and then I'm going to ask you a question about the pictures when we're done, so I'm gonna give you a few minutes, a few seconds, to look at each one. If you think about all four of those together, is there a word or something that comes to mind about them all, anything? Color? What did you say? Vivid, okay. Vivid, visually appealing, dramatic. Could we say it's visually appealing, is that fair? Appealing to the eyes. We like things that are visual, is that true? We like things that are visually appealing. I think I'd much rather look at something that's visually appealing than something that's gray and blah. Even though I'm wearing black and gray today, I usually wear color. I like color for the same reason: I think it's more vibrant and visual, and so when we can create things that are visual, that is typically going to be a little bit more of interest. And so luckily what we're going to talk about today with APM, we're gonna have a little element of visual in here as well. Anybody know what that is? Anybody know what I'm referring to? It's got the word visual in it. If nobody knows, that's great, you're gonna learn something really fun today. Mm-hmm, not visualization, but a good guess, very good guess. It's more exciting than that. So, APM.

We're going to talk about four things throughout the day, as I've done with AFM and ASM. We'll talk a little bit about what the product is and, you know, how we use it, how we sell it. Then we'll talk about some of the key aspects of setting up something in APM, and then we're gonna really do two main... there's a lot of use cases with APM, like SAML federation and all of this, but it all really boils down to a couple of key things: resources and authentication. So in lesson 2 we're going to talk about some of the resource types that we have, including a webtop. Somebody in their presentation brought up the webtop; forgive me, I always forget, I forget who did it, but I remember the concept of it being done. So, okay. And then lesson 3, we're gonna cover one of the real reasons we use APM, the reason we support this in our product line: it's authentication and authorization, and also what we call endpoint checking. And then after lunch we will cover using APM as an SSL VPN for network access, which is, I think, one of the key things about using APM, why we do it.

So let's start off with our overview. How many of you are familiar with VPNs? What does it stand for? You'll want to know that in your exam. Virtual Private Network. And throughout the last 20 years, what's probably been the most commonly used VPN? IPsec. So what are some of the challenges of maintaining IPsec VPNs for your clients accessing your network? So IPsec requires some very specific ports and protocols, and so if you're behind a firewall at a customer site and you need to VPN, you may find that you cannot. What else? There's one other thing. Exactly, yes. What else might be a challenge with an IPsec VPN for an administrator? Anyone? The setup, specifically the setup on the client side: you have to have a client program and it needs to be configured, and so if you're trying to connect from anything other than your own corporate laptop, that could be a challenge. So APM is one of the SSL VPNs on the market.

I worked ten years ago for a company called Aventail. Has anybody ever heard about Aventail? At Aventail we were just primarily an SSL VPN vendor; we got acquired by SonicWALL back when I was still working there in the late 2000s, and I don't know if they just sort of left this one, I don't even know what the state of this product is, but I really enjoyed it. I liked this product, and so when I first got here at F5 I was very excited that we had a very similar product, and it does a lot of similar things.

The key to any VPN solution is we give our users access to resources. That's really what it's all about: users getting access to resources. So we have all these users out there, a variety of different kinds of devices. We can include authentication using a variety of authentication methods. Then we can also do authorization, so we can ensure that the people connecting are only in specific Active Directory groups. And then we also can do endpoint checking, where I can verify that their device meets some minimal requirements for our remote access, like they can only be on a Windows device. I have very specific requirements for my network because of all the challenges that Mac users have caused, and I say, sorry, Mac OS not allowed in my network, go find somewhere else.

And then we give the users access to different kinds of resources. One of the resource types we can give is an entire network, everything inside the network. Then we can also just give access to a single website; in fact we can lock that down to giving access to just one single web page if we wanted to. We can also give access to what I call a client-server application. It's not the same as the whole network, but it does require more than a website; it requires some different ports to be enabled for that particular resource type. And then finally we can give access to Windows terminal servers to do an RDP session, or Citrix clients to connect to, or VMware View desktops, so our virtual, virtualization solution there as well. So that's what we really have here, that's what we're providing: access for our users. They don't even have to be remote users; we call it secure remote access, but they could actually be internal as well. In fact I think we can get access to an LTM pool; we're gonna talk about all this throughout the next couple of lessons.

So when we're positioning APM, this is a set of features that an organization either needs or they don't need. If they don't need a VPN, it's gonna be hard for us to go in there and sell them a VPN. Try to encourage them to have remote access, remote users doing stuff? They may not allow, they may not allow users to travel or work from home, and so, you know, lost opportunity. Authentication is a great selling feature, but they just may not require it, who knows. But if we are out there trying to compete for an SSL VPN solution, well, what I have found is that a lot of the SSL VPN vendors are very similar. You know, I call it kind of an apples-to-apples comparison: they might have a feature that we don't have, we'll have a feature too that they don't have, but I'll bet you in the next releases we'll have each other's features, especially if they were a popular feature. So what sets us apart? Well, one of the main things is the fact that we can support far more concurrent users through the VPN than our competitors. For example, to get the kind of throughput on the old Aventail appliance that we could do on, you know, a 10000 series, they would have to have, I don't know, 10 or 20 appliances in their data center just for the same thing. So we can support a lot more users than our competitors. We also can take advantage of everything; this runs on the BIG-IP, so it's another product that runs in TMOS, so we can use all of our optimization, TCP profiles, caching, compression, all the things that you guys have already learned how to do. And because of the fact that it is in TMOS and it runs on the BIG-IP, it's part
of our consolidation story. So we can do this on the same device; they don't need another vendor, they don't even need another administrator really. If somebody already knows how to go in and administer the BIG-IP, then it's not a huge learning curve to be able to now support some of these services that we're going to do. In fact you're gonna find, in my opinion, this is one of the easiest products to use that we have, very simple. The only product that I would say is easier, as you will discover tomorrow, is the WebSafe product; it is very easy to use, believe it or not.

Now this is actually a big deal. I think I brought this up last week, that when I first started we couldn't do this on our platforms. We definitely couldn't do this because we were limited on how many modules. Also when I started we actually had two SSL VPNs, and, you know what, Amy didn't know what our other SSL VPN was: FirePass. Yeah, so we had acquired two different SSL VPNs. This happened before I started here, so I don't really know exactly why we went this route, but FirePass never ran on the BIG-IP, so it was always a separate appliance, which is why it really didn't fit into our portfolio at all. We also had another product called ARX, which is like a file management system that also ran on its own hardware. What we have found is when we try to buy products that need their own hardware, it's just not gonna fly for us. So APM was always written into our TMOS, and FirePass had some really good features, so what we've done over the last six, seven years is incorporate those features from FirePass into APM and said bye-bye to FirePass. We don't have that anymore.

So what you guys are going to learn about through lessons 2 and 3 today is what we call dynamic resource assignment. Here's what I'm talking about. So I've got my laptop and I'm connecting through my VPN at the corporate office, which is completely viable; not all organizations do that, but we could do that. And I find out that when I log on using my username and password I have access to the whole network. I can access all of our different... I can access Outlook directly, I can access certain... went too far there. I can access file servers, I can get all my shared folders. Question: does that mean that I can log on to the SQL Server and play around with it? No. Just because I have network access doesn't mean I do whatever I want on the network. I could only do what I inherently could already do, but that's the key: I can do pretty much whatever I could have done if I wasn't going through the VPN.

Then I take my laptop home with me and I connect to my VPN from home, same username, same password, but I find that I don't have network access anymore. So I can't access my file shares, I can't access client-server applications. I still have access to Outlook. Because I'm an administrator, or a part-time administrator here, I can still log on to a couple of Windows servers through RDP, only through RDP, so I can manage them, and I have access to some web apps as well.

And then I go over to my mom's house. I don't have my laptop, so I connect to the VPN from my mother's computer, and I find that no longer do I have access to Outlook, but I can still get Outlook Web Access, and that's really what I was trying to do: I needed to check my email, so I can check Outlook Web Access, and I have access to a couple of other of our back-end web applications that we use. And then on the way home I connect to the VPN through my phone, and I find that I only have access to Outlook Web Access and nothing else.

So my resources that I'm getting are changing based on the environment that I'm in, whatever condition I'm in. The date and time could change it, where I'm at physically could change it, any other number of conditions, the type of computer I'm connecting from could change it, because I'm still using the same username and password. And all of this can be done in a single access policy, which is what we're going to cover today: a single access policy. What do you suppose I'm going to attach an access policy to? A virtual server. Going back to everything we've talked about, I can give different access policies to every application that we have, which is really nice. Single access policy.

So we're going to cover some very specific resource types throughout the day. Later on today we're gonna cover network access. With network access I give access, as I said, to an entire network. Whenever our users connect, they will basically do their connection and establish a VPN tunnel, created using SSL. When I used to talk about this back in the Aventail days, I used to hear companies, you know, certain users, concerned about giving access to our confidential applications through a VPN, and I would always ask them, well, do you do online banking at all, any kind of online banking yourself personally? And they usually would say yes. So I'd say, well, I mean this is your own money, and you're comfortable managing that across the internet? Well, it uses SSL. Great, so does this. So if you trust SSL for your own confidential money, you trust SSL, and everything we do is gonna be very secure.

We always are going to get an IP address assigned to us by APM, and we'll configure the IP addresses, and when you think about this IP address, you want to think about it like the client is actually connected to the network. They're in the network and they can do, as I said a few moments ago, whatever they could do while they were connected to the network. We can set this up, which you'll do later today, using a wizard that we have. We have three wizards, as you can see. This is our network access setup wizard for secure remote access, or something like that, for remote access. Very easy to do; we're gonna cover that later today.

Then we have another resource type called a portal resource. This is a very common SSL VPN term, always means the same thing. First up, we still connect with an SSL connection. A portal resource is any kind of a web application, a website, a web app; it could be a single web page. The only condition is it has to be only an HTTP-based application; no other ports or protocols supported, not for a portal resource. Now there's a reason why a lot of organizations still use portal resources with their VPN, and the reason is our VPN, our SSL VPN, and all of our competitors' VPNs typically require some sort of agent on the client device to do something, and these agents can sometimes be a little problematic. The agents are always running in a browser, and as our browsers get updated they try to protect the browsers from agents running, and that causes some issues with our product and our competitors' products, no way around it. But portal resources do not require any agents at all, so it makes it very easy for us to support giving application access to a variety of different device types out there. So that can still be very valuable. Now we can set up an access policy very easily for this as well using the portal access setup wizard, and this we'll cover after this lesson; we'll do this in lesson 2 and you'll do that in your exercise.

And then the other thing that really sets us apart is we can give access to pools. So what you've been doing for the last several weeks since you started with LTM fundamentals, however long ago you started that, is you've been working with virtual servers, giving them access to pools and adding, you know, different kinds of load balancing methods, adding monitors, adding ASM, adding AFM. We've done all this great stuff, but one thing we've never done is control who can access it. So we can now add that to these virtual servers by applying APM to that same device that we have with LTM, and now we can say, oh, you want to connect to my virtual server pool application? You need to authenticate first. And so we can add the same authentication, maybe authorization, maybe endpoint checking, and we can do that for pools. And SSL, which... no tunnel; the tunnel is only for network. Network,
correct. Everything else just treats it like any HTTP virtual server really; SSL is used between client and server and then we decrypt when the packets arrive. Now this is my favorite wizard, because the name is so clear and simple to find: web application setup wizard for local traffic virtual servers. I've been waiting for several years for them to just simplify the name of that wizard and make it a little bit more clear. This we're actually gonna cover later today, I'm sorry, later in this lesson; you guys will do this. Now here's what I love about this: it's very easy to do. In your first exercise you're gonna already have a virtual server and a pool set up for the intranet of Lorax, and you're gonna add authentication. As long as you know the authentication server details, for example the Active Directory IP address and so forth, as long as you know that, you can set that up in about a minute. Authentication in about a minute, that's all it takes. You're gonna use the wizard; we have our device wizard section there on the navigation, we're gonna use the third option for this feature, and what you'll see here is it just requires a few steps. The main step is what's the authentication server: LDAP, RADIUS, Active Directory. We have several; we'll cover those later today. So that's the first thing, a little overview.

Second thing we're going to talk about in this lesson is some licensing requirements. We haven't really talked about any kind of licensing in any of our modules, except for maybe IP Intelligence, we talked about it a little bit, but this is a different kind of licensing. To talk about the licensing I want to talk about two different ways that you typically will deploy APM in the environment, and I bring this up because this has everything to do with the licensing requirements. So the first deployment scenario is using the APM as a true SSL VPN, just like any of our SSL VPN competitors: we're using it to give our remote users access to, typically, a network through a VPN tunnel, or maybe to a portal resource. Either one of those is what I call an APM resource; these are resources that are only created when you're using APM. The second deployment scenario, which we just talked about, is when I have my virtual server and pool and all I'm doing is adding authentication to it. We call this our user identity and access management solution. Here, this pool is not an APM resource; I've had this pool available forever using LTM, so APM is not being used to give out that resource. Now of course we can have our consolidation story and have ASM here as well, AFM, and you name it, whatever we need to have on there. So that's the first thing you want to think about in terms of licensing: what is my use of this APM, VPN or just authentication?

The second thing we need to think about when it comes to potential licensing requirements is how many user sessions are we anticipating. So we'll talk briefly here about a user session. Yes, concurrent user sessions, concurrent. So let's talk about what a user session is, and we're gonna use Bob as the example, Bob Smith. So Bob connects to the SSL VPN solution up at the top and authenticates. As soon as Bob is authenticated he's now holding a user access session, an access session, and he'll continue to hold that even if he now uses his phone to connect as well. So now that he's used his phone, he's logged on, used his username and password, same thing, but because he's connecting from a second device he now has a second access session. And then he connects from his tablet simultaneously and he's now created a third access session, and he'll continue to hold those access sessions as long as he stays connected, until he logs out, or an administrator could force them out if they wanted. Now by default APM does not control how many access sessions a user can have at one time. We can control that, but by default it's unlimited, so we have to think about that.

Now Bob uses his laptop to also connect here; he's now creating another access session, but on this APM down here. The only thing that cannot happen is Bob cannot have two access sessions from the same device to the same APM, with the only exception being if they're running some sort of VMware virtualization and they have a different access session from a different VM of some sort. So that's our access sessions.

Then we have a second kind of session called a connectivity session, or a CCU, concurrent connection use... I don't know what the CCU stands for, I always forget. It's not that he couldn't connect; you just can't, like, if you're going to the SSL VPN VIP on a web browser and it's running, you can't open up a web browser and go to that same SSL VPN VIP. It just wouldn't work; I don't know what you'd get, I've never tried it before, but you wouldn't be able to log on again.

So a connectivity session is going to be consumed any time a user accesses one of these APM resources, like a network resource. So when Bob goes through the APM up there to the network, he consumes an access session and then he consumes a connectivity session. Now once he has that connectivity session established, he can access any of the resources available from this APM; each one of these resources doesn't consume a second and a third connectivity session. Now this is not an APM resource, so getting access to this does not use a connectivity session or a CCU. So here we consume an access session to be authenticated and that was it, but we still needed the access session. Any time you use APM it's going to require an access session, but if you're using APM as a VPN tunnel then it's also going to require a CCU session, a CCU license. Go ahead. The difference from which? Correct, it's not. The way I like to summarize it is: if I'm accessing an APM resource, a resource available because we have APM, that requires the connectivity session. This is not a resource that we need APM for; it's a pool that is being used by LTM, so it doesn't use the CCU. So like I said a moment ago, Bob from his laptop can't consume two access sessions at the same APM, and he also can't consume two CCUs through the same APM. However, he could connect from his laptop, consume an access session and a CCU, and then connect from his phone and consume a second access session and a second CCU, connectivity session license.

So what you guys have to think about when you're talking with your customer about using APM is, hey, do we need to... you've already licensed APM, you bought the license, you have... which bundle goes with APM? Best. So we've already got Best because we're using ASM, so do we need to purchase, in addition to that, some licenses? And I asked my whiteboard group this on Wednesday; I was giving them a little challenge because they were suggesting using APM as part of the solution for administrators to access, and I said, oh, does that... that doesn't cost us anything else? It can't cost us anything else, it's impossible for it to cost anything else. I was trying to get to this point. So here's how you think about this. There's a couple of factors. First, what device are we on, what BIG-IP are we on? So in this case a 4200, and you need to know what the maximum user throughput is for your hardware device: what is the maximum number of users that we can push through this piece of hardware? Anybody know what the max users for a 4200 is? Guesses? 500? It's 10,000. So here's the good news: as soon as our customer has APM provisioned, licensed, because they have the Best bundle, we give them 10,000 access sessions for free. So all those potential access sessions they need, they don't have to pay anything else for that at all. We also give them five hundred of those CCUs for free. This next customer, they're running a 10000 series. Any guesses on what we can get through that device? 60,000. So in this case we give them 60,000 access sessions when they have APM provisioned;
they still only get 500 free CCUs. In this case we have a maxed-out VIPRION, maxed out with the best blades we can get. Our maximum user throughput available is what, two hundred thousand, I think I heard it. We've got to know that. So it is possible, probably not likely, but it is possible we could get two hundred thousand remote access users through on one hardware device; competitors can't do that. Still only give them 500 CCUs. And then this is the scenario where they're using LTM with APM, and they're only using APM for authentication purposes, not VPN, and this hardware supports sixty thousand users, and it still gets 500.

So for each one of these four scenarios I have to go and talk to my customer and say, what are our needs? The first customer, they are going to be using this as a VPN, so we need to know how many users, concurrent users, and remember Bob can have two or three sessions possibly, so how many concurrent sessions are we expecting? And they're assuming around 5,000 concurrent users, plus they want a little bit of room for growth, so they've decided to purchase an additional 7,000 CCUs. They don't have to buy any access sessions. A lot of our competitors don't give access sessions for free, so they charge for both access sessions and connectivity session licenses. This makes us no different, by the way, from any of our competitors; all of our competitors charge for this. We're pretty competitively priced as well. This customer has a bigger global VPN strategy, so they need 15,000 sessions plus room for growth, so they're gonna buy an additional 20,000, giving them twenty thousand five hundred. Now for any one of our hardware platforms, a customer can purchase a number of CCUs up to the number of available access sessions, but not more than that. So this customer here wants to max out; they want as many CCUs as they can get. How many can they buy? How much is it? Mmm, they can't buy 200,000; they can only buy a hundred ninety-nine thousand five hundred, which will give them 200 thousand. Probably not likely you're gonna come across that; that would be a big sale. Now in this case they are not using this as a VPN, they're only using this for user identity and access management, which, as we just covered on the last slide, does not require any CCUs. So as long as they have APM licensed they get the 60,000 access sessions; that's all they need for this solution is access sessions, they don't need to buy anything else.

So that's why this is important for you to understand, two things, three things. Number one, are they using this at all as a VPN, which includes network resources or portal resources? Portal resources also require CCUs. So are they using it for that? If the answer is yes, what hardware platform are we on, so I know how many total users are available? And then number three, what do they anticipate as their need for number of concurrent users at any time? And then we can put the math together pretty quickly and determine how many licenses they're gonna have to buy. Questions on this, because this is the last slide for this topic?

You can't consume more than one CCU, but when I have that one CCU I can access all the resources that are available through that APM. I can access all the resources that are available to me, so remember that slide where I took my laptop home and stuff: any of those resources that were made available to me I can access at the same time using the one CCU, if you're going through the same APM. If I have to go through... now here's an important fact: I cannot have two SSL VPN tunnels running at the same time on my computer. So if I've got an APM in Spokane, Washington that I can connect through, and I have another APM SSL VPN in Seattle that I can connect to, I can't connect to both of them at the same time, again unless I'm running a virtual machine inside of my computer. So I cannot even really consume two access sessions, as I said earlier; I can't consume two access sessions from my same device, and it'll just use that one. Yeah, you can self-terminate your sessions as well. So it's just not going to let you do it; it won't make a mistake. And a lot of people ask this question, you know, is it an actual limit, or is it like a grace period, you know, do we give a grace value or something like that? No, it's an actual limit, so a user will just be told can't connect. The user will really just get a message that says can't connect; they don't get a special dialogue, you know, a notification. We can find out as an administrator.

And here's the thing, another thing about an APM policy is there are some unlimited settings. I already mentioned one: how many sessions one user can have at a time, right, by default it's unlimited. Another setting is how long a user session can last; that is also unlimited. So it's possible that Ramin is getting ready to go on his two-week vacation and he connects to his VPN to check his email before he leaves, but he never closes his session, and so he consumes that session for two weeks. That's possible. We can go in and monitor that on the APM and we could terminate those sessions if we wanted to. You can also add maximum timeouts as well, so users might just get bumped off and then they have to reconnect if they were actually using the VPN. What do you mean? Oh, so we can control... I don't know if we can control it via bandwidth, but we can control the user sessions, how many user sessions can be used by a policy at one time, and I'll actually cover that on the whiteboard in just a moment. But I don't know if we can do it via megabits or, you know, per... it's possible, I just have never seen it. Okay, and I don't know, yeah, I don't know if there's any kind... I've never seen anything like that with APM, and I'm the first to say that doesn't mean it doesn't exist; I just have never seen that as a configuration. But we'll look at the configuration settings in a moment for an access profile and we'll just see if that's something there; it might just be a setting I've never acknowledged before. The menu item is access sessions, yep. You guys, I don't know if you'll play with it on this, but if you ever... all right, I don't have a lot of demos anymore, but I'll see if I can show it to you if I see a picture of it in the slide. You had a question earlier? Absolutely, we'll cover that more in lesson 3: unlimited options when it comes to authentication. Yes, to your closest? I wonder if you'd need to do DNS. It's treated just like... well, that's... no, it could work. When I have it configured like a client, we do have our Edge Client; even if you're not using the Edge Client, you go to a URL, you go to vpn.f5.com, where does that take you? However it's resolved. So yes, DNS would definitely come into play if I wanted to route them. Some people just have seattlevpn.f5.com, spokanevpn.f5.com or something like it, and so the user has to pick themselves. I'm not saying that's how you have to do it, but I know a lot of organizations do it that way: you decide which VPN you want to connect to. But you can definitely do it through DNS as your VPN to connect to, which actually is not bad, I don't think, Sam; I think something close to San Jose probably isn't going to be noticeable, but you definitely want to try to connect to the VPN closest to you, always. All right, so here is the top-level object with APM:
It's called an access profile. Now, you might have heard me earlier use the term access policy; I'll talk about that in just a second. But the access profile itself is where we're going to set some of those limits that we talked about. So let me give you a possible scenario here, and this kind of goes along with what Matt was talking about. I've got my APM that I'm using for remote access, and I have two VIPs: one VIP that my employees use, and another VIP that my partners can access. Each one of these VIPs has its own access profile, and we have a total of five thousand CCUs on this APM; the whole APM has five thousand CCUs. And I'm getting phone calls from my employees saying that they can't connect, they can't connect, they can't connect. So now we go in and monitor these access sessions, and we find out that these guys are consuming forty-five hundred of my CCUs, and a lot of them are sitting open for 24 or 48 hours or so. That's another setting that doesn't have a limit by default: how many access sessions can be consumed by one profile. So we can now configure that this access profile can have no more than 3,000 CCUs and this one can have no more than 2,000, so that I can ensure that no longer happens. And we're going to do that on this screen here, along with a few other of our settings.

So first off, our profile: we're going to give it a name. Under the type, for now I would always recommend just choosing All. It means you have access to all of the APM features, so we're not necessarily limiting ourselves or hurting ourselves; it just means there might be extra features that we may or may not know if we even need. I can live with that; it's easier. And then down here is where we have some of these settings we want to configure, such as an inactivity timeout if they're not using it. We can also do a maximum timeout, so either of those will prevent an employee from leaving his VPN running for two weeks. Right, sorry. And then we have our maximum concurrent users. That's where I set the number we were just talking about up on the board, so 2,000 for my partners. And then maximum users per session: so instead of letting Bob open 20 sessions, he can only open 3 and no more at that time. So you'll see here. "So I'm not seeing anything in terms of size of traffic, just amount of traffic?" Well, this still gives us some good control of what we're going to do.

Once I've created this profile (very simple, not a lot to creating the profile), the profile is what we now attach to the virtual server. You'll see it is specified somewhere in here; it's actually not attached right now to a virtual server, so this is what we're going to attach to the virtual server. Now, I talked a little bit ago about an access policy, and this gets just slightly confusing, so I'll explain it. We have one access profile we attach to the virtual server. An access profile has one access policy, and one access policy only, so an access profile and an access policy are one to one. Why are they not the same thing? I don't know. I just wish this was all called the same thing; it would make life a little bit easier. No, because they are connected, I can't separate them somehow and mix and match: the profile contains the policy. So the policy is where all the magic happens, and we're going to get to the policy with that little edit link for the profile. When I click on that edit link, that's what pulls up the visual policy editor. Here's our visual excitement. This is what gets customers excited about APM, that visually appealing aspect that we talked about a little bit earlier. This is so exciting that it's the one time I created an exciting flashing animation, but you wouldn't normally see that in my slides. So remember what I was mentioning earlier about having my laptop at work, then I take my laptop home, go to my mom's house: all of those decisions are made in the access policy. So we can do several kinds of things within the access policy. We can determine things
about their computer: do they have antivirus software running, do they have firewall software running, do they have a client certificate identifying them as a corporate-issued device. We can also identify aspects about their environment: what is their IP address, what is the date and time. I can limit this to work hours if I wanted to. And then I can gather credentials and do an authentication against a variety of authentication servers, and then I can use their account, now that I have their user account, and go check group membership from something like an Active Directory server. I can authenticate them, and then what are we using this for? We're using it to give access to resources, so I define all my resource access there in the Advanced Resource Assign. And then finally I can clean up their session; in other words, if they're connecting from a public computer, maybe I don't want to leave evidence of their session on that computer, so I can clean up the stuff that was created. We're going to talk about all this throughout the day, everything we put in here. If you're going to demo APM in any way, you're going to bring them in here and show them aspects of the visual policy editor. This is something our competitors don't have: this ability to see what is happening in a visual way, which is really cool. And then we can also give users information. So, in other words, if the user doesn't have our required antivirus software, instead of just killing them we can tell them why, and give them some guidance on what they need to do.

So we have one VIP; one VIP has one access profile; that one access profile is attached to one access policy; and the one access policy has one start point. That means every user that's going to this VIP starts at the same place, and then they go through branches based on whatever environment they're in, and then we have several different ending points. We have three configurable ending points: one is the allow, one is the deny, and the third is not remediation, the third is a redirect. It's called a redirect ending, and I can redirect them to any URL. So instead of just giving them a denied dead ending, I can send them to a website inside of our environment, or anywhere, that gives them instructions on how to set up their antivirus or whatever it is I want to do. So it's kind of cool; a lot of stuff we can do in here.

So let's talk about how a user ends up somewhere along here in the branching. As I said earlier, all of our users start in the same place, and whenever there's a fallback branch, what that means is all users go there. Excuse me, let me rephrase that: when there's only a single fallback branch and nothing else, all users go there, and that's usually for one of two reasons. In this first example, everybody is going to fill in login credentials. I'm not making a decision here; I'm only gathering information from the user. So when I gather information from a user, typically all users move on on the one fallback branch. The other situation is where I have a message box. Now I'm not gathering information; I'm telling
information. I'm not making a decision; I'm just telling information, and typically after a message box we just have the one fallback branch. But now we come to an item, one of our many item types that typically have two branches: a successful branch and then a fallback branch. These items are typically checking for one thing, "do you have this," because the answer is always either yes or no. Did you authenticate successfully, yes or no? Do you have this antivirus software, yes or no? That's all I care about. I love having that, you know; the timing could have been a little bit better, right when I hit my exciting point and I had the drumroll. That's my text notification. So in this case, if they did log in successfully, they move along that branch. If they didn't, in this scenario the fallback branch really should say failure: success at the top, failure at the bottom. These are the people that failed whatever check we were doing, and then these users all get information, they all go to the fallback branch, and they're all denied access. That's how they end up there if they didn't authenticate successfully.

Now, all the successful users go to a different item type, and in this item type I'm not checking something yes or no; in this item type I'm looking at something about them, something about their computer, and I'm matching it to a different possible outcome. For example, what client OS do they have? If they have this one, they go this way; if they have a different one, they go this way. Another example is group membership: if they're in the employees group they go here; if they're in the partners group they go here. So now in this case we're going to look at their device, and because this user's got an Apple phone, they'll now follow the Apple branch. When you have this kind of a branching system, it's always important to remember that we travel the first branch we match, and we never follow a branch to the end and then come back and check and go to another branch. Once you start heading on a branch, that's where you're going; you're not going to ever traverse back. So think about the fact: if you're using group membership branching and you've got the employees branch and then you've got the sales branch, well, all of my sales users are employees, but if I have them ordered that way, all of my sales users are going to go to the employees branch because it's first; they'll never make it to the sales branch. So I want to swap those two. In this case it's impossible for me to match two branches, so all my iPhone users are going to get their resources and then they're allowed access. In this case we're going to scan this device, and this user is using one of those strange things called a Windows Phone. Well, I don't have a branch for a Windows Phone, so in this case, more often than not, the fallback branch doesn't signify a failure; it just means they didn't match one of the branches up above. And I can either say, okay, all the rest of these users, they'll just get these resources, and still give them access to stuff; in this case I'm telling them we don't support Windows Phones and they are going to be denied. So that's sort of how we set this up, and there is absolutely no wrong way to do this; it's just whatever we need. And that's again one of the real benefits of using this: complete flexibility. The Aventail device was nothing like this; it was very rigid on how you gave access to stuff. "A certain application?" Absolutely. Well, that's kind of what we had there, is that each one of these different devices has a different set of resources that I'm giving. So what that means is when I'm connecting from my laptop I'm going to get one set of resources, but when I'm connecting from my phone I'll get another set of resources, but only if... actually, I don't have any pre-logon checks; I don't have, like, an antivirus check over there. All right, so last thing, and then you get to do your first exercise: how do we set this up on a VIP level? Very easy.
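To make the first-match rule concrete, here is an added Python model of how the branches of a policy item are evaluated. It is not F5's code and not part of this session; the item names, the session dictionary keys `auth_ok`, `os` and `groups`, the `shadowed_branches` helper and the redirect URL are all constructed for the illustration. It reproduces the employees/sales ordering pitfall just described, shows a Windows Phone session landing on the fallback branch, and flags the branch that the configured order makes unreachable.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Session variables gathered by earlier policy items (constructed for this
# example; real APM session variable names are not used here).
Session = Dict[str, object]
Predicate = Callable[[Session], bool]


@dataclass
class PolicyItem:
    """A policy item whose branches are tried strictly in configured order.

    A two-branch yes/no check is just the special case of a single branch
    plus the fallback.
    """
    name: str
    branches: List[Tuple[str, Predicate]]
    fallback: str = "fallback"

    def evaluate(self, session: Session) -> str:
        # First matching branch wins; later branches are never consulted,
        # and there is no backtracking once a branch has been taken.
        for label, predicate in self.branches:
            if predicate(session):
                return label
        return self.fallback


def group_item(order: List[str]) -> PolicyItem:
    """Group-membership item; `order` is the order the branches are drawn in."""
    return PolicyItem(
        name="group membership",
        branches=[(g, lambda s, g=g: g in s["groups"]) for g in order],
    )


def shadowed_branches(item: PolicyItem, sessions: List[Session]) -> List[str]:
    """Branches that some sample session would match but which are never
    selected, because an earlier branch matches those sessions first.
    Hypothetical review helper, not an APM feature."""
    selected = {item.evaluate(s) for s in sessions}
    return [label for label, pred in item.branches
            if label not in selected and any(pred(s) for s in sessions)]


# One start point, a yes/no item, a multi-branch item, three ending kinds.
AUTH = PolicyItem("AD auth", [("successful", lambda s: bool(s["auth_ok"]))])
CLIENT = PolicyItem("client type", [
    ("Apple", lambda s: s["os"] in ("iOS", "macOS")),
    ("Windows", lambda s: s["os"] == "Windows"),
])
ENDINGS = {
    ("AD auth", "fallback"): "deny",
    ("client type", "Apple"): "allow:mobile_resources",
    ("client type", "Windows"): "allow:laptop_resources",
    # Constructed URL for the redirect ending.
    ("client type", "fallback"): "redirect:https://help.example.test/unsupported",
}


def run_policy(session: Session) -> Tuple[str, List[str]]:
    """Walk the policy from the single start point; return (ending, path)."""
    # The logon page only gathers data, so it has one fallback branch.
    path = ["start", "logon page/fallback"]
    branch = AUTH.evaluate(session)
    path.append(f"{AUTH.name}/{branch}")
    if branch == "fallback":
        return ENDINGS[(AUTH.name, "fallback")], path
    branch = CLIENT.evaluate(session)
    path.append(f"{CLIENT.name}/{branch}")
    return ENDINGS[(CLIENT.name, branch)], path


if __name__ == "__main__":
    sales_user = {"auth_ok": True, "os": "Windows", "groups": {"employees", "sales"}}
    print(run_policy(sales_user))
    wrong_order = group_item(["employees", "sales"])
    print(wrong_order.evaluate(sales_user), shadowed_branches(wrong_order, [sales_user]))
    right_order = group_item(["sales", "employees"])
    print(right_order.evaluate(sales_user), shadowed_branches(right_order, [sales_user]))
```

The `shadowed_branches` check is the review step to run before publishing a policy: feed it one representative session per population you expect, and any label it returns is a branch whose users are being silently routed down an earlier branch, which in a resource-assignment policy means they get the wrong resources rather than an error.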
The VIP does need to be an SSL VIP; this is an SSL VPN, want to remember that. We do need an HTTP profile; any time we're doing something at the application layer, we need to have an HTTP profile. And then we're going to go down, and we have to have our client SSL profile so that we can decrypt these requests. And then we have our access policy section. Now, once again, our naming here, I'm going to be honest, I don't like it, because we have the Access Policy section that contains an access profile which contains an access policy. I think that's strangely worded, but you guys at least now understand it. So this is where we'll define the access profile that we created. Two other things that are going to be taken into consideration: if this access profile is going to give out portal resources of any kind, we'll need to have a rewrite profile. Also, if we're going to give out any kind of application access, whether it's a network tunnel or the client-server app that we also call an app tunnel (we'll talk about that next), then we'll need to have a connectivity profile. The good news is, if you're using the wizard to set this up, it'll do all this for you, so you don't really even have to worry about it, because more often than not you don't necessarily need to customize these very much, if at all. One new thing that just got added with 13 is, if you're giving any RDP access (we talked about being able to do Citrix hosts or remote desktops), there is another new profile that you have to add to the virtual server, and you will do that in lesson two, your exercise, so you'll see where that's at. Questions? Ready to try it?

So again, you're going to see that you can add authentication to your existing application. Set up your virtual server and pool; you can add authentication in, really, a matter of seconds. So you're going to do that, and then you're going to look at the visual policy editor, and you're going to make your first mild change with the visual policy editor, and you'll see the results. This should take us no more than half an hour if you've got your environment running and ready to go. I do want to point out one thing, very, very, very, very important, at the beginning of this exercise, so let's all turn to that together. We are at page 100. You have to reset two clocks: the Windows clock, as you've been doing, and, unfortunately (I've tried to fix this; I don't know why it does this in Ravello), it always resets the Active Directory clock to, like, Greenwich Mean Time, I think it is, so you have to manually configure the Windows Server clock as well. If you don't set them properly, authentication is going to fail; it's not going to let you authenticate if the clocks are off. All right, we're good on that. 9:45 we'll pick up again.