2. 2
How the Static Data Center Falls Short
• It started simple
• More user types, services
• Application issues
• Security woes …
• What’s the answer?
3. 3
Dynamic Data Center
• Reconfigure dynamically
• Manage applications, not objects
• Context-aware policies
• ADC manages application services
4. 4
Mobile and Remote Users Growing Dramatically
IDC Research 2010
5. 5
One Access Solution
BIG-IP Access Policy Manager
Remote Access: Web Access Management:
• SSL VPN • Proxy to HTTP apps
– Network Access All Access
– Custom
– Portal Access Use Cases
– 3rd party
– App Tunnels
BIG-IP
Access Policy Manager
Application Access Control:
• Proxy to Non-HTTP apps
– Citrix ICA
– ActiveSync
– Outlook Anywhere
6. 6
Dynamic Services for Unified Access Control
BIG-IP Access Policy Manager in BIG-IP Edge Gateway
• Unify Remote, Web and Application Access
• Fast Access, Authentication and SSO to Apps
• Ensure Strong Endpoint Security
• Scale to Support All Mobile and Remote Users
• Powerful Custom and Built-in Reporting
Manage Access Based on Identity
7. 7
Secure, Accelerated Remote Access with BIG-IP APM in Edge Gateway
Edge Gateway includes:
• BIG-IP APM, WA and WOM
8. 8
BIG-IP Edge Gateway
Secures and Accelerates Access to Applications
• Next generation remote access solution
– Converges SSL VPN access security, application acceleration and availability
– Optimize access for mobile users and remote offices
• BIG-IP Solution for the Network Edge
– Multiple Platforms: 1600, 3600, 3900, 6900, 8900, 11000 (licensed concurrently)
– Includes BIG-IP Edge Client solution
• Exponential Performance, Capacity, and Scalability
– Up to 10 Gbps, 600 log-ins per second, 60,000 users
12. 12
Scale to Support the Most Mobile Users
with BIG-IP Edge Gateway (APM+WA+WOM)
Scenario:
Extreme weather results in 150% more employees than usual working and accessing the network from home
Solution:
Employees experience no delay or bottlenecks because BIG-IP Edge Gateway:
• Provides secure remote access with up to 10 Gbps of SSL VPN throughput
• Supports up to 60,000 concurrent users and 600 logins per second
13. 13
Disparate connections and application restarts
(Figure: a user moving between At Home (wireless), On the way to work (Aircard), In the office (docked LAN connection), Presenting (corporate wireless) and In the Cafe (wireless); every move means ongoing logins and constantly re-connecting)
14. 14
Increase User Productivity with Anywhere Access
Auto-Connect to VPN with Flexible Client Technology
(Figure: the same locations, At home (wireless), On the way to work (Aircard), In the office (docked LAN connection), Presenting (corporate wireless) and In the cafe (wireless), with Auto-Connect giving always connected application access)
19. 19
Mobile Clients for Fast App. Access
• Provide access based on device and identity
• Make dynamic policy decisions
• Authenticate users
• Provide remediation for non-compliant devices
20. 20
BIG-IP Edge Portal for Android App Solutions
Fast App. Access for Android Devices
https://market.android.com/details?id=com.f5.edge.portal
21. 21
Ensure Strong Endpoint Security
BIG-IP Edge Gateway
Allow, deny, or remediate users based on endpoint attributes such as:
• Antivirus software version and updates
• Software firewall status
• Access to specific applications
Invoke protected workspace for unmanaged devices:
• Restrict USB access
• Cache cleaner leaves no trace
• Ensure no malware enters corporate network
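As an added example (not F5 code, and not part of the original deck), the following Python models the allow / deny / remediate / protected-workspace decision the slide describes, applied to a set of endpoint attributes. The attribute names, the minimum antivirus version and the signature-age limit are constructed for the example rather than APM session variables or product defaults.

```python
"""Endpoint posture decision modelled on the slide's four outcomes.

Constructed example: attribute names and thresholds are assumptions,
not APM session variables or F5 defaults.
"""
from dataclasses import dataclass

# Constructed policy thresholds (hypothetical values)
MIN_AV_VERSION = (12, 4)        # oldest antivirus engine version still accepted
MAX_AV_SIGNATURE_AGE_DAYS = 7   # signatures older than this need an update


def parse_version(text):
    """Turn '12.4.1' into (12, 4, 1) so versions compare numerically,
    not as strings ('9.1' must sort below '12.4')."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"bad version component: {piece!r}")
        parts.append(int(piece))
    return tuple(parts)


@dataclass
class Endpoint:
    managed: bool                  # corporate-managed device?
    av_installed: bool
    av_version: str = ""
    av_signature_age_days: int = 0
    firewall_enabled: bool = False


def posture_decision(ep):
    """Return (branch, reason); branches mirror the slide:
    'Allow', 'Deny', 'Remediate', 'ProtectedWorkspace'."""
    # Unmanaged devices never get a normal session: they are placed in
    # the protected workspace (USB restricted, cache cleaned on exit).
    if not ep.managed:
        return "ProtectedWorkspace", "unmanaged device"
    # Hard failures: nothing the user can fix from a remediation page
    # in one step, so deny outright.
    if not ep.av_installed:
        return "Deny", "no antivirus installed"
    if not ep.firewall_enabled:
        return "Deny", "software firewall disabled"
    try:
        version = parse_version(ep.av_version)
    except ValueError:
        return "Deny", "unparseable antivirus version"
    # Soft failures: the device is nearly compliant, so route it to a
    # remediation page (update the engine or signatures) instead.
    if version < MIN_AV_VERSION:
        return "Remediate", f"antivirus {ep.av_version} below minimum"
    if ep.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        return "Remediate", "antivirus signatures out of date"
    return "Allow", "endpoint compliant"
```

The ordering matters: the unmanaged test runs first so that a personal device is never evaluated against the corporate checks at all, and the hard failures are checked before the version comparison so a device with no antivirus cannot be sent to a remediation page that assumes one is present.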
23. 23
Enterprise and Service Provider IT
(Diagram: Network Users connecting to the Data Center, with Applications (App 1 … App n), Directories, and Private and Public Cloud)
24. 24
F5 Unified Access and Control
Flexible and Dynamic ADC Services
• Supports users worldwide
• Secure IPsec site to site tunnels
• Fast apps to Edge Client users
• Virtual and standalone deployments
(Diagram: Data Center, Headquarters and Remote Offices)
25. 25
Flexible and Dynamic Access Services
Dynamic Webtop, App. Tunnels and Remote Desktop Support
26. 26
Authentication All in One and Fast SSO
F5 BIG-IP Access Policy Manager
Dramatically reduce infrastructure costs; increase productivity
= BIG-IP v11
27. 27
New Detailed Reporting
Quickly Run Built-in or Design Custom Reports
e.g. Who accessed app. or network and when?
e.g. How many XP users are still on my network?
e.g. Where are users accessing from (geolocation)?
Custom, Built-in and Saved reports
Exported and used on other devices
28. 28
Access and Application Analytics
• Stats grouped by application and user
• Provides
– Business Intelligence
– ROI Reporting
– Capacity Planning
– Troubleshooting
– Performance
Stats Collected: Client IPs, Client Geographic, User Agent, User Sessions, Client-Side Latency, Server Latency, Throughput, Response Codes, Methods, URLs
Views: Virtual Server, Pool Member, Response Codes, URL, HTTP Methods
29. 29
Access Policy Design
• Industry-leading advanced Visual Policy Editor (VPE)
– Flexible
– Easy to understand, visual representation of policy
– VPE Rules (TCL-based) for advanced functions
– Trigger TMM iRules events
• Usability features
– Macros
– Visual cues to aid configuration
30. 30
Improve Manageability and Reduce Costs
Lack of simplicity, flexibility, context, and control for the enterprise
• No context
• Difficult change control
• Error-prone
• Costly
• Licensing/vendor management issues
• Compliance problems
• Limited control
(Diagram: Users reach Resources through separate products, a VPN from Vendor A, a Web Accelerator from Vendor B, a WAN Optimizer from Vendor C and a DNS Bind Server from Open Source, each with its own AAA (AAA x 5, AAA x 2, AAA x 10); resources include AD, CA, TAM, OAM and LDAP across Private and Public Cloud and Physical, Virtual and Multisite data centers)
31. 31
Improve Manageability and Reduce Costs
Simplicity, flexibility, context, and control for the enterprise
• Unified access and acceleration
• Secure Optimized Session and Optimal Gateway model for User Requests
• Simplified change control and auditing
• Flexible access policies
• Context-aware: user, device, location, and application
• Control remains within enterprise
(Diagram: BIG-IP Global Traffic Manager and BIG-IP Edge Gateway replace the separate VPN, Web Accelerator, WAN Optimizer and DNS Bind Server from Vendor A, Vendor B, Vendor C and Open Source; the same AAA, AD, CA, TAM, OAM and LDAP resources across Private and Public Cloud and Physical, Virtual and Multisite data centers)
32. 32
Optimal gateways and secure optimized sessions
Challenges:
• Slow connection times meant slow transfers
• Couldn’t connect to VPN with 64-bit OS
• VoIP issues caused dropped calls
• Lack of support required costly upgrades
Benefits:
• WAN optimization = fast connection for mobile users on 64-bit OS
• Improved VoIP, with fewer dropped calls
• Active Directory integration eliminates multiple logins
• Fast, easy installation
• Implemented: Edge Gateway, LTM, GTM.
“With the Edge Gateway, the connection speed was immediately noticeable.”
Steve Diggory, Technology Manager, PersonalizationMall.com
Case Study: http://www.f5.com/pdf/case-studies/personalization-mall-cs.pdf
Industry: Online Specialty Retail
35. 35
Dynamic Services for Unified Access Control
BIG-IP Access Policy Manager in BIG-IP Edge Gateway
• Unify Remote, Web and Application Access
• Fast Access, Authentication and SSO to Apps
• Ensure Strong Endpoint Security
• Scale to Support All Mobile and Remote Users
• Powerful Custom and Built-in Reporting
Manage Access Based on Identity
36.
37. 37
Multiple-Domain Single Sign-On
• Single Sign-On to multiple LTM/APM or Edge Gateway virtual servers front ending multiple separate domains or multiple hosts within same domains
• Configure different cookie settings and SSO methods for different domains or different hosts in the same domain
Ex. Multiple domains with different SSO methods
38. 38
Dynamic Webtop for End-User
• Customizable and localizable list of resources
• Adjusts to mobile devices
• Toolbar, help, and disconnect buttons
39. 39
Endpoint Inspection – Machine Information
• CPU Info {ID, Name, Clock}
• HDD {Model, Serial#}
• Motherboard {Model, Serial#}
• BIOS {Dell, Serial #, Manufacturer}
• NICs {Name, MAC}
42. 42
Symmetric Adaptive Compression to Edge Client
• iSession-style optimization of Network Access tunnels
• Layer with DTLS
– DTLS for fast response of real-time applications
– Optimization reduces bandwidth
43. 43
Edge Client v1.0.1
• Secure web gateway proxy support
• Pre-logon checks
• Auto application launch
44. 44
Secure Web Gateway Integration
• Allows admin to force all web access through a secure gateway
• Bypasses secure gateway for internal resources
• All traffic is forced through the tunnel
• Why? e.g. to enforce web browsing policies on corporate iPads
45. 45
Secure iPad Web Surfing with Edge Client
(Diagram: iPad with Edge Client → full SSL-VPN tunnel → BIG-IP Edge Gateway with APM → Internet Gateway, or Internal Resource)
46. 46
Pre-logon checks for iOS Devices
• Four new session variables:
– session.client.mac_address
– session.client.model
– session.client.platform_version
– session.client.unique_id
• These session variables are gathered automatically and are available with Solstice and Edge Client 1.0.1
• They can easily be combined with an LDAP/AD Query to implement white-listing in a custom action.
• Why? Discriminate IT approved issued devices. Improved access context.
47. 47
Checking the iOS Unique ID
• Custom action “Device ID Check” in this access policy checks a UUID…
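The check described on these two slides, as an added Python example that is not part of the original deck and not F5 code: it takes the four session variables listed on slide 46 plus the logon username, canonicalises the unique_id, and compares it against a simulated LDAP/AD query result. The directory contents, the attribute name approvedDeviceId and the device ids are constructed; session.logon.last.username is assumed to carry the logged-on username, and the three outcomes stand in for the branches a custom action would expose in the VPE.

```python
"""Simulated "Device ID Check" custom action: session variables joined
with a directory lookup to allow-list IT-issued iOS devices.

Constructed example, not F5 code: DIRECTORY, approvedDeviceId and the
device ids are made up for illustration.
"""
import re

# Session variable names from slide 46; the values used below are constructed.
UNIQUE_ID = "session.client.unique_id"
PLATFORM = "session.client.platform_version"
MODEL = "session.client.model"
MAC = "session.client.mac_address"
USERNAME = "session.logon.last.username"   # assumed to hold the logon name

# Stand-in for an LDAP/AD query result: username -> attributes.
# 'approvedDeviceId' is a hypothetical multi-valued attribute.
DIRECTORY = {
    "alice": {"approvedDeviceId": ["0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c"]},
    "bob": {"approvedDeviceId": []},
}

# Plausible shape for a device id: hex digits and dashes, bounded length.
ID_FORMAT = re.compile(r"[0-9a-f-]{8,64}")


def normalize_id(raw):
    """Canonicalise a client-supplied id (trim, lowercase) and reject
    anything that does not look like an id, so stray or crafted client
    data cannot match an allow-list entry by accident."""
    value = raw.strip().lower()
    return value if ID_FORMAT.fullmatch(value) else None


def lookup_approved_devices(username, directory=DIRECTORY):
    """Simulated LDAP/AD query: the set of approved ids for a user, lowercased
    so the comparison is case-insensitive regardless of how they were stored."""
    entry = directory.get(username)
    if entry is None:
        return set()
    return {d.lower() for d in entry.get("approvedDeviceId", [])}


def device_id_check(session, directory=DIRECTORY):
    """Return (branch, detail). Branches: 'Allow', 'Deny', or 'Fallback'
    when the client did not supply the iOS variables at all."""
    raw = session.get(UNIQUE_ID, "")
    if not raw:
        # Older Edge Client or a non-iOS platform: variables not collected,
        # so let the rest of the policy decide rather than failing here.
        return "Fallback", "no unique_id in session"
    uid = normalize_id(raw)
    if uid is None:
        return "Deny", "malformed unique_id"
    approved = lookup_approved_devices(session.get(USERNAME, ""), directory)
    if uid in approved:
        detail = f"{session.get(MODEL, '?')} iOS {session.get(PLATFORM, '?')}"
        return "Allow", f"approved device ({detail})"
    return "Deny", "device not on allow-list"
```

The fallback branch is the point worth keeping: a device that sends no unique_id should not silently pass an allow-list check, but it should also not be confused with a device that sent an id that was rejected, because the two cases call for different policy paths.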
48. 48
App auto-launch
• After Edge Client connects, initiate and auto-launch a 2nd application on the device.
• Uses a URL form for the App Path
– http://handleopenurl.com/
– http://wiki.akosma.com/IPhone_URL_Schemes
• Issues pre-launch warning
51. 51
Authentication Proxy Integration – VPN
Customer Architecture with Oracle Access Manager (OAM) and BIG-IP® Edge Gateway
(Diagram: Mobile Employees and Contractors → DMZ: BIG-IP® Edge Gateway / OAM, +ASM (opt), +WA (opt) → Data Center: OAM Web Proxies + OAM (opt), BIG-IP® LTM, Web App 1 … App n, OAM Policy Server, Reporting, and Auditing)
• Mobile employees accessing corporate applications using VPN
• OAM auth. services are performed by Edge Gateway in the DMZ
• OAM auth. services may be performed by BIG-IP® Edge Gateway in the DMZ or at the web server with “last mile” security
• Eliminate a directory service for remote access users
52. 52
Security Risk: Mobile User Authentication Sync
(Diagram: DMZ with Auth. Gateway; Data Center with ADC and MS Exchange)
• Access to Exchange without VPN to sync MS email, calendar, contacts
• Security risk
• Extra infrastructure tier in DMZ
53. 53
Secure Environment: Authenticating
ActiveSync Devices
(Diagram: DMZ with Auth. Gateway; Data Center with BIG-IP® LTM + APM and MS Exchange)
• Reduce authentication infrastructure and sync with Exchange
• One location for name space URL
• Scale and support growing mobile user base
• Secure environment
54. 54
Traditional Remote Access with SSL VPN → Unified Access on F5 BIG-IPs
Dynamic Control with BIG-IP Access Policy Manager
(Diagram: Local and Internet Mobile Users reaching Applications (App 1 … App n), Directories, Hosted Virtual Desktops, Private and Public Cloud, SaaS, Partners and Consumer Apps through BIG-IP LTM with APM and BIG-IP Edge Gateway with APM, WA, and WOM; SSL VPN shown as the traditional path)
• Accelerated remote access
• Application access management
• Most powerful, scalable and simplified access solutions
55. 55
BIG-IP Edge Gateway will
Power New Managed Services
Access Requirements
• Easy / cost effective access scaling
• Advanced, secure VPN with fast deployment
• Custom look and feel per customer
• Virtualized solution to maximize investment
• Enable secure collaboration between 3rd parties
BIG-IP Edge Gateway Delivered
• Superior scalability @ Lowest cost
• Acceleration technology with LAN speed performance
• Improved manageability and security with unified access
• Customized domains for personalized experience
• Virtual routing services with lower opex
56. 56
CSC - Why They Chose BIG-IP Edge Gateway
• Acceleration
– “First of all, the acceleration capabilities that came with it. It’s not just remote access that
it’s providing but also will provide a better user experience in the process leveraging the
BIG-IP acceleration technology that’s already been there, so it’s a proven and well-known
capability.”
• Secure and Granular Access Control
– “Another factor that was key was the highly granular access control capabilities, so that
allows us to provide the differing levels of access for different types of user and different
types of devices that I was talking about, with third parties, with personal devices, which
makes it flexible for future needs as well.”
• Virtualization of Access Services
– “One of the key things we were looking at in the evaluation as a managed service
provider was the ability to provide full virtualization for multiple customer environments
(via BIG-IP Virtual Servers concept), and obviously high scalability, so that’s all a direction
we’re heading in with the cloud computing model.”
• Converged Services Platform
– “We can deliver multiple services on it, not just remote access, so it provides a point of
leverage for us as well.”
57. 57
Repeatable Access to Applications
(Diagram: Clients → BIG-IP Edge Gateway → Applications)
• Increases mobile productivity, automatically entering Windows logon credentials when using Edge Client
• Easier access to applications with seamless VPN access
• ICSA Labs certified SSL-VPN solution
58. 58
VoIP: Slow Applications Affect Productivity
(Chart: Network Traffic and VoIP Traffic against Max Bandwidth, from Low Traffic through App. growth and App. Spike to App. Delivered; packet loss with TCP/SSL = high latency, and the network squeezes VoIP)
Traditional SSL VPN: Apps./VoIP sent simultaneously
User experiencing choppy communication: “What did he say?”
• Ensuring a positive end-user application experience is a complex problem
• Slow applications can be caused by a number of things:
– Packet loss due to chatty or jittery protocols
– High latency LANs
– Poorly designed apps.
59. 59
VoIP: Improved User Communications
(Chart: the same traffic profile, Network Traffic and VoIP Traffic against Max Bandwidth from Low Traffic through App. growth and App. Spike to App. Delivered, with BIG-IP Edge Gateway managing app. performance)
User: clear phone call, “Hear you loud and clear...”
Edge Gateway improves application and VoIP performance
• Tight connection and prioritized traffic with dedicated app. bandwidth
– Client-side QoS for Windows machines: VoIP traffic first and apps. traffic second
• Applications and upper layer protocols react to lost packet(s)
– Secures each packet
60. 60
Security Problem: Geolocation Access Risk
• Need to block access from countries or regions
• Help with business intelligence of where users are accessing from
• Looking for capacity planning and ability to audit the location
• Access policy based on location
(Diagram: UK Data Center)
61. 61
Enforcing Access Restrictions
Simple, accurate, centralized enforcement
(Diagram: BIG-IP Edge Gateway with IP Geolocation Database in front of the UK Data Center App Servers)
Solution: Centralized Location Control
• Decreased risk – access is controlled at perimeter
• Reduced capital and operational expenses through centralized control
• Reduced application development time
• Simplified network configuration
63. 63
BIG-IP APM/Edge Gateway V11 Features
Advanced Dynamic Services for Unified Access Control
• IPsec optimized site-to-site tunnels
• Dynamic Webtop: with Application Tunnels
• Access: External Dynamic ACLs, Flash patching, Oracle Access Manager 11g
• Hosted VDI: Microsoft Remote Desktops, Expanded Citrix VDI support (Proxy and Portal mode)
• SSO enhancements: SSO across multiple domains, Kerberos auth. (CAC cards, etc)
• EndPoint Inspection: Protected Workspace, Machine Info Inspector
• Powerful reporting/analytics: Custom & built-in reports, Access and Application Analytics for remote access solution
• Scale for Global enterprise: 11000 Series: ^60k users, w/1.2 TB of storage
64. 64
Edge Gateway v10.2 Security Features
• Edge Gateway
– Integration with Oracle Access Manager
– ICSA Certified – SSL -VPN
– Geolocation Agent in VPE
– MS ActiveSync Support
• Edge Client
– Reuse of Windows logon credentials
65. 65
Edge Gateway v10.1 Features
• Secure accel. remote access
– Remote Access, Application Acceleration and Network Optimization
– Global VPN and Unified Access to Datacenter
– Dynamic per-session layer 4 - 7 (HTTP) ACLs
– SSO/Credential Caching
– TCP Optimization
– Symmetric adaptive compression
– Asymmetric and symmetric application acceleration
– Data de-duplication
– MAPI and CIFS acceleration
• Dynamic User Access
– Web-based and standalone BIG-IP Edge Client
– Mobility: Domain detection and smart connection
– Acceleration: Dynamic data compression
• Thorough Device Inspection
– Endpoint Inspection checks
– Protected Workspace with encryption and Virtual File System
– Group policy integration
– Virtual Keyboard
• Manageability / Usability
– QoS on Windows machines (client side)
– D-TLS (Datagram-Based TLS) Network Access Transport for secure packets
– Customizable user interface
– Policy import/export
– Reporting and stats
– Set-up deployment wizards
– Dashboard executive summary
• Interoperability and Integration
– Edge Gateway and GTM interoperability
– Edge Gateway events in iRules
– Splunk for F5 logging and reporting
• Virtualization Architecture
– Multiple virtual Edge Gateways
– Targeted at Service Providers and large enterprises
– Separate access policy grouping for each virtual Edge Gateway
– Can have separate security administrators
– Master administrator control
66. 66
Edge Gateway – v10.1 Features
• Application Acceleration
– TCP optimization for client to gateway and gateway to gateway connections
– Symmetric Adaptive Compression for client to gateway and gateway to gateway connections
– HTTP/HTTPS asymmetric acceleration for client to gateway connections
– HTTP/HTTPS symmetric acceleration for gateway to gateway connections
– Data de-duplication services for gateway to gateway connections
– MAPI and CIFS acceleration for gateway to gateway connections
• D-TLS (Datagram-Based TLS) Network Access Transport
67. 67
Edge Gateway – v10.1 Features
• Portal Access Security
– OWA 2003, OWA 2007, SharePoint 2003, SharePoint 2007, MS Communicator 2007
– Oracle Portal 3.0 (10g Release 2, version 10.1.2)
– PeopleSoft Portal 9, PeopleSoft Portal HR 9
– SAP Netweaver
– Notes 7, Notes 8
• Authentication and Authorization Services
– RADIUS, LDAP, and AD support
– SSO/Credential Caching: HTTP Basic, HTTP NTLMv1/v2, Cookie, Form, and HTTP Header
– Dynamic per-session layer 4 - 7 (HTTP) ACLs
– Native RSA SecurID
– RADIUS accounting
– Authentication server redundancy
68. 68
Edge Gateway – v10.1 Features
• Virtualization Architecture
– Multiple virtual Edge Gateways
– Targeted at Service Providers (managed service offering) and large enterprises (segmented based on business units/groups)
– Separate access policy grouping for each virtual Edge Gateway
– Can have separate security administrators
– Master administrator control
69. 69
Edge Gateway – v10.1 Features
• BIG-IP Edge Client
– Web delivered and standalone
– New look and feel
– Mobility: Roaming and smart connection
– QoS on Windows machines (client side)
– Acceleration: Adaptive compression
– SDK for integration
• Endpoint Security
– Windows and Macintosh checks
– Protected Workspace (Parity with FP 6.1) with encryption and Virtual File System
– Group policy integration
– Virtual Keyboard
70. 70
High Cost to Scale Remote Access
(Diagram: Traditional SSL VPN in the DMZ (clustered 3 max), $751K for 26k users; 4,000 Remote Users over the Internet, 1,000 Wireless Users on Internal LAN VLAN 1, 15,000 Corporate Users on Internal LAN VLAN 2 and 6,000 Corporate Branch Users reaching Datacenter Resources; utilize existing user directory)
• Cost prohibitive scaling for remote access
• Three-unit cluster supports 26k users at $29 per user
• Asymmetric acceleration not available for remote access
• Limited QoS
• User and application disruption when roaming
71. 71
BIG-IP Edge Gateway: High Performance, Low Cost
(Diagram: BIG-IP Edge Gateway in the DMZ, $188K for 26k users, 25% of the cost; the same 4,000 Remote Users over the Internet, 1,000 Wireless Users on Internal LAN VLAN 1, 15,000 Corporate Users on Internal LAN VLAN 2 and 6,000 Corporate Branch Users reaching Datacenter Resources; utilize existing user directory)
• Consolidation: 3:1 on Access and Acceleration
• High performance – 26,000 users at $7+ per user
• Scale up to 40,000 users
• Flexible and centralized security policy management
• Integrated endpoint security checking
• Integrated application acceleration – up to 10x
Editor’s Notes
One solution to manage all access policies regardless of access network. Capacity and performance to secure all user traffic. Optimizes application delivery to remote and mobile users. Improves quality of real-time applications; soft phones and streaming media.
BIG-IP Edge Gateway is a next generation access solution. Converges “edge services”; SSL VPN, web application acceleration, and WAN optimization services into a unified platform. Think Edge Application Delivery Controller (Edge ADC). TMOS as foundation for future edge services. Provides LAN-like application performance to remote and mobile users. Market leading endpoint inspection, authentication, and L3 – L7 access controls. BIG-IP Edge Client enhances the end-user experience. Multiple BIG-IP Edge Gateway solutions: 1600, 3600, 3900, 6900, and 8900. Concurrent user licensing model. Industry best performance and capacity and disruptive pricing. Up to 8 Gbps of SSL VPN tunnel throughput. Up to 600 log-ins per second, 36,000 per minute. Up to 40,000 concurrent users per appliance. Less than half the cost of nearest competitor. Just the beginning of F5’s broader Edge ADC vision.
Access from any network, any time, anywhere – Edge client is also smart enough to “turn off” when it isn’t needed – so when users are on the corporate LAN, Edge client automatically disconnects, letting users connect locally, and reconnects when you move to wifi or public access, SEAMLESSLY and in real time, with no prompt to the users. Increases mobile productivity, automatically entering logon credentials when using Edge Client. Easier access to applications with seamless VPN access. ICSA Labs certified SSL-VPN solution.
Endpoint Security. More than a dozen different endpoint security checks available (large number of agents available, e.g. Virtual Keyboard, AV and firewall checks, process, file, and registry checks, extended Windows info, client and machine certificates, etc.). Manage endpoints via Group Policy enforcement and Protected Workspace (endpoint remediation capabilities like Protected Workspace and Full Armor-based AD Policy enforcement, in addition to Cache Cleaner, redirects to remediation pages, and message and decision boxes).
Endpoint inspection and remediation. Local and remote access control. Scale and high performance.
App Tunnels: new and improved Easily configurable Dynamic Webtop
Challenges: Slow connection times meant slow transfers; Couldn’t connect to VPN with 64-bit OS; VoIP issues caused dropped calls; Lack of support required costly upgrades. Benefits: WAN optimization = fast connection for mobile users on 64-bit OS; Improved VoIP, with fewer dropped calls; Active Directory integration eliminates multiple logins; Fast, easy installation.
Forbes.com = Edge Gateway one of the best
Quova Geolocation database in BIG-IP. Basic flow (for this example): User hits custom GeolocationCheck agent. If a user is coming from the US, goes to login page, authenticates, and then is allowed access to OWA. If a user is coming from China, goes through an extra antivirus endpoint security check, and then is allowed access. If a user is coming from any other country, a message box is shown and user is denied access. Unknown path indicates the user’s IP address cannot be looked up in the geolocation db (usually because coming from private address space).
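The flow in the note above, simulated as an added Python example that is not F5 code and not part of the original deck. The CIDR-to-country table is constructed from documentation ranges (a real deployment consults the geolocation database on the BIG-IP); the session keys client_ip, authenticated and antivirus_ok are assumptions, as are the choice to fail closed on the Unknown branch and the assumption that the China path still requires a logon before its extra antivirus check.

```python
"""Geolocation access flow: US -> logon -> OWA; China -> logon + extra
antivirus check; other countries -> message box + deny; Unknown when
the address cannot be looked up (private space or no match).

Constructed example, not F5 code: GEO_TABLE and the session keys are
assumptions made for illustration.
"""
import ipaddress

# Constructed geolocation table using documentation (TEST-NET) ranges.
GEO_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),
]

# Address space a geolocation database cannot resolve: RFC 1918,
# loopback and link-local. Checked explicitly rather than via
# ipaddress.is_private, which also flags the TEST-NET ranges above.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def lookup_country(client_ip, table=GEO_TABLE):
    """GeolocationCheck: a country code, or 'Unknown' when the address is
    malformed, unroutable, or absent from the table."""
    try:
        ip = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return "Unknown"
    if any(ip in net for net in UNROUTABLE):
        return "Unknown"
    for network, country in table:
        if ip in network:
            return country
    return "Unknown"


def evaluate_access(session, table=GEO_TABLE):
    """Walk the policy and return (outcome, path), where path lists the
    agents visited so the decision can be audited afterwards."""
    country = lookup_country(session.get("client_ip", ""), table)
    path = [f"GeolocationCheck={country}"]
    if country == "Unknown":
        # The note only says the lookup failed; failing closed is an assumption.
        path.append("Deny")
        return "Deny", path
    if country not in ("US", "CN"):
        path.append("MessageBox:access not permitted from your region")
        path.append("Deny")
        return "Deny", path
    # Both permitted countries authenticate first (assumption for CN).
    path.append("Logon")
    if not session.get("authenticated"):
        path.append("Deny")
        return "Deny", path
    if country == "CN":
        # Extra endpoint security check on this branch only.
        path.append("AntivirusCheck")
        if not session.get("antivirus_ok"):
            path.append("Deny")
            return "Deny", path
    path.append("Allow:OWA")
    return "Allow", path
```

Returning the visited path alongside the outcome is what makes the Unknown branch diagnosable: a user denied from 10.x space shows up as a lookup failure rather than as a country-based refusal, which is the distinction the note draws.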