Professional Documents
Culture Documents
Cours - Formation F5 APM
Cours - Formation F5 APM
Uploaded by
Elaouni Abdessamad0 ratings0% found this document useful (0 votes)
15 views416 pagesOriginal Title
Cours_Formation F5 APM
Copyright
© © All Rights Reserved
Available Formats
PDF or read online from Scribd
Share this document
Did you find this document useful?
Is this content inappropriate?
Report this DocumentCopyright:
© All Rights Reserved
Available Formats
Download as PDF or read online from Scribd
0 ratings0% found this document useful (0 votes)
15 views416 pagesCours - Formation F5 APM
Cours - Formation F5 APM
Uploaded by
Elaouni AbdessamadCopyright:
© All Rights Reserved
Available Formats
Download as PDF or read online from Scribd
You are on page 1of 416
Configuring BIG-IP APM v13.1
Application Policy Manager
BIG-IP Version 13.1.0.1 | February 2018
F5 Networks Training
Configuring BIG-IP APM v13
Application Policy Manager
Student Guide
®
v13.1.0.1 — February 2018
Configuring BIG-IP APM v13
Configuring BIG-IP APM v13
Student Guide Twenty-Second Printing; February 2018
Support and Contact Information
Obtaining Technical Support Contacting F5 Networks
Web ‘support.f5.com Web www.fS.com
Phone (206) 272-6888 Sales sales@f5.com
com General Info _infowfS.com
Support Issues support@
Suggestions feedback @f5.com
FSNetworks, Ine. FS Networks, Ltd '§ Networks, Ine. PS Networks, Ine.
Corporate Office United Kingdom Asia Pacific Japan
401 Eliot Avenue West Chertsey Gate West 5 Temasek Boulevard ‘Akasaka Gardon City 19F
Scattl, Washington 98119 Chertsey Suey KT168AP_—#08-01/02 Suntec Tower S 4-1-1 Akasoka, Minato-ku
T (888) S8BIG-IP United Kingdom Singapore, 038985 ‘Tokyo 107-0082 Japan
(206) 272-5855 T (48) 0 1932 582-000 (65) 6833-6103 TBI) 35114-3200
F (206) 272 F (44)0 1932 582.001 F (65) 6533-6106 (61) 35114-3201
EMEATraining@fScom —APACTraining@S.com ——_ JapanTraining’@iS.com
Legal Notices
Copyright © 2018, F5 Networks, Inc. All rights reserved.
FS Networks; In. (F5) belioves the information it fishes to be accurate and reliable, However FS assumes no responsibility forthe use oF hi
information; nor any infringement of patents or othe: Fgh of hid partis Which may result ffm suse No license is granted by implication or
‘otherwise under any patent copyeght or atherineleetual propery Fight of FS except a specifically described by applicable user eons. FS
resorss the right fo change speciation al anytime without nie.
Trademarks
‘AAM, Assos Policy Manager, Advanced Client Authentication, Advanced Firewall Manager, Advanced Routing, AFM, APM, Application
‘Avsleration Manager, Application Seuty Manager, AskFS, ASM, BIG, BIG-IP EDGE GATEWAY, 1G-1Q,Claual Extender Clot
Manage, CloudFucious, Cited Muliprocesing, CMP. COHESION, Data Marager, DDoS Foaline, DDoS SWAT, Defonse Net,
.gz. Archived Log
Table 8: Interesting Log Files for BIG-IP APM
Configuring BIG-IP APM v13
Chapter 5: Using Authentication 54
Chapter 5: Using Authentication
Wiki Site Partner Auth !!!
A CIO (cio@fStrn.com)
To: adminX@fStrn.com
The AD team has been unhappy about keeping
partner accounts on the corporate Active
Directory. They will be moving those accounts to
a RADIUS server.
You need to incorporate RADIUS authentication
without making any changes to the way either
employees or partners logon and you need to do
that ASAP!
Prerequisites
This chapter is one of the required chapters and it builds on the concepts and technologies introduced in
Chapter 4 and earlier. The required chapters present the basic foundations of BIG-IP APM.
New Concepts and Technologies
«AD Authentication, Authorization and the AD Query agent
+ RADIUS Authentication
© One-Time Passwords
© Local User Databases
Configuring BIG-IP APM v13 54
5-2 Chapter 5: Using Authentication
Introduction to Access Policy Authentication
In order to use most Auth Agents, you must ereate a corresponding (BIG-IP APM) AAA server first. The
‘an object that points to the “real” AAA server. The BIG-IP APM AAA
BIG-IP APM AAA server
server usually contains any information needed to use the “real” AAA server, such as hostname and
shared secret.
