BIG-IP Access Policy Manager: Portal Access

Version 13.0

Table of Contents

Overview of Portal Access
    Overview: What is portal access?
    About portal access configuration elements
    Understanding portal access patching
    Additional resources and documentation for BIG-IP Access Policy Manager
Configuring Resources for Portal Access
    Creating a portal access configuration
    Creating a portal access resource item
    Creating a portal access resource item for minimal patching
    Creating a portal access configuration with the wizard
    Creating a portal access configuration with a template
Configuring Access Control Lists
    About APM ACLs
    About ACLs and resource assignments on a full webtop
    Configuring an ACL
    Example ACE settings: reject all connections to a network
    Example ACE settings: allow SSH to a specific host
    Example ACE settings: reject all connections to specific file types
Configuring Webtops for Portal Access
    About webtops
    Configuring a webtop for portal access only
    Configuring a full webtop
    Creating a webtop link
    Overview: Organizing resources on a full webtop
    About the default order of resources on a full webtop
    Creating a webtop section
    Specifying resources for a webtop section
    Webtop properties
Configuring Access Profiles for Portal Access
    Creating an access profile
    Verifying log settings for the access profile
    Configuring an access policy
    Assigning resources to a user
    Adding connection resources to an access policy
    Adding a webtop, links, and sections to an access policy
    Access profile settings
Configuring Rewrite Profiles for Portal Access
    About rewrite profiles for Portal Access
    Portal access rewrite profile Portal Access settings
    Portal access rewrite profile JavaPatcher settings
    Portal access rewrite profile URI translation settings
    Creating a rewrite profile
Configuring Virtual Servers for Portal Access
    Defining a virtual server for portal access
Integrating Portal Access and Secure Web Gateway
    Overview: Configuring transparent forward proxy for remote access
    Prerequisites for APM transparent forward proxy for remote access
    Configuration outline for APM transparent forward proxy for remote access
    Creating a connectivity profile
    Adding a connectivity profile to a virtual server
    Creating an access profile for transparent forward proxy
    Creating a wildcard virtual server for HTTP traffic on the connectivity interface
    Creating a custom Client SSL forward proxy profile
    Creating a custom Server SSL profile
    Creating a wildcard virtual server for SSL traffic on the connectivity interface
    Updating the access policy in the remote access configuration
    Implementation result
    About configuration elements for transparent forward proxy (remote access)
    Per-request policy items that read session variables
Logging and Reporting
    Overview: Configuring remote high-speed APM and SWG event logging
    About the default-log-setting
    Creating a pool of remote logging servers
    Creating a remote high-speed log destination
    Creating a formatted remote high-speed log destination
    Creating a publisher
    Configuring log settings for access system and URL request events
    Disabling logging
    About event log levels
    APM log example
    About local log destinations and publishers
    Configuring a log publisher to support local reports
    Viewing an APM report
    Viewing URL request logs
    Configuring a log publisher to supply local syslogs
    Preventing logging to the /var/log/apm file
    About local log storage locations
    Code expansion in Syslog log messages
    About configurations that produce duplicate log messages
    Methods to prevent or eliminate duplicate log messages
    About log level configuration
    Updating the log level for NTLM for Exchange clients
    Configuring logging for the URL database
    Setting log levels for Portal Access and VDI events
Hosting Files with Portal Access on Access Policy Manager
    About using hosted files with a Portal Access resource
    Task summary
    Uploading files to Access Policy Manager for Portal Access
    Associating hosted content with access profiles
    Creating a portal access configuration with hosted content
    Creating a portal access resource item for hosted content
    Implementation result
Adding Hosted Content to Access Policy Manager
    About uploading custom files to Access Policy Manager
    Understanding hosted content
    About accessing hosted content
    Permissions for hosted content
    Task summary
    Uploading files to Access Policy Manager
    Associating hosted content with access profiles
    Implementation result
Editing Hosted Content with Access Policy Manager
    About editing hosted files on Access Policy Manager
    Task summary
    Renaming or moving hosted content files
    Editing hosted content file properties
    Replacing a hosted file
    Deleting a hosted file
    Implementation result
Managing Disk Space for Hosted Content
    Overview: Managing disk space for hosted content files
    Allocating the maximum amount of disk space for hosted content
    Estimating hosted content file disk space usage
Legal Notices
    Legal notices

Overview of Portal Access

Overview: What is portal access?

Portal access allows end users access to internal web applications with a web browser from outside the network. With portal access, the BIG-IP Access Policy Manager communicates with back-end servers, and rewrites links in application web pages so that further requests from the client browser are directed back to the Access Policy Manager server. With portal access, the client computer requires no specialized client software other than a web browser.

Portal access provides clients with secure access to internal web servers, such as Microsoft Outlook Web Access (OWA), Microsoft SharePoint, and IBM Domino Web Access. Using portal access functionality, you can also provide access to most web-based applications and internal web servers.

Portal access differs from network access, which provides direct access from the client to the internal network. Network access does not manipulate or analyze the content being passed between the client and the internal network. The portal access configuration gives the administrator both refined control over the applications that a user can access through Access Policy Manager, and content inspection for the application data. The other advantage of portal access is security. Even if a workstation might not meet requirements for security for full network access, such a workstation can be passed by the access policy to certain required web applications, without allowing full network access. In a portal access policy, the client computer itself never communicates directly with the end-point application. That means that all communication is inspected at a very high level, and any attacks originating on the client computer fail because the attack cannot navigate through the links that have been rewritten by the portal access engine.

About portal access configuration elements

A portal access configuration requires several elements:

- A portal access resource including one or more portal access resource items
- An access profile
- An access policy that assigns both:
  - A portal access resource
  - A portal access or full webtop
- A rewrite profile (you can use the default rewrite profile)
- A connectivity profile
- A virtual server that assigns the access profile and a rewrite profile

Portal access elements are summarized in this diagram.

Figure 1: Portal access elements

Understanding portal access patching

Portal access patches, or rewrites, links in web content. Portal access rewrites links in complex Java, JavaScript, Flash, CSS, and HTML content. In full patching mode, Access Policy Manager retrieves content from back-end servers and rewrites links in that content so it can be presented to a web browser, as if the content originated from the Access Policy Manager. Portal access rewrites content to make intranet targets resolvable, no matter what the intranet host is.

Understanding full patching mode

In full patching mode, you can select one or more of the following content types in which portal access rewrites links.

| Patching content type | Description |
|---|---|
| HTML patching | Rewrites links in HTML content to redirect to the Access Policy Manager. |
| JavaScript patching | Rewrites link content in JavaScript code to redirect requests to the Access Policy Manager. |
| CSS patching | Rewrites links to CSS files, and within CSS content, to redirect to the Access Policy Manager. |
| Flash patching | Rewrites links in Flash movies and objects to redirect requests to the Access Policy Manager. |
| Java patching | Rewrites link content in Java code to redirect requests to the Access Policy Manager. Access Policy Manager can also relay and handle any socket connections required by a patched Java applet. |

Understanding minimal patching mode

In minimal patching mode, portal access allows only minimum rewriting of web application content. Minimal patching mode is useful for troubleshooting, or when full portal access patching fails with a file or site.

In minimal patching mode, only HTML and CSS content is patched.

To use minimal patching, the following conditions must be met:

- You must create a local traffic pool for the application server or servers, and select it as the default pool in the virtual server definition.
- You must add a portal access resource item to the portal access resource, and configure it with host *, and port 0 (or any). In addition, the path /* must be specified in the resource item.
- You must configure the scheme any, not http or https.
- Minimal patching does not use a webtop, and will fail if one is assigned. For this reason, you must disable the Publish on webtop option, and you cannot assign a webtop to the minimal patching access policy branch.

Important: In minimal patching mode, if your web application sets cookies, the cookie domain must match the virtual server domain.

Important: If your web application does not use SSL, do not configure the virtual server with the Server SSL profile serverssl.

| Patching mode | Description |
|---|---|
| Scheme patching | Specifies a method of patching that replaces all HTTP scheme addresses with HTTPS scheme addresses. |
| Host Patching | Specifies a method of patching where one or multiple hosts (typically the actual application server host name) are replaced with another host, the Access Policy Manager virtual server. You can specify multiple hosts separated with spaces for host search strings. The host replace string must be the Access Policy Manager virtual server IP address or fully qualified domain name (FQDN). |

Additional resources and documentation for BIG-IP Access Policy Manager

You can access all of the following BIG-IP system documentation from the AskF5 Knowledge Base located at

| Document | Description |
|---|---|
| BIG-IP Access Policy Manager: Application Access | This guide contains information for an administrator to configure application tunnels for secure, application-level TCP/IP connections from the client to the network. |
| BIG-IP Access Policy Manager: Authentication and Single-Sign On | This guide contains information to help an administrator configure APM for single sign-on and for various types of authentication, such as AAA server, SAML, certificate inspection, local user database, and so on. |
| BIG-IP Access Policy Manager: Customization | This guide provides information about using the APM customization tool to provide users with a personalized experience for access policy screens, and errors. An administrator can apply your organization's brand images and colors, change messages and errors for local languages, and change the layout of user pages and screens. |
| BIG-IP Access Policy Manager: Edge Client and Application Configuration | This guide contains information for an administrator to configure the BIG-IP system for browser-based access with the web client as well as for access using BIG-IP Edge Client and BIG-IP Edge Apps. It also includes information about how to configure or obtain client packages and install them for BIG-IP Edge Client for Windows, Mac, and Linux, and Edge Client command-line interface for Linux. |
| BIG-IP Access Policy Manager: Implementations | This guide contains implementations for synchronizing access policies across BIG-IP systems, hosting content on a BIG-IP system, maintaining OPSWAT libraries, configuring dynamic ACLs, web access management, and configuring an access policy for routing. |
| BIG-IP Access Policy Manager: Network Access | This guide contains information for an administrator to configure APM Network Access to provide secure access to corporate applications and data using a standard web browser. |
| BIG-IP Access Policy Manager: Portal Access | This guide contains information about how to configure APM Portal Access. In Portal Access, APM communicates with back-end servers, rewrites links in application web pages, and directs additional requests from clients back to APM. |
| BIG-IP Access Policy Manager: Secure Web Gateway | This guide contains information to help an administrator configure Secure Web Gateway (SWG) explicit or transparent forward proxy and apply URL categorization and filtering to Internet traffic from your enterprise. |
| BIG-IP Access Policy Manager: Third-Party Integration | This guide contains information about integrating third-party products with Access Policy Manager (APM). It includes implementations for integration with VMware Horizon View, Oracle Access Manager, Citrix Web Interface site, and so on. |
| BIG-IP Access Policy Manager: Visual Policy Editor | This guide contains information about how to use the visual policy editor to configure access policies. |
| Release notes | Release notes contain information about the current software release, including a list of associated documentation, a summary of new features, enhancements, fixes, known issues, and available workarounds. |
| Solutions and Tech Notes | Solutions are responses and resolutions to known issues. Tech Notes provide additional configuration instructions and how-to information. |
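Scheme patching and host patching from the minimal patching section, as an added Python sketch (not F5 code and not part of this guide). It assumes the rewrite can be modelled as plain string replacement on HTML and CSS bodies only, and it checks the cookie-domain condition the guide marks Important; the host names and sample responses are constructed placeholders.

```python
import re

PATCHED_TYPES = {"text/html", "text/css"}  # minimal patching touches only HTML and CSS


def scheme_patch(body):
    """Scheme patching: replace every HTTP scheme address with HTTPS."""
    return re.sub(r"\bhttp://", "https://", body, flags=re.IGNORECASE)


def host_patch(body, search_hosts, replace_host):
    """Host patching: swap each host search string for the virtual server.

    search_hosts is space-separated, like the host search strings field.
    Longer strings are tried first so a short one cannot split a longer one.
    """
    hosts = sorted(search_hosts.split(), key=len, reverse=True)
    if not hosts:
        return body
    pattern = re.compile("|".join(re.escape(h) for h in hosts), re.IGNORECASE)
    return pattern.sub(replace_host, body)


def minimal_patch(body, content_type, search_hosts, replace_host,
                  scheme_patching=True, host_patching=True):
    """Apply the selected minimal-patching methods to one response body."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in PATCHED_TYPES:
        return body  # JavaScript, Flash, Java and the rest pass through as-is
    if scheme_patching:
        body = scheme_patch(body)
    if host_patching:
        body = host_patch(body, search_hosts, replace_host)
    return body


def cookie_domain_matches(set_cookie, virtual_server):
    """True if a browser talking to the virtual server would keep the cookie.

    A cookie without a Domain attribute is host-only and is always kept.
    """
    m = re.search(r";\s*domain=\.?([^;\s]+)", set_cookie, re.IGNORECASE)
    if not m:
        return True
    domain, host = m.group(1).lower(), virtual_server.lower()
    return host == domain or host.endswith("." + domain)


# Constructed sample data; every host name here is a placeholder.
VIRTUAL_SERVER = "portal.example.com"
APP_HOSTS = "app1.internal.example app2.internal.example"
SAMPLE_HTML = ('<a href="http://app1.internal.example/mail">Mail</a>'
               '<img src="http://app2.internal.example/logo.png">')
SAMPLE_JS = 'var u = "http://app1.internal.example/api";'

if __name__ == "__main__":
    print(minimal_patch(SAMPLE_HTML, "text/html; charset=utf-8", APP_HOSTS, VIRTUAL_SERVER))
    print(minimal_patch(SAMPLE_JS, "application/javascript", APP_HOSTS, VIRTUAL_SERVER))
    print(cookie_domain_matches("sid=abc; Domain=internal.example; Path=/", VIRTUAL_SERVER))
```

The JavaScript body comes back unchanged, so any URL a script builds still points at the internal host; that is the practical limit of minimal patching to keep in mind when choosing it over full patching.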

Configuring Resources for Portal Access

Creating a portal access configuration

1. On the Main tab, click Access > Connectivity / VPN > Portal Access > Portal Access Lists.
   The Portal Access List screen opens.
2. Click the Create button.
   The New Resource screen opens.
3. Type the name and an optional description.
4. From the ACL Order list, specify the placement for the resource.

   | Option | Description |
   |---|---|
   | Last | Select this option to place the new portal access resource last in the ACL list. |
   | After | Select this option to select, from the list of configured ACLs, the ACL that this portal access resource should follow in sequence. |
   | Specify | Select this option to specify an order number, for example, 0 or 631, for the ACL. |

5. From Configuration, select Basic or Advanced.
   The Advanced option provides additional settings so you can configure a proxy host and port.
6. For the Match Case for Paths setting, select Yes to specify that portal access matches alphabetic case when matching paths in the portal access resource.
7. From the Patching Type list, select the patching type for the web application.
   For both full and minimal patching types, you can select or clear patching methods specific to your selection.
8. If you selected Minimal Patching and the Host Patching option, type a host search string, or multiple host search strings separated with spaces, and the host replace string, which must be the Access Policy Manager virtual server IP address or fully qualified domain name.
9. To publish a link for the web application on the full webtop, or to use hosted content files, for the Publish on Webtop setting, select the Enable check box.
   Important: Do not enable the Publish on Webtop setting if you are configuring the portal access resource for minimal patching.
10. If you enabled Publish on Webtop, select whether the Link Type is an application URI or a file uploaded to the hosted content repository.
    - Application URI: This is the main URI used to start this portal access resource. You can configure other URIs with specific caching and compression settings by adding resource items to the portal access resource, after the main resource is configured.
    - Hosted Content: Use content uploaded to the hosted content repository to present on the webtop. When you select a hosted content file (typically a web-browser readable file), that file becomes the main destination for this webtop link.
    Note: In the Resource Items area, you must add all resources that you have uploaded to the hosted content repository that apply to this particular hosted content link.
11. In the Customization Settings for English area, in the Caption field, type a caption.
    The caption appears on the full webtop, and is required. This field is required even if you do not select the Publish on webtop option.

12. Optionally, in the Detailed Description field type a description for the web application.
13. In the Image field, specify an icon for the web application link. Click the View/Hide link to show the current icon.
14. If your application is behind a proxy server, to specify a proxy host and port, you must select Advanced for the configuration to display additional fields, and type the proxy host and proxy port.
    Important: Portal access does not support forwarding HTTPS requests through the HTTPS proxy. If you specify the HTTPS scheme in the Application URI field and specify a proxy host, portal access does not forward the requests.
15. Click the Create button.

This completes the portal access resource configuration.

Add resource items to the portal access resource to provide functionality for your web applications.

Creating a portal access resource item

You create a portal access resource item to add a port, path, and other portal access functionality to a portal access resource. If your portal access resource is a hosted content file (for example, a web application) you must add that file, and all related files from the hosted content repository that are used with the hosted content file. For example, you might add image files, CSS, and scripts that are required by the web page or application. You typically use resource items to refine the behavior for web application directories; for example, you might specify No Compression and a Cache All caching policy for the /attachment directory for a portal access resource.

1. On the Main tab, click Access > Connectivity / VPN > Portal Access > Portal Access Lists.
   The Portal Access List screen opens.
2. Click the name of a portal access resource.
   The Portal Access Properties screen for that resource opens.
3. In the Resource Items area, click the Add button.
   A New Resource Item screen for that resource opens.
4. Select whether the resource item is application paths or hosted content.
   - Paths: If you select this option, set the host name or IP address, URI paths, the scheme, and the port.
   - Hosted Content: If you select this option, choose an item from the list of content uploaded to the hosted content repository.
   Note: You must add all files that you have uploaded to the hosted content repository that apply to this particular hosted content resource.
5. Configure the properties for the resource item.
   - To add headers, select Advanced next to New Resource Item.
   - To configure Session Update, Session Timeout, and Home Tab, select Advanced next to Resource Item Properties.
6. Click Finished.

This creates the portal access resource item.

Portal access resource item properties

Use these properties to configure a resource item for a portal access resource.

| Property | Value | Description |
|---|---|---|
| Item Type | Paths or Hosted Content | Specifies whether the resource item is a path to a web resource or an uploaded file from the hosted content repository. |
| Destination | Host name, IP address, or network address and mask | Specifies whether the web application destination is a host or an IP address, and provides the host name or IP address. You can specify an IPv4 or IPv6 IP address, or a host name that resolves to either an IPv4 or IPv6 address. When a resource is configured using the host name, and the host name resolves to both IPv4 and IPv6 addresses, the IP address family preference setting in the client's DNS configuration is used to choose the IP address type from the DNS response. |
| Hosted Files | A local file | If the item type is Hosted Content, you can select a local file from this list to specify as the resource. Important: If the portal access resource is a hosted content file, all related files must be defined separately as portal access resource items within that portal access resource. |
| Port | A port number or 0 | Specifies the port for the web application. 0 means the web application matches port 80 for the http scheme option, and port 443 for the https scheme option. |
| Scheme | http, https, or any | Specifies whether the URI scheme for the web application is http, https, or any (either HTTP or HTTPS) scheme. |
| Paths | An application path or paths, separated by spaces | Specifies any paths for the web application. You can separate multiple paths with spaces. You can use wildcards, for example /*. |
| Headers | Name-value pairs | Specifies any custom headers required by the web application. To add a header, type the header name in the Name field, and the header content in the Value field, then click the Add button. |
| Compression | No compression or GZIP compression | No Compression specifies that application data sent to the client browser is not compressed. GZIP Compression specifies that application data sent to the client browser is compressed with GZIP compression. Important: To use GZIP compression with a portal access resource, in the virtual server definition, you must specify the HTTP Compression Profile setting as httpcompression. |
| Client Cache | Default, Cache All, or No Cache | Specifies settings for client caching of web applications. In the rewrite profile that you associate with the virtual server for the portal access resource, you can specify a client caching option: CSS and JavaScript, CSS, Images and JavaScript, No Cache or Cache All. If you configure a client cache setting other than Default in the portal access resource item, that resource setting overrides the cache setting in the rewrite profile. Default uses the client cache settings from the rewrite profile. Cache All uses cache headers as is from the back-end server, and allows caching of everything that can be cached, includ |
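To review which URLs a resource item covers before assigning it, the Destination, Port, Scheme and Paths properties above can be modelled as a matcher. This is an added Python sketch, not F5 code: it assumes shell-style wildcards for host names and paths, and the class and function names are hypothetical; the last function checks an item against the minimal patching conditions listed earlier in this guide.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class ResourceItem:
    """Hypothetical model of one Paths-type resource item."""
    host: str                # host name, IP address, or network/mask
    port: int = 0            # 0 = port 80 for http, port 443 for https
    scheme: str = "any"      # "http", "https" or "any"
    paths: str = "/*"        # space-separated, wildcards allowed
    match_case: bool = True  # the resource's Match Case for Paths setting


def host_matches(pattern, host):
    try:
        network = ipaddress.ip_network(pattern, strict=False)
    except ValueError:       # not an address: compare as a host-name pattern
        return fnmatch.fnmatchcase(host.lower(), pattern.lower())
    try:
        return ipaddress.ip_address(host) in network
    except ValueError:       # item is an address but the URL uses a name
        return False


def item_matches(item, url):
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False
    if item.scheme != "any" and item.scheme != scheme:
        return False
    default = DEFAULT_PORTS[scheme]
    if (parts.port or default) != (item.port or default):
        return False
    if not host_matches(item.host, parts.hostname or ""):
        return False
    path = parts.path or "/"
    for pattern in item.paths.split():
        if not item.match_case:
            if fnmatch.fnmatchcase(path.lower(), pattern.lower()):
                return True
        elif fnmatch.fnmatchcase(path, pattern):
            return True
    return False


def minimal_patching_problems(item, publish_on_webtop=False, webtop_assigned=False):
    """List the documented minimal patching conditions this setup violates."""
    problems = []
    if item.host != "*":
        problems.append("host must be *")
    if item.port != 0:
        problems.append("port must be 0 (any)")
    if "/*" not in item.paths.split():
        problems.append("path /* must be specified")
    if item.scheme != "any":
        problems.append("scheme must be any")
    if publish_on_webtop:
        problems.append("Publish on webtop must be disabled")
    if webtop_assigned:
        problems.append("no webtop may be assigned")
    return problems
```

Running `item_matches` over a list of internal URLs shows how far an item built from `*`, `/*` and `any` reaches compared with one scoped to a single host and directory.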
