Applies To:

Show Versions Show Versions

Manual Chapter: Introducing the FirePass Controller
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

The F5 Networks FirePass® controller is a network appliance that provides remote users with secure access to corporate networks, using most standard Web browsers. The FirePass controller is easy to set up with proper planning, and installation requires no modification to existing corporate applications. No configuration or set up is required at the users remote location. If the users Web browser can connect to Web sites on the Internet, then that browser can connect to the FirePass controller.
The FirePass controller provides a web-based alternative to traditional remote-access technologies such as modem pools, RAS servers, and IPsec-layer Virtual Private Networks (VPNs). By leveraging the browser as a standard thin client, the FirePass controller enables your corporation or organization to extend secure remote access easily and cost-effectively to anyone connected to the Internet with no special software or configuration on the remote device. You do not need to make any additions or changes to the back-end resources being accessed. This approach eliminates the IPsec VPN support burden, and adds application functionality well beyond mere connectivity.
The FirePass controller enables full access to network resources, and provides broad application support, including:
Standard Web browser support
FirePass controllers can be used with most standard browsers supporting secure HTTP (also known as HTTPS). These include Internet Explorer®, Netscape Navigator®, Mozilla®, Safari, and Firefox®.
WAN security
The FirePass controller supports common encryption technologies, including RC4, Triple DES, and AES. It uses standard SSL encryption from the client browser to the FirePass controller.
The FirePass controller can perform authentication using your own authentication method, including LDAP directories, Active Directory and Microsoft® Windows® Domain servers, RADIUS servers, to support two-factor (token-based) authentication, support for RSA SecurID, and integration with single sign-on (SSO) systems such as Oracle® COREid®, eTrust SiteMinder®, and others. The FirePass controller can also perform basic authentication using its internal data base. In addition, the controller uses signed digital certificates to authenticate devices.
Broad application support
The FirePass controller provides access to virtually all corporate and desktop applications, including email applications such as Outlook Web Access (OWA) and iNotes, file and intranet server access, client-server application access, legacy host application access (mainframe, AS/400, and Telnet), and Terminal Services/Citrix® application access.
Mobile device access
The FirePass controller provides email, file, and intranet server access from mini-browsers on mobile devices, including Internet-enabled (WAP and iMode) telephones, and PDAs.
Endpoint security
The FirePass controller provides a broad set of endpoint security features such as a protected workspace, client integrity checking, browser cache cleaner, secure virtual keyboard, and support for 100+ versions of antivirus and firewall software.
Visual policy editor
To facilitate policy definition, the FirePass controller provides a built-in policy editor that is graphically based, which eases management and supports a visual audit of endpoint security policies.
The FirePass controller provides a web-based Administrative Console. The console includes tools for installing and managing the FirePass controller, managing user and group enrollment, configuring clustering and failover, certificate generation and installation, and customization of the remote client pages.
Audit trail
The FirePass controller provides audit tools including full-session audit trails, drill-down session queries, and customizable reports and queries.
Client/Server application support
The FirePass controller provides application-specific tunnels for client-server applications like Microsoft® Outlook®, ERP package applications, and custom TCP/IP applications. The FirePass controller also includes Network Access which gives remote clients full network access comparable to that offered by a traditional IPsec VPN connection.
High availability
You can configure FirePass controllers to fail over to standby controllers, ensuring availability for users.
FirePass controller cluster nodes support up to 20,000 users with built-in load balancing support (4100 and 4300 controllers only). In addition, the FirePass controller integrates with BIG-IP system to support large-scale, high-performance clustering, which offers universal, secure access for remote, wireless, and internal network users.
Integration with BIG-IP system
Integration between the FirePass controller and BIG-IP system provides a uniform framework; an architecture that provides remote, WLAN, and LAN access control as a unified solution, rather than requiring you to manage access control and security policies in three different places. For information about the BIG-IP system, see the F5 Networks web site at
MacOS and Linux support
The FirePass controller includes Network Access support for MacOS and Linux remote clients.
