Advanced Dynamic Services for Unified Access and Control


Presenter
2




How the Static Data Center Falls Short

•   It started simple
•   More user types, services
•   Application issues
•   Security woes …
•   What’s the answer?
3




Dynamic Data Center

• Reconfigure
  dynamically
• Manage applications,
  not objects
• Context-aware policies
• ADC manages
  application services
4




      Mobile and Remote Users Growing Dramatically




IDC Research 2010
5




   One Access Solution
   BIG-IP Access Policy Manager

All Access Use Cases:

Remote Access:
• SSL VPN
   – Network Access
   – Portal Access
   – App Tunnels

Web Access Management:
• Proxy to HTTP apps
   – Custom
   – 3rd party

Application Access Control:
• Proxy to Non-HTTP apps
   – Citrix ICA
   – ActiveSync
   – Outlook Anywhere
6




Dynamic Services for Unified Access Control
BIG-IP Access Policy Manager in BIG-IP Edge Gateway

•   Unify Remote, Web and Application Access
•   Fast Access, Authentication and SSO to Apps
•   Ensure Strong Endpoint Security
•   Scale to Support All Mobile and Remote Users
•   Powerful Custom and Built-in Reporting



                      Manage Access
                     Based on Identity
7




Secure, Accelerated Remote Access
with BIG-IP APM in Edge Gateway




                         Edge Gateway includes:
                         • BIG-IP APM, WA and WOM
8




BIG-IP Edge Gateway
    Secures and Accelerates Access to Applications
•   Next generation remote access solution
     – Converges SSL VPN access security, application
       acceleration and availability
     – Optimize access for mobile users and remote offices

•   BIG-IP Solution for the Network Edge
     – Multiple Platforms: 1600, 3600, 3900, 6900, 8900, 11000
         – (Licensed concurrently)
     – Includes BIG-IP Edge Client solution

•   Exponential Performance, Capacity, and Scalability
     – Up to 10 Gbps, 600 log-ins per second, 60,000 users
9




Secure and Accelerate Application Access
with BIG-IP Edge Gateway (APM+WA+WOM)



                                 Data Center
10




     Secure and Accelerate Application Access
     with BIG-IP Edge Gateway (APM+WA+WOM)
SECURE APPLICATIONS & DATA

 •   Centralize access policy enforcement
 •   Single Sign-On
 •   L4 – L7 full proxy access control
 •   Advanced endpoint security
 •   Secured optimized tunnels
 •   Content encryption


OPTIMIZED APPLICATIONS & DATA

•    Caching repetitive content in
     browser
•    Intelligent Compressing
•    TCP optimization

      • Prioritize critical traffic
      • Dedicated bandwidth per application
      • No tunneling conflicts of traditional SSL VPN
11




Accelerate Application Performance
with faster portal file downloads

F5 tested a first-time user’s attempt:
• SharePoint: 4 MB document download
• SAP: 27 MB Microsoft Office file

SharePoint      Competitor SSL VPN   BIG-IP Edge Gateway   ▲
First Access    211 seconds          114 seconds           1.9×
Repeat          47 seconds           16 seconds            2.9×

SAP             Competitor SSL VPN   BIG-IP Edge Gateway   ▲
Access          111 seconds          14 seconds            7.9×
12



Scale to Support the Most Mobile Users
with BIG-IP Edge Gateway (APM+WA+WOM)



Scenario:
Extreme weather results in 150% more employees than usual
working and accessing the network from home



Solution:
Employees experience no delay or bottlenecks because
BIG-IP Edge Gateway:
• Provides secure remote access with up to 10 Gbps of SSL VPN throughput
• Supports up to 60,000 concurrent users and 600 logins per second
13




Disparate connections and application restarts
(Diagram labels: At Home (wireless); On the way to work (Aircard); In the office (docked LAN connection); Presenting (corporate wireless); In the Cafe (wireless). Captions: Ongoing Logins!; Constantly Re-connecting)
14




Increase User Productivity with Anywhere Access
Auto-Connect to VPN with Flexible Client Technology
(Diagram labels: At home (wireless); On the way to work (Aircard); In the office (docked LAN connection); Presenting (corporate wireless); In the cafe (wireless). Captions: Auto-Connect!; Always Connected Application Access)
15




BIG-IP Edge Client
•   Flexible Deployment
     – Web-Delivered and Standalone Client
     – Mac, Windows, Linux
     – iPhone, iPad, iTouch
•   Drive Security
     – Endpoint inspection
     – Full SSL VPN
     – Per-user flexible Policy
•   Enable Mobility
     – Smart connection roaming
     – Uninterrupted application sessions
•   Accelerate Access
     – Adaptive compression
     – Client-side cache
     – Client-side QoS
16




Easily Design Access for iPhone
BIG-IP Edge Client Connection, Statistics and Settings
17




Easily Design Access for iPad
BIG-IP Edge Client Connection, Statistics and Settings
18




Configure iOS Access to Applications
with BIG-IP Edge Portal
19




Mobile Clients for Fast App. Access



• Provide access based on device and identity
• Make dynamic policy decisions
• Authenticate users
• Provide remediation for non-compliant devices
20




BIG-IP Edge Portal for Android App Solutions

Fast App. Access for Android Devices




 https://market.android.com/details?id=com.f5.edge.portal
21




Ensure Strong Endpoint Security


                               BIG-IP Edge Gateway




Allow, deny, or remediate users based on endpoint attributes such as:
• Antivirus software version and updates
• Software firewall status
• Access to specific applications

Invoke protected workspace for unmanaged devices:
• Restrict USB access
• Cache cleaner leaves no trace
• Ensure no malware enters corporate network
22




Internet Facing Applications



                  Data Center

 Remote Users




                   Directories
23




Enterprise and Service Provider IT
  Network Users


                                    Cloud

                   Data Center   Private   Public




                                     Data Center
                                     Applications

                   Directories    App 1     App n
24




F5 Unified Access and Control
Flexible and Dynamic ADC Services


                    • Supports users worldwide
                    • Secure IPsec site to site tunnels
                    • Fast apps to Edge Client users
                    • Virtual and standalone deployments


                                                           Data Center




 Headquarters and
  Remote Offices
25




Flexible and Dynamic Access Services
Dynamic Webtop, App. Tunnels and Remote Desktop Support
26




Authentication All in One and Fast SSO
F5 BIG-IP Access Policy Manager


Dramatically reduce infrastructure costs; increase productivity




                                  = BIG-IP v11
27




New Detailed Reporting
Quickly Run Built-in or Design Custom Reports
e.g. Who accessed app. or
network and when?


e.g. How many XP users are still
on my network?


e.g. Where are users accessing from
(geolocation)?


Custom, Built-in and
Saved reports


Exported and used
on other devices
28




Access and Application
Analytics

• Stats grouped by application and user
• Provides
     – Business Intelligence
     – ROI Reporting
     – Capacity Planning
     – Troubleshooting
     – Performance

Stats Collected
• Client IPs
• Client Geographic
• User Agent
• User Sessions
• Client-Side Latency
• Server Latency
• Throughput
• Response Codes
• Methods
• URLs

Views
• Virtual Server
• Pool Member
• Response Codes
• URL
• HTTP Methods
29




Access Policy Design

• Industry-leading advanced Visual Policy Editor (VPE)
   – Flexible
   – Easy to understand, visual representation of policy
   – VPE Rules (TCL-based) for advanced functions
   – Trigger TMM iRules events
• Usability features
   – Macros
   – Visual cues to aid configuration
30




 Improve Manageability and Reduce Costs

Lack of simplicity, flexibility, context, and control for the enterprise

• No context
• Difficult change control
• Error-prone
• Costly
• Licensing/vendor management issues
• Compliance problems
• Limited control

(Diagram labels: Users; VPN (Vendor A); Web Accelerator (Vendor B); WAN Optimizer (Vendor C); DNS Bind Server (Open Source); Resources: Physical, Virtual, Multisite data centers, Cloud (Private, Public); AAA shown at each resource, including AAA x 2, AAA x 5 and AAA x 10; AD, CA, TAM, OAM, LDAP)
31




  Improve Manageability and Reduce Costs

Simplicity, flexibility, context, and control for the enterprise

• Unified access and acceleration model
• Simplified change control and auditing
• Flexible access policies
• Context-aware: user, device, location, and application
• Control remains within enterprise

(Diagram labels: Users; User Requests; Optimal Gateway; Secure Optimized Session; AAA; BIG-IP Global Traffic Manager; BIG-IP Edge Gateway; VPN (Vendor A); Web Accelerator (Vendor B); WAN Optimizer (Vendor C); DNS Bind Server (Open Source); Resources: Physical, Virtual, Multisite data centers, Cloud (Private, Public); AAA shown at each resource, including AAA x 2, AAA x 5 and AAA x 10; AD, CA, TAM, OAM, LDAP)
32




Optimal gateways and secure optimized
sessions

Challenges:
• Slow connection times meant slow transfers
• Couldn’t connect to VPN with 64-bit OS
• VoIP issues caused dropped calls
• Lack of support required costly upgrades

Benefits:
• WAN optimization = fast connection for mobile users on 64-bit OS
• Improved VoIP, with fewer dropped calls
• Active Directory integration eliminates multiple logins
• Fast, easy installation
• Implemented: Edge Gateway, LTM, GTM.

“With the Edge Gateway, the connection speed was immediately noticeable.”
Steve Diggory, Technology Manager, PersonalizationMall.com

Case Study:   http://www.f5.com/pdf/case-studies/personalization-mall-cs.pdf
Industry:     Online Specialty Retail
33




The Most Scalable Access Solution

(Chart: Number of Devices Req’d, 0 to 8, against Number of Concurrent Users Supported, for F5, Cisco, Juniper and Citrix. Categories: F5 BIG-IP 1600, F5 BIG-IP 6900, F5 BIG-IP 8900, F5 BIG-IP 11050. Data labels: Juniper SA4500; 2X Cisco 5520; Citrix MPX5500; 3X Juniper SA4500; 3X Cisco 5585; 3X Citrix MPX10500; 6X Citrix MPX21500; 6X Cisco ASA 5580; 7X JNPR SA6500)
34




Multiple Platform Solutions

Platform          Base Conc.   Max Conc.   Platform         Base Conc.   Max Conc.
(APM on LTM)      Users        Users       (Edge Gateway)   Users        Users

Virtual Edition   250          500         -                -            -
1600              500          1,000       1600             300          1,000
3600              500          5,000       3600             500          5,000
3900              500          10,000      3900             1,000        10,000
6900              500          25,000      6900             2,500        25,000
8900              500          40,000      8900             5,000        40,000
8950              500          40,000      -                -            -
11000             500          60,000      11000            10,000       60,000
11050             500          60,000      -                -            -
35




Dynamic Services for Unified Access Control
BIG-IP Access Policy Manager in BIG-IP Edge Gateway

•   Unify Remote, Web and Application Access
•   Fast Access, Authentication and SSO to Apps
•   Ensure Strong Endpoint Security
•   Scale to Support All Mobile and Remote Users
•   Powerful Custom and Built-in Reporting



                     Manage Access
                    Based on Identity
37




Multiple-Domain Single Sign-On

• Single Sign-On to multiple LTM/APM or Edge Gateway virtual
  servers front ending multiple separate domains or multiple hosts
  within same domains
• Configure different cookie settings and SSO methods for different
  domains or different hosts in the same domain




               Ex. Multiple domains with different SSO methods
38




Dynamic Webtop for End-User


• Customizable and
  localizable list of
  resources
• Adjusts to mobile devices
• Toolbar, help, and
  disconnect buttons
39




Endpoint Inspection – Machine Information



• CPU Info {ID, Name, Clock}
• HDD {Model, Serial#}
• Motherboard {Model, Serial#}
• BIOS {Dell, Serial #, Manufacturer}
• NICs {Name, MAC}
40




Application Tunnels



• Layered with Symmetric Adaptive Compression services
41




Microsoft RDP Remote Desktop
42




Symmetric Adaptive Compression to Edge
Client

• iSession-style optimization of Network Access tunnels
• Layer with DTLS
   – DTLS for fast response of real-time applications
   – Optimization reduces bandwidth
43




Edge Client v1.0.1
• Secure web gateway proxy support
• Pre-logon checks
• Auto application launch
44




Secure Web Gateway Integration

• Allows admin to force all
  web access through a
  secure gateway
• Bypasses secure
  gateway for internal
  resources
• All traffic is forced
  through the tunnel
• Why? Enforce web
  browsing policies on
  corporate iPads e.g.
45




Secure iPad Web Surfing with Edge Client

(Diagram labels: Internet; Gateway; BIG-IP Edge Gateway with APM; Full SSL-VPN Tunnel; Internal Resource)
46




Pre-logon checks for iOS Devices

• Four new session variables:
   – session.client.mac_address
   – session.client.model
   – session.client.platform_version
   – session.client.unique_id
• These session variables are gathered automatically and
  are available with Solstice and Edge Client 1.0.1
• They can easily be combined with an LDAP/AD Query to
  implement white-listing in a custom action.
• Why? Distinguish IT-approved, issued devices.
  Improved access context.
47




Checking the iOS Unique ID




• Custom action “Device ID Check” in this access policy
  checks a UUID…
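
The allow-list check described on the two slides above, modelled in Python as an added example (not F5 code and not APM configuration). The session variable names come from the slide; the directory attribute `approvedDeviceIds`, the function names and the minimum platform version are assumptions made for illustration.

```python
import re

# Session variable names as listed on the slide above.
VAR_UNIQUE_ID = "session.client.unique_id"
VAR_PLATFORM_VERSION = "session.client.platform_version"

# Hypothetical multi-valued directory attribute holding the device IDs
# that IT issued to this user (what the LDAP/AD query would return).
APPROVED_ATTR = "approvedDeviceIds"


def normalize_device_id(value):
    """Lowercase and strip separators; return None unless the result is plain hex."""
    if not isinstance(value, str):
        return None
    cleaned = re.sub(r"[\s:\-]", "", value).lower()
    return cleaned if re.fullmatch(r"[0-9a-f]{12,64}", cleaned) else None


def parse_version(value):
    """Turn '4.3.1' into (4, 3, 1); return None for anything unparsable."""
    if not isinstance(value, str):
        return None
    text = value.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def device_id_check(session, directory_entry, min_platform=(4, 2)):
    """Return (decision, reason); decision is 'allow', 'remediate' or 'deny'.

    The check fails closed: a client that reports no identifier, or a user
    with no directory entry, is denied rather than waved through. The values
    are reported by the client, so this adds context to user authentication
    and does not replace it.
    """
    reported = normalize_device_id(session.get(VAR_UNIQUE_ID))
    if reported is None:
        return ("deny", "unique_id missing or malformed")

    approved = set()
    for raw in (directory_entry or {}).get(APPROVED_ATTR, []):
        normalized = normalize_device_id(raw)
        if normalized is not None:
            approved.add(normalized)
    if reported not in approved:
        return ("deny", "device is not on the user's allow-list")

    version = parse_version(session.get(VAR_PLATFORM_VERSION))
    if version is None:
        return ("deny", "platform_version missing or malformed")
    if version < min_platform:
        return ("remediate", "platform older than the required minimum")
    return ("allow", "IT-issued device on a supported platform")


if __name__ == "__main__":
    # Constructed sample data, not taken from a real device or directory.
    entry = {APPROVED_ATTR: ["01234567-89AB-CDEF-0123-456789ABCDEF-01234567"]}
    samples = [
        {VAR_UNIQUE_ID: "0123456789abcdef0123456789abcdef01234567",
         VAR_PLATFORM_VERSION: "4.3.1"},
        {VAR_UNIQUE_ID: "f" * 40, VAR_PLATFORM_VERSION: "4.3.1"},
        {VAR_PLATFORM_VERSION: "4.3.1"},
        {VAR_UNIQUE_ID: "0123456789abcdef0123456789abcdef01234567",
         VAR_PLATFORM_VERSION: "4.1"},
    ]
    for sample in samples:
        print(device_id_check(sample, entry))
```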
48




App auto-launch

• After Edge Client connects, initiate and auto-launch a 2nd
  application on the device.
• Uses a URL form for the App Path
   – http://handleopenurl.com/
   – http://wiki.akosma.com/IPhone_URL_Schemes
• Issues pre-launch warning
49




App Auto-launch




  Skype configured to auto-launch…
50




BIG-IP Edge Client for BIG-IP v10.2.1
        iMac Edge Client (Leopard/Snow Leopard)
51




Authentication Proxy Integration – VPN
Customer Architecture with
Oracle Access Manager (OAM) and BIG-IP Edge® Gateway

(Diagram labels: Mobile Employees and Contractors; DMZ; Data Center; BIG-IP® Edge Gateway / OAM; BIG-IP® LTM +ASM (opt) + WA (opt); OAM Web Proxies; Web App + OAM (opt); App 1 … App n; OAM Policy Server, Reporting, and Auditing)

• Mobile employees accessing corporate applications using VPN
• OAM auth. services are performed by Edge Gateway in the DMZ
• OAM auth. services may be performed by BIG-IP® Edge Gateway
    in the DMZ or at the web server with “last mile” security
•   Eliminate a directory service for remote access users
52




Security Risk: Mobile User Authentication Sync


                                            DMZ               Data Center


                                        Auth. Gateway   ADC             MS Exchange




•   Access to Exchange without VPN to
    sync MS email, calendar, contacts
•   Security risk
•   Extra infrastructure tier in DMZ
53




Secure Environment: Authenticating
ActiveSync Devices

                                                     DMZ                    Data Center


                                                 Auth. Gateway   BIG-IP® LTM + APM   MS Exchange




•   Reduce authentication infrastructure and
    sync with Exchange
•   One location for name space URL
•   Scale and support growing mobile user base
•   Secure environment
54



Traditional Remote Access with SSL VPN
Unified Access on F5 BIG-IPs
Dynamic Control with BIG-IP Access Policy Manager

• Accelerated remote access
• Application access management
• Most powerful, scalable and simplified access solutions

(Diagram labels: Local and Mobile Users; SSL VPN; BIG-IP Edge Gateway with APM, WA, and WOM; BIG-IP LTM with APM; Directories; Applications (App 1 … App n); Hosted Virtual Desktops; Cloud (Private, Public); Internet (SaaS, Partners, Consumer Apps))
55



BIG-IP Edge Gateway will
Power New Managed Services

Access Requirements
•   Easy / cost effective access scaling
•   Advanced, secure VPN with fast deployment
•   Custom look and feel per customer
•   Virtualized solution to maximize investment
•   Enable secure collaboration between 3rd parties




BIG-IP Edge Gateway Delivered
•   Superior scalability @ Lowest cost
•   Acceleration technology with LAN speed performance
•   Improved manageability and security with unified access
•   Customized domains for personalized experience
•   Virtual routing services with lower opex
56




    CSC - Why They Chose BIG-IP Edge Gateway
•   Acceleration
     – “First of all, the acceleration capabilities that came with it. It’s not just remote access that
         it’s providing but also will provide a better user experience in the process leveraging the
         BIG-IP acceleration technology that’s already been there, so it’s a proven and well-known
         capability.”
•   Secure and Granular Access Control
     – “Another factor that was key was the highly granular access control capabilities, so that
         allows us to provide the differing levels of access for different types of user and different
         types of devices that I was talking about, with third parties, with personal devices, which
         makes it flexible for future needs as well.”
•   Virtualization of Access Services
     – “One of the key things we were looking at in the evaluation as a managed service
         provider was the ability to provide full virtualization for multiple customer environments
         (via BIG-IP Virtual Servers concept), and obviously high scalability, so that’s all a direction
         we’re heading in with the cloud computing model.”
•   Converged Services Platform
     – “We can deliver multiple services on it, not just remote access, so it provides a point of
         leverage for us as well.”
57




Repeatable Access to Applications

  Clients                                              Applications



                                          BIG-IP
                                       Edge Gateway




   •   Increases mobile productivity by automatically entering
       Windows logon credentials when using Edge Client
   •   Easier access to applications with seamless VPN access
   •   ICSA Labs certified SSL-VPN solution
58




VoIP: Slow Applications Affect Productivity

Packet loss with TCP/SSL = high latency. Network squeezes VoIP

(Chart: Max Bandwidth, Network Traffic and VoIP Traffic, 0% to 100%, across Low Traffic, App. growth, App. Spike, Delivered App. Callouts: User experiencing choppy communication; Traditional SSL VPN: Apps./VoIP sent simultaneously; What did he say?)

     •   Ensuring a positive end-user application experience is a complex problem
     •   Slow applications can be caused by a number of things:
          – Packet loss due to chatty or jittery protocols
          – High latency LANs
          – Poorly designed apps.
59




VoIP: Improved User Communications

(Chart: Max Bandwidth, Network Traffic and VoIP Traffic, 0% to 100%, across Low Traffic, App. growth, App. Spike, Delivered App. Callouts: BIG-IP Edge Gateway manages app. performance; User: clear phone call; Hear you loud and clear...)

  Edge Gateway improves application and VoIP performance
  •     Tight connection and prioritized traffic with dedicated app. bandwidth
         – Client-side QoS for Windows machines: VoIP traffic first and apps. traffic second
  •     Applications and upper layer protocols react to lost packet(s)
         – Secures each packet
60




Security Problem: Geolocation Access Risk
• Need to block access from countries or regions

• Help with business intelligence of where users are accessing from

• Looking for capacity planning and ability to audit the location

• Access policy based on location

                     UK Data Center
61




Enforcing Access Restrictions
Simple, accurate, centralized enforcement


(Diagram labels: UK Data Center; App Servers; BIG-IP Edge Gateway with IP Geolocation Database)

Solution: Centralized Location Control
•   Decreased risk – access is controlled at perimeter
•   Reduced capital and operational expenses through centralized control
•   Reduced application development time
•   Simplified network configuration
62




    Only ADC with Geolocation Access Rules
•    VPE – Geolocation Rules
•    iRules not required
•    Custom session variables
•    Custom notification messages
•    Logging Client locations
•    Reporting
63




BIG-IP APM/Edge Gateway V11 Features
Advanced Dynamic Services for Unified Access Control



• IPsec optimized site-to-site tunnels
• Dynamic Webtop: with Application Tunnels
• Access: External Dynamic ACLs, Flash patching, Oracle Access Manager 11g
• Hosted VDI: Microsoft Remote Desktops, Expanded Citrix VDI support (Proxy and Portal mode)
• SSO enhancements: SSO across multiple domains, Kerberos auth. (CAC cards, etc)
• EndPoint Inspection: Protected Workspace, Machine Info Inspector
• Powerful reporting/analytics: Custom & built-in reports, Access and Application Analytics for remote access solution
• Scale for Global enterprise: 11000 Series: ^60k users, w/1.2 TB of storage
64




Edge Gateway v10.2 Security Features
 •   Edge Gateway
      –   Integration with Oracle Access Manager
      –   ICSA Certified – SSL-VPN
      –   Geolocation Agent in VPE
      –   MS ActiveSync Support
 •   Edge Client
      –   Reuse of Windows logon credentials
65




    Edge Gateway v10.1 Features
•    Secure accel. remote access
      –   Remote Access, Application Acceleration and Network Optimization
      –   Global VPN and Unified Access to Datacenter
      –   Dynamic per-session layer 4 - 7 (HTTP) ACLs
      –   SSO/Credential Caching
      –   TCP Optimization
      –   Symmetric adaptive compression
      –   Asymmetric and symmetric application acceleration
      –   Data de-duplication
      –   MAPI and CIFS acceleration
•    Dynamic User Access
      –   Web-based and standalone BIG-IP Edge Client
      –   Mobility: Domain detection and smart connection
      –   Acceleration: Dynamic data compression
•    Thorough Device Inspection
      –   Endpoint Inspection checks
      –   Protected Workspace with encryption and Virtual File System
      –   Group policy integration
      –   Virtual Keyboard
•    Manageability / Usability
      –   QoS on Windows machines (client side)
      –   D-TLS (Datagram-Based TLS) Network Access Transport for secure packets
      –   Customizable user interface
      –   Policy import/export
      –   Reporting and stats
      –   Set-up deployment wizards
      –   Dashboard executive summary
•    Interoperability and Integration
      –   Edge Gateway and GTM interoperability
      –   Edge Gateway events in iRules
      –   Splunk for F5 logging and reporting
•    Virtualization Architecture
      –   Multiple virtual Edge Gateways
      –   Targeted at Service Providers and large enterprises
      –   Separate access policy grouping for each virtual Edge Gateway
      –   Can have separate security administrators
      –   Master administrator control
66




Edge Gateway – v10.1 Features
• Application Acceleration
   – TCP optimization for client to gateway and gateway to gateway
     connections
   – Symmetric Adaptive Compression for client to gateway and gateway
     to gateway connections
   – HTTP/HTTPS asymmetric acceleration for client to gateway
     connections
   – HTTP/HTTPS symmetric acceleration for gateway to gateway
     connections
   – Data de-duplication services for gateway to gateway connections
   – MAPI and CIFS acceleration for gateway to gateway connections


• D-TLS (Datagram-Based TLS) Network Access Transport
67




Edge Gateway – v10.1 Features
•   Portal Access Security
     – OWA 2003, OWA 2007, SharePoint 2003, SharePoint 2007, MS
       Communicator 2007
     – Oracle Portal 3.0 (10g Release 2, version 10.1.2)
     – PeopleSoft Portal 9, PeopleSoft Portal HR 9
     – SAP Netweaver
     – Notes 7, Notes 8

•   Authentication and Authorization Services
     – RADIUS, LDAP, and AD support
     – SSO/Credential Caching: HTTP Basic, HTTP
       NTLMv1/v2, Cookie, Form, and HTTP Header
     – Dynamic per-session layer 4 - 7 (HTTP) ACLs
     – Native RSA SecurID
     – RADIUS accounting
     – Authentication server redundancy
68




Edge Gateway – v10.1 Features
•   Virtualization Architecture
     – Multiple virtual Edge Gateways
     – Targeted at Service Providers
         (managed service offering) and
         large enterprises (segmented
         based on business units/groups)
     – Separate access policy grouping
         for each virtual Edge Gateway
     – Can have separate security
         administrators
     – Master administrator control
69




Edge Gateway – v10.1 Features
•   BIG-IP Edge Client
     – Web delivered and standalone
     – New look and feel
     – Mobility: Roaming and smart
       connection
     – QoS on Windows machines (client
       side)
     – Acceleration: Adaptive compression
     – SDK for integration

•   Endpoint Security
     – Windows and Macintosh checks
     – Protected Workspace (Parity with FP
       6.1) with encryption and Virtual File
       System
     – Group policy integration
     – Virtual Keyboard
70




     High Cost to Scale Remote Access

[Diagram labels: DMZ; Traditional SSL VPN (clustered 3 max); Internet; 4,000 Remote Users; 1,000 Wireless Users; 15,000 Corporate Users; 6,000 Corporate Branch Users; Internal LAN VLAN 1; Internal LAN VLAN 2; Datacenter Resources; Utilize existing user directory; $751K for 26k users]

•   Cost prohibitive scaling for remote access
•   Three-unit cluster supports 26k users at $29 per user
•   Asymmetric acceleration not available for remote access
•   Limited QoS
•   User and application disruption when roaming
71



     BIG-IP Edge Gateway: High Performance, Low Cost

[Diagram labels: DMZ; BIG-IP Edge Gateway; Internet; 4,000 Remote Users; 1,000 Wireless Users; 15,000 Corporate Users; 6,000 Corporate Branch Users; Internal LAN VLAN 1; Internal LAN VLAN 2; Datacenter Resources; Utilize existing user directory; $188K for 26k users, 25% of cost]

•   Consolidation: 3:1 on Access and Acceleration
•   High performance – 26,000 users at $7+ per user
      •  Scale up to 40,000 users
•   Flexible and centralized security policy management
•   Integrated endpoint security checking
•   Integrated application acceleration – up to 10x

F5-BigIP Edge gateway introduction


Editor's Notes

  • #8 One solution to manage all access policies regardless of access networkCapacity and performance to secure all user trafficOptimizes application delivery to remote and mobile usersImproves quality of real-time applications; soft phones and streaming media
  • #9 BIG-IP Edge Gateway is a next generation access solution Converges “edge services”; SSL VPN, web application acceleration, and WAN optimization services into a unified platform.Think Edge Application Delivery Controller (Edge ADC)TMOS as foundation for future edge servicesProvides LAN-like application performance to remote and mobile usersMarket leading endpoint inspection, authentication, and L3 – L7 access controlsBIG-IP Edge Client enhances the end-user experience Multiple BIG-IP Edge Gateway solutions1600, 3600, 3900, 6900, and 8900Concurrent user licensing modelIndustry best performance and capacity and disruptive pricingUp to 8 Gbps of SSL VPN tunnel throughputUp to 600 log-ins per second, 36,000 per minuteUp to 40,000 concurrent users per applianceLess than half the cost of nearest competitorJust the beginning of F5’s broader Edge ADC vision
  • #15 Access from any network, any time, anywhere. Edge client is also smart enough to “turn off” when it isn’t needed: when users are on the corporate LAN, Edge client automatically disconnects, letting users connect locally, and reconnects when they move to wifi or public access, SEAMLESSLY and in real time, with no prompt to the users. Increases mobile productivity by automatically entering logon credentials when using Edge Client. Easier access to applications with seamless VPN access. ICSA Labs certified SSL-VPN solution.
  • #22 Endpoint Security: More than a dozen different endpoint security checks available (large number of agents available, e.g. Virtual Keyboard, AV and firewall checks, process, file, and registry checks, extended Windows info, client and machine certificates, etc.). Manage endpoints via Group Policy enforcement and Protected Workspace (endpoint remediation capabilities like Protected Workspace and Full Armor-based AD Policy enforcement, in addition to Cache Cleaner, redirects to remediation pages, and message and decision boxes).
  • #23 Endpoint inspection and remediation. Local and remote access control. Scale and high performance.
  • #24 Endpoint inspection and remediation. Local and remote access control. Scale and high performance.
  • #26 App Tunnels: new and improved. Easily configurable Dynamic Webtop.
  • #33 Challenges: Slow connection times meant slow transfers. Couldn’t connect to VPN with 64-bit OS. VoIP issues caused dropped calls. Lack of support required costly upgrades. Benefits: WAN optimization = fast connection for mobile users on 64-bit OS. Improved VoIP, with fewer dropped calls. Active Directory integration eliminates multiple logins. Fast, easy installation.
  • #58 Forbes.com = Edge Gateway one of the best
  • #63 Quova Geolocation database in BIG-IP. Basic flow (for this example): User hits custom GeolocationCheck agent. If a user is coming from the US, the user goes to the login page, authenticates, and then is allowed access to OWA. If a user is coming from China, the user goes through an extra antivirus endpoint security check, and then is allowed access. If a user is coming from any other country, a message box is shown and the user is denied access. The Unknown path indicates the user’s IP address cannot be looked up in the geolocation db (usually because it comes from private address space).
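
The branch logic in note #63, modelled as an added example (not F5 configuration or code from the presentation) to show that the Unknown path is distinct from the "any other country" path. The address table, check names, function names, and the outcomes for a failed check and for the Unknown path are assumptions.

```python
import ipaddress

# Constructed sample geolocation table (documentation prefixes, not real data).
GEO_DB = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
}

# Checks each named branch requires before access to OWA is allowed.
# Assumption: the note calls the antivirus check "extra", so login is still required.
BRANCHES = {
    "US": ["login"],
    "CN": ["antivirus", "login"],
}


def lookup_country(client_ip):
    """Return a country code, or None when the address cannot be geolocated."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return None  # malformed input is treated like an unmapped address
    for network, country in GEO_DB.items():
        if addr in network:
            return country
    return None  # e.g. RFC 1918 private space has no geolocation entry


def evaluate(client_ip, passed_checks, unknown_action="deny"):
    """Return (branch, decision) for one session."""
    country = lookup_country(client_ip)
    if country is None:
        # The note does not say how the Unknown branch ends; deny is an assumption.
        return ("Unknown", unknown_action)
    required = BRANCHES.get(country)
    if required is None:
        return ("Other", "deny_with_message")
    if all(check in passed_checks for check in required):
        return (country, "allow")
    return (country, "deny")  # assumption: a failed check ends the session


if __name__ == "__main__":
    for ip, checks in [("198.51.100.7", {"login"}), ("203.0.113.9", {"login"}),
                       ("192.0.2.5", {"login"}), ("10.1.2.3", {"login"})]:
        print(ip, evaluate(ip, checks))
```

Internal users reaching the policy from private address space land on the Unknown branch, so its outcome is a deliberate policy decision rather than a fallthrough.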