Merge pull request #20 from f5devcentral/dev

SSL VPN lab

docs/class1/module1/lab3.rst

@@ -4,14 +4,16 @@ Lab 1.3 - Test Application
 Test Connectivity to the Application
 ************************************
 
-1. In a new Chrome browser window type the following URL: https://signed.example.com
+1. Open an RDP session to Windows-Client-Testing VM
+
+2. In a new Firefox browser window type the following URL: https://signed.example.com
 
 You may get a security warning **Your Connection is Not Private**, this is because we're using a self-signed certificate. It is safe to proceed. 
 
 .. image:: images/lab4-warn.png
     :width: 600 px
 
-2. When prompted for Okta authentication enter the following username/password: user1/user1
+3. When prompted for Okta authentication enter the following username/password: user1/user1
 
 .. image:: images/lab4-logon.png
     :width: 600 px

docs/class1/module2/lab4.rst

@@ -4,14 +4,16 @@ Lab 2.4 - Test Application
 Test Connectivity to the Application
 ************************************
 
-1. Open a new Chrome browser or tab and type: https://mbip-1.f5access.onmicrosoft.com 
+1. Open an RDP session to Windows-Client-Testing VM
+
+2. Open a new Firefox browser or tab and type: https://mbip-1.f5access.onmicrosoft.com 
 
 You may get a security warning **Your Connection is Not Private**, this is because we're using a self-signed certificate. It is safe to proceed. 
 
 .. image:: images/lab2-loginwin.png
     :width: 600 px
 
-2. Log in with the following username/password: 
+3. Log in with the following username/password: 
 - **username:** [email protected]
 - **password:** user
 

docs/class1/module3/lab3.rst

@@ -16,18 +16,12 @@ Creating an application and assign an Access policy to the application
 
 3. Click on **Start Adding Apps** button to create an Application.
 
-.. image:: images/lab3-addapp.png
-    :width: 600 px
-
 4. In the **Add Application** screen, set the following parameters:
 
 - In **Application Service Name** type: *cert_app*
 - Under **What kind of Application Service are you creating?**: select Standard
 - Click on **Start Creating** button
 
-.. image:: images/lab3-createapp1.png
-    :width: 600 px
-
 5. In the Application Services Properties, click **Start Creating**.
 
 .. image:: images/lab3-createapp2.png

docs/class1/module3/lab4.rst

@@ -4,11 +4,13 @@ Lab 3.4 - Test Application
 Test Connectivity to Application
 ********************************
 
-1. Open a new Firefox browser or tab and type: https://client-cert.example.com
+1. Open an RDP session to Windows-Client-Testing VM
 
-2. You will get a pop up to Select a user certificate pop in the browser, select the user-cert certificate , click **Ok**. 
+2. Open a new Firefox browser or tab and type: https://client-cert.example.com
 
-3. You should see the F5 Demo App after a successful login. 
+3. You will get a pop up to Select a user certificate pop in the browser, select the user-cert certificate , click **Ok**. 
+
+4. You should see the F5 Demo App after a successful login. 
 
 .. image:: images/lab3-end.png
     :width: 600 px

docs/class1/module4/lab1.rst

@@ -1,2 +1,40 @@
-Lab 2.1 - Create DNS Resolver
+Lab 4.1 - Create DNS Resolver
 #############################
+
+.. note:: If you already ran through the Lab 2 - SAML Azure authentication with Kerberos SSO, you can skip this section of the lab. The DNS resolver is already created.
+
+
+1. Access **BIG-IP Next Central Manager** if you're not already logged in.
+
+.. image:: images/lab2-cmlogin.png
+    :width: 600 px
+
+2. Click on the Workspace icon and select Infrastructure
+
+.. image:: images/lab2-infrastructure.png
+    :width: 600 px
+
+3. In the My Instances dashboard, click on *big-ip-next-03.example.com* instance.
+
+.. image:: images/lab2-myinstances.png
+    :width: 600 px
+
+4. This will open the Instance Settings screen. On the left side, click on **Routing & Forwarding**. Click on **Default** VRF. 
+
+.. image:: images/lab2-routingforwarding.png
+    :width: 600 px
+
+5. Enable **DNS Resolver** and add a new entry
+
+* Name : global_f5_internal_net_resolver
+* Forward Zone : create a new zone
+
+  * forwardZone : . <- this is a period or single dot
+  * nameserver : 10.1.1.6:53
+
+.. image:: images/lab2-dnsresolver.png
+    :width: 600 px
+
+9. Click **Save** and **Save**, and then click **Cancel & Exit** to exit out of the Instance Setting screen.
+
+This ends this section of the lab, onto the next. 

