Lab 1: Configure Identity Aware Proxy(16.0)

The Zero Trust Architecture shifts many of the objects that would exist in a per-session policy to the per-request policy thereby creating a more secure authentication and authorization scheme. The authenticity of each request is further enhanced through the use of F5’s Access Guard agent installed on a client. This agent provides a PKI signed report of the posture assessment performed on the client real-time rather than the historical way plug-ins reported status. Previously, after a user connected to an application they would experience a delay in access as the agent performed the posture assessment to provide an unsigned report to the BIG-IP.

Topics Covered

  • Real-time Posture Assessments
  • Per-Request Frameworks
  • Contextual Access
  • HTTP Connector

Expected time to complete: 1 hour

Setup Lab Environment

To access your dedicated student lab environment, you will need a web browser and Remote Desktop Protocol (RDP) client software. The web browser will be used to access the Unified Demo Framework (UDF) Training Portal. The RDP client will be used to connect to the jumphost, where you will be able to access the BIG-IP management interfaces (HTTPS, SSH).

  1. Click DEPLOYMENT located on the top left corner to display the environment

  2. Click ACCESS next to jumphost.f5lab.local

    image90

  3. Select your RDP resolution.

  4. The RDP client on your local host establishes a RDP connection to the Jump Host.

  5. Login with the following credentials:

    • User: f5lab\user1
    • Password: user1

  6. After successful logon the Chrome browser will auto launch opening the site https://portal.f5lab.local. This process usually takes 30 seconds after logon.

    image91

  7. Click the Classes tab at the top of the page.

  8. Scroll down the page until you see 201- 16.0 Zero Trust - Identity Aware Proxy on the left

    image87

  9. Hover over tile Configure Identity Aware Proxy(16.0). A start and stop icon should appear within the tile. Click the Play Button to start the automation to build the environment

    image88

  10. The screen should refresh displaying the progress of the automation within 30 seconds. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you you experience errors try running the automation a second time or open an issue on the Access Labs Repo.

    image89

  11. Close Chrome.

Section 1.1 - Access Guided Configuration

The first step in deploying the IAP is accessing Guided Configuration

Task 1 - Access the Zero Trust IAP guided configuration

  1. Open Firefox, and navigate to https://bigip1.f5lab.local

  2. Login with username admin and password admin

    image2

  3. Click on the Access tab located on the left side

    image3

  4. Click Guided Configuration

    image4

  5. Click Zero Trust

    image5

  6. Click Identity Aware Proxy

    image6

  7. Click Next

    Note

    Review the design considerations for deploying IAP in a Single Proxy versus a Multi-proxy solution.

    image7

Section 1.2 - General Properties

In this section, you will configure the IAP policy to perform posture assessment from client devices.

Task 1 - Select the component to configure for Lab 1

  1. Define the configuration name IAP_DEMO

  2. Click Device Posture

  3. Click Multi Factor Authentication

  4. Click Single Sign-On (SSO)& HTTP Header

  5. Click Webtop

  6. Click Save & Next

    image8

Section 1.3 - Device Posture

Task 1 - Enable Posture Checks

  1. Check Enable F5 Client Posture Check

  2. select ca.f5lab.local from the CA Trust Certificate dropdown list

  3. Select Add to create a posture assessment group

    image9

Task 2 - Define a firewall Posture Assessment

  1. Define the Posture Group Name FW_CHECK

  2. Check the Firewall box

  3. Check the Domain Managed Devices box

  4. Enter the Domain Name f5lab.local

  5. Click Done

    image10

Task 3 - Verify the posture assessment

  1. The Posture Settings box should contain FW_CHECK

  2. Click Save & Next

    image11

Section 1.4 - Virtual Server

In this section, you will define the virtual server IP address and its SSL profile settings

Task 1 - Create a virtual server

  1. Enable Advanced Settings located in the top left corner

  2. Enter the IP address 10.1.10.100 in Destination Address

  3. In the Client SSL Profile section, move clientssl profile to Available side

  4. Double click the acme.com-wildcard to move the profile to Selected

    image12

  5. In the Server SSL Profile section, double-click the serverssl SSL Profile to move it to the Selected side (or select it and then click the right-arrow to move)

  6. Click Save & Next

    image13

Section 1.5 - User Identity

In this section you will configure a single User Identity using Active Directory.

Task 1 - Configure Active Directory AAA

  1. Click Add

    image14

  2. Enter “ad” for the name

  3. Ensure the Authentication Type is AAA

  4. Ensure the Choose Authentication Server Type is set to Active Directory

  5. Select ad-servers from the Choose Authentication Server dropdown box

  6. Check Active Directory Query Properties

    image15

  7. Double-click memberOf in the Required Attributes box

  8. Click Save

    image16

Section 1.6 - MFA

In this section you will configure a RADIUS server to enable simulated MFA capabilities.

Task 1 - Configure a RADIUS AAA Server

  1. Click the MFA tab

    image17

  2. Click Add

    image18

  3. Double click Custom Radius Based

    image19

  4. Select Create New from the Choose RADIUS Server dropdown

    image20

  5. Enter the Server Pool Name radius_pool

  6. Enter the Server Address 10.1.20.8

  7. Enter the Secret secret

  8. Click Save

    image21

  9. Verify Custom RADIUS based Authentication appears

  10. Click Save & Next

    image22

Section 1.7 - SSO & HTTP Header

In this section you will configure HTTP Basic SSO.

