Transcription
F5 Technical BriefSecure iPhone Access toCorporate Web ApplicationsThe way corporations operate around mobile devices iscurrently shifting—employees are starting to use theirown devices for business purposes, rather than companyowned devices. With no direct control of the endpoints,IT departments have generally had to prohibit this or riskinsecure access inside the firewall. But as more mobiledevices appear on the corporate network, mobile devicemanagement has become a key IT initiative.by Peter SilvaTechnical Marketing Manager, Security
Technical BriefSecure iPhone Access to Corporate Web ApplicationsContentsIntroduction3Getting Down to Business3iPhone and BIG-IP4The F5 BIG-IP Edge Apps4Conclusion9References102
Technical BriefSecure iPhone Access to Corporate Web ApplicationsIntroductionMobile devices have become computers in their own right, with a huge arrayof applications, significant processing capacity, and the ability to handle highbandwidth connections. They are the primary communications device for many, forboth personal and business purposes.Many IT executives are planning to make internal business applications available toemployees from their smartphones or mobile devices. This goes beyond email andincludes CRM applications, ERP systems, and even proprietary in-house applications.Because personal mobile devices are so prevalent, many organizations are movingfrom corporate ownership of devices to allowing employees to use their owndevices for business purposes. Some companies view this as a cost-saving measure,but identifying these personal devices as legitimate endpoints is still a challenge,especially when it comes to security and compliance. In addition to smartphones,tablet devices like the Apple iPad and a whole new array of computing devices arerequesting access to corporate resources.The 2007 launch of the iPhone changed the way people perceive and use mobiledevices. The iPhone isn’t just for the tech-savvy—parents, celebrities, retailers, andeveryone in between love to use the iPhone for personal purposes and for work.The first iPhone was missing a few important features that would have made it abusiness-capable device. But as new generations hit the market and iOS matured,the iPhone became a viable business device. iOS 4 is compatible with MicrosoftExchange ActiveSync accounts and Exchange Server, so users can configure multipleemail accounts for secure access on their iPhones. Business apps like Documents ToGo enable iPhone users to not only view Microsoft Word and Excel documents, butto create and edit them as well. Companies like Salesforce, SAP, and Oracle havereleased general business apps and business intelligence and HR apps.Mobile Worforce IncreasingAccording to IDC, the worldwidemobile worker population is setto increase from 919.4 million in2008, accounting for 29% of theworldwide workforce, to 1.19billion in 2013, accounting for34.9% of the workforce1.Getting Down to BusinessIT infrastructure and helpdesk staff have been inundated with requests to supportboth managed and unmanaged Apple iPads and iPhones in the corporateenvironment. With no direct control of the endpoints, IT has had to turn theserequests away to avoid risking insecure access inside the firewall. Mobile devices,personal or not, have always presented a challenge to IT. Provisioning a mobiledevice and determining which applications and services are allowed/enabled can bedaunting. Despite impressive computing power, a mobile device is not a opsis.jsp?containerId 221309§ionId null&elementId null&pageType SYNOPSIS3
Technical BriefSecure iPhone Access to Corporate Web Applicationslaptop or desktop and functionality can differ greatly. Even capabilities among thevarious mobile devices differ based on make, model, and OS. Many IT organizationshave solved some of their security and compliance issues and now allow personalhome computers to access business resources; providing access to personal mobiledevices is the next piece of the puzzle.Technologies like SSL VPN have made it easier for organizations to inspect the host,know its security posture, and allow a certain level of access based on those checks.With mobile platforms, it can be hard to determine if the latest patches are up todate, if it is free of malware, if it is free of otherwise unauthorized programs, andif it abides by the corporate access policy. Different security policies may apply tomobile computing devices than to traditional devices. Can the corporation disablethe personal device if it is compromised and contains sensitive information?If VPN access is allowed, IT must ensure the authentication and authorizationmechanisms are configured properly. There may also be issues with usage tracking,license compliance, and session persistence as users roam among various mobilenetworks. Many companies also use portals, proxies, and IDS/IPS to control access.Even GPS data could pose a risk to an organization, especially for governmentand military deployments. Increased network traffic also needs to be monitored.As more employee-owned mobile devices appear on the corporate network, ITdepartments must make mobile device management a key initiative.iPhone and BIG-IPBusiness users are increasingly looking to take advantage of Apple iOS devices inthe corporate environment, and accordingly, IT organizations are looking for waysto allow access without compromising security or losing endpoint control. ManyIT departments that have been slow to accept the iPhone are now looking for aremote access solution to balance the need for mobile access and user productivitywith the ability to keep corporate resources secure.The F5 BIG-IP Edge AppsF5 has created two apps for the iPhone and iPad: F5 BIG-IP Edge Portal andBIG-IP Edge Client .4