docs/class1/module4/lab2.rst

@@ -1,2 +1,3 @@
-Lab 2.2 - Create an Access Security Policy
+Lab 4.2 - Create an Access Security Policy
 ##########################################
+

docs/class1/module4/lab3.rst

@@ -1,2 +1,2 @@
-Lab 2.3 - Create an Application
+Lab 4.3 - Create an Application
 ###############################

docs/class1/module4/lab4.rst

@@ -1,2 +1,2 @@
-Lab 2.4 - Test Application
+Lab 4.4 - Test Application
 ##########################

docs/class1/module4/module4.rst

@@ -1,8 +1,17 @@
 Lab 4 - OIDC Azure authentication with Kerberos SSO (under construction)
 ########################################################################
 
-DO NOT RYN THROUGH THIS LAB
+DO NOT RUN THIS LAB !!!!!
 
+Estimate time to complete: 20 minutes.
+
+In this lab we will explore how to setup Oauth OIDC authentication with EntraID (Azure AD) 
+
+**Learning Objectives:**
+
+- Create Policy via Visual Policy Designer (VPD).  
+- Assign Flows and rules to the policy.  
+- Create Application and associate it with policy
 
 .. toctree::
    :maxdepth: 1

docs/class2/module1/lab1.rst

@@ -1,2 +1,177 @@
 Lab 1.1 - Create an Access Security Policy
 ##########################################
+
+1. Access **BIG-IP Next Central Manager** if you're not already logged in.
+
+.. image:: images/lab1-cmlogin.png
+    :width: 600 px
+
+2. Click on the Workspace icon and select Security
+
+.. image:: images/lab1-securitybtn.png
+    :width: 600 px
+
+3. Click on **Access** from the Security menu, this should default to Policies.
+
+.. image:: images/lab1-accessbtn.png
+    :width: 600 px
+
+4. Click **Start Creating** button to create a new Access policy, or click on **Create** if you have already several policy created.
+
+.. image:: images/lab1-createapbtn.png
+    :width: 600 px
+
+5. This will open Access Visual Policy Design screen. Choose a **Per-Session Policy** and **Start from Scratch**, click Next
+
+.. image:: images/lab1-persession.png
+    :width: 600 px
+
+6. In the **Create Policy** screen, this is where you set the different properties of the policy, such as, logging, language, Single Sign On, etc… Let’s start configuring the policy Start Selecting policy name and adjust policy parameters.
+
+In the **General Properties** screen set the following parameters, for the rest of the settings you may leave it as default.
+
+- **Policy Name:** ssl-vpn
+- **Cookie Option:** check the **Secure** box
+- Click **Continue** 
+
+.. note:: As you continue the rest of the policy creation process, see the screen shot in each section for a visual example of the configuration.
+
+7. In **Session Properties**, keep the default settings, click **Continue**.
+
+.. image:: images/lab1-session.png
+    :width: 600 px
+
+8. **Logging screen** you can adjust the logging level to help with debugging or troubleshooting. For this lab we will keep the default settings. Click **Continue**. 
+
+.. image:: images/lab1-logging.png
+    :width: 600 px
+
+9. **Single Sign On** screen, you can set the Single Sign On configuration with an IDP. For this lab we will not use any SSO. Click **Continue**.
+
+.. image:: images/lab1-sso.png
+    :width: 600 px
+
+10. **Endpoint Security** screen, you can setup Endpoint Security such as ensuring firewall is enabled on a client workstation before access is granted. For this lab we will not use this feature. Click **Continue**.
+
+.. image:: images/lab1-endpoint.png
+    :width: 600 px
+
+11. **Resources** This is where we will create the Networkl Access resource and also the Webtop resource.
+
+* Click **Start Creating**, and create a **Network Access** resource. Configure as below
+
+  * Change to split tunneling
+
+    .. image:: images/lab1-networkaccess.png
+       :width: 800 px
+
+  * Give a name to the lease pool : leasepool1
