F5 BIG-IP for Microsoft
Brian McHenry, Field Systems Engineer, F5 Networks
email@example.com
F5 and Microsoft
• F5 enjoys a long-standing global partnership with Microsoft, extending the availability, reliability, scalability and security of Microsoft’s enterprise software.
• Solution development across the Windows platform, business productivity applications, systems management and virtualization
• Key alliance memberships such as the System Center Alliance and the Dynamic Datacenter Alliance represent joint investment, shared thought leadership and strategic planning
• F5 educates and trains Microsoft technical field, services and support teams on the BIG-IP platform and F5 solutions for Microsoft applications
(Slide graphic) Dynamics | SharePoint | Exchange | Lync | System Center | DirectAccess | BranchCache | RDS | SSTP | IPsec | IIS/ASP.NET | Windows
(Slide graphic) Availability | Reliability | Scalability | Security | Visibility | Manageability
Microsoft Partnership
• Globally managed technology partner since 2001
• One of 52 MTC Alliance partners
• Office and lab in MPSC, Building 25, Redmond campus
F5 + Microsoft = Better Together
F5 offers solutions for a wide range of Microsoft products and technologies. F5 is a key infrastructure building block for the Microsoft software + services platform.
(Slide graphic) Windows Server | Forefront | SharePoint | Exchange | Lync Server | MS CRM | SQL | BizTalk | Commerce Server
(Slide graphic) Elastic computing | Systems management | Data center orchestration | Virtual Desktop (VDI) | Private cloud | Public cloud | Hybrid cloud
(Slide graphic) Hyper-V | System Center | PowerShell | Visual Studio | .NET
Application delivery
F5 devices manage traffic within the context of the applications running on the network, optimizing user experience and providing visibility and control to IT.
Benefits
• Increased availability and capacity
• Seamless disaster recovery
• Flexible security options
Exchange 2010 Architecture (slide diagram): within the enterprise network, Hub Transport (routing and policy) and Edge Transport (routing and AV/AS) connect to external SMTP servers; Unified Messaging (voice mail and voice access) connects to the phone system (PBX or VoIP); Mailbox (storage of mailbox items) sits behind Client Access (client connectivity, web services), which serves mobile phones, web browsers, Outlook (remote and local users) and line-of-business applications.
What’s new in Exchange Server 2010? ADC for highest availability
• Elevation of the Client Access Server (CAS) role
• All client connections, regardless of protocol, are with CAS servers
• CAS servers rely on an ADC for high availability: CAS is critical
• Microsoft recommends hardware load balancing for every Exchange 2010 deployment
  • ADC recommended over NLB
  • Includes multi-role Exchange server installations
  • Includes installations with Microsoft clustering services
The F5 Solution for Exchange Server 2010
• Prevent these pains
  • Dropped sessions: re-authentication, reconnection
  • Failed network connections: retries, delay
  • Slow response: trapped users
• These capabilities
  • Health monitoring and intelligent load balancing
  • Client persistence
  • Server offload
  • Availability of servers, arrays and sites
NLB and Hardware-Based Load Balancing: which way to go? For Exchange 2010, the choice is clear.
• Microsoft internal Exchange design: http://technet.microsoft.com/en-us/library/ff829232.aspx
• TechNet guidance for high availability: http://technet.microsoft.com/en-us/library/ff625247.aspx
The F5 Solution for Exchange Server 2010
• User: client to CAS server
• Mail: mail flow through Edge farms
Availability
• Health monitoring
  • Port/protocol requests
  • Real-time in-memory connection tables
• Intelligent load balancing
  • BIG-IP always knows the most available server
  • Least connections method
  • See application template
• Cross-site availability
  • Site-level health
  • Prioritized decision tree
Persistence
• Also known as affinity or sticky sessions, persistence can help enhance a user’s application experience
• Different types of persistence:
  • Source IP
  • Cookie
  • SSL ID
• Each Exchange client connection type has a recommended persistence method
Configuring persistence profiles in BIG-IP (screenshot): Local Traffic > Profiles > Persistence > Create, shown for Source IP, SSL ID and Cookie persistence
Performance: SSL termination
• Reduce the cost and overhead of managing certificates by moving them to BIG-IP
• BIG-IP is designed with a dedicated chipset for encryption/decryption calculations
• Increase Exchange server CPU utilization and network connections per second
Security
• Bi-directional proxy
• Secure remote access
• Pre-authentication
• Application-layer security for web clients
• Spam filtering
Introduction: Exchange ActiveSync
• The ActiveSync protocol is used between smartphones and Microsoft Exchange for synchronization of mail, calendar and contacts
• Username and password are normally used for security
• A one-time password (OTP) or token is not used because it is not user friendly
• Client SSL certificates cause management issues when trying to manage client certificates on hundreds of different devices
• BIG-IP Access Policy Manager (APM) can be used to improve security for ActiveSync solutions
Exchange market share
• More than 200 million installed Exchange mailboxes
  • http://download.microsoft.com/download/E/8/A/E8A154BF-CC35-4340-BD26-6265CDB06B6E/ExStats.doc
• BIG-IP LTM and APM are flexible tools and can be configured to improve security for ActiveSync users
ActiveSync, Microsoft Solution
• Authenticate the user before the client accesses the Exchange server
• Exchange 2007/2010 can verify the device id
• AD group check and basic URL filter can be implemented on TMG
(Slide diagram) DMZ: MS TMG or ISA; Data Center: MS Exchange, AD
ActiveSync, F5 BIG-IP LTM & APM Solution
• SSL offload
• Verify and enable access based on
  • User/password, AD group membership
  • IP location, device id, device type, user agent
  • Brute-force detection
  • ActiveSync commands used
  • URI (allow access requests to /Microsoft-Server-ActiveSync)
  • User home server
(Slide diagram) DMZ; Data Center: MS Exchange, AD
BIG-IP example of security options that can be enabled for ActiveSync
• SSL offload
• URI check (/Microsoft-Server-ActiveSync and /autodiscover)
• Agent whitelist: only allow access from known device types (based on agent information). Agent information also contains information about the software version on the phone.
• Verify the source IP address and enable access from known mobile carriers
• Device id verification: verify the user’s AD attribute holding the provisioned device id
• Login brute-force detection: disable the source IP address for 90 seconds after 3 failed logons
• AD group membership: only allow access for users who are members of the ActiveSync group
• Verify the ActiveSync command sent from the smartphone against a whitelist of approved ActiveSync commands
• For large installations, verify AD information and route the request to the user’s home server
• Verify username and password
Access Policy in Visual Policy Editor
• Visual Policy Editor enables easy configuration of access policies for ActiveSync, without scripting.
Summary of APM Benefits
• Security for ActiveSync users can be improved using BIG-IP Access Policy Manager
• Verification of ActiveSync URI and User-Agent
• AD group membership verification
• AD user device id attribute compared with the device id from the mobile phone
• Authentication of the user after verification of URI, User-Agent, AD group and AD device id
• Detect and blacklist brute-force IP addresses
• Verify ActiveSync commands from devices with a whitelist of approved commands
• SSO for other Microsoft services such as SharePoint
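As an added illustration (not F5 configuration and not part of the original deck), the following Python sketch evaluates one ActiveSync request against the checks listed on the security-options slide and in the APM benefits summary, in the order the summary gives them, including the 90-second source-IP lockout after 3 failed logons; the device-type whitelist, command whitelist, AD user records and credentials are constructed stand-ins.

```python
import time
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Policy inputs mirroring the slide's checks; all values are constructed stand-ins.
ALLOWED_PATHS = ("/microsoft-server-activesync", "/autodiscover")  # compared in lower case
ALLOWED_AGENT_PREFIXES = ("Apple-iPhone", "Android-EAS", "MSFT-WP")  # hypothetical whitelist
ALLOWED_COMMANDS = {"Sync", "FolderSync", "Ping", "Provision", "Settings", "GetItemEstimate"}
MAX_FAILURES, LOCKOUT_SECONDS = 3, 90  # slide: disable source IP for 90 s after 3 failed logons

# Constructed stand-in for the AD lookup: group membership and the provisioned device id.
AD_USERS = {"alice": {"groups": {"ActiveSync"}, "deviceid": "ABC123"},
            "bob":   {"groups": set(),          "deviceid": "XYZ999"}}
CREDENTIALS = {"alice": "s3cret", "bob": "hunter2"}  # constructed; APM would query AD
failed_logons = defaultdict(int)  # source IP -> consecutive failed logons
locked_until = {}                 # source IP -> time at which the lockout expires

def record_failure(src_ip, now):
    # Count a failed logon; on the third one, block the source IP for LOCKOUT_SECONDS.
    failed_logons[src_ip] += 1
    if failed_logons[src_ip] >= MAX_FAILURES:
        locked_until[src_ip] = now + LOCKOUT_SECONDS
        failed_logons[src_ip] = 0

def evaluate(req, now=None):
    """Return (allowed, reason) for one request, in the order the APM summary gives:
    lockout, URI, User-Agent, AD group, device id, command, and only then the password."""
    now = time.time() if now is None else now
    if locked_until.get(req["src_ip"], 0) > now:
        return False, "source IP locked out"
    parts = urlsplit(req["url"])
    path = parts.path.lower()
    if not path.startswith(ALLOWED_PATHS):
        return False, "URI not allowed"
    if not req["user_agent"].startswith(ALLOWED_AGENT_PREFIXES):
        return False, "User-Agent not in whitelist"
    user = AD_USERS.get(req["user"])
    if user is None or "ActiveSync" not in user["groups"]:
        return False, "user not in ActiveSync group"
    if path == "/microsoft-server-activesync":
        qs = parse_qs(parts.query)  # EAS passes Cmd, User, DeviceId, DeviceType in the query
        if qs.get("DeviceId", [""])[0] != user["deviceid"]:
            return False, "DeviceId does not match provisioned value"
        if qs.get("Cmd", [""])[0] not in ALLOWED_COMMANDS:
            return False, "ActiveSync command not in whitelist"
    if CREDENTIALS.get(req["user"]) != req["password"]:
        record_failure(req["src_ip"], now)
        return False, "bad credentials"
    failed_logons[req["src_ip"]] = 0  # a successful logon resets the counter
    return True, "ok"
```

Note that the password is only checked after the cheaper URI, agent, group and device checks have passed, so a request from an unknown device never reaches AD authentication and cannot contribute to a lockout.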
BIG-IP deployment topology (slide diagram with callouts A-D)
Summary
• Highest availability
• Dramatically increased server capacity
• Cross-site availability and resilience
• Pre-authenticate users in the perimeter network
• Seamless integration with systems management
Exchange related resources
• F5 Solution page for Exchange Server
  • http://www.f5.com/solutions/microsoft/exchange
• F5 Deployment Guide for Exchange Server 2010
  • http://www.f5.com/pdf/deployment-guides/f5-exchange-2010-dg.pdf
• Technical white paper by Microsoft on their internal deployment
• Load-balancing requirements from TechNet
  • http://technet.microsoft.com/en-us/library/ff625247.aspx
• F5 developer/IT admin user community
  • http://devcentral.f5.com/microsoft
F5 Solution Benefits
• Performance = scalability, availability and resiliency
• Secure monitoring
• Deployment assistance
Best practices
• Use Microsoft guidance for sizing
  • For F5 devices, key off throughput, number of concurrent users, features to be used, and the ratio of external versus internal users
• Resiliency
  • Site resiliency through BIG-IP Global Traffic Manager (GTM)
  • Client session resiliency through TCP idle timeout
  • BIG-IP resiliency through LTM mirroring
• Contact your local F5 field engineering team for assistance
New considerations
• DNS load balancing is available. Verify customer requirements for availability and resilience
• ADCs are still a critical component for managing both web and real-time communications
• Advanced ADCs offer DNS-based connection redirects for site-level resilience
• Global traffic management is an option for site-level resilience that does not require a SAN
• WAN redundancy is an option versus a survivable branch appliance for voice resilience
Summary
• Lync Server 2010 needs ADCs for highest availability, scale and reliability
• Real-time communications need intelligent, line-speed traffic management
• One ADC covers multiple deployment points
• Session-level and site-level resilience are network challenges F5 can help you solve
Lync Server Resources
• F5 solution for Lync
  • http://www.f5.com/solutions/applications/microsoft/lync-server/
  • http://www.f5.com/pdf/application-ready-network-guides/f5-lync-arsg.pdf
  • http://www.f5.com/pdf/deployment-guides/f5-lync-dg.pdf
• Customer reference and press
  • http://searchunifiedcommunications.techtarget.com/news/1523829/Application-delivery-controllers-ensure-enterprises-OCS-2007-R2-uptime
• F5 online community for Microsoft solutions
  • http://devcentral.f5.com
• F5 press release
  • http://www.f5.com/news-press-events/press/2010/20101103.html
• Microsoft Lync qualified ADC list
  • http://technet.microsoft.com/en-us/office/ocs/cc843611.aspx
SharePoint
SharePoint is a business collaboration platform that can be deployed with specific roles in these areas:
• Web portals and web content management
• Business intelligence and analysis
• Collaboration
• Document management
• Enterprise search
• Custom .NET web application development
F5 supports each of these server capabilities, providing performance, availability and security enhancements over the network, transparently to the application.
F5 Solution for SharePoint 2010
• Improve end-user experience through better response
• Offload operations to free up CPU, increasing server availability
• Leverage a single point and platform for security and delivery
Considerations for availability
BIG-IP LTM (Local Traffic Manager)
• Increased server availability = increased user productivity
• Availability should be measured per server and across servers
BIG-IP GTM (Global Traffic Manager)
• Cross-site load balancing increases infrastructure ROI
• Implementing disaster recovery could be a first step toward real-time site resilience
Considerations for acceleration
BIG-IP WA (Web Accelerator module)
• Application delivery (ADC) benefits start with asymmetric deployment
• WA improves end-user experience for repeat visitors by eliminating network chatter
  • Best-in-class caching
  • Intelligent Browser Referencing (IBR) is unique
• WOM reduces file load time by 95%
• Explore Windows Server 2008 R2 BranchCache to reduce bandwidth use
Considerations for security
BIG-IP ASM (Application Security Module)
• SC Magazine’s 2010 Reader Trust Award for Best Web Application Security solution
Considerations for storage
F5 ARX file virtualization
• Leveraging third-party solutions such as StoragePoint
• Reduce the size of your SharePoint content databases by 95%
• Streamline SharePoint performance and backup
• Decrease storage costs
(Slide diagram) SharePoint, storage devices, ARX, MS SQL
Considerations for dynamic computing and systems management
• Integrate F5 device management into systems management
  • Health monitoring
  • Automatic provisioning
• Control BIG-IP using PowerShell
• F5 Management Pack offering for System Center
  • Operations Manager
  • Virtual Machine Manager
  • SharePoint Application Designer
• http://devcentral.f5.com/mpack
System Center Integration: F5 Management Pack for Operations Manager (screenshot with callouts A-E)
System Center Integration: F5 PRO-enabled Management Pack for Virtual Machine Manager
Dynamic computing summary
• Prepare your network for dynamic computing
• BIG-IP is a natural choice for deploying virtualized infrastructure
  • Server and data center consolidation
  • Establishing business continuity
• Unify health monitoring views
• Enable your infrastructure to manage itself
F5 Application Designer Management Pack for SharePoint Server 2010
• Auto-discovery of application instances
• Auto-configuration of System Center Operations Manager
• Application VMs are auto-configured using BIG-IP application templates
• Live Migration and maintenance supported
• Health roll-up identifies the source component of the application instance that is failing
Summary
• Faster application experience for LAN and WAN users
• Increased server computing capacity
• High availability for SharePoint server services
• Streamlined SharePoint operations and maintenance
• Automatic, error-free configuration
• System Center integration for unified network and application service management