F5 BIG-IP for Microsoft Brian McHenry

1 F5 BIG-IP for Microsoft Brian McHenry
Field Systems Engineer, F5 Networks

2 DirectAccess | Branch Cache
F5 and Microsoft
- F5 has a long-standing global partnership with Microsoft, extending the availability, reliability, scalability and security of Microsoft's enterprise software.
- Solution development across the Windows platform, business productivity applications, systems management and virtualization.
- Key alliance memberships such as the System Center Alliance and the Dynamic Datacenter Alliance represent joint investment, shared thought leadership and strategic planning.
- F5 educates and trains Microsoft technical field, services and support teams on the BIG-IP platform and F5 solutions for Microsoft applications.
Dynamics | SharePoint | Exchange | Lync | System Center
DirectAccess | Branch Cache | RDS | SSTP | IPsec | IIS/ASP.NET | Windows
Availability | Reliability | Scalability | Security | Visibility | Manageability

Notes: A ten-year global partnership. F5 is a Microsoft Gold Certified partner with the Systems Management competency. Microsoft is also an important F5 customer: Microsoft GNS (Global Networking Services) has standardized on F5 as its Tier 1 ADC platform vendor for internal applications, and F5 is a core component in the architectural designs for MSN/Live, MSNBC, Xbox Live, BPOS and Azure. F5 is in turn a Microsoft customer, using Windows client/server, Active Directory, MS SQL Server, Office client, Exchange, SharePoint and Office Communications Server (now known as Lync Server). F5 engages in solution development across the Windows platform, business productivity applications, systems management and virtualization. F5 engages during Microsoft design and development, architecting F5 solutions and validating them jointly with Microsoft before the Microsoft product launch, so that customers can deploy them with an F5 solution immediately. For more information: f5.com/microsoft. Key alliance memberships such as the System Center Alliance and the Dynamic Datacenter Alliance represent joint investment, shared thought leadership and strategic planning that ensure customers can confidently invest in both Microsoft and F5 platforms because they work together.
The Microsoft Technology Center (MTC) Alliance is an industry-unique program whereby F5 and Microsoft engage customers together to discuss visions and business goals, create architectural designs and even run formal proofs of concept. These engagements take place in MTC centers located around the world, where F5 has placed BIG-IP ADC equipment for customer testing and solution design verification with Microsoft. F5 educates and trains Microsoft technical field, services and support teams on the BIG-IP platform and F5 solutions for Microsoft applications. Microsoft and F5 also have formal customer support communication and business processes in place through TSANET (http://tsanet.org/) and cordial working relationships. F5 maintains offices and lab space in Redmond as part of the Microsoft Partner Solution Center in Building 25. https://partner.microsoft.com/

3 Microsoft Partnership
- Globally managed technology partner since 2001
- One of 52 MTC Alliance partners
- Office and lab in the MPSC, Building 25, Redmond campus
https://partner.microsoft.com/

4 F5 + Microsoft = Better Together
- F5 offers solutions for a wide range of Microsoft products and technologies
- F5 is a key infrastructure building block for the Microsoft software + services platform
Products: Windows Server | Forefront | SharePoint | Exchange | Lync Server | MS CRM | SQL | BizTalk | Commerce Server
Technologies: Elastic computing | Systems management | Data center orchestration | Virtual Desktop (VDI) | Private cloud | Public cloud | Hybrid cloud
Hyper-V | System Center | PowerShell | Visual Studio | .NET

Notes: The message on this slide is that F5 offers a wide range of solutions across Microsoft applications and technologies, and that we have made additional investments so that, as customers modernize their datacenters and take advantage of the efficiencies offered by virtualization, the integration of F5 devices with their systems management platform further sets us apart from other vendors in our space.

5 Application delivery
F5 devices manage traffic within the context of the applications running on the network, optimizing user experience and providing visibility and control to IT.
Acceleration: TCP optimization | Caching | Compression
Availability: Intelligent health monitoring and load-balancing | Horizontal scaling | SSL offloading | Security operation offloading | Cross-site load-balancing and resilience
Security: Application layer protection | Spam filtering
Manageability: Templates that reduce deployment times | Fully extensible platform | System Center integration | Dynamic computing

6 F5 Solution for Microsoft Exchange

7 Benefits
- Increased availability and capacity
- Seamless disaster recovery
- Flexible security options
Availability: increased service availability/responsiveness | increased server capacity | streamlined certificate management | scale out | maintenance mode
Disaster recovery: seamless site failover
Security: flexible authentication/authorization options

9 Exchange 2010 Architecture
Diagram of the Exchange 2010 server roles and the clients that reach them:
- Edge Transport: routing and AV/AS, facing external SMTP servers
- Hub Transport: routing and policy
- Mailbox: storage of mailbox items
- Unified Messaging: voice mail and voice access, connected to the phone system (PBX or VoIP)
- Client Access: client connectivity and web services
Clients: mobile phone | web browser | Outlook (remote user) | line-of-business application | Outlook (local user) on the enterprise network

10 What’s new in Exchange Server 2010?
CAS is critical
- Elevation of the Client Access Server (CAS) role: all client connections, regardless of protocol, are with CAS servers
- CAS servers rely on an ADC for high availability
- Microsoft recommends hardware load balancing for every Exchange 2010 deployment: ADC recommended over NLB, including multi-role Exchange server installations and installations with Microsoft clustering services
- ADC for highest availability
- The Database Availability Group (DAG) is now an org-level object; resilience is achieved through multiple copies of the DAG across the organization

Notes: The DAG replication time savings are based on TMOS 10.1 testing done with TCP optimizations and adaptive compression, replicating from a source store out to a replica. The actual test times: 25:33 baseline; 21:35 with TCP optimizations (3:58 saved, 3:58/25:33 = 16% less time); 13:26 with adaptive compression (12:07 saved, 12:07/25:33 = 47% less time). The 47% less time is where the 2X acceleration factor comes from. When confusion arises around "X times" improvement versus "X%" improvement, fall back to the times: reading out the times clears up the ambiguity. DAG optimization features are not on the primary slide at this time.

11 The F5 Solution for Exchange Server 2010
Prevent these pains:
- Dropped sessions, which lead to re-authentication and reconnection
- Failed network connections, which lead to retries and delay
- Slow response, which leaves users trapped
These capabilities:
- Health monitoring and intelligent load-balancing
- Client persistence
- Server off-load
- Availability of servers, arrays and sites

Notes: These four solution characteristics map directly back to clear business value: make more money and spend less. Layer-7 attacks: cross-site scripting, parameter tampering, brute force attacks, and other known or unknown threats.

12 NLB and Hardware-Based Load Balancing…
Which way to go? For Exchange 2010, the choice is clear.
Technical reasons to use a hardware load balancer (HWLB) rather than NLB:
- Health monitoring
- Connection proxy
- Specialized persistence beyond source IP
- Intelligent load-balancing
- Internal server network efficiency
References: Microsoft internal Exchange design; TechNet guidance for high availability

13 The F5 Solution for Exchange Server 2010
Two traffic paths: User (client to CAS server) and Mail (mail flow through Edge farms)
Availability: intelligent load balancing | server- and site-level health monitoring | SSL offload | cross-site resilience | robust persistence
Performance: server optimization | caching and compression for web clients | reduced bandwidth use
Security: bi-directional proxy | AuthN/AuthZ from the perimeter | protection against application layer attacks | spam filter
Configuration: application template for error-free, fast configuration | DevCentral online user community | integration with systems management

Notes: These four solution characteristics map directly back to clear business value: make more money and spend less. Layer-7 attacks: cross-site scripting, parameter tampering, brute force attacks, and other known or unknown threats.

14 Availability
Health monitoring
- Port/protocol requests
- Real-time, in-memory connection tables
Intelligent load-balancing
- BIG-IP always knows the most available server
- Least connection method (see the application template)
Cross-site availability
- Site-level health
- Prioritized decision tree

15 Persistence
Also known as affinity or sticky sessions, persistence keeps a client on the same server for the duration of a session and helps enhance the user's application experience. Different types of persistence: source IP, cookie, SSL session ID. Each Exchange client connection type has a recommended persistence method.

16 Configuring persistence profiles in BIG-IP
Navigate to Local Traffic > Profiles > Persistence > Create. Profile types used for Exchange: Cookie, Source IP and SSL ID.
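A caveat a practitioner wants when enabling cookie persistence on the slide above: with the default insert-mode cookie profile, BIG-IP sets a cookie named BIGipServer<pool name> whose value encodes the selected pool member as "<ip>.<port>.0000", the IPv4 address and TCP port read as little-endian decimals. Anyone who receives the cookie can recover the internal address of the CAS server behind the virtual server. The decoder and header audit below are an added example written for this page, not F5 code and not something the deck states; the cookie value, pool name and Set-Cookie header it processes are constructed. Where that disclosure matters, use a cookie name that does not reveal the pool and, on TMOS releases that offer it, enable cookie encryption in the persistence profile.

```python
"""Decode and build the default BIG-IP persistence cookie value (added example)."""
import ipaddress
import re
import struct
from typing import Optional, Tuple

# Default insert-mode cookie: name "BIGipServer<pool>", value "<ip>.<port>.0000",
# where <ip> is the pool member's IPv4 address read as a little-endian 32-bit
# decimal and <port> is the member's TCP port read as a little-endian 16-bit decimal.
COOKIE_VALUE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
COOKIE_NAME_PREFIX = "BIGipServer"


def decode_bigip_cookie(value: str) -> Tuple[str, int]:
    """Return (member IP, member port) encoded in a default-format cookie value."""
    m = COOKIE_VALUE.match(value.strip())
    if not m:
        raise ValueError(f"not a default-format BIG-IP persistence cookie: {value!r}")
    ip_le, port_le = int(m.group(1)), int(m.group(2))
    if ip_le > 0xFFFFFFFF or port_le > 0xFFFF:
        raise ValueError("cookie field out of range")
    # The decimal is the little-endian reading of the four address bytes, so
    # packing it little-endian restores the bytes in network (dotted-quad) order.
    ip = str(ipaddress.IPv4Address(struct.pack("<I", ip_le)))
    port = struct.unpack(">H", struct.pack("<H", port_le))[0]
    return ip, port


def encode_bigip_cookie(ip: str, port: int) -> str:
    """Build the value BIG-IP would insert for the given pool member."""
    ip_le = struct.unpack("<I", ipaddress.IPv4Address(ip).packed)[0]
    port_le = struct.unpack("<H", struct.pack(">H", port))[0]
    return f"{ip_le}.{port_le}.0000"


def pool_from_cookie_name(name: str) -> Optional[str]:
    """Return the pool name carried in a BIGipServer<pool> cookie name, if any."""
    if name.startswith(COOKIE_NAME_PREFIX):
        return name[len(COOKIE_NAME_PREFIX):]
    return None


def audit_set_cookie(header: str) -> Optional[dict]:
    """Inspect one Set-Cookie header value and report the internal member it exposes.

    Constructed helper for a response-header review. Returns None when the cookie is
    not a default-format BIG-IP persistence cookie (for example when cookie
    encryption or a custom cookie name hides the member).
    """
    name_value = header.split(";", 1)[0]
    if "=" not in name_value:
        return None
    name, value = name_value.split("=", 1)
    pool = pool_from_cookie_name(name.strip())
    if pool is None or not COOKIE_VALUE.match(value.strip()):
        return None
    ip, port = decode_bigip_cookie(value)
    return {"pool": pool, "member": f"{ip}:{port}"}
```

Running audit_set_cookie over the Set-Cookie headers of an OWA response is a quick way to confirm whether a deployment leaks member addresses before and after the profile is changed.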

17 Performance - SSL termination
- Reduce the cost and overhead of managing certificates by moving them to BIG-IP
- BIG-IP is designed with a dedicated chipset for encryption/decryption calculations
- Reduce Exchange server CPU utilization and increase network connections per second

Notes: Saves on the cost of SSL certificates: put one on each BIG-IP instead of one on each server. Management of certificates becomes much easier: the expiry date shows up in the GUI and there are fewer copies to manage. BIG-IP has specialized chips and software to handle the computationally expensive decryption. Ciphers can be specified. BIG-IP is able to decrypt, manage and re-encrypt traffic if needed. Most customers decrypt at BIG-IP and send on unencrypted; that choice means the hop from BIG-IP to the CAS servers carries plaintext, so keep it on a trusted network segment or use server-side SSL to re-encrypt where the internal network is not trusted.

18 Security
- Bi-directional proxy
- Secure remote access
- Pre-authentication
- Application layer security for web clients
- Spam filtering

Notes: Explain that Edge Gateway is comprised of APM + WOM, and that the SSL VPN is distinct from the AuthN/AuthZ features.

19 Introduction: Exchange ActiveSync
The ActiveSync protocol is used between smartphones and Microsoft Exchange for synchronization of mail, calendar and contacts.
- Username and password are normally used for security. One-time passwords (OTP) or tokens are not used because they are not user friendly.
- Client SSL certificates cause management problems when certificates have to be managed on hundreds of different devices.
- BIG-IP Access Policy Manager (APM) can be used to improve security for ActiveSync deployments.

Notes: The ActiveSync protocol is used to synchronize mail between mobile devices and Microsoft Exchange.

20 Exchange market share
- More than 200 million installed Exchange mailboxes
- BIG-IP LTM and APM are flexible tools and can be configured to improve security for ActiveSync users
- The ActiveSync protocol can also be used to synchronize mail from Google Mail; ActiveSync support is also planned for Hotmail

21 ActiveSync, Microsoft Solution
Diagram: DMZ (MS TMG or ISA) | Data Center (MS Exchange, AD)
ActiveSync is implemented using two common designs:
- The client connects to a Microsoft TMG (ISA) server that authenticates the user.
- The client connects directly to the Microsoft Exchange CAS server.
Microsoft solution:
- Authenticate the user before the client accesses the Exchange server
- Exchange 2007/2010 can verify the DeviceId
- An AD group check and a basic URL filter can be implemented on TMG

22 ActiveSync, F5 BIG-IP LTM & APM Solution
Diagram: DMZ (BIG-IP LTM and APM) | Data Center (MS Exchange, AD)
- SSL offload
- Verify and enable access based on: user/password, AD group membership, IP location, DeviceId, DeviceType, User-Agent, brute force detection, ActiveSync commands used, URI (allow access requests to /Microsoft-Server-ActiveSync), user home server

Notes: We can add multiple layers of security when using BIG-IP and APM. For example, verify that the user is a member of the group allowed to use ActiveSync before attempting authentication; this prevents brute force password guessing with random usernames. BIG-IP can verify that the source IP address belongs to a mobile provider and prevent access from unknown providers. Using the User-Agent sent by the device, we can allow access only from known phone vendors and known OS versions. BIG-IP can verify the DeviceId sent by the mobile device and compare it with the DeviceId registered in AD, so that only approved devices are allowed to connect. BIG-IP can track the number of failed logon attempts from one IP address (brute force detection) and temporarily disable a source IP detected as the source of username/password brute forcing.

23 BIG-IP example of security options that can be enabled for ActiveSync
- SSL offload
- URI check (/Microsoft-Server-ActiveSync and /autodiscover)
- User-Agent whitelist: only allow access from known device types, based on the User-Agent; it also carries the software version on the phone
- Verify the source IP address and enable access from known mobile carriers
- DeviceId verification: compare against the user's AD attribute holding the provisioned DeviceId
- Login brute force detection: disable the source IP address for 90 seconds after 3 failed logons
- AD group membership: only allow access for users who are members of the ActiveSync group
- Verify the ActiveSync command sent from the smartphone against a whitelist of approved ActiveSync commands
- For large installations, look up AD information and route the request to the user's home server
- Verify username and password
Single or multiple security options can be enabled depending on the security requirement.

24 Access Policy in Visual Policy Editor
The Visual Policy Editor enables easy configuration of access policies for ActiveSync without scripting. The APM policy shown uses an "AD Query" to verify that the user is a member of the ActiveSync group in AD and that the DeviceId sent by the smartphone is registered as an AD attribute of the user. Only if the AD group check and the DeviceId check pass are the username and password verified.

25 Summary of APM Benefits
Security for ActiveSync users can be improved using BIG-IP Access Policy Manager:
- Verification of the ActiveSync URI and User-Agent
- AD group membership verification
- AD user DeviceId attribute compared with the DeviceId sent by the mobile phone
- Authentication of the user only after verification of URI, User-Agent, AD group and AD DeviceId
- Detect and blacklist brute-forcing IP addresses
- Verify ActiveSync commands from devices against a whitelist of approved commands
- SSO for other Microsoft services such as SharePoint
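The ordering that slides 22 to 25 describe, cheap unauthenticated checks first and the password last, is what makes the policy resist username spraying: a guess with an unknown user, an unregistered DeviceId or a foreign source address is refused before the directory ever sees a credential. The evaluator below is an added example written for this page, not an APM policy export and not F5 code; the directory entries, carrier range (TEST-NET-3), User-Agent prefixes, command whitelist and DeviceId values are all constructed. The deny reasons it returns are meant for the policy log; a real deployment returns the same generic 401 or 403 to the device for every denial so the check order is not disclosed.

```python
"""Ordered ActiveSync pre-authentication checks (added example, constructed data)."""
import hmac
import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import parse_qs, urlsplit

# Constructed directory standing in for the AD queries; passwords are plaintext
# here only so the example runs offline (APM hands the credentials to AD).
DIRECTORY = {
    "alice": {"groups": {"ActiveSyncUsers"}, "device_ids": {"Appl7K1234ABCD"}, "password": "correct horse"},
    "bob":   {"groups": {"Staff"},           "device_ids": set(),               "password": "hunter2"},
}
EAS_PATH = "/Microsoft-Server-ActiveSync"
ALLOWED_PATHS = (EAS_PATH, "/autodiscover")                  # URI check
AGENT_ALLOWLIST = ("Apple-iPhone", "Apple-iPad", "Android")  # assumed User-Agent prefixes
CARRIER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # constructed "known carrier" range
ALLOWED_CMDS = {"Sync", "FolderSync", "Ping", "Provision", "Settings", "SendMail", "GetItemEstimate",
                "MoveItems", "Search", "ItemOperations", "SmartReply", "SmartForward"}
LOCKOUT_FAILURES, LOCKOUT_SECONDS = 3, 90


@dataclass
class Request:
    client_ip: str
    uri: str           # path plus query string as sent by the device
    user_agent: str
    username: str
    password: str


class ActiveSyncGate:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.failures: Dict[str, int] = {}         # failed logons per source IP
        self.blocked_until: Dict[str, float] = {}  # source IP -> time the lockout ends

    def evaluate(self, req: Request) -> str:
        """Return 'allow' or 'deny: <reason>'; the reason is for the policy log only."""
        now = self.clock()
        if self.blocked_until.get(req.client_ip, 0.0) > now:
            return "deny: source locked out"
        if not any(ipaddress.ip_address(req.client_ip) in net for net in CARRIER_RANGES):
            return "deny: source not a known carrier"
        parts = urlsplit(req.uri)
        if not parts.path.startswith(ALLOWED_PATHS):
            return "deny: URI not allowed"
        if not req.user_agent.startswith(AGENT_ALLOWLIST):
            return "deny: User-Agent not allowed"
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        is_eas = parts.path.startswith(EAS_PATH)
        if is_eas and params.get("Cmd") not in ALLOWED_CMDS:
            # Also refuses requests whose query is base64-encoded by newer devices:
            # they carry no plain Cmd and must not slip past the whitelist unseen.
            return "deny: ActiveSync command not allowed"
        # Directory checks come before any password is tried, so a random
        # username or an unregistered device never reaches authentication.
        entry = DIRECTORY.get(req.username)
        if entry is None or "ActiveSyncUsers" not in entry["groups"]:
            return "deny: user not in ActiveSync group"
        if is_eas and params.get("DeviceId") not in entry["device_ids"]:
            return "deny: DeviceId not provisioned for user"
        if not hmac.compare_digest(req.password.encode(), entry["password"].encode()):
            count = self.failures.get(req.client_ip, 0) + 1
            if count >= LOCKOUT_FAILURES:          # third failure: block the source for 90 s
                self.blocked_until[req.client_ip] = now + LOCKOUT_SECONDS
                count = 0
            self.failures[req.client_ip] = count
            return "deny: bad credentials"
        self.failures.pop(req.client_ip, None)
        return "allow"
```

Autodiscover requests carry no Cmd or DeviceId, so the gate applies only the source, URI, User-Agent, group and password checks to them; the DeviceId comparison is reserved for the /Microsoft-Server-ActiveSync path where the parameter exists.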

26 Configuration - We have a template for that!

27 BIG-IP deployment topology
Enhance availability and scale up through load balancing
- Client to CAS and Edge farms
- Recommended for multi-role Exchange servers, deployments with more than 8 CAS servers and "brick" deployments with clustering services
Accelerate
- TCP optimization
- Caching 154 of 160 OWA objects
- Compression of attachments, with up to 90% faster file downloads
- Off-load SSL (25% savings of server CPU utilization)
- Reduce SSL connections by RPC over HTTP
- Exchange Database Availability Group (DAG) replication time savings
Secure
- Pre/post logon checks for web clients
- Remove 70% of spam before it reaches Exchange

Notes: The load-balancing message is that it is smart load-balancing; the types need to be described in these notes. Spam filter message: we were first to market, and if you can filter 70% of spam based on known offenders, why not leverage that functionality before mail gets to any of your Exchange servers or spam filters at all? It increases capacity (reduces load) on all messaging elements.

28 BIG-IP Hardware Line-up
Models named on the slide: BIG-IP 8950, BIG-IP 8900, BIG-IP 6900, BIG-IP 3900, BIG-IP 3600, BIG-IP 1600. The extracted slide carries seven specification columns against these six labels, so the columns are listed in the order extracted (largest platform first) without a model assignment; port counts lost digits in extraction.
- 2 x Hex core CPU | 16 10/100/ x 10 SFP+ 10Gbps | 2x 320 GB HD (S/W RAID) + 8GB CF | 32 GB memory | 100K TPS / 15Gb bulk | 12 Gbps max software compression | 40 Gbps traffic
- 2 x Quad core CPU | 16 10/100/ x 1GB SFP + 2x 10Gb SFP+ | 2x 320 GB HD (S/W RAID) + 8GB CF (?) | 16 GB memory | 56K TPS / 9.6Gb bulk | 8 Gbps max software compression | 20 Gbps traffic
- 2 x Quad core CPU | 16 10/100/ x 1Gb SFP + 2x 10Gb SFP+ | 2x 320 GB HD (S/W RAID) + 8GB CF | 16 GB memory | 58K TPS / 9.6Gb bulk | 8 Gbps max hardware compression | 12 Gbps traffic
- 2 x Dual core CPU | 16 10/100/ x 1Gb SFP | 2x 320 GB HD (S/W RAID) + 8GB CF | 8 GB memory | 25K TPS / 4 Gb bulk | 5 Gbps max hardware compression | 6 Gbps traffic
- Quad core CPU | 8 10/100/ x 1Gb SFP | 1x 300 GB HD + 8GB CF | 8 GB memory | 15K TPS / 3.8 Gb bulk | 3.8 Gbps max software compression | 4 Gbps traffic
- Dual core CPU | 8 10/100/ x 1Gb SFP | 1x 160 GB HD + 8GB CF | 4 GB memory | 10K TPS / 2 Gb bulk | 1 Gbps max software compression | 2 Gbps traffic
- Dual core CPU | 4 10/100/ x 1Gb SFP | 1x 160GB HD | 4 GB memory | 5K TPS / 1 Gb bulk | 1 Gbps max software compression | 1 Gbps traffic

29 Summary
- Highest availability
- Dramatically increased server capacity
- Cross-site availability and resilience
- Pre-authenticate users in the perimeter network
- Seamless integration with systems management: F5 devices can be controlled using PowerShell and Management Packs

30 Exchange related resources
- F5 solution page for Exchange Server
- F5 Deployment Guide for Exchange Server 2010
- Technical white paper by Microsoft on their internal deployment
- Load-balancing requirements from TechNet
- F5 developer/IT admin user community

31 F5 Solution for Microsoft Lync Server

32 F5 Solution Benefits
Performance = scalability, availability and resiliency | Secure monitoring | Deployment assistance
Performance
- Intelligent load-balancing of signaling traffic
- Off-load SSL between clients and Communicator Web Access servers
- Scale out as needed
- Session-level and site-level resilience
Security
- SSL off-loading for Communicator Web Access (CWA)
- TLS-based SIP monitor to check the health of servers in LTM pools
Configuration
- Detailed deployment guide available
- Built-in application policy and template wizard
- Leverage the DevCentral user community
Management
- Simplify management with a single control point in the data center
- TLS-based SIP monitor
- Microsoft Premier Support teams trained on BIG-IP

Notes: Performance: load-balance client connections into Consolidated Edge servers; load-balance client connections into Consolidated Lync servers as well as Director pools; off-load SSL for web services regardless of Lync server role (web services and A/V are spread across servers rather than having their own role in Lync 2010). Security: SSL off-load (LTM can re-encrypt outbound traffic or pass it through entirely); TLS is a secure, encrypted protocol for encapsulating SIP traffic. Configuration: best-in-class deployment guide; the OCS policy is built into v10 and later of LTM and will be updated in Spring 2011; F5 is the only ADC vendor with an online user/developer community with forums, additional content, etc. Management: intelligent health monitoring of the application over and above generic server response, with the option to use the TLS monitor, which gives a secure application-layer health monitor for SIP servers. F5 partners with Microsoft from solution design all the way through product support. Microsoft Premier support engineers are trained on BIG-IP and have devices in their troubleshooting labs, so the F5 configuration does not need to be removed in order to establish a repro case.
In addition, F5 support engineers work together with Microsoft support engineers to solve customer issues, which gives the customer additional assurance that an investment in both Microsoft and F5 is secure and trustworthy.

33 Improve security and ease of management
Increase performance, scale and availability through:
- Intelligent load-balancing of signaling traffic
- TCP optimization
- SSL off-load for web traffic
- Session and site resilience
Improve security and ease of management:
- Template for auto-configuration of BIG-IP
- TLS-based SIP monitor
- iControl API and iRules
- Leverage the ADC as a strategic data center control point

Notes: Availability: least-connection method of load balancing (by node versus pool member); multiple distinct TCP configuration modifications that improve application performance. Security and management: F5 believes greater value is realized by enabling IT admins to manage the health of application servers rather than physical servers or IP nodes.

34 Best practices
- Use Microsoft guidance for sizing. For F5 devices, key off throughput, number of concurrent users, features to be used and the ratio of external to internal users.
Resiliency:
- Site resiliency through BIG-IP Global Traffic Manager (GTM)
- Client session resiliency through TCP idle timeout
- BIG-IP resiliency through LTM mirroring
- Contact your local F5 field engineering team for assistance

Notes: F5 sizing guidance is in process (the output is not a BIG-IP model number; this is guidance, not a calculator).

35 New considerations
- DNS LB is available. Verify customer requirements for availability and resilience.
- ADCs are still a critical component for managing both web and real-time communications.
- Advanced ADCs offer DNS-based connection redirects for site-level resilience.
- Global traffic management is an option for site-level resilience that does not require a SAN.
- WAN redundancy is an option versus a survivable branch appliance for voice resilience.

Notes: Regarding the DNS LB introduced as an out-of-the-box feature of Lync Server 2010: Lync clients make a DNS request and receive a block of four IP addresses for Lync servers. The client selects one of those addresses at random and tries it; if the connection fails, it randomly selects another, and continues until all four have been tried, then moves to site failover. DNS LB requires the client to send requests to a server without knowing whether it is available. Because selection is random and the client knows nothing about the server-side application or its availability, the result is failed connections, extra network traffic and delayed user response. On the server side, connections "clump" on some servers instead of being evenly distributed, and users get connected to a server that is responding at one level of the protocol stack but is effectively too busy to handle the additional user. In contrast, an ADC keeps a real-time, in-memory record of availability per server, so the most available server is used for each connection and a user's connection can be persisted to the same server for the duration of a session; an ADC never sends connection requests to unavailable servers. Customers should therefore evaluate their availability and reliability requirements before deciding to use built-in DNS LB instead of hardware load balancers.
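The two selection models contrasted in the notes above, and the in-memory connection table and least-connections method on slide 14, can be compared directly in a small simulation. The code below is an added example written for this page, not F5 code or Lync client code; the four-server pool with one host down, the per-server capacity and the client count are constructed. The DNS model has each client try the four addresses in random order until one accepts, which is what the notes describe; the ADC model picks the member with the fewest connections among those the monitor marks up and below their connection limit, so it never issues a failed attempt and never lands a user on a down server.

```python
"""DNS load balancing versus ADC selection, simulated (added example, constructed pool)."""
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Server:
    name: str
    healthy: bool      # what an ADC health monitor would report
    capacity: int      # sessions it can really serve; beyond that it still answers TCP
    connections: int = 0


def make_pool() -> List[Server]:
    """Constructed pool: the four addresses a Lync client gets from DNS, one host down."""
    return [Server("fe1", True, 110), Server("fe2", True, 110),
            Server("fe3", False, 110), Server("fe4", True, 110)]


def dns_lb_connect(pool: List[Server], rng: random.Random) -> int:
    """Client-side selection: try the addresses in random order until one accepts.
    Returns the number of failed attempts made before a connection succeeded."""
    order = pool[:]
    rng.shuffle(order)
    failed = 0
    for server in order:
        if server.healthy:          # a down host refuses; the client only learns by trying
            server.connections += 1
            return failed
        failed += 1
    raise RuntimeError("all four addresses failed; the client moves on to site failover")


def adc_connect(pool: List[Server]) -> int:
    """ADC selection: least connections among members the monitor marks up and that
    are below their connection limit. Never produces a failed attempt."""
    available = [s for s in pool if s.healthy and s.connections < s.capacity]
    if not available:
        raise RuntimeError("no available pool member; GTM would steer the user to another site")
    chosen = min(available, key=lambda s: s.connections)
    chosen.connections += 1
    return 0


def simulate(model: str, clients: int = 300, seed: int = 7) -> Dict[str, int]:
    """Run `clients` new sessions through one selection model and summarise the outcome."""
    rng = random.Random(seed)       # fixed seed so the DNS run is reproducible
    pool = make_pool()
    failed = 0
    for _ in range(clients):
        failed += dns_lb_connect(pool, rng) if model == "dns" else adc_connect(pool)
    up_loads = [s.connections for s in pool if s.healthy]
    return {
        "failed_attempts": failed,
        "max_load": max(up_loads),
        "min_load": min(up_loads),
        "over_capacity": sum(max(0, s.connections - s.capacity) for s in pool),
        "down_server_sessions": sum(s.connections for s in pool if not s.healthy),
    }


if __name__ == "__main__":
    for model in ("dns", "adc"):
        print(model, simulate(model))
```

With three members up, the ADC run spreads 300 sessions as exactly 100 each with no failed attempts; the DNS run records every wasted attempt at the down host and whatever clumping the random choice produced, and the over_capacity figure is the "too busy but still answering TCP" case the notes describe, which only the ADC's connection limit prevents.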

36 Summary
- Lync Server 2010 needs ADCs for the highest availability, scale and reliability
- Real-time communications need intelligent, line-speed traffic management
- One ADC covers multiple deployment points
- Session-level and site-level resilience are network challenges F5 can help you solve

Notes: F5 sizing guidance is in process (the output is not a BIG-IP model number; this is guidance, not a calculator).

37 Lync Server Resources F5 solution for Lync
Customer reference and press F5 online community for Microsoft solutions F5 Press Release Microsoft Lync qualified ADC list

38 F5 Solution for Microsoft SharePoint

39 SharePoint SharePoint is a business collaboration platform that can be deployed with specific roles in these areas: Web portals and Web content management Business Intelligence and Analysis Collaboration Document management Enterprise Search Custom .NET Web application development F5 supports each of these server capabilities, providing performance, availability and security enhancements over the network and seamless to the application.

40 F5 Solution for SharePoint 2010
- Improve end-user experience through better response
- Offload operations to free up CPU, increasing server availability
- Leverage a single point and platform for security and delivery
Performance: seamless acceleration of the client experience | accelerate both web content and file upload/download | increase transactions per second on web servers
Availability: load-balance front-end servers | offload SSL | cross-site resilience
Security: fastest application layer security on the market | application layer protection | PCI compliance
Management: SharePoint template built into BIG-IP | System Center Management Pack available for download from DevCentral | streamline maintenance and operations using file virtualization

Notes: The talking points for this slide need to start with the primary features, with references to availability, performance, security and configuration as they naturally relate. Don't deliver by column, because there would be a lot of repetition. Just explain the features and say something like: note the positive implications for availability and performance of an intelligent caching mechanism, and the security benefit of a solution that supports caching of HTTPS-delivered content. Note the flexible and powerful configuration options of BIG-IP that let customers set up the caching and hash calculation as they see fit, serving the needs of any web server environment that needs to support BranchCache with Windows 7 clients. It is bridging technology that leverages some core capabilities of the F5 ADC to enable the best experience for Win7 users across web server platforms, and it complements BranchCache if the customer wants to off-load the hash calculation, getting the benefits of server-based BranchCache without taxing the W2K8 server when it needs to perform other key services in that network segment.

41 Availability Acceleration Security Management
Availability: port/protocol health monitoring | load-balancing | SSL offload | site resilience
Acceleration: TCP optimizations | caching | compression | de-duplication
Security: application layer protection | policy engine with defaults
Management: template-based configuration | best-in-class Management Pack

43 Considerations for availability
BIG-IP LTM (Local Traffic Manager)
- Increased server availability = increased user productivity
- Availability should be measured per server and across servers
- Per server, availability can be measured by increased connections per second
- Across servers, availability can be measured by aggregated resource utilization as well as uptime
BIG-IP GTM (Global Traffic Manager)
- Cross-site load-balancing increases infrastructure ROI
- Implementing disaster recovery could be a first step toward real-time site resilience

Notes: Performing a failover to a DR site is a one-time, one-way movement of application services. Achieving that level of infrastructure agility could be the first step for some customers toward the loftier goal of fully dynamic computing across sites. Cross-site computing expands the possibilities for further resilience and real-time load-balancing across an entire organization's available resources. Another important feature provided by F5 is geo-location. Through GTM, BIG-IP can identify the source location of incoming users and factor it into the decision about where to direct each user. This is commonly used to ensure end users reach their closest data center, or it is compared with application pool response times across multiple sites to decide whether physical proximity or server responsiveness is the better basis for directing user traffic.

44 Considerations for acceleration
BIG-IP WA (Web Accelerator Module)
- Application delivery (ADC) benefits start with an asymmetric deployment
- WA improves the end-user experience for repeat visitors by eliminating network chatter
- Best-in-class caching; Intelligent Browser Referencing (IBR) is unique
- WOM reduces file load time by 95%
- Explore Windows Server 2008 R2 BranchCache to reduce bandwidth use

Notes: An asymmetric ADC deployment means one pair of BIG-IP devices in your primary data center, between end users and the SharePoint front-end servers. Health monitoring, TCP optimizations, load-balancing, offloading operations such as SSL, and basic caching/compression are all delivered in this, the simplest deployment. Beyond this, explore the range of acceleration benefits of a symmetric WA/WOM deployment: an improved end-user experience for repeat visitors by eliminating the 304 responses generated for the non-layout components, which for some deployments are the majority of objects; server off-load, since not all users access the application with a primed cache; and symmetric deployments that stage all content closer to the end users. New policy on DevCentral. Management Pack: interact with BIG-IP through the MP and the SCOM console to perform tasks such as discovering nodes, adding/removing them and enabling/disabling them. The PRO Pack brings BIG-IP network health statistics into SCOM, and PRO tips in the VMM UI give admins the ability to automatically respond to and remediate issues.

45 Considerations for security
BIG-IP ASM (Application Security Module)
- Security or performance? The fastest layer 7 (application layer) security product
- Compliance regulations: PCI DSS, SOX, Basel II, HIPAA
- New malicious behavior: built-in security policy for SharePoint
- Beyond HTTP protection
- ICSA Web Application Firewall certification
- SC Magazine's 2010 Reader Trust Award for Best Web Application Security solution
References: ASM product overview; application security white paper

Notes: Line 1: ASM, TMOS and F5 hardware advantages. Line 2: ASM enables customers to comply with these regulatory standards. Line 3: starting with a security policy customized by F5 for SharePoint, ASM also contains a real-time policy engine that can "learn" proper application behavior and then be switched over to "protection" mode; it can also be used to build and deploy specific protections on the fly. Line 4: some application layer firewalls handle HTTP traffic only; ASM, built on F5's traffic management operating system (TMOS), understands and handles additional protocols.

46 Considerations for storage
F5 ARX file virtualization
- Leveraging 3rd-party solutions such as StoragePoint
- Reduce the size of your SharePoint content databases by 95%
- Streamline SharePoint performance and backup
- Decrease storage costs
Diagram: SharePoint | Storage devices | ARX | MS SQL

Notes: In SharePoint 2010 Microsoft has enhanced RBS and EBS for remote BLOB (binary large object) storage. This has paved the way for 3rd-party specialists in storage and SharePoint operations to create customized solutions that let customers specify certain content or files to be stored as unstructured data instead of in MS SQL. This is a powerful option for customers who store extremely large numbers of files, and relatively large files such as multimedia-heavy content: video, images, audio and so on. The solutions vary in detail, but at the core they replace the file stream provider that sits between SharePoint and MS SQL, effectively redirecting the file location elsewhere, usually file-server-like disks exposed through a NAS interface. For end users the SharePoint access and interface are unchanged (whether through a web browser or an Office client application), but on the back end there is a significant difference in the efficiency of MS SQL processing. The larger the content store, the greater the impact; in general you can imagine the additional scale, the faster backup times, and the ease of migration and upgrade this option provides for customers with the appropriate requirements profile. F5 has deployed and tested the storage solution built by StoragePoint, one of the most popular and experienced SharePoint storage partners. It is important to note that StoragePoint the company was recently purchased by Metalogix, so StoragePoint the solution is now available from Metalogix.

47 Considerations for dynamic computing and systems management
Integrate F5 device management into systems management: health monitoring, automatic provisioning
Control BIG-IP using PowerShell
F5 Management Pack offerings for System Center: Operations Manager, Virtual Machine Manager, SharePoint Application Designer

48 System Center Integration F5 Management Pack for Operations Manager
(Health-based load balancing video)
Device discovery
LTM, GTM supported
160+ health statistics
Fully integrated with SCOM rules and event engine
iRule-driven events supported
Maintenance mode
F5 device tasks: discover devices, standby, failover, configuration sync, help

49 System Center Integration F5 PRO enabled Management Pack for Virtual Machine Manager

50 Dynamic computing summary
Prepare your network for dynamic computing
BIG-IP is a natural choice for deploying virtualized infrastructure: server and data center consolidation, establishing business continuity
Unify health monitoring views
Enable your infrastructure to manage itself

51 F5 Application Designer Management Pack for SharePoint Server 2010
Auto discovery of application instances
Auto configuration of System Center Operations Manager
Application VMs are auto-configured using BIG-IP application templates
Live Migration and Maintenance supported
Health roll-up identifies the source component of the application instance that is failing

52 Summary Faster application experience for LAN and WAN users
Increased server computing capacity
High availability for SharePoint server services
Streamlined SharePoint operations and maintenance
Automatic, error-free configuration
System Center integration for unified network and application service management

53 Network – Datacenter Integration F5 offerings
Integration with System Center: MP for SCOM, PRO Pack for VMM, Migration Pack and Application Designer Packs
Open management interface (iControl API) enables integration with your management platform: PowerShell and .NET
Management Pack for SCOM, PRO Pack for SCVMM, PRO Pack extensions
Notes: These examples are built upon a completely extensible tool set (native API set, PowerShell cmdlets) giving the power and flexibility to orchestrate any scenario. Possible to reinforce the site resilience message by virtue of GTM.

55 System Center Integration F5 PRO enabled Management Pack for Virtual Machine Manager
Network monitoring
Instruct BIG-IP
PRO enabled
Reports
Host-level performance

57 Hyper-V and BIG-IP working together
User connection handling during Live Migration
Live Migration over distance via BIG-IP Global Traffic Manager (GTM)

58 Vision for the dynamic datacenter
Enable companies to dynamically pool, allocate and manage IT infrastructure as a service
Lower the operational costs for delivering IT
Increase flexibility and the variety of services offered to tenants

59 F5 for a more dynamic network
Elastic | Available | Portable | Patterned | Service oriented | Intelligence | Control
Notes: F5's best-in-class application-specific load balancing and acceleration, combined with the Microsoft management platform (specifically System Center Operations Manager and Virtual Machine Manager), provide the basic building blocks for a dynamic network.
Intelligence
  Network traffic management devices that are openly extensible with systems management
  System Center determines that more resources are needed and configures for it: hardware, VMs, and the network
  Fault avoidance: site resiliency, re-allocation of resources based on network situations
  The network is one more key source of data for making smart resource allocation decisions
  Network-related health information: detailed enough to provide multiple sets of port/protocol-level pair detail under each application service
Unification
  Unifies VM changes and network changes (elastic computing)
Fault avoidance
  High availability of application services
  Reallocation of resources based on network situation
  Application-specific network traffic management
Portable
  Traverse network boundaries
  Free from spatial constraints (geography and hardware)
  Increase efficiency and specialization
Patterned
  Partitioned for 1:many
  Repeatable deployment and operations
  Lowers the cost barrier to entry: every service available to all customers
Elastic
  Steady state is a constant state of flux
  Scale out and in as needed
  Increases the economies of scale of the hosting model
Service oriented
  Strong control
  Defined and custom service levels
  Opportunity to sell additional value services
  Custom threshold determination and operation
  Custom levels of automation versus human intervention in decisions and operational tasks

60 SharePoint related resources
F5 Networks
  Solution page for SharePoint Server 2010
  Solution Overview
  Application Ready Solution Guide
  Deployment Guide
  F5 Management Pack on DevCentral
  Microsoft user forums on DevCentral
Microsoft
  SharePoint public Web sites

61 F5 Solution for Microsoft DirectAccess

62 F5 Solution for Forefront Unified Access Gateway – DirectAccess
Optimize secure remote access
Scale UAG servers for high availability
Ensure best performance for new connections
Persist existing client connections
Notes: The load-balancing message is that it is smart load balancing; the method types are described in the notes for the following slides. Spam filter message: we were first in market, and if you can filter 70% of spam based on known offenders, why not leverage that functionality before mail gets to any of your Exchange servers or spam filters at all? It increases capacity (reduces load) on all messaging elements.

63 F5 iRules Rules for customized network traffic management
Used on the internal BIG-IP configurations
Connection tracking iRule (server persistence)
  Sets the session key as the source IP address
  Associates the source IP with the originating MAC of the UAG server
  Adds it to a table on the BIG-IP to maintain persistence
Pre-selection iRule (outbound persistence)
  Ensures that an outbound client connection returns to the server to which the client is attached
  The tunnel between the client and the UAG server is reused for server-originated traffic to the client
Notes: We can make even more granular load-balancing decisions using iRules, which key off specific data found within the packet. In our DirectAccess solution, the rules we use create a persistence record on the BIG-IP and then use that persistence record to reuse the already established tunnel. Let's have a look at the rules.

64 Common Questions
Q: What load-balancing method does F5 recommend for DirectAccess client connections?
A: F5 recommends an intelligent load-balancing method based on the number of client connections over ports 3544 (Teredo, UDP) and 443 (IP-HTTPS, TCP). The built-in F5 load-balancing method called "least connections" ensures that each new client is directed to the DA server with the lowest number of current connections.
Q: How does F5 achieve the "stickiness" needed to persist existing connections?
A: F5 has written and tested a set of custom iRules to persist client connections to one DA server within each user session.
Q: How can one obtain the F5 iRules for this solution?
A: The connection tracking iRule and the persistence iRule are available as part of the solution deployment guide.
Q: How would F5 support a multi-site deployment of DirectAccess?
A: Currently F5 recommends that customers design DirectAccess server deployments by geographic region and scale out within each region as needed.
Additional questions? Now is your chance to ask!
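The two iRules on slide 63 and the least-connections answer above describe one decision procedure: pick the least-loaded healthy UAG server for a new client on the Teredo or IP-HTTPS listener, remember which server holds that client's tunnel, and send server-originated traffic back through the same tunnel. The following is an added model of that procedure written for this page; it is not F5's shipped iRules and does not call BIG-IP APIs. The server names, client addresses and the persistence timeout are constructed for illustration.

```python
"""Model of the DirectAccess load-balancing logic described on these slides:
least-connections selection for the Teredo (UDP 3544) and IP-HTTPS (TCP 443)
listeners, a source-IP persistence table, and server-originated ("outbound")
traffic pinned to the UAG server that holds the client's tunnel.

Added example: this is not F5's shipped iRules and does not use BIG-IP APIs.
Server names, addresses and the timeout are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

DA_PORTS = {3544, 443}   # Teredo (UDP 3544) and IP-HTTPS (TCP 443) listeners
PERSIST_TIMEOUT = 3600   # seconds before an idle persistence record expires (assumption)


@dataclass
class Server:
    name: str
    healthy: bool = True
    connections: int = 0


@dataclass
class PersistEntry:
    server: str       # UAG server holding this client's tunnel
    last_seen: float  # last time the client was seen, used for expiry


@dataclass
class DirectAccessLB:
    servers: Dict[str, Server]
    persist: Dict[str, PersistEntry] = field(default_factory=dict)

    def _least_connections(self) -> Optional[Server]:
        """Healthy server with the fewest current connections (ties go to the first defined)."""
        healthy = [s for s in self.servers.values() if s.healthy]
        return min(healthy, key=lambda s: s.connections) if healthy else None

    def inbound(self, client_ip: str, port: int, now: float) -> Optional[str]:
        """Connection-tracking rule: reuse the client's persisted server if it is
        still alive and the record has not expired, otherwise fall back to least
        connections and record the choice."""
        if port not in DA_PORTS:
            return None                      # not a DirectAccess transition listener
        entry = self.persist.get(client_ip)
        if entry is not None:
            expired = now - entry.last_seen > PERSIST_TIMEOUT
            if not expired and self.servers[entry.server].healthy:
                entry.last_seen = now
                self.servers[entry.server].connections += 1
                return entry.server
            del self.persist[client_ip]      # expired or server down: re-select
        srv = self._least_connections()
        if srv is None:
            return None                      # no healthy UAG server left
        srv.connections += 1
        self.persist[client_ip] = PersistEntry(srv.name, now)
        return srv.name

    def close(self, server_name: str) -> None:
        """A client connection ended; the persistence record is kept until it expires."""
        self.servers[server_name].connections -= 1

    def outbound(self, client_ip: str, now: float) -> Optional[str]:
        """Pre-selection rule: server-originated traffic to a client must leave via
        the UAG server that holds that client's tunnel. Without a live record there
        is no tunnel to reuse and the traffic cannot be delivered."""
        entry = self.persist.get(client_ip)
        if entry is None or now - entry.last_seen > PERSIST_TIMEOUT:
            return None
        return entry.server if self.servers[entry.server].healthy else None


def demo() -> dict:
    """Walks through the scenarios on the slides; returns each decision for inspection."""
    lb = DirectAccessLB({"uag1": Server("uag1"), "uag2": Server("uag2")})
    out = {}
    out["c1_teredo"] = lb.inbound("203.0.113.10", 3544, now=0)    # uag1: tie broken by definition order
    out["c2_iphttps"] = lb.inbound("203.0.113.20", 443, now=1)    # uag2: fewer connections
    out["c1_again"] = lb.inbound("203.0.113.10", 443, now=2)      # uag1: persistence beats least connections
    out["c1_outbound"] = lb.outbound("203.0.113.10", now=3)       # uag1 holds c1's tunnel
    out["unknown_outbound"] = lb.outbound("198.51.100.5", now=3)  # None: no tunnel to reuse
    out["other_port"] = lb.inbound("203.0.113.30", 80, now=3)     # None: not a DA listener
    lb.servers["uag1"].healthy = False                            # health monitor marks uag1 down
    out["c1_failover"] = lb.inbound("203.0.113.10", 3544, now=4)  # uag2: stale record dropped, re-selected
    out["c2_expired"] = lb.inbound("203.0.113.20", 443, now=1 + PERSIST_TIMEOUT + 1)  # uag2: record expired
    out["uag2_connections"] = lb.servers["uag2"].connections      # 3
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats fall out of the model. Source-IP persistence puts every client behind one NAT onto the same UAG server, which skews least-connections and is inherent in keying on the source address. And when the persisted server fails its health monitor, the client's record must be dropped so the next connection is re-selected; a record that outlives the server leaves outbound (manage-out) traffic with no usable tunnel.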

65 Benefits summary Optimize secure remote access
Monitoring protocol health
Scaling out effectively
Providing the best end-user experience

67 DirectAccess related resources
F5 solution for DirectAccess
  Deployment Guide
  DevCentral online community posts by F5
Microsoft resources
  Read more about DirectAccess

68 F5 Solution for Microsoft BranchCache

69 BranchCache Customer benefits
BranchCache is a technology in Windows 7 and Windows Server 2008 R2 that makes it easier and faster for users to obtain Web and file share content across WAN links.
Customer benefits
  Increased employee productivity
  Reduced WAN bandwidth usage and branch IT operational costs
  Hosted or Distributed Cache deployment options
Flexible deployment
  Hosted: Windows Server 2008 R2 caches
  Distributed: Windows 7 clients cache
  Multi-protocol access [HTTP, HTTPS, SMB, Signed SMB]
Optimizes content delivery via caching in a distributed environment

70 F5 Solution For BranchCache
Secure Hash Algorithm - 256

71 F5 Solution for BranchCache
Increase server availability
  Off-load content hash calculations, increasing server CPU computing capacity
Extend the use of existing BIG-IP devices
  Same hardware used to manage Windows Server farm traffic
Download the iRule from F5 DevCentral
Web content support: HTTP/HTTPS, SHA-256
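The hash calculation that slides 70 and 71 off-load to BIG-IP is the BranchCache content-information step: SHA-256 over fixed-size blocks of the response, a segment hash over those block hashes, and a keyed identifier derived with the server's secret. The following added example shows that computation and the client-side check that depends on it; it is neither F5's DevCentral iRule nor Microsoft code. The block and segment sizes, the key-derivation steps and the string constant follow my reading of the MS-PCCRC (version 1) format and should be treated as assumptions to confirm against the specification. The sample content and server secret are constructed here.

```python
"""BranchCache content hashing as the slides describe it: SHA-256 over fixed-size
blocks of the HTTP/HTTPS response, a segment hash over the block hashes, and a
keyed segment identifier derived with the server's secret.

Added example: this is neither F5's DevCentral iRule nor Microsoft code. The block
and segment sizes, the key derivation steps and the string constant follow my
reading of the MS-PCCRC (version 1) content-information format and are assumptions
to verify against the specification before relying on them. Sample content and the
server secret are constructed here.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

BLOCK_SIZE = 64 * 1024            # 64 KiB blocks (MS-PCCRC v1, assumption)
SEGMENT_SIZE = 32 * 1024 * 1024   # 32 MiB segments (MS-PCCRC v1, assumption)
# String constant mixed into the keyed segment hash (UTF-16LE, null-terminated; assumption)
C_CONSTANT = "MS_P2P_CACHING\0".encode("utf-16-le")


def block_hash(block: bytes) -> bytes:
    """Per-block SHA-256; the client compares this against blocks fetched from peers."""
    return hashlib.sha256(block).digest()


@dataclass
class Segment:
    offset: int
    length: int
    block_hashes: List[bytes]
    hod: bytes     # Hash of Data: SHA-256 over the concatenated block hashes
    hohodk: bytes  # HoD keyed with a per-segment key Kp derived from the server secret


def hash_segment(offset: int, data: bytes, server_secret: bytes) -> Segment:
    """Compute the content information for one segment (at most SEGMENT_SIZE bytes)."""
    hashes = [block_hash(data[i:i + BLOCK_SIZE]) for i in range(0, len(data), BLOCK_SIZE)]
    hod = hashlib.sha256(b"".join(hashes)).digest()
    # Kp = HMAC(server secret, HoD); HoHoDk = HMAC(Kp, HoD || C). Only a client that
    # obtained HoHoDk from the authoritative server can name the segment to a peer or
    # hosted cache, so the server secret gates who may retrieve cached content.
    kp = hmac.new(server_secret, hod, hashlib.sha256).digest()
    hohodk = hmac.new(kp, hod + C_CONSTANT, hashlib.sha256).digest()
    return Segment(offset, len(data), hashes, hod, hohodk)


def content_information(content: bytes, server_secret: bytes) -> List[Segment]:
    """The CPU-heavy step the slide off-loads from the Windows Server: hash every
    byte the server will send. The hashes must be taken over exactly the bytes the
    client receives (same encoding, no re-compression), or the client discards the
    peer copy and falls back to fetching from the origin server."""
    return [hash_segment(off, content[off:off + SEGMENT_SIZE], server_secret)
            for off in range(0, len(content), SEGMENT_SIZE)]


def verify_block(block: bytes, expected_hash: bytes) -> bool:
    """Client-side integrity check on a block obtained from a peer or hosted cache.
    The hash list came from the authoritative server over the original HTTP(S)/SMB
    session, so a peer cannot substitute content without failing this comparison."""
    return hmac.compare_digest(block_hash(block), expected_hash)


if __name__ == "__main__":
    sample = bytes(range(256)) * 300    # 76,800 bytes of constructed content -> 2 blocks
    for seg in content_information(sample, b"constructed-server-secret"):
        print(f"segment@{seg.offset} len={seg.length} blocks={len(seg.block_hashes)} "
              f"HoD={seg.hod.hex()[:16]}... HoHoDk={seg.hohodk.hex()[:16]}...")
```

The design point for the off-load case: the block hashes are what protect clients from a poisoned peer or hosted cache, so the device computing them must see the identical byte stream the client receives. A different server secret changes HoHoDk (who may fetch the segment) but not HoD (what the bytes are), which is why the secret must be shared between the origin server and any device that generates content information on its behalf.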

72 BranchCache related resources
F5 Networks
  F5 iRule for configuring BranchCache
Microsoft
  Read more about BranchCache
  Microsoft customer evidence

74 F5’s Dynamic Control Plane Architecture
(Diagram: Users | Control: Dynamic, Availability, Scale, HA / DR, Bursting, Load-Balancing, Optimization (Network, Application, Storage), Offload, Security (Network, Application, Data, Access), Management (Integration, Visibility, Orchestration) | Application and Data Delivery Network | Resources: Private, Public Cloud, Physical, Virtual, Multi-Site DCs)
Notes: F5 has been working toward a unified architecture for some time: something we pioneered called the application delivery network, beginning with our BIG-IP Local Traffic Manager product, an advanced application delivery controller, through to the most recent announcement of our BIG-IP Edge Delivery Controller, the first advanced ADC focused on converging and consolidating edge application delivery services. Over the years we have built out a rich product portfolio focused exclusively on the successful delivery of applications and data to end users regardless of where they are coming from, what device they use, and where the application and data resources may live. Today we are announcing several key functions of our architecture and product portfolio that leverage the enterprise's existing infrastructure, extending and reusing what it already owns to enable a common cloud architectural model regardless of where those resources reside, whether internal to the enterprise or in external cloud services.
Enterprise first!
  Design internal enterprise resources for on-demand mobility, orchestration, and automation
  Look to outsource infrastructure, platforms, or applications, but never outsource enterprise control
  The cloud is simply an iteration of a platform and operational model

75 F5 Management Pack on DevCentral
Core Pack
PRO Pack
Migration Pack
Application Designers: IIS, SharePoint

76 BIG-IP Hardware Line-up
BIG-IP 8950: 2 x hex-core CPU; 16 10/100/… and … x 10 SFP+ 10Gbps ports; 2 x 320 GB HD (S/W RAID) + 8 GB CF; 32 GB memory; 100K SSL TPS / 15 Gb bulk SSL; 12 Gbps max software compression; 40 Gbps traffic
BIG-IP 8900: 2 x quad-core CPU; 16 10/100/… and … x 1Gb SFP + 2 x 10Gb SFP+; 2 x 320 GB HD (S/W RAID) + 8 GB CF (?); 16 GB memory; 56K SSL TPS / 9.6 Gb bulk SSL; 8 Gbps max software compression; 20 Gbps traffic
BIG-IP 6900: 2 x quad-core CPU; 16 10/100/… and … x 1Gb SFP + 2 x 10Gb SFP+; 2 x 320 GB HD (S/W RAID) + 8 GB CF; 16 GB memory; 58K SSL TPS / 9.6 Gb bulk SSL; 8 Gbps max hardware compression; 12 Gbps traffic
Unlabeled model (6 Gbps unit): 2 x dual-core CPU; 16 10/100/… and … x 1Gb SFP; 2 x 320 GB HD (S/W RAID) + 8 GB CF; 8 GB memory; 25K SSL TPS / 4 Gb bulk SSL; 5 Gbps max hardware compression; 6 Gbps traffic
BIG-IP 3900: quad-core CPU; 8 10/100/… and … x 1Gb SFP; 1 x 300 GB HD + 8 GB CF; 8 GB memory; 15K SSL TPS / 3.8 Gb bulk SSL; 3.8 Gbps max software compression; 4 Gbps traffic
BIG-IP 3600: dual-core CPU; 8 10/100/… and … x 1Gb SFP; 1 x 160 GB HD + 8 GB CF; 4 GB memory; 10K SSL TPS / 2 Gb bulk SSL; 1 Gbps max software compression; 2 Gbps traffic
BIG-IP 1600: dual-core CPU; 4 10/100/… and … x 1Gb SFP; 1 x 160 GB HD; 4 GB memory; 5K SSL TPS / 1 Gb bulk SSL; 1 Gbps max software compression; 1 Gbps traffic

78 Infrastructure Optimization
Basic | Standardized | Rationalized | Dynamic
Basic: uncoordinated, manual infrastructure
Standardized: managed IT infrastructure with limited automation
Rationalized: managed and consolidated IT infrastructure with maximum automation
Dynamic: fully automated management, dynamic resource usage, business-linked SLAs
Cost Center -> More Efficient Cost Center -> Business Enabler -> Strategic Asset. Manage complexity and achieve agility.
Notes: Fixing the 80/20 issue is a journey, and Infrastructure Optimization is how we suggest you take it: know where you are in the maturity model, apply the best practices that move you to the right, and so on. We have a strategy that enables you to get to the dynamic state: Dynamic IT. Microsoft has engaged with customers in a way that allows them to think through how best to make investments in their environment, to help them reach a better level of maturity, a lower-cost state, a more flexible and more agile state. To support this effort, Microsoft has developed the Infrastructure Optimization models. Today we are focused on the Core Infrastructure Optimization (Core IO) model. The Core IO model is a maturity model that helps us engage with you to understand where you are today and which best practices you can implement to optimize your infrastructure. The key thing about this model is that, first, it is about best practices, not just technology. But underlying all of this is a set of technology investments that Microsoft is making to help you achieve that dynamic state. The technology strategy that pervades all of those investments is what we call Dynamic IT.

79 Dynamic Services Model:
(Diagram: Users | Dynamic Services Model | Resources: Private, Public Cloud, Physical, Virtual, Multi-Site DCs)
Dynamic Services Model: reusable services that understand context and can provide control regardless of application, virtualization, user, device, platform or location
Notes: What is needed is a modern IT delivery model, one that is dynamic, fluid and app/user-centric. It must respond to a world of unknown users, with resources and applications out of our control. What is required? A new paradigm in data center and networking design that allows the customer, on their own terms, to add, remove, grow, and shrink application and data/storage services on demand. The type of network that can understand the context of the user, location, situation, device and application, and dynamically adjust to those conditions. The type of network that can be provisioned in hours, not weeks or months, to support new business applications. The type of network that is not just application-fluent but can serve as a centralized computational engine to more rapidly deliver services in support of the users, applications, and data, and do it more cost-effectively than any other alternative.

80 Visibility Action Context
Functions of Unified Application and Data Delivery: Enabling the Dynamic Infrastructure (IT Agility)
Integration
  All strategic points of control synchronize, communicate and leverage functions and intelligence
  Integration within the ecosystem and an open, standards-based API for cross-product integration
Visibility
  Intercept the bi-directional application and data stream at all points of control
  Common proxy architecture for each network device and the ability to see all protocols
  Reporting, notification, trending
Action
  Relate visibility and context to predetermined business policy to take action
  Determine and direct the appropriate response: access, acceleration, or security
Context
  Put the user, application and data stream in context
  Understand and relate the context of the user, device, location, network, application, virtualization, and resource
Notes: This new intelligent fabric must intercept the stream of interactions between users and resources without impacting performance or availability. It provides an important new vantage point from which to see and report on these interactions. It must understand a vast array of variables that put the interactions in context: user profile, location, interface device, application, file metadata, etc. It must be able to apply business policies to the interaction, determining, for example, that a particular user/application combination should be afforded enhanced QoS. Finally, it must be able to effect changes to enforce these decisions: routing traffic, rate shaping, replicating files, blocking DoS attackers, etc.

81 The Leader in Application Delivery Networking
(Diagram: Users (At Home, In the Office, On the Road) | Application Delivery Network | Data Center)
Microsoft business goal: achieve these objectives in the most operationally efficient manner

82 Architected for Integration
iControl for Application Integration
F5 Products
TMOS Operating System
Shared Application Services
Shared Network Services
Application Optimization | Security | Availability

83 Dynamic Datacenter = On Demand IT
Microsoft's vision of the dynamic datacenter aligns with F5's vision of on-demand IT, where:
  Software is delivered as a service
  Resources are dynamically allocated as needed
  Management decisions are made based on holistic network and application health metrics
  Management operations are automated, even predictive, to avoid poor service
(Diagram: Systems Management over Compute, Network, Storage; WDT; DIT-SC)