The following is a list of AAA servers that are supported by BIG-IP APM.
(2 Acceleration
= RADIUS
AA) Accase wae
ovenew Active Directory
Profiles / Policies soe
HTTP
co oracle Accoss Manager
ae OcSP Responder
Connectivity / VPN a
‘Seoure Web Gateway bo rastad
Access Control Lists perore
aida Local User D8
Endpoint
= Management
{> Device Management ‘Systems
2 CAPTCHA
EQ Network Configurations
[F9) system bis
Figure 4: Access »» Authentication
As you have seen before, after the (BIG-IP APM) AAA server is created, the corresponding
Authentication Agent must be added to the Access Policy.
‘The following is a list ofall Authentication Agents. This is the Authentication tab from the Access Policy
Add Agent window. We will briefly discuss most of the agents below, and many in more detail later in
this chapter and in the course.
5-2 Configuring BIG-IP APM v13
Chapter 5: Using Authentication 53
som awe Deectry athena fen wer exces
tae recep wear fr nnh ecs hgner ectyeh AD ep
‘lent cat ingen Check he est of enter athetaton bythe Lo Taff Cent SL pole
coupe ns ‘erent Revocation Lit Dstt Fo (CRLDP) dent eat authentication
HIT Aah LTP astertcaon of end sr ender
ert Ath ‘eters atentan, ypc felon an HTTP 4 Response action
oa a 00? ashoricaon of re user cde
Loar que 00? gun to pul wer totes for we with rescue aimee ote unions, sch 3 LDAP group mapeng
Leas uth toca Dabs terion
TUM th Rest TUM atheraton oer se crdertls
onan Aeruaton ‘otuh 20 Autharzaton Agent for spe management
onah cere ‘ten chee
‘nuh Scape ‘ott Scope
coe th ‘Online Certs Stats Protec (OCS) cnt reat ute
‘nDerand Cart Auth Dyan an SSL rehardshake and vate the rece cen cateate
OTP Generate enerte One Tine Pascoe (OTP)
OTP erty erty One Tine Paste (OTP)
00S fet ‘Send acounbeg messes 08 RADIUS Seve when wes on and of
AOS Ah AOIUS shertcaton of end wer coders
ASA Sec FSA Seat bwofoer uerteatin of ed user crederls
sent Ay SAM. AU ung SIM Serve Protec
TOMS het Send szounting mesioges 108 TACACS* seer when srg on and of
TwOACS Aa “WOACS + Autertcaon of on user cede
“TniparentIdentty imprt__mor dns (sr) formato ram IMAP server
Figure 2: Access Policy Authentication Agents List
Active Directory, RADIUS, LDAP and RSA SecurlD are the most common authentication methods.
Both AD and LDAP support an Authentication Agent and a Query Agent which is used for user resource
Authorization, Because RADIUS and TACACS* began in the days of dialup MODEMS, they have the
ability to log accounting records, sometimes referred to as Call Detail Records (CDR), which can be used
for usage billing. We'll also look at AD Trusted Domains in this chapter.
Another method of authentication is to use the student's credentials to attempt to logon to a web server. If
the logon attempt is successful, then the BIG-IP system recognized that the credentials were valid and
allows the user access. If the logon attempt fails, BIG-IP denies the user access. BIG-IP APM supports
four methods to test user credentials on a web server: HTTP Basic Auth, NTLM, Form-based Auth and a
Custom Post method. Note that the web server is used only to determine credential validity. The server
response, if any, is lost.
Configuring BIG-IP APM v13 53
54 Chapter 5: Using Authentication
BIG-IP APM can generate and authenticate one-time passwords. We will look at this in more detail later
in this chapter.
TACACS is similar to RADIUS in many respects and is commonly used in networks with a Cisco
Infrastructure.
‘A user certificate check can either be performed when the user connects to BIG-IP APM, or may be
initiated by the Access Policy sometime after the initial connection. This could be useful if a client
certificate is required for specific secure operations, but not for normal tasks.
Because user certificates are sometimes lost or stolen, there are two methods available to confirm that the
certificate is still valid
OAM and Kerberos Constrained Delegation are enterprise authentication and single sign-on platforms but
are beyond the scope of this course. However, SAML is the third enterprise authentication and single
sign-on platform that is covered on the third day.
