Providing Secure, Fast and Available SharePoint with F5 BIG-IP John Lee, Federal Systems Engineer Version 3.0


© F5 Networks, Inc 2

Traffic Manager Operating System (TMOS)

[Diagram: TMOS architecture. Labels shown: Client Side, Server Side, TCP Proxy, TCP Express, SSL, Compression, Caching, OneConnect, XML, Rate Shaping, ASM, Web Accel, 3rd Party, iRules, iControl API, Microkernel.]

TMOS Traffic Plugins

High-performance Networking Microkernel

Powerful Application Protocol Support

iControl – External monitoring and control

iRules – Network Programming Language

High Performance HW

Application Delivery Network


Too much, too fast…


Most Common: CMS, Workflow, KPI/BI


Weak points


Standard Topologies = Complex, VM & Storage Sprawl


• SSL Acceleration (& Termination): DHE, RSA, DSA, ECC, TLS 1.3 & PFS

• Protocol Optimization: TCP & HTTP

• Fast Cache (Limited)

• TCP Queuing

• Compression

• Application Availability & Redundancy

• Intelligent Application Monitors

• DDoS Protection (Core)

• SSL Visibility

• ICAP

Performance, Redundancy, DDoS Protection


• Host Named Site Collections

• More FQDNs

• Request management

• L7: Throttling & Routing

• Static Weight

• Health Weight

• Disabled by Default

• Criteria

• CustomHeader

• Host

• HttpMethod

• IP

• SoapAction

New Features in 2013


Application Security Manager


• HTML Content Streaming & PII Protection

• OWASP Top 10

• A1 Injection

• A2 Broken Authentication and Session Management

• A3 Cross-Site Scripting (XSS)

• A4 Insecure Direct Object References

• A5 Security Misconfiguration

• A6 Sensitive Data Exposure

• A7 Missing Function Level Access Control

• A8 Cross-Site Request Forgery (CSRF)

• A9 Using Components with Known Vulnerabilities

• A10 Unvalidated Redirects and Forwards

Protect your Apps

Automate Signature Updates

Industry Partnerships

• Layer 5 – 7 Application Protection

• PCI DSS Compliance

• Positive + Negative Security Models

• ICSA Certified Web App Firewall

• Integrated into the BIG-IP ADC

Application Security


Access Policy Manager


BIG-IP Access Policy Manager

Identify, authenticate, and control user access to your applications

• Secure and accelerate application access from any device and location

• Consolidate AAA and SSO services for enterprise applications

• RDP, View, Citrix Xen Support

• Federate via SAML

Single Sign On

• Scalable SSL VPN

• Advanced Endpoint checks

• BYOD: iOS, Win8, Android Support

Mobile User Access


Protocol Optimization + SSL Acceleration & Offloading + Authentication Offloading

Faster Deployment + Added Security + Happier Users

The impact of LTM+APM for SharePoint?

[Diagram: Clients, SharePoint Farm, External System, with three authentication stages: Incoming Authentication, Intra/Inter Farm Authentication, Outgoing Authentication. Mode labels shown: Classic (Windows Auth), Claims.]

But wait, there’s more…


Application Accelerator Manager


• Workflow Manager

• Doesn’t support IPv6

• UX Improvements

• HTML5

• Caching (AppFabric Distributed Cache)

• Feeds

• Logon Tokens

• Search

• Mobile Support

• Minimal Download Strategy

• Browser Support

SharePoint Acceleration, More New stuff?


Application Delivery Optimization

Holistic approach to improving performance throughout the application delivery chain

Network

• Connect applications and users in a global enterprise

• Provide the fastest network at the lowest cost

• Increase network efficiency to best utilize resources

Client

• Improve the user experience for traditional and mobile users

• Deliver the right content to the right user in the fastest time

Data center

• Improve availability of enterprise applications

• Increase application server capacity

• Integrate new technologies without recoding applications


Accelerating the Client

Content control

• Deliver content to clients with minimal network overhead

Data reduction

• Optimize images and files for mobile browsers to improve page load times


Accelerating the Network

Compression and deduplication

• Reduce amount of data transmitted

• Improve network throughput and response

• Increase bandwidth efficiency

• Adaptive / Client Aware Compression

Protocol optimization

• Tune TCP and HTTP parameters to adapt to changing network conditions

Loss correction

• Correct for high-loss networks to decrease transmission time and improve user experience


Acceleration in the Data Center

Load balance

• Distribute application load across multiple servers to increase availability

Offload

• Increase server capacity

• Accelerate SSL processing

• Manage TCP connections more efficiently

SPDY gateway

• Leverage SPDY and other protocols without recoding applications

Fast cache

• Offload repetitive traffic from web and application servers to increase server capacity

Core / LTM


Image Optimization? That too…

What

• Convert from JPEG or PNG to WebP

• Reduces file size by up to 73%

• Preserve copyright before stripping EXIF headers.

• Retries if optimization skipped due to load.

• Improved dashboard stats

Why

• Reduce size of web page

• Especially useful for mobile browsers.

What does it mean?

Faster load times

Better user experience

Reduced bandwidth

Reduce VM Sprawl

Reduce Storage Requirements

Reduce Complexity

Low Level Test Case: LTM + APM + WA, 20 Concurrent Users, SSL Offload

>89% Decrease in average page load time.

>36% Decrease in outbound Bandwidth consumption.

>50% Decrease in per user Bandwidth consumption.

Don’t just take my word for it…

https://f5.com/support/tools/f5-application-speed-tester


• TMG End of Life

• Simplification of the current Architecture

• Complex Authentication requirements

• Cross-Domain Solution; Multiple SharePoint Farms, Multiple Active Directory Forests, External users

• LTM+APM+WA for NIPR and SIPR

• Streamlined farm migration

• Elimination of point solutions

Use Cases


• FIPS 140-2, DNSSEC, IPv6

• NIAP CCC

• C&A

• DISA ATO

• NMCI

• JWICS

• SOCOM & CENTCOM

• TIC PKE Certification

• DISA UC-APL (TN#1312201)

• US Army’s IA-APL

DoD Certifications


Know your FIPS levels?

Level 1

• Evaluated crypto algorithms and/or random number generators

• No physical security requirements, can be software only

Level 2 (L1+)

• Physical enclosures with pick-resistant locks or tamper-evident stickers

• Enclosures “opaque in the visible spectrum”

Level 3 (L2+)

• Automatic deletion

Level 4 (L3+)

• Kevlar jacketing and EMP-like deletion

• Hermetically sealed enclosure