Standalone VPN client and APIs
FirePass controller includes a standalone VPN client and APIs for building FirePass controller remote access services into applications.
FirePass 1000
The FirePass 1000 (Figure 1.1) is a 1U rack-mounted controller designed for small to medium enterprises, supporting up to 100 concurrent users.
FirePass 1200
The FirePass 1200 (Figure 1.2) is a 1U rack-mounted controller designed for small to medium enterprises, supporting up to 100 concurrent users.
FirePass 4100 and 4300
The FirePass 4100 and 4300 (Figure 1.3) are 2U rack-mounted controllers designed for large enterprises, supporting up to 2000 concurrent users, with clustering expanding support to 20,000.
The FirePass 4100 and 4300 controllers also support clustering, which provides increased numbers of connections and load balancing. For more information, see Chapter 12, Using FirePass Controllers in Clusters.
Figure 1.1 The FirePass 1000
Figure 1.2 The FirePass 1200
When you work with F5 Networks technical support, you might need to have the version number of the software running on your FirePass controller. You can find the software version number on the Welcome screen, available from the navigation pane by clicking Device Management and then clicking Welcome. The screen presents the version numbers below the introductory graphic. Following is an example of the version numbers.
Version - FirePass 6.0.3
Tue, 22 Jul 2008 23:58 PST
The FirePass controller offers remote connection support for Windows®, Macintosh®, and Linux® clients. The controller supports IP applications on all three platforms, and includes an open API that third-party application vendors can use to build secure remote access solutions into their client applications.
Unlike IPsec VPNs, the web-based remote access of the FirePass controller works over all ISP connections, and from behind other firewalls. ISPs cannot detect and block FirePass controller conversations as they might with detected IPsec traffic. Failover and clustering options provide high availability and high capacity. You can cluster FirePass controllers to support up to 20,000 concurrent connections on a single logical URL without performance degradation.
Endpoint security
The FirePass controller provides a broad set of endpoint security features such as a protected workspace, client integrity checking, browser cache cleaner, secure virtual keyboard, and support for 100+ versions of antivirus and firewall software. Configurable remediation helps end-users that fail compliance checks to automatically download the needed client software to meet endpoint security requirements, for example, the latest antivirus signature files, operating system updates, and others. The FirePass controller can display a custom message containing a download link, so end-users can perform their own remediation, meet compliance requirements, and get access without requiring having to call the IT help desk.
You can get several levels of encryption, depending on the capability of the client browser and the configuration of FirePass controller security settings. The controller supports high encryption standards such as Triple DES and AES, as well as FIPS and hardware encryption accelerator options.
The FirePass controller supports a number of authentication methods.
As an administrator, you can choose to require different authentication methods for different groups. Because the FirePass controller supports RSA SecurID® token-based authentication, you can configure two-factor authentication.
Access Control
You can use the FirePass controller to grant users access to specific applications on an individual level or on a group level, enabling role-based access. With FirePass controllers access controls, you can restrict individuals and groups to particular internal resources. For example, partners can have access restricted to an extranet server, while sales staff are allowed to connect to email, the company intranet, and the internal customer-tracking system. The FirePass controller administrative realms allow you to configure administrators access by restricting access to different features.
Application security
The FirePass controller provides web application protection that guards against targeted web application attacks such as SQL injection, cross site scripting (CSS), and cookie manipulation. Built-in antivirus protection scans email attachments and files uploaded to the FirePass controller.
Full network access
Full network access provides a connection that is always available, assuming the client machine supports it. Full network access virtually puts the client machine inside the company network, so that clients perform operations exactly as if they sat at their corporate computers.
Typically, an administrator would choose full network access as the deployment method for client computers that are from a well-known or trusted source, such as company-provided laptops.
Application tunnel access
Application tunnel access (also called App Tunnels) provides access to TCP applications that support fixed ports or a range of ports. The client experience is similar to full network access, but it exposes only specific functionality available on the local machine.
Typically, an administrator would choose application tunnel access as the deployment method for client computers that are from a somewhat trusted source, such as employee-owned equipment.