54 Configuring BIG-IP APM v13
Chapter 5: Using Authentication 55
Active Directory AAA Server
We've already looked at the Active Directory AAA Server in Chapter 2, but we're going to dive in deeper
in this chapter. There are three ways to specify the AD domain controller or controllers. The first method
is to not use a pool and specify a single domain controller. ‘The second option also doesn’t use a pool, but
relics on DNS find the domain controller using service locator records,
The third option is to use a pool (not shown) and specify the domain controllers you want. This is your
safest option in a production environment, because specifying a single domain controller is subject to a
single point of failure. Relying on DNS is better, but in some circumstances can be worse if it chooses a
domain controller halfway around the world. Specifying a pool of DCs reasonably close to BIG-IP APM.
enhances the odds that BIG-IP APM will always be able to authenticate users. The lab only has a single
domain controller, so using the pool is beyond the scope of t
Domain Name {trn.com
| Server Connection Use Pool @ Direct
|
| Domain Controller
Figure 3: AAA Server Configuration
The following shows BIG-IP APM using an Active Directory domain controller that is part of a multi-
domain environment (Forest) with trust relations with the other controllers.
- Active Directory
t5tmcom
area V
User
ia =
— BIG-IP LTM+APM
Figure 4: Active Directory Trusted Domains
Configuring BIG-IP APM v13 55
5-6 Chapter 5: Using Authentication
BIG-IP APM docs not honor trust relationships the way Windows PCs do. Users from other domains
cannot log on to the BIG-IP APM by default. However, enabling the cross domain option in the AD Auth
Agent allows users from other domains to logon to BIG-IP APM. Specifying Trusted Domains limits
which domains can log on to BIG-IP APM. The lab only has a single domain and configuring Trusted
Domains is beyond the scope of this course.
Properties* |{ Branch Rules )
Name: |AD Auth
Active Directory
Type Authentication |
Server None :
Cross Domain Support | Disabled ¢
Figure 5: Access Policy AD Auth Agent: Cross Domain Support Disabled
‘The Trusted Domains field only appears in the Ul when Cross Domain Support is Enabled.
Type ‘Authentication ]
Server None +
Trusted Domains None :
‘Cross Domain Support Enabled $
Figuro 6: Access Policy AD Auth Agent: Cross Domain Support Enabled
56 Configuring BIG-IP APM v13
Chapter 5: Using Authentication 5-7
RADIUS
As mentioned earlier, RADIUS has an Accounting option that allows RADIUS to send the session or user
Logon and Logoff times to a log file. This feature is sometimes used for billing purposes, Unlike AD
and LDAP, RADIUS does not have a query option. Instead any additional information that might be
returned by a Query, is sent back with the Authentication response of Allow or Deny. (There is also a
challenge response, but this is beyond the scope of this course.)
For example, tne two fields returned (if there is content) are the class field, which is typically used
similarly to Group Membership in AD and LDAP, and the Framed-IP field which can be used to provide
aan IP address for the VPN tunnel.
We haven't discussed BIG-IP APM VPNs yet, but you are probably familiar with VPN concepts. By
providing the user with a known IP address other devices within the (enterprise) network can provide
more granular access contro
Many Token-Based One-Time Password providers also use RADIUS as their authentication method.
RSA SecurlD has its own authentication method which BIG-IP APM supports, but RSA recommends the
use of their RADIUS proxy for new implementations. Entrust and Vasco also use RADIUS for their OTP
implementations,
Configuring RADIUS
Create the RADIUS AAA Server configuration that points to the actual RADIUS Server. The server
address is the important part of this configuration. Like the AD Auth agent, the RADIUS server can be
configured to connect directly to a single server or use a pool of servers.
‘AAA Server Name radius.aaa
Type RADIUS
Server Connection Direct
Server Address 172.16.20.1
Table 1: RADIUS AAA Server Configuration
‘The AAA Server information is used by the RADIUS Auth agent in the Access Policy (shown here).
Sia 8B [on rae f+ success, Tao
RADIUS Auth
je +» — aa)
Figure 7: Access Policy with RADIUS Auth Agent
Configuring BIG-IP APM v13 57
58 Chapter 5: Using Authentication
One-Time Password
BIG-IP APM supports its own one-time password implementation, but re!
of the password to a mobile device.
's on Email (or SMS) delivery
rye eas] fo
se] fa
Figure 8: One-Time Password Actual Access Policy
sy fe
(Se
It could work like this: the Logon Page agent is used to prompt for Username. With the username, AD
Query can be used to find the user’s password. It is saved in a session variable.
The OTP Generate agent creates « new password and stores it in a session variable (shown here). The
email agent reads the session variables for email address and password and sends an email to the user or
to an SMS proxy.
The user receives the password on her mobile device and types it into the password prompt from the
second Email agent. The OTP Verify agent matches the password from the second Logon Page (session
variable) against the store password from OTP Generate (session variable)
However, the typical implementation uses a user certificate instead of prompting for username (in the first
Logon Page agent). The cert contains the username, which is extracted and used by the AD Query Agent
to find the email address. By only prompting the user once we have streamlined the logon process.
