Transcript F5 Networks TMG Migration Strategy

Securely delivering Microsoft applications
Paul Dignan
F5 Networks
The Evolution of F5
3
2
1
© F5 Networks, Inc
• Hypervisor/Cloud ubiquity
• Multi-tenancy, all-active
• Identity access management
• Security
• Mobility/LTE
• Domain Name Services
• Traffic management
• Optimization
• Acceleration
2
The Evolution of F5
4
3
2
1
© F5 Networks, Inc.
Inc
Software Defined Application Services
Cloud Ready
Broadened Application Services
Application Delivery Controller
3
High-Performance Services Fabric
Programmability
Data Plane
Virtual Edition
Network
© F5 Networks, Inc
Control Plane
Appliance
Management Plane
Chassis
[Physical • Overlay • SDN]
4
High-Performance Services Fabric
Programmability
Data Plane
Virtual Edition
Network
© F5 Networks, Inc
Control Plane
Appliance
Management Plane
Chassis
[Physical • Overlay • SDN]
5
© F5 Networks, Inc
6
F5 | Microsoft Strategic Relationship
Joint investment, shared thought leadership
and strategic planning
F5 International Technology Centers
give customers who use Microsoft technologies access to the
experts
Microsoft Technology Center Alliance Partner
Microsoft Partner Solution Center Partner with
office and lab space
F5 training for Microsoft field, services, and
support teams
Visual Studio Industry Partner and VSIP
Member
“
SSTP
RDS/Terminal Services
IIS/ASP.NET
Solution development
across products and technologies
We’re impressed with F5’s holistic view of the application…the comprehensive architecture F5 has designed
will optimize application performance for Microsoft customers.” –Greg Kirchoff, Microsoft Director of ISV Group
Threat Management Gateway vs F5
Before f5
with f5
Devices
Internet
Internet
[Hardware
Firewall]
[Hardware
Firewall]
Data Center
Load Balancing,
DDoS Protection,
Firewall
Exchange
© F5 Networks, Inc
Lync
Web Servers
SharePoint
Exchange
Lync
Web Servers
SharePoint
8
TMG – Traffic Management
Before f5
TMG included a basic Traffic Management feature set, which was primarily built for handling http
traffic.
• Load Balancing: Primarily HTTP/HTTPs
• Monitoring: 3 Options: Simple get, ICMP, TCP port check
• Persistence: 2 Options: Source, Cookie
• SSL Engine: Offloading / Bridging / Rewrite Redirect Support
with f5
F5 includes the industries widest, deepest, and most flexible Traffic Management engine. True
application switching with full proxy support & the power of iRules.
• Load Balancing: Full Proxy, Multi Protocol
• Monitoring: Application aware health and availability, Synthetic client transactions
• Persistence: Multiple options with custom abilities
• SSL Engine: Full hardware based PKI support with advanced functionality
Traffic Management is a core focus of F5, and the TM feature set found in
BIG-IP LTM far exceeds anything else in the market today.
© F5 Networks, Inc
9
TMG – Client Authentication
Before f5
TMG offered customers a broad spectrum of authentication schemes (KCD, Basic, NTLM,
Negotiate, Kerb, LDAP, Radius, AD, OTP, Client Cert, etc) with support for authentication
translation.
• Landing Pages: Customized
• Cross forest: Supported
• Single Sign On: Limited
with f5
The BIG-IP matches up well against TMGs range of supported authentication schemes and
translation functionality.
• Landing Pages: Customized
• Cross forest: Supported
• Single Sign On: Full
© F5 Networks, Inc
Customers migrating to F5 will be able to take advantage of a rich set of authentication
and authorization features unique to F5. Endpoint inspection, AD interrogation, &
layered auth are compelling capabilities that will be new to your customer.
Management through the Visual Policy Editor will also make managing the advanced
functionality even easier.
10
TMG – Network Layer (3,4) Firewall
Before f5
TMG is a certified (CC EAL4+) network firewall suitable for placement at the perimeter of
any network. DOS prevention is supported via a set of connection (TCP, Half Open, UDP,
HTTP RPS, non-TCP) limits per IP per second.
