2. BIG-IP Local Traffic Manager
+ Access Policy Manager
Directory
SharePoint OWA
Cloud
Web servers
App 1 App n
APP
OS
APP
OS
APP
OS
APP
OS
Hosted virtual
desktop
Users
ENABLE SIMPLIFIED APPLICATION ACCESS
with BIG-IP Access Policy Manager (APM)
3. BIG-IP® APM features:
• Centralizes single sign-on and access control services
• Full proxy L4 – L7 access control at BIG-IP speeds
• Adds endpoint inspection to the access policy
• Visual Policy Editor (VPE) provides policy-based access control
• VPE Rules—programmatic interface for custom access policies
• Supports IPv6
BIG-IP® APM ROI benefits:
• Scales to 100K users on a single device
• Consolidates auth. infrastructure
• Simplifies remote, web and application access
control
*AAA = Authentication, authorization and accounting (or auditing)
BIG-IP Access Policy Manager (APM)
Unified access and control for BIG-IP
4. Control Access of Endpoints
Ensure strong endpoint security
Users
BIG-IP APM
• Antivirus software version
and updates
• Software firewall status
• Machine certificate validation
Allow, deny or remediate users based
on endpoint attributes such as:
Invoke protected workspace for unmanaged
devices:
• Restrict USB access
• Cache cleaner leaves no trace
• Ensure no malware enters corporate
network
Web
5. Dynamic End-User Webtop
• Customizable and localizable list of resources
• Adjusts to mobile devices
• Toolbar, help and disconnect buttons
6. INTERNET
INTERNAL LAN
VLAN2
INTERNAL LAN
VLAN1
Mobile users
Branch office
users
Wireless users
LAN users
BIG-IP LTM +APM
BIG-IP LTM VE +APM
-OR-
Virtual desktops
VDI VDI VDI VDI
Hypervisor
AUTO-CONNECT TO THE VPN
Always connected application access
10. F5 Networks, Confidential
Local and
remote users
L-DNS
Geo-location
services
BIG-IP Global Traffic
Manager
Monitoring
vs. iQuery
BIG-IP LTM+APMData center
BIG-IP LTM+APMData center
BIG-IP LTM+APMData center
Global Traffic Manager improves VDI performance
• Xen App/Desktop users sent to
best data center
• Continuous monitoring of
entire infrastructure including
network & application health
• Automatic failover during
outages
• Persistence prevents broken
sessions
SINGLE NAMESPACE FOR GLOBAL AVAILABILITY
Use case
12. Create policy
Corporate domain
Latest AV software
Current O/S
Administrator
User = HR
HR
AAA
server
• Proxy the web applications to
provide
authentication, authorization, endpo
int inspection, and more – all typing
into Layer 4-7 ACLS through F5’s
Visual Policy Editor
ENHANCING WEB ACCESS MANAGEMENT
Use case
8 3 2 8 4 9
13. Users Web servers
App 1
App 2
App 3
WAM proxy
• Endpoint inspection
• Scaling and high availability for
the application and OAM
directory
• Web application security
• Web application acceleration
• Enterprise class architecture
LTM = Local Traffic Manager
ASM = Application Security Manager
WA= WebAccelerator
OAM = Oracle Access Manager
BIG-IP LTM APM
Endpoint security
checks
+ ASM or WA
Oracle access mgr.
Additional BIG-IP benefits
RICHER APPLICATION DELIVERY
Virtualization
HA,LB
Virtualization
(HA, LB for directories)
17. • Dramatically reduce
infrastructure costs;
increase productivity
• Provides seamless
access to all web
resources
• Integrated with
common applications
Use case
CONSOLIDATING APP AUTHENTICATION (SSO)
AAA
server
Corporate
managed device
Latest AV software
Expense
report app
Finance
Salesforce.com
User = Finance
18. What is the problem?
• Users authenticate to their enterprise, but more and more
resources are hosted elsewhere….
• How do we maintain control of those credentials, policies
and their lifecycle?
19. What is SAML?
• Security Assertion Markup Language
• Solid standard current version 2.0 (March 2005)
• Strong commercial and open source support
• An XML-based open standard data format for exchanging
authentication and authorization data between parties, in
particular, between an identity provider (iDP) and a
service provider (SP).”