Technical BriefSecure iPhone Access to Corporate Web ApplicationsThe BIG-IP Edge PortalThe BIG-IP Edge Portal app for iOS devices streamlines secure mobile access tocorporate web applications that reside behind BIG-IP Access Policy Manager (APM),BIG-IP Edge Gateway , and FirePass SSL VPN solution. With the BIG-IP Edge Portalapp, users can access internal web pages and web applications securely.BIG-IP Edge Portal, in combination with customers’ existing BIG-IP Edge Gatewayand BIG-IP APM or FirePass SSL VPN solutions, provides portal access to internalweb applications such as intranet sites, wikis, and Microsoft SharePoint. This portalaccess provides a launchpad that IT administrators can use to allow mobile accessto specific web resources, but without risking full network access connections fromunmanaged, unknown devices. iPhone users can sync their email, calendar, andcontacts directly to the corporate Microsoft Exchange Server via FirePass and theActiveSync protocol. This solution also enables corporate IT to grant secure iPhoneand iPad access to web-based resources.IT administrators can also create and manage layer 7 access control lists (ACLs) tolimit access to certain resources. For instance, administrators can specifically createwhite lists or blacklists of sites that users can access. Administrators can even specifya particular path within a web application like /contractors or /partners. Based onthe device check and the authenticated user group, that device would only be ableto navigate to those assigned resource paths. Even if a contractor happens to guessthe partner path, if he or she tries to navigate to it, access is denied. Administratorscan also configure BIG-IP Edge Gateway to provide and push policies to the client,such as allowing a user to save credentials on the device.If the system is configured to require a client certificate, users can add it from aweb location or through iTunes. Users can add bookmarks to save sites they wantto connect to again and specify a keyword to open a page. For example, users canspecify the keyword “intra” to go to the company’s intranet page. If users specify akeyword when they bookmark a site, they can later launch that bookmark by typingthe keyword in the BIG-IP Edge Portal address bar.The BIG-IP Edge Portal app allows users to access internal web applications securelyand offers the following features: User name/password authentication Client certificate support Saving credentials and sessions5
Technical BriefSecure iPhone Access to Corporate Web Applications SSO capability with BIG-IP APM for various corporate web applications Saving local bookmarks and favorites Accessing bookmarks with keywords Embedded web viewer Display of all file types supported by native Mobile SafariThe F5 BIG-IP Edge ClientAssuming an iPhone is a trusted device and/or network access from an iPhone/iPadis allowed, then the BIG-IP Edge Client app offers all the BIG-IP Edge Portal featureslisted above, plus the ability to create an encrypted, optimized SSL VPN tunnel to thecorporate network. BIG-IP Edge Client offers a complete network access connectionto corporate resources from an iOS device—a comprehensive VPN solution for boththe iPhone and iPad. With full VPN access, iPhone/iPad users can run applicationssuch as RDP, SSH, Citrix, VMware View, VoIP/SIP, and other enterprise applications.BIG-IP Edge Client and Edge Portal work in tandem with BIG-IP Edge Gateway andFirePass SSL VPN solutions to drive managed access to corporate resources andapplications, and to centralize application access control for mobile users. Enablingaccess to corporate resources is key to user productivity, which is central to F5’sdynamic services model that delivers on-demand IT.Figure 1: BIG-IP Edge Portal on Apple iPhone6
