F5 Networks Proposal

F5 Networks RFP Response for Solicitation JP14001

State of Utah

WSCA-NASPO Data Communications Product & Services

F5 Networks, Inc. 401 Elliott Avenue West Seattle, Wa. 98119 (206) 272-5555 August 28

th, 201

F5 Networks – WSCA-NASPO Data Communications Services Solicitation #JP14001

F5 Networks – Confidential

EXECUTIVE SUMMARY As the global leader in Application Delivery Networking, F5 makes the connected world run better. In fact, you’ve probably relied on F5 products dozens of times today and didn’t even know it. F5 helps organizations meet the demands that come with the relentless growth of voice, data, and video traffic, mobile workers, and applications—in the data center and the cloud. We realize how important it is for the State of Utah and the WSCA-NASPO Participating Entities to have comprehensive, convenient, and effective purchasing vehicles to support the mission critical nature of running the business of our citizens. In serving your constituents, you also have a duty to ensure the people’s money is being wisely spent. F5 takes this mission seriously and we are committed to all the necessary requirements to support the WSCA-NASPO Data Communications Products & Services public bid. In the recent 2012 State of the CIO Survey

1 there were several topics that were “top of mind” for today’s State CIO; in

that survey there were 4 topics that F5 is uniquely qualified to address:

Consolidation – The survey focuses on consolidation in state government across (12) categories. Of those categories, F5 solutions directly impact (6) of the (12) consolidation categories. When our customer’s leverage the power of our TMOS™ operating platforms it enables them to collapse infrastructure, reduce support staff, and streamline operations. Health and Human Services Modernization and Integration – Every state in the union is actively working on solutions to implement the Affordable Health Care for America Act of 2010. Top of the list in their efforts is implementing health care exchanges to serve their citizens. F5 is working with several states to ensure these applications are available, responsive and can protect healthcare data. Mobility – It’s no secret that the explosion of mobile usage is challenging IT teams everywhere. F5 is at the forefront of providing solutions that break down the barriers in mobile users accessing applications and their data. Because our platform intelligently identifies the type of user, traffic patterns, and the backend resources required, we become the “strategic point of control” that makes everything work seamlessly. Cloud Computing – Public sector organizations today need to figure out when it’s best to build and operate their own infrastructure, when to use third party SaaS options, and how to embrace services like Amazon Web Services. Our solutions are the glue that allows customers to embrace all three environments and have the security and flexibility to interoperate across those business models.

The evaluation team has a big job in sifting through the vendor responses and determining the next generation of vendors that will be supporting the WSCA-NASPO members. We feel compelled to highlight the three key areas that set F5 apart as one of eventual selected vendors:

Vision and Leadership – For several years, F5 has been setting the bar as the Company in the application delivery networking (ADN) and security markets. We are proven the market leader for ADN and continue our legacy of innovation by investing in our TMOS platform and the advanced application management services it provides. World Class Support – Today’s applications are becoming more complicated and our solutions are complex. When you couple that with the mission critical nature of keeping business critical applications running, support is imperative. F5 has best in class, follow the sun support solutions that meet the demanding expectations of our customers. Financial Strength – F5 has the strongest financial position of any of our primary competitors. With a strong balance sheet, proven business model, and no long-term debt, the evaluation team can be assured that we will be here for the long run in helping your members be successful.

1 Survey conducted by NASCIO, TechAmerica and Grant Thornton.


F5 Networks – Confidential Page 1

TABLE OF CONTENTS Section 1: WSCA-NASPO Solicitation General Information ........................................................................... 2 Section 2: General Proposal Requirements and Information ........................................................................ 2 Section 3: Data Communications Provider Mandatory Minimum Requirements ......................................... 2 Section 4: Data Communications Provider Qualifications ............................................................................. 4 Section 5: Service Offering Qualifications ........................................................................................................ 18 5.2 Data Communications Services – Requirements ....................................................................................... 20

5.2.1 DATA CENTER APPLICATION SERVICES ......................................................................................... 20 5.2.2 NETWORKING SOFTWARE ................................................................................................................. 25 5.2.3 NETWORK OPTIMIZATION AND ACCELERATION ........................................................................... 27 5.2.4 OPTICAL NETWORKING ...................................................................................................................... 30 5.2.5 ROUTERS .............................................................................................................................................. 31 5.2.6 SECURITY ............................................................................................................................................. 32 5.2.7 STORAGE NETWORKING .................................................................................................................... 38 5.2.8 SWITCHES............................................................................................................................................. 39 5.2.9 WIRELESS ............................................................................................................................................. 41 5.3.0 UNIFIED COMMUNICATIONS (UC) ..................................................................................................... 43 5.3.1 SERVICES ............................................................................................................................................. 45

Section 6: Evaluation .......................................................................................................................................... 51 Section 7: Master Agreement Terms and Conditions/Exceptions ................................................................. 54 Attachment C – Cost Schedule .......................................................................................................................... 61 F5 Appendices Appendices 1 through 6 are provided in the back sections of the binder containing our bid response. Due to the number pages represented by our data sheets, we have provided a 2

nd binder for those documents.

1. Supplier Response Form Exceptions

2. State of Utah Standard Information Technology Terms and Conditions Proposed Exceptions

3. WSCA-NASPO Master Agreement Terms and Conditions Proposed Exceptions

4. F5 Proposed Additional Vendor Terms

a. End User License Agreement b. Maintenance Terms and Conditions c. Consulting Services Terms and Conditions d. Evaluation Terms and Conditions

5. F5 Authorized Partner List

6. F5 Price List

7. F5 Product Data Sheets



RESPONSE TO WSCA-NASPO SECTIONS For the convenience of the evaluation team, we have copied text from certain portions of the WSCA-NASPO Data Communications Products & Services Bid document into our response document. In order to keep our document to a reasonable number of pages we have only copied those sections we feel are necessary and relevant to our responses. All of our responses are listed in Red and are labeled “F5 Response” for ease of reading by the evaluation team. Section 1: WSCA-NASPO Solicitation General Information F5 Response: The F5 response team has read the items listed in Section 1 and acknowledge that we understand and accept them.

Section 2: General Proposal Requirements and Information F5 Response: The F5 response team has read the items listed in Section 2 and acknowledge that we understand and accept them. Section 3: Data Communications Provider Mandatory Minimum Requirements 3.1 General Information This section contains requirements that must be addressed in order for your proposal to be considered for the evaluation phase of this RFP. All of the items described in this section are non-negotiable. Respondents are required to complete: Mandatory Requirements (M) All Respondents must meet the (M) requirements listed in this section, and explain how the requirement is met. A ‘no’ response on the acceptance document or omission of the required explanation will disqualify the service from further evaluation. 3.1.1 Equipment Offering (M) Identify Equipment Offering in sections 5.2.1-5.3.0. F5 Response: We have provided detailed information about our equipment (product) offerings. For your convenience, we have mirrored your bid structure and embedded our response along with your requirements. Please refer to section 5.2 for this information. We have also provided detailed product information in Appendix 7 located in the supplemental binder included with our response. 3.1.2 Service Offering (M) Identify Service Offerings for all products offered in Sections 5.2.1-5.3.0. F5 Response: We have provided detailed information about our services offerings. For your convenience, we have mirrored your bid structure and embedded our response along with your requirements. Please refer to section 5.3.1 for this information. We have also provided detailed Service information in Appendix 7 located in the supplemental binder included with our response. 3.1.3 Insurance Requirement (M) This pertains to the State of Utah insurance requirements. Other Participating States may identify different insurance requirements during the participating addendum process. Data Communications Provider’s and their authorized contractors shall procure and maintain insurance which shall protect the authorized contractor and The State and/or purchasing entity (as an additional insured) from any claims from



bodily injury, property damage, or personal injury covered by the indemnification obligations set forth herein. The Data Communications Provider’s authorized contractor shall procure and maintain the insurance policies described below at their own expense and shall furnish to the procurement manager, upon award, an insurance certificate listing the participating State(s) as certificate holder and as an additional insured. The insurance certificate must document that the Commercial General Liability insurance coverage purchased by the authorized contractor to include contractual liability coverage applicable to this Master Agreement. In addition, the insurance certificate must provide the following information: the name and address of the insured; name, address, telephone number and signature of the authorized agent; name of the insurance company (authorized to operate in all States); a description of coverage in detailed standard terminology (including policy period, policy number, limits of liability, exclusions and endorsements) and an acknowledgment of notice of cancellation to the participating States.

Authorized contractor is required to maintain the following insurance coverage’s during the term of the WSCA-NASPO Master Agreement:

1) Workers’ Compensation Insurance – The Data Communications Provider’s authorized contractor must

comply with Participating State’s requirements and provide a certificate of insurance. 2) Commercial General Liability Policy per occurrence - $1,000,000. Coverage to include bodily injury

and property damage combined single limit. 3) Business Automobile Policy to include but not limited to liability coverage on any owned, non-owned,

or hired vehicle used by Data Communications Provider’s authorized contractor personnel in the performance of this Master Agreement. The business automobile policy shall have the following limits of liability: Per Occurrence - $1,000,000, Annual Aggregate - $3,000,000, Annual Aggregate applying to products and services - $3,000,000. Coverage must include premises and operations, bodily injury and property damage, personal and advertising injury; blanket contractual, products and services, owner named as an additional insured. The State of Utah must be listed as an additional insured.

Within 10 days of contract award, the Contracted Supplier and/or Authorized Contractor must submit proof of certificate of insurance that meets the above requirements or the Participating States requirements. F5 Response: F5 meets the requirements listed 3.1.3. However, we request the text listed in the second paragraph of this section be amended as follows: Data Communications Provider’s and their authorized contractors shall procure and maintain insurance which shall protect the authorized contractor and The State and/or purchasing entity (as an additional insured) from any claims from bodily injury, property damage, or personal injury covered by the indemnification obligations set forth herein. The Data Communications Provider’s authorized contractor shall procure and maintain the insurance policies described below at their own expense and shall furnish to the procurement manager, upon award, an insurance certificate listing the participating State(s) as certificate holder and as an additional insured. The insurance certificate must document that the Commercial General Liability insurance coverage purchased by the authorized contractor to include contractual liability coverage applicable to this Master Agreement. In addition, the insurance certificate must provide the following information: the name and address of the insured; name, address, telephone number and signature of the authorized agent; name of the insurance company (authorized to operate in all States); a description of coverage in detailed standard terminology (including policy period, policy number, limits of liability, pertinent exclusions and endorsements) and an acknowledgment of notice of cancellation to the participating States. The proposed change is to add the word “pertinent” to the last sentence in the section as shown above. 3.1.4 Delivery (M) The prices offered shall be the delivered price to any WSCA-NASPO purchasing entity. All deliveries shall be F.O.B. destination with all transportation and handling charges paid by the contractor. Responsibility and liability for loss or damage shall remain the Contractor until final inspection and acceptance (within 30 days after delivery for external damage and 30 days for any concealed damage) when responsibility shall pass to the Buyer except as to latent defects, fraud and Contractor’s warranty obligations. The minimum shipment amount will be found in the special terms and conditions. Any order for less than the specified amount is to be shipped with the freight prepaid and added as a



separate item on the invoice. Any portion of an order to be shipped without transportation charges that is back ordered shall be shipped without charge. F5 Response: The F5 response team has read the items listed in Section 3.1.4 and acknowledge that we understand and accept them. 3.1.5 Service Offering Documentation (M) Upon request, user and/or technical documentation should be supplied for all procured products and services. Manuals may be available via the Contracted Supplier’s website. The manual shall contain user and technical instructions appropriate to the service. F5 Response: F5 provides all of our technical documentation for our products on a website that we call DevCentral (https://devcentral.f5.com/). The only requirement for a user to access this site is that they register as a user of DevCentral. There is no cost for this resource.

3.1.6 Data Communications Provider Contract Administrator and Usage Report Administrator (M) The Contracted Supplier shall provide a Contract Administrator to manage compliance with the scope and terms and conditions for this contract. The following Information, at a minimum, regarding the Contract Administrator shall be provided:

a. Administrator’s number of years experience in the Data Communications Services business. b. Confirmation that the Data Communications Provider Contract Administrator has authority to enforce

the scope of work and terms and conditions of the resulting contract. The Contracted Supplier shall also provide a Usage Report Administrator responsible for the quarterly sales reporting described in Section 1.15 Usage Reporting Requirement. F5 Response: F5 is designating Andrea Jagla, Sr. Manager, WW Sales Operations as the Contract Administrator and Usage Report Administrator for this contract. Andrea has 10 years experience in the Data Communications Services business. We confirm that she has the authority to enforce the scope of work and terms and conditions of the resulting contract. Her contact information is provided in our response to section 4.4 of this bid response. 3.1.7 eMarket Center Cooperation (M) To be eligible for contract award, the Contractor must agree to cooperate with WSCA-NASPO and SciQuest (and any authorized agent or successor entity to SciQuest) with uploading a hosted catalog or integrating a punchout site. The contract requirements are in section 7. F5 Response: F5 agrees to use the SciQuest service for hosting our pricing catalog for participating entities for this contract. F5 also agrees to include this as a requirement for any authorized agent authorized by F5 for this contract vehicle. Section 4: Data Communications Provider Qualifications 4.1 General Information: Provide any pertinent general information about the depth and breadth of the Offeror’s product and service offerings and their overall use and acceptance in the Data Communications marketplace.



F5 Response: F5 is the market leader in the Application Delivery Controller2 market. We have the broadest and highest

performing product offering available. Our ADC offerings include; scalable chassis based products, appliance based products and software-based, virtual editions of everything we offer

3. No other vendor has the breadth and performance

we provide. When combined with our TMOS operating system and extensibility solutions like iRules and iApps, we have the most compelling solutions available. We have also been recognized as the market leader by outside organizations like Gartner. http://www.gartner.com/technology/reprints.do?id=1-1CNJ55B&ct=121030&st=sb To substantiate this, we have provided additional information in following key areas:

Intelligent Services Framework

F5 Technologies

BIG-IP Systems

ScaleN Application Delivery Platforms

Support Programs Intelligent Services Framework F5 is the only vendor that provides an open architectural framework, offering IT organizations new ways to deliver services that generate true business value. We call this framework the F5 intelligent services framework. Our intelligent services framework acts as a full proxy—a broker between the users and applications—to provide application delivery awareness at strategic points of control both on- and off-premises. This awareness is achieved through three main components:

Application awareness: Total insight into how the application is supposed to look on the wire

User awareness: Ability to see which users are trying to access which applications from which devices

Resource awareness: Real-time visibility into the entire Application Delivery Network by tying all the pieces of the application delivery infrastructure together

The F5 intelligent services framework combines strategic awareness with network intelligence to deliver the services that solve today’s application delivery challenges. F5 Technologies

4

F5 technologies create a fluid and responsive infrastructure that helps companies align IT functions to constantly changing business needs. These technologies overcome the constraints of static, single-purpose solutions to deliver applications and data with greater agility, security, availability, performance, and scalability. iApps F5 iApps is a powerful set of features in the BIG-IP system that provides a new way to architect application delivery in the data center. It gives you a holistic, application-centric view of how applications are managed and delivered inside, outside, and beyond the data center.

2 We correlate our term, Application Delivery Controller, to your reference of Virtualized Load Balancers as listed in section 5.2.1.1 and Dynamic Load

Balancers as listed in section 5.2.3.1 in your bid. 3 The features and capabilities listed in the F5 Technologies and BIG-IP Systems sections run across our hardware and virtual edition offerings.

4 We have provided specific product information in sections 5.2 through 5.3 as directed by the WSCA-NASPO bid requirements.

http://www.gartner.com/technology/reprints.do?id=1-1CNJ55B&ct=121030&st=sb



By managing application services rather than the individual networking components and configurations, you can dramatically speed up deployment, lower OpEx, and streamline IT operations. You can provision application services in minutes rather than weeks, significantly improving time-to-market and creating a highly efficient and predictable process for successful application delivery. iApps provides a framework that application, security, network, systems, and operations personnel can use to unify, simplify, and control the entire Application Delivery Network (ADN). You gain a contextual view and advanced statistics about the application services supporting the business. iApps abstracts the many individual components required to deliver an application by grouping these resources together in templates associated with applications. This alleviates the need to manage discrete components on the network. iRules F5 iRules is a flexible, programmatic interface that makes it possible to extend and customize the functionality of the BIG-IP system. As an event-driven scripting language, iRules gives you the ability to architect application delivery solutions that improve the security, resiliency, and scale of applications in the data center. iRules provides unprecedented control to directly manipulate and manage any IP application traffic using an easy-to-learn scripting syntax. A robust and active community at F5 DevCentral provides a wealth of existing iRules that can be customized to fit your unique application requirements. With free registration on DevCentral, you have access to hundreds of proven iRules that can mitigate threats and extend the capabilities of your application delivery network. Open APIs (iControl) Not only is every network unique, but security threats and application requirements are constantly evolving, putting different demands on that network. A single-purpose solution that works today might not work tomorrow. That's why F5 uses an open API to give application developers and network professionals complete control over F5 devices, making them extremely scalable and adaptable. F5 provides a software development kit and a well-documented iControl API, so software developers can give their software the ability to control its own application traffic. Using the iControl API, application programmers have devised solutions that:

Bring new servers online and offline dynamically, as needed

Give priority to critical traffic during sudden traffic bursts

Filter out unwanted traffic

Distribute software updates to individual servers without impacting overall service

Manage total delivery of all applications from a single console Microsoft, Oracle, and other organizations have already partnered with F5 to use the iControl API to make their enterprise applications "network aware." TMOS TMOS is the universal product platform shared by F5 BIG-IP products. No single competing technology can solve such a wide variety of application delivery problems over networks. With its application control plane architecture, TMOS gives you intelligent control over the acceleration, security, and availability services your applications require. TMOS establishes a virtual, unified pool of highly scalable, resilient, and reusable services that can dynamically adapt to the changing conditions in data centers and virtual and cloud infrastructures. F5 products built on TMOS offer unusual flexibility through an open API. Applications can instruct TMOS-based devices to control traffic flow and maximize performance using the iControl API. You can gain extremely granular control over any traffic going through F5 devices using iRules. And iApps functionality enables you to deploy and manage network service for each of your specific applications with unprecedented speed and accuracy.



TMOS can also help you virtualize and scale up or scale out on demand as your business needs change. Using ScaleN functionality, you can add or move application delivery workloads as easily as you add or move virtual server workloads to create true deployment flexibility. Big-IP System F5® BIG-IP® Application Delivery Controller (ADC) platforms can manage even the heaviest traffic loads at both layer 4 and layer 7. By merging high-performance switching fabric, specialized hardware, and advanced software, F5 provides the flexibility to make in-depth application decisions without introducing bottlenecks. With the high performance you get from BIG-IP platforms, you can consolidate devices— saving management costs, electricity, space, and cooling—and still have room to grow. Key benefits

Consolidate your infrastructure with purpose-built hardware BIG-IP hardware platforms are designed specifically for application delivery performance and scalability. One device can be configured for server load balancing, global data center load balancing, DNS services, web application firewall, access management, web performance optimization, and WAN optimization.

Offload application servers BIG-IP platforms feature high-performance SSL and compression hardware, as well as advanced connection management, so that you can remove processing-intensive tasks from application servers, consolidate devices, and use these resources more efficiently.

Secure your network Instantly add layer 3–7 protection with ICSA Certified BIG-IP platforms that provide default deny security, a full packet filter engine that limits access in a granular way, and an industry- leading web application firewall.

Reduce your operating costs Spend less time on configuration, upgrades, and maintenance with the simple-to-manage BIG-IP hardware, featuring out-of-band management, front-panel management, warm upgrades, remote boot, and USB support. Lower power and cooling costs in your data center with 80 Plus Gold and Platinum certified high-efficiency power supplies.

Maximize uptime Ensure your critical infrastructure is built on reliable hardware with hot-swappable components, redundant power supplies, redundant fans, compact flash, multi-boot support, and always-on management. Appliances can be deployed in traditional active/standby configuration or horizontal clusters (active/active) to achieve high availability and application-level failover.

BIG-IP Systems

BIG-IP Local Traffic Manager (LTM) – An Application Delivery Networking system that provides intelligent traffic management as well as advanced application security, acceleration, and optimization.

BIG-IP Global Traffic Manager (GTM) – Intelligently directs users to the best-performing data center to ensure high application performance. Scales DNS infrastructure, mitigates DDoS attacks, and delivers a complete, real-time DNSSEC solution.

BIG-IP Access Policy Manager (APM) – Provides flexible, high-performance global access with unified security to business-critical applications and networks.

BIG-IP Advanced Firewall Manager (AFM) – An integrated, full-proxy network firewall with superior scale and performance.



BIG-IP Application Acceleration Manager (AAM) – A strategic combination of data center, transport, and application optimizations that overcomes WAN latency, maximizes server capacity, and speeds application response times.

BIG-IP Application Security Manager (ASM) – A flexible web application firewall that delivers application security in traditional, virtual, and private cloud environments.

Enterprise Manager – Reduces the cost and complexity of managing multiple BIG-IP products by giving you a single-pane view and tools to automate common tasks and optimize performance.

BIG-IP Policy Enforcement Manager (PEM) – Uses subscriber and context awareness to deliver advanced Layer 7 traffic steering, network intelligence, and dynamic control of network resources.

ScaleN Application Delivery Platforms ScaleN is an F5 technology that enables application, operational, and on-demand scaling capabilities to provide more efficient, elastic, and multi-tenant solutions for data centers, clouds, and hybrid deployments. ScaleN breaks away from traditional infrastructure limitations and offers multiple scalability and consolidation models to help organizations meet their specific business needs. Modern data center models are based on flexible and scalable on-demand services to adapt to shifting business requirements and performance and application needs. This on-demand approach eliminates costly over-provisioning methods used in the past to ensure enough capacity was on hand to meet sudden spikes in demand. It also improves resource utilization to deliver a better return on investment. Overview of F5’s Virtual Edition and Appliance based hardware platforms:



Overview of F5’s Chassis based hardware platforms:

Support Programs

5

F5 customer support provides consistently superior service to help you manage your ever-changing IT environment. As a measure of F5’s high-quality, professional service, its worldwide customer support organization has achieved ISO 9001:2008 certification. We have one of the best support programs in the industry. It is important to us that our customers have the support they need in order to realize the value they expect from F5 products. F5’s worldwide customer support organization has implemented an ISO 9001:2008–compliant Quality Management System that ensures that F5 adheres to documented processes and procedures and continues to improve its delivery of customer support. With ISO compliance, you can be confident you’ll receive consistently excellent service. F5 Network Support Centers are strategically located for partners and customers in APAC, Japan, EMEA, and North America. Regionally located support centers enable F5 to provide support in a number of languages through native speaking support engineers who are available when you are, during your business day. Globally dispersing Network Support Centers allows for cases to truly “follow the sun,” which means Network Support Engineers are available to provide help when you need it. 4.2 Warranty Specify the Offeror’s standard warranty offerings for the products and services proposed in the response to this RFP. F5 Response: Provided below is F5’s standard warranty language. Product Warranty – LIMITED WARRANTY

5 We have provided more comprehensive information about our support programs in section 5.3.1 of our response.



Software. F5 warrants that for a period of ninety (90) days from the date of shipment: (i) the media on which the software is furnished will be free of defects in materials and workmanship under normal use; and (ii) the software substantially conforms to its published specifications. Except for the foregoing, the software is provided AS IS. In no event does F5 warrant that the Software is error free, that the Product will operate with any software or hardware other than that provided by F5 or specified in the documentation, or that the Product will satisfy Customer's own specific requirements. Hardware. F5 warrants that the hardware component of any Product will, for a period of one (1) year from the date of shipment by F5, be free from defects in material and workmanship under normal use. Remedy. Customer's exclusive remedy and the entire liability of F5 under this limited warranty and any other guarantee made by F5 is, at F5's option, to repair or replace any Product or component that fails during the warranty period at no cost to Customer. Products returned to F5 must be pre-authorized by F5 with a Return Material Authorization (RMA) number marked on the outside of the package, and sent prepaid, insured and packaged appropriately for safe shipment. The decision to issue an RMA shall be at F5's sole discretion, subject to the warranty terms hereof. Only packages with RMA numbers written on the outside of the shipping carton and/or the packing slips and shipping paperwork will be accepted by F5's receiving department. All other packages will be rejected. The repaired or replaced item will be shipped to Customer, at F5's expense, no later than 7 days after receipt by F5. For customers with Advance Exchange RMA approval (as detailed in Customer's support contract, where applicable), a replacement Product or component will be shipped to Customer on the first business day following confirmation of the failure of the original Product or component per the terms of Customer's support contract. F5 may invoice the Customer for any failed Products or components (a) with respect to which the damage to such Products or components is attributable to actions taken by Customer or any of its agents (including but not limited to the categories set forth in the "Restrictions" paragraph immediately below); or (b) not returned within ten (10) days of shipment of the replacement unit(s). Title to any returned Products or components will transfer to F5 upon receipt. F5 will replace defective media or documentation or, at its option, undertake reasonable efforts to modify the software to correct any substantial non-conformance with the specifications. Restrictions. The foregoing limited warranties extend only to the original Customer, and do not apply if a Product (a) has been altered, except by F5 or an F5-designated representative or in accordance with F5 instructions, (b) has not been installed, operated, repaired, or maintained in accordance with F5's instructions, (c) has been subjected to abnormal physical or electrical stress, misuse, negligence or accident or (d) has been operated outside of the environmental specifications for the Product. Software corrections or upgrades do not extend the Software warranty. The Product is not for resale. Customer may not copy or reproduce the Software, and may not copy or translate the written materials without F5's prior, written consent. Customer may not copy, modify, reverse compile or reverse engineer the Software, or sell, sub-license, rent or transfer any Products or any associated documentation to any third party. F5 reserves the right to limit or terminate support (including error correction services) of any Product version one (1) year after the date of release of a subsequent Product version (not counting bug fixes). The foregoing restriction shall apply even if Customer elects to install a Product version other than the then-currently shipping version of the Product. DISCLAIMER; LIMITATION OF REMEDY. EXCEPT FOR THE WARRANTIES SPECIFICALLY DESCRIBED HEREIN, F5 AND ITS THIRD PARTY LICENSORS DISCLAIM ANY AND ALL WARRANTIES AND GUARANTEES, EXPRESS, IMPLIED OR OTHERWISE, ARISING, WITH RESPECT TO THE PRODUCT, SPECIFICATIONS, SUPPORT OR SERVICES DELIVERED HEREUNDER, INCLUDING BUT NOT LIMITED TO THE WARRANTY OF MERCHANTABILITY AND THE WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE. NEITHER F5 NOR ITS THIRD PARTY LICENSORS HAVE AUTHORIZED ANYONE TO MAKE ANY REPRESENTATIONS OR WARRANTIES OTHER THAN AS PROVIDED ABOVE. THE COLLECTIVE LIABILITY OF F5 AND ITS THIRD PARTY LICENSORS UNDER THIS LICENSE WILL BE LIMITED TO THE AMOUNT PAID FOR THE PRODUCT. NEITHER F5 NOR ITS THIRD PARTY LICENSORS WILL HAVE ANY OBLIGATION OR LIABILITY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED NEGLIGENCE, STRICT LIABILITY OR PRODUCT LIABILITY) OR OTHERWISE FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL OR INDIRECT DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF USE, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF REVENUE, LOSS OF BUSINESS OR OTHER FINANCIAL LOSS ARISING OUT OF OR IN CONNECTION WITH THE SOFTWARE OR OTHER GOODS OR SERVICES FURNISHED TO LICENSEE BY F5, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

4.3 Website



Award contractors are required to establish and maintain a website applicable to the WSCA-NASPO contract which will allow Participating States to see applicable contract price list, discounts on said price list, approved resellers or partners for their state and any additional information that may be required to assist the participating states in obtaining information concerning the contract award. The State of Utah representing WSCA-NASPO reserves the right to require the award contractor to add additional items to assist in this process. Specify Websites used by the Offeror to facilitate customer ordering under awarded contracts. This is a mandatory requirement. F5 Response: F5 agrees to provide a webpage that can be accessed from www.f5.com for participating entities to access information about F5’s products and services available through WSCA-NASPO. The final content and information hosted on this webpage is to be determined by F5 and WSCA-NASPO after contract award. We are already providing similar capabilities for other public sector contracts. We have provided a graphic showing the website used to support our State of New York contract. 4.4 Customer Service Specify the Offeror’s standard customer service policies and detail the escalation process used to handle customer-generated issues. F5 Response: F5 has procedures in place for escalations that our account team, on the business side, and technical teams, on the support side use for escalations. Should the need arise for escalations on the WSCA-NASPO contract or for escalations by participating members, the following technical and business escalation contacts can be utilized: Business Escalations:

Contact Name Phone Number Email address

WSCA-NASPO Contract Administrator

Andrea Jagla 206-272-6226 [email protected] [email protected]

District Sales Manager Tony Kevin 206-272-7145 [email protected]

VP, Americas Channel Sales Keith McManigal 206-272-7536 [email protected]

SVP, Americas Sales Chris Deardurff 630-203-2784 [email protected]

Technical Escalations: Our Escalations process is composed of two parts: automatic notifications to management and executive leaders of case age and status for Sev1 and Sev2

6 issues, and the customer’s available options for escalating issues which they feel

may not be progressing sufficient to their needs. In the first instance, we have the following operational management notifications:

Owner Severity 1 – Site Down Severity 2 Site at Risk

Managers, Network Support Centers Immediate Immediate

Directors, Service Delivery Immediate 12 hours

Senior Vice President, Customer Services

4 hours 24 hours

Executive Vice President, Operations 24 Hours

In the second instance, we have the following escalation process chain we propose for WSCA-NASPO members to use.

6 An explanation of our severity levels is provided in section 5.3.1.1 of our response.

http://www.f5.com/

mailto:[email protected]







Name Title Phone Number Email address

Duty Manager Duty Manager 888-882-7535

Andrew Pemble Director, Engineering Services

206-418-9571 [email protected]

Ron Runyon Director, Service Delivery, Americas


Mark Kramer SVP, Customer Support


Case escalation is a technical process, which is based upon the technical need for deeper resources within Engineering Services and/or Product Development. Cases are escalated when sufficient information to ascertain that the reported issue exists and the assigned engineer, having had sufficient time to review the information, is not able to associate a documented solution or provide specific instructions to resolve or mitigate the reported issue. Cases are escalated for technical resource assistance, not ownership. Ownership for communicating updates with the customer is retained by the original owner. This is a scalable process, which allows for issues to be appropriately resolved within the most efficient manner, while providing an exceptions process (contacting the Support Duty Manager) for attending to special situations. 4.5 Firm

a. Provide a brief history of your firm including the following: 1. Number of years providing Data Communications Services being offered in response to this RFP.

F5 Response: F5 Networks began in 1996 as F5 Labs, when a young computer scientist and a venture capitalist bet on the chance that the Internet was going to change life as we knew it. Still in its infancy and known then as the World Wide Web, the Internet, they believed, would catch fire quickly, and when it did, web servers would rapidly become overwhelmed, causing traffic to slow to a crawl. Based on that assumption, they developed the company’s first product, the F5 BIG-IP controller, a load balancer that distributed Internet traffic across multiple servers. BIG-IP kept websites up and running when servers failed or were overloaded, accelerated traffic, and provided some basic security features. The entrepreneurs’ gamble paid off; the introduction of BIG-IP in 1997 proved to be timely. In the late1990s, Internet popularity soared, and Internet start-up companies, known as dot.coms, became F5’s quintessential customers. As Internet traffic grew at unimaginable rates, so did F5’s business. Offering just two core BIG-IP products in 1998, F5’s revenue climbed to $4.8 million—more than 20 times that of the previous year. By 2000, about 80 percent of F5’s customers were Internet start-up companies, but the dot.com bubble of the 1990s was about to burst. With vastly overinflated value, many of these once burgeoning businesses failed between 1999 and 2001. During this period, much of F5’s customer base began to dissolve. Fortunately, the company had begun making headway with enterprise customers, whose product needs were very different from those of dot.com companies. Wanting to capture this market, F5 began expanding its product functionality, and the seed was planted for what would eventually become TMOS, F5’s unique traffic management operating system. In the short term, however, the company needed help shifting gears quickly to ensure its own survival. In 2004, having rewritten its core BIG-IP system from the ground up, F5 introduced its game changing technology: TMOS. This “full-proxy” traffic management operating system would eventually become the unified architectural platform for all BIG-IP products. TMOS gave BIG-IP devices—which sat between clients and servers in the data center—the intelligence to inspect and modify packets traveling through them. It also gave BIG-IP the ability to optimize individual connections—client to BIG-IP and BIG-IP to server—across which packets traveled. Together, these unique characteristics put BIG-IP in a perfect position to provide vital services well beyond simple network load balancing. Through world-class product engineering, sincere consideration of customers’ requirements, and key acquisitions, F5 successfully expanded BIG-IP into a family of products that integrates multiple functions—firewall capabilities (edge, network, and application layer); secure remote access services; WAN optimization; and Web acceleration technologies—on a single, unified platform. Until F5, the ability to deliver all these capabilities on one platform or device was unprecedented in the networking market. Organizations that wanted these functions had to purchase separate, non-integrated solutions from multiple vendors.






Industry Recognition Distinguishes F5 as a Leader Just seven years after becoming a publicly traded company, F5 had made a name for itself as a pioneer of Application Delivery Networking (ADN)—a computing approach and set of technologies that ensure network-based applications are always secure, fast, and available. By mid-2005, as measured by industry analyst firm Gartner, F5 had captured the highest share of the overall application delivery controller (ADC) market, eclipsing industry giant Cisco Systems. This leadership position—which F5 has retained since 2005—helped the company weather the economic downturn of 2008 that crushed many of its competitors. F5 Plays a Key Role in Business and Culture Today, with offices in 35 countries, F5 remains on an aggressive growth path as it continues to develop innovative technologies. Growth markets for the company include security, carrier service providers, as well as various vertical industries such as financial services, healthcare, and government. Across industries, F5 maintains its solid reputation for developing innovative, high-quality products and for consistently achieving outstanding customer service ratings. As F5 strives to keep pace with the most rapid growth in its fifteen-year history, it is committed to preserving its unique corporate culture. CEO, John McAdam attributes the company’s continued success to F5’s highly skilled employees, who are passionate about technology and committed to excellence. In turn, the company rewards employees by promoting a strong work/life balance and providing exceptional benefits. Since 2005, F5 has earned more than 20 awards for being one of the best companies to work for.

2. Number of separate services provided in each of the area categories described in this RFP. F5 Response: Here are the sections we are providing solutions for: 5.2.1.1 Virtualized Load Balancers 5.2.1.2 WAN Optimization 5.2.2.1.1 Network Management and Automation 5.2.2.1.2 Data Center Management and Automation 5.2.2.1.3 Cloud Portal and Automation 5.2.3.1 Dynamic Load Balancing 5.2.3.2 WAN Acceleration 5.2.3.3 High Availability and Redundancy 5.2.6.1 Data Center and Virtualization Security Products and Appliances 5.2.6.2 Intrusion Detection/Protection and Firewall Appliances 5.2.6.3 Logging Appliances and Analysis Tools 5.2.6.4 Secure Edge and Branch Integrated Security Products 5.2.6.5 Secure Mobility Products 5.2.6.6 Encryption Appliances 5.2.6.7 On-premise and Cloud-based services for Web and/or Email Security 5.2.6.8 Secure Access We have provided a review of our service offerings in section 5.3.1. We have also provided detailed offering descriptions in Appendix 7.

b. Describe specifically what makes your firm a stable long-term partner for WSCA-NASPO. F5 Response: F5 has worked hard to build the best technology and support offerings in our industry. Our company is strong and built to last. We run a lean company so we can continue to invest into technologies, field teams and support teams to provide our customers with world-class solutions. This focus and commitment has shown through in our financial performance over the last several years. Not only have we grown our revenue but we have also increased our research and development investments so we can continue to provide our customers and partners with cutting edge products, services and business models to enable the Internet and cloud revolutions. Another key element indicating our financial stability is that we have no long-term debt. We have funded all of our accomplishments through sound management and organic investment.



We have provided our financials7 for your review and we feel we have the strongest financial position of any company in

our market. The table below shows our financial performance over the last 5 years:

F5 also has a long history of selling to public sector organizations. Here are some key points about F5’s public sector support:

Current holds (2) GSA contracts – managed by Dell and Carahsoft

Have provided F5 solutions to 48 of the 50 US states over the last 3 years

We have dedicated Account Managers, Inside Sales and Authorized Partners8 focused on public sector accounts

Our solutions help with the new FBI Advanced Authentication and FIPS Mandates for CJIS

c. Describe specifically what information the Data Communications Provider contract administrator would provide at annual meetings with an entity that has executed a participating addendum.

F5 Response: We are prepared to meet with the appropriate members of the WSCA-NASPO team on a quarterly basis. We would host a quarterly review (either in-person or as a web-based meeting) to review activity on the contract from all participating entities for the previous quarter. We would ask that this meeting be 30 days following the date that we submit our quarterly reports to give us an opportunity to organize our information. In this meeting we would review the following topics:

Sales volume & quarterly reporting

Specific customer issues and resolution

Marketing efforts

Process improvement plans

Partner performance

Reporting

d. Describe how you plan to implement the contract including having a single point of contact to perform and manage all aspects of this contract.

Upon notice that F5 has been awarded a WSCA-NASPO contract, F5’s WSCA-NASPO Contract Administrator will engage with WSCA-NASPO to learn the best practices of other vendors who are on the current Data Communications Contract. In our experience, learning what works for the customer allows F5 to build the best implementation plan for success and have the most successful business relationship through the duration of the contract. Below is a list of tasks we will accomplish during the implementation period. This list is not comprehensive but does include our planned high-level activities.

7 We have also provided links to our 10Ks for 2011 and 2012 as directed in section 5.1.4.

8 Both reseller partners and distribution partners



Have the F5 contract administrator start to build relationship with the correct WSCA-NASPO team for this contract

Set-up SciQuest and test the SciQuest process with the F5 Hosted Catalog

Implement a process within F5 to upload a revised price list each quarter in compliance with WSCA-NASPO specifications

Finalize the State of Utah and WSCA-NASPO contracts

Set-up a WSCA-NASPO specific webpage on F5.com

Build the reporting spreadsheet per WSCA-NASPO’s specifications

Build a reporting cadence process including escalation plans

Confirm the authorized subcontractor, partner, list by state

Build an education package for partners that includes: o WSCA-NASPO Contract Overview o Requirements and expectations o Reporting requirements and timing o Pricing o Escalation process o Improvement plan o Causes for termination o Build the process to have annual WSCA-NASPO partner meeting with F5 to make sure we are aligned

and do the right things per the contract o Meet with each partner to review their internal processes to conduct WSCA-NASPO business and

review their reporting process

Set-up the reporting process at F5 and certify through testing

Set-up the WSCA-NASPO fee payment process and test

Conduct a reporting and WSCA-NASPO fee trial run

With WSCA-NASPO, design the quarterly/annual review template and process

Establish a cadence and process for normal and priority communications with between WSCA-NASPO and F5

e. Describe in detail your firm’s escalation management plan including contact information. F5 Response: Should there be a need to escalate issues to F5 management, we will make all possible efforts to rectify the situation through the F5 contract administrator. If these efforts fail, escalation contacts are available in section 4.4. F5 has created an email alias, [email protected], for WSCA-NASPO to use that will be monitored by multiple team members within F5 so that issues can be raised and addressed even if the contract administrator is not available. 4.6 Authorized Sub Contractor Relationships Respondents may propose the use of Servicing Subcontractors or partners however, the Contractor shall remain solely responsible for the performance under the terms and conditions of the Contract if Servicing Subcontractors are utilized. This includes sales report information. The Contractor will be responsible to collect, and report this information from all partners or resellers representing your contract.

a. Briefly describe what your firm requires from potential contractors to become an “Authorized Data Communications Reseller”. Provide an Authorized Contractor List.

F5 Response: F5 goes to market primarily through our channel partners in the United States. F5 has a well regarding Partner Program called UNITY that governs the methodology partners use to be F5 channel partners. UNITY has both quantitative and qualitative requirements, as we want our channel partners to provide more value to our customers than just taking orders. In order to be considered as an “Authorized Data Communications Reseller” on the WSCA-NASPO contract for F5, partners will need to meet the below criteria:

Accept and comply with the reporting requirements per the WSCA-NASPO contract awarded to F5




Accept and comply with the terms and conditions of the WSCA-NASPO contract awarded to F5

Be a Gold or Platinum level partner or if no Gold or Platinum level are resident in a state, then Silver and Authorized partners may be added at F5’s discretion

F5 will take input from WSCA-NASPO members on additional partners that might be added as long as these partners meet the requirements of F5’s UNITY channel program and the WSCA-NASPO specific requirements listed above.

b. Describe in detail how your firm currently measures an authorized contractors’ performance.

F5 Response: F5 measures our authorized contractors’ performance in 4 key areas:

1. Sales Volume

2. Sales and Technical accreditations

3. Technical Certifications

4. Participation and attendance to our annual Partner conference

Every year, F5 reviews our partners’ performance to make sure they are meeting the above criteria and we are not getting complaints from our customers about their performance. If there are complaints, F5 meets with the partner and together we plan a course of action to correct the issues or end our business association. For WSCA-NASPO authorized subcontractors, we will add a customer satisfaction scorecard based on input from WSCA-NASPO. F5 is open to modifying the way we measure authorized contractors performance on the WSCA-NASPO contract based on suggestions from WSCA-NASPO.

c. Describe in detail the process for revoking a designation as a sub contractor from an authorized contractor for

issues related to customer service, or other authorized contractor performance related issues.

F5 Response: F5 will consider feedback from WSCA-NASPO and your members about our performance and our authorized contractor’s performance throughout the course of the contract period. F5 views being an authorized contractor on the F5 WSCA-NASPO contract a privilege and not a right thus our authorized contractors need to meet the expectations of both WSCA-NASPO and F5. If there are issues F5 will take the following actions:

1. Meet with the WSCA-NASPO entity who has the issue and get the facts

2. Potentially have a 3-way meeting with the WSCA-NASPO entity, F5, and the authorized contractor

3. Build a corrective action plan for the authorized contractor with input from the contractor as needed.

4. Monitor the performance of the authorized contractor for a period a time which is dependent on the performance issue

9.

5. Meet with the WSCA-NASPO entity to review the progress and determine if the authorized contractor

has made sufficient progress to be released from the corrective action plan or the plan needs to continue.

9 There might be certain performance issues that require the authorized contractor be immediately removed from the contract



6. If there is no improvement or if there are further performance issues, the contractor will be removed as one of F5’s authorized contractors.

F5 is open to modifying the way we measure authorized contractors performance on the WSCA-NASPO contract based on input from WSCA-NASPO.

d. Describe in detail how your firm will support and assist an authorized contractor in improving their performance

and the corrective action process.

F5 Response: Every quarter, F5 reviews the performance of our partners on an internal dashboard that tracks not only how partners are doing against the 4 areas outlined in section 4b, above, but also on feedback from customers and F5 functional teams. F5 has a quarterly review process where we meet with our Silver, Gold, and Platinum partners to review the performance of the prior quarter, set objectives for the current quarter, and take corrective actions as required. If corrective action is required, F5 sales management gets involved with the principals at the Authorized Partners, documents the issues and reviews the progress on the corrective action plan until met or if the actions continue, removing the authorized contractor from the WSCA-NASPO contract and from the F5 channel program.

e. Describe in detail the process that your firm uses to track and respond to issues and concerns from both your

authorized contractors and from participating entities.

F5 Response: As explained above, F5 uses the quarterly review process to track and respond to issues and concerns regarding our authorized contractors. F5 will address issues immediately as they are brought to our attention from participating entities. If there are issues from participating agencies, F5 will address the issues those issues immediately and then work with WSCA-NASPO to ensure the issue is resolved and that any systemic reasons for the issue are corrected.

f. Describe in detail how your firm will track, report and verify sales from your designated Data Communication

partners and authorized contractors.

F5 Response: F5 uses the below process to process orders in the United States for over 90% of our customers and for 100% of all State, Local, and educational business. To facilitate reporting:

1. F5 will have the Authorized contractor not only place the order on distribution but our distributors will set

up unique accounts that are only for WSCA-NASPO business with each partner. Each distributor will capture the required data for reporting very time an order is places.



2. When the distributor places their order with F5, we will also set up WSCA-NASPO specific accounts, much like we do with other customers today, that will allow F5 to track these orders. The trigger point to make sure this happens is that these are the only accounts at F5 that are always FOB Destination per WSCA-NASPO’s requirements.

3. Every month the authorized contractors are required to send their sales data to both F5 and the

distributor by the 10th day of the following month. If the distributor and/or F5 does not receive by the

13th will communicate this discrepancy to the authorized contractor. Because we already have this

information from the order process, this is to make sure we did not miss any orders that might have gone through another process.

4. By the 15

th day after quarter end, each distributor is required to report the quarterly sales totals to F5. If

the distributor and/or F5 does not receive by the 18th will communicate this discrepancy to the

authorized contractor.

5. F5 will compile the results, compare with our distribution numbers that we have from unique WSCA-NASPO accounts and send the required report to WSCA-NASPO by the 30

th of the month following

quarter end.

6. F5 will verify that WSCA-NASPO has received the report.

7. F5 will cut a check to WSCA-NASPO for the fee the following month If an authorized partner fails to submit their report on time, 2 times in a calendar year, a corrective action process will be put in place. Because the required information will be captured during the ordering process, F5 will have quality information to report even if the reports from authorized partners are late. F5 is open to modifying the way we measure report and verify sales on the WSCA-NASPO contract based on input from WSCA-NASPO as we are open it learning new practices that accommodate WSCA-NASPO requirements.

Section 5: Service Offering Qualifications 5.1 General Information This section contains mandatory minimum requirements that must be met in order for your proposal to be considered for the evaluation phase of this RFP. All of the items described in this section are non-negotiable. Respondents are required to complete: Mandatory Requirements (M) All Respondents must meet the (M) requirements listed in this section, and explain how the requirement is met. A ‘no’ response on the acceptance document or omission of the required explanation will disqualify the service from further evaluation. 5.1.1 General Business Requirements Each provider must meet the following mandatory general business requirements: 5.1.2 Terms and Conditions (M) Respondents must indicate their acceptance of the State of Utah Standard Terms and Conditions in addition to the WSCA-NASPO Terms and Conditions attached to this RFP as Attachment A and Attachment B. Any exceptions to these terms and conditions must be clearly identified in bid response and during the question and answer period on BidSync. Significant exceptions may constitute grounds for rejecting Respondent proposals. F5 Response: We have provided amended versions of the State of Utah Standard Terms and Conditions and the WSCA-NASPO Terms and Conditions. We used the “Comment” feature in Microsoft Word to insert our acceptance and/or proposed alternative language. We have also provided a separate document representing our Additional Vendor Terms



and Conditions. As directed, our additional Terms and Conditions are provided in Arial 10 pt. font and are less than 10 pages in length. All three of these documents are provided in the Appendices section of our response. 5.1.3 Experience (M) Respondents must be able to provide reference service contracts from a minimum of five government or commercial customers for their Data Communications Product and Services offerings. Government references are preferred. References must include environments and complexity that is similar in scope to those described within this RFP. Any proposals from Respondents that cannot meet these requirements will not be considered. The Respondent must provide specific contact information describing their reference service contracts, which may be verified. F5 Response: We have followed the instructions in the bid and asked current, public sector F5 customers to fill out the form provided in Attachment B – Reference Form. The following public sector organizations have confirmed that they have completed the forms and sent them to; Tara Eutsler with the State of Utah.

Agency Agency/Department Name Email Phone Number

State of Missouri Dept. of Transportation Todd Walters [email protected] 573-526-3164

State of California Dep. Of Water Resources Steve Croft [email protected] 916-248-8150

State Oregon Secretary of State Jeff Bustos [email protected] 503-986-2247

State of Washington CTS Phil Davis [email protected] 360-902-3227

State of Ohio Infrastructure Group Kevin Pruett [email protected] 614-466-8827

State of Wisconsin Enterprise Technology Dennis Ward [email protected] 608-224-4061

State of Michigan Network Group Kirk Parrish [email protected] 517-241-8181

5.1.4 Financial Stability (M) The Data Communications Product and Services vendor must provide audited financial statements to the State and should meet a minimum Dun and Bradstreet (D&B) credit rating of 4A2 or better, or a recognized equivalent rating. Please provide the Respondent’s D&B Number and the composite credit rating. The State reserves the right to verify this information. If a branch or wholly owned subsidiary is bidding on this RFP, please provide the D&B Number and score for the parent company that will be financially responsible for performance of the agreement. Prime contractors working on behalf of Respondents must submit financial statements that demonstrate financial stability, and adequate working capital, but do not need to meet 4A2 credit rating requirements. F5 Response: As stated in section 4.5.b, F5 has a strong financial position to support WSCA-NASPO and it’s participating entities. As requested in this section, our D&B number is 95-844-8920 and our composite rating is 5A1. We have provided links to our 10k filings for 2011 and 2012 on our Investor Relations website. This should satisfy the requirement to provide audited financials.

10

http://www.f5.com/about/investor-relations/financial-reports/ 2012 10K http://www.sec.gov/Archives/edgar/data/1048695/000119312512478451/d429871d10k.htm 2011 10k http://www.sec.gov/Archives/edgar/data/1048695/000119312511318885/d223035d10k.htm 2013 Q3 Earnings Report http://www.f5.com/about/news/press/2013/2013q3/

10

It was indicated in the Q&A section of BidSync that links to our Investor Relations website would satisfy this requirement.








http://www.f5.com/about/investor-relations/financial-reports/

http://www.sec.gov/Archives/edgar/data/1048695/000119312512478451/d429871d10k.htm




http://www.f5.com/about/news/press/2013/2013q3/



5.1.5 Other General Responsibilities (M) The Respondent must provide the personnel, equipment, tools, and expertise to meet the requirements in this RFP. (M) Computer applications and Web sites must be accessible to people with disabilities, and must comply with Participating entity accessibility policies and the Americans with Disability Act. (M) Applications and content delivered through Web browsers must be accessible using current released versions of multiple browser platforms (such as Internet Explorer, Firefox, Chrome, and Safari) at minimum. F5 Response: F5 meets all the requirements listed in 5.1.5. 5.2 Data Communications Services – Requirements Offerors may respond to any of the sections where they have substantive product offerings that address the scope detailed in each Section from 5.2.1-5.3.0. All Offerors must include a response to section 5.31 services, that addresses products proposed in 5.2.1-5.3.0. Products may be used by the states in branch offices, main government offices and data centers, and by overall government data communications providers offering carrier class services. Responses should consider this breadth of use and users. The scope and context of this solicitation does not include endpoints such as cell/smart phones, other mobile devices or devices designed exclusively for use by individual users. It is focused on the equipment and software infrastructure required to support provisioning of a variety of network services within a modern digital network. The user context will vary from branch offices through enterprise and statewide data communication network installations. Respondents should offer a range of solutions that are appropriate for installations of varying size and complexity. F5 Response: Introduction to F5 technologies and F5 advantages The features and capabilities listed in section 4.1 and throughout our response in sections 5.2 and 5.3 can run across all of our hardware and virtual edition offerings.

11 We have provided an overview of our hardware and virtual edition

offerings in Appendix 7. 5.2.1 DATA CENTER APPLICATION SERVICES ― Application networking solutions and technologies that enable the successful and secure delivery of applications within data centers to local, remote, and branch-office users using technology to accelerate, secure, and increase availability of both application traffic and computing resources.

