Zero Trust with F5 BIG-IP APM, SSLO & WAF

The basic premise of this use case is that an SSL Orchestrator security policy is built on top of a set of "stateless" Access per-session and per-request policies. Access Policy Manager (APM) is the module you use on a BIG-IP to perform client authentication, and this requires "stateful" per-session and per-request policies. Therefore, as an application virtual server can only contain ONE access policy, the APM and SSL Orchestrator policies cannot coexist. In other words, you cannot add APM authentication to an SSL Orchestrator virtual server (or SSL Orchestrator security policy to an APM virtual server). SSL Orchestrator technically allows for authentication in outbound (forward proxy) topologies, because the explicit or transparent forward proxy authentication policy does not sit on the same virtual server as the SSL Orchestrator security policy.

There are fundamentally two ways to address this challenge:

• Layering virtual servers - often referred to as "VIP targeting", or "VIP-target-VIP", this is where one (external) virtual server uses an iRule command to push traffic to another internal virtual server. This is the simple approach. You put your authentication policy and client-side SSL offload on the external virtual, and an iRule to do the VIP targeting. The targeted internal virtual contains the SSL Orchestrator security policies, the application server pool, and optionally server SSL if you need to re-encrypt.
• Connector profile - a connector profile is a proxy element that was added to BIG-IP in 14.1, and that inserts itself in the client-side proxy flow after layer 5/6 (SSL decryption) and before layer 7 (HTTP). The connector is flow-based, so can be assigned once at flow initiation. Essentially, the connector can "tee" traffic out of the original proxy flow, and then back. The connector itself points to an internal virtual server that can perform any number of functions before returning back to the original proxy flow.

Having the power of F5 Access Policy Manager (APM) as an Identity Aware Proxy and F5 SSLO allows to have a flexible organization-wide secure access layer.

In this lab we are going to assume company ABC need to have different SSLO topologies for different organzation functions,

• User Authenticate through F5 APM.
• F5 APM then query user identity to fetch its group.
• Then F5 APM assigns the proper pool (SSLO Topology Pool) to this user (or Group).

In this lab we will walk you through the BIG-IP Configuration steps which covers the following:

• Configure SSL Orchestrator
• Creating Virtual server in SSL Orchestrator
• Checking access policy in SSL Orchestrator
• Configure APM Virtual Server
• Test the lab

1 x Ubuntu Virtual Machines (v18.0.4)

1 x F5 BIG-IP (v16.0.1) [APM]

1 x F5 BIG-IP (v17.1) [SSLO]

1 X Windows AD Server