F5 APM - SSL VPN - OTP Authentication

Coronavirus is changing the world. It’s changing the way we work. It’s opening barriers. Teleworkers can work as they were in the office. Companies want people work from house. However, security engineers should stay alert. They should install and configure security tools, such as SSL VPN, for teleworkers. They should also think about how to secure the remote access to the company. Security engineers should enable secure protocols such as TLS 1.2 and TLS 1.3 for remote access. They can configure host checking to allow only updated computers. What’s more, we can enable two-factor authentication (2FA) to get remote access with something we know (password) and something we have (token).

I configured 2FA in F5 APM last week and I would like to share this configuration with you. We can send the one time password (OTP) by SMS or by mail. Sending the OTP by SMS is a little bit more complex because we have to configure HTTP Authentication. In addition, if we have to protect the HTTP Auth with SSL, we’ll have to setup a virtual server with the SMS API’s destination IP address listening on port 80 and a SSL server profile, we’ll have to create a pool with a member on service port 443, and we’ll also have to create a node using the API’s hostname with FQDN auto populate. Therefore, HTTP Authentication will be on port 80 and when F5 APM wants to send a POST action to the HTTP Auth server, actually, it will be sent on port 443 with SSL. I said, it’s a little bit more complex!

OTP Macro

However, sending the OTP by mail is much easier. Firstly, we have to configure the mail server in APM. Secondly, we have to configure the OTP Generate box with the OTP length and OTP timeout in seconds. Thirdly, we have to configure the Email box to send the OTP password to the remote user. Fourthly, we have to configure the OTP logon page where users have to insert the password received by mail. Finally, we have to configure the OTP Verify box to check if the password inserted is the same than the password sent by mail. Therefore, you can watch, it’s easy to configure and it’s easy to add security to your remote users.

Regards my friends! Have you added extra security to your SSL VPN with 2FA?