Lab 1: Access Guided Configuration - Per Request Policy

The purpose of this lab is to leverage Access Guided Configuration (AGC) to deploy an Identity Aware Proxy extended by Per Request Policy (PRP) access controls. The Per Request Policies will restrict access based on AD group membership and the URI accessed. Students will configure the various aspects of the application using only AGC, review the resulting configuration and perform tests of the deployment.

Objective:

  • Gain an understanding of Access Guided Configuration and its various configuration and deployment models
  • Gain an initial understanding of Per Request Policies and their applicability in various delivery and control scenarios

Lab Requirements:

  • All Lab requirements will be noted in the tasks that follow
  • Estimated completion time: 30 minutes

Lab 1 Tasks:

TASK 1: Initialize Access Guided Configuration (AGC)

  1. Login to your provided lab Virtual Edition: bigp1.f5lab.local

  2. Navigate to: Access -> Guided Configuration

  3. Click the Zero Trust graphic as shown.

  4. Click the Identity Aware Proxy dialogue box under Zero Trust in the navigation as shown.

image001
  5. Review the Identity Aware Proxy Application configuration example presented.

  6. Scroll through and review the remaining elements of the dialogue box to the bottom of the screen and click Next.

image002

image003

TASK 2: Config Properties

  1. In the Configuration Name dialogue box, enter agc-app.acme.com.
  2. Toggle Single Sign-On (SSO) & HTTP Header to the On position.
  3. Toggle Application Groups to the On position.
  4. Toggle Webtop to the Off position.
  5. Click Save & Next at the bottom of the dialogue window.
image004

TASK 3: Configure Virtual Server Properties

  1. Select the Create New radio button under Virtual Server.
  2. Select the Host radio button under Destination Address.
  3. Enter the IP Address 10.1.10.100 in the dialogue box for Destination Address.
  4. Confirm the Enable Redirect Port checkbox is checked.
  5. Confirm the Redirect Port is 80 and HTTP.
  6. Select the Use Existing radio button under Client SSL Profile.
  7. Move the f5demo Client SSL Profile to the Selected side on the right.
  8. Scroll to the bottom of the dialogue window and click Save & Next.

image005

image006

TASK 4: Configure User Identity

  1. Click the Add button on the User Identity dialogue window.
image007
  2. In the resulting dialogue window, enter agc-f5lab-AD in the Name field.
  3. Confirm Authentication Type is AAA.
  4. Confirm Choose Authentication Server Type is Active Directory.
  5. Select f5lab.local from the Choose Authentication Server drop down.
image008
  6. Check the Active Directory Query Properties checkbox.
  7. Confirm the Search Filter Type & Search Filter match the sAMAccountName values.
  8. Check the Fetch Nested Group checkbox.
  9. Move memberOf to the right under Required Attributes Selected.
  10. Click Save at the bottom of the dialogue window.
image009
  11. In the dialogue window that follows for User Identity, confirm agc-f5lab-AD is listed, then click Save & Next at the bottom of the dialogue window.

image010

TASK 5: Single Sign-on & HTTP Header

  1. Click the Add button on the Single Sign-on & HTTP Header dialogue window.
image011
  2. In the resulting Single Sign-on & HTTP Header Properties dialogue window, enter agc-app-header in the Name field.

  3. Select the HTTP Headers radio button under Type.

  4. Click the + (Plus Symbol) in the Action column of the SSO Headers section.

  5. In the new SSO Headers row, enter the following values:

    • Header Operation: replace
    • Header Name: agc-app-uid
    • Header Value: %{subsession.logon.last.username}
  6. Repeat steps 4 & 5 with the following values:

    • Header Operation: replace
    • Header Name: agc-memberOf
    • Header Value: %{subsession.ad.last.attr.memberOf}
  7. At the bottom of the screen, click Save.

image012
  8. In the dialogue window that follows for Single Sign-on & HTTP Header, confirm agc-app-header is listed, then click Save & Next at the bottom of the dialogue window.

image013

TASK 6: Applications

  1. Click the Add button in the Applications dialogue window.
image014
  2. In the Application Properties dialogue window, toggle Advanced Settings to the On position.

  3. In the Name field enter agc-app.acme.com.

  4. In the FQDN field enter agc-app.acme.com.

  5. In the Subpath Pattern field enter /apps/app1*.

  6. On the Subpath Pattern row entered in Step 5, click the + (Plus Symbol) twice to add two more rows.

  7. In the two new rows add /apps/app2* and /apps/app3* respectively.

image015
  8. In the Pool Configuration section, under the Health Monitors area, move /Common/http to the Selected side on the right.

  9. In the Pool Configuration section, under the Load Balancing Method area, select /Common/10.1.20.6 from the IP Address/Node name.

  10. Click the Save button at the bottom of the dialogue window.

image016
  11. In the Applications dialogue window that follows, expand the Subpaths and ensure /apps/app1*, /apps/app2*, /apps/app3* are present for the agc-app.acme.com row.

  12. Click the Save & Next button at the bottom of the dialogue window.

image017

TASK 7: Application Groups

  1. Click the Add button in the Application Groups dialogue window.
image018
  2. In the resulting Application Group Properties dialogue window, enter app1 in the Name field.

  3. Move /apps/app1* from the Available side to the Selected side under Application List.

  4. Click the Save button at the bottom of the dialogue window.

image019
  5. Click the Add button in the Application Groups dialogue window that follows and repeat steps 2 through 4 using the following values:

    • Name: app2, Selected: /apps/app2*
    • Name: app3, Selected: /apps/app3*
    • Name: base, Selected: /
image020
  6. Review the Application Groups dialogue window following completion of step 5.
  7. Click the Save & Next button at the bottom of the dialogue window.
image021

TASK 8: Contextual Access

  1. Click the Add button in the Contextual Access dialogue window.
image022
  2. In the Contextual Access Properties dialogue window that follows, enter app1-access in the Name field.

  3. Select Application Group from the Resource Type drop down.

  4. Select app1 from the Resource drop down.

  5. Select agc-f5lab-AD from the Primary Authentication drop down.

  6. Select agc-app-header from the HTTP Header drop down.

image023
  7. In the Assign User Groups section, scroll through the available groups to find the app1 Group Name. Click the Add button in the Action column.

    (The filter can be used to find the appropriate group faster.)

  8. Verify the added group in the Selected User Groups.

  9. Click the Save button at the bottom of the dialogue window.

image024
  10. Click the Add button in the Contextual Access dialogue window.

  11. Repeat steps 2 through 9 for app2 and app3 using the following values:

    App2

    Contextual Access Properties

    • Name: app2-access
    • Resource Type: Application Group
    • Resource: app2
    • Primary Authentication: agc-f5lab-AD
    • HTTP Header: agc-app-header

    Assign User Groups

    • Add Group Name app2

    App3

    Contextual Access Properties

    • Name: app3-access
    • Resource Type: Application Group
    • Resource: app3
    • Primary Authentication: agc-f5lab-AD
    • HTTP Header: agc-app-header

    Assign User Groups

    • Add Group Name app3
image025
  12. Click the Add button in the Contextual Access dialogue window.
image026
  13. In the Contextual Access Properties dialogue window that follows, enter base-access in the Name field.

  14. Select Application Group from the Resource Type drop down.

  15. Select base from the Resource drop down.

  16. Select agc-f5lab-AD from the Primary Authentication drop down.

  17. Select agc-app-header from the HTTP Header drop down.

image027
  18. In the Assign User Groups section, scroll through the available groups to find the Sales Engineering Group Name. Click the Add button in the Action column.

  19. Verify the added group in the Selected User Groups.

  20. Click the Save button at the bottom of the dialogue window.

image028
  21. Review the resulting Contextual Access dialogue window for completion of all created access rules.

  22. Click the Save & Next button at the bottom of the dialogue window.

image029

TASK 9: Customization

  1. Scroll to the bottom of the Customization Properties dialogue window, leaving all defaults, and then click Save & Next.

image030

image031

TASK 10: Session Management Properties

  1. Scroll to the bottom of the Session Management Properties dialogue window, leaving all defaults, and then click Save & Next.

image032

image033

TASK 11: Summary

  1. In the resulting Summary dialogue window, review the configured elements and then click the Deploy button.

image034
  2. Click the Finish button in the final dialogue window. Access Guided Configuration will return to the start screen and agc-app.acme.com will show as DEPLOYED.

image035

image036

TASK 12: Testing

  1. Begin an RDP session with the Jumphost (10.1.10.10) through the Student Portal.

  2. Open Firefox from the desktop and navigate to https://agc-app.acme.com. A bookmark link has been provided in the toolbar.

  3. Logon to the resulting logon page with UserID: user1 and Password: user1

image037
  4. Click on the Application 1 button in the ACME Application/Service Portal.

  5. A new tab will open displaying the received headers, demonstrating the user has access to the application.

image038

image039

  6. Return to the ACME Application/Service Portal and click Application 2.

  7. A new tab will open displaying a Block Page (customizable), restricting access to the application based on AD group membership.

image040

image041

  8. Close the open application tabs, return to the ACME Application/Service Portal and click the Logout button, then close the browser.

  9. Run the Add-User1-to-App2 PowerShell script link provided on the Jumphost desktop. The script will run and automatically close.

image042

image043

  10. Reopen Firefox using the desktop link on the Jumphost and launch the agc-app.acme.com application from the link provided in the browser.

  11. Click on the Application 2 button in the ACME Application/Service Portal.

  12. A new tab will open displaying the received headers, demonstrating the user now has access to the application because of the change in the user's group membership.

image044
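The contextual access rules built in Task 8 and the outcomes observed in Task 12 can be checked against a small model of the per-request decision. This is an added example, not lab or AGC code; the pipe-delimited rendering of memberOf and user1's group DNs are constructed assumptions.

```python
import re

# Constructed model of the rules this lab builds (added example, not AGC code):
# subpath patterns from Task 6, Application Groups from Task 7, and the AD group
# that each Contextual Access rule in Task 8 requires.
ACCESS_RULES = {
    "/apps/app1*": "app1",
    "/apps/app2*": "app2",
    "/apps/app3*": "app3",
    "/": "Sales Engineering",  # the "base" application group
}
# Assumption: APM renders the multi-valued memberOf attribute pipe-delimited,
# one DN per entry; that is what the agc-memberOf header would carry.
USER1_BEFORE = ("| CN=app1,OU=Groups,DC=f5lab,DC=local "
                "| CN=Sales Engineering,OU=Groups,DC=f5lab,DC=local |")
USER1_AFTER = ("| CN=app1,OU=Groups,DC=f5lab,DC=local "
               "| CN=app2,OU=Groups,DC=f5lab,DC=local "
               "| CN=Sales Engineering,OU=Groups,DC=f5lab,DC=local |")

def group_names(member_of):
    """Return the CN of every group DN in a memberOf value."""
    return {cn.strip() for cn in re.findall(r"CN=([^,|]+)", member_of)}

def required_group(path):
    """Longest matching subpath prefix wins, so /apps/app1* beats /."""
    best = None
    for pattern, group in ACCESS_RULES.items():
        prefix = pattern.rstrip("*")
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, group)
    return best[1] if best else None

def decide(path, member_of):
    """'allow' or 'block', mirroring the per-request policy outcome."""
    needed = required_group(path)
    return "allow" if needed and needed in group_names(member_of) else "block"

def lab_test_sequence():
    """Reproduce the expected Task 12 outcomes for user1 before and after
    the Add-User1-to-App2 script adds user1 to the app2 group."""
    return {
        "app1_before": decide("/apps/app1/", USER1_BEFORE),
        "app2_before": decide("/apps/app2/", USER1_BEFORE),
        "portal_before": decide("/", USER1_BEFORE),
        "app2_after": decide("/apps/app2/", USER1_AFTER),
    }

if __name__ == "__main__":
    for check, outcome in lab_test_sequence().items():
        print(f"{check}: {outcome}")
```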

TASK 13: Review

  1. Login to your provided lab Virtual Edition: bigp1.f5lab.local

  2. Navigate to: Access -> Overview -> Active Sessions

  3. Here you can see the active session and any subsessions created by virtue of the Per Request Policies, and view their associated variables.

  4. Click View associated with the active session's subsession.

image045
  5. In the resulting variable view, review the subsession variables created as a result of the access requests performed in testing.

image046
  6. Navigate to: Access -> Profiles/Policies -> Per-Request Policies in the left-hand navigation menu.

  7. In the resulting dialogue window, click on the Edit link in the agc-app.acme.com_perRequestPolicy row.

  8. Review the created Per Request Policy.

image047

image048

TASK 14: End of Lab 1

  1. This concludes Lab 1; feel free to review and test the configuration.