F5
®
- AppDome Partnership
F5 and AppDome share a vision that BYOD users should benefit from secure access to enterprise internal portals for increased productivity.
With the exponential growth of mobile devices and the adoption of BYOD program, users are more productive and have access to enterprise data at any time and from any device. Although increased productivity is desirable for any organization allowing users to access backend web applications and internal portals poses a significant potential security threat that cannot be overlooked by IT departments that are responsible for data and infrastructure integrity, security and compliance.
The joint F5 and AppDome Secure Web Access interoperability benefits enterprise IT Managers, the BYOD and COPE mobile workforce and the enterprise at large with access to a native browser that securely accesses corporate portals. With the interoperability, enterprise IT Managers can conveniently manage policies based on business needs, define blacklist and whitelist sites and gain a two sided security validation that protects data-in-transit and at-rest on the mobile device. Users gain a seamless user experience when accessing the enterprise intranet portal as no VPN or special configuration is required.
The Secure Web Access Solution Includes:
•
A truly native user experience with a native browser such as Google Chrome•
Enhanced productivity•
Backend access from managed & unmanaged devices•
Seamless connection to the enterprise with Certificate Base Authentication•
Complete access control to internal portals and documents•
Whitelist & blacklist for URLs•
Extension of enterprise compliance to mobile
Secure Web Access with AppDome & F5 BIG-IP
®: How it works
The joint solution consolidates AppDome’s Secure Web Access to an enterprise internal portal through F5 BIG-IP via a native browser such as Google Chrome, for both Android and iOS users. F5 BIG-BIG-IP’s technology seamlessly delivers secure access to the enterprise via SSL traffic, firewalls, credentials and policy management. With the F5 BIG-IP interoperability, the AppDome Secure Web Access technology provides a bidirectional security inspection that enables mobile corporate data protection and prevents man-in-the-middle attacks, malware and data leakage. With the F5 BIG-IP and AppDome Secure Web Access solution, enterprise users can seamlessly and securely connect to intranet portals and access files, corporate data and enterprise applications such as ERP systems, CRM systems and payment solutions with zero overhead and without compromising IT infrastructure.
Users are automatically authenticated upon accessing corporate internal portal resources located behind the F5 BIG-IP via a AppDome issued security certificate.
Only AppDome protected applications contain the AppDome certificate and allow enterprise users to view or download enterprise data. Any other applications on the device cannot gain access to the AppDome certificate and are blocked by F5 BIG-IP.
The AppDome protected browser is also capable of restricting access to a closed set of URLs so that users can access secured corporate websites only. IT is able to determine access policies based on business needs without blocking devices. This AppDome capability further protects enterprise data by preventing malware from untrusted websites from infiltrating into the corporate network.
Prerequisite Hardware and Software Connectivity
F5 BIG-IP Configuration
1. You must obtain a license for on your F5 BIG-IP 2. Log in to the F5 BIG-IP web UI console
3. Create VLANs by clicking Network → VLANs → Create then fill the details below:
Create
two
VLANs:Name VLAN For HOST VLAN For Server
External Interface Internal Interface
Untagged Interface 1.2 1.3
The external interface associated with the VLAN should be the same interface associated with the web client. The internal interface associated with the VLAN should be connected to the same interface associated with the web server.
Set IP addresses on the F5 BIG-IP box. Click Network → Self IP → Create:
Client Interface Server Interface
IP Address 192.168.2.1 192.168.3.1
Netmask 255.255.255.0 255.255.255.0
Proxy server for F5 BIG-IP
In order to allow HTTP traffic from client to server, a proxy is required. Create a Server pool
1. Click Local TrafficàPools 2. Click Create.
3. Give the pool a name, for instance "portal_server_pool", and add a description. 4. Configure health monitoring on F5 BIG-IP and select http.
5. In the Resources list add nodes. Fill in the Address (the server's internal IP) and Port (80 if this is a HTTP server). Finally, click Add.
Create a Virtual Server
A virtual server is an entity that represents a real web server facing towards the external network. When the Virtual server receives a request it directs it to one of the servers in the pool that is associated with it
1. Click LocalTrafficàVirtual Servers 2. Click Create.
3. Give the server a name and a description.
4. Source - this is the subnet of addresses that can access this server, you can specify 0.0.0.0/0 to allow anyone to access it.
9. Click Finish.
SSL Certificate Enforcement
SSL Certificate is required in order for the server to certify that only approved clients can pass through the box
SSL Configuration
1. Add the certificates and keys to the F5 BIG-IP :
1. Go to SystemàFile ManagementàSSL Certificate ListàImport
2. Import the server's certificate, private key and the CA certificate. 2. Create an SSL profile
1. Go to Local TrafficàSSLà Client.
2. Click Create.
3. Specify a name for the client profile.
4. Check the Custom check box after the Parent Profile line.
5. In the Certificate specify the Server Certificate previously imported. 6. In the Key specify the Server Private Key previously imported. 7. Click Add.
3. Apply the SSL profile to the virtual server:
1. Go to the virtual server you have created (Local TrafficàVirtual Serversàselect your server).
2. Change the Service Port to HTTPS (443)
3. In SSL Profile (client) move the profile you created to the "selected" column. 4. Click Update.
Configure SSL Client Authentication
1. Open SSL Profile that was created (Local TrafficàProfilesàSSLàClient)
2. Click Custom on Client Authentication. 3. Change "Client Certificate"àRequired. 4. Change FrequencyàOnce.
5. Change "Certificate Chain Traversal Depth" to 2 (certificate for the client and CA). 6. Change "Trusted Certificate Authorities" to the CA certificate you imported earlier. 7. Click Finish.
