Lab 2: SSL VPN SAML Authentication

Section 1.1 - Setup Lab Environment

To access your dedicated student lab environment, you will need a web browser and Remote Desktop Protocol (RDP) client software. The web browser will be used to access the Unified Demo Framework (UDF) Training Portal. The RDP client will be used to connect to the jumphost, where you will be able to access the BIG-IP management interfaces (HTTPS, SSH).

  1. Click DEPLOYMENT located on the top left corner to display the environment

  2. Click ACCESS next to jumphost.f5lab.local

  3. Select your RDP resolution.

  4. The RDP client on your local host establishes an RDP connection to the jumphost.

  5. Login with the following credentials:

    • User: f5lab\user1
    • Password: user1
  6. After a successful logon, Chrome launches automatically and opens https://portal.f5lab.local. This usually takes about 30 seconds after logon.

  7. Click the Classes tab at the top of the page.

  8. Scroll down the page until you see 309 SSL VPN on the left

  9. Hover over tile SSL VPN - SAML Authentication. A start and stop icon should appear within the tile. Click the Play Button to start the automation to build the environment

  10. The screen should refresh displaying the progress of the automation within 30 seconds. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors try running the automation a second time or open an issue on the Access Labs Repo.

Task 1 - Review Network Access Components

Note

The network access components were built in Lab01 and have been recreated in Lab02

  1. While in the jumphost, launch Chrome and click on the bigip1 bookmark.

  2. Log in to bigip1.f5lab.local

    • User: admin
    • Password: admin
  3. Navigate to Access –> Connectivity/VPN –> Network Access (VPN) –> Network Access Lists

  4. Click the vpn-lab01-vpn network access resource

  5. Click on the Network Settings tab

  6. We are using the vpn-lab01-vpn_pool lease pool

  7. Split tunneling is enabled, so only traffic destined for the internal network is sent through the VPN tunnel

    Note

    For the purposes of this lab we are only going to use a single IP address for the lease pool. In a production environment, size this range for the number of concurrent VPN users you expect.

  8. Navigate to Access –> Connectivity/VPN –> Connectivity –> Profiles

  9. Click on vpn-lab01-cp then scroll to the bottom and click Edit

  10. Profile name is /Common/vpn-lab01-cp and Parent Profile /Common/connectivity

  11. Click OK

  12. Navigate to Access –> Webtops –> Webtop Sections

  13. Click vpn-lab01-network_access

  14. Navigate to Access –> Webtops –> Webtop Lists

  15. Click vpn-lab01-webtop

  16. This webtop is of type Full and uses the Modern customization type.

Task 2 - SAML Auth objects

Note

For the lab the objects needed in Azure AD have already been created for the Azure Tenant. For complete instructions on integrating Azure AD with SAML to APM SSL-VPN see: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/f5-aad-password-less-vpn

  1. Navigate to Access –> Federation –> SAML Service Provider –> Local SP Services

  2. Click Create from the far right

  3. Give the local SP service a name and identify the entity ID

    Note

    The Entity ID is the fully qualified domain name (FQDN) of your application. This is the FQDN that was configured in the Azure Portal, and it is the FQDN users will use to reach the application, in this case the VPN.

    Name: AAD_VPN_SP
    Entity ID: https://sp.acme.com
    Host: sp.acme.com
  4. Click OK

  5. From the drop down menu under SAML Service Provider select External IDP Connector

  6. Click on the drop down next to Create button and choose From Metadata

  7. Click Browse and choose the sp.acme.com.xml file

  8. Click Open

  9. Name this object AAD_SAML_IDP and click OK

  10. Click on the drop down menu for SAML Service Provider and select Local SP Services

  11. Select the checkbox next to the AAD_VPN_SP object and click Bind/Unbind IdP Connector at the bottom of the screen (you may need to scroll down)

  12. Click Add New Row and select AAD_SAML_IDP

  13. Click Update

  14. Click OK

Task 3 - Per Session Access Policy

  1. Navigate to Access –> Profiles/Policies –> Access Profiles (Per-Session Policies)

  2. Click Create to create a new per session policy for VPN

    Name: vpn-lab02-psp
    Profile Type: All
    Customization Type: Modern
  3. Scroll to the bottom, select English in the right-hand language list, move it to the left, and click Finished

  4. Locate profile vpn-lab02-psp and click on Edit. This opens the Visual Policy Editor (VPE) and we can take a look at the policy

  5. Click the + between Start and Deny

  6. Click on the Authentication tab, scroll to SAML Auth and click Add Item

  7. Click the drop down next to AAA Server and choose /Common/AAD_VPN_SP then click Save

  8. Click the + between SAML Auth and Deny on the Successful branch

  9. Click the Assignment tab and choose Advanced Resource Assign then Add Item

  10. Click the Add new entry button, then the Add/Delete link

  11. Click the Network Access tab and choose the network access object, then the Webtop tab and choose the webtop, then the Webtop Sections tab and choose the webtop section (the objects reviewed in Task 1).

  12. Click Update

  13. Click Save

  14. Click the Deny ending on the fallback branch from Advanced Resource Assign. Choose Allow and click Save

  15. Click Apply Access Policy
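
The SAML Auth agent only takes its Successful branch after APM has validated the assertion it received from the IdP; the branch is what gates the resource assignment and the Allow ending configured above. The script below is an added illustration of the condition checks a SAML service provider applies to a bearer assertion, written for this lab and not taken from APM's implementation: the Issuer must be the bound IdP, the Audience must be the SP Entity ID from Task 2 (https://sp.acme.com), the Recipient must be the SP's assertion consumer URL, the InResponseTo must match an AuthnRequest the SP actually sent, and the validity window must contain the current time. Signature verification is deliberately left out because the Python standard library has no XML-DSig support; a real SP verifies the signature before any of these checks. The assertion text, the IdP entity ID and the ACS path /saml/sp/profile/post/acs are constructed or assumed for the example, and the fixed clock value lets the checks run offline.

```python
"""Condition checks an SP performs on a SAML assertion. Added example, not APM code;
the assertion and identifiers below are constructed, and no signature is verified."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SP_ENTITY_ID = "https://sp.acme.com"                          # Entity ID from Task 2
SP_ACS_URL = "https://sp.acme.com/saml/sp/profile/post/acs"   # assumed ACS path for the example
IDP_ENTITY_ID = "https://idp.example.invalid/tenant-id-placeholder/"  # constructed

# Constructed assertion, not a real token; timestamps are chosen around FIXED_NOW.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" IssueInstant="2024-01-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example.invalid/tenant-id-placeholder/</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user1@f5access.onmicrosoft.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="https://sp.acme.com/saml/sp/profile/post/acs" InResponseTo="_req-1"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.acme.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

FIXED_NOW = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)


def _ts(value):
    """Parse the UTC timestamp form used in SAML attributes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_request_id, now=None, skew=timedelta(seconds=60)):
    """Return the list of reasons to reject the assertion; an empty list means accept."""
    now = now or datetime.now(timezone.utc)
    assertion = ET.fromstring(xml_text)
    failures = []

    issuer = assertion.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer != IDP_ENTITY_ID:
        failures.append("issuer %r is not the bound IdP connector" % issuer)

    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if SP_ENTITY_ID not in audiences:
        # An assertion minted for another SP must not log a user in here.
        failures.append("audience %r does not include the SP entity ID" % audiences)

    conditions = assertion.find("saml:Conditions", SAML_NS)
    if conditions is None:
        failures.append("no Conditions element")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now + skew < _ts(not_before):
            failures.append("assertion is not yet valid")
        if not_on_or_after and now - skew >= _ts(not_on_or_after):
            failures.append("assertion has expired")

    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if scd is None:
        failures.append("no SubjectConfirmationData for the bearer subject")
    else:
        if scd.get("Recipient") != SP_ACS_URL:
            failures.append("recipient %r is not this SP's ACS URL" % scd.get("Recipient"))
        if scd.get("InResponseTo") != expected_request_id:
            # Ties the assertion to an AuthnRequest this SP issued (blocks replay of a stray one).
            failures.append("InResponseTo %r does not match the pending request" % scd.get("InResponseTo"))
        scd_expiry = scd.get("NotOnOrAfter")
        if scd_expiry and now - skew >= _ts(scd_expiry):
            failures.append("subject confirmation has expired")
    return failures


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "_req-1", now=FIXED_NOW))
    late = FIXED_NOW + timedelta(minutes=10)
    print(check_assertion(SAMPLE_ASSERTION, "_req-1", now=late))
```

When a user lands on the Deny ending instead of the webtop, these are the conditions to compare against the APM session log: a clock that is off by more than the allowed skew or an Entity ID that does not match the Audience the IdP was configured with are the usual causes.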

Task 4 - Apply Policy and profiles to Virtual Server

  1. Navigate to Local Traffic –> Virtual Servers –> Virtual Server List

  2. From the Partition menu in the upper right choose vpn-lab01

  3. Click on vpn-lab01 Virtual Server

  4. Scroll down to the Access Policy section

  5. Select the vpn-lab02-psp from the Access Profile drop down menu

  6. Click the Connectivity Profile drop down and choose vpn-lab01-cp from the menu

  7. Scroll down and click Update

Task 5 - Test VPN Access

  1. The user connects to https://sp.acme.com and signs in with the following credentials

    Username: user1@f5access.onmicrosoft.com
    Password: F5twister$

  2. Click Next, enter the password, click Sign in, then click Yes

  3. Once authenticated the user is presented a Webtop with a single VPN icon.

  4. Assuming the VPN client has already been installed, the user is notified that the client is attempting to start

    Note

    You may be prompted to download the VPN update. This is what a user will experience if you have auto-update enabled in the VPN Connectivity Profile. Click Download and wait for the components to update.

  5. A popup opens displaying the status of the VPN connection. The status will eventually become Connected

    Note

    If you lose the pop-up, look in the system tray for the small red ball icon. Right-click it and choose Restore.

  6. Click Disconnect