Configuring Remote Access for remote users with F5 BIG-IP APM

Captions
Hello, this is F5 with Alex, and today we're going to configure secure remote access for your colleagues and employees who have to stay home for some reason, and we will do it with the F5 BIG-IP Access Policy Manager technology. The goal of this video is not to provide an explanation of comprehensive use cases; it is dedicated more to general IT specialists than to F5 technical specialists. What we're going to focus on and provide for the client today is the SSL VPN service, with BIG-IP as an SSL VPN concentrator; this is the most popular technology for remote access. We can simplify and secure access for web applications that don't really require a VPN; we can publish them in a secure way through the BIG-IP proxy. And we can act as an RDP gateway, basically an RDP proxy that provides authentication, security and encryption for your RDP connections, so you don't need to expose Windows servers outside. We'll try to do it as easily as possible in a short time frame. Okay, so this is how we'll go.

Let's move on to the lab topology. I have BIG-IP in AWS, and the rest of my servers are also there. I have two VLANs, external and internal. The external one basically exposes BIG-IP IP addresses, NATed to some public IP addresses, for my access. And I have three servers. The internal page is a very dummy default web page, actually, for the server that we will treat as the internal web page that doesn't care about authentication or session management, so it needs to be published outside. We have the domain controller for the domain f5demo.com to provide authentication services for us, because we need to have the user authenticated against some real repository. And we actually have the RDP Remote Desktop Services server that has published remote sessions. That's it.

Let's move on to the configuration. First of all, as you can see on my task list, I have tasks on onboarding the BIG-IP. What does it really mean and why is it important? Because I assume that you have an absolutely clean unit, for example a greenfield deployment of the BIG-IP, and then you need to provide the basic configuration. And this is quite a bunch of tasks that need to be done: you need to create VLANs, self IPs, also the license, and DNS configuration, NTP configuration. These are possibly the things that are really mandatory here. What we can do is use Declarative Onboarding, which allows us to do it all at once. First of all, to do that we need an authentication token that we'll use for our declarative call, and the call is right over here. It's a single JSON blob providing the license for the BIG-IP, DNS configuration, NTP configuration, authentication and, what is important for us, networking parameters. We hit Send for this, and what we see is that the result code is 202, which means the task is accepted and the status is running. Doing a GET request with the parameter show=full basically will give us the result for this task. It's still running because it needs to apply the license, certificates, policies and so on. So that's pretty much what's required to be done. We have to have some patience here, but we're doing nothing, we're just waiting, and that's it. You can copy-paste the default template for Declarative Onboarding right from the F5 website. And the task is finished with a success result. We can go back to our BIG-IP; we have to reload it. It's a newly onboarded system that now has at least networking addresses and some basic things that we need.

Let's move on to the SSL VPN configuration. First of all, we need to create the pool of addresses for your clients. In my topology I have only one IP address and only one client, so for me it's enough; you can provide a bigger pool, for sure. So that's what needs to be done; we put this in. Then we can move on to the so-called network access resource. It's basically VPN settings for your connection. It will appear on some kind of web portal, I'll show you it later, so it should have some kind of name that is recognizable for the users, like "VPN to the firm". Finish. Then we have some network settings here. I have my lease pool; I'd like to have local access to the subnet, and I would like to have split access: I don't want to send the full Internet traffic through the BIG-IP, actually, so I will have only the lab traffic passing through the VPN. And this is it for me. You can define and enforce DNS and hosts files and map network drives for the users; then, when you start the VPN, they will be connected automatically on the user side. That's it here, and we're done with this part so far. One more step that needs to be done is the so-called connectivity profile, which defines connectivity settings for the tunnel. The default one is not okay; we need to create a new one, but it's really easy, just put the parent in and make a name like "remote connectivity". Okay, and we can click Save. What is required next is a webtop. As we connect through HTTPS for authentication, we will see the web page where we need to enter our credentials, and we need some kind of portal that is hosted on BIG-IP; this instance is called a webtop in F5 terms. The type "full" is just fine. Then we need to create authentication through our Active Directory: Active Directory authentication, domain name, domain controller. We will connect directly, just by address, and this is it. You don't need admin credentials for authentication; you need them just for the query. And we're done with this part. Now we need to create the access policy itself. "Remote access", let's call it like this; type "All" is just fine here, and don't forget to add a language, it is mandatory. That's it.

Now we can click Edit and go to the probably most recognizable part of BIG-IP Access Policy Manager: the Visual Policy Editor. We can click Allow for the ending. We can define a logon page to grab the credentials, so I have to type them in; default settings are fine. Just in case we get a UPN, we can automatically split the domain name and put it in a domain variable; it's always nice to have this setting. Then authentication itself: we need to authenticate the gathered credentials against Active Directory. That's it, and we're close to the end. What is missing: we just need to assign all the resources in case of successful authentication. So if the authentication is successful, we need to add this portal and the VPN settings, in case you would like to move on with the VPN. Right, that's it. Now we need to configure the networking parts. Let's start with the SSL connection. Even though in this particular lab my laptop will not trust the certificate that I'm going to present, it still makes sense to have a valid certificate, even if you're trying to set up remote access as fast as possible, so that your users can really trust it. Then we will create the so-called virtual server, which is basically the entry point for your connection. For me it's the correct network address translation from AWS, on the address 10.100, port 443, this is HTTPS, my certificate over here. And we need to put the rewrite profile in for the next setting, just so we don't have to go back here; it's not really required for the VPN. And these two guys are required for APM, actually, the ones we created. That's it; besides the lots of settings here, this is all you need to do at this very point.

