providing fast, secure, and available sharepoint with f5...

Providing Fast, Secure, and Available SharePoint with F5 BIG-IP Michael Coleman, Federal System Engineer (USMC-Vet) Version 3.0

© F5 Networks, Inc 2

• USMC-Vet (NCOIC Net Management 2D FSSG G6, NCOIC Net Management JTF-160, NCOIC Net Management JTF-170)

• ITILv3, Net+, Security+, Linux+, Server+, A+, CCNA, MCSE + Security

• MCPD C# .NET SharePoint 2010 (Developer) & MCITP SharePoint 2010 (Architect)

• Former Director of IT, Senior Solutions Architect (Portal Dynamics)

• F5 Certified Engineer, F5 Certified Administrator, APM Specialist, UA & MS SME

• Past 3 years @ F5 covering USMC & DHA

Michael Coleman


Before we move on…


History


Traffic Manager Operating System (TMOS)

SS

L

Co

mp

res

sio

n

Client

Side

Server

Side

TC

P E

xp

res

s

Server TC

P E

xp

res

s

Ca

ch

ing

Microkernel

TMOS Traffic Plugins

High-performance Networking Microkernel

Powerful Application Protocol Support

iControl – External monitoring and control

iRules – Network Programming Language

High Performance HW

iRules

Client

iControl API

TCP Proxy

On

eC

on

ne

ct

XM

L

Ra

te S

ha

pin

g

AS

M

We

b A

cc

el

3rd

Pa

rty

Application

Delivery

Network


Too much, too fast…


• SharePoint On Prem is NOT dead.

Just a quick note…


Most Common: CMS, Workflow, KPI/BI


Weak points


Standard Topologies = Complex, VM & Storage Sprawl


• SSL Acceleration (& Termination) • DHE, RSA, DSA, ECC, TLS

1.3 & PFS

• Protocol Optimization • TCP & HTTP

• Fast Cache (Limited)

• TCP Queuing

• Compression

• Application Availability & Redundancy

• Intelligent Application Monitors

• DDoS Protection (Core)

• SSL Visibility

• ICAP

Performance, Redundancy, DDoS Protection


• Host Named Site Collections

• More FQDN’s

• Request management

• L7: Throttling & Routing

• Static Weight

• Health Weight

• Disabled by Default

• Criteria

• CustomHeader

• Host

• HttpMethod

• IP

• SoapAction

New Features in 2013


Application Security Manager


• HTML Content Streaming & PII Protection

• OWASP Top 10

• A1 Injection

• A2 Broken Authentication and Session Management

• A3 Cross-Site Scripting (XSS)

• A4 Insecure Direct Object References

• A5 Security Misconfiguration

• A6 Sensitive Data Exposure

• A7 Missing Function Level Access Control

• A8 Cross-Site Request Forgery (CSRF)

• A9 Using Components with Known Vulnerabilities

• A10 Unvalidated Redirects and Forwards

Protect your Apps

Automate

Signature

Updates

Industry Partnerships

• Layer 5 – 7 Application Protection

• PCI DSS Compliance

• Positive + Negative Security Models

• ICSA Certified Web App Firewall

• Integrated into the BIG-IP ADC

Application Security


Access Policy Manager


• As with SharePoint 2010, with SharePoint 2013 you can create web applications to use either classic or claims-based authentication. With either type of web application, claims authentication is used for authentication flow within the farm. The authentication type of the web application only affects the authentication flow into and out of the SharePoint farm.

• What does that mean? In SharePoint 2013…

• Kerberos is still required.

• Claims based does NOT mean SAML 1 or 2, nor WS-Fed OOTB.

• Sign-In happens with integrated windows authentication challenge (NTLM/Kerberos). However, after the Windows Identity object (representing the user) is created, SharePoint converts the object into a Claims Identity Object.

• When accessing other SharePoint Services, the claim-based token is then translated back into Kerberos.

• Examples? (MCEITS, DoDIG, etc…)

SAML, Claims, & Kerberos…


BIG-IP Access Policy Manager Identify, authenticate, and control user access to your applications

• Secure and accelerate application access from any

device and location

• Consolidate AAA and SSO services for enterprise

applications

• RDP, View, Citrix Xen Support

• Federate via SAML

Single Sign On

• Scalable SSL VPN

• Advanced Endpoint checks

• BYOD: IOS, Win8, Android Support

Mobile User Access


Protocol Optimization + SSL Acceleration & Offloading + Authentication Offloading Faster Deployment + Added Security + Happier Users

The impact of LTM+APM for SharePoint?