Using either method, when combined with a prompt for the AD password and using the corresponding
AD Authentication Agent, provides Two-Factor Authentication, ie, something the user has (smart phone
or user certificate) and something the user knows (password).
58 Configuring BIG-IP APM v13
Chapter 5: Using Authentication 5-9
Local User Database
BIG-IP APM also provides a local user database. This is not meant to replace Active Directory for
enterprise logon, but it could easily replace a RADIUS server that had a small number of maintenance
accounts ~ thus reducing total account management overhead.
The first step is to create and name the database itself, The italicized settings are the defaults. ‘The first
two settings indicate the user gets three attempts to logon within a ten minute interval. If the user fails,
this will result in a lockout with a ten minute duration. This stymies automated authentication attacks as
well as possibly minimizing the impact of user denial of service attacks
Database Instance local-users.db
Lockout Interval 600 (seconds)
Lockout Threshold 3 (attempts)
Dynamic User Remove interval 1800 (seconds)
Table 2: Local Database Instance Configuration
The next step is to add a user to the newly created database.
Username student19
Password .
Instance local-users.db
Table 3: Local User Database Configuration
Finally add the LocalDB Auth agent to your access policy. Because multiple user databases are allowed,
the agent must specify which database to use. Unlike AD Auth and RADIUS, this agent has a third
branch (not shown here) for users that are locked out. In that case, itis possible to provide locked out
users receive a customized Deny message.
Figure 9: Local User Database Authentication Policy
Local User Database Temporary Usernames
‘The third setting is a little more complicated. The Local User Database can be used to store temporary
usernames as well. For example, if usernames are being authenticated against Active Directory, the BIG-
IP Access Policy Manager can be configured to save the username of an unsuccessful logon. If'that
username is attempted more than some number of times within a certain period, BIG-IP can prevent any
further log on attempts from reaching Active Directory. The third setting works when temporary names
are allowed. In this case, that temporary name is only stored for a specific period and then that name is
deleted.
Configuring BIG-IP APM v13 5-9
Chapter 6: Understanding Assignment Agents 61
Chapter 6: Understanding Assignment Agents
Problems Updating Wiki Servers !!!
A ClO (cio@fStrn.com)
To: adminX@f5trn.com
Of the three wiki servers we are load balancing,
only one of them is writeable. The other two are
read only. This has become a problem for
employees trying to update the wiki.
Make it so any employee wanting to update it,
only goes to the first wiki server.
Also, please remind all remote users not to share
the Wiki content and you need to do it ASAP!
Prereq es
This chapter is one of the required chapters and it builds on the concepts and technologies introduced in
Chapter 5 and earlier. The required chapters present the basic foundations of BIG-IP APM.
New Concepts and Technologies
+ Visual Policy Editor List of Assignment Agents
* Advanced Resource Assign Agent
* Session Variable Assign Agent
Configuring BIG-IP APM v13 64
62 Chapter 6: Understanding Assignment Agents
List of Assignment Agents
Access Policy Assignment Tab
‘The following are all of the Assignment Agents available in the Access Policy
(Geson|(Ratertzabon | Assorment Enns Seu (Sener Sde (Eons Sun (Gent Sas) Genera Pures
ACL Assign Assign existing Access Control Lists (ACLS)
20 Grup Resource Assan Map ACL nd esoures based on ser Active Decor group membership
‘Advanced Resource Assign Expression-based assignment of Connectivty Resources, Webtop, and ACLS
BWC Policy Assign Bandwicth Controller polices
‘crx Smart Access Enable Cr SmartAccess Mites when deploying with NenApp or XenDesktop
Dynamic ACL. Assign and map Access Control Usts (ACLS) retrieved from an external cirectory such as RADIUS o* LDAP
LDAP Group Resource Assign Map ACLS and resources based on user LDAP group membership
Links Section and WebtO?_gsson 4 Yiettop, Webzop Links and Webtop Sections
a
rea An “oe a el
po ey son Sa A ae oe oh ig fw Ya in een
Se Fa Gas Roa
{Us Dara a SMAT ——_ypaeny sec Rete Dana ad SAAT sets
‘$50 Credential Mapping _ Enables Single Sigr-On (SSO) credentials caching and assigns SSO variables
Variable Assign ‘Assign custom variables, configurston variables, or predefined session variables
‘vmnere View Policy ‘Speck a policy thet vl apo to VMware View connections
Figure 1: Access Policy Assignment Agents List
In this course, you are going to focus on one assignment agent as much as possible, the Advanced
Resource Assign agent. Anything that can be configured in the following six agents can also be
configured using the Advanced Resource Assign:
* ACL Assign
+ AD Group Resource Assign
‘© LDAP Group Resource Assign
* Links, Section and Webtop Assign
© Pool Assiz
© Resource Assign
Note that this agent was called the Full Resource Assign in carlier versions and sometimes labelled as
ign” in macro templates, which have not yet been covered
“Resource Ass
6-2 Configuring BIG-IP APM v13
Chapter 6: Understanding Assignment Agents 63
‘The ACL Assign agent has been superceded by the Advanced Resource Assign, but remains in the Access
Policy for backwards compatibility with older versions of BIG-IP APM.
