f5-bigip edge gateway introduction

Upload: jimmy-saigon

Post on 18-Nov-2014

TRANSCRIPT

Page 1: F5-BigIP Edge gateway introduction

Advanced Dynamic Services for Unified Access and Control

Presenter

Page 2: F5-BigIP Edge gateway introduction

How the Static Data Center Falls Short

• It started simple
• More user types, services
• Application issues
• Security woes …
• What’s the answer?

Complexity is the Enemy of Good Security

Page 3: F5-BigIP Edge gateway introduction

Dynamic Data Center

• Reconfigure dynamically
• Manage applications, not objects
• Context-aware policies
• ADC manages application services

Page 4: F5-BigIP Edge gateway introduction

Mobile and Remote Users Growing Dramatically

1.2 Billion Mobile Workers WW by 2013

IDC Research 2010

Page 5: F5-BigIP Edge gateway introduction

One Access Solution
BIG-IP Access Policy Manager

All Access Use Cases

Web Access Management:
• Proxy to HTTP apps
– Custom
– 3rd party

Remote Access:
• SSL VPN
– Network Access
– Portal Access
– App Tunnels

Application Access Control:
• Proxy to Non-HTTP apps
– Citrix ICA
– ActiveSync
– Outlook Anywhere

Page 6: F5-BigIP Edge gateway introduction

Dynamic Services for Unified Access Control
BIG-IP Access Policy Manager in BIG-IP Edge Gateway

• Unify Remote, Web and Application Access

• Fast Access, Authentication and SSO to Apps

• Ensure Strong Endpoint Security

• Scale to Support All Mobile and Remote Users

• Powerful Custom and Built-in Reporting

Manage Access Based on Identity

Page 7: F5-BigIP Edge gateway introduction

Secure, Accelerated Remote Access with BIG-IP APM in Edge Gateway

Edge Gateway includes:
• BIG-IP APM, WA and WOM

Page 8: F5-BigIP Edge gateway introduction

BIG-IP Edge Gateway

Secures and Accelerates Access to Applications

• Next generation remote access solution
– Converges SSL VPN access security, application acceleration and availability
– Optimize access for mobile users and remote offices
• BIG-IP Solution for the Network Edge
– Multiple Platforms: 1600, 3600, 3900, 6900, 8900, 11000
– (Licensed concurrently)
– Includes BIG-IP Edge Client solution
• Exponential Performance, Capacity, and Scalability
– Up to 10 Gbps, 600 log-ins per second, 60,000 users

Page 9: F5-BigIP Edge gateway introduction

Secure and Accelerate Application Access with BIG-IP Edge Gateway (APM+WA+WOM)

Data Center

Page 10: F5-BigIP Edge gateway introduction

Secure and Accelerate Application Access with BIG-IP Edge Gateway (APM+WA+WOM)

• Prioritize critical traffic
• Dedicated bandwidth per application
• No tunneling conflicts of traditional SSL VPN

SECURE APPLICATIONS & DATA
• Centralize access policy enforcement
• Single Sign-On
• L4 – L7 full proxy access control
• Advanced endpoint security
• Secured optimized tunnels
• Content encryption

OPTIMIZED APPLICATIONS & DATA
• Caching repetitive content in browser
• Intelligent Compressing
• TCP optimization

Data Center

Page 11: F5-BigIP Edge gateway introduction

Accelerate Application Performance with faster portal file downloads

SharePoint | Competitor SSL VPN | BIG-IP Edge Gateway | ▲
First Access | 211 seconds | 114 seconds | 1.9×
Repeat | 47 seconds | 16 seconds | 2.9×

SAP | Competitor SSL VPN | BIG-IP Edge Gateway | ▲
Access | 111 seconds | 14 seconds | 7.9×

F5 tested a first-time user’s attempt:
• SharePoint: 4 MB document download
• SAP: 27 MB Microsoft Office file

Page 12: F5-BigIP Edge gateway introduction

Scale to Support the Most Mobile Users with BIG-IP Edge Gateway (APM+WA+WOM)

Scenario: Extreme weather results in 150% more employees than usual working and accessing the network from home

Solution: Employees experience no delay or bottlenecks because BIG-IP Edge Gateway:
• Provides secure remote access with up to 10 Gbps of SSL VPN throughput
• Supports up to 60,000 concurrent users and 600 logins per second

Page 13: F5-BigIP Edge gateway introduction

Disparate connections and application restarts

Ongoing Logins!

Constantly Re-connecting

[Diagram labels: At Home (wireless); On the way to work (Aircard); In the office (docked LAN connection); Presenting (corporate wireless); In the Cafe (wireless)]

Page 14: F5-BigIP Edge gateway introduction

Increase User Productivity with Anywhere Access
Auto-Connect to VPN with Flexible Client Technology

Auto-Connect!

Always Connected Application Access

[Diagram labels: At home (wireless); On the way to work (Aircard); In the office (docked LAN connection); Presenting (corporate wireless); In the cafe (wireless)]

Page 15: F5-BigIP Edge gateway introduction

BIG-IP Edge Client

• Flexible Deployment
– Web-Delivered and Standalone Client
– Mac, Windows, Linux
– iPhone, iPad, iTouch
• Drive Security
– Endpoint inspection
– Full SSL VPN
– Per-user flexible Policy
• Enable Mobility
– Smart connection roaming
– Uninterrupted application sessions
• Accelerate Access
– Adaptive compression
– Client-side cache
– Client-side QoS

Page 16: F5-BigIP Edge gateway introduction

Easily Design Access for iPhone
BIG-IP Edge Client Connection, Statistics and Settings

Page 17: F5-BigIP Edge gateway introduction

Easily Design Access for iPad
BIG-IP Edge Client Connection, Statistics and Settings

Page 18: F5-BigIP Edge gateway introduction

Configure iOS Access to Applications with BIG-IP Edge Portal

Page 19: F5-BigIP Edge gateway introduction

• Provide access based on device and identity

• Make dynamic policy decisions

• Authenticate users

• Provide remediation for non-compliant devices

Mobile Clients for Fast App. Access

Page 20: F5-BigIP Edge gateway introduction

BIG-IP Edge Portal for Android App Solutions

Fast App. Access for Android Devices

https://market.android.com/details?id=com.f5.edge.portal

Page 21: F5-BigIP Edge gateway introduction

Ensure Strong Endpoint Security

Allow, deny, or remediate users based on endpoint attributes such as:
• Antivirus software version and updates
• Software firewall status
• Access to specific applications

Invoke protected workspace for unmanaged devices:
• Restrict USB access
• Cache cleaner leaves no trace
• Ensure no malware enters corporate network

BIG-IP Edge Gateway

Page 22: F5-BigIP Edge gateway introduction

[Diagram labels: Internet Facing Applications; Remote Users; Data Center; Directories; BIG-IP Edge Gateway + Access Policy Manager + WebAccelerator + WAN Optimization Manager]

Page 23: F5-BigIP Edge gateway introduction

[Diagram labels: Private / Public Cloud; Enterprise and Service Provider IT; Mobile & Remote Users; App 1; App n; Network Users; Data Center Applications; Directories; Data Center; BIG-IP Edge Gateway + Access Policy Manager + WebAccelerator + WAN Optimization Manager]

Page 24: F5-BigIP Edge gateway introduction

F5 Unified Access and Control
Flexible and Dynamic ADC Services

• Supports users worldwide
• Secure IPsec site to site tunnels
• Fast apps to Edge Client users
• Virtual and standalone deployments

[Diagram labels: Headquarters and Remote Offices; Corporate WAN; IPsec: Optimized Site-to-Site Tunnels; Internet; BIG-IP System Virtual Editions; BIG-IP Edge Gateway; Data Center; BIG-IP Global Traffic Manager; BIG-IP Local Traffic Manager + Access Policy Manager; Mobile and Remote Users; Public/Private Cloud; Optimized Applications to BIG-IP Edge Client; BIG-IP Edge Gateway + Access Policy Manager + WebAccelerator + WAN Optimization Manager]

Page 25: F5-BigIP Edge gateway introduction

Flexible and Dynamic Access Services
Dynamic Webtop, App. Tunnels and Remote Desktop Support

Page 26: F5-BigIP Edge gateway introduction

Authentication All in One and Fast SSO
F5 BIG-IP Access Policy Manager

Dramatically reduce infrastructure costs; increase productivity

= BIG-IP v11

Page 27: F5-BigIP Edge gateway introduction

New Detailed Reporting
Quickly Run Built-in or Design Custom Reports

Custom, Built-in and Saved reports

Exported and used on other devices

e.g. How many XP users are still on my network?

e.g. Who accessed app. or network and when?

e.g. Where are users accessing from (geolocation)?

Page 28: F5-BigIP Edge gateway introduction

Access and Application Analytics

Stats Collected
• Client IPs
• Client Geographic
• User Agent
• User Sessions
• Client-Side Latency
• Server Latency
• Throughput
• Response Codes
• Methods
• URLs

Views
• Virtual Server
• Pool Member
• Response Codes
• URL
• HTTP Methods

• Stats grouped by application and user
• Provides
– Business Intelligence
– ROI Reporting
– Capacity Planning
– Troubleshooting
– Performance

Page 29: F5-BigIP Edge gateway introduction

Access Policy Design

• Industry-leading advanced Visual Policy Editor (VPE)
– Flexible
– Easy to understand, visual representation of policy
– VPE Rules (TCL-based) for advanced functions
– Trigger TMM iRules events
• Usability features
– Macros
– Visual cues to aid configuration

Page 30: F5-BigIP Edge gateway introduction

Improve Manageability and Reduce Costs

Lack of simplicity, flexibility, context, and control for the enterprise

• No context
• Difficult change control
• Error-prone
• Costly
• Licensing/vendor management issues
• Compliance problems
• Limited control

[Diagram labels: Users; Resources; Physical; Virtual; Multisite data centers; Private / Public Cloud; VPN (Vendor A); Web Accelerator (Vendor B); WAN Optimizer (Vendor C); DNS Bind Server (Open Source); LDAP; OAM; TAM; CA; AD; AAA; AAA x 10; AAA x 5; AAA x 2]

Page 31: F5-BigIP Edge gateway introduction

Improve Manageability and Reduce Costs

Simplicity, flexibility, context, and control for the enterprise

• Unified access and acceleration model
• Simplified change control and auditing
• Flexible access policies
• Context-aware: user, device, location, and application
• Control remains within enterprise

[Diagram labels: Users; Resources; Physical; Virtual; Multisite data centers; Private / Public Cloud; BIG-IP Edge Gateway; BIG-IP Global Traffic Manager; VPN (Vendor A); Web Accelerator (Vendor B); WAN Optimizer (Vendor C); DNS Bind Server (Open Source); LDAP; OAM; TAM; CA; AD; AAA; AAA x 10; AAA x 5; AAA x 2; User Requests; Optimal Gateway; Secure Optimized Session]

Page 32: F5-BigIP Edge gateway introduction

Optimal gateways and secure optimized sessions

Challenges:
• Slow connection times meant slow transfers
• Couldn’t connect to VPN with 64-bit OS
• VoIP issues caused dropped calls
• Lack of support required costly upgrades

Benefits:
• WAN optimization = fast connection for mobile users on 64-bit OS
• Improved VoIP, with fewer dropped calls
• Active Directory integration eliminates multiple logins
• Fast, easy installation
• Implemented: Edge Gateway, LTM, GTM.

“With the Edge Gateway, the connection speed was immediately noticeable.” Steve Diggory, Technology Manager, PersonalizationMall.com

Case Study: http://www.f5.com/pdf/case-studies/personalization-mall-cs.pdf
Industry: Online Specialty Retail

Page 33: F5-BigIP Edge gateway introduction

The Most Scalable Access Solution

[Chart: Number of Devices Req’d (axis 0 to 8) against Number of Concurrent Users Supported. Series: F5, Cisco, Juniper, Citrix. Data labels: F5 BIG-IP 1600; F5 BIG-IP 6900; F5 BIG-IP 8900; F5 BIG-IP 11050; Juniper SA4500; 2X Cisco 5520; Citrix MPX5500; 3X Juniper SA4500; 3X Cisco 5585; 3X Citrix MPX10500; 6X Citrix MPX21500; 6X Cisco ASA 5580; 7X JNPR SA6500]

Page 34: F5-BigIP Edge gateway introduction

Multiple Platform Solutions

Platform (APM on LTM) | Base Conc. Users | Max Conc. Users | Platform (Edge Gateway) | Base Conc. Users | Max Conc. Users
Virtual Edition | 250 | 500 | - | - | -
1600 | 500 | 1,000 | 1600 | 300 | 1,000
3600 | 500 | 5,000 | 3600 | 500 | 5,000
3900 | 500 | 10,000 | 3900 | 1,000 | 10,000
6900 | 500 | 25,000 | 6900 | 2,500 | 25,000
8900 | 500 | 40,000 | 8900 | 5,000 | 40,000
8950 | 500 | 40,000 | - | - | -
11000 | 500 | 60,000 | 11000 | 10,000 | 60,000
11050 | 500 | 60,000 | - | - | -

Page 35: F5-BigIP Edge gateway introduction

Dynamic Services for Unified Access Control
BIG-IP Access Policy Manager in BIG-IP Edge Gateway

• Unify Remote, Web and Application Access

• Fast Access, Authentication and SSO to Apps

• Ensure Strong Endpoint Security

• Scale to Support All Mobile and Remote Users

• Powerful Custom and Built-in Reporting

Manage Access Based on Identity

Page 36: F5-BigIP Edge gateway introduction

Page 37: F5-BigIP Edge gateway introduction

Multiple-Domain Single Sign-On

• Single Sign-On to multiple LTM/APM or Edge Gateway virtual servers front-ending multiple separate domains or multiple hosts within the same domain

• Configure different cookie settings and SSO methods for different domains or different hosts in the same domain

Ex. Multiple domains with different SSO methods

Page 38: F5-BigIP Edge gateway introduction

Dynamic Webtop for End-User

• Customizable and localizable list of resources
• Adjusts to mobile devices
• Toolbar, help, and disconnect buttons

Page 39: F5-BigIP Edge gateway introduction

Endpoint Inspection – Machine Information

• CPU Info {ID, Name, Clock}
• HDD {Model, Serial#}
• Motherboard {Model, Serial#}
• BIOS {Dell, Serial #, Manufacturer}
• NICs {Name, MAC}

Page 40: F5-BigIP Edge gateway introduction

Application Tunnels

• Layered with Symmetric Adaptive Compression services

Page 41: F5-BigIP Edge gateway introduction

Microsoft RDP Remote Desktop

Page 42: F5-BigIP Edge gateway introduction

Symmetric Adaptive Compression to Edge Client

• iSession-style optimization of Network Access tunnels
• Layer with DTLS
– DTLS for fast response of real-time applications
– Optimization reduces bandwidth

Page 43: F5-BigIP Edge gateway introduction

Edge Client v1.0.1

• Secure web gateway proxy support
• Pre-logon checks
• Auto application launch

Page 44: F5-BigIP Edge gateway introduction

Secure Web Gateway Integration

• Allows admin to force all web access through a secure gateway
• Bypasses secure gateway for internal resources
• All traffic is forced through the tunnel
• Why? For example, to enforce web browsing policies on corporate iPads.

Page 45: F5-BigIP Edge gateway introduction

Secure iPad Web Surfing with Edge Client

[Diagram labels: BIG-IP Edge Gateway with APM; Full SSL-VPN Tunnel; Internet Gateway; Internal Resource]

Page 46: F5-BigIP Edge gateway introduction

Pre-logon checks for iOS Devices

• Four new session variables:
– session.client.mac_address
– session.client.model
– session.client.platform_version
– session.client.unique_id
• These session variables are gathered automatically and are available with Solstice and Edge Client 1.0.1
• They can easily be combined with an LDAP/AD Query to implement white-listing in a custom action.
• Why? To distinguish IT-approved, issued devices and improve access context.

Page 47: F5-BigIP Edge gateway introduction

Checking the iOS Unique ID

• Custom action “Device ID Check” in this access policy checks a UUID…
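
The white-listing idea from the two slides above (combine the iOS session variables with an LDAP/AD query, then check the device's unique ID), shown as an added Python example; it is not F5 APM code and not part of the original deck. The directory contents, its attribute names, the sample session and the `check_device` function are constructed for illustration.

```python
import hmac
import re

# The four session variable names listed on the slide.
REQUIRED_VARS = (
    "session.client.mac_address",
    "session.client.model",
    "session.client.platform_version",
    "session.client.unique_id",
)

# Constructed stand-in for the result of an LDAP/AD query: the devices IT has
# registered for each user. Attribute names "unique_id" and "mac" are hypothetical.
DIRECTORY = {
    "alice": [{"unique_id": "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678",
               "mac": "00:11:22:33:44:55"}],
    "bob": [],
}

# Constructed sample of what a client might report (note the different formatting).
SAMPLE_SESSION = {
    "session.client.mac_address": "00-11-22-33-44-55",
    "session.client.model": "iPad",
    "session.client.platform_version": "4.3",
    "session.client.unique_id": "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678",
}


def normalize(value):
    """Lower-case and drop separators so 00-11-22 and 00:11:22 compare equal."""
    return re.sub(r"[\s:.\-]", "", str(value).lower()).encode("utf-8")


def check_device(username, session):
    """Return (decision, reason). Anything missing or unknown is denied."""
    missing = [name for name in REQUIRED_VARS if not session.get(name)]
    if missing:
        return "deny", "missing " + ", ".join(missing)

    devices = DIRECTORY.get(username)
    if devices is None:
        return "deny", "unknown user"

    # These values are reported by the client, so a match is one signal to
    # combine with user authentication, not a replacement for it.
    uid = normalize(session["session.client.unique_id"])
    mac = normalize(session["session.client.mac_address"])

    partial = False
    for dev in devices:
        uid_ok = hmac.compare_digest(uid, normalize(dev["unique_id"]))
        mac_ok = hmac.compare_digest(mac, normalize(dev["mac"]))
        if uid_ok and mac_ok:
            return "allow", "registered device"
        partial = partial or uid_ok or mac_ok

    if partial:
        # One identifier matches a registered device and the other does not:
        # worth logging for review as well as denying.
        return "deny", "partial match"
    return "deny", "device not registered for user"


if __name__ == "__main__":
    print(check_device("alice", SAMPLE_SESSION))
    print(check_device("bob", SAMPLE_SESSION))
```
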

Page 48: F5-BigIP Edge gateway introduction

App auto-launch

• After Edge Client connects, initiate and auto-launch a 2nd application on the device.
• Uses a URL form for the App Path
– http://handleopenurl.com/
– http://wiki.akosma.com/IPhone_URL_Schemes
• Issues pre-launch warning

Page 49: F5-BigIP Edge gateway introduction

App Auto-launch

Skype configured to auto-launch…

Page 50: F5-BigIP Edge gateway introduction

BIG-IP Edge Client for BIG-IP v10.2.1

iMac Edge Client (Leopard/Snow Leopard)

Page 51: F5-BigIP Edge gateway introduction

Customer Architecture with Oracle Access Manager (OAM) and BIG-IP® Edge Gateway

Authentication Proxy Integration – VPN

• Mobile employees accessing corporate applications using VPN
• OAM auth. services are performed by Edge Gateway in the DMZ
• OAM auth. services may be performed by BIG-IP® Edge Gateway in the DMZ or at the web server with “last mile” security
• Eliminate a directory service for remote access users

[Diagram labels: Mobile Employees and Contractors; DMZ; BIG-IP® Edge Gateway / OAM; Data Center; BIG-IP® LTM + ASM (opt) + WA (opt); App 1; App n; Web App + OAM (opt); OAM Web Proxies; OAM Policy Server, Reporting, and Auditing]

Page 52: F5-BigIP Edge gateway introduction

Security Risk: Mobile User Authentication Sync

• Access to Exchange without VPN to sync MS email, calendar, contacts
• Security risk
• Extra infrastructure tier in DMZ

[Diagram labels: DMZ; Auth. Gateway; ADC; Data Center; MS Exchange]

Page 53: F5-BigIP Edge gateway introduction

Secure Environment: Authenticating ActiveSync Devices

• Reduce authentication infrastructure and sync with Exchange
• One location for name space URL
• Scale and support growing mobile user base
• Secure environment

[Diagram labels: DMZ; Auth. Gateway; BIG-IP® LTM + APM; Data Center; MS Exchange]

Page 54: F5-BigIP Edge gateway introduction

Unified Access on F5 BIG-IPs
Dynamic Control with BIG-IP Access Policy Manager

• Most powerful, scalable and simplified access solutions
• Application access management
• Accelerated remote access

[Diagram labels: Traditional Remote Access with SSL VPN; SSL VPN; BIG-IP LTM with APM; BIG-IP Edge Gateway with APM, WA, and WOM; SaaS Partners; Internet; Directories; Local and Mobile Users; Applications; Hosted Virtual Desktops; Consumer Apps; Private / Public Cloud; App 1; App n]

Page 55: F5-BigIP Edge gateway introduction

BIG-IP Edge Gateway will Power New Managed Services

Access Requirements
• Easy / cost effective access scaling
• Advanced, secure VPN with fast deployment
• Custom look and feel per customer
• Virtualized solution to maximize investment
• Enable secure collaboration between 3rd parties

BIG-IP Edge Gateway Delivered
• Superior scalability @ Lowest cost
• Acceleration technology with LAN speed performance
• Improved manageability and security with unified access
• Customized domains for personalized experience
• Virtual routing services with lower opex

Page 56: F5-BigIP Edge gateway introduction

CSC - Why They Chose BIG-IP Edge Gateway

• Acceleration
– “First of all, the acceleration capabilities that came with it. It’s not just remote access that it’s providing but also will provide a better user experience in the process leveraging the BIG-IP acceleration technology that’s already been there, so it’s a proven and well-known capability.”
• Secure and Granular Access Control
– “Another factor that was key was the highly granular access control capabilities, so that allows us to provide the differing levels of access for different types of user and different types of devices that I was talking about, with third parties, with personal devices, which makes it flexible for future needs as well.”
• Virtualization of Access Services
– “One of the key things we were looking at in the evaluation as a managed service provider was the ability to provide full virtualization for multiple customer environments (via BIG-IP Virtual Servers concept), and obviously high scalability, so that’s all a direction we’re heading in with the cloud computing model.”
• Converged Services Platform
– “We can deliver multiple services on it, not just remote access, so it provides a point of leverage for us as well.”

Page 57: F5-BigIP Edge gateway introduction

Repeatable Access to Applications

• Increases mobile productivity by automatically entering Windows logon credentials when using Edge Client
• Easier access to applications with seamless VPN access
• ICSA Labs certified SSL-VPN solution

[Diagram labels: Clients; BIG-IP Edge Gateway; Applications]

Page 58: F5-BigIP Edge gateway introduction

VoIP: Slow Applications Affect Productivity

• Ensuring a positive end-user application experience is a complex problem
• Slow applications can be caused by a number of things:
– Packet loss due to chatty or jittery protocols
– High latency LANs
– Poorly designed apps.

Traditional SSL VPN: Apps./VoIP sent simultaneously

Packet loss with TCP/SSL = high latency. Network squeezes VoIP

User experiencing choppy communication

What did he say?

[Chart: Network Traffic and VoIP Traffic as a share of Max Bandwidth (0% to 100%) across Low Traffic, App. growth, App. Spike and Delivered App.]

Page 59: F5-BigIP Edge gateway introduction

VoIP: Improved User Communications

Edge Gateway improves application and VoIP performance
• Tight connection and prioritized traffic with dedicated app. bandwidth
– Client-side QoS for Windows machines: VoIP traffic first and apps. traffic second
• Applications and upper layer protocols react to lost packet(s)
– Secures each packet

BIG-IP Edge Gateway manages app. performance

Hear you loud and clear...

User: clear phone call

[Chart: Network Traffic and VoIP Traffic as a share of Max Bandwidth (0% to 100%) across Low Traffic, App. growth, App. Spike and Delivered App.]

Page 60: F5-BigIP Edge gateway introduction

Security Problem: Geolocation Access Risk

• Need to block access from countries or regions
• Help with business intelligence of where users are accessing from
• Looking for capacity planning and ability to audit the location
• Access policy based on location

UK Data Center

Page 61: F5-BigIP Edge gateway introduction

Enforcing Access Restrictions
Simple, accurate, centralized enforcement

Solution

Centralized Location Control
• Decreased risk – access is controlled at perimeter
• Reduced capital and operational expenses through centralized control
• Reduced application development time
• Simplified network configuration

[Diagram labels: UK Data Center; App Servers; BIG-IP Edge Gateway; BIG-IP Edge Gateway with IP Geolocation Database]

Page 62: F5-BigIP Edge gateway introduction

Only ADC with Geolocation Access Rules

• VPE – Geolocation Rules
• iRules not required
• Custom session variables
• Custom notification messages
• Logging Client locations
• Reporting

Page 63: F5-BigIP Edge gateway introduction

BIG-IP APM/Edge Gateway V11 Features
Advanced Dynamic Services for Unified Access Control

• IPsec optimized site-to-site tunnels
• Dynamic Webtop: with Application Tunnels
• Access: External Dynamic ACLs, Flash patching, Oracle Access Manager 11g
• Hosted VDI: Microsoft Remote Desktops, Expanded Citrix VDI support (Proxy and Portal mode)
• SSO enhancements: SSO across multiple domains, Kerberos auth. (CAC cards, etc.)
• EndPoint Inspection: Protected Workspace, Machine Info Inspector
• Powerful reporting/analytics: Custom & built-in reports, Access and Application Analytics for remote access solution
• Scale for Global enterprise: 11000 Series: ^60k users, w/1.2 TB of storage

Page 64: F5-BigIP Edge gateway introduction

Edge Gateway v10.2 Security Features

• Edge Gateway
– Integration with Oracle Access Manager
– ICSA Certified – SSL-VPN
– Geolocation Agent in VPE
– MS ActiveSync Support
• Edge Client
– Reuse of Windows logon credentials

Page 65: F5-BigIP Edge gateway introduction

Edge Gateway v10.1 Features

• Secure accel. remote access
– Remote Access, Application Acceleration and Network Optimization
– Global VPN and Unified Access to Datacenter
– Dynamic per-session layer 4 - 7 (HTTP) ACLs
– SSO/Credential Caching
– TCP Optimization
– Symmetric adaptive compression
– Asymmetric and symmetric application acceleration
– Data de-duplication
– MAPI and CIFS acceleration
• Dynamic User Access
– Web-based and standalone BIG-IP Edge Client
– Mobility: Domain detection and smart connection
– Acceleration: Dynamic data compression
• Thorough Device Inspection
– Endpoint Inspection checks
– Protected Workspace with encryption and Virtual File System
– Group policy integration
– Virtual Keyboard
• Manageability / Usability
– QoS on Windows machines (client side)
– D-TLS (Datagram-Based TLS) Network Access Transport for secure packets
– Customizable user interface
– Policy import/export
– Reporting and stats
– Set-up deployment wizards
– Dashboard executive summary
• Interoperability and Integration
– Edge Gateway and GTM interoperability
– Edge Gateway events in iRules
– Splunk for F5 logging and reporting
• Virtualization Architecture
– Multiple virtual Edge Gateways
– Targeted at Service Providers and large enterprises
– Separate access policy grouping for each virtual Edge Gateway
– Can have separate security administrators
– Master administrator control

Page 66: F5-BigIP Edge gateway introduction

Edge Gateway – v10.1 Features

• Application Acceleration
– TCP optimization for client to gateway and gateway to gateway connections
– Symmetric Adaptive Compression for client to gateway and gateway to gateway connections
– HTTP/HTTPS asymmetric acceleration for client to gateway connections
– HTTP/HTTPS symmetric acceleration for gateway to gateway connections
– Data de-duplication services for gateway to gateway connections
– MAPI and CIFS acceleration for gateway to gateway connections
• D-TLS (Datagram-Based TLS) Network Access Transport

Page 67: F5-BigIP Edge gateway introduction

Edge Gateway – v10.1 Features

• Portal Access Security
– OWA 2003, OWA 2007, SharePoint 2003, SharePoint 2007, MS Communicator 2007
– Oracle Portal 3.0 (10g Release 2, version 10.1.2)
– PeopleSoft Portal 9, PeopleSoft Portal HR 9
– SAP Netweaver
– Notes 7, Notes 8
• Authentication and Authorization Services
– RADIUS, LDAP, and AD support
– SSO/Credential Caching: HTTP Basic, HTTP NTLMv1/v2, Cookie, Form, and HTTP Header
– Dynamic per-session layer 4 - 7 (HTTP) ACLs
– Native RSA SecurID
– RADIUS accounting
– Authentication server redundancy

Page 68: F5-BigIP Edge gateway introduction

Edge Gateway – v10.1 Features

• Virtualization Architecture
– Multiple virtual Edge Gateways
– Targeted at Service Providers (managed service offering) and large enterprises (segmented based on business units/groups)
– Separate access policy grouping for each virtual Edge Gateway
– Can have separate security administrators
– Master administrator control

Page 69: F5-BigIP Edge gateway introduction

Edge Gateway – v10.1 Features

• BIG-IP Edge Client
– Web delivered and standalone
– New look and feel
– Mobility: Roaming and smart connection
– QoS on Windows machines (client side)
– Acceleration: Adaptive compression
– SDK for integration
• Endpoint Security
– Windows and Macintosh checks
– Protected Workspace (Parity with FP 6.1) with encryption and Virtual File System
– Group policy integration
– Virtual Keyboard

Page 70: F5-BigIP Edge gateway introduction

High Cost to Scale Remote Access

Traditional SSL VPN (clustered 3 max)

$751K for 26k users

• Cost prohibitive scaling for remote access
• Three-unit cluster supports 26k users at $29 per user
• Asymmetric acceleration not available for remote access
• Limited QoS
• User and application disruption when roaming

[Diagram labels: Internet; DMZ; 4,000 Remote Users; 15,000 Corporate Users; 6,000 Corporate Branch Users; 1,000 Wireless Users; Internal LAN VLAN 1; Internal LAN VLAN 2; Utilize existing user directory; Datacenter Resources]

Page 71: F5-BigIP Edge gateway introduction

BIG-IP Edge Gateway: High Performance, Low Cost

BIG-IP Edge Gateway

$188K for 26k users

25% of cost

• Consolidation: 3:1 on Access and Acceleration
• High performance – 26,000 users at $7+ per user
• Scale up to 40,000 users
• Flexible and centralized security policy management
• Integrated endpoint security checking
• Integrated application acceleration – up to 10x

[Diagram labels: Internet; DMZ; 4,000 Remote Users; 15,000 Corporate Users; 6,000 Corporate Branch Users; 1,000 Wireless Users; Internal LAN VLAN 1; Internal LAN VLAN 2; Utilize existing user directory; Datacenter Resources]