Introducing the FirePass Controller
The FirePass controller remote access solution
The FirePass® controller is a network appliance that provides remote users with secure access to corporate networks, using most standard Web browsers. The FirePass controller can be installed in a few hours, and it requires no modifications to existing corporate applications. No configuration or setup is required at the user's remote location. If the user's Web browser can connect to Web sites on the Internet, then that browser can connect to the FirePass controller.
The FirePass controller provides a web-based alternative to traditional remote-access technologies such as modem pools, RAS servers, and IPSec-layer Virtual Private Networks (VPNs). By leveraging the browser as a standard thin client, the FirePass controller enables your corporation or organization to extend secure remote access easily and cost-effectively to anyone connected to the Internet with no special software or configuration on the remote device. You do not need to make any additions or changes to the back-end resources being accessed. This approach eliminates the IPSec VPN support burden, and adds application functionality well beyond mere connectivity.
The FirePass controller provides full access to network and desktop resources, including:
The FirePass controller models
The FirePass controller is available in three models, the FirePass 1000, the FirePass 4000, and the FirePass 4100. The FirePass 1000 is a 1U rack-mounted controller designed for small to medium enterprises. The FirePass 4000 and 4100 are 2U rack-mounted controllers designed for large enterprises.
All three models support failover configuration for high availability. For more information, see Chapter 8, Using FirePass Controllers for Failover.
The FirePass 4000 and 4100 controllers support clustering, which provides increased numbers of connections and load balancing. For more information, see Chapter 9, Using FirePass Controllers in Clusters.
An overview of the FirePass controller
The FirePass controller is a network appliance that provides remote users with secure access to corporate networks through most standard Web browsers. You can install the controller in a matter of hours, and you do not need to make any modifications to your corporate applications or your remote user's computers. (You may need to configure your firewall to allow specific network traffic through. For more information, see Overview of the firewall configuration process.)
The FirePass controller, version 5.0, offers Secure Sockets Layer (SSL) virtual private networking (VPN) for Windows®, Macintosh®, and Linux®. The controller supports IP applications on all three platforms, and includes an open API that third-party application vendors can use to build secure remote access solutions into their client applications.
The FirePass controller was built from the ground up to adhere to the highest standards of security best practices. These include:
- Encryption
You can get several levels of encryption, depending on the capability of the client browser and the configuration of optional security settings on the FirePass controller. The controller supports high encryption standards such as 3DES and AES, as well as FIPS and hardware encryption accelerator options.
- Authentication
The FirePass controller includes an internal user database for password authentication, and it can use existing RADIUS, LDAP, and Windows domain servers for authentication. As an administrator, you can choose to require different authentication methods for different groups. If you want to use two-factor authentication, the FirePass controller supports RSA SecurID® token-based authentication, and also offers an optional, built-in implementation of VASCO Digipass®.
- Access Control
You can use the FirePass controller to grant users access to specific applications on an individual level or on a group level. With FirePass controller's access controls, you can restrict individuals and groups to particular internal resources. For example, partners can have access restricted to an extranet server, while sales staff are allowed to connect to email, the company Intranet, and the CRM system.
Unlike IPSec VPNs, the Web-based remote access of the FirePass controller works over all ISP connections, and from behind other firewalls. ISPs cannot detect and block FirePass controller conversations as they might with detected IPSec traffic. Failover and clustering options provide high availability and high capacity. You can cluster FirePass controllers to support up to 10,000 concurrent connections on a single logical URL without performance degradation.
Ease of use, deployment, maintenance, and management
You can install and configure the FirePass controller in a few hours. An intuitive, browser-based client interface means you do not have to train remote access users. You can upgrade the FirePass controller over the Web, from the field. Automatic notifications about release updates prompt you to download new versions when they become available. You can also add FirePass features and capacity over the Web.
FirePass controller features
All FirePass controller models include the following features:
- Standard Web browser support
FirePass controllers can be used with most standard browsers supporting secure HTTP (also known as HTTPS). These include Internet Explorer®, Netscape Navigator®, Opera®, Mozilla®, Safari™, and Konqueror.
- WAN security
The FirePass controller supports common encryption technologies, including RC4, 3DES, and AES. It uses standard SSL encryption from the client browser to the FirePass controller.
The FirePass controller performs basic authentication using an internal database. It also supports two-factor (token-based) authentication methods like RSA SecurID and VASCO Digipass.
The controller uses signed digital certificates to authenticate devices.
You can integrate the FirePass controller with LDAP directories and Windows Domain Servers.
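The encryption and audit statements above (several encryption levels depending on browser capability and configured settings; RC4, 3DES, and AES support; full-session audit trails) describe two checks an administrator would want to run. The following added example, which is not FirePass code and does not use any FirePass interface, shows both in Python: building a server-side TLS policy that refuses RC4 and 3DES and verifying with the standard `ssl` module that no legacy suite is still offered, and scanning session records for connections that negotiated a legacy cipher. The session records are constructed for the example in a simple `key=value` form and are not FirePass log output; the policy string and the legacy-name patterns are the example's own choices.

```python
import re
import ssl

# OpenSSL cipher-name fragments that fail an AES-only policy: RC4, DES/3DES,
# NULL or export-grade suites, and MD5 MACs (the example's own list).
LEGACY = re.compile(r"RC4|DES|NULL|EXP|MD5")

# Constructed session records (not FirePass log output); one session per line.
SAMPLE_SESSIONS = """\
2005-03-01 09:12:44 user=jdoe src=203.0.113.7 cipher=AES256-SHA
2005-03-01 09:15:02 user=asmith src=198.51.100.23 cipher=RC4-SHA
2005-03-01 09:20:31 user=bchen src=192.0.2.55 cipher=DES-CBC3-SHA
2005-03-01 09:22:10 user=dlee src=203.0.113.9 cipher=ECDHE-RSA-AES128-GCM-SHA256
"""

RECORD = re.compile(r"user=(\S+).*?cipher=(\S+)")


def is_legacy(cipher_name: str) -> bool:
    """True when an OpenSSL-style cipher name uses RC4, DES/3DES, NULL, export or MD5."""
    return LEGACY.search(cipher_name.upper()) is not None


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context that offers only AES suites with forward secrecy."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:!aNULL:!eNULL:!RC4:!3DES:!MD5")
    return ctx


def legacy_ciphers_offered(ctx: ssl.SSLContext) -> list:
    """Names of legacy suites the context would still offer (expected: none)."""
    return sorted({c["name"] for c in ctx.get_ciphers() if is_legacy(c["name"])})


def audit_sessions(log_text: str) -> list:
    """(user, cipher) pairs for sessions that negotiated a legacy cipher."""
    flagged = []
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if m and is_legacy(m.group(2)):
            flagged.append((m.group(1), m.group(2)))
    return flagged


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("legacy suites still offered:", legacy_ciphers_offered(ctx) or "none")
    for user, cipher in audit_sessions(SAMPLE_SESSIONS):
        print(f"session for {user} negotiated legacy cipher {cipher}")
```

The policy check runs entirely offline because `SSLContext.get_ciphers()` enumerates what the local OpenSSL build would offer under the configured cipher string; the same `is_legacy` test is then applied to the cipher recorded for each session, so a browser that can only negotiate RC4 or 3DES shows up in the audit rather than silently getting a weaker session.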
- Application access using standard Connectors
The FirePass controller provides access to virtually all corporate and desktop applications, including email, file, and Intranet access, client-server application access, legacy host application access (mainframe, AS/400, X-Windows, and Telnet), and Terminal Services/Citrix® application access.
- Mobile device access
The FirePass controller provides email, file, and Intranet access from mini-browsers on mobile devices. These include Internet-enabled (WAP and iMode) telephones, PDAs (PalmOS® and Pocket PC), and RIM Blackberries™.
- Administrative Console
The FirePass controller provides a web-based Administrative Console. The console includes tools for installing and managing the FirePass controller, managing user and group enrollment, configuring clustering and failover, certificate generation and installation, and customization of the remote client user interface.
- Audit trail
The FirePass controller provides audit tools including full-session audit trails, drill-down session queries, and customizable reports and queries.
- Client/Server application support
The FirePass controller provides application-specific tunnels for client-server applications like Microsoft® Outlook®, ERP package applications, and custom TCP/IP applications.
- Network Access
The FirePass controller also includes Network Access, which gives remote clients full network access comparable to that offered by a traditional IPSec VPN connection.
- Desktop Access
The FirePass controller gives users web-based access to authorized desktops with support for remote control, lightweight email/file access, guest access, and Web conferencing.
- High availability
You can configure FirePass controllers to fail over to hot standby controllers.
FirePass controller clusters support up to 10,000 users on a single logical controller (4000 and 4100 controllers only).
- Macintosh and Linux support
FirePass controller, version 5.0 includes Network Access support for Macintosh and Linux remote clients.
- Standalone VPN client and APIs
FirePass controller, version 5.0 includes a standalone VPN client and APIs for building FirePass remote access services into applications.
About this handbook
This handbook provides overview information about the FirePass controller, version 5.0, and step-by-step instructions for key features.
This handbook is available as an Adobe Acrobat file (.pdf) on the FirePass Resource CD. It is also available on the F5 Networks Technical Support Web site, http://tech.F5.com.
This guide is intended for system and network administrators who install and configure IT equipment and software. This guide assumes that administrators have experience installing software and working with network configurations.
To help you easily identify and understand certain types of information, this documentation uses the following stylistic conventions.
Using the solution examples
All examples in this documentation use only non-routable IP addresses. When you set up the solutions we describe, you must use IP addresses suitable to your own network in place of our sample IP addresses.
Identifying new terms
When we first define a new term, the term is shown in bold italic text. For example, HTTPS is HyperText Transport Protocol (Secure), or secure HTTP.
Identifying references to objects, names, and commands
We apply bold text to a variety of items to help you easily pick them out of a block of text. These items include web addresses, IP addresses, utility names, and portions of commands such as variables and keywords. For example, the ping command requires that you include at least one <ip_address> or <fully qualified domain name> variable.
Identifying command syntax
We show actual, complete commands in bold Courier text. Note that we do not include the corresponding screen prompt, unless the command is shown in a figure that depicts an entire command line screen. For example, to log on to the maintenance console, enter the user name:
Table 1.1 explains additional special conventions used in command line syntax.
Table 1.1 Command line conventions used in this manual

Item in text   Description
\              Continue to the next line without typing a line break.
< >            You enter text for the enclosed item. For example, if the command has <your name>, type your name.
|              Separates parts of a command.
[ ]            Syntax inside the brackets is optional.
...            Indicates that you can type a series of items.
A Tip suggests ways to make administration easier or faster. For example:
Tip: An easy way to enter a user agent string is to copy and paste the string from the Logons report.
A Note or Important contains important information. For example:
Note: If you are starting up a controller cluster, always start the primary controller first.
Important: If your superuser password is lost, contact Technical Support.
A Warning describes actions that can cause data loss or problems. For example:
Warning: Do not turn the FirePass controller off by using the Power switch on the front panel.
Finding help and technical support resources
You can find additional technical documentation about the FirePass controller using the following resources:
- Release notes
Release notes containing the latest information for the current version of the FirePass controller are available from the Administrative Console. On the navigation pane, click Device Management, expand Maintenance, and then click Online Update. A link to Release notes for the current release is at the top of the screen. Release notes include a list of new features and enhancements, a list of fixes, and a list of known issues.
- Online help for FirePass features
You can find help online for virtually all screens on the Administrative Console. Click the Help button in the upper right of the panel.
- Technical support through the World Wide Web
The F5® Networks Technical Support web site, http://tech.f5.com, provides the latest technical notes, answers to frequently asked questions, updates for the release notes, and the AskF5 natural language question and answer engine. You can also find Release notes here, and all the guides in PDF format.