Introduction

The F5 Access Policy Manager offers an enterprise-wide proxy solution to ensure that applications and authentication are locked down securely, enabling employees and clients to access appropriate resources without compromising security. The package has been designed by F5 Networks, a Seattle-based networking company which has been helping medium and large-scale businesses build secure systems since 1996.

Many of its products are based around the F5 TMOS OS, which allows various F5 apps to work together – one of which is the F5 VPN and Access Policy Manager.

Security features

F5 has long been renowned for its security features, so we would expect the F5 Access manager to be pretty solid in this regard. But what about the VPN? Some packages are slick when it comes to application management, permissions, and firewalls, but cut corners with Virtual Private Networks. Is that the case with the F5 VPN?

Here’s what the Access Policy Manager has to offer:

  • An SSL-based VPN: The VPN bundled with the APM is based around the Secure Sockets Layer protocol (as opposed to IPSec or IKEv2). This can sometimes result in speed sacrifices, but it means that the F5 VPN client isn’t required. As long as applications used on the network are TCP/IP compliant, the APM can anonymize users and encrypt data being transmitted.
  • SAML authentication: Security Assertion Markup Language is used to authenticate users via certified XML documents. Network managers can alter certification settings for specific users, giving them variable access levels, and this also extends to Cloud-based resources. This delivers a high level of control and flexibility.
  • Dynamic Access Control Lists: The central APM can also dynamically analyze devices that attempt to connect to the network, looking at their security settings and behavior. It can run real-time antivirus checks, block suspicious users, and generally lock down endpoints to keep rogue actors at bay.

You may have noticed that the last two security features aren’t directly related to the VPN. That’s because the F5 Access Policy Manager is much more than a Virtual Private Network – and you can’t use the VPN as a stand-alone app. It’s a holistic gateway tool to manage connections and user communities.

The VPN slots on top of that gateway, ensuring that users can confidently access sensitive databases or apps wherever they are. And with SSL encryption in place, it should do so pretty effectively – putting F5 on par with Cisco and other key competitors.

Privacy features

The F5 Secure Web Gateway is designed to secure corporate assets against external threats. That’s the core aim of the F5 BIG-IP application suite – not shielding companies and staff against leaking data to F5.

It’s normal for corporate VPNs to gather customer data, so the F5 privacy policy shouldn’t hold too many surprises. It turns out that the company collects customer email addresses, names, phone numbers, customer service interactions, and forum postings. However, the somewhat vaguely phrased “information about actual or prospective users’ interests” was a bit more concerning. The privacy statement doesn’t explain how F5 would find out that information.

Data is used for conventional purposes, such as testing software, marketing, and of course checking that users are respecting licensing agreements. Hardcore privacy fans will note the clear statement that data will be used “to follow the law.” F5 is a US-based corporation, so that could mean that client data finds its way to the state.

None of this means that F5 will snoop on everything passing over your network. It’s just a reminder that corporate VPN providers are very, very data-hungry. You can opt out of a lot of the collection processes, but that’s a complex operation, and not all customers will have the time or expertise to do so. That’s something to keep in mind when deciding whether to go for F5.

Features, installation, and deployment

The F5 Access Policy Manager is not designed to use a separate F5 VPN client, so there’s no need to list the various platforms that the client can be used with. That’s actually one of the virtues of adopting an SSL-based VPN. It means that all devices can interact with the F5 Secure Web Gateway, as long as they have the correct authentication information.

The APM itself can be downloaded for Windows, macOS, or Linux, so most corporate networks should be catered for. However, the Windows version is far more feature-rich, so Linux or Mac users may want to check compatibility lists carefully before making a decision.

The VPN is fairly easy to set up, as long as the F5 Access Policy Manager is in place. And additional training is available via a service called “F5 University” – which helps with the implementation. F5’s VPN also integrates with a variety of existing access solutions from brands like Citrix and Microsoft, easing the process of beefing up security, without needing total overhauls.

User numbers can be scaled up seamlessly, from tens of users to as many as 200,000 simultaneous sessions. That’s a major plus point for larger organizations. And all APM implementations combine security features with traffic management, allowing companies to balance loads and secure their traffic.

As we touched on earlier, authentication is another strong area of the F5 Access Policy Manager. The APM is compatible with authentication systems like RADIUS, LDAP, and RSA Native SecurID, allowing managers to tightly regulate who gains access.

