aurangze

APM Fundamental

Jun 19th, 2018
=APM Getting Started III=
*<b>Create a Portal Access Resource</b>
*APM can provide Portal Access to an internal web app for remote users.
*The user logs onto APM and clicks a portal access resource on the APM landing page.
*APM is configured with a starting URL for that resource and sends the request to the internal server.
*That server responds to APM with a web page that contains HTML links to another page on that server, as well as to a page on a different server.
*Hostnames are encoded and sent to the client.
*Portal Access is referred to as HTTP tunneling because it can be used to connect to any internal web app.
[[File:apm_23423.png]]
*When the Access Policy performs an AD Auth, it sends the username and password collected in the Logon Page action to the AD DC.
*If they are correct, the AD Query action then sends the username to the DC and requests info about that user.
*The Advanced Resource Assign action can use that info to dynamically assign resources, that is, resources only assigned to a specific class of users.
*If Bob, Carol and Dave were members of the OWA group, they would receive the OWA portal access resource while users Alice and Eve would not.
[[File:apm235.png]]
*Added AD Query.
*Added Portal Access resource in Advanced Resource Assign.
*The VS needs to have a Rewrite Profile.
*#Modify the VS to add a Rewrite Profile.
*#Create a Portal Access Resource.
*#Edit Access Policy: AD Query.
*#Edit Access Policy: Resource Assign.
*#Edit Access Policy: Wrap-Up.

=APM Getting Started II=
*<b>Allowing VPN Access</b>
**By default, split tunneling is disabled.
**Address space must be configured for every VPN tunnel: if APM is licensed for 250 concurrent users, 250 IP addresses are required in the VPN lease pool.
**The default VPN SNAT Pool is set to None; it can be set to Automap, but port exhaustion may then become an issue.
*<b>Access Policy review</b>
**Has a one-to-one mapping with its Access Profile.
**Built with the Visual Policy Editor.
**Looks like a flow chart.
**Configures the Policy Enforcement Point.
**Has 6 categories of actions:
***Logon
***Authentication
***Assignment
***Endpoint Security (Server-Side)
***Endpoint Security (Client-Side)
***General Purpose
[[File:APM_2.png]]
*Additional items needed:
**Full webtop landing page
**Network access resource
**Lease pool
**Connectivity profile
*<b>Configuration Overview</b>
**Adds a Windows File check action: if the file is not present on the client Windows PC, the user is denied access.
**Also adds an Advanced Resource Assign action to provide the user with a landing page and an option to open an SSL VPN.
**If an LTM pool was specified on the VS, no resource needs to be assigned.
**#Create Full Webtop
**#Create Lease Pool
**#Create Network Access Resource
**#Create Connectivity Profile
**#Edit Access Policy Overview
**#List Access Profiles
**#Copy Existing Access Policy
**#Edit Access Policy: Resource Assign
**#Edit Access Policy: Windows Files
**#Edit Access Policy: Wrap-Up
**#Create a new VS

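The flow chart these two sections describe (Logon Page, AD Auth, the Windows File check, AD Query and Advanced Resource Assign), as an added Python model that is not F5 code; the directory entries, the group-to-resource rule, the file path and the resource names are constructed assumptions:

```python
# Added illustration, not F5 code: toy evaluator for the notes' access-policy flow.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the AD domain controller: username -> (password, AD groups).
DIRECTORY: Dict[str, Tuple[str, Set[str]]] = {
    "alice": ("pw-alice", {"Staff"}),
    "bob": ("pw-bob", {"Staff", "OWA"}),
    "carol": ("pw-carol", {"Staff", "OWA"}),
    "dave": ("pw-dave", {"OWA"}),
    "eve": ("pw-eve", {"Staff"}),
}
# Advanced Resource Assign rule: AD group -> resources it unlocks (assumed names).
GROUP_RESOURCES = {"OWA": ["portal:owa"], "Staff": ["webtop:full", "network:corp-vpn"]}
REQUIRED_FILE = r"C:\corp\agent.exe"  # Windows File check target (assumed path)

@dataclass
class Session:
    username: str
    password: str
    client_files: Set[str] = field(default_factory=set)  # files the client reports
    trail: List[str] = field(default_factory=list)  # policy actions visited, in order

def ad_auth(s: Session) -> bool:
    """AD Auth: send the Logon Page credentials to the DC and check them."""
    s.trail.append("AD Auth")
    entry = DIRECTORY.get(s.username)
    return entry is not None and entry[0] == s.password

def windows_file_check(s: Session) -> bool:
    s.trail.append("Windows File")  # client-side endpoint check
    return REQUIRED_FILE in s.client_files

def ad_query(s: Session) -> Set[str]:
    s.trail.append("AD Query")  # ask the DC for the user's group membership
    return set(DIRECTORY[s.username][1])

def advanced_resource_assign(s: Session, groups: Set[str]) -> List[str]:
    s.trail.append("Advanced Resource Assign")  # only what the groups unlock
    return [r for g in sorted(groups) for r in GROUP_RESOURCES.get(g, [])]

def evaluate(s: Session) -> Optional[List[str]]:
    """Walk the policy; return the assigned resources (Allow) or None (Deny)."""
    s.trail.append("Logon Page")
    if not ad_auth(s) or not windows_file_check(s):
        s.trail.append("Deny")
        return None
    resources = advanced_resource_assign(s, ad_query(s))
    s.trail.append("Allow")
    return resources
```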
=APM Getting Started I=
*2 applications rolled up into a single product:
*#SSL VPN concentrator and web app reverse proxy engine, plus app tunnels for remote access to apps such as SSH and RDP.
*#Policy Enforcement Point supporting AAA, client-side endpoint inspection, ACLs, dynamic resource assignment and single sign-on such as OAM, Kerberos, SAML and OAuth.
*Primary use cases for APM are policy enforcement layered on LTM, and policy enforcement used with the remote access methods Network Access, Portal Access and Application Access.
*Supported on various platforms, but mobile platforms do not support all access methods or endpoint security checks.
*LTM+APM overview
*#The user first navigates to the BIG-IP; APM responds with a logon page.
*#After the user enters credentials, APM passes them to AD, which tells APM whether they are valid.
*#Assuming valid credentials, the original request is passed to LTM for intelligent app delivery.
[[File:LTM+APM.png]]
#Confirm the pool exists.
#Create an AAA server.
#Create an Access Profile.
#Edit an Access Policy: Overview.
#Edit an Access Policy: Logon Page.
#Edit an Access Policy: AD Auth.
#Edit an Access Policy: Wrap-Up.
#Create a VS.

=F5 University Configuring Network Access=
*APM provides SSL VPN network access for remote users via 2 methods.
*The web browser is the clientless method; otherwise the Edge Client needs to be installed on the user's device.
*APM may then verify the user's credentials in addition to verifying that the user's device meets corporate requirements.
*Once verified, an ActiveX or Java agent is installed in the user's browser, which sets up a network tunnel enabling the user to access corporate resources.
*DNS and NTP are necessary for APM.
*Need to set up a lease pool, a group of IP addresses.
**When a user becomes a network tunnel client, APM uses the lease pool to assign an IP to the client connection.
**The lease pool is associated with a network access resource.
**If a user has established 2 simultaneous connections, they will be using 2 IP addresses from the lease pool.
**Supports both IPv4 and IPv6.
*Network access resource, to grant users access using APM.
**"Caption" and "Image" are only important if several resources will be made available to users, such as portal resources and app tunnels.
**They will never be seen by users if only a single network tunnel resource is offered.
*"Network Settings" can specify the IP version, lease pool, compression, and Full Tunnel or Split Tunnel.
*"Optimization" can set compression for specific apps.
*"DNS/Hosts" can specify DNS settings for users as well as static hosts.
*"Drive Mappings" can set up mapped drives which are available only while the client connection is active, for Windows clients only.
**APM does not verify the accuracy of the UNC path.
**Mapping a drive does not automatically grant users access to the shared folder.
*"Launch Applications" specifies any client-side app that should be launched automatically as soon as the tunnel session is established for a user.
**Can choose to warn the user before launching an app.
**Specify the full app path; the "%ProgramFiles%" variable can be used.
**Can specify a different app for client devices running Windows, Macintosh or UNIX.
*<b>Network Access Webtop</b> is the successful endpoint for a web browser-based network access connection.
**Can only be used with a network access resource.
**When a user logs in to access the corporate network using a network access webtop, first the credentials are validated.
**When the user successfully connects, the browser window minimizes to the system tray.
**An icon for the VPN connection is displayed in the system tray.
**The browser window can be restored at any point.
**When the browser window is restored, compression statistics about the connection can be seen.
**Additional info can be seen, including the routing table and IP config details.
*<b>Access Profile</b>
**The access profile is the config object assigned to a VS, which can be an LTM VS hosting a web app using a pool or a VS used for providing network access to users.
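The lease-pool rules from this section and from the "Allowing VPN Access" notes above (one address per tunnel connection, so two simultaneous connections consume two addresses; the pool must cover the licensed concurrent-user count; IPv4 and IPv6 ranges), as an added Python model that is not F5 code; the connection-id format and the sample ranges are assumptions:

```python
# Added illustration, not F5 code: a toy lease pool following the notes' rules.
import ipaddress
from typing import Dict, List, Optional, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

class LeasePool:
    """Addresses are leased per tunnel *connection*, not per user."""

    def __init__(self, first: str, last: str):
        a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if a.version != b.version or a > b:
            raise ValueError("range must be a single IP version with first <= last")
        # type(a)(i) keeps the IP version of the range (avoids small IPv6 ints parsing as IPv4)
        self.free: List[Addr] = [type(a)(i) for i in range(int(a), int(b) + 1)]
        self.leases: Dict[str, Addr] = {}  # connection id -> leased address

    def size(self) -> int:
        return len(self.free) + len(self.leases)

    def covers_license(self, concurrent_users: int) -> bool:
        """A pool smaller than the licensed concurrent-user count cannot serve them all."""
        return self.size() >= concurrent_users

    def connect(self, conn_id: str) -> Optional[Addr]:
        """Lease an address to a new tunnel connection; None when the pool is exhausted."""
        if conn_id in self.leases:
            return self.leases[conn_id]
        if not self.free:
            return None  # exhausted: this tunnel cannot be established
        addr = self.free.pop(0)
        self.leases[conn_id] = addr
        return addr

    def disconnect(self, conn_id: str) -> None:
        """Return the address to the pool when the tunnel closes."""
        addr = self.leases.pop(conn_id, None)
        if addr is not None:
            self.free.append(addr)

    def leases_for_user(self, user: str) -> int:
        """Connection ids are constructed as '<user>#<n>'; two tunnels hold two leases."""
        return sum(1 for c in self.leases if c.split("#", 1)[0] == user)
```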