HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM - Cyber Security · PDF fileHOBLink JWT is an...

Installation and Configuration Guide

HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM

Software version: 1.0

Issue: July 2014

HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM Software and Documentation - Legal Notice

Contact: HOB GmbH & Co. KGSchwadermuehlstr. 390556 CadolzburgRepresented by: Klaus Brandstätter, Zoran AdamovicPhone: + 49 9103 715 0Fax: + 49 9103 715 271E-mail: [email protected]

Register of Companies: Entered in the Registry of Companies, Registry Court: Amtsgericht Fürth, Registration Number: HRA 5180Tax ID: Sales Tax Identification Number according to Section 27a Sales Tax Act: DE 132 747 002Responsible for content according to Section 55 Paragraph 2 Interstate Broadcasting Agreement: Klaus Brandstätter, Zoran Adamovic, Schwadermuehlstr. 3, 90556 Cadolzburg.

Disclaimer

All rights are reserved. Reproduction of editorial or pictorial contents without express permission is prohibited. HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM software and documentation have been tested and reviewed. Nevertheless, HOB will not be liable for any loss or damage whatsoever arising from the use of any information or particulars in, or any error in, or omission from this document. All information in this document is subject to change without notice, and does not represent a commitment on the part of HOB.

Liability for content

The contents of this publication were created with great care and diligence. While we keep it as up-to-date as practicable, we cannot take any responsibility for the accuracy and completeness of the contents of this publication. As a service provider we are responsible for our own content in this publication under the general laws according to Section 7 paragraph 1 of the TMG. According to Chapters 8 to 10 of the TMG we are not obliged as a service provider to monitor transmitted or stored information not created by us, or to investigate circumstances that indicate illegal activity. Obligations to remove or block the use of information under the general laws remain unaffected. Liability is only possible however from the date of a specific infringement being made known to us. Upon notification of such violations, the content will be removed immediately.

Liability for links

This publication may contain links to external websites over which we have no control. Therefore we cannot accept any responsibility for their content. The respective provider or operator of the website pages to which there are links is always responsible for the content of the linked pages. The linked sites were checked at the time of linking for possible violations of the law. At the time the link was created in this publication, no illegal or harmful contents had been identified. A continuous and on-going examination of the linked pages is unreasonable without concrete evidence of a violation. Upon notification of any violations, such links will be removed immediately.

Copyright

The contents and works on these pages created by the author are subject to German copyright law. Reproducing, copying, modifying, adapting, distributing or any kind of exploiting of this material outside the realms of copyright require the prior written consent of the respective author or creator. The downloading of, and making copies of, these materials is only permitted for private, non-commercial use. Where contents of this publication have not been created by the author, the copyright of the third parties responsible for these contents shall be upheld. In particular any contents created by a third party are marked as such. If you become aware of any copyright infringement within this publication, we kindly ask to be provided with this information. Upon notification of any such violation, the concerned content will be removed immediately.

Trademarks

Microsoft Windows is a trademark of Microsoft Corporation.

All other product names, company names and service names may be trademarks, registered trademarks or service marks of their respective corporations or owners, even if they are not specifically marked as such.

Issued: July 3, 2014

2 Security Solutions by HOB

Purpose of this Guide

This guide is designed to provide system administrators with detailed information concerning HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM and to help them decide where and when this product can be most effectively deployed in their enterprise network.

This documentation contains descriptions of numerous possible scenarios and explains required conditions. The procedures for configuring the individual software components are documented in detail with step-by-step instructions.

Symbols and Conventions

This guide uses certain conventions and abbreviations which are explained here:

References to program commands, options and buttons are printed in Bold, for example: select the command Open.

Cross-references to section headings and figures with numbers are marked in color as follows: Section 5 Information and Support.

File names and text to be entered by the user are printed in Courier New. This input is – unless otherwise mentioned - case sensitive.

In this documentation, HOB-specific terminology is abbreviated as follows:

This symbol indicates useful tips that can make your work easier.

This symbol indicates additional informative text.

This symbol indicates an important tip or procedure that may have far-reaching effects. Please consider carefully the consequences of any changes and settings you make here.

