F5 300 Boot Camp and APM


F5 APM Essentials & PUA

Michael Coleman, Bill Church


Senior Federal SE, Army
Objective 1.x Portal Access

F5 Bootcamp 2015 2
Objective 1.x Network Access

[Diagram: Network Access. Labels: Client; Webtop; Virtual Server; Network Access / Lease Pool ("Lease from"); Network Access; ACLs; Connectivity Profile; Access Profile.]

Objective 1.x Application Access

[Diagram: Application Access. Labels: Client; Virtual Server; Application Access Resource; Access Policy; Connectivity Profile / Access Profile.]

Objective 2.x APM Client / Server SSO Auth Matrix

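[Matrix: Client Side Authentication (rows) against Server Side SSO (columns); cell entries not shown.]

Header labels, as extracted: Forms Based, LDAP & RADIUS, Basic, NTLM, Kerberos, SAML

Client Side Authentication rows:
• Forms Based
• Basic
• Client Side NTLM **
• Client Side Kerberos
• Client Certificate
• OTP
• SAML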

** Outlook Anywhere Client Support Only.

Edge Components - Windows
[Matrix: Edge client components on Windows; cell entries not shown.]

Header labels, as extracted: Service Controls; Installer Control; Super Host; Host Inspection Host; VPN Tunnel Server; Protected Workspace; Win32 Inspector; OPSWAT; Machine Cert; Cache Cleaner; Windows GPO; Custom Dialer; Edge (Windows); Edge (COM/API); DNS Relay Proxy; Traffic Control; Component Installer

Rows:
• Base Control
• Network Access
• Application Tunnels
• Endpoint Security
• Windows Logon
• Component Installer
• Edge (Windows)
• Edge (COM/API)
• DNS Relay Proxy
• Traffic Control

Objective 2.x APM iRule Commands
Commands
ACCESS::acl
ACCESS::disable
ACCESS::enable
ACCESS::policy
ACCESS::respond
ACCESS::restrict_irule_events
ACCESS::session
ACCESS::user
ACCESS::uuid
WEBSSO::disable
WEBSSO::enable
WEBSSO::select
REWRITE::disable
REWRITE::enable
REWRITE::payload
REWRITE::post_process

Objective 2.x APM iRule Events
Events
ACCESS_ACL_ALLOWED
ACCESS_ACL_DENIED
ACCESS_POLICY_AGENT_EVENT
ACCESS_POLICY_COMPLETED
ACCESS_SESSION_CLOSED
ACCESS_SESSION_STARTED
REWRITE_REQUEST_DONE
REWRITE_RESPONSE_DONE

LTM

F5 Agility 2014 9
Objective 3.x Failure Behavior
Failure During: What Happened?

Access Policy Execution
• User must reconnect.
• After reconnect, access policy restarted from beginning.

Tunnel Use
• Network Access Tunnels re-established.
• TCP connections lost.
• Reconnection handled automatically.

Other
• For connections associated with failed device, requests fail during failover time.
• Other connections operate without failure.

Summary… You should be able to:
• Determine client-system security requirements.

• Identify the authentication mechanism.

• Configure network access resources with the applications and functionality you want to provide, or
create app tunnels, remote desktops, and portal access resources for your users.

• Create ACLs for users.

• Create an access profile and access policy that you can associate with your virtual server, to give
your clients secure access.

• Assign resources to users.

• Test user connectivity.

• Create client SSL profiles for users.

• Define your virtual server.

• Create advanced access policies, for more complex secure access scenarios.