Clients SharePoint Farm External System

Classic (Windows Auth)

Claims

Claims

Classic (Windows Auth)

Claims

Incoming

Authentication

Intra/Inter Farm

Authentication

Outgoing

Authentiction

But wait, there’s more…


Application Accelerator Manager


• Workflow Manager

• Doesn’t support IPv6

• UX Improvements

• HTML5

• Caching (AppFabric Distributed Cache)

• Feeds

• Logon Tokens

• Search

• Mobile Support

• Minimal Download Strategy

• Browser Support

SharePoint Acceleration, More New stuff?


Application Delivery Optimization

Holistic approach to improving performance throughout the application delivery chain

Network

• Connect applications and

users in a global enterprise

• Provide the fastest network at

the lowest cost

• Increase network efficiency to

best utilize resources

Client

• Improve the user experience

for traditional and mobile

users

• Deliver the right content to

the right user in the fastest

time

Data center

• Improve availability of

enterprise applications

• Increase application server

capacity

• Integrate new technologies

without recoding applications


Accelerating the Data Center

Load balance

• Distribute application load

across multiple servers to

increase availability

Offload

• Increase server capacity

• Accelerate SSL processing

• Manage TCP connections

more efficiently

SPDY gateway

• Leverage SPDY and other

protocols without recoding

applications

Fast cache

• Offload repetitive traffic from

web and application servers

to increase server capacity

Core / LTM


Accelerating the Network

Compression and deduplication

• Reduce amount of data transmitted

• Improve network throughput and response

• Increase bandwidth efficiency

• Adaptive / Client Aware Compression

Protocol optimization

• Tune TCP and HTTP parameters to

adapt to changing network conditions

Loss correction

• Correct for high-loss networks to

decrease transmission time and

improve user experience


Accelerating the Client

Content control

• Deliver content to clients with

minimal network overhead

Data reduction

• Optimize images and files for

mobile browsers to improve

page load times


Image Optimization? That too…

• Convert from JPEG or PNG to WebP

• Reduces file size by up to 73%

• Preserve copyright before stripping EXIF headers.

• Retries if optimization skipped due to load.

• Improved dashboard stats

What

Why

• Reduce size of web page

• Especially useful for mobile browsers.

What does it mean? Faster load times

Better user experience

Reduced bandwidth

Reduce VM Sprawl

Reduce Storage Requirements

Reduce Complexity

Low Level Test Case: LTM + APM + WA, 20 Concurrent Users, SSL Offload >89% Decrease in average page load time.

>36% Decrease in outbound Bandwidth consumption.

>50% Decrease in per user Bandwidth consumption.

Don’t just take my word for it…

https://f5.com/support/tools/f5-application-speed-tester


• ISA/TMG/UAG End of Life (WAP…)

• Simplification of the current Architecture

• Complex Authentication requirements made simple; CAC/PIV/ECA, Kerberos, SAML

• Cross-Domain Solution; Multiple SharePoint Farms, Multiple Active Directory Forests, External users

• LTM+APM+AAM for NIPR and SIPR

• Streamlined farm migration

• Elimination of point solutions

Use Cases


• FIPS 140-2, DNSSEC, IPV6

• NIAP CCC

• C&A

• DISA ATO

• NMCI

• JWIC’s

• SOCOM & CENTCOM

• TIC PKE Certification

• DISA UC-APL (TN#1312201)

• US Army’s IA- APL

DoD Certifications


Know your FIPS levels?

Level 1

•Evaluated crypto algorithms and/or random number generators

•No physical security requirements, can be software only

Level 2 (L1+)

•Physical enclosures with pick-resistant locks or tamper-evident stickers

•Enclosures “opaque in the visible spectrum”

Level 3 (L2+)

•Automatic deletion

Level 4 (L3+)

•Kevlar jacketing and EMP-like deletion

•Hermetically sealed enclosure


Arguing with an Engineer is a lot like wrestling in the mud with a pig, after a couple of hours you realize the pig likes it…

Questions?


Demos


• Rick ‘Trombone’ Watt Navy Account Manager [email protected] (720) 951-4697

• John ‘Bruce’ Lee Navy Systems Engineer [email protected] (562) 355-1011

Navy Account Team

mailto:[email protected]

mailto:[email protected]

providing fast, secure, and available sharepoint with f5...

Documents