HOB-specific Terminology Abbreviation

HOBLink Java Windows Terminal HOBLink JWT 3.3 Plug-in

Security Solutions by HOB 3


Contents

1 Introduction 7

1.1 HOBLink JWT Exclusive Features ................................................................. 7

1.2 Advantages .................................................................................................... 8

1.3 Functions and Operation ................................................................................ 8

2 Installation and Configuration 9

2.1 Configuring HOBLink JWT Single Sign-on Feature........................................ 9

2.2 Installing and Configuring HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM.... 14

3 Information and Support 33



HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM Introduction

1 IntroductionHOBLink JWT is an advanced RDP client for F5 BIG-IP Access Policy Manager (APM) deployments. This solution provides all BIG- IP APM users with a Remote Desktop client that enables communication with Microsoft Windows Remote Desktop Services. HOB’s RDP is platform-independent and requires no client-side installation, reducing IT administration efforts and TCO. This is a purely software-based solution allowing you to leverage your existing/virtual IT infrastructure without sacrificing security. No confidential/sensitive data remains on the remote device.

Figure 1: HOBLink JWT RDP Client Hosted on an F5 BIG-IP

Figure 2: HOBLink JWT RDP Client Hosted on a Web Server

1.1 HOBLink JWT Exclusive Features

Easyprint built-in technology is used to handle all your local printers (PCL, IP printer, Port Mapping printers, etc.)

Many installation options: on your local computer, web server and BIG-IP APM deployment

Runs on every Java-capable web browser

Scanner devices, Smartcard authentication and application delivery are also supported when used in combination with HOB RD ES

Multi-monitor support

Resolution customization (full screen)


Introduction HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM

Local drive mapping

Small applet (fastest access)

1.2 Advantages

HOBLink JWT iApp available for F5 BIG-IP APM

No installation and administration rights needed on client side – easily and quickly deployable

Solution tailored to your needs, independent of operating systems used

Access to desktops is also possible

Perfect use of existing infrastructure for long-term protection of your investments

Scalable solution – adaptation to new circumstances made easy

Realizing trends like mobile workplaces is made simple

1.3 Functions and Operation

HOBLink JWT is an HOB-owned RDP client for accessing remote desktop servers, VDI and desktop systems. It does not matter if you are using Windows, UNIX, Linux or Mac OS applications. Due to the integrated load balancing mechanism, all server inquiries are optimally distributed to the available hardware, allowing for perfectly distributed resources. By using this, users can easily and securely access central company resources from any client. The advantage is that HOBLink JWT is completely platform-independent on the client side. You can decide which device is used. The users become more independent and can create an individual working environment according to their needs, which significantly enhances performance. Furthermore, HOBLink JWT requires no installation or administration rights on the client side. This saves time and reduces administration effort. Thus, Bring Your Own Device (BYOD) becomes child´s play.


HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM Installation and Configuration

2 Installation and Configuration

2.1 Configuring HOBLink JWT Single Sign-on Feature

Figure 3: F5 BIG-IP APM Admin WebGUI

On the F5 BIG-IP APM WebGUI, select the Main tab. Now select Access Policy > Application Access > Remote Desktops > Remote Desktops. Then click the Create symbol (see Figure 4 on page 10).

If you would like to enable the Single Sign-on feature for the HOBLink JWT plug-in, carefully read the section below before installing and configuring the HOBLink JWT for F5 APM. Otherwise, go to Section 2.2 Installing and Configuring HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM on page 14.


Installation and Configuration HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM

Figure 4: Access Policy Detail

Please use the parameters described in the figure below. The ACL Order parameter does not affect the final configuration. Enter the necessary parameters. The Auto Logon checkbox in the Auto Logon section must be activated and available on the F5 BIG-IP APM portal to work properly.

Figure 5: General Properties Parameters to Configure Single Sign-on Detail

Once you have entered the parameters, go to Access Policy > Policy Profiles > Access Profiles List. Select the policy you would like to update from the list.



Figure 6: Access Profiles List Detail

In the next dialog, click Access Policy.

Figure 7: Access Policy Button Detail

Click Edit Access Policy for Profile ... next to the Visual Policy Editor field.

Figure 8: Edit Access Policy for Profile Detail

A new browser window appears. Select Full Resource Assign.

Figure 9: Access Policy Diagram



Now select Add/Delete.

Figure 10: Properties of Full Resources Assign

Select the Remote Desktop tab and check the remote desktop resource you have just created.

Figure 11: Remote Desktop



Click the Update button.

Click the Save button (see Figure 10 on page 12).

You are now back in the browser window you opened previously. Click Apply Access Policy in the upper-left corner of the page. Then click the green Close button in the upper-right corner of the same browser window.

Figure 12: Apply Access Policy Button

The HOBLink JWT Single Sign-on feature has now been configured on F5. A new resource will be displayed in the portal.

Figure 13: F5 Portal



2.2 Installing and Configuring HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM

Download HOBLink JWT plug-in for F5 BIG-IP APM.zip file from HOB’s FTP Server. In order to get access to HOB’s FTP Server, please contact your sales representative. This file contains three files:

F5-JWT_Plugin.zip which is the plug-in itself.