‘The AD Group and LDAP Group Resource Assign Agents function similarly to the Advanced Resource
Assign, but allow for easier to use mapping of resources to AD Groups and LDAP Groups.
‘The Links, Section and Webtop Assign Agent has been superceded by the Advanced Resource Assign,
but remains in the Access Policy for backwards compatibility with older versions BIG-IP APM. Note
that Webtop Sections are new for BIG-IP APM 12.0. The Pool Assign and Resource Assign Agents have
been replaced by the Advanced Resource Assign, but remain in the Access Policy for backwards
compatibility with older versions BIG-IP APM.
‘The Dynamic ACL Assign Agent will be discussed in Chapter 14 and the Single Sign-On Credential
Mapping Agent will be discussed in Chapter 15.
‘There are some additional agents shown that are beyond the scope of this course. A brief explanation for
cach is provide below:
BWC Policy: You can create a “Bandwidth Controller” (really it’s a Bandwidth Policy) in the
‘Acceleration Menu, This is part of the AAM product, but some parts are included without a
license or without provisioning. Once a controller is created, it can be assigned to a BIG-IP APM
policy using this agent.
Citrix SmartAceess Filters: Citrix NetScaler has a similar feature to BIG-IP APM (but not as,
powerful or flexible) that performs endpoint checks on the client. Based on these checks a string
is passed to Citrix that can be used to determine which resources are available. Eg, all client
endpoint checks passed, the string might be “Very Secure” and all resources are available, The
string is completely arbitrary. After performing the appropriate endpoint checks, BIG-IP APM.
can send the appropriate string to Citrix.
RDG Policy: This agent assigns a secondary Access Policy (of type RDG-RAP) that runs every
time a remote desktop client requests a new connection to a host that is behind BIG-IP APM. It is
used to determine whether the client should have access to the targeted host.
Route Domain and SNAT Selection: This allows the admin to set the Route Domain and the
SNAT settings in the Policy, overriding the specification in the Virtual, SNAT (now called
Source Address Translation in the Virtual) can be set to None, Automap or specify a Pool.
Configuring BIG-IP APM v13 63
64 Chapter 6: Understanding Assignment Agents
Using the Advanced Resource Assign Agent
The Access Policy from the previous chapter is shown below
tos, Taran fh nf "ps,
AD AUD | rteack * | Successful
om +a]
RADIUS AD |
Figure 2: Wiki Accoss Policy Poet
The idea for the new policy is to allow certain users to access the one member of the pool that is editable,
but to do this, a new pool must be created that just contains the one editable host, as shown here.
Pool Name wiki-edit.pool
Pool Members 172.16.20.1:443
Pool Monitor —_ wiki-443
Table 1: Wiki Edit Poo! Configuration
The next step is to add an Advanced Resource Assign Agent to your Access Policy, as show below.
Sates fatback
sxc Ta |
BADIUS Aut oe
Figure 3: Access Policy with Advanced Resource Assignment Agent pe
Edit the Advanced Resource Assign Agent and click Add new entry, shown here.
Figure 4: Access Policy Advanced Resource Assign Agent Properties Sheet
In the newly created entry, click Add/Delete,
6-4 Configuring BIG-IP APM v13
Chapter 6: Understanding Assignment Agents 65
freeevap IMENT ECHL EEE SLE -ESEE SESE SEE HERE EE EAU SEE Ean OI AEE EERE
sere
aes Anat
“Ade nem entry naar ee:
Boren cane e
secvoaen
Figure 5: Access Policy Advanced Resource Assign Agent: add new resource
Here you see the kinds of resources you can add to your policy. You will look at each one of these
options in depth in the next chapters. Note the 0/0 in each tab, this means 0 resources available and 0
selected. Only Static Pool is different. Click the Static Pool tab.