F5 Response: F5 meets the requirements listed 5.2.1. F5 BIG-IP is an ICSA Labs certified ADC/Security platform that runs TMOS (Traffic Management OS) and provides organizations a modular and agile framework of intelligent services. TMOS is a purpose-built, real-time operating system completely designed around a full-proxy architecture. Software modules can be licensed to provide strategic points of control, put data into context and add intelligence to the network. The software modules can be added individually or layered on top of a single device to provide a layered approach to providing consolidated Application and Security services. Modules Include:

Local Traffic Manager (LTM) – BIG-IP Local Traffic Manager (LTM) increases operational efficiency and ensures peak network performance by providing a flexible, high-performance application delivery system (ADC/Load Balancing). With its application-centric perspective, BIG-IP LTM optimizes network infrastructure to deliver availability, security, and performance for critical business applications. Global Traffic Manager (GTM) – BIG-IP Global Traffic Manager (GTM) improves the performance and availability of applications by intelligently directing users to the closest or best-performing Data Center, whether physical, virtual, or cloud. Using high-performance DNS services, BIG-IP GTM scales and

11

Some services may not run on all hardware platforms based on certain technical and capacity requirements.



secures your DNS infrastructure from DDoS attacks, and it delivers a complete, real-time DNSSEC solution that protects against hijacking attacks. Advanced Firewall Manager (AFM) – BIG-IP Advanced Firewall Manager (AFM) is a high-performance, stateful, full-proxy network firewall designed to guard your data center against incoming threats that enter the network on the most widely deployed protocols—including HTTP/S, SMTP, DNS, and FTP. Additional features include layer 3 & 4 DoS/DDoS mitigation and threat defense, full-proxy and stateful packet inspection, layer 3 & 4 network firewall, graphical security rule builder and policy control, Robust logging and reporting, and IPSec site-to-site VPN. Application Security Manager (ASM) – BIG-IP Application Security Manager (ASM) protects the applications businesses rely on with an agile, ICSA Labs certified Web Application Firewall (WAF) and provides comprehensive, policy-based web application security. Offering threat assessment and mitigation, visibility, and a high degree of flexibility, BIG-IP ASM helps to secure applications. Access Policy Manager (APM) – BIG-IP Access Policy Manager (APM) is a flexible, high-performance access and security solution that provides unified global access to business-critical applications and networks. By consolidating remote access, web access management, VDI, and other resources in a single policy control point—and providing easy-to-manage access policies—BIG-IP APM helps to free up valuable IT resources and scale cost-effectively. Mobile Access Manager (MAM) – F5 Mobile App Manager (MAM) is a mobile application management and access solution that securely extends the enterprise to personal mobile devices. F5 MAM manages apps and secures data while satisfying the needs of both employees who rely on their mobile devices, and enterprise. For employees, F5 MAM safely separates personal data and usage from corporate oversight for a simpler, more flexible and productive experience. And for IT departments, F5 MAM minimizes the burden of ensuring that corporate data is secure on personal devices. Secure Web Gateway (SWG)

12 - BIG-IP Secure Web Gateway (SWG) provides a secure web gateway

solution, which integrates with the access policy engine to support simplified enforcement of outbound HTTP/HTTPS traffic. The solution ensures that clients are protected from malicious external sites hosting malware. It uses a URL filtering database with near-realtime updates. Response payloads are also inspected by a policy engine to block malware. Organizational data is protected by ensuring that client traffic is valid HTTP or HTTPS and does not contain sensitive data. BIG-IP SWG also integrates with external scanning engines via ICAP with simple GUI based configuration. BIG-IQ – The BIG-IQ system is a centralized management platform that streamlines the management of F5 BIG-IP devices in the network. The functionality offered is dependent on the software license. BIG-IQ Cloud provides cloud tenants self-service access to shared computing resources such as networks, servers, storage, applications, and services. Cloud resources can be private or public, depending on the requirements. Each tenant has restricted and dedicated access to cloud resources based on a specific user account or tenant role, ensuring that tenants have access only to their own resources. Cloud resources are easily expanded and reallocated as needed, providing flexible resource balancing. BIG-IQ Security helps to manage security firewalls for multiple devices from one central location. Firewall management includes discovering, editing, and deploying firewall configurations, as well as consolidating shared firewall objects. Once a firewall device is designated for central management, it is no longer managed locally unless there is an exceptional need. BIG-IQ Device allows for administration and deployment of BIG-IP devices. BIG-IQ Device supports the following for BIG-IP devices:

12 Product on Roadmap and scheduled for Initial Release in Version11.5 expected in Q1 2014 – Additional reference to SWG in section 5.2 are also denoted with ** to refer readers back here clarify the product release status.



o Automatic deployments via PXE and bare metal o Centralized licensing management o Automatic discovery of hardware and virtual instances o Aggregated reporting and monitoring o Backup and restoring of configuration sets

Enterprise Manager (EM) is not a licensed feature set of the BIG-IQ, but rather the precursor to the BIG-IQ product handling the base F5 BIG-IP devices running versions prior to 11.3. It reduces the cost and complexity of managing multiple BIG-IP devices and provides a single-pane view of the entire application delivery infrastructure and provides tools needed to automate common tasks and report on device performance and statistics.

Each of the above product sets is broken out in additional detail in the following sections to provide a more comprehensive description of the features and capabilities. F5 has also included product brochures, spec sheets, and literature available as part of the bid response package in Appendix 7. Visit www.F5.com to get the latest updates as product features, specs, and performance change with updated hardware and software releases.

5.2.1.1 Virtualized Load Balancers ― Virtual devices that act like a reverse proxy to distribute network and/or application traffic across multiple servers to improve the concurrent user capacity and overall reliability of applications. Capabilities should include:

SSL (Secure Sockets Layer) Off-loading

Caching capabilities

Layer 4 Load Balancing

Layer 7 Load Balancing

Detailed Reporting

Supports multiple load balancers in the same system for multiple groups

Supports TLS1.2

F5 Response: F5 meets the requirements listed 5.2.1.1.

Local Traffic Manager (LTM) is the ADC or Load Balancing product. As mentioned above, this is a feature module that can be enabled on dedicated, F5 designed purpose built hardware, or as Virtual machines with a variety of deployment options. Virtualization capabilities include a standalone Virtual Edition BIG-IP (BIG-IP-VE) that runs on any of the Enterprise grade hypervisors and/or Amazon Web Services (AWS). F5 also offers a multi-tenancy solution called VCMP (Virtual Cluster Multi Processing) that allows for multiple virtual BIG-IP guests to be provisioned on a single hardware appliance or chassis.

13

Capabilities Include:

SSL (Secure Sockets Layer) Off-loading – BIG-IP full-proxy architecture allows LTM to fully terminate and validate SSL client connections. This allows for inspection and manipulation of encrypted traffic as it transits from the client side to the server side connection.

Caching capabilities – LTM has configurable caching capabilities that can be defined via individual profile and applied on per Virtual Server basis. Caching decisions can also be based on different parameters in the traffic flow. F5’s implementation of caching is a patented RAM based method and not a typical Hard Disk I/O intensive cache. LTM cache capabilities include:

o High demand objects - This feature is useful if a site has periods of high demand for specific content.

o Static content - This feature is also useful if a site consists of a large quantity of static content such as CSS, javascript, or images and logos.

o Additional dynamic caching capabilities can be provided by our Application Acceleration

13

Not all appliances support VCMP.

http://www.f5.com/



add-on Module.

Layer 4 Load Balancing – LTM fully supports basic L4 load balancing. F5 provides 19 static and dynamic methods of load balancing traffic to backend server pools.

Layer 7 Load Balancing – LTM has a highly configurable interface for performing agile L7 load balancing. Application intelligence and server performance can be taken into account when making a load balancing decision with one of our 19 methods. Our patented Cookie Persistence can also be used with HTTP/S services to ensure users are always returned to the same server for the duration of the session.

GTM also works at the Application Layer by providing layer 7 intelligent DNS resolution ensuring users always get to the right Data Center/resource based on a number of configurable parameters including Geo-location and/or Data Center/Service availability. There are 18 GSLB load-balancing methods to choose from to meet the most diverse business requirements

Detailed Reporting – All modules have standard error and systems logging functions. We also implement the following:

o High Speed Logging (HSL) – A multi destination engine to log detailed information on the traffic flows in real time. Logs can be sent to a SIEM or Indexer for further analysis in the following formats: ArcSight, Remote High-Speed Log, Remote Syslog, and Splunk.

o AVR (Application and Visibility Reporting) – An embedded module that enables the system to collect detailed information and reports on many different parameters as they relate to the application. Where hosts are originating, server response time, client render time, page object load times and a myriad of other detailed reports depending on active modules and/or business objectives.

Supports multiple load balancers in the same system for multiple groups - F5 offers a multi-tenancy solution called vCMP (Virtual Cluster Multi Processing) that allows for multiple BIG-IP guests to be provisioned on a single hardware appliance or chassis. F5 does not allow for oversubscription of guests. Guests can be administrated individually based on organizational policy or team structure/function. Additionally, within each guest, administrative partitions can be configured to give finer grained access control to specific individuals or departments providing visibility and configurability into their application and objects exclusively.

Supports TLS1.2 – Yes, TLS1.2 is fully supported and recommended by F5. Additional Capabilities:

iRules – iRules are a programmatic interface to interact with data real time as it transits the full proxy engine. iRules can solve many application problems that do not have explicit configuration parameters for in the base GUI. DevCentral, a 120K + user community, contains 100’s of samples of simple and complex iRules to help make the creation of iRules as simple as cut and paste.

Compression – LTM can compress content and thus save valuable CPU cycles on the host server. Additionally it can detect what objects it should compress and to what clients through highly customizable iRules configuration. Compression is handled in Hardware on all F5 hardware platforms except the entry level 2000 platform.

ScaleN – F5 high availability architecture is not required to be deployed in a 1+1 configuration where traditionally one unit sits idle. It supports N+1 or many variations of that with device and traffic group flexibility allowing customers to get the most out of the purchased hardware. Available in HW or SW as well as across different platforms, ScaleN allows organizations to Scale in, Scale up and Scale out for maximum performance and agility. See section 5.2.3.3 for additional details.

Advanced Health Checks – LTM contains over 30 prebuilt application and protocol monitors including, HTTP/s, SMTP, Radius, SNMP, TCP and others. Custom monitors can be created per application and run in combination to provide supreme application availability intelligence.

Configurable Persistence – LTM contains many different persistence methods. From simple and industry wide source IP to the more commonly deployed and F5 patented Cookie Persistence. Our fully configurable Universal Inspection Engine (UIE) enables LTM to persist on almost anything in the payload via iRules. This provides unparalleled flexibility for custom or difficult non-standard applications and deployments.



DoS/DDoS and Security – LTM contains over a dozen configurable DoS/DDoS parameters and features including:

o Hardened and dedicated kernel has built in DoS mechanisms that mitigate SYN flood attacks.

o Traffic Handling - Our ability to normally handle tens of thousands valid connections per second make it difficult to affect performance with a flood attack.

o Adaptive connection reaping o IP rate classes o iRules

iApps – iApps provide a framework that users can utilize to unify, simplify, control and automate application deployments. They are often jointly developed with our partners including Oracle, Microsoft, VMWare and offer baked-in industry best-practice configurations.

AWS – BIGIP-VE, which runs any of our modules, can be deployed in Amazon Web Services (AWS) making it the perfect fit to bridge cloud and local Data Center resources.

5.2.1.2 WAN Optimization ― An appliance utilizing a collection of techniques for increasing data-transfer efficiencies across wide-area networks (WAN). Capabilities should include:

CIFS (Common Internet File System) acceleration

Data Compression

SSL encryption/decryption for acceleration (Optional)

Layer 4-7 visibility

Application Specific optimization

F5 Response: F5 meets the requirements listed 5.2.1.2. F5 Application Acceleration Manager (AAM) runs on the TMOS full proxy architecture and provides a robust Application Delivery Optimization Solution and quickly supports and optimizes legacy and emerging protocols/standards (SPDY, FTP, UDP,HLS). Solutions and features include acceleration and optimization of data across specific WAN links as well as features designed to interact in highly optimized ways with Web Browsers to optimize the experience of Web based applications. Capabilities Include:

CIFS (Common Internet File System) acceleration - F5’s CIFS acceleration provides intelligent read-ahead and write-behind plus other techniques to help mitigate the effect of WAN latency.

Data Compression – F5 uses Symmetric data deduplication - Redundant data is no longer transferred across the network through the use of pattern matching and byte caching technologies.

SSL encryption/decryption for acceleration - BIG-IP Application Acceleration Manager offloads computationally intensive SSL encryption and decryption, reducing server processor utilization by up to 50 percent. It consolidates private key creation and storage, SSL certificate management, and FIPS SSL support. Additionally the WAN traffic links between sites can be SSL encrypted and transmitted in a highly secured fashion on the specialized SSL hardware in the Hardware based systems.

Layer 4-7 Visibility – As a full proxy platform, AAM and LTM have visibility into all of the traffic passing through the proxy. Through the use of iRules, custom optimizations or rules can be written to affect the traffic at these various layers

Application Specific Optimizations o HTTP protocol optimizations - AAM maintains high user performance levels by optimally

tuning each HTTP and TCP session for each user’s connection conditions. o MAPI acceleration – AAM’s use of symmetric adaptive compression and symmetric data

deduplication dramatically improves performance and reduces bandwidth usage for customers using Microsoft Exchange, especially when sending email attachments.

o HLS delivery optimization - HTTP Live Streaming (HLS) is the protocol used by a number of devices to view both live and on-demand video. HLS breaks the video down into segments that can be cached for multiple users. HLS can be optimized by caching the individual segments or by controlling the bitrate that is made available to end users.



Additional Capabilities:

Transport Optimizations - BIG-IP Application Acceleration Manager improves the capacity of application servers and the efficiency of network protocols by offloading intensive processing tasks such as SSL encryption, optimizing application, and network protocols.

TCP optimization - BIG-IP Application Acceleration Manager uses adaptive TCP optimization, which combines session-level application awareness, persistent sessions, selective acknowledgements, error correction, and optimized TCP windows. This enables BIG-IP AAM to adapt, in real time, to the latency, packet loss, and congestion characteristics of WAN links.

SPDY Gateway - F5 provides a SPDY gateway in TMOS to convert SPDY requests to HTTP to backend web servers. This takes advantage of the optimizations without requiring disruptive and potentially costly upgrades to application infrastructure.

Symmetric adaptive compression - Symmetric adaptive compression ensures the fastest data reduction for any traffic between BIG-IP systems. Automatically selects and uses the appropriate deflate, bzip2, or LZO compression algorithms (or no compression if the data cannot be compressed) to maximize bandwidth usage and throughput.

Bandwidth Controller- Bandwidth Controller provides the ability to manage the amount of bandwidth a device, subscriber, or application receives. Traffic can either be enforced or marked, identifying and flagging packets that are exceeding bandwidth.

Forward error correction (FEC) - FEC can be enabled between two BIG-IP devices or from a BIG-IP device to an edge client, significantly improving application performance on high packet loss networks.

Parking Lot - The Parking Lot feature in BIG-IP Application Acceleration Manager queues multiple requests for the same new or expired cached object, and then sends only one request to origin web server. When the object is retrieved, BIG-IP AAM responds to all the requests.

Dynamic Content Control (DCC) is a group of capabilities in BIG-IP Application Acceleration Manager that control users’ browser behavior to improve end user experience, ensure the best use of bandwidth, and prevent repetitive or duplicate data from being downloaded. By reducing the amount of conditional requests and data transmitted between the browser and the web application, DCC reduces the effects of WAN latency and errors.

DCC includes these main features:

Intelligent Browser Referencing™—Reduces the number of requests and speeds page rendering times by managing object expiration dates and storing frequently requested objects in the browser cache.

Content reordering - Optimizes the order of when JavaScripts and Cascading Style Sheets (CSS) are loaded to speed up the appearance of page rendering.

Content Inlining—Reduces the number of requests by inlining JavaScripts, CSS, and images directly into HTML, eliminating the need to perform additional GET requests.

MultiConnect—A form of domain sharing that enables browsers to open more simultaneous connections between the browser and web application for increased parallel data transfers.

Image optimization—Reduces size of images by lowering the quality, stripping out unnecessary metadata, and converting the image format.

Dynamic caching - Caches data that may seem dynamic (contains query parameters, cookies, or session IDs) but is actually static data or changes in an identifiable pattern.

Dynamic compression - Compresses dynamic data from web applications and ensures that compression is used only when it will improve performance.

5.2.2 NETWORKING SOFTWARE ― Software that runs on a server and enables the server to manage data, users, groups, security, applications, and other networking functions. The network operating system is designed to allow shared file and printer access among multiple computers in a network, typically a local area network (LAN), a private network or to other networks. Networking software capabilities should include:

Restartable Process

High availability options

Targeted operating systems, i.e. DC, campus, core, wan, etc.

Operating System Efficiencies



F5 Response: F5 Networks does not offer a solution as listed in section 5.2.2. 5.2.2.1 Network Management and Automation ― Software products and solutions for data center automation,

cloud computing, and IT systems management.

F5 Response: F5 meets the requirements listed 5.2.2.1. The F5 BIG-IQ management platform is designed to help automate and manage the F5 BIG-IP devices for physical, virtual and hybrid deployments. It provides an intelligent management framework that simplifies the process of deploying and optimizing application delivery services. BIG-IQ provides organizations with intelligence in the management plane—offering intuitive, flexible, and scalable management of industry-leading BIG-IP solutions. BIG-IQ Cloud automates and orchestrates deployment of F5 application delivery services on BIG-IP products deployed across traditional data centers or public, private, and hybrid cloud infrastructures. BIG-IQ and BIG-IP employ management APIs which allow further integration with third party orchestration suites. The BIG-IQ Cloud management platform comprises multiple components:

iApps Lifecycle Management

Provider and tenant self-service web application portals

The BIG-IQ Cloud Connector plug-in for connecting to private cloud orchestrators, e.g., to VMware vCloud Director and VMware vCloud Networking and Security

The BIG-IQ Cloud Connector for connecting to public cloud providers, o e.g., Amazon Web Services (for cloud bursting)

Service health and performance monitoring

The BIG-IQ Cloud REST API

5.2.2.2 Data Center Management and Automation ― Software products and solutions that capture and automate manual tasks across servers, network, applications, and virtualized infrastructure.

F5 Response: F5 meets the requirements listed 5.2.2.2. The F5 BIG-IQ management platform is designed to help automate and manage the F5 BIG-IP devices

for physical, virtual and hybrid deployments. It provides an intelligent management framework that simplifies the process of deploying and optimizing application delivery services. BIG-IQ provides organizations with intelligence in the management plane—offering intuitive, flexible, and scalable management of industry-leading BIG-IP solutions. BIG-IQ Cloud automates and orchestrates deployment of F5 application delivery services on BIG-IP products deployed across traditional data centers or public, private, and hybrid cloud infrastructures. BIG-IQ and BIG-IP employ management APIs which allow further integration with third party orchestration suites. The BIG-IQ Cloud management platform comprises multiple components:


Provider and tenant self-service web application portals

The BIG-IQ Cloud Connector plug-in for connecting to private cloud orchestrators, e.g., to VMware vCloud Director and VMware vCloud Networking and Security

The BIG-IQ Cloud Connector for connecting to public cloud providers, o e.g., Amazon Web Services (for cloud bursting)


The BIG-IQ Cloud REST API



5.2.2.3 Cloud Portal and Automation ― Software products and solutions for cloud management with policy-based controls for provisioning virtual and physical resources.

F5 Response: F5 partially meets the requirements listed 5.2.2.3. The F5 BIG-IQ is a management platform designed to help automate and manage the F5 devices. It

provides an intelligent management framework that simplifies the process of deploying and optimizing application delivery services. BIG-IQ provides organizations with intelligence in the management plane—offering intuitive, flexible, and scalable management of industry-leading BIG-IP solutions. BIG-IQ Cloud automates and orchestrates deployment of application delivery services on BIG-IP products deployed across traditional data centers or public, private, and hybrid cloud infrastructures. Further clarification of requirements is needed before F5 can confirm full compliance with section 5.2.2.1.3.

5.2.2.4 Branch Office Management and Automation ― Software products and solutions for management of

branch offices. Capabilities include remote troubleshooting, device management, WAN performance monitoring.

F5 Response: F5 Networks does not offer a solution as listed in section 5.2.2.4.

5.2.3 NETWORK OPTIMIZATION AND ACCELERATION ― Devices and tools for increasing data-transfer efficiencies across wide-area networks. 5.2.3.1 Dynamic Load Balancing ― An appliance that performs a series of checks and calculations to

determine which server can best service each client request in order to select the server that can successfully fulfill the client request and do so in the shortest amount of time without overloading either the server or the server farm as a whole. F5 Response: F5 meets the requirements listed 5.2.3.1. F5 Traffic Local Traffic Manager (LTM) running on TMOS offers a variety of Dynamic load balancing algorithms. Additionally the F5 BIGIP appliances can use various methods to determine the health of a server before sending client request to the optimally performing server. The health monitors to determine the optimally performing server are extensive and customizable.

Capabilities Include:

Dynamic Load Balancing Algorithms

Least Connections mode - Distributes connections to the server that is currently managing the fewest open connections at the time the new connection request is received.

Fastest mode – Distributes connections based upon the number of outstanding Layer 7 requests to a pool member and the number of open L4 connections.

Observed mode - Observed mode dynamic load balancing algorithm calculates a dynamic ratio value, which is used to distribute connections among available pool members. The ratio is based on the number of L4 connections last observed for each pool member.

Predictive mode - Predictive mode uses the same metric as Observed mode (concurrent connections). It also takes into account the ongoing performance trend (increasing or decreasing over time) and thus Predictive mode adjusts the pool member ratios more aggressively.

Dynamic Ratio - Selects a server based on various aspects of real-time server performance analysis. These methods are similar to the Ratio methods, except that with Dynamic Ratio methods, the ratio weights are system-generated, and the values of the ratio weights are not



static. These methods are based on continuous monitoring of the servers, and the ratio weights are therefore continually changing.

Health monitors are a key feature of the BIG-IP LTM. Health monitors help to ensure that a server is in an up state and able to receive/process traffic.

The BIG-IP system contains many different pre-configured monitors that can be associated with pools, depending on the type of traffic users want to monitor. When one of the many preconfigured Health monitors does not quite meet the application requirements, Users can create their own custom monitors and associate them with pools allowing for the utmost flexibility.

5.2.3.2 WAN Acceleration ― Appliance that optimizes bandwidth to improve the end user's experience on

a wide area network (WAN). Capabilities should include:

CIFS acceleration

Data Compression

SSL encryption/decryption for acceleration (Optional)

Layer 4-7 visibility

Application Specific optimization

F5 Response: F5 meets the requirements listed 5.2.3.2. F5 Application Acceleration Manager (AAM) runs on the TMOS full proxy architecture and provides a robust Application Delivery Optimization Solution and quickly supports and optimizes legacy and emerging protocols/standards (SPDY, FTP, UDP and HLS). Solutions and features include acceleration and optimization of data across specific WAN links as well as features designed to interact in highly optimized ways with Web Browsers to optimize the experience of Web based applications. Capabilities Include:

CIFS acceleration - F5’s CIFS acceleration provides intelligent read-ahead and write-behind plus other techniques to help mitigate the effect of WAN latency.

Data Compression – F5 uses Symmetric data de-duplication - Redundant data is no longer transferred across the network through the use of pattern matching and byte caching technologies.

SSL encryption/decryption for acceleration - BIG-IP Application Acceleration Manager offloads computationally intensive SSL encryption and decryption, reducing server processor utilization by up to 50 percent. It consolidates private key creation and storage, SSL certificate management, and FIPS SSL support. Additionally the WAN traffic links between sites can be SSL encrypted and transmitted in a highly secured fashion on the specialized SSL hardware in the Hardware based systems.

Layer 4-7 Visibility – As a full proxy platform, AAM and LTM have visibility into all of the traffic passing through the proxy. Through the use of iRules, custom optimizations or rules can be written to affect the traffic at these various layers.

Application Specific Optimizations o HTTP protocol optimizations - AAM maintains high user performance levels by

optimally tuning each HTTP and TCP session for each user’s connection conditions. o MAPI acceleration – AAM’s use of symmetric adaptive compression and symmetric

data deduplication dramatically improves performance and reduces bandwidth usage for customers using Microsoft Exchange, especially when sending email attachments.

o HLS delivery optimization - HTTP Live Streaming (HLS) is the protocol used by a number of devices to view both live and on-demand video. HLS breaks the video down into segments that can be cached for multiple users. HLS can be optimized by caching the individual segments or by controlling the bitrate that is made available to end-users.




Transport Optimizations - BIG-IP Application Acceleration Manager improves the capacity of application servers and the efficiency of network protocols by offloading intensive processing tasks such as SSL encryption, optimizing application, and network protocols.

TCP optimization - BIG-IP Application Acceleration Manager uses adaptive TCP optimization, which combines session-level application awareness, persistent sessions, selective acknowledgements, error correction, and optimized TCP windows. This enables BIG-IP AAM to adapt, in real time, to the latency, packet loss, and congestion characteristics of WAN links.

SPDY Gateway - F5 provides a SPDY gateway in TMOS to convert SPDY requests to HTTP to backend web servers. This takes advantage of the optimizations without requiring disruptive and potentially costly upgrades to application infrastructure.

Symmetric adaptive compression - Symmetric adaptive compression ensures the fastest data reduction for any traffic between BIG-IP systems. Automatically selects and uses the appropriate deflate, bzip2, or LZO compression algorithms (or no compression if the data cannot be compressed) to maximize bandwidth usage and throughput.

Bandwidth Controller- Bandwidth Controller provides the ability to manage the amount of bandwidth a device, subscriber, or application receives. Traffic can either be enforced or marked, identifying and flagging packets that are exceeding bandwidth.

Forward error correction (FEC) - FEC can be enabled between two BIG-IP devices or from a BIG-IP device to an edge client, significantly improving application performance on high packet loss networks.

Parking Lot - The Parking Lot feature in BIG-IP Application Acceleration Manager queues multiple requests for the same new or expired cached object, and then sends only one request to origin web server. When the object is retrieved, BIG-IP AAM responds to all the requests.



Intelligent Browser Referencing™—Reduces the number of requests and speeds page rendering times by managing object expiration dates and storing frequently requested objects in the browser cache.

Content reordering - Optimizes the order of when JavaScripts and Cascading Style Sheets (CSS) are loaded to speed up the appearance of page rendering.

Content Inlining—Reduces the number of requests by inlining JavaScripts, CSS, and images directly into HTML, eliminating the need to perform additional GET requests.

MultiConnect—A form of domain sharing that enables browsers to open more simultaneous connections between the browser and web application for increased parallel data transfers.

Image optimization—Reduces size of images by lowering the quality, stripping out unnecessary metadata, and converting the image format.

Dynamic caching - Caches data that may seem dynamic (contains query parameters, cookies, or session IDs) but is actually static data or changes in an identifiable pattern.

Dynamic compression - Compresses dynamic data from web applications and ensures that compression is used only when it will improve performance.

5.2.3.3 High Availability and Redundancy ― Limits any disruption to network uptime should an appliance

face unforeseen performance issues. Transparently redistributes workloads to surviving cluster appliances without impacting communication throughout the cluster.



F5 Response: F5 meets the requirements listed 5.2.3.3. F5 meets the High Availability and Redundancy requirements above. It does this in a number of different ways in different levels across the platform series. Within the BIGIP platforms, High Availability (HA) is achieved with a feature set known as ScaleN. Data Center level HA is accomplished with the BIGIP product Global Traffic Manager (GTM) making the applications highly available despite catastrophic events that could impact all devices/services at a datacenter. Hardware appliances are designed with capabilities to help make them more highly available with redundant options for key components most likely to suffer failure. ScaleN - This embedded BIGIP feature set allows units to operate in a N+1 operational mode rather than the traditional 1+1 high availability model and thus allows more efficient use of the infrastructure. The concept uses traffic groups and device groups, and then allows the system to transfer different traffic groups from a failed device to defined systems. So in the event of device failure, traffic may be distributed to 3 other devices with additional capacity. On in the N+1 model all services could fail over to the dedicated back up unit. This is also fully compatible with the more traditional 1+1 redundancy model and thus is also fully support for this deployment method. As a part of the high availability configuration, the services can be provisioned to mirror connections to the standby unit. Typically deployed for long-lived services needing this level of redundancy, this can then provide a seamless failover to the standby unit with the connections resuming unaffected by the switchover. This can be defined on each provisioned application individually, reducing the need to consume system resources for services that are short lived and get little or no value from connection state mirroring. All of the above high availability configuration is applicable to both hardware and also virtual or software based BIGIP platforms.

Global Traffic Manager (GTM) - In the event that there is a site level catastrophic event that impacts services delivered from a particular datacenter, the BIGIP Global Traffic Manager (GTM) can detect and route users around this to a datacenter that is still operational and accepting connections. GTM uses advanced health checks to the F5 devices (or other devices/applications) in the datacenter(s). The GTM directs users to the healthy application by resolving DNS queries for the services it is responsible for. Normally it will resolve client DNS requests directing them to the primary DC or to the DC selected via its configurable business ruleset (in cases where multiple active DC’s are in use). In the event of a datacenter level application failure, the GTM will detect this via its health checks and then resolve new DNS queries for this service directing clients to the application running in the secondary (healthy) DC thereby getting users to the application at the datacenter where it is operational. Hardware - Within the F5 BIGIP Hardware Appliances themselves, there is also several features that make the hardware platforms more resilient to failure. Hardware Platform Redundancy Features:

Redundant Power Supplies available on all platforms

Hard Drive Redundancy – Available on the 2U platforms provide RAID HDD

Viprion Platform – Blade redundancy and interface redundancy with LACP and connections to each blade in the chassis cluster

5.2.4 OPTICAL NETWORKING ― High capacity networks based on optical technology and components that provide routing, grooming, and restoration at the wavelength level as well as wavelength based services. F5 Response: F5 does not offer a solution as listed in section 5.2.4.



5.2.4.1 Core DWDM (Dense Wavelength Division Multiplexing) Switches ― Switches used in systems designed for long haul and ultra long-haul optical networking applications. F5 Response: F5 does not offer a solution as listed in section 5.2.4.1.

5.2.4.2 Edge Optical Switches ― Provide entry points into the enterprise or service provider core networks.

F5 Response: F5 does not offer a solution as listed in section 5.2.4.2. 5.2.4.3 Optical Network Management ― Provides capabilities to manage the optical network and allows

operators to execute end-to-end circuit creation. F5 Response: F5 does not offer a solution as listed in section 5.2.4.3.

5.2.4.4 IP over DWDM (IPoDWDM) ― A device utilized to integrate IP Routers and Switches in the OTN (Optical

Transport Network). F5 Response: F5 does not offer a solution as listed in section 5.2.4.4.

5.2.5 ROUTERS ― A device that forwards data packets along networks. A router is connected to at least two networks, commonly two LANs or WANs or a LAN and its ISP's network. Routers are located at gateways, the places where two or more networks connect, and are the critical device that keeps data flowing between networks and keep the networks connected to the Internet. F5 Response: F5 does not offer a solution as listed in section 5.2.5. 5.2.5.1 Branch Routers ― A multiservice router typically used in branch offices or locations with limited numbers

of users and supports flexible configurations/feature. For example: security, VoIP, wan acceleration, etc. F5 Response: F5 does not offer a solution as listed in section 5.2.5.1.

5.2.5.2 Network Edge Routers ― A specialized router residing at the edge or boundary of a network. This

router ensures the connectivity of its network with external networks, a wide area network or the Internet. An edge router uses an External Border Gateway Protocol, which is used extensively over the Internet to provide connectivity with remote networks. F5 Response: F5 does not offer a solution as listed in section 5.2.5.2.

5.2.5.3 Core Routers – High performance, high speed, low latency routers that enable Enterprises to deliver a

suite of data, voice, and video services to enable next-generation applications such as IPTV and Video on Demand (VoD), and Software as a Service (SaaS). F5 Response: F5 does not offer a solution as listed in section 5.2.5.3.

5.2.5.4 Service Aggregation Routers ― Provides multiservice adaptation, aggregation and routing for

Ethernet and IP/MPLS networks to enable service providers and enterprise edge networks simultaneously host resource-intensive integrated data, voice and video business and consumer services. F5 Response: F5 does not offer a solution as listed in section 5.2.5.4.

5.2.5.5 Carrier Ethernet Routers ― High performance routers that enable service providers to deliver a suite of

data, voice, and video services to enable next-generation applications such as IPTV, Video on Demand (VoD), and Software as a Service (SaaS). F5 Response: F5 does not offer a solution as listed in section 5.2.5.5.



5.2.6 SECURITY 5.2.6.1 Data Center and Virtualization Security Products and Appliances ― Products designed to protect high-value data and data center resources with threat defense and policy control.

F5 Response: F5 meets the requirements listed 5.2.6.1. The F5 Application Delivery Firewall (ADF) is a modular solution framework designed to protect high-value data and data center resources with threat defense and policy control. The core of the solution is F5’s Traffic Management Operating System (TMOS) which is a purpose built operating system designed as a high-speed, full-proxy for data center centric protocols. The full-proxy architecture uses a default-deny security posture and is certified by ICSA Labs. Feature modules are licensed to provide specific layers of security depending on the use case and requirements. F5’s Application Delivery Firewall (ADF) runs on virtual or physical appliances, which are available in various sizes and performance levels. Units are commonly implemented in pairs for high availability using F5’s ScaleN technology. Modules and features include: Advanced Firewall Manager (AFM) – The F5 Advanced Firewall Manger solution helps protect corporate resources by implementing strong security services at the edge of the network. The application delivery firewall solution provides ICSA Labs-certified, network-layer protection with a much higher connection capacity than conventional firewalls. And because it terminates SSL, it’s the first high-performance firewall at the edge of the network that can inspect traffic while monitoring the health of the data center it protects.

Application Security Manager (ASM) – F5 provides a flexible, certified web application firewall and a comprehensive, policy-based web application security solution that eliminates the need for multiple appliances and address emerging threats at the application level. This complete solution lowers maintenance and management costs, and reduces the risk of damage to your intellectual property, data, and web applications. It provides protection against OWASP top ten application flaws, business logic exploitation and DDoS attacks. The BIG-IP web application firewall can profile legitimate user behavior to positively define the security policy in addition to a comprehensive negative security approach. Access Policy Manager (APM) – Unified access solutions from F5 help securely connect any user, on any device, from any location to local and global applications. And with comprehensive, flexible policy control from a single device, it’s easier than ever to control access to corporate resources. F5 keeps mobile users productive and data safe—with a solution that optimizes global application delivery in any type of deployment environment. Local Traffic Manager (LTM) – F5 LTM, in addition to the High Availability and ADC features, offers numerous security based features including - SSL proxy for traffic inspection, layer 3 & 4 DoS/DDoS mitigation, full-proxy layer 3 & 4 firewall, Policy control via scripting engine (iRules) for custom zero-day attack mitigation and threat defense, and IPSec site-to-site VPN

Global Traffic Manager (GTM) – While GTM provides many high availability features connecting users to available datacenters, it also provides a suite of security based features including DNS protocol validation, DNS firewall, DNSSEC, and a High-performance in-memory authoritative DNS resolver to mitigate DNS DDoS floods. IP Intelligence – Subscription available for contextual awareness and categorizing/blocking of known malicious IP addresses, anonymous proxies, scanners, botnets and more. BIG-IQ – BIG-IQ provides an intelligent management framework that simplifies the process of deploying and optimizing application delivery services. BIG-IQ provides organizations with intelligence in the management plane—offering intuitive, flexible, and scalable management of industry-leading BIG-IP solutions. 5.2.6.2 Intrusion Detection/Protection and Firewall Appliances ― Provide comprehensive inline network

firewall security from worms, Trojans, spyware, key loggers, and other malware. This includes Next-Generation Firewalls (NGFW), which offer a wire-speed integrated network platform that performs deep



inspection of traffic and blocking of attacks. Intrusion Detection/Protection and Firewall Appliances should provide:

Non-disruptive in-line bump-in-the-wire configuration

Standard first-generation firewall capabilities, e.g., network-address translation, stateful protocol inspection (SPI) and virtual private networking (VPN), etc.

Application awareness, full stack visibility and granular control

Capability to incorporate information from outside the firewall, e.g., directory-based policy, blacklists, white lists, etc.

Upgrade path to include future information feeds and security threats

SSL decryption to enable identifying undesirable encrypted applications (Optional) F5 Response: F5 partially meets the requirements listed 5.2.6.2. The F5 Application Delivery Firewall (ADF) provides a TMOS based platform supporting an industry-leading suite of security modules including a Layer 4 network firewall (AFM), Layer 7 application firewall (ASM), and **Secure Web Gateway (SWG).

Capabilities include:

Non-disruptive in-line bump-in-the-wire configuration – F5 doesn’t support in-line, bump-in-the-wire configuration. However, we do support other third parties solutions that do.

Deployment options including all common network deployment scenarios, including transparent, inline, and routed.

Standard first-generation firewall capabilities – Standard first-generation and application delivery firewall capabilities including NAT, full-proxy, stateful protocol inspection and virtual private networking.

Application awareness, full stack visibility and granular control – Complete application awareness, full stack visibility, and granular control.

Capability to incorporate information from outside the firewall, e.g. directory-based policy, IP intelligence blacklists, white lists – F5 does support this including geolocation, etc.

Upgrade path to include future information feeds and security threats – Support for signature updates and near real time IP reputation database updates. Two examples of this are our integration with third party companies like Websense for URL filtering and dynamic content classification and Whitehat for real time application vulnerability scans and remediation.

SSL decryption to enable identifying undesirable encrypted applications – SSL decryption (and re-encryption, if desired) to enable identifying undesirable encrypted threats.

Advanced Firewall Manager (AFM) – BIG-IP Advanced Firewall Manager (AFM) is a high-performance, stateful, full-proxy network firewall designed to guard your data center against incoming threats that enter the network on the most widely deployed protocols—including HTTP/S, SMTP, DNS, and FTP. Application Security Manager (ASM) – The BIG-IP web application firewall provides protection against OWASP top ten application flaws, business logic exploitation and DDoS attacks in a superior manner compared with a typical IDS/IPS. The BIG-IP web application firewall can profile legitimate user behavior to positively define the security policy in addition to a comprehensive negative security approach. **Secure Web Gateway (SWG) - BIG-IP provides a secure web gateway solution, which integrates with the access policy engine to support simplified enforcement of outbound HTTP/HTTPS traffic. The solution ensures that clients are protected from malicious external sites hosting malware. BIG-IP uses a URL filtering database with near-realtime updates. Response payloads are also inspected by a policy engine to block malware. Organizational data is protected by ensuring that client traffic is valid HTTP or HTTPS and does not contain sensitive data. BIG-IP integrates with external scanning engines via ICAP with simple GUI based configuration.




IP Reputation - BIG-IP can take actions on clients based on the reputation of their IP address. The IP reputation database is cached locally with near real-time external updates. It includes many categories of malicious activity including botnet, DoS, phishing, open proxies, scanners, etc.

Support millions of arbitrary entries in white and blacklists for enforcement at any layer of the protocol stack.

Act as a high performance SSL forward proxy to allow inspection and validation of encrypted HTTPS traffic.

Platform NAT support.

SSL VPN for end user connectivity to datacenter applications.

IPsec and SSL connectivity for secure BIG-IP - server communication.

Further clarification of requirements is needed before F5 can confirm full compliance with section 5.2.6.2.

5.2.6.3 Logging Appliances and Analysis Tools ― Solutions utilized to collect, classify, analyze, and securely store log messages.

F5 Response: F5 partially meets the requirements listed 5.2.6.3. F5 provides a suite of logging and analysis tools designed to provide operational intelligence for the F5 product set. Enterprise Manager (EM) reduces the cost and complexity of managing BIG-IP devices and provides a single-pane view of the entire application delivery infrastructure. EM is able to provide centralized reporting . LogIQ is a free F5 virtual appliance used to collect; aggregate, and view log events for managed BIG-IP devices from a centralized location. LogIQ provides a powerful search tool to easily locate specific log events, as well as the ability to increase storage as needed by utilizing resources from the hypervisor. BIG-IP is also able to integrate with other centralized event managers using high speed logging to efficiently send event information via TCP or UDP to remote management stations. Further clarification of requirements is needed before F5 can confirm full compliance with section 5.2.6.3.

5.2.6.4 Secure Edge and Branch Integrated Security Products ― Network security, VPN, and intrusion

prevention for branches and the network edge. Products typically consist of appliances or routers. F5 Response: F5 meets the requirements listed 5.2.6.4. The F5 Application Delivery Firewall (ADF) meets the above requirements with APM/AFM product modules running on top of TMOS to provide a comprehensive Branch Office security solution that is ICSA Labs certified. Can be deployed on F5 designed appliances or as a virtual machine in the remote site.


Network security via a full-proxy architecture ICSA Labs certified firewall

IPSec and SSL VPN capabilities

Intrusion Prevention

Advanced Firewall Manager (AFM) – Advanced layer 3 & 4 DoS/DDoS mitigation and threat defense, full-proxy and stateful packet inspection layer 3 & 4 network firewall, graphical security rule builder and policy control, Robust logging and reporting, Protocol security and enforcement for HTTP, FTP, DNS &



SMTP, IPSec site-to-site VPN.

Access Policy Manager (APM) – Enables secure, authenticated user access to applications or network resources based on a customizable access policy control, pre-authentication posture inspection, reverse proxy with rewrite, SSL VPN, leverages user contextual awareness for intelligent access policy control decisions. Additional Capabilities:

SSO across multiple domains, Kerberos ticketing, and SAML 2.0, which extends SSO capabilities to cloud-based applications outside the corporate data center

AAA Server Support - Full authentication and access control with AAA servers and support for 2 factor authentication

Client pre-inspection (anti-virus, firewall, process, machine info, OS, browser, registry checks)

Application Tunnel Support

Web Resource (reverse proxy, content rewrite)

Visual Policy Editor to design client access

Additional branch office Modules may include:

Local Traffic Manager (LTM) – F5 LTM in addition to the ADC and High Availability features, LTM offers numerous security based features including - SSL proxy for traffic inspection, layer 3 & 4 DoS/DDoS mitigation, full-proxy layer 3 & 4 firewall, Policy control via scripting engine (iRules) for custom zero-day attack mitigation and threat defense, and IPSec site-to-site VPN. Global Traffic Manager (GTM) – GTM provides many high availability features connecting users to available datacenters, however it also provides a suite of security based features including DNS protocol validation, DNS firewall, DNSSEC, and a High-performance in-memory authoritative DNS resolver to mitigate DNS DDoS floods. IP Intelligence – Subscription available for contextual awareness and blocking of known malicious IP addresses, anonymous proxies, scanners, botnets and more.

5.2.6.5 Secure Mobility Products ― Delivers secure, scalable access to corporate applications across multiple

mobile devices.

F5 Response: F5 meets the requirements listed 5.2.6.5. The F5 Mobile Application Manager (MAM) and Access Policy Manager (APM) work together to provide a robust BYOD management and secure access solution. The APM product in particular, will meet the above requirements for delivering secure, scalable access to corporate applications on multiple mobile devices while the MAM product provides a cloud based solution for corporate management and securely integrating the BYOD into the corporate workplace.


Secured Application Tunnel Support

Support for multiple mobile devices including IOS, Windows, and Android platforms

Ability to scale the number of devices and concurrent access session via the APM secure application tunnels

Access Policy Manager (APM) – Enables secure, authenticated user access to applications or network resources based on a customizable access policy control, pre-authentication posture inspection, reverse proxy with rewrite, SSL VPN, while leveraging user contextual awareness for intelligent access policy control decisions. For Mobile devices, specific inspections and resultant actions can be provisioned to give appropriate levels of control (example: do not allow access for Jail Broken phones).




Client pre-inspection (Device type, anti-virus, firewall, process, machine info, OS, browser, registry checks)


Visual Policy Editor to design client access actions and process flow


Web Resource (reverse proxy, content rewrite)

Mobile Device management including the following: o Secure Enterprise Footprint - Corporate partition where encrypted applications and data

reside that can be managed independently without affecting the overall device o Flexible Policy Management - Administrators can manage application access globally, by

groups, or by individual devices. IT can push down policy and configuration requirements to organization’s divisions quickly and easily, while enforcing compliance

o Secure Access to Productivity Apps - provides employees with secure mobile access to corporate email, calendar functionality, and contacts through Microsoft Exchange ActiveSync

Mobile App Manager (MAM) – A BYOD/mobile application management and access solution that securely extends the enterprise to personal mobile devices. F5 MAM manages apps and secures data while satisfying the needs of both employees who rely on their mobile devices, and enterprise. For employees, F5 MAM safely separates personal data and usage from corporate oversight for a simpler, more flexible and productive experience. And for IT departments, F5 MAM minimizes the burden of ensuring that corporate data is secure on personal devices.

5.2.6.6 Encryption Appliances ― A network security device that applies crypto services at the network transfer

layer - above the data link level, but below the application level. F5 Response: F5 meets the requirements listed 5.2.6.6. The F5 Application Delivery Firewall (ADF) solution provides solutions for providing crypto services at the network transfer layer across a number of the different modules. Features Include:

IPSec for Site to Site encryption

SSL encrypted links between sites

Remote access solutions for SSL VPN connectivity

SSL encryption for Application tunnels 5.2.6.7 On-premise and Cloud-based services for Web and/or Email Security ― Solutions that provide threat

protection, data loss prevention, message level encryption, acceptable use and application control capabilities to secure web and email communications.

F5 Response: F5 partially meets the requirements listed 5.2.6.7. BIG-IP provides a **Secure Web Gateway (SWG) solution, which integrates with the access policy engine to support simplified enforcement of outbound HTTP/HTTPS traffic. The solution ensures that clients are protected from malicious external sites hosting malware. BIG-IP uses a URL filtering database with near-real-time updates. Response payloads are also inspected by a policy engine to block malware. Organizational data is protected by ensuring that client traffic is valid HTTP or HTTPS and does not



contain sensitive data. BIG-IP integrates with external scanning engines via ICAP with simple GUI based configuration. Capabilities Include:

IP Reputation Database - Take actions on clients based on the reputation of their IP address. The database is cached locally with near real-time external updates. It includes many categories of malicious activity including botnet, DoS, phishing, open proxies, scanners, etc.

Support millions of arbitrary entries in white and blacklists for enforcement at any layer of the protocol stack.

Act as a high performance SSL forward proxy to allow inspection and validation of encrypted HTTPS traffic.

F5 offered solution for cloud based services for web security is a virtualized instance of the Application Security Manager (ASM), a fully Layer 7 WAF product. F5 does not offer solutions related to email security.

Further clarification of requirements is needed before F5 can confirm full compliance with section 5.2.6.7.

5.2.6.8 Secure Access ― Products that provide secure access to the network for any device, including

personally owned mobile devices (laptops, tablets, and smart phones). Capabilities should include:

Management visibility for device access

Self-service on-boarding

Centralized policy enforcement

Differentiated access and services

Device Management F5 Response: F5 meets the requirements listed 5.2.6.8. The F5 Mobile Application Manager (MAM) and Access Policy Manager (AFM) work together to meet the above requirements for managing and delivering Secure, scalable access to corporate applications on multiple mobile Devices.


Management visibility for device access reporting – We support users, devices, or applications

Self-service on-boarding – via link and interactive dialogue or direct access to app on iTunes/GooglePlay

Centralized Policy Enforcement – with policies applied to groups as defined in AD with changes in AD reflected automatically

Differentiated access and services – based on AAA inspection and group membership, device inspection, attributes in a configurable Visual Policy Editor

Device Management – can be defined for the entire device or for the Applications Partition as required.

Mobile App Manager (MAM) – A BYOD/mobile application management and access solution that securely extends the enterprise to personal mobile devices. F5 MAM manages apps and secures data while satisfying the needs of both employees who rely on their mobile devices, and enterprise. For employees, F5 MAM safely separates personal data and usage from corporate oversight for a simpler, more flexible and productive experience. And for IT departments, F5 MAM minimizes the burden of ensuring that corporate data is secure on personal devices. Additional Capabilities:

Secure Enterprise Footprint - Corporate partition where encrypted applications and data reside



that can be managed independently without affecting the overall device

Flexible Policy Management - Administrators can manage application access globally, by groups, or by individual devices. IT can push down policy and configuration requirements to organizations quickly and easily, while enforcing compliance

Secure Access to Productivity Apps - provides employees with secure mobile access to corporate email, calendar functionality, and contacts through Microsoft Exchange ActiveSync

Access Policy Manager (APM) – Enables secure, authenticated user access to applications or network resources based on a customizable access policy control, pre-authentication posture inspection, reverse proxy with rewrite, SSL VPN, while leveraging user contextual awareness for intelligent access policy control decisions. For Mobile devices, specific inspections and resultant actions can be provisioned to give appropriate levels of control (example: do not allow access for Jail Broken phones) and provide secure access to all applications authenticated to. Additional Capabilities:

Client pre-inspection (Device type, anti-virus, firewall, process, machine info, OS, browser, registry checks)


Visual Policy Editor to design client access actions and process flow


5.2.7 STORAGE NETWORKING ― High-speed network of shared storage devices connecting different types

of storage devices with data servers. F5 Response: F5 does not offer a solution as listed in section 5.2.7.

5.2.7.1 Director Class SAN (Storage Area Network) Switches and Modules ― A scalable, high-performance,

and protocol-independent designed primarily to fulfill the role of core switch in a core-edge Fibre Channel (FC), FCOE or similar SAN topology. A Fibre Channel director is, by current convention, a switch with at least 128 ports. It does not differ from a switch in core FC protocol functionality. Fibre Channel directors provide the most reliable, scalable, high-performance foundation for private cloud storage and highly virtualized environments. F5 Response: F5 does not offer a solution as listed in section 5.2.7.1.

5.2.7.2 Fabric and Blade Server Switches ― A Fibre Channel switch is a network switch compatible with the

Fibre Channel (FC) protocol. It allows the creation of a Fibre Channel fabric, which is currently the core component of most SANs. The fabric is a network of Fibre Channel devices, which allows many-to-many communication, device name lookup, security, and redundancy. FC switches implement zoning; a mechanism that disables unwanted traffic between certain fabric nodes. F5 Response: F5 does not offer a solution as listed in section 5.2.7.2.

5.2.7.3 Enterprise and Data Center SAN and VSAN (Virtual Storage Area Network) Management ―

Management tools to provisions, monitors, troubleshoot, and administers SANs and VSANs. F5 Response: F5 does not offer a solution as listed in section 5.2.7.3.

5.2.7.4 SAN Optimization ― Tools to help optimize and secure SAN performance (ie. Encryption of data-at-rest,

data migration, capacity optimization, data reduction, etc. F5 Response: F5 does not offer a solution as listed in section 5.2.7.4.



5.2.8 SWITCHES ― Layer 2/3 devices that are used to connect segments of a LAN (local area network) or multiple LANs and to filter and forward packets among them. F5 Response: F5 does not offer a solution as listed in section 5.2.8. 5.2.8.1 Campus LAN – Access Switches ― Provides initial connectivity for devices to the network and controls

user and workgroup access to internetwork resources. The following are some of the features a campus LAN access switch should support:

Security i. SSHv2 (Secure Shell Version 2) ii. 802.1X (Port Based Network Access Control) iii. Port Security iv. DHCP (Dynamic Host Configuration Protocol) Snooping

VLANs

Fast Ethernet/Gigabit Ethernet

PoE (Power over Ethernet)

link aggregation

10 Gb support

Port mirroring

Span Taps

Support of IPv6 and IPv4

Standards-based rapid spanning tree

Netflow Support (Optional).

F5 Response: F5 does not offer a solution as listed in section 5.2.8.1. 5.2.8.2 Campus LAN – Core Switches ― Campus core switches are generally used for the campus backbone

and are responsible for transporting large amounts of traffic both reliably and quickly. Core switches should provide:

High bandwidth

Low latency

Hot swappable power supplies and fans

Security i. SSHv2 ii. MacSec encryption iii. Role-Based Access Control Lists (ACL)


1/10/40/100 Gbps support

IGP (Interior Gateway Protocol) routing

EGP (Exterior Gateway Protocol) routing

VPLS (Virtual Private LAN Service) Support

VRRP (Virtual Router Redundancy Protocol) Support

Netflow Support.

