F5-BigIP Edge gateway introduction
Upload: jimmy-saigon
Category: Technology
![Page 1: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/1.jpg)
Advanced Dynamic Services for Unified Access and Control
Presenter
![Page 2: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/2.jpg)
How the Static Data Center Falls Short
• It started simple
• More user types, services
• Application issues
• Security woes …
• What’s the answer?
Complexity is the Enemy of Good Security
![Page 3: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/3.jpg)
Dynamic Data Center
• Reconfigure dynamically
• Manage applications, not objects
• Context-aware policies
• ADC manages application services
![Page 4: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/4.jpg)
Mobile and Remote Users Growing Dramatically
1.2 Billion Mobile Workers WW by 2013
IDC Research 2010
![Page 5: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/5.jpg)
One Access Solution
BIG-IP Access Policy Manager
All Access Use Cases
Web Access Management:
• Proxy to HTTP apps
– Custom
– 3rd party
Remote Access:
• SSL VPN
– Network Access
– Portal Access
– App Tunnels
Application Access Control:
• Proxy to Non-HTTP apps
– Citrix ICA
– ActiveSync
– Outlook Anywhere
![Page 6: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/6.jpg)
Dynamic Services for Unified Access Control
BIG-IP Access Policy Manager in BIG-IP Edge Gateway
• Unify Remote, Web and Application Access
• Fast Access, Authentication and SSO to Apps
• Ensure Strong Endpoint Security
• Scale to Support All Mobile and Remote Users
• Powerful Custom and Built-in Reporting
Manage Access Based on Identity
![Page 7: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/7.jpg)
Secure, Accelerated Remote Access
with BIG-IP APM in Edge Gateway
Edge Gateway includes:
• BIG-IP APM, WA and WOM
![Page 8: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/8.jpg)
BIG-IP Edge Gateway
Secures and Accelerates Access to Applications
• Next generation remote access solution
– Converges SSL VPN access security, application acceleration and availability
– Optimize access for mobile users and remote offices
• BIG-IP Solution for the Network Edge
– Multiple Platforms: 1600, 3600, 3900, 6900, 8900, 11000
– (Licensed concurrently)
– Includes BIG-IP Edge Client solution
• Exponential Performance, Capacity, and Scalability
– Up to 10 Gbps, 600 log-ins per second, 60,000 users
![Page 9: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/9.jpg)
Secure and Accelerate Application Access
with BIG-IP Edge Gateway (APM+WA+WOM)
Data Center
![Page 10: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/10.jpg)
• Prioritize critical traffic
• Dedicated bandwidth per application
• No tunneling conflicts of traditional SSL VPN
SECURE APPLICATIONS & DATA
• Centralize access policy enforcement
• Single Sign-On
• L4 – L7 full proxy access control
• Advanced endpoint security
• Secured optimized tunnels
• Content encryption
OPTIMIZED APPLICATIONS & DATA
• Caching repetitive content in browser
• Intelligent Compressing
• TCP optimization
Secure and Accelerate Application Access
with BIG-IP Edge Gateway (APM+WA+WOM)
Data Center
![Page 11: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/11.jpg)
Accelerate Application Performance
with faster portal file downloads

| SharePoint | Competitor SSL VPN | BIG-IP Edge Gateway | ▲ |
|---|---|---|---|
| First Access | 211 seconds | 114 seconds | 1.9× |
| Repeat | 47 seconds | 16 seconds | 2.9× |

| SAP | Competitor SSL VPN | BIG-IP Edge Gateway | ▲ |
|---|---|---|---|
| Access | 111 seconds | 14 seconds | 7.9× |

F5 tested a first-time user’s attempt:
• SharePoint: 4 MB document download
• SAP: 27 MB Microsoft Office file
![Page 12: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/12.jpg)
Scale to Support the Most Mobile Users
with BIG-IP Edge Gateway (APM+WA+WOM)
Scenario: Extreme weather results in 150% more employees than usual working and accessing the network from home
Solution: Employees experience no delay or bottlenecks because BIG-IP Edge Gateway:
• Provides secure remote access with up to 10 Gbps of SSL VPN throughput
• Supports up to 60,000 concurrent users and 600 logins per second
![Page 13: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/13.jpg)
Disparate connections and application restarts
Ongoing Logins!
At Home (wireless)
On the way to work (Aircard)
In the office (docked LAN connection)
Presenting (corporate wireless)
In the Cafe (wireless)
Constantly Re-connecting
![Page 14: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/14.jpg)
Increase User Productivity with Anywhere Access
Auto-Connect to VPN with Flexible Client Technology
Auto-Connect!
At home (wireless)
On the way to work (Aircard)
In the office (docked LAN connection)
Presenting (corporate wireless)
In the cafe (wireless)
Always Connected Application Access
![Page 15: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/15.jpg)
BIG-IP Edge Client
• Flexible Deployment
– Web-Delivered and Standalone Client
– Mac, Windows, Linux
– iPhone, iPad, iTouch
• Drive Security
– Endpoint inspection
– Full SSL VPN
– Per-user flexible Policy
• Enable Mobility
– Smart connection roaming
– Uninterrupted application sessions
• Accelerate Access
– Adaptive compression
– Client-side cache
– Client-side QoS
![Page 16: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/16.jpg)
Easily Design Access for iPhone
BIG-IP Edge Client Connection, Statistics and Settings
![Page 17: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/17.jpg)
Easily Design Access for iPad
BIG-IP Edge Client Connection, Statistics and Settings
![Page 18: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/18.jpg)
Configure iOS Access to Applications
with BIG-IP Edge Portal
![Page 19: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/19.jpg)
• Provide access based on device and identity
• Make dynamic policy decisions
• Authenticate users
• Provide remediation for non-compliant devices
Mobile Clients for Fast App. Access
![Page 20: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/20.jpg)
BIG-IP Edge Portal for Android App Solutions
Fast App. Access for Android Devices
https://market.android.com/details?id=com.f5.edge.portal
![Page 21: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/21.jpg)
Ensure Strong Endpoint Security
BIG-IP Edge Gateway
Allow, deny, or remediate users based on endpoint attributes such as:
• Antivirus software version and updates
• Software firewall status
• Access to specific applications
Invoke protected workspace for unmanaged devices:
• Restrict USB access
• Cache cleaner leaves no trace
• Ensure no malware enters corporate network
![Page 22: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/22.jpg)
Internet Facing Applications
Remote Users
Data Center
Directories
BIG-IP Edge Gateway + Access Policy Manager + WebAccelerator + WAN Optimization Manager
![Page 23: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/23.jpg)
[Diagram labels: Enterprise and Service Provider IT; Mobile & Remote Users; Network Users; BIG-IP Edge Gateway + Access Policy Manager + WebAccelerator + WAN Optimization Manager; Data Center; Data Center Applications (App 1, App n); Directories; Private and Public Cloud]
![Page 24: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/24.jpg)
F5 Unified Access and Control
Flexible and Dynamic ADC Services
• Supports users worldwide
• Secure IPsec site to site tunnels
• Fast apps to Edge Client users
• Virtual and standalone deployments
[Diagram labels: Headquarters and Remote Offices; Corporate WAN; IPsec: Optimized Site-to-Site Tunnels; Internet; BIG-IP System Virtual Editions; BIG-IP Edge Gateway + Access Policy Manager + WebAccelerator + WAN Optimization Manager; Data Center; BIG-IP Global Traffic Manager; BIG-IP Local Traffic Manager + Access Policy Manager; Mobile and Remote Users; Public/Private Cloud; Optimized Applications to BIG-IP Edge Client]
![Page 25: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/25.jpg)
Flexible and Dynamic Access Services
Dynamic Webtop, App. Tunnels and Remote Desktop Support
![Page 26: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/26.jpg)
Authentication All in One and Fast SSO
F5 BIG-IP Access Policy Manager
Dramatically reduce infrastructure costs; increase productivity
= BIG-IP v11
![Page 27: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/27.jpg)
New Detailed Reporting
Quickly Run Built-in or Design Custom Reports
Custom, Built-in and Saved reports
Exported and used on other devices
e.g. How many XP users are still on my network?
e.g. Who accessed app. or network and when?
e.g. Where are users accessing from (geolocation)?
![Page 28: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/28.jpg)
Access and Application Analytics
Stats Collected
• Client IPs
• Client Geographic
• User Agent
• User Sessions
• Client-Side Latency
• Server Latency
• Throughput
• Response Codes
• Methods
• URLs
Views
• Virtual Server
• Pool Member
• Response Codes
• URL
• HTTP Methods
• Stats grouped by application and user
• Provides
– Business Intelligence
– ROI Reporting
– Capacity Planning
– Troubleshooting
– Performance
![Page 29: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/29.jpg)
Access Policy Design
• Industry-leading advanced Visual Policy Editor (VPE)
– Flexible
– Easy to understand, visual representation of policy
– VPE Rules (TCL-based) for advanced functions
– Trigger TMM iRules events
• Usability features
– Macros
– Visual cues to aid configuration
![Page 30: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/30.jpg)
Improve Manageability and Reduce Costs
Lack of simplicity, flexibility, context, and control for the enterprise
• No context
• Difficult change control
• Error-prone
• Costly
• Licensing/vendor management issues
• Compliance problems
• Limited control
[Diagram labels: Users; Resources (Physical, Virtual, Multisite data centers; Private and Public Cloud); VPN (Vendor A); Web Accelerator (Vendor B); WAN Optimizer (Vendor C); DNS Bind Server (Open Source); LDAP; OAM; TAM; CA; AD; AAA (x 10, x 5, x 2)]
![Page 31: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/31.jpg)
Improve Manageability and Reduce Costs
Simplicity, flexibility, context, and control for the enterprise
• Unified access and acceleration model
• Simplified change control and auditing
• Flexible access policies
• Context-aware: user, device, location, and application
• Control remains within enterprise
[Diagram labels: Users; User Requests; Optimal Gateway; Secure Optimized Session; BIG-IP Edge Gateway; BIG-IP Global Traffic Manager; Resources (Physical, Virtual, Multisite data centers; Private and Public Cloud); VPN (Vendor A); Web Accelerator (Vendor B); WAN Optimizer (Vendor C); DNS Bind Server (Open Source); LDAP; OAM; TAM; CA; AD; AAA (x 10, x 5, x 2)]
![Page 32: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/32.jpg)
Optimal gateways and secure optimized sessions
Challenges:
• Slow connection times meant slow transfers
• Couldn’t connect to VPN with 64-bit OS
• VoIP issues caused dropped calls
• Lack of support required costly upgrades
Benefits:
• WAN optimization = fast connection for mobile users on 64-bit OS
• Improved VoIP, with fewer dropped calls
• Active Directory integration eliminates multiple logins
• Fast, easy installation
• Implemented: Edge Gateway, LTM, GTM.
“With the Edge Gateway, the connection speed was immediately noticeable.” Steve Diggory, Technology Manager, PersonalizationMall.com
Case Study: http://www.f5.com/pdf/case-studies/personalization-mall-cs.pdf
Industry: Online Specialty Retail
![Page 33: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/33.jpg)
The Most Scalable Access Solution
[Chart: Number of Devices Req’d (axis 0 to 8) against Number of Concurrent Users Supported, for F5, Cisco, Juniper and Citrix. Data labels: Juniper SA4500; 2X Cisco 5520; Citrix MPX5500; 6X Citrix MPX21500; 6X Cisco ASA 5580; 7X JNPR SA6500; 3X Juniper SA4500; 3X Cisco 5585; 3X Citrix MPX10500; F5 BIG-IP 1600; F5 BIG-IP 6900; F5 BIG-IP 8900; F5 BIG-IP 11050]
![Page 34: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/34.jpg)
Multiple Platform Solutions

| Platform (APM on LTM) | Base Conc. Users | Max Conc. Users | Platform (Edge Gateway) | Base Conc. Users | Max Conc. Users |
|---|---|---|---|---|---|
| Virtual Edition | 250 | 500 | - | - | - |
| 1600 | 500 | 1,000 | 1600 | 300 | 1,000 |
| 3600 | 500 | 5,000 | 3600 | 500 | 5,000 |
| 3900 | 500 | 10,000 | 3900 | 1,000 | 10,000 |
| 6900 | 500 | 25,000 | 6900 | 2,500 | 25,000 |
| 8900 | 500 | 40,000 | 8900 | 5,000 | 40,000 |
| 8950 | 500 | 40,000 | - | - | - |
| 11000 | 500 | 60,000 | 11000 | 10,000 | 60,000 |
| 11050 | 500 | 60,000 | - | - | - |
![Page 35: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/35.jpg)
Dynamic Services for Unified Access Control
BIG-IP Access Policy Manager in BIG-IP Edge Gateway
• Unify Remote, Web and Application Access
• Fast Access, Authentication and SSO to Apps
• Ensure Strong Endpoint Security
• Scale to Support All Mobile and Remote Users
• Powerful Custom and Built-in Reporting
Manage Access Based on Identity
![Page 36: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/36.jpg)
![Page 37: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/37.jpg)
Multiple-Domain Single Sign-On
• Single Sign-On to multiple LTM/APM or Edge Gateway virtual servers front ending multiple separate domains or multiple hosts within same domains
• Configure different cookie settings and SSO methods for different domains or different hosts in the same domain
Ex. Multiple domains with different SSO methods
![Page 38: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/38.jpg)
Dynamic Webtop for End-User
• Customizable and localizable list of resources
• Adjusts to mobile devices
• Toolbar, help, and disconnect buttons
![Page 39: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/39.jpg)
Endpoint Inspection – Machine Information
• CPU Info {ID, Name, Clock}
• HDD {Model, Serial#}
• Motherboard {Model, Serial#}
• BIOS {Dell, Serial #, Manufacturer}
• NICs {Name, MAC}
![Page 40: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/40.jpg)
Application Tunnels
• Layered with Symmetric Adaptive Compression services
![Page 41: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/41.jpg)
Microsoft RDP Remote Desktop
![Page 42: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/42.jpg)
Symmetric Adaptive Compression to Edge Client
• iSession-style optimization of Network Access tunnels
• Layer with DTLS
– DTLS for fast response of real-time applications
– Optimization reduces bandwidth
![Page 43: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/43.jpg)
Edge Client v1.0.1
• Secure web gateway proxy support
• Pre-logon checks
• Auto application launch
![Page 44: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/44.jpg)
Secure Web Gateway Integration
• Allows admin to force all web access through a secure gateway
• Bypasses secure gateway for internal resources
• All traffic is forced through the tunnel
• Why? For example, to enforce web browsing policies on corporate iPads.
![Page 45: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/45.jpg)
Secure iPad Web Surfing with Edge Client
BIG-IP Edge Gateway with APM
Full SSL-VPN Tunnel
Internet
Gateway
Internal Resource
![Page 46: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/46.jpg)
Pre-logon checks for iOS Devices
• Four new session variables:
– session.client.mac_address
– session.client.model
– session.client.platform_version
– session.client.unique_id
• These session variables are gathered automatically and are available with Solstice and Edge Client 1.0.1
• They can easily be combined with an LDAP/AD Query to implement white-listing in a custom action.
• Why? To distinguish IT-approved, issued devices and to improve access context.
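The allow-list decision described on this slide, modelled in plain Python as an added example (it is not F5 code and not part of the original deck). The session variable names come from the slide; the directory attribute `approvedDeviceIds`, the hex format of the device ID and the minimum platform version are assumptions made for illustration.

```python
"""Model of a device allow-list decision using the pre-logon session variables.

Added example, not F5 code: it mirrors the logic a custom access-policy
action could apply after an LDAP/AD query, so it can run offline."""
import re
from dataclasses import dataclass

# Session variable names as listed on the slide.
VAR_UNIQUE_ID = "session.client.unique_id"
VAR_PLATFORM_VERSION = "session.client.platform_version"

# Hypothetical multi-valued directory attribute holding the IDs of the
# devices IT issued to this user (an assumption, not an F5 or AD default).
DIRECTORY_ATTR = "approvedDeviceIds"


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def normalize_device_id(raw):
    """Return a canonical lower-case hex ID, or None if missing or malformed.

    Assumes the ID is a hex string that may contain separators."""
    if not isinstance(raw, str):
        return None
    cleaned = re.sub(r"[\s:\-]", "", raw).lower()
    return cleaned if re.fullmatch(r"[0-9a-f]{16,64}", cleaned) else None


def parse_version(raw):
    """Turn '4.3.1' into (4, 3, 1) so versions compare numerically."""
    if not isinstance(raw, str):
        return None
    raw = raw.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", raw):
        return None
    return tuple(int(part) for part in raw.split("."))


def evaluate_prelogon(session, directory_entry, min_platform=(4, 2)):
    """Decide allow/deny for a user who has already authenticated.

    The device ID is reported by the client, so it is only accepted when it
    matches an ID recorded against this user's own directory entry. Every
    missing or unparsable input denies access (fail closed)."""
    device_id = normalize_device_id(session.get(VAR_UNIQUE_ID))
    if device_id is None:
        return Decision(False, "missing or malformed unique_id")
    if directory_entry is None:
        return Decision(False, "user not found in directory")
    approved = {normalize_device_id(v)
                for v in directory_entry.get(DIRECTORY_ATTR, [])}
    approved.discard(None)
    if device_id not in approved:
        return Decision(False, "device not issued to this user")
    version = parse_version(session.get(VAR_PLATFORM_VERSION))
    if version is None or version < min_platform:
        return Decision(False, "platform version below minimum")
    return Decision(True, "approved device")


# Constructed sample data (not real device identifiers).
SAMPLE_ENTRY = {
    "uid": "jdoe",
    DIRECTORY_ATTR: ["01234567-89abcdef-01234567-89abcdef-01234567"],
}
SAMPLE_SESSION = {
    VAR_UNIQUE_ID: "0123456789ABCDEF0123456789ABCDEF01234567",
    VAR_PLATFORM_VERSION: "4.3.1",
}


def run_samples():
    """Evaluate a few constructed sessions and return the decisions by name."""
    unknown_device = dict(SAMPLE_SESSION, **{VAR_UNIQUE_ID: "f" * 40})
    old_platform = dict(SAMPLE_SESSION, **{VAR_PLATFORM_VERSION: "4.1"})
    no_id = {VAR_PLATFORM_VERSION: "4.3.1"}
    return {
        "issued device": evaluate_prelogon(SAMPLE_SESSION, SAMPLE_ENTRY),
        "unknown device": evaluate_prelogon(unknown_device, SAMPLE_ENTRY),
        "old platform": evaluate_prelogon(old_platform, SAMPLE_ENTRY),
        "no device id": evaluate_prelogon(no_id, SAMPLE_ENTRY),
    }


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name}: allow={decision.allow} ({decision.reason})")
```
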
![Page 47: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/47.jpg)
Checking the iOS Unique ID
• Custom action “Device ID Check” in this access policy checks a UUID…
![Page 48: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/48.jpg)
App auto-launch
• After Edge Client connects, initiate and auto-launch a 2nd application on the device.
• Uses a URL form for the App Path
– http://handleopenurl.com/
– http://wiki.akosma.com/IPhone_URL_Schemes
• Issues pre-launch warning
![Page 49: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/49.jpg)
App Auto-launch
Skype configured to auto-launch…
![Page 50: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/50.jpg)
BIG-IP Edge Client for BIG-IP v10.2.1
iMac Edge Client (Leopard/Snow Leopard)
![Page 51: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/51.jpg)
Authentication Proxy Integration – VPN
Customer Architecture with Oracle Access Manager (OAM) and BIG-IP® Edge Gateway
• Mobile employees accessing corporate applications using VPN
• OAM auth. services are performed by Edge Gateway in the DMZ
• OAM auth. services may be performed by BIG-IP® Edge Gateway in the DMZ or at the web server with “last mile” security
• Eliminate a directory service for remote access users
[Diagram labels: Mobile Employees and Contractors; DMZ; BIG-IP® Edge Gateway / OAM; OAM Web Proxies; Data Center; BIG-IP® LTM + ASM (opt) + WA (opt); Web App + OAM (opt); App 1 … App n; OAM Policy Server, Reporting, and Auditing]
![Page 52: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/52.jpg)
Security Risk: Mobile User Authentication Sync
• Access to Exchange without VPN to sync MS email, calendar, contacts
• Security risk
• Extra infrastructure tier in DMZ
[Diagram labels: DMZ; Auth. Gateway; ADC; Data Center; MS Exchange]
![Page 53: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/53.jpg)
Secure Environment: Authenticating ActiveSync Devices
• Reduce authentication infrastructure and sync with Exchange
• One location for name space URL
• Scale and support growing mobile user base
• Secure environment
[Diagram labels: DMZ; Auth. Gateway; BIG-IP® LTM + APM; Data Center; MS Exchange]
![Page 54: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/54.jpg)
Dynamic Control with BIG-IP Access Policy Manager
• Most powerful, scalable and simplified access solutions
• Application access management
• Accelerated remote access
[Diagram labels: Traditional Remote Access with SSL VPN; Unified Access on F5 BIG-IPs; Local and Mobile Users; Internet; SaaS Partners; Consumer Apps; Hosted Virtual Desktops; Directories; Applications (App 1, App n); Private and Public Cloud; SSL VPN; BIG-IP LTM with APM; BIG-IP Edge Gateway with APM, WA, and WOM]
![Page 55: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/55.jpg)
BIG-IP Edge Gateway will Power New Managed Services
Access Requirements
• Easy / cost effective access scaling
• Advanced, secure VPN with fast deployment
• Custom look and feel per customer
• Virtualized solution to maximize investment
• Enable secure collaboration between 3rd parties
BIG-IP Edge Gateway Delivered
• Superior scalability @ Lowest cost
• Acceleration technology with LAN speed performance
• Improved manageability and security with unified access
• Customized domains for personalized experience
• Virtual routing services with lower opex
![Page 56: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/56.jpg)
CSC - Why They Chose BIG-IP Edge Gateway
• Acceleration
– “First of all, the acceleration capabilities that came with it. It’s not just remote access that it’s providing but also will provide a better user experience in the process leveraging the BIG-IP acceleration technology that’s already been there, so it’s a proven and well-known capability.”
• Secure and Granular Access Control
– “Another factor that was key was the highly granular access control capabilities, so that allows us to provide the differing levels of access for different types of user and different types of devices that I was talking about, with third parties, with personal devices, which makes it flexible for future needs as well.”
• Virtualization of Access Services
– “One of the key things we were looking at in the evaluation as a managed service provider was the ability to provide full virtualization for multiple customer environments (via BIG-IP Virtual Servers concept), and obviously high scalability, so that’s all a direction we’re heading in with the cloud computing model.”
• Converged Services Platform
– “We can deliver multiple services on it, not just remote access, so it provides a point of leverage for us as well.”
![Page 57: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/57.jpg)
Repeatable Access to Applications
• Increases mobile productivity by automatically entering Windows logon credentials when using Edge Client
• Easier access to applications with seamless VPN access
• ICSA Labs certified SSL-VPN solution
[Diagram labels: Clients; BIG-IP Edge Gateway; Applications]
![Page 58: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/58.jpg)
VoIP: Slow Applications Affect Productivity
• Ensuring a positive end-user application experience is a complex problem
• Slow applications can be caused by a number of things:
– Packet loss due to chatty or jittery protocols
– High latency LANs
– Poorly designed apps.
Traditional SSL VPN: Apps./VoIP sent simultaneously
Packet loss with TCP/SSL = high latency. Network squeezes VoIP
User experiencing choppy communication
What did he say?
[Chart: Network Traffic and VoIP Traffic as a share of Max Bandwidth (0% to 100%) across the phases Low Traffic, App. growth, App. Spike, Delivered App.]
![Page 59: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/59.jpg)
VoIP: Improved User Communications
BIG-IP Edge Gateway manages app. performance
Edge Gateway improves application and VoIP performance
• Tight connection and prioritized traffic with dedicated app. bandwidth
– Client-side QoS for Windows machines: VoIP traffic first and apps. traffic second
• Applications and upper layer protocols react to lost packet(s)
– Secures each packet
User: clear phone call
Hear you loud and clear...
[Chart: Network Traffic and VoIP Traffic as a share of Max Bandwidth (0% to 100%) across the phases Low Traffic, App. growth, App. Spike, Delivered App.]
![Page 60: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/60.jpg)
Security Problem: Geolocation Access Risk
• Need to block access from countries or regions
• Help with business intelligence of where users are accessing from
• Looking for capacity planning and ability to audit the location
• Access policy based on location
UK Data Center
![Page 61: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/61.jpg)
Enforcing Access Restrictions
Simple, accurate, centralized enforcement
Solution
Centralized Location Control
• Decreased risk – access is controlled at perimeter
• Reduced capital and operational expenses through centralized control
• Reduced application development time
• Simplified network configuration
[Diagram labels: UK Data Center; App Servers; BIG-IP Edge Gateway; BIG-IP Edge Gateway with IP Geolocation Database]
![Page 62: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/62.jpg)
Only ADC with Geolocation Access Rules
• VPE – Geolocation Rules
• iRules not required
• Custom session variables
• Custom notification messages
• Logging Client locations
• Reporting
![Page 63: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/63.jpg)
BIG-IP APM/Edge Gateway V11 Features
Advanced Dynamic Services for Unified Access Control
• IPsec optimized site-to-site tunnels
• Dynamic Webtop: with Application Tunnels
• Access: External Dynamic ACLs, Flash patching, Oracle Access Manager 11g
• Hosted VDI: Microsoft Remote Desktops, Expanded Citrix VDI support (Proxy and Portal mode)
• SSO enhancements: SSO across multiple domains, Kerberos auth. (CAC cards, etc)
• EndPoint Inspection: Protected Workspace, Machine Info Inspector
• Powerful reporting/analytics: Custom & built-in reports, Access and Application Analytics for remote access solution
• Scale for Global enterprise: 11000 Series: ^60k users, w/1.2 TB of storage
![Page 64: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/64.jpg)
Edge Gateway v10.2 Security Features
• Edge Gateway
– Integration with Oracle Access Manager
– ICSA Certified – SSL-VPN
– Geolocation Agent in VPE
– MS ActiveSync Support
• Edge Client
– Reuse of Windows logon credentials
![Page 65: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/65.jpg)
Edge Gateway v10.1 Features
• Secure accel. remote access
– Remote Access, Application Acceleration and Network Optimization
– Global VPN and Unified Access to Datacenter
– Dynamic per-session layer 4 - 7 (HTTP) ACLs
– SSO/Credential Caching
– TCP Optimization
– Symmetric adaptive compression
– Asymmetric and symmetric application acceleration
– Data de-duplication
– MAPI and CIFS acceleration
• Dynamic User Access
– Web-based and standalone BIG-IP Edge Client
– Mobility: Domain detection and smart connection
– Acceleration: Dynamic data compression
• Thorough Device Inspection
– Endpoint Inspection checks
– Protected Workspace with encryption and Virtual File System
– Group policy integration
– Virtual Keyboard
• Manageability / Usability
– QoS on Windows machines (client side)
– D-TLS (Datagram-Based TLS) Network Access Transport for secure packets
– Customizable user interface
– Policy import/export
– Reporting and stats
– Set-up deployment wizards
– Dashboard executive summary
• Interoperability and Integration
– Edge Gateway and GTM interoperability
– Edge Gateway events in iRules
– Splunk for F5 logging and reporting
• Virtualization Architecture
– Multiple virtual Edge Gateways
– Targeted at Service Providers and large enterprises
– Separate access policy grouping for each virtual Edge Gateway
– Can have separate security administrators
– Master administrator control
![Page 66: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/66.jpg)
Edge Gateway – v10.1 Features
• Application Acceleration
– TCP optimization for client to gateway and gateway to gateway connections
– Symmetric Adaptive Compression for client to gateway and gateway to gateway connections
– HTTP/HTTPS asymmetric acceleration for client to gateway connections
– HTTP/HTTPS symmetric acceleration for gateway to gateway connections
– Data de-duplication services for gateway to gateway connections
– MAPI and CIFS acceleration for gateway to gateway connections
• D-TLS (Datagram-Based TLS) Network Access Transport
![Page 67: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/67.jpg)
Edge Gateway – v10.1 Features
• Portal Access Security
– OWA 2003, OWA 2007, SharePoint 2003, SharePoint 2007, MS Communicator 2007
– Oracle Portal 3.0 (10g Release 2, version 10.1.2)
– PeopleSoft Portal 9, PeopleSoft Portal HR 9
– SAP Netweaver
– Notes 7, Notes 8
• Authentication and Authorization Services
– RADIUS, LDAP, and AD support
– SSO/Credential Caching: HTTP Basic, HTTP NTLMv1/v2, Cookie, Form, and HTTP Header
– Dynamic per-session layer 4 - 7 (HTTP) ACLs
– Native RSA SecurID
– RADIUS accounting
– Authentication server redundancy
![Page 68: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/68.jpg)
Edge Gateway – v10.1 Features
• Virtualization Architecture
– Multiple virtual Edge Gateways
– Targeted at Service Providers (managed service offering) and large enterprises (segmented based on business units/groups)
– Separate access policy grouping for each virtual Edge Gateway
– Can have separate security administrators
– Master administrator control
![Page 69: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/69.jpg)
Edge Gateway – v10.1 Features
• BIG-IP Edge Client
– Web delivered and standalone
– New look and feel
– Mobility: Roaming and smart connection
– QoS on Windows machines (client side)
– Acceleration: Adaptive compression
– SDK for integration
• Endpoint Security
– Windows and Macintosh checks
– Protected Workspace (Parity with FP 6.1) with encryption and Virtual File System
– Group policy integration
– Virtual Keyboard
![Page 70: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/70.jpg)
High Cost to Scale Remote Access
• Cost prohibitive scaling for remote access
• Three-unit cluster supports 26k users at $29 per user
• Asymmetric acceleration not available for remote access
• Limited QoS
• User and application disruption when roaming
Traditional SSL VPN (clustered 3 max)
$751K for 26k users
[Diagram labels: Internet; DMZ; 4,000 Remote Users; 1,000 Wireless Users; 6,000 Corporate Branch Users; 15,000 Corporate Users; Internal LAN VLAN 1; Internal LAN VLAN 2; Utilize existing user directory; Datacenter Resources]
![Page 71: F5-BigIP Edge gateway introduction](https://reader033.fdocuments.us/reader033/viewer/2022061119/546b1a84af795919088b4e9b/html5/thumbnails/71.jpg)
BIG-IP Edge Gateway: High Performance, Low Cost
• Consolidation: 3:1 on Access and Acceleration
• High performance – 26,000 users at $7+ per user
• Scale up to 40,000 users
• Flexible and centralized security policy management
• Integrated endpoint security checking
• Integrated application acceleration – up to 10x
BIG-IP Edge Gateway
$188K for 26k users
25% of cost
[Diagram labels: Internet; DMZ; 4,000 Remote Users; 1,000 Wireless Users; 6,000 Corporate Branch Users; 15,000 Corporate Users; Internal LAN VLAN 1; Internal LAN VLAN 2; Utilize existing user directory; Datacenter Resources]