Specialized application access
Specialized application access provides browser-based interaction with a set of commonly used functions:
Typically, an administrator would choose specialized application access as the deployment method for client computers that are from a public or untrusted source, such as computers that are publicly accessible (for example, systems in public libraries, at internet cafes, and from other public portals).
Web application access
Web application access enables interaction to proprietary and custom applications using the reverse-proxy technology. Essentially, you can use web application access to create a specialized application, similar to the ones listed in the Specialized application access list. Because there is no overarching protocol for web applications, the degree of support available for any given application varies based on its content and method of implementation.
For example, applications that use HTML over HTTP integrate relatively seamlessly. However, if your application contains a lot of customized script or applets, you may have to work with your interim application to support web application access.
You can install and configure the FirePass controller quickly. An intuitive, browser-based client interface means you do not have to train remote access users. You can upgrade the FirePass controller remotely, over the Internet, using browser-based administration. Automatic notifications about release updates prompt you to download new versions when they become available. You can also add FirePass controller features and capacity over the Internet.
Whether you maintain users externally or internally, you can specify several levels of security, as determined by the governing master group and the resources you want the users to access. Specifying security requirements ensures that unauthorized users do not have access while authorized users do. For example, you can:
Require that the clients logging on have a specific certificate. If the certificate you define is not present, you can prevent or provide access to a restricted set of resources. For more information about certificates, see Setting up client-certificate-based authentication.
Gather information about the client environment and grant or restrict access based on the antivirus software type and update time, the presence of a firewall, the operating system and browser version, and other factors. For more information about pre-logon inspection of client systems, see Implementing client system checking.
Define protected configurations, a set of safety checks to protect resources. Protected configurations focus on a specific aspect of protection, such as unauthorized access, information leaks, virus attacks, and keystroke loggers. For each criterion, the FirePass controller provides specific safety measures. For example, to prevent information leaks, you might specify that the user run inside the protected workspace or download the cache cleaner to remove cached files when the user logs off. For more information about protected configurations, see Creating protected configurations. At the resource level, you can apply a definition in one of the following ways:
To the entire feature
Users must meet certain requirements to use the functionality.
To one or more resources
Users must meet certain requirements to access a specific resource.
To the master group
Users must belong to a specific master group to get access to certain resources.
To applications and files
Users must meet certain requirements to have access to specific applications or files.
The FirePass controller is a multi-featured appliance that you can configure from any location. You can follow guidelines in The recommended path, following, to set up your FirePass controller, or you can elect to travel your own path, choosing from the options described in Possible configuration scenarios.
If you are new to the FirePass controller, you can follow the path outlined in this section. This recommended path is designed to guide you through the most common operations, and includes descriptions to help you complete the task, as well as links to other sections with related functionality.
The FirePass controller supports two types of authentication: external and internal. For each type, you can select from a number of authentication methods, depending on your security setup. These include Active Directory, RADIUS, LDAP, and others.
Test user connectivity.
This is a good place to stop and test to make sure that users can connect to the FirePass controller. To do so, open a new browser window and log on using a logon account that you know exists.
Configure resource groups with the applications and functionality you want to provide.
For more information, you can review content in several sections:
Test connectivity and access.
For more information, see various sections in Chapter 8, Managing and Monitoring the FirePass Controller.
There are several ways you can begin the configuration process. You can start with existing groups, even if you want to manage user authentication internally.
To authenticate users from an external server
If you already have an authentication mechanism in place and you want to use it for verifying user identity, you can read more at Managing user information in an external data store.
To authenticate users from a database on the FirePass controller
If you want to use the FirePass controller database to authenticate users, you can read more at Managing users in the FirePass controller data store.
To gather information from client systems
If you want to specify requirements for client systems to determine authentication (whether to grant user access) and authorization (which resources to grant access to), you can read more at Implementing client system checking.
To configure the resources, applications, and functionality you want to provide
If you prefer to start with the resources, applications, and functionality that you want to provide to your users, you can read more at the access-type specific sections:
To configure the internal networking parameters
If you want to prepare the FirePass controller for all of the network interaction and availability required, such as specifying IP addresses for web services and setting up failover and clustering members, you can read more at Maintaining the network configuration settings, Introducing failover configuration, and Configuring FirePass controller clusters.
