apm profile access
apm profile access(1) BIG-IP TMSH Manual apm profile access(1)
NAME
access - Configures an access profile.
MODULE
apm profile
SYNTAX
Configure the access component within the profile module using the
syntax shown in the following sections.
CREATE/MODIFY
create access [name]
options:
accept-languages [add | delete | modify | replace-all-with] {
[name]
}
access-policy [[string] | none]
access-policy-timeout [integer]
app-service [[string] | none]
cache-generation [integer]
customization-group [[string] | none]
default-language [[string] | none]
defaults-from [[string] | none]
domain-cookie [[string] | none]
domain-groups [add | delete | modify | replace-all-with] {
[name]
}
domain-mode [single-domain | multi-domain]
user-identity-method [http | ip-address]
eps-group [[string] | none]
errormap-group [[string] | none]
framework-installation-group [[string] | none]
general-ui-group [[string] | none]
generation-action [increment | noop]
httponly-cookie [true | false]
inactivity-timeout [integer]
logout-uri-include [add | delete | modify | replace-all-with] {
[name]
}
logout-uri-timeout [integer]
log-settings [add | delete | modify | replace-all-with] {
[name]
}
max-concurrent-sessions [[integer] | none]
max-concurrent-users [[integer] | none]
max-failure-delay [integer]
max-in-progress-sessions [[integer] | none]
max-session-timeout [integer]
min-failure-delay [integer]
oauth-profile [[oauth-profile-name] | none]
persistent-cookie [true | false]
primary-auth-service [[string] | none]
restrict-to-single-client-ip [true | false]
sandboxes [add | delete | modify | replace-all-with] {
[name] { retain-public-access [true|false] }
}
scope [profile | virtual-server | global]
secure-cookie [true | false]
sso-name [[string] | none]
type [all | identity-service | ltm-apm | oauth-resource-server | rdg-rap | ssl-vpn | sso | swg-explicit | swg-transparent | system-authentication]
use-http-503-on-error [true | false]
modify access [name]
options:
accept-languages [add | delete | modify | replace-all-with] {
[name]
}
access-policy [[string] | none]
access-policy-timeout [integer]
app-service [[string] | none]
cache-generation [integer]
customization-group [[string] | none]
default-language [[string] | none]
defaults-from [[string] | none]
domain-cookie [[string] | none]
domain-groups [add | delete | modify | replace-all-with] {
[name]
}
domain-mode [single-domain | multi-domain]
user-identity-method [http | ip-address]
eps-group [[string] | none]
errormap-group [[string] | none]
framework-installation-group [[string] | none]
general-ui-group [[string] | none]
generation-action [increment | noop]
httponly-cookie [true | false]
inactivity-timeout [integer]
logout-uri-include [add | delete | modify | replace-all-with] {
[name]
}
logout-uri-timeout [integer]
log-settings [add | delete | modify | replace-all-with] {
[name]
}
max-concurrent-sessions [[integer] | none]
max-concurrent-users [[integer] | none]
max-failure-delay [integer]
max-in-progress-sessions [[integer] | none]
max-session-timeout [integer]
min-failure-delay [integer]
oauth-profile [[oauth-profile-name] | none]
persistent-cookie [true | false]
primary-auth-service [[string] | none]
restrict-to-single-client-ip [true | false]
sandboxes [add | delete | modify | replace-all-with] {
[name] { retain-public-access [true|false] }
}
scope [profile | virtual-server | global]
secure-cookie [true | false]
sso-name [[string] | none]
use-http-503-on-error [true | false]
edit access [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list access
list access [ [ [name] | [glob] | [regex] ] ... ]
show running-config access
show running-config access [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
partition
show access
show access [name]
DELETE
delete access [name]
DESCRIPTION
You can use the access component to configure an access profile. An
access profile is a pre-configured group of settings that controls how
the BIG-IP Access Policy Manager authenticates clients and grants them
access to a protected application or network.
EXAMPLES
create access MyAccessProfile { defaults-from access access-policy
my_access_policy accept-languages { en ja } default-language en
customization-group company_logout eps-group myepsgroup
framework-installation-group company_header errormap-group
company_errormap }
Creates an access profile named MyAccessProfile that is based on
the default access profile named access, uses the access policy
named my_access_policy, accepts English and Japanese, uses English
as the default language, and uses these customization groups for
the application pages and messages: company_logout, myepsgroup,
company_header, and company_errormap.
list access all all-properties
Displays a list of access profiles, including parameter values.
delete access MyAccessProfile
Deletes the access profile named MyAccessProfile.
OPTIONS
accept-languages
Specifies the list of languages supported by the access profile,
identified by language tag. The default languages are en (English),
ja (Japanese), zh-cn (simplified Chinese (PRC)), and zh-tw
(traditional Chinese (Taiwan)). This option is required.
access-policy
Specifies the access policy that you want to enforce using this
access profile. An access policy contains various security checks
that a client must pass before the BIG-IP Access Policy Manager
grants access to a protected application. This option is required.
access-policy-timeout
Specifies, for this access profile, the number of seconds within
which a user must complete the steps to gain access to an
application. The default is 300 seconds. This option is designed
to quickly release session resources when a user does not complete
the access process, for example, when the user closes the browser
before completing the access process.
app-service
Specifies the name of the application service to which the object
belongs. The default value is none. Note: If the strict-updates
option is enabled on the application service that owns the object,
you cannot modify or delete the object. Only the application
service can modify or delete the object.
customization-group
Specifies the customization group that defines the appearance of
the logout and error pages. This option is required.
default-language
Specifies the default language for the BIG-IP Access Policy
Manager that you want to implement with this access profile. The
default is en (English). If the client requests a language that is
not supported, the BIG-IP Access Policy Manager uses the default
value. This option is required.
defaults-from
Specifies the existing access profile from which this profile
inherits its default settings. This option is required.
domain-cookie
Specifies a domain cookie to use with an application access
control connection. If you specify a domain cookie, then the line
domain=specified_domain is added to the MRHsession cookie. The
default is none.
domain-groups
Specifies a group of multiple domains or multiple hosts in
multiple domains to which a single user session has access. For
example, you can use this option to configure a single user
session to have access to three domains: www.a.com, www.b.com, and
www.c.com. When a user logs in to any of these domains, that user
can access the other domains without logging in again. This option
is required when you set the domain-mode option to multi-domain.
This option is ignored when you set the access domain-mode option
to single-domain.
For each domain in the domain group, you can specify the following
settings:
cookie-host
Specifies the host name for which to create the user's
session cookie.
cookie-domain
Specifies the domain for which to create the user's session
cookie.
secure-cookie
Adds a security attribute to the user's session cookie.
persistent-cookie
Adds a persistence attribute to the user's session.
sso-name
Specifies the SSO method to use when accessing a backend
application.
domain-mode
Specifies how the SSO configuration is applied. The options are:
single-domain
Applies the SSO configuration to a single domain. This is the
default.
When you set domain-mode to single-domain, you must also set
the sso-name option.
multi-domain
Applies the SSO configuration across multiple domains. This
option allows users a single APM login/session and applies
the credentials across multiple Local Traffic Manager or
Access Policy Manager virtual servers in front of different
domains. Note that to apply SSO configurations across
multiple domains, all virtual servers must be on one BIG-IP
system.
When you set domain-mode to multi-domain, you must also
configure the domain-group option, and provide a URI for the
primary-auth-service option.
user-identity-method
Specifies how the access profile binds a request to a session.
http Uses HTTP information, such as the session cookie and the URI
query string, to identify the user.
ip-address
Uses the client IP address to identify the user. Do not use this
setting when clients may be behind a NAT, because every client
sharing that address would map to the same session.
eps-group
Specifies the customization group that defines the appearance of
the endpoint security (client-side check) pages. This option is
required.
errormap-group
Specifies the customization settings for the error map that you
want to implement with this access profile. This setting is
required.
framework-installation-group
Specifies the customization settings for the header and footer
that you want to implement with this access profile. This setting
is required.
general-ui-group
Specifies the customization group that defines the appearance of
the general user-interface pages, such as the logon page. This
option is required.
generation-timeout
Specifies the timeout, in seconds, for the new generation access
configuration.
generation-action
increment
Activates the current access policy configuration for an
access profile. For example, the following command activates
current access policy configuration for profile
myAccessProfile: tmsh modify apm profile access
myAccessProfile generation-action increment
noop Specifies "no operation to be performed". This is the
default.
sync Specifies that the policy is being modified due to APM policy
sync operation. This is an internal action; you should not
set it.
httponly-cookie
Specifies whether the HttpOnly attribute is set on the session
cookie in HTTP responses from the BIG-IP system. When the attribute
is set, a compliant browser prevents client-side script from
reading the cookie, which limits what a cross-site scripting flaw
in the protected application can do with the session token. The
default is false.
inactivity-timeout
Specifies, for this access profile, the number of seconds that a
session can remain idle before the BIG-IP Access Policy Manager
terminates it (for Network Access, the VPN tunnel is disconnected).
The default is 900 seconds.
logout-uri-include
Specifies a list of URIs to include in the access profile for
initiating session logout.
logout-uri-timeout
Specifies the timeout, in seconds, used to delay logout for the
customized logout URIs defined in the logout-uri-include list.
log-settings
Specifies one or more log-setting containers to associate with
this profile.
max-concurrent-sessions
Specifies, for this access profile, the maximum number of
concurrent sessions allowed per user. The default is 0 (zero),
which represents unlimited sessions. This field is read-only for
users assigned the Application Editor administrative role; users
assigned any other administrative role can modify it.
max-concurrent-users
Specifies, for this access profile, the maximum number of
concurrent sessions allowed across all users. The default is 0
(zero), which represents unlimited sessions. This field is
read-only for users assigned the Application Editor administrative
role; users assigned any other administrative role can modify it.
max-failure-delay
Specifies the maximum random delay after authentication failure
during the access policy. It is the maximum number of seconds
before the user is shown an error message on the logon page and
prompted to re-enter credentials. The default is 5 seconds. 0
(zero) represents no delay. Note: Set max-failure-delay to no more
than one-half the access-policy-timeout value and no more than 65
seconds greater than min-failure-delay.
max-in-progress-sessions
Specifies the maximum number of in-progress concurrent sessions a
user can have. The in-progress sessions are the sessions for which
an access policy has not completed. The default is 0, which
represents an unlimited number of such sessions.
max-session-timeout
Specifies the maximum lifetime of one session. The maximum
lifetime is the number of seconds between session creation and
session termination.
min-failure-delay
Specifies the minimum random delay after authentication failure
during the access policy. It is the minimum number of seconds
before the user is prompted for credentials again or shown an
error message on the logon page. The default is 2 seconds.
[name]
Specifies the name of the access profile. This option is required.
oauth-profile
Specifies an oauth profile for use with an OAuth Authorization
Server.
persistent-cookie
Specifies, when set to true, that the session cookie is retained
even after the browser session ends, rather than being discarded
as a browser-session cookie. Although this is a less secure
setting, it is useful and required in cases where a third-party
application, such as SharePoint, must store the cookie in a local
database so that its attempts to access backend server
applications through Access Policy Manager succeed. The default is
false.
primary-auth-service
Specifies the address of your primary authentication URI. This
setting is required when you set the domain-mode option to multi-
domain.
For example, when you set this option to
https://logon.yourcompany.com, the user session is stored on this
primary domain, and the user can access multiple backend
applications from multiple domains and hosts without re-entering
credentials.
restrict-to-single-client-ip
Specifies whether a user session is tied to a single client IP. If
during session's lifetime, the user's client IP address changes,
the current session is terminated. The user needs to re-login to
create a new session from the new client IP address. The default
is false.
sandboxes
Specifies the association between the access profile and the
sandbox. If retain-public-access is set to true, this association
is retained even if there is no resource that uses sandbox files
in the access policy that corresponds to this access profile.
scope
Specifies the confining scope for sessions created by the profile.
Set this option to profile (which is also the default-value) to
confine the validity of a session to the profile from which it was
created. Set this option to virtual-server to further confine the
validity of a session to the virtual server from which it was
created. Setting this option to global allows the session to be
valid on any virtual server with any access profile that also
specifies global scope.
secure-cookie
Set this option to true to add the Secure attribute to the session
cookie, so that the browser sends it only over HTTPS. Set this
option to false only if you configure an application access
control scenario that uses an HTTPS virtual server to authenticate
the user and then sends the user to an existing HTTP virtual
server to use applications; in that case the session cookie is
exposed on the HTTP connection. The default is true.
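The following POSIX shell script is an added example for this manual page; it is not F5 code and does not ship with the BIG-IP system. It audits the text that tmsh prints for "list apm profile access" against the cookie, scope and failure-delay rules described in the options above (secure-cookie, httponly-cookie, persistent-cookie, scope, restrict-to-single-client-ip, and the max-failure-delay note). The three profiles in the embedded sample, their names and their policy names are constructed for the example; properties missing from the listing (as happens with a non-default-properties listing) are filled in with the defaults this page states, so a profile that simply omits httponly-cookie is still reported.

```shell
#!/bin/sh
# Added example: audit "tmsh list apm profile access [all-properties]" output
# for the cookie, scope and failure-delay settings documented on this page.
# The sample input below is constructed for the example; names are not real.

SAMPLE_TMSH_OUTPUT=$(cat <<'EOF'
apm profile access /Common/weak_profile {
    access-policy /Common/weak_policy
    access-policy-timeout 300
    accept-languages { en }
    httponly-cookie false
    inactivity-timeout 900
    log-settings {
        /Common/default-log-setting
    }
    max-failure-delay 200
    min-failure-delay 2
    persistent-cookie true
    restrict-to-single-client-ip false
    scope global
    secure-cookie false
    type ltm-apm
}
apm profile access /Common/hardened_profile {
    access-policy /Common/hardened_policy
    access-policy-timeout 300
    accept-languages { en }
    httponly-cookie true
    inactivity-timeout 900
    max-failure-delay 5
    min-failure-delay 2
    persistent-cookie false
    restrict-to-single-client-ip true
    scope profile
    secure-cookie true
    type ltm-apm
}
apm profile access /Common/minimal_profile {
    access-policy /Common/minimal_policy
    type ltm-apm
}
EOF
)

# Reads tmsh list output on stdin and prints one "profile<TAB>finding" line
# per issue. Properties absent from the listing take the defaults stated on
# this manual page (reset()), so a non-default-properties listing is handled.
audit_access_profiles() {
  awk '
    function finding(msg) { print name "\t" msg }
    function reset() {
      split("", v)
      v["secure-cookie"] = "true"; v["httponly-cookie"] = "false"
      v["persistent-cookie"] = "false"; v["restrict-to-single-client-ip"] = "false"
      v["scope"] = "profile"; v["access-policy-timeout"] = 300
      v["max-failure-delay"] = 5; v["min-failure-delay"] = 2
    }
    /^apm profile access / { name = $4; reset(); next }
    /^}/ {
      if (v["secure-cookie"] != "true")
        finding("secure-cookie false: MRHSession cookie may be sent over plain HTTP")
      if (v["httponly-cookie"] != "true")
        finding("httponly-cookie false: client-side script can read the session cookie")
      if (v["persistent-cookie"] == "true")
        finding("persistent-cookie true: session cookie outlives the browser session")
      if (v["scope"] == "global")
        finding("scope global: session is valid on every global-scope profile")
      if (v["restrict-to-single-client-ip"] != "true")
        finding("restrict-to-single-client-ip false: session not pinned to one client IP")
      if (v["max-failure-delay"] + 0 > v["access-policy-timeout"] / 2)
        finding("max-failure-delay exceeds half of access-policy-timeout")
      if (v["max-failure-delay"] + 0 > v["min-failure-delay"] + 65)
        finding("max-failure-delay is more than 65 seconds above min-failure-delay")
      next
    }
    # "key value" lines inside a profile; nested blocks ("key {") are skipped.
    NF >= 2 && $2 != "{" { v[$1] = $2 }
  '
}

# Number of findings reported for one profile name in the embedded sample.
count_findings() {
  printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | audit_access_profiles |
    awk -v p="$1" -F'\t' '$1 == p { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | audit_access_profiles
```

On a BIG-IP system the same function can be fed live output with
"tmsh list apm profile access all-properties | audit_access_profiles".
The restrict-to-single-client-ip line is a trade-off rather than a defect
(see the NAT caveat above), so treat that finding as a prompt to decide,
not as something to fix blindly.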
sso-name
Specifies the SSO configuration that you want BIG-IP Access Policy
Manager to use to submit the user's credentials to the backend
application. This allows the user to log in once to the Access
Policy Manager and then gain access to backend applications
without logging in again.
type Specifies the type of access profile. You can specify the
following types for an access profile.
all Supports ltm-apm and ssl-vpn access types.
identity-service
Used internally to provide identity service for a supported
integration. Only APM creates this type of profile.
ltm-apm
For web access management configuration.
oauth-resource-server
Supports apps and devices that use OAuth tokens but do not
support cookies.
rdg-rap
For validating connections to hosts behind APM when APM acts
as a gateway for RDP clients.
ssl-vpn
For network access, portal access, or application access.
sso For configuring matching virtual servers for Single Sign-On
(SSO).
swg-explicit
For Secure Web Gateway explicit forward proxy.
swg-transparent
For Secure Web Gateway transparent forward proxy.
system-authentication
For configuring administrator access to the BIG-IP system
(when using APM as a pluggable authentication module).
use-http-503-on-error
Set this option to true to use HTTP response code 503 for error
pages sent by BIG-IP Access Policy Manager to clients. Set this
option to false to use HTTP response code 200. The default is
false.
SEE ALSO
apm sso, apm policy
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2011-2013, 2015-2016. All rights
reserved.
BIG-IP 2016-10-31 apm profile access(1)