[sacns60
Figure 6: Access Policy Advanced Resource Assign Agent: tabbed list of resource types
Select the wiki-edit pool and save.
manasa se aca
Figure 7: Access Polley Advanced Resource Assign Agont: change tho default pool
‘This shows your entire Advanced Resource Assign configuration at this point. But what is wrong with it?
With this configuration, every employce (remember this is on the AD Auth branch) will always go to the
first host which writeable, but will lose the benefit of the pool. Employees should only go to this pool
when they want to edit the wiki
xprmion Ent eee 2
3 sai Poa: Cannan pct
toa
Figure 8: Access Policy Advanced Resource Assign Agent: resource ist summary
Configuring BIG-IP APM v13 65
6-6 Chapter 6: Understanding Assignment Agents
‘To make that happen you need to change the expression, so that the wiki-edit pool is used when the
employee adds “Yedit” to the end of the URL they use to access the wiki, eg, wiki.fStm.com/edit. The
first step is to click Add Expression.
Simple |[advanced
Add Expressio
Figure 9: Access Policy Advanced Resouree Assign Agent: add exrpression
‘The next step is to specify the actual expression and again, click Add Expression.
‘Simple
‘Agent Sel: Landing URI
Condition: Landing URI. $
Landing URLs [eat
( cancel
Figure 10: Access Policy Advanced Resource Assign Agent: landing URI expression
After adding the expression, the Advance Resource Assign now succinetly states, IF the landing URI is
/edit THEN change the default pool to wiki-edit. pool
(rors: Lancing U's fet chase cy
1 sete Poot: Carmona nl
este
Figure 11: Access Policy Advanced Resource Assign Agent: resource lst summary
Here you see the Access Policy with details for every Agent that doesn’t use the default settings.
6-6 Configuring BIG-IP APM v13
Chapter 6: Understanding Assignment Agents
67
‘Message: Piease do not share Wiki Content ) ( Message: Please do not share Wiki Content |
Se Se
Bae) + Lan ace | +f
yl
ae 7 zt
{ Server. on/fStn.
| Max Logon Attempts Alowod:
/
/
\
Ba
( Server. /Common/radius.aa8 ) (Expression: Landing URI is /edit |
‘Max Logon Attempts Allowed: 1
| state Poot /Common/wikiedit pol |
Configuring BIG-IP APM v3.
Figure 12: Access Policy
67
Resource Assignments Labs Overview
Archive and Save the Previous Lab Configuration
Archive the current configuration, name the file studentX-lab6 and download it to your Windows
client.
When You’ve Completed the Following Labs...
You will be able to create a dynamic policy that assigns different pools based on the user's
authentication grouping. If you complete the challenge lab, you will also be able to create a
‘Two-Factor Authentication policy using Active Directory and One-Time Passwords,
You will need 15 minutes to complete these lab exercises.
Lab 6.1 - Dynamic Pool Assignment
This lab is your first introduction to dynamic assignments. Rather than serving a user with a
load balanced page, it serves users who authenticate with Active Directory, a single page so
that it can be edited.
Create a new Pool
Pool Name wiki-edit pool
Health Monitors wiki.mon
Pool Members 172.16.20.1:443
Create an Access Profile and edit the Access Policy
1. Create a new Access Profile named wiki.
following
p.10 and edit the new policy to look like the
Message: Please do not share Wiki Content
Max Logon Attempts Allowed: 1
~N
tock
Server: [Common/fStrn.aaa |
( Server ;Commoniradius.saa
Max Logon Attempts Allowed: 4
2. Change the wiki.vs Virtual Server to use this policy
Tests and Results
Login as studentX. Which servers are used?
Note: You may have to do a force refresh for each of these tests.
Repeat for student17. Which servers?
Repeat for student18. Which servers?
figuring BIG-IP A\
Chapter 7: Configuring Portal Access ™
Chapter 7: Configuring Portal Access
OWA Losing DMZ Interface !!
A CIO (cio@f5trn.com)
To: adminX@fStrn.com
The Security Team has demanded that the public
facing IP address for OWA be removed and the
Email Team has agreed.
You need to find a way to make OWA available to
all of our employees, but without compromising
corporate security. Oh, and you need to do it
ASAP!
Prerequisites
This chapter is one of the required chapters and it builds on the concepts and technologies introduced in
Chapter 6 and earlier. The required chapters present the basic foundations of BIG-IP APM.
New Concepts and Technologies
+ BIG-IP APM Component View
* Landing Page (Full Webtop)
* Portal Access (aka Reverse Proxy or HTTP Tunneling)
© Rewrite Profile
‘+ Connectivity Profile
‘+ Portal Access Resource and Resource Item
‘© Virtual Server for Portal Access
Configuring BIG-IP APM v13 TA
72 Chapter 7: Configuring Portal Access
Introduction to Portal Access
So far, you've looked at BIG-IP LTM used in conjunction with the Access Policy. From @ BIG-IP APM
perspective, this is called Web Application Access. In this chapter, you're going to look at another access
method, Portal Access, which is sometimes referred to as HTTP Tunneling or Reverse Proxy.
