Lab 2: Deploy PUA Alternate Webtop

Overview

In this lab, we will focus on configuring and testing an ALT webtop with F5 APM (Access Policy Manager).

The ALT webtop creates a single tile (webtop link) that launches a portal containing more endpoints, specified in a .csv configuration file. This allows us to configure multiple endpoints faster and more efficiently.

We will also leverage the Smartcard Client Authentication (created in Lab 1) for authentication to the webtop.

We will begin the lab by adding the .csv file as a resource and deploying the ALT webtop. Next, we will update the Access Policy to add the new ALT webtop tile (webtop link) to the webtop.

This lab will conclude with testing and validating user access.

Expected time to complete: 15 minutes

Note

This is an add-on playbook that works with an existing PUA deployment (such as Lab 1: Deploy PUA with Client Certificate Authentication).

Add PUA Ressources

Task 1 - Add Ressource

  1. In the PUA UI, click Ressources in the left-hand navigation bar and, in the main panel, click the Add Ressource button.

    image_chrome_pua_ressources

  2. In the resulting window, click the Choose File button.

    image_chrome_pua_add_ressource

  3. In the File Explorer window, under This PC, select Desktop and double-click PUA LabFiles.

    image_chrome_pua_add_ressource_filebrowser

  4. Select pua.csv file and click Open

    image_chrome_pua_add_ressource_csv

  5. Click Upload

    image_chrome_pua_add_ressource_upload

  6. Confirm pua.csv is listed in the Ressources table.

    image_chrome_pua_add_ressource_csv_success

Warning

If you don’t see pua.csv in the PUA UI Ressources, go back to Task 1 - Add Ressource.

Deploy PUA ALT Webtop

Task 1 - Add Deployment

  1. In the PUA UI, click Deployments in the left-hand navigation bar and, in the main panel, click the Add Deployment button.

    image_chrome_pua_deployments

  2. In the resulting window, enter the following data:

  • Add Deployment
    • Name : alt_webtop
    • Device IP/Hostname : 10.1.1.4
    • Playbook: ALT WEBTOP

image_chrome_pua_add_deployment_alt_webtop

Task 2 - Enter Deployment details

  1. When the ALT WEBTOP playbook is selected, the editor values are updated to show the following inputs (enter the associated values as specified below):
  • Add Deployment
    • CSV Ressource File: pua.csv

image_chrome_pua_add_deployment_alt_webtop_details

Note

You can also switch to Raw JSON input and paste this JSON object to get the input fields populated.

image_chrome_pua_add_deployment_raw

{
   "name": "alt_webtop",
   "device_ip": "10.1.1.4",
   "forceDeploy": false,
   "configuration": {
      "playbook": "ALT WEBTOP",
      "user_input": {
         "CSV_RESOURCE_FILE": "pua.csv"
      }
   }
}

Task 3 - Review Deployment details and Deploy

  1. Review the deployment details and click Deploy.

    image_chrome_pua_add_deployment_alt_webtop_raw

Task 4 - Track Deployment progress

If you go back to the PUA Deploy Agent WebSSH tab in your local browser, you should see the logs generated by the deployment of the PUA ALT WEBTOP Playbook.

  1. Confirm that the deployment is successful by looking for the "Playbook deployed successfully" log entry.

    image_pua_webshell_docker_logs_deployment_alt_webtop

  2. Confirm that alt_webtop is listed in the PUA UI Deployments.

    image_chrome_pua_add_deployment_alt_webtop_success

Warning

If you don’t see "Playbook deployed successfully" in the logs and alt_webtop does not appear in the PUA UI Deployments, go back to Task 2 - Enter Deployment details.

Connect PUA Alternate Webtop to PUA Smartcard

Task 1 - Access BIG-IP 1

Access BIG-IP 1 TMUI

  1. Click ACCESS next to big-ip1

  2. Select TMUI from the list

    image_udf_bigip1_access

  3. In the new browser tab, log in with the following credentials:

    • User: admin
    • Password: admin

    image_bigip1_tmui_login_details

Task 2 - Edit PUA Smartcard Access Policy

  1. Navigate to Access, Profiles/Policies.

    image_bigip1_tmui_access_profiles_policies

  2. Click the Edit link for the pua_smartcard Access Profile to open the Visual Policy Editor.

    image_bigip1_tmui_access_profiles

Task 4 - Apply Access Policy

  1. Click Apply Access Policy

image_bigip1_tmui_access_profiles_pua_smartcard_ressources_apply

Warning

Don’t forget to click on Apply Access Policy.

Test PUA ALT Webtop

Task 1 - Access PUA Webtop as user1

  1. Right-click on the PUA Webtop bookmark and click Open in Incognito window

    image_chrome_incognito_pua_webtop

  2. Select the certificate associated with User1 in the Select a certificate dialog box and click OK.

    image_chrome_incognito_pua_webtop_user1_cert

  3. Click Click here to continue

    image_chrome_incognito_pua_webtop_banner

  4. The Alternate Webtop link should now be listed in the Applications and Links section of the Webtop.

    image_chrome_incognito_pua_webtop_links_alt_webtop

Task 2 - Validate user1 Access

  1. In the Applications and Links section of the Webtop

    • Click on alt_webtoplink to launch the updated Privileged User Access Web Application.

      image_chrome_incognito_pua_webtop_user1_altwebtop

    • Click on the >_ icon of bigip15 and observe the username at the bottom left corner

      image_chrome_incognito_pua_webtop_user1_altwebtop_bigip15_arrow

      image_chrome_incognito_pua_webtop_user1_altwebtop_bigip15

    • Click on the >_ icon of bigip17 and observe the username at the bottom left corner

      image_chrome_incognito_pua_webtop_user1_altwebtop_bigip17_arrow

      image_chrome_incognito_pua_webtop_user1_altwebtop_bigip17

Warning

Close the Incognito window before going to the next task.

Delete PUA Smartcard

Task 1 - Delete Deployment

  1. In the PUA UI, click Deployments in the left-hand navigation bar, then in the main panel:

    • tick the checkbox beside pua_smartcard and
    • click the Delete button.

    image_chrome_pua_delete_deployment_smartcard

  2. Click Confirm.

    image_chrome_pua_delete_deployment_smartcard_confirm

  3. After a few moments, the pua_smartcard deployment should have been deleted successfully.

    image_chrome_pua_delete_deployment_smartcard_success

Attention

The PUA Smartcard deployment needs to be deleted before going to the next lab.

image_end_of_lab