F5 Response: F5 does not offer a solution as listed in section 5.2.8.2. 5.2.8.3 Campus Distribution Switches ― Collect the data from all the access layer switches and forward it to

the core layer switches. Traffic that is generated at Layer 2 on a switched network needs to be managed, or segmented into Virtual Local Area Networks (VLANs), Distribution layer switches provides the inter-VLAN routing functions so that one VLAN can communicate with another on the network. Distribution layer switches provides advanced security policies that can be applied to network traffic using Access Control Lists (ACLs).

High bandwidth

Low latency




Security (SSHv2 and/or 802.1X)


Jumbo Frames Support

Dynamic Trunking Protocol (DTP)

Per-VLAN Rapid Spanning Tree (PVRST+)

Switch-port auto recovery

NetFlow Support or equivalent

F5 Response: F5 does not offer a solution as listed in section 5.2.8.3. 5.2.8.4 Data Center Switches ― Data center switches, or Layer 2/3 switches, switch all packets in the data

center by switching or routing good ones to their final destinations, and discard unwanted traffic using Access Control Lists (ACLs), all at Gigabit and 10 Gigabit speeds. High availability and modularity differentiates a typical Layer 2/3 switch from a data center switch. Capabilities should include:

High bandwidth

Low latency


Ultra-low latency through wire-speed ports with nanosecond port-to-port latency and hardware-based Inter-Switch Link (ISL) trunking

Load Balancing across Trunk group able to use packet based load balancing scheme

Bridging of Fibre Channel SANs and Ethernet fabrics

Jumbo Frame Support

Plug and Play Fabric formation that allows a new switch that joins the fabric to automatically become a member

Ability to remotely disable and enable individual ports

Support NetFlow or equivalent

F5 Response: F5 does not offer a solution as listed in section 5.2.8.4. 5.2.8.5 Software Defined Networks (SDN) – Virtualized Switches and Routers ―Technology utilized to support

software manipulation of hardware for specific use cases.

F5 Response: F5 does not offer a solution as listed in section 5.2.8.5. 5.2.8.6 Software Defined Networks (SDN) ― Controllers - is an application in software-defined networking

(SDN) that manages flow control to enable intelligent networking. SDN controllers are based on protocols, such as OpenFlow, that allow servers to tell switches where to send packets. The SDN controller lies between network devices at one end and applications at the other end. Any communications between applications and devices have to go through the controller. The controller uses multiple routing protocols including OpenFlow to configure network devices and choose the optimal network path for application traffic.

F5 Response: F5 does not offer a solution as listed in section 5.2.8.6.

5.2.8.7 Carrier Aggregation Switches ― Carrier aggregation switches route traffic in addition to bridging

(transmitted) Layer 2/Ethernet traffic. Carrier aggregation switches’ major characteristics are:

Designed for Metro Ethernet networks

Designed for video and other high bandwidth applications

Supports a variety of interface types, especially those commonly used by Service Providers Capabilities should include:

Redundant Processors

Redundant Power

IPv4 and IPv6 unicast and multicast



High bandwidth

Low latency


MPLS (Multiprotocol Label Switching)

BGP (Border Gateway Protocol)

Software router virtualization and/or multiple routing tables

Policy based routing

Layer 2 functionality i. Per VLAN Spanning Tree ii. Rapid Spanning Tree iii. VLAN IDs up to 4096 iv. Layer 2 Class of Service (IEEE 802.1p) v. Link Aggregation Control Protocol (LACP) vi. QinQ (IEEE 802.1ad)


5.2.8.8 Carrier Ethernet Access Switches ― A carrier Ethernet access switch can connect directly to the

customer or be utilized as a network interface on the service side to provide layer 2 services.

Hot-swappable and field-replaceable integrated power supply and fan tray

AC or DC power supply with DC input ranging from 18V to 32 VDC and 36V to 72 VDC

Ethernet and console port for manageability

SD flash card slot for additional external storage

Stratum 3 network clock

Line-rate performance with a minimum of 62-million packets per second (MPPS) forwarding rate

Support for dying gasp on loss of power

Support for a variety of small form factor pluggable transceiver (SFP and SFP+) with support for Device Object Model (DOM)

Timing services for a converged access network to support mobile solutions, including Radio Access Network (RAN) applications

Support for Synchronous Ethernet (SyncE) services

Supports Hierarchical Quality of Service (H-QoS) to provide granular traffic-shaping policies

Supports Resilient Ethernet Protocol REP/G.8032 for rapid layer-two convergence

F5 Response: F5 does not offer a solution as listed in section 5.2.8.8. 5.2.9 WIRELESS ― Provides connectivity to wireless devices within a limited geographic area. System capabilities should include:

Redundancy and automatic failover

IPv6 compatibility

NTP Support F5 Response: F5 does not offer a solution as listed in section 5.2.9.

5.2.9.1 Access Points ― A wireless Access Point (AP) is a device that allows wireless devices to connect to a

wired network using Wi-Fi, or related standards. Capabilities should include:

802.11a/b/g/n

802.11n

802.11ac

Capable of controller discovery method via DHCP (onsite controller or offsite through Cloud Architecture)

UL2043 plenum rated for safe mounting in a variety of indoor environments

Support AES-CCMP (128-bit)

Provides real-time wireless intrusion monitoring and detection




5.2.9.2 Outdoor Wireless Access Points ― Outdoor APs are rugged, with a metal cover and a DIN rail or other

type of mount. During operations they can tolerate a wide temperature range, high humidity and exposure to water, dust, and oil. Capabilities should include:

Flexible Deployment Options

Provides real-time wireless intrusion monitoring and detection

Capable of controller discovery method via DHCP (onsite controller or offsite through Cloud Architecture)


5.2.9.3 Wireless LAN Controllers ― An onsite or offsite solution utilized to manage lightweight access points in

large quantities by the network administrator or network operations center. The WLAN controller automatically handles the configuration of wireless access-points. Capabilities should include:

Ability to monitor and mitigate RF interference/self-heal

Support seamless roaming from AP to AP without requiring re-authentication

Support configurable access control lists to filter traffic and denying wireless peer to peer traffic

System encrypts all management layer traffic and passes it through a secure tunnel

Policy management of users and devices provides ability to de-authorize or deny devices without denying the credentials of the user, nor disrupting other AP traffic

Support configurable access control lists to filter traffic and denying wireless peer to peer traffic

F5 Response: F5 does not offer a solution as listed in section 5.2.9.3. 5.2.9.4 Wireless LAN Network Services and Management ― Enables network administrators to quickly plan,

configure and deploy a wireless network, as well as provide additional WLAN services. Some examples include wireless security, asset tracking, and location services. Capabilities should include:

Provide for redundancy and automatic failover

Historical trend and real time performance reporting is supported

Management access to wireless network components is secured

SNMPv3 enabled

RFC 1213 compliant

Automatically discover wireless network components

Capability to alert for outages and utilization threshold exceptions

Capability to support Apple’s Bonjour Protocol / mDNS

QoS / Application identification capability

F5 Response: F5 does not offer a solution as listed in section 5.2.9.4. 5.2.9.5 Cloud-based services for Access Points ― Cloud-based management of campus-wide WiFi

deployments and distributed multi-site networks. Capabilities include:

Zero-touch access point provisioning

Network-wide visibility and control

RF optimization,

Firmware updates

F5 Response: F5 does not offer a solution as listed in section 5.2.9.5. 5.2.9.6 Bring Your Own Device (BYOD) ― Mobile Data Management (MDM) technology utilized to allow

employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and use those devices to access privileged government information and applications in a secure manner. Capabilities should include:



Ability to apply corporate policy to new devices accessing the network resources, whether wired or wireless

Provide user and devices authentication to the network

Provide secure remote access capability

Support 802.1x

Network optimization for performance, scalability, and user experience

F5 Response: F5 interprets this requirement as MDM from the perspective of the Access Point and in this case would not have a solution to meet the above requirements. If it is more generic MDM requirements, please refer back to section 5.2.6.8 - Secure Access to see the full F5 MAM/APM capabilities for MDM.

5.3.0 UNIFIED COMMUNICATIONS (UC) ― A set of products that provides a consistent unified user interface and user experience across multiple devices and media types. Unified Communications that is able to provide services such as session management, voice, video, messaging, mobility, and web conferencing. It can provide the foundation for advanced unified communications capabilities of IM and presence-based services and extends telephony features and capabilities to packet telephony network devices such as IP phones, media processing devices, Voice over IP (VoIP) gateways, and multimedia applications. Additional services, such as unified messaging, multimedia conferencing, collaborative contact centers, and interactive multimedia response systems, are made possible through open telephony APIs. General UC solution capabilities should include:

High Availability for Call Processing

Hardware Platform High Availability

Network Connectivity High Availability

Call Processing Redundancy F5 Response: F5 does not offer a solution as listed in section 5.3.0. 5.3.0.1 IP Telephony ― Solutions utilized to provide the delivery of the telephony application (for example, call

setup and teardown, and telephony features) over IP, instead of using circuit-switched or other modalities. Capabilities should include:

Support for analog, digital, and IP endpoints

Centralized Management

Provide basic hunt group and call queuing capabilities

Flexibility to configure queue depth and hold time, play unique announcements and Music on Hold (MoH), log in and log out users from a queue and basic queue statistics (from the phone

E911 Support

F5 Response: F5 does not offer a solution as listed in section 5.3.0.1. 5.3.0.2 Instant messaging/ Presence ― Solutions that allow communication over the Internet that offers quick

transmission of text-based messages from sender to receiver. In push mode between two or more people using personal computers or other devices, along with shared clients, instant messaging basically offers real-time direct written language-based online chat. Instant messaging may also provide video calling, file sharing, PC-to-PC voice calling and PC-to-regular-phone calling.


5.3.0.3 Unified messaging ― Integration of different electronic messaging and communications media (e-mail,

SMS, Fax, voicemail, video messaging, etc.) technologies into a single interface, accessible from a variety of different devices.

Ability to access and manage voice messages in a variety of ways, using email inbox, Web browser, desktop client, VoIP phone, or mobile phone

Visual Voicemail Support (Optional)




5.3.0.4 Contact Center ― A computer-based system that provides call and contact routing for high-volume telephony transactions, with specialist answering “agent” stations and a sophisticated real-time contact management system. The definition includes all contact center systems that provide inbound contact handling capabilities and automatic contact distribution, combined with a high degree of sophistication in terms of dynamic contact traffic management.


5.3.0.5 Communications End Points and Applications

Attendant Consoles

IP Phones

F5 Response: F5 does not offer a solution as listed in section 5.3.0.5. 5.3.0.6 UC Network Management ― Provides end-to-end service management for Unified Communications.

Capabilities include testing, performance monitoring, configuration management, and business intelligence reporting.


5.3.0.7 Collaboration ― Voice, video, and web conferencing; messaging; mobile applications; and enterprise

social software.

F5 Response: F5 does not offer a solution as listed in section 5.3.0.7. 5.3.0.8 Collaborative Video ― A set of immersive video technologies that enable people to feel or appear as if

they were present in a location that they are not physically in. Immersive video consists of a multiple codec video system, where each meeting attendee uses an immersive video room to “dial in” and can see/talk to every other member on a screen (or screens) as if they were in the same room and provides call control that enables intelligent video bandwidth management. F5 Response: F5 does not offer a solution as listed in section 5.3.0.8.

5.3.0.8.1 Content Delivery Systems (CDS) ― A large distributed system of servers deployed in

multiple data centers connected by the Internet. The purpose of the content delivery system is to serve content to end-users with high availability and high performance. CDSs serve content over the Internet, including web objects (text, graphics, URLs, and scripts), downloadable objects (media files, software, documents), applications (e-commerce, portals), live streaming media, on-demand streaming media, and social networks. F5 Response: F5 does not offer a solution as listed in section 5.3.0.8.1.

5.3.0.8.2 Physical Security ― Technology utilized to restricting physical access by unauthorized people to controlled facilities. Technologies include: a. Access control systems b. Detection/Identification systems, such as surveillance systems, closed circuit

television cameras, or IP camera networks and the associated monitoring systems. c. Response systems such as alert systems, desktop monitoring systems, radios,

mobile phones, IP phones, and digital signage d. Building and energy controls

F5 Response: F5 does not offer a solution as listed in section 5.3.0.8.2.



5.3.1 SERVICES ― For each Category above (5.21-5.30), the following services should be available for procurement as well at the time of product purchase or anytime afterwards. F5 Response: All the F5 services listed in this RFP response are available for procurement both at time of purchase as well as anytime afterwards. 5.3.1.1 Maintenance Services ― Capability to provide technical support, flexible hardware coverage, and smart, proactive device diagnostics for hardware.

F5 Response: Here is the overview of F5’s maintenance and technical support options. All F5 products come with a one-year manufacturer’s hardware warranty and a 90-day software media warranty. Technical support is limited to F5 products with active support contracts. F5 Standard (5 x 10) support and Premium (7 x 24) support include remote assistance both online and over the phone, proactive support for planned maintenance, advance RMA replacement, software upgrades, and help with F5 iRules scripts. You can upgrade your support with Expedited RMA Services and Maintenance Add-On Packages. In addition, F5 provides many free, self-service resources to help you get the most from your F5 investment. Expert Assistance When You Need It Count on F5 Support to provide the help you need, when you need it. F5’s worldwide customer support organization has implemented an ISO 9001:2008–compliant Quality Management System that ensures that F5 adheres to documented processes and procedures and continues to improve its delivery of customer support. With ISO compliance, you can be confident you’ll receive consistently excellent service. Network Support Centers F5 Network Support Centers are strategically located for partners and customers in APAC, Japan, EMEA, and North America. Regionally located support centers enable F5 to provide support in a number of languages through native speaking support engineers who are available when you are, during your business day. Globally dispersing Network Support Centers allows for cases to truly “follow the sun,” which means Network Support Engineers are available to provide help when you need it.

Standard support hours are Monday through Friday, 8:00 a.m. to 6:00 p.m., your local time.

Premium support hours are every day, around the clock, 365 days a year. The following table details the features provided in Standard support and Premium support.

Network Support Engineers



F5 Network Support Engineers have extensive knowledge of F5 technology and receive continuous training in the latest features and updates to F5 products. When you contact Support, your call will be routed to the best subject matter expert for your case. WebSupport Portal F5’s WebSupport Portal provides you with more flexibility and fast access to F5 Network Support Centers, at any time. Quickly create new support cases, receive an automated case number, read case details and updates, upload troubleshooting attachments, and more. Online help is always available. Proactive Case Management With Proactive Case management, you can alert F5 Support of upcoming scheduled maintenance on your F5 devices. That way, if you do need assistance, you’ll save the time spent opening a new case and providing diagnostic files, and F5 Network Support Engineers can be quickly assigned to your case. iRules Support Standard and Premium support include iRules scripting language assistance. Standard iRules support Standard iRules support provides basic syntactical review for customers with active Standard support maintenance contracts. Premium iRules support In addition to Standard iRules support services, Premium iRules support adds validation, troubleshooting, and functional testing of scripted iRules for customers with Premium support maintenance contracts. F5 also offers self-service iRules resources on the F5 DevCentral online community. Software Upgrades and Updates New software releases are available at no charge for supported products. Self-Service Resources To get the most value from your F5 solution investment, explore the resources provided by the AskF5 Knowledge Base and the F5 DevCentral online community. AskF5 Knowledge Base Consider AskF5 as your first source for answers. Visit the AskF5 website for software downloads, licensing tools, product guides, release notes, solutions to known issues, and how-to information. You can also sign up to receive security email alerts and product- specific RSS feeds. F5 DevCentral At F5 DevCentral, you can join an online, developer community of more than 60,000 F5 users worldwide who collaborate and share innovations, including code samples, new techniques, and other tips. Expedited RMA Services Expedited Return Materials Authorization (RMA) Services include options for Next Business Day delivery, 4-Hour delivery, and for a technician to install the product for you. All levels include advance replacement. Customers with Standard or Premium support levels can upgrade to Expedited RMA Services. RMA requests can be submitted only during supported hours, in accordance with the unit’s base maintenance contract. Maintenance Add-On Packages Maintenance Add-On Packages offer an opportunity for you to proactively improve your IT infrastructure and better align IT with business goals on an ongoing basis. Customers with Standard or Premium support levels can purchase Add-On Packages.



The following table compares the features provided in the various Add-On Packages available for additional support. Only customers with Standard or Premium support can purchase Add-On Packages.

Technical Account Management The Technical Account Management package provides a Technical Account Manager (TAM) to assist in facilitating communication between your business owners and F5 technical resources and identify and anticipate issues. During escalation, the TAM provides a single point of contact and conducts calls for Severity 1 (site down) priority case management until the issue is resolved. Best Practices With the Best Practices package, an F5 consultant will work closely with you to ensure your organization is making the most of its F5 technology. The package includes a one-year engagement starting with an initial onsite network assessment lasting 10 consecutive days. The initial assessment is followed by monthly 3-consecutive day visits for hands-on help with improving your infrastructure to align your F5 solution with your business goals. You will also receive priority assistance with Severity 1 calls. Premium Plus The highest level of support, Premium Plus provides a dedicated team of F5 Network Support Engineers who become familiar with your unique business environment and objectives, a Technical Account Manager, and a dedicated phone line for your calls. Weekly status meetings and quarterly in-depth reviews provide an opportunity for you to work with your F5 team to address current issues and help you reach future goals. For immediate needs, your calls receive the highest priority status. You can purchase a Premium Plus Add-On to your Standard (5 x 10) support that matches your contracted hours. You can also purchase a Premium Plus Add-On to your Premium (7 x 24) support for your contracted hours or for 5 x 10 local time coverage. Case Severity Definitions and Response Times All F5 Network Support Centers uphold the following case severity definitions and target response times to ensure that the appropriate resources are used to resolve all technical issues as efficiently as possible. F5 will endeavor to respond to Severity 1 and Severity 2 issues within one hour. Understanding that unforeseen events could delay attempts, F5 expects that the majority of



Severity 1 and Severity 2 issues will be responded to within this service level. Initial response is defined as the time from when the F5 case was created to when a Network Support Engineer first attempts to contact the case contact for troubleshooting and updates the case log reflecting this action. When a case is logged as Severity 1, F5 Network Support Managers are immediately notified to ensure the case is assigned within the appropriate timeframe to an appropriately skilled Network Support Engineer.

5.3.1.2 Professional Services

F5 Response: F5 provides a comprehensive portfolio of consulting and advanced services to assist our customers in architecting, implementing, maintaining, and optimizing their F5 deployments. Our Professional Services team will work directly with your organization to identify the best approach for the delivery of the requested services. With scores that are consistently above 9 points out of 10, we deliver world-class consulting services for our customers. Whether onsite or remote, packaged offerings or custom statements of work, the F5 team will deliver a solution that is right for your IT infrastructure and that can scale to deliver fast, secure, and available applications.

Deployment Services Survey/ Design Services ― Includes, but not limited to, discovery, design, architecture review/validation, and readiness assessment. F5 Response: F5 consultants are skilled in the design of optimal network architectures and in the creation of comprehensive deployment plans. Efficiency, flexibility, scalability, and security will underpin the design and architecture using F5 best practices. Implementation Services ― Includes, but not limited to, basic installation and configuration or end-to-end integration and deployment. F5 Response: F5 Professional Services provides Implementation Services for all BIG-IP, Enterprise Manager, VIPRION following a standard 4-step approach: plan, architect, configure and implement. Our consultants’ proven methodology and depth of knowledge in security, network performance and infrastructure helps deliver an optimal solution to secure your infrastructure, deliver superior performance, and scale to meet the demands of your business. Optimization ― Includes, but not limited to, assessing operational environment readiness, identify ways to increase efficiencies throughout the network, and optimize Customer’s infrastructure, applications and service management. F5 Response: F5 Professional Services optimization offerings focus on maximizing the performance, health, and security of F5 deployments. An F5 consultant can configure advanced product features such as compression, caching, and traffic shaping as well as perform network performance and application tuning to optimize your deployment. In addition, our Proactive Assessment provides an audit of F5 BIG-IPs to ensure the devices are optimally configured focusing on the operating systems, architecture, security, performance, and availability.

Remote Management Services ― Includes, but not limited to, continuous monitoring, incident management, problem management, change management, and utilization and performance reporting that may be on a subscription basis.

F5 Response: F5 Networks does not currently offer a solution to support remote device management, continuous monitoring nor utilization and performance reporting of a customer’s environment. For incident management, problem management and change management, customers can leverage one of our Enhanced Services subscription offerings below:



Technical Account Manager (TAM) is notified of all cases and works with the appropriate resources on a timely resolution that aligns with your organization’s unique requirements. In addition to helping resolve immediate issues, a TAM provides proactive services, such as regular status and quarterly review meetings, to help organizations improve operations and plan for future network needs.

Premium Plus customers receive priority support status, with access to a dedicated senior-level, F5-certified Enterprise Account Engineer, led by a Technical Account Manager (TAM). In addition, Premium Plus customers receive a dedicated phone line for support requests and the F5 team is immediately notified when a request is submitted through the F5 Network Support Centers. A key component of Premium Plus offering is the creation of a Service Delivery Plan, which details your F5 technology implementation, conditions for satisfaction and outlines future initiatives and key priorities. The initiatives and conditions for satisfaction are reviewed during weekly status calls and formally during quarterly reviews.

Service Delivery Manager provides a balanced selection of technical support and proactive professional services management to address the needs of large F5 installations. The construction of the service is tailored to the specific requirements discussed between the Customer and F5 and documented in the Service Delivery Plan. The plan will define the delivery of skills assessments, product lifecycle reports, service performance reports and review meetings.

Consulting/Advisory Services ― Includes, but not limited to, assessing the availability, reliability, security and performance of Customer’s existing solutions.

F5 Response: Our consultants are not only highly skilled, but hold certifications on F5 technologies to help maintain the optimal health of your F5 environments. Our consultants can assist with operational improvement initiatives, assess the availability, reliability, security and performance of your solutions, and contribute extensive product expertise to your organization.

Data Communications Architectural Design Services ― Developing architectural strategies and roadmaps for transforming Customer’s existing network architecture and operations management.

F5 Response: F5’s Solution Definition Workshop helps organizations revisit their existing architecture designs to evaluate current and future performance, security, scalability and operational readiness. Through a facilitated, interactive workshop, our subject matter experts will review key design scenarios with your team, share latest thought leadership, and introduce technology advancements that will yield an optimal and comprehensive solution designed specifically for your business. To support the transformation, F5 can offer upgrade services that will bring F5 products to the latest releases and migration services that take configurations from commercially available security and load balancing products and brings them to the F5 family of offerings.

Statement of Work (SOW) Services ― Customer-specific tasks to be accomplished and/or services to be delivered based on Customer’s business and technical requirements.

F5 Response: F5 Professional Services has extensive experience working with customers to tailor their F5 solutions to meet unique technical requirements. We can start with custom scripting and application monitor development customization for extended application verification, complex monitors, iRules® scripting language, and iControl® API. In addition, we work with key technology application partner (TAP) solutions including Microsoft Exchange, VDI solutions from Citrix and VMware, DAST providers such as Cenzic, Whitehat, Qualsys and IBM to support key business application requirements.



5.3.1.3 Partner Services ― Provided by Contractor’s Authorized Partners/Resellers.

Subject to Contractor’s approval and the certifications held by its Partners/Resellers, many Partners/Resellers can also offer and provide some or all of the Services as listed above at competitive pricing, along with local presence and support. As the prime, Contractor is still ultimately responsible for the performance of its Partners/ Resellers. Customers can have the option to purchase the Services to be directly delivered by Contractor (OEM) or its certified Partners/Resellers.

F5 Response: Many of our anticipated Authorized Partners/Resellers are able to provide their own services as defined in this bid. Upon contract award, we will provide a list of authorized of partners that can provide these services.

5.3.1.4 Training ― Learning offerings for IT professionals on networking technologies, including but not limited

to designing, implementing, operating, configuring, and troubleshooting network systems pertaining to items provided under the master agreement.

F5 Response: F5 provides training that supports the requirements of application developers, network architects as well as network administrators, operators, and engineers. Our learning offerings include:

• No-charge, self-paced Web-Based Training (WBT) courses that introduce professionals to basic

technology concepts related to F5 technology, recent changes to F5 products and basic configurations for BIG-IP Local Traffic Manager (LTM).

• Onsite training provides for an F5 instructor to work with you to tailor course content to fit specific needs. In addition to knowledge transfer, onsite training provides an excellent opportunity for members from different departments in an organization to get together to discuss options and share best practices. F5 provides PCs, F5 equipment and manuals for up to 16 students in a class.

• Open enrollment classes can be instructor-led or virtual instructor-led delivered by F5 certified instructors providing both course material and labs. In addition to formal training, IT professionals can also acquire additional knowledge about F5 technologies through DevCentral. DevCentral is the F5 user community and a key source for code, configurations, discussions, articles, and all-around technical know-how.

In addition to the professional services listed above, we also provide an industry leading service, community-centric and award winning website called DevCentral (https://devcentral.f5.com/). This resource allows our customers to get quick and organic support by interacting with their peers in a natural and organic way.

5.3.2 ADDING PRODUCTS

The ability to add new equipment and services is for the convenience and benefit of WSCA-NASPO, the Participating States, and all the Authorized Purchasers. The intent of this process is to promote “one-stop shopping” and convenience for the customers and equally important, to make the contract flexible in keeping up with rapid technological advances. The option to add new product or service categories and/items will expedite the delivery and implementation of new technology solutions for the benefit of the Authorized Purchasers. After the contracts are awarded, additional IT product categories and/or items may be added per the request of the Contractor, a Participating State, an Authorized Purchaser or WSCA-NASPO. Additions may be ad hoc and temporary in nature or permanent. All additions to an awarded Contractor or Manufacturer’s offerings must be products, services, software, or solutions that are commercially available at the time they are added to the contract award and fall within the original scope and intent of the RFP (i.e., converged technologies, value adds to manufacturer’s solution offerings, etc.). F5 Response: The F5 response team has read the items listed in Section 5.3.2 and acknowledge that we understand and accept them.



5.3.2.1 New Product from Contractors ― If Contractor, a Participating State, an Authorized Purchaser or WSCA-NASPO itself requests to add new product categories permanently, then all awarded Contractors (Manufacturers) will be notified of the proposed change and will have the opportunity to work with WSCA-NASPO to determine applicability, introduction, etc. Any new products or services must be reviewed and approved by the WSCA-NASPO Contract Administrator. F5 Response: The F5 response team has read the items listed in Section 5.3.2.1 and acknowledge that we understand and accept them. 5.3.2.2 Ad Hoc Product Additions ― A request for an ad hoc, temporary addition of a product category/item must be submitted to WSCA-NASPO via the governmental entity’s contracting/purchasing officer. Ad hoc, temporary requests will be handled on a case-by-case basis. F5 Response: The F5 response team has read the items listed in Section 5.3.2.2 and acknowledge that we understand and accept them. 5.3.2.3 Pricelist Updates ― As part of each Contractor’s ongoing updates to its pricelists throughout the contract term, Contractor can add new SKUs to its awarded product categories that may have been developed in-house or obtained through mergers, acquisitions or joint ventures; provided, however, that such new SKUs fall within the Contractor’s awarded product categories. F5 Response: The F5 response team has read the items listed in Section 5.3.2.3 and acknowledge that we understand and accept them. Section 6: Evaluation 6.1 General Information Proposals will be evaluated for completeness and compliance with the requirements of this RFP by a sourcing team. The sourcing team may engage additional qualified individuals during the process to assist with technical, financial, legal, or other matters. Except at the invitation of the sourcing team, no activity or comments from Offerors regarding this RFP shall be discussed with any member of the sourcing team during the evaluation process. An Offeror who contacts a member of the sourcing team in reference to this RFP may have its proposal rejected. Each proposal must be submitted in Microsoft Word or Excel, or PDF labeled and organized in a manner that is congruent with the section number, headings, requirements, and terminology used in this RFP. Proposal documents must be use Arial font size 10. All proposals must be submitted in electronic form. F5 Response: The F5 response team has read the items listed in Section 6.1 and acknowledge that we understand and accept them. 6.2 Administrative Requirements Compliance The sourcing team will evaluate each proposal for compliance with administrative requirements. Non compliance with any of these requirements will render a proposal non-responsive. Only those proposals that pass the administrative requirements will be evaluated further. In order to pass the Administrative Requirements, the following must be received by due date and time associated with this RFP as listed in Bid Sync. F5 Response: The F5 response team has read the items listed in Section 6.2 and acknowledge that we understand and accept them. 6.2.1 References



Vendor must provide a least three current account references for which your company provides similar Data Communications services for private, state and/or large local government clients (preferably government/public entities). Offerors are required to submit Attachment B - Reference Form, for business references. The business providing the reference must submit the Reference Form directly to the State of Utah, Division of Purchasing. It is the offeror’s responsibility to ensure that completed forms are received by the State of Utah Division of Purchasing on or before the proposal submission deadline for inclusion in the evaluation process. Business references not received, or not complete, may adversely affect the offeror’s score in the evaluation process. The Purchasing Division reserves the right to contact any or all business references for validation of information submitted. F5 Response: F5 has asked several customers to act as references by filling out the form provided in Attachment B. We have received confirmation that more than (5) entities have completed form B and returned them to Tara Eutsler with the State of Utah, as directed. For the evaluation team’s convenience, we have listed (7) of those entities with contact information in section 5.1.3 of this bid response document.

6.3 Minimum Scope Requirements Compliance The sourcing team will evaluate each proposal that passed the administrative requirements for compliance with Section 5.2 Data Communications Services – Requirements. Scope requirements are evaluated in terms of the breadth and depth of the offeror proposal for each of the section 5.2.1-5.3.0 Scope categories. Only those proposals in each section that score 70% or better will move on to cost evaluation. F5 Response: The F5 response team has read the items listed in Section 6.3 and acknowledge that we understand and accept them. 6.4 Evaluation Criteria The following table details how each proposal shall be evaluated on a basis of 100 points. An evaluation committee comprised of representatives from some WSCA-NASPO member States will be appointed by the WSCA-NASPO Contract Administrator to perform the proposal evaluation. All Offeror’s proposals will be initially reviewed for compliance with the mandatory general requirements in Section 3 and Sections 5.1.1-5.1.5 stated within the RFP. Any proposal failing to meet one or more mandatory requirement(s) will be considered non-responsive and deemed “unacceptable”, and will be eliminated from further consideration. Those proposals deemed “acceptable” or “potentially acceptable” will be evaluated against the following proposal evaluation criteria using a point-based scoring methodology. Proposal evaluation criteria are listed in relative order of importance:

6.4.1 Cost – (bid sheets including discounts off list price attached) – 30% Given that technology products generally depreciate over time and go through typical product lifecycles, it is more favorable for customers to have prime contracts be based on minimum discounts off the Offeror’s’ commercially published pricelists versus fixed pricing. In addition, Offerors must have the ability to update and refresh their respective price books, as long as the agreed-upon discounts are fixed. Minimum guaranteed contract discounts do not preclude an Offeror and/or its authorized resellers from providing deeper or additional, incremental discounts at there sole discretion.

6.4.1.1 Refurbished Equipment – Many IT manufacturers offer refurbished equipment at a substantially lower cost with attractive warranties that also address risk concerns some customers may have with refurbished gear. Offerors add an optional provision for manufacturer-certified refurbished equipment to be available for procurement under this contract. This offering will not be evaluated as part of the cost scoring process.



Score will be assigned as follows:

0 = Failure, no response

1 = Poor, inadequate, fails to meet requirement

2 = Fair, only partially responsive

3 = Average, meets minimum requirement

4 = Above average, exceeds minimum requirement

5 = Superior

6.4.2 Demonstrate ability to provide products and services within scope of the RFP (Section 5.2-5.31) – 25% 6.4.3 Qualifications, technical ability, maintenance, training and value added services – 10% 6.4.4 Ability to supply to WSCA-NASPO member states/geographical coverage -10% 6.4.5 Offer profile and references (i.e., financial stability, presence in marketplace, adequate staff, marketing efforts etc.) – 20% 6.4.6 Administrative (i.e., report generating ability, e-commerce, account reps, problem resolution, customer satisfaction, website hosting and other administrative related issues) – 5%

At the option of the evaluation committee the WSCA-NASPO Contract Administrator may initiate discussion(s) with Offerors who submit responsive or potentially responsive proposals for the purpose of clarifying aspects of the proposal(s), however, proposals may be evaluated without such discussion(s). Such discussion(s) is not to be initiated by Offerors. Based on the competitive range of the evaluation scores, the evaluation committee may choose to make a “finalist list” of offeror’s; if opted for, all offeror’s will be notified of their status at this juncture by the Procurement Manager. Finalist Offeror’s may be required, at the option of the evaluation committee, to present their proposals and possibly demonstrate their Internet website to the evaluation committee. The Procurement Manager will schedule the time and location for each Offeror presentation. Each Offeror presentation will be of equal duration for all offeror’s and may also include an additional amount of time reserved for questions/answers. The sourcing team will evaluate each proposal that has passed the administrative requirements and met or exceeded the Section 3 and Section 5.1.1-5.1.5 Mandatory Requirements. WSCA-NASPO Data Communications Equipment and Associated Products #JP14001 Firm Name: Section Number: Evaluator: Date: Score

(0-5) Weight

Points

1. Demonstrated Ability to meet scope of requirements (25 points possible)

------- -------

Scope and Varity of products provided 8 points possible X 1.6

Experience and technical ability of manufacturer 7 points possible X 1.4

Maintenance Program 2 points possible X .40

Training Program 2 points possible X .40

Service Program 2 points possible X .40

Demonstrate Effective Reseller Program managed by the manufacturer in WSCA / NASPO States

4 points possible X .80

2. Demonstrate Qualifications and Technical Ability (10 points possible)

------- ---------

Technical Staff Qualifications 2 points possible X .40

Maintenance Staff Qualifications 2 points possible X .40

Training Staff Qualifications 2 points possible X .40

Technical Suitability of Products 4 points possible X .80

3. Demonstrate ability to supply WSCA / NASPO member 10 points possible X 2



States (10 points possible)

4. Company profile and references (20 points) ----- --------

Financial Statements and Records 10 points possible X 2

References, Reputation, Breadth and Depth of Offering 10 points possible X 2

5. Demonstrate ability to provide administrative support (5 points possible)

5 points possible X 1

6. Cost (30 points possible)* Services (10 Points) Product Offering Discount Percentage (20 points)

30 points possible ------- -------- * Inserted by Purchasing

TOTAL EVALUATION POINTS

(100 points possible)

Total

* Purchasing will use the following cost formula for the “Services”: The points assigned to each Offeror’s cost proposal will be based on the lowest proposal price. The offeror with the lowest Proposed Price will receive 100% of the price points. All other Offerors will receive a portion of the total cost points based on what percentage higher their Proposed Price is than the Lowest Proposed Price. An Offeror who’s Proposed Price is more than double (200%) the Lowest Proposed Price will receive no points. The formula to compute the points is: Cost Points x (2- Proposed Price/Lowest Proposed Price). Purchasing will use the following cost formula for the “Product Offering Discount Percentage”: The points assigned to each Offeror’s cost proposal will be based on the highest discount percentage. The Offeror with the highest discount percentage will receive 100% of the price points. All other Offerors will receive a portion of the total cost points based on what percentage lower their discount percentage is than the highest discount percentage. An Offeror who’s proposed percentage discount is less than double (200%) the highest discount percentage will receive no points. The formula to compute the points is: Cost Points x (2- Highest Proposed Discount/Proposed Discount).

F5 Response: The F5 response team has read the items listed in all the Sections and sub-sections in 6.4 and acknowledge that we understand and accept them.

Section 7: Master Agreement Terms and Conditions/Exceptions 7.1 WSCA-NASPO Master Agreement Terms and Conditions

7.1.1 The WSCA-NASPO Contract Administrator referred to in section 2 of the WSCA-NASPO Master Agreement Terms and Conditions is Debra Gunderson, State of Utah Division of Purchasing and General Services. This RFP represents the WSCA-NASPO Contract Administrator’s written approval of the modifications, waivers, alterations, amendments, and supplements to the Master Agreement Terms and Conditions made in this RFP and this Section 7. F5 Response: The F5 response team has read the items listed in Section 7.1.1 and acknowledges and accepts them. 7.1.2 Except as limited in this section or elsewhere in this RFP, Participating Entities who execute a Participating Addendum may alter, modify, supplement, or amend the WSCA-NASPO Master Agreement Terms and Conditions as necessary to comply with Participating Entity law or policy with respect to their orders under the Master Agreement. A Contractor may not deliver Products or perform services under this Master Agreement until a Participating Addendum acceptable to the Participating Entity and Contractor is executed. The -NASPO Terms and Conditions are applicable to any order by a Participating Entity, except to the extent altered, modified, supplemented or amended by a Participating Addendum. By way of illustration and not limitation, this authority may apply to unique delivery and invoicing requirements, confidentiality requirements, defaults on orders, governing law and venue relating to orders by a Participating Entity, Indemnification, and insurance requirements. Statutory or



constitutional requirements relating to availability of funds may require specific language in some Participating Addenda in order to comply with applicable law. The expectation is that these alterations, modifications, supplements, or amendments will be addressed in the Participating Addendum or, with the consent of the Participating Entity and Contractor, may be included in the commitment voucher (e.g. purchase order or contract) used by the Participating Entity to place the order. F5 Response: The F5 response team has read the items listed in Section 7.1.2 and acknowledges and accepts them. 7.1.3 The term Purchasing Entity and Participating Entity shall both mean “Participating Entity” as that term is defined in WSCA-NASPO Master Agreement Terms and Conditions. F5 Response: The F5 response team has read the items listed in Section 7.1.3 and acknowledges and accepts them. 7.1.4 With respect to section 11, Indemnification, the terms of any Participating Addendum may alter, modify, supplement, or amend the language in section 11 and may include a limitation of liability mutually agreeable to the Participating Entity and the Contractor.

F5 Response: The F5 response team has read the items listed in Section 7.1.4 and acknowledges and accepts them.

7.1.5 With regard to section 20, Participants, Participating Entities who are not states may under some circumstances sign their own Participating Addendum, subject to the approval of the Chief Procurement Official of the state where the Participating Entity is located. Contractors may upon request obtain a copy of the written authorization from the WSCA-NASPO Contract Administrator.

F5 Response: The F5 response team has read the items listed in Section 7.1.5 and acknowledges and accepts them.

7.2 Offeror Exceptions to Terms and Conditions

7.2.1 The Lead State discourages exceptions to contract terms and conditions in the RFP, attached Participating Entity terms and conditions (if any), and the WSCA-NASPO Master Agreement Terms and Conditions. As specified in this RFP, exceptions may cause a proposal to be rejected as nonresponsive when, in the sole judgment of the Lead State (and its evaluation team), the proposal appears to be conditioned on the exception or correction of what is deemed to be a deficiency or unacceptable exception would require a substantial proposal rewrite to correct. Moreover, Offerors are cautioned that award may be made on receipt of initial proposals without clarification or an opportunity for discussion, and the nature of exceptions would be evaluated. Further, the nature of exceptions will be considered in the competitive range determination if one is conducted. Exceptions will be evaluated to determine the extent to which the alternative language or approach poses unreasonable, additional risk to the state, is judged to inhibit achieving the objectives of the RFP, or whose ambiguity makes evaluation difficult and a fair resolution (available to all vendors) impractical given the timeframe for the RFP. F5 Response: The F5 response team has read the items listed in Section 7.2.1 and acknowledges and accepts them. 7.2.2 The Lead State will entertain exceptions to contract terms and conditions in this RFP, including the WSCA-NASPO Master Agreement Terms and Conditions. Offerors are strongly encouraged to be judicious in identifying exceptions. F5 Response: The F5 response team has read the items listed in Section 7.2.2 and acknowledges and accepts them.



7.2.3 Based on the market research conducted by the Lead State, the following provisions are intended to frame the contours of exceptions that may be acceptable, additional risk so long as the Offeror’s exceptions are specified with sufficient particularity. F5 Response: The F5 response team has read the items listed in Section 7.2.3 and acknowledges and accepts them. 7.2.4 The Lead State will consider Offeror standard terms for inspection and acceptance, so long as a reasonable time for acceptance is stated. However, the Participating Entities right to exercise revocation of acceptance under its Uniform Commercial Code must be preserved. Submit the standard terms with the offer and describe generally how commerciality in their use is established, e.g., identify publicly-available catalogs where the warranty terms are used and how long they have been in use. F5 Response: The F5 response team has proposed terms for inspections and acceptance in Section 26 of the WSCA-NASPO Master Agreement Terms and Conditions document. The F5 solutions being proposed have been available on our State of New York Office of General Services contract since 2009 and F5 has sold a significant volume via that contract to several public sector entities. In addition, F5 solutions are available on two GSA schedules, one held by Dell and the other by Carahsoft where F5 warranty provisions apply. The Dell GSA schedule has been in place since 2010 and the Carahsoft GSA schedule was established in 2011. 7.2.5 The Lead State will consider standard warranty and/or maintenance terms, but the alternative warranty and/or maintenance will be evaluated to determine whether they provide comparable protection to the warranty specified in section 30 of the WSCA-NASPO Master Agreement Terms and Conditions. Provide the terms of the warranty and maintenance in the offer. Also describe generally how commerciality is established for those terms, e.g., publicly-available catalogs the warranty terms are used and how long they have been in use. Provide one reference from a customer having comparable sales volume who is using the warranty and maintenance provisions, where the warranty term has expired, and who has exercised rights under the warranty. F5 Response: The F5 response team has included our standard warranty in Section 4.2 of our bid response. F5’s maintenance terms are available in the provided F5 Networks Additional Terms and Conditions document included in our bid response. The F5 solutions being proposed have been available on the State of New York Office of General Services contract since 2009 and F5 has sold a significant volume via that contract to several public sector entities. In addition, F5 solutions are available on two GSA schedules, one held by Dell and the other by Carahsoft where F5 warranty provisions apply. The Dell GSA schedule has been in place since 2010 and the Carahsoft GSA schedule was established in 2011. Listed below are two references as requested in this section:

Company Name Email Phone

University of North Carolina Sidney Stafford [email protected] 919-445-0124

Allrecipes.com Eamon Gavin [email protected] 206-436-7485

7.2.6 Intellectual property. The Lead State will consider license terms and conditions that as a minimum convey to Participating Entities a nonexclusive, irrevocable, perpetual, paid-up, royalty free license to use software or other intellectual property delivered with or inherent in the commodity or service, and to transfer the license rights to third parties for government purposes. Provide the terms of the license, including any terms that cover third party intellectual property used in the Offeror’s solution. Offerors should be aware that Participating Entities using federal funds may be required to negotiate additional or different terms to satisfy minimum rights requirements of their federal grants.





F5 Response: The F5 response team has included license terms in the End User License Agreement and Consulting Services terms provided in the F5 Networks Additional Terms and Conditions document included in our bid response. 7.2.7 Any limitation of liability provision – including any exclusion of damages clause – proposed by an Offeror to be the default limitation of liability provision under the Master Agreement must preserve a reasonable amount of direct damages for breach of contract, additionally permit the Participating Entity to recoup amounts paid for supplies or services not finally accepted (as in the case of advance or progress payments, if used), and preserve the right of the Participating Entity to be held harmless from costs of litigation as well as ultimate liability within limits agreed by the parties. Moreover, any limitation of liability clause proposed by an Offeror should be reciprocal, cover lost profits, and exclude claims or liability arising out of intellectual property infringement, bodily injury (including death), damage to tangible property, and data breach. Include the text of any such language if proposed. Further, provide contact information for a public entity, or private entity if no public entity exists, where the limitation of liability clause (or another clause substantially similar) operated to limit liability. If no such example exists, provide contact information for a state, or if no state exists, a higher education institution, or if none exists, a city or county represented by counsel in the negotiations who has agreed to the proposed terms and conditions. F5 Response: The F5 response team has included limitation of liability clauses in the Additional Terms and Conditions document included in our bid response. We are not aware of an example where the limitation of liability clause operated to limit liability in either a public or private entity. The State of Washington CTS is an example of a state that has agreed to the proposed terms and conditions. We have provided Phil Davis, Security Manager with CTS, as a reference. His contact information is listed in section 5.1.3. 7.2.8 The enumerated examples in subsection 7.2 are not intended to limit the ability of Offerors to propose additional, reasonable exceptions. For any other exception, where the exception is based on claims of standard or normal commercial practice, provide contact information for a state, or if no state exists, a higher education institution, or if none exists, a city or county represented by counsel in the negotiations who has agreed to the proposed terms and conditions. F5 Response: The F5 response team has included limitation of liability and disclaimer clauses in the Additional Terms and Conditions document included in our bid response. The State of Washington CTS is an example of a state that has agreed to the proposed terms and conditions. We have provided Phil Davis, Security Manager with CTS, as a reference. His contact information is listed in section 5.1.3.

7.3 WSCA-NASPO eMarket Center

7.3.1 In July 2011, WSCA-NASPO entered into a multi-year agreement with SciQuest, Inc. whereby SciQuest will provide certain electronic catalog hosting and management services to enable eligible WSCA-NASPO entity’s customers to access a central online website to view and/or shop the goods and services available from existing WSCA-NASPO Cooperative Contracts. The central online website is referred to as the WSCA-NASPO eMarket Center Contractor shall either upload a hosted catalog into the eMarket Center or integrate a punchout site with the eMarket Center. Supplier’s Interface with the eMarket Center There is no cost charged by SciQuest to the Contractor for loading a hosted catalog or integrating a punchout site. At a minimum, the Contractor agrees to the following:

1. Implementation Timeline: WSCA-NASPO eMarket Center Site Admin shall provide a written request

to the Contractor to begin enablement process. The Contractor shall have fifteen (15) days from receipt of written request to work with WSCA-NASPO and SciQuest to set up an enablement



schedule, at which time SciQuest’s technical documentation shall be provided to the Contractor. The schedule will include future calls and milestone dates related to test and go live dates. The contractor shall have a total of Ninety (90) days to deliver either a (1) hosted catalog or (2) punch-out catalog, from date of receipt of written request. F5 Response: The F5 response team has read the items listed in Section 7.3.1 and will work with WSCA-NASPO and SciQuest to set up an enablement schedule. F5 will comply and have either a hosted catalog or punch-out catalog delivered for use by WSCA participating entities.

2. Definition of Hosted and Punchout: WSCA-NASPO and SciQuest will work with the Contractor; to

decide which of the catalog structures (either hosted or punch-out as further described below) shall be provided by the Contractor. Whether hosted or punch-out, the catalog must be strictly limited to the Contractor’s awarded contract offering (e.g. products and/or services not authorized through the resulting cooperative contract should not be viewable by WSCA-NASPO Participating Entity users).

a. Hosted Catalog. By providing a hosted catalog, the Contractor is providing a list of its awarded products/services and pricing in an electronic data file in a format acceptable to SciQuest, such as Tab Delimited Text files. In this scenario, the Contractor must submit updated electronic data annually to the eMarket Center for WSCA-NASPO Contract Administrator’s approval to maintain the most up-to-date version of its product/service offering under the cooperative contract in the eMarket Center.

b. Punch-Out Catalog. By providing a punch-out catalog, the Contractor is providing its own online catalog, which must be capable of being integrated with the eMarket Center as a. Standard punch-in via Commerce eXtensible Markup Language (cXML). In this scenario, the Contractor shall validate that its online catalog is up-to-date by providing a written update quarterly to the Contract Administrator stating they have audited the offered products/services and pricing listed on its online catalog. The site must also return detailed UNSPSC codes (as outlined in line 3) for each line item. Contractor also agrees to provide e-Quote functionality to facilitate volume discounts.

F5 Response: The F5 response team has read the items listed in Section 7.3.1.2 and acknowledges them. F5 will limit catalog postings to the awarded contract offering. F5 will work with WSCA-NASPO and SciQuest to determine if the Hosted Catalog or Punch-Out Catalog is more efficient for F5 to implement during the 90-day window.

3. Revising Pricing and Product Offerings: Any revisions (whether an increase or decrease) to pricing or product/service offerings (new products, altered SKUs, etc.) must be pre-approved by the WSCA-NASPO Contract Administrator and shall be subject to any other applicable restrictions with respect to the frequency or amount of such revisions. However, no cooperative contract enabled in the eMarket Center may include price changes on a more frequent basis than once per quarter. The following conditions apply with respect to hosted catalogs:

a. Updated pricing files are required by the 1st of the month and shall go into effect in the

eMarket Center on the 1st day of the following month (i.e. file received on 1/01/14 would be

effective in the eMarket Center on 2/01/14). Files received after the 1st of the month may be

delayed up to a month (i.e. file received on 11/06/14 would be effect in the eMarket Center on 1/01/15).

b. Contract Administrator-approved price changes are not effective until implemented within the eMarket Center. Errors in the Contractor’s submitted pricing files will delay the implementation of the price changes in eMarket Center.

F5 Response: The F5 response team has read the items listed in Section 7.3.1.3 and acknowledges them. F5 will limit catalog uploads to once a quarter and understands the update publishing schedule.

4. Supplier Network Requirements: Contractor shall join the SciQuest Supplier Network (SQSN) and

shall use the SciQuest’s Supplier Portal to import the Contractor’s catalog and pricing, into the



SciQuest system, and view reports on catalog spend and product/pricing freshness. The Contractor can receive orders through electronic delivery (cXML) or through low-tech options such as fax. More information about the SQSN can be found at: www.sciquest.com or call the SciQuest Supplier Network Services team at 800-233-1121. F5 Response: The F5 response team has read the items listed in Section 7.3.1.4 and acknowledges them.

5. Minimum Requirements: Whether the Contractor is providing a hosted catalog or a punch-out catalog, the Contractor agrees to meet the following requirements:

a. Catalog must contain the most current pricing, including all applicable administrative fees and/or discounts, as well as the most up-to-date product/service offering the Contractor is authorized to provide in accordance with the cooperative contract; and

b. The accuracy of the catalog must be maintained by Contractor throughout the duration of the cooperative contract between the Contractor and the Contract Administrator; and

c. The Catalog must include a Lead State contract identification number; and d. The Catalog must include detailed product line item descriptions; and e. The Catalog must include pictures when possible; and f. The Catalog must include any additional WSCA-NASPO and Participating Addendum

requirements.* F5 Response: The F5 response team has read the items listed in Section 7.3.1.5 and acknowledges them.

6. Order Acceptance Requirements: Contractor must be able to accept Purchase Orders via fax or

cXML. a. The Contractor shall provide positive confirmation via phone or email within 24 hours of the

Contractor’s receipt of the Purchase Order. If the Purchasing Order is received after 3pm EST on the day before a weekend or holiday, the Contractor must provide positive confirmation via phone or email on the next business day.

F5 Response: The F5 response team has read the items listed in Section 7.3.1.6 and acknowledges them.

7. UNSPSC Requirements: Contractor shall support use of the United Nations Standard Product and Services Code (UNSPSC). UNSPSC versions that must be adhered to are driven by SciQuest for the suppliers and are upgraded every year. WSCA-NASPO reserves the right to migrate to future versions of the UNSPSC and the Contractor shall be required to support the migration effort. All line items, goods or services provided under the resulting statewide contract must be associated to a UNSPSC code. All line items must be identified at the most detailed UNSPSC level indicated by segment, family, class and commodity. More information about the UNSPSC is available at: http://www.unspsc.com and http://www.unspsc.com/FAQs.asp#howdoesunspscwork. F5 Response: The F5 response team has read the items listed in Section 7.3.1.7 and acknowledges them.

8. Applicability: Contractor agrees that WSCA-NASPO controls which contracts appear in the eMarket Center and that WSCA-NASPO may elect at any time to remove any supplier’s offering from the eMarket Center. F5 Response: The F5 response team has read the items listed in Section 7.3.1.8 and acknowledges them.