To learn about monitoring and maintaining the FirePass controller
If you want to get a head start on understanding the ongoing operations and logging functionality provided with the FirePass controller, review content in Monitoring the FirePass controller, and Backing up and restoring the FirePass controller.
To set up certificates on the server
If you are ready to set up and install server certificates for the FirePass controller, read more in Chapter 4, Using Server Certificates.
To see how-to information on various subjects
If you want exposure to sample configurations that use step-by-step examples, see Appendix A, How-To Examples.
This guide provides overview information about the FirePass controller, and step-by-step instructions for key features.
This guide is available as an Adobe Acrobat file (.pdf) and as an HTML file on the F5 Networks Technical Support Web site,
This guide is intended for system and network administrators who configure and maintain IT equipment and software. This guide assumes that administrators have experience working with network configurations.
To help you easily identify and understand certain types of information, this documentation uses the following stylistic conventions.
All examples in this documentation use only private class IP addresses. When you set up the solutions we describe, you must use valid IP addresses suitable to your own network in place of our sample addresses.
When we first define a new term, the term is shown in bold italic text. For example, HTTPS is HyperText Transport Protocol (Secure), or secure HTTP.
We apply bold text to a variety of items to help you easily pick them out of a block of text. These items include web addresses, IP addresses, utility names, and portions of commands such as variables and keywords. For example, the ping command requires that you include at least one <ip_address> or <fully qualified domain name> variable.
We use italic text to denote a reference to a specific section or another document. In references where we provide the name of a book as well as a specific chapter or section in the book, we show the book name in bold, italic text, and the chapter/section name in italic text to help quickly differentiate the two.
For example, you can find information about various FirePass controller models in the FirePass Controller Getting Started Guide, Chapter 1, Getting Started with the FirePass Controller.
We show actual, complete commands in bold Courier text. Note that we do not include the corresponding screen prompt, unless the command is shown in a figure that depicts an entire command line screen. For example, to log on to the Maintenance Console, type the user name:
Table 1.1 explains additional special conventions used in command line syntax.
A Tip suggests ways to make administration easier or faster. For example:
A Note provides supplemental, helpful information. For example:
Note: If you want users to be able to define their own personal webtop favorites or preferences, then you must use internal user management.
An Important note contains important information. For example:
Important: If you are starting up a controller cluster, always start the primary controller first, and then the remaining secondary cluster controllers thereafter. Otherwise, the controllers will not start properly.
A Warning describes actions that can cause data loss or problems. For example:
Warning: If you are configuring failover in a production environment, the order in which the pair of controllers restart is very important, and can result in data loss if the two controllers do not restart in the correct order. For more information, see Introducing failover configuration.
Getting Started Guide
The FirePass® Controller Getting Started Guide is provided as a printed document in the box with the FirePass controller. The Getting Started Guide contains all of the information you need to set up and install a new FirePass controller. You can find a copy of the guide (in PDF and HTML formats) on the F5 Networks Technical Support Web site,
Release notes
Release notes containing the latest information for the current version of the FirePass controller are available from the Administrative Console. In the navigation pane, click Device Management, expand Maintenance, and then click Online Update. A link to Release notes for the current release is at the top of the screen. Release notes include a list of new features and enhancements, a list of fixes, and a list of known issues.
You can also find release notes for the FirePass controller in HTML format on the F5 Networks Technical Support web site, This site includes release notes for the current, and all previous versions of the FirePass controller.
Online help for FirePass features
You can find help online for virtually all screens on the Administrative Console. To open the context-sensitive online help, click the Help button in the upper right of the screen.
Technical support through the World Wide Web
The F5® Networks Technical Support web site,, provides the latest technical notes, answers to frequently asked questions, release notes and release note updates, and the AskF5SM database. You can also find Release notes there, and all the guides in PDF format. To navigate to the AskF5 site, click the Ask button in the upper right of any screen on the FirePass controller Administrative Console.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)