Okay, so we are done with the VPN server configuration, and let's try this in action. We go to the f5demo portal; we have the logon page, the configured user and the password, and I see the webtop with the link or button to the VPN. If I click it, it fires the so-called clientless VPN; some components need to be installed in administrative mode, and the certificate is not really trusted, that's why it's asking questions. But then it's going to be connected to my internal network, and I can type in some internal address to see this dummy page; but it's really a page that is hosted there, and we're basically inside the VPC of AWS, which is quite interesting, I suppose. You can also use the Edge Client, or F5 Access, to access this remote.f5demo.com, or whatever your domain name is, directly; it will still work under the same conditions. So we have flexibility for the user: the user can change the type of client they would like to have, or you can define the type of client. Okay, so we can hit Disconnect here and try to reload the page; it should not really work. You see that it's spinning, and "site cannot be reached". Nice.

Let's move on and try to publish this very page, but with access in a secure way, I mean with an authenticated session, through session management, through our proxy, and without any VPN connection. So how does F5 approach this? There is a so-called portal access resource, which is very similar to what we needed to do for the VPN. "Portal page", we'll call this, and we just need to provide the internal link for this application. That's it. Okay, there shouldn't be a space here. Okay, and our page is created. Then we need to go back to the access policy and add this resource, the portal access, to our webtop. Okay, then we need to apply the policy; you can do it right in the Visual Policy Editor, or we can do it right over here. And now we can try to access this application once again, this web page for remote access. Now we see two links, two buttons, with the internal page. Let's try to click this one, and we see that it's actually now accessed through the BIG-IP. Each and every link and the content is rewritten to be accessed through the BIG-IP; so, for example, we can take the nginx logo here, and we see that it's remote.f5demo.com. So everything is passing through the BIG-IP inside this very session, and we've potentially got a secured connection, if the certificate could be trusted. So this is the way we recommend to access web applications; it doesn't really require any VPN, but it still requires strong authentication, because you can add multi-factor authentication, group policies and so on to your access policy. Nice.

And finally, let's move on to the third part of our demo: the Remote Desktop proxy. We need to have some preparation. BIG-IP will have to authenticate users to the domain for RDP; it works only through NTLM, so we need to have an NTLM machine account. We need to have the full name of the controller, as AWS created it for me, and some user with rights; user is just fine. Then we can create the NTLM auth profile; this is also required. We can use our domain and our account. That's it. Now we can go to the part that creates a lot for us automatically, again not through the declarative API but through the way F5 has had for a long, long time. It's called iApps. We have an iApp template for Remote Desktop Services; you can use just the latest version you find on the F5 download site. So, the proxy: the name, yes, we would like to have a proxy, and configure parameters that are basically clear for most administrators, or Microsoft administrators. So we create authentication: provide the domain name, and then the domain binding; the ping is just enough for the check. The NTLM account was created before, and we do need it; this is what it's all about. We do have a certificate, and we can provide the name of the virtual server, so the entry point for these connections, which is important from the networking part. And we can allow any host to connect. That's it. And you can see now how much configuration this template is going to actually create; it's awesome that we can bypass doing it manually. But we still need to add a few things. One is the RDP resources themselves; we need to create a couple of them. So first of all, the host that we will use: RDP is the protocol, we need just a session host, a very traditional one through the address, but we need SSO also, we need single sign-on, so I don't need to type my credentials to access this host. That's it. If you have some Remote Desktop sessions published, what's called RemoteApps, and I do have them on the very same website, on the very same server, sorry, you need to provide Remote Desktop Web Access and just click SSO. That's it, finished.

And we need to modify the policy itself, the one that is directly linked to the virtual server that's been created, while the other one is the technical one to provide authentication for the proxy. So we can click Edit here for the Visual Policy Editor, and this is the policy created for the native client. Let's enhance it with the web possibilities. So, the logon page: now we can enhance it with one more thing, like selection of the domain name, so users should not really type it if it's required in your domain; so, a text value. Okay, so my page will have a drop-down list of domains. The rest is the same: Active Directory authentication. We will now have two configurations of authentication for the same server; you can use either one. And now we need to assign our resources: the advanced resource assign, the same as we did. What we're going to do is just assign all the things that we basically have, so we can put even the VPN access, the portal access and our newly created Remote Desktop connections onto our portal. Okay, this is it, almost done. But we need to do a few more things: we need the virtual server to have the rewrite profile for the portal access, and SSL on the server side for the Remote Desktop server. You need to update these. Done. We need to save this. Now check the ending; it should finish now, and we're right close to the end of this demo. We need just to apply all the policies. Applied, okay. And we need to go; I have another hostname, test.f5demo.com, for this, so it's a new virtual server, a new name. So I have a drop-down list with only one value, I log in, and what we're going to see is that the webtop is presented with all the services published: a few applications from the Windows side, and the RDP host is published here. As an example we can use the Windows calculator, which is going to be fired from my Mac. I can just click it over here; the native client is going to open, the certificate is not trusted, it is beneficial for us. I see the desktop: f5demo.com, RDP going through the BIG-IP and not to the server directly, so this connection is encrypted and authenticated through the BIG-IP. And we see, voilà, a Windows application hosted right over my Mac; that is totally fine, calculating something.

This is pretty much it; we're close to the end. As a conclusion: you can use the BIG-IP as the host for all your remote applications. You can modify the look and feel; this is built in out of the box, so you can change the design and the pictures here. You can define the links on the webtop per user group, or per authentication type of the user and location. And you can start just right from these instructions. That's it. Thank you very much for your attention, see you in my next videos. Alright.
Info
Channel: F5 with Alex
Views: 2,817
Rating: 5 out of 5
Keywords: f5, sslvpn, rdp, rds, remoteaccess
Id: oWa1aW45JSE
Length: 25min 4sec (1504 seconds)
Published: Mon Mar 23 2020