F5-JWT_Plugin.tmpl, the iApp used to configure the plug-in from the F5 BIG-IP APM admin WebGUI.

This guide.

Begin by logging into the F5 BIG-IP Admin WebGUI.

Figure 14: F5 BIG-IP APM Log In

You have now been directed to the F5 BIG-IP Admin WebGUI.

Figure 15: F5 BIG-IP APM Admin WebGUI



Select Access Policy on the left side of the screen and click Hosted Content (Figure 4 on page 10). A new section is displayed.

On the upper-right side of the GUI, click Upload.

The Create New File dialog is displayed. Click the Browse button and then select F5-JWT_Plugin.zip. Uploading starts automatically.

Figure 16: Create New File Uploading

Once uploaded, enter f5jwtplugin in the File Destination Folder field. Then choose Upload and extract from the File Action menu.

Figure 17: Create New File

For demo purposes:

under Secure Level, select public. Otherwise, select Session or Profile depending on your security needs. Then click OK.



The upload and unzip process starts. Once finished, the uploaded files will be displayed in the F5 BIG-IP APM WebGUI.

Figure 18: F5 BIG-IP APM WebGUI Hosted Contact

Now it is time to upload the HOBLink JWT iApp template (F5-JWT_Plugin.tmpl) to F5 BIG-IP APM. The HOBLink JWT iApp sets up and configures the HOBLink JWT plug-in. Multiple HOBLink JWT options and features can be configured (printers, display, drive mapping, etc).

On the Main tab, click iApp and select Templates. Select Import….

Figure 19: Import File

Select the F5-JWT_Plugin.tmpl and click Upload.

The F5-JWT_Plugin.tmpl is now displayed on the iApp Template List (see Figure 20 on page 17).



Figure 20: Template List

The HOBLink JWT 3.3 Plug-in can now be configured. From iApp, select Application Services and click the Create button. Choose a name for the new service (e.g. example) and select F5-JWT_Plugin from the Template list.

Figure 21: Template Selection

The HOBLink JWT 3.3 Plug-in iApp configuration form is displayed. Now set up the different JWT parameters to fit your requirements.



Figure 22: Template Selection Basic

If you have previously configured the HOBLink JWT Single Sing-on feature, go to Logon settings (see Figure 23 on page 19) and set Use HOB Single Sign-On parameter to YES as well as setting the Logon automatically field to YES. Then, type the name of the remote desktop resource you created (e.g my_test) following the steps in Section 2.1 Configuring HOBLink JWT Single Sign-on Feature on page 9. Otherwise, go to the next step.



Figure 23: Template Selection Basic Logon Settings

Once done, click the Finished button at the end of the page. A new application service has now been deployed (example).

Figure 24: Application Service

The HOBLink JWT 3.3 Plug-in now needs to be made available on the F5 BIG-IP APM Webtop.

It is assumed that Webtop, Virtual Servers and Policy Profiles were configured previously. For further information, please refer to the Configuration Guide for BIG-IP Access Policy Manager.


http://support.f5.com/content/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/_jcr_content/pdfAttach/download/file.res/Configuration_Guide_for_BIG-IP_Access_Policy_Manager.pdf


On the left side of the screen, click Access Policy. A new section is displayed. Click Portal Access. Click Create….

Figure 25: Create Button

A New Resource… form is now displayed.

Figure 26: Portal Access

The HOBLink JWT 3.3 Plug-in iApp produces an html configuration page (e.g. example.html, as displayed in Figure 27 on page 21) which is automatically hosted on the F5 BIG-IP APM Sandbox in the /f5jwtplugin directory.Important: make sure the directory matches.



Figure 27: Static File List

In the Item Type parameter, Hosted Content must be selected.The html page previously generated (in our case, example.html) by the iApp should be selected in the Hosted Files parameter as displayed in Figure 28 on page 22. Click Create to finish.

Files created by the iApp must be deleted manually.

In order to prevent unauthorized access to the .hmtl file, please set Secure Level parameter to Policy.



Figure 28: Plugin Sandbox

A Resource Items section appears. Click the Add button to create a new item.

Figure 29: Resource Items

Point to the HOBLink JWT applet (jwtwebJ2.jar) hosted in the F5 BIG-IP APM sandbox, as described in Figure 30 on page 23.



Figure 30: New Resource Item Detail

The rest of the parameters should be selected as displayed below. When you are done, click Finished.

