F5 Access Policy Manager Overview
Enable Simplified Application Access with BIG-IP Access Policy Manager (APM)
© F5 Networks, Inc
One Access Solution – BIG-IP APM
All Access Use Cases
BIG-IP Access Policy Manager

Remote Access:
• SSL VPN
– Network Access
– App Tunnels
– Portal Access
– Edge Client
– Windows, Mac, Linux
– SmartPhones
– Tablets

Application Access Control:
• Proxy to Non-HTTP apps
– VDI
– Citrix (ICA Proxy)
– VMware View (PCoIP)
– MS Terminal Services/RDS
– Exchange
– ActiveSync
– Outlook Anywhere

Web Access Management:
• Proxy to HTTP apps
– Outlook Web Access
– SharePoint
– Custom
– Single Sign On
– Internal Applications
– SaaS Applications (SAML)

Security:
– Endpoint Scanning
– Endpoint Cleanup
– Multi-factor authentication with several directories and methods
Outbound Security Services
Identity bridging across corporate and SaaS resources
• SAML 2.0 services
• SSO SAML SP
SSL Forward Proxy
SAML IdP
SSO and Federation
AAA Server
Authentication All in One and Fast SSO
F5 BIG-IP Access Policy Manager
Dramatically reduce infrastructure costs; increase productivity
Dynamic Webtop for End-User
• Customizable and localizable list of resources
• Adjusts to mobile devices
• Java-based resources for client flexibility
• Combine multiple access resources
Control Access of Endpoints
Ensure strong endpoint security
BIG-IP APM

Allow, deny, or remediate users based on endpoint attributes such as:
• Antivirus software version and updates - SUBSCRIPTION INCLUDED
• Software firewall status
• Access to specific applications

Invoke protected workspace for unmanaged devices:
• Restrict USB access
• Cache cleaner leaves no trace
• Ensure no malware enters corporate network
Access Policy Design
• Industry-leading advanced Visual Policy Editor (VPE)
– Flexible
– Easy to understand, visual representation of policy
– VPE Rules (TCL-based) for advanced functions
– Trigger TMM iRules events
• Usability features
– Macros
– Visual cues to aid configuration
BIG-IP Access Policy Manager
Microsoft Exchange

ActiveSync, Microsoft Solution
Diagram labels: DMZ, Data Center, MS Exchange, MS TMG or ISA, AD
• Authenticate the user before the client accesses the Exchange server
• Exchange 2007/2010 can verify the deviceid
• AD group check and basic URL filter can be implemented on TMG

Microsoft Discontinues TMG
Reaction Ranged From Disappointment to Anger…
• TMG was a good product, and was well liked by its administrators.
• Familiar Windows Interface
• Point and Click
• Cost Effective
“Really? Do you think that everyone is going to the cloud? Seriously, this is a total mess.”
“It breaks my heart.”
“Pity MSFT. ISA & TMG were very strong product sets and truly best in class.”
“Bad news about TMG, how are we expected to publish applications, load balance web sites, Sharepoint, etc?”
Source: http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx?PageIndex=5#comments
ActiveSync, F5 BIG-IP APM Solution
Diagram labels: DMZ, Data Center, MS Exchange, AD
• SSL Offload
• Verify and enable access based on
– User/password, AD group membership
– IP location, Deviceid, Devicetype, Useragent
• Brute force detection
• ActiveSync commands used
• URI (allow access request to /Microsoft-Server-Activesync)
• User home server

BIG-IP Access Policy Manager VDI Solutions
Enable Hosted Virtual Desktops
• Simple virtual deployment
• Power to scale and grow
• Managed local and remote access
• Vendor agnostic
VMware View Availability & Scalability
Intelligent Traffic Management
• Between VMware View security servers or connection servers
• Aggregate multiple VMware View pods to appear as a single pod
• Between VMware View pods
• Between data centers
Diagram labels: BIG-IP Global Traffic Manager, BIG-IP Local Traffic Manager, Access Policy Manager, DMZ, Centralized Virtual Desktops
Max 10,000 users per pod

Secure Access
Replace VMware View Security Server
• Highly scalable
• Host Endpoint checks
• Simplify topology
• Powerful AAA capabilities
Ease and Speed of Deployment
iApp for VMware View
• Configure network for VMware View automatically
• Admin answers simple, goal-based questions
• iApp for VMware View configures network based on Admin’s input
• Benefits
– Faster (minutes instead of days)
– Reduces errors
– Replicates to groups of servers easily