+  * DNS/Host, set IPv4 primary Name Server to : 10.1.20.6
+  * Click **continue** till end and **Finish**
+
+* Click **Create** and create a new resource type **Webtop**
+
+  * Keep default settings
+  * Finish
+
+
+12.  Click **Continue** to continue to **Connectivity**. We will set the SSL VPN (Network Access) connectivity settings.  
+
+* **Edit** the BIG-IP Edge Client config
+
+  .. image:: images/lab1-edgeclient-conn.png
+     :width: 600 px
+
+* **Add** a new Server List entry
+
+  * Alias: next-vpn
+  * Host Name: vpn.example.com
+
+    .. image:: images/lab1-serverlist.png
+       :width: 600 px
+
+  * Click **Finish** and **Continue**
+
+13.  **Policy Endings** you can define additional policy ending logic as needed for your use case here. For this lab we will accept the default. Click **Finish**.
+
+.. image:: images/lab1-policyendings.png
+    :width: 600 px
+
+After clicking on **Finish** it should bring you back to the Create Policy screen. Now, we will use the Visual Policy Designer (VPD) to build the policy.
+
+.. image:: images/lab1-createpolicy2.png
+    :width: 600 px
+
+14. Under **Flows**, drag and drop **Empty** flow to the VPD. You will need click on the little dots to the right of the flow type to grab the flow and drop into the VPD. 
+
+.. image:: images/lab1-emptyflow.png
+    :width: 600 px
+
+When dropping the flow type onto the VPD, you will want to make sure the flow type box is over the plus sign and the plus sign turns blue.
+
+.. image:: images/lab1-emptydd.png
+
+The result should look like the following screen shot.
+
+.. image:: images/lab1-emptyok.png
+    :width: 600 px
+
+15. Click inside the Flow type box. This show 3 buttons; **Delete**, **Edit**, and **Collapse** buttons. Click on the **Collapse** button to start adding Rules to the Flow and Editing settings.
+
+.. image:: images/lab1-allthebtns.png
+    :width: 600 px
+
+16. Click on the **pen** to edit the Empty box. Change the name to **client-cert-auth** and add a new ending branch called **Allow**
+
+.. image:: images/lab1-empty-branch.png
+    :width: 600 px
+
+17. On the left hand side menu, select the **R** (Rules) button, and scroll down on the **Rules** till you find **On-Demand Certificate Authentication**.
+
+.. image:: images/lab1-rules1.png
+    :width: 600 px
+
+17. Click and drag **On-Demand Certificate Authenticate** to the VPD.
+
+.. image:: images/lab1-rules2.png
+    :width: 600 px
+
+18. Edit the **On-Demand Certificate** rule by clicking on the edit button.
+
+.. image:: images/lab1-rules3.png
+    :width: 600 px
+
+19. In the **Rule Configurations**, **Rule Properties**, change **Authentication Mode** to **Require**. Click **Continue** and **Finish**
+
+.. image:: images/lab1-rules4.png
+    :width: 600 px
+
+20. Change the **Deny** ending of the successful branch by the **Allow** ending
+
+.. image:: images/lab1-change-ending-allow.png
+    :width: 600 px
+
+21. Add a new rule **Advanced Resource Assign** next to the Successful branch, **edit** it, and add your **webtop** and **network access** resources.
+
+* Do not select any context, keep it empty
+* Add your webtop and Network Access
+
+.. image:: images/lab1-context.png
+    :width: 600 px
+
+.. image:: images/lab1-resources2.png
+    :width: 600 px
+
+* Click **finish** and save your Advanced Resource Assign rule (by clicking to **continue**).
+
+
+22.   Click on the **Collapse** button to close the **Rules and Flow** box so you’re back to the main VPD. S
+
+23. On the **Allow** branch, change the ending to **Allow**.
+
+.. image:: images/lab1-final-allow.png
+    :width: 600 px
+
+24.  **Save** the policy and close the VPD by clicking on **Exit**.
+
+You have completed creating a security policy. Next we will deploy an Application and assigned the access policy.