Presentation transcript: "F5 BIG-IP for Microsoft" by Brian McHenry

Slide 1: F5 BIG-IP for Microsoft
Brian McHenry, Field Systems Engineer, F5 Networks
Slide 2: F5 and Microsoft
- F5 enjoys a long-standing global partnership with Microsoft, extending the availability, reliability, scalability and security of Microsoft's enterprise software.
- Solution development across the Windows platform, business productivity applications, systems management and virtualization
- Key alliance memberships such as System Center Alliance and Dynamic Datacenter Alliance represent joint investment, shared thought leadership and strategic planning
- F5 educates and trains Microsoft technical field, services and support teams on the BIG-IP platform and F5 solutions for Microsoft applications
- Applications: Dynamics | SharePoint | Exchange | Lync | System Center
- Windows: DirectAccess | BranchCache | RDS | SSTP | IPsec | IIS/ASP.NET
- Availability | Reliability | Scalability | Security | Visibility | Manageability

Speaker notes:
Ten-year global partnership dating back to ... F5 is a Microsoft Gold Certified partner with Systems Management competency.
Microsoft is also an important F5 customer. Microsoft GNS (Global Networking Services) standardizes on F5 as its Tier 1 ADC platform vendor for internal applications. F5 is also a core component in the architectural designs for MSN/Live, MSNBC, Xbox Live, BPOS and Azure. F5 is in turn a Microsoft customer, using Windows client/server, Active Directory, MS SQL Server, Office client, Exchange, SharePoint and Office Communications Server (now known as Lync Server).
F5 engages in solution development across the Windows platform, business productivity applications, systems management and virtualization. F5 engages during Microsoft design and development, architecting F5 solutions and validating them jointly with Microsoft prior to Microsoft product launch, so that customers can deploy them with an F5 solution immediately. For more information: f5.com/microsoft
Key alliance memberships such as System Center Alliance and Dynamic Datacenter Alliance represent joint investment, shared thought leadership and strategic planning that ensure customers can confidently invest in both Microsoft and F5 platforms because they work together.
The Microsoft Technology Alliance (MTC) is an industry-unique program whereby F5 and Microsoft engage customers together to discuss visions and business goals, create architectural designs and even run formal proofs of concept. These engagements occur within MTC centers located around the world, where F5 has placed BIG-IP ADC equipment for customer testing and solution design verification with Microsoft.
F5 educates and trains Microsoft technical field, services and support teams on the BIG-IP platform and F5 solutions for Microsoft applications. Microsoft and F5 also have formal customer support communication and business processes in place through TSANET (http://tsanet.org/) and cordial working relationships.
F5 maintains offices and lab space in Redmond as part of the Microsoft Partner Solution Center in Building 25. https://partner.microsoft.com/
Slide 3: Microsoft Partnership
- Globally managed technology partner since 2001
- One of 52 MTC Alliance partners
- Office and lab in MPSC, Building 25, Redmond campus
- https://partner.microsoft.com/
Slide 4: F5 + Microsoft = Better Together
- F5 offers solutions for a wide range of Microsoft products and technologies
- F5 is a key infrastructure building block for the Microsoft software + services platform
- Products: Windows Server | Forefront | SharePoint | Exchange | Lync Server | MS CRM | SQL | BizTalk | Commerce Server
- Scenarios: Elastic computing | Systems management | Data center orchestration | Virtual Desktop (VDI) | Private cloud | Public cloud | Hybrid cloud
- Platform: Hyper-V | System Center | PowerShell | Visual Studio | .NET

Speaker notes:
The message on this slide is that F5 offers a wide range of solutions across Microsoft applications and technologies, and we have made additional investments to ensure that, as customers look to modernize their datacenters and take advantage of the efficiencies offered by virtualization, integration of F5 devices with their systems management platform further sets us apart from other vendors in our space.
Slide 5: Application delivery
F5 devices manage traffic within the context of the applications running on the network, optimizing user experience and providing visibility and control to IT.
- Acceleration: TCP, caching, compression
- Availability: intelligent health monitoring and load-balancing, horizontal scaling, SSL offloading, security operation offloading, cross-site load-balancing and resilience
- Security: application layer protection, SPAM
- Manageability: templates that reduce deployment times, fully extensible platform, System Center integration, dynamic computing
Slide 8: What's new in Exchange Server 2010? CAS is critical
- Elevation of the Client Access Server (CAS) role
- All client connections, regardless of protocol, are with CAS servers
- CAS servers rely on an ADC for high availability

Speaker notes:
Database Availability Group (DAG) is now an org-level object. Resilience is achieved through multiple copies of the DAG across the organization. The DAG replication time savings are based on TMOS 10.1 testing done with TCP optimizations and adaptive compression, with replication from a source store out to a replica. Here are the actual test times:
25:33 - 21:35 = 3:58 | 3:58 / 25:33 = 16% less time
25:33 - 13:26 = 12:07 | 12:07 / 25:33 = 47% less time
This 47% less time is where the 2X acceleration factor comes from. When any confusion arises around "X times" improvement versus "X%" improvement, fall back to the times; reading out the times clears up the ambiguity. DAG optimization features are not in the primary slide at this time.
Slide 9: Exchange 2010 Architecture
Enterprise Network server roles:
- Edge Transport: routing and AV/AS
- Hub Transport: routing and policy
- Mailbox: storage of mailbox items
- Unified Messaging: voice mail and voice access
- Client Access: client connectivity, Web services
External connections: phone system (PBX or VoIP), external SMTP servers
Clients: mobile phone, Web browser, Outlook (remote user), line of business application, Outlook (local user)
Slide 10: What's new in Exchange Server 2010? CAS is critical
- Elevation of the Client Access Server (CAS) role
- All client connections, regardless of protocol, are with CAS servers
- CAS servers rely on an ADC for high availability
- Microsoft recommends hardware load balancing for every Exchange 2010 deployment
  - ADC recommended over NLB
  - Includes multi-role Exchange server installations
  - Includes installations with Microsoft clustering services
  - ADC for highest availability

Speaker notes: the same DAG replication notes as slide 8 (org-level DAG object, TMOS 10.1 test times of 25:33 versus 21:35 and 13:26, giving 16% and 47% less time; the 47% is the source of the 2X figure).
Slide 11: The F5 Solution for Exchange Server 2010
Prevent these pains:
- Dropped sessions: re-authentication, reconnection
- Failed network connections: retries, delay
- Slow response: trapped users
With these capabilities:
- Health monitoring and intelligent load-balancing
- Client persistence
- Server off-load
- Availability of servers, arrays and sites

Speaker notes:
These four solution characteristics map directly back to clear business value: make more money and spend less.
Layer-7 attacks: cross-site scripting, parameter tampering, brute force attacks, and other known or unknown threats.
Slide 12: NLB and Hardware-Based Load Balancing... Which way to go?
For Exchange 2010, the choice is clear. Technical reasons to use HWLB vs NLB:
- Health monitoring
- Connection proxy
- Specialized persistence beyond source IP
- Intelligent load-balancing
- Internal server network efficiency
Microsoft internal Exchange design: ...
TechNet guidance for high-availability: ...
Slide 13: The F5 Solution for Exchange Server 2010
Traffic types: User (client to CAS server); Mail (mail flow through Edge farms)
Columns: Availability | Performance | Security | Configuration
- Intelligent load balancing
- Server and site level health monitoring
- SSL offload
- Cross-site resilience
- Robust persistence
- Server optimization
- Caching and compression for Web clients
- Reduced bandwidth use
- Bi-directional proxy
- AuthN/AuthZ from the perimeter
- Protection against application layer attacks
- SPAM filter
- Application template for error-free, fast configuration
- DevCentral online user community
- Integration with systems management

Speaker notes:
These four solution characteristics map directly back to clear business value: make more money and spend less.
Layer-7 attacks: cross-site scripting, parameter tampering, brute force attacks, and other known or unknown threats.
Slide 14: Availability
Health monitoring:
- Port/protocol requests
- Real-time in-memory connection tables
Intelligent load-balancing:
- BIG-IP always knows the most available server
- Least connection method (see application template)
Cross-site availability:
- Site level health
- Prioritized decision tree
Slide 15: Persistence
Also known as affinity or sticky sessions, persistence can help enhance a user's application experience.
Different types of persistence:
- Source IP
- Cookie
- SSL ID
Each Exchange client connection type has a recommended persistence method.
Slide 16: Configuring persistence profiles in BIG-IP
Local Traffic > Profiles > Persistence > Create
- Cookie
- Source IP and SSL ID
Slide 17: Performance - SSL termination
- Reduce the cost and overhead of managing certificates by moving them to BIG-IP
- BIG-IP is designed with a dedicated chipset for encryption/decryption calculations
- Increase Exchange server CPU utilization and network connections per second

Speaker notes:
- Saves on the cost of SSL certificates: put one on each BIG-IP instead of one on each server
- Management of certificates becomes much easier: the expiry date shows up in the GUI, and there are fewer copies to manage
- The BIG-IP has specialized chips and software to handle computationally expensive decryption
- Ciphers can be specified
- Able to decrypt, manage, and re-encrypt traffic if needed
- Most customers decrypt at the BIG-IP and send on unencrypted
Slide 18: Security
- Bi-directional proxy
- Secure remote access
- Pre-authentication
- Application layer security for web clients
- SPAM filtering

Speaker notes:
Explain that Edge Gateway is comprised of APM + WOM, so explain that the SSL VPN is distinct from the AuthN/AuthZ features.
Slide 19: Introduction: Exchange ActiveSync
- The ActiveSync protocol is used between smartphones and Microsoft Exchange for synchronization of mail, calendar and contacts
- Username and password are normally used for security
- One Time Password (OTP) or token is not used because it is not user friendly
- Client SSL certificates cause management issues when trying to manage client certificates on hundreds of different devices
- BIG-IP Access Policy Manager (APM) can be used to improve security for ActiveSync solutions

Speaker notes:
The ActiveSync protocol is used to synchronize mail between mobile devices and Microsoft Exchange.
Slide 20: Exchange market share
- More than 200 million installed Exchange mailboxes
- BIG-IP LTM and APM are flexible tools and can be configured to improve security for ActiveSync users
- The ActiveSync protocol can also be used to synchronize mail from Google mail: ...
- ActiveSync support is also planned for Hotmail
Slide 21: ActiveSync, Microsoft Solution
Diagram: DMZ (MS TMG or ISA) | Data Center (MS Exchange, AD)
Implementation of ActiveSync is done using two common designs:
- Client connecting to a Microsoft TMG (ISA) server that performs authentication of the user
- Client connecting directly to the Microsoft Exchange CAS server
Microsoft solution:
- Authenticate the user before the client accesses the Exchange server
- Exchange 2007/2010 can verify the device ID
- AD group check and basic URL filter can be implemented on TMG
Slide 22: ActiveSync, F5 BIG-IP LTM & APM Solution
Diagram: DMZ (BIG-IP, SSL offload) | Data Center (MS Exchange, AD)
Verify and enable access based on:
- User/password, AD group membership
- IP location, device ID, device type, User-Agent
- Brute force detection
- ActiveSync commands used
- URI (allow access requests to /Microsoft-Server-ActiveSync)
- User home server

Speaker notes:
We can add multiple layers of security when using BIG-IP and APM. Examples:
- Verify that the user is a member of a group that is allowed to use ActiveSync before trying to authenticate. This can prevent brute force password guessing using random usernames.
- BIG-IP can verify the source IP address against mobile provider ranges and prevent access from unknown mobile providers.
- Using information in the User-Agent sent from the device, we can allow access only from known mobile phone vendors and known OS versions.
- BIG-IP can verify the device ID sent from the mobile device and compare it with the device ID registered in AD; using this method only approved devices are allowed to connect.
- BIG-IP can track the number of failed logon attempts from one IP address (brute force detection) and temporarily disable a source IP detected as the source of username/password brute forcing.
Slide 23: BIG-IP example of security options that can be enabled for ActiveSync
- SSL offload
- URI check (/Microsoft-Server-ActiveSync and /autodiscover)
- Agent whitelist: only allow access from known device types (based on User-Agent information). Agent information also contains information about the software version on the phone.
- Verify the source IP address and enable access from known mobile carriers
- Device ID verification: verify the user's AD attribute holding the provisioned device ID
- Login brute force detection: disable the source IP address for 90 seconds after 3 failed logons
- AD group membership: only allow access for users who are members of the ActiveSync group
- Verify the ActiveSync command sent from the smartphone against a whitelist of approved ActiveSync commands
- For large installations, verify AD information and route the request to the user's home server
- Verify username and password
Single or multiple security options can be enabled depending on the security requirement.
Slide 24: Access Policy in Visual Policy Editor
The Visual Policy Editor enables easy configuration of Access Policies for ActiveSync, without scripting.

Speaker notes:
This APM policy shows a policy where "AD Query" is used to verify that the user is a member of the ActiveSync group in AD, and that the device ID used by the smartphone is registered as an AD attribute for the user. If the AD group check and device ID check are OK, then the username and password are verified.
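As an added illustration (not F5's code and not an APM configuration), the following Python models the layered policy of slides 22 to 24: URI and command checks, a User-Agent whitelist, AD group and device-ID checks that run before the password is tested, and the 3-failure / 90-second source-IP lockout from slide 23. The whitelists, the directory entries and the names ActiveSyncPolicy and run_demo are constructed for this example.

```python
"""Model of a layered ActiveSync access policy: URI, command, User-Agent, AD group,
device ID, then credentials, with a per-source-IP brute force lockout."""
import hmac
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed policy parameters. The 3-failure / 90-second lockout follows slide 23;
# the agent and command whitelists are sample values, not a recommended set.
ALLOWED_PATHS = ("/microsoft-server-activesync", "/autodiscover")
ALLOWED_AGENT_PREFIXES = ("Apple-iPhone", "Android")
ALLOWED_COMMANDS = {"Sync", "FolderSync", "Ping", "Provision"}
ACTIVESYNC_GROUP = "ActiveSync"
BRUTE_FORCE_LIMIT = 3
BRUTE_FORCE_BLOCK_SECONDS = 90


@dataclass(frozen=True)
class Request:
    src_ip: str
    uri: str            # path plus query string as sent by the device
    user_agent: str
    username: str
    password: str
    device_id: str


# Constructed stand-in for the AD attributes the policy queries (group membership,
# provisioned device IDs, password). A real deployment queries AD over LDAP.
DIRECTORY = {
    "alice": {"groups": {"ActiveSync"}, "device_ids": {"DEV1234"}, "password": "correct-horse"},
    "bob": {"groups": set(), "device_ids": set(), "password": "battery-staple"},
}


class ActiveSyncPolicy:
    def __init__(self, directory, now):
        self.directory = directory
        self.now = now               # clock callable, injected so the demo controls time
        self.failures = {}           # src_ip -> timestamps of recent failed logons
        self.blocked_until = {}      # src_ip -> time at which the lockout expires

    def _record_failure(self, src_ip, t):
        recent = [f for f in self.failures.get(src_ip, []) if t - f < BRUTE_FORCE_BLOCK_SECONDS]
        recent.append(t)
        if len(recent) >= BRUTE_FORCE_LIMIT:
            self.blocked_until[src_ip] = t + BRUTE_FORCE_BLOCK_SECONDS
            recent = []
        self.failures[src_ip] = recent

    def evaluate(self, req):
        """Return 'allow' or 'deny:<first failed check>'. Checks run in slide-24 order,
        so the password is only tested once the cheaper, non-secret checks have passed."""
        t = self.now()
        if self.blocked_until.get(req.src_ip, 0) > t:
            return "deny:source-ip-blocked"
        url = urlparse(req.uri)
        path = url.path.lower()
        if not path.startswith(ALLOWED_PATHS):
            return "deny:uri"
        if path.startswith(ALLOWED_PATHS[0]):
            cmd = parse_qs(url.query).get("Cmd", [None])[0]
            if cmd not in ALLOWED_COMMANDS:
                return "deny:command"
        if not req.user_agent.startswith(ALLOWED_AGENT_PREFIXES):
            return "deny:user-agent"
        user = self.directory.get(req.username)
        if user is None or ACTIVESYNC_GROUP not in user["groups"]:
            return "deny:ad-group"
        if req.device_id not in user["device_ids"]:
            return "deny:device-id"
        if not hmac.compare_digest(req.password.encode(), user["password"].encode()):
            self._record_failure(req.src_ip, t)
            return "deny:credentials"
        return "allow"


def run_demo():
    """Exercise each check plus the lockout; returns the decisions keyed by scenario."""
    clock = [0.0]
    policy = ActiveSyncPolicy(DIRECTORY, now=lambda: clock[0])
    base = dict(src_ip="203.0.113.10", username="alice", password="correct-horse",
                device_id="DEV1234", user_agent="Apple-iPhone/1001.523",
                uri="/Microsoft-Server-ActiveSync?Cmd=Sync&User=alice&DeviceId=DEV1234")
    results = {
        "good": policy.evaluate(Request(**base)),
        "owa_path": policy.evaluate(Request(**{**base, "uri": "/owa/"})),
        "unlisted_cmd": policy.evaluate(Request(**{**base, "uri": "/Microsoft-Server-ActiveSync?Cmd=SendMail"})),
        "unknown_agent": policy.evaluate(Request(**{**base, "user_agent": "curl/7.68.0"})),
        "not_in_group": policy.evaluate(Request(**{**base, "username": "bob", "password": "battery-staple"})),
        "unregistered_device": policy.evaluate(Request(**{**base, "device_id": "DEV9999"})),
    }
    # Three wrong passwords from one address trip the lockout; even the right password is
    # then refused from that address until the 90 seconds have elapsed.
    attacker = {**base, "src_ip": "198.51.100.7", "password": "wrong"}
    results["guesses"] = [policy.evaluate(Request(**attacker)) for _ in range(BRUTE_FORCE_LIMIT)]
    results["locked"] = policy.evaluate(Request(**{**attacker, "password": "correct-horse"}))
    clock[0] += BRUTE_FORCE_BLOCK_SECONDS
    results["after_lockout"] = policy.evaluate(Request(**{**attacker, "password": "correct-horse"}))
    return results


if __name__ == "__main__":
    print(run_demo())
```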
Slide 25: Summary of APM Benefits
Security for ActiveSync users can be improved using BIG-IP Access Policy Manager:
- Verification of ActiveSync URI and User-Agent
- AD group membership verification
- AD user device ID attribute compared with the device ID from the mobile phone
- Authentication of the user after verification of URI, User-Agent, AD group and AD device ID
- Detect and blacklist brute force IP addresses
- Verify ActiveSync commands from devices against a whitelist of approved commands
- SSO for other Microsoft services such as SharePoint
Slide 27: BIG-IP deployment topology
Enhance availability and scale up through load balancing:
- Client to CAS and Edge farms
- Recommended for multi-role Exchange servers, deployments with more than 8 CAS servers and "brick" deployments with clustering services
Accelerate:
- TCP optimization
- Caching 154 of 160 OWA objects
- Compression of attachments with up to 90% faster file downloads
- Off-load SSL (25% savings of server CPU utilization)
- Reduce SSL connections by RPC over HTTP
- Exchange Database Availability Group (DAG) replication time savings
Secure:
- Pre/post logon checks for Web clients
- Remove 70% of spam before it reaches Exchange

Speaker notes:
Load balancing message is that it's smart load-balancing. Need types described in these notes.
Spam filter message: we were first in market, and if you can filter 70% of spam based on known offenders, why not leverage that functionality before mail gets to any of your Exchange servers or spam filters at all? Increases capacity (reduces load) on all messaging elements.
Slide 28: BIG-IP Hardware Line-up
Model | CPU | Ports | Storage | Memory | SSL TPS / bulk | Compression | Traffic
Model not named in transcript | 2 x hex core | 16 x 10/100/1000 + 10Gb SFP+ | 2 x 320 GB HD (S/W RAID) + 8 GB CF | 32 GB | 100K TPS / 15 Gb bulk | 12 Gbps max software compression | 40 Gbps
BIG-IP 8950 | 2 x quad core | 16 x 10/100/1000 + 1Gb SFP + 2 x 10Gb SFP+ | 2 x 320 GB HD (S/W RAID) + 8 GB CF (?) | 16 GB | 56K TPS / 9.6 Gb bulk | 8 Gbps max software compression | 20 Gbps
BIG-IP 8900 | 2 x quad core | 16 x 10/100/1000 + 1Gb SFP + 2 x 10Gb SFP+ | 2 x 320 GB HD (S/W RAID) + 8 GB CF | 16 GB | 58K TPS / 9.6 Gb bulk | 8 Gbps max hardware compression | 12 Gbps
BIG-IP 6900 | 2 x dual core | 16 x 10/100/1000 + 1Gb SFP | 2 x 320 GB HD (S/W RAID) + 8 GB CF | 8 GB | 25K TPS / 4 Gb bulk | 5 Gbps max hardware compression | 6 Gbps
BIG-IP 3900 | quad core | 8 x 10/100/1000 + 1Gb SFP | 1 x 300 GB HD + 8 GB CF | 8 GB | 15K TPS / 3.8 Gb bulk | 3.8 Gbps max software compression | 4 Gbps
BIG-IP 3600 | dual core | 8 x 10/100/1000 + 1Gb SFP | 1 x 160 GB HD + 8 GB CF | 4 GB | 10K TPS / 2 Gb bulk | 1 Gbps max software compression | 2 Gbps
BIG-IP 1600 | dual core | 4 x 10/100/1000 + 1Gb SFP | 1 x 160 GB HD | 4 GB | 5K TPS / 1 Gb bulk | 1 Gbps max software compression | 1 Gbps
Slide 29: Summary
- Highest availability
- Dramatically increase server capacity
- Cross-site availability and resilience
- Pre-authenticate users in the perimeter network
- Seamless integration with systems management
- F5 devices can be controlled using PowerShell and Management Packs
Slide 30: Exchange related resources
- F5 Solution page for Exchange Server
- F5 Deployment Guide for Exchange Server 2010
- Technical white paper by Microsoft on their internal deployment
- Load-balancing requirements from TechNet
- F5 developer/IT admin user community
Slide 32: F5 Solution Benefits
- Performance = scalability, availability and resiliency
- Secure monitoring
- Deployment assistance
Performance:
- Intelligent load-balancing of signaling traffic
- Off-load SSL between clients and Communicator Web Access servers
- Scale out as needed
- Session level and site level resilience
Security:
- SSL off-loading for Communicator Web Access (CWA)
- TLS-based SIP monitor to check the health of servers in LTM pools
Configuration:
- Detailed deployment guide available from ...
- Built-in application policy and template wizard
- Leverage the DevCentral user community
Management:
- Simplify management with a single control point in the data center
- TLS-based SIP monitor
- Microsoft Premier Support teams trained on BIG-IP

Speaker notes:
Performance:
- Load-balance client connections into Consolidated Edge servers
- Load-balance client connections into Consolidated Lync servers as well as Director pools
- Off-load SSL for web services regardless of Lync server role (web services and A/V are spread across servers rather than having their own role in Lync 2010)
Security:
- SSL off-load (LTM can re-encrypt outbound traffic or pass it through entirely)
- TLS is a secure (encrypted) protocol for encapsulating SIP traffic
Configuration:
- Best in class deployment guide
- OCS policy built into v10 and later of LTM; will be updated in Spring 2011
- Only ADC vendor with an online user/dev community with forums, additional content, etc.
Management:
- Intelligent health monitoring of the application, over and above generic server response
- Option to use the TLS monitor, giving a secure application layer health monitor for SIP servers
F5 partners with Microsoft from solution design all the way through product support. Microsoft Premier Support engineers are trained on BIG-IP and have devices in their troubleshooting labs, so that the F5 configuration does not need to be removed in order to establish a repro case. In addition, F5 support engineers work together with Microsoft support engineers to solve customer issues, which provides additional assurance to the customer that an investment in both Microsoft and F5 is secure and trustworthy.
Slide 33
Increase performance, scale and availability through:
- Intelligent load-balancing of signaling traffic
- TCP optimization
- SSL off-load for web traffic
- Session and site resilience
Improve security and ease of management:
- Template for auto-configuration of BIG-IP
- TLS-based SIP monitor
- iControl API and iRules
- Leverage the ADC as a strategic data center control point

Speaker notes:
Availability: least connection method of LB (by node versus pool member); multiple distinct TCP configuration modifications that improve application performance.
Security and management: F5 believes that greater value is realized in enabling IT admins to manage the health of application servers rather than physical servers or IP nodes.
Slide 34: Best practices
Sizing:
- Use Microsoft guidance for sizing
- For F5 devices, key off of throughput, number of concurrent users, features to be used, and ratio of external versus internal users
Resiliency:
- Site resiliency through BIG-IP Global Traffic Manager (GTM)
- Client session resiliency through TCP idle timeout
- BIG-IP resiliency through LTM mirroring
Contact your local F5 field engineering team for assistance.

Speaker notes:
F5 sizing guidance is in process (output is not a BIG-IP model number; this is guidance, not a calculator).
Slide 35: New considerations
- DNS LB is available. Verify customer requirements for availability and resilience.
- ADCs are still a critical component for managing both web and real-time communications.
- Advanced ADCs offer DNS-based connection redirects for site-level resilience
- Global traffic management is an option for site-level resilience that does not require a SAN
- WAN redundancy is an option versus a survivable branch appliance for voice resilience

Speaker notes:
Regarding DNS LB, which is being introduced as an out-of-the-box feature of Lync Server 2010: customers should consider that Lync clients make a DNS request and receive a block of 4 IP addresses for Lync servers. The client then selects one of those IP addresses at random and tries it. If the connection fails, it randomly selects another (and continues until all 4 are tried, then moves to site failover). DNS LB requires the client to send network requests to a server without knowing whether it is available, and since server selection is random, the client is not aware of the server-side application or its availability, leading to failed connections, extra network traffic and delayed user response. On the server side, connections "clump" on servers instead of being evenly distributed, and users begin to be connected to a server that is responding to network requests at one level of the protocol stack but is effectively too busy to handle the additional user. In contrast, ADCs keep a real-time, in-memory record of availability by server, ensuring the most available server is used for each user connection, as well as being able to persist a user's connection to a server for the duration of a session. ADCs don't send connection requests to unavailable servers. Customers should therefore evaluate their availability and reliability requirements to decide whether to use built-in DNS LB instead of hardware load balancers.
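The client behaviour described in these notes, modelled in Python as an added example (not F5 or Microsoft code or measured data): DNS LB clients pick at random from a block of 4 addresses and retry until one answers, while the ADC model consults its availability and connection table before placing each client. The server names, the 4000-client population and the single failed server are constructed.

```python
"""Model of random client-side DNS load balancing (block of 4 addresses, random pick,
retry until all tried) versus an ADC with a real-time availability table."""
import random


def dns_lb_connect(servers, healthy, rng):
    """Client tries the returned addresses in random order; returns (server, attempts).
    server is None when every address failed and the client moves to site failover."""
    order = list(servers)
    rng.shuffle(order)
    for attempts, server in enumerate(order, start=1):
        if healthy[server]:
            return server, attempts
    return None, len(order)


def adc_connect(servers, healthy, active):
    """The ADC knows server health and connection counts, so it never probes a down
    server and sends the client to the least-connected available one."""
    candidates = [s for s in servers if healthy[s]]
    if not candidates:
        return None, 1
    return min(candidates, key=lambda s: active[s]), 1


def simulate(n_clients, healthy, seed=1):
    """Run both strategies over the same client population. Returns, per strategy,
    the wasted connection attempts and the load spread across healthy servers."""
    servers = sorted(healthy)
    rng = random.Random(seed)   # seeded so the run is reproducible
    stats = {}
    for name in ("dns_lb", "adc"):
        active = {s: 0 for s in servers}
        wasted = 0
        for _ in range(n_clients):
            if name == "dns_lb":
                chosen, attempts = dns_lb_connect(servers, healthy, rng)
            else:
                chosen, attempts = adc_connect(servers, healthy, active)
            wasted += attempts - 1 if chosen else attempts
            if chosen:
                active[chosen] += 1
        live = [active[s] for s in servers if healthy[s]]
        stats[name] = {"wasted_attempts": wasted,
                       "load_spread": max(live) - min(live),
                       "per_server": active}
    return stats


if __name__ == "__main__":
    # Constructed scenario: one of four Lync front ends is down while 4000 clients sign in.
    healthy = {"lync1": True, "lync2": True, "lync3": False, "lync4": True}
    for name, s in simulate(4000, healthy).items():
        print(name, s)
```

With one address in four dead, roughly a quarter of the DNS LB clients waste a first attempt, whereas the ADC model places every client on a live server on the first try and keeps the three live servers within one connection of each other.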
Slide 36: Summary
- Lync Server 2010 needs ADCs for highest availability, scale and reliability
- Real-time communications need intelligent, line-speed traffic management
- One ADC covers multiple deployment points
- Session-level and site-level resilience are network challenges F5 can help you solve

Speaker notes:
F5 sizing guidance is in process (output is not a BIG-IP model number; this is guidance, not a calculator).
Slide 37: Lync Server Resources
- F5 solution for Lync
- Customer reference and press
- F5 online community for Microsoft solutions
- F5 press release
- Microsoft Lync qualified ADC list
Slide 39: SharePoint
SharePoint is a business collaboration platform that can be deployed with specific roles in these areas:
- Web portals and Web content management
- Business intelligence and analysis
- Collaboration
- Document management
- Enterprise search
- Custom .NET Web application development
F5 supports each of these server capabilities, providing performance, availability and security enhancements over the network, seamless to the application.
Slide 40: F5 Solution for SharePoint 2010
- Improve end-user experience through better response
- Offload operations to free up CPU, increasing server availability
- Leverage a single point and platform for security and delivery
Performance:
- Seamless acceleration of client experience
- Accelerate both Web content and file upload/download
- Increase transactions per second on Web servers
Availability:
- Load-balance front-end servers
- Offload SSL
- Cross-site resilience
Security:
- Fastest application layer security on the market
- Application layer protection
- PCI compliance
Management:
- SharePoint template built into BIG-IP
- System Center Management Pack available for download from DevCentral
- Streamline maintenance and operations using file virtualization

Speaker notes:
The talking points for this slide need to start with the primary features, with references to availability, performance, security and configuration as they naturally relate. Don't deliver by column, because there would be a lot of repetition. Just explain the features and say something like: "Note the positive implications for availability and performance in an intelligent caching mechanism, and the security benefit of a solution that supports caching of HTTPS-delivered content. Note the flexible and powerful configuration options of BIG-IP that enable customers to set up the caching and hash calculation as they see fit, serving the needs of any Web server environment that needs to support BranchCache (BC) with Windows 7 clients." Bridging technology that leverages some of the core capabilities of the F5 ADC to enable the best experience for Win7 users across Web server platforms, and complements BC if the customer wants to off-load the hash calculation, getting the benefits of server-based BC without taxing the W2K8 server if it needs to be performing other key services in that network segment.
Slide 41: Availability | Acceleration | Security | Management
- Availability: port/protocol health monitoring, load-balancing, SSL offload, site resilience
- Acceleration: TCP optimizations, caching, compression, de-duplication
- Security: application layer protection, policy engine with defaults
- Management: template-based configuration, best-in-class Management Pack
Slide 42: F5 Solution for SharePoint 2010
- Availability: port/protocol health monitoring, load-balancing, SSL offload, site resilience
- Acceleration: TCP optimizations, caching, compression, de-duplication
- Security: application layer, policy engine
- Management: template-based configuration, best-in-class Management Pack
Slide 43: Considerations for availability
BIG-IP LTM (Local Traffic Manager):
- Increased server availability = increased user productivity
- Availability should be measured per server and across servers
BIG-IP GTM (Global Traffic Manager):
- Cross-site load-balancing increases infrastructure ROI
- Implementing disaster recovery could be a first step toward real-time site resilience

Speaker notes:
Per server, availability can be measured by increased connections per second. Across servers, availability can be measured by aggregated resource utilization as well as uptime.
Performing a failover to a DR site is a one-time, one-way movement of application services. Achieving that level of infrastructure agility could be the first step for some customers toward a loftier goal of fully dynamic computing across sites. Cross-site computing expands the possibilities for further resilience and for achieving real-time load-balancing across an entire organization's available resources.
Another important feature provided by F5 is geo-location services. Through GTM, BIG-IP can identify the source location of incoming users and factor that into the decision about where to direct the user. This information is commonly used to ensure end users are reaching their closest data center, or is compared with application pool response times across multiple sites to determine whether physical proximity or server responsiveness is the best way to direct user traffic.
Slide 44: Considerations for acceleration
BIG-IP WA (Web Accelerator Module):
- Application delivery (ADC) benefits start with asymmetric deployment
- WA improves end user experience for repeat visitors by eliminating network chatter
- Best in class caching
- Intelligent Browser Referencing (IBR) is unique
- WOM reduces file load time by 95%
- Explore Windows Server 2008 R2 BranchCache to reduce bandwidth use

Speaker notes:
Asymmetric ADC deployment means one pair of BIG-IP devices in your primary data center (between end users and SharePoint front end servers). Health monitoring, TCP optimizations, load-balancing, offloading operations such as SSL, and basic caching/compression are all delivered in this, the simplest deployment.
Beyond this, explore the range of acceleration benefits through symmetric WA/WOM:
- Improved end user experience for repeat visitors by eliminating the 304s generated from the non-layout components. For some deployments this can be the majority of the objects.
- Server off-load, as not all users are accessing the application with a primed cache. Symmetric deployments stage all content closer to the end users.
- New policy on DevCentral
Management Pack: interact with BIG-IP through the MP and SCOM console to perform tasks such as discovering nodes, adding/removing and enabling/disabling them. The PRO Pack brings BIG-IP network health stats into SCOM so that this data ... PRO tips in the VMM UI give admins the ability to automatically respond to and remediate issues.
Slide 45: Considerations for security
BIG-IP ASM (Application Security Module):
- Security or performance? Fastest layer 7 (application layer) security product
- Compliance regulations: PCI DSS, SOX, Basel II, HIPAA compliance
- New malicious behavior: built-in security policy for SharePoint
- Beyond HTTP protection
- ICSA Web Application Firewall Certification
- SC Magazine's 2010 Reader Trust Award for Best Web Application Security solution
ASM product overview: ...
Application security white paper: ...

Speaker notes:
Line 1: ASM, TMOS, F5 hardware advantages.
Line 2: ASM enables customers to comply with these regulatory standards.
Line 3: Starting with a security policy customized by F5 for SharePoint, ASM also contains a real-time policy engine that can "learn" proper application behavior and then be switched over to "protection" mode. It can also be used to build and deploy specific protections on the fly.
Line 4: Some application layer firewalls handle HTTP traffic only. ASM, built on F5's traffic management operating system (TMOS), understands and handles additional protocols.
Slide 46: Considerations for storage
F5 ARX file virtualization:
- Leveraging 3rd party solutions such as StoragePoint
- Reduce the size of your SharePoint content databases by 95%
- Streamline SharePoint performance and backup
- Decrease storage costs
Diagram: SharePoint | MS SQL | ARX | Storage devices

Speaker notes:
In SharePoint 2010 Microsoft has enhanced RBS and EBS for remote BLOB (binary large object) storage. This has paved the way for 3rd party specialists in storage and SharePoint operations to create customized solutions that enable customers to specify certain content/files to be stored as unstructured data instead of in MS SQL. This is a powerful option for customers who store extremely large numbers of files and relatively large files, such as multimedia-heavy content, videos, images, audio, etc. The solutions vary in their details, but at the core they replace the file stream provider which lies between SharePoint and MS SQL, effectively redirecting the file location to another place, usually file-server-like hard disks exposed via a NAS interface. For end users the SharePoint access and interface is unchanged (whether via web browser or an Office client application), but on the back end there is a significant difference in the efficiency of MS SQL processing. The greater the size of the content store, the greater the impact, but in general you can imagine the additional scale, the faster backup times, and the ease of migration and upgrade this option provides for customers with the appropriate requirements profile. F5 has deployed and tested the storage solution built by StoragePoint, one of the most popular and experienced SharePoint storage partners. It's important to note that StoragePoint the company was purchased recently by Metalogix, so StoragePoint the solution is available from Metalogix.
Slide 47: Considerations for dynamic computing and systems management
- Integrate F5 device management into systems management
- Health monitoring
- Automatic provisioning
- Control BIG-IP using PowerShell
F5 Management Pack offerings for System Center:
- Operations Manager
- Virtual Machine Manager
- SharePoint Application Designer
Slide 48: System Center Integration: F5 Management Pack for Operations Manager
Health-based load balancing video: ...
- Device discovery
- LTM, GTM supported
- 160+ health statistics
- Fully integrated with SCOM rules and event engine
- iRule-driven events supported
- Maintenance mode
- F5 device tasks: discover devices, standby, failover, configuration sync, help

Speaker notes:
Add features here to call out in talk track.
49System Center Integration F5 PRO enabled Management Pack for Virtual Machine Manager
50 Dynamic computing summary
- Prepare your network for dynamic computing
- BIG-IP is a natural choice for deploying virtualized infrastructure
- Server and data center consolidation
- Establishing business continuity
- Unify health monitoring views
- Enable your infrastructure to manage itself
51 F5 Application Designer Management Pack for SharePoint Server 2010
- Auto discovery of application instances
- Auto configuration of System Center Operations Manager
- Application VMs are auto-configured using BIG-IP application templates
- Live Migration and Maintenance supported
- Health roll-up identifies the source component of the application instance that is failing
52 Summary
- Faster application experience for LAN and WAN users
- Increased server computing capacity
- High-availability for SharePoint server services
- Streamlined SharePoint operations and maintenance
- Automatic, error-free configuration
- System Center integration for unified network and application service management
53 Network – Datacenter Integration: F5 offerings
- Integration with System Center: MP for SCOM, PRO Pack for VMM, Migration Pack and Application Designer Packs
- Open management interface (iControl API): enables integration with your management platform; PowerShell and .NET
(diagram: Management Pack for SCOM, PRO Pack for SCVMM, PRO Pack extensions)
These examples are built upon the completely extensible tool set (native API set, PowerShell cmdlets) giving power and flexibility to orchestrate any scenario. It is possible to reinforce the site resilience message by virtue of GTM.
55 System Center Integration: F5 PRO enabled Management Pack for Virtual Machine Manager
- Network monitoring
- Instruct BIG-IP
- PRO enabled
- Reports
- Host level performance
57 Hyper-V and BIG-IP working together
- User connection handling during Live Migration
- Live Migration over distance via BIG-IP Global Traffic Manager (GTM)
58 Vision for the dynamic datacenter
Enable companies to dynamically pool, allocate and manage:
- IT infrastructure as a service
- Lower the operational costs for delivering IT
- Increase flexibility and variety of services to tenants
59 F5 for a more dynamic network
(diagram: Elastic, Available, Portable, Patterned, Service oriented, Intelligence, Control)
F5’s best in class application-specific load balancing and acceleration, combined with the Microsoft management platform (specifically System Center Operations Manager and Virtual Machine Manager), provide the basic building blocks for a dynamic network.
- Network traffic management devices that are openly extensible with systems management
- System Center determines that more resources are needed and configures for it: hardware, VMs, and the network
- Fault avoidance: site resiliency, re-allocation of resources based on network situations
- The network is one more key source of data to make smart resource allocation decisions
- Network-related health information: detailed enough to provide multiple sets of port/protocol level pair detail under each application service
Unification
- Unifies VM changes and network changes (elastic computing)
Fault avoidance
- High-availability of application services
- Reallocation of resources based on network situation
- Application-specific network traffic management
Portable
- Traverse network boundaries
- Free from spatial constraints (geography and hardware)
- Increase efficiency and specialization
Patterned
- Partitioned for 1:many
- Repeatable deployment and operations
- Lowers cost barrier to entry: every service available to all customers
Elastic
- Steady state is a constant state of flux
- Scale out and in as needed
- Increases economies of scale of the hosting model
Service oriented
- Strong control
- Defined and custom service levels
- Opportunity to sell additional value services
- Custom threshold determination and operation
- Custom levels of automation versus human intervention in decisions and operational tasks
60 SharePoint related resources
- F5 Networks: Solution page for SharePoint Server 2010; Solution Overview; Application Ready Solution Guide; Deployment Guide; F5 Management Pack on DevCentral; Microsoft user forums on DevCentral
- Microsoft: SharePoint public Web sites
62 F5 Solution for Forefront Unified Access Gateway – DirectAccess
- Optimize secure remote access
- Scale UAG servers for high-availability
- Ensure best performance for new connections
- Persist existing client connections
Load balancing message is that it’s smart load-balancing. Need types described in these notes.
Spam filter message: We were first in market and if you can filter 70% of spam based on known offenders, why not leverage that functionality before mail gets to any of your Exchange servers or spam filters at all? Increases capacity (reduces load) on all messaging elements.
63 F5 iRules: Rules for customized network traffic management
- Used on the internal BIG-IP configurations
- Connection tracking (server persistence)
  - Sets the session key as the source IP address
  - Associates the source IP with the originating MAC of the UAG server
  - Adds it to a table on the BIG-IP to maintain persistence
- Pre-selection iRule (outbound persistence)
  - Ensures that the outbound client connection returns to the server to which the client is attached
  - The tunnel between the client and UAG server is reused for server-originated traffic to the client
We can make even more granular load balancing decisions using iRules, which key off specific data found within the packet. In our DirectAccess solution, the rules we use create a persistence record on the BIG-IP, and then use that persistence record to reuse the already established tunnel. Let’s have a look at the rules.
64 Common Questions
What load-balancing method does F5 recommend for DirectAccess client connections?
F5 recommends an intelligent load-balancing method based on the number of client connections over ports 3544 and 443. The F5 built-in load-balancing method called “least connections” ensures that each new client is directed to the DA server with the lowest number of current connections.
How does F5 achieve the “stickiness” needed to persist existing connections?
F5 has written and tested a set of custom iRules to persist client connections to one DA server within each user session.
How can one obtain the F5 iRules for this solution?
The connection tracking iRule and the persistence iRule are available as part of the solution deployment guide.
How would F5 support a multi-site deployment of DirectAccess?
Currently F5 recommends that customers design DirectAccess server deployments by geographic region and scale out within each region as needed.
Additional questions? Now is your chance to ask!
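As an added illustration (not the iRules from F5's deployment guide), here is a Python model of the behaviour the two slides above describe: least connections on ports 3544 and 443 for a client's first tunnel, a source-IP persistence record that later connections and server-originated traffic reuse, and expiry of that record. Server names, MAC addresses and client IPs are constructed values.

```python
"""Model of the DirectAccess load balancing described above: least connections for a
client's first tunnel, then persistence keyed on the source IP so later connections and
server-originated traffic reuse the same DA server. Constructed; not F5's guide iRules."""
from dataclasses import dataclass

TEREDO_PORT = 3544    # Teredo tunnel (UDP)
IPHTTPS_PORT = 443    # IP-HTTPS tunnel (TCP)

@dataclass
class DAServer:
    name: str
    mac: str              # MAC stored with the persistence entry (constructed values)
    connections: int = 0

class DirectAccessLB:
    def __init__(self, servers, ttl=3600):
        self.servers = {s.name: s for s in servers}
        self.table = {}   # source IP -> (server name, server MAC, expiry time)
        self.ttl = ttl

    def _lookup(self, src_ip, now):
        entry = self.table.get(src_ip)
        if entry is None or entry[2] <= now:
            self.table.pop(src_ip, None)   # drop an expired record
            return None
        return entry

    def _least_connections(self):
        # tie-break on the name so the choice is deterministic
        return min(self.servers.values(), key=lambda s: (s.connections, s.name))

    def client_connect(self, src_ip, dst_port, now):
        """Inbound tunnel: persisted server if a record exists, else least connections."""
        if dst_port not in (TEREDO_PORT, IPHTTPS_PORT):
            raise ValueError(f"port {dst_port} is not a DirectAccess tunnel port")
        entry = self._lookup(src_ip, now)
        server = self.servers[entry[0]] if entry else self._least_connections()
        server.connections += 1
        self.table[src_ip] = (server.name, server.mac, now + self.ttl)  # refresh expiry
        return server.name

    def client_disconnect(self, src_ip, now):
        entry = self._lookup(src_ip, now)
        if entry:
            self.servers[entry[0]].connections -= 1   # record stays until it expires

    def server_originated(self, client_ip, now):
        """Pre-selection: traffic from the DA side toward a client goes back through the
        server holding that client's tunnel; returns that server's MAC, or None."""
        entry = self._lookup(client_ip, now)
        return entry[1] if entry else None

def demo():
    lb = DirectAccessLB([DAServer("da1", "02:00:00:00:00:01"),
                         DAServer("da2", "02:00:00:00:00:02")])
    clients = [("203.0.113.10", TEREDO_PORT), ("203.0.113.11", TEREDO_PORT),
               ("203.0.113.12", IPHTTPS_PORT), ("203.0.113.10", IPHTTPS_PORT)]
    picks = [lb.client_connect(ip, port, now=i) for i, (ip, port) in enumerate(clients)]
    return picks, lb.server_originated("203.0.113.10", now=4)
```

The fourth connection in `demo()` lands on da1 although da2 has fewer connections, which is the persistence overriding least connections for an existing client.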
65 Benefits summary: Optimize secure remote access
- Monitoring protocol health
- Scaling out effectively
- Providing the best end user experience
67 DirectAccess related resources
- F5 solution for DirectAccess
- Deployment Guide
- DevCentral online community posts by F5
- Microsoft resources: Read more about DirectAccess
69 BranchCache: Customer benefits
BranchCache is a technology in Windows 7 and Windows Server 2008 R2 that makes it easier and faster for users to obtain Web and file share content across WAN links.
Customer benefits
- Increased employee productivity
- Reduced WAN bandwidth usage and Branch IT operational costs
- Hosted or Distributed Cache deployment options
Flexible deployment
- Hosted: Windows Server 2008 R2 caches
- Distributed: Windows 7 clients cache
- Multi-protocol access [HTTP, HTTPS, SMB, Signed SMB]
- Optimizes content delivery via caching in a distributed environment
70F5 Solution For BranchCache Secure Hash Algorithm - 256
71 F5 Solution for BranchCache
- Increase server availability
- Off-load content hash calculations, increasing server CPU computing capacity
- Extend the use of existing BIG-IP devices: same hardware used to manage Windows Server farm traffic
- Download the iRule from F5 DevCentral
- Web content support: HTTP/HTTPS, SHA-256
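To show what "off-load content hash calculations" means in practice, here is an added Python model of BranchCache-style content hashing (it is not F5's DevCentral iRule). It assumes the MS-PCCRC v1 sizes (64 KB blocks, 32 MB segments) and the HoD and Kp derivations shown in the comments, and does not reproduce the wire encoding; the content and server secret are constructed.

```python
"""SHA-256 content hashing of the kind BranchCache servers perform and the slide
says BIG-IP can offload. Constructed, simplified model: MS-PCCRC v1 sizes are
assumed (64 KB blocks, 32 MB segments); the on-the-wire encoding is not reproduced."""
import hashlib
import hmac

BLOCK_SIZE = 64 * 1024             # assumption: MS-PCCRC v1 block size
SEGMENT_SIZE = 32 * 1024 * 1024    # assumption: MS-PCCRC v1 segment size


def block_hashes(segment: bytes) -> list:
    """One SHA-256 per block: this is the per-byte CPU cost that gets offloaded."""
    return [hashlib.sha256(segment[i:i + BLOCK_SIZE]).digest()
            for i in range(0, len(segment), BLOCK_SIZE)]


def hash_of_data(blocks: list) -> bytes:
    """HoD: SHA-256 over the concatenated block hashes of one segment."""
    return hashlib.sha256(b"".join(blocks)).digest()


def segment_secret(server_secret: bytes, hod: bytes) -> bytes:
    """Kp = HMAC-SHA256(server secret, HoD); clients never see the server secret."""
    return hmac.new(server_secret, hod, hashlib.sha256).digest()


def content_information(content: bytes, server_secret: bytes) -> list:
    """Per-segment hashes a client needs to locate and verify blocks from a cache."""
    segments = []
    for offset in range(0, len(content), SEGMENT_SIZE):
        data = content[offset:offset + SEGMENT_SIZE]
        blocks = block_hashes(data)
        hod = hash_of_data(blocks)
        segments.append({"offset": offset, "length": len(data),
                         "block_hashes": blocks, "hod": hod,
                         "kp": segment_secret(server_secret, hod)})
    return segments


def verify_block(block: bytes, expected_hash: bytes) -> bool:
    """A client accepts a cached block only if its SHA-256 matches the server's hash."""
    return hmac.compare_digest(hashlib.sha256(block).digest(), expected_hash)


def demo():
    # constructed content: 200 KB -> three full 64 KB blocks plus an 8 KB tail
    content = bytes(range(256)) * 800
    info = content_information(content, server_secret=b"constructed-server-secret")
    first = info[0]
    tampered = bytearray(content[:BLOCK_SIZE])
    tampered[0] ^= 0xFF
    return (len(info), len(first["block_hashes"]),
            verify_block(content[:BLOCK_SIZE], first["block_hashes"][0]),
            verify_block(bytes(tampered), first["block_hashes"][0]))
```

Every byte served passes through SHA-256 once in `block_hashes`, which is the work the slide describes moving from the Windows Server farm onto the BIG-IP.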
72 BranchCache related resources
- F5 Networks: F5 iRule for configuring BranchCache
- Microsoft: Read more about BranchCache; Microsoft customer evidence
74 F5’s Dynamic Control Plane Architecture
(diagram: Users; Control; Dynamic; Availability, Scale, HA / DR, Bursting, Load-Balancing; Optimization: Network, Application, Storage, Offload; Security: Network, Application, Data, Access; Management: Integration, Visibility, Orchestration; Application and Data Delivery Network)
F5 has been working toward a unified architecture for some time, something we pioneered called the application delivery network, beginning with our BIG-IP Local Traffic Manager product, an advanced application delivery controller, through to the most recent announcement of our BIG-IP Edge Delivery Controller, the first advanced ADC focused on converging and consolidating edge application delivery services. Over the years we’ve built out a rich product portfolio focused exclusively on the successful delivery of applications and data to end users regardless of where they are coming from, what device they use, and where the application and data resources may live. Today, we’re announcing several key functions of our architecture and product portfolio that leverage enterprises’ existing infrastructure, extending and reusing what they already own to enable a common cloud architectural model regardless of where those resources may reside, whether internal to the enterprise or in external cloud services.
- Enterprise first! Design internal enterprise resources for on-demand mobility, orchestration, and automation
- Look to outsource infrastructure, platforms, or applications, but never outsource enterprise control
- The cloud is simply an iteration of a platform and operational model
(diagram: Resources; Private, Public, Cloud; Physical, Virtual; Multi-Site DCs)
75 F5 Management Pack on DevCentral
- Core Pack
- PRO Pack
- Migration Pack
- Application Designers: IIS, SharePoint
76 BIG-IP Hardware Line-up
2 x Hex core CPU; 16 10/100/ x 10 SFP+ 10Gbps; 2x 320 GB HD (S/W RAID) + 8GB CF; 32 GB memory; 100K TPS / 15Gb bulk; 12 Gbps max software compression; 40 Gbps Traffic
BIG-IP 8950
BIG-IP 8900
2 x Quad core CPU; 16 10/100/ x 1GB SFP + 2x 10Gb SFP+; 2x 320 GB HD (S/W RAID) + 8GB CF ?; 16 GB memory; 56K TPS / 9.6Gb bulk; 8 Gbps max software compression; 20 Gbps Traffic
BIG-IP 6900
2 x Quad core CPU; 16 10/100/ x 1Gb SFP + 2x 10Gb SFP+; 2x 320 GB HD (S/W RAID) + 8GB CF; 16 GB memory; 58K TPS / 9.6Gb bulk; 8 Gbps max hardware compression; 12 Gbps Traffic
BIG-IP 3900
2 x Dual core CPU; 16 10/100/ x 1Gb SFP; 2x 320 GB HD (S/W RAID) + 8GB CF; 8 GB memory; 25K TPS / 4 Gb bulk; 5 Gbps max hardware compression; 6 Gbps Traffic
Quad core CPU; 8 10/100/ x 1Gb SFP; 1x 300 GB HD + 8GB CF; 8 GB memory; 15K TPS / 3.8 Gb bulk; 3.8 Gbps max software compression; 4 Gbps Traffic
BIG-IP 3600
Dual core CPU; 8 10/100/ x 1Gb SFP; 1x 160 GB HD + 8GB CF; 4 GB memory; 10K TPS / 2 Gb bulk; 1 Gbps max software compression; 2 Gbps Traffic
BIG-IP 1600
Dual core CPU; 4 10/100/ x 1Gb SFP; 1x 160GB HD; 4 GB memory; 5K TPS / 1 Gb Bulk; 1 Gbps max software compression; 1 Gbps Traffic
78 Infrastructure Optimization
- Basic: Uncoordinated, manual infrastructure
- Standardized: Managed IT infrastructure with limited automation
- Rationalized: Managed and consolidated IT infrastructure with maximum automation
- Dynamic: Fully automated management, dynamic resource usage, business-linked SLAs
Fixing the 80/20 issue is a journey. Infrastructure Optimization is how we suggest you take the journey: know where you are in the maturity model, apply the best practices that move you to the right, etc. We have a strategy that enables you to get to the dynamic state: Dynamic IT.
Microsoft has engaged with customers in a way that allows them to think through how best to make investments in their environment, to help them get to a better level of maturity: a lower-cost state, a more flexible and more agile state.
To support this effort, Microsoft has developed the Infrastructure Optimization models. Today we’re focused on the Core Infrastructure Optimization (Core IO) model. The Core IO model is a maturity model that helps us engage with you to understand where you are today and what best practices you can implement to help you optimize your infrastructure.
The key thing about this model is, number one, it's about best practices. It's not just about technology. But underlying all of this is a set of technology investments that Microsoft is making to help you achieve that dynamic state. The technology strategy that pervades all of the investments we make is what we call Dynamic IT.
(diagram: Cost Center, More Efficient Cost Center, Business Enabler, Strategic Asset; Manage Complexity and Achieve Agility)
79 Dynamic Services Model: What’s Needed
(diagram: Users; Resources; Private, Public, Cloud; Physical, Virtual; Multi-Site DCs)
Dynamic Services Model: reusable services that understand context and can provide control regardless of application, virtualization, user, device, platform or location.
What's needed is a modern IT delivery model, one that is dynamic, fluid and app/user centric. It must respond to a world with unknown users, resources and applications out of our control.
What’s required? A new paradigm in data center and networking design that allows the customer, on their terms, to add, remove, grow, and shrink application and data/storage services on demand.
The type of network that can understand the context of the user, location, situation, device and application, and dynamically adjust to those conditions. It’s the type of network which can be provisioned in hours, not weeks or months, to support new business applications.
It’s the type of network that is not just application fluent but can serve as a centralized computational engine to more rapidly deliver services in support of the users, applications, and data, and do it more cost-effectively than any other alternative.
80 Visibility, Action, Context: Functions of Unified Application and Data Delivery
Enabling the Dynamic Infrastructure
Integration
- All strategic points of control synchronize, communicate and leverage functions and intelligence
- Integration within the ecosystem and an open, standards-based API for cross-product integration
Visibility
- Intercept the bi-directional application and data stream at all points of control
- Common proxy architecture for each network device and ability to see all protocols
- Reporting, notification, trending
Action (IT Agility)
- Relate visibility and content to predetermined business policy to take action
- Determine and direct the appropriate response, access, acceleration, or security
Context
- Put the user application and data stream in context
- Understand and relate the context of the user, device, location, network, application, virtualization, and resource
This new intelligent fabric must intercept the stream of interactions between users and resources without impacting performance or availability. It provides an important new vantage point to see and report on these interactions.
It must understand a vast array of variables that put the interactions in context: user profile, location, interface device, application, file meta-data, etc.
It must be able to apply business policies to the interaction, determining, for example, that a particular user/application combination should be afforded enhanced QoS.
Finally, it must be able to effect changes to enforce these decisions: routing traffic, rate shaping, replicating files, blocking DoS attackers, etc.
81 The Leader in Application Delivery Networking
(diagram: Users; Application Delivery Network; Data Center; At Home, In the Office, On the Road; Microsoft)
Business Goal: Achieve These Objectives in the Most Operationally Efficient Manner
82 Architected for Integration: iControl for Application Integration
(diagram: F5 Products; TMOS Operating System; Shared Application Services; Shared Network Services; Application Optimization, Security, Availability)
83 Dynamic Datacenter = On Demand IT
Microsoft’s vision of the dynamic datacenter aligns with F5’s vision of on demand IT, where:
- Software is delivered as a service
- Resources are dynamically allocated as needed
- Management decisions are made based on holistic network and application health metrics
- Management operations are automated, even predictive, to avoid poor service
(diagram: Systems Management; Compute, Network, Storage; Systems Management; WDTDIT-SC)