Figure 31: New Resource Item Complete Detail

Now the Portal Resource configuration looks like this…



Figure 32: Plug-in Sandbox End

Create a rewrite profile to sign the JWT applet as described below.

F5 BIG-IP APM rewrites the HOBLink JWT network API and signs it before it is delivered to the remote client (desktop computer or laptop) so a Portal Access Rewrite Profile must be configured.



On the F5 BIG-IP APM menu, select Portal Access then Rewrite.

Figure 33: Access Policy Rewrite

Now click on Create New Profile to create a new Portal Rewrite Profile (e.g. rewrite-portal). Set General Information section as displayed below.

Figure 34: Create New Profile Rewrite



Set the Portal (Access) section as displayed below.

Figure 35: Create New Profile Rewrite Portal Access

Continue editing the rewrite profile by clicking on Java Patcher Settings to assign the certificates to this profile which will be used to sign the HOBLink JWT applet. A trusted certificate issued by a trusted certificate authority (Verisign, Thawte, etc) must be selected. The Signer and Signing Key fields may be self-generated.

Figure 36: Create Profile Rewrite JavaPatcher Settings



Under URI Translation, leave Settings as displayed here.

Figure 37: URI Translation

Now we must assign this rewrite profile to the virtual server in charge of serving the Portal. Go to Local Traffic > Virtual Servers > Virtual Server List.

Figure 38: Local Traffic

Select a virtual server and go to the Content Rewrite section. Select the rewriting profile you have just created. Leave HTML Profile as None.



Figure 39: Content Rewrite

Be sure an access policy and a connectivity profile have been assigned to the virtual server. Do not forget to enable the VDI & Java Support checkbox as can be seen above.

Now go to Access Policy > Access Profiles > Access Profiles List.

Figure 40: Access Profiles

From the profile list, choose the one you previously configured.



Click on Access Policy.

Figure 41: Access Policy Button Detail

Under the General Properties section, click on Edit Access Policy for Profile.

The Access Policy editor is displayed in a new window.

Figure 42: Access Policy Diagram

Click Full Resource Assign. A new window overlaps the previous one. Click Add/Delete.

Figure 43: Properties of Full Resource Assign



Click Portal Access. The portal objects previously configured are displayed. Check the JWT portal object and then click on Update.

Figure 44: Portal Access Update

The window will then close. Click Save (see Figure 43 on page 29) to commit changes.

Now, click Apply Access Policy to bring HOBLink JWT 3.3 to life.

Figure 45: Apply Access Policy Button

Deleting the F5 cache:F5 caches all previously downloaded HOBLink JWT applets. That means an old version of the HOBLink JWT applet could be downloaded if no Cache deletion is performed. Log into F5 command line as root user. Jump to the tmsh shell and run the command below.This will completely remove all outdated JWT applets hosted on the cache.



Figure 46: TMSH

Open a web browser and direct it to the F5 Portal.

Figure 47: F5 BIG-IP APM Log In

Log into the portal. Now the HOBLink JWT link is there. If HOBLink JWT 3.3 Plug-in Single Sign-on feature has been enabled, an additional link (e.g my_test) is also displayed.

Figure 48: F5 Portal HOBLink JWT

Click the JWT_plugin_sandbox link and the application will be automatically launched on your desktop computer or laptop from the F5 BIG-IP APM Sandbox. Now you are ready to reach your corporate remote desktops through an F5 BIG-IP APM appliance.



Figure 49: RDP Window


HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM Information and Support

3 Information and SupportIf you would like further information about HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM or if you need product support, please contact us at:

U.S.A. and Canada

General Enquiries:

Phone: + 1 866 914 9970

Fax: + 49 9103 715 3299

E-mail: [email protected]

Web: www.hobsoft.com

Technical Support:

Phone: + 1 866 914 9970

Fax: + 49 9103 715 3299


Germany

General Enquiries:

Phone: + 49 9103 715 0

Fax: + 49 9103 715 3271


Web: www.hob.de

Technical Support:

Phone: + 49 9103 715 3161

Fax: + 49 9103 715 3299


Other Countries

General Enquiries:

Phone: + 49 9103 715 3103

Fax: + 49 9103 715 3299


Web: www.hobsoft.com

Technical Support:

Phone: + 49 9103 715 3103

Fax: + 49 9103 715 3299



mailto:[email protected]

http://www.hobsoft.com





http://www.hobsoft.com

Date post:	01-Feb-2018
Category:	Documents
Upload:	hoangnhi
View:	237 times
Download:	1 times

HOBLink JWT 3.3 Plug-in for F5 BIG-IP APM - Cyber Security · PDF fileHOBLink JWT is an...

Documents