9. The WSCA-NASPO Contract Administrator reserves the right to approve the pricing on the eMarket Center. This catalog review right is solely for the benefit of the WSCA-NASPO Contract Administrator and Participating Entities, and the review and approval shall not waive the requirement

http://www.sciquest.com/

http://www.unspsc.com/

http://www.unspsc.com/FAQs.asp#howdoesunspscwork



that products and services be offered at prices (and approved fees) required by the Master Agreement. F5 Response: The F5 response team has read the items listed in Section 7.3.1.9 and acknowledges them.

* Although suppliers in the SQSN normally submit one (1) catalog, it is possible to have multiple contracts applicable to different WSCA-NASPO Participating Entities. For example, a supplier may have different pricing for state government agencies and Board of Regents institutions. Suppliers have the ability and responsibility to submit separate contract pricing for the same catalog if applicable. The system will deliver the appropriate contract pricing to the user viewing the catalog. Several WSCA-NASPO Participating Entities currently maintain separate SciQuest marketplaces, these Participating Entities do enable certain WSCA-NASPO Cooperative Contracts. In the event one of these entities elects to use this WSCA-NASPO Cooperative Contract (available through the eMarket Center) but publish to their own eMarketplace, the Contractor agrees to work in good faith with the entity and WSCA-NASPO to implement the catalog. WSCA-NASPO does not anticipate that this will require substantial additional efforts by the Contractor; however, the supplier agrees to take commercially reasonable efforts to enable such separate SciQuest catalogs.



Attachment C – Cost Schedule ________________________________________________________________________________________________

Solicitation Number JP14001 WSCA-NASPO Data Communications RFP

PRICING HAS BEEN REDACTED FOR TECHNICAL REVIEW PURPOSES

ATTACHMENT A

STATE OF UTAH STANDARD INFORMATION TECHNOLOGY TERMS AND CONDITIONS (FOR WSCA CONTRACTS and DTS RELATED CONTRACTS)

1. AUTHORITY: Provisions of this contract are pursuant to the authority set forth in 63G-6, Utah Code Annotated, 1953,

as amended, Utah State Procurement Rules (Utah Administrative Code Section R33), and related statutes which permit the State to purchase certain specified services, and other approved purchases for the State.

2. CONTRACT JURISDICTION, CHOICE OF LAW, AND VENUE: The provisions of this contract shall be governed by

the laws of the State of Utah. The parties will submit to the jurisdiction of the courts of the State of Utah for any dispute arising out of this Contract or the breach thereof. Venue shall be in Salt Lake City, in the Third Judicial District Court for Salt Lake County.

3. LAWS AND REGULATIONS: The Contractor and any and all supplies, services, equipment, and construction

furnished under this contract will comply fully with all applicable Federal and State laws and regulations, including applicable licensure and certification requirements.

4. RECORDS ADMINISTRATION: The Contractor shall maintain, or supervise the maintenance of all records

necessary to properly account for the payments made to the Contractor for costs authorized by this contract. These records shall be retained by the Contractor for at least four years after the contract terminates, or until all audits initiated within the four years, have been completed, whichever is later. The Contractor agrees to allow State and Federal auditors, and State Agency Staff, access to all the records to this contract, for audit and inspection, and monitoring of services. Such access will be during normal business hours, or by appointment.

5. CERTIFY REGISTRATION AND USE OF EMPLOYMENT "STATUS VERIFICATION SYSTEM”: The Status

Verification System, also referred to as “E-verify”, only applies to contracts issued through a Request for Proposal process, and to sole sources that are included within a Request for Proposal. It does not apply to Invitation for Bids or to the Multi-Step Process.

1. Status Verification System

(1) Each offeror and each person signing on behalf of any offeror certifies as to its own entity, under penalty of perjury, that the named Contractor has registered and is participating in the Status Verification System to verify the work eligibility status of the contractor’s new employees that are employed in the State of Utah in accordance with applicable immigration laws including UCA Section 63G-12-302.

(2) The Contractor shall require that the following provision be placed in each subcontract at every tier: “The subcontractor shall certify to the main (prime or general) contractor by affidavit that the subcontractor has verified through the Status Verification System the employment status of each new employee of the respective subcontractor, all in accordance with applicable immigration laws including UCA Section 63G-12-302 and to comply with all applicable employee status verification laws. Such affidavit must be provided prior to the notice to proceed for the subcontractor to perform the work.”

(3) The State will not consider a proposal for award, nor will it make any award where there has not been compliance with this Section.

(4) Manually or electronically signing the Proposal is deemed the Contractor’s certification of compliance with all provisions of this employment status verification certification required by all applicable status verification laws including UCA Section 63G-12-302.

2. Indemnity Clause for Status Verification System (1) Contractor (includes, but is not limited to any Contractor, Design Professional, Designer or Consultant) shall

protect, indemnify and hold harmless, the State and its officers, employees, agents, representatives and anyone that the State may be liable for, against any claim, damages or liability arising out of or resulting from violations of the above Status Verification System Section whether violated by employees, agents, or contractors of the following: (a) Contractor; (b) Subcontractor at any tier; and/or (c) any entity or person for whom the Contractor or Subcontractor may be liable.

(2) Notwithstanding Section 1. above, Design Professionals or Designers under direct contract with the State shall only be required to indemnify the State for a liability claim that arises out of the design professional's services, unless the liability claim arises from the Design Professional's negligent act, wrongful act, error or omission, or other liability imposed by law except that the design professional shall be required to indemnify the State in regard to subcontractors or subconsultants at any tier that are under the direct or indirect control or responsibility of the Design Professional, and includes all independent contractors, agents, employees or anyone else for whom the Design Professional may be liable at any tier.

6. CONFLICT OF INTEREST: Contractor represents that none of its officers or employees are officers or employees of

Comment [b1]: F5 proposed solution: We would like to clarify that these additional terms are subject to and incorporated into the WSCA-NASPO Master Agreement.

Comment [b2]: Agreed.





the State of Utah, unless disclosure has been made in accordance with 67-16-8, Utah Code Annotated, 1953, as amended.

7. CONFLICT OF INTEREST WITH STATE EMPLOYEES: In addition to the provisions of State of Utah Terms and

Conditions # 6, Conflict of Interest, the Contractor certifies that no person in the State’s employment, directly or through subcontract, will receive any private financial interest, direct or indirect, in the contract. The Contractor will not hire or subcontract with any person having such conflicting interest.

8. CONTRACTOR ACCESS TO SECURE STATE FACILITIES / CRIMINAL CONVICTION INFORMATION / FORMER FELONS: The Contractor shall provide (at its own expense) the State with sufficient personal information about its agents or employees, and the agents and employees of its subcontractors (if any) who will enter upon secure premises controlled, held, leased, or occupied by the State during the course of performing this contract so as to facilitate a criminal record check, at State expense. “Sufficient personal information” about its agents or employees, and the agents and employees of its subcontractors (if any) means for the Contractor to provide to the State Project Manager, in advance of any on-site work, a list of the full names of the designated employees, including their social security number, driver license number and the state of issuance, and their birth date. Thereafter, on their first site visit, each contractor employee expected to work on-site shall be fingerprinted by the State, and the State is authorized to conduct a federal criminal background check based upon those fingerprints and personal information provided. Contractor, in executing any duty or exercising any right under this contract, shall not cause or permit any of its agents or employees, and the agents and employees of its subcontractors (if any) who have been convicted of a felony and misdemeanors other than minor misdemeanors to enter upon any premises controlled, held, leased, or occupied by the State. A felony and misdemeanor are defined by the jurisdiction of the State of Utah, regardless of where the conviction occurred.

9. DRUG-FREE WORKPLACE: The Contractor agrees to abide by the Department of Technology Services (DTS)

drug-free workplace policies while on State of Utah premises. DTS will provide the Contractor with a copy of these written “drug-free workplace policies” upon request.

10. CODE OF CONDUCT: When Contractor employees are working on-site, the Contractor agrees to follow and enforce

DTS Policy 2000-001 Code of Conduct. If Contractor is working at facilities controlled by other State agencies, Contractor agrees to follow and enforce the Code of Conduct Policy of these other State agencies when Contractor is providing services at these facilities under provisions of this contract. The Contractor will assure that each employee or volunteer under Contractor’s supervision receives a copy of such Code of Conduct, and a signed statement to this effect must be in each Contractor or Subcontractor employee’s/volunteer’s file and is subject to inspection and review by the State’s monitors. Upon request, DTS agrees to provide Contractor with a copy of any applicable codes of conduct. If a Contractor or Subcontractor is working at any State agency which has a Code of Conduct applicable to this Contract, the DTS Project Manager will provide the Contractor with a copy in advance of the Contractor’s on-site contract services performance.

11. INDEMNITY CLAUSE: The Contractor agrees to indemnify, save harmless, and release the State of Utah, and all its

officers, agents, volunteers, and employees from and against any and all loss, damages, injury, liability, suits, and proceedings arising out of the performance of this contract which are caused in whole or in part by the acts or negligence of the Contractor's officers, agents, volunteers, or employees, but not for claims arising from the State's sole negligence. The parties agree that if there are any Limitations of the Contractor’s Liability, including a limitation of liability for anyone for whom the Contractor is responsible, such Limitations of Liability will not apply to injuries to persons, including death, or to damages to property.

12. EMPLOYMENT PRACTICES CLAUSE: The Contractor agrees to abide by the provisions of Title VI and VII of the

Civil Rights Act of 1964 (42USC 2000e) which prohibits discrimination against any employee or applicant for employment or any applicant or recipient of services, on the basis of race, religion, color, or national origin; and further agrees to abide by Executive Order No. 11246, as amended, which prohibits discrimination on the basis of sex; 45 CFR 90 which prohibits discrimination on the basis of age; and Section 504 of the Rehabilitation Act of 1973, or the Americans with Disabilities Act of 1990 which prohibits discrimination on the basis of disabilities. Also, the Contractor agrees to abide by Utah's Executive Order, dated March 17, 1993, which prohibits sexual harassment in the work place.

13. TERMINATION: Unless otherwise stated in the Special Terms and Conditions, this contract may be terminated, with

cause by either party, in advance of the specified termination date, upon written notice being given by the other party. The party in violation will be given ten (10) working days after notification to correct and cease the violations, after which the contract may be terminated for cause. This contract may be terminated without cause, in advance of the specified expiration date, by either party, upon sixty (60) days prior written notice being given the other party. On termination of this contract, all accounts and payments will be processed according to the financial arrangements set forth herein for approved services rendered to date of termination.



Comment [b9]: Proposed solution: F5 customarily does not disclose sensitive employee information to customers, but will certify that particular employees have passed a thorough background check and we can disclose the categories of background information checked.



Comment [b12]: Proposed solution: F5 would like to clarify that indemnification is for third party damages, and that exceptions to the limitations of liability will be limited to injuries to persons, including death, or to damages to tangible property, where F5 is at fault.


In the event of such termination, and professional services apply to the contract; the Contractor shall be

compensated for services properly performed under this Contract up to the effective date of the notice of termination. The Contractor agrees that in the event of such termination for cause or without cause, Contractor’s sole remedy and monetary recovery from the State is limited to full payment for all work properly performed as authorized under this Contract up to the date of termination as well as any reasonable monies owed as a result of the Contractor having to terminate contracts necessarily and appropriately entered into by the Contractor pursuant to this Contract. Contractor further acknowledges that in the event of such termination, all work product, which includes but is not limited to all manuals, forms, contracts, schedules, reports, and any and all documents produced by Contractor under this Contract up to the date of termination are the property of the State and shall be promptly delivered to the State.

14. SUSPENSION OF WORK: Should circumstances arise which would cause the State to suspend the work, but not

terminate the contract, this will be done by formal notice. The work may be reinstated upon advance formal notice from the State.

15. NONAPPROPRIATION OF FUNDS: The Contractor acknowledges that the State cannot contract for the payment of

funds not yet appropriated by the Utah State Legislature. If funding to the State is reduced due to an order by the Legislature or the Governor, or is required by State law, or if federal funding (when applicable) is not provided, the State may terminate this contract or proportionately reduce the services and purchase obligations and the amount due from the State upon 30 days written notice. In the case that funds are not appropriated or are reduced, the State will reimburse Contractor for products delivered or services performed through the date of cancellation or reduction, and the State will not be liable for any future commitments, penalties, or liquidated damages.

16. SALES TAX EXEMPTION: The State of Utah’s sales and use tax exemption number is 11736850-010-STC, located

at http://purchasing.utah.gov/contract/documents/salestaxexemptionformsigned.pdf. The tangible personal property or services being purchased are being paid from State funds and used in the exercise of that entity’s essential functions. If the items being purchased are construction materials, they will be converted into real property by employees of this government entity, unless otherwise stated in the contract.

17. SECURE PROTECTION AND HANDLING OF DATA:

1. Network Security: Contractor agrees at all times to maintain network security that - at a minimum - includes:

network firewall provisioning, intrusion detection, and regular third party penetration testing. Likewise Contractor agrees to maintain network security that conforms to one of the following:

a. Those standards the State of Utah applies to its own network, found at http://www.dts.utah.gov;

b. Current standards set forth and maintained by the National Institute of Standards and Technology, includes those at: http://web.nvd.nist.gov/view/ncp/repository/; or

c. Any generally recognized comparable standard that Contractor then applies to its own network and approved by DTS in writing.

2. Data security: Contractor agrees to protect and maintain the security of the State of Utah data with protection

that is at least as good as or better than that maintained by the State of Utah. These security measures included but are not limited to maintaining secure environments that are patched and up to date with all appropriate security updates as designated, (ex. Microsoft Notification).

3. Data Transmission: Contractor agrees that any and all transmission or exchange of system application data with the State of Utah and/or any other parties expressly designated by the State of Utah, shall take place via secure means, (ex. HTTPS or FTPS).

4. Data Storage: Contractor agrees that any and all State of Utah data will be stored, processed, and maintained solely on designated target servers approved of by DTS and that no State of Utah data at any time will be processed on or transferred to any portable or laptop computing device or any portable storage medium, unless such medium is part of the Contractor's designated backup and recovery process.

5. Data Encryption: Contractor agrees to store all State of Utah backup data as part of its designated backup and recovery process in encrypted form, using no less than 128 bit key.

6. Password Protection. Contractor agrees that any portable or laptop computer that has access to a State of Utah network, or stores any non-public State of Utah data is equipped with strong and secure password protection.

Comment [b14]: Proposed solution: F5 would like to clarify that the State will own all work product that is the property of State under this Agreement (see Section 26).




Comment [b18]: F5 proposed solution: We need to discuss with DTS what comparable standard will meet their approval. F5 has vulnerability scanning conducted by 3

rd parties

continuously on all external properties, and F5 maintains a 4 tier firewall structure, including public DMZ’s and corporate DMZ’s, that provide defense-in-depth to all customer interactions, customer support, and web-facing traffic.

Comment [b19]: F5 proposed solution: We would like to discuss the State’s data protection standard to confirm whether we meet it. F5’s patch requirements are triaged, verified, prioritized, and scheduled according to several interrelated workflow management processes.


Comment [b21]: F5 proposed solution: We would like to discuss what types of data may be disclosed to F5. Current F5 professional services and customer support work flows do not require storage of any customer sensitive data. F5 employs Bitlocker hard disk encryption on WIN laptops, and PGP Desktop, with hard disk encryption, is available to users on request.

Comment [b22]: F5 proposed solution: F5 does not presently encrypt tapes used for backup or disaster recovery operations.


http://web.nvd.nist.gov/view/ncp/repository

7. Data Re-Use: Contractor agrees that any and all data exchanged shall be used expressly and solely for the purpose enumerated in this Contract. Contractor further agrees that no State of Utah data of any kind shall be transmitted, exchanged or otherwise passed to other Contractors or interested parties except on a case-by-case basis as specifically agreed to in writing by DTS.

8. Data Destruction: The Contractor agrees that upon termination of this Agreement it shall erase, destroy, and

render unreadable all State of Utah data from all non-state computer systems and backups, and certify in writing that these actions have been completed within 30 days of the termination of this Agreement or within 7 days of the request of DTS, whichever shall come first.

18. NOTIFICATION AND DATA BREACHES: Contractor agrees to comply with all applicable laws that require the notification of individuals in the event of unauthorized release of personally-identifiable information or other events requiring notification in accordance with DTS Policy 5000-1250-PR1 Computer Incident Reporting Procedure (copy

available upon request). In the event of a data breach of any Contractor's security obligations or other event requiring notification under applicable law (Utah Code Annotated § 13-44-101 thru 301 et al), Contractor agrees at its own expense to assume responsibility for informing all such individuals in accordance with applicable laws and to indemnify, hold harmless and defend the State of Utah against any claims, damages, or other harm related to such Notification Event.

19. CHANGE MANAGEMENT: Contractor agrees to comply with DTS Change Management Policy 4000-0004. This DTS policy requires that any work performed by the Contractor that has the potential to cause any form of outage, or modify the State’s infrastructure architecture must first be reviewed by the DTS Change Management Committee, and coordinated accordingly. The DTS Project Manager will inform the Contractor if this change control requirement is applicable. Following this notification, any failure by the Contractor that causes outages or data security breaches caused by the Contractor as a direct result of failure to comply, will result in the Contractor’s liability for the damages.

For reference purposes, the latest version of DTS Change Management Policy 4000-0004 is detailed at http://dts.utah.gov/policies/documents/4000-0004changemanagementpolicy.pdf.

20. PUBLIC INFORMATION: Contractor agrees that the contract, related Sales Orders, and Invoices will be public documents, and may be available for distribution. Contractor gives the State express permission to make copies of the contract, related Sales Orders, and Invoices in accordance with the State of Utah Government Records Access and Management Act (GRAMA). Except for sections identified in writing and expressly approved by the State Division of Purchasing, Contractor also agrees that the Contractor’s response to the solicitation will be a public document, and copies may be given to the public under GRAMA laws. The permission to make copies as noted will take precedence over any statements of confidentiality, proprietary information, copyright information, or similar notation.

21. CREDITING STATE IN ADVERTISING / PUBLICITY: Any publicity given to the project or services provided herein

shall identify the State of Utah’s managing agency as the sponsoring agency and shall not be released without prior written approval by that State agency’s Project Manager.

22. STATE AGENCY WEB SITE BRANDING: The Contractor agrees to use the DTS logo, or a newer version if

replaced in the future, on websites produced under terms of this contract. Contractor further agrees to allow a State agency to also utilize their own web site branding and logo, if requested by that State agency.

23. ORDERING AND INVOICING: All orders will be shipped promptly in accordance with the delivery schedule. The

Contractor will promptly submit invoices (within 30 days of shipment or delivery of services) to the State. The State contract number and/or the agency purchase order number shall be listed on all invoices, freight tickets, and correspondence relating to the contract order. The prices paid by the State will be those prices listed in the contract. The State has the right to adjust or return any invoice reflecting incorrect pricing.

24. PROMPT PAYMENT DISCOUNT: Offeror may quote a prompt payment discount based upon early payment;

however, discounts offered for less than 30 days will not be considered in making the award. Contractor shall list Payment Discount Terms on invoices. The prompt payment discount will apply to payments made with purchasing cards and checks. The date from which discount time is calculated will be the date a correct invoice is received or receipt of shipment, whichever is later; except that if testing is performed, the date will be the date of acceptance of the merchandise.

25. PAYMENT: 1. Payments are normally made within 30 days following the date the order is delivered or the date a correct invoice

is received, whichever is later. After 60 days from the date a correct invoice is received by the appropriate State official, the Contractor may assess interest on overdue, undisputed account charges up to a maximum of the interest



Comment [b26]: F5 proposed solution: We would like to discuss what other events F5 will be held responsible for.





Comment [b31]: Proposed solution: F5 would like to clarify that product ordering and invoicing will be done through authorized data communications resellers.


http://dts.utah.gov/policies/documents/4000-0004changemanagementpolicy.pdf

rate paid by the IRS on taxpayer refund claims, plus two percent, computed similarly as the requirements of Utah Code Annotated Section 15-6-3. The IRS interest rate is adjusted quarterly, and is applied on a per annum basis, on the invoice amount that is overdue.

2. The contract total may be changed only by written amendment executed by authorized personnel of the parties.

Unless otherwise stated in the Contract, all payments to the Contractor will be remitted by mail, electronic funds transfer, or the State of Utah’s purchasing card (major credit card). The State of Utah will not allow the Contractor to charge end users electronic payment fees of any kind.

3. The acceptance by the Contractor of final payment without a written protest filed with the State within ten (10)

working days of receipt of final payment shall release the State from all claims and all liability to the Contractor for fees and costs of the performance of the services pursuant to this Contract.

4. Overpayment: The Contractor agrees that if during or subsequent to the contract performance, a CPA audit, or a

State agency audit determines that payments were incorrectly reported or paid the State may adjust the payments. The Contractor shall, upon written request, immediately refund to DTS any such overpayments. The Contractor further agrees that the State shall have the right to withhold any or all-subsequent payments under this or other contracts that the Contractor may have with the State until recoupment of overpayment is made.

5. Payment withholding: the Contractor agrees that the adequate reporting, record keeping, and compliance

requirements specified in this contract are a material element of performance and that if the Contractor’s record keeping practices, compliance, and/or reporting to DTS are not conducted in a timely and satisfactory manner, DTS may withhold part or all payments under this or any other contract until such deficiencies have been remedied. This includes, but is not limited to, Contractors failure to provide timely invoicing, and/or other requirements described elsewhere within this contract. In the event of the payment(s) being withheld, DTS agrees to provide ten (10) day advance Notice to the Contractor of the deficiencies that must be corrected in order to bring about the release of withheld payment. Contractor shall have ten (10) days thereafter to correct the cited reporting or record keeping practice deficiencies or the contract may be terminated.

26. COPYRIGHT: The contractor agrees that any and all Deliverables prepared for the State of Utah as required by this

contract, to the extent to which it is eligible under copyright law in any country, shall be deemed a work made for hire, such that all rights, title and interest in the work and Deliverables shall be exclusively owned by the State of Utah. State of Utah reserves a royalty-free, nonexclusive, and irrevocable license to reproduce, publish, or otherwise use and to authorize others to use for Federal or State Government purposes, such software, modifications and documentation. To the extent any Deliverable is deemed not to be, for any reason whatsoever, work made for hire, Contractor agrees to assign and hereby assigns all right title and interest, including but not limited to copyright patent, trademark and trade secret, to such Deliverables, and all extensions and renewals thereof, to the State of Utah. Contractor further agrees to provide all assistance reasonably requested by the State of Utah in the establishment, preservation, and enforcement of its rights in such Deliverables, without any additional compensation to Contractor. Contractor agrees to and hereby, to the extent permissible, waives all legal and equitable rights relating to the Deliverables, including without limitation any and all rights of identification of authorship and any and all rights of approval, restriction or limitation on use or subsequent modifications.

27. OWNERSHIP, PROTECTION AND USE OF RECORDS: Except for confidential medical records held by direct care

providers, the State shall own exclusive title to all information gathered, reports developed, and conclusions reached in performance of this Contract. The Contractor may not use, except in meeting its obligations under this contract, information gathered, reports developed, or conclusions reached in performance of this Contract without the express written consent of the State. The improper use or disclosure of any information concerning a State of Utah client, or a State of Utah employee for any purpose not directly connected with the administration of the State, or the Contractor’s responsibilities with respect to services purchased under this agreement, is prohibited except on written consent of the state agency employee, state agency client, their attorney, or their responsible parent or guardian. The Contractor will be required to sign a Confidential Information Certification form in situations where they will be given access to confidential computerized records. The Contractor agrees to maintain the confidentiality of records it holds as agent for the State as required by Government Records Access and Management Act (“GRAMA”), or other applicable federal or state law. The State of Utah shall own and retain unlimited rights to use, disclose, or duplicate all information and data (copyrighted or otherwise) developed, derived, documented, stored, or furnished by the Contractor under the Contract. The Contractor, and any subcontractors under its control, expressly agrees not to use confidential client, or confidential federal, state, or local government data, without prior written permission from the State of Utah Project Manager and appropriate officials of the State Agency.

28. OWNERSHIP, PROTECTION, AND USE OF CONFIDENTIAL FEDERAL, STATE, OR LOCAL GOVERNMENT

INTERNAL BUSINESS PROCESSES AND PROCEDURES: The improper use or disclosure by any party of protected internal Federal or State business processes, polices, procedures, or practices is prohibited. Confidential




Comment [b36]: Proposed solution: F5 would like to remove the withholding payments remedy, and accept the rest of the clause.

Comment [b37]: Proposed solution: F5 would like to remove the withholding payments remedy, and accept the rest of the clause.

Comment [b38]: Proposed solution: F5 would like to clarify that F5 will own developments and configurations of our core products and fully license such developments to the State.

Comment [b39]: Proposed solution: F5 would like to clarify that F5 will own developments and configurations of our core products and fully license such developments to the State.

federal or state business processes, policies, procedures, or practices shall not be divulged by the Contractor, Contractor’s employees, or their Subcontractors, unless prior written consent has been obtained in advance from the State of Utah Project Manager.

29. OWNERSHIP, PROTECTION, AND RETURN OF DOCUMENTS AND DATA UPON CONTRACT TERMINATION

OR COMPLETION: All documents and data pertaining to work required by this contract will be the property of the State and must be delivered to the State within 30 working days after termination or completion of the contract, regardless of the reason for contract termination, and without restriction or limitation to their future use. Any State data that may be returned under provisions of this clause must either be in the format as originally provided, or in a format that is readily usable by the State or that can be formatted in a way that it can be used. Costs for all of these described items will be considered as included in the basic contract compensation of the work described used by the State.

30. CONFIDENTIALITY: Contractor, and anyone for whom the Contractor may be liable, must maintain the

confidentiality of any non-public personal information. Personal information includes, but is not limited to, names, social security numbers, birth dates, address, credit card numbers and financial account numbers. The State reserves the right to identify additional reasonable types or categories of information that must be kept confidential by the Contractor and anyone for whom the Contractor may be liable. This duty of confidentiality shall be ongoing and survive the term of this contract.

31. TERMINATION UPON DEFAULT: In the event this contract is terminated as a result of a default by the Contractor,

the State may procure or otherwise obtain, upon such terms and conditions as the State deems appropriate, services similar to those terminated, and Contractor shall be liable to the State for any and all damages arising there from, including, but not limited to, attorneys’ fees and excess costs incurred by the State in obtaining similar services.

32. PROCUREMENT ETHICS: The Contractor understands that a person who is interested in any way in the sale of any

supplies, services, construction, or insurance to the State of Utah is violating the law if the person gives or offers to give any compensation, gratuity, contribution, loan or reward, or any promise thereof to any person acting as a procurement officer on behalf of the State, or who in any official capacity participates in the procurement of such supplies, services, construction, or insurance, whether it is given for their own use or for the use or benefit of any other person or organization (63G-6-1002, Utah Code Annotated, 1953, as amended).

33. WORKERS’ COMPENSATION: The Contractor shall furnish proof to the State, upon request and maintain during

the life of this contract, workers’ compensation insurance for all its employees as well as any subcontractor employees related to this contract.

34. LIABILITY INSURANCE: The Contractor agrees to provide and to maintain during the performance of the contract,

at its sole expense, a policy of liability insurance. The limits of the policy shall be no less than $1,000,000.00 for each occurrence and $3,000,000.00 aggregate.

It shall be the responsibility of the Contractor to require any of their Subcontractor(s) to secure the same insurance coverage as prescribed herein for the Contractor.

35. ENTIRE AGREEMENT: This Agreement, including all Attachments, and documents incorporated hereunder, and the

related State Solicitation constitutes the entire agreement between the parties with respect to the subject matter, and supersedes any and all other prior and contemporaneous agreements and understandings between the parties, whether oral or written. The terms of this Agreement shall supersede any additional or conflicting terms or provisions that may be set forth or printed on the Contractor’s work plans, cost estimate forms, receiving tickets, invoices, or any other related standard forms or documents of the Contractor that may subsequently be used to implement, record, or invoice services hereunder from time to time, even if such standard forms or documents have been signed or initialed by a representative of the State. The parties agree that the terms of this Agreement shall prevail in any dispute between the terms of this Agreement and the terms printed on any such standard forms or documents, and such standard forms or documents shall not be considered written amendments of this Agreement.

36. SURVIVORSHIP: This paragraph defines the specific contractual provisions that will remain in effect after the

completion of or termination of this contract, for whatever reason: (a) State of Utah Standard IT Terms and Conditions # 2, Contract Jurisdiction, Choice of Law, and Venue; (b) State of Utah Standard IT Terms and Conditions # 17, Secure Protection and Handling of Data; (c) State of Utah Standard IT Terms and Conditions # 18, Notification and Data Breaches; (d) State of Utah Standard IT Terms and Conditions # 26, Copyright; (e) State of Utah Standard IT Terms and Conditions #27, Ownership, Protection, and Use of Records, including Residuals of such records; and (f) State of Utah Standard IT Terms and Conditions # 28, Ownership, Protection, and Use of Confidential Federal, State, or Local Government Internal Business Processes, including Residuals of such confidential business processes; (g) State of Utah Standard IT Terms and Conditions # 29, Ownership, Protection, and Return of Documents and Data


Comment [b41]: Proposed solution: F5 would like to clarify that F5 will own developments and configurations of our core products and license such developments to the State for its use.


Comment [b43]: Proposed solution: F5 would like to discuss limiting damages to direct damages.





Upon Contract Termination or Completion; and (h) State of Utah Standard IT Terms and Conditions # 30, Confidentiality.

37. WAIVER: The waiver by either party of any provision, term, covenant or condition of this Contract shall not be

deemed to be a waiver of any other provision, term, covenant or condition of this Contract nor any subsequent breach of the same or any other provision, term, covenant or condition of this Contract.

If professional services are applicable to this solicitation/contract, the following terms and conditions apply: 38. TIME: The Contractor shall complete the scope of services work in a manner to achieve any milestones identified in

the procurement documents related to this Contract and the attachments to this Contract. The full scope of services work shall be completed by any applicable deadline stated in the solicitation.

39. TIME IS OF THE ESSENCE: For all work and services under this Contract, time is of the essence and Contractor

shall be liable for all damages to the State of Utah and anyone for whom the State of Utah may be liable, as a result of the failure to timely complete the scope of work required under this Contract.

40. CHANGES IN SCOPE: Any changes in the scope of the services to be performed under this Contract shall be in the

form of a written amendment to this Contract, mutually agreed to and signed by duly authorized representatives of both parties, specifying any such changes, fee adjustments, any adjustment in time of performance, or any other significant factors arising from the changes in the scope of services.

41. PERFORMANCE EVALUATION: The State of Utah may conduct a performance evaluation of the Contractor’s

services, including specific personnel of the Contractor. References in the Contract to Contractor shall include Contractor, Contractor’s subcontractors, or subconsultants at any tier, if any. Results of any evaluation will be made available to the Contractor.

42. WAIVERS: No waiver by the State or Contractor of any default shall constitute a waiver of the same default at a later

time or of a different default. 43. INSURANCE: 1. To protect against liability, loss and/or expense in connection with the performance of services described under

this Contract, the Contractor shall obtain and maintain in force during the entire period of this Contract without interruption, at its own expense, insurance as listed below from insurance companies authorized to do business in the State of Utah and with an A.M. Best rating as approved by the State of Utah Division of Risk Management.

2. The following are minimum coverages that may be supplemented by additional requirements contained in the

solicitation for this Contract or provided in an Attachment to this Contract; if no insurance limits are identified in the solicitation, insurance minimums will default to Section 44. Liability Insurance Requirements:

(1) Worker’s Compensation Insurance and Employers’ Liability Insurance. Worker’s compensation insurance shall cover full liability under the worker’s compensation laws of the jurisdiction in which the service is performed at the statutory limits required by said jurisdiction.

(2) Professional liability insurance in the amount as described in the solicitation for this Contract, if applicable. (3) Any other insurance described in the solicitation for this Contract, if applicable. 3. Any type of insurance or any increase of limits of liability not described in this Contract which the Contractor

requires for its own protection or on account of any statute, rule, or regulation shall be its own responsibility, and shall be provided at Contractor’s own expense.

4. The carrying of insurance required by this Contract shall not be interpreted as relieving the Contractor of any other

responsibility or liability under this Contract or any applicable law, statute, rule, regulation, or order. 44. STANDARD OF CARE: The services of Contractor and its subcontractors and subconsultants at any tier, if any,

shall be performed in accordance with the standard of care exercised by licensed members of their respective professions having substantial experience providing similar services which similarities include the type, magnitude and complexity of the services that are the subject of this Contract. The Contractor shall be liable to the State of Utah for claims, liabilities, additional burdens, penalties, damages or third party claims (i.e. another Contractor’s claim against the State of Utah), to the extent caused by wrongful acts, errors or omissions that do not meet this standard of care.

45. STATE REVIEWS, LIMITATIONS: The right of the State to perform plan checks, plan reviews, other reviews and/or

comment upon the services of the Contractor, as well as any approval by the State, shall not be construed as relieving










the Contractor from its professional and legal responsibility for services required under this Contract. No review by the State or any entity/user, approval or acceptance, or payment for any of the services required under this Contract shall be construed to operate as a waiver by the State of any right under this Contract or of any cause of action arising out of the performance or nonperformance of this Contract, and the Contractor shall be and remain liable to the State in accordance with applicable law for all damages to the State caused by the wrongful acts, errors and/or omissions of the Contractor or its subcontractors or subconsultants at any tier, if any.

(Revised July 1, 2013)


1

WSCA-NASPO Master Agreement Terms and Conditions

1. AGREEMENT ORDER OF PRECEDENCE: The Master Agreement shall consist of the following documents: 1. A Participating Entity’s Participating Addendum (“PA”); 2. WSCA-NASPO Master Agreement Terms and Conditions; 3. The Statement of Work; 4. The Solicitation; and 5. Contractor's response to the Solicitation. These documents shall be read to be consistent and complementary. Any conflict among these

documents shall be resolved by giving priority to these documents in the order listed above. Contractor

terms and conditions that apply to this Master Agreement are only those that are expressly accepted by

the Lead State and must be in writing and attached to this Master Agreement as an Exhibit or

Attachment. No other terms and conditions shall apply, including terms and conditions listed in the

Contractor’s response to the Solicitation, or terms listed or referenced on the Contractor's website, in the

Contractor quotation/sales order or in similar documents subsequently provided by the Contractor.

2. AMENDMENTS The terms of this Master Agreement shall not be waived, altered, modified,

supplemented or amended in any manner whatsoever without prior written approval of the WSCA-

NASPO Contract Administrator.

3. ASSIGNMENT/SUBCONTRACT Contractor shall not assign, sell, transfer, subcontract or sublet rights,

or delegate responsibilities under this contract, in whole or in part, without the prior written approval of the

WSCA-NASPO Contract Administrator.

4. CANCELLATION Unless otherwise stated in the special terms and conditions, any Master Agreement

may be canceled by either party upon 60 days notice, in writing, prior to the effective date of the

cancellation. Further, any Participating State may cancel its participation upon 30 days written notice,

unless otherwise limited or stated in the special terms and conditions of this solicitation. Cancellation

may be in whole or in part. Any cancellation under this provision shall not effect the rights and obligations

attending orders outstanding at the time of cancellation, including any right of and Purchasing Entity to

indemnification by the Contractor, rights of payment for goods/services delivered and accepted, and

rights attending any warranty or default in performance in association with any order. Cancellation of the

Master Agreement due to Contractor default may be immediate.

5. CONFIDENTIALITY, NON-DISCLOSURE AND INJUNCTIVE RELIEF

5.1 Confidentiality. Contractor acknowledges that it and its employees or agents may, in the course of

providing the Product under this Master Agreement, be exposed to or acquire information that is



Comment [b3]: F5 proposed solution: F5 would like to discuss the possibility of assignment in the event of merger.



2

confidential to Participating Entity or Participating Entity’s clients. Any and all information of any form that

is marked as confidential or would by its nature be deemed confidential obtained by Contractor or its

employees or agents in the performance of this Master Agreement, including, but not necessarily limited

to (a) any Participating Entity records, (b) personnel records, and (c) information concerning individuals, is

confidential information of Participating Entity (“Confidential Information”). Any reports or other

documents or items (including software) that result from the use of the Confidential Information by

Contractor shall be treated in the same manner as the Confidential Information. Confidential Information

does not include information that (a) is or becomes (other than by disclosure by Contractor) publicly

known; (b) is furnished by Participating Entity to others without restrictions similar to those imposed by

this Master Agreement; (c) is rightfully in Contractor’s possession without the obligation of nondisclosure

prior to the time of its disclosure under this Master Agreement; (d) is obtained from a source other than

Participating Entity without the obligation of confidentiality, (e) is disclosed with the written consent of

Participating Entity or; (f) is independently developed by employees, agents or subcontractors of

Contractor who can be shown to have had no access to the Confidential Information.

5.2 Non-Disclosure. Contractor shall hold Confidential Information in confidence, using at least the

industry standard of confidentiality, and not to copy, reproduce, sell, assign, license, market, transfer or

otherwise dispose of, give, or disclose Confidential Information to third parties or use Confidential

Information for any purposes whatsoever other than the performance of this Master Agreement to

Participating Entity hereunder, and to advise each of its employees and agents of their obligations to keep

Confidential Information confidential. Contractor shall use commercially reasonable efforts to assist

Participating Entity in identifying and preventing any unauthorized use or disclosure of any Confidential

Information. Without limiting the generality of the foregoing, Contractor shall advise Participating Entity

immediately if Contractor learns or has reason to believe that any person who has had access to

Confidential Information has violated or intends to violate the terms of this Master Agreement and

Contractor shall at its expense cooperate with Participating Entity in seeking injunctive or other equitable

relief in the name of Participating Entity or Contractor against any such person. Except as directed by

Participating Entity, Contractor will not at any time during or after the term of this Master Agreement

disclose, directly or indirectly, any Confidential Information to any person, except in accordance with this

Master Agreement, and that upon termination of this Master Agreement or at Participating Entity’s

request, Contractor shall turn over to Participating Entity all documents, papers, and other matter in

Contractor's possession that embody Confidential Information. Notwithstanding the foregoing, Contractor

may keep one copy of such Confidential Information necessary for quality assurance, audits and

evidence of the performance of this Master Agreement.

5.3 Injunctive Relief. Contractor acknowledges that breach of this Section, including disclosure of any

Confidential Information, will cause irreparable injury to Participating Entity that is inadequately

compensable in damages. Accordingly, Participating Entity may seek and obtain injunctive relief against

the breach or threatened breach of the foregoing undertakings, in addition to any other legal remedies

that may be available. Contractor acknowledges and agrees that the covenants contained herein are

necessary for the protection of the legitimate business interests of Participating Entity and are reasonable

in scope and content.

6. DEBARMENT The contractor certifies that neither it nor its principals are presently debarred,

suspended, proposed for debarment, declared ineligible, or voluntarily excluded from participation in this

transaction (contract) by any governmental department or agency. If the contractor cannot certify this

statement, attach a written explanation for review by WSCA-NASPO.

7. DEFAULTS & REMEDIES


3

a. The occurrence of any of the following events shall be an event of default under this Master Agreement:

i. Nonperformance of contractual requirements; or ii. A material breach of any term or condition of this Master Agreement; or iii. Any representation or warranty by Contractor in response to the solicitation or in this Master Agreement proves to be untrue or materially misleading; or iv. Institution of proceedings under any bankruptcy, insolvency, reorganization or similar law, by or against Contractor, or the appointment of a receiver or similar officer for Contractor or any of its property, which is not vacated or fully stayed within thirty (30) calendar days after the institution or occurrence thereof; or v. Any default specified in another section of this Master Agreement.

b. Upon the occurrence of an event of default, Lead State shall issue a written notice of default, identifying the nature of the default, and providing a period of 15 calendar days in which Contractor shall have an opportunity to cure the default. The Lead State shall not be required to provide advance written notice or a cure period and may immediately terminate this Master Agreement in whole or in part if the Lead State, in its sole discretion, determines that it is reasonably necessary to preserve public safety or prevent immediate public crisis. Time allowed for cure shall not diminish or eliminate Contractor’s liability for damages, including liquidated damages to the extent provided for under this Master Agreement. c. If Contractor is afforded an opportunity to cure and fails to cure the default within the period specified in the written notice of default, Contractor shall be in breach of its obligations under this Master Agreement and Lead State shall have the right to exercise any or all of the following remedies:

i. Exercise any remedy provided by law; and ii. Terminate this Master Agreement and any related Contracts or portions thereof; and iii. Impose liquidated damages as provided in this Master Agreement; and iv. Suspend Contractor from receiving future bid solicitations; and v. Suspend Contractor’s performance; and vi. Withhold payment until the default is remedied.

d. In the event of a default under a Participating Addendum, a Participating Entity shall provide a written notice of default as described in this section and have all of the rights and remedies under this paragraph regarding its participation in the Master Agreement, in addition to those set forth in its Participating Addendum. 8. DELIVERY Unless otherwise indicated in the Master Agreement, the prices are the delivered price to

any Participating State agency or political subdivision. All deliveries shall be F.O.B. destination with all

transportation and handling charges paid by the contractor. Responsibility and liability for loss or damage

shall remain the Contractor until final inspection and acceptance when responsibility shall pass to the

Buyer except as to latent defects, fraud and Contractor’s warranty obligations. The minimum shipment

amount will be found in the special terms and conditions. Any order for less than the specified amount is

to be shipped with the freight prepaid and added as a separate item on the invoice. Any portion of an

order to be shipped without transportation charges that is back ordered shall be shipped without charge.

9. FORCE MAJEURE Neither party to this Master Agreement shall be held responsible for delay or

default caused by fire, riot, acts of God and/or war which is beyond that party’s reasonable control.

WSCA-NASPO may terminate this Master Agreement after determining such delay or default will

reasonably prevent successful performance of the Master Agreement.

10.GOVERNING LAW This procurement and the resulting agreement shall be governed by and

construed in accordance with the laws of the state sponsoring and administering the procurement. The

construction and effect of any Participating Addendum or order against the Master Agreement(s) shall be

governed by and construed in accordance with the laws of the Participating Entity’s State. Venue for any

claim, dispute or action concerning an order placed against the Master Agreement(s) or the effect of an

Participating Addendum shall be in the Purchasing Entity’s State.



Comment [b9]: F5 proposed solution: It does not appear that liquidated damages are provided for under this agreement, so F5would propose to delete this remedy and the withholding payment remedy. F5 would also like to propose industry standard warranty disclaimers and limitations of liability for indirect damages and cap for damages.


Comment [b11]: Proposed solution: F5 would like to clarify that latent defects after the warranty period are covered by the support agreement.



4

11. INDEMNIFICATION The Contractor shall defend, indemnify and hold harmless WSCA-NASPO, the

Lead State and Participating Entities along with their officers, agencies, and employees as well as any

person or entity for which they may be liable from and against claims, damages or causes of action

including reasonable attorneys’ fees and related costs for any death, injury, or damage to property arising

from act(s), error(s), or omission(s) of the Contractor, its employees or subcontractors or volunteers, at

any tier, relating to the performance under the Master Agreement. This section is not subject to any

limitations of liability in this Master Agreement or in any other document executed in conjunction with this

Master Agreement

12. INDEMNIFICATION – INTELLECTUAL PROPERTY The Contractor shall defend, indemnify and

hold harmless WSCA-NASPO, the Lead State and Participating Entities along with their officers,

agencies, and employees as well as any person or entity for which they may be liable ("Indemnified

Party") from and against claims, damages or causes of action including reasonable attorneys’ fees and

related costs arising out of the claim that the Product or its use, infringes Intellectual Property rights

("Intellectual Property Claim"). The Contractor’s obligations under this section shall not extend to any

combination of the Product with any other product, system or method, unless:

(1) the Product, system or method is:

(a) provided by the Contractor or the Contractor’s subsidiaries or affiliates;

(b) specified by the Contractor to work with the Product; or

(c) reasonably required, in order to use the Product in its intended manner, and the infringement could not

have been avoided by substituting another reasonably available product, system or method capable of

performing the same function; or

(2) it would be reasonably expected to use the Product in combination with such product, system or

method.

The Indemnified Party shall notify the Contractor within a reasonable time after receiving notice of an

Intellectual Property Claim. Even if the Indemnified Party fails to provide reasonable notice, the

Contractor shall not be relieved from its obligations unless the Contractor can demonstrate that it was

prejudiced in defending the Intellectual Property Claim resulting in increased expenses or loss to the

Contractor. If the Contractor promptly and reasonably investigates and defends any Intellectual Property

Claim, it shall have control over the defense and settlement of it. However, the Indemnified Party must

consent in writing for any money damages or obligations for which it may be responsible. The Indemnified

Party shall furnish, at the Contractor’s reasonable request and expense, information and assistance

necessary for such defense. If the Contractor fails to vigorously pursue the defense or settlement of the

Intellectual Property Claim, the Indemnified Party may assume the defense or settlement of it and the

Contractor shall be liable for all costs and expenses, including reasonable attorneys’ fees and related

costs, incurred by the Indemnified Party in the pursuit of the Intellectual Property Claim. This section is

not subject to any limitations of liability in this Master Agreement or in any other document executed in

conjunction with this Master Agreement.

13. INDEPENDENT CONTRACTOR The contractor shall be an independent contractor, and as such

shall have no authorization, express or implied to bind WSCA-NASPO or the respective states to any

agreements, settlements, liability or understanding whatsoever, and agrees not to perform any acts as

agent for WSCA-NASPO or the states, except as expressly set forth herein.

14. INDIVIDUAL CUSTOMER Except to the extent modified by a Participating Addendum, each Participating Entity shall follow the terms and conditions of the Master Agreement and applicable Participating Addendum and will have the same rights and responsibilities for their purchases as the Lead

Comment [b14]: F5 proposed solution: F5 would like to limit this indemnification to third party claims due to F5’s negligence or willful misconduct for death, personal injury, or damage to tangible property, and add notice and control provisions in line with Section 12.

Comment [b15]: F5 proposed solution: F5 would like to clarify that F5 will be responsible for defending its intellectual property, and that indemnification will be limited where infringement is due to alterations made by customer or where customer has been notified that an updated version of the product is available and not infringing.


5

State has in the Master Agreement, including but not limited to, any indemnity or to recover any costs allowed in the Master Agreement and applicable Participating Addendum for their purchases. Each Participating Entity will be responsible for its own charges, fees, and liabilities. The Contractor will apply the charges and invoice each Participating Entity individually.

15. INSURANCE Contractor shall, during the term of this Master Agreement, maintain in full force and effect, the insurance described in this section. Contractor shall acquire such insurance from an insurance carrier or carriers licensed to conduct business in the Participating Entity’s state and having a rating of A -, Class VII or better, in the most recently published edition of Best’s Reports. Failure to buy and maintain the required insurance may result in this Master Agreement’s termination or at a Participating Entity’s option, result in termination of its Participating Addendum.

Coverage shall be written on an occurrence basis. The minimum acceptable limits shall be as indicated

below, with no deductible for each of the following categories:

a) Commercial General Liability covering the risks of bodily injury (including death), property damage and

personal injury, including coverage for contractual liability, with a limit of not less than $1 million per

occurrence/$2 million general aggregate;

b) Contractor must comply with any applicable State Workers Compensation or Employers Liability

Insurance requirements.

Contractor shall pay premiums on all insurance policies. Such policies shall also reference this Master

Agreement and shall have a condition that they not be revoked by the insurer until thirty (30) calendar

days after notice of intended revocation thereof shall have been given to Participating Entity by the

Contractor.

Prior to commencement of the work, Contractor shall provide to the Participating Entity a written

endorsement to the Contractor’s general liability insurance policy that (i) names the Participating Entity as

an additional insured, (ii) provides that no material alteration, cancellation, non-renewal, or expiration of

the coverage contained in such policy shall have effect unless the named Participating Entity has been

given at least thirty (30) days prior written notice, and (iii) provides that the Contractor’s liability insurance

policy shall be primary, with any liability insurance of the Participating Entity as secondary and

noncontributory.

Contractor shall furnish to Participating Entity copies of certificates of all required insurance within thirty

(30) calendar days of the Participating Addendum’s effective date and prior to performing any work.

Copies of renewal certificates of all required insurance shall be furnished within thirty (30) days after

renewal date. These certificates of insurance must expressly indicate compliance with each and every

insurance requirement specified in this section. Failure to provide evidence of coverage may, at State’s

sole option, result in this Master Agreement’s termination.

Coverage and limits shall not limit Contractor’s liability and obligations under this Master Agreement.

16. LAWS AND REGULATIONS Any and all supplies, services and equipment offered and furnished

shall comply fully with all applicable Federal and State laws and regulations.

17. LICENSE OF PRE-EXISTING INTELLECTUAL PROPERTY Contractor grants to the Participating

Entity a nonexclusive, perpetual, royalty-free, irrevocable, unlimited license to publish, translate,

reproduce, modify, deliver, perform, display, and dispose of the Intellectual Property, and its derivatives,

used or delivered under this Master Agreement, but not created under it (“Pre-existing Intellectual

Property”). The license shall be subject to any third party rights in the Pre-existing Intellectual Property.

Comment [b17]: F5 proposed solutions: F5 would like to clarify here that products will be ordered through authorized data communications resellers.



6

Contractor shall obtain, at its own expense, on behalf of the Participating Entity, written consent of the

owner for the licensed Pre-existing Intellectual Property.

18. NO WAIVER OF SOVEREIGN IMMUNITY In no event shall this Master Agreement, any Participating

Addendum or any contract or any purchase order issued thereunder, or any act of a Lead State or a

Participating Entity, be a waiver by the Participating Entity of any form of defense or immunity, whether

sovereign immunity, governmental immunity, immunity based on the Eleventh Amendment to the

Constitution of the United States or otherwise, from any claim or from the jurisdiction of any court.

If a claim must be brought in a federal forum, then it must be brought and adjudicated solely

and exclusively within the United States District Court for the Participating State. This section

applies to a claim brought against the Participating State only to the extent Congress has

appropriately abrogated the Participating State’s sovereign immunity and is not consent by the

Participating State to be sued in federal court. This section is also not a waiver by the

Participating State of any form of immunity, including but not limited to sovereign immunity and

immunity based on the Eleventh Amendment to the Constitution of the United States.

19. ORDER NUMBERS Master Agreement order and purchase order numbers shall be clearly shown on

all acknowledgments, shipping labels, packing slips, invoices, and on all correspondence.

20. PARTICIPANTS WSCA-NASPO is the cooperative purchasing arm of the National Association of

State Procurement Officials. It is a cooperative group contracting consortium for state government

departments, institutions, agencies and political subdivisions (e.g., colleges, school districts, counties,

cities, etc.,) for all 50 states, the District of Columbia and the organized US territories. Obligations under

this Master Agreement are limited to those Participating States who have signed a Participating

Addendum where contemplated by the solicitation. Financial obligations of Participating States are

limited to the orders placed by the departments or other state agencies and institutions having available

funds. Participating States incur no financial obligations on behalf of political subdivisions. Unless

otherwise specified in the solicitation, the resulting award(s) will be permissive.

21. ENTITY PARTICIPATION Use of specific WSCA-NASPO cooperative Master Agreements by state

agencies, political subdivisions and other entities (including cooperatives) authorized by individual state’s

statutes to use state contracts are subject to the approval of the respective State Chief Procurement

Official. Issues of interpretation and eligibility for participation are solely within the authority of the

respective State Chief Procurement Official.

22.PAYMENT Payment for completion of a contract order is normally made within 30 days following the

date the entire order is delivered or the date a correct invoice is received, whichever is later. After 45

days the Contractor may assess overdue account charges up to a maximum rate of one percent per

month on the outstanding balance. Payments will be remitted by mail. Payments may be made via a

State or political subdivision “Purchasing Card” with no additional charge.

23. PUBLIC INFORMATION This Master Agreement and all related documents are subject to disclosure

pursuant to the Participating Entity’s public information laws.

24. RECORDS ADMINISTRATION AND AUDIT The contractor will maintain, or supervise the

maintenance of all records necessary to properly account for the payments made to the contractor for

costs authorized by this Master Agreement. These records will be retained by the contractor for at least

four years after the Master Agreement terminates, or until all audits initiated within the four years have

Comment [b20]: F5 proposed solution: F5 would like to clarify here that our products are commercial off –the-shelf items, and the license is therefore limited to use for internal business purposes.