Web Application Access is a Layer 4 Proxy whereas Portal Access is Layer 7. You will examine these in
more detail in the next few pages. These are the components of BIG-IP APM, the Access Policy and
three remote access methods.
Layer 4 Proxy
Coty
Remote Access -
' Nemes Soa)
Pores
Clay
Layer 7 Proxy (aka Reverse Proxy)
Figure 1: BIG-IP APM Components and Access Methods
Web Application Access does not use a landing page, after connecting to BIG-IP APM and a possible
logon page, the user is connected to the pool. Remote Access typically uses a landing page, which
displays all the resources dynamically provisioned for the user, as shown here on the Full Webtop
Landing Page
For a user connecting to Web Application Access, the Virtual Server goes to the pool, but for a user
connecting to Remote Access, the Virtual Server goes to a Landing Page, which can have many
resources, such as Network Access, Application Access and Portal Access.
72 Configuring BIG-IP APM v13
Chapter 7: Configuring Portal Access 7-3
forF5 Networks eee
eonoee, wom
Figure 2: Logon Page then Landing Page
Unlike connecting to the wiki server for Web Application Access, for this Portal Access example, the user
will log on to BIG-IP and then get a landing page (or Full Webtop in BIG-IP APM nomenclature). In the
lab case, initially the student will have only one resource, or option, to click on.
When the user clicks that resource on the landing page, things begin to happen. BIG-IP APM (remember
BIG-IP architecture is full proxy) sends request to a backend server. This is configured in the resource
as the starting URI as you will see in the configuration slides.
‘The backend server responds with an HTML page. BIG-IP APM encodes every link in the page and
sends it to the user. Only the highlighted text is displayed on the left side.
Below is an example of what happens when a user clicks a Portal Access Resource on the Landing Page,
or Full Webtop.
Configuring BIG-IP APM v13 7-3
14 Chapter 7: Configuring Portal Access
2. a
En cep
connect.f5trn.com intranet.internal
HOST connect.f5trn.com HOST intranet.internal
GET / GET/
href="https://connect.5trn.com menu.js'>
/15.w-687474703a2121696e7472616e logo.png"/>
65742e696e7465726e616c$$
/appearance.css"/>
You might also like
- The Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeFrom EverandThe Subtle Art of Not Giving a F*ck: A Counterintuitive Approach to Living a Good LifeRating: 4 out of 5 stars4/5 (5813)
- The Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You AreFrom EverandThe Gifts of Imperfection: Let Go of Who You Think You're Supposed to Be and Embrace Who You AreRating: 4 out of 5 stars4/5 (1092)
- Never Split the Difference: Negotiating As If Your Life Depended On ItFrom EverandNever Split the Difference: Negotiating As If Your Life Depended On ItRating: 4.5 out of 5 stars4.5/5 (844)
- Grit: The Power of Passion and PerseveranceFrom EverandGrit: The Power of Passion and PerseveranceRating: 4 out of 5 stars4/5 (590)
- Hidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space RaceFrom EverandHidden Figures: The American Dream and the Untold Story of the Black Women Mathematicians Who Helped Win the Space RaceRating: 4 out of 5 stars4/5 (897)
- Shoe Dog: A Memoir by the Creator of NikeFrom EverandShoe Dog: A Memoir by the Creator of NikeRating: 4.5 out of 5 stars4.5/5 (540)
- The Hard Thing About Hard Things: Building a Business When There Are No Easy AnswersFrom EverandThe Hard Thing About Hard Things: Building a Business When There Are No Easy AnswersRating: 4.5 out of 5 stars4.5/5 (348)
- Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic FutureFrom EverandElon Musk: Tesla, SpaceX, and the Quest for a Fantastic FutureRating: 4.5 out of 5 stars4.5/5 (474)
- Her Body and Other Parties: StoriesFrom EverandHer Body and Other Parties: StoriesRating: 4 out of 5 stars4/5 (822)
- The Emperor of All Maladies: A Biography of CancerFrom EverandThe Emperor of All Maladies: A Biography of CancerRating: 4.5 out of 5 stars4.5/5 (271)
