Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

F5 BIG-IP Zero Trust Access

F5 BIG-IP Zero Trust Access improves security and the user experience while managing access to your portfolio of corporate applications.

Introduction

F5 BIG-IP Zero Trust Access, a key component of the F5 Application Delivery and Security Platform (ADSP), helps teams secure apps that are spread across hybrid, multi-cloud and AI environments. In this article, I’ll highlight some of the key features and use cases addressed by BIG-IP Zero Trust Access.

Demo Video

What is Zero Trust?

Key Zero Trust Concepts

Zero Trust is a cybersecurity framework built on the following core concepts:

  • Never Trust: similar to the human notion that trust is not given freely, it is earned
  • Always Verify: authenticate and authorize based on all available data points
  • Continuously Monitor: Zero Trust is an ongoing security framework that requires monitoring

F5 enables zero-trust architectures that optimize your investments and extend zero-trust security across your entire portfolio.

Why is this important?

Securing apps is complex because apps are spread across a hybrid, multi-cloud environment. Apps themselves have become hybrid in nature, too. This creates two problems: legacy and custom applications complicate access security, and apps residing anywhere increase the attack surface. F5 BIG-IP Zero Trust Access secures hybrid application access.

Securely managing access to corporate applications is critical to preventing data breaches. Doing it well can also increase efficiencies in business processes and user productivity.

A Zero Trust security model can deliver this business value by enabling users to seamlessly and securely access their applications from anywhere regardless of where the application resides. In today’s world of hybrid, multicloud and AI applications, Zero Trust is a must. Application access control is key to any Zero Trust architecture.

How does F5 address Zero Trust?

F5 Zero Trust begins with secure access to all apps. The F5 Application Delivery and Security Platform (ADSP) is the foundation for Zero Trust architectures. F5 ADSP delivers visibility, enforcement, and intelligence where it matters most: the application layer.

While there are many important components to Zero Trust, we will be focusing on Zero Trust Application Access:

Identity-Aware Proxy - Secure access to apps with a fine-grained approach to user authentication and authorization that enables only per-request context- and identity-aware access.

Single Sign-On (SSO) and Access Federation - By integrating with existing SSO and identity federation solutions, users can access all their business apps via a single login, regardless of whether the app is SAML-enabled or not.

OAuth 2.0 and OIDC Support - Enable social login to simplify access authorization from trusted third-party identity providers like Google, LinkedIn, Okta, Azure AD, and others.

Identity Aware Proxy (IAP) – A Key Component of Zero Trust

Use the Guided Configuration to configure the Identity Aware Proxy. From the BIG-IP UI, go to Access > Guided Configuration > Zero Trust.

Select the Identity Aware Proxy

You will see a configuration example of Identity Aware Proxy

Click Next at the bottom

For the Config Properties, give it a name, “IAP_DEMO” in this example

Set the below options to On

Click Save & Next

Enable the F5 Client Posture Check

Select your CA Trust Certificate

Click Add

Give it a Name, “FW_Check” in this example

Under Windows, select Firewall and Domain Managed Devices

Enter your domain name, “f5lab.local” in this example

Click Done

Click Save & Next

Configure the Virtual Server Properties

Switch Advanced Settings to On

Set the Destination Address, “10.1.10.100” in this example

For the Client SSL Profile, select the Client SSL Certificate, Private Key and Trusted Certificate Authorities

For the Server SSL Profile, select your Server SSL Certificate and Private Key

Click Save & Next

Click Add under Authentication

Give it a Name, “AD” in this example

Set the Authentication Type to “AAA”

Set the Authentication Server Type to Active Directory

Choose your Authentication Server, “ad-servers” in this example

Check the box for Active Directory Query Properties

Under Required Attributes, find “memberOf” and click the arrow to move it to Selected

Click MFA

Click Add

Double click Radius

Under Choose Radius Server, select Create New

Give it a name, “radius_pool” in this example

Enter the Server IP Address, “10.1.20.8” in this example

Enter the Secret in the two fields

Click Save

Click Save & Next

Click Add

Give it a name, “basic_sso” in this example

For the SSO Configuration Object, click Create New

The Username Source and Password Source should be set like the following

Click Save

Click Save & Next

Under Applications click Add

Give it a name, “iap1.acme.com” in this example

Under Application Properties, set the FQDN and Caption to “basic.acme.com”

Set the Pool IP Address to 10.1.20.7, Port 443, HTTPS

Click Save

For the Auth Domain, enter “iap1.acme.com”

Click Save & Next

Set Primary Authentication to “AD”

Click Save & Next

Click Add under Contextual Access

For the Contextual Access Properties, give it a name, “basic.acme.com” in this example

Set the Resource to iap1.acme.com

Set Device Posture to FW_Check

Set Single Sign-On to basic_sso

Find the Sales Engineering Group and click Add

Select the box for Additional Checks

Set the Match Action to Step Up

Set Step Up Authentication to Custom Radius based Authentication

Click Save & Next

The Remediation Page must be changed to a real host where users can download and install the EPI updates

In this example, it has been changed to “https://iap1.acme.com/epi/downloads”

Click Save & Next

Click Save & Next

Click Deploy

Click Finish when the deployment completes

Test the functionality by going to a client computer and accessing https://iap1.acme.com

Log on with valid credentials

You should see a page like the following

Click basic.acme.com

Log in with valid credentials and click Validate

You should see the basic.acme.com web page and be already logged in

Note: If you disable the Windows Firewall on the client, you should get a block page similar to the following:
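To make the per-request decision the Guided Configuration builds above concrete, here is an added Python model of the contextual access rule from the walkthrough. It is illustration code written for this article, not F5 or BIG-IP APM code. The example values (iap1.acme.com, FW_Check, f5lab.local, the Sales Engineering group, RADIUS step-up, the remediation URL) come from the walkthrough; the data model, function names and the group DN are assumptions. It shows the "never trust, always verify, continuously monitor" idea in practice: every request re-evaluates identity, group membership and device posture, so a client whose Windows firewall is switched off mid-session is redirected to the remediation page exactly as the note above describes.

```python
"""Toy per-request access evaluator mirroring the walkthrough's contextual access rule.

Added example for this article; not F5/BIG-IP APM code. All names below are
either the walkthrough's example values or constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# From the walkthrough: where users are sent when the posture check fails.
REMEDIATION_URL = "https://iap1.acme.com/epi/downloads"


@dataclass
class DevicePosture:
    os: str                      # e.g. "Windows"
    firewall_enabled: bool       # Windows firewall state reported by the client
    domain: Optional[str]        # domain the device is joined to, or None


@dataclass
class Session:
    username: Optional[str]                  # None until primary (AD) auth succeeds
    groups: Tuple[str, ...] = ()             # AD "memberOf" values from the AD query
    mfa_done: bool = False                   # True after RADIUS step-up succeeds
    posture: Optional[DevicePosture] = None  # latest client posture report


@dataclass
class ContextualAccessRule:
    resource: str          # application FQDN the rule protects
    posture_check: str     # name of the device posture policy
    allowed_group: str     # AD group that may reach the resource
    step_up: bool          # "Additional Checks -> Step Up" with RADIUS MFA


@dataclass
class Decision:
    action: str                     # "allow", "login", "deny" or "step_up"
    reason: str
    redirect: Optional[str] = None  # remediation page on posture failure


# Constructed group DN; the walkthrough only names the "Sales Engineering" group.
SALES_ENGINEERING = "CN=Sales Engineering,OU=Groups,DC=f5lab,DC=local"

RULES: Dict[str, ContextualAccessRule] = {
    "iap1.acme.com": ContextualAccessRule(
        resource="iap1.acme.com",
        posture_check="FW_Check",
        allowed_group=SALES_ENGINEERING,
        step_up=True,
    )
}


def fw_check(posture: Optional[DevicePosture]) -> bool:
    """Mirror of FW_Check: Windows firewall on and device managed by f5lab.local."""
    if posture is None or posture.os.lower() != "windows":
        return False
    return posture.firewall_enabled and posture.domain == "f5lab.local"


POSTURE_CHECKS: Dict[str, Callable[[Optional[DevicePosture]], bool]] = {
    "FW_Check": fw_check,
}


def evaluate_request(host: str, session: Session) -> Decision:
    """Decide one request. Called on every request, not once per session."""
    rule = RULES.get(host)
    if rule is None:
        return Decision("deny", "no contextual access rule for host")
    # Never trust: no authenticated identity yet -> send to the logon page.
    if session.username is None:
        return Decision("login", "primary (AD) authentication required")
    # Always verify / continuously monitor: posture is re-checked per request.
    if not POSTURE_CHECKS[rule.posture_check](session.posture):
        return Decision("deny", f"device posture {rule.posture_check} failed",
                        redirect=REMEDIATION_URL)
    if rule.allowed_group not in session.groups:
        return Decision("deny", "user is not a member of the required AD group")
    if rule.step_up and not session.mfa_done:
        return Decision("step_up", "RADIUS MFA required before access is granted")
    return Decision("allow", "identity, group, posture and MFA satisfied")


if __name__ == "__main__":
    # Constructed sample session walking through the walkthrough's test steps.
    healthy = DevicePosture("Windows", firewall_enabled=True, domain="f5lab.local")
    s = Session(username=None, posture=healthy)
    print(evaluate_request("iap1.acme.com", s))            # login
    s.username, s.groups = "alice", (SALES_ENGINEERING,)
    print(evaluate_request("iap1.acme.com", s))            # step_up
    s.mfa_done = True
    print(evaluate_request("iap1.acme.com", s))            # allow
    s.posture = DevicePosture("Windows", firewall_enabled=False, domain="f5lab.local")
    print(evaluate_request("iap1.acme.com", s))            # deny -> remediation page
```

The order of the checks matters: posture is evaluated before group membership and MFA so that an unhealthy device never reaches the step-up prompt, and the posture result is recomputed on each call rather than cached from login, which is what turns a one-time gate into continuous monitoring.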

Conclusion

BIG-IP introduces a powerful access experience.

BIG-IP provides a variety of Authentication, Federation, SSO and MFA protocols allowing for modern to legacy protocol translation.

BIG-IP integrates with 3rd parties to enforce identity aware decisions.

BIG-IP secures identities for any apps and users anywhere in legacy and modern environments, spanning on-prem, hybrid or cloud locations.

BIG-IP is the highly scalable and proven access security solution that F5 customers know and trust.

Related Content

Zero Trust Solution Overview

Secure Corporate Apps with a Zero Trust Security Model

BLOG: F5 BIG-IP Zero Trust Access

Zero Trust Application Access for Federal Agencies

Published Mar 27, 2026
Version 1.0