
30 March 2020

F5 APM - SSL VPN - Edge Client

I remember that when I finished university, I didn’t know anything about VPNs. Nobody told me how they worked until I started working at Ariadnex. I’ve worked with many VPNs since then. I’ve configured layer 2, layer 3 and layer 4 VPNs. I’ve configured MPLS VPNs, IPsec VPNs and SSL VPNs. MPLS is used a lot by Internet providers, IPsec is right for LAN-to-LAN VPNs, and SSL VPN is the best technology for endpoints.

I really like SSL VPN for endpoints because it’s easy to configure for a non-technical user. I mean, I think everybody would be able to configure an SSL VPN on a laptop. Actually, there are two kinds of SSL VPN: Web mode and Tunnel mode. The first one is easier to configure than the second because we only need a browser. However, tunnel mode is also widely used, although it requires client software.

BIG-IP Edge Client is the SSL VPN client software of F5 Networks. I’ve configured a Network Access profile and a Secure Connectivity profile in F5 APM to show you how to install and use this SSL VPN software. You will see that it’s really easy!

Regards my friends! What kind of SSL VPN do you use in your company?

23 March 2020

F5 APM - SSL VPN - OTP Authentication

Coronavirus is changing the world. It’s changing the way we work. It’s opening barriers. Teleworkers can work as if they were in the office. Companies want people to work from home. However, security engineers should stay alert. They should install and configure security tools, such as SSL VPN, for teleworkers. They should also think about how to secure remote access to the company. Security engineers should enable secure protocols such as TLS 1.2 and TLS 1.3 for remote access. They can configure host checking to allow only updated computers. What’s more, we can enable two-factor authentication (2FA) for remote access with something we know (a password) and something we have (a token).

I configured 2FA in F5 APM last week and I would like to share this configuration with you. We can send the one-time password (OTP) by SMS or by email. Sending the OTP by SMS is a little bit more complex because we have to configure HTTP Authentication. In addition, if we have to protect the HTTP Auth with SSL, we’ll have to set up a virtual server with the SMS API’s destination IP address listening on port 80 and a server SSL profile, we’ll have to create a pool with a member on service port 443, and we’ll also have to create a node using the API’s hostname with FQDN auto-populate. Therefore, HTTP Authentication will be configured on port 80, and when F5 APM sends a POST to the HTTP Auth server, it will actually be sent on port 443 over SSL. As I said, it’s a little bit more complex!

OTP Macro

However, sending the OTP by email is much easier. Firstly, we have to configure the mail server in APM. Secondly, we have to configure the OTP Generate box with the OTP length and the OTP timeout in seconds. Thirdly, we have to configure the Email box to send the OTP to the remote user. Fourthly, we have to configure the OTP logon page where users have to enter the password received by email. Finally, we have to configure the OTP Verify box to check that the password entered is the same as the password sent by email. Therefore, as you can see, it’s easy to configure and it’s easy to add security for your remote users.

Regards my friends! Have you added extra security to your SSL VPN with 2FA?

16 March 2020

F5 APM - Configuring Host Checking

Teleworking is used a lot these days due to Coronavirus. Lots of companies have configured SSL VPN services for employees to work from home. In fact, I worked a lot last week configuring an SSL VPN service where users can access their office computer from home. It is a secure web portal where users log in with their corporate credentials and, once inside the web portal, there is a bookmark which is used to access the office computer. I’ve configured LDAP Authentication, LDAP Query and SSO in this web portal.

However, security is really important. We don’t know whether users’ computers, which are in their homes, are compromised. Therefore, security measures should be applied in the SSL VPN. For instance, we only allow Windows computers which have an antivirus enabled as well as the firewall enabled. Nevertheless, there are no security checks for Linux computers. There are many more security measures which can be applied to improve the security of SSL VPN services, such as two-factor authentication (2FA), checking that the antivirus is up to date, etc.

Regards my friends! Have you configured host checking in your SSL VPN?

9 March 2020

F5 APM - SSL VPN - Network Access

I’m used to working with Virtual Private Networks (VPNs). I’ve learnt how to improve SSL VPN performance with DTLS and I’ve even configured layer 2 VPNs with E-Line VPWS and E-LAN VPLS. I think VPNs are really useful because we can connect branch offices to the datacenter easily and more cheaply than with leased lines. In addition, VPNs are also used to connect remote workers or teleworkers to the office. Today, this is widely used due to the coronavirus!

IPsec VPN is a layer 3 VPN which is increasingly used to connect branch offices to the datacenter because broadband networks, such as FTTH, are really reliable. What’s more, there are broadband networks of up to 1 Gbps, which is enough for most companies. Thanks to IPsec VPN and reliable broadband networks, along with SD-WAN, we can connect branch offices to the datacenter securely, reliably and more cheaply than with leased lines.

SSL VPN is a layer 7 VPN which is increasingly used to connect remote users to the datacenter because it’s easy to use and easier to configure than IPsec VPN. Mainly, there are two configuration modes: Tunnel Mode, which requires VPN client software installed on the user’s laptop, and Portal Mode, which is clientless. You can see in the next video how to configure an SSL VPN in Portal Mode with F5 APM.

Regards my friends! What kind of VPN do you use to connect to your office?

2 March 2020

F5 - Redirect users to a maintenance page

When we have a load balancer that lots of websites go through, it’s a best practice to redirect users to a maintenance page containing text and images when the pool’s members are down. Configuring this feature is really easy and useful. I think this configuration should be mandatory for most companies on all production virtual servers, because users should see a maintenance page when the website is down. This is the best way for users to know that something is wrong with the website and to wait accordingly for a while.

One of the most used configurations is with an iRule. Firstly, we have to upload the images and logos to the F5 device. Secondly, we have to create an iRule with the HTML maintenance page. Finally, we have to add the iRule to the virtual server. I think this is the best configuration to send a maintenance page, hosted on the load balancer itself, to users when there are no members online. You will see in the next video that it’s really easy to develop a basic maintenance page in an iRule.
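The three steps above, written out as an iRule. This is an added example and not the iRule from the video; it assumes the logo was uploaded as an iFile named /Common/maintenance_logo.png (a hypothetical name) and that the iRule is attached to an HTTP virtual server with a default pool.

```tcl
# Added example: serve a maintenance page from the BIG-IP itself when the
# virtual server's default pool has no active members. Assumes an iFile
# named /Common/maintenance_logo.png (hypothetical) has been uploaded and
# that the virtual server has an HTTP profile and a default pool.
when HTTP_REQUEST {
    # Only take over when every member of the default pool is down;
    # otherwise the request is load balanced as usual.
    if { [active_members [LB::server pool]] < 1 } {
        switch -glob -- [string tolower [HTTP::path]] {
            "/maintenance_logo.png" {
                # The logo referenced by the HTML below, read from the iFile.
                HTTP::respond 200 content [ifile get "/Common/maintenance_logo.png"] \
                    "Content-Type" "image/png" \
                    "Cache-Control" "no-store"
            }
            default {
                set html "<html><head><title>Maintenance</title></head>\
                <body><img src=\"/maintenance_logo.png\" alt=\"logo\">\
                <h1>Service temporarily unavailable</h1>\
                <p>We are working on it. Please try again in a few minutes.</p>\
                </body></html>"
                # 503 plus Retry-After tells browsers and monitoring systems
                # that this is a temporary outage rather than a real answer
                # from the application; Connection: close avoids keeping a
                # client connection open with no server behind it.
                HTTP::respond 503 content $html \
                    "Content-Type" "text/html; charset=utf-8" \
                    "Cache-Control" "no-store" \
                    "Retry-After" "300" \
                    "Connection" "close"
            }
        }
        # Stop processing: the request never reaches the pool.
        return
    }
}
```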

There is another useful configuration for redirecting users to a maintenance page. The Fallback Host feature sends an HTTP 302 response to users when all nodes are down. Therefore, users are redirected to another website or maintenance page when the pool’s members are down. This is easier to configure than the iRule because we only have to enter the URL to which users are redirected. Therefore, this is the easier and faster configuration for having a maintenance page.

HTTP 302 response

Regards my friends! Do you have maintenance pages in your virtual servers?