Portal Access
   Start URI            http://172.16.20.1
   SSO Configuration    Unchecked

10. On the Virtual Server (HTTPS connection) screen, set the values below and click Next:

   Virtual Server IP Address   10.10.X.101 (where X is your station number)
   Redirect Server             Leave the box checked for Create Redirect Virtual Server

11. Review your configuration and make sure the values are set as stated below:

   Policy Name                    server1
   Authentication Type            Active Directory
   Domain Controller              dc.f5trn.com
   Domain Name                    f5trn.com
   Portal Application Start URI   http://172.16.20.1
   Virtual Server IP Address      10.10.X.101

12. If everything is correct, click Next; otherwise click Previous and fix the wrong values.
13. On the Setup Summary screen, notice that several objects have been created, specifically:

   Access Profile     server1
   AAA Servers        server1_aaa_srvr
   Webtops            server1_webtop, set to URI http://172.16.20.1
   Profiles           server1_cp
   Virtual Servers    server1_vs, set to a Destination IP Address of 10.10.X.101 and Port of 443

14. When you are finished reviewing, click Finished.

Review Your Configuration Using the Web Config Utility

15. From the Navigation pane, expand the Local Traffic section.
16. Select Virtual Servers and notice there are two virtual servers listed: server1_vs at port 443, and server1_vs_redirect at port 80. Both have a Destination IP of 10.10.X.101.
17. From the Navigation pane, expand the Access Policy section.
18. Select Access Profiles, and server1 should be listed.
19. Click the Edit link for the server1 Access Profile. You should see something like:

   [Figure: the server1 access policy in the visual policy editor, showing fallback and Successful branches]

20. We will explore Access Profile editing in more detail later. For now, click the Close button in the upper right corner of the screen.
21. Staying in the Access Policy section of the Web Configuration utility, select AAA Servers and see that server1_aaa_srvr is listed.
22. Select Webtops, and server1_webtop should be listed. Click the link for server1_webtop, and the Portal Access Start URI should be set to http://172.16.20.1

Test Your Configuration

23. First, open a new browser session on your PC to the application http://172.16.20.1
24. Note that the site is unreachable.
25. Next, open another browser session on your PC and point it to your BIG-IP virtual server address of https://10.10.X.101

   Note: When connecting, you may need to clear out certificates from your browser of choice in order to connect to https://10.10.X.101

26. When prompted, enter a Username of studentX and a Password of studentX, and log in.
27. You should see the server1 web page.
Expected Results and Troubleshooting

If problems occur, verify the following.

If your username / password combination fails, try the following:
• If DNS is set up and working, then typing nslookup dc.f5trn.com from a BIG-IP command prompt should give an answer of 172.16.20.20. If this is not the case, first try pinging 172.16.20.20, then ask the instructor for help.
• Verify your settings for the AAA Server server1_aaa_srvr are as follows:

   Domain Controller   dc.f5trn.com
   Domain Name         f5trn.com

• Type date from a BIG-IP command prompt and verify with the instructor that your BIG-IP date and time are within a minute of the Active Directory server.

If your username / password work but no web page appears:
• Verify the Start URI for webtop server1_webtop is http://172.16.20.1.

Access Policy Logs and Reporting

28. While still logged in, navigate to Access Policy : Manage Sessions to see your active session.
29. Also explore what can be monitored using the BIG-IP Dashboard by selecting Access Policy : Dashboard.
30. We will use Manage Sessions throughout the rest of the course.

Lab 2.2 — Configuration Backup

Lab Objective:
• Create a backup archive

Estimated time for completion: 5 minutes

Save the Configuration

1. From the Navigation pane, expand the System section.
2. Either select Archives and click Create, or hover over Archives and click the plus (+) sign on the flyout menu.
3. In the General Properties section, enter the following:

   File Name      studentX_labs1-2
   Encryption     Disabled
   Private Keys   Include
   Version        BIG-IP Version (read only)

4. Click Finished, and when the backup is complete, click OK.
5. Select the backup you just created (click on the file name).
6. Click Download: studentX_labs1-2.ucs to save a copy to your desktop.
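As an added example, not part of the lab and not an F5 tool: the Manage Sessions table you looked at in step 28 exists only in the Configuration utility, but its columns can be copied into a plain list and reviewed offline. The Tcl script below (Tcl is the language APM uses for branch rules; run this one with tclsh on an administrator's workstation, not on the BIG-IP) applies two limits to such a table: sessions per logon name (the same idea as the Max Sessions Per User setting in the access profile, covered in Chapter 3) and one client address presenting several different logon names, which is a common reason to terminate sessions "immediately for further investigation" as the lesson puts it. It prints the session IDs an administrator would then select under Kill Selected Sessions. Every row, session ID, address and status value is constructed; the limits of 2 are assumptions.

```tcl
#!/usr/bin/env tclsh
# Added example, not code from the training guide or from F5: offline review
# of a Manage Sessions table against two limits, listing sessions to kill.
# Columns follow the guide's table: Status, Session ID, Logon, Client IP,
# Start Time, Expiration, Bytes In, Bytes Out. All rows are constructed.

set sessions {
    {established 0a1b2c3d student1 10.10.1.50 2012-06-27T12:40:00 2012-06-27T13:40:00 52310 91822}
    {established 1b2c3d4e student1 10.10.1.50 2012-06-27T12:42:00 2012-06-27T13:42:00 1220 3400}
    {pending     2c3d4e5f student1 10.10.1.77 2012-06-27T12:43:00 2012-06-27T12:48:00 0 0}
    {established 3d4e5f60 student2 10.10.1.60 2012-06-27T12:41:00 2012-06-27T13:41:00 88001 120450}
    {pending     4e5f6071 student3 10.10.1.99 2012-06-27T12:44:00 2012-06-27T12:49:00 0 0}
    {pending     5f607182 student4 10.10.1.99 2012-06-27T12:44:10 2012-06-27T12:49:10 0 0}
    {pending     60718293 student5 10.10.1.99 2012-06-27T12:44:20 2012-06-27T12:49:20 0 0}
}

# Count sessions per logon name (column 3 of each row).
proc sessions_per_user {rows} {
    set counts [dict create]
    foreach row $rows {
        dict incr counts [lindex $row 2]
    }
    return $counts
}

# Count the distinct logon names seen from each client IP.
proc logons_per_ip {rows} {
    set seen [dict create]
    foreach row $rows {
        lassign $row status id logon ip
        dict lappend seen $ip $logon
    }
    set result [dict create]
    dict for {ip logons} $seen {
        dict set result $ip [llength [lsort -unique $logons]]
    }
    return $result
}

# Return {sessionID reason} pairs for every session that violates a limit.
proc sessions_to_kill {rows maxPerUser maxLogonsPerIp} {
    set perUser [sessions_per_user $rows]
    set perIp   [logons_per_ip $rows]
    set kill {}
    foreach row $rows {
        lassign $row status id logon ip
        set userCount [dict get $perUser $logon]
        set ipCount   [dict get $perIp $ip]
        if {$userCount > $maxPerUser} {
            lappend kill [list $id "$logon has $userCount sessions (limit $maxPerUser)"]
        } elseif {$ipCount > $maxLogonsPerIp} {
            lappend kill [list $id "$ip used by $ipCount different logons (limit $maxLogonsPerIp)"]
        }
    }
    return $kill
}

# With the constructed rows and limits of 2, student1's three sessions and the
# three different logons from 10.10.1.99 are listed.
foreach entry [sessions_to_kill $sessions 2 2] {
    lassign $entry id reason
    puts "kill $id: $reason"
}
```

The script only reports; killing the sessions is still done in the Manage Sessions screen, which is deliberate so that the decision stays with the administrator and is recorded in the audit log described at the start of this chapter.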
Chapter 3 — APM Access Policies & Profiles

Access Policies Overview

Lesson Objective: During this lesson, you will learn the basic parts of Access Policies and how to configure them.

About Access Policies

In an access policy, you define the criteria for granting access to various servers, applications, and other resources on your network. Using an access policy, you can define a sequence of checks that enforce the required level of security on a user's system before the user is granted access to servers, applications, and other resources on your network. An access policy can also include authentication checks, to authenticate a user before the user is granted access to the network resources.

With an access policy you can perform four basic tasks:

• Collect information about the client system
  You can use the access policy to collect and evaluate information about client computers. For example, you can check that the user is operating from a company-issued computer, what antivirus software is present on the machine, what operating system the computer is running, and other aspects of the client configuration. This is accomplished using both client-side checks and server-side checks in the access policy.

• Use the authentication action to verify client security against external authentication servers
  The access policy allows you to check and evaluate authentication against an external authentication database or a certificate, to make sure the client system recognizes the user.

• Retrieve the user's rights and attributes
  You can use the access policy to retrieve extended information from authentication servers, including LDAP or Microsoft Active Directory attributes, and use the retrieved information to assign different resources.

• Grant access to resources
  With the access policy, you assign a network access resource after the client is authenticated.
Understanding Access Policy Items

An access policy is made up of five kinds of access policy items. These are:

• A start point
• One or more actions
• Branches
• Macros and macrocalls
• One or more endings

Understanding the Access Policy Start Point

Every access policy begins at a start point. In the visual policy editor, this is a green rectangle with an angled right side, labeled Start, that has one fallback branch connected to it. You build the access policy starting on this fallback branch.

[Figure: An access policy Start point]

Understanding Access Policy Actions

An action performs a specific function in an access policy. These functions include client checks, authentication checks, and other access policy functions. In the visual policy editor, the action appears as a rectangle surrounded by a single line in the access policy, with one branch entering it on the left and one or more branches exiting on the right. If the action requires configuration, a red asterisk appears to the left of the action, and the name of the action appears in italics. In the illustration below, the RADIUS action is properly configured, and the Resource Assign action requires configuration.

[Figure: Two actions, one unconfigured (denoted by the red asterisk at top left), in the visual policy editor; branches labeled fallback and Successful]

Understanding Available Actions

The Access Policy Manager includes a number of pre-defined actions. You can see the available actions in the visual policy editor when you click the Add Item button (+), which is activated by positioning the cursor along the action's rule branch. The Add Item popup screen opens as a floating popup on top of the visual policy editor.
To see tables of all the actions, view the Configuration Guide for BIG-IP APM Access Policy Manager on AskF5.

Access Policy Branches

Lesson Objective: During this lesson, you will learn how to configure branches within Access Policies.

Understanding Access Policy Branch Rules

A branch rule evaluates the result of an access policy action, findings about a client system, or another access policy item. The outcome of the evaluation of a branch rule grants or denies access, or continues on to the next action. The order of branch rules in an access policy determines the flow of action.

In an access policy, you use actions for which a set of branch rules is already defined. You can add branch rules to an action, or create new branch rules to test for a specific condition. You can use empty actions to create custom actions, and add your own branch rules to them. The ending is the last branch rule applied. By default, if the user's system does not meet the access policy requirements, the Access Policy Manager denies the user access. You can change this outcome by changing the access policy ending, and by modifying branch rules to check for different criteria.

A branch rule uses data from variables returned by actions to determine user access criteria. When you create a new action, the visual policy editor automatically creates a set of branch rules. The last rule in this set is the fallback branch rule. It cannot be moved. It governs all cases that do not satisfy a preceding branch rule. The following figure shows the flow of a branch rule-checking operation.

[Figure: Internal process of an action (start of action, rules evaluated in order, fallback)]

Viewing Rules

To view a predefined branch rule, you must first add an action to the access policy.
The following example describes how to add a predefined action (Client Cert Inspection) to an access policy, then how to view the underlying rule.

Note: You cannot view the predefined branch rules for every action.

To Add a Client Cert Inspection Action and View the Rule

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If the Authentication category is not expanded, click the plus sign (+) to expand it.
5. Select Client Cert Inspection and click Add Item to add the action to the access policy. The Client Cert Result action popup screen opens.
6. Click the Branch Rules tab. Under the name Successful, you see the text Expression: Client Certificate is valid, and then a change link to change the expression.
7. Click change. The Expression popup screen opens.
8. Click the Advanced tab.
9. The rule expression for the client cert result action is displayed, as seen below:

   expr { [mcget {session.ssl.cert.valid}]

   [Figure: A rule displayed in an access policy action]

Predefined Rules

When you configure an action, it creates a predefined rule. To further refine or customize a rule, you can use the expression builder to build a rule from a list of agents and conditions. You can edit a rule on the Rules tab by clicking change. You can edit rules in a rule builder on the Simple tab, where you choose from a simplified set of rules and the Tcl syntax is compiled automatically. You can also use the Advanced tab to edit the rule directly, using Tcl. Visual examples of the two editing methods are shown below.
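As an added example, not from the training guide and not F5's own product code: the expressions below are the kind you type on the Advanced tab when a predefined rule is not tight enough, and they also illustrate the Client OS branches described later in this chapter. Only session.ssl.cert.valid is shown on the page; session.ad.last.attr.memberOf (filled by a preceding AD Query action) and session.client.platform (filled by the Client OS action) are APM session variables assumed here, the group DN CN=VPN-Users,OU=Groups,DC=f5trn,DC=com is constructed for the lab's f5trn.com domain, and the platform value Win7 is an assumption.

```tcl
# Added example of custom branch rules for the Advanced tab (not from the
# guide). Each expr below is a complete rule for one branch; APM evaluates it
# with mcget reading session variables that earlier actions populated.

# Branch "VPN group" after an AD Query action: memberOf holds the user's
# group DNs. "contains" is APM's substring operator, the same one the
# Simple tab generates.
expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=VPN-Users" }

# Caveat: a bare substring also matches a group such as CN=VPN-Users-Test.
# Matching the full DN (constructed for the lab's f5trn.com domain) avoids
# granting the branch to the wrong group.
expr { [string match -nocase "*CN=VPN-Users,OU=Groups,DC=f5trn,DC=com*" [mcget {session.ad.last.attr.memberOf}]] }

# Branch "Win7" on a Client OS action: session.client.platform holds the
# platform string detected on the client (the value Win7 is assumed here).
expr { [mcget {session.client.platform}] == "Win7" }

# One branch that requires both conditions, so a group member on an
# unexpected platform falls through to the fallback branch and its ending.
expr { [mcget {session.client.platform}] == "Win7" && [mcget {session.ad.last.attr.memberOf}] contains "CN=VPN-Users" }
```

Each expression replaces the text of one branch rule; the fallback branch needs no expression because it catches everything the preceding rules did not match, which is why the Deny ending normally sits on fallback.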
   Simple tab:    Client Certificate is valid   (OR, Add Expression)
   Advanced tab:  expr { [mcget {session.ssl.cert.valid}]

[Figure: Simple (top) and Advanced (bottom) rule editing]

Understanding Access Policy Branches

In the visual policy editor, you connect access policy items to other items with branches. A branch represents one of the following three things:

• The result of the evaluation of an access policy rule
  Most actions have branches that represent the evaluation of rules. These branches might be called Successful, or they might have a more descriptive name. In many cases, a rule branch is a positive result of the evaluation of an action (for example, Active Directory authentication has passed). A rule branch can also be an informational response to the evaluation of an action (for example, the client operating system is Windows Vista®).

• An outgoing terminal from an access policy macro
  When you configure an access policy macro, the rule branches inside the access policy macro have endings called terminals. These terminals do not function like access policy endings; instead, they become branches in the access policy to which the macrocall is added, representing the outcomes of actions inside the macrocall.

• A fallback rule
  A fallback rule is typically a negative response, if the action has successful branches. Some fallback rules are the result of the action returning no match or a failure for the access policy check.
  Fallback rules are also the result of actions that have no positive or negative result. For example, the Logon Page action has no positive or negative result, because it only sends a logon page to the client, so the result branch of a logon page is always a fallback rule branch.

[Figure: Client OS, an action with multiple branches]

Access Policy Endings

Lesson Objective: During this lesson, you will learn how to configure endings within Access Policies.

Introducing Access Policy Endings

Access policy endings indicate the final outcome of a branch of the access policy. The Access Policy Manager provides the following endings: Allow, Deny, and Redirect. In the visual policy editor, endings appear as a rectangle with a cut-out left edge. To alter the settings of these endings, choose the Edit Endings option beside the policy name.

[Figure: Access policy endings]

[Figure: Access policy Edit Endings (Allow, Redirect, Deny; Customization)]

Understanding the Allow Ending

In an access policy, the Allow ending is a successful ending that allows the connection defined by the access policy branch. Configure your access policies so that only users who meet your security criteria reach an Allow ending. The Allow ending performs final validation of assigned resources, the webtop, and any resources added to the access policy branch, and allows the session to start.

Note: You must assign a valid network access or portal access resource and a webtop for your users, unless you are using the access policy to control access to a local traffic virtual server, in a web application access management scenario.

Understanding the Deny Ending

In an access policy, the Deny ending denies the user access to the resource, and ends the user's session.
After the user reaches a Deny ending, all session information collected during access policy operation is deleted from the client. You can use this ending at the ends of failed rule branches. When a user reaches a Deny ending, the user sees an access denied error message web page.

Understanding the Redirect Ending

In an access policy, the Redirect ending sends the user to a URL that you specify. Use this ending when a certain access policy outcome does not result in a webtop ending, but you want to send the user to another internal or external URL. For example, you might send a user to the web site of an antivirus vendor if an antivirus action determines that the user's virus definitions are older than the access policy allows. To close the Access Policy Manager session after the redirect, select the Close session after redirect check box.

Note: You must type the redirect URL with the leading http:// or https://.

Configuring Access Policies and Profiles

Lesson Objective: During this lesson, you will learn how to configure Access Profiles.

Creating an Access Profile

In the BIG-IP® Access Policy Manager™, an access profile is the profile that you select in a virtual server definition to establish a secured connection to a resource. You can also configure an access profile to provide access control and security features to a local traffic virtual server hosting Portal Access applications.

The access profile contains:
• Access policy timeout and concurrent user settings
• Accepted language and default language settings
• Single Sign-On information and domain cookie information for the session
• Customization settings for the access profile
• The access policy for the profile

Understanding Access Profile Settings

On the Access Profile Properties screen, you use the Settings section to configure timeout and session settings.
You must select the Custom check box to configure the settings in this section.

• Inactivity Timeout: Specifies the inactivity timeout for the connection, in minutes. If there is no activity between the client and server within the specified threshold time, the system closes the current session. By default, the threshold is 0, which specifies that as long as a connection is established, the inactivity timeout is disabled. However, if an inactivity timeout value is set, the inactivity timeout is reset whenever server traffic exceeds the specified threshold. In addition, for Portal Access, you can customize when the warning message appears to the user prior to session timeout by using the Session Timeout Guard Time setting in the webtop customization settings. The user can click a link inside the message window to reset the inactivity timeout.

• Access Policy Timeout: This is designed to keep malicious users from mounting a DoS attack on your Secure Access Manager. The timeout requires that a user who has followed through on a redirect must reach the webtop before the timeout expires. The default value is 300 seconds.

• Maximum Session Timeout: Specifies the maximum lifetime of one session, in minutes. The maximum lifetime is measured from the time a session is created to when the session terminates. By default, it is set to 0, which means no limit. When you configure this setting, there is no way to extend the session lifetime, and the user must log out and then log back in to the server when needed.

• Max Concurrent Users: Specifies the number of sessions per access profile. The default value is 0, which represents unlimited sessions. Note that this field is read-only for application editors; all other administrative roles can modify this field.

• Max Sessions Per User: Specifies the number of sessions per user. The default value is 0, which represents unlimited sessions.
  Note that this field is read-only for application editors; all other administrative roles can modify this field.

Understanding Configuration Settings

On the Access Profile Properties screen, you use the Configurations section to set Single Sign-On, cookie behavior, and logout behavior, with the following settings:

• SSO Configuration: To add an SSO configuration for Single Sign-On, select the configuration from the list.

• Domain Cookie: Specifies a domain cookie to use with a web application access management connection. If you specify a domain cookie, then the line domain=specified domain is added to the MRHSession cookie. By default, the Secure Cookie option is enabled. This adds the secure keyword to the session cookie. If you are configuring a web application access management scenario with an HTTPS virtual server for authentication, and using an HTTP local traffic virtual server for applications, clear this check box.

• Logout URI Include: Specifies a list of logoff URIs that the access profile sends to the pool member after logoff. This feature is for use with web application access management connections. In the URI box, type a logoff URI to add, then click the Add button. In the Logout URI Timeout box, type the number of seconds to delay before sending the logoff URI to the application.

Creating an Access Profile

To Create an Access Profile

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. Click Create. The New Access Profile screen opens.
3. In the Name box, type a name for the access profile. The Access Profile Properties screen appears.
4. To change settings for Inactivity Timeout, Access Policy Timeout, Maximum Session Timeout, and Max Concurrent Users, select the Custom check box, then type numbers for the settings you want to change.
5. To select a Single Sign On (SSO) configuration for the access policy, from the SSO Configuration list, select the SSO configuration.
6. (Optional) In the Domain Cookie box, type the domain cookie.
7. Select the Secure Cookie check box to add the secure keyword to the domain cookie. If the access policy is configured for an HTTP virtual server, clear this check box.
8. Configure the language settings for the access profile. See Customizing Access Profile Languages, below, for more information.
9. Click Finished when the configuration is complete.

Applying an Access Policy

After you create or change an access policy, the link Apply Access Policy appears in yellow at the top left of the BIG-IP Configuration utility screen. You must click this link to activate the access policy for use in your configuration.

To Apply Access Policies

1. Click the Apply Access Policy link. The Apply Access Policy screen appears, showing a list of access policies that have been changed.
2. Select the check boxes for one or more access policies to apply, and click the Apply Access Policy button. By default, all access policies that are new or changed are selected. After you apply the access policy, the Access Profiles List screen is displayed.

Customizing Access Profile Languages

Typically, the client's web browser has language preferences configured, which list display languages in order of preference. Access Policy Manager detects this order, compares it with the languages configured in the access profile, and presents customized pages and messages in the user-specified language, if that language exists in the access profile. If the user-specified language does not exist in the access profile, the user sees pages in the access profile's default language.

In the access profile, you can configure the list of accepted languages in which the Access Policy Manager provides messages and customized elements. You can also select a default language for the access profile.
The default language is used to provide messages and customized elements to users whose browsers are not identified with a language on the list of accepted languages. Though you can specify any custom language strings, most browsers present standard language strings. To see a list of these language strings, refer to http://www.iana.org/assignments/language-subtag-registry.

To Customize Access Profile Languages

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen appears.
2. In the Access Profiles List, click the name of the access profile you want to edit.
3. Configure the access profile language options as follows:
   • To add a language string to the list of accepted languages, in the Language Settings area, in the String box, type the string for the language, and click Add.
   • To edit a language string, from the Accepted Languages list, select the string and click Edit.
   • To delete a language string, from the Accepted Languages list, select the string and click Delete.
   • To set the default language, from the Default Language list, select the language.
4. Click Update to update the language settings.

Creating an Access Policy

In an access policy, you define the criteria for granting access to various servers, applications, and other resources on your network. You create an access policy by creating an access profile, which automatically creates a blank access policy. Every access profile has an access policy associated with it. You configure that access policy through the access profile.

Starting the Visual Policy Editor

To view and edit the access policy associated with an access profile, you use the visual policy editor, a browser-based editor for access policies.

To Start the Visual Policy Editor

1. On the Main tab of the navigation pane, expand Access Policy and click Access Profiles.
   The Access Profiles List screen opens.
2. In the Access Policy column, click Edit for the access policy you want to edit. The visual policy editor opens in a new window or new tab, depending on your browser settings. You can right-click and select to open in a new tab or new window if you want to choose the destination. If this is a new access policy, an unconfigured policy appears.

You can also open an access policy from the Access Profiles List screen by clicking the access profile name, then clicking the Access Policy tab, then clicking the Edit link.

Using Branch Rules

In the visual policy editor, policy branch rules follow each policy action. Typically, an action is followed by both a successful branch rule and a fallback branch rule. Some actions, like the Logon action, are followed by only one branch rule. Some actions are followed by multiple branch rules.

In actions where there is only one result branch rule, that result is labeled Fallback. In actions where there is a failed result and a successful result, the visual policy editor labels the successful branch rule Successful and the failed branch rule Fallback. Some actions have multiple result branch rules and no successful branch. For example, the Client OS action in the following illustration has multiple branch rules, and each branch rule is named for the operating system to which it corresponds, with a fallback branch for any client operating system that does not match a specific branch rule. This allows you to assign actions to any branch rule, and separate endings to any branch rule.

[Figure: Policy actions with various result branch rules]

To Add Actions to a Branch Rule

Click the plus sign on the branch rule where you want to add the action.
When you place your cursor over the plus sign, it turns blue and appears between parentheses (+) to indicate that you can click it.

Configuring a Basic Access Policy

To configure a basic access policy, you need to complete the following tasks:
• Create an access policy.
• Add general purpose actions, client side checks, and server side checks, as needed.
• Add authentication.
• Assign resources.
  Note: You must assign a resource group that contains a network access resource, or the access policy will not function.
• Finish the access policy.

Opening an Access Policy

When you create an access profile, the system automatically creates an associated, blank access policy.

To Open an Access Policy

1. On the Main tab of the navigation pane, expand Access Policy and select Access Profiles. The Access Profiles List screen opens.
2. Click Edit in the Access Policy column of the access policy you want to edit. The visual policy editor opens, displaying the access policy.

[Figure: A new, unconfigured access policy: Access Policy: /Common/new-profile, Edit Endings (Endings: Allow, Deny [default]), with a Start point and a fallback branch]

Adding Actions to an Access Policy

When you first open a new access policy in the visual policy editor, the configuration includes only a start point, a fallback branch rule, and a default ending.

To Add an Action to an Access Policy

1. On the Main tab of the navigation pane, expand Access Policy and click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a branch rule of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If the action category you want to add is not expanded, click the plus sign (+) next to the action type.
5. Select an action to add to the access policy by clicking the option.
6. Click Add Item to add the action to the access policy. The action popup screen opens.

Using Policy Endings

Access policy endings are the end result of a branch rule in an access policy. With access policy endings, you can give users access to the network access connection, deny access to users, or redirect users to another URL. There are three types of endings:

• Allow: Starts the SSL VPN session and loads the network access or portal access webtop, or the full webtop, for the user. (Full webtops are covered in a later module.)
• Deny: Disallows the SSL VPN session and shows the user a Logon Denied web page.
• Redirect: Transfers the user to the URL specified in the ending configuration.

Configuring Access Policy Endings

In the visual policy editor, you can create and delete access policy endings, change any ending in the access policy to another ending, customize endings, and set a default ending.

To Create an Access Policy Ending

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. Near the top of the visual policy editor, click the Edit Endings button. The Edit popup screen opens.
4. At the upper left, click the Add Ending button. The new ending appears, highlighted in blue.
5. In the Name box, type a name for the new ending.
6. Select the type of ending (webtop, logon denied, or redirect):
   • Allow: Specifies that the user has access to the network access connection or portal access application, or the full webtop, as defined in the access profile and access policy.
* Redirect: Specifies a URL to which the access policy redirects the user. Type the redirect URL in the box provided.
* Deny: Specifies that the user is not allowed access to the network access resource, and presents a Denied page.
7. To change the color of the ending for better visual clarity in your access policies, click the color square, select a color, and click Update.
8. Click Save.

To Change an Access Policy Ending
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. Click an access policy ending.
The Select Ending popup screen opens.
4. On the Select Ending popup screen, select an ending for the branch rule.
5. Click Save.

To Set a Default Access Policy Ending
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. Click the Edit Endings button.
The Endings popup screen opens.
4. Click the Set Default tab.
5. Select the default access policy ending you want to use, and click Save.

Customizing the Deny Access Policy Ending

The Deny access policy ending provides several customized messages that you can configure for the access policy. These include text messages for the logout screen. You can also configure these messages for different languages that you have defined for the access policy.
To Customize the Deny Access Policy Ending
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the corresponding Access Policy column.
The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. Click the Edit Endings button.
The Endings popup screen opens.
4. On the Deny ending you want to customize, click the plus sign (+) next to Customization.
The popup screen displays additional setting options.
5. Customize the text for the logon denied settings by typing the text in the corresponding boxes.

Setting: Description
Language: Specifies the language for which you are configuring Deny messages.
Error Title: Specifies the text that indicates that the session could not start.
Error Message: Specifies a more specific error message that follows the error title, which indicates that a problem may have occurred during access policy evaluation.
New Session Text: Specifies the text that precedes the link a user clicks to start a new session.
New Session Link: Specifies the text label for the hypertext link to start a new session, such as "click here". This link immediately follows the New Session Text.
Session ID Title: Specifies the text that precedes the session number when an error occurs.
ACL Denied Page Retry Link Message: Specifies the link text that appears when access to a page or site is denied due to an ACL restriction.
Logout Link Message: Specifies the link text that the user can click to return to logout.

6. Click Save.

Applying an Access Policy Configuration

To complete the configuration of any access policy, and make the access policy active on the server, click the Apply Access Policy link at the top of the screen.
Understanding Available Actions and Categories

When you configure access policies, you select actions from the five categories that the visual policy editor lists in the Add Item popup screen.
* General Purpose
* Authentication
* Client Side Checks
* Client Side Actions
* Server-Side Checks
In addition, a sixth category, labeled Macrocalls, appears in the Add Item popup screen if you configure one or more macros in the access policy.

Understanding General Purpose Checks

General purpose checks are used for general policy actions, like logon pages, and assignment of resources, variables, and VLANs. General purpose checks also include structural actions that can be used to further refine the flow of access policies.

Understanding Authentication Actions

Authentication actions are used to add authentication with an authentication server or with a client certificate. Microsoft® Active Directory® and LDAP authentication actions can also be used to perform queries of the Active Directory or LDAP databases.

Understanding Client-Side Checks

Client-side checks are checks that occur on the client computer, which are performed by ActiveX or other browser plugins. The following illustration is an example of how client-side checks appear in the visual policy editor.

[Figure: Client-side checks in an access policy (Success / Fallback branches)]

Understanding Client-Side Actions

Client-side actions start a particular software state on the client. The Access Policy Manager uses information configured in the client-side actions to install software that configures the system. The systems are returned to their previous states after the secure access session ends.

Understanding Server-Side Checks

Server-side checks occur on the Access Policy Manager server. The Access Policy Manager inspects the request headers from the client to determine the UI mode and the client operating system.
A server-side check can also be used to determine whether a client has the ability to run client-side checks.

Using Webtops

Lesson Objective: During this lesson, you will learn how to configure a webtop.

About Webtops

A webtop is a construct in Access Policy Manager that serves as an endpoint to which resources are attached. There are three types available: a network access only webtop, a portal access webtop, or a full webtop. Network Access and Portal Access webtops behave transparently; the Full webtop is visible to the user at successful completion of the policy.
* A network access webtop provides a webtop for an access policy branch to which you assign only a network access resource.
* A portal access webtop provides a webtop for an access policy branch to which you assign only portal access resources.
* A full webtop provides an access policy ending for an access policy branch to which you can optionally assign portal access resources, app tunnels, remote desktops, and webtop links, in addition to a network access tunnel. The full webtop then provides your clients with a web page from which they can choose whichever resource to start. We will look at full webtops in Module F.

Using Webtops

When a user is allowed access by an access policy, that user is typically assigned a webtop. A webtop is the successful end point for a portal access application or network access connection. A portal access webtop also provides a customizable screen for the user that includes links for working with the portal access applications, and displays messages relating to the connection.
You assign a webtop to the user session in a resource assign action in the access policy. Make sure that you assign the correct webtop type: a network access webtop must be assigned with a network access resource, and a portal access webtop must be assigned with a portal access resource.
Note: Full webtops are discussed in a later module.

Configuring a Webtop for Portal Access Only

A webtop allows your users to connect and disconnect from the portal access connection.
1. On the Main tab, click Access Policy > Webtops.
2. Click Create to create a new webtop.
3. Type a name for the webtop you are creating.
4. From the Type list, select Portal Access.
5. In the Portal Access Start URI field, specify the URI that the webtop starts.
6. Click Finished.
The webtop is now configured, and appears in the list. You can edit the webtop further, or assign it to an access policy.
To use this webtop, it must be assigned to an access policy with a full resource assign action or with a webtop and links assign action.

Adding a Webtop to an Access Policy

Before you start this task, you must create an access profile.
Add the webtop and webtop links assign action to an access policy to add a webtop and webtop links to an access policy branch. Webtop links are displayed on a full webtop.
1. On the Main tab, click Access Policy > Access Profiles.
The Access Profiles List screen opens.
2. On the Access Profiles List screen, click the name of the access profile for which you want to edit the access policy.
The Access Profile properties screen opens for the profile you want to edit.
3. On the menu bar, click Access Policy.
The Access Policy screen opens.
4. Click Edit Access Policy for Profile profile_name.
The visual policy editor opens the access policy in a separate window or tab.
5. On an access policy branch, click the plus symbol (+) to add an item to the access policy.
6. From the General Purpose section, select Webtop and Links Assign and click the Add Item button.
This adds the action to the access policy, and opens a popup assignment screen.
7. In the Name box, type a name for the access policy item. This name is displayed in the action box in the access policy.
8. On the Webtop & Webtop Links Assignment screen, next to the type of resource you want to add, click the Add/Delete link.
Available resources are listed.
9. To assign resources, select the options you want.
10. Click the Save button to save changes to the access policy item.
You can now configure further actions on the successful and fallback rule branches of this access policy item.
Click the Apply Access Policy link to apply and activate your changes to this access policy.

Exporting and Importing Access Profiles

Lesson Objective: During this lesson, you will learn how to export and then import access policies.

Overview

You can export any access profile, and later restore that access profile, or import it to another Access Policy Manager. Exported profiles are saved as files with the extension .conf.
When you import an exported profile, you select a .conf file. You also specify a New Profile Name. By default, Import Profile creates new objects, such as AAA servers, when a profile is imported. This is useful when the profile is imported to a new machine. This behavior may be disabled by selecting Reuse Existing Objects, which is useful when the profile is imported to the original machine. A Copy option is also available. It copies an existing profile to the same machine and reuses the existing objects.

To Export an Access Profile
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. Locate the access profile you want to back up. In the Backup Profile column, click the Export link.
You are prompted to save a .conf file.
3. Specify a location and save the file.

To Import an Access Profile
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles.
The Access Profiles List screen opens.
2. Click the Import button.
The Import Profile screen opens.
3. In the New Profile Name box, type the new imported access policy name.
4. Next to the Config File Upload box, click Browse.
5. Select a .conf file to import and click the Open button.
6. Click the Reuse Existing Objects option if importing to the original box.
7. Finally, click Import and the file is imported to the system.

Lab 3.1 - Access Policies

Lab Objectives:
* Add other branches and endings to your Access Policy
* Test the new access policy and verify functionality
Estimated time for completion: 25 minutes
Lab Requirements:
* IP and port addresses available for use on BIG-IP APM that can be reached by the clients

Backup Existing Access Policy Server1
1. Open a browser session to your BIG-IP APM web config utility, http://10.10.X.31.
2. From the Navigation pane, expand the Access Policy section.
3. Select Access Profiles and server1 should be listed.
4. Click the link to Export under server1. Depending on your browser, you may be prompted to specify where the .conf.tar.gz file should be saved on your PC. Unpack the export file and inspect the contents. Note the empty files used for customization and the number of lines of configuration needed for the access policy.
5. This file may be used to restore an access policy on its originating BIG-IP or to copy the access policy to another BIG-IP.

Change the Access Policy
6. From the Navigation pane, expand the Access Policy section. Select Access Profiles and server1 should be listed.
7. Click the Edit link for server1 and you should be in the Visual Policy Editor (VPE).
8. Click the link for AD_Auth and notice that Max Logon Attempts Allowed is set to 3. Change Max Logon Attempts Allowed to 2 and then click Save.
9. Click the Close button in the upper right corner of the screen to get out of the Visual Policy Editor for server1.
10. Notice two things in your APM browser session: 1) there is a link in the upper left corner to Apply Access Policy, and 2) the server1 Access Policy should have a yellow flag next to it. Note: you may have to refresh your browser to see the yellow flag. These both mean the server1 Access Policy has changed and you need to apply the changes before they will take effect. Click the checkbox next to the yellow flag and click the Apply Access Policy link button to apply the Access Policy. Verify the flag has turned green.

Test the Change to the Access Policy
11. Test your virtual server again, https://10.10.X.101, by clicking the link to open a new session. Test to make sure you are now only allowed 2 invalid logon attempts this time.

Add Two Webtops
12. From the Navigation pane Access Policy section, select Webtops.
13. The server1 access profile uses the server1_webtop, but we want to create two new webtops, so click the Create button.
14. Type server1_ssl_webtop in the Name field, select Portal Access from the Type pull down menu, the Link Type as Application URI, and enter https://172.16.20.1/ in the Portal Access Start URI field, then click Finished.
15. Click the Create button again, type server1_unprotected_webtop in the Name field, select Portal Access from the Type pull down menu, the Link Type as Application URI, and enter http://172.16.20.1/unprotected.html in the Portal Access Start URI field, then click Finished.
16. Navigate to Access Policy::Portal Access, click the server1_pa_res link and change the Application URI to https://172.16.20.1.
17. Click Update.

Modify Access Policy Server1
18. Get back into the Visual Policy Editor for server1 by clicking the Edit... link.
19. Select the link for Full Resource Assign on the Successful leg of AD Auth.
20. Click the link for Add/Delete, select the Webtop tab (not the Webtop Links tab), then select the radio button for /Common/server1_ssl_webtop, then click Update, and finally the Save button.
21. Now click the plus sign (+) to the left of the Logon Page box.
22. Select the Endpoint Security (Client-Side) tab.
23. Select the radio button for Windows File and then click the Add Item button.
24. Click the Add new entry button, enter c:\https.txt in the Filename field and then click the Save button.
25. Click the plus sign (+) on the Fallback leg after Windows File check.
26. Select the Assignment tab.
27. Select the radio button for Advanced Resource Assign and then click the Add Item button.
28. Click the Add new entry button, then the link for Add/Delete.
29. Select the Webtop tab, then select the radio button for /Common/server1_unprotected_webtop, then the Update button, and then the Save button.
30. Last, the Fallback leg of the Windows File Check should be set to Allow rather than Deny. Click the link for that Deny ending, change it to Allow and click Save.
31. Click the Close button in the upper right corner of the Visual Policy Editor.
32. Click the link to Apply Access Policy.

Test the Modified Server1 Access Policy
33. Test https://10.10.X.101 both with and without the file c:\https.txt present on your PC. Notice you are prompted with a security alert that site 10.10.X.101 is trying to inspect your system and it is not one of your trusted sites. Allow this site to inspect your system and notice there is a File Check message displayed in the browser.
34. If the file c:\https.txt is not present on your system then you should see a page that says, along with other things, "Unprotected Page".
35. Also, if you haven't already, make sure to test https://10.10.X.101 with the file present but entering an invalid Username / Password combination twice. You should not be allowed on.

Modify Access Policy Server1
36. Get back into the Visual Policy Editor for server1 by clicking the Edit link.
37. Click the Edit Endings button in the upper left corner.
38. Click the Add Ending button, change the Name from Ending 1 to AskF5 redirect, click the radio button for Redirect, enter http://support.f5.com in the Url field, and then click the Save button.
39. Click the Deny ending on the Fallback leg after AD Auth, click the radio button for AskF5 redirect and then click the Save button.
40. Click the link to Apply Access Policy.
41. Click the Close button in the upper right corner of the Visual Policy Editor.
42. With the file c:\https.txt present on your PC, access https://10.10.X.101 again.
43. Enter an invalid Username / Password combination twice.
44. Now, rather than being logged off, your browser session should be redirected to AskF5. If you do not have Internet access, you will see the browser redirected to support.f5.com, but the web page will be unavailable.

Lab 3.2 - Configuration Backup

Lab Objective:
* Create a backup archive

Save the Configuration
1. From the Navigation pane, expand the System section.
2. Either select Archives and click Create, or leave your mouse over Archives and then click the plus (+) sign on the flyout menu.
3. In the General Properties section, enter the following:
File Name: studentX_labs1-3
Encryption: Disabled
Private Keys: Include
4. Click Finished, and when the backup is complete, click OK.
5. Select the backup you just created (click on the file name).
6. Click Download: studentX_labs1-3.ucs to save a copy to your desktop.

Chapter 4: APM Portal Access

Portal Access Overview

Lesson Objective: During this lesson, you will learn the concept of the APM Portal Access feature.

Introducing Portal Access

Portal Access enables end users to access internal web applications, like Lotus® iNotes® or Microsoft® Outlook® Web Access, with a web browser from outside the network.
With Portal Access, the BIG-IP Access Policy Manager communicates with back-end servers, and rewrites the links in the web page so that further requests from the client browser come back to the Access Policy Manager. The advantage is that the client computer requires no client software other than a browser application.
Portal Access provides clients with secure access to internal web servers, such as Microsoft Outlook® Web Access (OWA), Microsoft SharePoint®, and IBM® Domino® Web Access (also known as Lotus® iNotes®). Using Portal Access functionality, you can also provide access to most web-based applications and internal web servers. The rewriting engine also supports rewriting complex JavaScript™. You can use features such as the web cache, minimal content rewriting mode, and others, to help refine compatibility and tune performance.
This method of access differs from connections configured for network access, which provide direct access from the client to the internal network. Network Access does not manipulate or analyze the content being passed between the client and the internal network. The Portal Access configuration gives the administrator both refined control over the applications that a user can access through Access Policy Manager, and content inspection for the application data.
The other advantage of Portal Access is security. Even if a workstation does not meet the security requirements for full Network Access, such a workstation can be passed by the access policy to certain required Portal Access resources, without allowing full network access. In a Portal Access connection, the client computer itself never communicates directly with the end-point application. That means that all communication is inspected at a very high level, and any attacks originating on the client computer fail because the attack cannot navigate through the links that have been rewritten by the Portal Access engine.
Introducing Portal Access Features and Operation

Portal Access policies provide secure access to intranet web applications. The application being accessed and the protocol being supported (HTTP and HTTPS) dictate how Portal Access features operate. The following figure shows the process that a Portal Access connection follows.
1. The user starts a secure connection with a web browser to the application URL.
2. The Access Policy Manager establishes a connection to the server and receives content from the server in the native application format.
3. The Access Policy Manager rewrites hyperlinks and URLs in the HTML page so they point to the virtual server IP address.
4. The Access Policy Manager sends the content back to the user's web browser over the connection.

[Figure: The Portal Access functionality of the Access Policy Manager]

Introducing Portal Access Support

You can use Portal Access to provide unified, secure access for one or more LAN internal web applications. The Access Policy Manager provides additional functionality to secure connections from client machines, such as public kiosks or PDAs, to ensure the security necessary to allow access to these web applications with a web browser.

Understanding Full Patching Mode

In full patching mode, Access Policy Manager primarily retrieves content from backend servers and rewrites content so it can be presented to a web browser, as if the content originated from the Access Policy Manager. The Access Policy Manager portal rewrites content for two reasons:
* To make intranet targets resolvable, no matter what the intranet host is, the request must go through the Access Policy Manager.
* To make all requests resolvable by the Access Policy Manager, Access Policy Manager unambiguously decides where to proxy the request.
In the Portal Access rewriting implementation, the string /f5-w- is prefixed to every HTML link or dynamic URL. This is commonly referred to as a mangle. This provides the required multiplexing behavior on a single Access Policy Manager. For example, assume content from a server contains a link whose visible text is Click Here. Access Policy Manager rewrites the link's URL with the /f5-w- prefix; the visible text Click Here is unchanged.
In addition to URLs, the Access Policy Manager handles cookies on the server to provide client features, but they are not passed to the client.

Understanding Minimal Patching Mode

You can use the minimal patching feature to allow only minimal rewriting of your Portal Access content. To use minimal patching, the following conditions must be met:
* The Portal Access must reside on a single server. The Access Policy Manager cannot process URLs for multiple servers when minimal patching is enabled.
* You must create a Local Traffic pool for that server, and select it as the default pool in the virtual server definition.
* You must configure the Portal Access with host * and port 0 (or any).
* You must configure the scheme any, not http or https.
In minimal patching mode, only HTML and CSS content is patched.
Note: In minimal patching mode, if your web application sets cookies, the cookie domain must match the virtual server domain.
Note: If your web application does not use SSL, do not configure the virtual server with the Server SSL profile serverssl.
You can configure minimal patching for two modes:
* Scheme Patching: Specifies a method of patching that replaces all HTTP scheme addresses with HTTPS scheme addresses.
* Host Patching: Specifies a method of patching where a host or multiple hosts, typically the actual application server host name, is replaced with another host, the Access Policy Manager virtual server. You can specify multiple hosts separated with spaces for host search strings.
The host replace string must be the Access Policy Manager virtual server IP address or fully qualified domain name (FQDN).

Understanding Proxy and Cache Functionality

You can use the Access Policy Manager Portal Access feature for the following operations:
* Rewrite of complex HTML, JavaScript, and CSS content
* Dynamic cache of rewritten content
* Minimal scheme and host patching
The Access Policy Manager uses a high-performance, full-content rewrite engine to handle complex HTML, JavaScript, and CSS. You can also enable a built-in dynamic cache, so that the Access Policy Manager does not have to repeatedly rewrite content for static objects such as HTML, JavaScript, and style sheets.

Understanding Portal Access Resource Items

Portal Access resource items are actual web applications that you add to a Portal Access configuration. The Portal Access resource list allows you to specify several web applications using IP addresses, host names, or networks, and then to group these resources under a common Portal Access name. It is also possible to configure every web application individually, with only one item on the Portal Access. Each Portal Access resource item specifies the web application location information and the properties for the web application. While the Portal Access configuration specifies the overall patching method for a web application access policy, for each separate Portal Access resource item you can specify a web location, and properties for compression, caching, SSO (single sign-on), session timeout, Home tab usage, and logging.

Understanding Portal Access Headers

In a Portal Access resource item in Advanced view, you can configure headers to send to the application server. Headers are sent as name-value pairs. To add a header, type the header name and value in the boxes next to the Header section, and click the Add button.
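The two rewriting modes described above (the /f5-w- mangle of full patching, and the host and scheme substitutions of minimal patching) can be illustrated with a small link rewriter. The following is an added example written for this guide, not F5's rewrite engine: the page states only that /f5-w- is prefixed to each link, so the way the origin (scheme://host:port) is encoded after the prefix here, as hex followed by "$$", is an assumption made for the example. The host names, the virtual server name vpn.example.test, and the sample HTML are all constructed.

```python
"""Illustrative Portal Access link rewriting (example code, not F5's implementation).

Full patching: every http/https URL is turned into a path on the APM virtual
server that still identifies the real origin, so a single virtual server can
multiplex many intranet hosts and unambiguously decide where to proxy.
Minimal patching: only host and scheme strings are substituted, no mangle.
"""
import re
from urllib.parse import urljoin, urlsplit

MANGLE_PREFIX = "/f5-w-"

# Constructed sample page as it would arrive from an intranet server.
BASE = "http://intranet.example.test/index.html"
SAMPLE_HTML = (
    '<a href="http://intranet.example.test/owa/">Mail</a>\n'
    '<img src="/images/logo.png">\n'
    '<a href="https://wiki.example.test:8443/page?id=1#top">Wiki</a>\n'
    '<a href="mailto:helpdesk@example.test">Help</a>\n'
)


def mangle_origin(scheme: str, netloc: str) -> str:
    """Encode scheme://host[:port] into the /f5-w- prefix (hex encoding is an assumption)."""
    return MANGLE_PREFIX + f"{scheme}://{netloc}".encode().hex() + "$$"


def full_patch_url(url: str, base: str) -> str:
    """Rewrite one link so the browser sends it back to the APM virtual server."""
    absolute = urljoin(base, url)          # relative links resolve against the page origin
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https"):
        return url                         # mailto:, javascript:, etc. are left alone
    path = parts.path or "/"
    query = "?" + parts.query if parts.query else ""
    fragment = "#" + parts.fragment if parts.fragment else ""
    return mangle_origin(parts.scheme, parts.netloc) + path + query + fragment


def demangle_url(request_path: str):
    """Proxy side: recover (scheme, netloc, path) from a mangled request path, or None."""
    match = re.match(r"^/f5-w-([0-9a-f]+)\$\$(.*)$", request_path)
    if not match:
        return None
    scheme, netloc = bytes.fromhex(match.group(1)).decode().split("://", 1)
    return scheme, netloc, match.group(2) or "/"


# href=, src= and action= attributes in single or double quotes.
ATTR_RE = re.compile(r'(\b(?:href|src|action)\s*=\s*)(["\'])(.*?)\2', re.IGNORECASE)


def full_patch_html(html: str, base: str) -> str:
    """Full patching mode: mangle every link-bearing attribute in the document."""
    return ATTR_RE.sub(
        lambda m: m.group(1) + m.group(2) + full_patch_url(m.group(3), base) + m.group(2),
        html,
    )


def minimal_patch_html(html: str, host_search: str, host_replace: str,
                       scheme_patch: bool = True) -> str:
    """Minimal patching mode: host patching (space-separated search hosts) and
    optional scheme patching (http -> https); no /f5-w- mangle is applied."""
    out = html
    for host in host_search.split():
        out = out.replace("://" + host, "://" + host_replace)
    if scheme_patch:
        out = out.replace("http://", "https://")  # "https://" contains no "http://", so it is safe
    return out


if __name__ == "__main__":
    print("--- full patching ---")
    print(full_patch_html(SAMPLE_HTML, BASE))
    print("--- minimal patching ---")
    print(minimal_patch_html(SAMPLE_HTML, "intranet.example.test wiki.example.test",
                             "vpn.example.test"))
```

Running the block shows why full patching is required when more than one intranet host sits behind the virtual server: each mangled path carries its own origin, so demangle_url can route the request without guessing, whereas minimal patching collapses every host onto the single replace string and therefore only works with one backend server, exactly the restriction the text lists.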
Understanding Portal Access Compression

You can define compression functionality for a Portal Access resource item on the Portal Access Resource Item Properties screen.
The following options are available for Compression:
* No Compression: Portal Access generated content is not compressed. This requires increased bandwidth, and one result is slower load times for some application types. However, it also results in less usage of system resources.
* GZIP Compression: Uses the gzip compression utility to substantially reduce the size of generated content. The most noticeable improvement in speed occurs when accessing pages that contain large Java classes or other large elements (images, scripts, and so on), but not when accessing pages that reference Java packages (.jar files), class archives (.zip files), or compressed images (.jpg, .png, and compressed TIFF files). For iNotes and other Java-based web mail packages, enabling compression vastly improves the speed with which pages are loaded.
Note: To enable compression, configure the Portal Access virtual server HTTP profile with compression enabled.

Understanding Portal Access Caching

You can define client-side caching functionality for a Portal Access resource item on the Portal Access Resource Item Properties screen. To access the screen, in the navigation pane, expand Access Policy, click Portal Access, and click a resource item.
Note: In any caching scenario, Access Policy Manager caches only those objects that the remote server designates can be cached.
The following options are available for Client Cache:
* Default: Takes the client cache settings from the rewrite profile. In the rewrite profile, you can specify a client caching option: CSS and JavaScript; CSS, Images and JavaScript; No Cache; or Cache All.
If you configure a client cache setting other than Default in the Portal Access resource item, that setting overrides the cache setting in the rewrite profile.
* Cache All: Caches everything that can be cached, including CSS, images, JavaScript, and XML. Provides the fastest client performance and the lowest security. To allow your clients to download and save attachments, use the Cache All setting. For example, to make sure Outlook Web Access 2007 attachments can be downloaded, configure the Portal Access resource URI /owa/attachment* with the Cache All setting.
* No Cache: Caches nothing. This provides the slowest client performance and is the most secure.

Allowing Sessions to Time Out

To allow sessions to time out based on the timeout settings in the access profile, use this option. To enable the session timeout for a Portal Access resource, select the Session Timeout check box in the advanced resource item properties. To disable the session timeout for a Portal Access resource item, clear the check box.

Configuring Home Tab Insertion

The Access Policy Manager inserts a small amount of JavaScript into HTML pages that generates the hometab. The hometab displays the Home and Logout navigation links, and the Address bar, where a user can enter a URI to access the web application. To enable the Home tab on a web application page, select the Home Tab check box in the advanced resource item properties. Pages generated without the Home Tab JavaScript contain no Home or Logout links. The Home tab can be fully customized.

Configuring Portal Access

Lesson Objective: During this lesson, you will learn how to configure the APM Portal Access feature.
Configuring Portal Access on Access Policy Manager

You can configure the Access Policy Manager to provide access to web applications without requiring client configuration changes or software downloads. Typically, you use Portal Access when your users only require access to specific internal web portal-based applications, and do not require full Network Access. The Access Policy Manager provides security by rewriting URLs and other links in the original HTML document, CSS, and JavaScript content, so that the client browser addresses only the Access Policy Manager and never the internal server directly.

F5 Networks has tested the following web applications to ensure that the Access Policy Manager handles them without requiring any reconfiguration:

• Microsoft® Outlook Web Access 2003, 2007 and 2010
• Microsoft® SharePoint 2003, 2007 and 2010
• IBM® Lotus Domino Web Access 7.x and 8.0
• IBM® Tivoli Access Manager for e-business

Some of your custom web applications will work with Portal Access without you having to make changes to the applications. If you have a specific web application that requires additional configuration to work through Portal Access, you can generally use Network Access. Network Access provides a direct connection to the internal network, and does not require proxy-based changes or modification of web application content. If you cannot use Portal Access or Network Access to solve access issues, you can try the minimal patching feature.

To Configure a Portal Access

1. From the navigation pane, expand Access Policy and click Portal Access. The Portal Access Resource List screen opens.
2. Click Create. The New Resource screen opens.
3. In the Name box, type a name for the web application.
4. In the Description box, enter an optional description.
5. Leave the ACL Order drop-down option as Last.
6. In the Configuration section, select whether to Match Case for Paths.
7. From the Patching Type list, select the patching type for the Portal Access. For full and minimal patching types, you can select or clear specific patching methods.
8. If you selected host patching with the minimal patching method, type a host search string, or multiple host search strings separated with spaces, and the host replace string, which must be the Access Policy Manager virtual server IP address or FQDN.
9. If your application is behind a proxy server, to specify a proxy host and port, select Advanced for the configuration, and type the proxy host and proxy port.
10. In the Application URI box, enter the full URI of the web server web page or application you will be connecting to, using either an IP address or an FQDN.
11. Under the Customization Settings, enter a Caption as you would like it to appear on a webtop, and enter an optional Description or Image.
12. Click the Create button to create the web application. The Portal Access Properties screen opens.

Note: For detailed information on these settings, refer to the BIG-IP Access Policy Manager Portal Access Guide.

To Configure a Portal Access Resource Item

1. From the navigation pane, expand Access Policy and click Portal Access. The Portal Access Resource List screen opens.
2. Click the name of the web application to which you want to add a resource item. The Portal Access Properties screen opens.
3. In the Resource Items area, click Add. The New Resource Item screen opens.
4. In the New Resource Item section, select Basic or Advanced. Advanced allows you to add Headers.
5. For the Destination setting, select the type of destination (Host Name, IP Address).

Note: The type of destination must match the destination address your users will specify to connect to the web application. For example, users cannot connect using a host name if you specify an IP address for the web application.

6. Type the host name, IP address, or network address and mask in the boxes provided.
7. In the Port box, type the port number.
   To allow all ports, type 0, or select Any from the Scheme list.
8. From the Scheme list, select the scheme (HTTP or HTTPS), or select Any for both.
9. In the Paths box, type the path to the application. This is the URI, including the leading slash, for example /webapp/webapp.aspx. You can specify multiple paths by separating them with spaces, and you can use the * and ? wildcard characters.
10. If you selected Advanced, you can add headers. In the Name and Value boxes in the Headers section, type the name and value pair for each header, and click Add.
11. In the Resource Item Properties section, select Basic or Advanced. Advanced allows you to enable or disable Session Update (the session timeout) and the Home Tab.
12. From the Compression list, select the compression option.
13. From the Client Cache list, select the client caching option.
14. If you are using an SSO configuration for Single Sign-On, from the SSO Configuration list, select the SSO configuration.
15. Select whether to enable the Session Update and Home Tab options with the associated check boxes.
16. From the Log list, select the logging level, either None or Packet. If Packet, details are logged to the file /var/log/pktfilter.
17. When you are finished, click Update. The Portal Access Properties screen opens.

Rewrite Profiles

Lesson Objective: During this lesson, you will learn how to configure Rewrite Profiles.

Configuring a Rewrite Profile

A rewrite profile defines client caching settings for a virtual server. You can configure a rewrite profile and select the rewrite profile when you configure the virtual server for a Portal Access access policy. Alternatively, you can use the default rewrite profile, rewrite. The rewrite profile provides four options for client caching.
When a Portal Access resource item's Client Cache setting is set to Default, the caching option configured in the rewrite profile is used. If the Client Cache option is configured for any other setting, the Portal Access resource item configuration overrides the setting in the rewrite profile.

The following Client Caching options are available in the rewrite profile:

• CSS and JavaScript - Caches CSS and JavaScript. This is the default rewrite caching configuration, and provides a balance between performance and security.
• CSS, Images and JavaScript - Caches CSS, images, and JavaScript. This provides faster client performance but is slightly less secure because images remain in the client browser cache.
• No Cache - Caches nothing. This provides the slowest client performance and is the most secure.
• Cache All - Caches everything that can be cached, including CSS, images, JavaScript, and XML. Provides the fastest client performance and the lowest security.

The rewrite profile provides an option for Split Tunneling. Split tunneling provides two options for accessing a web page: Rewrite and Bypass. If you enable split tunneling, Access Policy Manager presents only web pages that satisfy one of these filters. Others are blocked (although note that a blocked public site may still be reachable outside the webtop). If you do not use split tunneling, Access Policy Manager processes all URLs through the rewriting engine.

If split tunneling is enabled, an additional Rewrite / Bypass List screen appears. It has three configuration areas:

• URI - Specify a URL pattern using the following syntax: scheme://host[:port]/path. You can also use wildcards such as the asterisk (*) to denote any sequence of characters and the question mark (?) for any single character. Access Policy Manager routes these pages, and all links from them, through the Access Policy Manager reverse proxy engine. This engine allows users to access internal pages from outside the network.
• Rewrite List - Uses the reverse proxy engine, which rewrites the URL. When you use this option, Access Policy Manager controls the redirection of the URL. Use this option to access URLs inside the network. Type a URL match pattern for the sites where you need to create the reverse proxy and click the Add to Rewrite List button.
• Bypass List - Directly accesses the URL and leaves the URL unmodified. Use this option to speed up serving public sites. Type a URL match pattern for URLs to be accessed directly, bypassing the Access Policy Manager's reverse proxy engine, and click the Add to Bypass List button.

The rewrite profile provides four options for Java Patching. These configure the Access Policy Manager for the verification and re-signing of signed Java applets: a patched applet no longer matches its original signature, so the Access Policy Manager re-signs it, and the client must trust the signer certificate.

• Trusted Certificate Authorities - Selects a CA against which to verify signed applet signatures.
• Signer - Selects a certificate to use for re-signing.
• Signing Key - Selects the corresponding private key for re-signing.
• Sign Key Pass Phrase - Specifies the encryption passphrase for the private key.

To Create a Rewrite Profile

1. From the main navigation pane, expand Access Policy, then click Portal Access, and Rewrite Profile List. You can also reach this area via Local Traffic: click Profiles, then Services, then Rewrite. The Rewrite Profile List screen opens.
2. Click Create. The New Profile screen opens.
3. In the Name box, type a name for the rewrite profile.
4. (Optional) From the Parent Profile list, select a parent profile. The new rewrite profile inherits the Client Caching Type setting from the parent profile.
5. (Optional) Next to Settings, select the Custom check box to change the Client Caching Type.
6. (Optional) Next to Settings, select the Custom check box to enable Split Tunneling.
7. (Optional) Next to Java Patcher Settings, select the check boxes for Trusted Certificate Authorities, Signer, Signing Key, and Sign Key Pass Phrase.
8. Click Finished.

SSO with Credential Caching

Lesson Objective: During this lesson, you will learn the concepts of, and how to configure, Single Sign-On.

Introducing Single Sign-On (SSO) With Credential Caching and Proxying

Access Policy Manager provides a single sign-on feature that leverages credential caching and proxying technology. This feature allows your users to enter their credentials once to access their secured web applications. Leveraging this technology, users request access to the secured back-end web server. Once that occurs, Access Policy Manager creates a user session and collects the user identity based on the access policy. Upon successful completion of the access policy, the user identity is cached in a session database. Lastly, the WebSSO plugin retrieves the cached user credentials and authenticates the user based on the configured authentication method.

The single sign-on (SSO) feature provides the following benefits:

• Eliminates the need to administer and maintain multiple user logons
• Eliminates the need for users to enter their credentials multiple times

Access Policy Manager provides three ways in which you can configure SSO:

• Through Portal Access
• Through Network Access with layered virtual servers
• Through BIG-IP Local Traffic Manager

Note: For more information, refer to the Configuring Access Policy Manager Guide.

Introducing Credential Caching as It Relates to SSO

Access Policy Manager supports the following SSO methods:

• HTTP Basic Auth
  With this method, the SSO plugin uses the cached user identity and sends the request with an Authorization header. This header contains the token Basic and the base64 encoding of the user name, a colon, and the password. Base64 is an encoding, not encryption: the password is recoverable by anyone who can read the back-end connection, so protect that leg with a Server SSL profile.
• HTTP Form-Based Auth
  With this method, upon detecting a start URI match, the SSO plugin uses the cached user identity to construct and send the HTTP form-based POST request on behalf of the user.
• HTTP NTLM Auth v1
  With this method, NTLM employs a challenge-response mechanism for authentication, in which the user proves their identity without sending the password to the server. NTLMv1 responses are DES-based and are widely regarded as weak; use NTLMv2 where the back end supports it.
• HTTP NTLM Auth v2
  With this method, NTLM employs a challenge-response mechanism for authentication, in which the user proves their identity without sending the password to the server. This version of NTLM has been updated from version 1.
• Kerberos
  With this method, Kerberos provides transparent authentication of users to Windows Portal Access servers (IIS) joined to an Active Directory domain, when using an access policy with a passwordless authentication method. It can also be used when IIS servers require Kerberos authentication.
• SAML
  With this method, SAML provides transparent authentication for users of LTM web applications (that is, the LTM+APM use case). BIG-IP offers SAML 2.0 support as either a Service Provider or an Identity Provider. SAML is discussed in more detail in module 15.

Understanding SSO Object Attributes

The SSO configuration objects covered in this lesson support four SSO methods: HTTP Basic, HTTP Form-Based, NTLMv1 and NTLMv2. Each method contains a number of attributes that you need to configure properly to support SSO.

Note: If you misconfigure SSO objects for one of the authentication methods HTTP Basic, NTLMv1 or NTLMv2, SSO is disabled for all authentication methods when you access a resource with the misconfigured SSO object. The HTTP Form-Based method is not affected by a misconfigured object. Additionally, SSO is disabled for the current user session only; all other users remain unaffected.

General SSO Object Attributes

These general object attributes apply to all SSO methods. In the navigation pane, expand Access Policy, choose SSO Configuration, and click Create.

• SSO Method: This defines the authentication method for your SSO configuration object.
  You can select from the following values: HTTP Basic, HTTP Form Based, HTTP NTLMv1, or HTTP NTLMv2.
• Username Source: This defines the source session variable name of the user name for SSO authentication. By default, it is the user name session variable session.sso.token.last.username.
• Password Source: This defines the source session variable name of the password for SSO authentication. By default, it is the password session variable session.sso.token.last.password.

For the HTTP Basic method, no additional attributes are required.

HTTP Form-Based SSO Object Attributes

These additional object attributes apply to the HTTP Form-Based SSO method. In the navigation pane, expand Access Policy, choose SSO Configuration, and click Create. Select Form Based from the SSO Method setting.

• Start URI: Defines the start URI value. If the HTTP request URI matches the start URI value, HTTP Form-Based authentication is performed for SSO. Multiple start URI values can be specified on multiple lines for this attribute. You can specify one "*" in the value for wildcard matching.
• Form Method: Defines the method of the HTTP Form-Based authentication for SSO. The options are GET or POST. By default, the form method value is set to POST. If GET is specified, the SSO authentication is sent as an HTTP GET request, which places the credentials in the query string (and therefore in web server logs and Referer headers); use GET only when the back end requires it.
• Form Action: Defines the form action URL used for the HTTP authentication request for SSO, for example /access/oblix/apps/webgate/bin/webgate.dll. If you do not specify a value for this attribute, the original request URL is used for SSO authentication.
• Form Parameter For User Name: Defines the parameter name of the logon user name. For example, if the HTTP server expects the user name in the form userid=, then userid is specified as the attribute value.
• Form Parameter For Password: Defines the parameter name of the logon password.
  For example, if the HTTP server expects the password in the form pass=, then pass is specified as the attribute value.
• Hidden Form Parameters/Values: Defines the hidden form parameters required by the authentication server logon form at your location. Hidden parameters must be entered like this:

  param1 value1
  param2 value2

  The parameter name and value are separated by a space, not by an equal sign. Also, each parameter starts on a new line.
• Successful Logon Detection Match Type: Defines the success detection type that your authentication server uses. You can select one of the following:
  - By Resulting Redirect URL: If selected, specifies that the authentication success condition is determined by examining the redirect URL from the HTTP response. You can specify multiple values for this option.
  - By Presence Of Specific Cookie: If selected, specifies that the authentication success condition is determined by examining the cookie value from the response. This option uses only one defined value.
• Successful Logon Detection Match Value: Defines the value used by the specific success detection type.

HTTP NTLMv1 Object Attribute

There is only one additional attribute that applies to the HTTP NTLMv1 method. In the navigation pane, expand Access Policy, choose SSO Configuration, and click Create. Select NTLMv1 from the SSO Method setting.

• NTLM Domain: Defines the domain name used for NTLMv1.

HTTP NTLMv2 Object Attribute

There is only one additional attribute that applies to the HTTP NTLMv2 method. In the navigation pane, expand Access Policy, choose SSO Configuration, and click Create. Select NTLMv2 from the SSO Method setting.

• NTLM Domain: Defines the domain name used for NTLMv2.
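As an added example (illustrative code written for this edition, not part of the original manual and not F5's WebSSO plugin), the following Python models what the HTTP Basic and HTTP Form-Based SSO objects described above do with the cached session variables: build the Basic Authorization header, decide from the Start URI whether a request triggers a form logon, assemble the logon request from the user name, password and hidden parameters, and detect success by redirect URL or by cookie. The SESSION dictionary and the FORM_SSO object are constructed samples built from the example values on this page (userid, pass, webgate.dll, param1 value1); the single-"*" wildcard semantics, the redirect status codes treated as success, and the exact GET/POST request shapes are assumptions made here.

```python
"""HTTP Basic and HTTP Form-Based SSO as the WebSSO plugin performs them.

Added illustration, not F5 code. SESSION and FORM_SSO are constructed
samples; wildcard semantics and request shapes are assumptions.
"""
import base64
from urllib.parse import urlencode

# Constructed sample of what the access policy leaves in the session
# database after the SSO Credential Mapping agent has run.
SESSION = {
    "session.sso.token.last.username": "jdoe",
    "session.sso.token.last.password": "S3cret!",
}

# Constructed sample HTTP Form-Based SSO object using this lesson's examples.
FORM_SSO = {
    "username_source": "session.sso.token.last.username",
    "password_source": "session.sso.token.last.password",
    "start_uri": ["/access/*"],
    "form_method": "POST",
    "form_action": "/access/oblix/apps/webgate/bin/webgate.dll",
    "user_param": "userid",
    "pass_param": "pass",
    "hidden_params": "param1 value1\nparam2 value2",
    "success_match_type": "By Resulting Redirect URL",
    "success_match_values": ["/access/home"],
}


def _credentials(session, sso):
    return (session[sso.get("username_source", "session.sso.token.last.username")],
            session[sso.get("password_source", "session.sso.token.last.password")])


def basic_auth_header(session, sso=None):
    """HTTP Basic: 'Basic ' + base64(user ':' password). base64 is an encoding,
    not encryption, so the back-end leg must be protected by Server SSL."""
    user, password = _credentials(session, sso or {})
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def wildcard_match(value, target):
    """Match with at most one '*' (any run of characters); otherwise exact."""
    if value.count("*") > 1:
        raise ValueError("only one '*' is allowed in %r" % value)
    if "*" not in value:
        return target == value
    prefix, suffix = value.split("*")
    return (len(target) >= len(prefix) + len(suffix)
            and target.startswith(prefix) and target.endswith(suffix))


def start_uri_matches(sso, request_uri):
    """One Start URI value per line; any match triggers form-based SSO."""
    return any(wildcard_match(v.strip(), request_uri)
               for v in sso["start_uri"] if v.strip())


def parse_hidden_params(text):
    """'param value' per line, separated by a space rather than '='."""
    params = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, sep, value = line.partition(" ")
        if not sep:
            raise ValueError("hidden parameter without value: %r" % line)
        params.append((name, value.strip()))
    return params


def build_form_logon(session, sso, request_uri):
    """Return the logon request sent on the user's behalf, or None when the
    request URI does not match a Start URI."""
    if not start_uri_matches(sso, request_uri):
        return None
    user, password = _credentials(session, sso)
    fields = [(sso["user_param"], user), (sso["pass_param"], password)]
    fields += parse_hidden_params(sso.get("hidden_params", ""))
    action = sso.get("form_action") or request_uri  # default: original request URL
    body = urlencode(fields)
    if sso.get("form_method", "POST").upper() == "GET":
        # Credentials land in the query string, hence in logs and Referer headers.
        joiner = "&" if "?" in action else "?"
        return {"method": "GET", "uri": action + joiner + body, "headers": {}, "body": ""}
    return {"method": "POST", "uri": action,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"}, "body": body}


def logon_succeeded(sso, status, headers, set_cookies):
    """Successful Logon Detection: by redirect URL (several values allowed)
    or by the presence of one named cookie in the response."""
    match_type = sso["success_match_type"]
    values = sso["success_match_values"]
    if match_type == "By Resulting Redirect URL":
        if status not in (301, 302, 303, 307):
            return False
        location = headers.get("Location", "")
        return any(wildcard_match(v, location) for v in values)
    if match_type == "By Presence Of Specific Cookie":
        wanted = values[0]  # this match type uses a single value
        return any(c.split("=", 1)[0].strip() == wanted for c in set_cookies)
    raise ValueError("unknown match type: %r" % match_type)
```

Running build_form_logon(SESSION, FORM_SSO, "/access/login") yields a POST to /access/oblix/apps/webgate/bin/webgate.dll whose body carries userid, pass and the two hidden parameters, while a request for /owa/ returns None because it matches no Start URI. The redirect check deliberately requires a 3xx status: a 200 page that merely mentions the success URL is not a logon.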
Assigning SSO Configuration Objects

Once you create an SSO object, you must apply the object to an access profile or a Portal Access object in order to successfully deploy SSO in your configuration.

Assigning an SSO Object to an Access Profile

1. In the navigation pane, expand Access Policy, and click Access Profiles.
2. Select an existing access profile or create a new one.
3. On the access profile's Properties page, under Configurations, select your SSO object from the SSO Configuration list.
4. Click Update.
5. On the same screen, select Access Policy to associate your SSO object with your access profile; the General Properties screen opens.
6. Click Edit Access Policy for Profile "name of your profile". The visual policy editor opens in a separate browser window.
7. On the access policy, click the + sign after your authentication server object(s) to open the Predefined Actions screen.
8. Under General Purpose, select SSO Credential Mapping, and click Add Item.
9. The SSO object is now part of your overall authentication process.

Configuring Portal Access for Single Sign-On

You can configure single sign-on for users to access their web applications and eliminate the need for them to enter their credentials multiple times. You can add, modify, or delete your SSO configuration object at any time. You can assign an SSO object as part of the Portal Access resource item. If you do not configure an SSO object at that level, you can use the SSO object at the access profile level instead.

To Configure Portal Access for Single Sign-On

1. In the navigation pane, expand Access Policy and click SSO Configurations. The New SSO Configuration screen opens.
2. From the SSO Method list, select an SSO method. Additional fields may appear depending on your selection.
3. Type a name for the SSO object.
4. Under Configuration, configure the settings. For detailed information about each setting, refer to the online help.
5. Click Finished. The SSO object is now added to the SSO list. Note that these objects take their user name and password from session variables.
6. In the navigation pane, expand Access Profiles, and select the access profile you want the SSO configuration object assigned to.
7. Click the Properties tab. The General Properties screen opens.
8. Under Configurations, in the SSO Configuration field, select your SSO configuration object.
9. Click Finished. The SSO configuration object is now assigned to your access profile.

Assigning an SSO Object to a Portal Access Resource Item

1. In the navigation pane, expand Access Policy and click Portal Access. The Resource List opens.
2. Click the name of your Portal Access. The Properties page opens.
3. Under Resource Items, add your web application resource item or click an existing one. The Properties page opens.
4. Under Resource Item Properties, from the SSO Configuration list, select your SSO configuration.
5. Click Update.

Configuring the SSO Credential Mapping Agent

Once you create an SSO configuration object and associate it with your access profile, you must add the SSO credential mapping agent to the access policy. This step ensures that your access policy includes the mapping agent element that populates the session variables used to authenticate and authorize your users with single sign-on.

To Configure the SSO Credential Mapping Agent

1. In the navigation pane, click Access Policy, and select Access Profiles. The Profile List screen opens.
2. Select the access profile to which you want to add the SSO credential mapping agent.
3. Under Configurations, select an SSO object from the SSO Configuration list.
4. Click Update.
5. Select the Access Policy tab.
6. Click Edit Access Policy for Profile <name>. The visual policy editor screen opens in a different browser window.
7. Click the small plus sign where you want to add the new access policy action item.
   A properties screen opens.
8. Under General Purpose, select SSO Credential Mapping, and click Add Item. The Variable Assign: SSO Credential Mapping screen opens.
9. For the SSO Token Username and SSO Token Password settings, select where you want to retrieve the user name and password from, and click Save. Otherwise, select Custom to enter a different user name and password.

The SSO Credential Mapping agent is added to your access policy as part of the overall authentication process.

Configuring Network Access with Single Sign-On for a Layered Virtual Server

You can configure your network access to support SSO through a layered virtual server. This allows your users full network access to multiple web services without requiring them to enter their credentials multiple times.

Deploying SSO Over a Layered Virtual Server for Network Access

The example shows how SSO can be deployed through a layered virtual server for network access. The following are requirements for successfully deploying SSO for network access:

• One HTTP virtual server for network access.
• One or more HTTP layered virtual servers corresponding to the back-end protected web services that require authentication and SSO support.

Note: To ensure that traffic is handled only by the network access for each layered virtual server, you need to select the network access tunnel option from the VLANs list. This restricts the layered virtual server to traffic arriving through the tunnel, so the protected web services are not reachable by any other path.

Configuring Network Access

1. On the Main tab of the navigation pane, expand Access Policy, and click Network Access. The Network Access Resource List screen opens.
2. Click Create. The New Resource screen opens.
3. In the Name box, type a name for the network access resource.
4. Configure the General Settings for the network access resource.
5. Configure the Client Settings for the network access resource.
6. Click Finished to save the network access resource. The Network Access configuration screen opens, and you can configure the properties for the network access resource.
To Configure Network Access Properties

1. On the Main tab of the navigation pane, expand Access Policy, and click Network Access. The Network Access Resource List screen opens.
2. Click a network access resource on the Resource List. The Network Access editing screen opens. This screen also opens immediately after you create a new network access resource.
3. Configure the Properties for the network access resource on the Properties tab.
4. Configure the DNS and hosts for the network access resource on the DNS/Hosts tab.
5. Configure drive mappings for the network access resource on the Drive Mappings tab.
6. Configure applications to launch for the network access resource on the Launch Applications tab.

Note: If you use split tunneling for network traffic, you must properly configure the LAN address space setting so that traffic for the web services passes through the network access tunnel.

Configuring an Access Policy Profile

Once you configure network access, the next step is to configure an access policy profile to manage your network access.

1. On the Main tab of the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles List screen opens.
2. Click Create. The New Profile screen opens.
3. Type a name for your access policy. Leave all other settings as the default. Ensure that the SSO Configuration field specifies None.
4. Click Finished; the new access policy is now added to the Access Profile list.
5. From the Access Profiles list, click the new access policy you just created. The Properties page opens.
6. Select the Access Policy tab.
7. Click Edit Access Policy for Profile <name>. The visual policy editor opens.
8. Add your objects to the access policy.
Note: For more information on SSO, please refer to the Configuring APM guide on AskF5.

Lab 4.1 - Portal Access with Single Sign-On

Lab Objective:
• Add a new Portal Access and Single Sign-On to your Access Policy
• Test the new access policy and verify functionality
• Estimated time for completion: 20 minutes

Lab Requirements:
• IP and port addresses available for use on BIG-IP APM that can be reached by the clients

Create a New Virtual Server

1. From the Navigation pane Local Traffic section, select Virtual Servers and click Create.
2. Configure the following settings and press Finished.

   Name                        exchange1_vs
   Destination Address         10.10.X.102
   Port                        443
   HTTP Profile                http
   SSL Profile (Client)        clientssl
   SSL Profile (Server)        serverssl
   Source Address Translation  Auto Map
   Access Profile              server1

Set the Rewrite Profile

3. When you click Finished, APM displays an error message that a rewrite profile is required. Note that you may have to scroll to the top of the page to see the error message.
4. Change Rewrite Profile to rewrite.

Set the Connectivity Profile

5. This time APM displays an error message that a connectivity profile is required.
6. Reuse the Connectivity Profile from Lab 2; set it to server1_cp. In the next chapters we will look at the Rewrite and Connectivity Profile in more detail. Click Finished.

Note: The connectivity profile is required because it specifies options for the iOS and Android Edge Portal clients (app-based Portal Access for iOS and Android).

Create a New Webtop

7. From the Navigation pane Access Policy section, select Webtops and click Create.
8. Specify Name as exchange1_webtop, Type as Portal Access and Link Type as Application URI.
9. Enter https://172.16.20.20/exchange/ in the Portal Access Start URI field, then click Finished.

Edit the Access Policy

10. Navigate to Access Policy : Access Profiles and click Edit... for the server1 access profile.
11. Click Full Resource Assign, then Add/Delete in the new window.
    In this window, click the Webtop tab and select /Common/exchange1_webtop.
12. Click Update, then Save.
13. Delete the Windows File Check action by clicking the "x" at the top of that action. When prompted for confirmation, click the Delete button. Do not change any of the options.
14. Then click Apply Access Policy in the top left corner of the Visual Policy Editor (VPE), and finally Close to close the VPE.
15. On the client browser, test your virtual server, https://10.10.X.102.

Note: Notice that you had to log in again, using the same credentials, before the OWA screen was presented.

Enable SSO for the Access Policy and Test

16. From the Navigation pane Access Policy section, select Access Profiles.
17. Select the Edit... link for server1.
18. Click the plus sign (+) on the Successful leg after AD_Auth.
19. Select the Assignment tab, then select the radio button for SSO Credential Mapping and click the Add Item button.
20. Take note of the values on this page, then click Save.
21. Click the Close button in the Visual Policy Editor.
22. Navigate to Access Policy :: SSO Configurations :: Forms (not Forms - Client Initiated) and click Create...
23. Enter the name exchange_sso. Select OWA 2010 for Use SSO Template.
24. For Destination, select 172.16.20.20 and click Finished.
25. Select Access Profiles, choose server1, then click on the SSO / Auth Domains tab. From the SSO Configuration drop-down menu select exchange_sso and click Update.
26. Select Access Profiles, then select the check box next to the server1 Access Profile. Click the Apply Access Policy button.
27. Test your virtual server again, https://10.10.X.102. Your login credentials for APM should be forwarded, so you should not have to log in a second time to the Exchange server.

Lab 4.2 - Configuration Backup

Lab Objective:
• Create a backup archive

Save the Configuration

1. From the Navigation pane, expand the System section.
2. Either select Archives and click Create, or leave your mouse over Archives and then click the plus (+) sign on the flyout menu.
3. In the General Properties section, enter the following:

   File Name     studentX_labs1-4
   Encryption    Disabled
   Private Keys  Include

4. Click Finished, and when the backup is complete, click OK.
5. Select the backup you just created (click on the file name).
6. Click Download: studentX_labs1-4.ucs to save a copy to your desktop.

Note: With Encryption set to Disabled and Private Keys set to Include, the downloaded .ucs file contains the system's SSL private keys in the clear. Treat the archive as a secret: store it on an access-controlled system and delete the desktop copy when the lab is done.

Chapter 5: APM Network Access

Network Access Overview

Lesson Objective: During this lesson, you will learn the concepts of the Network Access feature.

Introducing Network Access

The BIG-IP® Access Policy Manager network access feature provides secure access to corporate applications and data using a standard web browser, or the BIG-IP Edge Client™. Using network access, employees, partners, and customers can have access to corporate resources securely, from any location.

The Access Policy Manager's network access feature provides users with the functionality of a traditional IPsec VPN client. Unlike IPsec, however, network access does not require any pre-installed software or configuration on the remote user's computer. It is also much more robust than IPsec VPN against router and firewall incompatibilities. Users connected through network access have equivalent functionality to users directly connected to the LAN. You can use access policies to control access to network access.

Reviewing Network Access Features

Network access provides the following features.

• Full access from any client
  Provides Windows®, Macintosh®, Linux®, and Windows® Mobile users with access to the complete set of IP-based applications, network resources, and intranet files available, as if they were working at their desktop in the office.
• Split tunneling of traffic
  Provides control over exactly what traffic is sent over the network access connection to the internal network and which is not.
  This feature provides better client application performance by allowing connections to the public Internet to go directly to the destination, rather than being routed down the tunnel and then out to the public Internet. A split-tunneled client is attached to the public Internet and the internal network at the same time, so combine split tunneling with client checking and ACLs.
• Client checking
  Detects operating system and browser versions, antivirus and firewall software, registry settings, processes, and checks files during logon to ensure the client configuration meets the organization's security policy for remote access.
• Compression of transferred data
  Uses GZIP compression to compress traffic before it is encrypted, reducing the number of bytes transferred between the Access Policy Manager and the client system and improving performance. Compressing before encrypting makes ciphertext length depend on plaintext content, the property exploited by CRIME-style attacks on compressed TLS, so weigh the bandwidth gain against that where attacker-influenced data shares a tunnel with secrets.
• Routing table monitoring
  Monitors changes made to the client's IP routing table during a network access connection. You can configure this feature to halt the connection if the routing table changes, helping prevent possible information leaks. This feature applies to Windows clients only.
• Session inactivity detection
  Closes network access connections after a configurable period of inactivity. This feature helps prevent security breaches.
• Automatic application launching
  Launches an application automatically after establishing the network access connection. This feature simplifies user access to specific applications or sites.
• Automatic drive mapping
  Connects the user to a specific drive on the intranet. This feature simplifies user access to files. Automatic drive mapping is available only for Windows clients.
• Connection-based ACLs
  Filters network traffic by controlling whether packets are allowed, discarded, or rejected, based on the criteria specified. For example, connections can be filtered by Layer 4 properties like source and destination IP address and port, and protocol (TCP or UDP), and by Layer 7 properties like scheme, host name, and paths. ACLs also support auditing capabilities with logging.
  ACLs allow groups of users or access policy users to have full client-server application support without opening up the entire network to each user.

- Dynamic IP address assignment
  Assigns client endpoint IP addresses dynamically from a configured pool of addresses. IP addresses can also be assigned from an external AAA server attribute.

- Traffic classification, prioritization, and marking
  Provides the ability to classify and prioritize traffic to ensure levels of service to users with defined characteristics.

Understanding How Network Access Works

Network access implements a point-to-point network connection over SSL. This is a secure solution that works well with firewalls and proxy servers. Network access gives remote users access to all applications and network resources.

Network access settings specify IP address pools that the Access Policy Manager uses to assign IP addresses to a client computer's virtual network adapter. When the end user opens the address of the Access Policy Manager in a web browser, the browser opens an SSL connection to the Access Policy Manager. The user can then log on to the Access Policy Manager. The following steps describe the process shown in the Network access process illustration.

1. The user starts an SSL session on port 443 with the Access Policy Manager and logs on.
2. The Access Policy Manager downloads and installs the ActiveX control or browser plug-in on the client.
3. The ActiveX control or browser plug-in establishes an encrypted network access tunnel with the Access Policy Manager.
4. The user connects to internal servers over the network access connection, as if the client were located directly on the internal network.

Configuring Network Access

You configure a network access resource to allow your users access to your local network over a secure VPN connection.
Lesson Objective: During this lesson, you will learn how to configure the Network Access feature.

To Create a Network Access Resource

1. On the Main tab of the navigation pane, expand Access Policy, and click Network Access.
   The Network Access Resource List screen opens.
2. Click Create.
   The New Resource screen opens.
3. In the Name box, type a name for the network access resource.
4. (Optional) In the Description box, enter a description for the resource.
5. Under Customization, in the Caption box, type the caption you wish to appear on a webtop. The default is the value entered in Name.
6. (Optional) In the Detailed Description box, enter a description.
7. (Optional) In the Image box, browse to a custom image you wish to associate with the resource on the webtop.
8. Click Finished to save the network access resource.
   The Network Access Properties screen opens, and you can configure the various properties for the network access resource.

Note: For detailed information on these settings, refer to the BIG-IP Access Policy Manager Network Access Configuration Guide.

To Configure Network Access Properties

1. On the Main tab of the navigation pane, expand Access Policy, and click Network Access.
   The Network Access Resource List screen opens.
2. Click a network access resource on the resource list.
   The Network Access Properties screen opens. This screen also opens immediately after you create a new network access resource.
3. Configure the network access IP address and client settings on the Network Settings tab.
4. Configure the Optimization settings on the Optimization tab.
5. Configure the DNS and host settings for the network access resource on the DNS/Hosts tab.
6. Configure drive mappings for the network access resource on the Drive Mappings tab.
7.
Configure applications to launch for the network access resource on the Launch Applications tab.

Setting Up Network Access

You use options on the Network Access Properties screen to configure general tunnel information, tunneling and network settings, proxy settings for the client, and IP address assignment. You can also configure client behavior, map network drives, and set applications to start when network access connects.

Setting General Properties

General properties include the name and a description of the network access connection.

- Name
  Specifies a name for the connection. This is the name the end user sees in the Network Connections control panel in Windows.

- Description
  A description of the network access connection. This is informational only.

Configuring General Network Access Server Settings

General settings configure the network access connection on the server side and are not specific to each client.

- Basic/Advanced
  Basic view hides the SNAT Pool and Timeout settings. Select Advanced to display these options for configuration.

- Enable Network Tunnel
  This is enabled by default.

- Supported IP Version
  Select either IPV4 or IPV4 & IPV6. The default is IPV4. If IPV4 & IPV6 is selected, an additional IPV6 Lease Pool option appears on the screen.

- IPV4 Lease Pool
  Lease pools allow you to specify a collection of IP addresses as a single object and associate that object with a network access resource. This allows a network access connection to be automatically assigned an unallocated IP address to use as the client IP address. Select a lease pool here to assign it to the network access resource. To create a lease pool within this screen, click the (+) sign next to IPV4 Lease Pool.

- IPV6 Lease Pool
  Select an IPV6 lease pool here to assign to the network access resource.
  To create a pool within this screen, click the (+) sign next to IPV6 Lease Pool.

- Compression
  This setting compresses all VPN traffic between the network access client and the Access Policy Manager. Select GZIP Compression to compress traffic between the client and the Access Policy Manager. The default is No Compression. Compression is not active when the network access connection is configured for DTLS.

- Proxy ARP
  Proxy ARP allows remote clients to use IP addresses from the LAN IP subnet, and no configuration changes are required on other devices such as routers, hosts, or firewalls. IP address ranges on the LAN subnet are configured in a lease pool and assigned to network access tunnel clients. When this setting is enabled, a host on the LAN that sends an ARP query for a client address gets a response from the Access Policy Manager with its own MAC address. Traffic is sent to the Access Policy Manager and forwarded to clients over the network access tunnels.

- SNAT Pool
  You can select whether to use SNAT automapping or a specific SNAT pool. When a client starts a network access connection, it receives a dynamic IP address assignment to use for the PPP tunnel connection. The connection usually receives the next IP address available from the lease pool, or is assigned an address by another method. Once the client gets an IP address, that IP address is typically what the end device sees. For example, if a network access client is dynamically assigned the address 10.1.1.1 from the lease pool, and the SNAT Pool setting is None, when the user connects to an internal server the source address seen by the internal server is 10.1.1.1. In the same situation, if the SNAT Pool setting is Automap, the address seen by the internal server is the internal self IP address of the Access Policy Manager. For many client-server applications, SNAT Automap is adequate.
  However, it is not supported by Microsoft networking, and SNAT automapping may not be sufficient for network access connections with large numbers of client users, because all clients then share the translation ports of the self IP addresses. For these more advanced situations, create a SNAT pool, then select the name of the SNAT pool from the SNAT Pool list.

  - By default, SNAT automapping is enabled. With SNAT automapping enabled, active FTP connections fail, so you can only use passive FTP.
  - If you select None, make sure that your back-end servers (or the routers in front of them) route responses for the lease pool addresses back to the BIG-IP device; otherwise return traffic never reaches the tunnel.
  - If you must use active FTP, set the SNAT Pool option to None.
  - With any SNAT setting other than None, internal servers see the BIG-IP address instead of the user's lease pool address, so server-side logs and filters cannot tell users apart; use the APM session logs and ACLs for per-user attribution.

  For more information on SNAT automapping, see the Configuration Guide for BIG-IP Local Traffic Manager.

- Session Update Threshold
  Displays the session update threshold. The session update threshold defines, in bytes per second, the criterion for updating the session. If the average byte rate falls below the threshold, the session is considered inactive, and it is ended according to the inactivity timeout settings defined in the access profile.

- Session Update Window
  Displays, in seconds, the period over which the byte rate is averaged. The session update window is used with the session update threshold to define when the session is inactive. If the average byte rate over the window exceeds the session update threshold, the session is updated; if it is below the threshold, it is not. If the session is not updated within the time specified for the inactivity timeout, the session expires. If you set the threshold to zero, session update timeouts are not applied.

Configuring Settings On Network Access Clients

Client settings govern specific configuration items on the network access client system.

- Basic/Advanced
  Basic view shows only Traffic Options (split tunneling), Client Side Security options, Allow Local Subnet options, and Client Options.
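The threshold and window rule above is easiest to see in code. The following class is an added illustration written for this edition, not APM's own code: the class and method names, the traffic figures and the scenario are constructed, and the counters in the real product live inside TMOS. It keeps a sliding window of byte counts, updates the session only when the windowed average reaches the Session Update Threshold, and expires the session once it has gone longer than the access profile's inactivity timeout without an update. The demo shows why a low-rate keepalive below the threshold does not keep a session alive, and how a threshold of zero disables expiry by this rule.

```python
from collections import deque


class SessionActivityMonitor:
    """Session update threshold/window rule for one network access session.

    Added illustration, not APM code: names are made up, and the real
    counters live in TMOS, but the decision follows the description above.
    The threshold is in bytes per second and the window in seconds.
    """

    def __init__(self, start_time, threshold_bytes_per_s, window_s, inactivity_timeout_s):
        self.threshold = threshold_bytes_per_s            # Session Update Threshold
        self.window_s = window_s                          # Session Update Window
        self.inactivity_timeout_s = inactivity_timeout_s  # inactivity timeout from the access profile
        self.last_update = start_time                     # session creation counts as an update
        self._samples = deque()                           # (timestamp, bytes) still inside the window

    def _prune(self, now):
        # Drop samples that have aged out of the averaging window.
        while self._samples and self._samples[0][0] <= now - self.window_s:
            self._samples.popleft()

    def average_bytes_per_s(self, now):
        """Average byte rate over the last window_s seconds."""
        self._prune(now)
        return sum(b for _, b in self._samples) / self.window_s

    def evaluate(self, now):
        """Update the session when the windowed average meets the threshold.

        With a threshold of 0 any average qualifies, so the session is updated
        on every evaluation and never expires by this rule (the "timeouts are
        not applied" case described above).
        """
        if self.average_bytes_per_s(now) >= self.threshold:
            self.last_update = now

    def record(self, now, nbytes):
        """Account for nbytes of tunnel traffic observed at time now."""
        self._samples.append((now, nbytes))
        self.evaluate(now)

    def is_expired(self, now):
        """True once the session has gone longer than the timeout without an update."""
        self.evaluate(now)
        return now - self.last_update > self.inactivity_timeout_s


def demo():
    """Constructed scenario: 150 B/s threshold, 10 s window, 30 s inactivity timeout."""
    busy = SessionActivityMonitor(0, threshold_bytes_per_s=150, window_s=10, inactivity_timeout_s=30)
    busy.record(5, 2000)                 # 2000 B over a 10 s window = 200 B/s: session updated at t=5

    trickle = SessionActivityMonitor(0, threshold_bytes_per_s=150, window_s=10, inactivity_timeout_s=30)
    for t in range(1, 36):
        trickle.record(t, 100)           # a 100 B/s keepalive stays under 150 B/s: never updated

    always_on = SessionActivityMonitor(0, threshold_bytes_per_s=0, window_s=10, inactivity_timeout_s=30)

    return {
        "busy_at_20": busy.is_expired(20),        # 15 s since the last update: still alive
        "busy_at_40": busy.is_expired(40),        # 35 s since the last update: expired
        "trickle_at_35": trickle.is_expired(35),  # low-rate traffic never counted as activity
        "zero_threshold": always_on.is_expired(10_000),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence is the one administrators trip over: an application that sends a few bytes of heartbeat does not hold a tunnel open if its rate is below the threshold, and setting the threshold to zero hands the decision entirely to the access profile's other timeouts.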
  By default, the option Force all traffic through tunnel is enabled. Basic view also shows settings for LAN Address Space and DNS Address Space if you select Use split tunneling for traffic. You must select the Advanced view to configure DTLS mode, specify a client traffic classifier, or specify an exclude address space with split tunneling.

- Use split tunneling for traffic
  Directs through the network access tunnel all network traffic that is destined for the LAN, specifically the addresses specified in the LAN address space box. A tunnel is a secure connection between computers or networks over a public network. When you configure split tunneling, the Access Policy Manager directs all other traffic out of the client's local network connection. You can configure the LAN address space, the DNS address space, and the Exclude address space (in Advanced view only) when you enable split tunneling.

  - IPV4 LAN address space
    Provides a list of addresses or address/mask pairs describing the target LAN. When you use split tunneling, only the traffic to these addresses and network segments goes through the tunnel configured for network access. You can add multiple address spaces and network masks to the list in their respective boxes, one at a time.

  - DNS address space
    Provides a list of names describing the target LAN DNS addresses. This box appears only if you use split tunneling. You can add multiple names to the list, one at a time.

  - IPv4 Exclude address space
    Specifies addresses for traffic that is not forced through the tunnel when you use split tunneling. Use this to exclude an address or range of addresses from the LAN address space.

- Force all traffic through tunnel
  Routes all traffic (including traffic to the local subnet) through the tunnel. In this case, there is no local subnet. Users cannot access local resources, such as their printers at home, until they disconnect from network access.
  This is useful if you want to limit access to certain sites while the user is connected through the network access connection.

- Allow Local Subnet
  Check this box to permit local subnet access and local access to any host or subnet in routes that you have specified in the client routing table. If you select this option, clients cannot use the integrated IP filtering engine.

- Client Side Security
  Use these settings to configure options for the client on the tunneled network. The settings available are:

  - Prohibit routing table changes during Network Access connection
    This option terminates client connections when the client's IP routing table changes during a network access session.

  - Integrated IP filtering engine
    Select this option to protect the VPN from outside traffic (traffic generated by network devices on the client's LAN) and to ensure that the VPN is not leaking traffic to the client's LAN.

  - Allow access to local DHCP server
    Check this box if you want to allow clients to obtain renewed IP addresses from their local DHCP servers when their DHCP leases expire. This is used when the Integrated IP filtering engine option is enabled, which would otherwise block the DHCP exchange.

  - Client Traffic Classifier
    Specifies a client traffic classifier to perform client traffic control. To create a classifier within this screen, click the (+) sign next to the drop-down menu.

- Client Options
  Use these settings to configure Microsoft Networking options for the client.

  - Client for Microsoft Networks
    Select this option to allow the client PC to access remote resources over a VPN connection. For example, the user can access shared network drives on the remote network.

  - File and printer sharing for Microsoft Networks
    Select this option to allow remote hosts to access shared resources on the client system over the VPN connection. For example, users on the remote network can access files on the client's computer. Leave this disabled unless you need it: it exposes the remote client's shares to every host that can reach its tunnel address.
  - Provide client certificate on Network Access connection when requested
    If client certificates are required to establish an SSL connection, this option must always be enabled. However, you can disable this option if client certificates are only requested within an SSL session. If client certificates are requested, but not required, to establish the SSL connection, the client is not configured to send client certificates.

- Reconnect To Domain
  Select the check box Synchronize with Active Directory policies on connection establishment to synchronize the client with the Active Directory network policies when the connection is established. This option, when checked, enables a second check box, Execute logoff scripts on connection termination. Select this check box to run logoff scripts configured on the Active Directory domain when the connection is terminated.

- Client Interface Speed
  Type the interface rate to display for secured client connections. The default is 100000000 bits per second. Do not change this value unless F5 Support tells you to do so.

- Display connection tray icon
  When enabled, balloon notifications for the network connection tray icon (when a connection is made) are displayed.

- Client Power Management
  This can be set to Ignore, Prevent, or Terminate. It specifies how network access handles client power management events, for example, when the user puts the system into standby mode or closes the lid on a laptop.

  - Ignore: ignores the client settings for power management.
  - Prevent: prevents power management events from occurring while the client is connected.
  - Terminate: terminates the client connection when a power management event occurs.

- DTLS
  Select this option to use Datagram Transport Layer Security with the network access connection.
  This option uses UDP as the transport to provide better throughput for latency-sensitive applications such as VoIP or streaming video, especially over lossy connections. If the port used by DTLS is blocked by an intermediate firewall or gateway, or is not available, the connection automatically falls back to TLS over TCP. If you enable the DTLS option, you must configure another virtual server for DTLS (UDP) with the same IP address as the TCP virtual server to which a user connects to start the Access Policy Manager session.

  - DTLS Port
    Type the port number that the network access resource uses for secure UDP traffic with DTLS. The default port is 4433.

- Client proxy settings
  Directs network access clients to work through the specified proxy server on the remote network. This option requires the client computer to have Internet Explorer 5.0 or later installed. These options are available only in the Advanced view, when you select the Client proxy settings option.

  - Client Proxy Uses HTTP for Proxy Autoconfig Script
    Some applications cannot use the client proxy autoconfig script when the browser attempts to use the file:// prefix to locate it. When enabled, this option specifies that the browser uses http:// to locate the proxy autoconfig file instead.

  - Client Proxy Autoconfig Script
    Contains the URL of the proxy autoconfiguration script.

  - Client Proxy Address and Client Proxy Port
    Contain the address and port number of the proxy server you want network access clients to use to connect to the Internet.

  - Bypass Proxy For Local Addresses
    Indicates whether you want to bypass the proxy server for local (intranet) addresses.

  - Client Proxy Exclusion List
    Contains the web addresses that do not need to be accessed through the proxy server. You can use wildcard characters to match domain and host names or addresses. For example, you could specify www.*.com, 128.*, 240.*, *., mygroup.*, *x*, and so on. You add each item to the list separately.
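The Traffic Options above amount to a per-destination routing decision on the client. The class below is an added illustration for this edition, not the BIG-IP Edge Client's code: the option names mirror the settings described above, but the class, its methods and the address spaces and host names in the constructed configuration are examples only. It applies the rules as stated: with split tunneling, addresses go through the tunnel when they fall in the IPV4 LAN address space unless the IPv4 Exclude address space carves them out, and host names go through the tunnel only when the DNS address space describes them; with Force all traffic through tunnel, everything is tunneled except, when Allow Local Subnet is checked, the client's own subnet.

```python
import fnmatch
import ipaddress


class SplitTunnelPolicy:
    """Client-side routing decision for one network access resource.

    Added illustration, not Edge Client code. Option names mirror the
    settings above; the address spaces and names used in the demo below are
    constructed. route() returns 'tunnel' or 'direct'.
    """

    def __init__(self, split_tunneling, lan_space=(), exclude_space=(), dns_space=(),
                 allow_local_subnet=False, local_subnet=None):
        self.split_tunneling = split_tunneling                                   # Use split tunneling for traffic
        self.lan_space = [ipaddress.ip_network(n) for n in lan_space]            # IPV4 LAN address space
        self.exclude_space = [ipaddress.ip_network(n) for n in exclude_space]    # IPv4 Exclude address space
        self.dns_space = [d.lower().lstrip(".") for d in dns_space]             # DNS address space
        self.allow_local_subnet = allow_local_subnet                             # Allow Local Subnet
        self.local_subnet = ipaddress.ip_network(local_subnet) if local_subnet else None

    @staticmethod
    def _in_any(addr, networks):
        return any(addr in net for net in networks)

    def _name_in_dns_space(self, name):
        # Entries are either a domain (matched as a suffix) or a wildcard pattern.
        name = name.lower().rstrip(".")
        for entry in self.dns_space:
            if "*" in entry:
                if fnmatch.fnmatch(name, entry):
                    return True
            elif name == entry or name.endswith("." + entry):
                return True
        return False

    def route(self, destination):
        """Decide where traffic for an IP address or a host name goes."""
        try:
            addr = ipaddress.ip_address(destination)
        except ValueError:
            addr = None                     # not an address, so treat it as a host name

        if not self.split_tunneling:
            # Force all traffic through tunnel: the only carve-out is the
            # client's own subnet, and only when Allow Local Subnet is checked.
            if (addr is not None and self.allow_local_subnet
                    and self.local_subnet is not None and addr in self.local_subnet):
                return "direct"
            return "tunnel"

        if addr is None:
            # Host names: tunnel only those the DNS address space describes.
            return "tunnel" if self._name_in_dns_space(destination) else "direct"

        # Addresses: the exclude space punches holes in the LAN space.
        if self._in_any(addr, self.exclude_space):
            return "direct"
        return "tunnel" if self._in_any(addr, self.lan_space) else "direct"


# Constructed configurations for the demonstration.
SPLIT = SplitTunnelPolicy(
    split_tunneling=True,
    lan_space=["10.0.0.0/8", "192.168.191.0/24"],
    exclude_space=["10.99.0.0/16"],            # a range inside the LAN space reached without the tunnel
    dns_space=["corp.example.com", "*.lab.example.net"],
)

FORCE_ALL = SplitTunnelPolicy(
    split_tunneling=False,
    allow_local_subnet=True,
    local_subnet="192.168.1.0/24",             # the home network the client sits on
)


if __name__ == "__main__":
    for dest in ("10.1.1.1", "10.99.5.5", "8.8.8.8", "intranet.corp.example.com", "www.example.org"):
        print(f"split tunneling: {dest:28} -> {SPLIT.route(dest)}")
    for dest in ("8.8.8.8", "192.168.1.10"):
        print(f"force all:       {dest:28} -> {FORCE_ALL.route(dest)}")
```

The ordering matters when you review a resource: an exclude entry wins over an overlapping LAN entry, so a single broad exclude can quietly remove a whole subnet from the tunnel, and anything routed direct never passes the ACLs on the BIG-IP system.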
Optimized Tunnel Configuration

An optimized application is a set of compression characteristics that are applied to traffic flowing from the network access client to a specific IP address, network, or host, on a specified port or range of ports.

An optimized tunnel provides a TCP Layer 4 connection to an application. You can configure optimized applications separately from the standard Layer 3 network access tunnel specified on the Network Settings page. Optimized application tunnels take precedence over standard network access tunnels, so for the specified destinations an optimized connection is established whether the network access tunnel is enabled or not.

In cases where optimized application tunnels have overlapping addresses or ranges, tunnels are prioritized in the following order:

- An address definition with a more specific network mask takes precedence.
- An address definition with a scope defined by a more specific subnet takes precedence.
- A tunnel defined by a host name takes precedence over a tunnel defined by an IP address.
- A tunnel defined by a host name takes precedence over a tunnel defined by a host name with a wildcard. For example, web.siterequest.com takes precedence over *.siterequest.com.
- A tunnel defined by a host name with a wildcard takes precedence over a tunnel defined by a network address. For example, *.siterequest.com takes precedence over 1.2.3.4/16.
- For equivalent tunnels with different port ranges, the tunnel with the smaller port range takes precedence. For example, web.siterequest.com:21-22 takes precedence over web.siterequest.com:21-30.

Configuring an Optimized Application on a Network Access Tunnel

You must create a network access resource, or open an existing resource, before you can perform this task.

1. On the Main tab, click Access Policy :: Network Access.
   The Network Access List screen opens.
2. Click the name of a network access resource on the Resource List.
   The Network Access editing screen opens.
   Note: This screen also opens immediately after you create a new network access resource.
3. To configure an optimized application for a host with the network access resource, click the Optimization tab.
4. Click Add to add a new optimized application configuration.
5. Configure the Destination and Port settings, and any required optimization characteristics.
6. Click Finished.
   The optimized application configuration is added to the network access resource.
7. Click the Update button.
   Your changes are saved and the page refreshes.

Optimized Application Settings

Use the following settings to configure an optimized application.

- Destination Host Name (value: fully qualified host name)
  Select this option to apply optimization to a specific named host. Specify a fully qualified domain name (FQDN) for the destination.

- Destination IP Address (value: IP address)
  Select this option to apply optimization to a host at a specific IP address. Specify an IP address for the destination.

- Destination Network (value: network IP address and mask)
  Select this option to apply optimization to a network. Specify a network IP address and subnet mask for the destination.

- Port(s) (value: specific numeric port or port list)
  You can specify a single port on which to optimize traffic, or select Port Range to specify an inclusive range. If you optimize traffic on a single port, you can type a port number, or you can select an application from the list of common applications to add the appropriate port, for example, FTP.

- Compression Settings (Enabled/Disabled)
  Enable or disable all of the following compression codecs.

- Deflate (Enabled/Disabled)
  Enable or disable Deflate compression.
  Deflate compression uses the least CPU resources, but compresses the least effectively.

- LZO (Enabled/Disabled)
  Enable or disable LZO compression. LZO compression offers a balance between CPU resources and compression ratio, compressing more than Deflate but using less CPU than bzip2.

- Bzip2 (Enabled/Disabled)
  Enable or disable bzip2 compression. Bzip2 compression uses the most CPU resources, but compresses the most effectively.

- Adaptive (Enabled/Disabled)
  Enable or disable adaptive compression. Adaptive compression automatically selects the compression type based on network and traffic characteristics.

Setting DNS and Hosts Options

Select the DNS/Hosts tab when you want to set parameters for DNS configuration and for static host names. The screen presents options for specifying the following settings:

- IPV4 Primary and IPV4 Secondary Name Servers
  The IP addresses of the DNS servers that network access assigns to the remote user. These should be the DNS servers that the internal company network uses.

- Primary and Secondary WINS Servers
  The IP addresses of the WINS servers to be conveyed to the remote access point. These are needed for Microsoft Networking to function fully. For fully functioning Microsoft network share browsing, you should configure the network access connection to use a SNAT pool.

- DNS Default Domain Suffix
  Set a DNS suffix to be sent to the client. If this field is left blank, the controller sends its own DNS suffix.
  You can specify multiple default domain suffixes separated by commas. This feature allows the client to resolve host names without a domain suffix; for example, http://myserver resolves as http://myserver.company.com if DNS Default Domain Suffix is set to company.com.

- Register this connection's addresses in DNS
  Select this check box to register the address of this connection in the DNS server.

- Use this connection's DNS suffix in DNS registration
  Select this check box to register the default domain suffix when you register the connection in DNS.

- Enforce DNS search order
  Select this check box to use the local DNS as primary and the Edge Gateway as secondary DNS when used with split tunneling. This check box is selected by default.

- Static Hosts
  Here you can add, edit, and delete static host names. With static hosts, you can configure a list of static hosts for the network access client to use. The static hosts you configure modify the client computer's local hosts table and override the configured DNS server, so use them only when you need to augment or override the existing DNS. You can also use static hosts when the client machine is locked down and the DNS Relay service is installed, to provide host resolution.

  For this file-change operation, users on Windows platforms must have local administrative rights to modify the hosts file during the connection, or the administrator must change the attributes of the hosts file to allow non-administrative modification, or the system must have the DNS Relay service installed. Loosening the hosts file's permissions lets any local user or malware redirect names, so prefer the DNS Relay service. Static hosts are supported on Windows clients only.

Setting Up Lease Pools

A lease pool specifies a collection of IP addresses as a single object. You can use a lease pool to associate that collection of IP addresses with a network access resource.
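The following allocator is an added illustration of what a lease pool does for a tunnel, written for this edition and not taken from APM. It serves both the Dynamic IP address assignment feature described earlier in this chapter (an address from the pool, or one named by an external AAA server attribute) and the lease pool procedures that follow. The class, its methods, the session identifiers and the addresses in the demo are constructed; the name check implements the naming rule stated in the Create a Lease Pool procedure below. An address supplied through a AAA attribute is honoured only if it is a member of the pool and not already leased, so a misconfigured or malicious attribute cannot take over another user's address.

```python
import ipaddress
import re

# Naming rule from the lease pool procedure: a letter first, then letters,
# digits, periods, underscores or dashes; global reserved words are refused.
RESERVED_NAMES = {"all", "delete", "disable", "enable", "help", "list", "none", "show", "None"}
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*$")


def is_valid_pool_name(name):
    return bool(NAME_RE.match(name)) and name not in RESERVED_NAMES


class LeasePool:
    """Address allocator with the semantics the lease pool settings describe.

    Added illustration, not APM code. Members are single addresses or
    inclusive start-end ranges of one IP version; each connection receives
    the next unallocated address unless a AAA attribute names a usable one.
    """

    def __init__(self, name):
        if not is_valid_pool_name(name):
            raise ValueError(f"invalid lease pool name: {name!r}")
        self.name = name
        self._members = []      # (version, start_int, end_int), inclusive
        self._leases = {}       # address string -> session id

    def add_address(self, address):
        a = ipaddress.ip_address(address)
        self._members.append((a.version, int(a), int(a)))

    def add_range(self, start, end):
        s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if s.version != e.version or int(s) > int(e):
            raise ValueError("range must run from start to end within one IP version")
        self._members.append((s.version, int(s), int(e)))

    @staticmethod
    def _to_address(version, value):
        return ipaddress.IPv4Address(value) if version == 4 else ipaddress.IPv6Address(value)

    def _is_member(self, addr):
        return any(v == addr.version and s <= int(addr) <= e for v, s, e in self._members)

    def allocate(self, session_id, requested=None):
        """Lease an address to session_id and return it as a string."""
        if requested is not None:
            # Address supplied by an external AAA attribute: use it only if it
            # belongs to the pool and nobody else holds it; otherwise fall back
            # to normal allocation rather than hijacking an existing lease.
            r = ipaddress.ip_address(requested)
            if self._is_member(r) and str(r) not in self._leases:
                self._leases[str(r)] = session_id
                return str(r)
        for version, start, end in self._members:
            for value in range(start, end + 1):
                addr = str(self._to_address(version, value))
                if addr not in self._leases:
                    self._leases[addr] = session_id
                    return addr
        raise RuntimeError(f"lease pool {self.name} exhausted")

    def release(self, session_id):
        """Return every address held by session_id to the pool."""
        for addr in [a for a, s in self._leases.items() if s == session_id]:
            del self._leases[addr]

    def size(self):
        return sum(e - s + 1 for _, s, e in self._members)

    def free_count(self):
        return self.size() - len(self._leases)


def demo():
    """Constructed walk-through: a three-address range plus one single address."""
    pool = LeasePool("studentX_na_pool")
    pool.add_range("10.1.10.100", "10.1.10.102")
    pool.add_address("10.1.10.200")
    first = pool.allocate("session-a")                             # next free: 10.1.10.100
    second = pool.allocate("session-b", requested="10.1.10.102")   # AAA attribute honoured
    third = pool.allocate("session-c", requested="10.1.10.102")    # already leased: next free instead
    pool.release("session-a")                                      # session ends, address reclaimed
    fourth = pool.allocate("session-d")                            # gets the reclaimed 10.1.10.100
    return first, second, third, fourth, pool.free_count()


if __name__ == "__main__":
    print(demo())
```

Size the pool for the peak number of concurrent tunnels, not the number of users: once the pool is exhausted, further connections fail, which is also why addresses must be released promptly when sessions expire.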
Use a lease pool with a network access connection to automatically assign an unallocated IP address to a network access client.

To Create a Lease Pool

1. On the Main tab of the navigation pane, expand Access Policy, point to Network Access, click Lease Pools, then click IPV4 Lease Pools.
   The Lease Pool List screen opens.
2. Click the Create button.
   The New Lease Pool screen opens.
3. In the Name box, type a name for the lease pool.
   The initial character of a lease pool name must be a letter, followed by letters, numbers, periods, underscores, or dashes. Avoid using global reserved words such as all, delete, disable, enable, help, list, none, show, or None.
4. Add IP addresses to the lease pool.
   - To add a single IP address, in the Member List area, select IP Address for the type. In the IP Address box, type the IP address, and click the Add button.
   - To add a range of IP addresses, in the Member List area, select IP Address Range for the type. In the Start IP Address box, type the first IP address, and in the End IP Address box, type the last IP address. Click the Add button.
   - To delete an IP address or IP address range, select it in the member list, and click the Delete button.
5. When you have finished adding IP addresses to the list, click the Finished button.
   You can click the Repeat button to create and save the lease pool, then immediately create another lease pool with the same members and a blank name.

To Edit or Delete a Lease Pool

1. On the Main tab of the navigation pane, expand Access Policy, hover over Network Access, and click Lease Pools.
   The Lease Pool List screen opens.
2. In the Name column, click the name of the lease pool to edit.
   The Lease Pool Properties screen opens.
3. Add or remove IP addresses for the lease pool.
   - To add a single IP address, in the Member List area, select IP Address for the type.
     In the IP Address box, type the IP address, and click the Add button.
   - To add a range of IP addresses, in the Member List area, select IP Address Range for the type. In the Start IP Address box, type the first IP address, and in the End IP Address box, type the last IP address. Click the Add button.
   - To delete an IP address or IP address range, select it in the member list, and click the Delete button.
4. To save the lease pool, click the Update button.
5. To delete the lease pool, click the Delete button, then click OK in the dialog that appears.

To Assign a Lease Pool to a Network Access Resource

1. On the Main tab of the navigation pane, expand Access Policy and click Network Access.
   The Network Access Resource List screen opens.
2. In the Name column, click the name of the network access resource to which you want to assign the lease pool.
   The Network Access Properties screen opens.
3. Select the Network Settings tab.
4. In the IPV4 Lease Pool list, select the lease pool to assign.
5. When you are finished, click the Update button.

To Create an IPV6 Lease Pool

This is similar to creating an IPV4 lease pool. For more information, refer to the BIG-IP Access Policy Manager Network Access Configuration Guide.

Mapping Drives with Network Access

Use the Drive Mappings tab to map network drives when a network access connection is established. You can set options for specifying the UNC path to the network share, the preferred drive letter to use for the drive mapping, and a description. If the drive letter is in use, the user is allowed to select any free drive letter.

Note: For more information on these settings, refer to the BIG-IP Access Policy Manager Network Access Configuration Guide.

Using the drive mappings options, you can specify network shares to be mapped automatically on the client computer whenever a user logs on. Because the Access Policy Manager does not verify the accuracy of a path, you must make sure that the path is correct.
Note: Drive mapping is supported only for clients with Windows operating systems.

Troubleshooting Drive Mapping Failures

After establishing a network access connection, Windows needs a varying length of time before it can start using WINS for NetBIOS name resolution (depending on network speed and other factors, usually about one minute). During this time, the drive-mapping operation can fail with the message: The network resource type is not correct. If the UNC path is configured with the NetBIOS name, you may get the message: The network path was not found. If drive mapping fails, try the following corrections:

- Use IP addresses instead of NetBIOS names
  For example, specify \\192.168.191.1\share instead of \\server\share.
- Use fully qualified DNS names
  For example, specify \\server.domain.com\share instead of \\server\share.
- Check the default domain suffix
  Make sure that the Access Policy Manager is configured with the proper DNS suffixes.
- Try the operation again
  Advise users to retry mapping. Subsequent mapping attempts usually succeed after a 30 to 40 second delay. To retry, have the user click the Relaunch button in the user's network access popup window. The Relaunch option is available only with the web client, not with the BIG-IP Edge Client.

Launching Applications with Network Access Connections

Use the Launch Applications tab to set options for configuring network access to start client-side applications. This feature is particularly useful for network access clients who connect to application servers for which they have a client-side component on their computers. For example, it is common to configure network access connections for directly accessing an internal Exchange server. In this case, when the client makes a network access connection, it automatically starts an Outlook client on the connecting computer. This makes access easier for the end user.
You can specify different applications for Windows, Macintosh, iOS, and UNIX remote systems.

Note: For more information on these settings, refer to the BIG-IP Access Policy Manager Network Access Configuration Guide.

Specifying Application Paths and Parameters

On the Launch Applications screen, under General Properties, check the Display warning before launching applications box to display a warning to the network access user before any applications start. You can configure multiple applications to launch by adding applications to the application list. For each application you configure, specify the complete path in the Application Path box and any application parameters in the Parameters box, and select the target operating system from the Operating System list.

The following examples contain strings for the Application Path and Parameters boxes.

This example starts Internet Explorer pointed at an internal web server.

- Application Path: iexplore
- Parameters: http://internal_application.siterequest.com

This example starts the Microsoft Terminal Server client against an internal terminal server.

- Application Path: %SystemRoot%\System32\mstsc.exe
- Parameters: /v:internalterminalserver.siterequest.com /f

These commands run on the client with the logged-on user's privileges, so prefer full paths to executables you control: a bare name such as iexplore is resolved through the client's own search path.

Running Domain Scripts

For certain client systems, you can automatically run domain logon scripts after establishing a network access connection. The client systems must meet the following requirements:

- The system is running Microsoft Windows 2000, Windows XP, or later.
- The remote user's computer is a member of the specified domain.
- The user is logged on to Windows using domain credentials cached on the local client computer.
The following example illustrates how to start a domain logon script:
• Application Path: logon
• Parameters: \\domain_controller_ip_address %username% or domain_name %username%

The domain_name entry represents the target domain name, and the domain_controller_ip_address entry represents the IP address of the domain controller.

BIG-IP Edge Client

You configure the BIG-IP Edge Client to open a network access tunnel that allows your users access to your local network over a secure VPN connection.

Lesson Objective: During this lesson, you will learn how to configure the BIG-IP Edge Client.

Understanding the BIG-IP Edge Client

Access Policy Manager includes automatic installation support for Windows clients, so you can use Access Policy Manager for secure remote access. The BIG-IP Access Policy Manager downloads components to the end user's computer at initial logon. The downloaded client components enable the various features of the Access Policy Manager functionality. This download occurs automatically for those systems that support software installation. For clients that do not support such automatic software installation, you can configure and distribute the BIG-IP Edge Client, configured to meet the needs of the client systems you support.

The type of control downloaded differs depending on the user's operating system. For proper functionality, the controls require certain conditions.

For Microsoft Windows-based computers, the requirements are:
• The user must have ActiveX enabled if the browser is Internet Explorer.
• If the browser is not Internet Explorer, the user must allow software installation.
• One of the following must be true:
  • The user has Administrator privileges on the client system.
  • The client control is already installed on the system.
  • The Component Installer Package for Windows has been installed on the system.

For Apple Macintosh (OS X only) and Linux-based systems, the user must have superuser authority, or the user must supply the administrative password at the time of initial installation.

Introducing BIG-IP Edge Client Features

The BIG-IP Edge Client includes several features that are not available in the web client. These features are especially useful for roaming users; that is, users who take a laptop from one place to another and wish to remain connected to the corporate network as much as possible.

Understanding Location Awareness

The BIG-IP Edge Client provides a location awareness feature. Using location awareness, the client connects automatically only when it is not on a specified network. The administrator specifies the networks that are considered in-network by adding DNS suffixes to the client installer download package. With a location-aware client enabled, a user with a corporate laptop can go from a corporate office, with a secured wireless or wired network connection, to an offsite location with a public wireless network connection, and maintain a seamless connection to allowed corporate resources. Note that the DNS suffix is learned from the network the client happens to be on, so location awareness is a convenience feature that decides whether to start the tunnel; it is not an access control, and the access policy and ACLs still govern what the user can reach once the tunnel is up.

Understanding Automatic Reconnection

The BIG-IP Edge Client provides an automatic reconnection feature. This feature attempts to automatically reconnect the user's computer to corporate network resources whenever the client connection is dropped or ended prematurely.

Downloading Client Components

The Downloads screen is available on the Welcome page on first access, via the About tab in the main navigation pane, or by expanding Access Policy, clicking Secure Connectivity, and clicking the Clients Download tab. You can also return to the Welcome page at any time by clicking the F5 logo at the top right of the Configuration utility.
This behavior can be changed via System :: Preferences, with the Start Screen option. Clicking the F5 logo takes you to the available BIG-IP Edge Client component download links. These include:
• BIG-IP Edge Client for Windows: Click this link to configure a customized download package with the options you need to govern Windows logon integration and other functionality of the standalone Windows client. In the custom installer package, you can choose packages to install, specify Access Policy Manager servers, and define DNS suffixes that specify whether your computer is on a local network or not.
• BIG-IP Edge Client for Mac OS: Click this link to configure a customized download package with the options you need to govern functionality of the BIG-IP Edge Client for the Macintosh operating system. In the custom installer package, you can choose options to install.
• BIG-IP Edge Command Line Client for Linux: Click this link to download a GZIP archive of an installer script and associated package of libraries to set up a network access connection from a Linux client command line.
• BIG-IP Edge Client for Windows Mobile 5.0 and higher (ARM processor): Click this link to download the BIG-IP Edge Client for Windows Mobile 5.0 or later devices with an ARM processor.

[Screenshot: the Downloads page. Recoverable sections: Agents for Microsoft Windows Server platforms (ISAPI Plugin and ISAPI Plugin (x64 edition), which use the WMI interface to gather system metrics for Dynamic Ratio load balancing, and a .NET agent for the same purpose); BIG-IP Edge Client Components (BIG-IP Edge Client for Windows, Mac OS and Linux; Component Installer Package for Windows; FullArmor GPAnywhere for VPN; FullArmor GPAnywhere for VPN (x64 edition); Client Troubleshooting Utility for Windows); SNMP MIBs for BIG-IP and Enterprise Manager (mibs_f5.tar.gz); RealServer Plugin for Dynamic Ratio load balancing; SSH Clients, with a link to www.openssh.com for accessing the BIG-IP command line interface.]

Customizing Client Download Packages

On the Download Client Components screen that you access from the BIG-IP Edge Client for Windows link, you can specify client options that govern Windows logon integration and functionality of the standalone Windows client. The following client options are available:
• Web BIG-IP Edge Client for Windows: Select this option to download software that a client can use to access the Access Policy Manager from a web browser.
• Standalone BIG-IP Edge Client for Windows: Select this option to download a separate application that a client can use to access the Access Policy Manager.
• BIG-IP Edge Client COM API for Windows: Select this option to download a COM API for Windows clients. The COM API allows you to develop secure client-server applications.
• Dialup Entry / Windows Logon Integration: Select this option to download a dialup networking entry for the secure access connection. This dialup networking entry allows users to connect to the secure access connection from the Windows logon prompt, even before they log on to the local computer.
One feature this option allows is that a user can authenticate to the corporate network before the user logs on to the computer.
• Endpoint Security for Windows: Select this option to download the plugins that do endpoint inspection on a client machine.
• Component Installer Service for Windows: Select this option to download an installer service that allows the Access Policy Manager to install components on a client computer even if the client does not have rights to install software. For example, use this to allow a user with limited rights to install from the Access Policy Manager, when typically the user cannot.
• DNS Relay Proxy Service for Windows: Select this option to download the DNS relay proxy service to the client. This allows a client system to run the DNS relay proxy service and conform to the Access Policy Manager's DNS Relay Proxy Service configuration.
• Traffic Control Service for Windows: Select this option to download the traffic control service. This allows a client system to use the traffic control rules defined on the server to govern secure access traffic on the client.
• User Logon Credentials Access Service for Windows: Select this option to include the software service that allows the client to store encrypted Windows logon credentials and use those credentials to log on to the Access Policy Manager. Select the option Add virtual server list to trusted sites, below, to simplify user interaction when using Windows logon credentials. You can enable logon with Windows credentials on the Client Configuration tab, with the option Use Windows Logon Credentials.
• Auto launch BIG-IP Edge Client after Windows Logon: Select this option to start the BIG-IP Edge Client after the user logs on to Windows.
• Add virtual server list to trusted sites: Select this option to add the virtual servers (specified in the Virtual Servers list on the Client Configuration tab) to the Windows Trusted sites list the first time this client starts. Virtual servers added to the Trusted sites list with this option remain on the Trusted sites list indefinitely. This works with the User Logon Credentials Access Service for Windows to provide seamless logon with the BIG-IP Edge Client, if Access Policy Manager accepts the same credentials that your users use to log on to Windows.

To Configure the Client Package
1. On the Main tab of the navigation pane, expand Access Policy, click Secure Connectivity, and click Connectivity Profiles. The Connectivity Profiles List screen opens.
2. Click the connectivity profile for which you want to download the client. The parent profile is called connectivity. If no other exists, you can create a copy of this one using the Create button; accept all the default options and click Finished. Once you click on this new profile, the Connectivity Profile Properties screen opens.
3. The Connectivity Profile Properties screen displays options for Network Access Compression Settings, and the Client Configuration and Mobile Client Configuration tabs at the top of the screen offer more configuration options.

Note: For more information on these settings, refer to the BIG-IP Access Policy Manager Network Access Configuration Guide.

To Download the Client Package
1. On the Main tab of the navigation pane, expand Access Policy, click Secure Connectivity, and click Connectivity Profiles. Then click the Clients Download tab. The BIG-IP Edge Client Components downloads screen opens.
2. Click the SSL VPN Client for Windows / MacOS Platform link, select the Connectivity Profile to use from the drop-down menu and click Next. This takes you to the BIG-IP Edge Client Components section. Click BIG-IP Edge Client for Windows. The Connectivity Profile Customized Package screen opens.
3. Select the features and options to add to the installer package.
4. When you have finished configuring the client download package, click the Download button. The client package you specified is downloaded to your local system as the file BIGIPEdgeClient.exe.

You can install this downloaded package onto client computers, or you can copy the package to a shared location so that individual users can complete their own installation. Because the package is an installer that runs with elevated rights, place it in a location users cannot write to, and have users check its digital signature before running it.

Using the Component Installer Package to Preinstall Client Components

Your security policy may prohibit granting users the power user rights needed to install ActiveX components, or your browser security policy may prohibit downloading active elements. For these reasons, you might prefer to preinstall components on your users' Windows systems.

You can use the Components Download screen to download the Component Installer Service for Windows package containing the Windows components needed for the various Access Policy Manager functions. You can use the Component Installer service to install and upgrade client-side Access Policy Manager components for all kinds of user accounts, regardless of the rights under which the user is working. This component is especially useful for installing and upgrading client-side components when the user has insufficient rights to install or upgrade the components directly. For information about configuring the MSI installer to run with elevated privileges, see the documentation for your operating system.

This is valid only for Windows-based installations. There is no MSI functionality for installing on client systems running other operating systems.

You must use an account that has administrative rights to initially install the Component Installer on the client computer as a part of the Client Components Package (MSI).
Once installed and running, the Component Installer automatically installs and upgrades client-side Access Policy Manager components. It can also update itself. The Component Installer requires that the installation or upgrade packages be signed using the F5 Networks certificate or another trusted certificate. By default, F5 Networks signs all components using the F5 Networks certificate. Because the service installs any package signed by a certificate the client trusts, the client's trusted code-signing certificate store becomes part of the trust boundary for this privileged service; keep it as small as your environment allows.

To Download the Component Installer Package
1. The package may be downloaded from the About tab at the top of the navigation pane. Click it and select Downloads, then click Component Installer package for Windows. You are prompted to run or save the file BIGIPComponentInstaller.msi.
2. There is another method to install only this package. On the Main tab of the navigation pane, expand Access Policy, click Secure Connectivity and click the Components Download tab.
3. In the Customized Package section, via the check boxes, select only the Component Installer Service for Windows. Click Download and you are prompted to save the new package.

Downloading the FullArmor GPAnywhere for VPN Component

From the Components Download screen, you can download an installer that enables FullArmor GPAnywhere integration with clients.

To Download FullArmor GPAnywhere for VPN
1. Click the About tab at the top of the navigation pane.
2. In the Downloads section, click the FullArmor GPAnywhere for VPN link to download the MSI installer. You are prompted to save the installer package GPAnywhere.msi.
3. There is also a 64-bit version, FullArmor GPAnywhere for VPN (x64 edition), available.

Using Macintosh and Linux Clients with Access Policy Manager

The Access Policy Manager includes network access support for remote Macintosh and Linux clients, so you can use Access Policy Manager for secure remote access in mixed-platform environments.
As with the Windows platform support, you do not need to preinstall or preconfigure any client software when using Access Policy Manager with Macintosh and Linux systems, if the client systems allow installation of the required browser components.

Note: For more information refer to the Configuration Guide for BIG-IP Access Policy Manager and to the BIG-IP Access Policy Manager Network Access Configuration Guide.

Establishing Client Connections

Users can initiate connections through network access from Windows, Linux, and Macintosh OS X systems, by connecting to the virtual server address using various browsers, or by starting the BIG-IP Edge Client. They can also use network access from Windows Mobile versions on PDAs. For a list of browsers that network access supports, see the Configuring BIG-IP APM Guide.

Installing the BIG-IP Edge Client for Windows

Using the BIG-IP Edge Client, users can access their BIG-IP Edge connections without using a web browser. The client gives users seamless access to the network access connection. You can provide the BIG-IP Edge Client to your users after you configure and download the package.

Connecting with the BIG-IP Edge Client

After a user installs the BIG-IP Edge Client for Windows, the user starts the client by choosing Start, then All Programs, then BIG-IP Edge Client. If the client has not been configured with a list of Access Policy Manager addresses, the user is prompted for an address. When the client first starts, the client window appears.

[Figure: Auto-Connect BIG-IP Edge Client screen]

On the BIG-IP Edge Client screen, the user can configure the following connection options:
• Auto-Connect: Starts a secure access connection as it is needed. This option uses the DNS suffix information defined in the connectivity profile to determine when the computer is on a defined local network. When the computer is not on a defined local network, the secure access connection starts.
When the computer is on a local network, the client disconnects but remains active in the system tray. When you open the disconnected client, the message Disconnected - LAN detected appears in the top pane of the client window, as shown in the figure above.
• Connect: Starts and maintains a secure access connection at all times, regardless of your computer's network location.
• Disconnect: Stops an active secure access connection and prevents the client from connecting again. After you click this option, a secure access connection does not start again until you click one of the previous two options.

In addition, the user can click the Change Server button to change the Access Policy Manager server.

Viewing Standalone Client Traffic and Statistics

The BIG-IP Edge Client provides a simple throughput graph, as well as more extended logging and statistics viewing features.

To View Secure Access Traffic Details
1. If the client is minimized to the system tray, click the system tray icon. The BIG-IP Edge Client screen opens, as shown in the previous figure.
2. At the bottom of the client window, click the View Details button. The details pop-up screen opens.

The Details screen provides four tabs that contain information relevant to the operation of the BIG-IP Edge Client. Click each tab to view the information for that feature. The tabs are:
• Connection Details - Shows details of the current connection, including status, server, tunnel details, and the amount of traffic sent and received.
• Routing Table - Shows the current routing table for the client system.
• IP Configuration - Shows the current IP configuration for the client system. The information in this tab is the same information you see when you issue the command ipconfig /all at the Windows command prompt.
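The location-awareness decision behind Auto-Connect, modelled as an added example (this is illustrative code, not F5's client implementation). It assumes the client decides "on a local network" by comparing the DNS suffixes configured in the connectivity profile with the Connection-specific DNS Suffix of each connected adapter, which is what the IP Configuration tab (ipconfig /all) displays; the sample ipconfig text, the adapter names, and the suffixes corp.siterequest.com and attwifi.com are constructed for the example.

```python
"""Location-awareness decision used by Auto-Connect (added example, not F5 code).

The connectivity profile carries DNS suffixes that mean "corporate network"; the client
compares them with the Connection-specific DNS Suffix of each active adapter and only
starts the tunnel when none matches. Disconnected adapters must not count: a wired
adapter that is unplugged still reports its last suffix.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

CONNECTED = "Connected"
LAN_DETECTED = "Disconnected - LAN detected"   # message shown in the client's top pane


@dataclass
class Adapter:
    name: str
    dns_suffix: str = ""      # Connection-specific DNS Suffix from ipconfig /all
    up: bool = True           # False when Media State says "Media disconnected"


# Constructed sample of ipconfig /all output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP-01
   Primary Dns Suffix  . . . . . . . : corp.siterequest.com

Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : corp.siterequest.com

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : attwifi.com
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
"""

ADAPTER_HEADER = re.compile(r"^\S.*adapter (?P<name>.+):\s*$")
FIELD = re.compile(r"^\s+(?P<key>[^.:]+?)[ .]*:\s?(?P<value>.*)$")


def parse_ipconfig(text: str) -> list[Adapter]:
    """Extract per-adapter DNS suffix and link state from ipconfig /all text."""
    adapters: list[Adapter] = []
    current = None
    for line in text.splitlines():
        header = ADAPTER_HEADER.match(line)
        if header:
            current = Adapter(header.group("name"))
            adapters.append(current)
            continue
        field = FIELD.match(line)
        if current is None or not field:
            continue      # the global section (Primary Dns Suffix etc.) is ignored on purpose
        key, value = field.group("key").strip(), field.group("value").strip()
        if key == "Connection-specific DNS Suffix":
            current.dns_suffix = value
        elif key == "Media State" and value.lower() == "media disconnected":
            current.up = False
    return adapters


def normalize(suffix: str) -> str:
    return suffix.strip().rstrip(".").lower()


def on_local_network(adapters: list[Adapter], profile_suffixes: list[str]) -> bool:
    """True when any connected adapter carries one of the configured corporate suffixes."""
    wanted = {normalize(s) for s in profile_suffixes if s.strip()}
    return any(a.up and normalize(a.dns_suffix) in wanted for a in adapters)


def auto_connect_state(adapters: list[Adapter], profile_suffixes: list[str],
                       mode: str = "auto") -> str:
    """mode is the option the user chose: auto (Auto-Connect), connect, or disconnect."""
    if mode == "connect":
        return CONNECTED            # always tunnel, regardless of location
    if mode == "disconnect":
        return "Disconnected"       # stay down until the user picks another option
    return LAN_DETECTED if on_local_network(adapters, profile_suffixes) else CONNECTED


if __name__ == "__main__":
    found = parse_ipconfig(SAMPLE_IPCONFIG)
    for a in found:
        print(f"{a.name}: suffix={a.dns_suffix!r} up={a.up}")
    print(auto_connect_state(found, ["corp.siterequest.com"]))
```

In the sample, the wired adapter still carries the corporate suffix but is unplugged, so the decision comes from the Wi-Fi adapter and the tunnel starts. The suffix is whatever the local DHCP server hands out, so a network that advertises the corporate suffix keeps the client off the tunnel; this is why location awareness only decides when to connect, while the access policy and ACLs decide what the user may reach.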
• Miscellaneous - Shows version information for the client software, the Access Policy Manager servers defined in the client, and the DNS suffixes used for network location awareness.

Lab 5.1 - Network Access

Objective:
• Build an Access Policy that uses a Network Access resource
• Test the new access policy and verify functionality

Estimated time for completion: 20 minutes

Lab Requirements:
• IP and port addresses available for use on BIG-IP APM that can be reached by the clients

Create a New Virtual Server and Access Profile Using the Wizard
1. Open a browser session to your BIG-IP APM web configuration utility at https://10.10.X.31.
2. In the navigation pane, expand the Wizards section and then click the link for Device Wizards.
3. In the Wizard section click the radio button for Network Access Setup Wizard for Remote Access and then click Next.
4. On the Basic Properties screen set the following values and click Next:
   Policy Name: ssl_vpn
   Default Language: leave at default
   Full Webtop: leave disabled
   Caption: defaults to Policy Name
   Client Side Checks: uncheck the box for Enable Antivirus Check
5. On the Select Authentication screen, select the following settings and click Next:
   Authentication Options: Use Existing
   Select AAA Server: server1_aaa_srvr
6. On the Configure Lease Pool screen, leave the Supported IP Version as IPV4.
7. Click the radio button for IP Address Range. Enter the following values (where X is your station number), click the Add button and then click Next:
   Start IP Address: 10.20.X.1
   End IP Address: 10.20.X.253
8. On the Configure Network Access screen, click the radio button for Use split tunneling for traffic.
9. Enter the following IPV4 LAN Address Space values, click the Add button and then click Next:
   IP Address: 172.16.0.0
   Netmask: 255.255.0.0
10. On the Configure DNS Hosts for Network Access screen, leave the IPV4 Primary Name Server set as 172.16.20.20 and click Next.
11. On the Virtual Server (HTTPS connection) screen set the following values, then click Next:
   Virtual Server IP Address: 10.10.X.103
   Redirect Server: leave the box checked for Create Redirect Virtual Server
12. Review your configuration and make sure values are set as stated below:
   Policy Name: ssl_vpn
   Use Existing AAA Server: server1_aaa_srvr
   Network Access Traffic Options: Use split tunneling for traffic
   IPV4 LAN Address Space: 172.16.0.0 / 255.255.0.0
   Assigned IPV4 Lease Pool: ssl_vpn_lp
   IPV4 Primary Name Server: 172.16.20.20
   Virtual Server IP Address: 10.10.X.103
13. If everything is correct click Next; otherwise click Previous and fix the wrong values.
14. On the Setup Summary screen notice that several objects have been created, specifically:
   Access Profile: ssl_vpn
   AAA Servers: server1_aaa_srvr
   Network Access: ssl_vpn_na_res
   Lease Pools: ssl_vpn_lp
   Webtops: ssl_vpn_webtop
   Connectivity Profiles: ssl_vpn_cp
   Virtual Servers: ssl_vpn_vs, set to a Destination IP Address of 10.10.X.103 and Port of 443
   When you are finished reviewing, click Finished.

Test Your New Virtual Server and Network Access Policy
15. Try opening a browser session to http://172.16.20.2. It shouldn't work.
16. Try opening a PuTTY session to 172.16.20.3; it shouldn't work either.
17. Open another browser session to your Virtual Server at https://10.10.X.103. Log in when prompted and click Yes when prompted to accept both SSL certificates.
18. Notice the browser screen goes through the stages Connecting, Authenticating, Finalizing and Connected. The browser session is then minimized to the Windows tray. Look for the F5 icon in the system tray; double-click it and the browser session will be displayed.
19. While connected, open another browser to http://172.16.20.2. This time it should work. Try https://172.16.20.1 and that should work also.
20. Try an ssh session to 172.16.20.3 and that also should work. If you want to log in, use student / student.
21. Now go back to your Virtual Server at https://10.10.X.103 and click the Logout link in the upper right corner of the screen. You should no longer be able to access devices on the 172.16/16 network because your tunnel has been closed.

Modify the Webtop
22. From the Navigation pane, expand the Access Policy section.
23. Select Webtops and click ssl_vpn_webtop.
24. Uncheck the Minimize to tray setting, then click Update.
25. Select Access Profiles and then the Edit... link for the ssl_vpn profile.
26. Click the link for AD Auth, verify the Server is set to /Common/server1_aaa_srvr, change the Max Logon Attempts allowed to 1 and click Save.
27. Click the Close button in the upper right corner of the Visual Policy Editor, then make sure to Apply your changes to your Access Policy.

Test Your New Virtual Server and Network Access Policy Changes
28. Make sure your previous Network Access SSL VPN tunnel is closed.
29. Open another browser session to your Virtual Server at https://10.10.X.103. Confirm only one logon attempt is allowed.
30. Open a new session, log in when prompted and click Yes when prompted to accept both SSL certificates. Your browser session should not be minimized to the Windows tray this time.
31. While the tunnel is open, try connecting to http://172.16.20.2 and ssh to 172.16.20.3.
32. Now log out of the SSL VPN session; you should no longer be able to access devices on the 172.16/16 network because your tunnel has been closed.

Optional Lab 5.2 - BIG-IP Edge Client

Lab Objectives:
• Download the BIG-IP Edge Client
• Test by connecting to APM

Estimated time for completion: 5 minutes

Download the Client
1. On the client browser, log in to BIG-IP at https://10.10.X.31.
2. Navigate to Access Policy :: Secure Connectivity and click on ssl_vpn_cp in the new window.
   Note: if you click the plus sign, you will see a brief summary of the client settings for iOS, Android, Windows and Macintosh.
3. Click the Edit Profile button.
4. In the new pop-up window, select Win/Mac Edge Client, then check Allow Password Caching.
5. Select Server List, then click Add..., fill in the Alias and Host Name fields with StudentX and 10.10.X.103 respectively, then click Update.
6. Click OK to save the settings.
7. Select ssl_vpn_cp, then click the Customize Package down-arrow and click on the Windows link.
8. In the pop-up window, click the Download button.
9. Save, then run the BIGIPEdgeClient.exe download file. This program will run a wizard; click Next at each prompt.
10. The application will run the next time the client is rebooted, but it may not run immediately after the installation. Look for the F5 logo in the Windows system tray.
11. If it is not running, run the "standalone" client from the command line: \Program Files\F5 VPN\f5fpclientW.exe or \Program Files (x86)\F5 VPN\f5fpclientW.exe.
12. If it comes up in Connect mode, press the Disconnect button.
13. Click Change Server. Note the client's server list has been pre-populated with your BIG-IP's VPN virtual server from step 5.
14. Click Next, then click Connect.
15. When the client shows its status as Connected, click the Show Graph and View Details buttons.
16. Test to make sure you can access devices on the 172.16.X/24 network when the Edge Client is connected.
17. Click Disconnect, then click Connect. Note you did not need to provide logon credentials the second time; the client cached them as configured in step 4.
18. Click Disconnect.

Lab 5.3 - Configuration Backup

Lab Objective:
• Create a backup archive

Save the configuration
1. Create an archive named studentX_labs1-5.
2. Download the new archive to your desktop.
Chapter 6: APM Access Control Lists

Access Control of Resources Overview

Lesson Objective: During this lesson, you will learn APM resource concepts and how to use Access Control Lists to control access to these resources.

With BIG-IP Access Policy Manager, you use resources to provide secure connection functionality to users. With Access Policy Manager, you configure a resource to allow access to a web application, a network access connection, or an application access connection, or you configure an access control list to allow or deny access to clients with a network access, web applications, or web application access management access policy.

You use access control lists (ACLs) for network access, portal access, or application access resources to provide or limit functionality to clients. You use ACLs to define allowed and disallowed networks, hosts, and protocols for users. You assign ACLs in the access policy.

A network access resource represents a single secure connection that provides an on-network type of experience to an end user. You can define many network access resources on the Access Policy Manager, but each connection uses only one network access resource. To connect a user securely with a network access connection, you must assign a network access resource to an access policy and a network access or full webtop, using the resource assign actions. A network access connection does not manipulate or analyze the content being passed between the client and the internal network.
A portal access resource provides web browser access to one or more specific internal web applications. With portal access, the Access Policy Manager communicates with back-end servers and rewrites the links in the response so that all the links in the response content specify the virtual server as the host. This method of access differs from a connection configured for network access, which provides a secured tunnel from the client to the internal network.

An application access resource (application tunnel or app tunnel) provides secure, application-level TCP/IP connections from the client to the network. An application tunnel differs from a network access resource in that it provides a single point-to-point connection to a specific application. Additionally, optimization is available for application tunnels. With compression settings for application tunnels, you can specify the available compression codecs for client-to-server connections. The compression types configured for the client are compared with the compression types available on the server, and the most effective mutual compression setting is chosen. You configure compression for the server in the connectivity profile.

Access Control Lists

Lesson Objective: During this lesson, you will learn how to configure Access Control Lists (ACLs) for APM resources.

Using Access Control Lists

You use access control lists, or ACLs, to restrict user access to specified host and port combinations. For an ACL to have an effect on traffic, at least one access control entry, or ACE, must be configured. In an access control entry, the only item that is required is the action. When you configure an ACL with an entry with only an action defined, that action becomes the default access control action for all traffic to which the ACL is applied. All ACLs consist of one or more ACEs. Order matters.
The uppermost ACE is examined first, followed by all subsequent ACEs. If the first ACE is equivalent to an Allow All, then the subsequent ACEs are irrelevant. BIG-IP allows for the easy reordering of ACEs in the Configuration utility.

ACL entries can work on OSI Layer 4 (the transport layer: addresses, ports and protocol), OSI Layer 7 (the application layer: scheme, host and path of an HTTP request), or both. When you first create an access control entry, you select whether the entry is for Layer 4, Layer 7, or for both.

You can use a Layer 4 or Layer 7 ACL with network access, web applications, or web application access management connections, with the following configuration notes. With network access, you can use a Layer 7 ACL that is configured to provide access control for port 80 HTTP connections. However, if you want to provide access control for anything that is not on port 80, you must create a second virtual server, configured with the IP address to which the ACL entry applies, and the default access profile, access. For HTTPS network access connections, you can use Layer 7 ACL entries only if the virtual server has the private key of the backend server, because the BIG-IP system must decrypt the traffic before it can match on host and path.

If you assign no ACLs to an access policy, the default behavior allows access. To restrict resources to only those you specify in an ACL, add an ACL entry configured to reject all connections at the end of the ACL entry list; a Layer 4 entry with only the Reject action defined serves as this catch-all. The access policy then rejects any connection not matched by a previous entry.

Most commonly, a single ACL (with multiple ACEs) is applied to a user session. However, there may be circumstances where multiple ACLs are applied to a session. In this case, the priority of the ACLs relative to each other is very important. Just as ACEs within a single ACL can be reordered to provide the correct priority, multiple ACLs may be reordered relative to each other to provide the correct priority. To restate, the order you specify for ACLs and ACEs determines their priority. ACLs apply only to the session to which they are assigned.
You assign ACLs in the access policy with the ACL Assign action and the Full Resource Assign action, so ACLs apply only to clients who reach that action in the access policy.

Creating Access Control Lists

You create an access control list to provide or deny access to network resources.

To Create an Access Control List
1. On the Main tab of the navigation pane, expand Access Policy, and click ACLs. The User-defined ACLs screen opens.
2. Click Create. The New ACL screen opens.
3. In the Name box, type a name for the access control list and leave the Type as Static.
4. In the Description box, you can add an optional description of the access control list.
5. From the Order list, you can optionally determine in what order to add the new ACL:
   • Select After to add the ACL after a specific ACL, which you can then select.
   • Select Specify to type the specific number of the ACL in the list.
   • Select Last to add the ACL at the last position in the list.
6. In the Match Case for Paths list you can specify whether the alphabetic case is considered when matching paths in the ACL entry.
7. Click the Create button. The ACL Properties screen opens.
8. In the Access Control Entries area, click Add to add an entry to the access control list. The New Access Control Entry screen appears.
9. From the Type list, select whether this is a Layer 4 (L4), Layer 7 (L7), or Layer 4 + Layer 7 (L4+L7) access control entry.
10. From the Action list, select the action for the access control entry. If you are creating a default access control list, complete this step, then skip to the last step in this procedure. Actions for the access control list entry are:
   • Allow - Permit the traffic.
   • Continue - Skip checking against the remaining ACL entries in this ACL, and continue evaluation at the next ACL.
   • Discard - Drop the packet silently.
   • Reject - Drop the packet and send a TCP RST message on TCP flows or the proper ICMP message on UDP flows.
Silently drop the packet on other protocols. Note: If HTTP traffic matches a Layer 4 ACL, a TCP RST message is sent. The ACL Deny page is sent when traffic is matched and denied on a Layer 7 ACL. In the Souree IP Address box, type the source IP address. This specifies the IP address to which the access control list entry applies. Configuring BIG-IP APM v11 63 6-4 6-4 Chapter 6 - APM Access Control Lists 12. In the Source Mask box, type the network mask for the source IP address. This specifies the network mask for the source IP address to which the access control list entry applies 13, For the Source Port setting, select Port or Port Range ‘This setting specifies whether the access control list entry applies to a single port or a range of ports, 14, In the Port box or the Start Port and End Port boxes, specify the port or port ranges to which the access control list entry appli To simplify this choice, you can select from the list of common applications, to the right of the Port box, to add the typical port or ports for that protocol. 15, In the Destination IP Address box, type the IP address to which the ACL controls access. 16, In the Destination Mask box, type the network mask for the destination IP address. 17. For the Destination Ports setting, select Port or Port Range. ‘This setting specifies whether the access control list entry applies to a single port or a range of ports, 18, In the Port box or the Start Port and End Port boxes, specify the port or port ranges to which the access control list entry applies. ‘To simplify this choice, you can select from the list of common applications, to the right of the Port box, to add the typical port or ports for that protocol. 19, From the Scheme list, select the URI scheme for the ACL entry. You can select http, https, or any. Any matches either HTTP or HTTPS traffic. 20. In the Host Name box, type a host to which the ACL applies. 
‘The Host Name box supports shell glob matching, For example, you can use the asterisk wildcard (*) to search for zero or more characters, and the question mark wildcard (2) to search for a single character. For example, the host entry *.siterequest.com matches siterequest.com with any prefix. This entry matches www.siterequest.com, mail.siterequest.com, finance.siterequest.com, and any others with the same patter, ‘The ? matches only the single character represented by the question mark, so n2t.siterequest.com matches the hosts net.siterequest.com and not.siterequest.com, but not, neet-iterequest.com, nt.siterequrest.com, or note.siterequest.com. 21. In the Paths box, type the path or paths to which the ACL applies. You can separate multiple paths with spaces, for example, /news /finanee. The Paths box supports shell glob matching. You can use the wildcard characters * and question marks (2) to represent single or multiple characters. You can also type a specific URI, for example, ‘/Minance/content/earnings.asp, ot a specific extension, for example, * jsp. 22. From the Protocol lst, select the protocol to which the ACL applies, AUl, TCP, or UDP. Configuring BIG-IP APM v11 Chapter 6 - APM Access Control Lists 65 23. From the Log list, select the log level for this access control entry. ‘When events of this type occur, the server records a log message. Options are: * None - log nothing. "Packet - log the matched packet to /var/log/pktfilter. 24. Click Finished. To Assign an Access Control List 1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. ‘The Access Profiles List screen opens. 2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column, ‘The visual policy editor opens in a new window or new tab, depending on your browser settings. 3. Onarule branch of the access policy, click the plus sign (+) to add an action. ‘The Add Item popup screen opens. 
4, If general purpose actions are not expanded, click the plus sign (+) next to General Purpose, 5. Select ACL Assign, and click Add Item. ‘The Resource Assign action popup sereen opens. 6. To add one or more Statie ACLs, click the Add/Delete link, then select the check boxes for ACLs you want to assign, and clear the check boxes for ACLs you do not want to assign. ACL assignment is optional 7. Click Save to save your ACL selection. Access Control List Examples The following examples show how to use ACLs to prevent access to servers, oF to allow only certain types of traffic to access servers. Example: Reject All Connections to a Specific Network In this ACL example, all connections to a specific network at 192.168.112.0/24 are rejected. To configure an ACL to reject all connections to a specific network 1. Configure the access control entries as follows, = Source IP Address - 0.0.0.0 (note that when you leave an IP address entry blank, the result is the same as typing the address 0.0.0.0). = Source Mask - 0.0.0.0 = Source Ports - All Ports Destination IP address - 192.168.112.0 Configuring BIG-IP APM v11 65 66 Example: Allow SSH Access to a Specific Host = Destination Mask - 255.255.255.0 = Destination Ports - All Ports = Protocol - All Protocols = Action - Reject Click Finished. Chapter 6 - APM Access Control Lists In this ACL example, SSH connections are allowed to the internal host at 192.168.112.9. To Configure an ACL to Allow SSH Connections 66 1 Configure the access control entries as follows. = Source IP Address - 0.0.0.0 = Source Mask - 0.0.0.0 = Source Ports - All Ports = Destination IP address - 192.168.112.9 = Destination Mask - 255.255.255.255 = Destination Ports - Port 22 (or select SSH) = Protocol - TCP = Action - Allow Click Finished. 
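To make the evaluation rules concrete (ACEs checked top down, ACLs in order, Continue skipping to the next ACL, the default allow when nothing matches, and L4 versus L7 matching with shell globs), here is an added Python model written for this guide; it is not F5 code and does not reproduce BIG-IP internals. It encodes the example ACLs from this chapter and the reject_server1_acl entries used in Lab 6.1; the "ip/mask" strings, the Connection type and the client addresses are assumptions made for the model.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # None models the "All Ports" setting


@dataclass
class Connection:
    """One client flow through the tunnel (constructed test input, not captured data)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str = "TCP"
    src_port: int = 40000
    scheme: Optional[str] = None  # "http"/"https" for HTTP(S) flows, None otherwise
    host: str = ""
    path: str = "/"


@dataclass
class ACE:
    """Fields mirror the New Access Control Entry screen; "ip/mask" strings stand in
    for the separate IP Address and Mask boxes (blank on the screen equals 0.0.0.0)."""
    action: str                      # Allow, Continue, Discard or Reject
    ace_type: str = "L4"             # L4, L7 or L4+L7
    src: str = "0.0.0.0/0.0.0.0"
    dst: str = "0.0.0.0/0.0.0.0"
    src_ports: PortRange = None
    dst_ports: PortRange = None
    protocol: str = "All"            # All, TCP or UDP
    scheme: str = "any"              # http, https or any
    host: str = "*"                  # shell glob, e.g. *.siterequest.com
    paths: Tuple[str, ...] = ("*",)  # the space-separated globs of the Paths box

    def _l4_match(self, c: Connection) -> bool:
        def in_range(rng: PortRange, port: int) -> bool:
            return rng is None or rng[0] <= port <= rng[1]
        return (ip_address(c.src_ip) in ip_network(self.src, strict=False)
                and ip_address(c.dst_ip) in ip_network(self.dst, strict=False)
                and in_range(self.src_ports, c.src_port)
                and in_range(self.dst_ports, c.dst_port)
                and self.protocol in ("All", c.protocol))

    def _l7_match(self, c: Connection) -> bool:
        if c.scheme is None:          # not HTTP(S): a Layer 7 entry cannot match
            return False
        return (self.scheme in ("any", c.scheme)
                and fnmatchcase(c.host, self.host)
                and any(fnmatchcase(c.path, p) for p in self.paths))

    def matches(self, c: Connection) -> bool:
        if self.ace_type == "L4":
            return self._l4_match(c)
        if self.ace_type == "L7":
            return self._l7_match(c)
        return self._l4_match(c) and self._l7_match(c)  # L4+L7 needs both


@dataclass
class ACL:
    name: str
    entries: List[ACE]


def evaluate(acls: List[ACL], c: Connection) -> Tuple[str, Optional[str]]:
    """Walk ACLs in order (lower order number = higher precedence) and ACEs top down.
    Returns (action, "acl#index") or ("Allow", None) when nothing matched."""
    for acl in acls:
        for i, ace in enumerate(acl.entries):
            if not ace.matches(c):
                continue
            if ace.action == "Continue":  # skip the rest of this ACL, try the next one
                break
            return ace.action, f"{acl.name}#{i}"
    return "Allow", None


def page_examples() -> List[ACL]:
    """The three example ACLs from this chapter, one ACE each, in the order listed."""
    return [
        ACL("reject_network", [ACE("Reject", dst="192.168.112.0/255.255.255.0")]),
        ACL("allow_ssh", [ACE("Allow", dst="192.168.112.9/255.255.255.255",
                              dst_ports=(22, 22), protocol="TCP")]),
        ACL("reject_filetypes", [ACE("Reject", ace_type="L7", scheme="http",
                                     paths=("*.doc", "*.exe", "*.txt"))]),
    ]


def lab_acl(allow_telnet_first: bool) -> ACL:
    """reject_server1_acl from Lab 6.1: a Reject for everything to 172.16.20.1 plus an
    Allow for port 23; only the ACE order decides whether telnet gets through."""
    reject_all = ACE("Reject", dst="172.16.20.1/255.255.255.255")
    allow_23 = ACE("Allow", dst="172.16.20.1/255.255.255.255", dst_ports=(23, 23))
    order = [allow_23, reject_all] if allow_telnet_first else [reject_all, allow_23]
    return ACL("reject_server1_acl", order)
```

Running evaluate() with the three page examples in the listed order rejects SSH to 192.168.112.9, because the network-wide Reject sits above the SSH Allow; swapping the two ACLs, like reordering the lab ACEs, is what lets the Allow take effect.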
Example: Reject Connections to Specific File Types

In this ACL example, all connections that attempt to open files with the extensions DOC, EXE, and TXT are rejected.

To Configure an ACL to Reject Connections to Specific File Types

1. Configure the access control entries as follows.
   * Source IP Address - 0.0.0.0
   * Source Mask - 0.0.0.0
   * Source Ports - All Ports
   * Destination IP Address - 0.0.0.0
   * Destination Mask - 0.0.0.0
   * Destination Ports - All Ports
   * Scheme - http
   * Paths - *.doc *.exe *.txt
   * Protocol - All Protocols
   * Action - Reject
2. Click Finished.

Lab 6.1 - Access Control Lists

Lab Objectives:
* Build ACLs that affect traffic through a Network Access tunnel
* Test the new access policy and verify functionality

Estimated time for completion: 20 minutes

Test Network Access Before ACLs

1. Open a browser session to your Network Access Virtual Server at https://10.10.X.103. Alternately, you could use BIG-IP Edge Client.
2. While the Network Access tunnel is connected, open a couple of other browser sessions to http://172.16.20.1 and https://172.16.20.2; both should work.
3. Now go back to your Virtual Server at https://10.10.X.103, and click the Logout link in the upper right corner of the screen. You should no longer be able to access devices on the 172.16/16 network.

Create a Layer 4 ACL

4. Navigate to Access Policy :: ACLs and click Create... in the new window.
5. Name the new ACL reject_server1_acl and click Create. Leave the other settings at default.
6. Under Access Control Entries click the Add button.
7. Configure the following settings and click Finished:
   Type - L4
   Destination IP Address - Type: Host
   Destination IP Address - Address: 172.16.20.1
   Action - Reject
   Log - Packet
8. Navigate to Access Policy :: Access Profiles.
9. Select the Edit... link for ssl_vpn and you should be in the Visual Policy Editor.
10. Click the Full Resource Assign action.
11. Click the Add/Delete link. Select the Static ACLs tab, then select /Common/reject_server1_acl and click Update.
12. Click Save, then click the Close button to get out of the Visual Policy Editor.
13. Make sure to remember to Apply Access Policy so that changes take effect.

Test the ACL

14. Make sure you are logged out of your previous Network Access tunnel session.
15. Log on to your Network Access Virtual Server at https://10.10.X.103 again.
16. Test the following combinations. If you want to log in to the ssh server, use student/student credentials:
   172.16.20.1:22 (ssh)
   172.16.20.2:22 (ssh)
   172.16.20.1:23 (telnet)
   172.16.20.1:80 (HTTP)
   172.16.20.2:80 (HTTP)
   172.16.20.1:443 (HTTPS)
   Note: You may have to delete the browser cache for this to work properly on port 80.

Create a Second ACE for the ACL

17. Navigate to Access Policy :: ACLs and click the link for reject_server1_acl.
18. Click the Add... button.
19. Configure the following settings and click Finished:
   Type - L4
   Destination IP Address - Type: Host
   Destination IP Address - Address: 172.16.20.1
   Destination Port(s) - Port 23
   Action - Allow
   Log - Packet
20. Don't forget to Apply Access Policy.
21. When you're done the ACEs should look like this. Confirm and test. Be sure to log out of the BIG-IP client session (and VPN) and log back in to get a new session with the new ACLs.
   Figure: Access Control Entries list for reject_server1_acl (Change Order... and Add... buttons, with the Reject entry for 172.16.20.1 shown)
   Note: This time you might expect telnet on 172.16.20.1 to work. Did it? Why not? It turns out ACEs have precedence. They work from the top down.

Reorder the ACE

22. Navigate to Access Policy :: ACLs and click reject_server1_acl.
23. On the new page, click the Change Order... button.
24. Allow port 23 on 172.16.20.1 before rejecting every other port.
25. Click Finished and Apply Access Policy.
26. Test again. Did you need to log out?

Create a Second Layer 4 ACL

27. Navigate to Access Policy :: ACLs and click Create.
28. Name the new ACL allow_server1_ssh_acl and click Create, then click Add... in the new page.
29. Configure the following settings and press Finished.
   Type - L4
   Destination IP Address - Type: Host
   Destination IP Address - Address: 172.16.20.1
   Destination Port(s) - Port 22
   Action - Allow
   Log - Packet
30. Add the new ACL to the Full Resource Assign action in the ssl_vpn Access Profile. Review steps 9 to 13 if necessary.
   Note: Do not remove the existing ACL for the ACL Assign action. This action should have two ACLs selected.
31. Be sure to Apply Access Policy, log out of the client browser and log back in again, and test.
   Note: Does it work? You may already suspect the reason. Just like multiple ACEs, when multiple ACLs are used together, they also have precedence.
   Note: In many cases a single ACL with multiple ACEs will be used. But there are times when multiple ACLs will be required.
32. Navigate to Access Policy :: ACLs and look at the ACLs. Lower number ACLs have higher precedence.
33. Navigate to Access Policy :: ACLs :: All ACLs.
34. Click Change ACL Order...
35. Make reject_server1_acl the last (lowest priority) ACL and click Finished.
36. Remember to Apply Access Policy and log out and log back in. Then test. This time it should work as expected.

Lab 6.2 - Layer 7 Access Control Lists

Lab Objective:
* Add a Layer 7 ACL into the mix.

Estimated time for completion: 5 minutes

Create an L7 ACE

1. Create a new ACL named reject_cgi_acl.
2. Create a new ACE, using the Add... button. For the New Access Control Entry, set Type to L7, set Scheme to http, set Paths to /env.cgi, set Action to Reject, set Log to Packet and click Finished.
3. Edit the Access Policy and add the new ACL to the Advanced Resource Assign action.
4. Remember to Apply Access Policy and, from the client browser, log out and log back into the BIG-IP on https://10.10.X.103 using your studentX credentials.
5. After the VPN is connected, in a new browser window, go to http://172.16.20.2 and click on the Source IP Address link.
6. Repeat for http://172.16.20.3.
7. Repeat for https://172.16.20.3.

Lab 6.3 - Layer 4 + 7 Access Control Lists

Lab Objective:
* Change the Layer 7 ACE to a Layer 4+7 ACE.

Estimated time for completion: 5 minutes

Change the L7 ACE to L4+L7

1. Suppose we only wanted to Reject /env.cgi on 172.16.20.2. If we were using a host name, we could do this in the L7 ACE. Because we are using the IP address, we must use an L4+7 ACE.
2. Navigate to Access Policy :: ACLs.
3. Select the ACE labeled http:///env.cgi/* to drill down to the ACE.
4. Change the type from L7 to L4+L7.
5. Set the Destination IP Address Type to Host and the Address to 172.16.20.2. Click Update.
6. Remember to Apply Access Policy and, from the client browser, log out and log back in to BIG-IP on https://10.10.X.103 using studentX credentials. Alternately, you may use the BIG-IP Edge Client.
7. After the VPN is connected, in a new browser window, go to http://172.16.20.2 and click on the Source IP Address link.
8. Repeat for http://172.16.20.3.

Lab Objective:
* Create a backup archive

Save the Configuration

1. Create an archive named studentX_labs1-6.
2. Download the new archive to your desktop.

Chapter 7: APM Application Access & Webtops

Application Access & Webtops Overview

Lesson Objective: During this lesson, you will learn how to configure Application Access resources, including application tunnels, or app tunnels, and remote desktops. You will also learn about the three types of webtops and how to configure full webtops and webtop links.

Application Access

An app tunnel (application tunnel) provides secure, application-level TCP/IP connections from the client to the network. Additionally, optimization is available for app tunnels.
With compression settings for app tunnels, you can specify the available compression codecs for client-to-server connections. The BIG-IP compares the compression types configured with the compression types available on the client, and chooses the most effective mutual compression setting based on the type of traffic, to provide application-specific optimization. The compression settings for the BIG-IP are configured in the connectivity profile.

Configuring an App Tunnel Object

When you create an app tunnel object, that object becomes a simple container that holds app tunnel resources. Once you specify those resources from within the app tunnel resource, you can then assign the resource to an access policy.

1. On the Main tab, click Access Policy :: Application Access :: App Tunnels.
   The App Tunnels screen opens.
2. Click Create.
   The New App Tunnel Resource screen opens.
3. Type a name and enter a description for your app tunnel.
4. Although an ACL is automatically created for your application object, you can choose to determine the order of your ACL as it appears in the ACL list. Use the ACL Order list to select the placement you want.
5. Under Default Customization Settings, type a Caption for the app tunnel. This caption identifies the app tunnel and enables it to appear on a full webtop. The default is the value of the Name field.
6. Click Create.

You have just created an app tunnel object.

Configuring an Application Resource Item for an App Tunnel

The application resource item specifies how to create a particular tunnel. The application field serves as a hint to Access Policy Manager in order to help with special handling of specific protocols. Compression settings specify which compression codecs the tunnels can use, while the Launch Application field allows you to define an application that will run once you establish the resource tunnel.

1. On the Main tab, click Access Policy, Application Access, and select App Tunnels.
   The list of app tunnels opens.
2. Click the name of the app tunnel you created.
   The Properties screen opens.
3. Under Resource Items, click Add.
   The New Resource Item screen opens.
4. For Destination type, specify whether the application destination is a host or an IP address. You cannot use the fully qualified domain name to connect to an application resource that is configured with an IP address destination type.
5. Specify your port or port range for the application.
6. From the Application Protocol list, select the application protocol.

   Option | Description
   None | Specifies that the app tunnel resource uses neither RPC nor FTP protocols.
   Microsoft RPC | Specifies that the resource uses the Microsoft RPC protocol.
   Microsoft Exchange RPC Server | Specifies that the resource uses the Microsoft Exchange RPC Server protocol.
   FTP | Specifies that the resource uses the FTP protocol.

7. The Log options are None or Packet. If set to Packet, details of the connection are logged to the file /var/log/pktfilter.
8. Under Compression Settings, compression can be Enabled or Disabled. The following values are available.

   Setting | Value | Description
   Compression Settings | Enabled/Disabled | Enable or disable all the following compression codecs.
   Deflate | Enabled/Disabled | Enable or disable Deflate compression. Deflate compression uses the least CPU resources, but compresses the least effectively.
   LZO | Enabled/Disabled | Enable or disable LZO compression. LZO compression offers a balance between CPU resources and compression ratio, compressing more than Deflate compression, but with less CPU resources than Bzip2.
   Bzip2 | Enabled/Disabled | Enable or disable bzip2 compression. Bzip2 compression uses the most CPU resources, but compresses the most effectively.
   Adaptive | Enabled/Disabled | Enable or disable adaptive compression. Adaptive compression automatically selects the compression type based on network and traffic characteristics.

9. For the Application Path setting, optionally specify a path for a client-side application to start once the application access tunnel is established.
10. For the Parameters setting, specify any parameters associated with the application that starts with the Application Path. The parameters you can add are:
   * $host - This is substituted with the loopback host address.
   * $port - The loopback port. Use this if the original local port has changed due to conflicts with other software.
11. Click Finished.
   The resource appears in the app tunnel object.

Configuring an Access Policy to Include an App Tunnel and Webtop

1. On the Main tab, click Access Policy :: Access Profiles.
   The Access Profiles List screen opens.
2. On the Access Profiles List screen, click the name of the access profile for which you want to edit the access policy.
   The Access Profile properties screen opens for the profile you want to edit.
3. On the menu bar, click Access Policy.
   The Access Policy screen opens.
4. Click Edit Access Policy for Profile profile_name.
   The visual policy editor opens the access policy in a separate window or tab.
5. Click the [+] sign anywhere in your access profile to add your new policy action item.
   An Add Item window opens.
6. Select Full Resource Assign agent, and click Add Item.
   The Properties screen opens.
7. Under Resource Assignment, click Add new entry.
8. Under Expression, click Add/Delete.
9. Under App Tunnel Resources select your app tunnel resource from the available choices. Under Webtop, select a full webtop from the available choices, and click Update.
10. You are then placed back in the visual policy editor. Click Save and make sure to click Apply Access Policy.

Your app tunnel and webtop are now both assigned to the session. You must associate this access policy and a connectivity profile with your virtual server.

Attaching an Access Policy to the Virtual Server for App Tunnels

When creating a virtual server for an access policy, specify that the virtual server is a host virtual server, and not a network virtual server.

1. On the Main tab, click Local Traffic :: Virtual Servers.
   The Virtual Server List screen displays a list of existing virtual servers.
2. Click the name of the virtual server you want to modify.
3. In the Destination setting, in the Address field, type the IP address you want to use for the virtual server.
4. From the HTTP Profile list, select http.
5. In the Access Policy area, from the Access Profile list, select the access profile.
6. From the Connectivity Profile list, select the connectivity profile.
7. Click Update.

Your access policy is now associated with the virtual server.

Configuring Remote Desktop Access

Application Access Remote Desktops allow users to access the following types of internal servers in virtual desktop sessions:
* Microsoft Remote Desktop servers
* Citrix servers

You can configure remote desktops by name or by their internal IP addresses, and grant or deny users the ability to set up their own favorites.

With Access Policy Manager you can configure clients to access a server running Microsoft Remote Desktop Services. Microsoft Remote Desktop servers run the Microsoft Remote Desktop Protocol (RDP) server. RDP is a protocol that provides a graphical interface to another computer on a network. APM provides two types of RDP clients, one using Microsoft ActiveX, the other using Java.

Citrix remote desktops are supported by Citrix XenApp and ICA clients. With Access Policy Manager you can configure clients to access servers using Citrix terminal services. You provide a location from which a client can download and install a Citrix client for a Citrix ICA connection.
Configuring a Resource for Citrix or Microsoft Remote Desktops

Depending on whether you choose to configure a Microsoft or Citrix remote desktop, some options may not be available. Refer to the online help and the BIG-IP Access Policy Manager Application Access Guide for more information about the parameters you can configure for remote desktops.

1. On the Main tab, navigate to Access Policy :: Application Access :: Remote Desktops.
   The Remote Desktops list opens.
2. Click Create.
   The General Properties screen opens.
3. Enter a name and optional description for the connection.
4. For Type, choose either Citrix or RDP. Configure the following settings:

   Options | Description
   For Citrix | Specify your Destination, accept or change the Port (default is 80), and select the ACL Order.
   For RDP | Specify your Destination and Port (default is 3389). All other settings are optional. To provide a cross-platform Java client for this RDP connection, select the Java Client check box. The virtual server must also have the Citrix & Java Support option enabled.

5. Under the Customization Settings section, type a Caption. The caption identifies the remote desktop name that appears on a full webtop. An image may also be associated with it.
6. Click Finished.

Configuring an Access Policy to Include a Remote Desktop and Webtop

This procedure is applicable if you want to configure Access Policy Manager for Citrix or Microsoft RDP terminal services.

1. On the Main tab, click Access Policy :: Access Profiles.
   The Access Profiles List screen opens.
2. On the Access Profiles List screen, click the name of the access profile for which you want to edit the access policy.
   The Access Profile properties screen opens for the profile you want to edit.
3. On the menu bar, click Access Policy.
   The Access Policy screen opens.
4. Click Edit Access Policy for Profile profile_name.
   The visual policy editor opens the access policy in a separate window or tab.
5. Click the [+] sign anywhere in your access profile to add your new policy action item.
   An Add Item window opens.
6. Select Full Resource Assign agent, and click Add Item.
   The Properties screen opens.
7. Under Resource Assignment, click Add new entry.
8. Under Expression, click Add/Delete.
9. Under Remote Desktop Resources select your remote desktop from the available choices. Under Webtop, select a full webtop from the available choices, and click Update.
10. You are then placed back in the visual policy editor. Click Save and make sure to click Apply Access Policy.

Your remote desktop and webtop are now both assigned to the session. To complete the process, you must associate the access policy and a connectivity profile with a virtual server so users can launch the remote desktop session. If the remote desktop is of type Citrix or you are using the Java RDP client, you must enable the option Citrix & Java Support on any virtual server using this access policy.

Attaching an Access Policy to a Virtual Server for Remote Desktops

When creating a virtual server for an access policy, specify that the virtual server is a host virtual server, and not a network virtual server.

1. On the Main tab, click Local Traffic :: Virtual Servers.
   The Virtual Server List screen displays a list of existing virtual servers.
2. Click the name of the virtual server you want to modify.
3. In the Destination setting, in the Address field, type the IP address you want to use for the virtual server.
4. From the HTTP Profile list, select http.
5. In the Access Policy area, from the Access Profile list, select the access profile.
6. If you are using a connectivity profile, from the Connectivity Profile list, select the connectivity profile.
7. If you are creating a virtual server to use with portal access resources in addition to remote desktops, from the Rewrite Profile list, select the default rewrite profile, or another rewrite profile you created.
8. Select the Citrix & Java Support check box if you want to provide connections to Citrix desktop resources or use the Java RDP client.
9. Select the OAM Support check box if you want to provide native integration with an OAM server for authentication and authorization. You must have an OAM server configured in order to enable OAM support.
10. Click Update.

The access policy is now associated with the virtual server.

Note: For more information on application tunnels and remote desktops, refer to the BIG-IP Access Policy Manager Application Access Guide.

Configuring Webtops

There are three webtop types you can define on Access Policy Manager. You can define a network access only webtop, a portal access webtop, or a full webtop.
* A network access webtop provides a webtop for an access policy branch to which you assign only a network access resource.
* A portal access webtop provides a webtop for an access policy branch to which you assign only portal access resources.
* A full webtop provides an access policy ending for an access policy branch to which you can optionally assign portal access resources, app tunnels, remote desktops, and webtop links, in addition to a network access tunnel. The full webtop then provides your clients with a web page on which they can choose a network access connection to start.

Figure: Full Resource Assign action with resources and a webtop assigned

Configuring a Full Webtop

A full webtop allows your users to connect and disconnect from a network access connection, portal access resources, app tunnels, remote desktops, and other administrator-defined links.
1. On the Main tab, click Access Policy :: Webtops.
2. Click Create to create a new webtop.
3. Type a name for the webtop you are creating.
4. From the Type list, select Full.
5. Under Configuration, the option Minimize to Tray is enabled by default. If this check box is selected, the webtop is minimized to the system tray automatically after the network access tunnel connection starts. This box appears only if you selected Network Access or Full as the type of webtop. With a network access webtop, the webtop automatically minimizes to the tray. With a full webtop, the webtop minimizes to the system tray only after the network access connection is started.
6. Click Finished.

The webtop is now configured, and appears in the list. You can edit the webtop further, or assign it to an access policy. To use this webtop, it must be assigned to an access policy with a full resource assign action or with a webtop and links assign action. All resources assigned to the full webtop are displayed on a full webtop.

Figure: Full webtop example showing a Webtop link, Application tunnel, and two Network Access resources

Creating a Webtop Link

You can create and customize links that you can assign to full webtops. Links are defined applications and websites that appear on a webtop, and can be clicked to open a web page or application. You can customize these links with descriptions and icons.

1. On the Main tab, click Access Policy > Webtops > Webtop Links.
2. Click Create to create a new webtop link.
3. In the Name field, type a name for the new webtop link.
4. In the Application URI field, type the application URL.
5. In the Caption field, type a descriptive caption.
   The Caption field is prepopulated with the text from the Name field.
6. If you want to add a detailed description, type it in the Detailed Description field.
7. To specify an icon image for the item on the webtop, click in the Image field and choose an image, or click the Browse button. Click View/Hide to show or hide the currently selected image.
8. Click Finished.

The webtop link is now configured, and appears in the list, and on a full webtop assigned with the same action. You can edit the webtop link further, or assign it to an access policy. Before you can use this webtop link, it must be assigned to an access policy with a full webtop, using either a full resource assign action or a webtop and links assign action.

Webtop Properties

Use these properties to configure a webtop.

Property | Value | Description
Type | Network Access, Portal Access or Full | Use Network Access for a webtop to which you assign only a single network access resource. Use Portal Access for a webtop to which you assign only portal access resources. Use Full for a webtop to which you assign a single network access resource, multiple portal access resources, and multiple application access application tunnel resources, or any combination of the three types.
Portal Access Start URI | URI | Specifies the URI that the web application starts. For Full webtops, portal access resources are published on the webtop with the associated URI you define when you select the Publish on Webtop option.
Minimize to Tray | Enabled or Disabled | If this check box is selected, the webtop is minimized to the system tray automatically after the network access connection starts. With a network access webtop, the webtop automatically minimizes to the tray. With a full webtop, the webtop minimizes to the system tray only after the network access connection is started.

Adding Full Resources to an Access Policy

Before you start this task, you must create an access profile.
‘Add the full resource assign action to an access policy to add a network access resource, portal access resources, application tunnel resources, and remote desktop resources to an access policy branch, You can also assign ACLs, webtops, and webtop links with the full resource assign action, 1. On the Main tab, click Access Policy :: Access Profiles The Access Profiles List sereen opens. 2. On the Access Profiles List screen, click the name of the access profile for which you want to edit the access policy ‘The Access Profile properties sereen opens for the profile you want to edit. 710 Configuring BIG-IP APM v11 Chapter 7 - APM Application Access & Webtops 71 3. On the menu bar, click Access P¢ The Access Policy screen opens. 4. Click Edit Access Policy for Profile profile_name. ‘The visual policy editor opens the access policy in a separate window or tab. 5. Onan access policy branch, click the plus symbol (+) to add an item to the access policy. 6. From the General Purpose section, select Full Resouree Assign and click the Add Item button, The Full Resource Assign popup screen opens. 7. Inthe Name box, type a name for the access policy item. ‘This name is displayed in the action box in the access policy. 8. Click the Add new entry button. A new resouree line is added to the list 9. To assign resources, below Expression, click the Add/Delete link. ‘The Resource Assignment popup screen opens. 10. Assign resources using the tabs as follows. Tab Description Static ACLs Allows you to select one or more ACLs defined on the system, Each ACL you select is assigned to the access policy branch on which this resource assi action operates, Network Access. | Allows you to select a single network access resource from the system. You Resources can select only one network access resource. The network access resource you select is assigned to the access policy branch on which this resource assign action operates. 
Portal Access Resources | Allows you to select one or more portal access resources from the system. The portal access resources you select are assigned to the access policy branch on which this resource assign action operates.
AppTunnel Resources | Allows you to select one or more application tunnel resources from the system. The application tunnel resources you select are assigned to the access policy branch on which this resource assign action operates.
Remote Desktop Resources | Allows you to select one or more remote desktop (terminal server) resources from the system. The remote desktop resources you select are assigned to the access policy branch on which this resource assign action operates.
SAML | Allows you to select a predefined SAML resource from the system. Note: if you add a webtop for a SAML resource, the webtop type must be full.
Webtop Links | Allows you to select links to pages and applications defined on the system to display on the full webtop. A full webtop must be assigned to display webtop links.
Webtop | Allows you to select a webtop from the system. The webtop resource you select is assigned to the access policy branch on which this resource assign action operates. You can select a webtop that matches the resource type, or a full webtop.
Static Pool | Allows you to dynamically assign a predefined LTM pool to a session. This value takes precedence over any existing assigned pool attached to the virtual server.
Dynamic Bandwidth Policy | Allows you to assign a dynamic bandwidth policy to a session. A dynamic policy enforces the specified maximum user rate and flow fairness for all traffic associated with the policy and for each session.
Static Bandwidth Policy | Allows you to assign a static bandwidth policy to a session. A static policy enforces the maximum rate for combined traffic and does not guarantee fair bandwidth for each session.

11.
Click the Save button to save changes to the access policy item. You can now configure further actions on the successful and fallback rule branches of this access policy item. Click the Apply Access Policy link to apply and activate your changes to this access policy.

(Screenshot: Full Resource Assign options.)

Full Resource Assign Dynamic Webtop

The Full Resource Assign VPE item also provides logic that lets the administrator configure APM to decide dynamically which resources are, or are not, allocated to a user, depending on the outcome of a set of predefined checks. This allows a user to be presented with a dynamically allocated full webtop. Checks are set using the Expression: change option, which opens a new window and allows you to set each check as a combination of a selected Agent and a Condition to match in the result of that Agent action. For example, the Agent could be a Landing URI check, with the Condition set to confirm that it is equal to land.

(Screenshot: Example configuration using the Landing URI Agent.)

Adding an Expression Setting

On the main navigation pane, click Access Policy :: Access Profiles. The Access Profiles List screen opens.
On the Access Profiles List screen, click the Edit link to the right of the name of the access profile for which you want to edit the access policy. The Visual Policy Editor opens for the profile you want to edit.
Click on the Full Resource Assign action in your existing policy. The Resource Assignment window opens.
If you do not already have resources assigned, click Add new entry under the Resource Assignment title. A new entry is added to the resource assignment list.
Click Add/Delete. A new window listing the resources that can be assigned opens.
Select the resources you require; a webtop must be assigned with at least one resource attached to it.
Click Update and Save.
If resources have already been assigned, click the change link to the right of the Expression title. A new window opens listing Simple and Advanced.
Under Simple, click Add Expression. Expand the Agent Selection drop-down list and choose which agent you wish to use. Choose the Condition it needs to meet.
Click Add Expression again and you are given the option to add another agent selection and condition underneath an OR title.
Click Finished and only one agent check will be set.
Once the Expression is set, it can be changed again using the change link, and resources can be added or removed using the Add/Delete link.

Lab 7.1 - Full Webtop

Lab Objective:
- Create a full user-facing webtop with all of the resources we've already created
Estimated time for completion: 15 minutes

Create a Full Webtop
1. Navigate to Access Policy :: Webtops and click Create... on the next screen.
2. On the next page, set the Name to web_ui_webtop. Set the Type to Full. Disable the Minimize to Tray option and click Finished.

Create a Connectivity Profile
3. Navigate to Access Policy :: Secure Connectivity and click Add... in the popup window.
4. Set the Profile Name to web_ui_cp and the Parent Profile to /Common/connectivity. Click OK.

Create an Access Profile
5. Navigate to Access Policy :: Access Profiles and click Create... on the next screen.
6. On the next page, set the Name to web_ui.
7. Scroll down to Language Settings :: Languages and select English, click the [<<] button and press Finished.
8. On the Access Profiles page, click the Edit... link next to the newly-created web_ui profile. This will open the Visual Policy Editor in a new tab or new window.

Create the New Visual Policy
9. Click the + link on the Start fallback path. Select Logon Page and click Add Item. The new page provides Logon Page customization options. Use the defaults and click Save.
10. Click the + link on the Logon Page fallback path.
Click the Authenticate tab, then select AD Auth and click Add Item. The new page provides AD Auth configuration options. For Server, select /Common/server1_aaa_srvr and press Save.
11. Click the + link on the AD Auth Successful path. Click the Assignment tab, then select Advanced Resource Assign and click Add Item.
12. On the new page, click Add New Entry. Then click the Add/Delete link.
13. In the Network Access tab, select /Common/ssl_vpn_na_res.
14. In the Portal Access tab, select /Common/server1_pa_res.
15. In the Webtop tab, select /Common/web_ui_webtop and click Update, then Save.
16. Click the Deny ending on the Advanced Resource Assign path. Select the Allow ending and click Save.
17. When you are done, your access policy should look like this:
(Screenshot of the completed access policy.)
18. Click the Apply Access Policy link at the top left of the Visual Policy Editor page. Then click Close.

Create a New Virtual Server
19. Navigate to Local Traffic :: Virtual Servers and click Create on the new page.
20. On the next page, configure the following settings and click Finished.
Name | web_ui_vs
Destination Address |
Service Port | 443
HTTP Profile | http
SSL Profile (client) | clientssl
SSL Profile (server) | serverssl
Access Profile | web_ui
Connectivity Profile | web_ui_cp
Rewrite Profile | rewrite
Source Address Translation | Auto Map
21. Test the new user webtop by connecting to https://10.10.X.104. Test both the Network Access and Portal Access resources.

Lab 7.2 - Webtop Links

Lab Objective:
- Create two webtop links to AskF5 and DevCentral
Estimated time for completion: 5 minutes

Create Two Webtop Links
1. Navigate to Access Policy :: Webtops :: Webtop Links and click Create... on the new page.
2. On the next page, configure the following settings and click Finished.
Name | askf5_link
Link Type | Application URI
Application URI | http://support.f5.com
Caption | AskF5
3. Repeat this process for DevCentral at http://devcentral.f5.com.
4. Navigate to Access Policy :: Access Profiles.
5. Click the Edit link for web_ui.
6. In the Visual Policy Editor, click the Advanced Resource Assign action. In the sub-window click Add/Delete.
7. In the Webtop Links tab, select both /Common/askf5_link and /Common/devcentral_link. Click Update, then Save.
8. Click the Apply Access Policy link. Click Close to close the VPE window.
9. Test the user webtop at https://10.10.X.104. Test the new webtop links for AskF5 and DevCentral.
Note: From the perspective of the end user, what is the difference between the portal access links (Web and Web SSL) and the new webtop links? From the perspective of the admin and APM, what is the difference?

Lab 7.3 - Application Access Tunnels

Lab Objective:
- Create an Application Access AppTunnel to ssh into a Linux server
Estimated time for completion: 5 minutes

Create an AppTunnel Resource
1. Navigate to Access Policy :: Application Access :: AppTunnels and click Create... on the next page.
2. On the next page, enter ssh_aa_res for the Name and Server1 SSH for the Caption, and click Create.
3. On the next page, click Add... in the Resource Items section.
4. Configure this page with the following settings and click Finished.
Destination Type | IP Address
Destination IP Address | 172.16.20.1
Port | 22
Application Path | C:\Program Files\PuTTY\putty.exe (the path may vary by machine)
Parameters | 172.16.20.1
5. Add this AppTunnel resource to the access policy using the Visual Policy Editor. For the web_ui Access Profile, click Edit... and click the Advanced Resource Assign action. Click Add/Delete. In the AppTunnel tab, check /Common/ssh_aa_res. Click Update, then click Save. Click Apply Access Policy, then click Close.
6. Test the AppTunnel by connecting to https://10.10.X.104. How does the AppTunnel link look different from the Portal Access link? Click the link.
Test ssh with credentials student/student.

Lab 7.4 - Network Access Optimized Tunnels

Lab Objective:
- Create an optimized tunnel for the Network Access VPN built in Lab 5.
Estimated time for completion: 5 minutes

Create an Optimized Tunnel
1. Navigate to Access Policy :: Network Access. Click the ssl_vpn_na_res link. On the new page, click the Optimization tab.
2. On the next page, click Add...
3. Configure the new page with the following settings and click Finished.
Destination Type | IP Address
Destination IP Address | 172.16.20.1
Port Range | 22-23
Compression | Enabled
Deflate | Enabled
LZO | Enabled
Bzip2 | Enabled
Adaptive | Enabled
4. Click Apply Access Policy. Note that the SSL VPN resource is already in the Access Policy, so there is no need to use the VPE at this point.
5. Test the optimized tunnel by connecting to https://10.10.X.104 and opening the SSL VPN. Use PuTTY SSH to connect to 172.16.20.1. Log in as student/student and run the find /usr/share command.
6. Close the tunnel by clicking Disconnect. Reopen the SSL VPN. This will reset the counters.
7. Use PuTTY telnet to connect to 172.16.20.1 and run the find /usr/share command.
Note: What are the differences in compression between ssh and telnet? Why? Was compression seen on send and/or receive? Why?

Lab 7.5 - Terminal Services

Lab Objectives:
- Create a Windows Terminal Service using RDP
- Test the new access policy and verify functionality
Estimated time for completion: 5 minutes

Create a Remote Desktop
1. Navigate to Access Policy :: Application Access :: Remote Desktops and click Create... on the next page.
2. On the new page, enter the following settings and click Finished.
Name | rdp_aa_res
Type | RDP
Destination Type | IP Address
Destination IP Address | 172.16.20.20
Port | 3389
Caption | Remote Desktop
3. Add this RDP resource to the access policy web_ui using the Visual Policy Editor, as you have done in the previous labs.
4. Test the new RDP resource by trying to log in to Windows Terminal Services with username F5TRN\studentX and password studentX. The Lab Windows Server is not configured for Terminal Services, but the logon prompt is proof that the BIG-IP APM is configured correctly.

Lab 7.6 - Single Sign-on for Terminal Services

Lab Objective:
- Add Single Sign-On to the RDP terminal services created in the previous lab
Estimated time for completion: 5 minutes

Add SSO capability for Remote Desktop
1. Navigate to Access Policy :: Application Access :: Remote Desktops and click on the rdp_aa_res link. Enable Auto Logon. Click Update.
2. Note the Username, Password and Domain Source fields that appear when Auto Logon is enabled. What are the values in the fields? Where does session.logon.last.domain come from?

Add Domain Field to Logon Page
3. Navigate to Access Policy :: Access Profiles. On the Access Profile page, click Edit next to the web_ui policy.
4. In the Visual Policy Editor, click on the Logon Page action. Notice that the first two fields are username and password and that the remaining three are unused. For field 3, select Type as text and set both the Post Variable Name and the Session Variable Name to domain.
(Screenshot of the Logon Page Agent: Split domain from full Username set to No, CAPTCHA Configuration set to None, Post Variable Names and Session Variable Names username, password and domain.)
5. Set Logon Page Input Field #3 to Domain, as shown below. Save. Apply Access Policy. Close.
(Screenshot of the Logon Page customization: Form Header Text "Secure Logon for F5 Networks"; Logon Page Input Field #1 Username, #2 Password, #3 Domain.)
6. If still logged into RDP from the previous lab, log out and log back in again. Test your solution using F5TRN for the domain name. If SSO is working correctly you will receive this message:
(Screenshot of the resulting message.)

Lab 7.7 - Terminal Services Java Client

Lab Objectives:
- Create a Windows Terminal Service using the Java RDP client
- Test the configuration in the previous lab with the Java RDP client
Estimated time for completion: 5 minutes

Create a Remote Desktop
1. Navigate to Access Policy :: Application Access :: Remote Desktops and click on the rdp_aa_res link.
2. Under General Properties, enable the Java Client check box and click Update. Notice how some of the screen options like Access to Local Resources and User Experience are automatically removed from the screen.
3. Navigate to Local Traffic :: Virtual Servers and select the web_ui_vs virtual server.
4. In the Access Policy section, click the checkbox to enable VDI & Java Support.
5. Log out of any existing session and reconnect to https://10.10.X.104. From the webtop, click the Remote Desktop link. Confirm that a Java connection is attempted to the remote RDP server: you should see a message on your local client screen indicating Java is starting, and a different F5 screen message from the earlier ActiveX connection.

Lab 7.8 - Configuration Backup

Lab Objective:
- Create a backup archive

Save the Configuration
1. Create an archive named studentX_labs1-7.
2. Download the new archive to your desktop.

Chapter 8: BIG-IP LTM Concepts

LTM Pools and Virtual Servers

Lesson Objective:
During this lesson, you will be introduced to the concepts of virtual servers, pools and pool members.

Pool Members
Each of the actual servers used for client traffic is defined on your BIG-IP system and is known as a pool member.
Each pool member includes the IP address and port of a server. You can define pool members by host name if the BIG-IP system can resolve the name. Similarly, the service name can be used instead of the port value if a standard port is being used. Frequently, servers are located within networks that use private (RFC 1918) addresses and are physically isolated from public networks. This allows you to take advantage of many of the security features of the BIG-IP system. Pool members are defined as you create pools.

Nodes
The devices represented by the IP addresses of pool members are called nodes. Nodes have only an IP address and may represent multiple pool members (a pool member adds the port). Nodes are typically not defined directly. Rather, as pool members are defined, the associated nodes are created automatically.

Pools
A pool is a group of pool members. With rare exception, all the members of a given pool host the same content. Pools are named, and like other objects on BIG-IP systems, their names can begin with a letter or underscore, can contain numbers and cannot contain spaces. In addition to members, pools also have their own load balancing method, monitors and other features that are defined when the pool is created or set at a later time. You can also view or reset statistics on pools and their members. When a new connection is initiated to a virtual server that is mapped to a pool, various criteria, including the pool's load balancing method, are used to determine which member to use for that request.

Virtual Servers
Virtual servers are the primary mechanism the BIG-IP system uses to process and track traffic. Each content site that a BIG-IP system manages must be associated with at least one virtual server. Like pools, virtual server definitions include a name, an IP address and a port. Beyond that, virtual servers have many features that allow you to choose how traffic is processed. Clients must be able to reach the virtual server.
Often, the virtual address is registered to the site's host name and clients discover the address via DNS. Alternately, DNS requests may resolve to an address hosted by a firewall or other edge device that forwards such requests to the virtual server. The virtual service port should be the same TCP or UDP port number known to client programs. For example, traffic to F5 Networks' website is processed by a virtual server on a BIG-IP system. The host name www.f5.com resolves to the IP address of a virtual server, 65.197.145.23. The virtual server's port is 80, the standard port for HTTP.

All virtual servers are represented by a single IP address:service combination and usually are associated with a pool. This association maps the virtual server address to the actual server addresses. When client traffic is processed by the BIG-IP system, the following functions typically occur:
- Note availability of all pool members
- Load balance traffic across a group of actual servers
- Translate virtual server addresses to the pool member's IP address
- Return responses through the source path
For most virtual servers, IP address and port translation is enabled by default. In advanced configurations, address and port translation is sometimes disabled. In addition, virtual servers can be configured to perform additional traffic management, including:
- Direct traffic based on traffic content
- Persist subsequent requests to the same pool member
These are just a few of the options available within the definition of virtual servers and pools.

Network Packet Flow
When client traffic arrives on the BIG-IP system, it is typically destined to a virtual server address and port. The BIG-IP system then processes that request based on the virtual server's definition. Note that the packet flow must be transparent to the end user.
They should not know that their request is being processed by the BIG-IP system and is being directed to other internal servers (pool members). While there are many exceptions to the following description, it describes the most common traffic flow through the BIG-IP system.

When the client sends a packet, the destination address is the virtual server address on the BIG-IP system and the source address is that of the client. The BIG-IP system takes that destination address and translates it into the IP address of one of the pool members, chosen by the load-balancing algorithm, but leaves the client's IP address intact. The pool member's response has the source and destination addresses reversed, so on the response the BIG-IP system must translate the pool member's address back to the virtual server's address. This flow is shown in the following picture.

(Figure: Packet #1 leaves the client with Src 207.17.117.20:4003 and Dest 216.34.94.17:80, the virtual server. LTM translates the destination address to a node based on load balancing and forwards Packet #1 with Src 207.17.117.20:4003 and Dest 172.16.20.1:80.)

Pool Configuration
1. From the Navigation pane, expand the Local Traffic section.
2. Either select Pools and then the Create button, or leave your mouse over Pools and then click the Create option on the flyout menu.
3. In the Configuration section, select values for the following parameters:
Configuration level | Basic
Name | No spaces; begins with a letter or underscore
Health Monitors | Option to test pool member availability
4. In the Resources section, select values for the following parameters:
Load Balancing Method | Method to choose between pool members
Priority Group Activation | Option to rate the priority of pool members
New Members | Enter IP Address or DNS name and Service Port for each member. Click Add for each pool member.
5. When complete, click Finished.
Monitor Concepts and Configuration

Lesson Objective:
During this lesson, you will learn the basic concepts behind BIG-IP LTM monitors and how to assign them to pool members.

Overview
Health monitors test the availability of devices and services on the network and are used to determine whether pool members are working properly. Monitors generally test (1) specific devices for (2) an expected response within (3) a defined time interval. Node checks can affect the state of all pool members at that IP address. Member checks affect the status of that member. Multiple monitors may be assigned to any node, member, or pool. This is discussed in more detail in the BIG-IP LTM: Advanced Topics course.

Each health monitor can accept the attributes of one of the many pre-configured monitors or can be custom designed to meet a specific need. Generally, if the monitor indicates the device is unavailable due to lack of response or an inappropriate response, that particular device will not be sent any client traffic. The only exception is the Inband monitor, also discussed in more detail in the advanced course. The BIG-IP system will continue to check devices for availability even after they have been marked down. Once a device is available again, it will be sent new client traffic.

Node / Address Checking
Some monitors are primarily designed to determine whether an IP address is reachable. When such monitors are associated with nodes, they affect the availability of all services associated with that node's IP address. When a monitor associated with a node is unsuccessful, that node and all pool members at that IP address are considered offline. When this occurs, the pool members' status will be marked as Offline - Parent Down, indicating that a check of the IP address has failed.
When a monitor associated with a node is successful, that node is marked available, but the status of pool members at that address will not be changed. This is because the node test does not verify that any pool member's IP address and port are working properly. The result is that node monitors alone can make pool members unavailable, but cannot mark them as available. While there are multiple monitors able to verify that a node is available, the most typical is the ICMP echo request-response process. TCP ECHO is another node monitor. All checks assigned to nodes must either be portless, such as ICMP, or have a defined port (such as TCP ECHO, port 7).

Service Checking
Another type of monitor determines whether a service is available by communicating with an IP address and port. The TCP monitor is an example of this type of check. The TCP monitor opens a TCP connection to the specified IP address and port and then closes the connection. The monitor is successful if the TCP connection is established. When such monitors are associated with pool members, they determine the availability of a service. When a monitor associated with a pool member is unsuccessful, that pool member is considered offline and no requests are sent to that pool member. Monitors that check whether a service is listening can be associated with a pool or with individual pool members. Monitors assigned to check services may have a defined port, such as 80 or 443, or may have their port undefined (*) so that they assume the port of the device with which they are associated.

Content Checking
Better monitors do more than verify that a service is listening; they also test whether the server is serving appropriate content. Typically, monitors used to check content from servers open TCP connections and then issue one or more commands to the server. The actual response is then compared to the expected response.
The HTTP monitor is an example of this type of check. By default, it opens a TCP connection and then issues a GET / command. It has no default receive rule, so no particular response is required for a match to occur. Generally, a production HTTP-based monitor would modify the HTTP template to include a specific file in the GET / request and include a string or regular expression in the receive rule. For example, a web server might be sent an HTTP GET /index.htm request. The BIG-IP system will then examine the response to see if it contains the expected content. Either way, the connection is then closed. Like service checks, these monitors can always be associated with pools or individual pool members, and can be associated with nodes if the monitor's port alias is specified in the monitor definition. HTTP, HTTPS and HTTPS_443 are examples of monitor templates that can perform content checking.

Creating a Custom Monitor
1. From the Navigation pane, expand the Local Traffic section.
2. Either select Monitors and click Create, or leave your mouse over Monitors and then click the Create option on the flyout menu.
3. In the General Properties section, enter the following:
Name | Custom name (no spaces)
Type | Choose a monitor type (template)
4. In the Configuration section, enter appropriate settings. Typical settings include:
Configuration | Basic / Advanced
Send String | Command to send to the server.
Receive Rule | Regular expression that should match a portion of the server's response.
Interval | Time between monitor instances and time for each instance to complete successfully. Should not be so frequent that the server does not respond in time.
Timeout | Time allowed for a successful monitor occurrence before the device is considered unavailable. The recommended timeout is three times the interval value plus one. This means the monitor must fail in three consecutive attempts before the device is marked unavailable.
Transparent | If chosen, the monitor has two destinations: a first hop and an ultimate destination. The ultimate destination should be specified as the monitor's Alias Address.
User Name | User name expected by the server application.
Password | Password for the User Name.
Reverse | Checkbox. Indicates the monitor will consider a device unavailable when the server's response matches the receive rule.
Alias Address (advanced) | IP Address. Default: * All Addresses. The default indicates the monitor will test the address of the device that is assigned the monitor. If an IP address is specified, that IP address is checked but the results are applied to the member that was assigned the monitor, not the device that was tested.
Alias Service Port (advanced) | Port. Default: * All Ports. The default indicates the monitor will test the port of the device that is assigned the monitor. If a port is specified, that port is checked but the results are applied to the member that was assigned the monitor, not the device that was tested.
5. When complete, click Finished.

Monitor Associations
Creating custom monitors is an important process, but unless the monitor is assigned to something (a node, a pool member or a pool) the monitor will not perform any tests. Assignments can be performed by group, individually, or both. By default, there are no monitor assignments.

Assigning Monitors to Pool Members
Like nodes, there are no default monitors associated with any pool members. Also like nodes, pool members can be associated with a default monitor, a specific monitor, or no monitor. However, with pool members, the default monitor is not at the global level, but at the pool level. The three choices for a given pool member are:
- Inherit from Pool
- Member Specific
- None
Inherit from Pool is the default setting for all pool members.
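As an added example, not code from the F5 guide, the following Python models the HTTP content monitor and the interval/timeout rule described above: a send string, a regular-expression receive rule, the Reverse option, and a member that is marked down only once no monitor instance has succeeded within the timeout. A throwaway HTTP server on 127.0.0.1 (constructed here) stands in for a pool member; HttpMonitor, MonitorState, failed_instances_before_down and start_lab_server are this example's own names, not BIG-IP identifiers. It goes one step beyond the text by simulating the interval/timeout interaction, which shows why the recommended timeout is three times the interval plus one rather than exactly three times.

```python
"""Added example, not F5 code: a model of an HTTP content monitor with the
settings discussed above (send string, receive rule, interval, timeout,
reverse). A throwaway HTTP server on 127.0.0.1 stands in for a pool member.
HttpMonitor, MonitorState, start_lab_server and failed_instances_before_down
are this example's own names, not BIG-IP identifiers."""
import re
import socket
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer


@dataclass
class HttpMonitor:
    send: str = "GET / HTTP/1.0\r\n\r\n"  # default send string: a bare GET /
    recv: str = ""          # receive rule (regex); empty means any response matches
    interval: int = 5       # seconds between monitor instances
    timeout: int = 16       # recommended value: 3 * interval + 1
    reverse: bool = False   # reverse: a receive-rule match marks the member DOWN

    def evaluate(self, response: str) -> bool:
        """Apply the receive rule to a response already read from the server."""
        matched = True if not self.recv else re.search(self.recv, response) is not None
        return (not matched) if self.reverse else matched

    def probe(self, ip: str, port: int, connect_timeout: float = 2.0) -> bool:
        """One monitor instance: open TCP, send the send string, read until the
        server closes, apply the receive rule. In this model a connection that
        cannot be opened is a failed instance whether or not reverse is set."""
        try:
            with socket.create_connection((ip, port), timeout=connect_timeout) as s:
                s.settimeout(connect_timeout)
                s.sendall(self.send.encode())
                chunks = []
                while data := s.recv(4096):
                    chunks.append(data)
        except OSError:
            return False
        return self.evaluate(b"".join(chunks).decode(errors="replace"))


class MonitorState:
    """Member status under the interval/timeout rule: Offline once no instance
    has succeeded within `timeout` seconds, Unknown until the first success."""

    def __init__(self, monitor: HttpMonitor, started_at: float):
        self.monitor, self.started_at, self.last_success = monitor, started_at, None

    def record(self, ok: bool, now: float) -> None:
        if ok:
            self.last_success = now

    def status(self, now: float) -> str:
        anchor = self.started_at if self.last_success is None else self.last_success
        if now - anchor >= self.monitor.timeout:
            return "offline"
        return "unknown" if self.last_success is None else "available"


def failed_instances_before_down(interval: int, timeout: int) -> int:
    """Simulate one success at t=0 followed by a failure every `interval`
    seconds; return how many failed instances run before the member is down.
    timeout = 3*interval + 1 gives 3; timeout = 3*interval gives only 2."""
    state = MonitorState(HttpMonitor(interval=interval, timeout=timeout), started_at=0)
    state.record(True, 0)
    t, failures = 0, 0
    while True:
        t += interval
        if state.status(t) == "offline":
            return failures
        state.record(False, t)
        failures += 1


class _LabHandler(BaseHTTPRequestHandler):
    """Stand-in pool member (constructed): serves /index.htm, 404 otherwise."""

    def do_GET(self):
        if self.path == "/index.htm":
            status, body = 200, b"Welcome to the lab web server\n"
        else:
            status, body = 404, b"Not Found\n"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_lab_server():
    """Start the stand-in member on 127.0.0.1 with an ephemeral port and return
    (server, port); call server.shutdown() and server.server_close() when done."""
    srv = HTTPServer(("127.0.0.1", 0), _LabHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_lab_server()
    page_check = HttpMonitor(send="GET /index.htm HTTP/1.0\r\n\r\n", recv="200 OK")
    print("content check passed:", page_check.probe("127.0.0.1", port))
    print("failed instances before down (5s/16s):", failed_instances_before_down(5, 16))
    srv.shutdown()
    srv.server_close()
```

Two things are worth noticing when running it. A receive rule of "200 OK" against GET /index.htm passes while the same rule against a missing page fails, and with Reverse set a match on "404" is what marks the member down. The simulation with interval 5 and timeout 16 lets three instances fail before the member goes Offline, whereas a timeout of exactly 15 would expire at the same moment the third instance runs, which is the reason for the "plus one".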
Inheriting from the pool allows you to assign a monitor at the pool level only and be assured that each pool member will be tested in the same way.

Setting a Pool's Monitor
This setting affects all members in that pool that are set to Inherit from Pool.
1. From the Navigation pane, expand the Local Traffic section and then Pools.
2. From the list of pools, select the pool of interest.
3. Within the Configuration section, enter the following:
Configuration Level | Basic
Health Monitors | Move (<<) the desired monitor to the Active column
4. When complete, click Update.

Virtual Server, Pool, Member and Node Status
Monitors will cause virtual servers, pools, pool members and nodes to have one of the states in the chart below. In each case, the state of the parent is a function of any monitors testing it directly and any monitors testing that parent's children.

Status (Color) | Status Definition
AVAILABLE (Green) | General: For a child, a monitor is successful. For a parent, at least one child is Green. Node: The most recent monitor was successful. Pool Member: The most recent monitor was successful and the associated node is not offline. Pool: At least one pool member is available. Virtual Server: At least one pool is available.
UNKNOWN (Blue) | General: For a child, no monitor is associated (or the timeout has not yet been reached). For a parent, all child objects are Blue. Node: Either no monitor is assigned or the monitor has neither succeeded nor exceeded the timeout period. Pool Member: Either no monitor is assigned or the monitor has neither succeeded nor exceeded the timeout period. Pool: No members are available and at least one is unknown; others may be offline. Virtual Server: All pools are unknown.
UNAVAILABLE (Yellow) | General: For a child, a connection limit has been reached. For a parent, all children have reached their connection limit. Node: The current connections are at the limit set for the node.
Pool Member: The current connections are at the limit for the pool member. Pool: All pool members are at their connection limits. Virtual Server: The default pool is at its connection limit.
OFFLINE (Red) | General: For a child, a monitor has failed. For a parent, at least one child object is Red AND there are no Green or Yellow children. Node: The monitor did not succeed during the most recent timeout period. Pool Member: Either the member or node monitor did not succeed during the most recent timeout period. Pool: One or more members are offline, and no members are either unknown or available. Virtual Server: One or more pools are offline, and no pools are available.

Secure Network Address Translation (SNAT)

Lesson Objective:
During this lesson, you will learn how to use SNATs to manage traffic through the BIG-IP system.

SNAT Applications
Generally, SNATs are used to resolve a routing issue. One typical example involves translating the source address of multiple internal servers to a single external address. Often, the internal servers have private IP addresses which cannot be routed on the Internet. By translating the source address to a single external address, fewer IP addresses are used, traffic must flow through a single device, and the true addresses of the internal servers are hidden.

Another example involves inbound traffic to servers that have a default route that routes traffic around the BIG-IP system. When inbound traffic arrives on the servers, they would normally send their responses through their default routes. But if the BIG-IP system performed address translation when load balancing traffic to the server, the response must pass back through the BIG-IP system to allow it to un-translate the packet. SNATing the inbound traffic is a solution to this problem: when the server receives the packet, the source address is now one owned by the BIG-IP system, and responses will be sent to the BIG-IP.
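As an added example, not code from the F5 guide, the following Python models the node / pool member / pool / virtual server objects from this chapter together with the status roll-up rules in the table above: nodes are created implicitly as members are added, a failed node check pulls every member at that address to Offline (the "Offline - Parent Down" case), a successful node check alone never makes a member Available, and each parent's colour is derived from its children. Node, Member, Ltm, rollup and build_lab are this example's own names; the addresses are the lab's 172.16.20.x members behind server_pool and ltm_vs. Where the table's general rule and its pool rule for Blue differ, the pool rule is applied to every parent, and that choice is marked in the code.

```python
"""Added example, not F5 code: node / member / pool / virtual server status
roll-up following the status table above. All class and function names are
this example's own; the addresses are the lab's."""
from dataclasses import dataclass
from typing import Dict, List

AVAILABLE, UNKNOWN, UNAVAILABLE, OFFLINE = "available", "unknown", "unavailable", "offline"


def rollup(children: List[str]) -> str:
    """Parent status from child statuses. Any Green child makes the parent
    Green; Red requires a Red child and no Green or Yellow children; the pool
    rule for Blue (none available, at least one unknown, others may be offline)
    is applied to every parent type here (this example's choice)."""
    if AVAILABLE in children:
        return AVAILABLE
    if UNAVAILABLE in children:
        return UNAVAILABLE
    if UNKNOWN in children or not children:
        return UNKNOWN
    return OFFLINE


@dataclass
class Node:
    address: str
    monitor: str = UNKNOWN        # result of the node (address) check, if any


@dataclass
class Member:
    node: Node
    port: int
    monitor: str = UNKNOWN        # result of the member's own or inherited monitor
    connections: int = 0
    connection_limit: int = 0     #  0 = no limit

    def status(self) -> str:
        # A failed node check or a failed member check is Offline; a successful
        # node check on its own leaves an unknown member unknown.
        if OFFLINE in (self.node.monitor, self.monitor):
            return OFFLINE
        at_limit = self.connection_limit and self.connections >= self.connection_limit
        if self.monitor == AVAILABLE and at_limit:
            return UNAVAILABLE
        return self.monitor


class Ltm:
    """Minimal configuration store: pools of members, auto-created nodes,
    virtual servers pointing at a default pool."""

    def __init__(self):
        self.nodes: Dict[str, Node] = {}
        self.pools: Dict[str, List[Member]] = {}
        self.virtual_servers: Dict[str, str] = {}   # vs name -> default pool

    def add_member(self, pool: str, address: str, port: int) -> Member:
        node = self.nodes.setdefault(address, Node(address))  # node created implicitly
        member = Member(node, port)
        self.pools.setdefault(pool, []).append(member)
        return member

    def add_virtual_server(self, name: str, default_pool: str) -> None:
        self.virtual_servers[name] = default_pool

    def pool_status(self, pool: str) -> str:
        return rollup([m.status() for m in self.pools[pool]])

    def vs_status(self, name: str) -> str:
        return rollup([self.pool_status(self.virtual_servers[name])])


def build_lab() -> Ltm:
    """server_pool with the three lab members behind ltm_vs, all checks passing."""
    ltm = Ltm()
    for host in ("172.16.20.1", "172.16.20.2", "172.16.20.3"):
        ltm.add_member("server_pool", host, 80).monitor = AVAILABLE
    ltm.add_virtual_server("ltm_vs", "server_pool")
    return ltm


if __name__ == "__main__":
    ltm = build_lab()
    print("nodes auto-created:", sorted(ltm.nodes))
    print("ltm_vs:", ltm.vs_status("ltm_vs"))
    ltm.nodes["172.16.20.1"].monitor = OFFLINE       # the node check fails
    print("member 172.16.20.1:80 ->", ltm.pools["server_pool"][0].status())
    print("pool still:", ltm.pool_status("server_pool"))
```

Flipping one node to Offline takes its member to Offline while server_pool and ltm_vs stay Available because the other two members are still Green; setting every member to Offline turns the pool and virtual server Red, and leaving one member with no monitor result makes the pool Blue rather than Red, exactly as the table's Pool rows state.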
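As a second added example, not code from the F5 guide, the following Python walks the figure from the Network Packet Flow section and the return-path problem from the SNAT Applications section above as a per-connection translation table: the first packet of a connection picks a pool member round robin and gets its destination translated, later packets of the same connection reuse that mapping, the member's reply is matched by its reversed tuple and un-translated, and with SNAT automap the source is rewritten to a BIG-IP self IP so the reply must come back through the BIG-IP. Client 207.17.117.20:4003, virtual server 216.34.94.17:80 and members 172.16.20.1-3:80 are the chapter's and the lab's; the self IP 10.10.1.33 is constructed for this example, and Packet, VirtualServer, response_reaches_bigip and walk_figure are this example's own names.

```python
"""Added example, not F5 code: destination translation (virtual server to
pool member) and SNAT automap modelled as a connection table. Addresses are
the chapter's; the self IP 10.10.1.33 is constructed."""
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class VirtualServer:
    """IP:port on the BIG-IP that load balances to a pool, translating the
    destination address (and, with SNAT automap, the source address too)."""

    def __init__(self, address: str, port: int, pool: List[Tuple[str, int]],
                 snat_automap: bool = False, self_ip: str = "10.10.1.33"):
        self.address, self.port = address, port
        self._members = cycle(pool)               # round robin over the pool
        self.snat_automap, self.self_ip = snat_automap, self_ip
        self._next_snat_port = 1025               # constructed port allocator
        # client (ip, port) -> the packet as forwarded to the pool member
        self.flows: Dict[Tuple[str, int], Packet] = {}

    def client_to_server(self, pkt: Packet) -> Packet:
        """Inbound direction: the first packet of a connection picks a member,
        later packets of the same connection reuse the mapping."""
        if (pkt.dst_ip, pkt.dst_port) != (self.address, self.port):
            raise ValueError("packet is not addressed to this virtual server")
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.flows:
            member_ip, member_port = next(self._members)
            if self.snat_automap:                 # source becomes a BIG-IP self IP
                src = (self.self_ip, self._next_snat_port)
                self._next_snat_port += 1
            else:                                 # client address left intact
                src = key
            self.flows[key] = Packet(src[0], src[1], member_ip, member_port)
        return self.flows[key]

    def server_to_client(self, pkt: Packet) -> Packet:
        """Return direction: find the flow whose server-side tuple is the
        reverse of this packet and undo both translations."""
        for (client_ip, client_port), fwd in self.flows.items():
            if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) == \
                    (fwd.dst_ip, fwd.dst_port, fwd.src_ip, fwd.src_port):
                return Packet(self.address, self.port, client_ip, client_port)
        raise LookupError("no matching connection: nothing to un-translate")


def response_reaches_bigip(response: Packet, bigip_self_ip: str,
                           server_default_route_via_bigip: bool) -> bool:
    """Simplified routing decision at the pool member: a reply addressed to a
    BIG-IP self IP is delivered to the BIG-IP regardless of the default route;
    a reply to the real client address returns through the BIG-IP only if the
    server's default route points there."""
    return response.dst_ip == bigip_self_ip or server_default_route_via_bigip


LAB_POOL = [("172.16.20.1", 80), ("172.16.20.2", 80), ("172.16.20.3", 80)]


def walk_figure(snat_automap: bool = False) -> Tuple[Packet, Packet, Packet]:
    """The figure's Packet #1: as sent by the client, as forwarded to the
    member, and the member's reply as the client sees it after un-translation."""
    vs = VirtualServer("216.34.94.17", 80, LAB_POOL, snat_automap=snat_automap)
    sent = Packet("207.17.117.20", 4003, "216.34.94.17", 80)
    forwarded = vs.client_to_server(sent)
    reply = Packet(forwarded.dst_ip, forwarded.dst_port, forwarded.src_ip, forwarded.src_port)
    return sent, forwarded, vs.server_to_client(reply)


if __name__ == "__main__":
    for snat in (False, True):
        sent, fwd, back = walk_figure(snat)
        print(f"SNAT automap={snat}: forwarded {fwd}; client sees {back}")
```

Without SNAT the forwarded packet is exactly the figure's second packet (source 207.17.117.20:4003 unchanged, destination rewritten to 172.16.20.1:80), and the member's reply is addressed to the client, so response_reaches_bigip is True only when the server's default route is the BIG-IP. With SNAT automap the reply is addressed to the self IP and reaches the BIG-IP whatever the server's default route, which is the routing fix the section describes.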
[Figure: Multiple Devices Sharing External IP via BIG-IP]

Configuring SNATs

SNAT definitions all include three parts: which devices are eligible to be SNATed, what address is to be used for the SNAT, and which VLANs are eligible for the SNAT. Devices that are eligible are often defined in a list of IP addresses or networks. The address used for the SNAT is often a static IP address, but can be designated as automap, which indicates the BIG-IP should use one of its self IP addresses for the SNAT.

Enabling a SNAT within a Virtual Server

When SNATs are enabled within a virtual server, all clients using the virtual server are eligible to be SNATed.

1. From the Navigation pane, expand the Local Traffic section.
2. Either select Virtual Servers and Create, or use the flyout menus to expand Virtual Servers > Create and click Create.
3. In the Configuration section, change the Source Address Translation option to either Automap, or specify a Source Address Translation.
4. When complete, click Update.

Lab 8.1 - Virtual Servers, Pools and Monitors

Lab Objectives:
* Configure pools for servers
* Configure virtual servers and associate them with a pool
* Verify functionality

Estimated time for completion: 10 minutes

Lab Requirements:
* IP and port addresses available for use on BIG-IP LTM that can be reached by the clients
* Actual servers with appropriate routes to return traffic through each BIG-IP LTM system

Create a Pool

1. From the Navigation pane, expand the Local Traffic section.
2. Select Pools and then the Create button.
3. In the Configuration section, enter the following:
   Configuration Level |
   Name | server_pool
   Health Monitors |
4. In the Resources section, enter the following:
   Load Balancing Method | Round Robin
   Priority Group Activation | Disabled
   New Members | New Node. For each, enter the Address and Service Port and press Add: 172.16.20.1 port 80, 172.16.20.2 port 80, 172.16.20.3 port 80
5.
When complete, click Finished.

Create a Virtual Server that uses this pool

6. From the Navigation pane, expand the Local Traffic section.
7. Select Virtual Servers and click Create.
8. Configure the following settings:
   Name | ltm_vs
   Destination | 10.10.X.105
   Service Port | 80 (or HTTP)
   Source Address Translation | Auto Map
   Default Pool | server_pool

Verification Through Statistics

9. Open a new browser session on your PC and point it to your virtual server address of http://10.10.X.105. Note the results and refresh the screen 5-10 times.
10. View statistics and configuration information through:
    a. Local Traffic :: Virtual Servers :: Statistics
    b. Local Traffic ::
11. Did traffic go to each pool member?
12. Did each pool member manage the same number of connections?
13. Did each pool member manage the same number of bytes?
14. How many TCP connections are opened each time you refresh the browser page?

Expected Results and Troubleshooting

* Expected result: 5 connections per refresh distribute evenly among the pool members.
* If not, verify the following:
  * Is traffic getting to the virtual server?
    + Does 10.10.X.105 appear in your workstation's ARP table? (arp -a)
    + Does the Statistics page show traffic received by vs_http? Verify that the address and port are correctly configured.
  * Is traffic getting to the pool members?
    + If no traffic is going TO the pool members:
      - Verify server_pool has been assigned to ltm_vs
      - Verify the correct member addresses / ports
    + If traffic goes TO a pool member, but does not return:
      - Verify that self IP address 172.16.X.33 is configured on port 1.2 (this address is the pool members' default route.)

Create a Second Pool and Virtual Server

15. From the Navigation pane, expand the Local Traffic section.
16. Select Virtual Servers and click Create.
17. Configure the following settings:
    Name | ltm_ssl_vs
    Destination | 10.10.X.105
    Service Port | 443 (or HTTPS)
    Source Address Translation | Auto Map
18. Since we "forgot" to create the pool first, navigate to the Resources section and click the "+" character to the right of Default Pool.
19. Use ssl_server_pool for the Name and https for the Health Monitor.
20. Add the following new members to the pool: 172.16.20.1:443, 172.16.20.2:443 and 172.16.20.3:443.
21. When the pool is complete, press Finished.
22. Back in the Virtual Server page, configure the Default Pool to the newly created ssl_server_pool and click Finished.

Verification through Statistics

23. Open a new browser session on your PC and point it to your virtual server address (https://10.10.X.105). Note the results and refresh the screen 5-10 times. For Internet Explorer, use Ctrl-F5 to refresh.
24. View statistics and configuration information through:
    a. Local Traffic :: Virtual Servers :: Statistics
    b.
25. Did traffic go to each pool member?
26. Did each pool member manage the same number of connections?
27. Did each pool member manage the same number of bytes?
28. How many TCP connections are opened each time you refresh the browser page?

Optional Lab 8.2 - SNAT Automap

Lab Objective:
* Associate SNAT Automap with a Virtual Server

Estimated time for completion: 10 minutes

Testing Behavior without the SNAT

1. Open a browser session to https://10.10.X.105.
2. Verify your IP address at the Web server by clicking the link that says Source IP Address. You should see your PC's unchanged address: 10.10.X.30.
3. Have a partner attempt to open a browser session to your virtual server https://10.10.X.105. Your partner's connection should fail due to the routes on the servers (see below).

The Classroom Servers have the routes specified in the table below:

Destination | Gateway
10.10.1/24 | 172.16.1.33
10.10.2/24 | 172.16.2.33
10.10.3/24 | 172.16.3.33
10.10.4/24 | 172.16.4.33
10.10.16/24 | 172.16.16.33
10.10.17/24 | 172.16.17.33

Configure the ltm_ssl_vs Virtual Server to Use SNAT Automap

4. From the Navigation pane, select the Local Traffic menu, Virtual Servers option, and select ltm_ssl_vs.
5.
In the General Properties section, scroll down to the bottom of the configuration screen.
6. In the Source Address Translation option, select Automap and then the Update button.

Testing the SNAT

7. Open a browser session to https://10.10.X.105.
8. Verify your IP address at the Web server by clicking the Click Here to Show Source IP Address link. Check the source IP and notice your source address has changed to 172.16.X.33, which is the internal floating Self IP Address of your BIG-IP.
9. Now, your partner's connection to your https://10.10.X.105 virtual server should work because of SNATing.

Lab 8.3 - Configuration Backup

Lab Objective:
* Create a backup archive

Save the Configuration

1. Create an archive named studentX_labs1-8.
2. Download the new archive to your desktop.

Chapter 9: Web Application Access for LTM

Web Application Access for LTM

Lesson Objective:
During this lesson, you will learn how an Access Policy can be applied to BIG-IP LTM.

Applying an Access Policy in BIG-IP LTM

The BIG-IP® Access Policy Manager™ provides various methods to pass user traffic and control access to applications by creating traffic tunnels using network access or allowing access to specific web applications. However, the flexibility of Access Policy Manager provides another method to perform access control to web applications configured as local traffic pool members. This method allows an Access Policy to be applied to a BIG-IP LTM Virtual Server and default Pool configuration, with the Pool being the resource.

Note: An APM Access Policy applied to a BIG-IP LTM Virtual Server and Pool is often referred to as Web Application Access Management within F5 Networks documentation. It is also known as LTM+APM mode (LTM plus APM).
How an Access Policy Applied to an LTM Virtual Server Works

An Access Policy on top of LTM provides users the ability to access their web applications, through a web browser, without the use of tunnels or specific resources. In this scenario the user is authenticated and checked by the access policy in Access Policy Manager, without defining a resource or webtop. For example, you can have a configuration with ACLs, security checks, and authentication.

Note: Currently, you can only configure access to web applications on top of BIG-IP LTM.

Through this method of access control, the Access Policy Manager communicates with backend web servers, forwarding requests from the client to web servers defined within a local traffic pool. In a typical Portal Access application connection, access occurs through a rewriting engine that rewrites links and URLs to and from the client. APM on top of LTM eliminates the need for content rewriting, allowing access directly to the configured local traffic pool after the user passes through the access policy checks. In cases where you want additional security for web applications accessed within your local environment, we highly recommend that you use Access Policy Manager with Local Traffic Manager to achieve this.

Options for an Access Policy on an LTM Virtual Server

There are some APM configuration options you may want to consider before setting up this method for web application access.

Front-end SSL

The decision to either use or not use SSL should be dictated by the level of security required. Applications that do any form of authentication where passwords are transmitted in the clear, or where any information between the client and the virtual server must be secured, should use SSL. Additionally, where SSL is used by the backend web servers, it is best to configure SSL on the virtual server as well.
HTTP profile compression

You can enable compression on the HTTP profile used by the virtual server. Use compression to provide a better end user experience, particularly where there is limited bandwidth or high latency between the virtual server and the client.

Setting Timeouts for APM Configurations

The web application access type does not have a logout mechanism, so you must configure a custom timeout option from the following choices. Web application access management timeouts are set due to user inactivity. The following timeout mechanisms are available:

* Cache and Session Control access policy item - The cache and session control access policy item terminates a user session when it detects that the browser window is closed. You can also use the cache and session control action in an access policy to provide inactivity timeouts to the user session. Use the Terminate session on User Inactivity setting to configure the timeout for a web application access management session. The cache and session control action is supported on Windows browsers only.
* Access Profile properties - You can configure a timeout in the access profile.
  * The Maximum Session Timeout setting provides an absolute limit for the duration of the access policy connection, regardless of user activity. If you want to ensure that a user session is closed after a certain period of time, configure this setting. Note that this setting is configured in seconds.
  * The Inactivity Timeout setting terminates the session if there is no traffic flow in the specified amount of time. Note that this setting is configured in seconds. Depending on the application, you may not want to set the inactivity timeout to a very short duration, as many applications may cache user typing and generate no traffic for an extended period. In this case the session may time out while the application is still in use, and the content of the user input is not relayed back to the server.
Other APM and LTM Considerations

You must consider the following configuration items when using APM on top of LTM.

SSL matching
SSL should be used consistently on the virtual server, as it is used with the web server. In other words, if the web server uses SSL, the virtual server should use SSL.

Multi-host service
When you implement a service with multiple hosts, access through the virtual server for new requests causes the load balancing algorithm for the associated member pool to select a new server. This can cause problems if persistence to a particular host is required.

Configuring APM and LTM Together

Lesson Objective:
During this lesson, you will learn how to configure APM with BIG-IP LTM.

Configuring APM with BIG-IP LTM

Configuring for APM and LTM together requires that you configure both the BIG-IP® Local Traffic Manager and Access Policy Manager. When you configure for this method of access, you create a virtual server that has one or more pool members and HTTP servers, and you attach an access policy to that virtual server. This access policy optionally provides endpoint security, authentication, and access control lists. Nodes and pools that provide the web applications are associated with this virtual server.

Note: When you create an access policy, the policy cannot include a network access or portal access resource or webtop.

Configuring for web application access management requires these basic steps:
* Create an access profile
* Create nodes that represent the web servers
* Add nodes to the pool
* Create a virtual server and attach the policy and pool

To Create an Access Profile

1. On the Main tab of the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles screen opens.
2. Click the Create button. The New Access Profiles screen opens.
3.
Specify the information for all the required parameters.
4. Add any checks and actions required to the access policy. You can assign an ACL action, but do not assign a webtop or a portal access or network access resource.

Note: If the virtual server is to use HTTP/Port 80, remember to disable Secure Cookie in this policy.

[Figure: Example APM Policy with Cookie Options :: Secure Cookie disabled]

To Create Nodes that Represent Web Servers

1. On the Main tab of the navigation pane, expand Local Traffic, and click Nodes.
2. Click Create.
3. Enter an address for the node.
4. Repeat and create additional nodes for every web server you want to represent.
5. Click Finished.

To Add Nodes to a Pool

1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools.
2. Click Create.
3. For each node created, add it to the pool as a New Member.
4. Click Finished.

To Create a Virtual Server

1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
2. Click Create.
3. Type the name and address of the virtual server.
4. Select a service port.
5. Select the HTTP Profile from the available options. The default profile, http, is usually sufficient, unless additional configuration options are needed.
6. Select the SSL Profile (Client) setting. A client SSL profile is only required if you want to enable SSL from the client to the virtual server.
7. Select the SSL Profile (Server) setting. A server SSL profile is only required if the pool members require SSL.
8. From the Access Profile list, select an access profile you created for web application access management.
9. Click Finished.

To Select a Pool

1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers. The Virtual Server List screen opens.
2.
Click the name of the virtual server. The Virtual Server Properties screen opens.
3. Click the Resources tab.
4. From the Default Pool list, select the local traffic pool.
5. Click Update.

By assigning an access profile to the virtual server, it becomes an LTM + APM virtual server. This configuration step provides the virtual server access to the various APM functionality. A very simple configuration, such as displaying a message box and the ability to record session variables, may be all that is required, or it may be much more complicated. The simplest APM policy that can be attached is pictured below. This passes connections to the virtual server through the APM policy without taking any obvious action on the resources that should be configured for that virtual server.

[Figure: Access Policy /Common/ltm-plus-apm - Example APM Policy]

Pool Assignment Agent

A pool is usually assigned to a virtual server using the Resources tab in the virtual server properties configuration screen. Another method for assigning resources can be achieved, for example, using an iRule. APM provides another method using the Pool Assignment Agent. A Pool must be previously configured before being able to make an assignment using this agent. Configure a Pool using the Local Traffic :: Pools navigation pane option. A pool assigned using the pool assignment agent takes precedence over any pool assigned via the virtual server Resources tab. A pool assigned using an iRule will take precedence over both of these.

To Assign a Pool Agent

1. On the Main tab of the navigation pane, expand Access Policy, and click Access Profiles. The Access Profiles screen opens.
2. Select the Access Profile you wish to edit and click the Edit link. The Visual Policy Editor screen opens.
3. Click on the (+) sign in the policy. The Add Item screen opens.
4. Click Pool Assign and Add Item.
5. Under Pool Assignment, click Add/Delete and choose the Static Pool you wish to use.
6. Click Save.
7. Click Apply Access Policy.

Pool Assignment Agent and configuration

The Pool Assignment Agent functionality is also available within the Full Resource Assign Agent as a selectable option called Static Pool and can be configured similarly within the VPE.

[Figure: Example Static Pool configuration]

[Figure: Example policy /Common/ltm_static with both endings set to Allow. On successful authentication one pool is assigned; if unsuccessful, the default pool configured via the Resources tab will be used.]

Profiles

Lesson Objective:
During this lesson, you will learn what profiles are and how they are used in the BIG-IP system.

Profile Concepts

When dealing with large configurations, two key problems exist: traffic management attributes need to be repeatedly configured across all objects, and changing settings across these objects can be tedious and complicated. Profiles are a powerful configuration tool that offers a simple way to define standard traffic policies and apply those policies across many virtual servers. Through a profile, you can also change a setting for traffic across many different applications. Profiles define capabilities and actions for the virtual server.

Profiles provide:
* A centralized place to define specific traffic behavior such as compression, SSL, and authentication that can be applied to multiple virtual servers.
* A centralized place to change any setting and have the change applied to all applications using an existing profile.

A profile tells a virtual server how to process packets it receives based upon the profile's parameters.
For example, if you wish to encrypt / decrypt traffic through the BIG-IP system, create a virtual server that has a clientssl and / or serverssl profile associated with it. If you wish to persist based on the client's IP address, associate a source_addr persistence profile with a virtual server. When choosing how to process traffic through your virtual servers, you can either choose from the many provided profiles or use any of them as templates to create custom profiles. For example, the default source_addr profile persists for 180 seconds. If you wish to persist for a different period, you could create a custom profile and associate it with the virtual server.

Profile Types and Dependencies

Lesson Objective:
During this lesson, you will learn how individual profiles deal with specific portions of packets and are dependent upon each other for the overall processing of client traffic through the BIG-IP LTM.

Profile Dependency Overview

Profiles can both complement and contradict each other. More specifically, some profiles are dependent on others and some combinations of profiles are not allowed. For example, a BIG-IP virtual server cannot use an HTTP profile to process data unless a TCP profile is present as well. As a general rule, profiles of a given layer of the OSI model are dependent upon profiles of lower layers, and profiles of the same layer cannot co-exist.

[Figure: OSI model layers (Network, Data Link, Physical shown)]

One example of dependencies involves Access Profiles parsing HTTP data. You've already seen that specifying an Access Profile requires an HTTP profile. A virtual server does not know what HTTP data is unless it also has an HTTP profile. Finally, since HTTP is a TCP protocol, the virtual server would require a TCP profile also. Profiles that cannot co-exist often support the same layer on the OSI model.
For example, a virtual server cannot have both TCP and UDP profiles, nor can a virtual server have both FTP and HTTP profiles. It would be rare to try to combine FTP and HTTP, but common to have an application that could use TCP and UDP. The FastL4 profile supports TCP and UDP traffic, but sacrifices some layer 7 abilities.

Virtual Server Default Profiles

The BIG-IP system provides many default profiles. Most can be used without modification and all can be used as templates to create custom profiles. The various profiles give you methods to manage TCP, UDP, FTP, HTTP, SSL and other types of traffic. Profiles also give you a way to enable persistent sessions and to manage client application authentication. Once you have assigned a profile to a virtual server, the BIG-IP system manages any traffic that corresponds to that profile type according to the settings defined in that profile. Default profiles are useful when the values contained in them meet your needs. Custom profiles are useful when you want your values to differ from those contained in the default profile.

At a minimum, every virtual server must reference a layer 4 profile such as UDP, TCP or FastL4. Every virtual server will have a default layer 4 profile, but which one it is depends on the type of virtual server and its protocol. The table below shows some of the combinations.

Virtual Server Type | Protocol | Default Profile
Standard | TCP | TCP
Standard | UDP | UDP
Standard | SCTP | SCTP
Forwarding (IP) | TCP | fastl4
Performance (Layer 4) | TCP | fastl4

Configuring and Using Profiles

Lesson Objective:
During this lesson, you will learn how to create custom profiles.
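The dependency rules from the Profile Dependency Overview above (a layer 4 profile is always required, HTTP needs TCP, TCP/UDP and FTP/HTTP cannot co-exist, an Access Profile needs an HTTP profile) and the Rewrite/Connectivity errors that Lab 9.1 later walks through, written as a small configuration checker. This is an added example, not F5 code; the class names, the resource labels portal_access and network_access, and the rule that rewrite and connectivity profiles are required only when the access profile assigns those resource types are assumptions based on step 8 of Lab 9.1.

```python
"""Profile dependency checker for the rules in the Profile Dependency Overview
and the errors Lab 9.1 walks through.

Added example, not F5 code: VirtualServerConfig/AccessProfile, the resource
labels 'portal_access' and 'network_access', and tying the rewrite and
connectivity requirements to those resource types are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

LAYER4_PROFILES = {"tcp", "udp", "sctp", "fastl4"}

# Profiles of the same OSI layer cannot co-exist on one virtual server.
MUTUALLY_EXCLUSIVE = [("tcp", "udp"), ("ftp", "http")]

# A higher-layer profile depends on one of the lower-layer profiles listed.
DEPENDS_ON = {"http": {"tcp"}}


@dataclass
class AccessProfile:
    name: str
    resources: Set[str] = field(default_factory=set)  # e.g. {"portal_access"}


@dataclass
class VirtualServerConfig:
    name: str
    profiles: Set[str] = field(default_factory=set)
    access_profile: Optional[AccessProfile] = None
    rewrite_profile: Optional[str] = None
    connectivity_profile: Optional[str] = None


def validate(vs: VirtualServerConfig) -> List[str]:
    """Return every outstanding dependency error (the GUI shows one at a time)."""
    errors = []
    if not vs.profiles & LAYER4_PROFILES:
        errors.append("a layer 4 profile (tcp, udp, sctp or fastl4) is required")
    for a, b in MUTUALLY_EXCLUSIVE:
        if a in vs.profiles and b in vs.profiles:
            errors.append(f"{a} and {b} profiles cannot co-exist")
    for prof, needed in DEPENDS_ON.items():
        if prof in vs.profiles and not vs.profiles & needed:
            errors.append(f"{prof} profile requires one of {sorted(needed)}")
    ap = vs.access_profile
    if ap is not None:
        if "http" not in vs.profiles:
            errors.append("an http profile is required for an Access Profile")
        if "portal_access" in ap.resources and not vs.rewrite_profile:
            errors.append("a rewrite profile is required for an Access Profile")
        if "network_access" in ap.resources and not vs.connectivity_profile:
            errors.append("a connectivity profile is required for an Access Profile")
    return errors


def lab_9_1_sequence() -> List[List[str]]:
    """Constructed walk-through of Lab 9.1 steps 10-16: attach the server1
    access profile to ltm_ssl_vs, then clear one error at a time."""
    server1 = AccessProfile("server1", {"portal_access", "network_access"})
    vs = VirtualServerConfig("ltm_ssl_vs", {"tcp"}, access_profile=server1)
    trace = [validate(vs)]              # step 12: http profile needed (plus the rest)
    vs.profiles.add("http")
    trace.append(validate(vs))          # step 14: rewrite profile still needed
    vs.rewrite_profile = "rewrite"
    trace.append(validate(vs))          # step 16: connectivity profile still needed
    vs.connectivity_profile = "server1_ep"
    trace.append(validate(vs))          # clean: Update succeeds
    return trace


if __name__ == "__main__":
    for step, errs in enumerate(lab_9_1_sequence(), start=1):
        print(step, errs or "OK")
```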
Custom Profile Configuration

When you create profiles, you must use an existing profile as a template (the parent), make the desired changes, and save the new profile. The parent can either be one of the default templates or a custom template. If the parent is later changed, the changes may flow through to your custom profile. During profile creation, you identify the name of the parent profile on which you want your custom profile to be based. An example of a parent profile is the default TCP profile, tcp.

To Create a Custom Profile (Standard Method)

1. From the Navigation pane, expand the Local Traffic section.
2. Either click Profiles and click Create, or hover over Profiles, choose the type from the flyout menu and click Create.
3. In the General Properties section enter the following:
   Name | Name the custom profile
   Profile Type | Choose the type of profile
   Parent Profile | Choose the parent profile
4. In the Configuration section select options as desired. The actual parameters will vary significantly. Some profiles have only a few settings, some have as many as 30. If you want to ensure a change in the parent does not later affect this profile, check the Custom box. Once checked, a later change in the parent will have no effect on this profile.
5. Click Finished.

Assigning Profiles to Virtual Servers

Once you have created a profile, it must be associated with one or more virtual servers to have an effect. Then, whenever the virtual server receives that type of traffic, the BIG-IP system applies the profile settings to that traffic.

To Assign a Profile to a Virtual Server

1. From the Navigation pane, expand the Local Traffic section.
2. Select Virtual Servers.
3. Select the virtual server of interest.
4. For persistence and HTTP Class profiles, click the Resources tab.
5. For all other profiles, remain in the Properties section.
6.
Locate the option for the type of persistence you wish to associate with the virtual server.
7. Choose the custom profile from the drop-down list of available profiles.
8. When complete, click Update.

Note: You can assign a profile to a virtual server as you create the virtual server.

Traffic can use multiple protocols and services, so users often associate multiple profiles with a single virtual server. For example, a client application might use the TCP, SSL, and HTTP protocols and services to send a request. Depending on what is being done to the traffic, it could be appropriate to have three profile types assigned to the virtual server: TCP, Client SSL, and HTTP.

SSL Termination/Initiation

Lesson Objectives
Upon completion of this lesson, you will learn about the BIG-IP LTM encryption/decryption methods, components, flow, and the different capacity for SSL acceleration of the various BIG-IP platforms.

Client-Side SSL Termination

A BIG-IP virtual server can act as the end-point for fully encrypted SSL-encapsulated sessions such as HTTPS. Once the traffic is decrypted, layer 7 features, such as cookie persistence and iRules, can be applied as the traffic is sent to a pool member.

There are numerous advantages to this arrangement. For instance, pool members only have to process unencrypted traffic, which provides better server performance and reduced cost since each server does not need an SSL Accelerator card. In addition, a single certificate installed on the BIG-IP LTM system can take the place of a certificate installed on each pool member, thereby allowing off-loading of certificate verification tasks.

Client-Side SSL Traffic Flow

1. Client traffic is directed to the virtual server. This traffic is encrypted. For this connection, the BIG-IP acts as the server in the SSL negotiations.
2.
When the BIG-IP receives the traffic, the client-ssl profile properties allow the virtual server to establish an SSL session with the client and to decrypt the traffic. Typically, the traffic is then load balanced to a pool member. Other processes, such as persistence and iRules, could also be applied to the traffic.
3. The chosen pool member processes the clear text traffic and returns its response back to the BIG-IP system.
4. The BIG-IP system then sends it back to the client after first encrypting the response via the Client SSL Profile of the Virtual Server. If needed, the response can be sent back through the same device (firewall, router) that sent the initial packet.

Server-Side SSL Initiation

Using client-side SSL termination alone enhances performance and management but reduces security. This is due to having un-encrypted traffic flowing between the BIG-IP system and pool members. If security is a priority, the BIG-IP system can encrypt the traffic prior to sending it to pool members using a server-ssl profile. Still, since the traffic was un-encrypted within the LTM system, a variety of profile and rule-based load balancing and authorization features are available to the administrator. If all traffic on the network must be encrypted, either apply no SSL profiles or apply both a client-ssl and a server-ssl profile to a given virtual server. If no SSL profiles are applied, the BIG-IP system will not have access to the layer 7 data.

Traffic Flow with Client-SSL and Server-SSL

1. Client traffic is directed to the virtual server. This traffic is encrypted.
2. When the BIG-IP receives the traffic, the client-ssl profile properties allow the virtual server to establish an SSL session with the client and to decrypt the traffic. Typically, the traffic is then load balanced to a pool member. Other processes, such as persistence and iRules, could also be applied to the traffic.
3.
The virtual server's server-ssl profile is utilized to re-encrypt the traffic before it is sent on to the pool member. For this connection, the BIG-IP system acts as the client in the SSL negotiations.
4. The pool member receives the encrypted traffic, decrypts and processes it, encrypts the response and returns it to the BIG-IP system.
5. The BIG-IP system decrypts the response, applies persistence and iRules as defined, and encrypts the traffic within the client-side connection.

SSL Acceleration

When servers encrypt and decrypt SSL traffic their performance is severely affected. Tests have shown packet processing time increase 20-30 times when SSL encryption is used. Frequently, installing SSL Accelerator cards helps servers that are processing SSL traffic. These SSL Accelerator cards use hardware to encrypt and decrypt traffic rather than passing this work along to the software. With these cards, servers processing SSL packets can achieve throughput comparable to servers not processing SSL packets.

SSL Accelerator Cards

One or more SSL Accelerator cards are installed in all BIG-IP systems. These cards allow the BIG-IP system to perform both the SSL key exchange and bulk crypto work in hardware. The maximum transactions per second (TPS) may be limited by license. The maximum TPS supported on each platform is shown in the table below.
Platform | SSL TPS | Bulk Crypto (Gb/s) | APM Max Sessions / CCU | FIPS
BIG-IP VE | | | 2500 * |
BIG-IP 1600 | 5000 / 1000 | 1 | 1000 |
BIG-IP 2000s | — / 2000 | 4 | 500 |
BIG-IP 2200s | — / 4000 | 4 | 5000 * |
BIG-IP 3600 | 10,000 / 2000 | 2 | 5000 |
BIG-IP 3900 | 15,000 / 3000 | 2.4 | 10,000 |
BIG-IP 4000s | — / 4500 | 8 | 10,000 * |
BIG-IP 4200v | — / 9000 | 8 | 10,000 |
BIG-IP 5000s | — / 10,000 | 12 | 20,000 |
BIG-IP 5200v | — / 12,000 | 12 | 20,000 |
BIG-IP 6900 | 25,000 / 5000 | 4 | 25,000 | Yes
BIG-IP 6900S | — / 10,000 | 4 | 25,000 |
BIG-IP 7000s | — / 16,000 | 18 | 40,000 |
BIG-IP 7200v | — / 25,000 | 18 | 40,000 | Future
BIG-IP 8900/8950 | 56,000 / 10,000 | 9.6 | 40,000 | Yes
BIG-IP 8950S | 100,000 / 20,000 | 9.6 | 40,000 |
BIG-IP 10000s | — / 24,000 | 22 | 80,000 |
BIG-IP 10200v | — / 42,000 | 22 | 80,000 | Yes
BIG-IP 10200v-SSL | — / 75,000 | 33 | 80,000 | Yes
BIG-IP 11000/11050 | 100,000 / 20,000 | 18 | 60,000 | Yes
VIPRION 2400 (2100) | 150,000 / 10,000 | 9 | 60,000 |
VIPRION 4400 (4100/4200) | 150,000 / 10,000 | | 100,000 † |
VIPRION 4480 (4300/4340) | — / 130,000 | 20 | 100,000 † |
VIPRION 4800 (4300/4340) | — / 130,000 | 20 | 200,000 † |

* VE Lab Max Session / Max CCU is 10; 2200s Max CCU is 2500; 4000s Max CCU is 5000
† VIPRION chassis limit; multiple blades required to reach max CCU

SSL Profile Configuration

Enabling Client SSL Profiles

Client SSL management involves three steps:
* Generating the certificate and key
* Configuring the client-ssl profile
* Configuring the virtual server

Generate a Certificate

1. From the Navigation pane, expand the Local Traffic section.
2. Either select SSL Certificate List and click Create, or leave your mouse over SSL Certificate List and then click the (+) sign.
3. In the General Properties section, enter a Name for the certificate.
4.
In the Certificate Properties section, enter the following:
   Issuer | Certificate Authority or Self
   Common Name | FQDN of site
   Division | Division within the company
   Organization | Company Name
   Locality | Location name - usually the city
   State or Province | State or Province
   Country | Country and Country Code
   E-Mail Address | If required
   Challenge Password | If required - Certificate Authority only
   Confirm Password | If required - Certificate Authority only
   Lifetime | In days
   Subject Alternative Name | X509v3 SAN text
5. In the Key Properties, choose the key size (512, 1024, 2048 or 4096).
6. Click Finished.

Create a Client SSL Profile

7. From the Navigation pane, expand the Local Traffic section.
8. Either select Profiles > SSL > Client and then click Create, or use the flyout menus to expand Profiles > SSL > Client > (+) sign.
9. In the General Properties section, enter a Name and accept clientssl as the parent profile.
10. From the Configuration section, check the Custom box to the right of Certificate and Key. For both Certificate and Key, select an appropriate option from the drop-down list.
11. Click Finished.

Creating the Virtual Server

12. From the Navigation pane, expand the Local Traffic section.
13. Either select Virtual Servers and click Create, or expand Virtual Servers to Virtual Server List and then click the (+) sign.
14. In the General Properties section, enter the following:
    Name | Name of choice
    Destination | IP Address or FQDN
    Service Port | 443 (typically)
    State | Enabled
15. In the Configuration section, choose your custom clientssl profile as the SSL Profile (Client) and leave all other settings at their defaults.
16. In the Resources section, choose a Default Pool and click Finished.

Using Existing Certificates

Accessing certificates generally involves three steps:
a. Creating a Certificate Request
b.
Submitting the Request to a Certificate Authority (or Generating a Self-Signed Certificate)
c. Installing the Certificate

If you have already received a certificate from a certificate authority, it can be referenced within the clientssl profile definition and then used with the BIG-IP system.

To Install an Existing Certificate
17. From the Navigation pane, expand the Local Traffic section.
18. Select SSL Certificate List and click Import, or leave your mouse over SSL Certificate List and click the (+) option on the flyout menu.
19. Select the Import Type (Key, Certificate, PKCS 12, Archive, Certificate Revocation List).
20. Enter the Certificate Name and Source. For the Source, either choose Upload and browse to the file, or choose Paste Text and enter the details. Note that the certificate or archive file must be either a base-64 encoded text string or in PEM format.
21. Click Import.

NOTE: By default, the BIG-IP system stores certificates in the /config/ssl/ssl.crt directory and keys in the /config/ssl/ssl.key directory. Files in these locations are also synchronized between redundant systems, so they only need to be installed on one system and then synchronized.

Lab 9.1 – Web Application Access for LTM

Lab Objective:
• Take an existing LTM Virtual Server and apply an APM Access Policy
• Understand the relationship to the Rewrite and Connectivity Profiles
• Understand the relationship with the Client and Server SSL Profiles

Estimated time for completion: 10 minutes

Lab Requirements:
• Existing LTM Virtual Servers and Pools from Module 8 Labs

Behavior Before Configuration
1. Open a Web browser to https://10.10.X.105.
2. Note the pool member address and port in the body of the web page (172.16.20.x:443).
3. Verify that Virtual Server https://10.10.X.105 has no clientssl (SSL Profile (Client)) or serverssl (SSL Profile (Server)) profiles.

Profile Dependencies
4. Select Local Traffic :: Virtual Servers, then the link for server1_vs at https://10.10.X.101. Scroll down, set the Rewrite Profile to None and then click the Update button.
5. You receive an error stating a Rewrite Profile is required. Note: you may have to scroll to the top of the page to view the error.
6. Select Local Traffic :: Virtual Servers, then the link for ssl_vpn_vs at https://10.10.X.103. Set the Connectivity Profile to None and then click the Update button.
7. Note that you receive an error stating a Connectivity Profile is required.
8. These Profiles are required for their respective Access Profiles because of the Resources that are assigned within each Access Profile.

Change Virtual Server's Access Policy and Test
9. Navigate to Local Traffic :: Virtual Servers, and select the link for ltm_ssl_vs at https://10.10.X.105.
10. In the new page, scroll down and set the Access Profile to server1.
11. Notice you may receive a message box stating an http profile is needed.
12. Try clicking the Update button and notice you receive an error message that an http profile is required for an Access Profile.
13. Set the HTTP Profile option to the default http profile and then click Update again.
14. Notice you receive an error message that a rewrite profile is required for an Access Profile.
15. Set the Rewrite Profile option to the default rewrite profile and then click Update again.
16. Notice you receive another error message that a Connectivity Profile is required. Set the Connectivity Profile option to the server1_cp profile and click Update.
17. Navigate to Access Policy :: Access Profiles and click Edit... for server1.
18. Click the X on the SSO Credential Mapping action on the Successful path after AD Auth.
19. When prompted, select Connect previous node to fallback branch and click Delete.
20. Click the X on the Full Resource Assign action.
21. When prompted, select Connect previous node to the Success branch and click Delete.
22.
When finished, your Access Policy should look like this:
[Figure: the resulting Access Policy]
23. Apply Access Policy and close the Visual Policy Editor.
24. Navigate to Local Traffic :: Virtual Servers and select ltm_ssl_vs. Set the Rewrite Profile option to None and the Connectivity Profile to None. Click Update again.
Note: Notice you no longer need a Rewrite Profile for this Access Profile since there is no Portal Access resource, and you don't need the Connectivity Profile because there is no Network Access resource.
26. Test your virtual server again, https://10.10.X.105.
Note: Notice the Virtual Server fails to connect. If you receive a web page, it is probably because your browser served it from cache, so force a refresh. The reason this Virtual Server hangs is that we must decrypt on BIG-IP in order to process the Access Policy.

Behavior with clientssl and serverssl Profiles
27. Select Local Traffic :: Virtual Servers and click the link for the ltm_ssl_vs Virtual Server at https://10.10.X.105. Change the SSL Profile (Client) to clientssl, and the SSL Profile (Server) option to serverssl. Click Update.
28. Test your virtual server again, https://10.10.X.105, by clicking the link to open a new session. Now you should be prompted for Username and Password and then see the Pool Members' web pages after signing in.

Lab 9.2 – Pool Assignment Agent

Lab Objective:
• Configure the Pool Assignment Agent to make its pool take precedence over the default setting of an existing virtual server

Estimated time for completion: 10 minutes

Create a New Pool
1. From the Navigation pane, expand the Local Traffic section.
2. Select Pools and then the Create button.
3. In the Configuration section, enter the following:

Configuration Level | Basic
Name | static_pool
Health Monitors | HTTP

4. In the Resources section, enter the following:

Load Balancing Method | Round Robin
Priority Group Activation | Disabled
New Members | Node List and 172.16.20.3, port 80; click Add

5.
When complete, click Finished.

Check the Configuration of an Existing Virtual Server
6. From the Navigation pane, expand the Local Traffic section.
7. Select Virtual Servers and click on the ltm_vs virtual server created in the Module 8 lab.
8. Confirm it still has the original server_pool pool attached by clicking on the Resources tab and checking the Default Pool setting. If not, set it so and press Update.

Confirm the Connection to the Original Pool
9. Open a new browser session on your PC and point it to http://10.10.X.105. Refresh the screen 5-10 times and confirm it load balances between webservers in the default pool.

Create an Access Policy Using the Pool Agent
10. On the Main tab of the navigation pane, expand Access Policy, and click Access Profiles.
11. Click Create.
12. Set the Name to ltm_static.
13. In the SSO Across Authentication Domains section, under Cookie Options, disable the Secure Cookie option by removing any tick from the box.
14. Set the Language as English (en).
15. Click Finished. The newly created profile should now be listed in the Access Profiles list.
16. Click the Edit link to the right of the ltm_static profile. The Visual Policy Editor screen now opens. The only actions listed should be Start and Deny.
17. Click on the Deny ending and change it to Allow.
18. Click on the (+) sign in the policy.
19. Select the Assignments tab, click Advanced Resource Assign and Add Item.
20. Click Add new entry, then click Add/Delete.
21. Under the Static Pool tab, select /Common/static_pool created earlier.
22. Click Update, then click Save.
23. Click Apply Access Policy.

Configure the Virtual Server to Use the Access Policy
24. From the Navigation pane, expand the Local Traffic section.
25. Select Virtual Servers and click on the ltm_vs virtual server.
26. In the Properties section, configure the following settings and click Update.

Name | ltm_vs
Destination | 10.10.X.105
Service Port | 80 (or HTTP)
HTTP Profile | http
Source Address Translation | Auto Map
Access Profile | ltm_static

Confirm the Connection to the New Agent-Assigned Pool
27.
Open a new browser session on your PC and point it to http://10.10.X.105. Refresh the screen several times. It should direct you to one webserver only and not load balance, as there is only one webserver in the new pool.

Check the Session Log
From the Navigation pane, expand the Access Policy section and click Reports.
28. In the popup window, click the Run Report button, using the default options.
29. The All Sessions report is displayed.
30. For the current session, click the View Session Variables link.
31. Look for the session variable called session.assigned.pool; this should be set to /Common/static_pool.
Note: Reports and session variables are discussed in a later module.

Optional Lab 9.3 – Self-Signed Certificates

Lab Objective:
• Create a self-signed certificate and a client SSL profile

Estimated time for completion: 10 minutes

Generate a Certificate
1. Navigate to System :: File Management :: SSL Certificate List and click Create on the new page.
2. On the next page, configure the following properties and click Finished.

Name | my_cert
Issuer | Self
Common Name |
Division | F5 Networks
Locality | Seattle
State or Province | Washington
Country | US
E-Mail Address | it@my.corp
Lifetime | 1 - 365
Key Type | RSA
Size | 2048

Create a Client SSL Profile
3. Navigate to Local Traffic :: Profiles :: SSL :: Client and click Create on the new page.
4. In the General Properties section, enter the name my_clientssl and accept clientssl as the parent profile.
5. In the Configuration section, check the Custom boxes to the right of Certificate and Key. For both Certificate and Key, choose my_cert from the drop-down list.
6. Click Finished.

Creating the Virtual Server
7. Navigate to Local Traffic :: Virtual Servers and click Create on the next page.
8. In the new page, configure the following settings and then press Finished.

Name | my_vs
Destination | 10.10.X.106
Service Port | 443 (or HTTPS)
SSL Profile (Client) | my_clientssl
Default Pool | server_pool

Behavior After Configuration
9. Open a Web browser to https://10.10.X.106. When prompted, view the certificate. (For Internet Explorer 8, click Continue to this website, then click Certificate Error next to the URL bar.)

Lab 9.4 – Configuration Backup

Objective:
• Create a backup archive

Save the Configuration
1. Create an archive named studentX_labs1-9.
2. Download the new archive to your desktop.

Chapter 10: APM Macros and Authentication Servers

Access Policy Macros

Lesson Objective:
During this lesson, you will learn why you might use Macros in an Access Policy.

Understanding Access Policy Macros

A macro is a collection of actions that you can configure to provide common access policy functions. You can create a macro for any action or series of actions in an access policy. You can also create macros that contain macrocalls to other macros (nested macros). After you create a macro, you place it in the access policy by adding an item called a macrocall to your policy. A macrocall is an action that performs the functions defined in a macro.

In the visual policy editor, a macrocall appears in an access policy, or in a macro definition, as a single rectangular item, surrounded by a double line, with one or more outgoing macro terminal branches, called terminals, as shown below.

[Figure: A macrocall in an access policy ("AD auth and resources", with Successful and Failure terminals)]

Macro definitions, macro terminals, and macrocalls are defined for each access policy. Macros you create in one policy do not appear, and cannot be used, in another access policy.
Unlike other access policy actions, when you click a macrocall in the access policy, the macro definition is displayed below the access policy in the macros section, and not in a popup screen, as shown in the following illustration.

[Figure: A macro expanded below an access policy]

The BIG-IP® Access Policy Manager™ includes several predefined macro templates. For example, BIG-IP Access Policy Manager includes macro templates for six authentication methods, and for a Windows antivirus and firewall check.

Introducing Macro Terminals

A macro does not have endings, as does an access policy. Instead, a macro contains one or more end points called terminals. Terminals are the macro branches that are the result of the actions you add to the macro. The access policy uses the macro terminals after you insert a macrocall into an access policy. A macro can have many terminals. You can use terminals as you use access policy endings within the macro configuration.

Macro terminals are common shared endpoints for the access policy macro item. After you add a macro to the access policy using a macrocall, each macro terminal defined in the macro appears as a separate shared output. For example, if you configure four macro terminals, and use those terminals ten times in the macro definition, when you add the macrocall access policy item to the access policy, only four outputs appear from the access policy item.

To make macros easier to use, you can assign the macro terminals descriptive names and specific colors with the visual policy editor. When you add a macro to your access policy, the terminals from the macro become branches, and the branches take the names of their terminals.
For example, you can configure a macro with four terminals:
• AV success
• AV failure
• File check success
• File check failure

After you add the macrocall to your access policy, the macrocall appears as a single access policy item, with four terminals that appear as four branches, named for the terminals.

[Figure: A macrocall ("AV and File Check") with four macro terminal branches in an access policy]

Note: You can make changes to the actions in a macro after you have added the macrocall to an access policy. However, you cannot delete terminals after a macrocall has been added to an access policy or another macro. For this reason, we recommend that you configure macro terminals before you add a macrocall to the access policy.

Configuring Access Policy Macros

Lesson Objective:
During this lesson, you will learn how to configure Access Policy Macros.

Configuring macros

A macro is a group of reusable checks. Using the visual policy editor, you configure macros in the same way that you configure access policies. The difference is that you do not configure access policy endings, but instead you configure terminals for a macro.

To Create a Macro
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. Click the Add New Macro button. The Add New Macro popup screen opens.
4. Select the macro template to use.
5. In the Name box, type a name for the macro. This is the name by which the macro appears in the Add Action popup screen.
6. Click Save.
7.
To expand the macro, click the plus sign (+) next to the macro name.
8. To edit an action, click the action name. Edits you make to the actions in a macro are applied to the actions in an access policy after you add the macrocall to the access policy.
9. Add and remove actions from the macro in the same way you add and remove actions from access policies.
10. When you finish customizing an action, click Save.

To Delete a Macro
Click the (x) button at the right of the screen next to the macro name. You can delete a macro only if it is not in use.

Note: For more example configurations, refer to the Configuration Guide for BIG-IP Access Policy Manager.

Using Predefined Macro Templates

You can use predefined macro templates to create macros that you can use in your policies. The predefined macro templates are listed below:
• Empty macro template
• AD auth and resources macro template
• AD auth query and resources macro template
• LDAP auth and resources macro template
• LDAP auth query and resources macro template
• RADIUS and resources macro template
• SecurID and resources macro template
• Windows AV and FW macro template
• Client Classification and Prelogon checks

Tip: If you open these macro definitions to view them, you can better understand how the macros are configured. Each macro definition includes instructions on how to add and open the macro template.

Using the Empty Macro Template

You can use the empty macro template to add an unconfigured macro template that includes only a start point and an end point to the access policy. Use this as a starting point to configure a new macro for an access policy.

Using the AD Auth and Resources Macro Template

The AD auth and resources macro template is a preconfigured macro template that adds Active Directory authentication to your access policy.
This macro template includes:
• a start point (In)
• a logon page action
• an Active Directory authentication action
• a resource assign action, that follows a successful Active Directory authentication
• successful and failure terminals

Using the AD Auth Query and Resources Macro Template

The AD auth query and resources macro template is a predefined macro template that adds an Active Directory query and Active Directory authentication to your access policy.

This macro template includes:
• a start point (In)
• a logon page action
• an Active Directory authentication action
• an Active Directory query action
• a resource assign action, that follows a successful Active Directory authentication
• successful and failure terminals

Using the RADIUS and Resources Macro Template

The RADIUS and resources macro template is a preconfigured macro template that adds RADIUS authentication and resources to your access policy.

This macro includes:
• a start point (In)
• a logon page action
• a RADIUS authentication action
• a resource assign action, that follows successful RADIUS authentication
• successful and failure terminals

Configuring the RADIUS and Resources Macro

In this macro, you must configure both the RADIUS action and the resource assign action. You can optionally customize the logon page action with custom messages, and localized messages for different languages.

Authentication with Access Policy Manager

Lesson Objective:
During this lesson, you will learn APM Authentication Server concepts.

Understanding Authentication with Access Policy Manager

Authentication is the process of verifying the identity of a user logging on to a network. In a typical authentication process, a system requires that users provide logon information such as user name and password.
The system then checks those credentials against information maintained remotely or locally on a server or in a database. Authorization is the process of enabling users with access to resources, applications, and network shares. Accounting is the process of reporting user session information, as well as updating the external RADIUS accounting server.

The BIG-IP® Access Policy Manager uses the concept of access policies to authenticate and

The stringent nature of the authentication mechanism you use for the Access Policy Manager should match your local network. That is, you should use equally high standards for the Access Policy Manager authentication as you do for your local network.

To set up authentication, log on to the Configuration utility and on the navigation pane, expand Access Policy, and click AAA Servers.

Understanding Authentication Types: Active Directory and LDAP

There are two types of authentication as they pertain to Active Directory and LDAP authentications, and they use two separate access policy items.
• Auth: This means authentication only. In this case, the Access Policy Manager just verifies the user's credentials against an external server.
• Query: This means the Access Policy Manager queries the external server for additional information about the user.

Auth and Query are independent of each other, and you do not necessarily need to have them configured within the same access policy. However, as an administrator, you must make a decision on which type of policy item you would like to add to your access policy. For instance, if you added AD Auth to your policy, you cannot change it later to AD Query unless you go into your access policy and delete the AD Auth item completely from your policy.

You can set up authentication using any combination of the following methods:
• RADIUS server
Uses the server at your site that supports authentication using the RADIUS protocol.
For more information on this method, see RADIUS authentication, on page 11-3.
• LDAP server
Uses the server at your site that supports authentication using LDAP.
• Microsoft® Active Directory®
Uses the server at your site that supports Kerberos authentication against a Windows® 2000® or later server.
• HTTP authentication
Uses external web-based authentication servers to validate user logons and passwords, and to control user access to specific network resources.
• RSA SecurID (Native)
Uses the RSA SecurID native protocol for authentication. To use RSA native SecurID, you must have an authentication server set up, and you must select SecurID as the authentication method.
• RSA SecurID (via RADIUS proxy)
To use RSA SecurID via RADIUS proxy, you must select RADIUS as the authentication method.
• TACACS+
Used to authenticate against a TACACS+ (Terminal Access Controller Access-Control System Plus) system.
• Kerberos
Used after an HTTP 401 Response action to negotiate against a server using SPNEGO/Kerberos. Typically this is a Windows® server.
• OAM (Oracle Access Manager)
Uses an Oracle agent to authenticate and authorize against an Oracle® Access System.
• CRLDP and OCSP
CRLDP authentication uses a Certificate Revocation List Distribution Point to check the revocation status of an SSL certificate, as part of authenticating that certificate.
OCSP authentication uses the Online Certificate Status Protocol to check the responder for the status of an SSL certificate, as part of the authentication process.

RADIUS Server Authentication

Lesson Objective:
During this lesson, you will learn how to configure APM for RADIUS Server Authentication.

Understanding Different RADIUS Operation Modes

The Access Policy Manager provides you with three modes of operation for RADIUS.
You can use a RADIUS server to authenticate your users, retrieve user session information using a RADIUS accounting server, or perform both actions within a single access policy.

The three operation modes for RADIUS include:
• RADIUS authentication
• RADIUS accounting
• RADIUS authentication and accounting

RADIUS Authentication

RADIUS authentication allows you to authenticate and authorize your users to access their resources through a RADIUS server that you configure on the Access Policy Manager. The following tasks provide information on how to set up your RADIUS server. You can also leverage user information, in the form of attributes, to allow users access to various network resources.

Important: Be sure that the RADIUS server is configured to recognize the Access Policy Manager as a client. Use the same shared secret in both the RADIUS server configuration and in the Access Policy Manager configuration.

Setting up RADIUS authentication and authorization involves the following tasks:
• Setting up a RADIUS server
• Setting up RADIUS access policy action items

RADIUS Attributes

The following are specific RADIUS authentication attributes that the Access Policy Manager sends with RADIUS requests. RADIUS Access-Request attributes include the following:
• User-Name: This indicates the name of the user to be authenticated.
• User-Password: This indicates the password of the user to be authenticated.
• NAS-IP-Address: This indicates the identifying IP Address of the NAS.
• Service-Type: This indicates the type of service the user has requested.
• NAS-Port: This indicates the physical port number of the NAS which is authenticating the user.

RADIUS Accounting

You can report user session information to an external RADIUS accounting server. If you select this mode only, it is assumed that you have set up another type of authentication method to authenticate and
authorize your users to access their resources.

The Access Policy Manager operates as a client of the external RADIUS accounting server, and is responsible for retrieving user information. It sends accounting messages indicating whether network access is initiated or terminated by sending the RADIUS accounting start and stop messages, though the RADIUS accounting start message doesn't mean the actual network access will be successfully established. If a user logs in, but the network tunnel fails to establish, the user is not presented with a logon denied page. Instead, the user either sees an error message on the webtop and must manually log out, or they are automatically logged out of a session. In either case, the accounting stop message is sent when the user is logged out and the session terminates.

RADIUS Authentication and Accounting

You can perform both RADIUS authentication and accounting actions. Keep in mind that if you select this mode, the RADIUS server and the RADIUS accounting server must run on different service ports, and that Access Policy does not send RADIUS accounting information to the RADIUS accounting server unless the user has been authorized by the RADIUS server.

Setting Up Access Policy Manager for RADIUS Authentication and Authorization

The first task in setting up RADIUS authentication is to configure the RADIUS server.

To Set Up a RADIUS Server
1. On the navigation pane, expand Access Policy, and click AAA Servers. The AAA Server List screen opens.
2. Click the AAA Servers by Type tab and choose RADIUS from the list. The RADIUS Servers screen opens.
3. Click Create.
4. Type a name for your AAA server.
5. In the Configuration section, select the Mode as Authentication.
6. Enter the information in the required fields (marked with a vertical blue line) and click Finish. The new RADIUS server is now added to the AAA Server List.
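The Access-Request described above, carrying the five attributes the lesson lists and depending on the shared secret that must match on both sides, as an added example that is not F5 code: it hides User-Password the way RFC 2865 specifies, decodes the packet as the server would, and checks the Response Authenticator on the reply. The secret, NAS address and credentials are placeholders constructed for the example.

```python
# Added example (not F5 code): construct the RADIUS Access-Request that a NAS
# such as APM sends, hide User-Password under the shared secret (RFC 2865 5.2),
# and verify the Response Authenticator on the server's reply. Secret, IPs and
# credentials are placeholders chosen for this example.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3      # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4           # attribute types
NAS_PORT, SERVICE_TYPE = 5, 6
SERVICE_TYPE_LOGIN = 1                                       # Service-Type "Login"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to 16-byte blocks, XOR each block with MD5(secret + previous
    ciphertext block); the first block is keyed by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does); strips the zero pad.
    A wrong shared secret yields garbage, not an error, exactly as on the wire."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(chunk, key)), chunk
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, nas_port,
                         authenticator=None):
    """Access-Request with the five attributes listed in the lesson. The
    authenticator must be 16 fresh random bytes; a fixed one is only for tests."""
    ra = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def parse_attrs(payload: bytes) -> dict:
    """Decode the attribute list into {type: value}; bad lengths are rejected."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s.3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server side of the exchange, used here to simulate the AAA server."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs


def verify_response(packet, request_auth, secret):
    """Client-side check: accept Access-Accept/Reject only if the authenticator
    proves the server holds the same shared secret the client configured."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)
```

A secret mismatch shows up twice: the server recovers a garbled password, and the client rejects the reply because its authenticator does not verify.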
Setting Up RADIUS Authentication and Authorization Access Policy Action Item

To complete the authentication process, you must add the RADIUS server to an access policy as an action item. On the navigation pane, expand Access Policy, and click Access Profiles. Choose the access policy you require and click the Edit option on its right; the Visual Policy Editor screen opens. Click the small plus sign (+) where you want to add the RADIUS Authentication. The Actions screen opens; choose RADIUS Auth. Inside that item, set the AAA Server to the RADIUS server you defined. Click Save and Apply Access Policy.

Using RADIUS Authentication Default Rules

The Access Policy Manager provides two default rules for the RADIUS authentication access policy action. You use these rules to organize your users into the following two categories:
• Authenticated Users: These users were authenticated successfully and are able to access their webtop.
• Users Failing Authentication: These users failed authentication and are directed to the logon denied page.

You can add your own custom rules using the session variables. For example, you can create your own custom rules when you want different users assigned to different network resources.

Example: Using the RADIUS Access Policy Action to Authenticate and Authorize Your Users

RADIUS authentication is an important part of the access policy. To ensure that your users are authenticated, you must add the RADIUS server as an action item to the access policy. The following illustration shows an example of an access policy with all the elements associated to authenticate and authorize your users. Note that the RADIUS object was added to the access policy as part of the authentication process, as a result providing two default rules.
[Figure: Example of RADIUS access policy action]

Note: For more information on RADIUS authentication, refer to the BIG-IP Access Policy Manager Authentication Configuration Guide.

LDAP Server Authentication

Lesson Objective:
During this lesson, you will learn how to configure APM for LDAP Server Authentication.

Setting up Access Policy Manager for LDAP Authentication and Authorization

The Access Policy Manager can authenticate using any LDAP database, including a Windows Active Directory. You can use an LDAP-protocol-based directory, including an Active Directory, to authenticate users. In this case, you do not store user information on the Access Policy Manager. Instead, you obtain it from the LDAP entry.

Setting up LDAP authentication and authorization involves the following tasks:
• Setting up an LDAP server.
• Configuring an LDAP authentication access policy action item.
• Configuring an LDAP Query access policy action item.

Setting Up an LDAP Server

The first task in setting up LDAP authentication is to configure an LDAP server.

To Configure an LDAP Server
1. On the navigation pane, expand Access Policy, and click AAA Servers. The AAA Servers List screen opens.
2. Click the AAA Servers by Type tab. Choose LDAP from the list. The LDAP Servers screen opens.
3. Click the Create button. The General Properties screen opens.
4. Type a name for your LDAP server.
5. Set Server Connection to Direct.
6. Enter the information in the required fields (marked with a vertical blue line). For Admin DN, enter CN=administrator,CN=users,DC=sales,DC=mycompany,DC=com, for example.
7. Click Finish. The new LDAP server is added to the AAA Server List.

Note: If your LDAP directory allows anonymous query, you do not need to specify an admin account or password in the required fields.
Either specify credentials of any LDAP account that allows querying this part of the LDAP directory, or create a new LDAP account for Access Policy Manager.

Configuring the LDAP Access Policy Action Item for Authentication

As with RADIUS, to use LDAP authentication, you must add it as an action item to your policy. It is listed as LDAP Auth in the Visual Policy Editor. Additionally, you need to set specific search information in its configuration. You do not need to set all of them at the same time. You will need to contact the LDAP server administrator for this information.

LDAP Auth Settings

Enter the VPE LDAP Auth item. In the Server tab, select the LDAP server you configured previously from the drop-down list.

Specify information for the SearchDN and SearchFilter settings. The Access Policy Manager queries the LDAP server using SearchDN and SearchFilter. If it finds a matching user entry, it uses the returned DN value and the user-entered password to bind to the LDAP directory. If the bind succeeds, the authentication succeeds, that is, the user is validated. If the bind fails, the authentication fails.

Depending on the LDAP structure, a Search base DN would be similar to the following string:
dc=sales, dc=mycompany, dc=com

In an LDAP structure, a Search filter would be similar to the following string:
sAMAccountName=%{session.logon.last.username}

By default, all user attributes are loaded if the admin does not specify any required attributes. However, if the admin specifies certain user attributes, then only those specified attributes are loaded, which improves performance on the LDAP server.

Specify information for the UserDN setting. This step is required only if you do not use the SearchDN setting with the SearchFilter setting.
The Access Policy Manager attempts to bind with the LDAP server using the supplied DN and user-entered password. If the bind succeeds, that is, authentication succeeds, the user is validated. If the bind fails, the authentication fails. This value is a fully qualified DN of the user with rights to run the query. We recommend specifying this value in lowercase and without spaces for compatibility with some specific LDAP servers. The specific content of this string depends on your directory layout. For example, in an LDAP structure, a typical UserDN for query would be similar to the following string:
cn=%{session.logon.last.username},cn=users,dc=sales,dc=com

Note: For more information on LDAP authentication, refer to the BIG-IP Access Policy Manager Authentication Configuration Guide.

Active Directory Server Authentication

Lesson Objective: During this lesson, you will learn how to configure APM for Active Directory Authentication.

Setting Up Access Policy Manager for Windows Active Directory Authentication and Authorization

Setting up Windows Active Directory authentication and authorization involves the following tasks:
• Configuring an Access Policy Manager Active Directory server for authentication.
• Configuring an Access Policy Manager Active Directory authentication policy action item.
• Configuring an Access Policy Manager Active Directory query action item.

Configuring an Access Policy Manager Active Directory Server for Authentication

The first task for setting up Active Directory authentication is to configure an Active Directory server. You will need to contact the Active Directory server administrator to confirm details such as domain and Administrator name and password.

To Configure an Active Directory Server
1. On the navigation pane, expand Access Policy and click AAA Servers. The AAA Servers List screen opens.
2. Click the AAA Servers by Type tab. Choose Active Directory.
The Active Directory Servers screen opens.
3. Click Create. The New Server screen opens.
4. Type a name for your AAA server.
5. Set the Server Connection to Direct.
6. Enter the information in the required fields (marked with a vertical blue line) and click Finish. The new Active Directory server is added to the AAA Server list.

Note: It is highly recommended that you configure an NTP server. The reason is that the time on the Access Policy Manager and the time on the domain controller need to be within 5 minutes of each other. Otherwise, authentication will fail. On the navigation pane, expand System, click General Properties, and from the Device menu, choose NTP. Remember also that you need to configure a DNS server that is aware of your Active Directory domain. On the navigation pane, expand System, click General Properties, and on the Device menu, choose DNS.

If you do not have an NTP server, find the time on your domain controller, and set the time on the Access Policy Manager to be within 5 minutes of that time using the date command. To enter a new date/time, type the command:
date MMDDHHmmYYYY
where:
MM is the numerical month
DD is the numerical day
HH is the numerical hour (24-hour clock)
mm is the numerical minute
YYYY is the numerical year.
So if your domain controller says it is November 7, 2007 8:24 a.m., you would type:
date 110708242007

Configuring an Access Policy Manager Active Directory Authentication Action Item

To use Active Directory authentication, you must add it as an action item to your policy. It is listed as AD Auth in the Visual Policy Editor.

AD Auth Settings
1. Enter the VPE AD Auth item. In the Server tab, select the Active Directory server you configured previously from the drop-down list.
2. Click Save and Apply Access Policy.
Configuring an Active Directory Query Action Item

To use Active Directory query, you must specify the authentication type as Query and then use the appropriate Active Directory server. This feature queries the appropriate part of the directory tree structure (specified by the search base, or container, DN) to find a user within that directory.

To configure the Access Policy Manager Active Directory query action item
1. Inside the Visual Policy Editor Items screen, under Authentication choose AD Query and click Add Item.
2. For the Server setting, select the name of your Active Directory server created previously.
3. Specify information for the following setting:
   SearchFilter: Allows the administrator to specify the search criteria to be used while querying the Active Directory server for users' information. Session variables are supported as part of the search query string. For example:
   (sAMAccountName=%{session.logon.last.username})
4. Click Save.

The AD Query action item has several available options for query; not all need to be activated at the same time. For more information on Active Directory authentication and the details on the various option settings and their combinations, refer to the BIG-IP Access Policy Manager Authentication Configuration Guide.

Using Active Directory Session Variables for Access Policy Rules

You can authorize your users with user information provided by the Active Directory server in the form of attributes. For each attribute, the system automatically creates a session variable.

Session variables for Active Directory

SESSION VARIABLE and DESCRIPTION
session.ad.last.attr.$attr_name
    $attr_name is a value that represents the user's attributes received from the Active Directory. Each attribute is converted to separate session variables.
session.ad.last.attr.primarygroup.$attr_name
    primarygroup.$attr_name is a value that represents the user's group attributes received from the Active Directory. Each attribute is converted to separate session variables.
session.ad.last.actualdomain
    The AD Auth agent sets this variable to the actual user domain used for successful Active Directory authentication, whether cross-domain support is enabled or disabled.
session.ad.last.authresult
    Provides the result of the Active Directory authentication. The available values are:
    0: Failed
    1: Passed
session.ad.last.queryresult
    Provides the result of the Active Directory query. The available values are:
    0: Failed
    1: Passed
session.ad.last.errmsg
    Displays the error message for the last login. If session.ad.last.authresult or session.ad.last.queryresult is set to 0, then session.ad.last.errmsg may be useful for troubleshooting purposes.

Note: For more information on session variables, refer to the Configuration Guide for BIG-IP Access Policy Manager.

To View Active Directory Session Variables
1. On the navigation pane, expand Access Policy, click Manage Sessions, and click Reports.
2. Click an active Session ID. This redirects you to the Reports section of the main navigation pane and shows the specific session details.
3. Scroll down the list of session variables displayed until you see the Active Directory session variables.
4. Going directly to the Reports area will also automatically query and display all the current sessions and session IDs, which you can click to display in detail.

Command Line Help for Authentication and Query

There are two commands that might be helpful in troubleshooting authentication problems: adtest and ldapsearch.
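Both the LDAP Auth SearchFilter and the AD Query SearchFilter described above substitute a session variable such as %{session.logon.last.username} into an LDAP filter. When you rebuild such a filter by hand, for example to reproduce a policy's lookup with the ldapsearch checks that follow, the substituted value must be escaped as RFC 4515 requires, otherwise characters like "*" or ")" in the value change the meaning of the filter. The following Python is an added example written for this guide, not APM's own code, and it does not describe how APM itself performs the substitution; the session dictionary and the ldapsearch argument builder are assumptions of the example.

```python
import re
from typing import Dict, List

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Matches APM-style references such as %{session.logon.last.username}.
_SESSION_VAR = re.compile(r"%\{([A-Za-z0-9_.]+)\}")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, session: Dict[str, str]) -> str:
    """Substitute every %{session.var} in template with its escaped value.

    A missing variable raises KeyError on purpose: an empty substitution would
    turn (cn=%{...}) into (cn=), which matches nothing and looks like a
    directory fault rather than a policy fault.
    """
    return _SESSION_VAR.sub(lambda m: escape_filter_value(session[m.group(1)]), template)


def ldapsearch_argv(uri: str, base_dn: str, bind_dn: str, password: str,
                    search_filter: str, scope: str = "sub") -> List[str]:
    """Argument vector for the ldapsearch check shown in this chapter.

    Handing the filter to subprocess.run as one argv element avoids a second
    round of shell quoting on top of the LDAP escaping above.
    """
    return ["ldapsearch", "-xLLL", "-H", uri, "-b", base_dn, "-s", scope,
            "-D", bind_dn, "-w", password, search_filter]


if __name__ == "__main__":
    # Constructed session: what the Logon Page action would have stored.
    session = {"session.logon.last.username": "user1"}
    filt = render_filter("(cn=%{session.logon.last.username})", session)
    print(" ".join(ldapsearch_argv("ldap://ldapA.company.com",
                                   "ou=group,dc=company,dc=com",
                                   "cn=binduser,dc=company,dc=com",
                                   "mypassword", filt)))
```

render_filter fails loudly on an unset variable because a silently empty filter is one of the more confusing things to debug from the LDAP server's side: the server answers correctly, with no entries, and the bind never happens.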
The ldapsearch Command

F5 Networks recommends using the ldapsearch command to verify basic connectivity between the BIG-IP and Active Directory or LDAP server(s), and to verify expected authentication results. You can specify the following options for the ldapsearch command:

Command option   Function
-x               Use simple authentication
-H               LDAP URI in the form protocol://host:port
-b               Base level from which to begin search
-s               Levels to search
-D               Bind user with credentials/permissions to search the database
-n               Shows what would be done, but does not actually perform the search
-w               Specifies the password inline
-W               System will prompt for password

Verifying User Search Requests

To simulate the initial search for a user in an authentication connection, type the following command at the BIG-IP command line:
ldapsearch -xLLL -H 'ldap://ldapA.company.com' -b "ou=group,dc=company,dc=com" -s sub -D "cn=binduser,dc=company,dc=com" -w 'mypassword' "(cn=user1)"

The LDAP server will return an entry that appears similar to the following example:
dn: uid=user1,ou=group,dc=company,dc=com
objectClass: inetOrgPerson

To test the same search against an LDAP server running on an alternative port, type the following command:
ldapsearch -xLLL -H 'ldap://ldapA.company.com:390' -b "ou=group,dc=company,dc=com" -s sub -D "cn=binduser,dc=company,dc=com" -w 'mypassword' "(cn=user1)"

The adtest Command

The BIG-IP APM adtest tool can be used to test query and authentication to an Active Directory server.
The basic syntax of the command can be viewed by typing adtest -h from the command line, and output will appear similar to the following example:

[root@apm_01:Active] config # adtest -h
adtest: option requires an argument -- h
usage: adtest [options]
  -t test type [auth|query|chgpswd]
  -n test number [default: 1]
  -c concurrency [default: 1]
  -h hostname
  -P port
  -r realm
  -A adminName
  -C credential cache file name
  -W adminPassword
  -N New Password
  -u userName
  -w userPassword
  -g fetch group [true|false]
  -U enableVPN [true|false]
  -f filter [default: 'sAMAccountName=<userName>']
Examples:
  adtest -t auth -r "host.example.com" -u jones -w 123456
  adtest -t query -h "host.example.com" -r "host.example.com" -A administrator -W password123 -u jones
  adtest -t chgpswd -h "host.example.com" -r "host.example.com" -u jones -w 123456 -N abcdef

The auth test type will test authentication. Active Directory authentication does not require administrative credentials. For example:

adtest -t auth -h "adserver.example.com" -r "exampledomain.local" -A administrator -W password123 -u jones -w letmein
Test done: total tests: 1, success=1, failure=0

The administrator credentials provided were unnecessary. If one were to run the same command with incorrect administrative credentials, the command would still yield a successful result. For example:

adtest -t auth -h "adserver.example.com" -r "exampledomain.local" -u jones -w letmein
Test done: total tests: 1, success=1, failure=0

However, administrative credentials are required for a query to succeed.
The following is an example of a query command sent with improper credentials:

adtest -t query -h "adserver.example.com" -r "exampledomain.local" -A administrator -W invalidpassword -u jones -w letmein
query with '(sAMAccountName=jones)' failed in get_init_creds_password(): Preauthentication failed, principal administrator@EXAMPLEDOMAIN.LOCAL (-1765328360)
Test done: total tests: 1, success=0, failure=1

The same command with proper credentials would show the following results:

adtest -t query -h "adserver.example.com" -r "exampledomain.local" -A administrator -W password123 -u jones -w letmein
Test done: total tests: 1, success=1, failure=0

One-Time Passwords

Introduction

BIG-IP can create unique one-time passwords that the user receives via email or SMS and then uses to log in to BIG-IP. Four actions in the access policy are associated with this process, but typically only three of the four are used.

One-Time Password Generation

You can use an OTP Generate action to generate a one-time-use, time-limited password that you can send to a user. You can define the OTP Generate action with these elements:

OTP Length: Specifies the length of the one-time password. Select from the values provided. Defaults to 6.
OTP Timeout: Specifies the number of seconds that the password is valid. Defaults to 300.

Sending the Password to the User

Access Policy Manager supports sending the one-time password to a user through email or text messaging. To send email from an access policy, use the Email agent action. To use this agent, you must have an external SMTP server. To send a text message from an access policy, you can use either of these agents:

Email: To use this agent, configure your external SMTP server to deliver the OTP to an SMS gateway.
HTTP Auth: To use this agent, configure an HTTP AAA server type in APM that uses form-based authentication.

One-Time Password Verification

In an access policy, the OTP Verify action checks for a match between a user-entered password and the one-time password generated previously by the OTP Generate action. The OTP Verify action also checks whether the one-time password has expired. You can define the OTP Verify action with this element:

Max Logon Attempts Allowed: Limits the number of logon attempts. Select from the values provided. Defaults to 3.

Macros

The visual policy editor also includes new macro templates: a template for sending an OTP over email and a template for sending an OTP using the HTTP Auth agent.

Session Variables

The following table lists the session variables used by OTP. The first three are used by OTP Generate and the final one is used by OTP Verify.

SESSION VARIABLE (TYPE) and DESCRIPTION
session.otp.assigned.val (string)
    Generated one-time password value to send to the end user. Example message: One-Time Passcode: %{session.otp.assigned.val}
session.otp.assigned.expire (string)
    Internally used timestamp; OTP expiration in seconds since this date and time: 00:00:00 UTC, January 1, 1970.
session.otp.assigned.ttl (string)
    OTP time-to-live; configurable as OTP timeout in seconds. Example message: OTP expires after use or in %{session.otp.assigned.ttl} seconds
session.otp.verify.last.authresult (bool)
    Result of OTP authentication attempt: 0 - Failed, 1 - Passed

Example Policy

The following access policy shows an OTP that uses email to send the one-time password to the user's phone.

(Figure: OTP example access policy)

The Logon Page, AD Auth and Full Resource Assign actions, as well as the endings Start, Allow and Deny, are already familiar.
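The generate and verify behaviour just described (a numeric code of OTP Length digits valid for OTP Timeout seconds, stored in the session.otp.assigned.* variables, then checked by OTP Verify against the user's entry, the expiry time and Max Logon Attempts Allowed) can be modelled in a few lines. The following Python is an added example, not APM's or the guide's own code: the session is a plain dictionary, the attempt counter key and the injectable clock parameter are assumptions of the example, and the email body reproduces the message the chapter's Email agent uses.

```python
import hmac
import secrets
import time
from typing import Dict, Optional

DIGITS = "0123456789"
# Assumed bookkeeping key for this model; it is not a documented APM session variable.
ATTEMPTS_KEY = "otp.verify.attempts"


def otp_generate(session: Dict[str, str], otp_length: int = 6,
                 otp_timeout: int = 300, now: Optional[float] = None) -> Dict[str, str]:
    """OTP Generate: create the code and store the session.otp.assigned.* variables."""
    now = time.time() if now is None else now
    # secrets.choice draws from the OS CSPRNG; every position is a digit, so the
    # code always has exactly otp_length characters (leading zeros included).
    code = "".join(secrets.choice(DIGITS) for _ in range(otp_length))
    session["session.otp.assigned.val"] = code
    # Guide: expiry is seconds since 00:00:00 UTC, 1 January 1970, kept as a string.
    session["session.otp.assigned.expire"] = str(int(now) + otp_timeout)
    session["session.otp.assigned.ttl"] = str(otp_timeout)
    session[ATTEMPTS_KEY] = "0"
    return session


def otp_verify(session: Dict[str, str], entered: str,
               max_logon_attempts: int = 3, now: Optional[float] = None) -> int:
    """OTP Verify: set and return session.otp.verify.last.authresult (1 passed, 0 failed)."""
    now = time.time() if now is None else now
    attempts = int(session.get(ATTEMPTS_KEY, "0")) + 1
    session[ATTEMPTS_KEY] = str(attempts)
    expected = session.get("session.otp.assigned.val", "")
    expired = int(now) > int(session.get("session.otp.assigned.expire", "0"))
    # Constant-time comparison so a wrong guess cannot be timed against the real code.
    matches = bool(expected) and hmac.compare_digest(expected.encode(), entered.encode())
    result = 1 if matches and not expired and attempts <= max_logon_attempts else 0
    session["session.otp.verify.last.authresult"] = str(result)
    if result == 1:
        # "OTP expires after use": clear it so the same code cannot be presented twice.
        session["session.otp.assigned.val"] = ""
    return result


def otp_message(session: Dict[str, str]) -> str:
    """Body of the Email agent message from the guide, with the variables substituted."""
    return ("One-Time Passcode: %s\nOTP expires after use or in %s seconds"
            % (session["session.otp.assigned.val"], session["session.otp.assigned.ttl"]))


if __name__ == "__main__":
    s = otp_generate({})
    print(otp_message(s))
    print("verify result:", otp_verify(s, s["session.otp.assigned.val"]))
```

The two details worth carrying into any real implementation are the constant-time comparison and the invalidation after a successful verify; the guide's session variable names make the rest a matter of bookkeeping.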
In the diagram below, we focus on the new actions in the middle of the policy.

(Figure: OTP Generate, Email, Logon Page OTP only, and AD Query actions with their fallback branches)

The user must enter valid credentials (tested in AD Auth) for the flow to reach the AD Query. This query is set up to retrieve the user's email address, as seen below. If successful, it continues to the OTP Generate action. If AD does not return an email address, the fallback path flows to a Deny ending, as shown below and in the visual policy above.

The OTP Generate action creates a one-time password. Only two options are available for configuration:

(Figure: OTP Generate action properties)

After the one-time password is created, it is emailed to the user in the Email Agent action. Note the use of the session variable in the To field. This session variable was retrieved by the AD Query action. Also note the two session variables from the OTP Generate action in the message field. Finally, note SMTP Configuration. It must be pre-configured in BIG-IP by navigating to System :: Configuration :: Device :: SMTP and creating an SMTP server configuration.

(Figure: Email Agent action. Message: One Time Passcode: %{session.otp.assigned.val} expires after use or in %{session.otp.assigned.ttl} seconds)

The second Logon Page action, labeled Logon Page OTP only, is used to prompt only for the one-time password. In the following diagram, the username prompt is set to none.

(Figure: Logon Page Agent properties)

In the customization section of the Logon Page, the password label is changed to One-time Password.
(Figure: Logon Page customization panel. Form Header Text: Secure Logon for F5 Networks; Logon Page Input Field: One-time Password)

Finally, the OTP Verify action verifies that the user entered the one-time password that was sent by the OTP Generate action.

(Figure: OTP Verify action. Max Logon Attempts Allowed: 3)

There is a lab for the OTP features in Chapter 12 that investigates the use of session variables in more depth.

Lab 10.1 - AAA Servers

Lab Objectives:
• Build a RADIUS Authentication configuration.
• Test RADIUS Authentication in later labs.

Estimated time for completion: 5 minutes

Lab Requirements:
• IP and port addresses available for use on BIG-IP APM that can be reached by the clients.

Add a New AAA Server Using RADIUS Authentication
1. Navigate to Access Policy :: AAA Servers :: RADIUS and then click the Create button on the new page.
2. Configure the following settings and click Finished.
   Name: radius_aaa_srvr
   Mode: Authentication
   Server Connection: Direct
   Server Address: 172.16.20.1
   Auth Service Port: 1812
   Secret: testing123
   Confirm Secret: testing123

Lab 10.2 - Visual Policy Editor Macros

Lab Objectives:
• Build Macros that check RADIUS and Active Directory Authentication.
• Test the new access policy and verify functionality.

Estimated time for completion: 20 minutes

Create Two Macros
1. Select Access Policy :: Access Profiles and click the Create button.
2. Give your Profile a name of auth_macros and select En as an Accepted Language. Click Finished.
3. Click the Edit link for the auth_macros Profile to get into the Visual Policy Editor.
4. Click the Add New Macro button.
5. From the Select macro template pulldown choose RADIUS and resources.
6. Change the Name to My RADIUS and then click Save.
7. Click the Add New Macro button again.
8. From the Select macro template pulldown choose AD auth and resources.
9. Change the Name to My AD and then click Save.
10. Click the large plus sign (+) in front of your two new macros.
11. For the My RADIUS macro on the Successful leg, click the link for Resource Assign.
12. Next, click the Add new entry button.
13. For the new entry immediately below, click the Add/Delete link.
14. Click the Webtop (not Webtop Links) tab.
15. Select /Common/server1_ssl_webtop, then click Update.
16. Finally, click Save.
17. Click the link for RADIUS Auth in the My RADIUS macro.
18. Change the AAA Server to /Common/radius_aaa_srvr, and the Max Logon Attempts Allowed to 1, and click Save.
19. For the My AD macro on the Successful path, click the link for Resource Assign and set the Webtop to /Common/exchange1_webtop (for a reminder, see steps 12-17).
20. For the My AD macro, click the link for AD Auth in the decision box.
21. Change the AAA Server to /Common/server1_aaa_srvr and click Save.
22. Add a message box, in the General Purpose tab, to the Successful leg of each macro:
    My RADIUS macro: Message Box RAD Passed, message: RADIUS Auth
    My AD macro: Message Box AD Passed, message: AD Auth
23. And add a message box to the Fallback leg of each macro:
    My RADIUS macro: Message Box RAD fail, message: Failed RADIUS Auth
    My AD macro: Message Box AD fail, message: Failed AD Auth

Finish Your Empty Access Policy
24. The main policy section should be empty, with only a Start and Deny.
25. Click the plus sign (+) in between the Start and Deny terminals.
26. Click the Macrocalls tab, then click the radio button for the My RADIUS Macrocall and then the Add Item button.
27. On the Successful leg of the RADIUS Macro change the Ending to Allow.
28. Close out of the Visual Policy Editor and Apply the Access Policy.

Test Your New Access Policy
29. Create a Virtual Server auth_macros_vs on 10.10.X.107:443 using the auth_macros Access Profile.

Note: remember to apply appropriate Profiles like http, clientssl, serverssl, connectivity and rewrite to match the Virtual Server and resources you are using in your configuration. Also remember to set Source Address Translation to Auto Map.
It is not needed for 172.16.20.1-3, but is needed for 172.16.20.20 (Exchange). If the page does not display correctly, you may have to set the SSL Profile (Server) to serverssl-insecure-compatible.
30. Log in as studentX/studentX and test with both a successful and a failed logon attempt. If you type in an invalid password you should only get one chance, then you're logged off.

Add AD Auth as a Fallback Authentication and Test Again
31. Navigate to the auth_macros VPE.
32. On the failure leg of the main policy add the My AD macrocall.
33. On the Successful leg of the My AD macro change the Ending to Allow and test.
34. Your access policy should look like this:

(Figure: Example configuration. Access Policy /Common/auth_macros with the macros My AD and My RADIUS; endings Allow and Deny)

35. Since both Auth servers use the same usernames and passwords, use credentials student17/student17. User student17 is a valid AD account, but is not valid on RADIUS. (student18/student18 should work on RADIUS, but not AD.)
36. Test the Active Directory authentication.
37. Notice you get the logon page a second time with this configuration after RADIUS fails. Fix this design problem by deleting the logon page from both macros and adding the logon page to the main Access Policy, and test again.

(Figure: Example configuration with Logon Page on main policy)

38.
Change the order of the My RADIUS and My AD macros in the main policy and test again. Without macros, changing the order would be difficult.
39. Test for both AD and RADIUS authentication.

Practice Using the Commands adtest and ldapsearch
40. From a BIG-IP command prompt issue both commands below:
adtest -t auth -r f5trn.com -u studentX -w studentX
ldapsearch -h dc.f5trn.com -x -b CN=Users,DC=f5trn,DC=com \
  -D "CN=Student X,CN=Users,DC=f5trn,DC=com" -w studentX \
  CN="Student X" memberof
41. Was the adtest successful? And what groups is student1 a member of? We will use the group information in the next lab.

Lab 10.3 - Active Directory Query

Objective:
• Build an Access Policy that uses AD Query and AD Authentication and test.

Estimated time for completion: 15 minutes

Create a New Policy
1. Use the following steps to create a new Access Policy. When complete, it will look like this:

(Figure: Macro: My AD Query)

Create an AD Query Macro
2. Select Access Policy :: Access Profiles and click the Create button.
3. Give the new Access Profile the name ad_query, select En as an Accepted Language and click Finished.
4. Click the Edit... link for the ad_query Profile to get into the Visual Policy Editor.
5. Click the Add New Macro button.
6. From the Select macro template pulldown choose AD auth query and resources.
7. Change the Name to My AD Query and then click Save.
8. Click the large plus sign (+) in front of the AD macro.
9. Click the X sign to remove the AD Logging Action.
10. Click the links for both AD Auth and AD Query and change the AAA Server to server1_aaa_srvr and then click Save.

Change the Branch Rule for My AD Query
9. Click the link for the AD Query action.
10. Click the Branch Rules tab.
11. Click the X box to the right of "Primary Group ID is 100" to delete this branch rule.
12. Click the Add Branch Rule button and change the name to Accounting.
13. Click the link for change under the Accounting branch rule.
14. Click the Add Expression button and set the following values:
    Agent Sel: AD Query
    Condition: User is a Member of
    User is a Member of: CN=Accounting,CN=Users,DC=f5trn,DC=com
    Note: Do not put spaces after the commas in the User is a Member of field.
15. Click the Add Expression button again and click Finished, then click Save.
16. Use the Advanced Resource Assign action to assign different Resources to both the Accounting and Fallback legs of the AD Query (see the previous lab for suggestions).
17. Change the Endings on both the Accounting and fallback legs of AD Query to Successful.

Add AD Query to the Main Policy
18. In the main policy add the My AD Query macrocall after the Start box.
19. Also in the main policy change the Ending on the Successful leg of My_ADQuery to Allow.

Test Your New Access Policy
20. Make sure you Apply the Access Policy, change the auth_macros_vs Virtual Server to use the ad_query Access Profile and test your Virtual Server again.
21. Log in to the Virtual Server as student1.
22. In the BIG-IP Admin UI, navigate to Access Policy :: Reports.
23. On the right side, under the Reports Browser, find Current Sessions :: Run Reports.
24. For the most recent (top-most) student1 entry, click View Session Variables.
25. Find the session variable session.ad.last.attr.memberOf. (Note: session is implied; start drilling down at ad.)
26. Notice that the user student1 is a member of the group Accounting (CN=Accounting).
27. Test your policy again by logging out and back in as student5.
28. Find out what group user student5 is a member of, by either looking in Reports or by looking in /var/log/apm. How did that information get in the log file? Hint: look at your access policy in the Visual Policy Editor.
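The branch rule built in this lab ("User is a Member of" a group DN, evaluated against session.ad.last.attr.memberOf) and the additional group rules the optional lab that follows adds to the same AD Query action can be modelled end to end: parse the memberOf values that the chapter's ldapsearch check returns, populate the session variable, and pick the branch. The following Python is an added example, not APM's or the guide's own code. It assumes that branch rules are evaluated in the order they appear and the first match wins, that the multi-valued memberOf attribute can be represented as a list, and that the lab's "no spaces after the commas" note means a plain string comparison; the LDIF sample is constructed, not captured from the classroom directory.

```python
from typing import Dict, List, Sequence, Tuple

MEMBER_OF = "session.ad.last.attr.memberOf"

# Constructed LDIF shaped like the output of the chapter's
#   ldapsearch ... -x CN=student1 memberof
# check. The second memberOf value is folded over two lines, as LDIF allows.
SAMPLE_LDIF = """\
dn: CN=student1,CN=Users,DC=f5trn,DC=com
memberOf: CN=Accounting,CN=Users,DC=f5trn,DC=com
memberOf: CN=Remote Desktop Users,CN=Builtin,
 DC=f5trn,DC=com

dn: CN=student7,CN=Users,DC=f5trn,DC=com
memberOf: CN=Finance,CN=Users,DC=f5trn,DC=com
"""

# Branch rules in the order the labs add them to the AD Query action.
LAB_RULES: Sequence[Tuple[str, str]] = (
    ("Accounting", "CN=Accounting,CN=Users,DC=f5trn,DC=com"),
    ("Finance", "CN=Finance,CN=Users,DC=f5trn,DC=com"),
    ("Legal", "CN=Legal,CN=Users,DC=f5trn,DC=com"),
    ("IT", "CN=IT,CN=Users,DC=f5trn,DC=com"),
)


def parse_ldif_memberof(ldif: str) -> Dict[str, List[str]]:
    """Map each entry's DN to its memberOf values, joining LDIF continuation lines."""
    unfolded: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:     # a leading space continues the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: Dict[str, List[str]] = {}
    current_dn = None
    for line in unfolded:
        if line.startswith("dn: "):
            current_dn = line[4:]
            entries[current_dn] = []
        elif line.startswith("memberOf: ") and current_dn is not None:
            entries[current_dn].append(line[len("memberOf: "):])
    return entries


def session_from_ldif(ldif: str, user_dn: str) -> Dict[str, List[str]]:
    """Build the part of a session an AD Query would populate for user_dn."""
    return {MEMBER_OF: parse_ldif_memberof(ldif).get(user_dn, [])}


def user_is_member_of(session: Dict[str, List[str]], group_dn: str) -> bool:
    """The "User is a Member of" condition as an exact string comparison."""
    return group_dn in session.get(MEMBER_OF, [])


def select_branch(session: Dict[str, List[str]],
                  rules: Sequence[Tuple[str, str]] = LAB_RULES) -> str:
    """First rule whose condition holds wins; otherwise the fallback branch."""
    for branch_name, group_dn in rules:
        if user_is_member_of(session, group_dn):
            return branch_name
    return "fallback"


def rule_dn_warnings(group_dn: str) -> List[str]:
    """Flag the DN spelling the lab warns about: a space after a comma never matches."""
    return ["space after comma"] if ", " in group_dn else []


if __name__ == "__main__":
    for dn in parse_ldif_memberof(SAMPLE_LDIF):
        print(dn, "->", select_branch(session_from_ldif(SAMPLE_LDIF, dn)))
```

A user in none of the configured groups lands on fallback, which is why the lab has you assign resources and a Successful ending to the fallback leg as well, and why a rule DN typed with a space after a comma shows up as every user taking that leg.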
Optional Lab 10.4 - AD Query and AD Groups

• Estimated time for completion: 15 minutes

Add Other Groups to Your AD Query Macro
1. Add other Branch Rules to AD Query for the groups Finance, Legal and IT. The student user IDs should be in each group as follows:

   Accounting: student1 to 4
   Finance: student6 to 8
   Legal: student9 to 12
   IT: student13 to 16

   You could also use the ldapsearch command below to verify this:
   ldapsearch -h dc.f5trn.com -b CN=Users,DC=f5trn,DC=com -D CN=student1,CN=Users,DC=f5trn,DC=com -w student1 -x CN=student1 memberof

3. Set the following values for each Expression, where XXXX is the Group name. The group names are case sensitive with Active Directory, so match the case above.
   Agent Sel: AD Query
   Condition: User is a Member of
   User is a Member of: CN=XXXX,CN=Users,DC=f5trn,DC=com
4. Assign different Resources to the Finance, Legal and IT legs of AD Query.
5. Change the Endings on each Group leg of AD Query to Successful.
6. Test by successfully logging in with the appropriate studentX user. Remember to check group membership by expanding Session Variables in Access Policy Reports.

Lab 10.5 - Configuration

Lab Objective:
• Create a backup archive

Save the Configuration
1. Create an archive named studentX_labs1-10.
2. Download the new archive to your desktop.

Chapter 11: Client-Side Endpoint Security

Overview of Client-Side Endpoint Security

Lesson Objective: After this lesson, you will be able to list the Client Side Checks available with APM and understand the concept for each check.

Understanding Client-Side Checks

In BIG-IP® Access Policy Manager™ access policies, you use client-side checks to collect and verify system information. In the visual policy editor, you can use the information collected by client-side checks in an access policy to enforce a specific security level before granting access to network resources. You can also use this information to perform remediation and protect your network resources.
The Access Policy Manager provides these checks as a set of access policy actions that you can use to construct an access policy to evaluate client systems. Access Policy Manager uses ActiveX controls or browser plug-ins to collect information about client systems. For those clients that do not support browser add-ons or that do not allow browser software installation, the client-side security process can inspect HTTP headers to gather information on the client, including the client operating system and browser type. You can check that a client supports client-side checks with the client-side check capability action. If a client does not support client-side checks, that client can follow a different access policy branch.

While Access Policy Manager provides checks for many client devices, some client-side checks may not be supported on all supported operating systems. The Access Policy Manager supports the following client-side checks.

• Antivirus check: Checks information about installed Windows, Macintosh, or Linux antivirus software, including vendor, version, state (enabled or disabled), and virus database age.
• Firewall check: Checks information about installed Windows, Macintosh, or Linux firewalls, including vendor, state (enabled or disabled), and version.
• File check (3 types): Checks for the presence or absence of Windows, Macintosh, or Linux files based on specific file properties.
• Machine Cert Auth: Checks the client system for an installed machine certificate.
• Windows info: Checks the version information for the Windows operating system, such as version and hotfix information from the remote system.
• Process check (3 types): Checks for running Windows, Macintosh, or Linux processes.
• Registry check: Checks the Windows registry for keys and values that you specify.
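Two of the checks listed above, the antivirus check and the file check, have decision rules that the next lesson spells out: antivirus entries combine as a logical OR, a configured engine or database version must match exactly (a later version fails), the virus database may be required to be no older than N days, and a file check sends the client to the fallback branch unless the file exists and every configured property (size, MD5 checksum) matches. The following Python is an added example that models those rules; it is not APM's or the guide's own code, the report and entry data classes are assumptions about what the client-side inspector returns, and the example entries reproduce the lesson's McAfee/Symantec configuration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

SUCCESSFUL, FALLBACK = "successful", "fallback"


@dataclass
class AntivirusReport:
    """What the client-side inspector reported for one installed product (assumed shape)."""
    vendor: str
    platform: str          # "win", "mac" or "linux"
    enabled: bool
    version: str
    db_version: str
    db_age_days: int


@dataclass
class AntivirusEntry:
    """One entry of the Antivirus Check action; None means the field was left blank."""
    vendor: str = "Any"
    platforms: Optional[FrozenSet[str]] = None   # None = any platform; models the [win]/[mac]/[lin] prefixes
    state: str = "Unspecified"                   # "Enabled" or "Unspecified"
    version: Optional[str] = None
    db_version: Optional[str] = None
    db_age_not_older_than: Optional[int] = None

    def matches(self, r: AntivirusReport) -> bool:
        if self.vendor != "Any" and r.vendor != self.vendor:
            return False
        if self.platforms is not None and r.platform not in self.platforms:
            return False
        if self.state == "Enabled" and not r.enabled:
            return False
        # Version fields are exact matches: a later engine or database version fails.
        if self.version is not None and r.version != self.version:
            return False
        if self.db_version is not None and r.db_version != self.db_version:
            return False
        if self.db_age_not_older_than is not None and r.db_age_days > self.db_age_not_older_than:
            return False
        return True


def antivirus_check(entries: Iterable[AntivirusEntry], reports: Iterable[AntivirusReport]) -> str:
    """Entries combine as logical OR: one entry matching one installed product passes."""
    reports = list(reports)
    for entry in entries:
        if any(entry.matches(r) for r in reports):
            return SUCCESSFUL
    return FALLBACK


# The lesson's example action: [win/mac/linux] McAfee, [mac] Symantec, [win/linux] Symantec,
# each required to be enabled with a virus database no older than 7 days.
EXAMPLE_ENTRIES = [
    AntivirusEntry(vendor="McAfee, Inc.", state="Enabled", db_age_not_older_than=7),
    AntivirusEntry(vendor="Symantec Corp.", platforms=frozenset({"mac"}),
                   state="Enabled", db_age_not_older_than=7),
    AntivirusEntry(vendor="Symantec Corp.", platforms=frozenset({"win", "linux"}),
                   state="Enabled", db_age_not_older_than=7),
]


def file_check(path: str, size: Optional[int] = None, md5: Optional[str] = None) -> str:
    """File check: the file must exist and every configured property must match."""
    if not os.path.isfile(path):
        return FALLBACK
    if size is not None and os.path.getsize(path) != size:
        return FALLBACK
    if md5 is not None:
        with open(path, "rb") as fh:
            digest = hashlib.md5(fh.read()).hexdigest()   # MD5 because the check is defined on it
        if digest.lower() != md5.lower():
            return FALLBACK
    return SUCCESSFUL


def write_sample_file(content: bytes) -> str:
    """Create a constructed client file for exercising file_check; returns its path."""
    fd, path = tempfile.mkstemp(prefix="apm-file-check-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    client = AntivirusReport("McAfee, Inc.", "win", True, "5200.2000", "4.931.00", 3)
    print("antivirus:", antivirus_check(EXAMPLE_ENTRIES, [client]))
    print("file:", file_check(write_sample_file(b"hello"), size=5))
```

The exact-version behaviour is the one to test before deploying such a policy: an entry with a Version or Database Version value silently fails every client that has since updated, so the DB Age Not Older Than setting is usually the better way to express "up to date".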
Client-Side Endpoint-Security Part 1

Lesson Objective: During this lesson, you will learn how to configure APM Client Side Checks.

Setting Up Antivirus Check

You use the antivirus check action to check for antivirus software on the client computer. You can configure the antivirus check action to search for antivirus software from a set of available antivirus vendors, or for specific antivirus applications. In addition, the antivirus check can determine the specific version of the software, the specific virus database version, the age of the virus database, and whether the antivirus software is enabled.

When you configure the antivirus action with multiple antivirus types, the antivirus types work as logical OR operators. If one antivirus type you specify matches the software on the client computer, the action passes, regardless of other antivirus conditions that are specified in the action.

Checking Antivirus with the Antivirus Check Access Policy Item

Use the antivirus check action to assure that clients who connect to secure resources are using an approved and up-to-date antivirus solution.

To Add an Antivirus Check Action
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Checks.
5. Select Antivirus Check and click Add Item to add the action to the access policy. The Antivirus Check action popup screen opens.
6. Configure the antivirus entry.
   a) From the Antivirus ID list, select the antivirus vendor.
      Select Any to allow the access policy to pass with any antivirus. In this list, Windows-specific entries are marked with the prefix [Win], Macintosh-specific entries are marked with the prefix [Mac], and Linux-specific entries are marked with the prefix [Lin].
   b) From the State list, select a state for the antivirus. Select Enabled to specify that the selected antivirus (or any antivirus) is running on the computer. Select Unspecified to verify the presence of the antivirus software, but not the state.
   c) If you require a specific virus software engine version (for example, 5200.2000), in the Version box, type the version number. Note that this check does not allow for later versions, so if you check for a specific version, a later version will fail.
   d) If you require a specific virus database version (for example, 4.931.00), in the Database Version box, type a database version. Note that this check does not allow for later versions, so if you specify a check for a specific version, a later version will fail.
   e) If you require that the virus database not be older than a certain age, in the DB Age Not Older Than (days) box, type the database age in days. Be sure to use settings that are compatible with your software. Some antivirus services provide updates frequently, every few days; some antivirus services update only every week or less.
7. To add another antivirus type to the action, click Add New Entry, and repeat step 6.
8. Click Save to complete the configuration.

Example: Using Antivirus Check

In this example, the administrator adds support for two popular corporate antivirus solutions: McAfee on Windows, and Symantec on Mac and Linux platforms. The administrator specifies that any of these antivirus solutions must be running, with virus databases no older than 7 days, for the client computers to pass the condition successfully.

Note: This is not a complete example.
For the example to work, you must assign an Allow ending to successful branches. You can assign a resource along with an associated webtop. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.

To Configure the Example Action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Checks.
5. Select Antivirus Check and click Add Item to add the action to the access policy. The Antivirus Check action popup screen opens.
6. Configure McAfee for Windows:
   a) From the Antivirus ID list, select [win/mac/linux] McAfee, Inc.
   b) From the State list, select Enabled.
   c) In the DB Age Not Older Than (days) box, type 7.
7. Click Add new entry to add an antivirus entry to the action. Note that new entries are added above previously configured entries, by default.
8. Configure Symantec for Macintosh:
   a) From the Antivirus ID list, select [mac] Symantec Corp.
   b) From the State list, select Enabled.
   c) In the DB Age Not Older Than (days) box, type 7.
9. Click Add new entry to add an antivirus entry to the action. Note that new entries are added above previously configured entries, by default.
10. Configure Symantec for Linux:
   a) From the Antivirus ID list, select [win/linux] Symantec Corp.
   b) From the State list, select Enabled.
   c) In the DB Age Not Older Than (days) box, type 7.
   The configured action appears as shown in the following illustration.
11. Click Save to save the access policy.

Antivirus check example (illustration: three entries, McAfee, Inc. for Windows and Symantec Corp. for Macintosh and for Linux, each with State Enabled and DB Age Not Older Than 7 days)

Setting Up File Check

You use the file check action for Windows, Macintosh, or Linux to verify the presence of one or more files on a client system. On all supported platforms, the file check action can verify one or more file properties, including the file name, size, date, and MD5 checksum. In addition, the Windows version of the file check action can verify version and signer information. If a file with the described properties exists, the client is passed to the successful branch. If the file does not exist, or a file exists but one or more properties are not correct, the client is passed to the fallback branch.

Checking for a File with the File Check Access Policy Item

Add a file check action to an access policy in a situation where verifying the presence of a certain file can increase confidence in the security of the client system.

To Add a File Check Action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Checks.
5. Select the file check action for your platform:
   - For Windows, select Windows File Check and click Add Item to add the action to the access policy.
   - For Macintosh, select Mac File Check and click Add Item to add the action to the access policy.
   - For Linux, select Linux File Check and click Add Item to add the action to the access policy.
   The File Check action popup screen opens.
6. Click Add new entry to add a file entry to the action.
7. Configure the entry.
   - In the File Name box, type the name of the file you want to check. Note that this is the only setting that is required.
   - If you want to verify that the MD5 checksum matches, in the MD5 box, type or paste the MD5 checksum.
   - If you require an exact size for the file, in the Size box, type the size in bytes. Note that if you type 0 in this box, no file size check occurs. To check for a 0-byte file, you must instead type the MD5 checksum in the MD5 box. The MD5 checksum of a 0-byte file is always d41d8cd98f00b204e9800998ecf8427e.
   - If you want to specify the file creation date, in the Date box, type the file creation date. The default date of 1970-01-01 00:00:00 is the same as specifying no date. You can determine the file creation date by right-clicking the file in Windows and selecting Properties. The file creation date must be expressed on a 24-hour clock, if your system is not on 24-hour time. For example, you would type the file creation date Wednesday, February 27, 2008, 1:23:37 PM in this box as 2008-02-27 13:23:37. The file creation date is compared in UTC, or Greenwich Mean Time (GMT), so when the server and client time zones are not UTC, you must adjust the file time you specify accordingly.
   - For Windows file check only, if you require that the file be signed, in the Signer box, type the signer.
   - For Windows file check only, in the Version box, type the file version, whether you want to require that exact version or a version greater than or less than it.
   - For Windows file check only, from the Version Comparison list, select the version comparison operator.
     Select = if you want the file to be exactly the version you specify, select < if you want the file version to be less than the version you specify, and select > if you want the file version to be greater than the version you specify.
8. To add another file to the action, repeat steps 6-7.
9. Click Save to complete the configuration.

Example: Using File Check

In this example, the administrator adds a Windows file check action, with the requirement that a system file, wininet.dll, be present on the client system. The file must be version 6.0.2900.2904, be 658,432 bytes in size, and have an MD5 checksum of 38ab7a56f566d9aaad31812494944824.

Note: This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a resource along with an associated webtop. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.

To Configure the Example Action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Checks.
5. Select Windows File Check and click Add Item to add the action to the access policy. The File Check action popup screen opens.
6. Click Add new entry to add a file entry to the action.
7. Configure the entry:
   - In the File Name box, type wininet.dll.
   - In the MD5 box, type the MD5 checksum 38ab7a56f566d9aaad31812494944824. Many MD5 checksum utilities include a copy function to simplify this step.
   - In the Size box, type 658432.
   - In the Version box, type 6.0.2900.2904.
   - From the Version Comparison list, select =.
   The configured action appears as shown in the following illustration.
8. Click Save to complete the configuration.

Windows file check example (illustration: one entry, File Name wininet.dll, MD5 38ab7a56f566d9aaad31812494944824, Size 658432, Date 1970-01-01 00:00:00, Version 6.0.2900.2904)

Note: For more example configurations, refer to the BIG-IP Access Policy Manager product documentation.

Setting Up a Machine Cert Auth Check

You use the machine certificate authentication check action to check for the presence of a machine certificate on the client computer. You can configure the action to check for a certificate in a specific location, and to require matches with particular certificate fields in order to pass.

Understanding Machine Cert Auth Check Options

The machine cert auth check can be configured with a number of options. These options are listed below:

- Certificate Store Name: Specifies the certificate store name that the action attempts to match. The certificate store can be a system store with a predefined name like MY, or a user-defined name. The store name can contain alphanumeric characters. The default store name is MY.
- Certificate Store Location: Specifies the type and location of the store that contains the certificate, either the local machine or the current user. The store locations correspond to the following registry locations:
  - LocalMachine - searches in HKEY_LOCAL_MACHINE for the machine certificate.
  - CurrentUser - searches in HKEY_CURRENT_USER for the machine certificate.
- CA Profile: Specifies the certificate authority profile for the machine certificate. To configure a certificate authority, on the navigation pane, expand Local Traffic, click Profiles, from the SSL menu select Certificate Authority, and click Create.
- OCSP Responder: Specifies the Online Certificate Status Protocol responder configured to provide certificate status.
  The OCSP responder is used to check the status of the machine certificate configured in the machine cert auth check action.
- Certificate Match Rule: Specifies how the machine cert auth check action identifies the certificate. The following match rules are supported:
  - SubjectCN Match FQDN - Specifies that the common name in the machine certificate must match the computer's fully qualified domain name (FQDN).
  - SubjectAltName Match FQDN - Specifies that the content extracted from the Subject Alternative Name field, using a specified regular expression, must match the computer's FQDN. When this option is selected, the SubjectAltName box appears. This box is required for the SubjectAltName match value only. The regular expression is used to extract the content of the first subgroup matched in the Subject Alternative Name, and then to compare the extracted content with the machine's FQDN. Note that the order of RDNs is the same as is displayed; the required separator is a comma (, ). Subcases for regex extraction follow:
    Partial extraction. For example, ".*DNS Name=([^,]+).*" or ".*Other Name:Principal Name=([^,]+).*". For the regular expression "DNS Name=([^,]+).*", the value of the DNS Name field is extracted for matching.
    Whole extraction. Leave this field empty or use "(.*)", in order to allow the entire SubjectAltName content to be extracted for matching.
  - Any - Specifies that the first certificate in the specified certificate store is sent to the server for further validation. Any other certificates are ignored.
  - Issuer - Specifies that the content of the Issuer field must match the pattern specified by the regular expression. When this option is selected, the Issuer box appears. This box is required for the Issuer match, as well as for the Issuer and Serial Number match.
    The regular expression is used to match the Issuer's content against the specified pattern. Note that the order of RDNs is the same as is displayed; the required separator is a comma (, ). Subcases for the regex match are as follows:
    Partial match. For example, "CN=.+, OU=FP, O=F5, L=San Jose, S=CA, C=US".
    Exact match. For example, "CN=Root, OU=FP, O=F5, L=San Jose, S=CA, C=US".
  - Issuer and Serial Number - Specifies that the content of the Issuer field must match the pattern specified by the regular expression, and that the serial number must precisely match your input. When this option is selected, the Issuer box appears (it is required for this match as well as for the Issuer match) and the regular expression is used to match the Issuer's content against the specified pattern. The Serial Number box also appears. The serial number must be an exact match; the hex string must be typed in the same order as it is displayed by OpenSSL and the Windows certificate tools, for example, 0102030405060708090a.
- Save Certificate in a session variable: Select Enabled to save the complete encoded text of the machine certificate in a session variable, session.windows_check_machinecert.cert.

Checking a Machine Certificate with the Machine Cert Access Policy Item

Use the machine cert auth check action to check for the existence of fields in a machine certificate, to ensure that client systems comply with your security policy.

To Add a Machine Cert Auth Check Action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Checks.
5. Select Machine Cert Auth and click Add Item to add the action to the access policy. The Machine Cert Auth action popup screen opens.
6. In the Certificate Store Name box, type the certificate store name, or use the provided value, MY.
7. From the Certificate Store Location list, select the certificate store registry location.
8. From the CA Profile list, select the certificate authority.
9. From the OCSP Responder list, select an OCSP responder, if required, or None.
10. From the Certificate Match Rule list, select the desired certificate match rule, and enter values in any related boxes that appear.
11. From the Save Certificate in a session variable list, select Enabled to save the certificate in a session variable, or Disabled to not save it.
12. Click Save to complete the configuration.

Example: Using Machine Cert Auth Check

In this example, the machine certificate check compares the fully qualified domain name www.siterequest.com against the Subject Alternative Name field.

Note: This is not a complete example. For the example to work, you must assign an Allow ending to successful branches. You can assign a resource along with an associated webtop. For a web application access management connection, you need not assign resources. This example is configured starting with an empty access policy.

To Configure the Example Action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Checks.
5. Select Machine Cert Auth and click Add Item to add the action to the access policy. The Machine Cert Auth action popup screen opens.
6. From the Certificate Match Rule list, select SubjectAltName Match FQDN.
7. In the Subject Alternative Name box, type *.siterequest.com.
8. Leave all other settings at their default values.
9. Click Save to complete the configuration.

Setting Up Process Check

With the process check action, you can verify that one or more particular processes are or are not running. You use the process check action with a Boolean expression to check for processes that are running on the client system. The Boolean expressions you specify can use the wildcards * and ?, parentheses () to combine values, and the logical operators AND, OR, and NOT.

Setting Up the Process Check Access Policy Item

You can add process checks for Windows, Linux, or Mac clients.

To Add a Process Check Action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Checks.
5. Select the Process Check for the operating system you are checking, and click Add Item to add the action to the access policy. The Process Check action popup screen opens.
6. In the Expression box, type the expression.
7. Click Save to complete the configuration.

Example: Using Process Check

In this example, you use the process check action to determine the presence of the running Windows processes winlogon.exe and GoogleDesktop.exe. You also determine that no process whose name begins with gator is running.

To Add the Example Action

1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Checks.
5. Select Windows Process Check and click Add Item to add the action to the access policy. The Process Check action popup screen opens.
6. In the Expression box, type the process check expression as follows:
   (winlogon.exe AND GoogleDesktop.exe) AND NOT gator*
   The configured action appears as shown in the following illustration.
7. Click Save to complete the configuration.

Process check example (illustration: Expression (winlogon.exe AND GoogleDesktop.exe) AND NOT gator*)

Verifying Windows Information

You use the Windows info check action to verify the presence of Windows operating system versions, Windows patches, or Windows updates.
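The two matching rules in this part that are easiest to get wrong are the Process Check expression grammar and the regular expressions behind the Machine Cert Auth match rules, and the visual policy editor gives no way to try either before a client connects. The following Python script is an added example, not code from this guide or from F5 (the client-side inspector's real evaluation logic is not published), that emulates both so you can test an expression or a regex offline against constructed input. It assumes, and labels in the code, that precedence is NOT, then AND, then OR (the guide does not say, so parenthesise as the lesson's examples do); that process names compare case-insensitively, as Windows file names do; that the SubjectAltName regex is searched anywhere in the field and the Issuer regex must match the whole Issuer string; and that FQDN comparison is case-insensitive. The process lists, SubjectAltName, Issuer and serial values are constructed for the demonstration.

```python
import re
from fnmatch import fnmatchcase

# Process Check expressions: names may use the wildcards * and ?, parentheses
# group terms, and AND / OR / NOT must be uppercase (lowercase "and" is just a
# name and leaves the expression unparseable).  Precedence NOT > AND > OR is an
# assumption; the guide does not state it.
_TOKEN = re.compile(r"\s*(\(|\)|AND\b|OR\b|NOT\b|[^\s()]+)")


def _tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError("cannot tokenize %r" % expr[pos:])
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def _and(left, right):
    return lambda procs: left(procs) and right(procs)


def _or(left, right):
    return lambda procs: left(procs) or right(procs)


def compile_process_check(expr):
    """Recursive-descent parse of a Process Check expression into a predicate
    over a collection of running process names."""
    tokens, pos = _tokenize(expr), 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression %r" % expr)
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        node = parse_and()
        while peek() == "OR":
            take()
            node = _or(node, parse_and())
        return node

    def parse_and():
        node = parse_not()
        while peek() == "AND":
            take()
            node = _and(node, parse_not())
        return node

    def parse_not():
        if peek() == "NOT":
            take()
            inner = parse_not()
            return lambda procs: not inner(procs)
        return parse_atom()

    def parse_atom():
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("missing ')' in %r" % expr)
            return node
        if tok in ("AND", "OR", "NOT", ")"):
            raise ValueError("unexpected %r in %r" % (tok, expr))
        pattern = tok.lower()  # assumption: case-insensitive, like Windows names
        return lambda procs: any(fnmatchcase(p.lower(), pattern) for p in procs)

    predicate = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expr)
    return predicate


def process_check(expr, running):
    """True when the expression holds for the given running process names."""
    return compile_process_check(expr)(running)


# Machine Cert Auth match rules (assumptions: SubjectAltName regex searched
# anywhere in the field, first subgroup compared with the FQDN ignoring case;
# Issuer regex must match the whole Issuer string, RDNs comma separated in
# displayed order; serial number compared exactly as the tools display it).
def subjectaltname_match_fqdn(san_field, regex, fqdn):
    """SubjectAltName Match FQDN; an empty regex means whole extraction."""
    m = re.search(regex or "(.*)", san_field)
    if m is None or m.re.groups == 0:
        return False
    return m.group(1).strip().lower() == fqdn.lower()


def issuer_match(issuer_field, regex, serial=None, expected_serial=None):
    """Issuer match, or Issuer and Serial Number match when a serial is expected."""
    if re.fullmatch(regex, issuer_field) is None:
        return False
    return expected_serial is None or serial == expected_serial


if __name__ == "__main__":
    # Constructed process lists, not captured from a real client.
    lesson = "(winlogon.exe AND GoogleDesktop.exe) AND NOT gator*"
    print(process_check(lesson, ["winlogon.exe", "GoogleDesktop.exe", "explorer.exe"]))  # True
    print(process_check(lesson, ["winlogon.exe", "GoogleDesktop.exe", "GatorSetup.exe"]))  # False
    lab = "(notepad.exe AND NOT cmd.exe) OR (cmd.exe AND NOT notepad.exe)"
    for running in ([], ["notepad.exe"], ["cmd.exe"], ["notepad.exe", "cmd.exe"]):
        print(running, process_check(lab, running))
```

Running the script evaluates the lesson's expression against three constructed process lists and the Lab 11.1 expression against the four combinations the lab asks you to test; the lab expression is true only when exactly one of notepad.exe and cmd.exe is running, which is why the lab checks all four cases. A lowercase operator, as the lab warns, is treated as a process name and the parser rejects the expression rather than silently matching.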
Windows info check example (illustration: branch rules for Windows 7 SP1, Vista, XP SP2 or SP3, Windows Server 2003 SP1 or SP2, Windows Server 2008 SP1 or SP2, Windows 8, and fallback)

Client-Side Endpoint Security Part 2

You use client-side actions to start a particular software state on the client. The Access Policy Manager uses information configured in the client-side actions to install software that configures the system. The systems return to their previous states after the secure access session ends.

Lesson Objective: After this lesson, you will be able to list the client-side actions available with APM and understand the concept behind each one.

Understanding Client-Side Actions

The following client-side actions are available.

- Cache and session control: Loads a cache and session control access policy item that removes all session-specific information from the client's browser after logout or session termination. Cache and session control also allows you to configure session inactivity timeouts, clean up saved form information and passwords, and remove some other information from a Windows system.
- Protected workspace: Protected Workspace configures a temporary Windows user workspace for the secure access session that prevents external access, and deletes any files created before leaving the protected area.
- Windows group policy: The Windows group policy action assigns a Windows group policy template to an access policy in a network access session. Once assigned to a successful session, the Windows group policy reconfigures the client system's configuration to conform to the selected policy template. Using Windows group policy templates, you can make configuration changes to client systems that exist for the duration of the network access session. After the network access session is terminated, all Windows group policy changes are rolled back, and the client system reverts to its previous state.
Cache and Session Control Action

Use the Cache and Session Control action to remove the browser's cache of all temporary files from client PCs at the end of every session, and to control session inactivity options. When you use this option, the Secure Access Manager removes the cached information when the client uses the Logout button, or when the client closes the browser window to end the session. The cache control removes, and overwrites with zeroes, any data you select. You can also force session termination with this action, and set two user inactivity timeouts, one to lock the workstation and one to close the session.

Cache and Session Control action example (illustration: properties of the Browser Cache and Session Control action):
- Clear temporary internet files and cookies
- Clean forms and passwords autocomplete data
- Empty Recycle Bin
- Empty Temporary Folder
- Force session termination if the browser or webtop is closed
- Remove dialup entries used by Network Access client
- Terminate session on User Inactivity
- Lock workstation on User Inactivity

Note: The Cache and Session Control action is not compatible with the Protected Workspace action. You should not use a Protected Workspace action in a session that includes the Cache and Session Control action.

Protected Workspace Action

Protected workspace configures a temporary Windows user workspace for the secure access session that prevents external access, and deletes any files created before leaving the protected area. Protected workspace allows you to restrict end users from printing, saving files, or storing information in the Windows registry on a client accessing the secure access manager. Protected workspace reduces the risk of unintentional or accidental information leaks, but does not eliminate it. For example, EXE, DLL, and IME files are not encrypted.
Protected workspace restricts users to a temporary workspace on the remote system, which is newly created at the beginning of each new session. This workspace contains temporary Desktop and My Documents folders. In protected mode, the user cannot unintentionally or accidentally write files to locations outside the temporary folders. The protected workspace control deletes the temporary workspace and all of the folder contents at the end of the session.

Protected Workspace action example (illustration)

Note: Protected Workspace is not compatible with the Cache and Session Control action. You should not use a Protected Workspace action in a session that includes the Cache and Session Control action.

Windows Group Policy Action

The Windows group policy action allows you to assign a Windows group policy, which changes security settings for the Windows client environment for the duration of the network access session. To use Windows group policy functionality, you must purchase a separate license for the feature.

Windows Group Policy Templates

Windows group policy templates allow you to configure and assign group policies for Windows machines dynamically, per user session, in the access policy. Using Windows group policy templates, you can make configuration changes to client systems that exist for the duration of a network access or web applications session. The system applies the Windows group policy changes after the Windows group policy check is successful, and before resources are assigned. After the user terminates the session, all Windows group policy changes are rolled back, and the client system reverts to its previous state.

You can use predefined Windows group policy templates with Access Policy Manager.
To define your own Windows group policy templates, you must purchase a license for the GPAnywhere product from Full Armor.

Note: If you want to use Protected Workspace with Windows Group Policy, you must configure the access policy so that the Windows Group Policy action is processed first, and the Protected Workspace action follows it.

Note: For more information on Windows Group Policy Templates, refer to the BIG-IP Access Policy Manager product documentation.

Predefined Windows Group Policy Templates

The following table lists the predefined Windows group policy templates included with Access Policy Manager, and their functional descriptions.

Template - Description
- EC Domain XPSP2 Desktops Template - Microsoft Enterprise Client Policy for desktops and laptops. This is a moderate policy, balancing security and usability.
- Firewall Settings Template - Access Policy Manager settings for enabling the user's firewall. This policy is used to ensure that the user's Microsoft firewall is configured and running.
- GLBA Template - Based on the Gramm-Leach-Bliley (GLBA) standard. This policy is used for desktops and laptops to help prevent access to unauthorized information.
- HIPAA Template - Based on the HIPAA (Health Insurance Portability and Accountability Act) standard. This policy is used for desktops and laptops to help prevent access to unauthorized information.
- Highly Managed Template - Microsoft Common Usage (high) for desktops and laptops. This policy is used in managed environments and provides high restrictions on user access to devices, configuration, and applications.
- Lightly Managed Template - Microsoft Common Usage (light) for desktops and laptops. This policy is used in managed environments, and provides light restrictions on user access to devices, configuration, and applications.
- PCI Template - Based on the PCI (Payment Card Industry) standard. This policy is used for desktops and laptops to help prevent access to unauthorized information.
- SSLF Domain Template - Microsoft Specialized Security (Limited Functionality) for desktops and laptops. This is a more focused security policy, with greater restrictions on configuration access.
- Terminal Services Taskstation Template - Terminal Services for client terminal services. This policy is used in environments where the primary use is terminal services.

Lab 11.1 - Client-Side Process Checks

Lab Objective:
- Add new client-side checks to your access policy
- Test the new access policy and verify functionality

Estimated time for completion: 15 minutes

Lab Requirements:
- IP and port addresses available for use on BIG-IP APM that can be reached by the clients

Create a New Access Policy

1. Navigate to Access Policy :: Access Profiles and click Create.
2. Enter a Name of client_checks, then scroll down and select English as an Accepted Language.
3. Click Finished.
4. Click the Edit... link for client_checks to get into the Visual Policy Editor.
5. Your access policy should be empty right now and have only a Start and a Deny ending, with a plus sign (+) on the fallback leg in between.
6. Click the plus sign (+) on the fallback leg after Start.
7. Select the radio button for Windows Process Check in the Endpoint Security (Client-Side) tab and click the Add Item button.
8. Enter (notepad.exe AND NOT cmd.exe) OR (cmd.exe AND NOT notepad.exe) in the Expression field and then click the Save button. Note that AND, OR, and NOT must be in uppercase.
9. Click the plus sign (+) on the Successful leg after Windows Process Check.
10. Select the radio button for Advanced Resource Assign in the Assignment tab and then click the Add Item button.
11. Click the Add new entry button, then the Add/Delete link.
12. Select all of the available resources and webtop links, but do not select the static ACL or the static pool. Select the /Common/web_ui_webtop webtop, and then click the Update button and then the Save button.
13. Last, set the Successful leg of the Windows Process Check to Allow rather than Deny, then click Save.
14. Click Apply Access Policy and then click Close.

Assign and Test Your New Access Policy

15. Navigate to Local Traffic :: Virtual Servers and click on web_ui_vs.
16. Change the Access Profile from web_ui to client_checks.
17. Test the web_ui_vs virtual server by opening a browser session to https://10.10.X.104.
18. You should be prompted whether to allow site 10.10.X.104 to inspect your system. After allowing this, you should notice a Process Check message displayed in the browser.
19. Test with neither notepad.exe nor cmd.exe running on your PC.
20. Then test with only notepad.exe running.
21. Next test with only cmd.exe running.
22. Finally, test with both notepad.exe and cmd.exe running on the PC.

Note: Notice that no AD authentication is done, but the user still receives a resource.

A failed session reports: "Your session could not be established. The session reference number: ..."

23. From the admin shell, search the APM log for that session reference number:
    grep <session-id> /var/log/apm
24. You should see the text:
    Following rule 'fallback' from item 'Windows Process Check' to ending 'Deny'
    Access Policy result: Logon_Deny
25. If you do not see the expected results, use PuTTY to ssh into the BIG-IP and run the following command from the bash command line:
    tmsh modify sys db log.access.syslog value enable
    Then repeat steps 22 through 24.

Enable Continuous Checking

26. Log out of the session and run cmd.exe only. Open a browser to https://10.10.X.104.
27. Close the cmd.exe window. The connection to the webtop will continue to work. Test by clicking on a resource or a webtop link.
28. In the VPE, click on the Windows Process Check action again, enable Continuous Checking, then Save and Apply Access Policy.
29. Again, log out of the session and run cmd.exe only. Open a browser to https://10.10.X.104.
30. Close the cmd.exe window. What happens to the webtop? Click on a resource, but not a webtop link. What happens? Why not test using a webtop?

Note: You may have to wait for a minute or two for the connection to drop. How long did you have to wait?

Optional Lab 11.2 - Protected Workspaces

Lab Objective:
- Configure Client Protected Workspace

Estimated time for completion: 5 minutes

Configure Protected Workspace

1. Add a Windows Protected Workspace action in the Endpoint Security (Client-Side) tab to the Successful leg of the Windows Process Check.
2. If you are still logged in as studentX from the previous lab, you will need to log out and log back in again.
3. Test by trying to save a file to the Windows desktop, then logging out of the Protected Workspace (APM session) and seeing if the file is still there.

Optional Lab 11.3 - AV and Firewall Checks

Lab Objective:
- Configure Antivirus and Firewall Checks

Estimated time for completion: 5 minutes

Configure Antivirus and Firewall Checking

1. Remove the Windows Process Check and the Protected Workspace actions.
2. If your client machine is running antivirus software, add the Antivirus Check action in the Endpoint Security (Client-Side) tab on the Windows Process Check - Successful branch.
3. Select Antivirus Platform as Any, Vendor ID as Any, Product ID as Any, and State as Enabled.
4. Add the Firewall Check action in the Endpoint Security (Client-Side) tab on the Antivirus Check - Successful branch.
5. Select the Firewall Platform as Win, the Vendor ID as Microsoft Corp., the Product ID as Microsoft Windows Firewall 7, 8, Vista, XP SP2+, and the State as Enabled.
6. Test by enabling and disabling the client PC's antivirus (if used) and firewall applications.

Lab 11.4 - Configuration Backup

Objective:
- Create a backup archive

Save the Configuration
Create an archive named studentX_labs1-11.
2. Download the new archive to your desktop.

Chapter 12 — APM Advanced Topics

General Purpose Actions

Lesson Objective:
During this lesson, you will learn about Access Policy Actions and how to configure them.

About General Purpose Actions

In BIG-IP® Access Policy Manager™, you configure access policies with general purpose actions in the visual policy editor. Use general purpose actions to add logon pages, assign resources, variables, and route domains. General purpose actions also include structural actions that you can use to further refine the flow of access policies. The general purpose actions appear in the Add Item popup screen in the order that follows.

- Date time
  Checks the current time and/or date and compares with allowed values. Multiple branch rules may be used, e.g., connecting from 8am to 5pm follows one path, 5pm to 11pm follows another path and any other time follows the fallback path.
- Logon page
  Adds a logon page to the access policy. You can add a number of customized fields, including password fields or other flexible fields. You can also customize messages and links on the logon page, and create custom messages for different languages.
- External logon page
  Adds an external logon page to the access policy. This can be used with an external logon server to provide an external logon page for the access policy.
- Resource assign
  Assigns connectivity resources to the access policy. With this action, you can add network access, portal access, application tunnel and remote desktop resources. You must also assign a webtop for these via the Webtop and Links Assign action. Web application access management (access to a local traffic virtual server) does not require a resource assign action; however, you can assign ACLs.
- Webtop and Links Assign
  Assigns webtop links or webtops of different types to the access policy.
- Variable assign
  Assigns one or more variables to the access policy. Use this to modify configuration variables or session variables assigned to a session.
- SSO Credential Mapping
  Assigns an agent that allows you to map single sign-on credentials, which can be used to automatically submit user credentials to different backend servers.
- Route Domain and SNAT selection
  Selects a route domain object for policy-based routing. Route domains allow for highly configurable and complex VLAN routing. For more information on route domains and SNATs refer to the APM and TMOS product documentation.
- Message box
  Adds a message box that posts a message to the user. To continue, the user must click a link for which you provide the text. The user then proceeds on the same rule branch in the access policy.
- Dynamic ACL
  Allows assignment of Access Control Lists (ACLs) retrieved from an external directory server using methods such as RADIUS or LDAP.
- Empty action
  Adds a blank action from which you can create your own action.
- HTTP 401 Response
  Provides an HTTP 401 Response action for Basic or SPNEGO/Kerberos authentication.
- Full Resource Assign
  A more advanced version of resource assign. Assigns resources of all types to an access policy without the need for an additional Webtop and Links Assign action. It also provides advanced expression-based assignment of these resources, so for example an incoming client landing URI could be checked and evaluated and a particular resource assigned if passed.
- ACL Assign
  Assigns an Access Control List (ACL) to the access policy.
- Pool Assign
  Assigns a Local Traffic Pool to the access policy.
- Virtual Keyboard
  Displays a pop up window in the user's browser, which provides a virtual keyboard that allows the user to enter sensitive information such as passwords, while preventing snooping from keyboard loggers and other similar attacks.
- Citrix Smart Access
  Enables Citrix SmartAccess filters to be set when deploying with Citrix XenApp or XenDesktop.
- Logging
  Adds a logging agent that logs the specified session variables to the system logs.
- Decision box
  Adds a decision box that provides two options to the user for the access policy. You can then configure separate actions on the two branches, depending on user selections.
- iRule event
  Adds an iRule event to the access policy.

Adding and Customizing a Logon Page

You can customize the logon page with custom fields and text for different sections of the logon form. On the logon page you can also localize text messages for different languages. The logon page displays up to five logon page agents that can be fully customized. You can define a logon page agent with the following elements:

Type - Specifies the type of logon page agent. You can specify any agent to be text, password, or none.
- A text agent type displays a text field, and shows the text that is typed in that field.
- A password agent type displays an input field, but displays the typed text input as asterisks.
- A none agent type specifies that the field is not displayed on the logon page.

Post Variable Name - Specifies the variable name that is prepended to the data typed in the text field. For example, the POST variable username sends the user name input omaas as the POST string username=omaas.

Session Variable Name - Specifies the session variable name that the server uses to store the data typed in the text field. For example, the session variable username stores the username input omaas as the session variable string session.logon.last.username=omaas.

Read Only - Specifies whether the logon page agent is read-only, and always used in the logon process as specified. You can use this to add logon POST variables or session variables that you want to submit from the logon page for every session that uses this access policy.
You can use a read only logon page field to populate a field with a value from a session variable. For example, you can use the On-Demand Certificate agent to extract the CN (typically the user name) field from a certificate, and then you can assign that variable to session.logon.last.username. In the logon page action, you can specify session.logon.last.username as the session variable for a read only logon page field that you configure. When Access Policy Manager displays the logon page, this field is populated with the information from the certificate CN field (typically the user name).

The following figure shows some items that can be customized with the logon page action:

Figure (logon page layout): Form Header Text; Front image location; Logon page input field 1; Logon page input field 2; Logon button
Items that you can customize with the logon page action

Note: Customization is discussed in greater detail in a later Chapter.

Adding an External Logon Page

You can add a link to an external logon page to use for logon credentials. This can be used with an external solution to provide robust logon credentials to the access policy. When the user reaches the external logon page action, the following occurs.

- The access policy manager sends an HTML page containing JavaScript code that redirects users to the external server.
- The client submits a post_url variable. This post variable is used by the external application to return a value to the access policy. When the user completes authentication on the external server, the external server posts back to the URL specified in this variable, to continue the session.

The value of post_url is in the format: http(or https)://<hostname>/my.policy. The <hostname> is the URI visible to the user, taken from the HTTP Host header value sent by the browser.
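Since the <hostname> part of post_url comes from the browser's Host header, the external logon server ends up posting the user's credentials to whatever host post_url names; a sensible check on that server is to accept only a post_url that points at one of its own APM virtual servers. The following is an added example of such a check, not code from this manual or from F5; the allowed host list and the URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# APM virtual servers this external logon server is allowed to post
# credentials back to. Constructed for this example.
ALLOWED_HOSTS = {"apm.example.com", "10.10.1.104"}


def validate_post_url(post_url: str, allowed_hosts=ALLOWED_HOSTS,
                      require_https: bool = True) -> bool:
    """Return True only if post_url is an APM policy URL on an expected host.

    Checks performed:
      * scheme is https (http is accepted only when require_https is False)
      * no user-info part in the URL (no "user@" tricks in the authority)
      * host is in the allow list (case-insensitive)
      * port is absent or the scheme default
      * path is exactly /my.policy, the path APM expects the post-back on
    """
    try:
        parts = urlsplit(post_url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme not in ("https", "http"):
        return False
    if require_https and parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        return False
    default_port = 443 if parts.scheme == "https" else 80
    if port not in (None, default_port):
        return False
    if parts.path != "/my.policy":
        return False
    return True


if __name__ == "__main__":
    for url in ("https://apm.example.com/my.policy",
                "https://apm.example.com@evil.example.net/my.policy",
                "https://apm.example.com:8443/my.policy"):
        print(url, "->", validate_post_url(url))
```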
HTML Content Sample for External Logon Page Submission

The following figure shows the content of a sample submission to an external logon server from the external logon page action.
External Logon Page Submission Sample

Sample Request from External Logon Page to Virtual Server

After the external logon server validates the user, the external server must return the user to the URL specified in post_url, and must post the username and password variables, which are then used by Access Policy Manager to validate the user, as shown in the following figure:

    POST /my.policy HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/x-silverlight, */*
    Referer: https://external_server_IP_address/loginform2.1.php
    Accept-Language: en, zh-tw;q=0.8, zh-cn;q=0.5, ja;q=0.3
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Host: virtual_server_IP_address
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: LastMRH_Session=<value>; MRHSession=<value>

    username=<username>&password=<password>

Example Message Box

Adding a Decision Box

You can add a decision box anywhere in an access policy. You use a decision box to present two options to the user. You might use a decision box when a user fails an endpoint security check, or when a user fails to authenticate.
In these cases, one branch can provide an option to allow the user to continue onto a quarantine network that provides only limited access to a segregated subnet. The other branch can provide an option to log out, and present the user with a logon denied ending. Another use could be to allow the user to continue to a redirect ending that takes the user to a helpful URL, for example, to the web site of an antivirus vendor to download virus database updates.

Figure (decision box properties): Properties and Branch Rules tabs; Name; Customization; message text ("Choose one of the following two options below"); Field 1 image; Field 2 image; Option 1; Option 2
Example Decision Box

Adding an iRule Event

You can add an iRule event anywhere in an access policy. You use an iRule event to add iRule processing to an access policy at a specific point.

To add an iRule event action:
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a rule branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. Select iRule event and click Add Item. The Custom iRule Event Agent popup screen opens.
5. In the ID box, type the iRule event you want to insert.
6. Click Save.

Note: iRule event access policy items must be processed and completed before the access policy can continue.
Example iRule Event Item

Server Side Checks

Lesson Objective:
During this lesson, you will learn about server-side checks.

Introducing Server-Side Checks

In addition to client-side checks, the BIG-IP® Secure Access Manager™ provides server-side checks. When the access policy is processed, server-side checks allow the server to check clients and make policy decisions based on information that a client presents to the server. For example, the UI mode check presents a query to find out what type of client is connecting, and routes the client to the different policy branches (for full browser clients, standalone clients, or neither) based on the results of the query.

Server side checks include:
- Client-side Check Capability
- Client Type
- Client for MS Exchange
- Client OS
- Landing URI
- IP Geolocation Match

Client Type Check

You can use the client type check to determine whether the client is using a full browser, the standalone client, or another client to access the Access Policy Manager. The default Client Type check includes five branches:
- An Edge Portal branch, which indicates that the user is connecting with the Edge Portal mobile app.
- An Edge Client branch, which indicates that the user is connecting with the BIG-IP Edge Client or BIG-IP Edge Client app, supported on multiple devices and operating systems.
- A Citrix Receiver branch, which indicates that the user is connecting using a Citrix Receiver.
- A Full or Mobile Browser branch, which indicates that the user is connecting with a Windows web browser or a mobile browser.
- A Fallback branch, which indicates that the user is connecting with another method.
Figure (Client Type check configuration): branch expressions such as "UI Mode is Full Browser" and "UI Mode is Pocket PC"
Example Client Type Check Configuration Screen

Setting Up the Client Type Access Policy Item

We recommend that you use the client type check as one of the first checks in your access policy. You can then configure the Edge Client branch with all of the checks that you require for fully capable clients, while also providing access policy branches for other clients. You can also provide different resources or simpler checks for mobile clients using the Edge Portal app, assign Mac checks to MacOS clients, and make other choices based on the client type response.

To Add a Client Type Action
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If server-side check actions are not expanded, click the plus sign (+) next to Server Side Checks.
5. Select Client Type and click Add Item to add the action to the access policy. The Client Type action popup screen opens.
6. Click Save to complete the configuration.
7. To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.

Example: Using Client Type Check

In this example, you add a client type check, add a cache and session control endpoint security check to the full browser branch, and change endings to allow for all non-fallback branches.

Note: This is not a complete example.
For the example to work, you must assign an Allow ending to successful branches. You can assign a network access, portal access, app tunnel, or remote desktop resource using one of the resource assign actions, along with an associated network access, portal access, or full webtop. For an LTM + APM connection, you need not assign resources. This example is configured starting with an empty access policy.

To Add the Example Client Type Check Action
1. On the Main tab of the navigation pane, expand Access Policy, then click Access Profiles. The Access Profiles List screen opens.
2. In the profile list, find the access policy you want to edit, then click Edit in the Access Policy column. The visual policy editor opens in a new window or new tab, depending on your browser settings.
3. On a branch of the access policy, click the plus sign (+) to add an action. The Add Item popup screen opens.
4. If server-side check actions are not expanded, click the plus sign (+) next to Server Side Checks.
5. Select Client Type and click Add Item to add the action to the access policy. The Client Type action popup screen opens.
6. Click Save.
7. On the Full Browser branch following the Client Type action, click the plus sign (+). The Add Item popup screen opens.
8. If client-side check actions are not expanded, click the plus sign (+) next to Client Side Checks.
9. Select Cache and Session Control and click Add Item. The cache and session control action popup screen opens.
10. Click Save.
11. On all branches except for the fallback branches, configure Allow endings.
12. Configure logon denied endings for all other branches. To configure endings, see Configuring access policy endings. The completed policy appears as shown below.
13.
To activate the access policy, click the Apply Access Policy link at the top of the visual policy editor screen.

Example Client Type Check Policy

Client OS Check

The client OS check allows you to check the operating system the client is using. The default client OS check includes eight rule branches. Seven of these rule branches correspond to the operating systems specified in the name of the rule. If, while running the access policy, Access Policy Manager detects the operating system on the client as one of the specified operating systems, the access policy uses that rule branch. The access policy uses the fallback rule branch when it detects any other operating system. These are the operating system rule branches:
- Windows 8®
- Windows 7®
- Windows Vista®
- Windows XP®
- Windows 2000®
- Windows Server 2008®
- Windows Server 2003®
- Windows Mobile®
- Linux
- Android®
- MacOS®
- iOS

Setting Up the Client OS Check

We recommend that you use the client OS check at the beginning of an access policy, so you can build access policies using the separate operating system branches for functionality specific to those operating systems.

Example Client OS check screen

Checking the Landing URI of a Client

The landing URI action checks the landing URI the client entered to reach the access policy. The landing URI is the actual landing address after the domain name; for example, for an Outlook Web Access connection at http://www.siterequest.com/owa, the landing URI is /owa. The landing URI action provides a separate rule branch for each configured URI, and a fallback branch is provided for URIs that do not conform.
Checking a Landing URI with the Landing URI Check

You can use the Landing URI check to check the landing URI with which the user has accessed the access policy. The default Landing URI check includes two branches:
- A Landing URI branch, which indicates the landing URI for which the policy should check, and evaluates as true if the specified landing URI is reached.
- A Fallback branch, which indicates that the user is connecting with a different landing URI.

Example Landing URI check. Users can connect to the virtual server by name or IP address alone, or use a landing URI such as https://192.168.109.200/land1 or https://192.168.109.200/land1/. Connecting elsewhere will be directed to the fallback path.

Note: For more details on Server side checks refer to the Configuration Guide for BIG-IP Access Policy Manager.

Session Variables

Lesson Objective:
During this lesson, you will learn how Session Variables can be used in APM.

Understanding Session Variables

Session variables can be of two types:
- System variables
  These session variables are created in the APM product automatically for use by the system in various actions.
- Custom variables
  These session variables are created by the system administrator, typically for use in manipulating policy flow. They can be used by themselves or in combination with system variables. They are created using the Variable Assign Agent. This agent may also be used to manipulate system session variable values.

Figure (Variable Assign agent): Assignment 1: session.assigned.pool = expr {/Common/static_pool}; Assignment 2: a custom variable
Example Variable Assign agent. Reading from the top down, it shows (1) setting a system variable value, and (2) creating and setting a custom variable.

The rules in access policies use the values that the actions return in session variables.
During access policy operation, the Access Policy Manager collects various information about the system that is attempting access. This information is organized in a hierarchical arrangement and is stored as the user's session data. Session variables are variables that allow the access policy to access the user's session data. The name of a session variable consists of multiple hierarchical nodes separated by periods (.).

The Access Policy Manager names session variables in the following manner:

session.ad.$name.queryresult = query result (0 = failed, 1 = passed)
session.ad.$name.authresult = authentication result (0 = failed, 1 = passed)
session.ad.$name.attr.$attr_name = the name of an attribute retrieved during the Active Directory query. Each retrieved attribute is converted to a separate session variable. Note that attributes assigned to a user on the AAA server are specific to that server, and not to Access Policy Manager.

The following illustration shows how Access Policy Manager names session variables.

Figure (session variable naming scheme): 1st level: session; 2nd level: type (radius, windows_check_file, ssl); 3rd level: agent name ($name, last, cert); intermediate levels carry further information; 4th level: node name (attr, result); 5th level: attribute name (framed-ip). Example: session.radius.$name.attr.framed-ip.
Session variable naming scheme

Note: Do not change the name of system created session variables, as later functionality will expect them to exist using those exact names, SSO being a particular example.

Using Session Variables

You can use session variables to customize access rules or to define your own access policy rules. You can assign users specific resources based on session variables, using the resource assign action. You can use session variables to configure rules in access policies.
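The following is an added example, not code from this manual or from F5, that reads the kind of log lines Lab 11.1 (steps 23 to 25) greps out of /var/log/apm, reconstructs per session the rule transitions the policy followed, its final result and the session variables it logged, and stores those variables in the dotted hierarchy described above. The log line layout, host name, message ids, session ids and variable values are all constructed for this example; the only phrases taken from the text are "Following rule ... from item ... to ending ..." and "Access Policy result: Logon Deny", and the real /var/log/apm format may differ.

```python
import re
from collections import defaultdict

# Constructed /var/log/apm excerpt for two sessions (not real APM output).
SAMPLE_LOG = """\
Jan 15 10:02:11 bigip1 notice apd[1234]: 01490000:5: 723c8a16: Session variable 'session.logon.last.username' set to 'jpjones'
Jan 15 10:02:11 bigip1 notice apd[1234]: 01490000:5: 723c8a16: Session variable 'session.windows_check_process.last.result' set to '0'
Jan 15 10:02:11 bigip1 notice apd[1234]: 01490000:5: 723c8a16: Following rule 'fallback' from item 'Windows Process Check' to ending 'Deny'
Jan 15 10:02:11 bigip1 notice apd[1234]: 01490000:5: 723c8a16: Access Policy result: Logon Deny
Jan 15 10:05:40 bigip1 notice apd[1234]: 01490000:5: 9a0b1c2d: Session variable 'session.logon.last.username' set to 'studentX'
Jan 15 10:05:40 bigip1 notice apd[1234]: 01490000:5: 9a0b1c2d: Session variable 'session.windows_check_process.last.result' set to '1'
Jan 15 10:05:40 bigip1 notice apd[1234]: 01490000:5: 9a0b1c2d: Session variable 'session.assigned.webtop' set to '/Common/web_ui_webtop'
Jan 15 10:05:40 bigip1 notice apd[1234]: 01490000:5: 9a0b1c2d: Following rule 'Successful' from item 'Windows Process Check' to ending 'Allow'
Jan 15 10:05:40 bigip1 notice apd[1234]: 01490000:5: 9a0b1c2d: Access Policy result: Allow
"""

# Assumed line layout: "...: <8 hex char session id>: <message>".
SID_RE = re.compile(r": ([0-9a-f]{8}): (.*)$")
RULE_RE = re.compile(r"Following rule '([^']*)' from item '([^']*)' to (?:ending|item) '([^']*)'")
RESULT_RE = re.compile(r"Access Policy result: (.*)$")
VAR_RE = re.compile(r"Session variable '([^']+)' set to '([^']*)'")


def parse_apm_log(text):
    """Group log lines by session id into path, final result and variables."""
    sessions = defaultdict(lambda: {"path": [], "result": None, "vars": {}})
    for line in text.splitlines():
        m = SID_RE.search(line)
        if not m:
            continue
        sid, msg = m.groups()
        s = sessions[sid]
        if (r := RULE_RE.search(msg)):
            s["path"].append(r.groups())          # (rule, from item, to item/ending)
        elif (r := RESULT_RE.search(msg)):
            s["result"] = r.group(1).strip()
        elif (r := VAR_RE.search(msg)):
            s["vars"][r.group(1)] = r.group(2)
    return dict(sessions)


def denied_sessions(sessions):
    """Map session id -> (item, rule) for sessions whose last transition reached a Deny ending."""
    out = {}
    for sid, s in sessions.items():
        if s["path"] and s["path"][-1][2] == "Deny":
            rule, item, _ = s["path"][-1]
            out[sid] = (item, rule)
    return out


# Key under which a node keeps its own value when it also has children, which
# happens in the reference table (session.policy.result is a value and also the
# parent of session.policy.result.webtop.type).
VALUE = "_value"


def build_tree(flat):
    """Turn {'session.a.b': v} pairs into the nested hierarchy the names encode."""
    root = {}
    for name, value in flat.items():
        node = root
        parts = name.split(".")
        for part in parts[:-1]:
            child = node.get(part)
            if not isinstance(child, dict):
                child = {} if child is None else {VALUE: child}
                node[part] = child
            node = child
        leaf = parts[-1]
        if isinstance(node.get(leaf), dict):
            node[leaf][VALUE] = value
        else:
            node[leaf] = value
    return root


def get_var(tree, name, default=None):
    """Look up a dotted session variable name; a missing node yields default."""
    node = tree
    for part in name.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node.get(VALUE, default) if isinstance(node, dict) else node


if __name__ == "__main__":
    sessions = parse_apm_log(SAMPLE_LOG)
    for sid, (item, rule) in denied_sessions(sessions).items():
        print(f"{sid}: denied at '{item}' via rule '{rule}' -> {sessions[sid]['result']}")
    tree = build_tree(sessions["9a0b1c2d"]["vars"])
    print(get_var(tree, "session.assigned.webtop"))
```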
You can use the values of session variables to provide different outcomes for policies. The rules in an access policy store the values that the actions return in session variables. A session variable contains a number or string that represents a specific piece of information. You can use the session variable strings in the visual policy editor, to customize a rule for a specific action in an access policy.

Note: When using session variables in an access policy configuration, for example, in a logging agent, a session variable may or may not exist depending on the result of the access policy process.

You can view the session variables for a session by expanding Access Policy on the main navigation pane and going to the Reports section. Expand the Built In Reports section and run either All Sessions or Current Sessions for example. In the output, click a Session ID link or click View Session Variables to view the session variables for the session.

Example Report showing a session

You can also view session variables logged to the APM logfile /var/log/apm.

A Message Box agent can also be used to display the value of a session variable to a user while the APM policy is executing. This is useful for troubleshooting. The syntax to use is: %{session variable name}

Figure (Message Box agent): message text "Welcome %{session.logon.last.username}"; link text "Click here to continue"
Example Message Box Agent with Session Variable

Figure (output): "Welcome jpjones" / "Click here to continue"
Example Output of Session Variable Set Inside a Message Box Agent

When you use session variables, you typically write them in custom rules, in the Tcl language. This is discussed later in this module.

Session Variables in the Configuration Utility

Within the BIG-IP Access Policy Manager configuration utility, for many configuration fields, you can use a session variable to reference data from the session that populates a field at session runtime.
Some points to note are:
- Not all fields support session variables. The list of supported fields is detailed in the Configuration Guide for BIG-IP Access Policy Manager.
- Session variables in a configuration field can be encrypted, for example password fields.
- Any field that supports session variables can support multiple session variables. For example, you can create a URL from session variables:
  - Use session.logon.protocol to specify the protocol for the URL.
  - Use session.network.name to specify the host address portion of the URL.
  - Use session.start.path to specify the path info that follows the host address.
  So if a URL is of the form https://www.siterequest.com/owa:
  - https is session.logon.protocol
  - www.siterequest.com is session.network.name
  - owa is session.start.path

Here is an example where an application access RDP server connection is configured using a session variable as the destination. This session variable is defined and set elsewhere in the access policy attached to the virtual server.

Figure (Access Policy >> Application Access : Remote Desktops : Remote Desktops >> RDP link via session variable): Type: Host Name; Host Name: %{session.logon.last.rdpserver}
Example configuration utility using a session variable

Note: For more details on session variables refer to the Configuration Guide for BIG-IP Access Policy Manager.

Session Variables Reference

This table includes session variables and related reference information for each session variable that you can use with Access Policy Manager.

Note: Refer to the Configuration Guide for BIG-IP Access Policy Manager, Appendix C, for more examples of session variables and reference tables.
Session variables for BIG-IP Access Policy Manager Agent | Name Type | Format | Description ‘Active | session.ad.Sname.queryresult bool Result ofthe Active Directory Directory ‘query action 0- Failed 1 - Passed session.ad $name authresult bool Resul of the Active Directory ‘authentication attempt 0- Failed 1-Passed session.adSname.attrSattr_name | string Users attributes retrieved during Active Directory query. Each attribute is converted to a ‘separate session variable, session.ad Sname.attr. group Sattr__| string Users group attributes retrieved Configuring BIG-IP APM v11 12:21 12.22 Chapter 12 - APM Advanced Topics Session variables for BIG-IP Access Policy Manager Agent Type Format Description name during Active Directory query. Each group altribute is converted toa separate session variable. LDAP, action session dap $name.authresuit session Idap$name.altr Satt_ name boo! string Result of the LDAP authentication attempt 0- Failes 1- Passed Users altrbutes retrieved during AD query. Each attnbute is Converted to a separate session variable session.{dap.$name.queryresult bool Result of the LDAP query. 0- Failed 1 Passed RADIUS, ‘action session radius.Sname.authresult session radius. $name alr Satt_ bool string Resull of the RADIUS authentication attempt. 0- Failed 1-Passed User attributes retrieved during RADIUS authentication, Each attribute is converted to a separate session variable, Denies Ending session.polcy.result string “The result of the access policy. ‘The results the ending; for this ending, the result is access_denied. Redirect, Ending session policy. result session policy. result redirect uri string string “redirect” ‘The result of the access policy. The results the ending: for this ending, the result is redirect. 
‘The URL specified in the redirect, for example, “hitp:iwwwsiterequest.com* ‘Allowed Ending session policy.result session.policy.resultwebtop network_access.autolaunch session.policy.result.webtop type string string string "webtop" “resname" “network, access” ‘The result of the access policy. The result is the ‘ending; for this ending, the result is webtop. The resource that is automatically started for a network access webtop The type of webtop resource. ‘The webtop type can be network access or web_application. Antivirus check 12.22 session.windows_check_ av.Sname.result integer 0 - Indicates an Antivirus failure 1- Indicates at least one Configuring BIG-IP APM v11 Chapter 12 - APM Advanced Topics 12-23 ‘Session variables for BIG-IP Access Policy Manager Agent | Name Type | Format | Description ‘Antivirus matches the criteria session.windows_check_av | string Control string of the virus $name item_0.db_signature database session.windows check av | integer 0- data is not available Sname item_0.db_time rnon-0 integer - Date of last database update (seconds since 1/1/1970) session.windows_check_av.$n_| string Antivirus database version, ‘ame item_0.db_version Antivirus | session.windows_check av | integer 41 Antivirus check | $name. item_O.features: 2 Anti-spyware 3 - Personal Firewall 4~ Application Firewall session.windows check av | string ‘Antivirus Type ID (for $name item_0.id example, MeafeeAV) session.windows check av | string Software name $name item_O.name session.windows_check_av | integer 0- Undefined Sname.item_0.state 1 Antivirus protection is active 2.- Antivirus is not active (disabled) session.windows_check_av. Ulstate $name item_0.ui session.windows_check_av. | string Antivirus vendor Sname.item_O.vendor session.windows_check_av. | string Antivirus version Sname.item_0.version session.windows_check_av. 
| integer Number of detected antivirus Sname.Count Decision | session.decision_box.ast.result | integer (0- User chooses option 2 on box the decision page, which ‘corresponds to the fallback rule branch in the action 4 - User chooses option 1 on the decision page File session.windows check file | string True - if all files exist on the check | Sname.item_0.exist client session.windows_check file | integer Set when files on the client Sname.item_O.result Configuring BIG-IP APM v11 ‘meet the configured 12-23 12:24 Chapter 12 - APM Advanced Topics. Session variables for BIG-IP Access Policy Manager Agent | Name Type | Format | Description attributes, session windows check file | string MDS value of a checked file. $name item_0.md5 session.windows_check file | string The version of a checked file. $name.item_0.version session.windows_check file | integer The file size, in bytes. $name.item_0.size session.windows_check fle Date the fle was modified in $name item_0.modified UTC form, File session.windows_check_file File signer information, check | Sname item_0.signer Firewall | session.windows_check fw | string Name of the firewall software. check | Sname.item_O.name session.windows_check fw | integer (0000 - Unknown type $name item_0.features (0002 - Personal Firewall (0004 - Application Firewall session.windows_check fw | string 1 - Firewall is active Sname.item_0.state 2-- Firewall is not active (disabled) 0- undefined session.windows_check fw | integer 1 Atleast one active firewall Sname.state is detected 0- No active firewalls detected session.windows_check fw | integer The number of detected $name.count firewalls, session.windows check fw | integer (0 - No firewalls match the $name,resuit criteria, 1 - Atleast one firewall matches the criteria session.windows check fw | string Type ID of the firewall (for $name item_0.id example, McAfeeFW) session.windows_check fw | string The firewall software version. 
$name.item_O.version Process | session.windows_check_ integer 0- Failure check —_| process $name.result 1 - Success -1 - Invalid check expression Registry | session.windows_check_ integer 0- Failure check —_| registrys $name.result 1- Suocess 12.24 Configuring BIG-IP APM v11 Chapter 12 - APM Advanced Topics 12-25 Session variables for BIG-IP Access Policy Manager Agent | Name Type | Format _| Description “1 - Invalid check expression Windows | session.windows_info_os string ‘Stores the Internet Explorer info Sname.ie_version version session.windows_info_os string | "ISP2;KB | A lstof installed SP and KB ‘Sname.ie_updates 412345)KB__| fixes for Intomet Explorer 543211" Windows | session.windows_info_os string WinXP - Windows XP info $name. platform Win2k - Windows 2000 WinNT - Windows NT4 Win9S - Windows 95 Win98 Windows 98 Win98SE - Windows 98 SE WinME - Windows Me Win2003 - Windows 2003 Winvi - Windows Vista WinLH - Windows 2008 session.windows_info_os string | "SP2;KB | A lst of installed SP and KB Sname.updates 42345iKB__| fixes for Windows 54321!" session.windows_info_os string List of current windows user Sname.user names session windows_info_os string List of computer names $name,computer Resource | session.assigned.resource_ | String | “rgnamet | A space-delimited list of allocation | groups sgname2" | assigned resource groups. This list is generated based cn the list of assigned resource groups. session assigned. webtop string | ‘webtop_na | The name of the assigned me" webtop. 
Client certificate authentication | session.ssl.cert.x509extension | string | | X509 extensions
Client certificate authentication | session.ssl.cert.ou | string | | Organizational Unit
Client certificate authentication | session.ssl.cert.cn | string | | Common Name
Client certificate authentication | session.ssl.cert.valid | string | | Certificate result (OK or error string)
Client certificate authentication | session.ssl.cert.exist | integer | | 0 - certificate does not exist; 1 - certificate exists
Client certificate authentication | session.ssl.cert.version | string | | Certificate version
Client certificate authentication | session.ssl.cert.serial | string | | Certificate serial number
Client certificate authentication | session.ssl.cert.end | string | | Validity end date
Client certificate authentication | session.ssl.cert.start | string | | Validity start date
Client certificate authentication | session.ssl.cert.issuer | string | | Certificate issuer
Client certificate authentication | session.ssl.cert.email | string | | Email
Client certificate authentication | session.ssl.cert.c | string | | Country
Client certificate authentication | session.ssl.cert.st | string | | State
Session management | session.ui.mode | enum | 0 - full HTML; 1 - mini HTML; 2 - iMode; 3 - XML; 4 - WML; 5 - WAP; 6 - Pocket PC | The UI mode, as determined by HTTP headers.
Session management | session.ui.lang | string | "en" | The language in use in the session.
Session management | session.ui.charset | | | The character set used in the session.
Session management | session.client.type | enum | "ie", "firefox", "standalone" | The client type as determined by HTTP headers.
Session management | session.client.version | string | |
Session management | session.client.js | bool | |
Session management | session.client.activex | bool | |
Session management | session.client.plugin | bool | |
Session management | session.client.platform | string | "Linux", "MacOS", "Pocket PC", "WinCE" | The client platform as determined by HTTP headers.

Special Purpose User Session Variables

Use the following session variables with the variable assign action to customize the behavior of a user session.

Special purpose user session variables

Name | Type | Format | Description
session.assigned.acls | string | "ACL1 ACL3 ACL5" | A space-delimited list of assigned ACLs.
session.assigned.acls_sorted | string | "ACL1 ACL3 ACL5" | A space-delimited list of assigned ACLs. This variable is created to store the list of ACLs. To modify the list of ACLs with the variable assign action or an advanced access policy rule, modify the previous session variable, session.assigned.acls.
session.assigned.clientip | string | xxx.xxx.xxx.xxx, for example 192.168.1.210 | The informational variable that stores the client IP address assigned by Access Policy Manager.
session.end | string | admin_terminated, logged_out, timed_out | An informational variable that stores the reason the session was terminated.
session.assigned.leasepool | string | lp1 | The lease pool assigned to the client session.
session.assigned.resources | string | "res1 res3 res5" | A space-delimited list of assigned resource names. This list is generated based on the list of assigned resource groups.
session.assigned.route_domain | int | 1 | The route domain ID number assigned to the client session.
session.user.sessionid | string | string, for example 2240683 | The ID for a session.
session.logon.last.username | string | | You can use the session user name variable with the variable assign action to replace the user name value that is passed to an authentication action in the access policy. An authentication action then authenticates with this user name value.
session.logon.last.password | string | "password" | Contains the user password that is collected in the logon page action. This variable stores the password, then sends it to the authentication server. You should not configure the variable assign action to replace this variable.

Introducing Tcl

You write rules in Tcl.
Although this section is not an exhaustive reference about writing and using Tcl expressions, it includes some common operators and syntax rules. Tcl expressions begin with the syntax expr. For more information, see http://www.tcl.tk/man/tcl8.5/TclCmd/expr.htm.

Note: You use iRules™ on the BIG-IP system to provide functionality to the BIG-IP system components. Tcl commands specific to iRules are not available in access policy rules.

Standard Operators

You can use Tcl standard operators with most BIG-IP® Access Policy Manager rules. You can find a full list of these operators in the Tcl online manual, at http://www.tcl.tk/man/tcl8.5/TclCmd/expr.htm. Standard operators include:

Standard Operators

Operator | Usage
- + ~ ! | Unary minus, unary plus, bit-wise NOT, logical NOT. None of these operators may be applied to string operands, and bit-wise NOT may be applied only to integers.
** | Exponentiation. Valid for any numeric operands.
* / % | Multiply, divide, remainder. None of these operators may be applied to string operands, and remainder may be applied only to integers. The remainder will always have the same sign as the divisor and an absolute value smaller than the divisor.
+ - | Add and subtract. Valid for any numeric operands.
<< >> | Left and right shift. Valid for integer operands only. A right shift always propagates the sign bit.
< > <= >= | Boolean less than, greater than, less than or equal to, and greater than or equal to. Each operator produces 1 if the condition is true, 0 otherwise. These operators may be applied to strings as well as numeric operands, in which case string comparison is used.
== != | Boolean equal to and not equal to. Each operator produces a zero/one result. Valid for all operand types.
eq ne | Boolean string equal to and string not equal to. Each operator produces a zero/one result. The operand types are interpreted only as strings.
in ni | List containment and negated list containment. Each operator produces a zero/one result and treats its first argument as a string and its second argument as a Tcl list. The in operator indicates whether the first argument is a member of the second argument list; the ni operator inverts the sense of the result.
& | Bit-wise AND. Valid for integer operands only.
^ | Bit-wise exclusive OR. Valid for integer operands only.
| (vertical bar) | Bit-wise OR. Valid for integer operands only.
&& | Logical AND. Produces a 1 result if both operands are non-zero, 0 otherwise. Valid for boolean and numeric (integers or floating-point) operands only.
|| (two vertical bars) | Logical OR. Produces a 0 result if both operands are zero, 1 otherwise. Valid for boolean and numeric (integers or floating-point) operands only.
x ? y : z | If-then-else, as in C. If x evaluates to non-zero, then the result is the value of y. Otherwise the result is the value of z. The x operand must have a boolean or numeric value.

Rule Operators

A rule operator compares two operands in an expression. In addition to using the Tcl standard operators, you can use the operators listed below.

Rule Operators

Operator | Usage
contains | Tests if one string contains another string.
ends_with | Tests if one string ends with another string.
equals | Tests if one string equals another string.
matches | Tests if one string matches another string.
matches_regex | Tests if one string matches a regular expression.
starts_with | Tests if one string starts with another string.
switch | Evaluates one of several scripts, depending on a given value.

Logical Operators

Logical operators are used to compare two values.

Logical operators

Operator | Usage
And | Performs a logical "and" comparison between two values.
Not | Performs a logical "not" action on a value.
Or | Performs a logical "or" comparison between two values.

Using Advanced Access Policy Rules

You can use advanced rules in an access policy to provide customized functionality to users. This functionality is useful when the default access policy rules and the rules created with the expression builder do not provide the functionality you require.

When you write an expression in the Advanced tab of the rule popup screen, a non-zero return value typically causes the rule to be evaluated as true or successful, and the access policy follows the corresponding rule branch. A return value of 0 causes the rule to be evaluated as false, and the rule follows the corresponding branch, or a fallback branch.

Understanding Advanced Access Policy Rule Situations

You can use advanced access policy rules in four situations in the visual policy editor.

• You can use an advanced access policy rule to make flexible decisions after an access policy action completes. To do this, you add the advanced access policy rule on the Advanced tab in the Expression popup screen of an action. In this scenario, if the value returned by the expression is not zero, the rule is evaluated as true, and the access policy runs and follows the corresponding rule branch. If the value returned by the expression is zero, the rule is evaluated as false, and the access policy follows the branch assigned to the negative response (typically a fallback branch).

• You can use an advanced access policy rule to add flexibility when assigning resources to users. To do this, you add the advanced access policy rule on the Advanced tab in the Expression popup screen of the resource assign action. In this scenario, if the value returned by the expression is not zero, the resource assignment rule is evaluated as true, and the corresponding resource or ACL is assigned to the user.
If the value returned by the expression is zero, the resource assignment rule is evaluated as false, and the resource or ACL is not assigned.

• You can use an advanced access policy rule to add flexibility by creating a custom session variable, and then assigning the session variable in other advanced access policy rules. To do this, you use the custom variable and custom expression options in the variable assign action. In this scenario, the value returned by the custom expression is assigned to the custom variable.

• You can use an advanced access policy rule to override the properties of an assigned network access resource. To do this, you assign a configuration variable to a custom expression, in the variable assign action. In this scenario, the value returned by the expression is used to overwrite the value of the selected property from the network access resource.

Writing Advanced Access Policy Rules

Advanced access policy rules are written in the Tcl programming language. An advanced access policy rule is a Tcl program. You can use the various facilities provided by the Tcl language in advanced access policy rules. For example, you can use loops (while, foreach, and so on), conditions (if/else, switch, and more), functions (proc), and built-in Tcl commands (string, split, for instance) as well as various Tcl operators. For comprehensive documentation on the Tcl language, see http://www.tcl.tk/doc/

Understanding the mcget Command

In Access Policy Manager access policies, session variables are accessed from system memory during the evaluation of an access policy rule. Access Policy Manager stores all session variables generated in a session in its memory cache. The Tcl command that gets these variables is mcget, which is an abbreviation for "get the session variable from the memory cache." The general syntax to access a session variable follows.
    [mcget {session.ssl.cert.cn}]

In this example, the name of the session variable, session.ssl.cert.cn, is enclosed in braces { }. The brackets [ ] that enclose the entire command are the Tcl notation for command evaluation.

Using a Tcl expression or program as an advanced access policy rule

You can use a Tcl expression or a complete Tcl program as an advanced access policy rule. The return value of the expression or program is used to evaluate the access policy rule. For example, the following access policy rule uses a Tcl expression to check if the Organizational Unit (OU) field of a user certificate contains the text PD.

    expr { [mcget {session.ssl.cert.ou}] contains "PD" }

The return value of the expression is the return value used in the access policy rule.

Note: The Tcl language specifies that the expression begin with the syntax expr. For a complete description of the various operators and syntax allowed in a Tcl expression, see http://www.tcl.tk/man/tcl8.0/TclCmd/expr.htm

Understanding Advanced Access Policy Rule Limitations

In Access Policy Manager, the Tcl code entered in an action is not validated for proper Tcl syntax. If there is a Tcl syntax error in a rule, this error is not caught at configuration time, but the rule fails at session establishment time. We recommend that you test rules with an independent Tcl shell before they are configured in the access policy to avoid this.

The semicolon separator (;) is required between two consecutive Tcl statements. This is not the same as using the default newline (\n) as a separator.

Note: The name space for Access Policy Manager is shared across all rules. If you define a Tcl variable in one rule, it is accessible in another rule also.
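The expression above tests a single session variable. The following is an added example, not code from the F5 guide: a complete Tcl program used as an advanced access policy rule. It reads several of the session variables documented earlier on this page, prefixes its local variables and separates statements with semicolons as the limitations section requires, fails closed when a variable is unset, and returns 1 only when every condition holds. The Windows firewall check name fw_check and the list of permitted client types are assumptions made for the example.

```tcl
# Added example, not from the F5 guide. An advanced access policy rule is a
# Tcl program whose return value selects the branch: non-zero = true branch,
# 0 = fallback branch. "fw_check" is an assumed firewall check name and the
# permitted client types are an assumed policy; the session variable names
# are the ones documented on this page.

# Read session variables from the memory cache. A variable that was never
# set (for example, no client certificate was presented) comes back empty.
set pd_ou    [mcget {session.ssl.cert.ou}];
set pd_valid [mcget {session.ssl.cert.valid}];
set pd_fw    [mcget {session.windows_check_fw.fw_check.state}];
set pd_type  [mcget {session.client.type}];

# Client types allowed down this branch (assumed policy).
set pd_allowed_types [list "ie" "firefox"];

# Fail closed: anything other than a certificate result of "OK" never qualifies.
if { $pd_valid ne "OK" } {
    return 0;
}

# The firewall state is documented as an integer; an empty or non-numeric
# value (check never ran) is treated the same as "not active".
if { ![string is integer -strict $pd_fw] || $pd_fw != 1 } {
    return 0;
}

# Rule operators (contains) and the Tcl 8.5 list operator (in) can both be
# used inside one expression.
if { ($pd_ou contains "PD") && ($pd_type in $pd_allowed_types) } {
    return 1;
}
return 0;
```

Because the Advanced tab does not check syntax at configuration time, paste the program into a stand-alone tclsh first with a stub proc named mcget that returns fixed test values, and confirm it returns 1 and 0 for the inputs you expect before saving it in the policy.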
We recommend that you use a unique prefix for local variables in each rule, to avoid polluting variables from different rules.

Access iRules Events

Lesson Objective: During this lesson, you will learn what iRule events are available for Access iRules.

Introducing iRules

An iRule is a powerful and flexible feature within the BIG-IP® local traffic manager system that you can use to manage your network traffic. Using syntax based on the industry-standard Tools Command Language (Tcl), the iRules™ feature not only allows you to select pools based on header data, but also allows you to direct traffic by searching on any type of content data that you define. Thus, the iRules feature significantly enhances your ability to customize your content switching to suit your exact needs.

The remainder of this introduction presents an overview of iRules, lists the basic elements that make up an iRule, and shows some examples of how to use iRules to direct traffic to a specific destination such as a pool or a particular node.

Note: For complete and detailed information on iRules syntax, see the F5 Networks DevCentral web site, http://devcentral.f5.com. Note that iRules must conform to standard Tcl grammar rules; therefore, for more information on Tcl syntax, see http://tmml.sourceforge.net/doc/tcl/index.html.

What is an iRule?

An iRule is a script that you write if you want individual connections to target a pool other than the default pool defined for a virtual server. iRules allow you to more directly specify the destinations to which you want traffic to be directed. Using iRules, you can send traffic not only to pools, but also to individual pool members, ports, or URIs.

The iRules you create can be simple or sophisticated, depending on your content-switching needs. The following figure shows an example of a simple iRule.
    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 10.10.10.10] } {
            pool my_pool
        }
    }

Example of an iRule

This iRule is triggered when a client-side connection has been accepted, causing the BIG-IP system to send the packet to the pool my_pool, if the client's address matches 10.10.10.10.

Using a feature called the Universal Inspection Engine, you can write an iRule that searches either a header of a packet, or actual packet content, and then directs the packet based on the result of that search. iRules can also direct packets based on the result of a client authentication attempt.

iRules can direct traffic not only to specific pools, but also to individual pool members, including port numbers and URI paths, either to implement persistence or to meet specific load balancing requirements.

The syntax that you use to write iRules is based on the Tool Command Language (Tcl) programming standard. Thus, you can use many of the standard Tcl commands, plus a robust set of extensions that the BIG-IP system provides to help you further increase load balancing efficiency.

Basic iRule Elements

iRules are made up of these basic elements:

• Event declarations
• Operators
• iRule commands

Event Declarations

iRules are event-driven, which means that the BIG-IP system triggers an iRule based on an event that you specify in the iRule. An event declaration is the specification of an event within an iRule that causes the BIG-IP system to trigger that iRule whenever that event occurs. Examples of event declarations that can trigger an iRule are HTTP_REQUEST, which triggers an iRule whenever the system receives an HTTP request, and CLIENT_ACCEPTED, which triggers an iRule when a client has established a connection. The following figure shows an example of an event declaration within an iRule.
    when HTTP_REQUEST {
        if { [HTTP::uri] contains "aol" } {
            pool aol_pool
        } else {
            pool all_pool
        }
    }

Example of an event declaration within an iRule

For more information on iRule events, see the Configuration Guide for BIG-IP® Local Traffic Manager™.

Operators

An iRule operator compares two operands in an expression. In addition to using the Tcl standard operators, you can use the operators listed in the following table.

iRule operators

Operator | Syntax
Relational operators | contains, matches, equals, starts_with, ends_with, matches_regex
Logical operators | not, and, or

For example, you can use the contains operator to compare a variable operand to a constant. You do this by creating an if statement that represents the following: "If the HTTP URI contains aol, send to pool aol_pool." Figure D.2, on page D-2, shows an iRule that performs this action.

iRule commands

An iRule command within an iRule causes the BIG-IP system to take some action, such as querying for data, manipulating data, or specifying a traffic destination. The types of commands that you can include within iRules are:

• Statement commands

These commands cause actions such as selecting a traffic destination or assigning a SNAT translation address. An example of a statement command is pool <name>, which directs traffic to the named load balancing pool. For more information, see the Configuration Guide for BIG-IP® Local Traffic Manager.

• Commands that query or manipulate data

Some commands search for header and content data, while others perform data manipulation such as inserting headers into HTTP requests. An example of a query command is IP::remote_addr, which searches for and returns the remote IP address of a connection. An example of a data manipulation command is HTTP::header remove <name>, which removes the last occurrence of the named header from a request or response.
• Utility commands

These commands are functions that are useful for parsing and manipulating content. An example of a utility command is decode_uri <string>, which decodes the named string using HTTP URL encoding and returns the result. For more information on using utility commands, see the Configuration Guide for BIG-IP® Local Traffic Manager.

Typical APM iRule Use Case

Lesson Objective: During this lesson, you will learn how to implement an iRule for a typical use case.

APM Web Applications Plus Something Extra

Web applications are a common application for APM. Typically APM provides authentication for a web server. It may also provide authorization, by only allowing some users access to the server or allowing users access to different parts of the server by implementing Layer 7 ACLs. However, some customers want to display the same page to all authenticated users, but depending on the user's group membership, they want to customize that page. Typically this is in the form of adding information or links that are only viewable by a specific group. For example, all users go to the same intranet page, but users in Accounting get some additional information that is only for them. Likewise, users in Finance see the same intranet page, but also get some additional text and links only for them. In order for this to work, APM must first perform some sort of authorization lookup and then pass some attribute, such as group membership, to the web server.

The most common method of authentication and authorization is Active Directory. The AD Query action in the VPE can perform the authorization lookup. Typically, this action then performs one or more branches (not including fallback) that allow resources to be added based on the results. In this case, the web server is performing the authorization, so APM must somehow pass the AD Query results to the web server.
The implication is that the AD Query has no branch rules, other than the fallback path.

There are multiple ways that APM can pass the AD Query results to the web server. APM can place the results at the end of the URL in the form of:

    ?groups=Finance

Also, APM can place the results inside a cookie. However, most APM customers choose to write the results to an HTTP header. HTTP headers are pre-defined, but custom headers can be used by prepending the header name with X-, such as:

    X-Groups: Finance

iRules are the glue that take the results from the AD Query, store them in a session variable, and put them into the HTTP header. The rule looks like:

    when ACCESS_ACL_ALLOWED {
        set groups [ACCESS::session data get "session.ad..."]
        HTTP::header insert X-Groups "$groups"
    }

The event that fires this iRule, ACCESS_ACL_ALLOWED, occurs whenever a packet destined for the web server is allowed by the ACL. Note that every packet entering the APM virtual server for this web application must go through the ACL check, thus every packet will have the results from the AD Query. However, the AD Query only occurs once. The iRule then gets the Active Directory group list from a session variable and assigns it to a local variable. The session variable is not shown here; determining the correct variable is an exercise left to the reader. Finally, that information is put into the HTTP header, X-Groups.

Creating a Redirect Virtual

Users often attempt to connect to a secure virtual server on port 80. This is because most web browsers translate www.mysecureserver.com to http://www.mysecureserver.com. The redirect virtual server automatically takes the connection that lands on port 80 and redirects it to port 443. So far, this has been automatically configured for us by the wizard. We can configure a redirect manually, but it is done with a pre-defined iRule, _sys_https_redirect.
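The iRule above is the minimal form. The following is an added example, not the guide's own iRule, of the same header insertion written so that a backend which trusts X-Groups can only ever receive the value APM derived from the session: every client-supplied X-Groups header is removed first (HTTP::header remove drops one occurrence per call, as described in the iRule commands section), the header is inserted only when the session actually holds group data, and a missing value is logged instead of producing an empty header. The session variable name is kept as the placeholder session.ad.<GROUP_VARIABLE>, because the text leaves identifying it as an exercise.

```tcl
# Added example, not the guide's own iRule. Requires an APM access profile on
# the virtual server so that ACCESS_ACL_ALLOWED fires for each request.
# "session.ad.<GROUP_VARIABLE>" is a placeholder: replace it with the session
# variable your AD Query populates (the guide leaves this as an exercise).
when ACCESS_ACL_ALLOWED {
    # HTTP::header remove drops the last occurrence of a header, so loop until
    # no client-supplied X-Groups header remains. Otherwise a client could
    # present its own group list to a backend that trusts this header.
    while { [HTTP::header exists "X-Groups"] } {
        HTTP::header remove "X-Groups"
    }

    # Read the AD Query result that the access policy stored in the session.
    set xg_groups [ACCESS::session data get "session.ad.<GROUP_VARIABLE>"]

    if { $xg_groups ne "" } {
        # Only APM-derived data reaches the web server in this header.
        HTTP::header insert "X-Groups" $xg_groups
    } else {
        # No group data for this session: do not insert an empty header, and
        # leave a record for troubleshooting.
        log local0. "APM session [ACCESS::session data get session.user.sessionid]: no AD group data for [HTTP::host][HTTP::uri]"
    }
}
```

On the web server side, the application should read X-Groups only when the request arrived through the APM virtual server; if the server is also reachable directly, the header carries no assurance at all, whatever the iRule does.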
There are several iRules that are commonly used and have already been written. These iRules typically start with "_sys_".

[Figure: the iRules list screen, showing predefined iRules including _sys_APM_ExchangeSupport_OA_BasicAuth, _sys_APM_ExchangeSupport_helper, _sys_APM_ExchangeSupport_main, _sys_auth_krbdelegate, _sys_auth_ssl_crldp, _sys_auth_ssl_ocsp and _sys_https_redirect]

Predefined iRule Events

Configuring Access iRules

Lesson Objective: During this lesson, you will learn the options for and how to configure Access iRules.

Understanding Access iRules

This section includes session variables and related reference information for each session variable that you can use with Access Policy Manager.

Note: iRule event access policy items must be processed and completed before the access policy can continue.

ACCESS_SESSION_STARTED

This event occurs when a new user session is created. This is triggered after creating the session context and initial session variables related to the user's source IP, browser capabilities and accepted languages.

Using ACCESS_SESSION_STARTED

This event provides a notification that a new session is created. You can use this event to prevent a session from being created when a specific event occurs. For example, if the user is exceeding the concurrent sessions limit, or if the user does not qualify for a new session due to custom logic, you can prevent a session from starting. You can use ACCESS::session commands to get and set various session variables. Admin can also use TCP, SSL, and HTTP iRule commands to determine various TCP, SSL, or HTTP properties of the user.

ACCESS_POLICY_COMPLETED

This event occurs when the access policy execution completes for a user session.

Using ACCESS_POLICY_COMPLETED

This event provides a notification that access policy execution has completed for the user. You can use this event to perform post-access-policy work.
For example, you can read and set session variables after the access policy is executed. You can use ACCESS::policy and ACCESS::session commands to get and set various session variables. Admin can also use TCP, SSL, and HTTP iRule commands to determine various TCP, SSL, or HTTP properties of the user.

ACCESS_ACL_ALLOWED

This event occurs when a resource request passes the access control criteria and is allowed through the ACCESS filter. This event is only triggered for resource requests and does not trigger for internal access control URIs such as my.policy.

Using ACCESS_ACL_ALLOWED

This event notifies you that a resource request is being allowed to pass through the network. You can use this event to create custom logic that is not supported in a standard ACL. For example, you can further limit access based on specific session variables, rate controls, or HTTP or SSL properties of the user. You can use ACCESS::session commands to get and set session variables in this event, and ACCESS::acl commands to enforce additional ACLs.

ACCESS_ACL_DENIED

This event occurs when a resource request fails to meet the access control criteria and is denied access.

Using ACCESS_ACL_DENIED

This event provides notification that a resource request has been denied from passing through the network. You can use this event to implement custom logic that is not supported in the standard ACLs. For example, you can send out a specific response, based on specific session variables, and HTTP or SSL properties of the user. This event may also be useful for logging purposes. You can use ACCESS::session commands to get and set session variables in this event, and ACCESS::acl commands to enforce additional ACLs.

ACCESS_SESSION_CLOSED

This event occurs when a user session is removed. This can occur because a user logs out, or because the user session has timed out due to inactivity.
You can use the ACCESS::session command to get session variables in this event. iRule commands which require a flow context cannot be used in this event.

Using ACCESS_SESSION_CLOSED

This event is used like ACCESS_SESSION_STARTED.

ACCESS_POLICY_AGENT_EVENT

This event allows you to insert an iRule event agent in an access policy at some point in the access policy. On the server, during access policy execution, the iRule event agent is executed and ACCESS_POLICY_AGENT_EVENT is raised in iRules. You can get the current agent ID (using the iRule command ACCESS::policy agent_id) to determine which iRule agent raised the event, and to create some customized logic.

Using ACCESS_POLICY_AGENT_EVENT

Use this event to execute iRule logic inside TMM at the desired point in the access policy execution. For example, if you want to do concurrent session checks for a particular AD group, insert this agent after the AD query, and once the user's group has been retrieved from the AD query, check to see how many concurrent sessions exist for that user group in an iRule inside TMM.

Understanding Access iRule Commands

ACCESS::disable

This command disables the access control enforcement for a particular request URI. The request is passed through the access control module without any access control checks (this excludes the valid session check as well as the policy allowed check). Valid iRule events where this command can be used: HTTP_REQUEST event.

ACCESS::session commands

The following commands are used with the ACCESS::session command.

ACCESS::session data get <session_variable>
This returns the value of the session variable. Admin can read multiple session variables in a single instance of this command.

ACCESS::session data set <session_variable> <value>
This sets the value of the session variable to the given <value>. Admin can set multiple session variables in a single instance of this command.
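The ACCESS::session data get and data set commands just described, together with ACCESS::policy agent_id, as an added example that is not the guide's code: an iRule implementing the concurrent-session check that the ACCESS_POLICY_AGENT_EVENT description suggests. It assumes an iRule Event agent with ID concurrent_check placed after the Logon Page and AD Query actions, keeps a per-user counter in the iRule table command under the subtable apm_sessions, and records the verdict in the custom session variable session.custom.concurrent_ok for a branch rule to test. The limit, the subtable name, the agent ID and both custom variable names are assumptions made for the example.

```tcl
# Added example, not the guide's code. Assumptions: an iRule Event agent with
# ID "concurrent_check" sits after the AD Query in the policy; the per-user
# counter lives in the session table under subtable "apm_sessions"; the limit
# and the custom variables session.custom.concurrent_ok and
# session.custom.concurrent_counted are illustrative names.
when RULE_INIT {
    set static::cs_limit 3
    set static::cs_table "apm_sessions"
}

when ACCESS_POLICY_AGENT_EVENT {
    # Several iRule Event agents may share this iRule; act only on ours.
    if { [ACCESS::policy agent_id] ne "concurrent_check" } { return }

    set cs_user [string tolower [ACCESS::session data get session.logon.last.username]]
    if { $cs_user eq "" } {
        # No logon name yet: fail closed rather than count an anonymous session.
        ACCESS::session data set session.custom.concurrent_ok 0
        return
    }

    # table incr creates the key if needed and returns the new count. Pin the
    # entry so it does not expire under the table's default timeout.
    set cs_count [table incr -subtable $static::cs_table $cs_user]
    table timeout -subtable $static::cs_table $cs_user indefinite
    ACCESS::session data set session.custom.concurrent_counted 1

    if { $cs_count > $static::cs_limit } {
        ACCESS::session data set session.custom.concurrent_ok 0
        log local0. "APM: $cs_user has $cs_count concurrent sessions (limit $static::cs_limit)"
    } else {
        ACCESS::session data set session.custom.concurrent_ok 1
    }
}

when ACCESS_SESSION_CLOSED {
    # Release the slot only if this session was counted; a session can end
    # before the agent ever ran (for example, the user never finished logon).
    if { [ACCESS::session data get session.custom.concurrent_counted] eq "1" } {
        set cs_user [string tolower [ACCESS::session data get session.logon.last.username]]
        table incr -subtable $static::cs_table -mustexist $cs_user -1
    }
}
```

In the policy, the branch rule on the iRule Event agent would then be an advanced rule such as expr { [mcget {session.custom.concurrent_ok}] == 1 }, with the fallback branch leading to a Deny ending; the iRule never terminates the session itself, which keeps the decision visible in the VPE.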
ACCESS::session remove
This removes (deletes) the user session and all associated session variables. The session is removed immediately after this command is invoked and no session variables can be accessed after this command.

ACCESS::session commands can be used only in ACCESS events.

ACCESS::policy commands

The following commands are used with the ACCESS::policy command.

ACCESS::policy agent_id
This returns the identifier for the agent raising the ACCESS_CUSTOM_EVENT.

ACCESS::policy result
Returns the result of the access policy process. The result is one of the following:

• Allow
• Deny
• Redirect

The ACCESS::policy command can only be used in ACCESS_POLICY_COMPLETE, ACCESS_ACL_ALLOW and ACCESS_ACL_DENY events.

ACCESS::acl commands

The following commands are used with the ACCESS::acl command.

ACCESS::acl result
This returns the result of the ACL match for a particular URI in ACCESS_ACL_ALLOW and ACCESS_ACL_DENIED events. This result can have one of the following values:

• Allow
• Discard
• Reject
• Continue

ACCESS::acl lookup
This returns the names of all the assigned ACLs for a particular session.

ACCESS::acl eval $acls_name_list
This applies all the ACLs specified in acls_name_list for a particular flow/URL.

ACCESS::acl commands can only be used in ACCESS_ACL_ALLOW and ACCESS_ACL_DENY events.

Dynamic ACLs

The ACLs described in the previous section are static ACLs. That is, the ACLs have been created and configured as part of the Access Policy, prior to the user's connection to BIG-IP. These static ACLs are stored on the BIG-IP and only change when an admin updates the access policy ACL.

Dynamic ACLs are stored someplace other than BIG-IP and are retrieved when the user connects to BIG-IP.
There are a number of advantages to this arrangement, for example:

• ACLs can be customized on a per-user or per-group basis
• ACLs can be modified by IT staff who are not familiar with BIG-IP or do not have access to it
• ACLs can be changed automatically by scripts to reflect dynamic network access policies such as day-of-week or current threat level

Dynamic ACLs are typically stored in Active Directory, LDAP or RADIUS and are associated with an individual user or a group. The information in the dynamic ACL is retrieved using AD Query, LDAP Query or RADIUS Auth and is stored in a session variable.

BIG-IP supports two ACL formats for dynamic ACLs. Cisco-formatted ACLs are used in a multi-vendor environment to share access control information. BIG-IP supports Cisco ACLs, with the exception of the following keywords:

• tos
• established
• time-range
• dynamic
• precedence

BIG-IP supports native F5 ACLs, which can be used for Layer 3, Layer 4 or Layer 7 access control. The F5 ACL specification is shown below.

    ACL_SPEC          ::= "{ " ACTION_SPEC [AUX_KEYWORD_SPEC] CONTEXT_SPEC " }"
    ACTION_SPEC       ::= "allow " | "reject " | "continue " | "discard "
    AUX_KEYWORD_SPEC  ::= "log " | "log-packet " | "log-verbose " | "log-summary " | "log-config "
    CONTEXT_SPEC      ::= "ip " [PROTO_NUM_SPEC " "] ADDR_SPEC
                        | "tcp " ADDR_SPEC
                        | "udp " ADDR_SPEC
                        | "http " ADDR_SPEC " " HTTP_URL_SPEC
    PROTO_NUM_SPEC    ::= "0" .. "255"
    ADDR_SPEC         ::= SRC_IP_PORT_SPEC " " DST_IP_PORT_SPEC
    SRC_IP_PORT_SPEC  ::= IP_PORT_SPEC
    DST_IP_PORT_SPEC  ::= IP_PORT_SPEC
    IP_PORT_SPEC      ::= "any" ["/" PREFIX_LENGTH_MASK] [":" PORT_SPEC]
                        | IP_V4_ADDRESS ["/" PREFIX_LENGTH_MASK] [":" PORT_SPEC]
    PORT_SPEC         ::= PORT | PORT "-" PORT
    HTTP_URL_SPEC     ::= HTTP_PROTO_SPEC "://" HOSTNAME "/" PATH_LIST_SPEC
    HTTP_PROTO_SPEC   ::= "http" | "https" | "*"
    PATH_LIST_SPEC    ::= PATH_SPEC | (PATH_SPEC "|" PATH_LIST_SPEC)

Note: HOSTNAME and PATH_SPEC may contain "?" or "*" chars for glob matching.

Several examples of F5 dynamic ACLs are shown below.

    { allow ip 51 any 1.2.3.4 }
    { reject log tcp any:1024-65535 2.3.4.5:80 }
    { discard log-verbose udp any 4.4.5.6:5-20 }
    { continue log-config ip any any/8 }
    { allow http any any http://*.f5net.com/* }
    { allow http any 10.0.0.0/24 https://main?treet/main.aspx|error*.html }
    { reject http any 10.0.0.1:8080 http://myproxy/bad-url*.html }

Lab 12.1 - Session Variables 1

Lab Objective:

• Output session variables to the APM log files and use a variable to check browser type.

Estimated time for completion: 15 minutes

Lab Requirements:

• IP and port addresses available for use on BIG-IP APM that can be reached by the clients

Create an Access Policy that Logs Session Variables

1. Navigate to Access Policy :: Access Profiles and click Create...
2. Name it browser_log, select English as an Accepted Language and click Finished.
3. Click Edit... for the browser_log access policy.
4. Select Add New Macro.
5. Change the name of the new Macro from Empty to Session Log.
6. Click the large (+) next to Macro: Session Log.
7. Click the (+) sign on the fallback leg of the macro.
8. Click the logging radio button in the General Purpose tab to select the logging agent action.
9. Click Add Item.
10. Click Add New Entry.
11. Select Client Variables. This will write all the client variables to /var/log/apm.
12. Click Add New Entry again. Select Custom.
In the Session Variable field, type session.client.type. 13. In the Log Message, type: Session variables follow... 14, Click Save. 15, In the main Policy section, click the + sign on the fallback leg. 16, Select the Session Log Macro in the Macrocalls tab and click Add Item. Create an Access Policy that Checks Browser Type 17. In the main policy section, Click the + sign on the “out” leg after the Session Log Macro. 18, Click the Empty radio button in the General Purpose tab and then click Add Item, 19. Name the action Browser Check. 20. Click the Branch Rules tab. 21, Click Add Branch Rule and name the rule “Suecessful” 22. Under the Expression line, click Change and click Advaneed tab. 23. Add the text below and click Finished, then click Save: expr {[meget {session.client.type}] == "Mozilla"} 24, On the "Successful" branch, click the + Assignment tab and click Add Item, 25. Click Add new entry, then Add/Delete. 26. In the Webtop Links tab, select both /Common/askfS_link and /Common/deveentral_link. select Advanced Resource Assign in the 27. In the Webtop tab, select /Common/web_ui_webtop. 28. Click Update, then Save. 29. Change the ending with the Advanced Resource Assign to Allow. 30. On the fallback branch, add a message box that says “Access denied. Firefox required.” 31. Apply Access Policy and click Close. 32. Apply the browser_log policy to the web_ui_vs virtual (10.10.X.104). Test Your New Access Policy 33. Test your Virtual Server with both Internet Explorer and Firefox. 34. Using Firefox you should be allowed to the resource you specified 35. Using Internet Explorer you should receive the Access Denied message. Note: Internet Explorer 11 behaves differently than previous versions. If you do not see the access denied message, continue to the next step to learn why. 36. View the log output in /var/log/apm. 37. What happens when you use Chrome? Why? 
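The F5 ACL grammar and the seven example entries given before Lab 12.1, parsed in Python as an added example (this is not F5 code and not how APM itself parses the attribute). It validates entries of the kind a Dynamic ACL action reads from a directory attribute and, for http entries, applies the HOSTNAME and PATH_SPEC globs to a URL; the first-match evaluation order in http_decision() is an assumption of this example.

```python
"""Parser for the F5 dynamic ACL format (ACL_SPEC grammar above); added
example, not F5 code. Entries become dictionaries, and http_decision()
applies the HOSTNAME/PATH_SPEC globs with an assumed first-match order."""
import fnmatch
import re

ACTIONS = ("allow", "reject", "continue", "discard")
AUX_KEYWORDS = ("log", "log-packet", "log-verbose", "log-summary", "log-config")
_ENDPOINT = re.compile(
    r"(any|\d{1,3}(?:\.\d{1,3}){3})"      # "any" or IP_V4_ADDRESS
    r"(?:/(\d{1,2}))?"                     # optional /PREFIX_LENGTH_MASK
    r"(?::(\d{1,5})(?:-(\d{1,5}))?)?$")    # optional :PORT or :PORT-PORT
_URL = re.compile(r"(http|https|\*)://([^/]+)/(.*)$")   # HTTP_URL_SPEC


class AclSyntaxError(ValueError):
    """Entry does not match the ACL_SPEC grammar."""


def parse_endpoint(tok):
    """IP_PORT_SPEC -> {"host", "prefix", "ports"}; ports is (low, high) or None."""
    m = _ENDPOINT.match(tok)
    if not m:
        raise AclSyntaxError(f"bad address spec {tok!r}")
    host, prefix, lo, hi = m.groups()
    if host != "any" and any(int(o) > 255 for o in host.split(".")):
        raise AclSyntaxError(f"bad IPv4 address {host!r}")
    if prefix is not None and int(prefix) > 32:
        raise AclSyntaxError(f"bad prefix length in {tok!r}")
    ports = None
    if lo is not None:
        ports = (int(lo), int(hi) if hi is not None else int(lo))
        if not ports[0] <= ports[1] <= 65535:
            raise AclSyntaxError(f"bad port range in {tok!r}")
    return {"host": host, "prefix": int(prefix) if prefix else None, "ports": ports}


def parse_entry(text):
    """One "{ ACTION_SPEC [AUX_KEYWORD_SPEC] CONTEXT_SPEC }" entry -> dict."""
    s = text.strip()
    if not (s.startswith("{") and s.endswith("}")):
        raise AclSyntaxError("entry must be enclosed in { }")
    toks = s[1:-1].split()
    if not toks or toks[0] not in ACTIONS:
        raise AclSyntaxError("entry must start with allow/reject/continue/discard")
    entry = {"action": toks.pop(0), "log": None, "proto_num": None, "url": None}
    if toks and toks[0] in AUX_KEYWORDS:
        entry["log"] = toks.pop(0)
    if not toks or toks[0] not in ("ip", "tcp", "udp", "http"):
        raise AclSyntaxError("missing protocol (ip, tcp, udp or http)")
    entry["proto"] = toks.pop(0)
    if entry["proto"] == "ip" and toks and toks[0].isdigit():
        entry["proto_num"] = int(toks.pop(0))          # PROTO_NUM_SPEC, 0..255
        if entry["proto_num"] > 255:
            raise AclSyntaxError("protocol number must be 0..255")
    if len(toks) < 2:
        raise AclSyntaxError("source and destination address required")
    entry["src"] = parse_endpoint(toks.pop(0))
    entry["dst"] = parse_endpoint(toks.pop(0))
    if entry["proto"] == "http":
        m = _URL.match(toks.pop(0)) if toks else None
        if not m:
            raise AclSyntaxError("http entries need scheme://host/path[|path...]")
        scheme, host, paths = m.groups()
        entry["url"] = {"scheme": scheme, "host": host, "paths": paths.split("|")}
    if toks:
        raise AclSyntaxError(f"unexpected trailing tokens {toks!r}")
    return entry


def parse_acl(text):
    """Split a whole ACL (e.g. one AD attribute value) into parsed entries."""
    return [parse_entry(m) for m in re.findall(r"\{[^{}]*\}", text)]


def http_decision(entries, url):
    """Action of the first http entry whose scheme, HOSTNAME glob and one
    PATH_SPEC glob match the URL, or None when nothing matches. The ? and *
    wildcards are the ones fnmatch understands."""
    m = _URL.match(url)
    if not m:
        raise ValueError(f"not an http(s) URL: {url!r}")
    scheme, host, path = m.groups()
    for e in entries:
        u = e["url"]
        if u is None or u["scheme"] not in ("*", scheme):
            continue
        if not fnmatch.fnmatchcase(host, u["host"]):
            continue
        if any(fnmatch.fnmatchcase(path, p) for p in u["paths"]):
            return e["action"]
    return None


# Constructed sample: the seven example entries from this chapter, joined the
# way they would be stored in a single directory attribute.
SAMPLE_ACL = """
{ allow ip 51 any 1.2.3.4 }
{ reject log tcp any:1024-65535 2.3.4.5:80 }
{ discard log-verbose udp any 4.4.5.6:5-20 }
{ continue log-config ip any any/8 }
{ allow http any any http://*.f5net.com/* }
{ allow http any 10.0.0.0/24 https://main?treet/main.aspx|error*.html }
{ reject http any 10.0.0.1:8080 http://myproxy/bad-url*.html }
"""
```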
Lab 12.2 - Session Variables 2

Lab Objective:
• Use a session variable as an RDP destination.
Estimated time for completion: 15 minutes
Lab Requirements:
• IP and port addresses available for use on BIG-IP APM that can be reached by the clients

Create an RDP Resource
1. Navigate to Access Policy :: Application Access :: Remote Desktops and click Create.
2. Name it rdp_sessionvar_res, set the Type to RDP, set the Destination type to Host Name and enter the value %{session.logon.last.rdpserver} into the Host Name input field.
3. Enable Auto Logon, enter My Remote Desktop for the Caption and click Finished.

Create an Access Policy that Uses an RDP Resource
4. Navigate to Access Policy :: Access Profiles and click Create.
5. Name it rdp_sessionvar, select English as an Accepted Language and click Finished.
6. Click Edit for the rdp_sessionvar access policy.
7. Click on the Deny ending and set it to Allow.
8. After Start, click on the (+) sign and add a Logon Page action.
9. Click on the new Logon Page to edit it. In the Logon Page Agent section, alter the third line to the following settings:
   • Type: text
   • Post Variable Name and Session Variable Name: rdpserver
   In the Customization section, alter the Logon Page Input Field #3 field to RDP Server IP Address.
10. Click Save.
11. After the Logon Page, click the (+) sign and add an Advanced Resource Assign action.
12. Edit the Advanced Resource Assign action and add two items to it: a full webtop, /Common/web_ui_webtop, and a Remote Desktop resource, /Common/rdp_sessionvar_res.
13. Click Update.
14. Click Save.
15. Click Apply Access Policy.

Attach the Policy to a Virtual Server
16. Apply the rdp_sessionvar policy to the web_ui_vs virtual server (10.10.X.104).

Test Your New Access Policy
17. Connect to the virtual server. You should see three entry fields. Enter student for the name and password fields and, for the new third field, enter 172.16.20.20.
18. A full webtop should be shown with one RDP link.
Click on the link and you should eventually see a Windows Terminal Server logon screen. The lab Windows Server is not configured for Terminal Services, but the logon prompt is proof that the RDP connection we built dynamically using a session variable is connecting correctly.
19. Notice that since we didn't provide a domain name, as we did in the earlier remote desktop lab, the server defaults to the local workgroup, DC, as shown here: DC\student1

Lab 12.3 - iRules

Lab Objectives:
• Use an iRule to put the results of an AD Query into an HTTP header.
• Test the new iRule and verify functionality.
Estimated time for completion: 18 minutes

Create a Portal Access Webtop for the Intranet Server
1. Navigate to Access Policy :: Webtops and select Create. Type intranet_webtop in the Name field, then select Type as Portal Access.
2. Select Link Type as Application URI, then type https://172.16.20.1/intranet.php in the Portal Access Start URI field and press Finished.

Create an Access Policy that Includes an AD Query
3. Navigate to Access Policy :: Access Profiles and select Create.
4. Type intranet in the Name field. Select English as an Accepted Language. Click Finished.
5. Click the Edit... link for the intranet access policy, and the Visual Policy Editor will open for that policy. Create a policy that looks like this by following the steps below:
[Figure: the target intranet access policy]
6. For AD Auth, set the Server to /Common/server1_aaa_srvr.
7. For AD Query, set the Server to /Common/server1_aaa_srvr. Leave all other settings at their default.
Note: AD Query has two paths, but we only need the fallback path. In this access policy, APM does not make any policy decisions based on the information returned by AD Query. However, policy decisions are being made by the web server.
8.
To remove the User Primary Group ID is 100 branch, click on the AD Query action (if that action is not already open) and select the Branch Rules tab. Then select the [x] button in the gray box for that branch rule and click Save.
9. For Advanced Resource Assign, click Add new entry, then Add/Delete, then click on the Webtop tab.
10. Set the webtop to intranet_webtop and click Update and Save.
11. Set the terminal following the Advanced Resource Assign to Allow.
12. Click the Apply Access Policy link and then click Close to close the VPE.

Create a Virtual Server
13. Navigate to Local Traffic :: Virtual Servers, and click the Create button.
14. Configure the following settings and click Finished.
   Name: intranet_vs
   Destination: 10.10.X.108
   Service Port: 443
   HTTP Profile: http
   SSL Profile (Client): clientssl
   SSL Profile (Server): serverssl
   Source Address Translation: Auto Map
   Access Profile: intranet
   Connectivity Profile: server1_cp
   Rewrite Profile: rewrite

Test the New Virtual Server
15. Test the new virtual server by connecting to https://10.10.X.108.
16. Note that the intranet page only shows information appropriate for all corporate users.

Create an iRule
17. Navigate to Local Traffic :: iRules and click Create. Set the Name to intranet_irule, insert the following iRule and click Finished.

    when ACCESS_ACL_ALLOWED {
        # read the group list the AD Query stored in the session
        set groups [ACCESS::session data get "session.ad.last.attr.memberOf"]
        # pass it to the web server, which makes the group-based decisions
        HTTP::header insert X-Groups "$groups"
    }

Add the iRule to the Virtual Server
18. Navigate to Local Traffic :: Virtual Servers and click on intranet_vs.
19. Select the Resources tab.
20. In the iRules section, click Manage.
21. Enable the intranet_irule and click Finished.

Test the iRule
22. Test the new iRule by connecting to https://10.10.X.108.
Note: If you get an error, you may have mistyped the iRule. Either go to System :: Logs :: System or, from the shell, view the /var/log/ltm log file.
23.
Note that the intranet page now also shows group-based information for studentX.
24. The different groups are student1-4, student5-8, student9-12 and student13-16. Log in as a student in a different group.

Lab 12.4 - Pre-defined Redirect iRule

Lab Objectives:
• Use a pre-defined iRule to redirect a port 80 connection to port 443.
• Test the new iRule and verify functionality.
Estimated time for completion: 5 minutes
Lab Requirements:
• Existing Web Application virtual server

Create a Virtual Server
1. Test without the redirect rule by connecting to http://10.10.X.108.
2. On BIG-IP, in the admin UI, navigate to Local Traffic :: Virtual Servers, and click the Create button.
3. Set the Name, Destination and Service Port of the new virtual server to intranet_redir, 10.10.X.108 and 80, respectively.
4. Set the HTTP Profile to http.
5. In the Resources section, in iRules, enable _sys_https_redirect.
6. Click Finished.

Test the Redirect Virtual Server
7. Test the redirect virtual server by connecting to http://10.10.X.108. You should be automatically redirected to https://10.10.X.108.
8. View the contents of the redirect iRule by navigating to Local Traffic :: iRules and clicking on the _sys_https_redirect link.

Lab 12.5 - Dynamic Access Control Lists

Lab Objective:
• Implement user-specific dynamic ACLs that reside in the user's Active Directory settings.
Estimated time for completion: 20 minutes

Create a New Access Policy
1. Create a new Access Policy using the steps below. When you have finished, your configuration will look like this:
[Figure: the completed dynamic ACL access policy]
Note: The ACL Assign has been combined with the Advanced Resource Assign action.

Create a Dynamic ACL
2. Navigate to Access Policy :: ACLs and click Create...
3. Set the Name to user_acl, set the Type to Dynamic and click Create.
4. Navigate to Access Policy :: ACLs :: All ACLs and click Change ACL Order...
5. Put the user_acl above (higher precedence than) reject_server1_acl and click Finished.
Add AD Query to the Access Policy
6. Navigate to Access Policy :: Access Profiles and create a new profile named dyn_acl. Remember to select English as an Accepted Language.
7. Click Edit... for the dyn_acl access policy.
8. Add an AD Query action on the AD Auth Successful path. Set the AAA Server to /Common/server1_aaa_srvr and Save. Your policy will look like this:
[Figure: Start, AD Auth, AD Query with the branches User Primary Group ID is 100 and fallback]
9. The AD Query action has a predefined path, User Primary Group ID is 100, that we won't need.
10. Click the AD Query action, then click the Branch Rules tab.
11. For the first Branch Rule, click the [X] button to the right.
12. Click Save.
13. Add the Dynamic ACL as shown above in step 1. In the new window, click Add new entry. Configure the following settings and click Save.
   Source (dropdown): Custom
   Source (field): session.ad.last.attr.extensionAttribute1
   ACL: /Common/user_acl
   Format: F5
   Your policy should now look like:
[Figure: Start, AD Auth, AD Query, Dynamic ACL]
14. Complete the access policy as shown above in step 1. Remember to add the AAA server to the AD Auth action.
15. Add the network access resource na_res and the webtop web_ui_webtop to the access policy.
16. Add all of the static ACLs.
17. Click Apply Access Policy, then apply the policy to the https://10.10.X.103 virtual server.
18. Remember to log out of the client browser.
Note: Only student17 has HTTPS access to 172.16.20.1; all the other students do not.
19. Open the SSL VPN using the client browser: https://10.10.X.103.
20. Test with both your account (studentX) and the student17 account (username student17, password student17).
21. Log on as studentX and confirm you have no access to https://172.16.20.1.
22. While logged on using student17 credentials, in the Admin UI navigate to Access Policy :: Reports. Click Run Report in the popup window. The All Sessions report is run by default.
23. Look for the most recent (top-most) session for student17.
24.
Click View Session Variables.
Note: The session variables are listed in a tree structure, and the first part of the variable is implied.
25. View the following variables and note their values.
   session.ad.last.attr.extensionAttribute1: comes directly from Active Directory
   session.assigned.dacl./Common/user_acl: used by the user_acl dynamic ACL; copied from Active Directory by the Dynamic ACL action in the VPE
   session.dynamic-acl.last.result: error status; 1 means the action was successful. It does not mean a dynamic ACL was found.
26. Click on the All Sessions tab. Look again at the most recent session for student17 and click the Session ID link. Here we see all of the session information from the moment you first connected to BIG-IP up to the time the SSL VPN was connected.
27. This information is also available in the log file. Click the Current Sessions tab again to read the 8 character hexadecimal session ID.
28. ssh into BIG-IP and type the following command:

    grep session-id /var/log/apm

   You will see the same information as in the Admin UI Reports.
29. You enabled logging on the static ACLs and, by looking at the session variables above, you can see that logging is enabled on the dynamic ACLs. Run the following command to see the results:

    grep session-id /var/log/pktfilter

30. Find the Session ID for the most recent studentX logon. Run both grep commands using that Session ID.
31. Finally, the ACL logs are also available in the Admin UI. Navigate to System :: Logs :: Packet Filter and view the results.

Lab 12.6 - Allow Access Based on Time

Lab Objectives:
• Use the Date Time action
• Test the functionality of the new action
Estimated time for completion: 5 minutes
Lab Requirements:
• Confirm the time on the Active Directory Server is correct. Otherwise, you will have to change the times in this lab to match the time on Active Directory.
Create an Access Policy that Includes a Date Time Action
1. Navigate to Access Policy :: Access Profiles and select Create.
2. Type datetime in the Name field. Select English as an Accepted Language. Click Finished.
3. Click the Edit... link for the datetime access policy, and the Visual Policy Editor will open for that policy. Create a policy that looks like the following:
[Figure: Start, Date Time with a Business Hours branch to Advanced Resource Assign and a fallback branch to a Message Box]
4. Configure the Date Time action by creating a branch rule configured as shown here:
   Time from: 8:00 AM
   AND Time to: 5:00 PM
   AND Day is: Wednesday
   The day shown above is Wednesday. For your configuration, use today's day of the week. Note that we named the branch rule Business Hours.
5. Configure the Advanced Resource Assign to display several resources or webtop links on a full webtop. Review one of your previous labs, if necessary.
6. The Message Box should be renamed to be more descriptive. The message it provides the user should be similar to: Access denied. You are only permitted access from 8:00am to 5:00pm.

Create a New Virtual Server
7. Create... Virtual Server advanced_vs on IP Address and Port 10.10.X.109:443 with Profiles http and clientssl, Source Address Translation Auto Map and Access Profile datetime.
8. Depending on the resources you assigned in step 5, you may need to add a Connectivity Profile and a Rewrite Profile.
9. Save your changes and apply the access policy.

Test the New Access Policy
10. Log in to the new virtual server. You should see the desktop.
11. In the Access Policy, change the day in the Date Time action to any day but today's day of the week.
12. Log in again to the new virtual server. You should see the error message you created in step 6.
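A model of the Business Hours branch rule built in this lab, as an added example (not APM code and not the TCL the VPE generates): it reproduces the comparisons the generated TCL makes against session.user.starttime and also takes the weekday range that Lab 12.7 produces by editing that TCL, which goes beyond the single "Day is" value configured here. Times are passed as ISO 8601 strings; the names clock_scan, day_is and business_hours are this example's own.

```python
"""Model of the Business Hours branch rule (added example, not APM code).
The TCL the VPE generates compares the epoch seconds in session.user.starttime
with [clock scan "8:00 AM"] and [clock scan "5:00 PM"] and checks
[clock format ... -format %u], the ISO weekday (Monday = 1 ... Sunday = 7).
Times here are ISO 8601 strings such as "2014-01-08T09:30"."""
from datetime import datetime, time


def clock_scan(hhmm, now):
    """Tcl's [clock scan "8:00 AM"] with no -base resolves the time on the
    current date, so the window is always today's 8:00 to 17:00."""
    return datetime.combine(datetime.fromisoformat(now).date(),
                            time.fromisoformat(hhmm))


def day_is(starttime):
    """[clock format $starttime -format %u]: 1 = Monday ... 7 = Sunday."""
    return datetime.fromisoformat(starttime).isoweekday()


def business_hours(starttime, now, first_day=1, last_day=5):
    """The rule after the edit in Lab 12.7: the session started inside today's
    window and its weekday satisfies %u >= first_day && %u <= last_day."""
    start = datetime.fromisoformat(starttime)
    return (clock_scan("08:00", now) <= start <= clock_scan("17:00", now)
            and first_day <= day_is(starttime) <= last_day)


def single_day_rule(starttime, now, day):
    """The rule as the VPE builds it in this lab: one "Day is" value."""
    return business_hours(starttime, now, day, day)


def contradictory_rule(starttime, now):
    """Lab 12.7 before the edit: %u == 1 && %u == 5 can never hold."""
    start = datetime.fromisoformat(starttime)
    return (clock_scan("08:00", now) <= start <= clock_scan("17:00", now)
            and day_is(starttime) == 1 and day_is(starttime) == 5)
```

The last assertion in the test is the subtlety of clock scan: a session that started yesterday inside business hours is outside today's window.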
Lab 12.7 - Allow Access Based on Day of Week

Lab Objectives:
• Modify the TCL commands in the VPE branch rules
• Understand how session variables interact with VPE branch rules
• Test the functionality of the new action
Estimated time for completion: 5 minutes
Lab Requirements:
• Existing Access Policy and Virtual Server from the previous lab

Edit the Access Policy from the Previous Lab
1. Click the Date Time action in the access policy.
2. Inspect the action. Do you see a way to allow access for weekdays?
3. Because there is no easy way to do this, we will do it by modifying the TCL code created by the action. But first, change the day to Monday.
4. Then add another condition. The action will look like the following:
   Time from: 8:00 AM
   AND Time to: 5:00 PM
   AND Day is: Monday
   AND Day is: Friday
Note: As is, there is no way this condition could be true, because the day can't be Monday and be Friday.
5. Next click on the Advanced tab. You will see the TCL code for this condition in the branch rule:

    expr { [mcget {session.user.starttime}] >= [clock scan "8:00 AM"] && [clock scan "5:00 PM"] >= [mcget {session.user.starttime}] && [clock format [mcget {session.user.starttime}] -format %u] == 1 && [clock format [mcget {session.user.starttime}] -format %u] == 5 }

Note: The == 1 here means Monday and == 5 means Friday. Rather than having the day == Monday and the day == Friday, we want the day >= Monday and the day <= Friday. If this doesn't make sense to you, ask your instructor to explain.
6. Change == 1 to >= 1 and change == 5 to <= 5.
7. When you save your changes, you will see the branch rule Business Hours described as shown here:

    expr { [mcget {session.user.starttime}] >= [clock scan "8:00 AM"] && [clock scan "5:00 PM"] >= [mcget {session.user.starttime}] && [clock format [mcget {session.user.starttime}] -format %u] >= 1 && [clock format [mcget {session.user.starttime}] -format %u] <= 5 }

8. Save your changes and apply the access policy.

Test and Explain
9. Log in to the virtual server.
You should see the desktop.
10. Given the above TCL script, explain how it works.

Lab 12.8 - One-Time Passwords

Lab Objectives:
• Learn about and use the one-time password actions: OTP Generate and OTP Verify
• Learn about and use a session variable as a value in a VPE action
• Test the functionality of the new action
Estimated time for completion: 5 minutes
Lab Requirements:
• Existing Access Policy and Virtual Server from the previous lab

Edit the Access Policy from the Previous Lab
1. Add the OTP Generate, the Logon Page and the OTP Verify actions to your access policy as shown below.
[Figure: access policy with OTP Generate, Logon Page and OTP Verify actions]
Note: One-time passwords typically rely on some sort of out-of-band delivery mechanism, such as a token with RSA SecurID. In the case where BIG-IP generates the one-time password, it would typically be delivered to the user via SMS. A BIG-IP one-time password is stored in a session variable named session.otp.assigned.val.
2. Because we don't have access to an SMS gateway for this lab, we will display the generated one-time password on the logon page. Edit the Logon Page action as shown below, specifically the Form Header Text and Logon Page Input Field #2 fields:
   Form Header Text: Use %{session.otp.assigned.val} for your One-time Password
   Logon Page Input Field #1: Username
   Logon Page Input Field #2: One-time Password
Note: Note the variable name and the syntax used to express the value of the one-time password on the logon page.
3. Save your configuration and apply the access policy.

Test
4. Connect to the virtual server. The Logon page will display the following:
   Secure Logon for F5 Networks
   Use 346622 for your One-time Password
   Username
   One-time Password
5. Log in using any username and the one-time password shown on your logon page. Why doesn't it matter which username you use?
Note: The one-time password shown above is 346622. Your password will differ.
6. Log out and log in again. Does the one-time password change?

Lab 12.9 - Two-factor Authentication Using OTP

Lab Objectives:
• Combine OTP with AD for two-factor authentication
• Understand how to reassign values to session variables
• Test the functionality of the new action
Estimated time for completion: 5 minutes
Lab Requirements:
• Existing Access Policy and Virtual Server from the previous lab

Edit the Access Policy from the Previous Lab
1. Add a Variable Assign action and an AD Auth action to your access policy as shown below.
[Figure: access policy with OTP Generate, Logon Page, OTP Verify, Variable Assign and AD Auth actions]
2. Configure the AD Auth action as you have in previous labs.
3. Configure the Logon Page action as shown in the next two figures. First configure a second password field, with Type password and Post Variable Name and Session Variable Name password2, as shown here:
   Type: password
   Post Variable Name: password2
   Session Variable Name: password2
Note: The full session variable name is session.logon.last.password2, but we only enter the very last part of it here.
4. Next add a prompt for the second password. Use "Domain Password" as shown here. This password will be used with Active Directory authentication.
   Form Header Text: Use %{session.otp.assigned.val} for your One-time Password
   Logon Page Input Field #1: Username
   Logon Page Input Field #2: One-time Password
   Logon Page Input Field #3: Domain Password
5. Configure the Variable Assign action as shown here:
   session.logon.last.password = Custom Expression: expr { [mcget {session.logon.last.password2}] }
Note: The OTP Verify action used session.logon.last.password to verify the one-time password. The problem is that the AD Auth action also uses session.logon.last.password to verify the credentials with Active Directory. Because the AD password is currently stored in session.logon.last.password2, we must assign password2 to password after the OTP Verify, but before the AD Auth.
6. Save your configuration and apply the access policy.

Test
7. Connect to the virtual server. The Logon page will display the following:
   Secure Logon for F5 Networks
   Use 532730 for your One-time Password
   Username
   One-time Password
   Domain Password
8. Use the one-time password shown on your logon page. Use studentX for the username and domain password.
9. Log out and try again. Does the one-time password change?
10. Assuming we were delivering the one-time password via SMS, rather than putting it on the logon page, why would this qualify as two-factor authentication?

Lab 12.10 - Configuration Backup

Lab Objective:
• Create a backup archive
Save the Configuration
1. Create an archive named studentX_labs1-12.
2. Download the new archive to your desktop.

Chapter 13: APM Authentication Domains

Authentication Domains Concepts
Lesson Objective: During this lesson, you will learn how to configure and use APM authentication domains.

Using Authentication Domains
Access Policy Manager (APM) provides a method to enable your users to use a single login or session across multiple virtual servers in separate domains.
Users can access back-end applications either through multiple domains or through multiple hosts within a single domain, eliminating additional credential requests when they go through those multiple domains. With multi-domain support you have the option of applying different SSO methods across different domains.
Note: To enable multi-domain support, all virtual servers must be on a single BIG-IP system.
These are some of the benefits of using multi-domain support for SSO:
• Enables a user to sign out from all the domains at once
• Allows a user to move from one domain to another seamlessly. This eliminates the need to re-run the access policy and thus maintains the established session for the user.
• Enables different cookie settings (Secure, Host/Domain and Persistent) for different domains or for different hosts within the same domain
• Enables the use of multiple SSO configurations to sign users on to multiple back-end applications for a single APM session

How Does Multi-Domain Support Work for SSO?
Setting up multi-domain support for SSO requires the following elements:
• An access profile that includes a set of participating domains and an SSO configuration associated with each of the domains. Additionally, a designated URL that specifies the primary authentication service is included in the access profile.
Note: The host name of the URL is a virtual server that provides an access policy to retrieve the credentials from the user. If an unauthenticated user reaches any domain specified in the domain group, a redirect is first made to the primary authenticating service so that credentials are collected in order to establish a session.
• A virtual server, with an access profile, for each of the virtual servers participating in the domain group.
The same access profile must be attached to all these virtual servers.
[Figure: Configuration process for multi-domain support for SSO]
[Figure: How multi-domain support for SSO works]

Task Summary for Configuring Domain Support for SSO
Access Policy Manager SSO lets you configure either a single domain or multiple domains for SSO. To set up this configuration, follow the procedures in the task list.
Task List
• Configuring an access policy for SSO single domain support
• Configuring an access policy for SSO multi-domain support
• Creating a virtual server for SSO multi-domain support

Configuring an Access Policy for SSO Single Domain Support
These steps apply only if you are setting up your access policy for SSO single domain support.
1. On the Main tab, click Access Policy :: Access Profiles. The Access Profiles List screen opens.
2. From the list, select an access profile in which you want to add SSO capability. The properties screen for that access profile opens.
3. On the Access Profile properties screen, in the SSO/Auth Domains tab, for Domain Mode, select Single Domain.
4. For the SSO Configuration setting, select an available SSO configuration from the list to apply to your access policy.
5. Click Finished.
6. On the Access Profiles List screen, click the name of the access profile for which you want to edit the access policy. The Access Profile properties screen opens for the profile you want to edit.
7. In the Access Policy column, click the Edit link for the profile you want to configure to launch the visual policy editor. The visual policy editor opens the access profile in a separate window or tab.
8. Click the [+] sign anywhere in your access profile to add your new policy action item. An Add Item window opens.
9. For Predefined Actions, under General Purpose, select SSO Credential Mapping, and click Add Item.
10. Click Save.
You have now added SSO capability to your access policy.

Configuring an Access Policy for SSO Multi-Domain Support
A user should be able to connect to any one of the virtual servers that participate in the domain group and receive a request for credentials only once. Subsequent connections to other virtual servers within the domain group should not require the users to provide their credentials.
1. On the Main tab, click Access Policy :: Access Profiles. The Access Profiles List screen opens.
2. From the list, select an access profile in which you want to add SSO capability. The properties screen for that access profile opens.
3. On the Access Profiles properties screen, in the SSO/Auth Domains tab, for Domain Mode select Multiple Domains. When you select Multiple Domains, additional options appear. You should make configuration changes to only the Configure Authentication Domains and Primary Authentication URI settings. The other areas or options are designated for only single domain configuration.
4. For Primary Authentication URI, type the URI the client is directed to, for example http://login.com, in order to receive an Access Policy Manager session. Each domain that you configure indicates the domain the Access Policy Manager session (established by the primary authentication URI) is bound to.
5. For Configure Authentication Domains, click Add and select either Host or Domain from the list, and continue to click Add for each host or domain you want to add.
6. From the SSO Config list, select the configuration that you want to associate with each host or domain.
7. Click Update.

Creating a Virtual Server for SSO Multi-Domain Support
For every domain, a virtual server should be configured.
1. On the Main tab, click Local Traffic :: Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
2. Click the Create button. The New Virtual Server screen opens.
3. Type a unique name for the virtual server.
4. From Access Profile, select the profile you previously configured to attach to the virtual server.
5. Click Finished.
This should be repeated for every domain you specify in your access policy.

Lab 13.1 - Authentication Domains

Lab Objective:
• Create an Authentication Domain with three domains
Estimated time for completion: 25 minutes

Create an Access Profile
1. Before beginning, use ssh to run the following command from the bash command line on BIG-IP:

    tmsh modify sys db apm.rotatesessionid value disable

Note: In BIG-IP version 11.2, F5 introduced a new feature, enabled by default, to provide additional safeguards against session hijacking. However, this feature breaks Multiple Authentication Domains and must be disabled.
2. Create... an Access Profile with the Name my_sites.
3. Edit... the Access Policy for my_sites to include Logon Page and AD Auth actions and an Allow ending. For AD Auth Server use /Common/server1_aaa_srvr.
[Figure: Start, Logon Page, AD Auth with Successful and fallback branches, Allow]

Create Three New Pools
4. Create... Pool my_store_pool with Member (IP Address and Port) 172.16.20.1:80 and HTTP monitor.
5. Create... Pool my_partners_pool with Member 172.16.20.2:80 and HTTP monitor.
6. Create... Pool my_intranet_pool with Member 172.16.20.3:80 and HTTP monitor.

Create Three New Virtual Servers
7. Create... Virtual Server my_store_vs on IP Address and Port 10.10.X.111:443 with Profiles http, clientssl and my_sites, Source Address Translation Auto Map and Default Pool my_store_pool.
8. Click the Repeat button, rather than the Finished button.
9. Repeat for my_partners_vs on 10.10.X.112:443 with my_partners_pool.
10. Click Repeat.
11.
Repeat for my_intranet_vs on 10.10.X.113:443 with my_intranet_pool.
12. Click Repeat.
13. Finally, repeat for my_login_vs on 10.10.X.110:443 with no default pool.
14. Click Finished.

Test the Virtual Servers
15. Navigate to Access Policy :: Manage Sessions. If there are any current sessions, select them and then click Kill Selected Sessions.
16. On the client browser, test using the following hostnames. Log in to each server using the studentX credential. A local DNS server is required to resolve these names; if this fails, manually add entries to the client's local hosts file, C:\Windows\System32\drivers\etc\hosts.
   login.my-store.corp 10.10.X.110
   www.my-store.corp 10.10.X.111
   www.my-partners.corp 10.10.X.112
   www.my-intranet.corp 10.10.X.113
17. Go back to Manage Sessions. You should see four current sessions. This is an important point. Kill the existing sessions in preparation for the next step.

Create a Static Host Entry
18. Navigate to System :: Configuration :: Device :: Hosts.
19. Add a static host using IP Address 10.10.X.110 and Hostname login.my-store.corp.
20. Click Add, then Update.

Change the Access Profile
21. Navigate to Access Profiles. Click on my_sites to edit the Access Profile (as opposed to the adjacent Edit... link, which edits the Access Policy using the VPE).
22. Click the SSO/Auth Domains tab.
23. Change the Domain Mode to Multiple Domains.
24. Set the Primary Authentication URI to https://login.my-store.corp.
25. For Primary Cookie Options, disable Secure Cookie.
26.

 For Authentication Domain Configuration, for Cookie Scope, choose Host from the drop down menu and set the text field to www.my-store.corp. Disable Secure Cookie and click Update.
27. Click Add again, for Cookie Scope set Host, enter www.my-partners.corp and disable Secure Cookie.
28. Click Add again, for Cookie Scope set Host, enter www.my-intranet.corp and disable Secure Cookie.
29. Click Finished and Apply Access Policy.
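A model of the multi-domain session that the test steps below exercise, as an added example (not APM code and not F5's implementation): a browser with per-host cookies visits the three participating hosts, is redirected to the primary authentication URI once, and afterwards carries one shared session, which Kill Selected Sessions removes for every domain. It assumes one session table for all virtual servers on the BIG-IP, the per-host cookie options from this lab's table, and APM's session cookie name MRHSession; the class and method names are this example's own.

```python
"""Model of SSO across authentication domains for the three-domain setup in
this lab (added example, not APM code). Assumptions: one session table shared
by every virtual server on the BIG-IP, a primary authentication URI, per-host
cookie options like the table in the lab, and APM's cookie name MRHSession."""
import secrets
from dataclasses import dataclass


@dataclass
class DomainConfig:
    """One row of the Authentication Domain Configuration table."""
    secure: bool = False        # Secure Cookie
    persistent: bool = False    # Persistent Cookie
    sso_config: str = "None"    # SSO Config for this host


class AccessProfile:
    def __init__(self, primary_auth_uri, domains, primary_secure=False):
        self.primary_auth_uri = primary_auth_uri            # https://login.my-store.corp
        self.login_host = primary_auth_uri.split("://", 1)[1]
        self.domains = domains                               # host -> DomainConfig
        self.primary_secure = primary_secure                 # Primary Cookie Options


class Apm:
    """The BIG-IP side: one access profile, one session table (Manage Sessions)."""

    def __init__(self, profile, users):
        self.profile, self.users = profile, users
        self.sessions = {}                                   # session id -> username

    def access(self, host, sid):
        """Request to a participating virtual server. An established session is
        let through; otherwise the client is redirected to the primary
        authentication URI, which collects the credentials."""
        if host != self.profile.login_host and host not in self.profile.domains:
            raise ValueError(f"{host} is not in the domain group")
        if sid in self.sessions:
            return "ok", self.sessions[sid]
        return "redirect", self.profile.primary_auth_uri

    def logon(self, username, password):
        """The access policy on the primary authentication host (Logon Page and
        AD Auth in this lab) establishes the one session for the whole group."""
        if self.users.get(username) != password:
            return None
        sid = secrets.token_hex(4)                           # 8 hex chars, as in the reports
        self.sessions[sid] = username
        return sid

    def logout(self, sid):
        """Deleting the session signs the user out of every domain at once."""
        self.sessions.pop(sid, None)


class Browser:
    """Browser with per-host cookie storage that follows the APM redirects."""

    def __init__(self, apm, username, password):
        self.apm, self.creds = apm, (username, password)
        self.jar = {}                                        # host -> cookie dict
        self.prompts = 0                                     # logon pages shown

    def _sid(self, host):
        return self.jar.get(host, {}).get("MRHSession")

    def visit(self, host):
        """Returns the username the session is bound to, or None on a bad logon."""
        apm, profile = self.apm, self.apm.profile
        outcome, detail = apm.access(host, self._sid(host))
        if outcome == "ok":
            return detail
        # Redirected to the primary authentication URI. A live session cookie
        # for that host means no new logon page is shown.
        sid = self._sid(profile.login_host)
        if sid not in apm.sessions:
            self.prompts += 1
            sid = apm.logon(*self.creds)
            if sid is None:
                return None
            self.jar[profile.login_host] = {"MRHSession": sid,
                                            "secure": profile.primary_secure}
        # Redirected back to the originating host, which binds the same session
        # to its own cookie using that host's cookie options.
        if host != profile.login_host:
            cfg = profile.domains[host]
            self.jar[host] = {"MRHSession": sid, "secure": cfg.secure,
                              "persistent": cfg.persistent}
        return apm.sessions[sid]

    def logout(self):
        """A logout on any host removes the shared session for all of them."""
        for cookie in self.jar.values():
            self.apm.logout(cookie["MRHSession"])
        self.jar.clear()
```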
Test the Authentication Domain
The configuration should look as follows:
   SSO Across Authentication Domains
   Domain Mode: Multiple Domains
   Primary Authentication URI: https://login.my-store.corp
   Primary Cookie Options: Secure (off), Persistent (off), HTTP Only (off)
   Host | Secure Cookie | Persistent Cookie | HTTP Only Cookie | SSO Config
   www.my-store.corp | No | No | No | None
   www.my-partners.corp | No | No | No | None
   www.my-intranet.corp | No | No | No | None
30. On the client browser, go to https://www.my-partners.corp.
Note: BIG-IP has a self-signed cert; the browser will complain about it twice, due to the redirect.
31. Before you acknowledge the cert problem, note the full redirect URI. To what host was the session redirected?
32. Provide credentials at the logon page.
Note: After login you are redirected back to www.my-partners.corp.
33. In a second tab on the same browser, go to https://www.my-intranet.corp. Note that you were not prompted by BIG-IP for logon credentials.
34. In a third tab on the same browser, go to https://www.my-store.corp. Refresh the first two tabs to prove the sessions are still active.
35. Go back to Manage Sessions. You should see just one session, with the username you entered on the first session. You have three different domains sharing a single session!
Note: Remember to exit your browser and restart a new one between tests.
36. Try deleting the session, then repeating the previous test in a different order: https://www.my-intranet.corp, then https://www.my-partners.corp. What is the expected result?

Lab 13.2 - Authentication Domains with SSO

Lab Objective:
• Add SSO to the Authentication Domain created in the previous lab
Estimated time for completion: 15 minutes

Change All the Pool Members
1. For the following, navigate to Pools, select each pool, then click the Members tab.
   To my_store_pool, Add... 172.16.20.6:80, then Remove 172.16.20.1:80
   To my_partners_pool, Add... 172.16.20.7:80, then Remove 172.16.20.2:80
   To my_intranet_pool, Add... 172.16.20.8:80, then Remove 172.16.20.3:80
2.
2. From the client browser, connect to https://www.my-partners.corp and https://www.my-intranet.corp to confirm the site prompts for Basic Auth authentication, in addition to the LTM logon page.
   Note: IE and Chrome may require a Windows reboot to resolve the new IP addresses, but Firefox will work correctly.

Configure a Basic Auth

3. From the admin browser, navigate to Access Policy :: SSO Config.
4. Create basic_auth_sso using SSO Method HTTP Basic.

Update the Access Profile

5. Navigate to Access Profiles. Edit my_sites; inside SSO/Auth Domains, enable the Secure and Persistent Cookie Options for the Primary Authentication URI.
6. Also edit each Authentication Domain entry, enable the Secure and Persistent Cookie options and set the SSO Configuration to basic_auth_sso.

[Screenshot: SSO Across Authentication Domains after the change, with Domain Mode Multiple Domains, Primary Authentication URI https://login.my-store.corp, Persistent and Secure Primary Cookie Options enabled, and the www.my-store.corp, www.my-partners.corp and www.my-intranet.corp entries each showing Persistent Cookie Yes, Secure Cookie Yes and SSO Config basic_auth_sso.]

7. Click Update.

Update the Access Policy

8. Click the Access Policy tab, then click Edit Access Policy for Profile "my_sites" to edit the Access Policy.
9. In the VPE, after the Logon Page action, add the SSO Credential Mapping action, in the Assign tab. Use the default settings and click Save.
10. The visual policy should look like this:

    Start -> Logon Page -> SSO Credential Mapping -> AD Auth -> (Successful) -> Allow

11. Don't forget to Apply Access Policy.

Test SSO on the Authentication Domain

12. Navigate to Manage Sessions and kill any remaining sessions.
13. On the client browser, go to https://www.my-partners.corp.
    Note the redirect back to www.my-store.corp, for the BIG-IP login page.
    After the login, the session is redirected back to www.my-partners.corp and single sign-on is performed transparently to the user.
14. In a new tab in the same browser, go to https://www.my-intranet.corp.
    Note: The user is automatically logged in, without providing credentials to either BIG-IP or the web site. This is multi-domain SSO.
15. On the admin browser, navigate to Manage Sessions and confirm that there is only a single session.

Optional Lab 13.3 - Web App Access Logout

Lab Objective:
* Log the user out of the BIG-IP authentication domain.

Estimated time for completion: 5 minutes

Confirm the Logout Link has no Effect on the Session

1. Click the Logout link on the page. Then click the browser Back button and the Refresh button. Now click the other site links on the browser page.

Configure Logout URI

2. Navigate to the my_sites Access Profile.
3. Configure the Logout URI Include for the /logout.html URL.
4. Remember to click Update and Apply Access Policy.

Confirm the Logout Link Now Works

5. Navigate to Manage Sessions and kill any current sessions.
6. Close and reopen the client browser.
7. Connect to one of the following:
   https://www.my-partners.corp
   https://www.my-intranet.corp
   https://www.my-store.corp
8. Click several site links on the browser page.
9. Click the Logout link and the Refresh button on the browser page.
10. Can you browse to any of the above pages?

Note: This functionality only works with LTM Web Apps (LTM+APM mode). It does not currently work with Network Access, Application Access or Portal Access.

Lab 13.4 — Configuration Backup

Lab Objective:
* Create a backup archive

Save the Configuration

1. Create an archive named studentX_labs1-13.
2. Download the new archive to your desktop.

Chapter 14 — SAML and Customization

SAML Overview

SAML Introduction

Security Assertion Markup Language (SAML) defines a common XML framework for creating, requesting, and exchanging authentication and authorization data among entities known as Identity Providers (IdPs) and Service Providers (SPs).
This exchange enables single sign-on among such entities.

An IdP is a system or administrative domain that asserts information about a subject. The information that an IdP asserts pertains to authentication, attributes, and authorization. An assertion is a claim that an IdP makes about a subject.

A Service Provider is a system or administrative domain that relies on information provided by an IdP. Based on an assertion from an IdP, a service provider grants or denies access to protected services.

In simple terms, an IdP is a claims producer and a service provider is a claims consumer. An IdP produces assertions about users, attesting to their identities. Service providers consume and validate assertions before providing access to resources.

SAML 2.0 is an OASIS open standard. The SAML core specification defines the structure and content of assertions.

SAML Metadata

SAML metadata specifies how configuration information is defined and shared between two communicating entities: a SAML Identity Provider (IdP) and a SAML service provider. Service provider metadata provides information about service provider requirements, such as whether the service provider requires a signed assertion, the protocol binding support for endpoints (AssertionConsumerService), and which certificates and keys to use for signing and encryption. IdP metadata provides information about IdP requirements, such as the protocol binding support for endpoints (SingleSignOnService), and which certificate to use for signing and encryption.

Benefits of Using APM for SAML Support

Access Policy Manager as a SAML Identity Provider (IdP)

When you use Access Policy Manager® (APM™) as a SAML IdP, APM can authenticate and generate assertions for a user who can then gain access to resources protected by SAML. APM provides SAML assertions (claims) that service providers verify and consume.
In this role, APM acts as an authentication server and provides single sign-on to service provider resources.

Access Policy Manager as a SAML Service Provider

When you use APM as a SAML service provider, APM consumes SAML assertions (claims) and validates their trustworthiness. After successfully verifying the assertion, APM creates session variables from the assertion contents. In an access policy, you can use these session variables to finely control access to resources and to determine which ACLs to assign. Based on the values of session variables, you can create multiple branches in the policy, assigning different resources and different ACLs on each branch. When it runs, the access policy follows a branch depending on the values of session variables.

Federation

APM systems operate with one another when one APM system is configured as an IdP and other APM systems are configured as service providers. This allows a user to authenticate with one APM acting as an IdP, and then use any number of APM systems, serving as service providers, without having to re-authenticate.

Configuring BIG-IP as a SAML Identity Provider

Configure BIG-IP as a SAML identity provider when you want it to provide single sign-on authentication service for a group of external SAML service providers.

Configuring BIG-IP as a SAML Service Provider

Configure BIG-IP as a SAML service provider when you want it to protect services that are behind it. Direct users to an external SAML identity provider for authentication.

IdP-initiated and Service Provider-initiated Client Connections

Access Policy Manager supports client connections that initiate at the IdP or at the service provider.
Customization Overview

Lesson Objective:
During this lesson, you will learn about the facilities that APM provides to customize the product for different working environments.

Customization overview

As already seen in previous modules, BIG-IP® Access Policy Manager™ offers various options while configuring resources to customize the look and feel of what is presented to the users of the system. Some examples are:
* Ability to add captions to resources
* Ability to change the text of prompts and messages displayed, for example in the Logon Page or Message Box actions
* Ability to display or not to display some items to a user
* Ability to display different images and colors

In addition, Access Policy Manager provides a single facility to manage the customization system wide. This configuration tool is available by expanding Access Policy in the main navigation pane and choosing the Customization option. The following screen opens.

Example Customization Tool Quick Start view.

The configuration tool offers two views, Quick Start (or Basic) and Advanced. The Quick Start view offers basic customization options for the various resources that are available on the APM system. The view can be toggled using the View drop-down menu.

Example Customization Tool Advanced Mode.

Quick Start or Basic Customization view

You can use the Basic Customization view to configure common settings for access profile web pages, and the webtop captions, descriptions, and images for any item that appears on a full webtop. In addition, you can customize webtop font size and link colors.
With this view, you can customize:
* Common Page Styles - Specifies settings for the logon form display, header image, and alignment of items
* Webtop items - Specifies settings for the display of resources (app tunnels, remote desktops, network access tunnels, webtop links, and portal access resources) on the full webtop
* Common webtop settings - Specifies display settings that apply to all resources on the full webtop
* Webtop links - Specifies display settings that apply to all resources on the full webtop

Basic Customization

Start Basic customization to configure custom settings for access profiles and items that appear on the full webtop. Basic customization provides a starting point that you can later refine through the Advanced Customization view.

1. From the Main tab, click Access Policy > Customization > Quick Start. The Basic Customization view opens.
2. In the left column of the page, select the category of items to customize. For example, select Network Access to customize the appearance of a network access resource item on the full webtop.
3. On the right side of the page, from the list, select the specific item for which you want to customize settings. The customizable settings for the item are displayed.
4. Configure settings for the resource item or access profile. After you customize settings, click Save to save the new customization settings. To return to the original settings and discard your changes, click Revert.

Example Customization Tool basic view of a Network Access resource.

Advanced Customization View

1. From the Main tab, click Access Policy > Customization > Advanced. The Advanced Customization view opens.
2. In the left column of the page, select the category of items to customize.
For example, select Webtops to customize the appearance of a full webtop. Click on the (+) sign to expand all the available webtops.

Example Customization Tool Advanced view.

3. Choose a particular webtop and click on its (+) sign to expand it further into the various customizable settings for the webtop resource.
4. On the right side of the page, from the list, select the specific item for which you want to customize settings. The selected view is at Branding, showing the colors, logos and icon images associated with the webtop.

Example Customization Tool Advanced Branding view.

5. Change the selected view to Localization and it shows the common text messages.

Example Customization Tool Advanced Localization view.

6. Click on Full Webtop Settings. The text message the user sees on the webtop can be altered by clicking on the existing message in the right-hand window pane and entering new text.

[Screenshot: Full Webtop Settings, Language: English (en), listing the Network Access, Network Access Toolbar and Help messages with the welcome message selected for editing.]

7. Enter the new text and press Return, then click on the Save icon above the page. The new text is saved for use by the existing webtop. For example:

Example Full Webtop with customized message in the top right-hand side.

The Language setting can be altered to allow customization to suit your geographical location.
For example:

Example Full Webtop Localization with messages listed in Spanish.

Branding View, Adding an Image

The branding view allows customization of the icons, images, and colors displayed in the APM components. The images are stored in a library on the APM system. To replace an existing image with one of your own, the image first needs to be uploaded to the APM library so that it can be referenced within the customization screen options.

As an example, here are the steps to add an image and replace the one used in the Logon Page right-hand-side main window.

Upload an Image to the Library

1. Click the Image Browser icon on the top right of the Advanced Customization screen. The image browser window opens.
2. Click Filter Images :: Default Images and the browser displays the default APM images.
3. Click Add Image. If using Microsoft Internet Explorer, a Windows Explorer window opens to browse your local system files. Enter the location of the local image repository; for example, in Microsoft Windows 7 it is C:\Users\Public\Pictures\Sample Pictures.
4. Click on the image you wish to upload. The image should be added to the library and displayed within the Image Browser with the Filter Images option set to User Uploaded Images.
5. Close the browser.

Change the Logon Page Default Image

1. Locate the Access Policy that contains the Logon Page item you wish to customize within the Advanced Customization view.
2. Choose the Branding tab.
3. Click on the right-hand-side Value box for the image you wish to change.
4. A new window opens, allowing the new image to be chosen.
Choose the image you wish to set and click Change.
5. Click the Save icon.
6. Click Apply Access Policy if prompted.
7. Log in to the virtual server using the policy and Logon Page item you customized, and it should show the new image that you uploaded displayed in the main window on the right-hand side.

Example Logon Page with customized image.

Note: You can switch back to the default system image by clicking on the Value box and clicking the Restore Default button.

Preview Mode

You can preview what pages will look like by clicking the Preview icon on the top of the Advanced Customization window. For example, here is a Logon Page item from inside an Access Policy to which we have added a third field. This is exactly what is seen when connecting to the virtual server using that APM policy.

Example preview of a Logon Page item.

BIG-IP Edge Client

To personalize client pages, you use BIG-IP® Edge Client® customization. You can change the branding and localization of the BIG-IP Edge Client on client PCs and devices.

Personalizing client colors, logos, and icons

In a connectivity profile, you can customize the appearance of the BIG-IP® Edge Client® and the web client. The settings you specify are saved with the connectivity profile, and applied when users download the client package.

1. On the Main tab, click Access Policy > Customization. The Customization tool appears, in Basic Customization view.
2. From the View list, select Advanced Customization. The Customization tool switches to Advanced (tree) view.
3. In Advanced Customization view, from the Form Factor menu at the top of the Customization tool, select BIG-IP Edge Client.
4. Under Form Factor: BIG-IP Edge Client, select the Branding tab.
5. Expand the folders in the Customization tool navigation pane to select the BIG-IP Edge Client in Customization Settings > Connectivity Profiles > name_of_connectivity_profile > BIG-IP Edge Client.
6. Customize the settings for BIG-IP Edge Client branding.
7. After you customize settings, click the Save icon at the top of the Customization tool.

As before, you can preview these customization settings using the Preview option.

Example BIG-IP Edge Branding settings.

Localizing Screen Appearance for BIG-IP Edge Client

Configure localization for BIG-IP® Edge Client to change the messages and text in the BIG-IP Edge Client application.

1. On the Main tab, click Access Policy > Customization. The Customization tool appears, in Basic Customization view.
2. From the View list, select Advanced Customization. The Customization tool switches to Advanced (tree) view.
3. In Advanced Customization view, from the Form Factor menu at the top of the Customization tool, select BIG-IP Edge Client.
4. Under Form Factor: BIG-IP Edge Client, select the Localization tab.
5. Expand the folders in the Customization tool navigation pane to select the BIG-IP Edge Client in Customization Settings > Connectivity Profiles > name_of_connectivity_profile > BIG-IP Edge Client.
6. At the top right side of the customization settings pane, select the Language for which to customize localization messages for the BIG-IP Edge Client.
7. Customize the settings for BIG-IP Edge Client localization.
8. After you customize settings, click the Save icon at the top of the Customization tool.

[Screenshot: Customization tool in Advanced view with Form Factor: BIG-IP Edge Client selected.]

This opens a new window with a choice of two areas, Access Profiles and Webtops.

[Screenshot: Advanced Customization Editor window.]

Each section can be expanded to show the components there and how they are linked to the Access Policy Manager object. For example, this screen shows the file 'logon.inc' associated with the Logon Page defined for the 'ap-lab3' access policy:

[Screenshot: Advanced Customization Editor showing logon.inc for the 'ap-lab3' access policy.]

The code can be viewed by scrolling up and down using the scroll bar on the right-hand side of the Advanced Customization Editor window. It can also be edited directly inside the window.

Note: If you are editing a large amount of these files, it is recommended that you copy and paste the code into your favourite editor and work on it there. Once satisfied with its statements and layout (typically the indentation), you can copy it back in.

Once you have finished editing, click Save Draft at the top right of the window.

You will be prompted to save the changes.

[Screenshot: Save Draft confirmation prompt over the logon.inc editor.]

Then click the Save icon at the top of the screen to save all changes, and then update the Access Policy so the effect takes place on next login. You can also choose not to keep your edits by using the Revert icon.
If so, you will be prompted as follows:

[Screenshot: Revert confirmation prompt.]

More Information

The customization tool provides online Help. Click the "? Help" icon on the top right of the

For more detailed information on the various Customization settings and other advanced features, refer to the BIG-IP Access Policy Manager Customization Guide and the Configuration Guide for BIG-IP Access Policy Manager.

Lab 14.1 — Customization Tool

Lab Objective:
* Customize an APM policy using the Customization Tool.

Estimated time for completion: 10 minutes

Lab Requirements:
* Existing APM configuration with several resources attached to a virtual server. Use the web_ui_vs policy attached to the virtual server https://10.10.X.104.

Select a Virtual Server and Its Policy to Customize

1. Navigate to Local Traffic :: Virtual Servers and select web_ui_vs.
2. Change the Access Policy back to web_ui.
3. Connect to https://10.10.X.104, log in as studentX/studentX and observe the current look and feel of the logon page and webtop.
4. Navigate to Access Policy :: Customization :: Advanced.
5. Select the Localization tab.
6. Using the plus (+) sign, expand Customization Settings, then Webtops, then /Common/web_ui_webtop, then click on Full Webtop Settings.
7. Change Applications and Links to Corporate Favorites, change Header Message to Welcome to My Company, and change Network Access to Secure VPN Access.
8. Click the Save button.
9. Click Apply Access Policy.
10. Connect to https://10.10.X.104 and observe the new captions. The logon page should show a new
11. Return to Access Policy :: Customization :: Advanced.
12. Click Preview. A new window opens.
13. Expand Access Profiles, expand /Common/web_ui, expand Access Policy, expand Logon Pages, click on Logon Page. The right-hand window should show your new customized Logon Page.
Add a New Image to Display on the Logon Page

14. Refer to the steps detailed earlier in this module to add an image from your local PC client to the APM library and then alter the Logon Page.
15. Connect to https://10.10.X.104 and observe the new image.

Lab 14.2: Customized Logon Page

Lab Objective:
* Customize an Access Policy Logon Page

Estimated time for completion: 10 minutes

Lab Requirements:
* Use the existing virtual server, https://10.10.X.104, the existing remote desktop resource, rdp_aa_res, and the existing full webtop, web_ui_webtop.

Note: As we have already covered most of the item creation process in earlier labs, not all the steps are fully detailed here.

Create a New Access Profile

1. Create a new access profile with the name domain and select English as an Accepted Language.

Edit the Access Policy

2. Edit the Access Policy as shown below.
3. Edit the Logon Page action to add the Domain in both the Logon Page Agent and Customization sections as shown below.
4. For the Advanced Resource Assign action, add rdp_aa_res and web_ui_webtop. Add a few other resources to round out the APM webtop.

[Screenshot: Logon Page Agent settings, CAPTCHA Configuration None, with three input fields: #1 Type text, Post Variable Name username, Session Variable Name username; #2 Type password, Post Variable Name password, Session Variable Name password; #3 Type text, Post Variable Name domain, Session Variable Name domain; Read Only No for each.]
[Screenshot: Logon Page Customization settings, Form Header Text "Secure Logon for F5 Networks", Logon Page Input Field #1 Username, Logon Page Input Field #2 Password, Logon Page Input Field #3 Domain.]

Customize the Logon Page

5. Go to Access Policy :: Customization.
6. Change View from Basic Customization to Advanced Customization.
7. Change Edit Mode to Advanced.
8. In the left navigation pane, drill down to Customization Settings :: Access Profiles :: /Common/domain :: Access Policy :: Logon Pages :: Logon Page :: logon.inc.
9. In the editor window, scroll down to line 364, as shown here.

360 |
361 |   disableSubmit(form);
362 |   return true;
363 | }
364 |
365 | //-->
366 |
367 |
368 |
369 |
370 |
371 |
372 | include_customized_page("general_ui", "header.inc");

10. Insert the JavaScript text at line 364 exactly as shown. Line 369 also needs to be modified.
    Note: Line 369 will be line 385 after the edits. Confirm it has been modified as shown below.

365 | function dropdown() {
366 |   var allTDs = document.getElementsByTagName("td");
367 |   for (var i = 0; i < allTDs.length; i++) {
368 |     if (allTDs[i].innerHTML.indexOf('domain') > 0 && allTDs[i].innerHTML.indexOf(
369 |       var replacetext = '<label for="text">Domain Name' + '