Task 1 - Create a HTTP basic SSO object

  1. Click Add

    image23

  2. Enter the name basic_sso

  3. Verify HTTP Basic is selected

  4. Select Create New from the SSO Configuration Object dropdown box

    image24

  5. Verify the Username Source is session.sso.token.last.username

  6. Verify the Password Source is session.sso.token.last.password

  7. Click Save

    image25

  8. Verify the basic_sso object was created

  9. click Save & Next

    image26

Section 1.8 - Applications

In this section you will define a single application

Task 1 - Create basic.acme.com application

  1. Enter Auth Domain iap1.acme.com

  2. Click Add

    image27

  3. Enter basic.acme.com for the application name

  4. Enter basic.acme.com for the FQDN

  5. Enter the IP address 10.1.20.6 for the pool member

  6. Click Save

    image28

  7. Verfiy basic.acme.com application was created

  8. Click Save & Next

    image29

Section 1.9 - Webtop

Task 1 - Modify the Webtop setting

  1. Set the Primary Authentication to ad

  2. Verify basic.acme.com is listed under Application

  3. Click Save & Next

    image30

Section 1.10 - Contextual Access

In this section you will define contextual access for the previously created application. Context access is where all of the previously created objects are put together to provide fine-grain access control.

Task 1 - Create Contextual Access for basic.acme.com

  1. Click Add

    image31

  2. Enter basic.acme.com for the contextual access name

  3. Select basic.acme.com from the Resource dropdown box

  4. Select fw_check from the Device Posture dropdown box

  5. Select ad from the Primary Authentication dropdown box

  6. Select basic_sso from the Single Sign-On dropdown box

  7. Enter Sales Engineering in the Filter by Group Name. This group assignment section controls the display of resources on the Webtop. It does not control the access to the actual resource. That will be covered in lab2.

  8. Click Add beside the Group Name

    image32

  9. Check Additional Checks

  10. For the Default Fallback rule, select Step Up from the dropdown box under Match Action

  11. Select Custom Radius based Authentication (MFA) from the Step Up Authentication box

  12. Click Save

    image33

  13. Verify basic.acme.com Contextual Access

  14. Click Save & Next

    image33-2

Section 1.11 - Customization

The Customization section allows an administrator to define the images, colors, and messages that are presented to a user.

Task 1 - Customize the Remediation Page URL

The default remediation Page URL uses the hostname site request.com. This should be changed to reference a real host where users can download and install the EPI updates.

  1. Scroll down to the Remediation Page Section

    image36

  2. Enter the URL https://iap1.acme.com/epi/downloads

    image37

  3. Click Save & Next

  4. On the Session Management Properties menu, Click Save & Next

Section 1.12 - Summary

The Summary page allows you to review the configuration that is about to be deployed. In the event a change is required anywhere in the configuration the pencil icon on the right side can be selected to quickly edit the appropriate section.

Task 1 - Deploy the configuration

  1. Click Deploy

    image38

  2. Once the deployment is complete, click Finish

Section 1.13 - Testing

In this section you will access the application basic.acme.com and watch how the BIG-IP restricts access when a device fails it’s posture assessment.

Warning

You must use Firefox for testing!

Task 1 - Access basic.acme.com

Note

Posture Assessments in a Per-Request Policy use F5 Access Guard(running on clients) to perform posture assessments prior to accessing an application. This improves the user experience since posture checks do not introduce any delay when accessing the application. This also improves security by allowing posture assessments to occur continuously throughout the life of the session.

  1. From the jumpbox, browse to https://iap1.acme.com

  2. At the logon page enter the Username:user1 and Password:user1

  3. Click Logon

    image39

  4. Click the basic.acme.com tile on the webtop

    image40

  5. The RADIUS logon page, prepopulates the username:user1. Enter the PIN: 123456 in the password field

    image41

  6. The SSO profile passes the username and password to the website for logon.

    image42

  7. Close the browser Window to ensure there is not cached data

Task 2 - Disable Windows Firewall

  1. Right click the computer icon in the taskbar and open Network and Sharing Center

    image43

  2. Click Windows Firewall

    image44

  3. Click Turn Windows Firewall on or off

    image45

  4. Click the radio button Turn off Windows Firewall

  5. Click Ok

    image46

Task 3 - See Deny Page iap1.acme.com

  1. From the jumpbox, browse to https://iap1.acme.com

  2. At the logon page enter the Username:user1 and Password:user1

  3. Click Logon

    image39

  4. Click the basic.acme.com tile on the webtop

    image40

  5. After approximately 15 seconds you will receive a deny page from the IAP stating that you have failed the network firewall check

    image47

  6. Close the browser Window to ensure there is no cached data

Task 4 - Enable Windows Firewall

  1. Right click the computer icon in the taskbar and open Network and Sharing Center

    image43

  2. Click Windows Firewall

    image44

  3. Click Turn Windows Firewall on or off

    image45

  4. Click the radio button Turn on Windows Firewall

  5. Click Ok

    image48

  6. From the jumpbox, connect to https://iap1.acme.com webtop, and then access the basic.acme.com application

  7. This concludes lab 1.

    image100