© F5 Networks, Inc 3
One Access Solution – BIG-IP APM
All Access
Use Cases
BIG-IP
Access Policy Manager
Web Access Management:
• Proxy to HTTP apps
– Outlook Web Access
– SharePoint
– Custom
– Single Sign On
– Internal Applications
– SaaS Applications (SAML)
Remote Access:
• SSL VPN
– Network Access
– App Tunnels
– Portal Access
– Edge Client
– Windows, Mac, Linux
– SmartPhones
– Tablets
Application Access Control:
• Proxy to Non-HTTP apps
– VDI
– Citrix (ICA Proxy)
– VMware View (PCoIP)
– MS Terminal Services/RDS
– Exchange
– ActiveSync
– Outlook Anywhere
Security:
– Endpoint Scanning
– Endpoint Cleanup
– Multi-factor authentication with several directories and methods
Outbound Security Services
Identity bridging across corporate and SaaS resources
• SAML 2.0 services
• SSO
[Diagram labels: AAA Server; SSL Forward Proxy; SAML IdP; SSO and Federation; SAML SP]
Dramatically reduce infrastructure costs; increase productivity
Authentication All in One and Fast SSO F5 BIG-IP Access Policy Manager
Dynamic Webtop for End-User
• Customizable and localizable list of resources
• Adjusts to mobile devices
• Java-based resources for client flexibility
• Combine multiple access resources
Control Access of Endpoints
Ensure strong endpoint security
Allow, deny, or remediate users based on endpoint attributes such as:
• Antivirus software version and updates - SUBSCRIPTION INCLUDED
• Software firewall status
• Access to specific applications
Invoke protected workspace for unmanaged devices:
• Restrict USB access
• Cache cleaner leaves no trace
• Ensure no malware enters corporate network
BIG-IP APM
Access Policy Design
• Industry-leading advanced Visual Policy Editor (VPE)
• Flexible
• Easy to understand, visual representation of policy
• VPE Rules (TCL-based) for advanced functions
• Trigger TMM iRules events
• Usability features
• Macros
• Visual cues to aid configuration
ActiveSync, Microsoft Solution
• Microsoft Solution
• Authenticate the user before the client accesses the Exchange server
• Exchange 2007/2010 can verify the DeviceId
• AD group check and basic URL filter can be implemented on TMG
[Diagram labels: Data Center; AD; DMZ; MS TMG or ISA; MS Exchange]
Reaction Ranged From Disappointment to Anger…
• TMG was a good product, and was well liked by its administrators.
• Familiar Windows Interface
• Point and Click
• Cost Effective
“Really? Do you think that everyone is going to the cloud? Seriously, this is a total mess.”
“It breaks my heart.”
“Pity MSFT. ISA & TMG were very strong product sets and truly best in class.”
“Bad news about TMG, how are we expected to publish applications, load balance web sites, Sharepoint, etc?”
Source: http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx?PageIndex=5#comments
ActiveSync, F5 BIG-IP APM Solution
• SSL Offload
• Verify and enable access based on:
• User/password, AD group membership
• IP location, DeviceId, DeviceType, User-Agent
• Brute force detection
• ActiveSync commands used
• URI (allow access requests to /Microsoft-Server-Activesync)
• User home server
[Diagram labels: Data Center; AD; DMZ; MS Exchange]
Enable Hosted Virtual Desktops
• Simple virtual deployment
• Managed local and remote access
• Power to scale and grow
• Vendor agnostic
VMware View Availability & Scalability Intelligent Traffic Management
• Between VMware View security servers or connection servers
• Aggregate multiple VMware View pods to appear as a single pod
• Between VMware View pods
• Between data centers
Max 10,000 users per pod
[Diagram labels: Centralized Virtual Desktops; BIG-IP Global Traffic Manager; BIG-IP Local Traffic Manager; BIG-IP (Local Traffic Manager, Access Policy Manager); DMZ]
Secure Access Replace VMware View Security Server
• Highly scalable
• Host Endpoint checks
• Simplify topology
• Powerful AAA capabilities
Ease and Speed of Deployment iApp for VMware View
• Configure network for VMware View automatically
• Admin answers simple, goal-based questions
• iApp for VMware View configures network based on Admin’s input
• Benefits
• Faster (minutes instead of days)
• Reduces errors
• Replicates to groups of servers easily
BIG-IP