20. What is SAML? Now in English
• Its ‘Internet/Web’ SSO
• Eliminates Need for Multiple Passwords/Password
Databases in Multiple Locations
• Enables Enterprise in the ‘Cloud’
22. • Dramatically reduce
infrastructure costs;
increase productivity
• Provides seamless
access to all web
resources
• Integrated with
common applications
Use case
CONSOLIDATING APP AUTHENTICATION (SSO)
AAA
server
Corporate
managed device
Latest AV software
Expense
report app
Finance
User = Finance
23. Load Balancing AD FS Infrastructure with BIG-IP
Of f i ce 365
Shar ePoi nt Onl i ne
Exchange Onl i ne
Lync Onl i ne
Cor por at e Net wor k
AD FS Far m
Act i ve
Di r ect or y
Per i met er Net wor k
AD FS Pr oxy Far m
Cor por at e
User s
• Local Traffic Manager
• Intelligent traffic management
• Advanced L7 health monitoring – (Ensures the AD FS service is responding)
• Cookie-based persistence
24. Cor por at e Net wor k
AD FS Far m
Act i ve
Di r ect or y
Cor por at e
User s
Of f i ce 365
Shar ePoi nt Onl i ne
Exchange Onl i ne
Lync Onl i ne
Load Balancing AD FS with Local Traffic Manager
Per i met er Net wor k
AD FS Pr oxy Far m
25. Publishing AD FS with Access Policy Manager
Cor por at e Net wor k
AD FS Far m
Act i ve
Di r ect or y
Cor por at e
User s
Of f i ce 365
Shar ePoi nt Onl i ne
Exchange Onl i ne
Lync Onl i ne
Load Balancing AD FS with Local Traffic Manager
Replacing the AD FS Proxy farm with APM provides:
• Enhanced Security
• Variety of authentication methods
• Client endpoint inspection
• Multi-factor authentication
• Improved User Experience
• SSO across on-premise and cloud-based
applications
• Single-URL access for hybrid deployments
• Simplified Architecture
• Removes the AD FS proxy farm layer as well as
the need to load balance the proxy farm
26. Federating with Access Policy Manager and SAML
• Available with version 11.3, APM includes full SAML support
• Ability to act as IDP, (Identity Provider) for access to external claims-based resources including
Office 365
• Act as service provider, (SP) to facilitate federated access to on-premise applications
• Streamlined architecture, (no need for the AD FS architecture)
• Simplified iApp deployment
Cor por at e Net wor k
Act i ve Di r ect or y
Cor por at e
User s
Of f i ce 365
Shar ePoi nt Onl i ne
Exchange Onl i ne
Lync Onl i ne
29. Sample Detailed Report
Gain a deeper understanding:
• All sessions with geo-location
• Local time
• Virtual IP
• Assigned IP
• ACLs
• Applications and OSs
• Browsers
• All sessions
• Customize reports
• Export for distribution
30. Access and Application Analytics
Stats grouped by
application and user
Provides:
• Business intelligence
• ROI reporting
• Capacity planning
• Troubleshooting
• Performance
Stats collected
• Client IPs
• Client geographic
• User agent
• User sessions
• Client-side latency
• Server latency
• Throughput
• Response codes
• Methods
• URLs
Views
• Virtual server
• Pool member
• Response codes
• URL
• HTTP methods
BIG-IP APM = AAA control on BIG-IP Integrates with AAA servers—including Active Directory, LDAP, RADIUS, and Native RSA SecurID
Add-On Module for BIG-IP Family (For new BIG-IP platforms, e.g. 3600, 3900, 6900, 6900 FIPS, 8900, 8950 and 11050. Available as an add-on module for BIG-IP LTM.)Access Profile for Local Traffic Virtual Servers (Very simple configuration to add an Access Policy to an LTM Virtual. Just select an Access Profile from the pulldown menu under the LTM Virtual configuration page. The rest of the Access Policy is configured under the Access Control left-hand menu, where AAA servers are configured, ACLs and ACEs are defined, and VPE is used to create the visual policy.)APM Policy Engine (This is the advanced policy engine behind APM add-on for BIG-IP)Industry Leading Visual Policy Editor (VPE) (See screenshot. Next generation of visual policy editor which has been a big selling point for FirePass. Others, e.g. Cisco, and started trying to copy, but years behind in this area).VPE Rules (TCL-based) for Advanced Policies (Ability to edit the iRules-like TCL rules behind the VPE directly, for advanced configurations, or to create all new rules for custom deployments. Tight integration between the VPE rules and TMM iRules – e.g. ability to drive Access Policies via TMM iRules, Access Policy creating new iRules events, etc.).Endpoint SecurityMore than a dozen different