Comment [b25]: F5 proposed solutions: F5 would like to clarify here that products will be ordered through authorized data communications resellers and that support ordered directly from F5 is payable annually in advance.


7

been completed, whichever is later. The contractor agrees to allow WSCA-NASPO, State and Federal

auditors, and state agency staff access to all the records of this Master Agreement and any order placed

under this Master Agreement, for audit and inspection, and monitoring of services. Such access will be

during normal business hours, or by appointment.

25.REPORTS and ADMINISTRATIVE FEES The contractor shall submit quarterly reports to the WSCA-

NASPO Contract Administrator showing the quantities and dollar volume of purchases by each

participating entity.

The contractor must pay a WSCA-NASPO administrative fee of one quarter of one percent (.25%) in

accordance with the terms and conditions of the Master Agreement. The WSCA-NASPO administrative

fee shall be submitted quarterly and is based on sales of products and services. The WSCA-NASPO

administration fee is not negotiable. This fee is to be included as part of the pricing submitted with

proposal.

Additionally, some States may require that an additional fee be paid directly to the State on purchases

made by procuring entities within that State. For all such requests, the fee level, payment method and

schedule for such reports and payments will be incorporated in a Participating Addendum that is made a

part of the Master Agreement. The contractor may adjust the Master Agreement pricing accordingly for

purchases made by procuring agencies within the jurisdiction of the State. All such agreements may not

affect the WSCA-NASPO administrative fee or the prices paid by the procuring agencies outside the

jurisdiction of the State requesting the additional fee.

26. STANDARD OF PERFORMANCE AND ACCEPTANCE The Standard of Performance applies to all

Product(s) purchased under this Master Agreement, including any additional, replacement, or substitute

Product(s) and any Product(s) which are modified by or with the written approval of Contractor after

Acceptance by the Participating Entity. The Acceptance Testing period shall be thirty (30) calendar days

or other time period identified in the solicitation or the Participating Addendum, starting from the day after

the Product is installed and Contractor certifies that the Product is ready for Acceptance Testing. If the

Product does not meet the Standard of Performance during the initial period of Acceptance Testing,

Participating Entity may, at its discretion, continue Acceptance Testing on a day-to-day basis until the

Standard of Performance is met. Upon rejection, the Contractor will have fifteen (15) calendar days to

cure the Standard of Performance issue(s). If after the cure period, the Product still has not met the

Standard of Performance Participating Entity may, at its option: (1) declare Contractor to be in breach and

terminate the Order; (2) demand replacement Product from Contractor at no additional cost to

Participating Entity; or, (3) continue the cure period for an additional time period agreed upon by the

Participating Entity and the Contractor. Contractor shall pay all costs related to the preparation and

shipping of Product returned pursuant to the section. No Product shall be accepted and no charges shall

be paid until the Standard of Performance is met. The warranty period will begin upon Acceptance.

27. SYSTEM FAILURE OR DAMAGE In the event of system failure or damage caused by the Contractor

or its Product, the Contractor agrees to use its best efforts to restore or assist in restoring the system to

operational capacity.

28. TITLE OF PRODUCT Upon Acceptance by the Participating Entity, Contractor shall convey to

Participating Entity title to the Product free and clear of all liens, encumbrances, or other security

interests.Transfer of title to the Product shall include an irrevocable and perpetual license to use the

Embedded Software in the Product. If Participating Entity subsequently transfers title of the Product to

another entity, Participating Entity shall have the right to transfer the license to use the Embedded



Comment [b29]: F5 proposed solution: F5 products are COTS items, and we offer free evaluation periods before purchase, so F5 would like to propose clarifying that the Standard of Performance is F5’s standard warranties and other specifications agreed to by the parties, and that the warranty period begins on delivery unless the parties agree to an acceptance process.


8

Software with the transfer of Product title. A subsequent transfer of this software license shall be at no

additional cost or charge to either Participating Entity or Participating Entity’s transferee.

29. WAIVER OF BREACH Failure of Lead State or Participating Entity to declare a default or enforce

any rights and remedies shall not operate as a waiver under this Master Agreement or Participating

Addendum. Any waiver by the Lead State or Participating Entity must be in writing. Waiver by the Lead

State or Participating Entity of any default, right or remedy under this Master Agreement or Participating

Addendum, or breach of any terms or requirements shall not be construed or operate as a waiver of any

subsequent default or breach of such term or requirement, or of any other term or requirement under this

Master Agreement or Participating Addendum.

30. WARRANTY The Contractor warrants for a period of one year from the date of Acceptance that: (a)

the Product performs according to all specific claims that the Contractor made in its response to the

solicitation, (b) the Product is suitable for the ordinary purposes for which such Product is used, (c) the

Product is suitable for any special purposes identified in the solicitation or for which the Participating

Entity has relied on the Contractor’s skill or judgment, (d) the Product is designed and manufactured in a

commercially reasonable manner, and (e) the Product is free of defects. Upon breach of the warranty,

the Contractor will repair or replace (at no charge to the Participating Entity) the Product whose

nonconformance is discovered and made known to the Contractor. If the repaired and/or replaced

Product proves to be inadequate, or fails of its essential purpose, the Contractor will refund the full

amount of any payments that have been made. The rights and remedies of the parties under this

warranty are in addition to any other rights and remedies of the parties provided by law or equity,

including, without limitation, actual damages, and, as applicable and awarded under the law, to a

prevailing party, reasonable attorneys’ fees and costs.

31. ASSIGNMENT OF ANTITRUST RIGHTS Contractor irrevocably assigns to a Participating Entity any

claim for relief or cause of action which the Contractor now has or which may accrue to the Contractor in

the future by reason of any violation of state or federal antitrust laws (15 U.S.C. § 1-15 or a Participating

Entity’s state antitrust provisions), as now in effect and as may be amended from time to time, in

connection with any goods or services provided to the Contractor for the purpose of carrying out the

Contractor's obligations under this Master Agreement or Participating Addendum, including, at a

Participating Entity's option, the right to control any such litigation on such claim for relief or cause of

action.

Contractor shall require any subcontractors hired to perform any of Contractor's obligations, under this

Master Agreement or Participating Addendum, to irrevocably assign to a Participating Entity, as third

party beneficiary, any right, title or interest that has accrued or which may accrue in the future by reason

of any violation of state or federal antitrust laws (15 U.S.C. § 1-15 or a Participating Entity’s state antitrust

provisions), as now in effect and as may be amended from time to time, in connection with any goods or

services provided to the subcontractor for the purpose of carrying out the subcontractor's obligations to

the Contractor in pursuance of this Master Agreement or Participating Addendum, including, at a

Participating Entity's option, the right to control any such litigation on such claim for relief or cause of

action.

32. WSCA-NASPO eMARKET CENTER Awarded responders are required to participate in the WSCA-

NASPO eMarket Center and, working through WSCA-NASPO’s contractor (SciQuest), connect with the

eMarket Center. The ideal situation would be to use either a hosted (by SciQuest) or Punchout Level 2

catalog configurations, but actual requirements will be determined by the Lead State Contract

Administrator, WSCA-NASPO, WSCA-NASPO’s contractor (SciQuest) and the awarded contractor, after



Comment [b33]: F5 proposed solution: F5 would like to clarify that the software warranty is 90 days and hardware warranty is one year, and the software warranty for defects is in accordance with F5 standard specifications and any specifications agreed to by the parties.


9

award. Participation does not require an awarded responder to have any special level of technology or

technological understanding.

Definitions Acceptance - means a written notice from a purchasing entity to contractor advising Contractor that the Product has passed its Acceptance Testing. Acceptance of a product for which acceptance testing is not required shall occur following the completion of delivery, installation, if required, and a reasonable time for inspection of the product, unless the Purchasing Entity provides a written notice of rejection to contractor. Acceptance Testing - means the process for ascertaining that the Product meets the standards set forth in the section titled Standard of Performance and Acceptance, prior to Acceptance by the Purchasing Entity. Contractor - means the person or entity delivering Products or performing services under the terms and

conditions set forth in this Master Agreement.

Intellectual Property – means any and all patents, copyrights, service marks, trademarks, trade secrets,

trade names, patentable inventions, or other similar proprietary rights, in tangible or intangible form, and

all rights, title, and interest therein.

Lead State - means the State conducting this cooperative solicitation and centrally administering any resulting Master Agreement with the permission of the Signatory States. Master Agreement – means the underlying agreement executed by and between the Lead State, as WSCA-NASPO contract administrator, acting on behalf of WSCA-NASPO, and the Contractor, as now or hereafter amended. Order - means any purchase order, sales order, or other document used by a Participating Entity to order the Products. Participating Addendum - means a bilateral agreement executed by a Contractor and a Participating Entity incorporating this Master Agreement and any other additional Participating Entity specific language or other requirements ,e.g. ordering procedures specific to the Participating Entity, other terms and conditions. Participating Entity - means a state, or other legal entity, properly authorized by a state to enter into the Master Agreement or Participating Addendum or who is authorized to order under the Master Agreement or Participating Addendum. Product - Any equipment, software (including embedded software), documentation, or deliverable supplied or created by the Contractor pursuant to this Master Agreement. WSCA-NASPO -is a cooperative group contracting consortium for state procurement officials, representing departments, institutions, agencies, and political subdivisions (i.e., colleges, school districts, counties, cities, etc.) for all states and the District of Columbia. WSCA-NASPO is a cooperative purchasing arm of the National Association of State Procurement Officials (NASPO).

Additional Definitions and Alternative Terms for Consideration


10

Below are additional definitions and alternative terms for consideration by the sourcing teams depending

upon the nature of the solicitation and negotiations between the Contractor and Vendor.

Embedded Software - means one or more software applications which permanently reside on a

computing device.

Machine Code – means microcode, basic input/output system code, utility programs, device drivers,

diagnostics, and another code delivered with a computing device for the purpose of enabling the function

of the computing device, as stated in its published specifications.

(revised March 2013)

Appendix 5 – Listing of Authorized Contractors by State

F5 Networks – Confidential Page 1 of 4

Alabama

CDW ProSys Milestone Systems Software House Dell Alaska

CDW World Wide Technology Dell Arizona Accuvant Centurylink World Wide Technology Dell Trace3 ASG Arkansas Fishnet Dell Presidio Networked Solutions California Dell World Wide Technology Evolve Technology Headquarters Accenture Trace3 Datalink CDW Kovarus Inc Accuvant AT&T Inc. NWN Corporation Bear Data Applied Computer Solutions Insight FusionStorm Integrated Archive Systems ePlus (NC) - HQ PCM/SARCOM Hewlett-Packard Company Colorado Trace3 CDW South Seas Corporation Dell MSN Communications Fishnet Accuvant Connecticut

Dell Integralis Accuvant NWN Corporation Regan Technologies Delaware Dell ePlus (NC) - HQ Continental Resources Comm Solutions District of Columbia Dell ePlus (NC) - HQ CDW Access IT Group Florida Dell Accuvant Fishnet Milestone Systems Presidio Networked Solutions Accenture CentricsIT Access IT Group CDW Hewlett-Packard Company UNICOM Government Georgia Dell Presidio Networked Solutions CDW CentricsIT Milestone Systems Forsythe ProSys Software House Hawaii Accuvant Mountain States Networking StorageHawk Idaho



ASG Dell Illinois Nexum Meridian IT CDW Accuvant Dell AT&T Inc. RKON Sirius Konsultek Software House Indiana Dell Nexum Fishnet Presidio Networked Solutions Netech Corporation Forsythe CDW Iowa Dell Net Direct Systems Forsythe Fishnet IP Pathways World Wide Technology Kansas Fishnet Cincinnati Bell Insight Sirius Kentucky Dell Nexum Louisiana Trace3 CDW Dell Maine Logicalis Cambridge Dell Maryland Dell CDW Access IT Group Software House Presidio Networked Solutions Massachusetts Continental Resources Corporate Technologies Dell Presidio Networked Solutions CDW ePlus (NC) - HQ Nexum Verizon Communications Michigan AmeriNet Meridian IT CDW Milestone Systems Dell Centurylink Minnesota Milestone Systems Forsythe CDW Insight Fishnet Software House Dell Mississippi Milestone Systems Agilysys Dell Missouri World Wide Technology Enterprise Consulting Group CDW Sirius Dell Montana CDW Accuvant Nebraska



Fishnet Sirius Dell OnX Enterprise Solutions Nevada CDW Accuvant Hewlett-Packard Company New Hampshire Nexum CDW Corporate Technologies New Jersey ePlus (NC) - HQ FusionStorm Computer Sciences Corp Hewlett-Packard Company Continental Resources Sirius Dell Software House New Mexico

CDW Dell New York Vandis Continental Resources Annese & Associates Hewlett-Packard Company IGX Global Access IT Group CDW Agilysys Dell ePlus (NC) - HQ Dimension Data IBM CentricsIT Sirius Computer Sciences Corp Software House North Carolina Secure Enterprise Computing Fishnet Dell Milestone Systems CDW World Wide Technology Forsythe Software House Hewlett-Packard Company North Dakota Sirius Corporate Technologies Centurylink Ohio Dell CDW Nexum Presidio Networked Solutions Accuvant Cincinnati Bell Oklahoma Fishnet Presidio Networked Solutions Dell Oregon Dell Sirius CDW Pennsylvania Dell Access IT Group Comm Solutions CentricsIT ePlus (NC) - HQ FusionStorm Fishnet HA Storage Systems Software House UNICOM Government Verizon Communications Rhode Island Dell Network Access South Carolina Dell CentricsIT Sirius Hewlett-Packard Company



Milestone Systems Tennessee Dell Presidio Networked Solutions Nexum ProSys Bedroc Texas Dell M & S Technologies FutureCom Sigma Solutions Accudata Systems CDW Software House Fishnet Presidio Networked Solutions CompuCom Forsythe Lumenate Utah ASG Dell Advanced Systems Group Vermont CDW Dell Virginia CDW World Wide Technology Dell Access IT Group ePlus (NC) - HQ Continental Resources Fishnet ESI Information Technologies SLAIT Consulting UNICOM Government Dimension Data Washington Datec Extend Networks Dell Hewlett-Packard Company Sirius TechPower Solutions CDW World Wide Technology Presidio Networked Solutions Dimension Systems Structured West Virginia Dell CDW ePlus (NC) - HQ Wisconsin CDW Meridian IT Nexum MSI Dell Sirius Wyoming South Seas Corporation Dell Trace3

F5 Networks Additional Vendor Terms and Conditions

End User License Agreement

1. Scope. This License applies to the software product (“Software”) you have licensed from F5

Networks, Inc. (“F5”). Certain Software is licensed for use in conjunction with F5 hardware which together

with the Software will be referenced as the “Product.” This License is a legal agreement between F5 and

the single entity (“Licensee”) that has acquired the Software from F5 under these terms and conditions.

The Software incorporates certain third party software programs subject to the terms and restrictions of

the applicable licenses identified herein.

2. License Grant. Subject to the terms of this License, F5 grants to Licensee a perpetual, non-

exclusive, non-transferable license to use the Software for which Licensee has paid the required license

fees in object code form for Licensee’s internal business purposes. Other than as specifically described

herein, no right or license is granted to any of F5’s trademarks, patents, copyrights, or other intellectual

property rights and F5 retains all rights not granted herein. The Software incorporates certain third party

software, which is used subject to licenses from the respective owners. The third party software is

identified in the Software release notes for the Software version. The protections given to F5 under this

License also apply to the suppliers of this third party software.

3. Restrictions.

(a) The Software, documentation and the associated copyrights and other intellectual property rights

are owned by F5 or its licensors and are protected by law and international treaties. Licensee may not

copy or translate the documentation provided with the Software or available online (“Documentation”)

without F5’s prior, written consent. Licensee may install, use, access, display and run the Software only

in the manner in which it has been licensed as indicated herein and in the applicable purchase order,

quote or the license file for such Product or Software, including but not limited to any restrictions on

number of protected applications, number or type of licensed devices, number of authorized copies or

instances, number of users, bandwidth, non-production use or database restrictions. Licensee agrees

that it will not defeat, circumvent or disable any copy protection mechanism or mechanism in the Software

used to limit license duration or access to non-licensed functionality or capacity, and that any such

attempt will be a material breach of this Agreement. F5 reserves the right to audit Licensee’s use of the

Software or authorize others to conduct such an audit on its behalf and to disable any application or

functionality that has not been specifically licensed, in addition to any other rights and remedies available

to F5.

(b) For Software modules purchased in conjunction with a F5 device, the Software is not transferable

to other F5 devices or third party hardware. For Software provided in stand-alone form (not embedded in

a F5 hardware Product), Licensee may only install and use the Software in object code form on the

server(s) for which Licensee has a valid license key issued to it by F5 or its authorized sub-licensor and

only for the duration of the validity of such license key. The use of any hardware or software to pool

resources or reduce the number of devices that directly access or use the Software (sometimes referred

to as 'virtualization') will not reduce the number of license keys required. Licensee must have a separate

license key for each instance of the Software. F5 may restrict Licensee’s use of the Software, by at least

one of the following locking methods: (i) an instance identifier; (ii) hypervisor in use; (iii) a bridge; and/or

(iv) Media Access Control (MAC) address. Licensee agrees that it will not attempt to circumvent any of

the foregoing license key restrictions or to have others do so on its behalf.

(c) Certain portions of the Software include third party software modules as identified in the

applicable Software release notes, including but not limited to, MySQL licensed from MySQL AB and

JavaTM

licensed from Oracle America, Inc., and are subject to additional limitations imposed by those third

parties (“Restricted Third Party Software”). Certain portions of the Software may also include

geographical or other data (“Data”). Licensee agrees that it will only use such Restricted Third Party

Software or Data in conjunction with the Product and not as standalone software. Licensee will not (i)

copy the Restricted Third Party Software or Data onto any public or distributed network; (ii) use the

Restricted Third Party Software or Data separately to operate in or as a time-sharing, outsourcing, service

bureau, application service provider or managed service provider environment; (iii) use the Restricted

Third Party Software or Data as a general server, as a standalone application or with applications other

than the Software under this license; (iv) change any proprietary rights notices which appear in the

Restricted Third Party Software or Data; or (v) modify the Restricted Third Party Software or Data.

(d) Licensee may not copy (except to make one archival copy for backup and disaster recover

purposes), modify, sell, sub-license, rent or transfer the Software, Data or any associated Documentation

to any third party. Licensee may not disassemble, reverse compile or reverse engineer the Software or

any Data incorporated in the Software or encourage others to do so except as required by law for

interoperability purposes, and then only after Licensee has given Supplier an opportunity to provide

information or software necessary to resolve such interoperability issues.

4. Export Control. F5’s standard Product incorporates cryptographic software. Licensee agrees to

comply with the Export Administration Act, the Export Control Act, all regulations promulgated under such

Acts, and all other US government regulations relating to the export of technical data and equipment and

products produced therefrom which are applicable to Licensee. In countries other than the US, Licensee

agrees to comply with the local regulations regarding importing, exporting or using cryptographic

software. Licensee agrees it will not export or re-export the Software to any country, person, or entity

subject to U.S. export restrictions. Specifically, Licensee agrees not to export or re-export the Software: (i)

to any country to which the U.S. has embargoed or restricted the export of goods or services, or to any

national of any such country, wherever located, who intends to transmit or transport the Software back to

such country; (ii) to any person or entity who Licensee knows or has reason to know will utilize the

Software or portion thereof in the design, development or production of nuclear, chemical or biological

weapons; or (iii) to any person or entity who has been prohibited from participating in U.S. export

transactions by any federal agency of the U.S. government, including but not limited to anyone on the

U.S. Treasury Department's list of Specially Designated Nationals or the U.S. Department of Commerce's

Table of Denial Orders. By installing or using the Software, Licensee represents and warrants that it is not

located in, under control of, or a national or resident of any such country or on any such list.

5. Limited Warranty. F5 warrants that for a period of 90 days from the date of shipment: (i) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (ii) the Software substantially conforms to its published specifications. Except for the foregoing, the Software is provided AS IS. In no event does F5 warrant that the Software is error free, that it will operate with any software or hardware other than that provided by F5 or specified in the documentation, or that the Software will satisfy Licensee’s own specific requirements. (a) Remedy. Licensee’s exclusive remedy under this limited warranty is that F5, at F5’s option, will repair or replace any Software that fails during the warranty period at no cost to Licensee. F5 will replace defective media or documentation or, at its option, undertake reasonable efforts to modify the Software to correct any substantial non-conformance with the specifications. (b) Restrictions. The foregoing limited warranties extend only to the original Licensee, and do not apply if the Software (i) has been altered, except by F5 or an F5-designated representative or in

accordance with F5 instructions, (ii) has not been installed, operated, repaired, or maintained in accordance with F5’s instructions, (iii) has been subjected to abnormal physical or electrical stress, misuse, negligence or accident or (iv) has been operated outside of the environmental specifications for the Software. F5’s limited software warranty does not apply to software corrections or upgrades. 6. Notice to U.S. Government End Users. The Software and Documentation qualify as “commercial

items,” as that term is defined at Federal Acquisition Regulation (“FAR”) (48 C.F.R.) 2.101, consisting of

“commercial computer software” and “commercial computer software documentation” as such terms are

used in FAR 12.212. Consistent with FAR 12.212 and DoD FAR Supp. 227.7202-1 through 227.7202-4,

and notwithstanding any other FAR or other contractual clause to the contrary in any agreement into

which this End User License Agreement may be incorporated, Licensee may provide to Government end

user or, if this Agreement is direct, Government end user will acquire, the Software and Documentation

with only those rights set forth in this End User License Agreement. Use of either the Software or

Documentation or both constitutes agreement by the Government that the Software and Documentation

are “commercial computer software” and “commercial computer software documentation” and constitutes

acceptance of the rights and restrictions herein.

7. DISCLAIMER; LIMITATION OF REMEDY. EXCEPT FOR THE WARRANTIES SPECIFICALLY DESCRIBED HEREIN, F5 AND ITS THIRD PARTY LICENSORS DISCLAIM ANY AND ALL WARRANTIES AND GUARANTEES, EXPRESS, IMPLIED OR OTHERWISE, ARISING, WITH RESPECT TO THE SOFTWARE, DATA, SPECIFICATIONS, OR DOCUMENTATION DELIVERED HEREUNDER, INCLUDING BUT NOT LIMITED TO THE WARRANTY OF MERCHANTABILITY, WARRANTY OF NON-INFRINGEMENT OR TITLE AND THE WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE. F5 MAKES NO WARRANTY CONCERNING THE COMPLETENESS OR ACCURACY OF THE DATA OR INFORMATION OBTAINED OR DERIVED THROUGH THE USE OF THE DATA INCLUDED IN THE SOFTWARE AND THE DATA IS PROVIDED “AS IS”. F5 HAS NOT AUTHORIZED ANYONE TO MAKE ANY REPRESENTATIONS OR WARRANTIES OTHER THAN AS PROVIDED ABOVE OR TO OTHERWISE MODIFY THE TERMS OF THIS LICENSE. THE COLLECTIVE LIABILITY OF F5 AND ITS THIRD PARTY LICENSORS UNDER THIS LICENSE WILL BE LIMITED TO THE AMOUNT PAID FOR THE PRODUCT. F5 AND ITS THIRD PARTY LICENSORS WILL NOT HAVE ANY OBLIGATION OR LIABILITY, WHETHER ARISING IN CONTRACT (INCLUDING WARRANTY), TORT (INCLUDING ACTIVE, PASSIVE OR IMPUTED NEGLIGENCE, STRICT LIABILITY OR PRODUCT LIABILITY) OR OTHERWISE FOR ANY PUNITIVE, EXEMPLARY, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR INDIRECT DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF USE, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF REVENUE, LOSS OF BUSINESS OR OTHER FINANCIAL LOSS ARISING OUT OF OR IN CONNECTION WITH THE SOFTWARE OR OTHER GOODS OR SERVICES FURNISHED TO LICENSEE BY F5, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. TO THE EXTENT PERMITTED BY LAW, F5’S THIRD PARTY LICENSORS WILL NOT HAVE ANY LIABILITY FOR ANY DIRECT DAMAGES OF ANY KIND UNDER THIS LICENSE AGREEMENT. THE LIMITATIONS CONTAINED IN THIS SECTION WILL APPLY NOTWITHSTANDING ANY FAILURE OF AN ESSENTIAL PURPOSE OF ANY LIMITED REMEDY PROVIDED UNDER ANY TERM OF THIS AGREEMENT. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES. IN THOSE JURISDICTIONS, SUCH INAPPLICABILITY WILL NOT AFFECT THE REMAINDER OF THE PROVISIONS IN THIS SECTION. 8. Non-Production Use Software. If Licensee purchases an F5 Product or licenses F5 Software designated as “non-production,” “non-commercial,” “lab” or “development” Product in the applicable purchase order, quote or the license file for such Product or Software (“Non-Production Software”), Licensee may use the Software included with such Product to conduct testing and development in Licensee’s non-production environment only and not to manage data traffic or applications in the ordinary course of Licensee's business. Licensee agrees that any use of Non-Production Software in violation of the preceding sentence is a material breach of this Agreement.

9. Evaluation Software. If the Software is “Evaluation Software,” notwithstanding any other terms to

the contrary in this Agreement, Licensee may use the Software only for its internal demonstration, test or

evaluation purposes and not in a production environment. NOTWITHSTANDING ANY TERMS TO THE

CONTRARY IN THIS LICENSE, F5 DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, FOR

EVALUATION SOFTWARE AND IT IS PROVIDED ON AN “AS IS” BASIS. EVALUATION SOFTWARE

HAS A NON-PERPETUAL TIME LIMITED LICENSE THAT WILL “TIME-OUT” AND DISABLE THE

SOFTWARE UPON EXPIRATION OF THE EVALUATION PERIOD. Licensee agrees that it will not

attempt to defeat or circumvent any duration mechanism for evaluation Software. Licensee also agrees

that it will not use any evaluation Software beyond the prescribed license duration.

10. Termination. The license granted in Section 2 is effective until terminated and will automatically terminate if Licensee fails to comply with any of the terms and conditions set forth herein. Upon termination, Licensee will destroy the Software and documentation and all copies or portions thereof. 11. Acknowledgements. The Software includes Data and software developed by third parties subject to separate licenses. Please refer to the Acknowledgement section found in the Software Documentation. 12. GPL. Limited portions of the software contain software code subject to the GNU GPL Version 2.

Please refer to the Acknowledgement section found in the Software documentation for the specific

references. GPL software is not subject to the restrictions set forth in this License but is licensed

separately under the GPL. Only those portions of the software that are licensed under the GPL are

subject to the GPL license. All other software code is subject to the restrictions set forth elsewhere in this

License. Furthermore, those portions of the software that are licensed under the GPL are subject to the

remaining terms and conditions of the License to the extent that those terms are not inconsistent with the

terms of the GPL.

Maintenance Terms and Conditions

1. Term. Coverage under this Agreement will commence on the earlier of (i) (90) days after the date the Product is shipped from the manufacturing facilities of F5, or (ii) the date the covered Product is activated with F5, or (iii) if F5 has no record of license activation, Service will begin on the ship date and no service extensions will apply. Customer support agreements will automatically renew for additional one year terms upon submission of a purchase order for renewal, unless either Customer or F5 provides written notice of termination at least 30 days prior to the end of any such term. In the event that Customer accesses F5 support services in any way after this Agreement has expired or been terminated, Customer will continue to be bound by this Agreement. Each renewal will be at F5’s then-current rate. Services pricing will be charged for all F5 product platform and add-on software purchases. The total service price will be calculated as a percentage of total list prices, appropriate to the level of service purchased. Either party may terminate this Customer support agreement upon 30 days’ notice in the event of a material breach by the other party, provided such breach is not cured by the end of such 30 day period.

2. F5’s Obligations. (a) F5 will provide telephone support for any product covered by this Agreement. Such support will

consist of responding to trouble calls as reasonably required to make the product perform as described in the current product specifications. Customer will receive Standard or Premium service as indicated in its order for the customer support services.

(b) Customer is entitled, at no charge, to updated versions of covered products, such as bug fixes and new releases that are generally made available at no additional cost to F5's customers that have ordered maintenance services for the relevant time period. The foregoing right shall not include any options, upgrades or future products which F5 or third party vendors charge for as a separate product

or where Customer’s installed hardware platform has no further upgrades available according to either (i) the applicable F5 software release notes provided with each release and also available for review via the Ask F5 service or (ii) a written end-of-life announcement communicated to Customer by F5. F5 is not obligated to provide hardware upgrades to ensure compatibility with new software versions of its products or to ensure that new software versions of its products are compatible with outdated hardware platforms.

(c) F5 will, at its option, repair or replace any product or component that fails during the term of

Customer’s support agreement at no cost to Customer, provided that Customer contacts the F5 technical support center to report the failure and complies with F5’s return policies. Products returned to F5 must be pre-authorized by F5 with a Return Material Authorization (RMA) number marked on the outside of the package, and sent prepaid, insured and packaged appropriately for safe shipment. Only packages with RMA numbers written on the outside of the shipping carton and/or the packing slips and shipping paperwork will be accepted by F5's receiving department. All other packages will be rejected. A replacement product or component will be shipped from F5’s USA operations to the Customer on the next business day following F5’s confirmation of the failure of the original product or component via remote troubleshooting and receipt from the customer of the RMA Template containing customer provided delivery and system configuration information (Note: there are international exceptions). Customer will return the failed product or component to F5 under the RMA number issued by F5 upon receipt of the replacement. F5 may invoice the Customer for any failed products or components (a) with respect to which the damage to such Products or components is attributable to actions taken by Customer or any of its agents (including but not limited to the categories set forth in Section 3 below); or (b) not returned within ten (10) business days of shipment of the replacement unit(s) (c) Product not returned in the original packaging box or the replacement unit packaging that causes undue damage to the unit. Title to any returned products or components will transfer to F5 upon receipt. F5 will be responsible for all freight charges for returned Products or components provided Customer uses F5 designated carrier. F5 will replace defective media or documentation or, at its option, undertake reasonable efforts to modify the software to correct any substantial non-conformance with the specifications.

(d) ASK F5 is a 24-hour, 7-day-a-week online service that allows customers to receive rapid answers to F5 product and service-related questions. Customers simply type a question into their Web browser; ASK F5 responds to the query. ASK F5 is also fully integrated with F5's technical support center, allowing customers to quickly communicate on-line with support staff who are experts in F5 products. F5 provides ASK F5 online support services at no charge during the term of this Agreement, provided that Customer must register to obtain a user name and password in order to access the Ask F5 services.

(e) If remote access is not an available option, it will take significantly longer to identify and resolve the outstanding incident. When accessing customer systems F5 will:

Inform customer before any access is made.

Backup copies of configuration files will be made before any work is performed.

No changes will be made without prior authorization.

Once authorized, changes will be made on stand-by units whenever possible.

Make use of security shred bins for all sensitive customer information that may be written on paper.

F5 does not send out customer information

(f) F5 specifically disclaims any and all support or repair obligation with respect to any application that has not undergone feature-set approval and F5’s QA process for feature integration (a “Non-Supported Application”). Customer acknowledges that if a new support case is created in accordance with F5’s support process where the issue is suspected to be, or is found to be, attributable to a Non-Supported Application, F5 may elect one of the following options, at its sole discretion:

Remove the Non-Supported Application, following consultation with Customer, in order to continue to resolve the issue; or

Cease work on the case and recommend that Customer remove the Non-Supported Application from the F5 Product in order to continue toward resolution.

If the F5 Product continues to function improperly or if the issue persists due to the Non-Supported Application, F5 will cease all support efforts on the case. The parties will then cooperate to develop a mutually satisfactory “for-fee” arrangement for continuing work on the issue.

3. Restrictions. Services provided by F5 under this Agreement are limited to the covered product and are contingent upon the Customer’s proper use of the product in the application for which it was designed. F5 will not be obligated to provide any service or to correct any malfunction, damage or other problem if the product: (a) has been altered, except by F5 or an F5-designated representative or in accordance with F5 instructions, (b) has not been installed, operated, repaired, or maintained in accordance with F5 instructions, (c) has been subjected to abnormal physical or electrical stress, misuse, negligence or accident, (d) has been operated outside of the environmental specifications for the product or (e) is related to configuration of Customer’s network beyond that necessary to the use or installation of F5 products. F5 reserves the right to limit or terminate development support (including error correction services) of any product version one (1) year after the date of release of a subsequent product version in accordance with its end of life policies (available through AskF5). The foregoing restriction shall apply even if Customer elects to install a product version other than the then-currently shipping version of the product.

4. Recertification. Requests for maintenance on Products purchased from sources other than an F5 VAR or directly from F5 (i.e. used or purchased from an online auction), or where maintenance has lapsed on the Product for more than 180 days, will first be subject to an inspection by a representative of F5 at the rate of $10,000 USD per unit ($20,000 USD for redundant systems) payable to F5 Networks. The inspection will determine if the unit is at a maintainable state and eligible for coverage. Once the unit has passed inspection, a maintenance contract and additional services may be purchased at the current published rates.

5. Lapsed Service Fee. If Customer purchases an annual Maintenance Agreement for a Product where maintenance has lapsed on the Product by up to 180 days, Customer will be charged a “Lapsed Service” fee at the rate of $2,000 USD in addition to the then-current standard maintenance fee pro-rated for the time period during which no maintenance was in effect.

6. Expedited RMA Services (Limited Availability Area). Where Customer has purchased an

Expedited RMA service, the terms of this Section will also apply. Products covered under any of these services must have an active maintenance service contract. Expedited RMA service purchased by Customer will be available fifteen business days after the receipt and acceptance of the purchase order for service and the customer’s completed Expedited RMA Service paperwork, providing full hardware configuration to be supported and accurate installation address of product (template provided by F5 Sales). F5 will make a reasonable effort to match the current configuration of the supported hardware. However, it is the customer’s duty to notify F5 in writing of any hardware configuration changes or changes to the Product location covered by this agreement. F5 requires ten business days to implement necessary changes to support the new configuration and/or location, and will be subject to Availability Area. If change notification is not made, F5 will take responsibility for the configuration and location on file at F5 only. Notification regarding physical moves of appliances must be made via email to [email protected].

4 Hour RMA Services: For customers with Products deployed within the F5 Four Hour RMA

Availability Area (the Availability Area), F5 will make a commercially reasonable effort to deliver a

Replacement unit within 4 hours of an F5 determination that a Replacement unit is needed and

receipt from the customer of the completed RMA Template containing customer provided delivery and

system configuration information. Customer acknowledges and agrees that the Replacement unit

may be delivered with a different System Software version than the version installed on the failed unit.

For customers with units that are not within the Availability Area or who otherwise do not meet the

criteria listed for F5 Four Hour RMA Availability, F5 will use commercially reasonable efforts to deliver

a replacement unit as soon as practicable. The four hour period will be defined by the business hours

covered by customer’s support contract. Accessories such as optical modules and cables and

mechanical items such as rail kits, latches, and bezels are not covered by Expedited RMA Services.

Limited parts, including ARX batteries, are not covered by Expedited RMA Services for safety and

regulatory reasons and will be subject to F5’s standard RMA processes. Please contact your F5

representative for further details. Provided the customer technical contact completes the RMA

Template, for customers that purchase the Expedited 4 Hour RMA with Technician Service (Limited

Availability Area), the technician, working under the direct supervision of a remote F5 Network

Support Engineer, will:

a) Remove and replace the failed unit; b) Load the F5 Manufacturing Released System Software version on the Replacement unit that

most closely matches, without exceeding, the System Software version on the failed unit; c) Activate the License on the Replacement Appliance where applicable.

The Customer understands and agrees that execution of the three steps above requires the Customer to

provide a site escort for the Technician as well as high speed internet access and telephone connectivity

both in reasonable proximity to the work area. The technician will not: a) Troubleshoot; b) Apply Hot

Fixes or software patches; c) Upgrade software; d) Make changes to the environment; e) Restore the

configuration, create a basic configuration, or perform any other configuration activity f) Fulfill requests

made by the customer’s on-site representative.

Consulting Services Terms and Conditions

1. F5 will provide Customer with a specified number of hours of professional services ("Services") as set

forth in a Statement of Work. If deliverables are defined by the parties in the SOW, F5 will use its

commercially reasonable efforts to provide such deliverables (the “Deliverables”), but will not be obligated

to provide Services beyond the hours set forth in the SOW. In the event that a Statement of Work is not

specified, F5 will use commercially reasonable efforts to provide such Services as requested by Customer

up to the number of hours defined by the parties.

2. Intellectual Property Rights. Except as described below, the Deliverables which are first produced or

created for Customer by F5 under a Statement of Work incorporating this Agreement shall be the

property of Customer and shall be considered works made for hire under this Agreement.

Notwithstanding the foregoing, any developed technology, including patentable and unpatentable ideas,

know-how, technical data, or techniques, and all intellectual property rights appurtenant thereto which

may be developed by F5 under this Agreement or in the delivery of any services hereunder that derive

from, improve, enhance or modify F5’s product(s) or pre-existing intellectual property, including but not

limited to product enhancements embodied in “iRules” and/or using the “iControl” open API, will be the

property of F5 (collectively, “F5 Developments”). Customer will have a non-exclusive license to the F5

Developments to the extent necessary to enable Customer to use any F5 Deliverable(s). Subject to the

limitations placed on F5 by the confidentiality provisions of this Agreement or by any existing non-

disclosure agreement between F5 and Customer, F5 may in its sole discretion develop, use, market,

license, or sell the F5 Developments and any software, application or product that is similar or related to

that which was developed by F5 for Customer. F5 shall not be required to disclose information

concerning any F5 Developments which F5 deems to be proprietary or confidential.

3. Limited Warranties, Disclaimer, and Exceptions. F5 warrants that the Services provided hereunder will

be performed in a professional manner consistent with the quality of F5's performance of services for

similarly situated customers and in accordance with generally accepted industry standards. F5 makes no

guarantees or assurances that the Services will achieve Customer’s specific goals or provide additional

functionality to Customer’s F5 appliance. F5 EXPRESSLY DISCLAIMS ALL OTHER WARRANTIES

EXPRESS OR IMPLIED INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A

PARTICULAR PURPOSE OR NON-INFRINGEMENT.

Evaluation Terms and Conditions

1. EVALUATION SCHEDULES: From time to time the parties may, under this Agreement, execute

schedules pursuant to which F5 agrees to provide the F5 products (each a “Product”) described in such

schedules to Customer for Customer’s internal testing pursuant to this Agreement (each an “Evaluation

Schedule”). The Products for which this Agreement is being entered into may include (a) hardware

(including embedded software and intellectual and proprietary rights related thereto), (b) software

(including intellectual and proprietary rights related thereto) and (c) other products described in an

Evaluation Schedule. Each Evaluation Schedule will be substantially in the form of the attached Schedule

A and together with any other documents incorporated into the Evaluation Schedule will constitute a

separate and independent contract for evaluation testing of the applicable Product(s) between F5 and

Customer. F5 and Customer will enter into a separate Evaluation Schedule for each evaluation

undertaken by Customer. Multiple Evaluation Schedules may be executed and active under this

Agreement. Evaluation Schedule(s) will set forth the applicable Loan Period, which may be extended upon

mutual agreement between the parties. Customer will not lease, sublease, assign, or otherwise transfer or

dispose of the Product(s). Customer will not remove, move, or relocate the Product from its Ship To

Location identified in the Evaluation Schedule without prior written approval from F5.

2. DISCLAIMER: The Product is provided “AS IS” and possibly with faults. F5 DISCLAIMS ANY AND

ALL WARRANTIES AND GUARANTEES, EXPRESS, IMPLIED OR OTHERWISE, ARISING, WITH

RESPECT TO THE PRODUCT DELIVERED HEREUNDER, INCLUDING BUT NOT LIMITED TO THE

WARRANTY OF MERCHANTABILITY, THE WARRANTY OF FITNESS FOR A PARTICULAR

PURPOSE, AND ANY WARRANTY OF NON-INFRINGEMENT OF THE INTELLECTUAL PROPERTY

RIGHTS OF ANY THIRD PARTY. CUSTOMER WILL USE THE PRODUCT AT ITS OWN RISK. F5

WILL NOT BE LIABLE TO CUSTOMER FOR ANY INDIRECT DAMAGES INCURRED IN USING THE

PRODUCT. IN NO EVENT WILL F5 BE LIABLE FOR LOSS OF PROFITS, LOSS OF USE, LOSS OF

DATA, BUSINESS INTERRUPTION, NOR FOR PUNITIVE, INCIDENTAL, CONSEQUENTIAL, OR

SPECIAL DAMAGES OF ANY KIND, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

3. TERMINATION AND DUTY TO RETURN: Each Evaluation Schedule will terminate on the date

indicated in the Evaluation Schedule. Either party may terminate an Evaluation Schedule or this

Agreement at any time without cause upon thirty (30) days written notice to the other party; however, all

obligations of confidentiality and the disclaimer and limitations described in Section 2 will survive

termination of this Agreement for any reason. Upon termination of an Evaluation Schedule or this

Agreement, Customer will promptly return the Product(s) to F5 by suitably secure courier with active

tracking (such as Federal Express), or otherwise as requested by F5 in equivalent working condition as

when delivered to Customer, excepting reasonable wear and tear. Customer will be responsible for any

damaged Products or components caused by Customer’s negligence or intentional misconduct or that of its

employees or agents.

What’s Inside

2 Unified Global Access

3 Consolidated Infrastructure and Simplified Management

5 Dynamic and Centralized Access Control

7 Superior Security

8 Flexibility, High Performance, and Scalability

10 BIG-IP APM Architecture

11 BIG-IP APM Platforms

11 VIPRION Platforms

13 F5 Services

13 More Information

Today, business resources, such as applications and data, are accessed inside and outside the traditional business perimeter. Local and remote employees, partners, and customers often access applications without context or security. A central policy control point delivers access based on context and is critical to managing a scalable, secure, and dynamic environment.

BIG-IP® Access Policy Manager® (APM) is a flexible, high-performance access and security solution that provides unified global access to your applications and network. By converging and consolidating remote access, LAN access, and wireless connections within a single management interface, and providing easy-to-manage access policies, BIG-IP APM helps you free up valuable IT resources and scale cost-effectively.

Key benefits

Provide unified global access Consolidate remote access, LAN access, and wireless connections in one interface.

Consolidate and simplify Replace web access proxy tiers and integrate with OAM, XenApp, and Exchange to reduce infrastructure and management costs.

Centralize access control Gain a simplified, central point of control to manage access to applications by dynamically enforcing context-aware policies.

Ensure superior access and endpoint security Protect your organization from data loss, virus infection, and rogue device access with comprehensive endpoint capabilities.

Obtain flexibility, high performance, and scalability Support all of your users easily, quickly, and cost-effectively.

Achieve Unified Access Control and Scale Cost-Effectively

BIG-IP Access Policy Manager DATASHEET

DATASHEET BIG-IP Access Policy Manager

2

Unified Global AccessAs the mobile workforce grows, users require access to corporate resources from different types of networks and an increasing variety of devices. Ensuring secure and fast application performance for remotes users is a key challenge.

One solution for all access

BIG-IP APM is positioned between the applications and the users, creating a strategic control point in the network. The device protects your public-facing applications by providing policy-based, context-aware access to external users while consolidating your access infrastructure. It also provides secure remote access to corporate resources from all networks and devices.

By converging and consolidating remote access, LAN access, and wireless connections within a single management interface, and providing easy-to-manage access policies, BIG-IP APM puts IT back in control of application access.

BIG-IP Platform

Private/Public Cloud

Local and Remote Users

Data Center

VDI VDI VDI

App Servers

App 1 App n

APMLTM

Directories

BIG-IP APM consolidates and manages all access to networks and applications.

“Always connected” remote access

BIG-IP APM works with an optional client to provide secure remote access. This state-of- the-art, integrated client, BIG-IP® Edge Client,® provides location awareness and zone determination to deliver a secure, persistent, policy-based access unlike any other. BIG-IP Edge Client helps ensure continued user productivity whether the user is at home on a wireless network, using an air card in transit, giving a presentation from corporate wireless, in a café on guest wireless, or docked on a LAN connection. BIG-IP Edge Client can automatically detect domains and connect, even after losing a VPN connection, or it can disconnect when a LAN connection is detected.

BIG-IP APM extends managed access for remote and mobile users to support a wide range of mobile devices. The BIG-IP® Edge Portal™ application facilitates secure remote access to enterprise web applications and is available for all Apple iOS and Android devices. Full SSL


3

VPN is available through BIG-IP Edge Client on Apple Mac, iPhone, iPad; Microsoft Windows devices; Linux platforms; and Android devices.

Enhanced connectivity to IPv6 networks

The Internet is evolving from IPv4 to IPv6. To ensure business continuity and future growth, organizations must expand their networking capabilities to support the coexistence of IPv4 and IPv6. BIG-IP APM fully supports IPv6, delivering a true global access experience.

Consolidated Infrastructure and Simplified ManagementBy integrating enterprise-wide and cost-effective application access management with centralized application delivery directly on the BIG-IP LTM system, BIG-IP APM greatly simplifies the implementation of authentication, authorization, and accounting (AAA) services.

Single sign-on

BIG-IP APM supports single sign-on (SSO) across multiple domains and Kerberos ticketing, enabling additional types of authentication, such as Federal Common Access Cards and the use of Active Directory authentication for all applications. Users are automatically signed on to back-end applications and services that are part of a Kerberos realm. This provides a seamless authentication after the user has authenticated through one of the supported end-user authentication schemes.

Security Assertion Markup Language (SAML) 2.0 support extends BIG-IP SSO options still further by supporting both identity provider (IdP) initiated connections and service provider initiated connections. This functionality extends SSO capabilities to cloud-based applications outside the corporate data center, and it allows for identity federation across an organization’s BIG-IP platforms. This functionality minimizes time spent logging into multiple applications with SSO and enables a unified user portal for cloud, web, virtual desktop infrastructure (VDI), and client/server applications.

Automatically synchronized Exchange services

BIG-IP APM supports the synchronization of email, calendar, and contacts with Microsoft Exchange on mobile devices that use the Microsoft ActiveSync protocol, such as the Apple iPhone. By eliminating the need for an extra tier of authentication gateways to accept Microsoft Outlook Web Access, ActiveSync, and Outlook Anywhere connections, BIG-IP APM helps you consolidate your infrastructure and keep users productive. When it’s time to migrate to Exchange 2010, BIG-IP APM works with Active Directory to facilitate seamless mailbox migration over time. When the migration is complete, BIG-IP APM provides managed access to Exchange with single URL access, regardless of user, device, or network.

Consolidated AAA infrastructure

Other authentication solutions use application coding, separate web server agents, or specialized proxies, which can present significant management, cost, and scalability issues. With AAA control directly on the BIG-IP system, BIG-IP APM enables you to apply customized access policies across many applications and gain centralized visibility of your authorization environment. You can consolidate your AAA infrastructure, eliminate redundant tiers, and simplify management to reduce capital and operating expenses by up to 85 percent.


4

Consolidated access for Oracle

BIG-IP APM integrates with Oracle Access Manager, so you can design access policies and manage policy-based access services for Oracle applications from one location. By consolidating plug-ins and web authentication proxies, this integration can help you reduce CapEx and OpEx.

Simplified access for virtual application environments

Using BIG-IP APM, administrators gain dynamic control over the delivery and security components of enterprise virtualization solutions and benefit from unified access, security, and policy management. For instance, in a typical Citrix XenApp/XenDesktop implementation, an administrator can replace Citrix authentication management, Secure Ticket Authority (STA), NetScaler, and XenApp Services sites (required for Citrix sourced enterprise deployment) with BIG-IP APM.

BIG-IP APM supports VMware View and Citrix XenApp/XenDesktop simultaneously, as well as other technologies in the mix. In addition, BIG-IP APM provides a single, scalable access control solution that includes both remote and LAN access policy and control with no configuration changes required to back-end servers. The solution can also be extended to other applications to achieve a simplified, lower cost, highly scalable enterprise infrastructure.

Advanced reporting

An in-depth view of logs and events provides access policy session details. With reports from technology alliance partner Splunk—a large-scale, high-speed indexing, and search solution— BIG-IP APM helps you gain visibility into application access and traffic trends, aggregate data for long-term forensics, accelerate incident responses, and identify unanticipated problems before users experience them.

BIG-IP APM is capable of providing customized reports with granular data and statistics for intelligent reporting and analysis. Examples include detailed session reports by:

• Access failures

• Users

• Resources accessed

• Group usage

• IP geolocation


5

Custom reports provide granular data and statistics for intelligent analysis.

Out-of-the-box configuration wizards

BIG-IP APM helps reduce administrative costs by making it easy to quickly configure and deploy authentication and authorization services. The configuration wizard includes a set of pre-built application access and local traffic virtual device wizards. It creates a base set of objects as well as an access policy for common deployments, and it automatically creates branches in the configuration to support necessary configuration objects. With step-by-step configuration, context-sensitive help, review, and summary, setting up authentication and authorization services on BIG-IP APM is simple and fast.

Real-time access health data

The access policy dashboard on the BIG-IP system gives you a fast overview of access health. You can view the default template of active sessions, network access throughput, new sessions, and network access connections, or create customized views using the dashboard windows chooser. By dragging and dropping the desired statistics onto the window pane, you gain a real-time understanding of access health.

Dynamic and Centralized Access ControlBy making context-aware, policy-based access decisions, BIG-IP APM strengthens corporate compliance with security standards and ensures that users can stay productive with appropriate application access.

Advanced Visual Policy Editor

The advanced, GUI-based Visual Policy Editor (VPE) makes it easy to design and manage granular access control policies on an individual or group basis. With the VPE, you can


6

quickly and efficiently create or edit entire dynamic access policies with a few simple clicks. For example, you can: design an authentication server policy integrated with RADIUS; assign resources for access once authorization is complete; or deny access for failure to comply with policy. A geolocation agent provides automatic lookup and logging. This simplifies the configuration process and enables you to customize user access rules according to your organization’s geolocation policy. By centralizing policy control, the VPE helps you manage access more cost-effectively.

The advanced Visual Policy Editor makes it easy to create access policies.

Dynamic access control

BIG-IP APM provides access authentication using access control lists (ACLs) and authorizes users with dynamically applied layer 4 and layer 7 ACLs on a session. Both L4 and L7 ACLs are supported based on endpoint posture as a policy enforcement point. BIG-IP APM allows individual and group access to approved applications and networks using dynamic, per-session L7 (HTTP) ACLs. You can use the Visual Policy Editor to quickly and easily create ACLs.

Access policies

With BIG-IP APM, you can design access policies for authentication and authorization, as well as optional endpoint security checking, to enforce user compliance with corporate policies. You can define one access profile for all connections coming from any device, or you can create multiple profiles for different access methods, each with their own access policy. For example, you can create a policy for application access authentication or dynamic ACL connections. With policies in place, your network becomes context-aware: it understands who the user is, where the user is accessing the application, and what the current network conditions are at the time of access.

Context-based authorization

By driving identity into the network, BIG-IP APM gives you a simplified, central point of control over user access. When tens of thousands of users access an application, BIG-IP APM offloads SSL encryption processing, provides authentication and authorization services, and optionally creates a single secure SSL connection to the application server. Context-based authorization gives you complete, secure, and policy-based control over users’ navigation.


7

Superior SecurityBy making context-aware, policy-based access decisions, BIG-IP APM strengthens corporate compliance with security standards and ensures that users can stay productive with appropriate web access.

VPN technologies

BIG-IP APM works with an optional client to provide SSL VPN remote access to mobile and remote workers. It offers a Datagram Transport Layer Security (DTLS) mode for remote connections, which is well suited for securing and tunneling applications that are delay sensitive. For traffic between branch offices or data centers, IPsec encryption is enabled. By using VPN technologies in the F5 unified access solution, organizations gain end-to-end security across the entire global infrastructure.

