- =APM Getting Started III=
- *<b>Create a Portal Access Resource</b>
- *APM can provide Portal Access to internal web apps for remote users.
- *The user logs onto APM and clicks a portal access resource on the APM landing page.
- *APM is configured with a starting URL for that resource and sends the request to the internal server.
- *That server responds to APM with a web page that contains HTML links to another page on that server, as well as a page on a different server.
- *Hostnames are encoded before the page is sent to the client.
- *Portal Access is referred to as HTTP tunneling because it can be used to connect to any internal web app.
- [[File:apm_23423.png]]
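The link-rewriting step in the bullets above, as an added example that is not part of these notes or of F5's own code: APM proxies the internal page, so every link that points at an internal host has to be rewritten to point back at APM with the real hostname hidden. The hex token, the `/pa/` path prefix, the `apm.example.com` hostname and the sample page are all assumptions made for this example; APM's actual on-the-wire encoding differs. The reverse function shows what the proxy has to do when the rewritten link comes back in a request.

```python
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

# Assumption: the public hostname of the APM virtual server that remote users reach.
APM_HOST = "apm.example.com"

# Constructed sample page, standing in for what an internal server returns to APM.
# It links to the same server (relative), to a second internal server, and to
# non-HTTP targets that must be left alone.
SAMPLE_PAGE = """<html><body>
<a href="/reports/q1.html">Q1 report</a>
<a href="http://intranet.corp.local/hr/">HR site</a>
<a href="https://wiki.corp.local:8443/docs?lang=en">Wiki</a>
<a href="mailto:bob@corp.local">Mail Bob</a>
<a href="#top">Top</a>
</body></html>"""

HREF_RE = re.compile(r'(href=")([^"]*)(")')
PROXIED_RE = re.compile(r"^/pa/([0-9a-f]+)(/.*)$")


def encode_origin(scheme: str, netloc: str) -> str:
    """Turn scheme + host[:port] into an opaque hex token. This is an
    illustrative encoding for the example, not APM's on-the-wire format."""
    return f"{scheme}://{netloc}".encode("utf-8").hex()


def decode_origin(token: str) -> str:
    return bytes.fromhex(token).decode("utf-8")


def rewrite_url(href: str, page_url: str) -> str:
    """Rewrite one link so the browser talks to APM instead of the internal host.
    Relative links are resolved against the page that contained them."""
    if href.startswith("#"):
        return href                      # same-document fragment, nothing to proxy
    absolute = urljoin(page_url, href)
    parts = urlsplit(absolute)
    if parts.scheme not in ("http", "https"):
        return href                      # mailto:, javascript: etc. are not tunnelled
    token = encode_origin(parts.scheme, parts.netloc)
    proxied_path = f"/pa/{token}{parts.path or '/'}"
    return urlunsplit(("https", APM_HOST, proxied_path, parts.query, parts.fragment))


def rewrite_page(html: str, page_url: str) -> str:
    """Rewrite every href in a page before APM hands it to the client."""
    return HREF_RE.sub(lambda m: m.group(1) + rewrite_url(m.group(2), page_url) + m.group(3), html)


def resolve_proxied(proxied_url: str) -> str:
    """APM side: map a request for a rewritten URL back to the internal origin URL."""
    parts = urlsplit(proxied_url)
    m = PROXIED_RE.match(parts.path)
    if not m:
        raise ValueError("not a portal-access path")
    scheme, netloc = urlsplit(decode_origin(m.group(1)))[:2]
    return urlunsplit((scheme, netloc, m.group(2), parts.query, parts.fragment))


if __name__ == "__main__":
    print(rewrite_page(SAMPLE_PAGE, "http://intranet.corp.local/hr/index.html"))
```

Run it and the page comes back with every `http`/`https` link pointing at `apm.example.com` and no internal hostname in clear text, while the `mailto:` and `#top` links are untouched.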
- *When the Access Policy performs an AD Auth, it sends the username and password collected in the Logon Page action to the AD DC.
- *If they are correct, the policy proceeds to AD Query, which sends the username to the DC and requests info about that user.
- *The Advanced Resource Assign action can use that info to assign resources dynamically, i.e. resources assigned only to a specific class of users.
- *If membership in the OWA group were the condition, users Bob, Carol and Dave (members) would receive the OWA portal access resource while Alice and Eve (non-members) would not.
- [[File:apm235.png]]
- *Added AD Query.
- *Added Portal Access resource in Advanced Resource Assign.
- *The VS needs to have a Rewrite Profile.
- *#Modify VS to add Rewrite Profile.
- *#Create Portal Access Resource.
- *#Edit Access Policy AD Query.
- *#Edit Access Policy Resource Assign.
- *#Edit Access Policy Wrap-Up.
- =APM Getting Started II=
- *<b>Allowing VPN Access</b>
- **By default, split tunneling is disabled.
- **Address space must be configured for every VPN tunnel: if APM is licensed for 250 concurrent users, 250 IP addresses are required in the VPN lease pool.
- **The default VPN SNAT Pool is set to None; it could be set to Automap, but port exhaustion may become an issue.
- *<b>Access Policy review</b>
- **Has one-to-one mapping with its Access Profile.
- **Built with the Visual Policy Editor.
- **Looks like a flow chart.
- **Configures the Policy Enforcement Point.
- **Has 6 categories of actions:
- ***Logon
- ***Authentication
- ***Assignment
- ***Endpoint Security (Server-Side)
- ***Endpoint Security (Client-Side)
- ***General Purpose
- [[File:APM_2.png]]
- *Need additional items:
- **Full webtop landing page
- **Network access resource
- **Lease pool
- **Connectivity profile
- *<b>Configuration Overview</b>
- **Adds a Windows File check action: if the file is not present on the client Windows PC, the user is denied access.
- **Also adds an Advanced Resource Assign action to provide the user with a landing page and an option to open an SSL VPN.
- **If an LTM pool was specified in the VS, there is no need to assign a resource.
- **#Create Full Webtop
- **#Create Lease pool
- **#Create Network Access Resource
- **#Create Connectivity Profile
- **#Edit Access Policy Overview
- **#List Access Profiles
- **#Copy Existing Access Policy
- **#Edit Access Policy: Resource Assign
- **#Edit Access Policy: Windows Files
- **#Edit Access Policy: Wrap-Up
- **#Create a new VS
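The policy flow from the Getting Started III notes (AD Auth, then AD Query, then Advanced Resource Assign by group membership) and the Windows File check from the Configuration Overview above, modelled as an added example that is not part of these notes or of F5's product. The in-memory directory with users Alice to Eve, the PBKDF2 password hashes, the required file path and the resource names are all constructed for this example; a real AD Auth is an LDAP or Kerberos exchange with the DC.

```python
import hashlib
import hmac
import os


# Constructed stand-in for the AD domain controller: each user has a salted
# PBKDF2 hash and a memberOf list, mirroring the group example in the notes.
def _entry(password: str, groups: list[str]) -> dict:
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000),
            "memberOf": groups}


DIRECTORY = {
    "alice": _entry("alice-pass", ["Staff"]),
    "bob":   _entry("bob-pass",   ["Staff", "OWA"]),
    "carol": _entry("carol-pass", ["Staff", "OWA"]),
    "dave":  _entry("dave-pass",  ["Staff", "OWA"]),
    "eve":   _entry("eve-pass",   ["Staff"]),
}

# Assumption: the Windows File check looks for this file; the path is a placeholder.
REQUIRED_CLIENT_FILE = r"C:\corp\endpoint-agent.dll"


def ad_auth(username: str, password: str) -> bool:
    """AD Auth action: the credentials from the Logon Page go to the DC for validation.
    Unknown users and wrong passwords fail the same way."""
    entry = DIRECTORY.get(username.lower())
    if entry is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), entry["salt"], 50_000)
    return hmac.compare_digest(candidate, entry["hash"])


def ad_query(username: str) -> dict:
    """AD Query action: only the username is sent; the DC returns attributes (group membership)."""
    return {"memberOf": list(DIRECTORY[username.lower()]["memberOf"])}


def windows_file_check(client_report: dict) -> bool:
    """Client-side endpoint inspection: True only if the inspector reported the required file."""
    return REQUIRED_CLIENT_FILE in client_report.get("files", [])


# Advanced Resource Assign rules: (condition on the AD query result, resource name).
# The OWA portal access resource is the one that depends on group membership.
RESOURCE_RULES = [
    (lambda q: True, "webtop:full"),
    (lambda q: True, "network-access:corp-vpn"),
    (lambda q: "OWA" in q["memberOf"], "portal-access:owa"),
]


def advanced_resource_assign(query_result: dict) -> list[str]:
    return [res for cond, res in RESOURCE_RULES if cond(query_result)]


def run_access_policy(username: str, password: str, client_report: dict) -> dict:
    """Walk the policy branches: Logon Page -> AD Auth -> Windows File check ->
    AD Query -> Advanced Resource Assign -> Allow, with a Deny ending on any failed branch."""
    if not ad_auth(username, password):
        return {"ending": "Deny", "reason": "AD Auth failed"}
    if not windows_file_check(client_report):
        return {"ending": "Deny", "reason": "Windows File check failed"}
    resources = advanced_resource_assign(ad_query(username))
    return {"ending": "Allow", "resources": resources}


if __name__ == "__main__":
    healthy = {"files": [REQUIRED_CLIENT_FILE]}
    for user, pw in [("bob", "bob-pass"), ("alice", "alice-pass"), ("eve", "wrong")]:
        print(user, run_access_policy(user, pw, healthy))
```

Bob, Carol and Dave get `portal-access:owa` in addition to the webtop and network access resources; Alice and Eve get only the latter two; a failed credential check or a missing client file lands on the Deny ending before any resource is assigned.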
- =APM Getting Started I=
- *2 applications rolled up into a single product.
- *#SSL VPN concentrator and web app reverse proxy engine, plus app tunnels for remote access to apps such as SSH and RDP.
- *#Policy Enforcement Point supports AAA, client-side endpoint inspection, ACLs, dynamic resource assignment, and single sign-on such as OAM, Kerberos, SAML and OAuth.
- *Primary use cases for APM are policy enforcement layered on LTM, and policy enforcement used with the remote access methods: Network Access, Portal Access and Application Access.
- *Supported on various platforms, but mobile platforms do not support all access methods or endpoint security checks.
- *LTM+APM overview
- *#The user first navigates to the BIG-IP, and APM responds with a logon page.
- *#After the user enters credentials, APM passes them to AD, which tells APM whether they are valid.
- *#Assuming valid credentials, the original request is passed to LTM for intelligent app delivery.
- [[File:LTM+APM.png]]
- #Confirm pool exists.
- #Create an AAA server.
- #Create Access profile.
- #Edit an Access Policy overview.
- #Edit an Access Policy Logon Page.
- #Edit an Access Policy AD Auth.
- #Edit an Access Policy Wrap-Up.
- #Create a VS.
- =F5 University Configuring Network Access=
- *APM provides SSL VPN network access for remote users via 2 methods.
- *The web browser is the clientless method; otherwise the Edge Client needs to be installed on the user's device.
- *APM may then verify the user's credentials in addition to verifying that the user's device meets corporate requirements.
- *Once verified, an ActiveX or Java agent is installed in the user's browser, which sets up a network tunnel enabling the user to access corporate resources.
- *DNS and NTP are necessary for APM.
- *Need to set up a lease pool, a group of IP addresses.
- **When a user becomes a network tunnel client, APM uses a lease pool to assign an IP to the client connection.
- **The lease pool is associated with a network access resource.
- **If a user has established 2 simultaneous connections, they will be using 2 IP addresses from the lease pool.
- **Supports both IPv4 and IPv6.
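The lease pool behaviour in the bullets above, and the sizing rule from the Allowing VPN Access notes (250 licensed concurrent users need 250 addresses), as an added example that is not part of these notes or of F5's product. It models a pool built from CIDR members or first-last ranges, hands out one address per tunnel session (so a user with two connections holds two), refuses a new session when the pool is exhausted, and checks whether the pool covers the licensed concurrency. The pool names, member ranges and session ids are constructed for the example.

```python
import ipaddress
from collections import defaultdict


def expand_members(members: list[str]) -> list:
    """Expand lease pool members given as CIDR networks or 'first-last' ranges
    into individual addresses. Works for IPv4 and IPv6 alike."""
    addresses = []
    for member in members:
        if "-" in member:
            first, last = (ipaddress.ip_address(p.strip()) for p in member.split("-", 1))
            if type(first) is not type(last) or last < first:
                raise ValueError(f"bad range: {member}")
            addresses.extend(first + i for i in range(int(last) - int(first) + 1))
        else:
            # hosts() drops the network and broadcast addresses, as a lease pool should
            addresses.extend(ipaddress.ip_network(member, strict=False).hosts())
    return addresses


class LeasePool:
    """Models an APM lease pool: every tunnel connection borrows one address for
    the life of its session, so a user with two connections holds two leases."""

    def __init__(self, name: str, members: list[str]):
        self.name = name
        self.free = expand_members(members)
        self.leases = {}                          # session id -> address
        self.sessions_by_user = defaultdict(list)

    def capacity(self) -> int:
        return len(self.free) + len(self.leases)

    def lease(self, user: str, session_id: str):
        """Assign an address to a new tunnel session; raises when the pool is exhausted,
        which is the failure mode an undersized pool produces for the 251st user."""
        if session_id in self.leases:
            return self.leases[session_id]        # same session asking again gets the same address
        if not self.free:
            raise RuntimeError(f"lease pool {self.name} exhausted: {len(self.leases)} addresses in use")
        address = self.free.pop(0)
        self.leases[session_id] = address
        self.sessions_by_user[user].append(session_id)
        return address

    def release(self, session_id: str) -> None:
        """Return the address to the pool when the session ends."""
        address = self.leases.pop(session_id)
        for sessions in self.sessions_by_user.values():
            if session_id in sessions:
                sessions.remove(session_id)
        self.free.append(address)

    def addresses_for(self, user: str) -> list:
        return [self.leases[s] for s in self.sessions_by_user[user]]


def pool_covers_license(pool: LeasePool, licensed_users: int, connections_per_user: int = 1) -> bool:
    """Sizing check: licensed concurrent users times the connections each may hold
    must not exceed the pool, or connections start failing at peak usage."""
    return pool.capacity() >= licensed_users * connections_per_user


if __name__ == "__main__":
    pool = LeasePool("vpn-pool", ["10.10.0.0/29", "10.10.1.1-10.10.1.2"])
    print("capacity:", pool.capacity(), "covers 250 users:", pool_covers_license(pool, 250))
    print("bob's addresses:", pool.lease("bob", "s1"), pool.lease("bob", "s2"))
```

The constructed pool holds eight addresses, so it is nowhere near the 250 the licence example calls for; `pool_covers_license` is the check to run before a VPN rollout, with `connections_per_user` raised if users routinely keep more than one tunnel open.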
- *Network access resource: grants users access using APM.
- **"caption" and "image" are only important if you will be making several resources available to users, such as portal resources and app tunnels.
- **They will never be seen by users if only a single network tunnel resource is offered.
- *"Network Settings" could specify IP version, lease pool, compression, Full Tunnel or Split Tunnel.
- *"Optimization" can set compression for specific apps.
- *"DNS/Hosts" can specify DNS settings for users as well as static hosts.
- *"Drive Mappings" can set up mapped drives which will be available only while the client connection is active, for Windows clients only.
- **APM does not verify accuracy of the UNC path.
- **Mapping a drive does not automatically grant users access to the shared folder.
- *"Launch Applications" specifies any client-side app that should be launched automatically as soon as the tunnel session is established for a user.
- **Can choose to warn user before launching an app.
- **Specify the full app path, can use "%ProgramFiles%" variable.
- **Can specify different app for client devices running Windows, Macintosh or UNIX.
- *<b>Network Access Webtop</b> is the successful endpoint for a web browser-based network access connection.
- **Can only be used with a network access resource.
- **When a user logs in to access the corporate network using a network access webtop, first the credentials are validated.
- **When the user successfully connects, the browser window minimizes to the system tray.
- **An icon for the VPN connection is displayed in the system tray.
- **Can restore the browser window at any point.
- **When the browser window is restored, compression statistics about the connection can be seen.
- **Can see additional info, including viewing the routing table and IP config details.
- *<b>Access Profile</b>
- **The access profile is the config object assigned to a VS, which can be an LTM VS hosting a web app using a pool, or a VS used for providing network access to users.