apm profile access

apm profile access(1)					BIG-IP TMSH Manual				     apm profile access(1)

NAME
       access - Configures an access profile.

MODULE
       apm profile

SYNTAX
       Configure the access component within the profile module using the syntax shown in the following sections.

   CREATE/MODIFY
	create access [name]
	  options:
	    accept-languages [add | delete | modify | replace-all-with] {
	      [name]
	    }
	    access-policy [[string] | none]
	    access-policy-timeout [integer]
	    app-service [[string] | none]
	    cache-generation [integer]
	    customization-group [[string] | none]
	    default-language [[string] | none]
	    defaults-from [[string] | none]
	    domain-cookie [[string] | none]
	    domain-groups [add | delete | modify | replace-all-with] {
	      [name]
	    }
	    domain-mode [single-domain | multi-domain]
	    user-identity-method [http | ip-address]
	    enforce-policy [true | false]
	    eps-group [[string] | none]
	    errormap-group [[string] | none]
	    framework-installation-group [[string] | none]
	    general-ui-group [[string] | none]
	    generation-action [increment | noop]
	    httponly-cookie [true | false]
	    inactivity-timeout [integer]
	    logout-uri-include [add | delete | modify | replace-all-with] {
	      [name]
	    }
	    logout-uri-timeout [integer]
	    log-settings [add | delete | modify | replace-all-with] {
	       [name]
	    }
	    max-concurrent-sessions [[integer] | none]
	    max-concurrent-users [[integer] | none]
	    max-failure-delay [integer]
	    max-in-progress-sessions [[integer] | none]
	    max-session-timeout [integer]
	    min-failure-delay [integer]
	    oauth-profile [[oauth-profile-name] | none]
	    persistent-cookie [true | false]
	    primary-auth-service [[string] | none]
	    restrict-to-single-client-ip [true | false]
	    sandboxes [add | delete | modify | replace-all-with] {
	      [name] { retain-public-access [true|false] }
	    }
	    scope [profile | virtual-server | global | named | public]
	    named-scope [[string] | none]
	    secure-cookie [true | false]
	    sso-name [[string] | none]
	    type [all | identity-service | ltm-apm | oauth-resource-server | rdg-rap | ssl-vpn | sso | swg-explicit | swg-transparent | system-authentication]
	    use-http-503-on-error [true | false]

	modify access [name]
	  options:
	    accept-languages [add | delete | modify | replace-all-with] {
	      [name]
	    }
	    access-policy [[string] | none]
	    access-policy-timeout [integer]
	    app-service [[string] | none]
	    cache-generation [integer]
	    customization-group [[string] | none]
	    default-language [[string] | none]
	    defaults-from [[string] | none]
	    domain-cookie [[string] | none]
	    domain-groups [add | delete | modify | replace-all-with] {
	      [name]
	    }
	    domain-mode [single-domain | multi-domain]
	    user-identity-method [http | ip-address]
	    enforce-policy [true | false]
	    eps-group [[string] | none]
	    errormap-group [[string] | none]
	    framework-installation-group [[string] | none]
	    general-ui-group [[string] | none]
	    generation-action [increment | noop]
	    httponly-cookie [true | false]
	    inactivity-timeout [integer]
	    logout-uri-include [add | delete | modify | replace-all-with] {
	      [name]
	    }
	    logout-uri-timeout [integer]
	    log-settings [add | delete | modify | replace-all-with] {
	       [name]
	    }
	    max-concurrent-sessions [[integer] | none]
	    max-concurrent-users [[integer] | none]
	    max-failure-delay [integer]
	    max-in-progress-sessions [[integer] | none]
	    max-session-timeout [integer]
	    min-failure-delay [integer]
	    oauth-profile [[oauth-profile-name] | none]
	    persistent-cookie [true | false]
	    primary-auth-service [[string] | none]
	    restrict-to-single-client-ip [true | false]
	    sandboxes [add | delete | modify | replace-all-with] {
	      [name] { retain-public-access [true|false] }
	    }
	    scope [profile | virtual-server | global | named | public]
	    named-scope [[string] | none]
	    secure-cookie [true | false]
	    sso-name [[string] | none]
	    use-http-503-on-error [true | false]

	edit access [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties

   DISPLAY
	list access
	list access [ [ [name] | [glob] | [regex] ] ... ]
	show running-config access
	show running-config access [ [ [name] | [glob] | [regex] ] ... ]
	  options:
	    all-properties
	    non-default-properties
	    partition

	show access
	show access [name]

   DELETE
	delete access [name]

DESCRIPTION
       You can use the access component to configure an access profile. An access profile is a pre-configured group of settings
       that you can use to configure secure Network Access for an application.

EXAMPLES
       create access MyAccessProfile { defaults-from access access-policy "my_access_policy" accept-languages
       { my_accepted_languages } default-language "en" customization-group "company_logout" eps-group "myepsgroup"
       framework-installation-group "company_header" "company_footer" errormap-group "company_errormap" }
	    Creates an access profile named MyAccessProfile that is based on the default access profile named access, uses the
	    access policy named my_access_policy, accepts the languages in the my_accepted_languages class, uses English as the
	    default language, and uses these groups to customize the application pages and messages: company_logout,
	    company_header, company_footer, and company_errormap.

       list access all all-properties
	    Displays a list of access profiles, including parameter values.

       delete access MyAccessProfile
	    Deletes the access profile named MyAccessProfile.

OPTIONS
       accept-languages
	    Specifies the name of a class that defines the languages supported by the access profile. The default languages are en
	    (English), ja (Japanese), zh-cn (simplified Chinese (PRC)), and zh-tw (traditional Chinese (Taiwan)). This option is
	    required.

       access-policy
	    Specifies the access policy that you want to enforce using this access profile. An access policy contains various
	    security checks that a client must pass before the BIG-IP Access Policy Manager grants access to a protected
	    application. This option is required.

       access-policy-timeout
	    Specifies, for this access profile, the number of seconds within which a user must complete the steps to gain access
	    to an application. The default is 300 seconds. This option is designed to quickly release session resources when a
	    user does not complete the access process, for example, when the user closes the browser before completing the access
	    process.

       app-service
	    Specifies the name of the application service to which the object belongs. The default value is none. Note: If the
	    strict-updates option is enabled on the application service that owns the object, you cannot modify or delete the
	    object. Only the application service can modify or delete the object.

       customization-group
	    Specifies the customization group that defines the appearance of the logout and error pages. This option is required.

       default-language
	    Specifies the default language for the BIG-IP Access Policy Manager that you want to implement with this access
	    profile. The default is en (English). If the client requests a language that is not supported, the BIG-IP Access
	    Policy Manager uses the default value. This option is required.

       defaults-from
	    Specifies the default access policy from which this profile is created. This option is required.

       domain-cookie
	    Specifies a domain cookie to use with an application access control connection. If you specify a domain cookie, then
	    the line domain=specified_domain is added to the MRHsession cookie. The default is none.

       domain-groups
	    Specifies a group of multiple domains or multiple hosts in multiple domains to which a single user session has access.
	    For example, you can use this option to configure a single user session to have access to three domains: www.a.com,
	    www.b.com, and www.c.com. When a user logs in to any of these domains, that user can access the other domains without
	    logging in again. This option is required when you set the domain-mode option to multi-domain. This option is ignored
	    when you set the access domain-mode option to single-domain.

	    For each domain in the domain group, you can specify the following settings:

	    cookie-host
		 Specifies the host name for which to create the user's session cookie.

	    cookie-domain
		 Specifies the domain for which to create the user's session cookie.

	    secure-cookie
		 Adds a security attribute to the user's session cookie.

	    persistent-cookie
		 Adds a persistence attribute to the user's session.

	    sso-name
		 Specifies the SSO method to use when accessing a backend application.

       domain-mode
	    Specifies how the SSO configuration is applied. The options are:

	    single-domain
		 Applies the SSO configuration to a single domain. This is the default.

		 When you set domain-mode to single-domain, you must also set the sso-name option.

	    multi-domain
		 Applies the SSO configuration across multiple domains. This option allows users a single APM login/session and
		 applies the credentials across multiple Local Traffic Manager or Access Policy Manager virtual servers in front
		 of different domains. Note that to apply SSO configurations across multiple domains, all virtual servers must be
		 on one BIG-IP system.

		 When you set domain-mode to multi-domain, you must also configure the domain-group option, and provide a URI for
		 the primary-auth-service option.

       user-identity-method
	    Specifies how the access profile binds a session to a request.

	    http Uses HTTP information, such as cookies and the URI query string, to identify the user.

	    ip-address
		 Uses the client IP address to identify the user. Do not use this setting if clients may be behind a NAT.

       enforce-policy
	    Set this option to false if you do not want to enforce the access policy. The default is true, which means the access
	    policy is always enforced. This option can be modified only for profiles of type swg-transparent.

       eps-group
	    This option is required.

       errormap-group
	    Specifies the customization settings for the error map that you want to implement with this access profile. This
	    setting is required.

       framework-installation-group
	    Specifies the customization settings for the header and footer that you want to implement with this access profile.
	    This setting is required.

       general-ui-group
	    Specifies the general user interface customization group for this access profile. This option is required.

       generation-timeout
	    Specifies the timeout, in seconds, for the new generation access configuration.

       generation-action
	    increment
		 Activates the current access policy configuration for an access profile. For example, the following command
		 activates the current access policy configuration for the profile myAccessProfile: tmsh modify apm profile
		 access myAccessProfile generation-action increment

	    noop Specifies that no operation is performed. This is the default.

	    sync Indicates that the policy is being modified by an APM policy sync operation. This is an internal action; do
		 not set it.

       httponly-cookie
	    Specifies whether the HttpOnly attribute is inserted in the session cookie that BIG-IP sets in its HTTP response.
	    When the attribute is set, the client browser prevents scripts from accessing the cookie. The default is false.

       inactivity-timeout
	    Specifies, for this access profile, the number of seconds that the session on the client can be idle before the server
	    disconnects the VPN tunnel. The default is 900 seconds.

       logout-uri-include
	    Specifies a list of URIs to include in the access profile for initiating session logout.

       logout-uri-timeout
	    Specifies the timeout used to delay logout for the customized logout URIs defined in the logout-uri-include list.

       log-settings
	    Specifies one or more log-setting containers to associate with this profile.

       max-concurrent-sessions
	    Specifies, for this access profile, the number of concurrent sessions allowed. The default is 0 (zero), which
	    represents unlimited sessions. Users assigned an administrative role of Application Editor can view the value of this
	    option. Users assigned any other administrative role can modify this option.

       max-concurrent-users
	    Specifies, for this access profile, the number of concurrent sessions allowed. The default is 0 (zero), which
	    represents unlimited sessions. This field is Read-only for Application Editors. Users assigned any other
	    administrative role can modify this field.

       max-failure-delay
	    Specifies the maximum random delay after authentication failure during the access policy. It is the maximum number of
	    seconds before the user is shown an error message on the logon page and prompted to re-enter credentials. The default
	    is 5 seconds. 0 (zero) represents no delay. Note: Set max-failure-delay to no more than one-half the
	    access-policy-timeout value and no more than 65 seconds greater than min-failure-delay.

       max-in-progress-sessions
	    Specifies the maximum number of in-progress concurrent sessions a user can have. The in-progress sessions are the
	    sessions for which an access policy has not completed. The default is 0, which represents an unlimited number of such
	    sessions.

       max-session-timeout
	    Specifies the maximum lifetime of one session. The maximum lifetime is the number of seconds between session creation
	    and session termination.

       min-failure-delay
	    Specifies the minimum random delay after authentication failure during the access policy. It is the minimum number of
	    seconds before the user is prompted for credentials again or shown an error message on the logon page. The default is
	    2 seconds.

       [name]
	    Specifies the name of the access profile. This option is required.

       oauth-profile
	    Specifies an OAuth profile for use with an OAuth Authorization Server.

       persistent-cookie
	    When set to true, retains the cookie for a user session even after the user session is terminated. Although this is
	    an insecure method, it is useful and required where a third-party application, such as SharePoint, needs to store the
	    cookie in a local database so that any attempt to access backend server applications through Access Policy Manager
	    succeeds. The default is false.

       primary-auth-service
	    Specifies the address of your primary authentication URI. This setting is required when you set the domain-mode option
	    to multi-domain.

	    For example, when you set this option to https://logon.yourcompany.com, the user session is stored on this primary
	    domain, and the user can access multiple backend applications from multiple domains and hosts without re-entering
	    credentials.

       restrict-to-single-client-ip
	    Specifies whether a user session is tied to a single client IP address. If the client IP address changes during the
	    session's lifetime, the current session is terminated and the user must log in again to create a new session from the
	    new client IP address. The default is false.

       sandboxes
	    Specifies the association between the access profile and the sandbox. If retain-public-access is set to true, this
	    association is retained even if there is no resource that uses sandbox files in the access policy that corresponds to
	    this access profile.

       scope
	    Specifies the confining scope for sessions created by the profile. Set this option to profile (the default) to
	    confine the validity of a session to the profile from which it was created. Set this option to virtual-server to
	    further confine the validity of a session to the virtual server from which it was created. Setting this option to
	    global allows the session to be valid on any virtual server with any access profile that also specifies global scope.
	    Setting this option to named allows the session to be valid on any virtual server with an access profile that uses
	    the same named-scope value. The public value is allowed only for SSL Orchestrator (SSLO) access profiles, and no
	    sessions are created.

       named-scope
	    Specifies the string to which the validity of a session is confined. This setting is required when you set the scope
	    option to named.

       secure-cookie
	    Set this option to true to add the Secure attribute to the session cookie. Set this option to false if you want to
	    configure an application access control scenario that uses an HTTPS virtual server to authenticate the user and then
	    sends the user to an existing HTTP virtual server to use applications. The default is true.

       sso-name
	    Specifies the SSO configuration that you want BIG-IP Access Policy Manager to use to submit the user's credentials to
	    the backend application. This allows the user to log in once to the Access Policy Manager and then gain access to
	    backend applications without logging in again.

       type Specifies the type of access profile. You can specify the following types for an access profile.

	    all  Supports ltm-apm and ssl-vpn access types.

	    identity-service
		 Used internally to provide identity service for a supported integration. Only APM creates this type of profile.

	    ltm-apm
		 For web access management configuration.

	    oauth-resource-server
		 Supports apps and devices that use OAuth tokens but do not support cookies.

	    rdg-rap
		 For validating connections to hosts behind APM when APM acts as a gateway for RDP clients.

	    ssl-vpn
		 For network access, portal access, or application access.

	    sso  For configuring matching virtual servers for Single Sign-On (SSO).

	    swg-explicit
		 For Secure Web Gateway explicit forward proxy.

	    swg-transparent
		 For Secure Web Gateway transparent forward proxy.

	    system-authentication
		 For configuring administrator access to the BIG-IP system (when using APM as a pluggable authentication module).

       use-http-503-on-error
	    Set this option to true to use HTTP response code 503 for error pages sent by BIG-IP Access Policy Manager to clients.
	    Set this option to false to use HTTP response code 200. The default is false.
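
       The script below is an added example, not part of this manual page or of F5's tooling. It parses the
       brace-structured text that `tmsh list apm profile access all-properties` prints (one setting per line with
       nested braces indented, which the parser assumes) and checks each profile against the rules stated in the
       OPTIONS section: the domain-mode and scope dependencies, the failure-delay limits relative to
       access-policy-timeout and min-failure-delay, and the cookie, scope and client-IP settings described as weaker.
       The sample listing, its profile names and its values are constructed for the example.

```python
"""Audit BIG-IP APM access profile settings parsed from `tmsh list` output.

Added example, not part of the tmsh manual page or of F5's tooling. Rules and
defaults follow the option descriptions on the page; the listing is constructed."""
import re

# Constructed sample in the shape of `tmsh list apm profile access all-properties`
# output, trimmed to the audited settings; profile names and values are made up.
SAMPLE_LISTING = """\
apm profile access /Common/portal-prod {
    access-policy-timeout 300
    httponly-cookie true
    max-failure-delay 5
    min-failure-delay 2
    persistent-cookie false
    restrict-to-single-client-ip true
    scope profile
    secure-cookie true
}
apm profile access /Common/legacy-app {
    accept-languages { en ja }
    access-policy-timeout 60
    domain-groups {
        intranet.example.com {
            cookie-domain example.com
        }
    }
    domain-mode multi-domain
    httponly-cookie false
    max-failure-delay 90
    min-failure-delay 2
    named-scope none
    persistent-cookie true
    primary-auth-service none
    restrict-to-single-client-ip false
    scope named
    secure-cookie false
}
"""

_HEADER = re.compile(r"^apm profile access (\S+) \{$")
_ONE_LINE_SET = re.compile(r"^(\S+) \{\s*(.*?)\s*\}$")  # accept-languages { en ja }
_BLOCK_START = re.compile(r"^(\S+) \{$")                 # domain-groups {

def parse_listing(text):
    """Turn tmsh list output into {profile: {setting: value}}; nested braces
    become nested dicts and one-line sets become lists."""
    profiles, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif (m := _HEADER.match(line)) and not stack:
            profiles[m.group(1)] = {}
            stack.append(profiles[m.group(1)])
        elif m := _ONE_LINE_SET.match(line):
            stack[-1][m.group(1)] = m.group(2).split()
        elif m := _BLOCK_START.match(line):
            stack[-1][m.group(1)] = child = {}
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip().strip('"')
    if stack:
        raise ValueError("unbalanced braces in tmsh listing")
    return profiles

def audit_profile(s):
    """Return (setting, reason) findings for one profile's settings dict."""
    f = []
    mode, scope = s.get("domain-mode", "single-domain"), s.get("scope", "profile")
    if mode == "multi-domain" and s.get("domain-groups", "none") == "none":
        f.append(("domain-groups", "required when domain-mode is multi-domain"))
    if mode == "multi-domain" and s.get("primary-auth-service", "none") == "none":
        f.append(("primary-auth-service", "required when domain-mode is multi-domain"))
    if scope == "named" and s.get("named-scope", "none") == "none":
        f.append(("named-scope", "required when scope is named"))
    if scope == "global":
        f.append(("scope", "session is valid on every virtual server whose profile also uses global scope"))
    if s.get("secure-cookie", "true") == "false":
        f.append(("secure-cookie", "Secure attribute missing; the session cookie can be sent over plain HTTP"))
    if s.get("httponly-cookie", "false") == "false":
        f.append(("httponly-cookie", "HttpOnly missing; page scripts can read the session cookie"))
    if s.get("persistent-cookie", "false") == "true":
        f.append(("persistent-cookie", "cookie kept after the session ends; the manual calls this insecure"))
    if s.get("restrict-to-single-client-ip", "false") == "false":
        f.append(("restrict-to-single-client-ip", "session survives a change of client IP address"))
    # Manual: max-failure-delay <= half of access-policy-timeout and <= min-failure-delay + 65
    timeout, lo, hi = (int(s.get(k, d)) for k, d in
                       (("access-policy-timeout", 300), ("min-failure-delay", 2), ("max-failure-delay", 5)))
    if hi > timeout / 2:
        f.append(("max-failure-delay", f"{hi}s exceeds half of access-policy-timeout ({timeout}s)"))
    if hi - lo > 65:
        f.append(("max-failure-delay", f"more than 65s above min-failure-delay ({lo}s)"))
    return f

if __name__ == "__main__":
    for name, settings in parse_listing(SAMPLE_LISTING).items():
        print(name, audit_profile(settings) or "OK")
```

       Run it against a saved listing by reading the file into parse_listing instead of SAMPLE_LISTING; the
       defaults used for absent settings match the defaults the OPTIONS section gives, so a listing produced
       without all-properties is audited the same way.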

SEE ALSO
       apm sso, apm policy

COPYRIGHT
       No part of this program may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
       photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser's personal
       use, without the express written permission of F5 Networks, Inc.

       F5 Networks and BIG-IP (c) Copyright 2011-2013, 2015-2016. All rights reserved.

BIG-IP							    2019-02-10					     apm profile access(1)