Strong endpoint security

BIG-IP APM can deliver an inspection engine through the browser to examine the security posture of a device and determine whether the device is part of the corporate domain. Then, based on the results, it can assign dynamic access control lists to deliver context-based security. More than a dozen integrated endpoint inspection checks are preconfigured, including OS, antivirus software, firewall, file, process, registry, as well as the device’s MAC address, CPU ID, and HDD ID. Administrators can map hardware attributes to user role to allow more decision points for access control. A browser cache cleaner will automatically remove any sensitive data at the end of a user’s session.

Dynamic webtops

The dynamic webtop displays a list of web-based applications available to a user after authentication. The content of the webtop is dynamic in the sense that only resources for which the user is authorized are displayed to the user. The webtop is customizable based on a user’s identity, context, and group membership. Webtops can be set up with SAML-enabled SSO for a seamless user experience.

Application tunnels

If an endpoint doesn’t comply with the security posture policy, an application tunnel can provide access to a particular application without the security risk of opening a full network access tunnel. For example, mobile users can simply click their Microsoft Outlook clients to get secure access to their emails, no matter where they are in the world. Application tunnels are also completely WAN optimized, so those application connections benefit from adaptive compression, acceleration, and TCP optimization to efficiently deliver content to the users.

Encrypted environment with protected workspace

Using tight encryption, BIG-IP APM provides an optional protected workspace for users who need a secure local computing environment. In this mode, users cannot write files to locations outside the protected workspace. The content in temporary folders and browser caches are deleted at the end of the session to ensure maximum protection of data. You can configure BIG-IP APM to automatically switch users of Microsoft Windows 7 (32-bit), Windows XP, and Windows Vista to a protected workspace.


8

Secure access with Java patching

Typically, a user opens a Java applet, such as IBM terminal emulator, and it will open up network connections on arbitrary ports, which may be blocked by firewalls and might use SSL to secure the traffic. This makes the applet unusable by remote employees. With Java rewrite, BIG-IP APM transforms or “patches” server Java applets in real time so that clients that execute the applets will connect back through BIG-IP APM using SSL over an authenticated BIG-IP APM session. With BIG-IP APM, rewrite once and store patched Java in RAM cache, so there is no need to rewrite every time.

Comprehensive application access and security

With the efficient, multi-solution BIG-IP platform, you can add application security without sacrificing access performance. BIG-IP APM and BIG-IP® Application Security Manager™ (ASM) run together on the BIG-IP LTM appliance to protect applications from attack while providing flexible, layered, and granular access control. Attacks are filtered immediately to ensure application availability and security and an optimum user experience. This integrated solution helps you ensure compliance with local and regional regulations, including PCI DSS, so you can minimize fine payouts and protect your organization from data loss. And since there is no need to introduce a new appliance to the network, you save costs with an all-in-one solution.

Flexibility, High Performance, and ScalabilityBIG-IP APM delivers fast application access and performance to keep your users productive and enable your organization to scale quickly and cost-effectively.

Flexible deployment

BIG-IP APM can be deployed in three different ways to meet a variety of access needs. It can be deployed as an add-on module for BIG-IP® Local Traffic Manager™ to protect public-facing applications; it can be delivered as a standalone appliance; it can also run on BIG-IP LTM Virtual Edition to deliver flexible application access in virtualized environments.

Hosted virtual desktop

Virtual desktop deployments have to scale to meet the needs of thousands of users and hundreds of connections per second. BIG-IP APM includes native support for Microsoft Remote Desktop Protocol (RDP) and native secure web proxy support for Citrix XenApp, XenDesktop, and PCoIP for VMware View. In addition, BIG-IP APM will pass down a Java-based applet that acts as a Java RDP client and executes in the client’s browser. This Java RDP client is a quick virtual desktop infrastructure (VDI) option as requirements dictate and is a secure remote access solution for Mac and Linux users. The highly scalable, high performance application delivery capabilities of BIG-IP APM provide simplified access and control to users in hosted virtual desktop environments.

High availability for AAA servers

By delivering seamless user access to web applications in a highly available and heterogeneous environment, BIG-IP APM improves business continuity and saves your organization from revenue loss that can result from decreased user productivity. BIG-IP APM integrates with AAA servers—including Active Directory, LDAP, RADIUS, and Native RSA


9

SecurID—and delivers high availability through the intelligent traffic management capabilities of BIG-IP LTM.

Credential caching

BIG-IP APM provides credential caching and proxy services for single sign-on (SSO), so users only need to sign in once to access approved sites and applications. As users navigate, sign-on credentials are delivered to web applications, saving time and increasing productivity.

Unprecedented performance and scale

BIG-IP APM access offers SSL offload at network speeds and supports up to 3,000 logins per second. For organizations with an ever-growing base of web application users, BIG-IP APM scales quickly and cost-effectively to support up to 200,000 concurrent users on a VIPRION chassis platform or 60,000 concurrent users on a single high-end appliance.

Virtual Clustered Multiprocessing

BIG-IP APM is also available on a chassis platform and supports a Virtual Clustered Multiprocessing (vCMP®) environment. The vCMP hypervisor provides the ability to run multiple instances of BIG-IP APM. This allows for multi-tenancy and effective separation. With vCMP, network administrators can virtualize while achieving a higher level of redundancy and control.


10

BIG-IP APM ArchitectureRunning as a module on BIG-IP Local Traffic Manager, BIG-IP APM uses F5’s unique,

purpose-built TMOS® operating system. TMOS is an intelligent, modular, and high-performing

operating system that delivers insight, flexibility, and control to help you deliver and protect

your web applications.

TMOS delivers:

· SSL offload

· Caching

· Compression

· TCP/IP optimization

· Advanced rate shaping and quality of service

· IPv6 Gateway™

· IP/port filtering

· iRules® scripting language

· VLAN support through a built-in switch

· Resource provisioning

· Route domains (virtualization)

· Remote authentication

· Report scheduling

· Full proxy

· Key management and failover handling

· SSL termination and re-encryption to web servers

· VLAN segmentation

· DoS protection

· System-level security protections

· BIG-IP APM and BIG-IP Application Security Manager layering

· BIG-IP APM and BIG-IP WebAccelerator layering

· F5 Enterprise Manager support

BIG-IP APM features include:

· Portal access, app tunnel, and network access

· IPv6 ready

· Granular access policy enforcement

· Advanced Visual Policy Editor, including geolocation agent

· AAA server authentication and high availability

· DTLS mode for delivering and securing applications

· Microsoft ActiveSync and Outlook Anywhere support with client-side NTLM

· Simplified access management for Citrix XenApp and XenDesktop

· Native client support for Microsoft RDP client and Java RDP client

· Full proxy support for the VMware View PCoIP protocol

· Seamless Microsoft Exchange mailbox migration

· L7 access control list (ACL)

· Protected workspace support and encryption

· IP geolocation agent in Visual Policy Editor

· Credential caching and proxy for single sign-on

· Java patching (rewrite) for secure access

· Flexible deployment in virtual VMware environments

· Integration with Oracle Access Manager

· Single sign-on with support for Kerberos, credential caching, and SAML 2.0

· Context-based authorization with dynamic L4/L7 ACLs

· Windows machine certificate support

· Windows Credential Manager integration

· External logon page support

· Access control support to BIG-IP Local Traffic Manager (LTM) virtual server

· Out-of-the-box configuration wizards

· Scale up to 100,000 concurrent users

· Policy routing

· Export and import of access policies

· Configurable timeouts

· Health check monitor for RADIUS accounting

· Clustered multiprocessing

· Landing URI variable support

· DNS cache/proxy support

· SSL VPN remote access with an optional client

· Always connected access with BIG-IP Edge Client

· Easy application access with BIG-IP Edge Portal

· Broad client platform support (iPad, iPhone, Mac, Windows, Linux, Android)

· Browser support: IE, Firefox, Chrome

· Site-to-site IPsec encryption

· Application tunnels

· Dynamic webtops based on user identity

· Protected workspace

· Auth. methods: form, certificate, Kerberos SSO, SecurID, basic, RSA token, smart card, N-factor

· Endpoint inspection: Windows, Mac, Linux, antivirus, and firewall checks

· More than a dozen endpoint checks

· Virtual keyboard support

· Style sheets for customized logon page

· Windows Mobile package customization

· Centralized advanced reporting with Splunk

· Virtual Clustered Multiprocessing (vCMP)

11


BIG-IP APM PlatformsBIG-IP APM is available as a standalone appliance or as a software add-on module to existing BIG-IP deployments. BIG-IP APM offers a range of models to suit a variety of performance demands.

BIG-IP VE

VIPRION PlatformsBIG-IP Local Traffic Manager and Access Policy Manager are also available on the modular VIPRION system. This chassis and blade architecture enables simple scalability as your Application Delivery Network grows. See the VIPRION Datasheet for details.

VIPRION 4480 ChassisVIPRION 4800 Chassis

VIPRION 2100 BladeVIPRION 4300 Blade

VIPRION 2400 Chassis

image to come

11000 Series 7000 Series8900 Series10000 Series

4000 Series 3900 Series

3600 Series 2000 Series 1600 Series

5000 Series6900 Series

http://www.f5.com/pdf/products/viprion-overview-ds.pdf

12


BIG-IP APM Standalone Base Concurrent Users Maximum Concurrent Users

BIG-IP APM VE Standalone Lab (10 Mbps) 10 10

BIG-IP APM VE Standalone (200 Mbps) 100 2,500

BIG-IP APM VE Standalone (1 Gbps) 250 2,500

2000s 100 500

2200s 100 2,500

4000s 500 5,000

4200v 1,000 10,000

5200v 2,000 20,000

7200v 4,000 40,000

10200v 8,000 60,000

BIG-IP APM Add-Ons Base Concurrent Users Maximum Concurrent Users

BIG-IP APM Module for BIG-IP VE 250 2,500

1600 500 1,000

2000s 100 500

2200s 100 2,500

3600 500 5,000

3900 500 10,000

4000s 500 5,000

4200v 500 10,000

5000s 500 20,000

5200v 500 20,000

6900 500 25,000

7000s 500 40,000

7200v 500 40,000

8900 500 40,000

10200v 500 60,000

11000 500 60,000

VIPRION 2400 500 60,000

VIPRION 4480 500 100,000

VIPRION 4800 500 200,000

13


F5 ServicesF5 Services offers world-class support, training, and consulting to help you get the most from your F5 investment. Whether it’s providing fast answers to questions, training internal teams, or handling entire implementations from design to deployment, F5 Services can help you achieve IT agility. For more information about F5 Services, contact [email protected] or visit f5.com/services.

More InformationTo learn more about BIG-IP APM, use the search function on f5.com to find these and other resources.

Product overviews

BIG-IP Access Policy Manager

White paper

Delivering Virtual Desktop Infrastructure with a Joint F5-Microsoft Solution

Technical brief

Secure iPhone Access to Corporate Web Applications

Case study

Security Company Keeps Systems Protected and Apps Accessible

Video

Web Application Access Management for BIG-IP LTM

F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com

F5 [email protected]

F5 Networks Ltd.Europe/Middle-East/[email protected]

F5 NetworksJapan [email protected]

F5 Networks, Inc.Corporate [email protected]

©2013 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. DS-4156 0613

http://www.f5.com/services

http://www.f5.com

http://www.f5.com/pdf/products/big-ip-access-policy-manager-overview.pdf

http://www.f5.com/pdf/white-papers/f5-microsoft-vdi-wp.pdf

http://www.f5.com/pdf/white-papers/secure-iphone-access-tb.pdf

http://www.f5.com/pdf/case-studies/reliance-protectron-cs.pdf

http://devcentral.f5.com/weblogs/dctv/archive/2010/03/02/in-5-minutes-or-less-web-application-access-management-for.aspx

http://www.f5.com

mailto:apacinfo%40f5.com?subject=

mailto:emeainfo%40f5.com?subject=

mailto:f5j-info%40f5.com?subject=

mailto:info%40f5.com?subject=

What’s Inside

2 Security for the New Application-Centric Network

4 Protection for Communications Service Providers

4 BIG-IP AFM Features and Specifications

6 BIG-IP AFM Availability

7 BIG-IP AFM Platforms

7 VIPRION Platforms

8 F5 Services

8 More Information

BIG-IP Advanced Firewall Manager DATASHEET

Businesses rely on applications for internal productivity and for external customer access. At the same time, applications and the data centers that host them are increasingly under threat from sophisticated, targeted attacks.

F5® BIG-IP® Advanced Firewall Manager™ (AFM) is a high-performance, stateful, full-proxy network firewall designed to guard data centers against incoming threats that enter the network on the most widely deployed protocols—including HTTP/S, SMTP, DNS, and FTP. By aligning firewall policies with the applications they protect, BIG-IP AFM streamlines application deployment, security, and monitoring. With its scalability, security, and simplicity, BIG-IP AFM forms the core of the F5 application delivery firewall solution.

Key benefits

Scale to meet network demand Meet demanding data center scalability needs with a solution built on top of F5’s proven TMOS® architecture, hardware systems, and virtual editions.

Protect with a full-proxy firewall Terminate incoming client connections and inspect them for security threats, before forwarding them on to the server.

Streamline firewall deployment Simplify security configuration with firewall policies oriented around the applications themselves—and speed up app deployment.

Customize reporting for visibility Log events at high speeds and define per-application logging configuration, allowing flexibility in log destinations and information logged.

Inspect SSL sessions Fully terminate SSL connections to identify potentially hidden attacks—and do this at high scale and high throughput.

Ensure application availability Provide protection against more than 50 DDoS vectors to ensure application availability, with detailed visibility into attack conditions. For certain platforms, SYN flood protection is handled in the hardware.

Secure the Data Center, Protect Applications, and Defend the Network

DATASHEET BIG-IP Advanced Firewall Manager

2

Security for the New Application-Centric NetworkBuilding on its strong background in Application Delivery Controllers, F5 brings together security and deep application fluency to protect servers and data center infrastructure.

Application delivery firewall

BIG-IP AFM is the core of the F5 application delivery firewall solution—the first of its kind in the industry, which combines the network firewall with traffic management, application security, user access management, and DNS security. By consolidating the security functions of several BIG-IP® modules onto a single platform, the F5 application delivery firewall reduces management complexity and overhead, while still maintaining superior performance and scalability. Building upon BIG-IP® Local Traffic Manager™, the number-one traffic management solution by market share, the application delivery firewall has deep application fluency in the most widely deployed enterprise applications. This translates to advanced security capabilities, such as application-specific detection of anomalous latency conditions.

One Platform

DNSSecurity

TrafficManagement

ICSA-CertifiedFirewall

ApplicationSecurity

AccessControl

DDoSProtection

SSLInspection

The F5 application delivery firewall brings together key network and security functions on a single platform.

The following BIG-IP modules function in concert to build out the complete application delivery firewall solution:

• BIG-IP Advanced Firewall Manager (AFM)—Advanced network firewall that forms the core of the F5 application delivery firewall solution. It provides full SSL visibility at scale, as well as network-layer and session-layer distributed denial-of-service (DDoS) mitigation.

• BIG-IP Local Traffic Manager (LTM)—Provides advanced traffic management, load balancing, and application delivery.

• BIG-IP® Application Security Manager™ (ASM)—Delivers application security, web scraping and bot prevention, and HTTP DDoS mitigation.

• BIG-IP® Access Policy Manager® (APM)—Provides access management, secure remote access, and user context.

• BIG-IP® Global Traffic Manager™ (GTM)—High-scale DNS solution that defends against DNS attacks such as DNS DDoS and spoofing. It also provides a high-performance DNS response signing with DNSSEC.

• IP Intelligence and Geolocation—These additional services provide IP reputation and geolocation information for added context-aware security.


3

Application-centric firewall policies

By bringing together application delivery, application security, user access, and firewall policies, BIG-IP AFM streamlines application deployment and simplifies firewall policy assurance. Rather than rigid zone-based or segment-based constructs, with BIG-IP AFM, firewall policies are more logically aligned with the applications themselves. This has several operational advantages for IT organizations. Most immediately, interaction between applications teams and network/security teams is minimized and optimized. Details about the application parameters, including server addressing, SSL offload, and access policies, are now grouped together with security parameters, including firewall policies, SSL inspection, and logging. Gone are the days of mapping applications to zones, or scouring through spreadsheets of firewall policies to find the applicable IP address for a particular application server.

Further, since the configuration for an application is unified with its associated firewall policy, deprovisioning of applications is also streamlined. When an application is deprovisioned, the obsolete firewall rules are simultaneously deprovisioned.

BIG-IP AFM orients firewall policies around the application itself—streamlining security operations.

Full-proxy security

Unlike traditional firewalls, BIG-IP AFM is built on a full-proxy architecture, which means that incoming client connections are fully terminated, inspected for possible security threats, and only then forwarded to the server—assuming no threats are present.

In the reverse direction, server-to-client communication is also proxied, and the F5 application delivery firewall solution with BIG-IP AFM can scrub return data for sensitive information—for instance, protocol response codes that could divulge network information for reconnaissance attacks and private data, such as credit card or Social Security numbers.

Security extensibility with iRules

All BIG-IP modules benefit from the power and extensibility of F5 iRules®, a scripting language with open APIs that can operate directly on payloads in the data plane. F5 DevCentral™, a community of more than 120,000 F5 users, provides an environment for users to create and share iRules, which administrators can use to expand the functionality of BIG-IP AFM flexibly. In the past, DevCentral has provided customers with significant additional security functionality, including the following iRule solutions:


4

iRule Solution

Transparent Web App Bot ProtectionBlocks illegitimate requests from automated bots that bombard a contact form

Distributed Apache KillerDenies application requests that cause a web server denial-of-service (DoS)

DNS Blackhole with iRulesPrevents employees from accessing known bad websites at the DNS level

Thwart Dictionary AttacksRestricts excessive login attempts using the exponential backoff algorithm

SSL Renegotiation DoS AttackDrops connections that renegotiate SSL sessions more than five times a minute

Protection for Communications Service ProvidersBIG-IP AFM—with its unmatched scale and performance—is also ideal for communications service provider (CSP) deployments. In CSP environments, BIG-IP AFM helps protect not only the network itself, but also subscribers from attacks.

In mobile networks, BIG-IP AFM forms the basis of the F5 S/Gi firewall solution. Deployed at the Gi interface of 3G networks and the SGi interface of 4G/LTE networks, the S/Gi firewall solution enforces network perimeters, protects the mobility infrastructure and mobile subscribers, and gives CSPs the scalability and flexibility for advanced service enforcement.

The S/Gi firewall solution takes advantage of F5’s intelligent services framework, meaning CSPs can consolidate additional network and security functions such as carrier-grade NAT and subscriber traffic visibility—all on a single platform.

BIG-IP AFM Features and SpecificationsBIG-IP Advanced Firewall Manager is a stateful, full-proxy firewall that provides advanced network protection.

Firewall

Protocol anomaly detection Yes

L4 DoS and DDoS protection Yes

SSL DoS and DDoS protection Yes

DNS and DDoS protection Yes—with BIG-IP GTM

HTTP DoS and DDoS protection Yes—with BIG-IP ASM

Number of DDoS vectors covered More than 50

SSL inspection Yes

IP reputation and geolocationYes—including identifying Tor exit nodes/anonymous proxies, malware, and command-and-control (C&C) servers (separately licensed)

Central management Yes—with BIG-IQ™ Security


5

IPsec

Site-to-site Yes

Keying methods Manual, Internet Key Exchange v1 (IKEv1)

Authentication methods Preshared key, RSA signature

Diffie-Hellman groups 1, 2, 5, 14, 15, 16, 17, 18

Encryption algorithms3DES, AES-128, AES-192, AES-256, AES-GCM-128, AES-GCM-256

Hash/HMAC algorithmsSHA-1, AES-GMAC-128, AES-GMAC-192, AES-GMAC-256

Platform Features

Multi-tenancy Yes—with vCMP®

High availability Yes—active-passive or active-active

SSL VPN

Remote access Yes—with BIG-IP APM

Scale and Performance

VIPRION 4800(8 x B4340)

VIPRION 4480(4 x B4300)

VIPRION 2400(4 x B2100)

BIG-IP 11050/11000

BIG-IP 10200v

Maximum firewall throughput

640 Gbps 320 Gbps 160 Gbps44 Gbps/ 24 Gbps

80 Gbps

Connections per second

8.8 million 4.8 million 1.8 million 1.1 million 850,000

Maximum concurrent connections

576 million 144 million 48 million24 million/ 30 million

36 million


BIG-IP 8950/8900

BIG-IP 4200v

BIG-IP 6900

BIG-IP 3900


20 Gbps/ 12 Gbps

10 Gbps 6 Gbps 4 Gbps


810,000/ 360,000

250,000 225,000 158,000


12 million 10 million 6 million 6 million


6


BIG-IP 2200S

BIG-IP 2000S

BIG-IP 3600

BIG-IP 1600


5 Gbps 2.5 Gbps 2 Gbps 1 Gbps


135,000 67,000 59,000 36,000


5 million 2.5 million 3 million 3 million

BIG-IP AFM AvailabilityBIG-IP Advanced Firewall Manager is available bundled with other modules to enable specific application delivery firewall use cases, as follows.

Bundle Name BIG-IP AFM BIG-IP LTM BIG-IP ASM BIG-IP APMBIG-IP APM-lite (10 users)

Application Delivery Firewall

✓ ✓ ✓

Application Delivery Firewall with Application Security

✓ ✓ ✓ ✓

Application Delivery Firewall with Access Management

✓ ✓ ✓ ✓

Application Delivery Firewall with Application Security and Access Management

✓ ✓ ✓ ✓ ✓

Advanced Firewall Manager Add-On (for systems that already have BIG-IP LTM)

✓

Note: All BIG-IP AFM licenses include protocol security, routing, and maximum SSL. IP Intelligence and

Geolocation are available add-ons for all bundles.

7


BIG-IP AFM PlatformsBIG-IP Advanced Firewall Manager is available as an add-on module for integration with BIG-IP Local Traffic Manager on any BIG-IP platform or BIG-IP LTM Virtual Edition (VE). For detailed physical specifications, please refer to the BIG-IP System Hardware Datasheet.

BIG-IP AFM VE

VIPRION PlatformsBIG-IP Advanced Firewall Manager is also available as an add-on module to BIG-IP Local Traffic Manager on the modular VIPRION® platform. This chassis and blade architecture enables simple scalability as your Application Delivery Network grows. See the VIPRION Datasheet for details.

1600 Series2000 Series

3600 Series3900 Series4000 Series

11000 Series 8900 Series10000 Series 6900 Series

VIPRION 2100 BladeVIPRION 4300 Blade VIPRION 4200 Blade

VIPRION 2400 ChassisVIPRION 4480 ChassisVIPRION 4800 Chassis

http://www.f5.com/pdf/products/big-ip-platforms-datasheet.pdf

www.f5.com/pdf/products/viprion-overview-ds.pdf

8



More InformationTo learn more about BIG-IP AFM, use the search function on f5.com to find these and other resources.

Web pages

BIG-IP Advanced Firewall Manager

F5 Security

Solution profile

High-Performance Application Delivery Firewall

White paper

A New Firewall for the Data Center







mailto:consulting%40f5.com?subject=


http://www.f5.com

http://www.f5.com/products/big-ip/big-ip-advanced-firewall-manager/overview/

http://www.f5.com/it-management/topics/security/

http://www.f5.com/pdf/solution-profiles/big-ip-ltm-firewall-security-sp.pdf

http://www.f5.com/pdf/news/2012-Infonetics-Whitepaper-A-New-Firewall-for-the-Data-Center-June-2012.pdf

http://www.f5.com





What’s Inside

2 Integrated Application Delivery Optimization

2 Data Center Optimizations

3 Transport Optimizations

4 Application Delivery Optimizations

7 F5 Application Ready Solutions

8 Flexible Deployment Options

10 The Power of the BIG-IP System

12 The BIG-IP Application Acceleration Manager Architecture

12 BIG-IP Application Acceleration Manager Platforms

12 Virtual Platform

13 F5 Services

13 More Information

BIG-IP Application Acceleration Manager DATASHEET

Organizations depend on applications to support business operations and drive revenue. At the same time, users are demanding more from those applications, including faster load times and access across a wide variety of devices. Poor performing applications can result in reduced employee productivity, abandoned shopping carts, and missed recovery point objective and recovery time objective (RPO/RTO) targets.

F5® BIG-IP® Application Acceleration Manager™ (AAM) combines the application delivery features previously available in BIG-IP® WAN Optimization Manager™ (WOM) and BIG-IP® WebAccelerator™. BIG-IP AAM overcomes network, protocol, and application issues to help you meet application performance, data replication, and disaster recovery requirements presented by cloud, mobile applications, and video distribution. By offloading your network and servers, BIG-IP AAM decreases the need for additional bandwidth and hardware. Users get fast access to applications, and you gain greater revenue and free up IT resources for other strategic projects.

Key benefits

Improve the user experience Improve end user experience through multiple optimization technologies applied at all layers of the application delivery chain.

Optimize data center efficiency Consolidate devices and services to deliver optimized apps. Reduce the application load from servers and the network by offloading CPU-intensive processing tasks.

Streamline Application Delivery Optimization Quickly support and optimize legacy and emerging protocols/standards (SPDY, FTP, UDP, HLS). Optimize delivery of any application content to any device without recoding apps.

Overcome All Application Performance Bottlenecks

DATASHEET BIG-IP Application Acceleration Manager

2

Integrated Application Delivery OptimizationBIG-IP Application Acceleration Manager is built natively on the F5 TMOS® unified architecture, enabling the integration of application delivery with web performance and WAN optimization technologies. This enables traditional acceleration technologies like SSL offloading, compression, caching, and traffic prioritizing to combine with technologies like image optimization, video delivery optimization, and byte-level data deduplication, thereby reducing complexity in your data center.

BIG-IP AAM makes use of the F5 iControl® application programming interface (API) and F5 iRules® scripting language capabilities, giving you unprecedented flexibility and control in scaling, managing, and optimizing your BIG-IP system.

BIG-IP AAM can optimize a wide variety of protocols delivered to either a client browser, desktop application, or another BIG-IP device, depending on the deployment. Optimizations are divided into data center optimizations, including server and network optimizations, transport optimizations, and application delivery optimizations, including application protocol and web performance optimizations.

Data Center OptimizationsBIG-IP Application Acceleration Manager optimizes the data center to help with the ever-changing demands on IT infrastructure, such as large amounts of data, including videos, and the use of mobile devices. Data center optimization can help to reduce application load from servers by offloading CPU-intensive tasks like encryption, caching, and compression and reduce bandwidth by sending less data over the network. The end result is a more efficient infrastructure.

BIG-IP AAM can improve the performance of WAN application traffic by optimizing application protocols, prioritizing traffic, optimizing TCP from clients to servers, and reducing the amount of data sent over the WAN, helping to prevent costly bandwidth upgrades. Quality of service (QoS) technologies ensure that critical or time-sensitive applications receive priority over others to maximize performance over the WAN. They provide granular control of traffic based on enterprise needs, enabling you to manage and prioritize bandwidth per application and improve QoS for critical applications over the WAN.

Data Center Optimizations

Devices Microsoft SharePoint

Virtualized Apps

Hypervisor

VDI VM

Cloud

Of�oading

NetworkServices

TCPConnection

SSL Caching Compression

BIG-IP Application Acceleration Manager optimizes the data center.


3

Symmetric data deduplication

With symmetric data deduplication, BIG-IP Application Acceleration Manager delivers a highly advanced level of WAN optimization. This provides significantly more bandwidth for applications and effectively expands WAN capacity to improve response times and increase throughput. Redundant data is no longer transferred across the network through the use of pattern matching and byte caching technologies. Symmetric data deduplication ensures high-speed application performance and reduces the amount of data transferred over the WAN by up to 99 percent.

Solid state drives deduplication

Data duplication can be done in memory or hard drive disks. Typically, memory-based deduplication is recommended due to the slow I/O performance of standard hard drives. However, for large volumes of data, deduplication using solid state drives (SSD) can have up to a three time improvement in replication time over memory-based deduplication.

BIG-IP Application Acceleration Manager running on the BIG-IP 11000 platform, with support for four 600 GB SSDs, is the ideal choice for the high-volume requirements of data center to data center replication or as the head end of a hub and spoke deployment.

SSL acceleration

BIG-IP Application Acceleration Manager offloads computationally intensive SSL encryption and decryption, reducing server processor utilization by up to 50 percent. It consolidates private key creation and storage, SSL certificate management, and FIPS SSL support. BIG-IP AAM standalone devices run on the F5 TMOS operating system and include the maximum available TPS for that specific hardware platform.

Parking Lot

The Parking Lot feature in BIG-IP Application Acceleration Manager queues multiple requests for the same new or expired cached object, and then sends only one request to origin web server. When the object is retrieved, BIG-IP AAM responds to all the requests. This reduces the load on the servers when a flood of requests come in at once.

Transport Optimizations BIG-IP Application Acceleration Manager improves the capacity of application servers and the efficiency of network protocols by offloading intensive processing tasks such as SSL encryption, optimizing application, and network protocols. Optimization features include the following.

Symmetric adaptive compression

Symmetric adaptive compression ensures the fastest data reduction for any traffic between BIG-IP systems. Symmetric adaptive compression automatically selects and uses the appropriate deflate, bzip2, or LZO compression algorithms (or no compression if the data cannot be compressed) to maximize bandwidth usage and throughput. In addition, symmetric adaptive compression can use BIG-IP hardware compression where available to provide unprecedented scalability.


4

Forward error correction (FEC)

Forward error correction (FEC) is a method for controlling errors in transmitted data over high packet loss communication channels. Data is sent in a redundant manner, enabling the receiving end to correct any potential errors or corrupted data without requiring a retransmission. FEC can be enabled between two BIG-IP devices or from a BIG-IP device to an edge client, significantly improving application performance on high packet loss networks.

HTTP protocol optimizations

BIG-IP Application Acceleration Manager maintains high user performance levels by optimally tuning each HTTP and TCP session for each user’s connection conditions. Optimizations for Microsoft NTLM authentication protocol enhance access to protected resources.

Bandwidth Controller

Bandwidth Controller provides the ability to manage the amount of bandwidth a device, subscriber, or application receives. Traffic can either be enforced or marked, identifying and flagging packets that are exceeding bandwidth.

TCP optimization

When application performance suffers, IT managers often assume that adding bandwidth will solve the problem. But TCP throughput degrades significantly on the WAN, particularly on high-latency, intercontinental links, so adding bandwidth is often ineffective.

To overcome inherent protocol limitations, BIG-IP Application Acceleration Manager uses adaptive TCP optimization, which combines session-level application awareness, persistent sessions, selective acknowledgements, error correction, and optimized TCP windows. This enables BIG-IP AAM to adapt, in real time, to the latency, packet loss, and congestion characteristics of WAN links, to fully utilize available bandwidth and accelerate application traffic (for up to 20 Gbps LAN-side, TCP optimized throughput).

Application Delivery OptimizationsApplication Delivery Optimization is a holistic way of looking at all the pieces in the delivery chain that need to be optimized from the transport mechanism to the application protocol. BIG-IP Application Acceleration Manager solves application delivery issues by optimizing the TCP stack and the application protocol and ensuring the best use of bandwidth.

Application performance on the WAN is affected by a large number of factors that can’t be solved by adding bandwidth alone. Performance is limited by factors such as the natural behavior of application protocols that were not designed for WAN conditions, application protocols that engage in excessive handshaking, and the serialization of the applications themselves.

CIFS acceleration

Microsoft’s remote file access protocol, common Internet file system (CIFS), is standard on Windows clients and servers and is commonly used to provide complete read/write access to files across data centers and branch offices. CIFS is a “chatty” protocol and not designed for high latency WAN environments. F5’s CIFS acceleration provides intelligent read-ahead and write-behind plus other techniques to help mitigate the effect of WAN latency. This provides


5

significant reduction in transfer times and bandwidth usage, improving performance of enterprise information transferred over the WAN.

MAPI acceleration

Message Application Programming Interface (MAPI) is the email protocol used by Microsoft Exchange Server and Outlook clients. Use of symmetric adaptive compression and symmetric data deduplication dramatically improves performance and reduces bandwidth usage for customers using Microsoft Exchange, especially when sending email attachments.

HLS delivery optimization

HTTP Live Streaming (HLS) is the protocol used by a number of devices to view both live and on-demand video. HLS breaks the video down into segments that can be cached for multiple users. HLS can be optimized by caching the individual segments or by controlling the bitrate that is made available to end users.

SPDY gateway

SPDY is an emerging new application-layer protocol developed by Google that augments HTTP by improving the inefficiencies related to connection management and data transfer, with the goal of improved performance. It supports multiple streams within a single TCP connection, compresses the HTTP headers, and allows for prioritization of requests.

Because requests are interleaved on a single channel, the efficiency of TCP is much higher: fewer network connections need to be made, and fewer, but more densely packed, packets are issued. These benefits would specifically help in the mobile use case, given the typical slower mobile connection.

F5 provides a SPDY gateway in TMOS to convert SPDY requests to HTTP to backend web servers. This takes advantage of the optimizations without requiring disruptive and potentially costly upgrades to application infrastructure.

Web performance optimization

BIG-IP Application Acceleration Manager solves web content delivery issues by modifying the data and reducing the number of round trips required to fully display a web page. The result is significantly decreased download times, reduced bandwidth usage, and lower costs for using enterprise web applications in remote office and mobile deployments.

Mobile users face additional challenges due to the proliferation of different types of mobile devices, from smartphones to tablets, which have different operating systems and browsers. The additional latencies due to the extra hop from cell towers and WiFi hotspots make matters worse. Users end up with a range of page download times, all which are typically worse than what users get at the office or home.

To resolve these performance issues, BIG-IP Application Acceleration Manager uses a number of techniques to improve the end user experience. These optimizations do not require any server side installations, client side software, or changes to users’ browsers.


6

Devices

Devices

Before F5

With F5

JPG

CSS

HTML

Web Applications

Web Applications

JPGCSSHTML

Application Delivery Optimization reduces the number of round trips required to deliver a web application.



• Intelligent Browser Referencing™—Reduces the number of requests and speeds page rendering times by managing object expiration dates and storing frequently requested objects in the browser cache. Ensures that the browser only downloads truly dynamic and unique content by eliminating the download of repetitive data and browser conditional requests for static data that is incorrectly considered dynamic.

• Content reordering—Optimizes the order of when JavaScripts and Cascading Style Sheets (CSS) are loaded to speed up the appearance of page rendering.

• Content inlining—Reduces the number of requests by inlining JavaScripts, CSS, and images directly into HTML, eliminating the need to perform additional GET requests. This optimization is beneficial for content that will be viewed only once or for mobile devices that have limited cache sizes.

• MultiConnect—A form of domain sharing that enables browsers to open more simultaneous connections between the browser and web application for increased parallel data transfers. MultiConnect is extremely effective on high latency/high bandwidth networks such as satellite and mobile networks.

• Dynamic linearization—Enables users to display PDF pages or jump to specific pages and view them without having to wait for the entire document to download first.

Dynamic Data Reduction (DDR) reduces bandwidth utilization and improves page load times by reducing the amount of data that needs to traverse the WAN or Internet. F5 BIG-IP Application Acceleration Manager offers the following DDR functions:

• Image optimization—Reduces size of images by lowering the quality, stripping out unnecessary metadata, and converting the image format. For mobile devices, this optimization can be more beneficial given the smaller screen sizes and slower mobile connections.


7

• Minification—Removes white space and comments from JavaScripts and Cascading Style Sheets, reducing the size of the files. Useful for situations where compression cannot be performed.

• Dynamic caching—Caches data that may seem dynamic (contains query parameters, cookies, or session IDs) but is actually static data or changes in an identifiable pattern. By fully inspecting every aspect of HTTP requests, controlling caching behavior, and invalidating cached data, BIG-IP Application Acceleration Manager caches a high percentage of data from dynamic web applications while maintaining proper application behavior. BIG-IP AAM cache can scale up to 1 TB, depending on the hardware platform.

• Dynamic compression—Compresses dynamic data from web applications and ensures that compression is used only when it will improve performance. Dynamic compression is different from standard compression implementations because of its high efficiency and its ability to avoid widespread browser compression bugs. Even dynamic content requiring unique session IDs within every link on the page can be delivered and compressed, often with zero compression overhead.

F5 Application Ready SolutionsF5 works with some of the world’s largest software vendors to bring you F5 Application Ready Solutions, a complete set of resources that simplifies the design, deployment, and management of your applications across the network. F5 Application Ready Solutions are designed, engineered, tested, and documented with BIG-IP Application Acceleration Manager—along with F5’s integrated product line—in a variety of real-world environments.

F5 Application Ready Solutions reduce the time, money, and errors associated with deploying and managing mission-critical, enterprise applications. Only F5 offers this comprehensive set of essential, application-specific tools.

Application acceleration policies

Pre-defined, validated web acceleration policies enable you to quickly configure and deploy BIG-IP Application Acceleration Manager to optimize your application acceleration right from the start. These policies can be used as built-in templates to enable you to customize BIG-IP AAM for your specific web applications.

Validated web application acceleration policies that ship with BIG-IP AAM include Microsoft SharePoint, Oracle Portal, SAP Portal, Microsoft Office Outlook Web Access, Oracle E-business Suite 11 and 12, Oracle Siebel CRM, and many more. Generic policies are also available for custom and less common applications that do not have a pre-defined policy. BIG-IP AAM configurations and policies can also be managed and updated using F5 iApps® templates.

Application Ready Solution guides

Each specific Application Ready Solution guide provides a comprehensive overview, details how to ease your application deployment, and shows you the specific results you can achieve with your BIG-IP Application Acceleration Manager implementation.


8

Deployment guides

Detailed, step-by-step procedures walk you through deployment from day one. Every procedure has been thoroughly tested and optimized in real-world environments to achieve top performance. Each deployment guide contains a comprehensive set of configuration scenarios to cover your specific needs.

Active user community

An active, collaborative community on F5 DevCentral™ offers feedback, documents, and tips for a successful deployment. Dedicated Application Ready Solution pages provide application-specific content, including downloads, help and forum discussions, links to related podcasts, and more.

Flexible Deployment OptionsBIG-IP Application Acceleration Manager can be deployed in multiple modes to suit your existing infrastructure and network topology, and to simplify deployment.

Core and advanced acceleration options

BIG-IP Application Acceleration Manager Core offers acceleration as a core component of BIG-IP® Local Traffic Manager™ (LTM). Compression, Bandwidth Controller, F5 iSession® network tunneling, and SPDY gateway capabilities are available as part of every BIG-IP LTM platform. The full BIG-IP Application Acceleration Manager product provides advanced application protocol optimizations.

Cost-effective asymmetric deployment

BIG-IP Application Acceleration Manager can be placed in the data center in an asymmetric deployment to achieve performance improvements of two to five times. In addition, deploying in a remote site for caching offload can speed up local requests for specific recurring high volume data and applications. Unique to BIG-IP AAM, asymmetric web acceleration offers immediate, significant return on investment (ROI) for a moderate investment.

Asymmteric topologies can be either inline or one-armed. When deploying in an inline topology, BIG-IP Application Acceleration Manager is installed in the data path behind the WAN router, in either a routed or bridged configuration.

With one-arm mode using policy-based routing (PBR), BIG-IP Application Acceleration Manager can be deployed to optimize traffic based on specific policies on the router, making this deployment method extremely flexible for application needs. One-arm mode using the Cisco-developed Web Cache Control Protocol v2 (WCCP) and other methods can be used to deploy BIG-IP devices with a single connection to a switch or router. With WCCP support there is no need to change network topology.

Symmetric deployment for maximum acceleration

Symmetric deployments can provide acceleration of up to 10 times over unaccelerated applications. In a symmetric implementation, BIG-IP Application Acceleration Manager is deployed at the data center and at one or more key remote locations or data centers. By serving unchanged content directly from the remote device, symmetric acceleration further eliminates the effects of high latency connections. The result is maximum performance


9

acceleration and additional decreases in bandwidth usage. The role of the device whether it is fronting an application or remote from an application can be configured on a per application basis not on a per device basis.

As the foundation for site-to-site communication, the F5 iSession network tunneling feature secures and accelerates data traveling over the WAN. Any two BIG-IP devices can be deployed symmetrically to create a site-to-site secure connection to improve transfer rates, reduce bandwidth, and offload encryption for more efficient WAN communication. Through iSession, all data can be symmetrically encrypted between two BIG-IP devices using either SSL or IPsec, providing site-to-site data security. SSL throughput is based on the level of your BIG-IP hardware platform.

Clustering to scale

BIG-IP Application Acceleration Manager devices can be clustered to create very large arrays to scale capacity as your web application acceleration needs grow.

Creating a private content delivery network (CDN)

Many organizations may choose not to use commercial content delivery network (CDN) providers because their content is internal, dynamic, and confidential or they do not want to pay the recurring costs. Deployed symmetrically in conjunction with other F5 solutions, BIG-IP Application Acceleration Manager enables your organization to create its own private enterprise CDN. This provides your enterprise websites with high availability and performance, content control, and denial-of-service (DoS) attack protection. It can also help you reduce OpEx costs and meet regulatory compliance.

E-commerce stand-in capability

When e-commerce web servers go down, BIG-IP Application Acceleration Manager can ensure high availability by “standing in” and continuing to serve static content that is already cached. BIG-IP AAM can prevent lost or abandoned shopping carts and hand off to financial transaction servers for processing.

Product module or standalone solution

BIG-IP Application Acceleration Manager is available as a product module on BIG-IP Local Traffic Manager or as a standalone solution on any of the hardware appliance platforms.

Acceleration and security in one

You can accelerate and secure web applications by running BIG-IP Application Acceleration Manager, BIG-IP® Access Policy Manager®, and BIG-IP® Application Security Manager™ concurrently on the same BIG-IP device. This saves the cost of extra hardware, rack space, and energy consumption, while simplifying deployment through consolidated and centralized access to the management interface.


10

Dynamic discovery

BIG-IP Application Acceleration Manager drastically reduces configuration time by discovering remote BIG-IP device peers and the networks that they serve. Once a remote BIG-IP device has been discovered and a secure connection is established, the BIG-IP device then updates available networks for WAN optimization. Servers and clients that communicate across the WAN can be added or removed, without having to reconfigure the BIG-IP devices.

The Power of the BIG-IP SystemBIG-IP Application Acceleration Manager, as part of the BIG-IP system family, includes the following features.

Performance dashboard

The performance dashboard offers a detailed “on-box” monitoring and reporting tool, giving administrators a quick look at real-time data, performance, and bandwidth gains for traffic optimized with BIG-IP Application Acceleration Manager. The easy-to-use GUI provides a faster, intuitive way to find the information you need: historical statistics, log based alerts, remote peer status, health statistics, and more.

The performance dashboard provides real-time data for traffic optimized with BIG-IP Application Acceleration Manager.

F5 TMOS plug-ins

Native integration with TMOS plug-ins gives BIG-IP Application Acceleration Manager faster performance and better stability under high load. This full compatibility with BIG-IP Clustered Multiprocessing (CMP®) enables it to run on multi-core systems.

iRules flexibility

F5 iRules, a TCL-based scripting language to control the behavior of BIG-IP devices, can be used with BIG-IP Application Acceleration Manager. An example is using an iRule to eliminate round trips due to URL redirection. The iRule would detect URL redirects and serve the “final” URL content, reducing the additional round trips from browser to web server.


11

NTLM authentication support

The NTLM authentication protocol requires frequent re-authentication with the application server and can significantly affect web application performance. Native NTLM authentication optimization is now part of the TMOS OneConnect™ feature, which enables greater performance scalability when accelerating NTLM-enabled web applications.

Resource provisioning

BIG-IP Application Acceleration Manager resource provisioning automatically allocates CPU, memory, and disk space for the modules licensed on the BIG-IP system, based on the provisioning options chosen. This makes optimal system resource allocation easier, and an enhanced UI provides graphical representation of the allocations. Often BIG-IP modules can be enabled without requiring a system reboot.

Evaluation licensing

For existing BIG-IP customers, this feature enables customers to evaluate BIG-IP Application Acceleration Manager and other BIG-IP product modules without needing to re-license the BIG-IP device.

Logical Volume Manager (LVM)

Unlike normal disk storage, Logical Volume Manager (LVM) virtualizes physical disks into logical volumes that allow disk partitions to be resized as needed without having to reinstall TMOS or requiring system downtime in order to migrate data to a larger disk partition. The result is increased flexibility and improved performance for BIG-IP Application Acceleration Manager disk-based cashing.


12

BIG-IP Application Acceleration Manager PlatformsBIG-IP Application Acceleration Manager is available on hardware appliances or VIPRION® modular chassis and blade systems designed specifically for application delivery. F5 systems enables simple on-demand scalability as your Application Delivery Network grows. See the BIG-IP System Hardware and VIPRON Datasheets for specifications and details.

Virtual PlatformBIG-IP Application Acceleration Manager Virtual Edition (VE) offers the flexibility of a virtual software solution for web performance optimization. Running on your choice of hypervisor and hardware, BIG-IP AAM VE can help you meet the needs of your virtualized environment in the data center or at remote sites.

The BIG-IP Application Acceleration Manager ArchitectureRunning as a module on BIG-IP Local Traffic Manager or as a standalone appliance, BIG-IP

Application Acceleration Manager uses F5’s unique, purpose-built TMOS operating system.

TMOS is an intelligent, modular, and high-performing full proxy operating system that

optimizes, secures, and accelerates your web applications.

BIG-IP Application Acceleration Manager Core features include:

· Symmetric adaptive compression

· SPDY gateway

· Bandwidth Controller

· Dynamic compression

· Caching

· Compression

· TCP Express

· OneConnect

BIG-IP Application Acceleration Manager features include:

· Intelligent Browser Referencing (IBR)

· Image optimization

· Content reordering

· Dynamic caching/deduplication

· Multi-protocol optimizations (HTTP, FTP, MAPI, UDP)

· Forward error correction

· Parking Lot (GET request queuing)

· MultiConnect

· PDF Dynamic Linearization

· Pre-defined and generic acceleration policies for ease of configuration

· Performance dashboard

· Flexible deployment (symmetric and asymmetric)

· Scalable clustering

· E-commerce stand-in capability

· BIG-IP APM, ASM, and AAM layering

· iApps support

13



More InformationTo learn more about BIG-IP Application Acceleration Manager, use the search function on f5.com to find these and other resources.

White paper

Application Delivery Optimization

Blogs

Programmable Cache-Control: One Size Does Not Fit All

Random Acts of Optimization






©2013 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. CS03-2294 0513



http://www.f5.com/pdf/white-papers/application-delivery-optimization-wp.pdf

https://devcentral.f5.com/blogs/us/programmable-cache-control-one-size-does-not-fit-all

https://devcentral.f5.com/blogs/us/random-acts-of-optimization

http://www.f5.com





Scaling and securing every environment helps protect your business from site outages and improves DNS and application performance. Securing DNS infrastructures from the latest DDoS attacks and protecting DNS query responses from cache poisoning helps keep your online business running and viable. But to fully achieve these goals, organizations need an efficient way to monitor DNS infrastructure and application health, and scale on demand to meet exact requirements.

F5® BIG-IP® Global Traffic Manager™ (GTM) distributes DNS and user application requests based on business policies, data center and network conditions, user location, and application performance. BIG-IP GTM delivers F5’s high-performance DNS Services with visibility, reporting, and analysis; scales and secures DNS responses geographically to survive DDoS attacks; delivers a complete, real-time DNSSEC solution; and ensures global application high availability.

Key benefits

Scale DNS to more than 10 million RPS with a fully-loaded chassis BIG-IP GTM dramatically scales DNS to more than 10 million query RPS and controls DNS traffic. It ensures that users are connected to the best site, and delivers On-Demand Scaling for DNS and global apps.

Gain control and secure global application delivery Route users based on business, geolocation, application, and network requirements to gain flexibility and control. Also ensure application availability and protection during DNS DDoS attacks or volume spikes.

Improve application performance Send users to the site with the best application performance based on application and network conditions.

Deploy flexibly, scale as you grow, and manage your network efficiently BIG-IP GTM Virtual Edition (VE) delivers flexible global application management in virtual and cloud environments. Multiple management tools give you complete visibility and control; advanced logging, statistics and reporting; and a single point of control for your DNS and global app delivery resources.

Scale and Protect DNS Infrastructure and Optimize Global App Delivery

BIG‑IP Global Traffic Manager DATASHEET

What’s Inside

2 Unmatched DNS Performance

2 DNS Caching and Resolving

3 Secure Applications

5 Globally Available Applications

8 Simple Management

11 Network Integration

13 Architecture

14 BIG-IP GTM Platforms

14 VIPRION Platform

15 Virtual Platform

15 DNS On-Demand Scaling

15 Easy DNS with GSLB Evaluation and Testing

16 DNS Query RPS Maximum Performance

17 F5 Services

17 More Information

DATASHEET BIG-IP Global Traffic Manager

2

Unmatched DNS PerformanceBIG-IP GTM delivers DNS performance that can handle even the busiest sites. This helps your organization provide the best quality of service for your users while eliminating poor application performance.

When sites have a volume spike in DNS query volumes due to legitimate requests or distributed denial of service (DDoS) attacks, BIG-IP GTM manages requests with multicore processing and DNS Express™, dramatically increasing DNS performance to more than 10 million responses per second (RPS) to quickly respond to all queries. DNS Express improves standard DNS server functions by offloading DNS functions as a secondary DNS server. BIG-IP GTM zone transfers DNS records from the authoritative DNS server and answers DNS queries—delivering exponential performance improvements that optimize DNS infrastructures, and scaling to protect against DDoS attacks.

Benefits and features of multicore processing and DNS Express include:

• High-speed response and DDoS attack protection with in-memory DNS

• Authoritative DNS serving out of RAM

• Configuration size for tens of millions of records

• Scalable DNS performance

• Consolidate DNS servers

DNS Caching and ResolvingBy enabling a DNS cache on BIG-IP GTM, the number of DNS queries and the latency can be further reduced by having BIG-IP GTM respond immediately to client requests. BIG-IP GTM can consolidate the cache and increase the cache hit rate. This reduces DNS latency up to 80 percent, with DNS caching reducing the number of DNS queries for the same site within a short period of time. In addition to caching, adding resolver functions to BIG-IP GTM allows the device to do its own DNS resolving without requiring the use of an upstream DNS resolver.

Caching profiles available to select for multiple caches include:

• Transparent cache

• BIG-IP GTM site in between client and DNS internal/external

• Hot cache

• Caching resolver

• No cache response so that BIG-IP GTM sends out the request with the response coming back for resolving and caching

• Validating caching resolver

BIG-IP GTM supports all common DNS deployments that are either authoritative or local resolver DNS.


3

Data Center 1

Private/PublicCloud

Data Center 2Internal Clients

BIG-IP Platform

GTM

BIG-IP GTM reduces the average DNS response time for mobile devices and PCs from an average of 300 milliseconds (ms) and 100 ms respectively to just 15 ms. For context, 400 ms is the blink of an eye.

Secure ApplicationsDNS denial-of-service attacks, cache poisoning, and DNS hijacking threaten the availability and security of your applications. BIG-IP GTM protects against DNS attacks and enables you to create polices that provide an added layer of protection for your applications and data.

Hardened device

All BIG-IP devices are ICSA network firewall certified, allowing for BIG-IP GTM to be deployed as a firewall in the DMZ zone. BIG-IP GTM is designed to resist common attacks by thwarting teardrop attacks, by protecting itself and servers from ICMP attacks, and by not running SMTPd, FTPd, Telnetd, or any other attackable daemons.

DNS attack protection

Built-in protocol validation automatically drops UDP floods and malformed packets. The protocol validation filter accepts only valid queries for processing. The unmatched performance of DNS Express in BIG-IP GTM can tolerate high levels of DNS attacks—to more than 10 million RPS depending on device—protecting your organization while still maintaining maximum and continuous availability for applications and services.