- The Sympathizer: A Novel (Pulitzer Prize for Fiction)From EverandThe Sympathizer: A Novel (Pulitzer Prize for Fiction)Rating: 4.5 out of 5 stars4.5/5 (122)
- The Little Book of Hygge: Danish Secrets to Happy LivingFrom EverandThe Little Book of Hygge: Danish Secrets to Happy LivingRating: 3.5 out of 5 stars3.5/5 (401)
- The World Is Flat 3.0: A Brief History of the Twenty-first CenturyFrom EverandThe World Is Flat 3.0: A Brief History of the Twenty-first CenturyRating: 3.5 out of 5 stars3.5/5 (2259)
- The Yellow House: A Memoir (2019 National Book Award Winner)From EverandThe Yellow House: A Memoir (2019 National Book Award Winner)Rating: 4 out of 5 stars4/5 (98)
- Devil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New AmericaFrom EverandDevil in the Grove: Thurgood Marshall, the Groveland Boys, and the Dawn of a New AmericaRating: 4.5 out of 5 stars4.5/5 (266)
- Team of Rivals: The Political Genius of Abraham LincolnFrom EverandTeam of Rivals: The Political Genius of Abraham LincolnRating: 4.5 out of 5 stars4.5/5 (234)
- A Heartbreaking Work Of Staggering Genius: A Memoir Based on a True StoryFrom EverandA Heartbreaking Work Of Staggering Genius: A Memoir Based on a True StoryRating: 3.5 out of 5 stars3.5/5 (231)
- On Fire: The (Burning) Case for a Green New DealFrom EverandOn Fire: The (Burning) Case for a Green New DealRating: 4 out of 5 stars4/5 (74)
- The Unwinding: An Inner History of the New AmericaFrom EverandThe Unwinding: An Inner History of the New AmericaRating: 4 out of 5 stars4/5 (45)
- NCA SlideDeckDocument160 pagesNCA SlideDeckElaouni AbdessamadNo ratings yet
- Netscout University - Lab - Payload Regular Expression - DNSDocument6 pagesNetscout University - Lab - Payload Regular Expression - DNSElaouni AbdessamadNo ratings yet
- Netscout University - Lab - DoS Host Alerts p2Document6 pagesNetscout University - Lab - DoS Host Alerts p2Elaouni AbdessamadNo ratings yet
- Netscout University - Lab - Router Profiled Automatic Threshold ConfigurationDocument6 pagesNetscout University - Lab - Router Profiled Automatic Threshold ConfigurationElaouni AbdessamadNo ratings yet
- Netscout University - Lab - Understand The Structure of The Mitigation PageDocument5 pagesNetscout University - Lab - Understand The Structure of The Mitigation PageElaouni AbdessamadNo ratings yet
- Netscout University - Lab - Blackhole Mitigation Flow Spec TMS - DNSDocument5 pagesNetscout University - Lab - Blackhole Mitigation Flow Spec TMS - DNSElaouni AbdessamadNo ratings yet
- Netscout University - Lab - How To Access The Sightline Graphical InterfaceDocument4 pagesNetscout University - Lab - How To Access The Sightline Graphical InterfaceElaouni AbdessamadNo ratings yet
- PocketGuide Jun23Document40 pagesPocketGuide Jun23Elaouni AbdessamadNo ratings yet
- K13297 Overview of VLAN FailsafeDocument4 pagesK13297 Overview of VLAN FailsafeElaouni AbdessamadNo ratings yet
- How To Enforce HTTP Strict Transport Security (HSTS) On A Virtual ServerDocument3 pagesHow To Enforce HTTP Strict Transport Security (HSTS) On A Virtual ServerElaouni AbdessamadNo ratings yet
- Ultra Reliable Communication in B5G Mmwave Networks Risk Beam Alignment GameDocument2 pagesUltra Reliable Communication in B5G Mmwave Networks Risk Beam Alignment GameElaouni AbdessamadNo ratings yet
- Managing BIG-IP ASM Live Updates (14.1.x and Later)Document9 pagesManaging BIG-IP ASM Live Updates (14.1.x and Later)Elaouni AbdessamadNo ratings yet
- Configuring BIGIP GTM V11global Traffic ManagerDocument2 pagesConfiguring BIGIP GTM V11global Traffic ManagerElaouni AbdessamadNo ratings yet
- Overview of The BIG-IP ASM CSRF Protection FeatureDocument5 pagesOverview of The BIG-IP ASM CSRF Protection FeatureElaouni AbdessamadNo ratings yet
- Configuring BIG IP LTM V11local Traffic ManagerDocument2 pagesConfiguring BIG IP LTM V11local Traffic ManagerElaouni AbdessamadNo ratings yet
- Formation Arbor SP TmsDocument13 pagesFormation Arbor SP TmsElaouni AbdessamadNo ratings yet
