KASM Workspaces Integration with F5 BIG-IP Access Policy Manager (APM)

Introduction

F5 BIG-IP Access Policy Manager (APM) is a key asset to securing containerized platforms like KASM Workspaces.  In this article I’ll show you how to secure your Kasm Workspace using F5 BIG-IP APM.  APM is a key component of the F5 Application Delivery and Security Platform (ADSP).  APM covers both Application Delivery, Security and is a key component of Zero Trust.

Kasm Workspaces

Kasm Workspaces is a containerized streaming platform designed for secure, web-based access to desktops, applications, and web browsing. It leverages container technology to deliver virtualized environments directly to users' browsers, enhancing security, scalability, and performance. Commonly used for remote work, cybersecurity, and DevOps workflows, Kasm Workspaces provides a flexible and customizable solution for organizations needing secure and efficient access to virtual resources.

As noted in the Kasm Documentation, the Kasm Workspaces Web App Role servers should not be exposed directly to the public.  That’s where F5 BIG-IP APM can help.

 

Demo Video

Deployment Prerequisites

• F5 BIG-IP version 17.x
• Access version 10.x
• Kasm Workspaces version 1.17 installed and configured properly

 

Configure using Automation Toolchain with AS3 and FAST Templates

The F5 BIG-IP Automation Toolchain is a suite of tools designed to automate the deployment, configuration, and management of F5 BIG-IP devices. It enables efficient and consistent management using declarative APIs, templates, and integrations with popular automation frameworks.  Application services (FAST) templates are predefined configurations that streamline the deployment and management of applications by providing consistent and repeatable setups.

NOTE: The configuration using the Automation Toolchain is well-documented in this DevCentral article, which also includes demo videos: 

How I did it - “Delivering Kasm Workspaces three ways”

 

Configure Manually Using a Virtual Server

This article will focus on the manual configuration of the BIG-IP using a Virtual Server.  Configuring it this way will give you a deeper understanding of how all the components work together to create a cohesive solution.

 

Network Environment

Linux “External” client IP: 10.1.10.4

BIG-IP “External” Self IP: 10.1.10.10

BIG-IP “Internal” Self IP: 10.1.20.10

Kasm Workspace IP: 10.1.20.23

 

BIG-IP Configuration

Create HTTP Monitor: First, let’s create the HTTP Monitor for the Kasm Workspace server.  From Local Traffic > Monitors > click the green plus sign to add a new one.

Give it a name, “Kasm-Monitor” in this example

Set the Type to HTTP

Enter the following for the Send String:

GET /api/__healthcheck\r\n

Enter the following for the Receive String:

OK

It should look like this:

Set Reverse to Yes and click Finished

Create Pool: Next we’ll create the Pool

From Local Traffic > Pools > Pool List > click the plus sign to add a new one

Give it a name, “Kasm-Pool” in this example

Select the Health Monitor you created previously and click the arrows to move it to Active

Under Resources specify a Node Name, “Kasm-Server” in this example

Specify the IP Address, “10.1.20.23” in this example

Set the Service Port to 443, then click Add

Click Finished

Create Virtual Server: Next we’ll create the Virtual Server

From Local Traffic > Virtual Servers > Virtual Server List > click the plus sign to add a new one

Give it a Name, “vs_kasm” in this example.  Keep the Type as Standard.

Set the Destination to the IP Address you want the BIG-IP to listen on for connections to the Kasm server, “10.1.10.100” in this example.

Set the Service Port to HTTPS, port 443.

Click Finished at the bottom

Click on the Virtual Server you just created

Click Resources

Set the Default Pool to kasm_pool, then click Update

The Kasm Virtual Server Status should eventually change to Green when the Health Monitor is successful.

NOTE: The Virtual Server configuration in this example has been simplified for demonstration purposes.  Additional configuration options will be covered later in this article.

 

Kasm Workspaces Configuration

The Kasm Workspace will need a Zone configured with the default settings.

Login as Admin and check this from Infrastructure > Zones.

You will need at least one Workspace.

In this example, I have a Workspace with Chrome, Firefox, Terminal and Ubuntu Jammy

Click the WORKSPACES Tab at the top of the screen to see what the Workspace looks like

Your view should look like this:

 

Test Kasm Workspaces

Login as a User

NOTE: The IP Address used to connect to the Kasm Workspaces through the BIG-IP is the Virtual Server listening IP Address 10.1.10.100

When the Workspace loads, click Firefox

Choose the option to Launch Session in a new Tab

After a moment, Firefox will load

Here you can see the F5.com website displayed

NOTE: The browser pop-up blocker can prevent the Kasm Workspace applications from successfully launching.  You can disable the pop-up blocker or create an exception for the BIG-IP Virtual IP (10.1.10.100).

 

Enable SSL Decryption

Enabling SSL Decryption allows you to fully inspect the requests and payloads passing through BIG-IP.

From Local Traffic > Virtual Servers > click Virtual Server List

Then click the name of your Virtual Server, “vs_kasm” in this example

In the Configuration section, set the Protocol Profile (Client) to http

Set the SSL Profile (Client) to clientssl

Set the SSL Profile (Server) to serverssl

NOTE: If you have created your own Client and Server SSL Profiles, you should add them here.  The instructions above are for demonstration purposes only.

Scroll to the bottom and click Update

You’re done!

 

Conclusion

F5 BIG-IP Access Policy Manager (APM) is a key asset to securing containerized platforms like KASM Workspaces.  In this article, you learned how to secure your Kasm Workspace using F5 BIG-IP APM. 

 

Related Content

How I did it - “Delivering Kasm Workspaces three ways”

Download Kasm Workspaces

Kasm Documentation