F5 Networks solutions simplify the architectures that serve Microsoft applications. Whether these sit in your data center or in the cloud, F5 technologies provide the features needed to accelerate and secure your resources and keep them highly available. Integration with Microsoft's SCVMM and System Center administration tools keeps the whole infrastructure under control.
Migrating from 2003 to 2012 R2, adopting Hyper-V or Microsoft Azure: how do you carry out...
Make your Microsoft application deployments easier and meet the new mobility constraints.
1. Simplify the deployment of Microsoft applications and mobility
Laurent PETROQUE
Pre-sales Manager, F5 France
2. F5 for Microsoft solutions
[Diagram: custom applications behind a strategic point of control; productive teams, safer apps, innovation]
3. F5 Overview
F5 Networks is the leading provider of application and data delivery networking. Publicly traded on NASDAQ; IPO in 1999. 3,000+ employees. Our products sit at strategic points of control in any infrastructure. Fiscal year 2012 revenue: US$1.38B.
[Chart: quarterly revenue in $ thousands, Q108 to Q112]
4. F5 makes the connected world run better
8 of the Fortune 10 companies • 44 of the Fortune 50 companies • 18 of the top 20 U.S. co… destinations • 16 of the top 20 cloud infrastructure and web hosting companies
5. 50 billion connected devices in 2020 • Cloud computing is in the top 3 CIO priorities for 2012 • 71% of all work will be mobile or web-based by 2020 • 185 billion application downloads in 2014
More service mechanisms • More constraints on the IT infrastructure • More users and more choice
6. Application Delivery Networking
[Diagram: users (anytime, anywhere, any device) → Application Delivery Network → data center application services]
8. High availability for Microsoft Exchange
Availability, scalability and security
• L7 application health monitoring
• Dynamic load balancing
• SSL offload
• Data center high availability
• Custom traffic management
• LAN / WAN traffic optimizations
• Availability maintained through security
9. Application Delivery Networking concepts
F5 BIG-IP Local Traffic Manager (LTM)
[Diagram: application health monitoring shown on the OSI stack, where a transport-layer (L4) TCP check reports the server Good while the application-layer (L7) HTTP check reports it Bad; SSL offload with 2048-bit and 1024-bit keys; traffic management and disaster recovery / business continuity (PRA/PCA); F5 iApps shared by the application admin and the network admin on the Application Delivery Controller]
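The L4-versus-L7 contrast on slide 9 as an added, runnable illustration (not F5 code): a constructed local back end accepts TCP connections but answers HTTP 500, so a TCP monitor reports it Good while an HTTP monitor, which requires status 200 and a body marker, reports it Bad. Host, port, path and body values are constructed for the demonstration.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def tcp_monitor(host, port, timeout=2.0):
    """L4 check: passes as soon as the TCP handshake completes, whatever the app does."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_monitor(host, port, path="/healthcheck", expect=b"UP", timeout=2.0):
    """L7 check: sends a real request and requires HTTP 200 plus an expected body marker."""
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            raw = b""
            while chunk := sock.recv(4096):  # server closes after the response
                raw += chunk
    except OSError:
        return False
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].split(b" ")  # e.g. HTTP/1.0 500 Internal Server Error
    return len(status_line) > 1 and status_line[1] == b"200" and expect in body


class _Handler(BaseHTTPRequestHandler):
    """Constructed back end; status and body are overridden per server instance below."""
    status, body = 200, b"UP"

    def do_GET(self):
        self.send_response(self.status)
        self.send_header("Content-Length", str(len(self.body)))
        self.end_headers()
        self.wfile.write(self.body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_backend(status, body):
    """Starts a constructed HTTP back end on an ephemeral localhost port; returns the server."""
    handler = type("Handler", (_Handler,), {"status": status, "body": body})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(server):
    """Runs both monitors against a back end and returns their verdicts."""
    host, port = server.server_address
    return {"tcp": tcp_monitor(host, port), "http": http_monitor(host, port)}


if __name__ == "__main__":
    broken = start_backend(500, b"database unreachable")  # process up, application broken
    healthy = start_backend(200, b"UP")
    print("broken app :", probe(broken))   # tcp True (Good), http False (Bad)
    print("healthy app:", probe(healthy))  # both True
    broken.shutdown()
    healthy.shutdown()
```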
10. Deploying Exchange with iApps
[Diagram: application optimization, security services, firewall services, remote access, SSL VPN, application firewall]
• Provides a compliant configuration that is generated and applied automatically
• Changes are quick and portable between F5 devices, which eases migrations
11. Securing Exchange
Deploy a service perimeter
• Exchange can be published through 4 services: OWA, OA, AS, EWS
• SSL traffic cannot be inspected by traditional firewalls
• Extend the security perimeter to control each of these services
12. Pre-authenticating Exchange access
F5 BIG-IP Access Policy Manager (APM)
Authentication: verify that the user is known • Endpoint compliance: multi-factor authentication • Authorization: verify the user's rights • Access: single sign-on
13. Exchange 2010 published with TMG
[Diagram: DMZ with MS TMG (ISA) as the authentication gateway; data center with MS Exchange (CAS) and AD]
• Scalability?
• Availability of the TMG server components?
• SSL VPN access? (UAG – Whale)
14. Exchange 2010 – unified and secure access
[Diagram: DMZ with BIG-IP LTM/APM; data center with MS Exchange (CAS) and AD]
• High user density
• Single point of control for all access
• Multi-platform SSL VPN access and endpoint compliance
15. Multi-factor authentication methods
BIG-IP Application Policy Manager (APM)
• Start with a login/password
• Active Directory attributes
• ActiveSync profile properties
• Certificates
• Device ID
Build a policy that enforces several methods in a single pass
[Diagram: user authentication, user authorization, user certificates, device certificates, device ID; Android, WP 7, iPhone]
16. Dynamic resource portal
• Dynamic display of resources
• Suited to mobile platforms
• Improves the user experience
17. Solutions for Active Directory Federation Services
F5 BIG-IP Local Traffic Manager (LTM) and Access Policy Manager (APM)
[Diagram: Active Directory – BIG-IP LTM – ADFS – BIG-IP LTM – ADFS Proxy – BIG-IP LTM + BIG-IP APM – Federation Gateway]
• High availability for Active Directory FS
• High availability, acceleration and SSL offload for the ADFS proxy
• Pre-authentication, SAML and SSL offload for ADFS
18. SAML architecture for a public application
A user requests a resource that supports SAML.
[Diagram: University App in the DMZ behind BIG-IP acting as SP; end users at partner schools, each school with its own IdP; a public/private research app]
19. SAML architecture for a public application
APM identifies the IdP associated with the user and redirects the user to it.
[Same diagram as slide 18]
20. SAML architecture for a public application
The user logs in to their IdP (ADFS in the diagram) through the redirect.
[Same diagram as slide 18, with ADFS as the IdP]
21. SAML architecture for a public application
The IdP redirects the user back to the requested resource, adding a SAML assertion.
[Same diagram as slide 18]
22. SAML architecture for a public application
APM validates the assertion and forwards the request to the service… additional filtering can be applied (the diagram shows an LDAP directory next to the IdP).
[Same diagram as slide 18, with LDAP]
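The SP-side logic of the flow on slides 19 to 22, as an added illustration written for this page (not F5 APM code): IdP discovery by e-mail domain, the redirect to that IdP, and the checks on the returned assertion (registered issuer, validity window, audience, and a matching pending request so that a replayed assertion is rejected). The IdP registry, entity IDs, URLs and the unsigned assertion are constructed; verification of the assertion's XML signature is assumed to be done by a SAML library before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
SP_ENTITY_ID = "https://apps.university.example/sp"  # constructed SP entity ID
# Constructed registry of partner-school IdPs: e-mail domain -> (IdP entity ID, SSO URL)
IDP_BY_DOMAIN = {
    "partner-a.example": ("https://idp.partner-a.example", "https://idp.partner-a.example/sso"),
    "partner-b.example": ("https://idp.partner-b.example", "https://idp.partner-b.example/sso"),
}
PENDING = {}  # request ID -> (IdP entity ID, deadline) for logins still awaiting an assertion


def discover_idp(user_id):
    """Slide 19: pick the IdP from the user's e-mail domain (None if no partner matches)."""
    return IDP_BY_DOMAIN.get(user_id.rpartition("@")[2].lower())


def start_login(user_id, request_id, now):
    """Slides 19-20: remember the pending request and build the redirect to the IdP's SSO URL."""
    idp = discover_idp(user_id)
    if idp is None:
        return None
    entity_id, sso_url = idp
    PENDING[request_id] = (entity_id, now + timedelta(minutes=5))
    return sso_url + "?" + urlencode({"RelayState": request_id})


def parse_ts(value):
    """SAML timestamps are UTC, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now):
    """Slide 22: SP-side checks before the request is forwarded to the service.
    Assumes the XML signature was already verified. Returns (accepted, reason, name_id)."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer not in {eid for eid, _ in IDP_BY_DOMAIN.values()}:
        return False, "issuer is not a registered IdP", None
    cond = root.find("saml:Conditions", NS)
    if cond is None or None in (cond.get("NotBefore"), cond.get("NotOnOrAfter")):
        return False, "assertion has no validity window", None
    if not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "assertion not addressed to this SP", None
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    pending = PENDING.pop(scd.get("InResponseTo"), None) if scd is not None else None  # one use only
    if pending is None or pending[0] != issuer or now > pending[1]:
        return False, "no matching pending request for this issuer", None
    return True, "accepted", root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def make_assertion(issuer, audience, in_response_to, name_id, not_before, not_on_or_after):
    """Constructed, unsigned assertion for the demonstration; a real IdP would sign it."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>{name_id}</saml:NameID><saml:SubjectConfirmation>"
        f'<saml:SubjectConfirmationData InResponseTo="{in_response_to}"/>'
        f"</saml:SubjectConfirmation></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    )
```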
24. Service-oriented solution for Microsoft
Security consolidated on a single BIG-IP ADC platform
[Diagram: the BIG-IP system consolidates IP intelligence, network firewall, DNS appliances, reverse proxy, SSL acceleration, application firewall, load balancing, DDoS appliances and geolocation]
25. “F5 BIG-IP products enabled us to improve security for an existing application instead of having to invest time and money into developing a new, more secure application.”
Application Manager, Global 500 Media and Entertainment Company
TechValidate 0C0-126-2FB
26. Customer Example
Customer: Reliance Protectron Security Services
Environment: Primary and secondary data centers
Needs:
• Business continuity for critical software applications
• Consolidated application delivery infrastructure
• Access control
Solution:
Microsoft Exchange Server for email and calendaring
F5 BIG-IP LTM, APM
Result:
• Automatic failover of applications to secondary data center
• Improved availability and user responsiveness
• Custom access control using device-specific inspection
27. F5 BIG-IP platform
Service federation and hybrid cloud
Availability: ensure permanent access to services; highly available federation services
Security: publish secure services; pre-authenticate users
Agility: SSO access for users across all published applications
• Consolidate access, availability and security on a single platform
• Simplify user access across sites and applications
• Keep applications secure while users are on the move
29. And what about the security of Microsoft applications over HTTP?
Mr HAIR VAIX
Security Manager
30. Growth in application attacks
Network threats: 90% of security spending. Application threats: 75% of attacks target applications.
Source: Gartner
31. Web Application Firewall
F5 BIG-IP Application Security Manager (ASM)
Performance
• Gain performance while maintaining security
• JSON/AJAX protection
• Withstand massive attacks
• PCI compliance, with reports delivered quickly
Security
• More accurate than an IDS/IPS
• Application-specific security policy
• Abnormal traffic rejected
• ICAP support
• Protection against zero-day attacks
Simplicity
• Consolidated platform
• Simplified configuration
• Automatic remediation
32. F5 BIG-IP Web Application Firewall
BIG-IP Application Security Manager (ASM)
• Pre-defined policies for rapid deployment:
Outlook Web App (OWA): built-in policy
Exchange Web Services (EWS): derived policy
ActiveSync (EAS): built-in policy
33. F5 solutions for System Center
Architecture overview
• The F5 Management Pack for Operations Manager feeds statistics into SCOM through iControl and other APIs.
• .NET wrapped in PowerShell to expose the iControl methods; enables statistics collection and BIG-IP management through System Center Orchestrator.
• The Load Balancer Provider lets VMM control traffic management when virtual machines are launched.
Resources:
iControl home: http://links.f5.com/s7EYtN
F5 Management Pack: http://links.f5.com/f5mpdoc
SCVMM 2012 provider: http://links.f5.com/f5vmmlbpr
35. F5 Application Delivery Networking
[Diagram: TMOS® with iControl® at the base; BIG-IP® modules Local Traffic Manager, Global Traffic Manager, Application Security Manager, Advanced Firewall Manager, Access Policy Manager, Edge Gateway, WebAccelerator, WAN Optimization Manager and Link Controller; Enterprise Manager™; data center, applications and storage, branch office, users and mobile users]
39. Conclusion
Improve the scalability of MS applications
Secure without penalizing the user experience
Ensure continuous service
40. Developers and IT pros
Developers:
http://university.f5.com – train online
http://www.f5.com/about/news/events/ – find our events
https://devcentral.f5.com – the community
http://www.f5.com/trials – try our solutions for free
https://devcentral.f5.com/community/group/asg/62 – the Microsoft section
IT pros:
http://askf5.f5.com – get free support
http://www.f5.com/about/news/events/ – find our events
http://www.f5.com/trials – try our IT solutions for free
http://askf5.f5.com – the knowledge base; find our Microsoft experts
Editor's notes
Key Points: F5 provides serious value to your existing and future Microsoft investments. Our unique approach to creating intelligence around the application delivery greatly improves app performance, security, and IT productivity. BIG-IP is a platform for all your applications!
Talk Track: We don’t talk often about the expanse of our relationship with Microsoft. F5 sits in front of every major Microsoft strategic initiative – both externally and internally. Microsoft is one of our largest and most strategic customers and partners. We often hear from our Microsoft clients and colleagues that they’ve bet their business on F5 because we provide the strategic point of control for their most critical applications and services, like Office 365 and their internal implementations of SharePoint, Exchange, and other line-of-business applications. Depend on F5 to be the strategic point of control for your Microsoft investments, allowing you to drive your business in new and profound ways. This is possible thanks to our revolutionary approach to intelligent application delivery, so your teams are more productive, your apps safer, and possibilities like web and mobile experiences are within reach. Our unique combination of market leadership, deep integration with Microsoft technologies, and a vibrant community allows you and your business to get substantial and unexpected incremental value from our relationship. So how do we turn this fantastic partnership into revenue-generating business for you? F5’s top 3 ISV solutions are from Microsoft. <advance slide>
F5 is the global leader in Application Delivery Networking, and continues to be a solid provider and customer ally as we continue to grow and expand the entire ADC market.
F5 makes the connected world run better. This statement defines our singular goal in providing integrated application delivery services, and we do that across a broad scope of vertical industries with deep penetration in those markets. Such as: 8 of the Fortune 10 companies; 44 of the Fortune 50 companies; 18 of the top 20 U.S. commercial banks; 3 of the top 3 U.S. securities companies; 6 of the top 6 healthcare companies (pharmacy and other services); 5 of the top 5 U.S. airlines; 8 of the top 10 U.S. insurance companies (property and casualty); 10 of the top 10 fixed and mobile global service providers; 15 of the 15 executive branches of the US government; 6 of the top 10 U.S. online video destinations; 16 of the top 20 cloud infrastructure and web hosting companies.
What are the challenges that we see every day, that our customers – IT decision makers, application architects, network administrators – face throughout their entire IT infrastructure? Device growth at exponential levels means more devices in the enterprise. These devices bring with them new challenges in management, application delivery and security, and a huge amount of new personal and professional apps from end users. For the first time in history, people are dictating which apps they use in the enterprise, and yet IT still has to deal with how to deliver data to mobile users. These are the issues that are keeping IT administrators and decision makers awake at night.
L7 health monitoring; dynamic load balancing; SSL offload; site resilience; custom traffic management; LAN / WAN optimizations; availability through security…
F5 iApps is a powerful set of features in the BIG-IP system that can help you deploy 10x-100x faster with 95 percent fewer configuration mistakes. iApps provides a new way to architect application delivery in the data center by unifying, simplifying, and controlling the entire Application Delivery Network with a contextual view – and advanced statistics about the application services supporting your business. An application-centric view means deploying application services that reside in the network—such as authentication, data protection, traffic management, and acceleration—and aligning them to the applications for which they’re being used. Unifying these services, regardless of function, and associating them with Microsoft Exchange or SharePoint, Oracle, or custom applications, enables you to provision network services as rapidly and with the same portability as the applications themselves.
By managing application services rather than the individual networking components and configurations, you can dramatically speed up deployment, lower OpEx, and streamline IT operations. You can provision application services in minutes rather than weeks, significantly improving time-to-market and creating a highly efficient and predictable process for successful application delivery.
So to summarize:
Application fluency is the key to opening up tremendous revenue potential for you around F5.
Application security is an extension of the high availability value proposition for BIG-IP, because an application is not available if it’s not secure.
Application security using traditional firewalls is flawed. F5 BIG-IP is an ICSA-certified firewall device and also differentiates itself through the ability to use intelligence about users, devices and application traffic to increase security, reduce complexity and consolidate data center architectures.
F5 is here to help you build a business and ready your sales and pre-sales teams.
CAS (Client Access Server)… “Microsoft” suggests putting TMG (rebranded ISA) in front of Exchange… Does it scale? How are the LB Functions? Does it do SSL VPN… This isn’t an enterprise solution
APM is the next generation Remote Access Device for many reasons. Exchange is just one example… Also when discussing Exchange, we must talk about the importance of Scale, Providing Single Namespace, and what about integration with non-Microsoft components?
Editor: I assumed that AD FS referred to ‘Active Directory Federated Services,’ the acronym for which should be formatted as ‘ADFS’. If that’s not correct, can someone clarify what it refers to and spell it out on first ref?
Key Points: F5 differentiation explained in more detail from the perspective of the ways hackers try to access applications.
Remember: Not all attacks have the goal of obtaining confidential information or of infecting computer systems. Denial of service is a very common type of attack, the goal of which is to degrade the performance of an application or a network, or to bring an application down. Sometimes it is used as a means to weaken corporate defenses so that a separate attack to gain unauthorized information can succeed. Either way, denial of service is all about availability.
The simplest type of attack simply seeks open ports through which to send traffic. Traditional firewall products that are L1-L3 or L1-L4 aware perform packet filtering operations associated with rule sets used to evaluate every packet that arrives on a specified port. These firewalls are limited in the rules they can apply – a constraint made much worse for SSL-encrypted traffic, which is passed through without any inspection of the encrypted portion of the packet. BIG-IP is different. BIG-IP is designed for SSL termination of application traffic and has full visibility into the packets, so deeper inspection is possible. F5 BIG-IP is also a default-deny certified firewall device with greater scalability and performance capabilities than traditional firewall products.
The second method used by hackers is to find unauthorized access. This can be done by sending anonymous requests to an application, but it’s more common to see brute force attacks attempting to guess or use a known user ID in combination with guessing or using a known password. The whole idea here is that a user name and password must be verified (authenticated) to successfully access an application. Valid credentials can then be used by a hacker to try to access *other* applications. Traditional firewalls have no way to validate any access based on user identity. BIG-IP can.
Further, BIG-IP can also check user permissions across multiple applications and grant or deny traffic access to an internal network based on granted rights. This is pre-authentication. Message: with BIG-IP, no traffic reaches your internal network unless it’s been pre-authenticated and authorized for the app requested.
Lastly, hackers also seek to use authorized access for bad purposes. In this case, they have one or more sets of valid credentials and use them to send well-formed traffic to an application. Key: this traffic appears normal, but it’s not. Traditional firewalls, again, have no capability to distinguish the intent of the traffic from its form. BIG-IP can detect well-formed but malicious traffic and stop it… yet allow normal traffic in.
So what about a new type of attack? New vulnerabilities are coming to light continually, yet no one knows what or when. In fact, chances are that your customers’ companies believe the IT staff have a crystal ball and therefore must be able to deal with any threat that comes in the future. Of course, no one has a crystal ball to tell the future, but F5 can help IT staff appear to have one. How? The F5 Threat Assessment Team is constantly watching for new vulnerabilities, assisted by our DevCentral community of more than 100,000 BIG-IP experts who share their visibility and experience of attacks. So, F5 is watching, F5 will assess new threats and, if appropriate, create a “virtual patch” for BIG-IP. F5 will create the patch and publish it for you. Are we really doing this? Yes. If a vulnerability was exposed today, I can tell you we would know about it and be working on it. F5 enables you to protect your environment in hours or days (versus an average application attack mitigation time of 77 days).
We keep your data center operating while the official patches are being created, tested and deployed. This is how F5 offers a more effective, differentiated security offering to correct a flawed approach that is giving many customers a false sense of security for their applications.
Editor: Does the text ‘0C0-126-2FB’ belong in this slide? I’m not sure what it refers to.
This is a US-based customer example. The State of Florida awarded the project to Xerox (formerly ACS, now merged with Xerox and operating under the new name). Xerox and F5 worked together through CentricsIT. CentricsIT designed and implemented the solution to meet the complex customer requirements, performing the mail consolidation and the BIG-IP solution design and implementation. APM was leveraged to design and implement custom access policies for email across the departments – a clear highlight for this customer.
The State of Florida, like all large government bodies, must support a wide variety of local, state and federal government agencies. And like all government bodies, driving down costs is paramount in the current economic climate. In Florida, email was selected for consolidation into the cloud. A 3rd-party hoster (formerly ACS, now known under the Xerox name) was awarded the contract. Working with Xerox, F5 brought in CentricsIT, the F5 partner, to engage. The project was the consolidation of over 30 different email systems into Microsoft Exchange. Security was top of mind, and requirements across the agencies, access networks and allowed devices varied greatly. In addition, they wanted shared address book capability across all member agencies. Regulatory compliance was mandatory. The solution was Microsoft Exchange Server 2010 in a dedicated, hosted environment using F5 BIG-IP Local Traffic Manager (LTM), Access Policy Manager (APM) and Application Security Manager (ASM). The resulting design achieved all requirements: successful consolidation and migration to Exchange, and secure access capability integrated with the single sign-on provider and 2-factor authentication as needed. The Shared Address Book was implemented, and HIPAA and CJIS (Criminal Justice Information Services, a division of the FBI) compliance was achieved.
The keystone of this solution was the BIG-IP security capabilities provided by APM and ASM. The security solution is a prime example of significant, incremental value extracted by the customer and the F5 partners: value based solidly upon, but not limited to, the high availability provided by the traditional load balancing capability of BIG-IP.
[note from the editor: I edited these notes a bit to streamline them; also, this is the only slide in this deck with notes, and these notes—is that ok?]
NETWORK THREATS
Today, the real data security threat is not happening at the network layer. Yes, in the last few years there have been a lot of attacks at the network layer, and a lot of money being spent there to prevent viruses, spam, and spyware. And attacks at the network layer are highly visible, they affect productivity, and they are messy and annoying.
APPLICATION THREATS
But when you compare that with threats on the application side, it is dramatically different. Application threats affect the very core of your corporation: your sensitive data. This means data such as employee records, confidential information (sometimes intellectual property), and financial records. The key thing to remember is that most data theft attacks are application-level attacks. Your applications are the doorway to your data—not your network. Let me repeat this, it is important: applications are the doorway to your data—not your network.
Editor: 1. Will our audience know what IPS and IDS stand for? If not, we should spell those out. 2. How about ICAP?
Unified application service policies for acceleration, security, and availability are configured and controlled inside BIG-IP using System Center. iControl exposes all BIG-IP objects, health statistics, and management controls to System Center applications. Regardless of the integration method, IT administrators gain visibility into and control of BIG-IP using System Center.