apm profile access
apm profile access(1) BIG-IP TMSH Manual apm profile access(1)
NAME
access - Configures an access profile.
MODULE
apm profile
SYNTAX
Configure the access component within the profile module using the syntax shown in the following sections.
CREATE/MODIFY
create access [name]
options:
accept-languages [add | delete | modify | replace-all-with] {
[name]
}
access-policy [[string] | none]
access-policy-timeout [integer]
app-service [[string] | none]
cache-generation [integer]
customization-group [[string] | none]
default-language [[string] | none]
defaults-from [[string] | none]
domain-cookie [[string] | none]
domain-groups [add | delete | modify | replace-all-with] {
[name]
}
domain-mode [single-domain | multi-domain]
user-identity-method [http | ip-address]
enforce-policy [true | false]
eps-group [[string] | none]
errormap-group [[string] | none]
framework-installation-group [[string] | none]
general-ui-group [[string] | none]
generation-action [increment | noop]
httponly-cookie [true | false]
inactivity-timeout [integer]
logout-uri-include [add | delete | modify | replace-all-with] {
[name]
}
logout-uri-timeout [integer]
log-settings [add | delete | modify | replace-all-with] {
[name]
}
max-concurrent-sessions [[integer] | none]
max-concurrent-users [[integer] | none]
max-failure-delay [integer]
max-in-progress-sessions [[integer] | none]
max-session-timeout [integer]
min-failure-delay [integer]
oauth-profile [[oauth-profile-name] | none]
persistent-cookie [true | false]
primary-auth-service [[string] | none]
restrict-to-single-client-ip [true | false]
sandboxes [add | delete | modify | replace-all-with] {
[name] { retain-public-access [true|false] }
}
scope [profile | virtual-server | global | named | public]
named-scope [[string] | none]
secure-cookie [true | false]
sso-name [[string] | none]
type [all | identity-service | ltm-apm | oauth-resource-server | rdg-rap | ssl-vpn | sso | swg-explicit | swg-transparent | system-authentication]
use-http-503-on-error [true | false]
modify access [name]
options:
accept-languages [add | delete | modify | replace-all-with] {
[name]
}
access-policy [[string] | none]
access-policy-timeout [integer]
app-service [[string] | none]
cache-generation [integer]
customization-group [[string] | none]
default-language [[string] | none]
defaults-from [[string] | none]
domain-cookie [[string] | none]
domain-groups [add | delete | modify | replace-all-with] {
[name]
}
domain-mode [single-domain | multi-domain]
user-identity-method [http | ip-address]
enforce-policy [true | false]
eps-group [[string] | none]
errormap-group [[string] | none]
framework-installation-group [[string] | none]
general-ui-group [[string] | none]
generation-action [increment | noop]
httponly-cookie [true | false]
inactivity-timeout [integer]
logout-uri-include [add | delete | modify | replace-all-with] {
[name]
}
logout-uri-timeout [integer]
log-settings [add | delete | modify | replace-all-with] {
[name]
}
max-concurrent-sessions [[integer] | none]
max-concurrent-users [[integer] | none]
max-failure-delay [integer]
max-in-progress-sessions [[integer] | none]
max-session-timeout [integer]
min-failure-delay [integer]
oauth-profile [[oauth-profile-name] | none]
persistent-cookie [true | false]
primary-auth-service [[string] | none]
restrict-to-single-client-ip [true | false]
sandboxes [add | delete | modify | replace-all-with] {
[name] { retain-public-access [true|false] }
}
scope [profile | virtual-server | global | named | public]
named-scope [[string] | none]
secure-cookie [true | false]
sso-name [[string] | none]
use-http-503-on-error [true | false]
edit access [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list access
list access [ [ [name] | [glob] | [regex] ] ... ]
show running-config access
show running-config access [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
partition
show access
show access [name]
DELETE
delete access [name]
DESCRIPTION
You can use the access component to configure an access profile. An access profile is a pre-configured group
of settings that you can use to configure secure Network Access for an application.
EXAMPLES
create access MyAccessProfile { defaults-from access access-policy "my_access_policy" accept-languages
"my_accepted_languages" default-language "en" customization-group "company_logout" eps-group "myepsgroup"
framework-installation-group "company_header" "company_footer" errormap-group "company_errormap" }
Creates an access profile named MyAccessProfile that is based on the default access profile named access,
uses the access policy named my_access_policy, accepts the languages in the my_accepted_languages class,
uses English as the default language, and uses these groups to customize the application pages and
messages: company_logout, company_header, company_footer, and company_errormap.
list access all all-properties
Displays a list of access profiles, including parameter values.
delete access MyAccessProfile
Deletes the access profile named MyAccessProfile.
OPTIONS
accept-languages
Specifies the name of a class that defines the languages supported by the access profile. The default
languages are en (English), ja (Japanese), zh-cn (simplified Chinese, PRC), and zh-tw (traditional
Chinese, Taiwan). This option is required.
access-policy
Specifies the access policy that you want to enforce using this access profile. An access policy contains
various security checks that a client must pass before the BIG-IP Access Policy Manager grants access to
a protected application. This option is required.
access-policy-timeout
Specifies, for this access profile, the number of seconds within which a user must complete the steps to
gain access to an application. The default is 300 seconds. This option is designed to quickly release
session resources when a user does not complete the access process, for example, when the user closes the
browser before completing the access process.
app-service
Specifies the name of the application service to which the object belongs. The default value is none.
Note: If the strict-updates option is enabled on the application service that owns the object, you cannot
modify or delete the object. Only the application service can modify or delete the object.
customization-group
Specifies the customization group that defines the appearance of the logout and error pages. This option
is required.
default-language
Specifies the default language for the BIG-IP Access Policy Manager that you want to implement with this
access profile. The default is en (English). If the client requests a language that is not supported, the
BIG-IP Access Policy Manager uses the default value. This option is required.
defaults-from
Specifies the default access policy from which this profile is created. This option is required.
domain-cookie
Specifies a domain cookie to use with an application access control connection. If you specify a domain
cookie, the attribute domain=specified_domain is added to the MRHsession cookie. The default is none.
domain-groups
Specifies a group of multiple domains or multiple hosts in multiple domains to which a single user
session has access. For example, you can use this option to configure a single user session to have
access to three domains: www.a.com, www.b.com, and www.c.com. When a user logs in to any of these
domains, that user can access the other domains without logging in again. This option is required when
you set the domain-mode option to multi-domain. This option is ignored when you set the domain-mode
option to single-domain.
For each domain in the domain group, you can specify the following settings:
cookie-host
Specifies the host name for which to create the user's session cookie.
cookie-domain
Specifies the domain for which to create the user's session cookie.
secure-cookie
Adds a security attribute to the user's session cookie.
persistent-cookie
Adds a persistence attribute to the user's session.
sso-name
Specifies the SSO method to use when accessing a backend application.
domain-mode
Specifies how the SSO configuration is applied. The options are:
single-domain
Applies the SSO configuration to a single domain. This is the default.
When you set domain-mode to single-domain, you must also set the sso-name option.
multi-domain
Applies the SSO configuration across multiple domains. This option allows users a single APM
login/session and applies the credentials across multiple Local Traffic Manager or Access Policy
Manager virtual servers in front of different domains. Note that to apply SSO configurations across
multiple domains, all virtual servers must be on one BIG-IP system.
When you set domain-mode to multi-domain, you must also configure the domain-group option, and
provide a URI for the primary-auth-service option.
user-identity-method
Specifies how the access profile binds a session to a request. The options are:
http
Uses HTTP information, such as cookies and the URI query string, to identify the user.
ip-address
Uses the client IP address to identify the user. Do not use this setting if clients may be behind a NAT,
because several users would then share one address.
enforce-policy
Set this option to false if you do not want to enforce the access policy. The default is true, which means
the access policy is always enforced. This option can only be modified for profiles of type swg-transparent.
eps-group
This option is required.
errormap-group
Specifies the customization settings for the error map that you want to implement with this access
profile. This setting is required.
framework-installation-group
Specifies the customization settings for the header and footer that you want to implement with this
access profile. This setting is required.
general-ui-group
Specifies the user interface customization group for the new generation access configuration. This
option is required.
generation-timeout
Specifies the timeout, in seconds, for the new generation access configuration.
generation-action
Specifies the action to apply to the current generation of the access policy configuration. The options are:
increment
Activates the current access policy configuration for an access profile. For example, the following
command activates the current access policy configuration for the profile myAccessProfile:
tmsh modify apm profile access myAccessProfile generation-action increment
noop
Specifies that no operation is to be performed. This is the default.
sync
Specifies that the policy is being modified by an APM policy sync operation. This is an internal
action; you should not set it.
httponly-cookie
Specifies whether the HttpOnly attribute is added to the session cookie in HTTP responses from BIG-IP. When
this attribute is set, the client browser prevents scripts from accessing the cookie. The default is false.
inactivity-timeout
Specifies, for this access profile, the number of seconds that the session on the client can be idle
before the server disconnects the VPN tunnel. The default is 900 seconds.
logout-uri-include
Specifies a list of URIs to include in the access profile for initiating session logout.
logout-uri-timeout
Specifies the timeout used to delay logout for the customized logout URIs defined in the
logout-uri-include list.
log-settings
Specifies one or more log-setting containers to associate with this profile.
max-concurrent-sessions
Specifies, for this access profile, the number of concurrent sessions allowed. The default is 0 (zero),
which represents unlimited sessions. This option is read-only for users assigned the Application Editor
administrative role. Users assigned any other administrative role can modify this option.
max-concurrent-users
Specifies, for this access profile, the number of concurrent sessions allowed. The default is 0 (zero),
which represents unlimited sessions. This field is Read-only for Application Editors. Users assigned any
other administrative role can modify this field.
max-failure-delay
Specifies the maximum random delay after authentication failure during the access policy. It is the
maximum number of seconds before the user is shown an error message on the logon page and prompted to
re-enter credentials. The default is 5 seconds. 0 (zero) represents no delay. Note: Set max-failure-delay
to no more than one-half the access-policy-timeout value and no more than 65 seconds greater than
min-failure-delay.
max-in-progress-sessions
Specifies the maximum number of in-progress concurrent sessions a user can have. The in-progress sessions
are the sessions for which an access policy has not completed. The default is 0, which represents an
unlimited number of such sessions.
max-session-timeout
Specifies the maximum lifetime of one session. The maximum lifetime is the number of seconds between
session creation and session termination.
min-failure-delay
Specifies the minimum random delay after authentication failure during the access policy. It is the
minimum number of seconds before the user is prompted for credentials again or shown an error message on
the logon page. The default is 2 seconds.
[name]
Specifies the name of the access profile. This option is required.
oauth-profile
Specifies an oauth profile for use with an OAuth Authorization Server.
persistent-cookie
When set to true, specifies that the cookie for a user session is retained even after the user session is
terminated. Although this is an insecure method, this setting is useful and required in cases where you
have a third-party application, such as SharePoint, that needs to store the cookie in a local database so
that any attempt to access backend server applications through Access Policy Manager succeeds. The default
is false.
primary-auth-service
Specifies the address of your primary authentication URI. This setting is required when you set the
domain-mode option to multi-domain.
For example, when you set this option to https://logon.yourcompany.com, the user session is stored on
this primary domain, and the user can access multiple backend applications from multiple domains and
hosts without re-entering credentials.
restrict-to-single-client-ip
Specifies whether a user session is tied to a single client IP address. If, during the session's lifetime,
the user's client IP address changes, the current session is terminated and the user must log in again to
create a new session from the new client IP address. The default is false.
sandboxes
Specifies the association between the access profile and the sandbox. If retain-public-access is set to
true, this association is retained even if there is no resource that uses sandbox files in the access
policy that corresponds to this access profile.
scope
Specifies the confining scope for sessions created by the profile. Set this option to profile (the
default) to confine the validity of a session to the profile from which it was created. Set this option
to virtual-server to further confine the validity of a session to the virtual server from which it was
created. Setting this option to global allows the session to be valid on any virtual server with any
access profile that also specifies global scope. Setting this option to named allows the session to be
valid for any virtual server with an access profile that uses the same named-scope value. The option
public is allowed only for SSLO access profiles, and no sessions are created.
named-scope
Specifies the string to which the validity of a session is confined. This setting is required when you
set the scope option to named.
secure-cookie
Set this option to true if you want to add the Secure attribute to the session cookie. Set this option to
false if you want to configure an application access control scenario that uses an HTTPS virtual server
to authenticate the user and then sends the user to an existing HTTP virtual server to use applications.
The default is true.
sso-name
Specifies the SSO configuration that you want BIG-IP Access Policy Manager to use to submit the user's
credentials to the backend application. This allows the user to log in once to the Access Policy Manager
and then gain access to backend applications without logging in again.
type
Specifies the type of access profile. You can specify the following types for an access profile:
all
Supports the ltm-apm and ssl-vpn access types.
identity-service
Used internally to provide an identity service for a supported integration. Only APM creates this type
of profile.
ltm-apm
For web access management configuration.
oauth-resource-server
Supports apps and devices that use OAuth tokens but do not support cookies.
rdg-rap
For validating connections to hosts behind APM when APM acts as a gateway for RDP clients.
ssl-vpn
For network access, portal access, or application access.
sso
For configuring matching virtual servers for Single Sign-On (SSO).
swg-explicit
For Secure Web Gateway explicit forward proxy.
swg-transparent
For Secure Web Gateway transparent forward proxy.
system-authentication
For configuring administrator access to the BIG-IP system (when using APM as a pluggable
authentication module).
use-http-503-on-error
Set this option to true to use HTTP response code 503 for error pages sent by BIG-IP Access Policy
Manager to clients. Set this option to false to use HTTP response code 200. The default is false.
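As an added example that is not part of this reference or of F5's own tooling, the following Python script parses a profile block in the format printed by "list apm profile access <name>" and checks it against the constraints documented in the options above: the max-failure-delay limits, the multi-domain and named-scope prerequisites, and the secure-cookie, httponly-cookie and persistent-cookie settings that protect the MRHsession cookie. The sample profile text and the name /Common/MyAccessProfile are constructed for the example.

```python
import re

# Added example, not F5's code: audit an "apm profile access" block against this page's rules.
SAMPLE_PROFILE = """
apm profile access /Common/MyAccessProfile {
    access-policy-timeout 300
    domain-mode single-domain
    httponly-cookie false
    max-failure-delay 200
    min-failure-delay 2
    persistent-cookie true
    scope named
    secure-cookie false
}
"""  # constructed sample in the format printed by 'list apm profile access <name>'

def parse_access_profile(text):
    """Parse 'apm profile access NAME { key value ... }'; braced values become lists."""
    tokens = re.findall(r"\{|\}|\S+", text)
    body, props, i = tokens[tokens.index("{") + 1:], {}, 0   # skip the header line
    while body[i] != "}":
        key, i = body[i], i + 1
        if body[i] == "{":                      # set value: collect up to the matching '}'
            depth, items = 0, []
            while (depth := depth + (body[i] == "{") - (body[i] == "}")):
                if body[i] not in "{}":
                    items.append(body[i])
                i += 1
            props[key], i = items, i + 1
        else:
            props[key], i = body[i], i + 1
    return props

def audit_access_profile(props):
    """Return (option, finding) tuples for violated constraints and weakened cookie settings."""
    findings = []
    timeout, max_delay, min_delay = (int(props.get(k, d)) for k, d in (
        ("access-policy-timeout", 300), ("max-failure-delay", 5), ("min-failure-delay", 2)))
    if max_delay > timeout // 2:
        findings.append(("max-failure-delay", "exceeds half of access-policy-timeout"))
    if max_delay > min_delay + 65:
        findings.append(("max-failure-delay", "more than 65 s above min-failure-delay"))
    if props.get("domain-mode") == "multi-domain":
        for req in ("domain-groups", "primary-auth-service"):
            if props.get(req, "none") in ("none", []):
                findings.append((req, "required when domain-mode is multi-domain"))
    if props.get("scope") == "named" and props.get("named-scope", "none") == "none":
        findings.append(("named-scope", "required when scope is named"))
    # Documented defaults vs. the values that keep the MRHsession cookie protected.
    defaults = {"secure-cookie": "true", "httponly-cookie": "false", "persistent-cookie": "false"}
    hardened = {"secure-cookie": "true", "httponly-cookie": "true", "persistent-cookie": "false"}
    for opt, want in hardened.items():
        if props.get(opt, defaults[opt]) != want:
            findings.append((opt, f"should be {want} to protect the session cookie"))
    return findings
```

Run audit_access_profile(parse_access_profile(SAMPLE_PROFILE)) to list the six findings for the constructed profile; a profile that keeps the documented defaults and sets httponly-cookie to true produces none.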
SEE ALSO
apm sso, apm policy
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose
other than the purchaser's personal use, without the express written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2011-2013, 2015-2016. All rights reserved.
BIG-IP 2019-02-10 apm profile access(1)