DNS load balancing

BIG-IP GTM can be used to front-end a pool of static DNS servers. If the DNS request is for a name controlled by BIG-IP GTM, BIG-IP GTM will answer the request. If not, BIG-IP GTM can load balance the request to a pool of DNS servers, providing very high DNS query response performance for static DNS.

Security control

Administrators can strengthen site security and diffuse attacks before they start with BIG-IP GTM. iRules® can help you create policies that block DNS requests from rogue sites or known sources of attacks before they can do damage.


4

Packet filtering

BIG-IP GTM uses packet filtering to limit or deny access to and from websites based on monitoring the traffic source, destination, or port.

DNS firewall

DNS DDoS, cache poisoning of LDNS, and other unwanted DNS attacks and volume spikes can cause DNS outage and lost productivity. These attacks and traffic spikes increase volume dramatically and can take down DNS servers.

BIG-IP GTM with security, scale, performance, and control functionality provides DNS firewall benefits. It shields DNS from attacks and other undesired DNS queries and responses that reduce DNS performance.

F5 DNS firewall services include:

• Protocol inspection and validation

• DNS record type ACL*

• DNS load balancing

• High-performance DNS cache

• High-performance DNS slave scales responses dramatically

• Stateful inspection (never accepts unsolicited responses)

• ICSA certified (can be deployed in the DMZ)

• Ability to scale across devices using IP Anycast

• Secure responses (DNSSEC)

• DNSSEC responses rate limits

• Complete DNS control using DNS iRules

• DDoS threshold alerting*

• DNS logging and reporting

• Hardened F5 DNS code (not BIND protocol)

*Requires provisioning BIG-IP® Advanced Firewall Manager™ to access functionality.

Internal Clients

LDNSDNS Firewall in BIG-IP Platform

GTM

DMZ Data Center

Servers

WebApplications

Internet

BIG-IP GTM keeps DNS available with firewall services protecting DNS infrastructure from high- volume attacks and malformed packets.

BIG-IP Platform

GTM

BIG-IP Platform

GTM


5

Complete DNSSEC

With BIG-IP GTM DNSSEC support, you can digitally sign and encrypt your DNS query responses. This enables the resolver to determine the authenticity of the response, preventing DNS hijacking and cache poisoning. These signed DNS responses are used in conjunction with the BIG-IP GTM intelligent DNS system so you receive all the benefits of global server load balancing while also securing your DNS query responses. Alternatively, you can use BIG-IP GTM in front of traditional DNS servers to easily deploy and load balance DNSSEC within your existing infrastructure.

Centralized DNSSEC key management

Many IT organizations have or want to standardize on FIPS-compliant devices and secure DNSSEC keys. You can use BIG-IP GTM with FIPS cards that provide 140-2 support for securing your keys. In addition, BIG-IP GTM integrates and uses Hardware Security Modules (HSMs) from Thales for implementation, centralized management, and secure handling of DNSSEC keys, delivering lower OpEx, consolidation, and FIPS compliance. DNSSEC capabilities are now included with many of the latest platforms for fast implementation with Thales HSMs.

Top-level domain support for DNSSEC

For DNS administrators who want to delegate to other secure sub-domains, BIG-IP GTM allows easy management of DNSSEC as a top-level domain, becoming a parent zone.

DNSSEC validation

In most networks, DNS resolvers offload DNSSEC record requests and crypto calculations to validate that the DNS response being received is correctly signed. DNSSEC responses coming into the network requires high CPU loads on DNS resolving servers. With BIG-IP GTM DNSSEC validation, administrators can easily offload and validate DNSSEC on the client side using BIG-IP GTM for resolving. This results in superior DNS performance and a dramatic increase in the site response to end users.

Globally Available ApplicationsOrganizations rely on applications to stay competitive, so ensuring global availability is critical. BIG-IP GTM offers sophisticated health monitoring that supports a wide variety of application types, giving organizations the flexibility to adapt quickly and stay competitive.

Global load balancing

User experience suffers when organizations with distributed data centers are unable to allocate global traffic by routing the user to the best and closest data center based on specific business policies. Changing network and user conditions can overwhelm a data center during peak traffic times. BIG-IP GTM provides comprehensive, high-performance application management services that support evolving application requirements.

Dynamic ratio load balancing

BIG-IP GTM routes users to the best global resource based on comprehensive site and network metrics. For example, the quality of service (QoS) load balancing mode includes a hops coefficient, based on the number of hops between the client and the local DNS.

Advanced global load balancing

BIG-IP GTM includes the industry’s most advanced traffic distribution capabilities to match the needs of any organization or globally deployed application.

· Round robin

· Global availability

· LDNS persistence

· Application availability

· Geography

· Virtual server capacity

· Least connections

· Packets per second

· Round trip time

· Hops

· Packet completion rate

· User-defined QoS

· Dynamic ratio

· LDNS

· Ratio

· Kilobytes per second


6

Managers can use hop rate to send the user to the data center that requires the fewest hops, ensuring more rapid access. Dynamic Ratio load balancing mode solves the problem of

“winner takes all” common to other global traffic management systems. Dynamic Ratio sends a portion of traffic to the best performing site, second best performing site, and so on—in proportion to the health and performance of network and server resources.

Wide area persistence

User connections can persist across applications and data centers and be automatically routed to the appropriate data center or server, based on application state. BIG-IP GTM synchronizes persistence information across all devices, ensuring that users are directed back to the same site regardless of their entry point. Finally, it propagates the desired persistence information to local DNS servers, reducing the required frequency of synchronizing back-end databases. Session integrity is always maintained, with no more broken sessions or lost or corrupted data. The result is improved application performance and more efficient use of your infrastructure.

Geographic load balancing

Determining the location of users is critical to ensuring they are connected to the best data center and served the right content. BIG-IP GTM includes an IP geolocation database from a third-party vendor to accurately identify exactly where a user is located. Each IP can be located at the continent, country, and state/province level to enable very granular traffic policies and improve application performance.

Custom topology mapping

BIG-IP GTM offers organizations deploying intranet applications the ability to set up custom topology mappings. By defining and saving custom region groupings, you can configure topology based on traffic distribution policies that match your internal infrastructure.

Infrastructure monitoring

BIG-IP GTM checks the health of the entire infrastructure, eliminating single points of failure and routing traffic away from poorly performing sites. By collecting performance and availability metrics from data centers, ISP connections, servers, caches, and user content, BIG-IP GTM ensures high availability and adequate capacity prior to directing traffic to a site.


7

User – Seattle

Site 1 – San Francisco

Corporate Servers

Router BIG-IP Platform

GTM

BIG-IP Platform

LTM

2

3

1

4

Corporate Servers


GTM

BIG-IP Platform

LTM

Corporate Servers


GTM

BIG-IP Platform

LTM

Site 2 – New York

Site 3 – Milan

BIG-IP GTM ensures users are always connected to the best site (see illustration).

(1) User queries local DNS to resolve domain, and local DNS queries BIG-IP GTM.

(2) BIG-IP GTM uses metrics collected for each site and identifies the best server.

(3) BIG-IP GTM responds to local DNS with IP address.

(4) User is connected to site.

Application health monitoring

Today’s sophisticated applications require intelligent health checks to determine availability. Instead of relying on a single health check, BIG-IP GTM aggregates multiple monitors so you can check the application state at multiple levels. This results in highest availability, improved reliability, and the elimination of false positives to reduce management overhead.

BIG-IP GTM provides pre-defined, out-of-the-box health monitoring support for more than 18 different applications, including SAP, Oracle, LDAP, and mySQL. BIG-IP GTM performs targeted monitoring of these applications to accurately determine their health, reduce downtime, and improve user experience. It also allows you to group related objects so that if one application fails, other apps that depend on it will be marked out of


8

service. This enables you to align and monitor application objects according to business logic and profitability, build scalable traffic distribution policies, and better manage application dependencies.

Disaster recovery/business continuity planning

In addition to performing comprehensive site availability checks, you can define the conditions for shifting all traffic to a backup data center, failing over an entire site, or controlling only the affected applications.

Simple ManagementManaging a distributed, multiple-site network from a single point is an enormous challenge. BIG-IP GTM provides tools that give you a global view of your infrastructure with the means to manage the network and add polices to ensure the highest availability for your business-critical applications.

Web-based user interface

BIG-IP GTM provides a simple way for your organization to manage its global infrastructure from a centralized location:

• Efficient list and object management for complete visibility of global resources

• Unique naming of global objects to reduce administration and build the infrastructure around business policies

• Sorting and searching for fast access to global objects

• Streamlined setup and object creation to reduce configuration times

• Enhanced management of distributed applications as part of one collective group

• Context-sensitive help for information on objects, commands, and configuration examples

Powerful command line interface

TMSH, a tree-based command line interface for BIG-IP GTM, has integrated search, context-sensitive help, and batch-mode transactions. By providing a shell that is simple to navigate and enabling you to script complex commands, TMSH can significantly reduce management time.

Automated setup and synchronization

Autosync automates setup and secure synchronization of multiple BIG-IP GTM devices. With Autosync, you can make configuration changes from any BIG-IP GTM device in the network, eliminating difficult hierarchical management common to DNS.

Scalable and optimized configurations

For IT organizations with numerous GSLB configurations, Incremental Sync delivers high-performance optimizations for large deployments. With more devices in a sync group, administrators will notice that configuration changes are reflected faster across sync groups. Incremental Sync delivers GSLB configuration scalability. For large deployments with GSLB configurations and rapid user changes, you can completely protect changes by manually saving when most convenient.


9

Configuration retrieval

AutoDiscovery enables BIG-IP GTM retrieve configurations from any number of distributed BIG-IP systems, removing the need to repeat configurations across devices.

Data center and sync groups

BIG-IP GTM enables you to create logical groups of network equipment to ensure the efficient use of monitoring and metrics collection. The result is a highly optimized solution that can support the Internet’s busiest sites by intelligently sharing the information with members in the logical group.

Distributed application management

Organizations often struggle to align their applications and infrastructure with their business goals and policies. BIG-IP GTM gives you the ability to define dependencies between application services and manage them as a group. With distributed application management, you can build scalable traffic distribution policies and improve efficiency with granular control of data center objects.

iRules

Using F5’s event-driven iRules®, you can customize the dynamic distribution of global traffic. BIG-IP GTM looks deep inside DNS messages to distribute application traffic to the desired data center, pool, or virtual server. This capability reduces latency, increases protection against malicious attacks, and improves application performance. Because iRules is based on an easy-to-use, TCL-based scripting language, administrative costs are nominal.

Customize traffic with QoS

DNS administrators wanting to design traffic decisions based on quality of service (QoS) metrics can easily develop custom load balancing algorithms using QoS metrics in iRules. These allow you to develop algorithms that use round trip time, hops, hit ratio, packet rate, bits per second, virtual server capacity, topology, virtual server score, and link capacity for unique and customized traffic requirements.

DNS iRules

You can easily manage DNS queries, responses, and actions for a fast, customized DNS infrastructure using DNS iRules. For instance, you can configure DNS iRules with filtering capabilities by using packet filters and query logging to enable protection and reporting of DNS. Because BIG-IP GTM can configure DNS iRules to manipulate DNS packets, administrators can add commands enabling dynamic DNS query and response management.

ZoneRunner

ZoneRunner™ is an integrated zone file management tool that simplifies DNS zone file management and reduces the risk of misconfiguration. It provides a secure environment in which to manage your DNS infrastructure while validating and error-checking zone files.Built on the latest version of BIND, ZoneRunner provides:

• Auto population of commonly used protocols

• Validation/error checking for zone file entries

• Rollback for the last transaction


10

• Command line versions of zone management

• Zone importation from an external server or a file

• Automatic reverse lookups

• Easy creation, editing, and searching of all records

• Easy management of Name Authority Pointer (NAPTR) records for LTE and 4G requirements

DNS health monitor

BIG-IP GTM deployed inline easily manages and load balances DNS servers. The DNS health monitor available in BIG-IP GTM and BIG-IP® Local Traffic Manager™ (LTM) monitors DNS server health and helps configure DNS based on reporting. The DNS health monitor detects if the servers are operating at peak performance or not and helps in reconfiguring for optimal responses.

For example, when monitoring outbound DNS responses, BIG-IP GTM receives valid response from the DNS server sending an outbound query response. Or, in another example, if no devices answer a DNS request, the DNS monitor will check the path to see if the DNS infrastructure is working.

High speed logging

You can easily manage DNS and global app logging for fast network visibility and planning. By improving data information with high speed logging of DNS queries and responses, syslog, and global server load balancing decision logs, high speed logging enables fast network recognition with quick, deep search and display. For key network critical functions, there is centralized data recognition of all logs for destinations, formats, alerts, and more.

Enhanced DNS detailed statistics

BIG-IP GTM delivers advanced DNS statistics for administrators with enhanced detailed data for profiles such as query type counts (A, CNAME, NS, RRSIG, AAAA, SRV and “other” types) with requests, responses, and percentage counts. Stats are per profile and per device global count for fast visibility and planning of DNS delivery infrastructure. DNS detail stats are viewable in DNS profile or in analytics reporting.

GUI statistics show rated capacity of instances like query RPS and object limits for DNS. This delivers reporting such as A requests, AAAA requests, and DNS resolutions for use in capacity planning for DNS. On viewing current statistics, administrators can choose to purchase more capacity to deploy the exact capability they require.

Advanced DNS reporting and analytics

F5 Analytics provides advanced DNS reporting and analysis of applications, virtual servers, query names, query types, client IPs, top requested names, and more for business intelligence, capacity planning, ROI reporting, troubleshooting, performance metrics, and tuning, enabling maximum optimization of the DNS and global app infrastructure. Thresholds can be set for some of the statistics, and an alert can be delivered via syslog, SNMP, or email when the threshold is exceeded. You can export the data off-box to a third-party remote logging/reporting engine for enhanced analysis.


11

Administrators can easily manage DNS using analytics with advanced reporting and analysis of actions for fast visibility of DNS delivery and infrastructure.

F5 Enterprise Manager

Enterprise Manager™ can help you significantly reduce the cost and complexity of managing multiple F5 devices. You gain a single-pane view of your entire application delivery infrastructure and the tools you need to reduce deployment times, eliminate redundant tasks, and efficiently scale your infrastructure to meet your business needs.

Network IntegrationBIG-IP GTM is designed to fit into your current network and into your plans for the future.

SNMP management application support

BIG-IP GTM integrates its MIBs and an SNMP agent with DNS. This enables SNMP management applications to read statistical data about the current performance of BIG-IP GTM. SNMP management packages have an exact view of what BIG-IP GTM is doing, while keeping an eye on standard DNS information.

Third-party integration

BIG-IP GTM communicates and integrates with a broad array of network devices. This includes support for various types of remote hosts, including SNMP agents: UCD, snmpd, Solstice Enterprise, and the NT/4.0 SNMP agent. BIG-IP GTM also talks to third-party caches, servers, routers, and load balancers to accurately diagnose the health of your network endpoints and provide a heterogeneous solution for global traffic management.


12

IPv6/IPv4 support

BIG-IP GTM supports next-generation IPv6 networks, resolving AAAA queries without requiring wholesale network and application upgrades.

As IPv6 adoption grows, BIG-IP GTM eases the transition to IPv6 by bridging the gap between IPv6/IPv4 DNS. The DNS translation between IPv6 and IPv4 networks is seamless as BIG-IP GTM provides DNS gateway and translation services for hybrid IPv6 and IPv4 solutions, and manages IPv6 and IPv4 DNS servers in DNS64 environments. For AAAA queries from clients, BIG-IP LTM configured with NAT64 transforms IPv6 to IPv4 for those IPv4-only environments. The response data is sent to the client from NAT64 using IPv6. BIG-IP GTM enables the customer to run pure internal IPv6 and maintain connectivity to IPv6/IPv4 Internet.

IP Anycast integration

BIG-IP GTM and IP Anycast integration increases DNS performance as more devices are added to support millions of DNS queries. DNS query volumes directed to one IP address, whether legitimate or during a denial-of-service (DoS) attack, are easily managed by distributing the load among multiple geographic BIG-IP GTM devices with an IP Anycast integration. Administrators scale DNS infrastructure up and out to manage DNS request load to one IP, increasing revenue by servicing more users and protecting brand with trustworthy query response.

Network managers realize these benefits:

• Improved user performance and reliability

• Reduced network latency for DNS transactions

• Fewer queries routed to distant servers

• Lower rates of dropped query packets, reducing DNS timeouts/retries

• Fewer congested routers

BIG-IP Platform

GTM

BIG-IP Platform

GTM

BIG-IP GTM and IP Anycast integration distributes the DNS request load by directing single IP requests to multiple local devices.


13

Global server load balancing in virtual and cloud environments

Easily spin up new deployments of global server load balancing with BIG-IP GTM Virtual Edition (VE) standalone or BIG-IP GTM running on BIG-IP LTM VE. Provide flexible global application availability by routing users to applications in data centers, managing Internet SaaS and outsourced applications, or directing users to the most available cloud applications.

ArchitectureThe advanced architecture of BIG-IP GTM gives you total flexibility to control application delivery without creating traffic bottlenecks.

TMOS

At the heart of BIG-IP GTM is the F5 operating system, TMOS®, that provides a unified system for optimal application delivery, giving you total visibility, flexibility, and control across all services. TMOS empowers BIG-IP GTM to integrate with other F5 products and intelligently adapt to the diverse and evolving requirements of applications and networks.

Query and response performance and scalability

BIG-IP GTM query and response performance scales linearly on larger platforms and increases performance by integrating functions in TMOS.

BIG-IP GTM is provisionable for platforms that support F5 virtual Clustered Multiprocessing (vCMP®).

14


BIG‑IP GTM PlatformsBIG-IP Global Traffic Manager is available as a standalone appliance on the platforms listed below, and for BIG-IP GTM Virtual Edition. It is available as an add-on module for BIG-IP Local Traffic Manager (LTM) on any BIG-IP platform, including the VIPRION® carrier-class chassis, and for BIG-IP LTM Virtual Edition. For detailed specifications, refer to the BIG-IP System Hardware Datasheet.

VIPRION PlatformBIG-IP Global Traffic Manager is also available as an add-on module to BIG-IP Local Traffic Manager on the modular VIPRION system. This chassis and blade architecture enables simple scalability as your Application Delivery Network grows. See the VIPRION Datasheet for details.

image to come

11050 Series (NEBS Optional) 10200 Series

BIG-IP GTM VE2200/2000 Series 1600 Series

4200 Series 3900 Series5200 Series

7200 Series 6900 FIPS and NEBS Series

3600 Series

VIPRION 2100 BladeVIPRION 4300 Blade VIPRION 4200 Blade

VIPRION 2400 ChassisVIPRION 4480 ChassisVIPRION 4800 Chassis



http://www.f5.com/pdf/products/big-ip-platforms-ds.pdf


15


Virtual PlatformBIG-IP Global Traffic Manager Virtual Edition (VE) offers flexibility of a virtual BIG-IP system. Supported on several leading hypervisors and selected cloud environments, BIG-IP GTM VE can help meet the needs of your virtualized environment.

BIG-IP GTM VE

Hypervisors:

VMware vSphere ESX/ESXi 4.0 U1, 4.1 U2 and ESXi 5.0 U1, 5.1 and vCloud Director 1.5

Citrix Xen Server 5.6 SP2 and 6.0

Community Xen 3.0 on CentOS 5.9 and Community Xen 4.2 on Fedora 18

KVM on Red Hat Enterprise Linux 6.3 and CentOS 6.3

Microsoft Hyper-V on Windows Server 2008 R2 SP1 and Windows 2012 R2

Amazon EC2

BIG-IP Virtual Edition is also available as an Amazon Machine Image for use within Amazon Web Services.

DNS On‑Demand Scaling Administrators have the option to add DNS and GSLB On-Demand Scaling with rate-limit and object limit capacity as desired to BIG-IP GTM or LTM appliances. This option supports requirements for exact traffic performance, resulting in lower CapEx and OpEx. On-Demand Scaling includes the following services: DNS, GSLB, DNSSEC, and Advanced Routing. User interface statistics show rated capacity of instances, such as query RPS and object limits, which deliver fast traffic detail for easy capacity planning. Contact your regional F5 sales representative or reseller for more information.

Easy DNS with GSLB Evaluation and Testing With the latest version of BIG-IP LTM, you can select DNS Lite, a performance-limited and free provisioning option with full DNS and GSLB capabilities for fast evaluation and testing. This invaluable option requires no evaluation keys or time limits for in-depth traffic performance and management analysis. Customers wanting to move to production deployment must purchase an appropriate BIG-IP GTM solution.

16


Platform Max Query RPS

Virtual Edition 250,000

1600 320,000

2000s 170,000

2200s 345,000

3600 N/A

3900 815,000

4000s 350,000

4200v 700,000

5000s 615,000

5200v 1,230,000

7000s 720,000

7200v 1,440,000

8900 N/A

8950 1,965,000

10000s 800,000

10200v 1,600,000

11000 N/A

11050 2,160,000

VIPRION 2100 Blade 1,000,000

VIPRION 2400 Full-Chassis (4 Blades) 4,000,000

VIPRION 4200 Blade 1,840,000

VIPRION 4300 Blade N/A

VIPRION 4480 Full-Chassis (4 Blades) N/A

VIPRION 4800 Full-Chassis (8 blades) N/A

Note: N/A indicates test results are not available at this time.

DNS Query RPS Maximum PerformanceBIG-IP GTM delivers DNS query response per second (RPS) with high performance scalability. The table below lists many BIG-IP platforms with DNS Express enabled for authoritative DNS query response with maximum capabilities per platform.

17



More InformationTo learn more about BIG-IP GTM, use the search function on f5.com to find these and other resources.

Datasheet

BIG-IP System Hardware Datasheet

White papers

The Dynamic DNS Infrastructure

Cloud Balancing: The Evolution of GSLB

Distributing Applications for Disaster Planning and Availability

DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks

F5 and Infoblox DNS Integrated Architecture

High-Performance DNS Services

Case study

SaaS Provider RelayHealth Delivers Innovative Healthcare Applications with F5 Solutions









http://www.f5.com


http://www.f5.com/pdf/white-papers/dynamic-dns-infrastructure-wp.pdf

http://www.f5.com/pdf/white-papers/cloud-balancing-white-paper.pdf

http://www.f5.com/pdf/white-papers/disaster-recovery-wp.pdf

http://www.f5.com/pdf/white-papers/dnssec-wp.pdf

http://www.f5.com/pdf/white-papers/infoblox-wp.pdf

http://www.f5.com/pdf/white-papers/dns-services-big-ip-v11-wp.pdf

http://www.f5.com/pdf/case-studies/relayhealth-cs.pdf

http://www.f5.com/pdf/case-studies/relayhealth-cs.pdf


http://www.f5.com




What’s Inside

2 Application Intelligence

3 Programmable Infrastructure

4 Scalable Infrastructure

5 BIG‑IP Platforms

5 BIG‑IP Virtual Edition

6 F5 Services

6 DevCentral

7 More Information

BIG-IP Local Traffic Manager DATASHEET

Applications drive innovation and profitability, allowing your business to leverage trends such as cloud computing, mobility, and software‑defined networks (SDN). Your IT department depends on your network infrastructure to meet the challenges of today— and tomorrow.

F5® BIG‑IP® Local Traffic Manager™ (LTM) helps you deliver your applications to your users, in a reliable, secure, and optimized way. You get the extensibility and flexibility of an intelligent services framework with the programmability you need to manage your physical, virtual, and cloud infrastructure. With BIG‑IP LTM, you have the power to simplify, automate, and customize applications faster and more predictably.

Key benefits

Deliver applications rapidly and reliably Ensure that your customers and users have access to the applications they need—whenever they need them.

Customize and automate with programmable infrastructure Control your applications—from connection and traffic to configuration and management—with F5’s unique TMOS® operating system, which includes native protocol support, an open‑management API, and an event‑driven scripting language.

Transition to SDN and cloud networks Realize operational consistency and comply with business needs across physical, virtual, and cloud environments with deployment flexibility and scalability.

Easily deploy and manage applications User‑defined F5 iApps® Templates make it easy to deploy, manage, and get complete visibility into your applications.

Secure your critical applications Protect the apps that run your business with industry‑leading SSL performance and visibility.

Application delivery with programmable infrastructure

DATASHEET BIG-IP Local Traffic Manager

2

Application Intelligence

Application Traffic Management

BIG‑IP LTM includes static and dynamic load balancing to eliminate single points of failure. Application proxies give you protocol awareness to control traffic for your most important applications. BIG‑IP LTM also tracks the dynamic performance levels of servers in a group, ensuring that your applications are not just always on, but are easier to scale and manage.

Secure Application Delivery

BIG‑IP LTM delivers industry‑leading SSL performance and visibility for inbound and outbound traffic, so you can cost‑effectively protect your entire user experience by encrypting everything from the client to the server. It also defends against potentially crippling DDoS attacks and provides ICAP services for integration with DLP and virus protection.


BIG‑IP LTM dramatically improves page load times and the user experience by making real‑time protocol and traffic‑management decisions based on application and server conditions, extensive connection management, and TCP and content offloading.

Application Visibility and Monitoring

You get more efficient troubleshooting, capacity planning, performance tuning, and optimization by monitoring exactly how your application is performing for real users based on application response time, network conditions, and user context. F5 Analytics captures application‑specific statistics reported at different levels of the service, such as URL, throughput, and server latency—with views per virtual servers, pools, and nodes. BIG‑IP LTM makes it simple to integrate with your existing tools using industry standards such as sFlow, SNMP, and syslog.

F5 Analytics provides real time application-level statistics.

Load Balancing 101: The Evolution to Application Delivery Controllers


http://www.f5.com/pdf/white-papers/evolution-adc-wp.pdf



http://www.f5.com/pdf/white-papers/ssl-security-white-paper.pdf


3

Programmable Infrastructure

iRules

F5 iRules® is a data‑plane scripting language, which enables a broad range of functionality to be programmatically inserted into your network. Customers routinely implement security mitigation rules, support new protocols, and fix application‑related errors in real time. With robust and flexible iRules, you can easily and rapidly develop solutions that you can then deploy across multiple applications confidently.

iApps

BIG‑IP LTM includes F5 iApps, a powerful solution that enables you to manage application services rather than individual devices and objects. iApps gives you greater visibility into and control over application delivery—and helps you deploy in hours rather than weeks. This application‑centric approach aligns the network with your applications and adapts application delivery to business needs.

iApps Templates simplifies application deployments.

iControl

The F5 iControl® API and SDK help automate and integrate third‑party applications and BIG‑IP LTM. iControl supports a true publish/subscribe model, which reduces network overhead and improves the performance of applications that integrate with BIG‑IP LTM through the iControl interface. For most applications, this can reduce network bandwidth and processing time on both the client and server sides.

iCall

iCall is a powerful scripting framework based on TMSH (TMOS Shell command‑line interface) and Tcl that helps customers maintain their environment and reduce downtime by automating tasks. It monitors for events and executes scripts to resolve issues quickly and predictably. iCall enables administrators to react to specified events by executing services

The Programmable Network

http://www.f5.com/pdf/white-papers/the-programmable-network-white-paper.pdf


4

on the management plane, such as generating a TCP stack dump on a failure, executing a specific iApp to reconfigure application network service settings, or adjusting load balancing weights on application services based on a change in health monitoring data.

Scalable Infrastructure

Cloud Ready

BIG‑IP LTM makes it easy to realize operational consistency and comply with business needs across physical, virtual, and cloud environments, removing the friction of transitioning applications between traditional physical and cloud architectures.

ScaleN

F5 ScaleN™ technology uses application, operational, and on‑demand scaling capabilities to enable more efficient, elastic, and multi‑tenant solutions for data centers, clouds, and hybrid deployments. ScaleN moves beyond traditional infrastructure limitations and offers multiple scalability and consolidation models to help you meet your specific business needs.

Virtual Networking

The BIG‑IP® SDN Services module natively supports VXLAN and offers gateway capabilities with BIG‑IP LTM bridging VXLAN and traditional VLAN networks. This lets you keep things simple, applying application delivery network services across both virtual and traditional networks.

Advanced Routing

The BIG‑IP® Advanced Routing™ module allows BIG‑IP LTM to provide networking routing capabilities such as BGP, RIP, OSPF, ISIS and BFD for enhanced interoperability within the network, increasing the resilience and capacity of your network.

ScaleN: Elastic Infrastructure

VXLAN and the BIG-IP Platform

http://www.f5.com/pdf/white-papers/scalen-elastic-infrastructure-white-paper.pdf

http://www.f5.com/pdf/white-papers/vxlan-and-big-ip-platform-white-paper.pdf

http://www.f5.com/pdf/white-papers/vxlan-and-big-ip-platform-white-paper.pdf

5


BIG‑IP PlatformsBIG‑IP LTM and associated modules are available on BIG‑IP hardware appliances or VIPRION® modular chassis and blade systems designed specifically for application delivery. F5 enables simple, on‑demand scalability as your application delivery network grows. See the BIG‑IP System Hardware and VIPRION datasheets for specifications and details. For the latest information about specific module support for each platform, see the latest release notes on askf5.com.

BIG‑IP Virtual EditionBIG‑IP Local Traffic Manager Virtual Edition (VE) provides the capabilities of BIG‑IP LTM with the flexibility of a virtual platform. Supported on several leading hypervisors and in selected cloud environments, BIG‑IP LTM VE can help you meet the needs of your virtualized environment.

10000 Series

BIG-IP LTM VE

Hypervisors Supported:

Microsoft Hyper-V for Windows Server 2008 R2 and 2012

Citrix XenServer 5.6 and 6.0

VMware vSphere Hypervisor 4.0, 4.1, and 5.0, and 5.1 and vCloud Director 1.5

KVM—Linux Kernel 2.6.32 (RHEL 6.2/6.3, CentOS 6.2/6.3)

BIG-IP LTM VE is also available as an Amazon Machine Image for use within Amazon Web Services.

VIPRION 2400 Chassis




6

Application Traffic Management

· Intelligent load balancing

· Application protocol support (TCP, HTTP, SPDY, SSL, SIP, etc.)

· Application health monitoring

· Application connection state management


· Symmetric adaptive compression

· RAM cache and compression

· Bandwidth controller

· TCP optimization

· SPDY gateway


· SSL/TLS encryption offload (hardware accelerated)

· Algorithm agility (RSA, ECC, DSA)

· Internal HSM/Network HSM (FIPS 140-2)

· SSL visibility (inbound/outbound)

Application Visibility and Monitoring

· iApps Analytics

· Performance dashboard

· High-speed logging

· sFlow

Programmable Infrastructure

· iRules for data plane programmability

· iCall for event-based control-plane scripting

· iApps for app-level config management and deployment

· iControl for Management API (SOAP)

Scalable Infrastructure

· On-demand scaling

· All-active application scaling

· Operational scaling (multi-tenant and virtualization)

· Advanced Routing (BGP, RIP, OSPF, ISIS, BFD)

· SDN Services license (VXLAN)

Add-on modules

· BIG-IP® Access Policy Manager®

· BIG-IP® Application Acceleration Manager™

· BIG-IP® Advanced Firewall Manager™

· BIG-IP® Application Security Manager™

· BIG-IP® Global Traffic Manager™

F5 ServicesF5 Services offers world‑class support, training, and consulting to help you get the most from your F5 investment. Whether it’s providing fast answers to questions, training internal teams, or handling entire implementations from design to deployment, F5 Services can help you achieve IT agility. For more information, contact [email protected] or visit f5.com/services.

DevCentralThe F5 DevCentral™ user community of 120,000+ members is your source for the best technical

documentation, discussion forums, blogs, media, and more related to Application Delivery Networking.



7


More InformationTo learn more about BIG‑IP LTM, use the search function on f5.com to find these and other resources.

Web

BIG-IP Local Traffic Manager

DevCentral

Datasheets

BIG-IP System Hardware

VIPRION

White papers

Top Considerations When Choosing an ADC

Load Balancing 101: Nuts and Bolts

Case studies

Varolii: SaaS Provider Ensures High Uptime and Resiliency for Critical Customer Apps with F5

Kettering Health Network Achieves Optimal Performance of EpicCare EMR with F5 Solution

Pandora Scales to Serve Tens of Millions of Internet Radio Users with F5 Solution







http://www.f5.com/products/big-ip/big-ip-local-traffic-manager/

https://devcentral.f5.com/



http://www.f5.com/pdf/white-papers/adc-considerations-wp.pdf

http://www.f5.com/pdf/white-papers/load-balancing101-wp.pdf

http://www.f5.com/pdf/case-studies/varolii-case-study.pdf

http://www.f5.com/pdf/case-studies/varolii-case-study.pdf

http://www.f5.com/pdf/case-studies/kettering-case-study.pdf

http://www.f5.com/pdf/case-studies/kettering-case-study.pdf

http://www.f5.com/pdf/case-studies/pandora-case-study.pdf


http://www.f5.com




F5® BIG-IP® Application Delivery Controller (ADC) platforms can manage even the heaviest traffic loads at both layer 4 and layer 7. By merging high-performance switching fabric, specialized hardware, and advanced software, F5 provides the flexibility to make in-depth application decisions without introducing bottlenecks.

With the high performance you get from BIG-IP platforms, you can consolidate devices—saving management costs, electricity, space, and cooling—and still have room to grow.

Key benefits

Consolidate your infrastructure with purpose-built hardware BIG-IP hardware platforms are designed specifically for application delivery performance and scalability. One device can be configured for server load balancing, global data center load balancing, DNS services, web application firewall, access management, web performance optimization, and WAN optimization.

Offload application servers BIG-IP platforms feature high-performance SSL and compression hardware, as well as advanced connection management, so that you can remove processing-intensive tasks from application servers, consolidate devices, and use these resources more efficiently.

Secure your network Instantly add layer 3–7 protection with ICSA Certified BIG-IP platforms that provide default deny security, a full packet filter engine that limits access in a granular way, and an industry-leading web application firewall.

Reduce your operating costs Spend less time on configuration, upgrades, and maintenance with the simple-to-manage BIG-IP hardware, featuring out-of-band management, front-panel management, warm upgrades, remote boot, and USB support. Lower power and cooling costs in your data center with 80 Plus Gold and Platinum certified high-efficiency power supplies.

Maximize uptime Ensure your critical infrastructure is built on reliable hardware with hot-swappable components, redundant power supplies, redundant fans, compact flash, multi-boot support, and always-on management. Appliances can be deployed in traditional active/standby configuration or horizontal clusters (active/active) to achieve high availability and application-level failover.

Deliver More Applications for More Users

BIG-IP System HARDWARE DATASHEET

HARDWARE DATASHEET BIG-IP System

2

Intelligent Performance Where It MattersPerformance traditionally has been measured in terms of throughput, but this doesn’t accurately represent the complex needs of application delivery. Connection capacity and L7 transactions per second are critical for an ADC to support the increasing needs of modern web applications and infrastructure. For instance, an ADC needs to be able to process high levels of layer 4 and layer 7 connections and make more decisions at the application layer, such as inspecting and removing sensitive information or transforming application-specific payloads. BIG-IP appliances have the intelligence and performance to deliver the maximum amount of application layer decisions while securing your data and infrastructure.

Simplify Your Network BIG-IP ADC appliances can help you simplify your network by offloading servers and consolidating devices, saving management costs as well as power, space, and cooling in the data center.

With the massive performance and scalability of the BIG-IP platform, you can reduce the number of Application Delivery Controllers you need to deliver even the most demanding applications. By offloading computationally intense processes, you can significantly reduce the number of application servers needed.

BIG-IP hardware includes:

• SSL hardware acceleration—Offload costly SSL processing and accelerate key exchange and bulk encryption with best-in-market SSL performance.

• Hardware compression—Cost-effectively offload traffic compression processing from your servers to improve page load times and reduce bandwidth utilization.

• OneConnect™ connection pooling—Aggregate millions of TCP requests into hundreds of server-side connections. Increase server capacity and ensure requests are handled efficiently.

• Embedded Packet Velocity Acceleration (ePVA)—Provide high-performance L4 throughput and denial-of-service (DoS) protection. ePVA uses field-programmable gate array (FPGA) technology tightly integrated with TMOS and software to deliver:

• High performance interconnect between Ethernet ports and processors.

• L4 offload, enabling leading throughput and reduced load on software.

• Hardware-accelerated SYN flood protection.

• More than 20 DoS attacks detected and mitigated in hardware.

• Predictable performance for low latency protocols such as Financial Information eXchange (FIX).


3

The Advantages of F5 BIG-IP Technology Unique architecture and patented hardware and software innovations from F5 offer unmatched capabilities, including:

F5 ScaleN architecture

ScaleN enables you to scale performance on demand, virtualize, or horizontally cluster multiple BIG-IP devices, creating an elastic Application Delivery Networking infrastructure that can efficiently adapt as your business needs change.

• On-demand scaling—Increase capacity and performance with on-demand scaling, where you can simply add more power to your existing infrastructure instead of adding more devices. The latest BIG-IP appliance models can be upgraded to the higher performance model within each series through on-demand software licensing. On-demand licensing enables organizations to right-size application delivery services and support growth without requiring new hardware.

• Operational scaling—F5 can virtualize Application Delivery Controller (ADC) services with a multi-tenant architecture that supports a variety of BIG-IP versions and product modules on a single device. Multi-tenant device virtualization is provided by F5’s unique Virtual Clustered Multiprocessing (vCMP®) technology, which enables select hardware platforms to run multiple BIG-IP guest instances. Each BIG-IP guest instance looks and acts like a physical BIG-IP device, with a dedicated allocation of CPU, memory, and other resources.

You can further divide each vCMP guest using multi-tenant features such as partitions and route domains, which can isolate configuration and networks on a per-virtual-domain basis. Within each virtual domain, you can further isolate and secure configuration and policies by using a role-based access system for greater administrative control. When combining both route domains/partitions with vCMP guests, F5 provides the highest density multi-tenant virtualization solution that can scale to hundreds of virtual ADC (vADC) instances.

This ability to virtualize BIG-IP ADC services means service providers and enterprise users can isolate based on BIG-IP version, enabling departmental or project-based tenancy as well as performance guarantees, while benefiting from managing a single, consolidated application delivery platform and increased utilization.

• Application scaling—Increase capacity by adding BIG-IP resources through an all-active approach. With application scaling, you can scale beyond the traditional device pair to eliminate the need for idle and costly standby resources. Application scaling achieves this through two forms of horizontal scale: Application Service Clustering, which focuses on application scalability and high availability, and Device Service Clustering, designed to efficiently and seamlessly scale BIG-IP application delivery services.

Application Service Clustering delivers sub-second failover and comprehensive connection mirroring for a highly available cluster of up to eight devices at the application layer, providing highly available multi-tenant deployments. Workloads can be moved across a cluster of devices or virtual instances without interrupting other services and can be scaled to meet the business demand.

Device Service Clustering can synchronize full device configurations in an all-active deployment model, enabling consistent policy deployment and enforcement across devices—up to 32 active nodes. This ensures a consistent device configuration that simplifies operations.


4

F5 TMOS platform

At the heart of BIG-IP appliances is TMOS®, the F5 operating system that provides a unified system for optimal application delivery, giving you total visibility, flexibility, and control across all services. With TMOS, you can intelligently adapt to the diverse and evolving requirements of applications and networks.

F5 SYN Check

F5 uses a collaborative software SYN cache and hardware SYN cookie approach to protect against large scale SYN flood DDoS attacks. This capability is available on all TMOS platforms in software and utilizes the embedded Packet Velocity Acceleration (ePVA) field-programmable gate array (FPGA) on select hardware platforms to provide improved performance (up to 80 million SYN cookies per second on the BIG-IP 10200v appliance). When a SYN flood is detected, the ePVA turns on the SYN Check™ feature to prevent invalid sessions from getting to the servers or exhausting the BIG-IP device resources. SYN Check is unique in that it can be applied on a per-virtual-IP/application basis, meaning if one application is under attack, the others are not affected. F5 is the only ADC that implements hardware-based SYN cookies in L4 and full proxy L7 mode.

Next-Generation ADC AppliancesWith the introduction of the new BIG-IP 2000, 4000, 5000, 7000, and 10000 series appliances, F5 continues to invest and innovate in hardware development to ensure that even the most demanding web applications are available, secure, and fast. The new BIG-IP hardware offers industry-leading performance in application decisions per second, SSL processing, and hardware compression for each class of ADC. Enterprises and service providers can deploy multiple application delivery services, offload SSL processing, and efficiently consolidate on a single, unified platform. In addition, with the capability to upgrade from a base appliance to a higher capacity model in that series through a software license, F5 provides on-demand flexibility to match changing business needs.

5


Specifications 11050 11000

Intelligent Traffic Processing:

L7 requests per second: 2.5M L4 connections per second: 1M Throughput: 42 Gbps/40 Gbps L4/L7

L7 requests per second: 2.5M L4 connections per second: 1M Throughput: 24 Gbps L4/L7

Hardware SSL:Included: 500 TPS Maximum: 20,000 TPS (2K keys) 15 Gbps bulk encryption*

Included: 500 TPS Maximum: 20,000 TPS (2K keys) 15 Gbps bulk encryption*

FIPS SSL:FIPS 140-2 Level 2 (option) 9,000 TPS (2K keys)

FIPS 140-2 Level 2 (option) 9,000 TPS (2K keys)

Hardware DDoS Protection: N/A N/A

Hardware Compression: N/AIncluded: 50 Mbps Maximum: 16 Gbps

Software Compression:Included: 50 Mbps Maximum: 12 Gbps

N/A

Software Architecture: 64-bit TMOS 64-bit TMOS

On-Demand Upgradable: N/A N/A

Processor: Dual CPU, hex core (12 processing cores) Dual CPU, hex core (12 processing cores)

Memory: 32 GB 48 GB

Hard Drive:Two 600 GB drives, 10,000 RPM (RAID 1) Two 600 GB drives, 10,000 RPM (RAID 1); Optional 4x 300 GB

or 600 GB SSD

Gigabit Ethernet CU Ports: Optional SFP Optional SFP

Gigabit Fiber Ports (SFP): Optional SFP Optional SFP

10 Gigabit Fiber Ports (SFP+): 10 SR or LR (sold separately, 2 SR included) 10 SR or LR (sold separately, 2 SR included)

40 Gigabit Fiber Ports (QSFP+): N/A N/A

Power Supply: Dual 850W included, DC optional Dual 850W included, DC optional

Typical Consumption: 440W (dual A/C power - 110V input) 440W (dual A/C power - 110V input)

Input Voltage: 90–240 VAC +/- 10% auto switching, 50/60 hz 90–240 VAC +/- 10% auto switching, 50/60 hz

Typical Heat Output: 1501 BTU/hour (110V input) 1501 BTU/hour (110V input)

Dimensions:5.2” (13.2 cm) H x 17.4” (44.2 cm) W x 21.4” (54.36 cm) D 3U industry standard rack-mount chassis

5.2” (13.2 cm) H x 17.4” (44.2 cm) W x 21.4” (54.36 cm) D 3U industry standard rack-mount chassis

Weight: 52 lbs. (23.6 kg) (dual power supply) 52 lbs. (23.6 kg) (dual power supply)

Operating Temperature: 32° to 104° F (0° to 40° C) 32° to 104° F (0° to 40° C)

Operational Relative Humidity: 5 to 85% at 40° C 5 to 85% at 40° C

Safety Agency Approval:

UL 60950-1:2001, 1st Edition CSA C22.2 No. 60950-1-03 IEC 60950-1: 2005, 2nd Edition EN 60950-1: 2005, 2nd Edition


Certifications/ Susceptibility Standards:

EN 55022:2006 + C1:2006 EN 55024:1998 + A1: 2001 + A2:2003 FCC Part 15B Class A VCCI Class ANEBS compliant (option)

EN 55022:2006 + C1:2006 EN 55024:1998 + A1: 2001 + A2:2003 FCC Part 15B Class A VCCI Class A

*Maximum throughput.

6



Specifications 10200v/10200v-SSL 10000s


L7 requests per second: 2M L4 connections per second: 1M L4 HTTP requests per second: 14M Throughput: 80 Gbps/40 Gbps L4/L7

L7 requests per second: 1M L4 connections per second: 500K L4 HTTP requests per second: 7M Throughput: 80 Gbps/40 Gbps L4/L7

Hardware SSL:

Included: 42,000 TPS (2K keys) Max for 10200v: 42,000 TPS (2K keys) Max for 10200v-SSL: 75,000 TPS (2K keys) 22 Gbps bulk encryption* for 10200v 33 Gbps bulk encryption* for 10200v-SSL

Included: 21,000 TPS (2K keys) Maximum: 21,000 TPS (2K keys) 22 Gbps bulk encryption*


N/A

Hardware DDoS Protection: 80M SYN cookies per second 40M SYN cookies per second

Hardware Compression:Included: 24 Gbps Maximum: 24 Gbps

N/A

Software Compression: N/AIncluded: 12 Gbps Maximum: 12 Gbps


On-Demand Upgradable: N/A Yes

Processor: Intel hex core (total 12 processor cores) Intel hex core (total 12 processor cores)

Memory: 48 GB 48 GB

Hard Drive: Two 1 TB drives (RAID 1) Two 1 TB drives (RAID 1)

Gigabit Ethernet CU Ports: Optional SFP Optional SFP



40 Gigabit Fiber Ports (QSFP+):2 SR4 (sold separately) (QSFP+ optical breakout cable assemblies available to convert to 10 gigabit ports) Note: Only optics provided by F5 are supported.

2 SR4 (sold separately) (QSFP+ optical breakout cable assemblies available to convert to 10 gigabit ports) Note: Only optics provided by F5 are supported.

Power Supply: Dual 850W included (80+ Platinum efficiency), DC optional Dual 850W included (80 Plus Platinum efficiency), DC optional

Typical Consumption: 320W (dual supply, 110V input) 320W (dual supply, 110V input)

Input Voltage: 90–240 VAC +/- 10% auto switching, 50/60hz 90–240 VAC +/- 10% auto switching, 50/60hz

Typical Heat Output: 1090 BTU/hour (dual supply, 110V input) 1090 BTU/hour (dual supply, 110V input)

Dimensions:3.45“ (8.76 cm) H x 17.3” (43.94 cm) W x 21.4” (54.36 cm) D 2U industry standard rack-mount chassis

3.45“ (8.76 cm) H x 17.3” (43.94 cm) W x 21.4” (54.36 cm) D 2U industry standard rack-mount chassis



Operational Relative Humidity: 10 to 90% at 40° C 10 to 90% @ 40° C


UL 60950-1 2nd Edition CAN/CSA C22.2 No. 60950-1-07 EN 60950-1:2006, 2nd Edition IEC 60950-1:2006, 2nd Edition Evaluated to all CB Countries



EEN 300 386 V1.5.1 (2010-10); EN 55022:2006 + A1:2007 EN 61000-3-2:2006; EN 61000-3-3:1995 + A1:2000 + A2:2005 EN 55024: 2010; USA FCC Class A

EEN 300 386 V1.5.1 (2010-10); EN 55022:2006 + A1:2007 EN 61000-3-2:2006; EN 61000-3-3:1995 + A1:2000 + A2:2005 EN 55024: 2010; USA FCC Class A

7



Specifications 8950/8950S 8900


L7 requests per second: 1.9M L4 connections per second: 800K Throughput: 20 Gbps L4/L7

L7 requests per second: 1.2M L4 connections per second: 400K Throughput: 12 Gbps L4/L7

Hardware SSL:

Included: 500 TPS Maximum for 8950: 10,000 TPS (2K keys) Maximum for 8950S: 20,000 TPS (2K keys) 9.6 Gbps bulk encryption*

Included: 500 TPS Maximum: 10,000 TPS (2K keys) 9.6 Gbps bulk encryption*

FIPS SSL: N/AFIPS 140-2 Level 2 (option) 4,000 TPS (2K keys)


Hardware Compression: N/AIncluded: 50 Mbps Maximum: 8 Gbps


N/A



Processor: Dual CPU, quad core (8 processing cores) Dual CPU, quad core (8 processing cores)

Memory: 16 GB 16 GB

Hard Drive: Two 1TB drives (RAID 1) Two 1TB drives (RAID 1)

Gigabit Ethernet CU Ports: 16 16

Gigabit Fiber Ports (SFP): 8 LX; SX or copper (4 SX included) 8 LX; SX or copper (4 SX included)

10 Gigabit Fiber Ports (SFP+): 2 SR or LR (sold separately) 2 SR or LR (sold separately)

40 Gigabit Fiber Ports (QSFP+):

N/A N/A

Power Supply: Dual 850W included, DC optional Dual 850W included, DC optional

Typical Consumption: 419W (dual A/C power, 110V input) 397W (dual A/C power, 110V input)

Input Voltage: 90–240 VAC +/- 10% auto switching, 50/60 hz 90–240 VAC +/- 10% auto switching, 50/60hz

Typical Heat Output: 1431 BTU/hour (110V input) 1536 BTU/hour (110V input)



Weight: 52 lbs. (23.6 kg) (dual power supply) 45.5 lbs. (20.6 kg) (dual power supply)


Operational Relative Humidity: 5 to 85% at 40° C 5 to 85% at 40º C



UL 60950 (UL1950-3) CSA-C22.2 No. 60950-00 (bi-national standard with UL 60950) CB TEST CERTIFICATION TO IEC 950 EN 60950


EN 55022:2006 + C1:2006 EN 55024:1998 + A1: 2001 + A2:2003 FCC Part 15B Class A VCCI Class A

EN55022 1998 Class A EN55024 1998 Class A FCC Part 15B Class A VCCI Class A

8



Specifications 7200v 7000s


L7 requests per second: 1.6M L4 connections per second: 775K L4 HTTP requests per second: 7M Throughput: 40 Gbps/20 Gbps L4/L7

L7 requests per second: 800K L4 connections per second: 390K L4 HTTP requests per second: 3.5M Throughput: 40 Gbps/20 Gbps L4/L7

Hardware SSL:Included: 25,000 TPS (2K keys) Maximum: 25,000 TPS (2K keys) 18 Gbps bulk encryption*


FIPS SSL: Future option N/A

Hardware DDoS Protection: 40M SYN cookies per second 20M SYN cookies per second

Hardware Compression:Included: 18 Gbps Maximum: 18 Gbps

N/A

Software Compression: N/AIncluded: 9 Gbps Maximum: 9 Gbps


On-Demand Upgradable: N/A Yes

Processor: 1 quad core Intel Xeon processor (total 8 processing cores) 1 quad core Intel Xeon processor (total 8 processing cores)

Memory: 32 GB 32 GB

Hard Drive: Two 1TB (RAID 1) Two 1TB (RAID 1)





Power Supply:Two 400 W included (80 Plus Gold Efficiency), DC optional

Two 400 W included (80 Plus Gold Efficiency), DC optional

Typical Consumption: 205W (dual supply, 110V input) 205W (dual supply, 110V input)

Input Voltage: 90-240 VAC, 50/60hz 90-240 VAC, 50/60hz

Typical Heat Output: 700 BTU/hour (dual supply, 110V input) 700 BTU/hour (dual supply, 110V input)





Operational Relative Humidity: 10 to 90% @ 40° C 10 to 90% @ 40° C


ANSI/UL 60950-1-2011 CSA 60950-1-07, including Amendment 1:2011 Low Voltage Directive 2006/95/EC CB Scheme EN 60950-1:2006+A11:2009+A1:2010+A12:2011 IEC 60950-1:2005, A1:2009



EN 300 386 V1.5.1 (2010-10); EN 55022:2010 EN 61000-3-2:2006+A1:2009+A2:2009; EN 61000-3-3:2008 EN 55024:2010; EN 55022:2010; EN 61000-3-3:2008 EN 55024:2010; USA FCC Class A


9


Specifications 6900/6900S 5200v


L7 requests per second: 600K L4 connections per second: 220K Throughput: 6 Gbps L4/L7

L7 requests per second: 1.5M L4 connections per second: 700K L4 HTTP requests per second: 7M Throughput: 30 Gbps/15 Gbps L4/L7

Hardware SSL:

Included: 500 TPS Maximum for 6900: 5,000 TPS (2K keys) Maximum for 6900S: 10,000 TPS (2K keys) 4 Gbps bulk encryption*

Included: 21,000 TPS (2K keys) Maximum: 21,000 TPS (2K keys) 12 Gbps bulk encryption


N/A

Hardware DDoS Protection: N/A 40M SYN cookies per second

Hardware Compression:Included: 50 Mbps Maximum: 5 Gbps

Included: 12 Gbps Maximum: 12 Gbps

Software Compression: N/A N/A



Processor: Dual CPU, dual core (4 processing cores) 1 quad core Intel Xeon processor (total 8 processing cores)

Memory: 8 GB 32 GB

Hard Drive: Two 1TB drives (RAID 1) 1 TB


Gigabit Fiber Ports (SFP): 8 LX; SX or copper (4 SX included) Optional SFP

10 Gigabit Fiber Ports (SFP+): N/A 8 SR or LR (sold separately)


Power Supply: Dual 850W included, DC optionalOne 400 W included (80 Plus Gold Efficiency), dual power and DC options

Typical Consumption: 321W (dual A/C power, 110V input) 165W (single supply, 110V input)

Input Voltage: 90–240 VAC +/- 10% auto switching, 50/60hz 90-240 VAC, 50/60hz

Typical Heat Output: 1024 BTU/hour (110V input) 564 BTU/hour (single supply, 110V input)


1.75” (4.45 cm) H x 17” (43.18 cm) W x 21” (53.34 cm) D 1U industry standard rack-mount chassis

Weight: 45.5 lbs. (20.6 kg) (dual power supply) 21 lbs. (9.53 kg) (one power supply)


Operational Relative Humidity: 5 to 85% at 40º C 10 to 90% @ 40° C





EN55022 1998 Class A; EN55024 1998 Class A FCC Part 15B Class A; VCCI Class A; NEBS compliant (option)



10


Specifications 5000s 4200v


L7 requests per second: 750K L4 connections per second: 350K L4 HTTP requests per second: 3.5M Throughput: 30 Gbps/15 Gbps L4/L7

L7 requests per second: 850K L4 connections per second: 300K L4 HTTP requests per second: 2.5M Throughput: 10 Gbps L4/L7

Hardware SSL:Included: 10,000 TPS (2K keys) Maximum: 10,000 TPS (2K keys) 12 Gbps bulk encryption


FIPS SSL: N/A N/A

Hardware DDoS Protection: 20M SYN cookies per second N/A

Hardware Compression: N/AIncluded: 8 Gbps Maximum: 8 Gbps

Software Compression:Included: 6 Gbps Maximum: 6 Gbps

N/A


On-Demand Upgradable: Yes N/A

Processor: 1 quad core Intel Xeon processor (total 8 processing cores) 1 quad core Intel Xeon processor (total 8 processing cores)

Memory: 32 GB 16 GB

Hard Drive: 1 TB 500 GB



10 Gigabit Fiber Ports (SFP+): 8 SR or LR (sold separately) 2 SR or LR (sold separately)


Power Supply:One 400 W included (80 Plus Gold Efficiency), dual power and DC options

One 400W included (80 Plus Gold efficiency), dual power and DC options

Typical Consumption: 165W (single supply, 110V input) 95W (single supply, 110V input)

Input Voltage: 90-240 VAC, 50/60hz 90-240 VAC +/- 10% auto switching, 50/60hz

Typical Heat Output: 564 BTU/hour (single supply, 110V input) 324 BTU/hour (single supply, 110V input)

Dimensions:1.75” (4.45 cm) H x 17” (43.18 cm) W x 21” (53.34 cm) D 1U industry standard rack-mount chassis


Weight: 21 lbs. (9.53 kg) (one power supply) 20 lbs. (9.1 kg) (one power supply)


Operational Relative Humidity: 10 to 90% @ 40° C 10 to 90% at 40º C






EN 300 386 V1.5.1 (2010-10); EN 55022:2006 + A1:2007 EN 61000-3-2:2006; EN 61000-3-3:1995 + A1:2000 + A2:2005 EN 55024:2010; USA-FCC Class A

?