However, there are some criticisms to note. For instance, if you want to customize an F5 implementation, you’ll need to purchase licenses before downloading extra apps. You can’t choose the app from a central dashboard and be billed later. Payment comes first, making the customization process more cumbersome than it needs to be. Similar enterprise solutions like NetScaler from Citrix are a bit more streamlined here – so if you want the most user-friendly solution around, that’s the brand to go for.

Overall, the features available place F5’s APM and its onboard VPN in the top ranks of enterprise-wide security systems. It’s flexible, powerful, scalable, and effective. There may be some implementation issues, and payments could be more intuitive, but it’s a strong option for medium and larger enterprises.

Plans and pricing

As with most enterprise security solutions, the F5 Access Policy Manager must be purchased on a licensing model. And it also needs to be integrated into a wider BIG-IP setup. This could be a very costly operation, but the burden can be reduced via F5’s various “bundle” deals. These are divided as follows:

  • Good: Includes the BIG-IP Traffic Manager and advanced routing, but not the APM.
  • Better: Features all of the above, plus DNS routing, an advanced firewall, and threat detection software.
  • Best: The only bundle which comes with the Access Policy Manager, the “Best” bundle also features the Application Security Manager, with DDoS protection. It’s a strong option for businesses that need solid solutions for remote working and application access.

Customers have the option of signing up for 1, 2, or 3-year subscriptions for the bundle of their choice. Alternatively, perpetual licenses are available. But what about prices?

Well, this may be F5’s Achilles heel. The company is known for its high-quality security solutions, but not for budget deals. To get started with the BIG-IP platform, many companies will spend over $80,000 on an ADC router like the i5800, before installing any software. And even software-only implementations come with significant outlays. APM bundles are charged on top of that, resulting in hefty annual bills.

On the plus side, F5 knows that its products aren’t cheap, so it offers 30-day trials for the basic BIG-IP service. That doesn’t include the APM or the VPN service, but it does at least give an idea of how user-friendly the software can be.

From a financial standpoint, F5 lies at the higher end of the VPN range. It offers bespoke solutions for companies with the resources to implement them, but won’t be affordable for most smaller or even medium-sized enterprises.

Performance

Speed isn’t usually the strongest element of an SSL-based VPN, and this applies to F5’s Access Policy Manager as well. Many clients have commented on speed issues in recent years, most of which stem from network configuration issues, and aren’t related to the VPN itself.

This often results in 90% speed decreases, which could devastate some networks. Then again, many companies use the software as a load balancing tool, which helps to optimize network performance, so there are benefits, even if the VPN isn’t the fastest around.

Customer support

F5 offers a wide variety of support options for clients, and is right up there with the best in this department:

  • Telephone and live chat support are available 24/7 from F5 technicians, at Standard, Premium, and Premium Plus levels. Premium Plus offers a significantly higher level of expertise and close support for business clients, but the assistance level for lower tiers is more than satisfactory.
  • The AskF5 Knowledge Base features a huge archive of PDFs and tutorials, so it may be possible to self-diagnose issues and resolve them without contacting F5 at all.
  • Customers can raise support tickets at will via the F5 online support pages, resulting in prompt assistance whenever required.
  • The F5 University provides in-person tuition for network technicians at a supplementary fee, providing a great way for businesses to ease into complex implementations.

The overall support infrastructure is as good as it gets for business security providers, which is what you’d expect at premium prices. Waiting times are low, staff are uniformly well-informed, and it’s rare for APM users to be left without some kind of solution if they need it.

So, if you are concerned about implementing the F5 VPN, don’t be. Achieving technical solutions is F5’s specialty, and that includes creating specialist remote working systems.

Pros

  • Exceptional support system with live chat, phone contacts, tuition, FAQs – everything users could need.
  • Solid SSL-based encryption via the F5 VPN, with no need to install clients on every device.
  • Compatibility with a vast array of authentication systems, ensuring that access control can be optimized at all times.
  • Integrates with the BIG-IP security framework, which allows enterprise-wide application solutions, going way beyond VPN capabilities.

Cons

  • The high quality of F5 products comes with a commensurate price tag. Expect to pay significant prices for large-scale VPN solutions.
  • Adding extra modules to the BIG-IP platform can be cumbersome at times, and isn’t as smooth as with rivals like Citrix.
  • Some users will prefer the option for separate mobile or laptop clients, but this isn’t provided by F5.
  • Speed won’t be as fast as with IPSec-based VPNs.

Bottom line

So, what can we say about the F5 Access Policy Manager and VPN? If your company has the resources to fund an upscale mobile access solution, F5 has the tools required, and it offers strong support and flexible products. But there are faster and cheaper solutions for smaller organizations.