Archived Manual Chapter: Getting Started with BIG-IP Secure Access Manager

This article has been archived, and is no longer maintained.

F5 Networks® BIG-IP® Secure Access Manager provides remote users with secure access to corporate networks, using most standard web browsers. Secure Access Manager can be set up quickly, and installation requires no modification to existing corporate applications. No configuration or setup is required at the user's workstation. If the user's web browser can connect to web sites on the Internet, then that browser can make a connection with the Secure Access Manager.
The Secure Access Manager provides a web-based alternative to traditional remote-access technologies such as modem pools, RAS servers, and IPsec Virtual Private Networks (VPNs). Secure Access Manager also brings endpoint security, authentication, access control, and encryption to sensitive wireless and wired LAN environments. By leveraging the browser as a client, the Secure Access Manager enables your corporation or organization to extend secure remote access easily and cost-effectively to anyone connected to the Internet, with no special software or configuration on the remote device.
Standard Web Browser Support
Secure Access Manager can be used with most standard browsers that support secure HTTP (also known as HTTPS).
WAN Security
Secure Access Manager supports common encryption technologies, including RC4, Triple DES, and AES, using standard SSL encryption between the client browser and the Secure Access Manager system.
Authentication
For authentication, Secure Access Manager can be integrated with LDAP directories, Active Directory® and Microsoft® Windows® Domain servers, and RADIUS servers. In addition, client digital certificates may be used to authenticate users and devices.
Endpoint Checks
Secure Access Manager provides a broad set of endpoint check features such as client integrity checking, browser cache cleaner, and support for 100+ versions of antivirus and firewall software.
Visual Policy Editor
To facilitate fast, easy policy definitions, Secure Access Manager provides a built-in policy editor that is graphically based, which simplifies the management and auditing of access policies.
Network Access
Secure Access Manager includes Network Access, which gives clients full network access comparable to that offered by a traditional IPsec VPN connection.
High Capacity
Secure Access Manager supports up to 25,000 concurrent user connections, allowing universal, secure access for remote, wireless, and internal network users.
Mobile device support
Secure Access Manager includes Network Access support for Windows Mobile clients.
Macintosh and Linux support
Secure Access Manager includes Network Access support for Macintosh and Linux clients.
Standalone SSL VPN client and APIs
Secure Access Manager includes a standalone SSL VPN client and APIs for building SSL VPN services directly into applications.
BIG-IP system
Secure Access Manager is built on the BIG-IP system, which provides scalability, advanced networking and security functions, and a wide variety of management capabilities.
The BIG-IP® system is a port-based, multilayer switch that supports virtual local area network (VLAN) technology. Because hosts within a VLAN can communicate at the data-link layer (Layer 2), a BIG-IP system reduces the need for routers and IP routing on the network. This in turn reduces equipment costs and boosts overall network performance. At the same time, the BIG-IP system's multilayer capabilities enable the system to process traffic at other OSI layers. The BIG-IP system can perform IP routing at Layer 3, as well as manage TCP, UDP, and other application traffic at Layers 4 through 7.
The BIG-IP system is the foundation for products such as BIG-IP® Secure Access Manager, as well as BIG-IP® Local Traffic Manager, BIG-IP® Global Traffic Manager, BIG-IP® Link Controller, and BIG-IP® Application Security Manager. For more information, see the BIG-IP® Network and System Management Guide.
In a typical configuration, the BIG-IP system functions as a device on the network, directing different types of protocol and application traffic to an appropriate destination server. With BIG-IP Secure Access Manager, SSL VPN Network Access connections from client machines are terminated and forwarded to internal networks.
The most basic configuration of the BIG-IP system includes one or two virtual local area networks (VLANs) with one or more BIG-IP system interfaces (ports) assigned to each VLAN. With BIG-IP Secure Access Manager, you may configure one system interface (also known as a one-arm configuration), two system interfaces (also known as a two-arm configuration), or more system interfaces (ports), depending on the deployment you want.
A BIG-IP system has several interfaces for switching or routing traffic from various hosts or other devices on the network. Interfaces are the hardware ports that the BIG-IP system uses to send and receive traffic. When you create a virtual local area network (VLAN) on the BIG-IP system, you can assign multiple interfaces to that VLAN. You can also assign the same interface to multiple VLANs. For more information, see Working with Interfaces in the BIG-IP® Network and System Management Guide.
Spanning tree protocol (STP) and trunks are also supported on BIG-IP systems. For more information, see the BIG-IP® Network and System Management Guide.
A virtual local area network, or VLAN, is a logical collection of hosts on the network. Each VLAN has one or more BIG-IP system interfaces associated with it. VLANs have these primary advantages:
VLANs define boundaries for broadcast domains.
Traditionally, network administrators have deployed routers within the same IP network to define smaller broadcast boundaries. A better solution is to use VLANs. When a host in a VLAN sends a broadcast message to find the MAC address of a destination host, the message is sent to only those hosts in the VLAN. Using VLANs to control the boundaries of broadcast domains prevents messages from flooding the network, thus enhancing network performance.
VLANs simplify system and network maintenance.
Normally, the way to enable hosts to share network resources, such as storage devices and printers, has been to group hosts into the same physical location. Continually moving and re-cabling hosts to other locations on the network, as well as manually updating routing tables, can be a costly and time-consuming task for a system or network administrator. Using VLANs, you can avoid these problems. All hosts that you group within a VLAN can share network resources, regardless of their physical location on the network.
To enhance performance and flexibility, the BIG-IP system comes with two existing virtual local area networks (VLANs), one for your external network, and one for your internal network. Each of these VLANs has a BIG-IP system interface already assigned to it. You can use these two VLANs as is, you can assign additional interfaces to these VLANs, or you can create more VLANs. A key feature of the BIG-IP system is that a single interface can forward traffic for multiple VLANs. For more information, see Using VLANs.
If you plan to deploy BIG-IP Secure Access Manager in a one-arm configuration, with a single interface handling both SSL VPN external traffic and internal traffic, you can use the existing VLAN named external, configured on port 1.1 initially. If you plan to deploy BIG-IP Secure Access Manager in a two-arm configuration, you can use the existing VLAN named external, configured on port 1.1, for SSL VPN traffic from the outside, and the VLAN named internal, configured on port 1.2, for internal traffic. In either case, BIG-IP Secure Access Manager will typically be located behind an Internet firewall, with traffic forwarded to port 443 on the BIG-IP Secure Access Manager external VLAN and interface.
Each VLAN you create has its own self IP address. The BIG-IP system uses this address as the source IP address when sending requests to hosts in a VLAN, and hosts in a VLAN use this IP address as the destination IP address when sending responses to the BIG-IP system.
Note: With BIG-IP Secure Access Manager, self IP addresses are not used for the actual SSL VPN logon screen and Network Access connection. One or more virtual servers are configured to handle client SSL VPN services. The IP address that you assign to a virtual server is the address that is typically exposed to the Internet for SSL VPN services. A self IP address on the external VLAN may optionally be exposed to the Internet to support external HTTPS web access to the BIG-IP Configuration utility, for remote management. F5 Networks recommends that you do not configure the same IP address for a self IP address and a virtual server.
When you first ran the Setup utility, you assigned a self IP address to the internal VLAN, and another (optional) self IP address to the external VLAN (for two-arm configuration). As you create other VLANs, you assign self IP addresses to them, too. Also, units of a redundant system can share a self IP address, to ensure that the BIG-IP system can process server responses successfully when failover has occurred. For more information, see Using self IP addresses.
Another feature that should be familiar to network administrators for managing the BIG-IP system's Layer 3 functions is the routing table. Using the routes feature, you can explicitly add routes that you want the BIG-IP system to use when functioning as a Layer 3 device to forward packets around the network, or you can view the dynamic routes that the BIG-IP system automatically adds to its routing table. You can also dynamically assign VLAN gateways to users in the access policy.
The Address Resolution Protocol, or ARP feature gives you the ability to view or add entries to the ARP cache, which the BIG-IP system uses to match IP addresses to Media Access Control (MAC) addresses when using Layer 3 to send packets to destination hosts. For more information, see Configuring Address Resolution Protocol in the BIG-IP® Network and System Management Guide.
A powerful security feature that the BIG-IP system offers is packet filtering. Using packet filtering, you can control and restrict the types of traffic passing through the BIG-IP system. Besides defining the action that the BIG-IP system should take when receiving a packet (accept, discard, or reject), you can exempt certain types of traffic from packet filtering, based on protocol, IP address, MAC address, or VLAN. For more information, see Configuring Packet Filters in the BIG-IP® Network and System Management Guide.
The packet filtering function is generally used to protect the BIG-IP system itself, or for configuring static filters. BIG-IP Secure Access Manager includes advanced access control capabilities with ACLs (Access Control Lists) and ACEs (Access Control Entries) for managing traffic terminated from network access SSL VPN tunnels. For more information on Secure Access Manager access control lists and entries, see the chapter Configuring Network Access Resources in the BIG-IP® Secure Access Manager Administrator Guide.
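The evaluation order the two paragraphs above describe (exempt traffic bypasses filtering entirely; otherwise a matching filter decides accept, discard or reject; otherwise a default action applies) as an added, simplified model written for this page, not the BIG-IP system's own filter engine. The `Match` criteria, the `dst_port` field, the policy and the sample packets are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    vlan: str          # VLAN the packet arrived on, e.g. "external"
    protocol: str      # "tcp", "udp" or "icmp"
    src_ip: str
    src_mac: str
    dst_port: Optional[int] = None

@dataclass
class Match:
    """Criteria for an exemption or a filter rule. A field left as None is a
    wildcard; every field that is set must match the packet. dst_port is an
    assumed extra criterion so the SSL VPN rule below can name port 443."""
    protocol: Optional[str] = None
    src_net: Optional[str] = None   # CIDR, e.g. "203.0.113.0/24"
    src_mac: Optional[str] = None
    vlan: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.src_net is not None:
            net = ipaddress.ip_network(self.src_net, strict=False)
            if ipaddress.ip_address(pkt.src_ip) not in net:
                return False
        if self.src_mac is not None and pkt.src_mac.lower() != self.src_mac.lower():
            return False
        if self.vlan is not None and pkt.vlan != self.vlan:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True

@dataclass
class Rule:
    name: str
    action: str   # "accept", "discard" (drop silently) or "reject" (drop and notify sender)
    match: Match

def evaluate(pkt: Packet, exemptions: List[Match], rules: List[Rule],
             default_action: str = "discard") -> Tuple[str, str]:
    """Return (action, reason). Exempt traffic is never filtered; otherwise the
    first matching rule wins, and the default action covers the rest."""
    for ex in exemptions:
        if ex.matches(pkt):
            return ("accept", "exempt")
    for rule in rules:
        if rule.match.matches(pkt):
            return (rule.action, rule.name)
    return (default_action, "default")

# Constructed policy: the internal VLAN is exempt from filtering, a known bad
# source range is rejected, SSL VPN traffic to port 443 on the external VLAN
# is accepted, and everything else is silently discarded.
EXEMPTIONS = [Match(vlan="internal")]
RULES = [
    Rule("deny-bad-net", "reject", Match(src_net="203.0.113.0/24")),
    Rule("ssl-vpn", "accept", Match(protocol="tcp", vlan="external", dst_port=443)),
]

# Constructed sample packets using documentation address ranges.
SAMPLES = {
    "vpn-client": Packet("external", "tcp", "198.51.100.7", "00:00:5e:00:53:01", 443),
    "bad-source": Packet("external", "tcp", "203.0.113.9", "00:00:5e:00:53:02", 443),
    "stray-udp": Packet("external", "udp", "198.51.100.7", "00:00:5e:00:53:01", 53),
    "lan-host": Packet("internal", "udp", "10.0.0.5", "00:00:5e:00:53:03", 53),
}

def decide_all():
    """Evaluate every sample packet against the constructed policy."""
    return {name: evaluate(pkt, EXEMPTIONS, RULES) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, reason) in decide_all().items():
        print(f"{name:<12} {action:<8} ({reason})")
```

Note that rule order matters: swapping the two rules would accept port 443 traffic from the rejected range before the deny rule is reached.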
This section of the guide addresses some of the system management options that are common to all BIG-IP systems. These options include creating and maintaining administrative user accounts, configuring Simple Network Management Protocol (SNMP), and configuring and maintaining redundant systems.
You partially configure some of these options by running the Setup utility on the BIG-IP system. Once you have run the Setup utility, you can use the Configuration utility to complete the configuration of these options and to manage the BIG-IP system on an ongoing basis.
With the lights-out management feature, you can remotely manage certain aspects of the operation of the hardware unit and the BIG-IP traffic management operating system in the event that the traffic management software becomes incapacitated. For more information, see the BIG-IP® Network and System Management Guide.
You can create administrative partitions for local traffic management objects (such as virtual servers and pools), and then give BIG-IP system administrators access to individual partitions. This imposes a finer granularity of access control on BIG-IP system administrative users.
Administrative user accounts can reside either locally on the BIG-IP system, or remotely on a separate authentication server such as a Lightweight Directory Access Protocol (LDAP), Active Directory, or Remote Authentication Dial-in User Service (RADIUS) server. You can also manage the three special user accounts: root, admin, and support.
For each new user account that you create, you can assign a user role that defines the type and level of access granted to that user. The available user roles for Secure Access Manager are: Administrator, Application Editor, and Guest.
For more information, see the BIG-IP® Secure Access Manager Administrator Guide.
Simple Network Management Protocol (SNMP) is an industry-standard protocol that allows you to manage the BIG-IP system remotely, along with other devices on the network. The BIG-IP system provides the SNMP agent and the MIB files that you need to manage the system remotely using SNMP. For more information, see the BIG-IP® Network and System Management Guide.
To ensure high availability of the BIG-IP system, you can set up a redundant-system configuration. Then, if one BIG-IP system becomes unavailable, another BIG-IP system can immediately take over to process the traffic.
When you first run the Setup utility on a BIG-IP system, you specify whether the system is a unit of a redundant system. When you configure two BIG-IP systems to function as units of a redundant system, a process known as failover occurs when one of those units becomes unavailable for any reason. Failover ensures that the BIG-IP system can still process traffic when a unit is unavailable.
Redundant systems for BIG-IP Secure Access Manager are supported in active/standby mode. In active/standby mode, when a failover occurs, by default, the standby unit becomes active, and remains active, until failover occurs again. For more information, see the BIG-IP® Network and System Management Guide.
Using the Syslog utility, the BIG-IP system logs many different types of events, related to the operating system, packet filtering, local traffic management, and auditing. You can use the Configuration utility to display each type of event. For specific types of local traffic events, because each individual event is associated with a severity, you can set a minimum log level on an event type. Setting a minimum log level on an event type affects which messages the system displays, based on event severity. For example, use a minimum log level of Notice (the default level) for access control and secure connectivity components to log useful system information for these components. For more information, see the BIG-IP® Secure Access Manager Administrator Guide.
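How a minimum log level selects messages by severity, as an added example written for this page rather than BIG-IP code: standard syslog encodes facility and severity in the leading <PRI> value (facility*8 + severity, lower severity numbers being more severe), and a threshold of Notice keeps notice, warning, err and above while dropping info and debug. The log lines, host name and process names are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Standard syslog severities (RFC 5424); a lower number is more severe.
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# Constructed sample lines, not taken from a real BIG-IP system. The <PRI>
# prefix is facility*8 + severity, so <133> is local0 (16) at notice (5).
SAMPLE_LOG = """\
<134>Jan 10 12:00:01 sam-1 accessd[2311]: session started for user jdoe
<133>Jan 10 12:00:02 sam-1 accessd[2311]: access policy result: allow
<132>Jan 10 12:00:03 sam-1 accessd[2311]: endpoint check failed: antivirus
<135>Jan 10 12:00:04 sam-1 tunneld[1902]: trace: keepalive for session 7
<131>Jan 10 12:00:05 sam-1 tunneld[1902]: tunnel setup failed: no free address
this line has no priority and is skipped
"""

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")

@dataclass
class Event:
    facility: int
    severity: int
    text: str

def parse_event(line: str) -> Optional[Event]:
    """Split the syslog PRI value into facility and severity; return None for
    lines that carry no valid PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # 23 facilities * 8 + 7 is the largest valid value
        return None
    return Event(pri // 8, pri % 8, m.group(2))

def filter_events(log_text: str, min_level: str = "notice") -> List[Event]:
    """Keep events at least as severe as min_level, mirroring a minimum log
    level setting: Notice keeps notice, warning, err, ... and drops info and
    debug."""
    threshold = SEVERITIES[min_level]
    kept = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is not None and ev.severity <= threshold:
            kept.append(ev)
    return kept

def kept_severity_names(log_text: str, min_level: str) -> List[str]:
    """Severity names of the events that survive the threshold, in log order."""
    return [SEVERITY_NAMES[ev.severity] for ev in filter_events(log_text, min_level)]

if __name__ == "__main__":
    for level in ("notice", "err", "debug"):
        print(level, "->", kept_severity_names(SAMPLE_LOG, level))
```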
The BIG-IP system includes several different services. Some of these services, such as MCPD and TMM, must be running in order to process application traffic, while others are optional, such as postfix or radvd.
There is a core set of services that have heartbeats and that are associated with failover in a redundant system. When you configure a redundant system, you can specify the action that you want the BIG-IP system to take if it fails to detect a heartbeat. For example, you can configure the BIG-IP system to reboot if it fails to detect a heartbeat for the MCPD service. Finally, there are times when you might need to stop a service in order to perform a specific system-management task. For example, we recommend that you stop the TMM service when installing a new version of the BIG-IP system. For more information, see the BIG-IP® Secure Access Manager Administrator Guide.
Every BIG-IP system includes a set of essential configuration data that you create when you initially configure your system. To protect this data in the event of a system problem, you can create an archive, also known as a UCS file. An archive is a backup copy of your configuration data that you create and store on the BIG-IP system. If your original configuration data becomes corrupted for some reason, you can use the archive to restore the data. As an added layer of protection, you can download your archives to a remote system, in case the BIG-IP system itself becomes unavailable. When the system is up and running again, you can upload the data back onto the system. For more information, see Saving and Restoring Configuration Data in the BIG-IP® Network and System Management Guide.
The BIG-IP system offers a browser-based utility for managing the BIG-IP system, and, as an alternative, various command line utilities. Note that all procedures in this guide describe how to manage the system using the browser-based Configuration utility.
The Configuration utility is a browser-based application that you use to configure and monitor the BIG-IP system. Once you complete the instructions for the Setup utility, you can use the Configuration utility to perform additional configuration steps necessary for your system. In the Configuration utility, you can also monitor current system performance, and download administrative tools such as the SNMP MIBs or the SSH client. For a list of browser versions that the Configuration utility supports, see the release notes for this product on the AskF5SM web site, https://support.f5.com.
One of the tasks you can perform with the Configuration utility is setting administrative user preferences. Setting administrative user preferences customizes the way that the Configuration utility displays information for you. For example, when you display a list of objects such as the virtual servers that you have created, the utility normally displays ten objects, or records, per screen. However, you can change this value so that the utility displays more, or fewer, than ten records per screen.
Table 1.1, following, lists and describes the settings that you can configure to customize the display of the Configuration utility.
Specifies, for all list screens, the number of records that the system displays by default. The default setting is 10.
Specifies the screen that displays when you open a new browser session for this system. Possible values are: Welcome, Traffic Summary, Performance, Statistics, and Virtual Servers.
Specifies, when checked, that the system expands the configuration options from Basic to Advanced. The Basic setting displays the most common and more frequently-edited settings for a feature, while the Advanced setting displays all of the settings for a feature.
Note: This is a display feature only; when you select Basic, any options that remain hidden still apply to the configuration, with their default values.
Specifies, when checked, that the system displays host names, rather than IP addresses, if the IP address has a host name associated with it.
Specifies the format for the statistical data. Select Normalized if you want the system to display rounded values. Select Unformatted if you want the system to display the actual values to all places. Note that you can override the default format on the individual statistics screens.
Specifies the default rate at which the system refreshes statistical data. Possible values are: 10 seconds, 20 seconds, 30 seconds, 60 seconds, 3 minutes, and 5 minutes. Note that you can override the default refresh rate on the individual statistics screens.
Specifies whether the BIG-IP system encrypts all archives (.ucs files) that you create. Possible values are:
On Request -- Causes the encryption of archives to be optional.
On -- Causes the BIG-IP system to automatically encrypt all archives that you create. When you select this value, you must create a passphrase when you create an archive.
Off -- Prevents you from encrypting any archive that you create. When you select this value, the Encryption setting on the New Archive screen becomes unavailable.
BIG-IP® Secure Access Manager Administrator Guide
You can find extensive information on configuring the Secure Access Manager in the BIG-IP® Secure Access Manager Administrator Guide, available on the F5 Networks Technical Support web site, https://support.f5.com.
Online help for the Secure Access Manager
You can find help online for all screens in the Secure Access Manager. Click the Help tab in the center of the left side of the screen.
F5 Networks Technical Support web site
The F5 Networks Technical Support web site, https://support.f5.com, provides the latest documentation for the product, including:
The AskF5SM Knowledge Base.
Through our AskF5SM web site at https://support.f5.com, you can view examples of Secure Access Manager solutions. We recommend that you browse this site.
The F5 Solution Center contains proven interoperability and integration solutions that empower organizations to deliver predictable and secure applications in an unpredictable network environment. The F5 Solution Center offers detailed documentation that demonstrates how to increase the return on investment (ROI) of your application and network infrastructures through superior reliability, security, and performance. You can access this site at http://www.f5.com/solutions.
This section describes the Secure Access Manager documentation. It outlines the contents of this guide, and explains how we refer to examples, introduce new terms, use cross references, and detail the conventions we use in command syntax. It also explains where to find the release notes, and how to get online help, additional documentation, and technical support.
The BIG-IP® Secure Access Manager Getting Started Guide describes how to initially set up, configure, and license the Secure Access Manager. Before you set up the Secure Access Manager for the first time, we recommend that you read this guide in its entirety to become familiar with its features.
Important: We also recommend that you gather your network configuration settings before you configure the Secure Access Manager. You can use this information to assist you as you go through the initial configuration process.
Once you complete this initial configuration, you can use information in the BIG-IP® Secure Access Manager Administrator Guide to help you continue the configuration process. The BIG-IP® Secure Access Manager Administrator Guide is available as an Adobe Acrobat file (PDF) on the F5 Networks Technical Support web site, https://support.f5.com.
Getting Started with Secure Access Manager
This chapter briefly covers the Secure Access Manager features and an overview of BIG-IP system features, and contains information on where to find additional technical information.
Installing and Licensing Secure Access Manager
This chapter describes the tasks you need to complete to set up the Secure Access Manager, including unpacking the device, performing initial configuration, and using the Quick Setup wizard.
Working with Secure Access Manager
This chapter guides you through the post-setup configuration tasks, and describes how to verify your configuration and perform basic maintenance tasks, such as logging on and updating software.
This guide is intended for use by system and network administrators who install and configure IT equipment and software. This guide assumes that administrators have experience installing software and working with network configurations. You should be able to set up and manage a firewall and manage a Linux or Windows server.
To help you easily identify and understand certain types of information, this documentation uses the following stylistic conventions.
All examples in this document use only private class IP addresses. When you configure the settings we describe, you must use valid IP addresses suitable to your own network in place of our sample addresses.
When we first define a new term, the term is shown in bold italic text. For example, HTTPS is HyperText Transport Protocol (Secure), or secure HTTP.
We apply bold text to a variety of items to help you easily pick them out of a block of text. These items include web addresses, IP addresses, utility names, most controls in the Configuration utility, and portions of commands such as variables and keywords. For example, click the Browse button and navigate to the file that you want to restore.
We use italic text to denote a reference to a document title. In references where we provide the name of a book as well as to a specific chapter in a book, we show the book name in bold, italic and the chapter or section name in italic text to help quickly differentiate the two. For example, you can find information about additional configuration tasks in the chapter Logging and Reporting in the BIG-IP® Secure Access Manager Administrator Guide.
We show actual, complete commands in bold Courier text. For example, to log on to the Maintenance Console, type the user name:
Note that we do not include the corresponding screen prompt, unless the command is shown in a figure that depicts an entire command line screen.
Table 1.2 describes additional special conventions used in command line syntax.