11


Specifications 4000s 3900



L7 requests per second:400K L4 connections per second:175K Throughput: 4 Gbps L4/L7


Included: 500 TPS Maximum: 3,000 TPS (2K keys) 2.4 Gbps bulk encryption*

FIPS SSL: N/A N/A


Hardware Compression: N/A N/A

Software Compression:Included: 4 Gbps Maximum: 4 Gbps

Included: 50 Mbps Maximum: 3.8 Gbps



Processor: 1 quad core Intel Xeon processor (total 8 processing cores) Quad core CPU (4 processing cores)

Memory: 16 GB 8 GB

Hard Drive: 500 GB 300 GB, 10,000 RPM


Gigabit Fiber Ports (SFP): Optional SFP 4 optional LX, SX, or copper

10 Gigabit Fiber Ports (SFP+): 2 SR or LR (sold separately) N/A


Power Supply:One 400W included (80 Plus Gold efficiency), dual power and DC options

One 300W included, dual power and DC options

Typical Consumption: 95W (single supply, 110V input) 175W (110V input)

Input Voltage: 90-240 VAC, 50/60hz 90-240 VAC +/- 10% auto switching

Typical Heat Output: 324 BTU/hour (single supply, 110V input) 598 BTU/hour (110V input)





Operational Relative Humidity: 10 to 90% @ 40º C 10 to 90% at 40º C


EN 60950-1:2006, 2nd Edition IEC 60950-1:2006, 2nd Edition Evaluated to all CB Countries UL 60950-1 2nd Edition CAN/CSA C22.2 No. 60950-1-07



EN 300 386 V1.5.1 (2010-10) EN 55022:2006 + A1:2007 EN 61000-3-2:2006 EN 61000-3-3:1995 + A1:2000 + A2:2005 EN 55024: 2010 USA FCC Class A



12



Specifications 3600 2200s


L7 requests per second:135K L4 connections per second: 115K Throughput: 2 Gbps L4/L7


Hardware SSL:Included: 500 TPS Maximum: 2,000 TPS (2K keys) 2 Gbps bulk encryption*


FIPS SSL: N/A N/A


Hardware Compression: N/AIncluded: 4 Gbps Maximum: 4 Gbps


N/A



Processor: Dual core CPU (2 processing cores) Intel dual core (total 4 processing cores)

Memory: 4 GB 8 GB

Hard Drive: 500 GB 500 GB


Gigabit Fiber Ports (SFP): 2 optional LX, SX, or copper Optional SFP

10 Gigabit Fiber Ports (SFP+): N/A 2 SR or LR (sold separately)


Power Supply: One 300W included, dual power and DC optionsOne 400W included (80+ Gold efficiency), dual power and DC options

Typical Consumption: 114W (110V input) 74W (single supply, 110V input)

Input Voltage: 90-240 +/- 10% VAC auto switching 90–240 VAC +/- 10% auto switching, 50/60hz

Typical Heat Output: 563 BTU/hour (110V input) 252 BTU/hour (single supply, 110V input)





Operational Relative Humidity: 10 to 90% at 40º C 10 to 90% at 40° C







13


Specifications 2000s 1600


L7 requests per second: 212K L4 connections per second: 75K L4 HTTP requests per second: 550K Throughput: 5 Gbps L4/L7

L7 requests per second:100K L4 connections per second:60K Throughput: 1 Gbps L4/L7


Included: 500 TPS Maximum: 1,000 TPS (2K keys) 1 Gbps bulk encryption*

FIPS SSL: N/A N/A


Hardware Compression: N/A N/A

Software Compression:Included: 2.5 Gbps Maximum: 2.5 Gbps

Included: 50 Mbps Maximum: 1 Gbps



Processor: Intel dual core (total 4 processing cores) Dual core CPU (2 processing cores)

Memory: 8 GB 4 GB

Hard Drive: 500 GB 500 GB


Gigabit Fiber Ports (SFP): Optional SFP 2 optional LX, SX, or copper

10 Gigabit Fiber Ports (SFP+): 2 SR or LR (sold separately) N/A


Power Supply:One 400W included (80+ Gold efficiency), dual power and DC options

One 300W included, dual power and DC options

Typical Consumption: 74W (single supply, 110V input) 105W (110V input)

Input Voltage: 90–240 VAC +/- 10% auto switching, 50/60hz 90-240 +/- 10% VAC auto switching

Typical Heat Output: 252 BTU/hour (single supply, 110V input) 512 BTU/hour (110V input)





Operational Relative Humidity: 10 to 90% at 40° C 10 to 90% at 40º C








14


More InformationVisit these resources on f5.com to learn more about the BIG-IP family of products.

Datasheets

BIG-IP Local Traffic Manager

BIG-IP Global Traffic Manager

BIG-IP Advanced Firewall Manager

BIG-IP Application Security Manager

BIG-IP Access Policy Manager

BIG-IP Application Acceleration Manager

BIG-IP Carrier-Grade NAT

BIG-IP Policy Enforcement Manager

Report

F5 Comparative Performance Report ADC 2013

White papers

ScaleN: Elastic Infrastructure

BIG-IP Application Delivery Hardware: A Critical Component

Clustered Multiprocessing: Changing the Rules of the Performance Game

Virtual Clustered Multiprocessing (vCMP)







http://www.f5.com

http://www.f5.com/pdf/products/big-ip-local-traffic-manager-ds.pdf

http://www.f5.com/pdf/products/big-ip-global-traffic-manager-ds.pdf

http://www.f5.com/pdf/products/big-ip-advanced-firewall-manager-datasheet.pdf

http://www.f5.com/pdf/products/big-ip-application-security-manager-ds.pdf

http://www.f5.com/pdf/products/big-ip-access-policy-manager-ds.pdf

http://www.f5.com/pdf/products/big-ip-application-acceleration-manager-datasheet.pdf

http://www.f5.com/pdf/products/big-ip-cgnat-datasheet.pdf

http://www.f5.com/pdf/products/big-ip-policy-enforcement-manager-datasheet.pdf

http://www.f5.com/pdf/reports/F5-comparative-performance-report-ADC-2013.pdf

http://www.f5.com/pdf/white-papers/scalen-elastic-infrastructure-white-paper.pdf

http://www.f5.com/pdf/white-papers/application-delivery-hardware-wp.pdf

http://www.f5.com/pdf/white-papers/application-delivery-hardware-wp.pdf%20

http://www.f5.com/pdf/white-papers/viprion-clustered-multiprocessing-wp.pdf

http://www.f5.com/pdf/white-papers/vcmp-wp.pdf


http://www.f5.com




What’s Inside

2 What Is BIG-IQ Cloud?

2 Simplified Provisioning

2 Consolidated Management

3 Integrate with Existing Cloud Tools

4 Enable Cloud Bursting

5 Better Visibility in the Cloud

6 F5 Services

6 More Information

DATASHEET

BIG-IQ Cloud

1

Automate Application Networking Services in the CloudTraditionally, enterprises have deployed Application Delivery Controllers (ADCs) as strategic points of control in the IT infrastructure to seamlessly provision, manage, and monitor applications and services without affecting the performance of other segments of the network. As many enterprises begin to adopt cloud-based network infrastructures—whether private, public, or hybrid—they also work to implement self-service deployment models. But many of the network services required for provisioning and managing applications are not automated for cloud deployments and require many highly manual provisioning tasks.

F5® BIG-IQ™ Cloud is an application networking services management solution for F5 BIG-IP® ADC–enabled cloud infrastructures. It addresses orchestration problems and automates application networking services in public, private, and hybrid cloud deployments.

Key benefits

Simplify provisioning and consolidate management Reduce provisioning time from weeks to minutes using an integrated provider portal through which you can manage devices, tenants, connectors, and applications, and offer tenants a self-serve provisioning portal to manage ADC services.

Integrate flexibly Use cloud connectors to connect with third-party orchestration tools.

Enable cloud bursting Extend to the public cloud infrastructure using the BIG-IQ Cloud REST API.

Gain cloud visibility Get a view into application health with health status visibility across private, public, and hybrid clouds.

DATASHEET BIG-IQ Cloud

2

What Is BIG-IQ Cloud?

BIG-IQ Cloud is an intelligent management platform that manages BIG-IP ADC services in cloud architectures. It supports interoperability and portability of applications between clouds via cloud bursting. It also supports on-demand self-service through provider and tenant portals that can be integrated with third-party and self-service cloud automation and orchestration tools, such as VMware vCloud Director, through a REST-based API.

Data Center 2Data Center 1 Data Center 4Data Center 3

Public Cloud(Amazon Web Services)

Third-Party CloudOrchestrators

(VMware vCloud Director)

BIG-IQ Cloud Portal

iAppsLifecycle

Management

CloudConnectors

BIG-IQ Cloud Portal

Tenant Portal

BIG-IQ CloudREST API

Provider PortalVE

BIG-IQCloud

Simplified Provisioning

As your IT department transitions to cloud deployment models, users need to be able to provision applications and services in the cloud without relying on IT. Otherwise, cloud advantages are negated by inefficient, costly operational processes.


BIG-IQ Cloud Lifecycle Management performs create, read, update, and delete (CRUD) operations on iApps Templates, and through iApps, you can discover and customize apps, allow for application configuration changes, and also decommission an application service. BIG-IQ Cloud maintains a catalog of F5 iApps® Templates—flexible, app-centric templates that enable you to quickly deploy services using optimal configurations. With iApps Templates, an administrator uses a central interface to easily deploy apps in multiple tenants, and can attach different services to each application. Once an iApp has been customized for the tenant’s needs, it can be easily deployed across tenants on multiple BIG-IP devices.

Consolidated Management

Without the appropriate network integration, administrators will have to toggle between multiple management consoles to provision end-to-end services, wasting valuable time and expertise. BIG-IQ Cloud can be integrated with other third-party management and orchestration systems through its REST-based API. System administrators can efficiently configure self-serve application-related services through a single console—eliminating errors and boosting productivity.

F5 BIG-IQ Cloud components integrate and collaborate to provide consistent, cross-environment management of application network services.


3

Provider and tenant self-service portals

BIG-IQ Cloud provides a web-based portal that offers application networking self-services across multiple tenants and devices. The portal provides a comprehensive view into all available BIG-IP devices (virtual or physical), apps, tenants, and cloud connectors in a single UI. There are two different views: a provider view and a tenant view.

The provider view includes a comprehensive list of services, including:

•A catalog of application networking services.

•Deployed tenants.

•Available applications to service from.

•A list of available customized connectors.

•An inventory of BIG-IP devices.

The tenant view contains a subset of the provider view. Tenants can further customize ADC services within limits set by the provider.


BIG-IQ Cloud provides a view into application health with health status visibility across private, public, and hybrid clouds. The provider and tenant views indicate application health status through red and green indicators. This enhanced visibility enables you to proactively monitor application health.

Integrate with Existing Cloud Tools

As cloud administrators leverage the public cloud to reduce CapEx, they need central visibility and control of what is moving from their private cloud into the public cloud. This saves significant administration time and consolidates cloud management and monitoring tools into a single dashboard for full visibility into cloud orchestration.

Cloud connectors

BIG-IQ Cloud connects with third-party orchestration tools. For instance, F5 created a customized private cloud connector from BIG-IQ Cloud to VMware vCloud Director and VMware vCloud Networking and Security. This connector enables two-way communication between BIG-IQ Cloud and the VMware vCloud Director portal, so you can configure application networking services directly from VMware vCloud Director. BIG-IQ Cloud can also interface with any third-party cloud orchestrator that can use REST-based APIs.


4

Provider Portal Tenant Portal

Shared Management Plane

InfrastructurePolicy

Data Center andSecurity Policy

ApplicationDelivery Policy

VM VM VM

Hypervisor CloudManagement

Platforms

VEBIG-IQ

Cloud

BIG-IQ Cloud REST API

The BIG-IQ Cloud REST API enables integration with third-party cloud orchestrators and supports cloud bursting. It is exposed through port 443 and offers RBAC, SSL, and basic authentication support. The BIG-IQ Cloud REST API includes several categories:

REST API Category Functionality

Provider interface Licensing functionality

Connector Create custom cloud connections with third-party cloud orchestrators

Tenant Create, modify, and delete tenants

iApps Management Service Create, delete, and retrieve statistics and health of application services

Tenant Services Create, delete, and retrieve tenant service instances

Enable Cloud Bursting

Your cloud strategy can comprise both private and public clouds, so interoperability between these discrete environments is crucial. When demand for computing capacity spikes, you may “burst” through to a public cloud to take advantage of additional resources. You may also fluctuate between types of resources—sometimes using virtual servers, other times physical. With your application hosting infrastructure distributed across multiple clouds and multiple types of resources, having the appropriate application networking service intelligence for provisioning is a necessity.

BIG-IQ Cloud enables integrated management of the application network services required to deliver applications in the cloud.


5

Cloud bursting to Amazon Web Services

BIG-IQ Cloud Connectors for the public cloud assist in bursting application capacity. Cloud connectors use the REST-based API to provision a secure tunnel between private and public clouds to establish a secure control session between BIG-IQ Cloud and the BIG-IP virtual editions in the public cloud. A secure data session between BIG-IP devices in the private cloud and BIG-IP virtual editions in the public cloud accelerates the data traffic between BIG-IP devices in private and public clouds.

Public Cloud Control Session

Secure Control Session

REST API

iAppsLifecycle

Management

CloudConnectors

Multiple-TenantPublic Cloud

Secure Data Session

VEBIG-IQ

Cloud

Better Visibility in the Cloud

Your IT department needs to be able to migrate apps and services in and out of the cloud, to integrate with on-premises infrastructure, and to achieve cloud federation. The ability to port applications and services to different cloud environments is key to taking advantage of the flexibility of the cloud. To that end, BIG-IQ Cloud offers maximum efficiency by enabling you to centrally provision, manage, and gain insight into service usage through a central interface.

The F5 BIG-IQ Cloud Connector architecture shortens the provisioning process for application delivery via both private and public clouds.

6








F5 Services

F5 Services offers world-class support, training, and consulting to help you get the most from your F5 investment. Whether it’s providing fast answers to questions, training internal teams, or handling entire implementations from design to deployment, F5 Services can help you achieve IT agility. For more information about F5 Services, contact [email protected] or visit f5.com/services.

More Information

To learn more about BIG-IQ Cloud, visit f5.com to find these and other resources.

Solution profile

Automate Configuration of Application Networking Services in the Cloud

White paper

Managing the Cloud with BIG-IQ Cloud


http://www.f5.com





http://www.f5.com/support/

http://www.f5.com/pdf/solution-profiles/big-iq-cloud-solution-profile.pdf

http://www.f5.com/pdf/white-papers/big-iq-cloud-white-paper.pdf

What’s Inside:

2 Application Performance and Statistics

2 Performance Monitoring Module

3 Complete Device Visibility

3 Centralized and Automated Management

6 Enterprise Manager Platforms

8 F5 Services

8 More information

DATASHEET

Reduce the Cost of Managing Your Application Delivery InfrastructureWith the tremendous increase in application traffic in virtually every organization, enterprise Application Delivery Networking deployments are becoming larger throughout the business, across data centers, and over international boundaries. As these deployments expand, gaining visibility and manageability over multiple devices is critical to efficiently and cost-effectively managing the IT infrastructure.

F5® Enterprise Manager™ significantly reduces the cost and complexity of managing multiple F5 devices. You gain a single-pane view of your entire application delivery infrastructure and the tools you need to automate common tasks, ensure optimized application performance, and improve budgeting and forecasting to meet changing business needs. Enterprise Manager is available as a physical or virtual edition.

Enterprise Manager

1

Key benefits

Ensure optimized performance Get an up-to-date, comprehensive view of application traffic and device performance. Set thresholds and alerts to react quickly to changing network conditions and user demands.

Reduce TCO through automation Use a single interface to automate common operational tasks for your F5 devices, reducing total cost of ownership and OpEx.

Improve budgeting and forecasting Use 160 customizable metrics to gain

complete visibility into your application delivery infrastructure over time and improve planning and budgeting for future projects.

Troubleshoot more effectively Quickly isolate application performance and traffic management problems to minimize the effect on your business.

Gain flexibility Deploy according to your business needs with the flexibility of physical and virtual Enterprise Manager editions.

DATASHEET Enterprise Manager

2

Application Performance and Statistics

Gain a full picture of your application performance across the entire F5 infrastructure with the Centralized Analytics Module, available through purchase of an add-on license. Analytics provides real-time application performance statistics such as response time, network latency, and other application relevant statistics.

Performance Monitoring Module

The Performance Monitoring Module, included on the Enterprise Manager 4000 physical and virtual editions, offers advanced visibility and reporting tools that give you highly detailed information you can use to further optimize your F5 devices.

Detailed device and object statistics

The Performance Monitoring Module collects not only device statistics but also statistics for objects configured on the device such as virtual servers, pools, and nodes. Using iQuery® to efficiently communicate with F5 devices and collect individual statistics, the Performance Monitoring Module provides more than 160 metrics. Administrators can configure the frequency of collection from 30 seconds to 300 seconds. Customizable graphs present detailed information, and each metric can be associated with a threshold and alert.

Customizable thresholds and alerts

You can use customizable thresholds and alerts in Enterprise Manager to react quickly to changing network conditions and user demands. Alert methods include:

•SNMP trap to remote server

•Email containing alert details

•Syslog event to remote server

Open database architecture

The Performance Monitoring Module collects data and stores it on the MySQL database in Enterprise Manager. This database is open for external databases to access and back up the data, along with external reporting services such as SQL Server Reporting Services, Crystal Reports, and other external reporting services. You can also collect and store data in an external MySQL database, providing additional flexibility for administrators to allocate larger storage.

Automated reporting

Gain visibility into the performance of your BIG-IP LTM environment and easily share this information with others in your organization with automated reports. You can easily schedule recurring report emails from Enterprise Manager.

Supported F5 devices

Enterprise Manager supports all F5 TMOS®-enabled devices, including:

· BIG-IP® Local Traffic Manager™

· BIG-IP® Global Traffic Manager™

· BIG-IP® Application Security Manager™

· BIG-IP® Link Controller™

· BIG-IP® WebAccelerator™

· BIG-IP® WAN Optimization Manager™

· BIG-IP® Access Policy Manager™

· BIG-IP® Edge Gateway™


3

Complete Device Visibility

Enterprise Manager provides a real-time status of all your F5 application delivery devices in a single interface.

Device inventory and control

Enterprise Manager keeps critical device information in a central location. You can easily find platform information, software versions, serial numbers, and registration keys for all of your supported F5 devices, and you can view and select between installed software versions.

Historical data

Enterprise Manager collects device and traffic statistics and stores this data for historical analysis and trending. You can use this information to establish a baseline of normal performance and operations and leverage graphs and alerts to isolate problems that occur in the environment.

Effective capacity planning

With Enterprise Manager, you get granular visibility into which applications are increasing in traffic pattern or reaching thresholds as well as which devices are reaching capacity. You can analyze this data historically through a capacity planning report to maintain sufficient capacity.

Service contract end date information

Current service contract expiration information is readily available in Enterprise Manager. As part of a comprehensive device inventory, you can use this information to effectively plan for renewals so devices will be up to date for support. Enterprise Manager also includes customized alerts to notify users in advance of expiration.

SSL performance

A convenient report is available to monitor the performance of SSL transactions. With the industry requirement to migrate to 2048-bit SSL keys, capacity planning for your current hardware is critical.

Centralized and Automated Management

Enterprise Manager gives you tools to select, stage, and automate common operational tasks, helping you reduce total cost of ownership and operating expenses for your F5 devices.

Customizable configuration templates

With Enterprise Manager, you can create and store or stage a set of templates that contain device profiles, configurations settings, iRules® definitions, and much more. You can create new templates by simply selecting an existing template, modifying it, and pushing out the changes, or you can build entirely new templates. When a new device is ready to join the environment, you can simply push the template out and the new box is configured based on your standards without worrying about errors or deviation from your established standards. Enterprise Manager templates ensure that your customers receive consistent service while you scale your Application Delivery Network infrastructure to handle growth.


4

Distributed configuration management

Enterprise Manager can distribute administrative functions across customized roles. Configuration changes can be entered and staged by one set of administrators, and then be deployed by another set. Limited administrative control can be extended to a larger group of administrators that have less familiarity with F5 devices.

Staged configuration templates

With Enterprise Manager, you can create configuration templates prior to a maintenance window and stage them for future implementation. This frees up the administrator to complete the configuration and testing in advance. During the maintenance window, an operations engineer with a lower level of access to the BIG-IP system can then deploy the templates.

Simplified upgrades of F5 devices

Simplify upgrades using a centralized wizard that takes into account dynamic properties of your environment such as high availability state and specific version contingencies. This helps reduce the potential for errors during the upgrade process. Software upgrade packages can be proactively staged on the target device through the wizard as well. By allowing the staging of the software before the maintenance window, the time required to upgrade the device during the maintenance window is significantly reduced.

Integration with BIG-IP iHealth service

F5 BIG-IP® iHealth® integration enables you to proactively manage the health of all your BIG-IP devices. By automating the diagnostic process and checking for known issues and common mistakes, Enterprise Manager can help you stay current with F5 best practices and optimize your ADN infrastructure.

Automatic configuration backup

Enterprise Manager can automatically back up valuable configuration files, including license information, on a daily, weekly, or customized schedule. You can store multiple configurations per device.

Single and multi-device configuration comparison (diff config)

By making it easy for you to try different network configurations, Enterprise Manager helps you troubleshoot issues in the environment. You can make temporary network changes, compare the changes, and then safely roll back to previous configurations from the archive at any time. Enterprise Manager provides quick recovery from configuration errors and provides safeguards when reconfiguring devices. In addition, you can compare configurations across two BIG-IP devices, which enables you to verify configurations in a high availability pair, across different data centers or staging and production environments.

BIG-IP ASM security policy deployment

Using a centralized wizard in Enterprise Manager, you can deploy BIG-IP Application Security Manager (ASM) policies across multiple BIG-IP ASM devices without accessing each individual device. This saves administrators significant time and effort in dynamic environments where security policies can change frequently.


5

Centralized SSL management

SSL certificates can be centrally stored and managed with Enterprise Manager. You can configure certificate expiration alerts to avoid the expense and disruption associated with expired certificates.

Node management

Enterprise Manager gives you the ability to centrally manage not only your BIG-IP devices but also virtual servers, pools, pool members, and nodes. Using the node management feature, you can leverage Enterprise Manager’s search functionality to find the objects and place them in an object container. Once these objects have been identified, you can select one of the following actions: enable, disable, or force offline.

Authorization for node management

The administrative partitions that are available in BIG-IP Local Traffic Manager (LTM) are inherited by Enterprise Manager, so you can use the same permissions to ensure that users have the appropriate access.

6


Physical Specifications 4000 Series

Processor: Quad core CPU

Memory: 8 GB

Gigabit Ethernet CU Ports: 8

Gigabit Ethernet Fiber Ports (SFP):

4 optional LX, SX, or copper

Typical Consumption: 175 W (110V input)

Dimensions:1.75" H × 17" W × 21" D (per unit) 1U industry standard rack-mount chassis

Weight: 20 lbs. (one power supply)

Operating Temperature: 32° to 104° F (0° to 40° C)

Relative Humidity:10 to 90% @ 40º C, per Telcordia GR-63-CORE 5.1.1 and 5.1.2



Electromagnetic Emissions Certifications/Susceptibility

Standard:


4000 Series

Enterprise Manager Platforms

Enterprise Manager is available as a physical, appliance-based device, shipped on a dedicated, enterprise-grade platform, or as a virtual edition for VMware environments.

7

DATASHEET Enterprise ManagerDATASHEET Enterprise Manager

Enterprise Manager Virtual Edition

Recommended Host System Requirements

It is highly recommended that the host system contain CPUs based on AMD-V or Intel-VT technology.

Hypervisor:VMware vSphere Hypervisor 4.0, 4.1, and 5.0 Citrix XenServer 5.6 Microsoft Hyper-V for Windows Server 2008 R2

Processor: 2–4 CPU cores

Memory: 2–8 GB RAM

Network Adapters: 2–8 network interfaces

Disk Space: 250 GB hard drive

8







©2012 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. CS03-00015 0412

F5 Services


More Information

Enterprise Manager supports all TMOS-enabled F5 devices in the BIG-IP product family. To learn more about Enterprise Manager, use the search function on F5.com to find these and other resources.

Datasheet

BIG-IP Modules

BIG-IP iHealth

Product overview

Enterprise Manager

White paper

Application Delivery Network Platform Management

Case study

Rackspace Hosting


http://www.f5.com





http://f5.com/services

http://www.f5.com

http://www.f5.com/pdf/products/big-ip-modules-ds.pdf

http://www.f5.com/pdf/customer-support/big-ip-ihealth-ds.pdf

http://www.f5.com/pdf/products/enterprise-manager-overview.pdf

http://www.f5.com/pdf/white-papers/adn-platform-management-wp.pdf

http://www.f5.com/pdf/case-studies/rackspace-cs.pdf

F5 BIG-IP® ScaleN Application Delivery PlatformsPerformance, scalability, quality & reliability.

Recommended for:

• Developer/Lab/QA environments• Cloud deployments• Software Defined Data Centers (SDDCs)• Remote sites• Accelerated deployment• Deploying security services close to the application Performance (Dependent on allocation of host resources):

• Up to 325K L7 RPS• Up to 100K L4 CPS• Up to 3.4K SSL TPS (2K Keys)• Up to 3Gbps bulk throughput• Up to 5Gbps L7/L4 throughput• Up to 4Gbps Compression tput

Hypervisors:

• VMware, XenServer, Hyper-V, KVM, Amazon Web Services

Module Support*:

• LTM, GTM, AAM, AFM, ASM, APM, CGNAT, and PEM app services modules

BIG-IP® Virtual Edition

Recommended for:

• Tech startups• Small to Mid-sized companies (100-1000 employees) Performance:

• 212K to 425K L7 RPS• 75K to 150K L4 CPS • 2K to 4K SSL TPS (2K Keys), 4Gbps bulk throughput• 5Gbps L7/L4 Throughput • 2.5Gbps to 4Gbps Compression tput

Key Features:

• Dual core Intel Xeon processor• 8 GB RAM• 500 GB Hard Drive• 2x 10G and 8x 1G ports• Dual 80 Plus GOLD and DC power supply options

Module Support*:

• LTM, GTM, AAM, AFM, ASM, and APM app services modules.

Replaces: 1500/1600

BIG-IP® 2000s/2200s

Recommended for:

• State and Local governments• Small to Mid-sized companies needing unified app delivery services Performance:

• 425K to 850K L7 RPS• 150K to 300K L4 CPS • 4.5K to 9K SSL TPS (2K Keys), 8Gbps bulk throughput• 10Gbps L7/L4 Throughput • 4Gbps to 8Gbps Compression tput

Key Features:

• Quad core Intel Xeon processor • 16 GB RAM• 500 GB Hard Drive• 2x 10G and 8x 1G ports• Dual 80 Plus GOLD and DC power supply options

Module Support*:

• LTM, GTM, AAM, AFM, ASM, and APM app services modules. Replaces: 3400/3600

BIG-IP® 4000s/4200v

Recommended for:

• State and Local governments • Small to Mid-sized companies needing unified app delivery services• More complex security or acceleration requirements

Performance:

• 750K to 1.5M L7 RPS• 350K to 700K L4 CPS • 10K to 21K SSL TPS (2K Keys), 12Gbps bulk throughput• 15/30Gbps L7/L4 Throughput • 6Gbps to 12Gbps Compression tput• 20M to 40M Hardware SYN cookies per second

Key Features:

• Quad core Intel Xeon processor • 32 GB RAM• 1 TB Hard Drive• 8x 10G and 4x 1G ports• Dual 80 Plus GOLD and DC power supply options• vCMP virtualization support included (5200v)• Custom ePVA FPGA enabling: Hardware DDoS Protection Layer 4 Traffic Acceleration

Module Support*:

• LTM, GTM, AAM, AFM, ASM, APM, CGNAT, and PEM app services modules Replaces: 3400/3900

BIG-IP® 5000s/5200v

Recommended for:

• Mid-size enterprises (1,000 employees +)• Federal government agencies• Service Provider/ Telco environments• Web 2.0 Enterprises• Online Retailers Performance:

• 800K to 1.6M L7 RPS• 390K to 775K L4 CPS • 15K to 25K SSL TPS (2K Keys), 18Gbps bulk throughput• 20/40Gbps L7/L4 Throughput • 9Gbps to 18Gbps Compression tput• 20M to 40M Hardware SYN cookies per second

Key Features:

• Quad core Intel Xeon processor • 32 GB RAM• 2x 1TB Hard Drives (RAID 1)• 8x 10G and 4x 1G ports• Dual 80 Plus Gold power supplies (DC power option)• vCMP virtualization support included (7200v)• Custom ePVA FPGA enabling: Hardware DDoS Protection Layer 4 Traffic Acceleration

Module Support*:


Replaces: 6400/6800/6900

BIG-IP® 7000s/7200v

Recommended for:

• Mid-size to Large enterprises (1,000 to 5,000 employees)• Global Fortune 5000• Federal government agencies• Service Provider/ Telco environments• Web 2.0 Enterprises• Online Retailers

Performance:

• 1M to 2M L7 RPS• 500K to 1M L4 CPS • 21K to 75K SSL TPS (2K Keys), 22Gbps to 33Gbps bulk throughput• 40/80Gbps L7/L4 Throughput • 12Gbps to 24Gbps Compression tput• 40M to 80M Hardware SYN cookies per second

Key Features:

• Hex core Intel Xeon processor • 48 GB RAM• 2x 1TB Hard Drives (RAID 1)• 2x 40G and 16x 10G ports• Dual 80 Plus Platinum power supplies (DC power option)• vCMP virtualization support included (10200v)• Custom ePVA FPGA enabling: Hardware DDoS Protection Layer 4 Traffic Acceleration

Module Support*:


Replaces: 8400/8800/8900/8950

BIG-IP® 10000s/10200v

Recommended for:

• Mid-size to Large enterprises (1,000 to 5,000 employees)• Global Fortune 5000• Federal government agencies• Service Provider/ Telco environments• Web 2.0 Enterprises• Online Retailers• DC-DC WAN Optimization

Performance:

• 2.5M L7 RPS• 1M L4 CPS • 20K SSL TPS (2K Keys), 15Gbps bulk throughput• 24Gbps L7/L4 Throughput (11000)• 40/42Gbps L7/L4 Throughput (11050)• 12Gbps to 16Gbps Compression tput

Key Features:

• Two Hex core AMD Opteron processors• 32/48 GB RAM• 2x 600GB Hard Drives (RAID 1)• 4x 600GB Solid State Drives option (11000)• 10x 10G ports• Dual power supplies (DC power option)

Module Support*:

• LTM, GTM, AAM, AFM, ASM, and APM app services modules

Replaces: N/A

BIG-IP® 11000/11050

VIPRION® 2100 Blade

Recommended for:

• Large enterprises (5,000 employees +)• Service Provider/Telco environments• Deployment in DC core networks• DC Consolidation• NEBS environments

Performance:

• Up to four blades in VIPRION® 4480 chassis and up to eight blades in VIPRION® 4800 chassis• 2.5M L7 RPS (B4300), 2M L7 RPS (B4340N)• 1.4M L4 CPS (B4300), 1.1M L4 CPS (B4340N)• 30K SSL TPS (2K Keys), 20Gbps bulk throughput• 40/80Gbps L7/L4 Throughput • 20Gbps Hardware Compression tput• 80M Hardware SYN cookies per second

Key Features:

• Two Hex core Intel Xeon processor • 48 GB RAM (B4300), 96 GB RAM (B4340N)• 1 600GB Hard Drive• 2x 40G and 8x 10G ports• Four power supplies (DC power option for C4480)• NEBS Compliant• vCMP virtualization support• Custom ePVA FPGA enabling: Hardware DDoS Protection Layer 4 Traffic Acceleration

Module Support*:


Replaces: B4100/B4200/C4400

VIPRION® 4300/4340N Blade

F5 BIG-IP® Application Delivery SolutionsF5 VIPRION® Chassis

VIPRION® 4480

VIPRION® 4800

VIPRION® 2400

LTM: Local Traffic Manager™ GTM: Global Traffic Manager™ AAM: Application Acceleration Manager™ AFM: Application Firewall Manager™ ASM: Application Security Manager™ APM: Application Policy Manager™ CGNAT: Carrier-Grade Network Address Translation™ PEM: Policy Enforcement Manager™ *Please see F5 Product Release notes on AskF5.com for exceptions to module support©2013 F5 Networks, Inc. All rights reserved. F5, F5 Networks, and the F5 logo are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5.

Recommended for:

• Mid-size to Large enterprises (1,000 to 5,000 employees)• Global Fortune 5000• Web 2.0 Enterprises• Online Retailers

Performance:

• Up to four blades in VIPRION® 2400 chassis• 1M L7 RPS• 400K L4 CPS •10K SSL TPS (2K Keys), 9Gbps bulk throughput• 18/40Gbps L7/L4 Throughput • 10Gbps Hardware Compression tput• 40M Hardware SYN cookies per second

Key Features:

• Quad core Intel Xeon processor • 16 GB RAM• 1 300GB Hard Drive• 8x 10G ports• Dual power supplies (DC power option)• vCMP virtualization support• Custom ePVA FPGA enabling: Hardware DDoS Protection Layer 4 Traffic Acceleration

Module Support*: • LTM, GTM, AAM, AFM, ASM, APM, and CGNAT app services modules

Replaces: N/A

BIG-IP® Local Traffic Manager™

• Deliver applications rapidly and reliably with intelligent load balancing• Customize and automate with programmable infrastructure to build and adapt to your needs• Transition to SDN and cloud environments with consistent application delivery services• Easily deploy and manage applications with F5 iApp Templates• Secure your critical applications with SSL without compromising on performance, scalability or visibility

BIG-IP® Global Traffic Manager™

• Scale DNS to more than 10 million query RPS with a fully-loaded VIPRION® chassis• Protect your DNS infrastructure from DDoS attacks and support high volumes• Improve application performance by directing traffic based on business needs • Deploy flexibly, scale as you grow, and manage your complex DNS and App network efficiently

BIG-IP® Application Acceleration Manager™

• Reduces first-visit page load times for SaaS applications by as much as 50%• Reduces amount of data sent to mobile devices and overcomes inherent network latency issues• Ensures that video quality is improved, web pages load faster, and applications perform better • Improves replication and backup times to meet disaster recovery SLA’s• Eliminates point solutions by combining acceleration technologies in a single, integrated solution

BIG-IQ Cloud

• Provides automation, orchestration, and control of application services in cloud environments • Orchestrated application delivery and network services• Self-service and automated service provisioning capabilities• Multi-tenant self-service portal for health monitoring• Simplifies IT operations and improves productivity

Application Delivery Firewall

• Protects against DDoS at all Layers (Network, Session, and Application layers)• Most scalable Firewall on the market, with high scale proxy architecture – including SSL• Perfect solution as a perimeter firewall protecting the data center • Optionally add application security and DNS Security capabilitites for complete protection

BIG-IP® Application Security Manager™

• Web Application Firewall for HTTP(S)• Includes an integrated XML firewall• Protects against unknown, “zero-day” and known attacks, including SQL Injection, Cross-site Scripting, DOS and DDOS, Buffer Overflows, Google Hacking, Cookie Poisoning, Brute Force Attacks, OWASP Top 10, and more…• Data Leakage Prevention and regulatory compliance (PCI, HIPPA…)

BIG-IP® Access Policy Manager™

• Enhances web access management –proxies web applications and provides authentication, authorization, endpoint inspection • Simplifies VDI –improves the scale and reliability of their VDI/RDP deployments, while also simplifying VDI infrastructure. • Streamlines Exchange –helps secure Exchange deployments across ActiveSync/Mobile, Outlook Web Access, and Outlook Anywhere • Federates Identity – instantly provisions or de-provisions access to corporate applications, including SaaS applications, while users login to BIG-IP® once and enjoy seamless access to all web resources

What’s Inside

2 Boost Security for Employees and the Enterprise

3 Reduce IT Overhead

3 Encourage Employee Compliance

4 Improve Employee Productivity

4 Minimize Costs

5 F5 Services

5 More Information

DATASHEET

F5 Mobile App Manager

1

Safely Extend the Enterprise to Personal Mobile DevicesWith the advent of the smartphone, enterprises were pushed into the bring-your-own-device (BYOD) era. As organizations struggled to secure data and resources, IT was forced to manage employees’ personally owned mobile devices and associated data—in addition to corporate data and applications. Current mobile device management (MDM) solutions focus on controlling the device and deploying agents to provide device-level VPN corporate network access. The problem: your mobile employees are subject to corporate visibility and control of their personal information, while your IT department is forced to manage and transport data and applications that aren’t essential to your business operations.

F5 helps you address these challenges with F5® Mobile App Manager (MAM), a mobile application management and access solution that securely extends the enterprise to personal mobile devices. F5 MAM manages apps and secures data while satisfying the needs of both your employees who rely on their mobile devices, and your enterprise. For employees, F5 MAM safely separates personal data and usage from corporate oversight for a simpler, more flexible and productive experience. And for your IT department, F5 MAM minimizes the burden of ensuring that corporate data is secure on personal devices.

Key benefits

Boost security for the enterprise and the user With F5 MAM, you can deliver secure access and encryption to corporate data and apps, while leaving employees’ personal data and apps separate and untouched.

Reduce IT overhead F5 MAM eliminates the need for IT to manage enterprise-issued mobile devices and the associated infrastructure.

Encourage employee compliance Through secure, separate enterprise apps, F5 MAM lets employees make the most of the native mobile device experience while minimizing enterprise security risks.

Improve employee productivity Employees can collaborate from any location, at any time, making the most of every work day.

Lower costs F5 MAM helps you take full advantage of BYOD benefits and associated cost savings, while reducing help desk costs.

DATASHEET


2

• Device notifications

• Device provisioning

• App Store/App management

• Basic MDM

• User self-service portal

• MAM Workspace

• MAM Wrapper and AppTunnel/VPN

• MAM Connect

• MAM Browser

• Endpoint inspection

• Provisioning/identity info

Internet

F5 MAM

AppTunnelBIG-IP APM

Enterprise premises

• AppTunnel termination

• AD/LDAP tie-in

• User provisioning

• VPE agent for F5 MAM query

F5 MAM includes:

•Mobile App Manager Wrapper and AppTunnel/VPN—A security wrapper automatically applied to select enterprise applications, MAM Wrapper ensures separation of business and personal elements, as well as provisions AppTunnel/VPN (application-specific network access).

•Mobile App Manager Connect—A secure, encrypted personal information manager (PIM) that integrates with Microsoft Exchange to deliver enterprise email, calendar, contacts, and notes—separate from personal PIM apps.

•Mobile App Manager Browser—A secure, managed browser for enterprise use, completely separate from the user’s personal browser.

•Mobile App Manager App Store—An easy-to-administer enterprise content and application store.

•Mobile App Manager Workspace—A virtual enterprise workspace available for Android devices that keeps enterprise data and apps separate. For iOS devices, F5 MAM offers equivalent security and management functionality using application wrappers.

Boost Security for Employees and the Enterprise

F5 MAM is equally compelling for employees and IT because it safely separates personal data and usage from corporate oversight. Employees retain the freedom to take full advantage of their devices, without having to disable useful features. IT manages only the enterprise subset of the data and apps on the device, and is not burdened with transporting and managing personal information.

Application Wrapping

F5 MAM’s application wrapping capabilities simplify the deployment of select apps to an employee’s mobile device. MAM Wrapper is applied to the target app automatically and post-compile, so there is no need to touch the application code. MAM Wrapper enables data to be shared across enterprise-secured apps. For example, when an employee attempts to open an attachment via the email component of MAM Connect, the wrapped version of the corresponding viewer application will be used to open that attachment.

MAM Wrapper includes data-at-rest encryption and restricted copy and paste functionality. MAM Wrapper also includes AppTunnel secure data transport enabled by the AppTunnels feature of F5 BIG-IP® Access Policy Manager® (APM), and more. Wrapped applications can be

The F5 MAM hybrid architecture combines cloud-based app management with on-premises application tunnel termination.

DATASHEET


3

made available via the MAM App Store, a customizable portal that IT can use to push select apps. Content distribution can be differentiated based on platform or user group membership.

Reduce IT Overhead

F5 MAM employs a Software-as-a-Service (SaaS)-based delivery mechanism to help streamline your deployment. With a SaaS-based solution IT doesn’t need to deploy, configure, or manage additional hardware. Simply purchase the licenses you need, and application management can occur instantly. Key components and capabilities of F5 MAM including application wrapping, application tunnels, and flexible policy management provide a comprehensive app security and management environment.

Application Tunnels

F5 MAM helps organizations shift from secure device-level connectivity to secure app-level connectivity, while ensuring that the enterprise footprint on a personal mobile device is limited to the enterprise data and applications accessed through the device. You can now replace existing device-level VPNs with application-specific VPNs, by taking advantage of BIG-IP APM AppTunnels, which enable a single encrypted connection to specific services such as Microsoft Exchange. As a result, only the enterprise subset of the overall personal device data and applications are secured and transported by the corporate network, leaving the connectivity of the device itself, and the management of personal data and applications, to the device owner.

Flexible Policy Management

Administrators can manage application access globally, by groups, or by individual devices. IT can push down policy and configuration requirements to your organization’s divisions quickly and easily, while enforcing compliance. This allows administrators to maintain consistent policies across all devices in the enterprise, and gives your organization a mobile IT solution that extends from data and applications on the endpoint into the cloud and the data center.

Encourage Employee Compliance

Many enterprise security policies for MDM, such as disabling the camera on a mobile device, may severely limit the employee’s enjoyment of or most productive use of the device. Another concern is that most MDM products are designed to examine the entire device and all of its contents, making no distinction between business and personal. Not only is this a potential privacy issue, there is a risk to the user of losing personal data (such as photos or contacts) should the enterprise find it necessary to wipe the device clean of enterprise data. In general, the more you attempt to control employees’ personal mobile device use, the less likely they are to willingly comply with your organization’s security regulations. This can result in a significant barrier to adoption.

Secure Enterprise Footprint

F5 MAM removes this barrier by letting employees work with their devices as they wish. F5 MAM doesn’t inspect content or disable features; instead, it creates a secure footprint on the device that is reserved for enterprise data and access. Each enterprise application is securely wrapped, which restricts incorrect or inappropriate use. Secure access is automatically provisioned by the application itself, and in the event that a device is lost or stolen, IT can wipe clean only the enterprise data from the device and leave personal data untouched.

DATASHEET


4

Improve Employee Productivity

When employees are empowered to use their own devices for work, they tend to resolve business issues and make important decisions faster, in real-time. Because employees can collaborate from any location at any time, and use key productivity and communications apps on their devices, they tend to be more efficient and more productive during the work day.

Secure Access to Productivity Apps

MAM Connect provides employees with secure mobile access to corporate email, calendar functionality, and contacts through Microsoft Exchange ActiveSync. Much care has been taken to replicate, and in some cases improve upon the usability and experience of the native email clients provided with mobile devices. Time-sensitive emails can be addressed immediately, from any location, and instant access to global address lists makes it easy for users to find and contact the people they need within the organization.

Minimize Costs

With F5 MAM, organizations can eliminate the need to issue corporate mobile devices and deploy the associated infrastructure—such as the servers that enable them—thereby reducing CapEx and OpEx. When combined with the productivity gains that BYOD brings, this trend can provide your enterprise with a significant advantage. Separating or segregating enterprise from personal data and applications also results in fewer help desk calls.

5

DATASHEET








F5 Services


More Information

To learn more about F5 MAM, use the search function on f5.com to find these and other resources.

White paper

BYOD 2.0: Moving Beyond MDM

Video

Inside Look: Mobile App Manager


http://www.f5.com




http://www.f5.com

http://www.f5.com/pdf/white-papers/big-ip-apm-mobile-application-manager.pdf

http://www.f5.com/featured/video/inside-look-mam/

F5 ServicesWorld-class technology solutions. Your way.

An organization’s ability to address technology challenges,

pursue opportunities, and grow its business is only as

effective as its IT agility. F5 provides the tools to help

you create a flexible IT infrastructure that aligns with your

business demands. And F5 offers world-class support,

training, and consulting services to ensure you get the

most from your F5 technology.

Getting it right, the first timeUnexpected obstacles can arise when deploying new technology.

Difficulties finding answers to questions or a lack of necessary skills

in-house can slow deployments. System downtime can disrupt user

productivity, and busy IT teams can become overburdened.

Whether it’s providing fast answers to questions, training internal

teams, or handling entire implementations from design to

deployment, F5 Services can help. F5 Services engineers, trainers,

and consultants have the F5 product knowledge and industry

expertise to anticipate issues, avoid problems, and reduce network

support costs. F5 support engineers follow standardized, ISO-

compliant processes and procedures, ensuring that worldwide,

you receive the same high-quality technical support. F5 also offers

many self-service resources, including diagnostic tools, an extensive

online knowledge base, and an active online community consisting

of tens of thousands of IT professionals.

Whatever level of assistance you require to realize a fast return on

your F5 investment, you can depend on F5 Services to deliver.

F5 key differentiators

• International Organization for Standardization (ISO)–compliant Quality Management System

• Worldwide Network Support Centers• World-class customer service ratings• Self-service tools, such as

AskF5™ Knowledge Base and BIG-IP® iHealth™ System

F5 Network Support Centers

“F5’s Technical Support has been great... they will go the extra mile to help you with configuration and iRules.”

System Administrator, Medium Enterprise Computer Software CompanyTVID: 42D-2E7-A6F

Solving the customer problem, not just the caseImplementation is just the beginning of integrating new technology

into an organization. Hardware and software must be maintained,

updated, and adapted to fit changing market conditions and

business demands. Companies today need a technology provider

that can address immediate needs quickly, competently, and in a

manner that moves the business forward.

F5 Services provides the resources to keep your technology running

at peak performance and make the most of your investment. Several

maintenance support levels are available, including options for

technical account management and dedicated support packages,

so you can be certain your organization has the support it requires.

Consultants who are knowledgeable about F5 products and industry

best practices can offer valuable perspective into challenges and

opportunities. In addition, F5 offers courses ranging from essentials

to advanced topics, so you can create your own in-house experts.

Top organizations rely on F5

• 42 of the top 50 Fortune 500® companies1

• 18 of the top 20 U.S. commercial banks1

• 10 of the top 10 global telecom providers2

• 8 of the top 10 global web parent companies3

Investing in the future of your businessAs your organization evolves and grows, it faces new application

delivery, scalability, and storage challenges. Remote workers and

offices around the world can expand opportunities but also raise

access and security concerns. New technology trends need to be

evaluated and incorporated in a way that is right for your business.

Wherever your business takes you, F5 can provide support and

services to meet your technology challenges. To assist your offices

worldwide, regionally located support centers offer help in many

languages through native-speaking engineers. F5 support also

includes sustaining development, so you can feel confident about

choosing F5 for your long-term needs.

Experienced F5 consultants are available to provide advice and tailor

product configurations to best serve your organization’s needs as

it grows. In addition, training programs are available onsite at your

location, in global facilities, or remotely.

When you align with a company that is as forward-thinking as you

are, you realize the most value possible from your F5 technology

investment, immediately and long-term.

1 Fortune 500® 2010. Fortune 500 is a registered trademark of the FORTUNE magazine division of Time Inc.

2 Ovum/Datamonitor Companies, Home & Work, March 2010. 3 The Nielsen Company, Top 10 Global Web Parent Companies, Home & Work, May 2010.

Learn more about F5 ServicesCreate the IT infrastructure your organization needs to

support business demands today and attain long-term goals.

F5 Services offers expertise, assistance, and resources to help

you achieve IT agility.

For more information about F5 Services, contact

[email protected] or use the search function on F5.com

to find these resources.

F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 [email protected] www.f5.com

Overviews > Technical Support Services

> Professional Services

> Global Training Services

Date post:	01-Jan-2017
Category:	Documents
Upload:	leque
View:	247 times
Download:	4 times