Introducing the FirePass Controller
Introducing the FirePass controller
The F5® Networks FirePass® controller is a network appliance that provides remote users with secure access to corporate networks, using most standard Web browsers. The FirePass controller is easy to set up with proper planning, and installation requires no modification to existing corporate applications. No configuration or set up is required at the user's remote location. If the user's Web browser can connect to Web sites on the Internet, then that browser can connect to the FirePass controller.
The FirePass controller provides a web-based alternative to traditional remote-access technologies such as modem pools, RAS servers, and IPsec Virtual Private Networks (VPNs). By using the browser as a standard thin client, the FirePass controller enables your corporation or organization to extend secure remote access easily and cost-effectively to anyone connected to the Internet, with no special software or configuration on the remote device. You do not need to make any additions or changes to the back-end resources being accessed. This approach removes the support burden of IPsec VPN client software, and adds application functionality well beyond mere connectivity.
The FirePass controller enables full access to network resources, and provides broad application support, including:
- File servers
- Intranet and Web applications
- Terminal servers
- Legacy mainframe, AS/400, and Telnet applications
- Proprietary corporate applications
- Client/server applications
Introducing FirePass controller features
All FirePass controller models include the following features:
- Standard Web browser support
FirePass controllers can be used with most standard browsers supporting secure HTTP (also known as HTTPS). These include Internet Explorer®, Netscape Navigator®, Mozilla®, Safari™, and Firefox.
- WAN security
The FirePass controller supports common encryption technologies, including RC4, Triple DES, and AES. It uses standard SSL encryption from the client browser to the FirePass controller.
The FirePass controller can authenticate users against your existing authentication infrastructure, including LDAP directories, Active Directory and Microsoft® Windows® Domain servers, and RADIUS servers. It supports two-factor (token-based) authentication, including RSA SecurID, and integrates with single sign-on (SSO) systems such as Oracle® COREid®, eTrust™ SiteMinder®, and others. The FirePass controller can also perform basic authentication against its internal user database. In addition, the controller uses signed digital certificates to authenticate client devices.
- Broad application support
The FirePass controller provides access to virtually all corporate and desktop applications, including email applications such as Outlook Web Access (OWA) and iNotes, file and intranet server access, client-server application access, legacy host application access (mainframe, AS/400, and Telnet), and Terminal Services/Citrix® application access.
- Mobile device access
The FirePass controller provides email (OWA and iNotes), file, and intranet server access from mini-browsers on mobile devices. These include Internet-enabled (WAP and iMode) telephones, PDAs (PalmOS® and Pocket PC), and RIM Blackberries™.
- Endpoint security
The FirePass controller provides a broad set of endpoint security features such as a protected workspace, client integrity checking, browser cache cleaner, secure virtual keyboard, and support for 100+ versions of antivirus and firewall software.
- Visual policy editor
To facilitate policy definition, the FirePass controller provides a built-in policy editor that is graphically based, which eases management and supports a visual audit of endpoint security policies.
The FirePass controller provides a web-based Administrative Console. The console includes tools for installing and managing the FirePass controller, managing user and group enrollment, configuring clustering and failover, certificate generation and installation, and customization of the remote client user interface.
- Audit trail
The FirePass controller provides audit tools including full-session audit trails, drill-down session queries, and customizable reports and queries.
- Client/Server application support
The FirePass controller provides application-specific tunnels for client-server applications like Microsoft® Outlook®, ERP package applications, and custom TCP/IP applications.
The FirePass controller also includes Network Access, which gives remote clients full network access comparable to that offered by a traditional IPsec VPN connection.
- High availability
You can configure FirePass controllers to fail over to standby controllers, ensuring availability for users.
FirePass controller cluster nodes support up to 20,000 users with built-in load balancing support (4000 and 4100 controllers only). In addition, the FirePass controller integrates with BIG-IP to support large-scale, high-performance clustering, which offers universal, secure access for remote, wireless, and internal network users.
- Integration with BIG-IP system
Integration between the FirePass controller and the BIG-IP system provides a single architecture for remote, WLAN, and LAN access control, so that you manage access control and security policies in one place rather than three. For information about BIG-IP, see the F5 Networks web site at http://www.f5.com.
- Macintosh and Linux support
The FirePass controller includes Network Access support for Macintosh and Linux remote clients.
- Standalone VPN client and APIs
The FirePass controller includes a standalone VPN client and APIs for building FirePass controller remote access services into applications.
Reviewing the FirePass controller models
The FirePass controller is available in the following models:
- FirePass 1000
The FirePass 1000 (Figure 1.1) is a 1U rack-mounted controller designed for small to medium enterprises, supporting up to 100 concurrent users.
- FirePass 1200
The FirePass 1200 (Figure 1.2) is a 1U rack-mounted controller designed for small to medium enterprises, supporting up to 100 concurrent users.
- FirePass 4100
The FirePass 4100 (Figure 1.3) is a 2U rack-mounted controller designed for large enterprises, supporting up to 2000 concurrent users, with clustering expanding support to 20,000.
The 1000, 1200, and 4100 models support failover configuration for high availability. For more information, see Chapter 11, Using FirePass Controllers for Failover .
The FirePass 4100 controller also supports clustering, which provides increased numbers of connections and load balancing. For more information, see Chapter 12, Using FirePass Controllers in Clusters .
Figure 1.1 The FirePass 1000
Figure 1.2 The FirePass 1200
Figure 1.3 The FirePass 4100
Finding the FirePass controller software version number
When you work with F5 Networks technical support, you might need to have the version number of the software running on your FirePass controller. You can find the software version number on the Welcome page, available by clicking Device Management and then clicking Welcome from the navigation pane. The screen presents the version numbers below the introductory graphic. Following is an example of the version numbers.
Version - FirePass 6.0
Tue, 6 Jun 2006 00:48 PST
Understanding the FirePass controller
The FirePass controller offers remote connection support for Windows®, Macintosh®, and Linux® clients. The controller supports IP applications on all three platforms, and includes an open API that third-party application vendors can use to build secure remote access solutions into their client applications.
Unlike IPsec VPNs, the web-based remote access of the FirePass controller works over all ISP connections and from behind other firewalls. Because the connection is ordinary SSL traffic from a browser, ISPs and intermediate firewalls that block or filter IPsec traffic do not normally interfere with FirePass controller sessions. Failover and clustering options provide high availability and high capacity. You can cluster FirePass controllers to support up to 20,000 concurrent connections on a single logical URL without performance degradation.
The FirePass controller adheres to the highest standards of security.
- Endpoint security
The FirePass controller provides a broad set of endpoint security features such as a protected workspace, client integrity checking, browser cache cleaner, secure virtual keyboard, and support for 100+ versions of antivirus and firewall software. Configurable remediation helps end users who fail compliance checks to download the client software they need to meet endpoint security requirements, for example the latest antivirus signature files or operating system updates. The FirePass controller can display a custom message containing a download link, so end users can perform their own remediation, meet compliance requirements, and get access without having to call the IT help desk.
You can get several levels of encryption, depending on the capability of the client browser and the configuration of FirePass controller security settings. The controller supports high encryption standards such as Triple DES and AES, as well as FIPS and hardware encryption accelerator options.
The FirePass controller supports a number of authentication methods.
- An internal user database for user name and password authentication
- Basic HTTP and forms-based authentication methods
- Authentication based on client certificates
- Authentication based on your existing Active Directory, RADIUS, LDAP, and Windows domain servers
As an administrator, you can choose to require different authentication methods for different groups. Because the FirePass controller supports RSA SecurID® token-based authentication, you can configure two-factor authentication.
- Access Control
You can use the FirePass controller to grant users access to specific applications on an individual level or on a group level, enabling role-based access. With the FirePass controller's access controls, you can restrict individuals and groups to particular internal resources. For example, partners can be restricted to an extranet server, while sales staff are allowed to connect to email, the company intranet, and the internal customer-tracking system. Administrative realms let you restrict each administrator to the features that administrator needs.
- Application security
The FirePass controller provides web application protection that guards against targeted web application attacks such as SQL injection, cross-site scripting (XSS), and cookie manipulation. Built-in antivirus protection scans email attachments and files uploaded to the FirePass controller.
The FirePass controller provides a range of accessibility options.
- Full network access
Full network access provides a connection that is always available, assuming the client machine supports it. Full network access virtually puts the client machine inside the company network, so that clients perform operations exactly as if they sat at their corporate computers.
Typically, an administrator would choose full network access as the deployment method for client computers that are from a well-known or trusted source, such as company-provided laptops.
- Application tunnel access
Application tunnel access (also called App Tunnels) provides access to TCP applications that use fixed ports or a range of ports. The client experience is similar to full network access, but only the specific applications and ports you define are reachable, rather than the whole network.
Typically, an administrator would choose application tunnel access as the deployment method for client computers that are from a somewhat trusted source, such as employee-owned equipment.
- Specialized application access
Specialized application access provides browser-based interaction with a set of commonly used functions:
- Mobile email
- Legacy hosts
- Windows files
- Terminal Servers
Each application was specifically developed for use on the FirePass controller.
Typically, an administrator would choose specialized application access as the deployment method for client computers that are from a public or untrusted source, such as computers that are publicly accessible (for example, systems in public libraries, at internet cafes, and from other public portals).
- Web application access
Web application access enables interaction with proprietary and custom web applications using reverse-proxy technology. Essentially, you can use web application access to create a specialized application, similar to the ones listed under Specialized application access. Because there is no overarching protocol for web applications, the degree of support available for any given application varies with its content and method of implementation.
For example, applications that use plain HTML over HTTP integrate relatively seamlessly, because the reverse proxy can rewrite the links it finds in the markup. However, if your application contains a lot of customized script or applets that build URLs at run time, you may have to adapt the application to work with web application access.
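The following is an added example written for this page, not FirePass code, of what reverse-proxy link rewriting does and where it stops. The gateway prefix, the attribute set (href, src, action) and the sample page are assumptions chosen for the demonstration. Links in HTML attributes are rewritten to go through the gateway, while a URL assembled inside a script body is left alone, which is the case that needs application-specific work.

```python
"""Link rewriting of the kind a reverse proxy does for web application
access: an added illustration for this page, not FirePass code. The gateway
URL, the attribute set and the sample page are assumptions."""
import re
from urllib.parse import urljoin, urlparse

GATEWAY = "https://gateway.example.com/proxy/"     # hypothetical gateway prefix

ATTR_RE = re.compile(r'\b(href|src|action)\s*=\s*(["\'])(.*?)\2', re.IGNORECASE)
SCRIPT_RE = re.compile(r'(<script\b[^>]*>)(.*?)(</script>)', re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r'https?://[^\s\'"<>]+')


def rewrite_url(url: str, page_base: str) -> str:
    """Map one link so the browser fetches it through the gateway.

    Relative links are resolved against the page they appear on first,
    because the browser's origin is the gateway, not the intranet host.
    Non-HTTP schemes (mailto:, javascript:) are returned unchanged."""
    parts = urlparse(urljoin(page_base, url))
    if parts.scheme not in ("http", "https"):
        return url
    rest = parts.path or "/"
    if parts.query:
        rest += "?" + parts.query
    if parts.fragment:
        rest += "#" + parts.fragment
    return f"{GATEWAY}{parts.scheme}/{parts.netloc}{rest}"


def _rewrite_markup(fragment: str, page_base: str) -> str:
    # group(1) attribute name, group(2) quote character, group(3) the URL
    return ATTR_RE.sub(
        lambda m: f"{m.group(1)}={m.group(2)}{rewrite_url(m.group(3), page_base)}{m.group(2)}",
        fragment)


def rewrite_html(html: str, page_base: str) -> str:
    """Rewrite link attributes in markup. Script bodies are copied as-is,
    which is exactly why URLs built by script escape the proxy."""
    out, last = [], 0
    for m in SCRIPT_RE.finditer(html):
        out.append(_rewrite_markup(html[last:m.start()], page_base))
        out.append(_rewrite_markup(m.group(1), page_base))   # <script src=...> is markup
        out.append(m.group(2))                               # script body untouched
        out.append(m.group(3))
        last = m.end()
    out.append(_rewrite_markup(html[last:], page_base))
    return "".join(out)


def unrewritten_script_urls(html: str) -> list:
    """URLs inside script bodies that the attribute rewriter never sees;
    these are the places that need application-specific work."""
    found = []
    for m in SCRIPT_RE.finditer(html):
        found.extend(URL_RE.findall(m.group(2)))
    return found


# Constructed sample page, not captured from a real server.
PAGE_BASE = "http://intranet.corp/reports/index.html"
SAMPLE_PAGE = (
    '<a href="/reports/q1.html">Q1</a>\n'
    '<img src="http://intranet.corp/logo.gif">\n'
    '<form action="login.cgi"></form>\n'
    '<a href="mailto:help@intranet.corp">Help</a>\n'
    '<script src="/js/app.js"></script>\n'
    '<script>var u = "http://intranet.corp/api/data"; load(u);</script>\n'
)

if __name__ == "__main__":
    print(rewrite_html(SAMPLE_PAGE, PAGE_BASE))
    print("needs manual handling:", unrewritten_script_urls(SAMPLE_PAGE))
```

Running the block prints the rewritten page and lists the one URL the rewriter could not reach: the string inside the script element still points directly at the intranet host, so that request would fail from outside unless the application is adapted.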
Ease of use, deployment, maintenance, and management
You can install and configure the FirePass controller quickly. An intuitive, browser-based client interface means you do not have to train remote access users. You can upgrade the FirePass controller remotely, over the Internet, using browser-based administration. Automatic notifications about release updates prompt you to download new versions when they become available. You can also add FirePass controller features and capacity over the Internet.
Determining security requirements for users
Whether you maintain users externally or internally, you can specify several levels of security, as determined by the governing master group and the resources you want the users to access. Specifying security requirements ensures that unauthorized users do not have access while authorized users do. For example, you can:
- Require that the clients logging on have a specific certificate. If the certificate you define is not present, you can prevent logon or provide access to a restricted set of resources. For more information about certificates, see Setting up client-certificate-based authentication .
- Gather information about the client environment and grant or restrict access based on the antivirus software type and update time, the presence of a firewall, the operating system and browser version, and other factors. For more information about pre-logon inspection of client systems, see Implementing client system checking .
- Define protected configurations, a set of safety checks to protect resources. Protected configurations focus on a specific aspect of protection, such as unauthorized access, information leaks, virus attacks, and keystroke loggers. For each criterion, the FirePass controller provides specific safety measures. For example, to prevent information leaks, you might specify that the user run inside the protected workspace or download the cache cleaner to remove cached files when the user logs off. For more information about protected configurations, see Creating protected configurations . At the resource level, you can apply a definition in one of the following ways:
- To the entire feature
Users must meet certain requirements to use the functionality.
- To one or more resources
Users must meet certain requirements to access a specific server.
- To the master group
Users must belong to a specific master group to get access to certain resources.
- To applications and files
Users must meet certain requirements to have access to specific applications or files.
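The decision logic described above (certificate presence, client system checks, protected configurations, and resource-level requirements) can be shown end to end in a short policy evaluator. The following is an added example written for this page, not FirePass software: the posture fields, the seven-day signature threshold, the resource names and the three access tiers are assumptions chosen for the demonstration. The point it makes is that the decision is default-deny, that a failed check records a remediation reason rather than silently refusing, and that resource-level checks are evaluated separately from the session tier.

```python
"""Posture-based access decision: an added illustration for this page,
not FirePass software. Posture fields, thresholds, resource names and the
three access tiers are assumptions chosen for the demonstration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Access tiers, least to most privileged, with the resources each may reach.
TIER_RANK = {"restricted": 0, "apptunnel": 1, "full": 2}
TIER_RESOURCES = {
    "restricted": frozenset({"webmail"}),
    "apptunnel": frozenset({"webmail", "intranet", "file-share"}),
    "full": frozenset({"webmail", "intranet", "file-share", "network-access"}),
}
# Per-resource minimum tier (resources not listed here are never reachable).
RESOURCE_MIN_TIER = {"webmail": "restricted", "intranet": "apptunnel",
                     "file-share": "apptunnel", "network-access": "full"}
MAX_SIGNATURE_AGE_DAYS = 7                 # assumed policy threshold
APPROVED_OS = {"windows", "mac os x", "linux"}


@dataclass(frozen=True)
class Posture:
    """What a pre-logon inspection of the client reported."""
    has_client_cert: bool
    antivirus: Optional[str]               # product name, None if none found
    av_signature_age_days: Optional[int]
    firewall_enabled: bool
    os_name: str
    in_protected_workspace: bool


def failed_checks(p: Posture) -> List[str]:
    """Every integrity check the client fails, each with a remediation hint
    of the kind a gateway would show on a custom remediation page."""
    problems = []
    if p.antivirus is None:
        problems.append("no antivirus detected: install an approved product")
    elif p.av_signature_age_days is None or p.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        problems.append(f"antivirus signatures older than {MAX_SIGNATURE_AGE_DAYS} days: update them")
    if not p.firewall_enabled:
        problems.append("personal firewall disabled: enable it")
    if p.os_name.lower() not in APPROVED_OS:
        problems.append(f"unsupported operating system {p.os_name!r}")
    return problems


def decide(p: Posture, group_allows_full_access: bool) -> Tuple[str, frozenset, List[str]]:
    """Place the session in the lowest tier whose requirements are met.

    Returns (tier, reachable resources, reasons). Every branch that stops
    short of full access records why, so the user can remediate."""
    if not p.has_client_cert:
        # Policy choice: a missing certificate does not refuse logon outright
        # but confines the session to the restricted resource set.
        return "restricted", TIER_RESOURCES["restricted"], ["no client certificate presented"]
    problems = failed_checks(p)
    if problems:
        # Integrity failure: browser-based applications only, no tunnels.
        return "restricted", TIER_RESOURCES["restricted"], problems
    if not group_allows_full_access:
        return "apptunnel", TIER_RESOURCES["apptunnel"], ["master group is not entitled to full network access"]
    if not p.in_protected_workspace:
        return "apptunnel", TIER_RESOURCES["apptunnel"], ["full network access requires the protected workspace"]
    return "full", TIER_RESOURCES["full"], []


def can_access(tier: str, resource: str) -> bool:
    """Resource-level check: unknown resources and lower tiers are denied."""
    required = RESOURCE_MIN_TIER.get(resource)
    return required is not None and TIER_RANK[tier] >= TIER_RANK[required]


# Constructed sample postures, not data from a real inspection.
CORPORATE_LAPTOP = Posture(True, "ExampleAV", 1, True, "Windows", True)
HOME_PC = Posture(True, "ExampleAV", 2, True, "Windows", False)
LIBRARY_KIOSK = Posture(False, None, None, False, "Windows", False)
STALE_AV_LAPTOP = Posture(True, "ExampleAV", 30, True, "Windows", True)

if __name__ == "__main__":
    for name, posture in [("corporate laptop", CORPORATE_LAPTOP), ("home PC", HOME_PC),
                          ("library kiosk", LIBRARY_KIOSK), ("stale AV", STALE_AV_LAPTOP)]:
        tier, resources, reasons = decide(posture, group_allows_full_access=True)
        print(f"{name}: {tier} -> {sorted(resources)} {reasons}")
```

The four sample postures map onto the deployment guidance in the access-type descriptions above: the company laptop gets full network access, the employee-owned machine gets application tunnels, and the kiosk with no certificate gets the restricted browser-based set; the laptop with stale signatures is held at the restricted tier with a reason it can act on.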
Getting started with the FirePass controller
The FirePass controller is a multi-featured appliance whose interface allows configuration from any location. You can follow guidelines in The recommended path to set up your FirePass controller, or you can elect to travel your own path, choosing from the options described in Possible configuration scenarios .
The recommended path
If you are new to the FirePass controller, you can follow the path outlined in this section. This recommended path is designed to guide you through the most common operations, and includes descriptions to help you complete the task, as well as links to other sections with related functionality.
- Identify authentication mechanism
The FirePass controller supports two types of authentication: external and internal. For each type, you can select from a number of authentication methods, depending on your security setup. These include Active Directory, RADIUS, LDAP, and others.
- Test user connectivity.
This is a good place to stop and test to make sure that users can connect to the FirePass controller. To do so, open a new browser window and log on using a logon account that you know exists.
- Configure resource groups with the applications and functionality you want to provide
For more information, you can review content in several sections:
Possible configuration scenarios
There are several ways you can begin the configuration process. You can start with existing groups, even if you want to manage user authentication internally.
- To gather information from client systems
If you want to specify requirements for client systems to determine authentication (whether to grant user access) and authorization (which resources to grant access to), you can read more at Implementing client system checking .
- To configure the resources, applications, and functionality you want to provide
If you prefer to start with the resources, applications, and functionality that you want to provide to your users, you can read more at the access-type specific sections:
- To set up certificates on the server
If you are ready to set up and install server certificates for the FirePass controller, read more in Chapter 4, Using Server Certificates .
- To see how-to information on various subjects
If you want exposure to sample configurations that use step-by-step examples, see Appendix A, How-To Examples .
Using this guide
This guide provides overview information about the FirePass controller, and step-by-step instructions for key features.
This guide is available as an Adobe Acrobat file (.pdf) and as an HTML file on the F5 Networks Technical Support Web site, http://tech.F5.com.
This guide is intended for system and network administrators who configure and maintain IT equipment and software. This guide assumes that administrators have experience working with network configurations.
Stylistic conventions in this document
To help you easily identify and understand certain types of information, this documentation uses the following stylistic conventions.
Using the solution examples
All examples in this documentation use only private class IP addresses. When you set up the solutions we describe, you must use valid IP addresses suitable to your own network in place of our sample addresses.
Identifying new terms
When we first define a new term, the term is shown in bold italic text. For example, HTTPS is HyperText Transport Protocol (Secure), or secure HTTP.
Identifying references to objects, names, and commands
We apply bold text to a variety of items to help you easily pick them out of a block of text. These items include web addresses, IP addresses, utility names, and portions of commands such as variables and keywords. For example, the ping command requires that you include at least one <ip_address> or <fully qualified domain name> variable.
Identifying references to other documents
We use italic text to denote a reference to a specific section or another document. In references where we provide the name of a book as well as a specific chapter or section in the book, we show the book name in bold, italic text, and the chapter/section name in italic text to help quickly differentiate the two.
For example, you can find information about various FirePass controller models in the FirePass Controller Getting Started Guide, Chapter 1, Getting Started with the FirePass Controller.
Identifying command syntax
We show actual, complete commands in bold Courier text. Note that we do not include the corresponding screen prompt, unless the command is shown in a figure that depicts an entire command line screen. For example, to log on to the Maintenance Console, type the user name:
Table 1.1 explains additional special conventions used in command line syntax.
Table 1.1 Command line conventions used in this manual
Item in text
Continue to the next line without typing a line break.
You enter text for the enclosed item. For example, if the command has <your name>, type your name.
Separates parts of a command.
Syntax inside the brackets is optional.
Indicates that you can type a series of items.
We use a conspicuous note format for a variety of information, ranging from supplemental to critical.
A Tip suggests ways to make administration easier or faster. For example:
An easy way to enter a user agent string is to copy and paste the string from the Logons report.
A Note provides supplemental, helpful information. For example:
If you want users to be able to define their own personal webtop favorites or preferences, then you must use internal user management.
An Important note contains important information. For example:
If you are starting up a controller cluster, always start the primary controller first, or the remaining cluster controllers cannot start properly.
A Warning describes actions that can cause data loss or problems. For example:
If you are configuring failover in a production environment, the order in which the pair of controllers restart is very important, and can result in data loss if the two controllers do not restart in the correct order. For more information, see Introducing a failover member into a production environment .
Finding help and technical support resources
You can find additional technical documentation about the FirePass controller using the following resources:
- Getting Started Guide
The FirePass Controller Getting Started Guide is provided as a printed document in the box with the FirePass controller. The Getting Started Guide contains all of the information you need to set up and install a new FirePass controller. You can find a copy of the guide (in PDF and HTML formats) on the F5 Networks Technical Support Web site, http://tech.F5.com.
- Release notes
Release notes containing the latest information for the current version of the FirePass controller are available from the Administrative Console. In the navigation pane, click Device Management, expand Maintenance, and then click Online Update. A link to Release notes for the current release is at the top of the screen. Release notes include a list of new features and enhancements, a list of fixes, and a list of known issues.
You can also find release notes for the FirePass controller in HTML format on the F5 Networks Technical Support web site, http://tech.f5.com/home/firepass/. This site includes release notes for the current and all previous versions of the FirePass controller.
- Online help for FirePass features
You can find help online for virtually all screens on the Administrative Console. To open the context-sensitive online help, click the Help button in the upper right of the screen.
- Technical support through the World Wide Web
The F5® Networks Technical Support web site, http://tech.f5.com, provides the latest technical notes, answers to frequently asked questions, release notes and release note updates, all the guides in PDF format, and the AskF5 natural language question and answer engine. To navigate to the AskF5 site, click the Ask button in the upper right of any screen on the FirePass controller Administrative Console.