Archived Manual Chapter: Introducing BIG-IP Secure Access Manager
This article has been archived, and is no longer maintained.

The BIG-IP® system is a port-based, multilayer switch that supports virtual local area network (VLAN) technology. Because hosts within a VLAN can communicate at the data-link layer (Layer 2), a BIG-IP system reduces the need for routers and IP routing on the network. This in turn reduces equipment costs and boosts overall network performance. At the same time, the BIG-IP system's multilayer capabilities enable the system to process traffic at other OSI layers. The BIG-IP system can perform IP routing at Layer 3, as well as manage TCP, UDP, and other application traffic at Layers 4 through 7. The following modules provide comprehensive traffic management and security for many traffic types. The modules are fully integrated to provide efficient solutions to meet any network, traffic management, and security needs.
BIG-IP® Local Traffic Manager includes features that help make the most of network resources. Using the powerful Configuration utility, you can customize the way that the BIG-IP system processes specific types of protocol and application traffic. By using features such as virtual servers, pools, and profiles, you ensure that traffic passing through the BIG-IP system is processed quickly and efficiently, while meeting all of your security needs. For more information, see the Configuration Guide for BIG-IP® Local Traffic Management.
The F5 Networks® BIG-IP® Secure Access Manager is a software component of the BIG-IP hardware platform that provides remote users with secure access to corporate networks, using most standard web browsers. The Secure Access Manager is easy to set up with proper planning, and installation requires no modification to existing corporate applications. No configuration or setup is required at the user's remote location. If the user's web browser can connect to web sites on the Internet, then that browser can connect to the Secure Access Manager.
The Secure Access Manager provides a web-based alternative to traditional remote-access technologies such as modem pools, RAS servers, and IPsec-layer virtual private networks (VPNs). By leveraging the browser as a standard thin client, the Secure Access Manager enables your corporation or organization to extend secure remote access easily and cost-effectively to anyone connected to the Internet, with no special software or configuration on the remote device. You do not need to make any additions or changes to the back-end resources being accessed. This approach eliminates the IPsec VPN support burden, and adds application functionality well beyond mere connectivity.
The Secure Access Manager enables full access to corporate networks, providing a user experience similar to an IPsec VPN connection.
Standard Web browser support
Secure Access Managers can be used with most standard browsers supporting secure HTTP (also known as HTTPS). These include Internet Explorer®, Mozilla®, Safari, and Firefox®.
WAN security
The Secure Access Manager supports common encryption technologies, including RC4, Triple DES, and AES. It uses standard SSL encryption from the client browser to the Secure Access Manager.
Authentication
The Secure Access Manager can perform authentication using your own authentication method, including LDAP directories, Microsoft® Active Directory® and Microsoft Windows® Domain servers, and RADIUS servers. The Secure Access Manager supports two-factor (token-based) authentication with RSA SecurID over RADIUS. In addition, the controller uses signed digital certificates to authenticate devices.
Endpoint security
The Secure Access Manager provides a broad set of endpoint security features such as client integrity checking, browser cache cleaner, and support for 100+ versions of antivirus and firewall software.
Visual policy editor
To facilitate access policy definition, the Secure Access Manager provides a built-in policy editor that is graphically based, which eases management and supports a visual audit of security access policies.
Administration
The Secure Access Manager provides a web-based Configuration utility. The Configuration utility includes tools for managing the Secure Access Manager, configuring secure access, creating and assigning resources, certificate generation and installation, and customization of the remote client user interface.
Network access
The Secure Access Manager includes the network access feature, which gives remote clients full network access comparable to that offered by a traditional IPsec VPN connection.
Audit trail
The Secure Access Manager provides audit tools including full-session audit trails, drill-down session queries, and customizable reports and queries.
High availability
You can configure Secure Access Managers to fail over to standby controllers, ensuring availability for users.
Scalability
The Secure Access Manager integrates with the BIG-IP system to support large-scale, high-performance clustering, which offers universal, secure access for remote, wireless, and internal network users.
Integration with BIG-IP system
Integration between the Secure Access Manager and BIG-IP system provides a uniform framework, an architecture that provides remote, WLAN, and LAN access control as a unified solution, rather than having to manage access control and security policies in different places.
Macintosh and Linux support
The Secure Access Manager includes network access support for Macintosh® and Linux® remote clients.
Standalone VPN client and APIs
Secure Access Manager includes a standalone VPN client and APIs for building Secure Access Manager remote access services into applications.
The Secure Access Manager is available on the BIG-IP 4300 platform only. The 4300 platform (Figure 1.1) is a 2U rack-mounted controller designed for large enterprises, supporting up to 25,000 concurrent users.
When you work with F5 Networks Technical Support, you might need to have the version number of the Secure Access Manager software that is running on your platform. You can find the software version number in the Configuration utility. Expand System in the navigation bar, then click General Properties. The screen presents the host name and software version number. The following is an example of the version numbers.
Host Name     ssl.example.com
Version            BIG-IP_SAM 8.0.0 Build 1533.0
The Secure Access Manager offers remote connection support for Windows®, Macintosh®, and Linux® clients. The controller supports IP applications on all three platforms, and includes an open API that third-party application vendors can use to build secure remote access solutions into their client applications.
Unlike IPsec VPNs, the web-based remote access of the Secure Access Manager works over all ISP connections, and from behind other firewalls. ISPs cannot detect and block Secure Access Manager conversations as they might with detected IPsec traffic. Failover options provide high availability.
Endpoint security
The Secure Access Manager provides a broad set of endpoint security features such as client integrity checking, browser cache cleaner, and support for 100+ versions of antivirus and firewall software.
Encryption
You can get several levels of encryption, depending on the capability of the client browser and the configuration of Secure Access Manager security settings. The controller supports high encryption standards such as Triple DES and AES, as well as FIPS and hardware encryption accelerator options.
Authentication
The Secure Access Manager supports two authentication methods.
Access Control
You can use the Secure Access Manager to grant users access to specific applications on an individual level or on a group level, enabling role-based access. With the Secure Access Manager's access controls, you can restrict individuals and groups to particular internal resources. For example, partners can have access restricted to an extranet server, while sales staff are allowed to connect to email, the company intranet, and the internal customer-tracking system. The Secure Access Manager access control lists also allow you to configure administrators' access by restricting access to different features.
Full network access provides a connection that is always available, assuming the client machine supports it. Full network access virtually puts the client machine inside the company network, so that clients perform operations exactly as if they sat at their corporate computers.
Typically, an administrator uses full network access as the deployment method for client computers that are from a well-known or trusted source, such as company-provided laptops.
You can install and configure the Secure Access Manager quickly. An intuitive, browser-based client interface means you do not have to train remote access users.
Whether you maintain users externally or internally, you can specify several levels of security. Specifying security requirements ensures that unauthorized users do not have access while authorized users do. For example, you can:
Require that the clients logging on have a specific certificate. If the certificate you define is not present, you can prevent logon or provide access to a restricted set of resources. For more information about certificates, see Chapter 9, Using Client Certificate Authentication.
Gather information about the client environment and grant or restrict access based on the antivirus software type and update time, the presence of a firewall, the operating system and browser version, and other factors. For more information about access policy inspection of client systems, see Understanding endpoint checks.
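The two policy decisions just described (a required client certificate, then endpoint checks on antivirus freshness, firewall state and browser version, feeding the per-group resource restrictions from the Access Control section) can be modelled as a small decision tree. The following is an added illustration, not F5 code and not the visual policy editor's own policy format; the Endpoint structure, the resource sets, the seven-day antivirus threshold and the minimum browser version are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set, Tuple

@dataclass
class Endpoint:
    """Constructed stand-in for what an access policy learns about a client."""
    user: str
    group: str                          # e.g. "partners" or "sales"
    has_client_cert: bool               # the certificate the policy requires
    antivirus: Optional[str]            # product name, or None if none found
    av_last_update: Optional[datetime]  # last signature update
    firewall_on: bool
    os_name: str
    browser_version: int

# Per-group resources, mirroring the partners/sales example in the text
GROUP_RESOURCES = {
    "partners": {"extranet"},
    "sales": {"email", "intranet", "customer-tracking"},
}
RESTRICTED_RESOURCES = {"webmail"}   # hypothetical fallback set
AV_MAX_AGE = timedelta(days=7)       # hypothetical freshness threshold
MIN_BROWSER_VERSION = 7              # hypothetical minimum

def endpoint_check(ep: Endpoint, now: datetime) -> Tuple[bool, str]:
    """Inspect the client environment; return (passed, reason)."""
    if ep.antivirus is None or ep.av_last_update is None:
        return False, "no antivirus"
    if now - ep.av_last_update > AV_MAX_AGE:
        return False, "antivirus definitions stale"
    if not ep.firewall_on:
        return False, "firewall off"
    if ep.browser_version < MIN_BROWSER_VERSION:
        return False, "browser too old"
    return True, "ok"

def evaluate(ep: Endpoint, now: datetime) -> Tuple[str, Set[str], str]:
    """Walk the branches: certificate, group, then endpoint checks."""
    if not ep.has_client_cert:
        return "deny", set(), "client certificate missing"
    if ep.group not in GROUP_RESOURCES:
        return "deny", set(), "unknown group"
    passed, reason = endpoint_check(ep, now)
    if not passed:
        # Failed checks fall back to the restricted resource set
        return "restricted", set(RESTRICTED_RESOURCES), reason
    return "full", set(GROUP_RESOURCES[ep.group]), reason

def demo() -> dict:
    """Evaluate constructed sample clients; returns {user: result}."""
    now = datetime(2024, 1, 15, 12, 0)
    fresh, stale = now - timedelta(days=1), now - timedelta(days=30)
    samples = [
        Endpoint("alice", "sales", True, "ExampleAV", fresh, True, "Windows", 8),
        Endpoint("bob", "sales", True, "ExampleAV", stale, True, "Windows", 8),
        Endpoint("carol", "partners", False, "ExampleAV", fresh, True, "Linux", 8),
        Endpoint("dave", "partners", True, None, None, True, "Mac", 8),
    ]
    return {ep.user: evaluate(ep, now) for ep in samples}
```

Calling demo() shows the three outcomes side by side: a healthy sales client gets its full resource set, a client with stale antivirus definitions or none at all is held to the restricted set, and a client without the required certificate is denied before any endpoint check runs.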
The Configuration utility is the browser-based graphical user interface for the BIG-IP system. In the Configuration utility, the Main tab provides access to the secure connectivity configuration objects, as well as the network, system, and local traffic configuration objects. The Help tab contains context-sensitive online help for each screen.
Figure 1.2 shows the Welcome screen of the Configuration utility.
The identification and messages area
The identification and messages area of the Configuration utility is the screen region that is above the navigation pane, the menu bar, and the body. In this area, you find the system identification, including the host name, and management IP address. This area is also where certain system messages display, for example Activate Access Policy, which appears when you need to activate an access policy.
The navigation pane
The navigation pane, on the left side of the screen, contains the Main tab, the Help tab, and the Search tab. The Main tab provides links to the major configuration objects. The Help tab provides context-sensitive help for each screen in the Configuration utility. The Search tab provides a quick way to locate configuration objects.
The menu bar
The menu bar, which is below the identification and messages area, and above the body, provides links to the additional configuration objects within each major object.
The body
The body is the screen area where the configuration settings display.
In the Access Control and Secure Connectivity sections of the navigation pane, when you click an item, the Configuration utility opens a screen that contains only secure access configuration items. We refer to the navigation pane of the BIG-IP Configuration utility as simply the navigation pane.
The Secure Access Manager is a multi-featured appliance whose interface allows configuration from any location. When you initially set up secure access connections for users, you can take more than one approach. You can follow the guidelines in The recommended path, following, to set up the Secure Access Manager, or you can choose your own path from the options described in Possible configuration scenarios.
If you are new to the Secure Access Manager, you can follow the path outlined in this section. This recommended path is designed to guide you through the most common operations, and includes references to other sections with related functionality.
Identify the authentication mechanism.
The Secure Access Manager supports external authentication. You can select from a number of authentication methods, depending on the security setup you employ. These include Active Directory, RADIUS, LDAP, and certificate-based security.
Create an access profile and access policy that you can associate with your virtual server, to give your clients secure access.
For more information, see Chapter 5, Creating Access Profiles and Access Policies.
Test user connectivity.
This is a good place to stop and test to make sure that users can connect to the Secure Access Manager. To do so, open a new browser window and log on using a logon account that you know exists.
Configure network access resource groups with the applications and functionality you want to provide.
For more information, you can review the content in Chapter 3, Configuring Network Access.
Create advanced access policies, for more complex secure access scenarios.
For more information, you can review the content in Chapter 10, Advanced Topics in Access Policies.
Read sample how-to scenarios.
For more information, see Appendix B, Access Policy Example.
To authenticate users from an authentication server
If you have an authentication mechanism in place and you want to use it to verify user identity, you can read more in Chapter 8, Configuring Authentication Using AAA Servers.
To gather information from client systems
If you want to specify requirements for client systems to determine authentication (whether to grant user access) and authorization (which resources to grant access to), you can read more in Chapter 7, Configuring Endpoint Checks.
To configure the resources, applications, and functionality you want to provide
If you prefer to start with the resources, applications, and functionality that you want to provide to your users, you can read more in Chapter 2, Configuring Resources, and Chapter 3, Configuring Network Access.
To learn about logging with the Secure Access Manager
If you want to get a head start on understanding the ongoing operations and logging functionality provided with the Secure Access Manager, review content in Chapter 11, Logging and Reporting.
To set up certificates on the server
If you are ready to set up and install server certificates for the Secure Access Manager, read more in Chapter 9, Using Client Certificate Authentication.
To see access policy examples
If you want exposure to sample policies with step-by-step examples, see Appendix B, Access Policy Example, and Chapter 10, Advanced Topics in Access Policies.
This guide provides overview information about the Secure Access Manager, and step-by-step instructions for key features.
This guide is available as a PDF file and as an HTML file in the AskF5SM Knowledge Base, on the F5 Networks Technical Support web site, https://support.f5.com.
This guide is intended for system and network administrators who configure and maintain IT equipment and software. This guide assumes that administrators have experience working with network configurations.
To help you easily identify and understand certain types of information, this documentation uses the following stylistic conventions.
All examples in this documentation use only private class IP addresses. When you set up the solutions we describe, you must use valid IP addresses suitable to your own network in place of our sample addresses.
When we first define a new term, the term is shown in bold italic text. For example, HTTPS is HyperText Transport Protocol (Secure), or secure HTTP.
We apply bold text to a variety of items to help you easily pick them out of a block of text. These items include web addresses, IP addresses, utility names, and portions of commands such as variables and keywords. For example, the ping command requires that you include at least one <ip_address> or <fully qualified domain name> variable.
We use italic text to indicate a reference to another document or section of a document. We use bold, italic text to denote a reference to a book title.
For example, you can find information about various Secure Access Manager models in the BIG-IP® Secure Access Manager Getting Started Guide, Chapter 1, Getting Started with Secure Access Manager.
We show actual, complete commands in bold Courier text. Note that we do not include the corresponding screen prompt, unless the command is shown in a figure that depicts an entire command line screen. For example, to log on to the Maintenance Console, type the user name:
Table 1.1 explains additional special conventions used in command line syntax.
A Tip suggests ways to make administration easier or faster. For example:
A Note provides supplemental, helpful information. For example:
Note: If you want users to be able to see customized messages for different languages, you can configure this with access policy customization.
An Important note contains important information. For example:
A Warning describes actions that can cause data loss or problems. For example:
Warning: If you are using an Active Directory authentication server, the clocks of your Active Directory server and the Secure Access Manager must be synchronized to within five minutes; otherwise, authentication fails.
The BIG-IP® Secure Access Manager Getting Started Guide describes how to initially set up, configure, and license the Secure Access Manager. Before you set up the Secure Access Manager for the first time, we recommend that you read this guide in its entirety to become familiar with the product features.
The BIG-IP® Platform Guide: 4300 describes the 4300 platform hardware.
Release notes
Release notes containing the latest information for the current version of the Secure Access Manager are available from the Secure Access Manager in HTML format on the F5 Networks Technical Support web site, https://support.f5.com. This site includes release notes for the current and all previous versions of the Secure Access Manager.
Online help for Secure Access Manager features
You can find help online for all screens in the Configuration utility. To open the context-sensitive help in the Configuration utility, click the Help tab in the left navigation pane. To get help on a screen in the visual policy editor, click the question mark icon.
F5 Networks Technical Support web site
The F5® Networks Technical Support web site, https://support.f5.com, provides the latest technical notes, answers to frequently asked questions, release notes and release note updates, and the AskF5SM Knowledge Base. You can also find all the guides in PDF format.