Technical BriefSecure iPhone Access to Corporate Web ApplicationsA VPN connection can be user-initiated, either explicitly through BIG-IP EdgeClient or implicitly through iOS’s VPN On Demand functionality. For example,administrators can configure a connection to be automatically triggered whenevera certain domain or host name pattern is matched. VPN On Demand configurationis allowed if the client certificate authentication type is used. A user name andpassword can be used along with the client certificate, but they are optional. Nouser intervention is necessary for connections initiated by VPN On Demand (forexample, a connection will fail if a password is not supplied in the configuration butis needed for authentication).The BIG-IP Edge Gateway controller optimizes and accelerates client traffic betweengateways and data centers. With the addition of the BIG-IP Edge Client app, thatoptimization is extended to the iOS device, improving mobile user performancewith accelerated client access. BIG-IP Edge Client, when used in tandem with BIG-IPEdge Gateway, provides secure and optimized application access to iOS devices. Ifa user is on a high-latency mobile network and needs to download a file from thecorporate infrastructure, the unique, adaptable compression algorithms ensure thefile arrives quickly. Now users experience secure LAN-like performance, even whenthey are mobile.Like the BIG-IP Edge Portal app, BIG-IP Edge Client also adheres to the ACLs limitingaccess to certain resources, as well as access polices defined by the administratorlike credential caching. For BIG-IP Edge Client, administrators can create both layer7 and layer 3/4 ACLs. Even if the iPhone is a trusted device and IT has allowednetwork access from that device, IT might still want to restrict those users to certainsubnets within the infrastructure based on organization, role, or other criteria.If there are compliance requirements for corporate access and when user accessand application logging is required, BIG-IP APM and BIG-IP Edge Gateway providedetailed logging and accounting, so IT can meet regulatory requirements even whenapplications are accessed from unmanaged devices not owned by IT.Policy and access management are created and controlled by F5’s unique VisualPolicy Editor (VPE). Using the advanced VPE, administrators can easily create secure,granular access control policies on an individual or group basis. The flowchart-likeGUI gives administrators point-and-click control to seamlessly add iPhone and iPaddevices to an existing system or to create a new macro policy exclusively for iOSdevices.7
Technical BriefSecure iPhone Access to Corporate Web ApplicationsFigure 2: BIG-IP Edge Portal configuration page on Apple iPhoneThe BIG-IP Edge Client app offers additional features such as Smart Reconnect,which enhances mobility when there are network outages, when users roamingfrom one network to another (like going from a mobile to Wi-Fi connection),or when a device comes out of hibernate/standby mode. Split tunneling modeis also supported, allowing users to access the Internet and internal resourcessimultaneously.Figure 3: BIG-IP Edge Client on Apple iPad8
Technical BriefSecure iPhone Access to Corporate Web ApplicationsUsers can easily add any of their corporate BIG-IP access controllers (BIG-IP APM,Edge Gateway) or FirePass SSL VPN as a secure gateway on their iOS device. A usersimply starts BIG-IP Edge Client and in the Server field, types the IP address or fullyqualified domain name of a FirePass SSL VPN controller, a BIG-IP APM, or BIG-IPEdge Gateway. They can also type a name for this server in the Description field tomake it easier to locate. To minimize helpdesk calls, adding user credentials is aseasy as typing the user name and password, and then clicking Save and Done.ConclusionThe BIG-IP Edge Portal app for iOS devices provides simple, streamlined access toweb applications that reside behind BIG-IP APM, without requiring full VPN access,to simplify login for users and provide a new layer of control for administrators.Using BIG-IP Edge Portal, users can access internal web pages and web applicationssecurely, and administrators can seamlessly add iPhone and iPad mobile devicemanagement to their already existing BIG-IP infrastructure.The BIG-IP Edge Client app provides not only full SSL VPN access from iPhones andiPads, but also accelerated application performance when it’s used with BIG-IP EdgeGateway. Administrators can maintain granular control with F5’s Visual Policy Editor,and users experience fast downloads and quick web access with the integratedoptimization and acceleration technologies built into BIG-IP Edge Gateway. ITno longer has to provision and manage multiple units to ensure their corporateapplications are available, fast, and secure to iPhone and iPad users.9
Technical BriefSecure iPhone Access to Corporate Web ApplicationsReferencesiPhone in BusinessF5 BIG-IP Edge Client Users GuideF5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119F5 Networks, Inc.Corporate [email protected] [email protected] Networks .comF5 NetworksJapan [email protected] 2010 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, BIG‑IP, FirePass, iControl, TMOS, and VIPRION are trademarksor registered trademarks of F5 Networks, Inc. in the U.S. and in certain other countries.PME10002-JORJ
Secure iPhone Access to . and Microsoft SharePoint. This portal access provides a launchpad that IT administrators can use to allow mobile access to specific web resources, but without risking full network access connections from unmanaged, unknown devices. iPhone users can sync their email, calendar, and contacts directly to the corporate .