• Layer 3,4 Firewall Rules Supported
• Layer 3,4 DOS Prevention Connection Limits
with f5
BIG-IP is an ICSA & CC certified network firewall suitable for placement at the perimeter of
any network as well.
• Layer 3,4 Firewall Rules Supported
• Layer 3,4 DOS Prevention Advanced with DDOS prevention
With historically strong DOS & DDOS mitigation technology (syn cookies, connection
limits, resource thresholds/watermarks, etc), recent certifications (ICSA) give credibility
to F5s posture as a perimeter security device. Add to that BIG-IPs global address map &
filtering capabilities, and you have firewalling with geographic awareness.
© F5 Networks, Inc
11
TMG – Remote Access & VPN
Before f5
TMG included an RA/VPN engine with several access protocols.
• Access Protocols L2TP, PPTP, SSTP
• Methods Site to Site (IPSec) , Remote User
• Quarantine Supported
• Authentication Username/Password, Certificate
with f5
APM delivers a rich & full remote access & site to site feature set that provides
clientless or client based options, endpoint inspection, quarantining. Providing client access over
browser based HTTPS connections means that client management will no longer be an
administrative burden. Management through APMs VPE (Virtual Policy Editor) makes
management of complex security rules easy.
© F5 Networks, Inc
Customers migrating to F5 will be able to take advantage of a rich set of
authentication and authorization features unique to F5.
12
TMG – Application Layer 7 Firewall
Before f5
TMG offered L7 firewalling in a set of application filters that covered several protocols
• Protocol filters HTTP, SMTP, ……
• Added Protection Virus Scanning, SPAM filtering
• TMGs L7 firewalling does rely on subscription services to keep maintained.
with f5
F5’s ASM is designed with a focus on HTTP, SMTP, FTP, & XML security, with the flexibility to build
policies specific to applications leveraging those protocols & data types. An automatic policy
building engine will adapt to application updates, and visibility/analytics are presented through a
web based real time dashboard. Pre-built policies ship for popular applications such as
SharePoint and Exchange.
© F5 Networks, Inc
F5 provides bespoke security policies for a broad range of Microsoft
Applications and Services
13
Reverse Proxy / Pre-Authentication
“Much like a nightclub bouncer working the door, the ADC isolates internal resources from external access, allowing only
authenticated and authorized users to enter the corporate LAN and use internal resources.”
A Strategic Point of Control for Application Delivery
• An application delivery controller provides a strategic point of control where corporate applications
can be deployed more securely and policy can be implemented consistently.
• BIG-IP provides a central point from which to administer access to multiple applications. Without
this central management point solution, access must be configured and managed separately at
each internal resource, such as Exchange and SharePoint.
• Single Sign-On, (SSO) across multiple on-premise and cloud-based applications.
• Endpoint Inspection
• With the BIG-IP® Access Policy Manager® (APM), administrators can manage access to corporate
resources based upon the device that is trying to connect. Administrators can also ensure that the
approved device adheres to corporate policies for AV status, OS versions, patch levels, and more.
© F5 Networks, Inc
14
Reverse Proxy / Pre-Authentication
• Multi-factor Authentication and Authorization
• Remote access solutions provide a much more secure authentication mechanism than what can be
natively found on most applications.
• The BIG-IP with APM, (Access Policy Manager) integrates with a number of authentication
mechanisms including RSA SecurID, RADIUS OTP, and client-side certificates.
• Using the flexibility of the BIG-IP APM Visual Policy Editor (see below) and BIG-IP iRules®,
administrators can integrate with a variety of authentication providers and technologies.
Figure 1: BIG-IP APM Visual Policy Editor.
• Ability to query Active Directory for user attributes such as AD group membership, assigned mailbox
database, and device IDs. Attributes, along with deep packet inspection, can then be used to
dynamically apply policy further enhancing device security.
© F5 Networks, Inc
15
Questions?