endpoint security checks available (Large number of agents available, e.g. Virtual Keyboard, AV and firewall checks, process, file, and registry checks, extended Windows info, client and machine certificates, etc.)Manage endpoints via Group Policy enforcement and Protected Workspace (Endpoint remediation capabilities like Protected Workspace and Full Armor-based AD Policy enforcement, in addition to Cache Cleaner, redirects to remediation pages, and message and decision boxes).Authentication and AuthorizationFlexible authentication and authorization capabilities via client cert, AD, LDAP, RADIUS, RSA SecurID agents (Broad array of authentication, authorization, and accounting capabilities – including RADIUS accounting).Access ControlHigh-Performance Dynamic Layer 4 and Layer 7 (HTTP/HTTPS) ACLs (Role/User-based Access Control engine built directly into TMM, via hudfilters. Supports dynamic assignment and enforcement of layer 4 ACL/firewall capabilities, as well as now supporting dynamic layer-7 HTTP/HTTPS URL-based access controls. High-performance as built directly into dataplane.)
Endpoint SecurityMore than a dozen different endpoint security checks available (Large number of agents available, e.g. Virtual Keyboard, AV and firewall checks, process, file, and registry checks, extended Windows info, client and machine certificates, etc.)Manage endpoints via Group Policy enforcement and Protected Workspace (Endpoint remediation capabilities like Protected Workspace and Full Armor-based AD Policy enforcement, in addition to Cache Cleaner, redirects to remediation pages, and message and decision boxes).
Web Access Management – BIG-IP proxies the customer’s web applications and provides authentication, authorization, endpoint inspection, and more – all typing into Layer 4-7 ACLS through F5’s easy-to-use Visual Policy Editor.
Exchange / Active Sync – The application Access solution helps secure Exchange deployment across Active Sync / Mobile, Outlook Web Access and Outlook Anywhere. In addition to access control and security, F5 can aid in disaster recover, Exchange 2007 to 2010 migration and provide single namespace capabilities. Secures Active Sync / Mobile, OWA and Outlook AnywhereAssists in disaster recovery and Exchange 2007 to 2010 migrationMigrate over time Authenticate usersSingle URL accessManaged accessAfter migrationScale to 60K usersNo cross-CAS overhead High availabilityExpanded bullets:Solution allows organizations to migrate over-time while BIG-IP APM authenticated users in the DMZ to ensure there are no unknown users accessing the system.Organizations can distribute a single URL and depending on user or group – BIG-IP APM will direct the user to the appropriate server for Exchange iteration (OWA / ActiveSync or Outlook Anywhere)This give users direct access to email without updating bookmarks or settingsOranizations can alsom manage email access for all devices from all locations and any network.
Single sign-on (SSO) – users login to BIG-IP once and enjoy seamless access to all web resources, leveraging a variety of SSO methods (SAML, Credential Caching, Kerberos) to integrate with common applications. This allows system administrators to provision and de-provision application to applications uniformly, even when apps live in the cloudF5 HelpsDramatically reduce infrastructure costs; increase productivityProvides seamless access to all web resourcesIntegrated with common applications
Single sign-on (SSO) – users login to BIG-IP once and enjoy seamless access to all web resources, leveraging a variety of SSO methods (SAML, Credential Caching, Kerberos) to integrate with common applications. This allows system administrators to provision and de-provision application to applications uniformly, even when apps live in the cloudF5 HelpsDramatically reduce infrastructure costs; increase productivityProvides seamless access to all web resourcesIntegrated with common applications
Supports users worldwide Secure IPsec site to site tunnelsFast apps to Edge Client usersVirtual and standalone deploymentsAPM v11 on Edge Gateway surpasses VPN feature parity IPSec (iSessions) site to site (gateway to gateway) extending layer 3 networks vs. initial IPSec (client to site) where normally SSL VPN is a replacementApp Tunnels: new and improved Easily configurable Dynamic WebtopFlash patching
