Forum Discussion

Binoy_185523
Feb 03, 2015

APM - AD integration

Dear All,

I'm new to F5 products and technology and am trying to get some input on the scenario below. I'm planning to host an application in the cloud, and I expect around 1000 organizations to use my application, with 5 to 10 users from each organization using it.

These users will be coming to my web server through the internet. What is the best way to authenticate these users? This application is in a Windows environment and in a domain. Now my queries are below.

  1. Can I create the usernames and passwords for these users (coming through the internet) in my AD and, through APM, provide the login page with the credentials verified in the AD? Is this possible? Are any specific settings required on the AD side if I have an AD cluster?

  2. Our application is accessible through a browser. Are any additional settings required in the end user's browser? We have no idea about the end user environment; they may have their own AD, and some of them may not.

  3. If I have to offload SSL and terminate it on the BIG-IP LTM, should I buy the SSL certificate for the expected number of concurrent users, do the configuration and upload the certificate to the LTM?

Appreciate your guidance. BS

 

2 Replies

  • First of all, if you plan this for something like 5,000 to 10,000 users you might look into getting an F5 partner who can help you out with this. Doing this by yourself for the first time might be quite a challenge and lead to suboptimal results.

    As for your questions:

    1) Sure, you can add them to your AD (wouldn't be my first choice for web page auth) and auth against that AD. For a cluster you can add several AAA servers in the APM. In general no specific config on the AD is needed.

    2) If you are going to do authentication with a logon page where the user has to enter their username and password, and after authentication allow access to your web application, then the client / browser needs nothing special.

    3) You don't buy SSL certificates based on concurrent users; you just buy one for a number of years. And yes, you want to do this, because otherwise your users will get a nasty warning message.

    The APM itself is licensed on concurrent users, so be sure to think about this well and choose the correct appliance.


  • The general idea is this: the user tries to log in to your application via a browser. The BIG-IP with APM sits in front of your application. The APM sees this access attempt and shows a logon page. There the user enters their username and password manually. After these are validated, the traffic is sent through to your application. I assume your application doesn't do anything with authentication itself, so the single sign-on question is kind of unclear.

    In this case you would use the APM+LTM model, where things like webtops and such aren't used. You just add your application web server to a pool, attach it to a virtual server (both BIG-IP terms) and add the authentication, which when successful simply allows access.
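A tmsh sketch of the APM+LTM layout described in this reply (AD as the credential store, the web server in a pool, a virtual server terminating HTTPS with the one purchased certificate, and the access profile attached). This is an added example, not configuration from either reply: every name, address and file name is a constructed placeholder, the access profile `ap_app` is assumed to have been built in the Visual Policy Editor as Logon Page -> AD Auth -> Allow, and the `apm aaa active-directory` attribute names are given from memory and should be checked against the tmsh reference for your version.

```tmsh
# Added example (not from the thread). Run from the tmsh shell; all
# names, IPs and file names below are constructed placeholders.

# 1. AD as the credential store: one AAA object per domain controller
#    (the first reply notes you can add several for a cluster).
#    Attribute names are assumed; check "help apm aaa active-directory".
create apm aaa active-directory ad_dc1 domain corp.example.com admin-name svc_apm admin-encrypted-password <encrypted-placeholder>

# 2. Pool holding the application web server behind the BIG-IP
create ltm pool pool_app members add { 10.10.20.11:80 } monitor http

# 3. Client-side SSL: the single purchased certificate and its key,
#    already imported into the BIG-IP certificate store, terminate
#    HTTPS here; no per-user certificate is involved
create ltm profile client-ssl clientssl_app defaults-from clientssl cert app.example.com.crt key app.example.com.key

# 4. HTTPS virtual server that users on the internet connect to
create ltm virtual vs_app destination 203.0.113.10:443 ip-protocol tcp profiles add { http { } clientssl_app { context clientside } } pool pool_app source-address-translation { type automap }

# 5. Attach the access profile built in the Visual Policy Editor
#    (Logon Page -> AD Auth against ad_dc1 -> Allow). Unauthenticated
#    requests get the logon page; successful ones pass to pool_app.
modify ltm virtual vs_app profiles add { ap_app { } }

# 6. Plain HTTP on the same address: redirect to HTTPS with the
#    built-in iRule so nobody submits credentials in the clear
create ltm virtual vs_app_redirect destination 203.0.113.10:80 ip-protocol tcp profiles add { http { } } rules { _sys_https_redirect }

save sys config
```

Nothing in this layout touches the end user's browser or their own AD; the only identity store consulted is the AD object referenced by the access policy.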