F5 Access Policy Manager Overview


Enable Simplified Application Access with BIG-IP Access Policy Manager (APM)

© F5 Networks, Inc


One Access Solution – BIG-IP APM

Remote Access:
• SSL VPN
– Network Access
– App Tunnels
– Portal Access
– Edge Client
– Windows, Mac, Linux
– SmartPhones
– Tablets

Application Access Control:
• Proxy to Non-HTTP apps
– VDI
– Citrix (ICA Proxy)
– VMware View (PCoIP)
– MS Terminal Services/RDS
– Exchange
– ActiveSync
– Outlook Anywhere

Web Access Management:
• Proxy to HTTP apps
– Outlook Web Access
– SharePoint
– Custom
– Single Sign On
– Internal Applications
– SaaS Applications (SAML)

All Access Use Cases

BIG-IP Access Policy Manager

Security:
– Endpoint Scanning
– Endpoint Cleanup
– Multi-factor authentication with several directories and methods

Outbound Security Services

Identity bridging across corporate and SaaS resources
• SAML 2.0 services
• SSO SAML SP

SSL Forward Proxy

SAML IdP

SSO and Federation

AAA Server


Authentication All in One and Fast SSO

F5 BIG-IP Access Policy Manager

Dramatically reduce infrastructure costs; increase productivity


Dynamic Webtop for End-User
• Customizable and localizable list of resources
• Adjusts to mobile devices
• Java-based resources for client flexibility
• Combine multiple access resources


Control Access of Endpoints

Ensure strong endpoint security

BIG-IP APM

Allow, deny, or remediate users based on endpoint attributes such as:
• Antivirus software version and updates - SUBSCRIPTION INCLUDED
• Software firewall status
• Access to specific applications


Invoke protected workspace for unmanaged devices:
• Restrict USB access
• Cache cleaner leaves no trace
• Ensure no malware enters corporate network

Access Policy Design
• Industry-leading advanced Visual Policy Editor (VPE)
– Flexible
– Easy to understand, visual representation of policy
– VPE Rules (TCL-based) for advanced functions
– Trigger TMM iRules events
• Usability features
– Macros
– Visual cues to aid configuration


BIG-IP Access Policy Manager Microsoft Exchange

ActiveSync, Microsoft Solution

Diagram labels: DMZ, Data Center, MS Exchange, MS TMG or ISA, AD

Microsoft Solution
• Authenticate the user before the client accesses the Exchange server
• Exchange 2007/2010 can verify DeviceId
• AD group check and basic URL filter can be implemented on TMG

Microsoft Discontinues TMG


Reaction Ranged From Disappointment to Anger…
• TMG was a good product, and was well liked by its administrators.
• Familiar Windows Interface
• Point and Click
• Cost Effective

“Really? Do you think that everyone is going to the cloud? Seriously, this is a total mess.”

“It breaks my heart.”

“Pity MSFT. ISA & TMG were very strong product sets and truly best in class.”

“Bad news about TMG, how are we expected to publish applications, load balance web sites, Sharepoint, etc?”

Source: http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx?PageIndex=5#comments

ActiveSync, F5 BIG-IP APM Solution

Diagram labels: DMZ, Data Center, MS Exchange, AD

• SSL Offload
• Verify and enable access based on
– User/password, AD group membership
– IP location, DeviceId, DeviceType, User-Agent
• Brute force detection
• ActiveSync commands used
• URI (allow access requests to /Microsoft-Server-ActiveSync)
• User home server

BIG-IP Access Policy Manager VDI Solutions

Enable Hosted Virtual Desktops

• Simple virtual deployment

• Power to scale and grow

• Managed local and remote access

• Vendor agnostic


VMware View Availability & Scalability

Intelligent Traffic Management
• Between VMware View security servers or connection servers
• Aggregate multiple VMware View pods to appear as a single pod
• Between VMware View pods
• Between data centers

Max 10,000 users per pod

Diagram labels: Centralized Virtual Desktops, DMZ, BIG-IP Local Traffic Manager, BIG-IP Local Traffic Manager Access Policy Manager, BIG-IP Global Traffic Manager

Secure Access

Replace VMware View Security Server
• Highly scalable
• Host Endpoint checks
• Simplify topology
• Powerful AAA capabilities

Ease and Speed of Deployment

iApp for VMware View
• Configure network for VMware View automatically
• Admin answers simple, goal-based questions
• iApp for VMware View configures network based on Admin’s input
• Benefits
– Faster (minutes instead of days)
– Reduces errors
– Replicates to groups of servers easily