Providing Fast, Secure, and Available SharePoint with F5 BIG-IP
Michael Coleman, Federal System Engineer (USMC-Vet)
Version 3.0
© F5 Networks, Inc 2
Michael Coleman
• USMC-Vet (NCOIC Net Management 2D FSSG G6, NCOIC Net Management JTF-160, NCOIC Net Management JTF-170)
• ITILv3, Net+, Security+, Linux+, Server+, A+, CCNA, MCSE + Security
• MCPD C# .NET SharePoint 2010 (Developer) & MCITP SharePoint 2010 (Architect)
• Former Director of IT, Senior Solutions Architect (Portal Dynamics)
• F5 Certified Engineer, F5 Certified Administrator, APM Specialist, UA & MS SME
• Past 3 years @ F5 covering USMC & DHA
Before we move on…
History
Traffic Manager Operating System (TMOS)
[Diagram: TMOS architecture. Client Side and Server Side traffic pass through a TCP Proxy on a High-performance Networking Microkernel. TMOS Traffic Plugins shown: SSL, Compression, TCP Express, Caching, OneConnect, XML, Rate Shaping, ASM, Web Accel, 3rd Party. Labels: Microkernel; Powerful Application Protocol Support; iControl – External monitoring and control (iControl API); iRules – Network Programming Language; High Performance HW; Application Delivery Network.]
Too much, too fast…
Just a quick note…
• SharePoint On Prem is NOT dead.
Most Common: CMS, Workflow, KPI/BI
Weak points
Standard Topologies = Complex, VM & Storage Sprawl
Performance, Redundancy, DDoS Protection
• SSL Acceleration (& Termination)
  • DHE, RSA, DSA, ECC, TLS 1.3 & PFS
• Protocol Optimization
  • TCP & HTTP
• Fast Cache (Limited)
• TCP Queuing
• Compression
• Application Availability & Redundancy
• Intelligent Application Monitors
• DDoS Protection (Core)
• SSL Visibility
• ICAP
New Features in 2013
• Host Named Site Collections
  • More FQDNs
• Request management
  • L7: Throttling & Routing
  • Static Weight
  • Health Weight
  • Disabled by Default
  • Criteria
    • CustomHeader
    • Host
    • HttpMethod
    • IP
    • SoapAction
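The two SharePoint 2013 features on this slide, host-named site collections and Request Management, are configured from the SharePoint 2013 Management Shell. The script below is an added example and is not part of this deck nor F5's or Microsoft's own material; the web application URL, host header, server names, owner account, pool and rule names, and the OneNote user-agent prefix are placeholders chosen for illustration.

```powershell
# Added example, not from the slide deck. All names and URLs are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# ---- Host-named site collections: several FQDNs served by one web application ----
$wa = Get-SPWebApplication "https://sp-webapp.example.test"     # placeholder web app

# A root site collection must exist on the web application before host-named
# site collections can be added to it.
if (-not (Get-SPSite $wa.Url -ErrorAction SilentlyContinue)) {
    New-SPSite -Url $wa.Url -OwnerAlias "EXAMPLE\sp-owner" -Template "STS#0"
}

# Each host-named site collection answers on its own FQDN (the "More FQDNs" bullet).
New-SPSite -Url "https://intranet.example.test" -HostHeaderWebApplication $wa `
           -Name "Intranet" -OwnerAlias "EXAMPLE\sp-owner" -Template "STS#0"

# ---- Request Management: L7 throttling and routing, disabled by default ----
# The Request Management service instance has to be running on the front ends.
Get-SPServiceInstance | Where-Object { $_.TypeName -eq "Request Management" -and $_.Status -ne "Online" } |
    Start-SPServiceInstance | Out-Null

$rm = Get-SPRequestManagementSettings -Identity $wa

# Routing and throttling are both off until enabled. RoutingWeightScheme picks
# between the slide's "Static Weight" and "Health Weight" (server health score).
Set-SPRequestManagementSettings -Identity $rm -RoutingEnabled $true -ThrottlingEnabled $true `
                                -RoutingWeightScheme Static

# Register the farm's web front ends as routing targets (placeholder machine names)
# and prefer WFE01 two-to-one under the static weight scheme.
$wfe1 = Add-SPRoutingMachineInfo -RequestManagementSettings $rm -Name "WFE01" -Availability Available
$wfe2 = Add-SPRoutingMachineInfo -RequestManagementSettings $rm -Name "WFE02" -Availability Available
Set-SPRoutingMachineInfo -Identity $wfe1 -StaticWeight 2

# A machine pool is the routing destination of a rule.
$searchPool = Add-SPRoutingMachinePool -RequestManagementSettings $rm -Name "SearchPool" -MachineTargets $wfe2

# Rule criteria use the property types listed on the slide (CustomHeader, Host,
# HttpMethod, IP, SoapAction) plus Url, UrlReferrer and UserAgent.
$searchCriteria = New-SPRequestManagementRuleCriteria -Property Url  -MatchType Regex  -Value ".*/_api/search/.*"
$hostCriteria   = New-SPRequestManagementRuleCriteria -Property Host -MatchType Equals -Value "intranet.example.test"

# Route search REST calls for the intranet host to the dedicated pool.
Add-SPRoutingRule -RequestManagementSettings $rm -Name "RouteSearchToPool" `
                  -Criteria @($searchCriteria, $hostCriteria) -MachinePool $searchPool | Out-Null

# Throttling rule: once a front end's health score reaches the threshold, refuse
# requests from a noisy client class (placeholder user-agent prefix).
$oneNote = New-SPRequestManagementRuleCriteria -Property UserAgent -MatchType StartsWith -Value "Microsoft Office OneNote"
Add-SPThrottlingRule -RequestManagementSettings $rm -Name "ThrottleOneNoteUnderLoad" -Criteria $oneNote -Threshold 8 | Out-Null

# Verify what was configured.
Get-SPRequestManagementSettings -Identity $wa | Format-List RoutingEnabled, ThrottlingEnabled, RoutingWeightScheme
Get-SPRoutingRule    -RequestManagementSettings $rm | Format-Table Name, MachinePool
Get-SPThrottlingRule -RequestManagementSettings $rm | Format-Table Name, Threshold
```

Run this on a farm server as a farm administrator. Because Request Management evaluates rules on the front end that receives the request, it complements rather than replaces the BIG-IP load balancing in front of the farm: the ADC decides which front end gets the connection, Request Management decides where that front end forwards it and whether it is served at all under load.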
Application Security Manager
Application Security
• HTML Content Streaming & PII Protection
• OWASP Top 10
  • A1 Injection
  • A2 Broken Authentication and Session Management
  • A3 Cross-Site Scripting (XSS)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration
  • A6 Sensitive Data Exposure
  • A7 Missing Function Level Access Control
  • A8 Cross-Site Request Forgery (CSRF)
  • A9 Using Components with Known Vulnerabilities
  • A10 Unvalidated Redirects and Forwards
Protect your Apps / Automate Signature Updates / Industry Partnerships
• Layer 5 – 7 Application Protection
• PCI DSS Compliance
• Positive + Negative Security Models
• ICSA Certified Web App Firewall
• Integrated into the BIG-IP ADC
Access Policy Manager
SAML, Claims, & Kerberos…
• As with SharePoint 2010, with SharePoint 2013 you can create web applications to use either classic or claims-based authentication. With either type of web application, claims authentication is used for authentication flow within the farm. The authentication type of the web application only affects the authentication flow into and out of the SharePoint farm.
• What does that mean? In SharePoint 2013…
  • Kerberos is still required.
  • Claims-based does NOT mean SAML 1 or 2, nor WS-Fed OOTB.
  • Sign-in happens with an Integrated Windows Authentication challenge (NTLM/Kerberos). However, after the Windows Identity object (representing the user) is created, SharePoint converts the object into a Claims Identity object.
  • When accessing other SharePoint services, the claims-based token is then translated back into Kerberos.
• Examples? (MCEITS, DoDIG, etc…)
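To make the sign-in flow on this slide concrete, the following added example (not from the deck, nor Microsoft's or F5's own material) creates a claims-based SharePoint 2013 web application whose incoming authentication is Integrated Windows Authentication, registers the Kerberos SPN the slide says is still required, and shows the claims identity SharePoint derives from a Windows account. The URL, host header, managed account, application pool and user name are placeholders.

```powershell
# Added example, not from the slide deck. Names, URLs and accounts are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Claims-based web application with Windows authentication as the sign-in method.
#    Passing an authentication provider makes the web application claims-based;
#    omitting -DisableKerberos leaves the provider on Negotiate, so Kerberos is
#    used when the SPN in step 2 exists and NTLM otherwise.
$winAuth = New-SPAuthenticationProvider -UseWindowsIntegratedAuthentication

$appPoolAccount = Get-SPManagedAccount "EXAMPLE\svc-sp-app"     # placeholder managed account
$wa = New-SPWebApplication -Name "Portal" `
        -Url "https://portal.example.test" -Port 443 -SecureSocketsLayer `
        -HostHeader "portal.example.test" `
        -ApplicationPool "PortalAppPool" -ApplicationPoolAccount $appPoolAccount `
        -AuthenticationProvider $winAuth

# 2. Kerberos is still required: the HTTP service principal name must be registered
#    on the application pool account or browsers silently fall back to NTLM.
#    setspn -S checks for a duplicate SPN in the forest before adding it.
setspn -S HTTP/portal.example.test EXAMPLE\svc-sp-app

# 3. After the Windows identity is created, SharePoint addresses the user by a claims
#    identity. The encoded form shows the conversion: "i:" (identity claim),
#    "0#.w" (Windows SAM account name), "|", then the original DOMAIN\user.
$claim = New-SPClaimsPrincipal -Identity "EXAMPLE\jdoe" -IdentityType WindowsSamAccountName
$claim.ToEncodedString()

# 4. Confirm the web application is claims-based rather than classic, and which
#    provider handles sign-in. UseClaimsAuthentication is $true for claims mode.
$wa = Get-SPWebApplication "https://portal.example.test"
$wa | Select-Object Url, UseClaimsAuthentication
$wa.IisSettings[[Microsoft.SharePoint.Administration.SPUrlZone]::Default].ClaimsAuthenticationProviders |
    Select-Object DisplayName, UseWindowsIntegratedAuthentication, DisableKerberos
```

Run this in the SharePoint 2013 Management Shell as a farm administrator; setspn additionally needs the right to write the account's servicePrincipalName attribute in Active Directory. The encoded claim for a Windows account begins with i:0#.w| followed by the account name, which is the identity the farm carries internally once the Windows token has been converted; offloading the front-door challenge to BIG-IP APM changes who issues that challenge, not this internal representation.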
BIG-IP Access Policy Manager
Identify, authenticate, and control user access to your applications
Single Sign On
• Secure and accelerate application access from any device and location
• Consolidate AAA and SSO services for enterprise applications
• RDP, View, Citrix Xen Support
• Federate via SAML
Mobile User Access
• Scalable SSL VPN
• Advanced Endpoint checks
• BYOD: iOS, Win8, Android Support
But wait, there’s more…
The impact of LTM+APM for SharePoint?
Protocol Optimization + SSL Acceleration & Offloading + Authentication Offloading
Faster Deployment + Added Security + Happier Users
[Diagram: authentication flow from Clients to the SharePoint Farm to an External System]
• Incoming Authentication (Clients to SharePoint Farm): Classic (Windows Auth) or Claims
• Intra/Inter Farm Authentication: Claims
• Outgoing Authentication (SharePoint Farm to External System): Classic (Windows Auth) or Claims
Application Accelerator Manager
SharePoint Acceleration, More New stuff?
• Workflow Manager
  • Doesn’t support IPv6
• UX Improvements
  • HTML5
• Caching (AppFabric Distributed Cache)
  • Feeds
  • Logon Tokens
  • Search
• Mobile Support
• Minimal Download Strategy
• Browser Support
Application Delivery Optimization
Holistic approach to improving performance throughout the application delivery chain
Network
• Connect applications and users in a global enterprise
• Provide the fastest network at the lowest cost
• Increase network efficiency to best utilize resources
Client
• Improve the user experience for traditional and mobile users
• Deliver the right content to the right user in the fastest time
Data center
• Improve availability of enterprise applications
• Increase application server capacity
• Integrate new technologies without recoding applications
Accelerating the Data Center (Core / LTM)
Load balance
• Distribute application load across multiple servers to increase availability
Offload
• Increase server capacity
• Accelerate SSL processing
• Manage TCP connections more efficiently
SPDY gateway
• Leverage SPDY and other protocols without recoding applications
Fast cache
• Offload repetitive traffic from web and application servers to increase server capacity
Accelerating the Network
Compression and deduplication
• Reduce amount of data transmitted
• Improve network throughput and response
• Increase bandwidth efficiency
• Adaptive / Client Aware Compression
Protocol optimization
• Tune TCP and HTTP parameters to adapt to changing network conditions
Loss correction
• Correct for high-loss networks to decrease transmission time and improve user experience
Accelerating the Client
Content control
• Deliver content to clients with minimal network overhead
Data reduction
• Optimize images and files for mobile browsers to improve page load times
Image Optimization? That too…
What
• Convert from JPEG or PNG to WebP
• Reduces file size by up to 73%
• Preserve copyright before stripping EXIF headers.
• Retries if optimization skipped due to load.
• Improved dashboard stats
Why
• Reduce size of web page
• Especially useful for mobile browsers.
What does it mean?
• Faster load times
• Better user experience
• Reduced bandwidth
• Reduce VM Sprawl
• Reduce Storage Requirements
• Reduce Complexity
Low Level Test Case: LTM + APM + WA, 20 Concurrent Users, SSL Offload
• >89% Decrease in average page load time.
• >36% Decrease in outbound Bandwidth consumption.
• >50% Decrease in per user Bandwidth consumption.
Don’t just take my word for it…
https://f5.com/support/tools/f5-application-speed-tester
Use Cases
• ISA/TMG/UAG End of Life (WAP…)
• Simplification of the current Architecture
• Complex Authentication requirements made simple; CAC/PIV/ECA, Kerberos, SAML
• Cross-Domain Solution; Multiple SharePoint Farms, Multiple Active Directory Forests, External users
• LTM+APM+AAM for NIPR and SIPR
• Streamlined farm migration
• Elimination of point solutions
DoD Certifications
• FIPS 140-2, DNSSEC, IPv6
• NIAP CCC
• C&A
• DISA ATO
• NMCI
• JWICS
• SOCOM & CENTCOM
• TIC PKE Certification
• DISA UC-APL (TN#1312201)
• US Army’s IA-APL
Know your FIPS levels?
Level 1
• Evaluated crypto algorithms and/or random number generators
• No physical security requirements, can be software only
Level 2 (L1+)
• Physical enclosures with pick-resistant locks or tamper-evident stickers
• Enclosures “opaque in the visible spectrum”
Level 3 (L2+)
• Automatic deletion
Level 4 (L3+)
• Kevlar jacketing and EMP-like deletion
• Hermetically sealed enclosure
Questions?
Arguing with an Engineer is a lot like wrestling in the mud with a pig, after a couple of hours you realize the pig likes it…
Demos
Navy Account Team
• Rick ‘Trombone’ Watt, Navy Account Manager, [email protected], (720) 951-4697
• John ‘Bruce’ Lee, Navy Systems Engineer, [email protected], (562) 355-1011