Take advantage of your BIG-IP APM to replace existing Virtual Private Networks (VPNs), Web Application Portals, Remote Desktop gateways and Single Sign-On (SSO) functions. Replacing these functions saves you vendor maintenance costs as well as specialized staff to support them. Additionally, you can use the BIG-IP APM to authentication for your DMZ facing applications such as, Microsoft Exchange, Mobile Device Management (MDM — AirWatch), Microsoft Lync and VDI platforms. We have expert-level experience with deploying the following functions on the BIG-IP APM.
Web Application Portals
Use the BIG-IP APM to provide a unique webtop experience for individuals or groups of users, providing granular application access, based on Windows Active Directory account or Organization Unit (OU) group settings.
We design custom webtops that contain any of the following resources, ensuring your users only ever login once — the BIG-IP APM will automatically authenticate your users into all of your application resources thereafter, such as:
- Local Web applications – For your in-house web applications, we can configure the BIG-IP APM to use server-side NTLMv2 or Kerberos SSO to suppress pesky HTTP basic login prompts. Your applications will typically prompt external users in this manner who want to access your applications from computers that are not joined to your Microsoft Active Directory (AD).
- Cloud Applications – Using Security Assertion Markup Language (SAML), we can provide client-side Single-Sign-on (SSO) Federation services for Could applications, such as ServiceNow, Workday, Salesforce, Microsoft Outlook 365, or any other cloud-based employee service.
- Virtual Desktop/Application Security Gateways – We have extensive experience deploying the F5 BIG-IP APM to replace the security gateway function of major virtual desktop and application vendors, including the two most popular — Citrix Storefront / Access Gateway and VMware Horizon View Unified Access Gateways (UAG). We can provide HTML5, ICA Proxy, PCoIP proxy capabilities for your thick client applications or web browser access needs.
- Traditional SSL VPNs – If you are currently using your Cisco ASA, Checkpoint or F5 Fire pass, for traditional remote access VPNs, we can provide seamless migration to the BIG-IP APM, while also providing more granular access to your users with any of the Authentication features mentioned previously.
Cloud Federation / Single Sign On (SSO)
Use the BIG-IP APM to obfuscate and offload your application authentication functions – fronting applications with your BIG-IP APM will prevent attackers from attempting logins directly against your application servers. Examples of applications that BIG-IP APM can offload authentication are Exchange Outlook Web Access (OWA), Exchange Web Services (EWS), Outlook Anywhere (OA), Outlook Offline Address Book (OAB), Mobile Device
Management (MDM) and Microsoft Lync authentication. NGNX can configure your BIGIP APM to offloading the authentication function, using LDAP, AD, certificate Authentication, and OAuth from these application servers.
Multi-factor Authentication (MFA)
You may have enforced complex password selection requirements for your users, but security experts have shown that your systems are still susceptible to brute force password guessing attacks. Providing an additional layer of login security with MFA can prove to greatly reduce your risk of malicious logins to your systems.
NGNX has experience integrating BIG-IP APM with Various vendors including RSA SecurID, Secure Auth, PingID, Duo Security token and traditional hard token MFA solutions. However, what distinguishes NGNX from our competitors is our experience integrating your applications with cloud-based MFA solutions. Cloud MFA solutions allow users to use their mobile phones for your MFA requirements instead of expensive hardware token or on-premise software token solutions. With cloud-based MFA users can utilize SMS, phone-calls or push notifications to prove they are who they claim to be.
- Some of the vendors we’ve successfully integrated the BIG-IP APM with are:
- RSA SecurID
- Microsoft Azure MFA
- Amazon Web Services (AWS) MFA
- OneLogin Security
- DUO Security
- Secure AUTH
Migrating from Microsoft’s End-of-Life (TMG)
Migrating Microsoft’s retired TMG product to the BIG-IP APM module is a popular use of the BIG-IP APM. Whether you’re currently using the TMG as a reverse proxy or for your Microsoft Exchange Outlook Web Access (OWA) gateway, we can migrate your TMG system to the BIG-IP APM with zero impact to your users.