version 10.0.0
MAN-0293-00
Product Version
This manual applies to version 10.0.0 of the BIG-IP product family.
Publication Date
This guide was published on March 11, 2009.
Legal Notices
Copyright
Copyright 2008-2009, F5 Networks, Inc. All rights reserved. F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.
Trademarks
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, Acopia, Acopia Networks, Application Accelerator, Ask F5, Application Security Manager, ASM, ARX, Data Guard, Enterprise Manager, EM, FirePass, FreedomFabric, Global Traffic Manager, GTM, iControl, Intelligent Browser Referencing, Internet Control Architecture, IP Application Switch, iRules, Link Controller, LC, Local Traffic Manager, LTM, Message Security Module, MSM, NetCelera, OneConnect, Packet Velocity, SSL Accelerator, SYN Check, Traffic Management Operating System, TMOS, TrafficShield, Transparent Data Reduction, uRoam, VIPRION, WANJet, WebAccelerator, and ZoneRunner are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent.
Patents
This product is protected by U.S. Patents 6,374,300; 6,473,802; 6,970,933; 7,051,126; 7,102,996; 7,146,354; 7,197,661; 7,206,282; 7,287,084. Other patents pending.
RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.
FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference. Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.
Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.
Acknowledgments
This product includes software developed by Bill Paul. This product includes software developed by Jonathan Stone. This product includes software developed by Manuel Bouyer. This product includes software developed by Paul Richards. This product includes software developed by the NetBSD Foundation, Inc. and its contributors. This product includes software developed by the Politecnico di Torino, and its contributors. This product includes software developed by the Swedish Institute of Computer Science and its contributors. This product includes software developed by the University of California, Berkeley and its contributors. This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory. This product includes software developed by Christopher G. Demetriou for the NetBSD Project. This product includes software developed by Adam Glass. This product includes software developed by Christian E. Hopps. This product includes software developed by Dean Huxley. This product includes software developed by John Kohl. This product includes software developed by Paul Kranenburg. This product includes software developed by Terrence R. Lambert. This product includes software developed by Philip A. Nelson. This product includes software developed by Herb Peyerl. This product includes software developed by Jochen Pohl for the NetBSD Project. This product includes software developed by Chris Provenzano. This product includes software developed by Theo de Raadt. This product includes software developed by David Muir Sharnoff. This product includes software developed by SigmaSoft, Th. Lockert. This product includes software developed for the NetBSD Project by Jason R. Thorpe. This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com. This product includes software developed for the NetBSD Project by Frank Van der Linden. 
This product includes software developed for the NetBSD Project by John M. Vinopal. This product includes software developed by Christos Zoulas. This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman. This product includes software developed by Balazs Scheidler <bazsi@balabit.hu>, which is protected under the GNU Public License. This product includes software developed by Niels Mueller <nisse@lysator.liu.se>, which is protected under the GNU Public License. In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with "386BSD" and similar operating systems. "Similar operating systems" includes mainly non-profit oriented systems for research and education, including but not restricted to "NetBSD," "FreeBSD," "Mach" (by CMU). This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/). This product includes software licensed from Richard H. Porter under the GNU Library General Public License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html. This product includes the standard version of Perl software licensed under the Perl Artistic License (© 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at http://www.perl.com. This product includes software developed by Jared Minch.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product contains software based on oprofile, which is protected under the GNU Public License. This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html) and licensed under the GNU General Public License. This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL). This product includes software developed by the Apache Software Foundation <http://www.apache.org/>. This product includes Hypersonic SQL. This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others. This product includes software developed by the Internet Software Consortium. This product includes software developed by Nominum, Inc. (http://www.nominum.com). This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License.
Table of Contents
1
Introducing Implementations for BIG-IP Local Traffic Manager
Introducing BIG-IP system implementations .......... 1-1
Getting started .......... 1-1
Using the Configuration utility .......... 1-1
About this guide .......... 1-2
Additional information .......... 1-2
Stylistic conventions .......... 1-3
Finding help and technical support resources .......... 1-5
2
Configuring nPath Routing
Introducing nPath routing .......... 2-1
Configuring nPath routing .......... 2-2
Creating a custom Fast L4 profile .......... 2-3
Creating a server pool for nPath routing .......... 2-4
Creating a virtual server .......... 2-4
Configuring the virtual server on the content server loopback interface .......... 2-5
Setting the route for inbound traffic .......... 2-5
Enabling the connection.autolasthop bigdb key .......... 2-5
Setting timers for nPath configurations .......... 2-6
Guidelines for configuring timeouts for UDP traffic .......... 2-6
Guidelines for configuring timeouts for TCP traffic .......... 2-6
3
Basic Web Site and E-Commerce Configuration
Working with a basic web site and e-commerce configuration .......... 3-1
Configuring a basic e-commerce site .......... 3-2
Creating load balancing pools .......... 3-2
Creating virtual servers .......... 3-3
4
Installing a BIG-IP System without Changing the IP Network
Installing a BIG-IP system without changing IP networks .......... 4-1
Configuring the BIG-IP system for the same IP network .......... 4-3
Removing the self IP addresses from the individual VLANs .......... 4-3
Creating a VLAN group .......... 4-4
Creating a self IP address for the VLAN group .......... 4-5
Creating a pool of web servers .......... 4-5
Creating a virtual server .......... 4-6
5
Web Hosting for Multiple Customers
Introducing multiple customer hosting .......... 5-1
Hosting multiple customers using an external switch .......... 5-2
Creating VLANs with tagged interfaces .......... 5-2
Creating load balancing pools .......... 5-3
Creating virtual servers .......... 5-3
Directly hosting multiple customers .......... 5-5
Creating VLANs with untagged interfaces .......... 5-6
6
A Simple Intranet Configuration
Working with a simple intranet configuration .......... 6-1
Creating the simple intranet configuration .......... 6-2
Creating pools .......... 6-2
Creating virtual servers .......... 6-3
7
Load Balancing ISPs
Introducing ISP load balancing .......... 7-1
Configuring ISP load balancing .......... 7-2
Creating pools for an additional Internet connection .......... 7-2
Creating virtual servers for an additional Internet connection .......... 7-3
Configuring address translation for outbound traffic .......... 7-5
8
Load Balancing HTTP Traffic with Source Address Affinity Persistence
Introducing basic HTTP load balancing .......... 8-1
Configuring HTTP load balancing with source address affinity persistence .......... 8-2
Creating a pool .......... 8-2
Creating a virtual server .......... 8-3
9
Load Balancing HTTP Traffic with Cookie Persistence
Introducing basic HTTP load balancing .......... 9-1
Configuring HTTP load balancing with cookie persistence .......... 9-2
Creating a custom persistence profile .......... 9-2
Creating a pool .......... 9-3
Creating a virtual server .......... 9-3
10
Compressing HTTP Responses
Introducing HTTP data compression .......... 10-1
Creating a custom HTTP profile .......... 10-2
Creating a virtual server .......... 10-3
11
Configuring HTTPS Load Balancing
Introducing HTTPS load balancing .......... 11-1
Creating an SSL key and certificate .......... 11-2
Creating a custom SSL profile .......... 11-3
Creating a pool .......... 11-5
Creating a virtual server .......... 11-6
12
Configuring HTTPS Load Balancing with Data Compression
Introducing HTTPS load balancing with compression .......... 12-1
Creating an SSL key and certificate .......... 12-2
Creating a custom Client SSL profile .......... 12-3
Creating a custom HTTP profile for compression .......... 12-4
Creating a pool .......... 12-6
Creating a virtual server .......... 12-7
13
Using RAM Cache for HTTP Traffic
Introducing HTTP RAM Cache .......... 13-1
Creating a custom HTTP profile .......... 13-2
Creating a virtual server .......... 13-3
14
Load Balancing Passive Mode FTP Traffic
Introducing FTP load balancing .......... 14-1
Creating a custom FTP monitor .......... 14-2
Creating a pool .......... 14-3
Creating a virtual server .......... 14-4
15
Load Balancing Passive Mode FTP Traffic with Rate Shaping
Introducing FTP load balancing with rate shaping .......... 15-1
Creating a custom FTP monitor .......... 15-2
Creating a pool .......... 15-3
Creating a rate class .......... 15-4
Creating a virtual server .......... 15-5
16
Setting up a One-IP Network Topology
Introducing the one-IP network topology .......... 16-1
Creating a pool for a one-IP network topology .......... 16-2
Creating a virtual server .......... 16-3
Defining a default route .......... 16-4
Configuring a client SNAT .......... 16-5
17
Using Link Aggregation with Tagged VLANs
Introducing link aggregation with tagged VLAN interfaces .......... 17-1
Using the two-network aggregated tagged interface topology .......... 17-2
Aggregating the links .......... 17-3
Assigning a trunk to the VLANs .......... 17-3
Creating a pool of web servers to load balance .......... 17-4
Creating a virtual server to load balance the web servers .......... 17-5
Using the one-network aggregated tagged interface topology .......... 17-6
Removing the self IP addresses from the VLANs .......... 17-7
Creating a VLAN group .......... 17-7
Creating a self IP for the VLAN group .......... 17-8
18
Setting Up Packet Filtering
Introducing packet filtering .......... 18-1
Configuring packet filtering .......... 18-2
Creating a SNAT .......... 18-2
Creating a gateway pool .......... 18-2
Creating a forwarding virtual server .......... 18-3
Creating a packet filter rule .......... 18-4
19
Implementing Health and Performance Monitors
Introducing health and performance monitors .......... 19-1
Creating a custom monitor .......... 19-3
Creating a pool .......... 19-4
Assigning a monitor to a pool .......... 19-4
Excluding a pool member from a monitor .......... 19-5
Creating a virtual server .......... 19-6
20
Load Balancing Traffic to IPv6 Nodes
Configuring the radvd service .......... 20-1
Configuring IPv4-to-IPv6 load balancing .......... 20-2
Creating a pool of IPv6 nodes .......... 20-2
Creating a virtual server .......... 20-3
21
Implementing Overlapping IP Addresses
Introducing overlapping IP addresses .......... 21-1
What is a route domain? .......... 21-1
Specifying route domain IDs .......... 21-1
Configuring route domains .......... 21-2
Creating VLANs for route domains .......... 21-3
Creating self IP addresses for route domains .......... 21-5
Creating route domain objects .......... 21-6
Creating pool members for route domains .......... 21-7
Creating static routes .......... 21-8
Creating virtual servers for route domains .......... 21-9
22
Mitigating Denial of Service and Other Attacks
Basic denial of service security overview .......... 22-1
Configuring adaptive connection reaping .......... 22-2
Logging adaptive reaper activity .......... 22-3
Simple DoS prevention configuration .......... 22-4
Setting the TCP and UDP connection timers .......... 22-4
Creating an IP rate class and applying it to a virtual server .......... 22-5
Setting connection limits on the main virtual server .......... 22-6
Filtering out attacks with iRules .......... 22-7
Filtering out a Code Red attack .......... 22-7
Filtering out a Nimda attack .......... 22-7
How the BIG-IP system handles several common attacks .......... 22-8
SYN flood .......... 22-8
ICMP flood (Smurf) .......... 22-9
UDP flood .......... 22-9
UDP fragment .......... 22-10
Ping of Death .......... 22-10
Land attack .......... 22-10
Teardrop .......... 22-11
Data attacks .......... 22-11
WinNuke .......... 22-11
Sub 7 .......... 22-11
Back Orifice .......... 22-12
23
Configuring Administrative Domains
Introducing administrative domains .......... 23-1
Creating a partition .......... 23-2
Configuring user access to a partition .......... 23-3
Viewing, managing, and creating objects in a partition .......... 23-4
Viewing and managing system objects .......... 23-4
Creating BIG-IP system objects .......... 23-5
24
Configuring Remote Authentication and Authorization for Administrative Traffic
Introducing remote authentication and authorization for BIG-IP system user accounts .......... 24-1
Configuring the BIG-IP system to use remote authentication of user accounts .......... 24-2
Configuring access control for BIG-IP system users .......... 24-6
Understanding the remoterole command .......... 24-7
Using the remote role command .......... 24-7
Using variable substitution .......... 24-8
Propagating remote authentication and authorization data to multiple BIG-IP devices .......... 24-11
25
Configuring Remote Authentication for Application Traffic
Introducing remote authentication for application traffic .......... 25-1
Configuring authentication that uses a remote LDAP or Active Directory server .......... 25-2
Creating an LDAP configuration object .......... 25-2
Creating an LDAP authentication profile .......... 25-5
Modifying a virtual server for LDAP authentication .......... 25-5
Configuring authentication that uses a remote RADIUS server .......... 25-7
Creating a RADIUS server object .......... 25-7
Creating a RADIUS configuration object .......... 25-8
Creating a RADIUS profile .......... 25-9
Modifying a virtual server for RADIUS authentication .......... 25-9
Configuring authentication that uses a remote TACACS+ server .......... 25-11
Creating a TACACS+ configuration object .......... 25-11
Creating a TACACS+ profile .......... 25-12
Modifying a virtual server for TACACS+ authentication .......... 25-13
Configuring SSL-based authorization using a remote LDAP server .......... 25-14
Creating an SSL Client Certificate LDAP configuration object .......... 25-14
Creating an SSL Client Certificate LDAP authentication profile .......... 25-15
Modifying a virtual server for SSL Client Certificate LDAP authorization .......... 25-16
Configuring SSL certificate revocation using an OCSP responder .......... 25-17
Creating an SSL OCSP responder object .......... 25-17
Creating an SSL OCSP configuration object .......... 25-18
Creating an SSL OCSP profile .......... 25-18
Modifying a virtual server for SSL OCSP authentication .......... 25-19
Configuring a CRLDP authentication module .......... 25-20
Creating a CRLDP server object .......... 25-20
Creating a CRLDP configuration object .......... 25-21
Creating a CRLDP profile .......... 25-22
Modifying a virtual server for CRLDP authentication .......... 25-23
26
Configuring Kerberos Delegation
Introducing Kerberos delegation infrastructure .......... 26-1
Configuring the BIG-IP system for Kerberos delegation .......... 26-2
Adding a DNS server to the BIG-IP system .......... 26-2
Joining the BIG-IP system to the trusted domain .......... 26-3
Creating the Kerberos delegation configuration .......... 26-5
Configuring Kerberos delegation using the Configuration utility .......... 26-5
Configuring Kerberos delegation from the command line .......... 26-8
Authenticating Client Traffic .......... 26-10
27
Configuring Multiple Authentication Servers
Introducing multiple authentication server configuration ......... 27-1
Meeting prerequisites ......... 27-2
Configuring BIG-IP system objects ......... 27-2
28
Implementing Paired Tunneling
Introducing paired tunneling ......... 28-1
What is paired tunneling? ......... 28-1
About data compression ......... 28-2
Before you begin ......... 28-3
Configuring the client-side system ......... 28-4
Creating a client-side endpoint pool ......... 28-4
Creating the client-side iSession profile ......... 28-5
Creating the client-side virtual server ......... 28-6
Configuring the server-side system ......... 28-9
Creating the server-side virtual server ......... 28-10
Specifying service ports ......... 28-11
Viewing data compression statistics ......... 28-12
xii
Table of Contents
29
Securing and Accelerating HTTP Traffic with ASM and WA
Overview of the configuration tasks ......... 29-1
Completing basic configuration tasks on the Local Traffic Manager ......... 29-2
Performing initial configuration tasks on the Local Traffic Manager ......... 29-3
Creating the HTTP class profile ......... 29-3
Defining a virtual server and pool on the BIG-IP Local Traffic Manager ......... 29-4
Defining an NTP server ......... 29-6
Creating an application profile for the WebAccelerator system ......... 29-7
Selecting an acceleration policy ......... 29-7
Planning your host map ......... 29-8
Assigning the WebAccelerator application profile to the security policy in Application Security Manager ......... 29-12
Running the Application Security Manager Deployment Wizard ......... 29-13
30
Securing and Accelerating HTTP Traffic with PSM and WA
Overview of the configuration tasks ......... 30-1
Completing basic configuration tasks on the Local Traffic Manager ......... 30-2
Performing initial configuration tasks on the Local Traffic Manager ......... 30-3
Creating the WebAccelerator HTTP class profile ......... 30-4
Creating an HTTP service profile ......... 30-4
Creating a virtual server and pool on the BIG-IP Local Traffic Manager ......... 30-5
Creating an application profile for the WebAccelerator system ......... 30-7
Selecting an acceleration policy ......... 30-7
Planning your host map ......... 30-8
Creating an HTTP security profile in the Protocol Security Module configuration ......... 30-12
Glossary
Index
1
Introducing Implementations for BIG-IP Local Traffic Manager
Introducing BIG-IP system implementations
About this guide
Finding help and technical support resources
BIG-IP Local Traffic Manager is one of several products that constitute the BIG-IP product family. All products in the BIG-IP product family run on the powerful Traffic Management Operating System, commonly referred to as TMOS™. For an overview of the complete BIG-IP product offering, see the introductory chapter of the TMOS™ Management Guide for BIG-IP Systems.
Getting started
Before you begin implementing a solution in this guide, we recommend that you familiarize yourself with additional resources such as other BIG-IP system guides and online help, and review the stylistic conventions that appear in this chapter. For more information, see About this guide, on page 1-2. Then, we recommend that you run the Setup utility on the BIG-IP system to configure basic network and network elements such as static and floating self IP addresses, interfaces, and VLANs. After running the Setup utility, you can use this guide to implement specific configuration scenarios. For information on running the Setup utility, see BIG-IP Systems: Getting Started Guide.
1-1
Chapter 1
Additional information
In addition to this guide, there are other sources of documentation you can use in order to work with the BIG-IP system. The following guides are available in PDF format from the Ask F5℠ web site, https://support.f5.com:

BIG-IP Systems: Getting Started Guide
This guide provides detailed information about licensing and provisioning the BIG-IP system, as well as installing upgrades.

TMOS™ Management Guide for BIG-IP Systems
This guide contains any information you need to configure and maintain the network and system-related components of the BIG-IP system, such as routes, VLANs, and user accounts.

Configuration Guide for BIG-IP Local Traffic Management
This guide contains any information you need for configuring specific features of the BIG-IP system to manage local network traffic.

BIG-IP Application Security Manager: Getting Started Guide
This guide describes how to set up BIG-IP Application Security Manager to configure security policies.

Configuration Guide for BIG-IP Application Security Management
This guide provides configuration procedures to protect Web applications from both generalized and targeted application layer attacks.

Configuration Guide for BIG-IP Protocol Security Module
This guide provides the procedures for configuring BIG-IP Protocol Security Module.

Configuration Guide for the BIG-IP WebAccelerator™ System
This guide describes the core BIG-IP WebAccelerator concepts and provides the procedures for configuring and monitoring the WebAccelerator system.

Bigpipe Utility Reference Guide
This guide contains information about using the bigpipe utility commands to manage the BIG-IP system.

Traffic Management Shell (tmsh) Reference Guide
This guide contains information about using the Traffic Management Shell (tmsh) commands to manage the BIG-IP system.
Stylistic conventions
To help you easily identify and understand important information, all of our documentation uses the stylistic conventions described here.
For example, the following command shows the configuration of the specified self IP address:
bigpipe self <ip_address> show
or
b self <ip_address> show
Table 1.1 explains additional special conventions used in command line syntax.
Item in text    Description
\               Indicates that the command continues on the following line, and that users should type the entire command without typing a line break.
< >             Identifies a user-defined parameter. For example, if the command has <your name>, type in your name, but do not include the brackets.
|               Separates parts of a command.
[]              Indicates that syntax inside the brackets is optional.
...             Indicates that you can type a series of items.
Online help for local traffic management
The Configuration utility has online help for each screen. The online help contains descriptions of each control and setting on the screen. Click the Help tab in the left navigation pane to view the online help for a screen.

Welcome screen in the Configuration utility
The Welcome screen in the Configuration utility contains links to many useful web sites and resources, including:
- The F5 Networks Technical Support web site
- The F5 Solution Center
- The F5 DevCentral web site
- Plug-ins, SNMP MIBs, and SSH clients

F5 Networks Technical Support web site
The F5 Networks Technical Support web site, https://support.f5.com, provides the latest documentation for the product, including:
- Release notes for the BIG-IP system, current and past
- Updates for guides (in PDF form)
- Technical notes
- Answers to frequently asked questions
- The Ask F5℠ Knowledge Base
To access this site, you need to register at https://support.f5.com.
2
Configuring nPath Routing
Introducing nPath routing
Configuring nPath routing
Setting timers for nPath configurations
Note
The type of virtual server that processes the incoming traffic must be a transparent, non-translating type of virtual server.

In bypassing the BIG-IP system on the return path, nPath routing departs significantly from a typical load-balancing configuration. In a typical load-balancing configuration, the destination address of the incoming packet is translated from that of the virtual server to that of the server being load balanced to, which then becomes the source address of the returning packet. A default route set to the BIG-IP system then sees to it that packets returning to the originating client return through the BIG-IP system, which translates the source address back to that of the virtual server. The nPath configuration differs from the typical load-balancing configuration, as you can see in the following section.
BIG-IP Local Traffic Manager: Implementations 2-1
Note
Do not attempt to use nPath routing for Layer 7 traffic. Certain traffic features do not work properly if Layer 7 traffic bypasses the BIG-IP system on the return path. An example of such a feature is HTTP response compression.
The default route on the content servers must be set to the router's internal address (10.1.1.1 in Figure 2.1, on page 2-1) rather than to the BIG-IP system's floating self IP address (10.1.1.10). This causes the return packet to bypass the BIG-IP system.

If you plan to use an nPath configuration for TCP traffic, you must create a Fast L4 profile with the following custom settings:
- Enable the Loose Close setting. When you enable the Loose Close setting, the TCP protocol flow expires more quickly, once a TCP FIN packet is seen. (A FIN packet indicates the tearing down of a previous connection.)
- Set the TCP Close Timeout setting to the same value as the profile idle timeout if you expect half closes. If not, you can set this value to 5 seconds.
Because address translation and port translation have been turned off, when the incoming packet arrives at the pool member it is load balanced to the virtual server address (176.16.1.1 in Figure 2.1, on page 2-1), not to the address of the server. For the server to respond to that address, that address must be configured on the loopback interface of the server and configured for use with the server software.
You need to complete the following tasks to configure the BIG-IP system to use nPath routing:
- Create a custom Fast L4 profile.
- Create a pool that contains the content servers.
- Define a virtual server with port and address translation disabled and assign the custom Fast L4 profile to it.
- Configure the virtual server address on each server loopback interface.
- Set the default route on your servers to the router's internal IP address.
- Ensure that the bigdb configuration key connection.autolasthop is enabled. Alternatively, on each content server, you can add a return route to the client.
For background information on profiles, pools, and virtual servers, see the Configuration Guide for BIG-IP Local Traffic Management.
Note
You perform the tasks contained in this guide using the Configuration utility; however, the procedures do not include the step of logging on to the Configuration utility. Before you begin the tasks, log on to the Configuration utility.
2-3
Chapter 2
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools. The Pools screen opens.
2. To create a new pool, click Create. The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.
3. Type a pool name and add the member addresses for each of the servers.
4. Click Finished.
2-4
d) Clear the Port Translation check box to disable port translation.
e) In the Resources section, choose the pool you created that contains the content servers.
6. Click Finished.
You need to set this route only if the virtual server is on a different subnet than the router. For information about how to define this route, please refer to the documentation provided with your router.
3
Basic Web Site and E-Commerce Configuration
Working with a basic web site and e-commerce configuration
Configuring a basic e-commerce site
To set up load balancing for these sites, you need to create two pools that are referenced by two virtual servers, one for each site. Even though the sites are related and they may even share the same IP address, each requires its own virtual server because it uses a different port to support its particular protocol: port 80 for the HTTP traffic going to www.siterequest.com, and port 443 for the SSL traffic going to store.siterequest.com. Note that this is true even when there is a port 80 and port 443 on the same physical server, as in the case of Server2.
Note
All examples in this document use only private class IP addresses. When you set up the configurations we describe, you must use valid IP addresses suitable to your own network in place of our sample addresses.
4
Installing a BIG-IP System without Changing the IP Network
Installing a BIG-IP system without changing IP networks
Configuring the BIG-IP system for the same IP network
The existing data center structure does not support load balancing or high availability. Figure 4.2, on page 4-2 is an example of the data center topology after you add the BIG-IP system.
Both the internal and external interfaces of the BIG-IP system are on the same IP network, 10.0.0.0, but they are effectively on different LANs. Figure 4.2 introduces a second switch.
Remove the self IP addresses from the individual VLANs
Routing is handled by the self IP address you create for the VLAN group.

Create a VLAN group
Create a VLAN group that includes the internal and external VLANs. This enables Layer 2 forwarding. (Layer 2 forwarding causes the two VLANs to behave as a single network.)

Create a self IP for the VLAN group
The self IP for the VLAN group provides a route for packets destined for the network.

Create a pool of web servers
Create a pool that contains the web servers that you want to load balance.

Create a virtual server
Create a virtual server that load balances the web servers.
Note
This example assumes that you are using the default internal and external VLAN configuration with self IP addresses on each of the VLANs that are on the same IP network on which you are installing the BIG-IP system.
Important
The default route on each content server should be set to the IP address of the router. In this example, you set the default route to 10.0.0.2.
We recommend that you perform this step from the console or from a self IP address you are not going to delete. If you are connected from a remote workstation through a self IP address that you are going to delete, you will be disconnected when you delete it.
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools. The Pools screen opens.
2. In the upper-right corner of the screen, click Create. The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as myweb_pool.
4. In the Resources area of the screen, use the New Members setting to add the pool members. In our example, pool members are 10.0.0.3:80 and 10.0.0.4:80.
5. Click Finished.
5
Web Hosting for Multiple Customers
Introducing multiple customer hosting
Hosting multiple customers using an external switch
Directly hosting multiple customers
4. For the Interfaces setting, from the Available box select the name of an interface on your internal network, and click the Move button (<<) to move the interface name to the Tagged box. This assigns the selected interface to the VLAN, as a tagged interface. In our example, the interface is 5.1.
5. Click Finished.
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools. The Pools screen opens.
2. In the upper-right corner of the screen, click Create. The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as customerA_pool.
4. In the Resources area of the screen, use the New Members setting to add the pool members. For example, in Figure 5.1, on page 5-1, the pool members for vlanA are 10.1.1.1:80 and 10.1.1.2:80. The pool members for vlanB are 10.1.2.1:80 and 10.1.2.2:80, and the pool members for vlanC are 10.1.3.1:80 and 10.1.3.2:80.
5. Click Finished.
3. In the Name box, type a name for the virtual server, such as vs_customerA.
4. In the Destination box, verify that the type of virtual server is Host, and in the Address box, type an IP address for the virtual server, such as 10.1.10.10:80.
5. In the Service Port box, type 80, or select HTTP from the list.
6. In the Configuration area of the screen, locate the HTTP Profile setting and select http.
7. In the Resources area of the screen, locate the Default Pool setting and select the pool corresponding to the virtual server you are creating. For example, for vs_customerA, you would select the pool customerA_pool. For vs_customerB, you would select the pool customerB_pool, and so on.
8. Click Finished.
In Figure 5.2, two BIG-IP system interfaces are assigned to each VLAN. For example, interfaces 1.1 and 1.2 are assigned to the vlanA VLAN. Each interface is assigned to a VLAN as an untagged interface. The first scenario, shown in Figure 5.1, on page 5-1, requires an additional switch, but requires the use of only one interface on the internal network. The second scenario, shown in Figure 5.2, removes the need for an additional switch, but requires the use of multiple BIG-IP system interfaces.
Once you have created your VLANs and assigned untagged interfaces to them, you can create the pools and virtual servers, just as you did in the section Hosting multiple customers using an external switch, on page 5-2.
6
A Simple Intranet Configuration
Working with a simple intranet configuration
Creating the simple intranet configuration
- HTTP connections to the company's intranet web site. The BIG-IP system load balances the two web servers that host the corporate intranet web site, Corporate.main.net.
- HTTP connections to Internet content. These are handled through a pair of cache servers that are also load balanced by the BIG-IP system.
- Non-HTTP connections to the Internet.
As Figure 6.1, on page 6-1 shows, the non-intranet connections are handled by wildcard virtual servers, that is, servers with the IP address 0.0.0.0. The wildcard virtual server that is handling traffic to the cache servers is port specific, specifying port 80 for HTTP requests. This way all HTTP requests not matching an IP address on the intranet are directed to the cache server. The wildcard virtual server handling non-HTTP requests is a default wildcard server. A default wildcard virtual server is one that uses only port 0. This makes it a catch-all match for outgoing traffic that does not match any standard virtual server or any port-specific wildcard virtual server.
Creating pools
The first task in a basic configuration is to define the two load balancing pools: a pool for the intranet content servers, and a pool for the Internet cache servers.
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools. The Pools screen opens.
2. In the upper-right corner of the screen, click Create. The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as http_pool.
4. In the Resources area of the screen, use the New Members setting to add the pool members. For example, in Figure 6.1, on page 6-1, the pool members for http_pool are 192.168.100.10:80 and 192.168.100.11:80. The pool members for specificport_pool are 192.168.100.20:80 and 192.168.100.21:80.
5. Click Finished.
7
Load Balancing ISPs
Introducing ISP load balancing
Configuring ISP load balancing
Configuring address translation for outbound traffic
This type of configuration requires you to configure network address translation (NAT) on your routers. If your routers cannot perform NAT, you can use the VLAN SNAT automap feature on the BIG-IP system.
Create two load balancing pools
Define one pool that load balances the content servers. Define another pool that load balances the inside addresses of the routers.

Configure virtual servers for inbound and outbound traffic
Configure virtual servers to load balance inbound connections across the servers, and one to load balance outbound connections across the routers.

Configure NATs or a SNAT automap for outbound traffic
Configure NATs or SNAT automap for outbound traffic so that replies arrive through the same ISP the request went out on.
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools. The Pools screen opens.
2. In the upper-right corner of the screen, click Create. The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as content_pool or router_pool.
4. In the Resources area of the screen, use the New Members setting to add the pool members. For example, in Figure 7.1, on page 7-1, the pool members for pool content_pool are 10.1.1.1:80, 10.1.1.2:80, and 10.1.1.3:80. The pool members for pool router_pool are 192.168.100.1:0 and 192.168.200.1:0.
5. Click Finished.
4. In the Destination box, verify that the type of virtual server is Host, and in the Address box, type an IP address for the virtual server. For example, you can assign the IP address 0.0.0.0:0 to the virtual server, making it a wildcard virtual server.
5. In the Resources area of the screen, locate the Default Pool setting and select the pool corresponding to the virtual server you are creating. For example, for vs_routers, you would select the pool router_pool.
6. Click Finished.
For instructions on configuring routers to perform network address translation, see the vendor documentation that pertains to your router.

To configure address translation for outbound traffic, you must:
- Assign IP-specific self IP addresses to the BIG-IP system external VLAN, corresponding to the IP networks of the two routers.
- Enable SNAT automap for each of the external VLAN self IP addresses and the internal VLAN.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a SNAT.
3. In the Name box, type a unique name for the SNAT.
4. From the Translation list, select Automap.
5. From the VLAN Traffic list, select Enabled On. This displays the VLAN List setting.
6. For the VLAN List setting, from the Available box select the internal and external VLAN names, and click the Move button (<<) to move the VLAN names to the Selected box.
7. Click Finished.
8
Load Balancing HTTP Traffic with Source Address Affinity Persistence
Introducing basic HTTP load balancing
Configuring HTTP load balancing with source address affinity persistence
Creating a pool
The first task in a basic configuration is to create a load balancing pool to load balance HTTP connections. Use the Configuration utility to create this pool.
9
Load Balancing HTTP Traffic with Cookie Persistence
Introducing basic HTTP load balancing
Configuring HTTP load balancing with cookie persistence
Creating a pool
The next task is to create a load balancing pool to which to load balance HTTP connections.
4. In the Destination box:
a) Verify that the type of virtual server is Host.
b) In the Address box, type an IP address for the virtual server.
5. In the Service Port box, type 80, or select HTTP from the list.
6. In the Configuration area of the screen, retain the value of the Protocol setting, TCP.
7. From the HTTP Profile list, select http. This assigns the default HTTP profile to the virtual server.
8. In the Resources area of the screen, locate the Default Pool setting and select the name of the HTTP pool you created in the previous section (for example, http_pool).
9. From the Default Persistence Profile list, select the name of the custom cookie profile you created earlier, such as mycookie_profile. This implements cookie persistence, using the custom cookie profile.
10. Click Finished.
Note
You can also use HTTP Cookie Insert persistence with a Performance (HTTP) type of virtual server.
10
Compressing HTTP Responses
Introducing HTTP data compression
Creating a custom HTTP profile
Creating a virtual server
If you want to enable HTTP compression for specific connections, you can write an iRule that specifies the HTTP::compress enable command.

Using the BIG-IP system HTTP compression feature, you can include or exclude certain types of URIs or files that you specify. This is useful because some URI or file types might already be compressed. F5 does not recommend using CPU resources to compress already-compressed data because the cost of compressing the data usually outweighs the benefits. Examples of regular expressions that you might want to specify for exclusion are .*\.pdf, .*\.gif, or .*\.html.

To configure HTTP data compression, you need to:
- Create a custom HTTP profile.
- Create a virtual server to process compressed HTTP responses.
For more detailed, background information on configuring compression and virtual servers, see the Configuration Guide for BIG-IP Local Traffic Management.
9. For all other settings in the Compression area of the screen, retain the default values, or configure them to suit your needs.
10. Click Finished.
After you have created a custom HTTP profile and a virtual server, you can test the configuration by attempting to pass HTTP traffic through the virtual server. Check to see that the BIG-IP system includes and excludes the responses that you specified in the custom profile, and that the system compresses the data as specified.
11
Configuring HTTPS Load Balancing
Introducing HTTPS load balancing
Creating an SSL key and certificate
Creating a custom SSL profile
Creating a pool
Creating a virtual server
Client-side SSL
A common way to configure the BIG-IP system is to enable client-side SSL. This enables the system to decrypt client requests before sending them on to a server, and encrypt server responses before sending them back to the client. In this case, you need to install only one key/certificate pair on the system.

Server-side SSL
Another way to configure the BIG-IP system is to enable server-side SSL. This enables the system to encrypt requests that the BIG-IP system sends to the target web server, and decrypt server responses before sending them back to the client. In this case, you need to install a second key/certificate pair on the system (in addition to the key/certificate pair that you install for client-side SSL).
The first step in the configuration is to install the required key/certificate pairs. Then you can create a custom Client SSL profile, and optionally, a custom Server SSL profile. Client SSL and Server SSL profiles are traffic profiles that determine the way that the BIG-IP system processes client requests or server responses that are sent by way of a fully SSL-encapsulated protocol (in this case, HTTPS). Next, you create a pool of servers for load balancing the HTTPS requests. Finally, you must create a virtual server to process the HTTPS traffic, according to the settings you configured in the custom Client SSL and Server profiles. For more detailed, background information on SSL certificates, SSL profiles, load balancing pools, and virtual servers, see the Configuration Guide for BIG-IP Local Traffic Management.
Creating a pool
The next task in this process is to create a load balancing pool to load balance HTTPS connections. After you create the pool, you assign it to a virtual server that you create.
After you have created the required SSL key/certificate pairs, one or two custom SSL profiles, a load balancing pool, and a virtual server, you can test the configuration by attempting to pass HTTPS traffic through the virtual server to the pool.
12
Configuring HTTPS Load Balancing with Data Compression
Introducing HTTPS load balancing with compression
Creating an SSL key and certificate
Creating a custom Client SSL profile
Creating a custom HTTP profile for compression
Creating a pool
Creating a virtual server
For information on configuring server-side SSL processing, see Chapter 11, Configuring HTTPS Load Balancing.
b) Specify values for content you want to include or exclude from compression. Examples of content types that you can specify are application/pdf and image/**.
9. For all other settings in the Compression area of the screen, retain the default values, or configure them to suit your needs.
10. Click Finished.
Creating a pool
The next task in the process is to create a load balancing pool to load balance HTTPS connections. After you create the pool, you assign it to a virtual server that you create.
You can now test the configuration by attempting to pass HTTPS traffic through the virtual server. Check to see that the BIG-IP system includes and excludes the responses that you specified in the custom HTTP profile, and that the system compresses the data as specified.
13
Using RAM Cache for HTTP Traffic
Introducing HTTP RAM Cache
Creating a custom HTTP profile
Creating a virtual server
High demand objects
This feature is useful if a site has periods of high demand for specific content. With RAM Cache configured, the content server only has to serve the content to the BIG-IP system once per expiration period.

Static content
This feature is also useful if a site consists of a large quantity of static content such as CSS, javascript, or images and logos.

Content compression
For compressible data, the RAM Cache can store data for clients that can accept compressed data. When used in conjunction with the compression feature on the BIG-IP system, the RAM Cache takes stress off of the BIG-IP system and the content servers.
Chapter 14: Load Balancing Passive Mode FTP Traffic
Introducing FTP load balancing
Creating a custom FTP monitor
Creating a pool
Creating a virtual server
Creating a pool
To load balance passive mode FTP traffic, you create a load balancing pool. When you create the pool, you assign the custom FTP monitor that you created in the previous task. After creating the pool, you assign it to the virtual server that you create.
Chapter 15: Load Balancing Passive Mode FTP Traffic with Rate Shaping
Introducing FTP load balancing with rate shaping
Creating a custom FTP monitor
Creating a pool
Creating a rate class
Creating a virtual server
Creating a pool
To load balance passive mode FTP traffic, you create a load balancing pool. When you create the pool, you assign the custom FTP monitor that you created in the previous task.
To create a pool for load balancing FTP traffic with rate shaping
1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools. The Pools screen opens.
2. In the upper-right corner of the screen, click Create. The New Pool screen opens.
   Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as ftp_pool.
4. For the Health Monitors setting, from the Available box select the name of the custom FTP monitor, such as my_ftp_monitor, and click the Move button (<<) to move the monitor name to the Active box.
5. Ensure that the Priority Group Activation setting is set to Disabled.
6. For the New Members setting, add the pool members:
   a) Click the New Address option.
   b) In the Address box, type the IP address of a server in the pool.
   c) From the Service Port list, select FTP.
   d) Click Add.
   e) Repeat steps b, c, and d for each server in the pool.
7. Click Finished.
After you create the pool, you assign it to the virtual server that you create in the next task.
Rate shaping is an optional feature of the BIG-IP system. Before attempting to implement rate shaping, verify that you are licensed to use the feature.
Chapter 16: Setting up a One-IP Network Topology
Introducing the one-IP network topology
Creating a pool for a one-IP network topology
Creating a virtual server
Defining a default route
Configuring a client SNAT
To set up this configuration, you need to complete the following tasks on the BIG-IP system:
Create a load balancing pool for the content servers.
Create a virtual server to load balance traffic to the content server pool.
Define a default route for the external VLAN.
Configure a SNAT for the client.
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools. The Pools screen opens.
2. In the upper-right corner of the screen, click Create. The New Pool screen opens.
   Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.
3. From the Configuration list, select Advanced.
4. In the Name box, type a name for the pool, such as server_pool.
5. For the Health Monitors setting, from the Available box select http, and click the Move button (<<) to move the monitor name to the Active box.
6. For the Allow SNAT setting, verify that the value is Yes.
7. For the remaining settings in the Configuration area of the screen, retain the default values.
8. In the Resources area of the screen, use the default values for the Load Balancing Method and Priority Group Activation settings.
9. For the New Members setting, add the pool members:
   a) Click the New Address option.
   b) In the Address box, type the IP address of a server in the pool.
   c) In the Service Port box, type 80, or select HTTP.
   d) Click Add.
   e) Repeat steps b, c, and d for each server in the pool.
10. Click Finished.
Note
If you are defining a default route for a route domain other than route domain 0 (the default route domain), the procedure varies slightly. For more information, see the TMOS Management Guide for BIG-IP Systems.
Chapter 17: Using Link Aggregation with Tagged VLANs
Introducing link aggregation with tagged VLAN interfaces
Using the two-network aggregated tagged interface topology
Using the one-network aggregated tagged interface topology
Figure 17.1 An example of an aggregated two-interface load balancing configuration with two IP networks
To configure the BIG-IP system for the two-network implementation, you must complete the following tasks:
Create a trunk to aggregate the links.
Add the trunk as a tagged interface to VLAN internal and VLAN external.
Create a pool of web servers that you want to load balance.
Create a virtual server that load balances the web servers.
Note
This example assumes that you are using the default internal and external VLAN configuration. It also assumes that the self IP addresses on each VLAN are on the same IP networks as the BIG-IP system.
To aggregate links
1. On the Main tab of the navigation pane, expand Network, and click Trunks. The Trunks screen opens.
2. In the upper-right corner of the screen, click Create. The New Trunk screen opens.
   Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a trunk.
3. In the Name box, type a name for the trunk, such as trunk1.
4. For the Interfaces setting, locate the Available box and select an interface.
   Note: The lowest-numbered interface is the controlling or reference interface.
5. Using the Move button, move the interface number to the Members box.
6. Repeat step 5 for all interfaces that you want to include as trunk members.
7. For the LACP setting, check the box. This enables dynamic link aggregation.
8. Click Finished.
You should perform this task from the management interface; otherwise you will be disconnected from the BIG-IP system.
3. For the Interfaces setting, locate the Available box and select the name of the trunk that you created in the previous procedure.
4. Click the Move button to move the trunk name to the Tagged box. This assigns the trunk to the VLAN, as a tagged interface.
5. Click Update.
6. Return to the list of existing VLANs.
7. Repeat steps 2 - 5 for VLAN external.
8. Click Update.
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and click Pools. The Pools screen opens.
2. In the upper-right corner of the screen, click Create. The New Pool screen opens.
   Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as myweb_pool.
4. For the New Members setting, add the pool members:
   a) Click the New Address option.
   b) In the Address box, type the IP address of a web server in the pool.
   c) From the Service Port list, select a service.
   d) Click Add.
   e) Repeat steps b, c, and d for each server in the pool.
5. Click Finished.
Figure 17.2 An example of an aggregated two-interface load balancing configuration with one IP network
You configure the one-network topology in exactly the same way as the two-network topology (allowing for the fact that the virtual server address will now belong to the same network as the servers), with one additional step: the internal and external VLANs need to be grouped. Therefore, to configure the BIG-IP system for this implementation, you must complete the following tasks:
Configure the tagged interfaces, load balancing pool, virtual server, and trunk exactly as in the two-network configuration. For more information, see Using the two-network aggregated tagged interface topology, on page 17-2.
Remove the self IP addresses from the internal and external VLANs.
Combine the internal and external VLANs into a VLAN group.
Assign a self IP address to the VLAN group.
You should perform this task from the management interface; otherwise you will be disconnected from the BIG-IP system.
A VLAN group name can be used anywhere that a VLAN name can be used.
   Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a VLAN group.
4. In the Name box, type the name myvlangroup.
5. For the VLANs setting, use the Move button to move the internal and external VLAN names from the Available box to the Members box.
6. Click Finished.
Chapter 18: Setting Up Packet Filtering
Packet filter rules are unrelated to iRules. You can also configure global packet filtering options that apply to all packet filter rules that you create. The following sections describe how to set global packet filtering options, and how to create and manage individual packet filter rules.
By setting up some basic IP routing and configuring packet filtering, specific hosts on the internal VLAN can connect to the internal VLAN's self IP address. These hosts can also use common Internet services such as HTTP, HTTPS, DNS, FTP, and SSH. Traffic from all other hosts on the internal VLAN is rejected. To configure this implementation, you must:
Create a SNAT.
Create a pool of routers (also known as a gateway pool).
Create a forwarding virtual server.
Create a packet filter rule.
Creating a SNAT
The first task in implementing packet filtering is to create a SNAT.
To create a SNAT
1. On the Main tab of the navigation pane, expand Local Traffic, and click SNATs. The SNATs screen opens.
2. In the upper-right corner, click Create. The New SNAT screen opens.
   Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a SNAT.
3. In the Name box, type a unique name for the SNAT.
4. From the Translation list, select Automap.
5. From the VLAN Traffic list, select Enabled On. This displays the VLAN List setting.
6. For the VLAN List setting, from the Available box select internal and external, and click the Move button (<<) to move the VLAN names to the Selected box.
7. Click Finished.
4. In the Resources area of the screen, use the New Members setting to add the pool members. The members you add are router IP addresses.
5. Click Finished.
   Note: Replace <internal self IP address> with the actual self IP address of VLAN internal. Also, see the tcpdump man page for general information about building expressions.
14. Click Finished.
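Packet filter rules are evaluated in order, and the first rule that matches a packet decides its fate; a packet that no rule matches falls through to the filter's unhandled-packet action. The following model of that evaluation is an added example, not F5 code and not the tcpdump expression the procedure above asks for. It encodes the policy this chapter describes (two permitted internal hosts may reach the internal self IP and the common Internet services; everything else on the internal VLAN is rejected) and shows why listing the broad reject first turns the accepts into dead rules. The addresses, the host list and the packet records are constructed assumptions; the page leaves <internal self IP address> as a placeholder.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (assumptions for the demonstration only).
INTERNAL_SELF_IP = ip_address("10.10.10.1")
INTERNAL_NET = ip_network("10.10.10.0/24")
PERMITTED_HOSTS = {ip_address("10.10.10.50"), ip_address("10.10.10.51")}
# The "common Internet services" the chapter names: HTTP, HTTPS, DNS, FTP and SSH.
SERVICE_PORTS = {("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53), ("tcp", 21), ("tcp", 22)}


def packet(src, dst, proto, dport, vlan="internal"):
    """A minimal packet record holding the fields a filter expression can test."""
    return {"src": ip_address(src), "dst": ip_address(dst), "proto": proto, "dport": dport, "vlan": vlan}


class Rule:
    """One packet filter rule: an ordered entry with an action and a match predicate."""

    def __init__(self, name, action, match):
        self.name, self.action, self.match = name, action, match


def evaluate(rules, pkt, unhandled_action="reject"):
    """First matching rule wins, in list order; a packet no rule matches gets the unhandled action."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action, rule.name
    return unhandled_action, "unhandled"


def from_permitted_host(p):
    return p["vlan"] == "internal" and p["src"] in PERMITTED_HOSTS


PERMIT_SELF_IP = Rule("permit_self_ip", "accept",
                      lambda p: from_permitted_host(p) and p["dst"] == INTERNAL_SELF_IP)
PERMIT_SERVICES = Rule("permit_services", "accept",
                       lambda p: from_permitted_host(p) and (p["proto"], p["dport"]) in SERVICE_PORTS)
REJECT_INTERNAL = Rule("reject_internal", "reject",
                       lambda p: p["vlan"] == "internal" and p["src"] in INTERNAL_NET)

# Intended order: the narrow accepts first, then the broad reject.
CORRECT_ORDER = [PERMIT_SELF_IP, PERMIT_SERVICES, REJECT_INTERNAL]
# Same rules with the broad reject first: it matches every internal packet, so the accepts never fire.
WRONG_ORDER = [REJECT_INTERNAL, PERMIT_SELF_IP, PERMIT_SERVICES]

# Constructed sample traffic (documentation address ranges).
SAMPLES = {
    "permitted host to self IP over SSH": packet("10.10.10.50", "10.10.10.1", "tcp", 22),
    "permitted host to Internet over HTTPS": packet("10.10.10.51", "198.51.100.10", "tcp", 443),
    "permitted host to Internet over SMTP": packet("10.10.10.51", "198.51.100.10", "tcp", 25),
    "other internal host to Internet over HTTP": packet("10.10.10.99", "198.51.100.10", "tcp", 80),
}


def decisions(rules):
    """Action taken for each sample packet under the given rule order."""
    return {label: evaluate(rules, p)[0] for label, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, action in decisions(CORRECT_ORDER).items():
        print(f"{action:7} {label}")
    print("with the reject listed first:", set(decisions(WRONG_ORDER).values()))
```

When you translate a policy like this into real rules, write each tcpdump expression as narrowly as the accept above (source host, destination, protocol and port), keep the rejects after the accepts, and test with a packet from a non-permitted host as well as from a permitted one, so that a rule-order mistake shows up as a rejected packet rather than an open network.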
Chapter 19: Implementing Health and Performance Monitors
Introducing health and performance monitors
Creating a custom monitor
Creating a pool
Creating a virtual server
Monitor types
Every monitor, whether pre-configured or custom, is a certain type of monitor. Each type of monitor checks the status of a particular protocol, service, or application. For example, one type of monitor is HTTP. An HTTP type of monitor allows you to monitor the availability of the HTTP service on a pool, pool member, or node. A WMI type of monitor allows you to monitor the performance of a pool, pool member, or node that is running the Windows Management Instrumentation (WMI) software. An ICMP type of monitor simply determines whether the status of a node is up or down.
Monitor settings
Every monitor consists of settings with values. The settings and their values differ depending on the type of monitor. In some cases, the BIG-IP system assigns default values. For example, Figure 19.1 shows the settings and default values of an ICMP-type monitor.

Setting          Value
Name             my_icmp
Type             ICMP
Interval         5
Timeout          16
Transparent      No
Alias Address    * All Addresses
To implement a health monitor, you complete these tasks:
Create a custom monitor or decide to use a pre-configured monitor.
Create a pool for load balancing traffic, and assign a monitor to the pool.
Create a virtual server for processing traffic.
The remainder of this chapter describes how to create these objects.
Note
If you want to monitor the performance of a RealNetworks RealServer server or a Windows server equipped with Windows Management Instrumentation (WMI), you must first download a special plug-in file onto the BIG-IP system. For more information, see the Configuration Guide for BIG-IP Local Traffic Management.
Creating a pool
When you create the pool to load balance traffic, you assign the custom monitor that you created in the previous section to a load balancing pool. Then, after creating the pool, you assign it to the virtual server that you create in the next section.
4. In the Members column, click the address of the pool member for which you want to assign a unique monitor. This displays the properties of that pool member.
5. From the Configuration list, select Advanced. This displays the Health Monitors setting.
6. From the Health Monitors list, select Member Specific.
7. Click Update.
Chapter 20: Load Balancing Traffic to IPv6 Nodes
7. Verify that the IPv6 nodes have auto-configured their addresses for this prefix.
8. Take note of the addresses of the HTTP service IPv6 nodes. These addresses are required for the next step in the process, configuring IPv4-to-IPv6 load balancing.
Chapter 21: Implementing Overlapping IP Addresses
The sample configuration in Figure 21.1, on page 21-2 contains these objects:
Two route domains
The route domains are named 1 and 2.
Two VLANs per route domain
For route domain 1, these VLANs are named vlan_clientside1 and vlan_serverside1. For route domain 2, these VLANs are named vlan_clientside2 and vlan_serverside2.
Two self IP addresses per route domain
For route domain 1, the self IP addresses are 12.1.1.254%1 and 10.2.1.254%1. For route domain 2, the self IP addresses are 12.1.1.254%2 and 10.2.1.254%2.
Two client nodes per route domain
For route domain 1, the client IP addresses are 12.1.1.101%1 and 12.1.1.102%1. For route domain 2, the client IP addresses are 12.1.1.101%2 and 12.1.1.102%2.
Two server nodes per route domain
For route domain 1, the server node IP addresses are 10.2.1.101%1 and 10.2.1.102%1. For route domain 2, the server node IP addresses are 10.2.1.101%2 and 10.2.1.102%2.
Two virtual addresses per route domain
For route domain 1, the virtual addresses are 12.1.1.253%1 and 10.2.1.253%1. For route domain 2, the virtual addresses are 12.1.1.253%2 and 10.2.1.253%2.
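Every address in this chapter carries a %ID suffix, and that suffix is what keeps the two sets of otherwise identical addresses apart. The following parser and lookup table is an added example, written for this guide and not F5 code: it parses the <IP>%<route domain> notation, keys objects by (route domain, address), and shows that 10.2.1.101%1 and 10.2.1.101%2 are two different objects while a bare 10.2.1.101 refers to route domain 0, where this configuration defines nothing. The object labels are constructed; the addresses are the chapter's own.

```python
import re
from ipaddress import ip_address

# Route-domain address syntax used throughout this chapter: <IP>%<route domain ID>.
RD_ADDRESS = re.compile(r"^(?P<ip>[0-9A-Fa-f.:]+)(?:%(?P<rd>\d+))?$")


def parse_rd_address(text):
    """Split '12.1.1.254%1' into (IPv4Address('12.1.1.254'), 1).
    A bare address belongs to route domain 0, the default route domain."""
    m = RD_ADDRESS.match(text.strip())
    if not m:
        raise ValueError(f"not a route-domain address: {text!r}")
    return ip_address(m.group("ip")), int(m.group("rd") or 0)


def format_rd_address(ip, rd):
    return str(ip) if rd == 0 else f"{ip}%{rd}"


class RouteDomainTable:
    """Objects keyed by (route domain, address): the same IP in two domains is two distinct objects."""

    def __init__(self):
        self.entries = {}

    def add(self, text, obj):
        key = parse_rd_address(text)
        if key in self.entries:
            raise KeyError(f"{format_rd_address(*key)} is already defined in route domain {key[1]}")
        self.entries[key] = obj

    def lookup(self, text):
        return self.entries.get(parse_rd_address(text))

    def by_domain(self, rd):
        return sorted(format_rd_address(ip, d) for (ip, d) in self.entries if d == rd)


def build_sample_table():
    """The chapter's sample objects (self IPs, server nodes, virtual addresses) for route domains 1 and 2.
    The descriptive labels are constructed for the example."""
    t = RouteDomainTable()
    for rd in (1, 2):
        t.add(f"12.1.1.254%{rd}", f"self IP on vlan_clientside{rd}")
        t.add(f"10.2.1.254%{rd}", f"self IP on vlan_serverside{rd}")
        t.add(f"10.2.1.101%{rd}", f"node in pool_rd{rd}")
        t.add(f"10.2.1.102%{rd}", f"node in pool_rd{rd}")
        t.add(f"12.1.1.253%{rd}", f"virtual address for vs_clientside_rd{rd}")
        t.add(f"10.2.1.253%{rd}", f"virtual address for vs_serverside_rd{rd}")
    return t


def demo():
    t = build_sample_table()
    return (
        t.lookup("10.2.1.101%1"),  # node in pool_rd1
        t.lookup("10.2.1.101%2"),  # node in pool_rd2: same IP, different object
        t.lookup("10.2.1.101"),    # None: without %ID this is route domain 0, where nothing is defined
        len(t.entries),            # 12
    )


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The practical lesson is the third lookup: an address typed without its %ID is not a typo the system can catch, it is a valid reference to route domain 0. When you copy the sample addresses into pools, routes and virtual servers, check that every one of them carries the suffix for the domain you intend.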
Note
For information on the syntax for bigpipe or tmsh commands, see the Bigpipe Utility Reference Guide and the Traffic Management Shell (tmsh) Reference Guide.
route domain 1, except for the route ID. In our example, the self IP addresses for route domain 2 are 12.1.1.254%2 and 10.2.1.254%2, and you assign the VLANs vlan_clientside2 and vlan_serverside2 to these addresses.
c) A route to the other client-side node in route domain 1. In this case, still using our example, the destination address is 12.1.1.102%1, and the gateway address and VLAN name are the same as in the previous step (12.1.1.254%1 and vlan_clientside1, respectively).
Two routes corresponding to each of the two server-side nodes in pool_rd2 (nodes 10.2.1.101%2 and 10.2.1.102%2), specifying either the gateway address 10.2.1.254%2 or the VLAN name vlan_serverside2.
Two routes corresponding to each of the two client-side nodes (nodes 12.1.1.101%2 and 12.1.1.102%2), where the gateway address and VLAN name are 12.1.1.254%2 and vlan_clientside2, respectively.
7. From the Configuration list, select Advanced and do the following:
   a) From the Type list, select Performance (Layer 4). For information on this virtual server type, see the Configuration Guide for BIG-IP Local Traffic Management.
   b) Except for the Default Pool setting, retain all default values.
8. From the Default Pool list, select the name of the pool for route domain 1. In our example, this name is pool_rd1.
9. Click Finished.
10. Repeat this procedure to create a client-side virtual server for route domain 1. In our example, the virtual server name is vs_clientside_rd1 and the virtual server address is 12.1.1.253%1. You can skip step 8, selecting a default pool name.
Create a virtual server with a name such as vs_serverside_rd2 with an IP address of 10.2.1.253%2.
Create a virtual server with a name such as vs_clientside_rd2 with an IP address of 12.1.1.253%2. You can skip step 8, selecting a default pool name.
Chapter 22: Mitigating Denial of Service and Other Attacks
Basic denial of service security overview
Configuring adaptive connection reaping
Simple DoS prevention configuration
Filtering out attacks with iRules
How the BIG-IP system handles several common attacks
Hardened and dedicated kernel
The BIG-IP kernel has a built-in mechanism to protect against SYN flood attacks: it limits simultaneous connections and tears down connections whose SYN/ACK packets remain unacknowledged after a period of time has passed. (A SYN/ACK packet is the second packet of the TCP three-way handshake.)
High performance
The BIG-IP system can handle tens of thousands of Layer 4 (L4) connections per second. It would take a very determined attack to affect either the BIG-IP system itself or the site, if sufficient server resources and bandwidth are available.
Large amount of available memory
SYN floods and other denial-of-service (DoS) attacks can consume all available memory. The BIG-IP system supports a large amount of memory to help it resist DoS attacks.
This chapter describes several configurations that help mitigate DoS attacks. The configurations described include:
How to configure the adaptive reapers to allow the BIG-IP system to respond to attacks, following.
A basic configuration to defend against denial of service attacks, on page 22-4.
Several examples of iRules syntax you can use to filter out specific known attacks, on page 22-7.
For more information about these tasks, click the Help tab in the Configuration utility, or see the Configuration Guide for BIG-IP Local Traffic Management.
The adaptive reaper settings do not apply to SSL connections. However, you can set TCP and UDP connection timeouts that reap idle SSL connections. For more information see Setting the TCP and UDP connection timers, on page 22-4.
Tip
There is generally no need to change these values as they represent an optimal solution for most BIG-IP system deployments.
Important
Setting both of the adaptive reaper values to 100 disables this feature.
When the adaptive reaper high water limit is reached, the LCD displays the message Blocking DoS Attack.
To set the adaptive reaper logging level from the command line
1. Open a console on the BIG-IP system.
2. Type the following command to view the adaptive reaper logging level:
   bp db Log.DosProtect.Level list
3. Choose the logging level for the adaptive reaper. The following levels display the message Blocking DoS Attack on the LCD when the Reaper High Water Mark is exceeded:
   Emergency
   Alert
   Critical
   Error
   Warning
   The following levels do not display the Blocking DoS Attack message on the LCD:
   Notice
   Informational
4. Type the following command to set the adaptive reaper logging level, where <log level> is the logging level:
   bp db Log.DosProtect.Level "<log level>"
The rate class module requires a license key. If you do not have this functionality and you would like to purchase a license key, contact F5 Networks.
After you create a rate class, you can apply it to the virtual servers in the configuration.
Figure 22.1 A sample iRule for filtering out a Code Red attack
Take care any time you lower the idle session reaping time outs. It is possible that valid connections will be reaped if the application cannot respond in time.
SYN flood
A SYN flood is an attack against a system for the purpose of exhausting that system's resources. An attacker launching a SYN flood against a target system attempts to occupy all available resources used to establish TCP connections by sending many SYN segments with spoofed source IP addresses. SYN is the TCP flag set on the first segment of the three-way handshake; SYN-RECEIVED is the state a listener enters after answering that segment with a SYN/ACK. More specifically, a SYN flood is designed to fill up a SYN queue. A SYN queue is the set of connections stored in the connection table in the SYN-RECEIVED state, as part of the standard three-way TCP handshake. A SYN queue can hold a specified maximum number of connections in the SYN-RECEIVED state. Connections in the SYN-RECEIVED state are considered to be half-open and waiting for an acknowledgement from the client. When a SYN flood causes the maximum number of allowed connections in the SYN-RECEIVED state to be reached, the SYN queue is said to be full, thus preventing the target system from establishing other legitimate connections. A full SYN queue therefore consists of half-open TCP connections to IP addresses that either do not exist or are unreachable, and those connections must reach their timeout before the server can continue fulfilling other requests.
The SYN Check feature complements the existing adaptive reaper feature in the BIG-IP system. While the adaptive reaper handles established connection flooding, SYN Check prevents connection flooding altogether. That is, while the adaptive reaper must work overtime to flush connections, the SYN Check feature prevents the SYN queue from becoming full, thus allowing the target system to continue to establish TCP connections. You can configure the BIG-IP system to activate the SYN Check feature when some threshold of connections has been reached on the system.
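The two defences described above differ in what they keep in memory. The simulation below is an added example written for this guide, not F5 code, and it does not describe how SYN Check or the adaptive reaper are implemented inside the BIG-IP system. It models a stateful SYN queue with an adaptive reaper (idle timeout shrinks as the table fills between a low and a high water mark; both marks at 100 % disables the reaper, as the Important note above says) and, for contrast, a SYN-cookie scheme of the kind a SYN Check style defence uses, in which no entry is stored per SYN and the client's final ACK is validated by recomputation. The queue size, water marks, timeout, secret and the flood traffic are all constructed assumptions; the reaper's scaling curve is a plausible model, not the system's actual one.

```python
import hashlib
import hmac

# Constructed parameters: real connection-table sizes and reaper defaults are not on this page.
QUEUE_CAPACITY = 8       # half-open (SYN-RECEIVED) entries the listener will hold
BASE_TIMEOUT = 30.0      # seconds a half-open entry may wait for its ACK when the table is not under pressure
LOW_WATER = 0.75         # reaper starts shortening timeouts at 75 % utilisation
HIGH_WATER = 0.95        # and reaps half-open entries immediately from 95 % upward


class SynQueue:
    """Stateful SYN queue with an adaptive reaper: the fuller the table, the shorter the idle timeout."""

    def __init__(self, capacity=QUEUE_CAPACITY, low=LOW_WATER, high=HIGH_WATER):
        self.capacity, self.low, self.high = capacity, low, high
        self.half_open = {}  # (src_ip, src_port) -> time the SYN arrived

    def effective_timeout(self):
        u = len(self.half_open) / self.capacity
        if (self.low >= 1.0 and self.high >= 1.0) or u < self.low:  # both marks at 100 % disables the reaper
            return BASE_TIMEOUT
        if u >= self.high:
            return 0.0
        return BASE_TIMEOUT * (self.high - u) / (self.high - self.low)  # assumed linear scaling

    def reap(self, now):
        ttl = self.effective_timeout()
        stale = [k for k, t in self.half_open.items() if now - t >= ttl]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def on_syn(self, src, now):
        """Return True if a half-open entry was created (the listener answered with SYN/ACK)."""
        self.reap(now)
        if len(self.half_open) >= self.capacity:
            return False  # queue full: the SYN is dropped, legitimate or not
        self.half_open[src] = now
        return True

    def on_ack(self, src):
        """The handshake completes only if the half-open entry still exists."""
        return self.half_open.pop(src, None) is not None


def flood_then_legit(queue, flood_size=50, flood_during_rtt=10):
    """Spoofed SYNs that are never acknowledged, then one real client whose ACK arrives one RTT later.
    Returns (real SYN accepted, real ACK matched its half-open entry)."""
    clock = [0.0]

    def attacker_syn(i):
        queue.on_syn(("198.51.100.%d" % (i % 250), 40000 + i), clock[0])  # spoofed source, never ACKed
        clock[0] += 0.01

    for i in range(flood_size):
        attacker_syn(i)
    real = ("203.0.113.7", 51515)
    syn_accepted = queue.on_syn(real, clock[0])
    for i in range(flood_size, flood_size + flood_during_rtt):  # the flood does not pause during the RTT
        attacker_syn(i)
    return syn_accepted, syn_accepted and queue.on_ack(real)


# --- SYN cookies: keep no state per SYN, validate the final ACK instead ---
SECRET = b"constructed-demo-secret"  # assumption: a real implementation rotates this


def syn_cookie(src_ip, src_port, dst_port, time_slot):
    """Stateless initial sequence number: keyed hash of the peer and a coarse time slot, truncated to 32 bits.
    (Real SYN cookies also encode the client's MSS; omitted here.)"""
    msg = f"{src_ip}:{src_port}>{dst_port}@{time_slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def validate_ack(src_ip, src_port, dst_port, ack_number, now_slot):
    """The final ACK must carry cookie+1 for the current or the previous slot (tolerates one RTT of skew)."""
    return any((syn_cookie(src_ip, src_port, dst_port, s) + 1) & 0xFFFFFFFF == ack_number
               for s in (now_slot, now_slot - 1))


def syn_check_demo(flood_size=50):
    """Same flood, but nothing is stored per SYN; returns (genuine ACK accepted, forged ACK accepted)."""
    slot = 1000
    for i in range(flood_size):
        syn_cookie("198.51.100.%d" % (i % 250), 40000 + i, 443, slot)  # SYN/ACK sent, no table entry
    cookie = syn_cookie("203.0.113.7", 51515, 443, slot)
    genuine = (cookie + 1) & 0xFFFFFFFF
    forged = (genuine + 0x1234) & 0xFFFFFFFF  # an attacker guessing without the secret
    return (validate_ack("203.0.113.7", 51515, 443, genuine, slot + 1),
            validate_ack("203.0.113.7", 51515, 443, forged, slot + 1))


if __name__ == "__main__":
    print("reaper disabled:", flood_then_legit(SynQueue(low=1.0, high=1.0)))  # (False, False)
    print("adaptive reaper:", flood_then_legit(SynQueue()))                  # (True, False)
    print("SYN cookies    :", syn_check_demo())                               # (True, False)
```

The three results line up with the chapter's claims. With the reaper disabled the queue fills with spoofed entries and the real client's SYN is dropped. With the reaper active the real SYN is accepted, but because the flood keeps the table at its high water mark the reaper flushes the real half-open entry before its ACK arrives, which is exactly the "valid connections will be reaped" caveat stated earlier in this chapter. With cookies there is no table to fill: the flood costs the listener only a hash per SYN, the genuine ACK validates, and a forged ACK without the secret does not.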
UDP flood
The UDP flood attack is most commonly a distributed denial-of-service attack (DDoS), where multiple remote systems are sending a large flood of UDP packets to the target. The BIG-IP system handles these attacks similarly to the way it handles a SYN flood. If the port is not listening, the BIG-IP system drops the packets. If the port is listening, the reaper removes the false connections.
Setting the UDP idle session timeout to between 5 and 10 seconds reaps these connections quickly without impacting users with slow connections. However, with UDP this may still leave too many open connections, and your situation may require a setting of between 2 and 5 seconds.
UDP fragment
The UDP fragment attack is based on forcing the system to reassemble huge amounts of UDP data sent as fragmented packets. The goal of this attack is to consume system resources to the point where the system fails. The BIG-IP system does not reassemble these packets; it sends them on to the server if they are for an open UDP service. If these packets are sent with the initial packet opening the connection correctly, then the connection is sent to the back-end server. If the initial packet is not the first packet of the stream, the entire stream is dropped. You do not need to make any changes to the BIG-IP system configuration for this type of attack.
Ping of Death
The Ping of Death attack sends ICMP echo packets that, once reassembled, are larger than 65535 bytes. Since this is the maximum size of an IP packet, the oversized reassembly can crash systems that attempt it. The BIG-IP system is hardened against this type of attack. However, if the attack is against a virtual server with the Any IP feature enabled, then these packets are sent on to the server. It is important that you apply the latest update patches to your servers. You do not need to make any changes to the BIG-IP system configuration for this type of attack.
Land attack
A Land attack is a SYN packet sent with the source address and port the same as the destination address and port. The BIG-IP system is hardened to resist this attack. The BIG-IP system connection table matches existing connections so that a spoof of this sort is not passed on to the servers. Connections to the BIG-IP system are checked and dropped if spoofed in this manner. You do not need to make any changes to the BIG-IP system configuration for this type of attack.
Teardrop
A Teardrop attack is carried out by a program that sends IP fragments to a machine connected to the Internet or a network. The Teardrop attack exploits an overlapping IP fragment problem present in some common operating systems. The problem causes the TCP/IP fragmentation re-assembly code to improperly handle overlapping IP fragments. The BIG-IP system handles these attacks by correctly checking frame alignment and discarding improperly aligned fragments. You do not need to make any changes to the BIG-IP system configuration for this type of attack.
Data attacks
The BIG-IP system can also offer protection from data attacks to the servers behind the BIG-IP system. The BIG-IP system acts as a port-deny device, preventing many common exploits by simply not passing the attack through to the server. For information about iRule examples for thwarting two common data attacks, see Filtering out attacks with iRules, on page 22-7.
WinNuke
The WinNuke attack exploits the way certain common operating systems handle out-of-band (urgent) data sent to the NetBIOS ports. The NetBIOS-related ports are 135 through 139, using TCP or UDP; the original WinNuke targeted TCP port 139. The BIG-IP system denies these ports by default. On the BIG-IP system, do not open these ports unless you are sure your servers have been patched against this attack.
Sub 7
The Sub 7 attack is a Trojan horse that is designed to run on certain common operating systems. This Trojan horse allows the system to be controlled remotely. It listens on TCP port 27374 by default. The BIG-IP system does not allow connections to this port from the outside, so a compromised server cannot be controlled remotely through the BIG-IP system. Do not open high ports (ports above 1024) without explicit knowledge of what applications will be running on these ports.
Back Orifice
Back Orifice is a Trojan horse that is designed to run on certain common operating systems. This Trojan horse allows the system to be controlled remotely. This Trojan horse listens on UDP port 31337 by default. The BIG-IP system does not allow connections to this port from the outside, so a compromised server cannot be controlled remotely. Do not open high ports (ports above 1024) without explicit knowledge of what will be running on these ports.
Chapter 23: Configuring Administrative Domains
Introducing administrative domains
Creating a partition
Configuring user access to a partition
Viewing, managing, and creating objects in a partition
Partitions
Partitions represent containers for BIG-IP system objects. You can use partitions to limit user access to certain objects. For more information on partitions, see the TMOS Management Guide for BIG-IP Systems.
User accounts
User accounts grant administrative access to the BIG-IP system. The properties that you set on a user account determine that user's permissions for administering BIG-IP system resources. For more information on user accounts, see the TMOS Management Guide for BIG-IP Systems.
User roles
One of the properties that you set on a user account is the user role. A user role determines that user's permissions, that is, the specific objects that the user can access and the tasks that the user can perform. The user roles that you can assign to a user account are: Administrator, Resource Administrator, User Manager, Manager, Application Editor, Application Security Policy Editor, Operator, or Guest. You can also specify that a user account has no access to system resources. For descriptions of these user roles, see the TMOS Management Guide for BIG-IP Systems.
BIG-IP system objects
BIG-IP system objects are the entities that you can manage on the BIG-IP system. Examples of objects that you can place into partitions are pools, virtual servers, and profiles. When objects reside in partitions, you can control the type and amount of administrative user access to those objects. Most local traffic objects, as well as user accounts, can reside in partitions. For descriptions of local traffic objects, see the Configuration Guide for BIG-IP Local Traffic Management.
By combining all of these components, you can finely tune administrative access to many of your BIG-IP system resources. This chapter describes the procedure for configuring the administrative domains feature on the BIG-IP system.
Creating a partition
When you first install the BIG-IP system, a default partition exists, known as partition Common. Partition Common contains certain objects that the system automatically creates during installation, such as the admin user account, the default profiles, and the pre-configured health and performance monitors. Some types of BIG-IP system objects reside in partitions, while others do not. In general, most local-traffic objects reside in partitions. Network objects, such as self IP addresses, VLANs, interfaces, and so on, cannot reside in partitions. At a minimum, most BIG-IP system user accounts have Read access to objects in partition Common, regardless of their user roles. User accounts that have the Administrator and Resource Administrator roles assigned to them not only can view the objects in Common, but also can create, modify, and delete objects in that partition. While managing partition Common is useful as a starting point for controlling user access to BIG-IP system objects, creating other partitions offers a much finer degree of access control for administrative users. The first step in giving a user the authority to manage objects in a specific partition is to create the partition. Once you have created the partition, you choose the user that you want to manage the objects in the new partition. Finally, you modify the properties of that user's account, to assign both the appropriate user role and the partition that you want to authorize the user to manage. Once you have granted authority to the user to manage the partition, the user can then manage those objects in certain ways, such as creating HTTP virtual servers and profiles, within that partition.
Important
To create a partition, you must have the Administrator or Resource Administrator user role assigned to your user account. For the admin account, the BIG-IP system automatically assigns the Administrator role.
To create a partition
1. On the Main tab of the navigation pane, expand System, and click Users. The Users screen opens.
2. On the menu bar, click Partitions List. This displays the list of partitions that you are allowed to view.
3. In the upper-right corner of the screen, click Create.
4. In the Name box, type a unique name for the partition, such as partition_App1.
5. In the Description box, type a description of the partition, for example, This partition contains objects for managing traffic for the App1 application.
6. Click Create.
This procedure pertains to local user accounts only. For information on configuring partition access to remote user accounts, see the TMOS Management Guide for BIG-IP Systems.
4. From the Partition Access list, select a partition name. You can select a single partition name, or All.
   Note: For user accounts to which you assign the Administrator role, this value is automatically set to All.
5. Click Finished.
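The rules this chapter states about partitions (every account reads Common; only Administrator and Resource Administrator write Common; Administrator accounts are forced to partition access All; creating a partition requires one of those two roles) can be written down as a small authorization function and checked against the accounts you intend to create. The following is an added example for this guide, not F5 code and not the system's actual authorization logic. Which of the non-administrative roles may write inside their own partition is not stated on this page; the PARTITION_WRITERS set is an assumption, as are the account names.

```python
# Roles named on this page. The two sets below encode which roles may write objects; only the
# Administrator / Resource Administrator rules come from the page, the rest is an assumption.
FULL_CONTROL = {"Administrator", "Resource Administrator"}
PARTITION_WRITERS = {"Manager", "Application Editor", "Application Security Policy Editor", "User Manager"}
READ_ONLY = {"Operator", "Guest"}
ALL = "All"
COMMON = "Common"


class Account:
    def __init__(self, name, role, partition_access):
        if role == "Administrator":
            partition_access = ALL  # the system sets Administrator accounts to All regardless of input
        self.name, self.role, self.partition_access = name, role, partition_access


def can(account, action, partition):
    """May the account perform action ('read' or 'write') on an object in the given partition?
    Everyone except No Access reads Common; only full-control roles write Common;
    other roles write only inside the partition they were assigned."""
    if account.role == "No Access":
        return False
    in_scope = account.partition_access in (ALL, partition)
    if action == "read":
        return partition == COMMON or in_scope
    if action == "write":
        if account.role in FULL_CONTROL:
            return partition == COMMON or in_scope
        if account.role in PARTITION_WRITERS:
            return in_scope and partition != COMMON
        return False  # Operator, Guest
    raise ValueError(f"unknown action {action!r}")


def can_create_partition(account):
    """Per the Important note above: creating a partition needs Administrator or Resource Administrator."""
    return account.role in FULL_CONTROL


def review(accounts, partitions):
    """Effective access matrix, the thing to read before handing out accounts: returns
    {account name: {partition: 'rw' | 'r' | '-'}}."""
    matrix = {}
    for a in accounts:
        row = {}
        for p in partitions:
            r, w = can(a, "read", p), can(a, "write", p)
            row[p] = "rw" if w else ("r" if r else "-")
        matrix[a.name] = row
    return matrix


# Constructed accounts (names are assumptions; the roles are the page's).
ACCOUNTS = [
    Account("admin", "Administrator", "partition_App1"),   # access silently becomes All
    Account("app1mgr", "Manager", "partition_App1"),
    Account("auditor", "Guest", ALL),
    Account("former_staff", "No Access", ALL),
]
PARTITIONS = [COMMON, "partition_App1", "partition_App2"]

if __name__ == "__main__":
    for name, row in review(ACCOUNTS, PARTITIONS).items():
        print(f"{name:13}", "  ".join(f"{p}={v}" for p, v in row.items()))
```

Two things in the matrix deserve attention when you design partitions. First, the implicit read on Common means that every account, including a Guest or a Manager confined to one application's partition, can see the names and settings of whatever lives in Common; objects one team should not see belong in that team's partition, not in Common. Second, an account given the Administrator role loses any partition restriction you typed, so a "partition administrator" must be a Manager or Resource Administrator, not an Administrator.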
Chapter 24: Configuring Remote Authentication and Authorization for Administrative Traffic
Introducing remote authentication and authorization for BIG-IP system user accounts
Configuring the BIG-IP system to use remote authentication of user accounts
Configuring access control for BIG-IP system users
Propagating remote authentication and authorization data to multiple BIG-IP devices
Introducing remote authentication and authorization for BIG-IP system user accounts
The BIG-IP system includes a comprehensive solution for managing BIG-IP administrative accounts on your network. With this solution, you can:
Use a remote server for storing BIG-IP user accounts
The BIG-IP system includes support for using a remote authentication server to store BIG-IP system user accounts. After creating BIG-IP system accounts on the remote server, you configure the BIG-IP system to use remote user authentication, using either the browser-based Configuration utility or the command-line-based bigpipe utility. For more information, see Configuring the BIG-IP system to use remote authentication of user accounts, on page 24-2.

Assign group-based access control
The BIG-IP system includes a remoterole command within the bigpipe utility. You use the remoterole command to specify access control data on a group-wide basis for remotely-stored BIG-IP system user accounts. The remoterole command can use the existing group definitions assigned to those remote accounts to define access control properties (privileges) for those users. The remoterole command not only provides more granularity and flexibility in assigning user privileges, but also removes any need to duplicate remote user accounts on the BIG-IP system for the purpose of assigning those privileges. For more information, see Configuring access control for BIG-IP system users, on page 24-6.

Propagate a set of authorization data to multiple BIG-IP devices
The BIG-IP system includes a tool for propagating user access control data easily to multiple BIG-IP devices on the network. This access control data includes user role specifications, partition access, and BIG-IP system console access. To propagate user authorization data to multiple BIG-IP devices, you use the Single Configuration File feature within the bigpipe utility. For more information, see Propagating remote authentication and authorization data to multiple BIG-IP devices, on page 24-11.
By using all of the above features together, you can define user privileges on a group-wise basis, and you can centrally manage all BIG-IP user accounts, thus negating any need to create and manage user accounts separately on each individual BIG-IP device on the network.
Chapter 24
4. From the User Directory list, select Remote - Active Directory or Remote - LDAP.
5. In the Host box, type the IP address of the remote server.
6. For the Port setting, retain the default port number (389) or type a new port number in the box. This setting represents the port number that the BIG-IP system uses to access the remote server.
7. In the Remote Directory Tree box, type the file location (tree) of the user authentication database on the LDAP or Active Directory server. At minimum, you must specify a domain component (that is, dc=<value>).
8. For the Scope setting, retain the default value (Sub) or select a new value. This setting specifies the level of the remote server database that the BIG-IP system searches to authenticate users. For more information on this setting, see the online help.
9. For the Bind setting, specify a user ID login for the remote server:
   a) In the DN box, type the Distinguished Name for the remote user ID.
   b) In the Password box, type the password for the remote user ID.
   c) In the Confirm box, re-type the password that you typed in the Password box.
10. If you want to enable SSL-based authentication, click the SSL box and, if necessary, configure the following settings.
   Important: Be sure to specify the full path name of the storage location on the BIG-IP system. For example, if the certificate is stored in the directory /config/ssl/ssl.crt, type the value /config/ssl/ssl.crt.
   a) In the SSL CA Certificate box, type the name of a chain certificate, that is, the third-party CA or self-signed certificate that normally resides on the remote authentication server.
   b) In the SSL Client Key box, type the name of the client SSL key. Use this setting only in the case where the remote server requires that the client present a certificate. If a client certificate is not required, you do not need to configure this setting.
   c) In the SSL Client Certificate box, type the name of the client SSL certificate. Use this setting only in the case where the remote server requires that the client present a certificate. If a client certificate is not required, you do not need to configure this setting.
11. Click Finished.
3. Click Change.
4. From the User Directory list, select Remote - TACACS+.
5. From the Configuration list, select Advanced. Additional settings appear on the screen.
6. In the Servers box, type an IP address and click Add.
7. In the Secret box, type the TACACS+ secret.
8. In the Confirm Secret box, re-type the TACACS+ secret that you specified in the Secret box.
9. From the Encryption list, retain the default value (Enabled) or select Disabled. This setting is optional.
10. In the Service Name box, type the name of a service.
11. In the Protocol Name box, type the name of a protocol. This setting is optional.
12. From the Authentication list, select either Authenticate to first server or Authenticate to each server until success.
13. From the Accounting Information list, select either Send to first available server or Send to all servers.
14. From the Debug Logging list, select either Disabled or Enabled.
15. Click Finished.
You can use the Configuration utility to change the values that the BIG-IP system uses as the default values when assigning privileges to remote user accounts. If you want to use non-default values for all of the user accounts represented by Other External Users, you have two options:
Use the remoterole command (recommended)
This allows you to assign privileges on a group basis. Using the remoterole command gives you flexibility and granularity in controlling access to BIG-IP system resources by remote user accounts. For more information, see Understanding the remoterole command, on page 24-7.

Use the Configuration utility to assign privileges on a per-user basis
Using the Configuration utility, you can assign non-default privileges to any individual user account that is stored remotely. If you do this, you must first duplicate the user account on the BIG-IP system. For more information, see the TMOS™ Management Guide for BIG-IP Systems.
Note
For detailed descriptions of the user roles that you can assign to accounts, see the TMOS™ Management Guide for BIG-IP Systems.
For example, suppose that your BIG-IP system user accounts are stored on an LDAP remote authentication server and that those accounts are divided between the groups BigIPOperatorsGroup and BigIPManagersGroup. In this case, you can type the following remoterole command sequence to define the privileges for those groups:
bigpipe remoterole role info BigIPOperatorsGroup {
   attribute "memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net"
   console disable
   line order 1
   role operator
   user partition App_A
} role info BigIPManagersGroup {
   attribute "MemberOF=cn=BigIPManagersGroup,cn=users,dc=dev,dc=net"
   console enable
   line order 2
   role manager
   user partition App_B
}
Table 24.1 shows the resulting configuration, where each group has a set of privileges assigned to it:
Group Name             Assigned Privileges
BigIPOperatorsGroup    console disable
                       role operator
                       user partition App_A
BigIPManagersGroup     console enable
                       role manager
                       user partition App_B
Note
After you use the remoterole command to configure group-based privileges, any user who logs on to the BIG-IP system and does not have a group assignment on the remote server is denied access to the BIG-IP system. Also, whenever you change the user role or partition assignment (or both) for a remote account, all remote users are immediately logged off the system, including those logged in as Other External Users.
Example
Suppose that you configure a remote RADIUS authentication server to return a vendor-specific attribute and three variables, and their values:

F5-LTM-User-Info-1 = DC1
F5-LTM-User-Role = 400
F5-LTM-User-Partition = App_C
F5-LTM-User-Console = 1

Note: See Considerations for variable evaluation, on page 24-9 for more information.
The remoterole command can match on the first attribute (F5-LTM-User-Info-1) and then read the role, user partition, and console values from the remaining three variables, rather than you specifying them explicitly. The command does this when you specify each of the three variables on the command line as arguments, preceded by the string %. The following shows a sample use of the remoterole command. This particular command matches on the vendor-specific attribute F5-LTM-User-Info-1 and then assigns the access-control values listed above (Operator, App_C, and 1) to any user accounts that are part of Datacenter 1 (DC1):
b remoterole role info DC1 {
   attribute "F5-LTM-User-Info-1=DC1"
   console "%F5-LTM-User-Console"
   role "%F5-LTM-User-Role"
   user partition "%F5-LTM-User-Partition"
   line order 1
}
Incorrect variable values
If the value of a variable is incorrect, the user is not authorized. For example, if the %F5-LTM-User-Partition variable evaluates to p1, but the p1 partition does not exist or the partition is named P1 instead of p1, the user receives an error message when attempting to log on.

The role variable
The variable that you specify on the command line with the role argument (for example, %F5-LTM-User-Role) must evaluate to one of these values:
0 (Administrator)
20 (Resource Administrator)
40 (User Manager)
100 (Manager)
300 (Application Editor)
400 (Operator)
700 (Guest)
800 (Application Security Policy Editor)
900 (None)

Missing variables
When a variable does not exist in the authentication attributes, the system assigns these privileges to the user account:
Role = No Access
Partition = None
Terminal access = Disabled
No matching attributes If the user is properly authenticated but there is no match on any of the remoterole attributes, the system assigns the default privileges. For more information on default privileges for remote user accounts, see Configuring access control for BIG-IP system users, on page 24-6.
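The evaluation rules above, worked as an added example that is not part of this guide and not F5 code: a small Python model of how remoterole entries resolve a remote user's privileges, covering both the group-based LDAP configuration of Table 24.1 and the RADIUS variable-based configuration, including a missing variable, an incorrect partition value, and no matching attribute. The attribute dictionaries, the partition list and the default privileges are constructed sample data.

```python
"""Model of how BIG-IP remoterole entries resolve a remote user's privileges.
Constructed illustration, not F5 code; sample data is marked as such."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Union

# Role codes the role variable must evaluate to (see "The role variable").
ROLE_CODES = {
    0: "Administrator", 20: "Resource Administrator", 40: "User Manager",
    100: "Manager", 300: "Application Editor", 400: "Operator",
    700: "Guest", 800: "Application Security Policy Editor", 900: "None",
}
ROLE_NAMES = {name.lower(): name for name in ROLE_CODES.values()}
Attributes = Dict[str, Union[str, Sequence[str]]]


class NotAuthorized(Exception):
    """A variable evaluated to an incorrect value: the user gets an error at logon."""


@dataclass(frozen=True)
class RoleInfo:
    """One 'role info' entry of a remoterole command."""
    name: str
    attribute: str        # "key=value", matched against attributes the server returned
    role: str             # literal role, or "%VAR" read from the server's attributes
    user_partition: str   # literal partition name, or "%VAR"
    console: str          # "enable"/"disable", or "%VAR"
    line_order: int       # entries are tried in ascending line order


@dataclass(frozen=True)
class Privileges:
    role: str
    partition: str
    console: str


# Assigned when a referenced variable is absent from the attributes ("Missing variables").
MISSING_VARIABLE_PRIVILEGES = Privileges("No Access", "None", "Disabled")


def _values(attrs: Attributes, key: str) -> List[str]:
    """All values of an attribute, by case-insensitive name (LDAP memberOf may repeat)."""
    for name, value in attrs.items():
        if name.lower() == key.lower():
            return [value] if isinstance(value, str) else list(value)
    return []


def _resolve(spec: str, attrs: Attributes) -> Optional[str]:
    """Expand a %VARIABLE spec from the attributes; None when the variable is missing."""
    if not spec.startswith("%"):
        return spec
    found = _values(attrs, spec[1:])
    return found[0] if found else None


def _role_name(value: str) -> str:
    """Map a numeric role code or a literal role name to its canonical name."""
    if value.isdigit():
        if int(value) not in ROLE_CODES:
            raise NotAuthorized(f"unknown role code {value}")
        return ROLE_CODES[int(value)]
    if value.lower() not in ROLE_NAMES:
        raise NotAuthorized(f"unknown role {value!r}")
    return ROLE_NAMES[value.lower()]


def evaluate(entries: Sequence[RoleInfo], attrs: Attributes,
             existing_partitions: Sequence[str], defaults: Privileges) -> Privileges:
    """Apply the first entry (by line order) whose attribute matches the user's attributes."""
    for entry in sorted(entries, key=lambda e: e.line_order):
        key, _, wanted = entry.attribute.partition("=")
        if wanted not in _values(attrs, key):
            continue
        role = _resolve(entry.role, attrs)
        partition = _resolve(entry.user_partition, attrs)
        console = _resolve(entry.console, attrs)
        if role is None or partition is None or console is None:
            return MISSING_VARIABLE_PRIVILEGES
        # Partition names are compared exactly: "p1" does not satisfy a partition named "P1".
        if partition != "All" and partition not in existing_partitions:
            raise NotAuthorized(f"partition {partition!r} does not exist")
        return Privileges(_role_name(role), partition, console)
    return defaults  # authenticated, but nothing matched: default privileges apply


# The two configurations shown in this chapter, expressed as data.
LDAP_ENTRIES = [
    RoleInfo("BigIPOperatorsGroup", "memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net",
             "operator", "App_A", "disable", 1),
    RoleInfo("BigIPManagersGroup", "MemberOF=cn=BigIPManagersGroup,cn=users,dc=dev,dc=net",
             "manager", "App_B", "enable", 2),
]
RADIUS_ENTRIES = [
    RoleInfo("DC1", "F5-LTM-User-Info-1=DC1", "%F5-LTM-User-Role",
             "%F5-LTM-User-Partition", "%F5-LTM-User-Console", 1),
]
PARTITIONS = ["Common", "App_A", "App_B", "App_C"]     # constructed partition list
DEFAULTS = Privileges("No Access", "All", "Disabled")   # constructed site defaults
```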
To create an SCF
1. Access the bigpipe shell.
2. Run the command export, and include a name for the SCF, for example:
bp> export myConfiguration053107
The system creates the file, myConfiguration053107.scf, in the /var/local/scf directory. To create the SCF in another location, specify a full path for the file. For example, the command export /config/myConfiguration creates the SCF in the /config directory.
   c) If necessary, change the passwords for the root and admin accounts using the command user <name> password none newpassword <password>.
   Important: When configuring a unit that is part of a redundant system using the SCF from the other unit in the system, do not modify the root and admin accounts. These accounts must be identical on both units of a redundant system.
   d) Save the edited SCF.
3. On the BIG-IP system that you want to configure, use the import command to import the SCF:
bp> import myConfiguration
The system saves a backup of the running configuration in the /var/local/scf directory, and then resets the running configuration with the configuration contained in the SCF you are importing.
4. To save the new running configuration to the stored configuration, use the save all command. The system saves the running configuration to the stored configuration.
25
Configuring Remote Authentication for Application Traffic
Introducing remote authentication for application traffic
Configuring authentication that uses a remote LDAP or Active Directory server
Configuring authentication that uses a remote RADIUS server
Configuring authentication that uses a remote TACACS+ server
Configuring SSL-based authorization using a remote LDAP server
Configuring SSL certificate revocation using an OCSP responder
Configuring a CRLDP authentication module
Chapter 25
To configure remote user authentication for application traffic, you must create both a configuration object and an authentication profile. Each authentication server type requires a different configuration object and profile. For example, to configure the BIG-IP system to use an LDAP authentication server, you must create an LDAP configuration object and a custom LDAP profile. When implementing a RADIUS, SSL OCSP, or CRLDP authentication module, you must also create a third type of object. For RADIUS and CRLDP authentication, this object is referred to as a server object. For SSL OCSP authentication, this object is referred to as an OCSP responder.
Note
Once you have performed these preliminary SSL tasks, you can enable SSL-based remote server authentication. You do this as part of creating the LDAP configuration object, which includes these Advanced settings:

SSL CA Certificate
This represents the name of the certificate that normally resides on the remote authentication server.

SSL Client Key
This represents the name of the SSL key that the client sends to the BIG-IP system. This key specification is only necessary when the remote server requires a client certificate.

SSL Client Certificate
This represents the name of the SSL certificate that the client sends to the BIG-IP system. This certificate specification is only necessary when the remote server requires a client certificate.
Important
When specifying key and certificate files while creating an LDAP configuration object, be sure to specify the full path name of the storage location on the BIG-IP system. For example, if the certificate is stored in the directory /config/ssl/ssl.crt, type the value /config/ssl/ssl.crt.

After you create the custom LDAP configuration object, you create a custom LDAP profile, and then assign the custom profile to an HTTP virtual server.
Note
For information about enabling SSL authentication, see the beginning of this section, Creating an LDAP configuration object, on page 25-2.
The virtual server to which you assign the profiles and the iRule must be a Standard type of virtual server.
The virtual server to which you assign an authentication profile must be a Standard type of virtual server.
7. In the Servers box, type the IP address of the remote TACACS+ server and click Add. The IP address appears in the text box.
8. For the Hosts setting, type the IP address of the remote LDAP or Active Directory server and click Add. The IP address appears in the text window.
9. In the Secret box, type a TACACS+ secret key, to be used for encrypting or decrypting packets sent to or from the server.
10. In the Confirm Secret box, re-type the secret key you typed in the Secret box.
11. If you selected a basic configuration in step 6, click Finished. If you selected an advanced configuration in step 6, configure the remaining settings and then click Finished.
Once you have created the TACACS+ configuration object, you must create a custom TACACS+ profile and modify an HTTP virtual server.
7. From the Configuration list, select the name of the TACACS+ configuration object that you previously created.
8. For all remaining settings, retain the default values.
9. Click Finished.
The virtual server to which you assign an authentication profile and iRule must be a Standard type of virtual server.
7. For the Hosts setting:
   a) Type the IP address of the remote LDAP server.
   b) Click Add. The IP address appears in the text window.
8. From the Search Type list, select User, Certificate Map, or Certificate.
9. In the User Base DN box, type the search base for the sub tree that the LDAP server uses to perform a User or Certificate search type.
10. In the User Key box, type the attribute that the LDAP server uses to designate a user ID.
11. If you selected a basic configuration in step 6, click Finished. If you selected an advanced configuration in step 6, configure the remaining settings and then click Finished.
7. From the Configuration list, select the name of the LDAP configuration object that you previously created.
8. For all remaining settings, retain the default values.
9. Click Finished.
The virtual server to which you assign the profiles and the iRule must be a Standard type of virtual server.
The virtual server to which you assign an authentication profile must be a Standard type of virtual server.
4. From the Authentication Profiles list, from the Available box select the name of the custom SSL OCSP profile that you previously created, and click the Move button (<<). This moves the profile name to the Enabled box.
Note: If the Authentication Profiles list is unavailable for modification, this indicates that your user role does not grant you permission to modify a virtual server.
5. Click Update.
4. In the upper right corner of the screen, click Create. This displays the New CRLDP Server screen.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a CRLDP responder object.
5. For the Name setting, type a unique name for the CRLDP server object, such as my_crldp_server.
6. Type or retain all configuration values.
7. Click Finished.
The virtual server to which you assign an authentication profile must be a Standard type of virtual server.
26
Configuring Kerberos Delegation
Introducing Kerberos delegation infrastructure
Configuring the BIG-IP system for Kerberos delegation
Creating the Kerberos delegation configuration
Authenticating Client Traffic
Configuration Requirements

This Kerberos delegation scenario uses a Microsoft primary domain controller (PDC).
The time on the PDC must be synchronized with the time on the client and web servers.
The primary domain controller must be a DNS server and have knowledge of the web servers.
Client
Client machines must be in the domain. The time on the client must be synchronized with the time on the web servers and PDC. The client must be using Windows Internet Explorer version 3.x or later.
Web server
The Web servers must be set up to use Windows Integrated Authentication with anonymous access disabled. Please refer to the Microsoft documentation for more information about load balancing Kerberos web servers if you plan to set up more than one server in your server pool. The time on the web server must be synchronized with the time on the client and PDC.
BIG-IP system
The BIG-IP system must be in a domain with the PDC. The BIG-IP system must be able to process secure traffic between the client and its web server. The BIG-IP system must use a DNS server that knows about the PDC. The BIG-IP system must have its time synchronized with the PDC.
Chapter 26
To test the DNS server before you define it on the BIG-IP system
Before you configure the DNS server on the BIG-IP system, you can test the DNS server(s) that you want to define on the BIG-IP system by typing the following command at the Linux prompt:
dig @<DNS_Server_IP_Address>
If the test is successful, the system displays a list of the root name servers.
For example, if you want to add the DNS name server IP addresses 192.168.10.20 and 192.168.10.22 to the BIG-IP system, type the following command:
bigpipe dns nameservers 192.168.10.20 192.168.10.22 add
The local /etc/resolv.conf file is now configured with the following entries:
nameserver 192.168.10.20
nameserver 192.168.10.22
If you are setting up cross-domain authentication, use the --dnsdomain option to this command. All hosts found in a certain DNS domain are automatically in the correct Kerberos realm. Use the domaintool --add command for each realm that the BIG-IP system may contact. Now that the BIG-IP system is configured with the domains it may contact, you must use the domaintool command to create service principals within the domain. These service principals are named after the FQDN of the virtual servers you create:
domaintool --join <domainname> --admin_principal <admin principal> --host <hostname>
This command prompts you for a password. Typically, the value of the admin_principal argument is administrator; however, you can use any administrator name. The host argument specifies the FQDN of the virtual server you configure for traffic. Run this command for each virtual server you plan to configure.
Important
For additional information about these commands, see the domaintool man page.
The Kerberos delegation profile includes a set-cookie operation. To ensure that an attacker cannot intercept this set-cookie header, always use the Kerberos Delegation profile in conjunction with a Client SSL profile.
6. In the Client Principal Name box, type the client principal name. The client principal name is the name of the virtual server on the BIG-IP system. Use the following format, where <name> is the admin_principal name that you previously added to the domain:
HTTP/<name>
7. In the Server Principal Name box, type the server principal name. The server principal name is the name of the web server. Use the following format, where <FQDN> is the fully-qualified domain name of the web server in the pool:
HTTP/<FQDN>
8. Click Finished.
3. In the upper-right corner of the screen, click Create. The New Client SSL Profile screen opens.
Note: If the Create button is unavailable, this indicates that your user role does not grant you permission to create a pool.
4. In the Name box, type a unique name for the profile.
5. On the far right side of the screen, click the Custom box.
6. From the Certificate list, select the name of an existing certificate.
7. From the Key list, select the name of an existing key.
8. At the bottom of the screen, click Finished.
To create a virtual server and add the Kerberos delegation and Client SSL profiles to the virtual server
1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers. The Virtual Servers screen opens.
2. In the upper-right corner of the screen, click Create. The New Virtual Server screen opens.
3. For the Name setting, type a unique name for the virtual server, such as my_kerberos_virtual.
4. For the Destination setting, click Host and type an IP address.
5. For the Service Port setting, type 80, or from the service list, select HTTP.
6. From the Configuration list, select Advanced.
7. For the Type setting, select Standard.
8. For the Protocol setting, select TCP.
9. For the HTTP Profile setting, select http.
10. From the SSL Profile (Client) list, select the name of the Client SSL profile you created previously.
11. For the Authentication Profiles setting, use the Move button (<< or >>) to enable the profile you created for Kerberos delegation.
12. In the Resources area of the screen, from the Default Pool list, select the pool you created that contains the web servers.
13. Click Finished.
For the server principal, use the FQDN of the web server. For each client principal, use the FQDN of the virtual server you plan to create on the BIG-IP system.
To create the Kerberos delegation profile object from the command line
After you create the Kerberos delegation configuration object, you can create the profile for the configuration. Be sure to set a cookie name and strong password for the cookie encryption key on the profile. In this example, the cookie name is kerbc and the key is kerbc.
profile auth my_kerberos_profile {
   defaults from krbdelegate
   config my_kerberos_config
   type krbdelegate
   cookie name kerbc
   cookie key "kerbc"
}
Note
The Cookie Key value is an encryption key that encrypts cookie data. A default value is supplied; however, you should change the default value so that attackers who know this value cannot decrypt cookie data and impersonate trusted users.
To create the Kerberos delegation virtual server from the command line
To complete the configuration of the BIG-IP system for Kerberos delegation, create the virtual server for the configuration. Type the following command to create the virtual server, where <ip addr>:http is the virtual server address, webserverpool is the pool of web servers, my_clientssl_profile is the Client SSL profile you created, and my_kerberos_profile is the profile you created for Kerberos delegation:
virtual my_kerberos_virtual {
   snat automap
   pool webserverpool
   destination <ip addr>:http
   ip protocol tcp
   profiles http tcp my_clientssl_profile auth my_kerberos_profile
}
The process for authenticating client traffic with Kerberos delegation is as follows:
1. The user logs on to the domain.
2. The client browser connects to the BIG-IP virtual server and passes Windows Integrated Authentication credentials, as well as SSL credentials.
3. The BIG-IP system verifies the credentials and uses those credentials to fetch credentials from domain 2 on behalf of the user from domain 1.
4. The BIG-IP system passes the credentials obtained in step 3 to the application server in domain 2.
5. The application server responds.
6. The BIG-IP system passes the response to the client.
27
Configuring Multiple Authentication Servers
Introducing multiple authentication server configuration
Meeting prerequisites
Configuring BIG-IP system objects
As an alternative to associating the pool with the virtual server, you can associate the pool with each proxy or authentication source directly. The remainder of this chapter describes how to successfully create a multiple authentication server configuration. For example purposes only, the information is written for RADIUS servers, but it applies to LDAP or TACACS+ servers also, except for some minor differences: If your servers are LDAP or TACACS+ servers, any information about RADIUS secrets does not apply. Also, you should replace any mention of a RADIUS configuration object with an LDAP or TACACS+ configuration object. Finally, you can ignore any information that pertains to a RADIUS server object.
Meeting prerequisites
Before continuing, you must ensure that the following requirements are met:
The RADIUS secret must be the same for all RADIUS servers.
The address of the virtual server that you create to reference the RADIUS pool cannot be a loopback address.
The virtual server that references the RADIUS pool must be in the same VLAN as the RADIUS servers. For example, if the RADIUS server addresses are 10.1.1.10 and 10.1.1.11 and reside in the VLAN internal, then you must associate the RADIUS pool with a virtual server that is routable to those addresses (such as 10.1.1.99). This causes the source address of the RADIUS traffic to be the self IP address of VLAN internal, rather than the virtual server address.
Object
RADIUS health monitor
A RADIUS server object
A RADIUS configuration object that references the RADIUS server object
A load-balancing pool that references the RADIUS health monitor
A virtual server that references the load-balancing pool

Figure 27.1 Example of relevant entries in the bigip.conf file (figure not reproduced; its sections include Pools and Virtual Servers)

As seen in Figure 27.1, you configure these BIG-IP system objects:
A RADIUS monitor named my_radius_monitor.
A RADIUS server object named system_auth_name1 with IP address and port 10.1.1.99:1645.
A RADIUS configuration object named system-auto that references the RADIUS server object.
A pool named radius_pool that references the RADIUS monitor and contains two pool members (10.1.1.10:1812 and 10.1.1.12:1645). Note that port 1812 is the registered port number for the RADIUS service.
A virtual authentication server named radius_virtual_server that references the pool radius_pool and uses the same IP address and port as the RADIUS server object. Note that this virtual server is defined on the same VLAN as the RADIUS servers in the pool.

Once you have added entries to the bigip.conf file that are similar to those in the above example, you can use the virtual server as a virtual remote authentication server.
28
Implementing Paired Tunneling
Introducing paired tunneling
Configuring the client-side system
Configuring the server-side system
Viewing data compression statistics
The client-side system is the system closest to the client node that initiates a request over the WAN for data that resides on a server node. The server-side system is the system closest to the server node that services the request. You can configure paired tunneling using either the Configuration utility or the bigpipe utility.
Chapter 28
deflate
This is a higher-quality compression algorithm that is typically slower than the lzo algorithm, unless the system is also using hardware acceleration. The deflate algorithm is ideal for achieving better compression through slower links (for example, a T1 or DS3 link).

lzo
This is a fast, medium-quality compression algorithm with low latency. The Lempel-Ziv-Oberhumer (lzo) algorithm is ideal for interactive protocols (such as Telnet) or high-bandwidth protocols that compress easily (such as data replication).

adaptive
This is a compression method that chooses the best algorithm (deflate, lzo, or off) as traffic conditions change. The adaptive method is both the recommended and the default compression method.

off
When the compression method is set to off, no compression occurs for traffic passing between the two BIG-IP systems. This option is ideal for protocols that cannot be compressed, such as streaming media (already compressed), or encrypted protocols.
The compression methods that you configure on the two BIG-IP systems must match, unless one of them is set to adaptive compression. For example:
If you configure one system to use the deflate method and the other to use the lzo method, any connections currently passing through the tunnel are reset, and no further traffic is allowed.
If you configure one system to use deflate and the other to use adaptive compression, the data is compressed using the deflate method.
If you configure both systems to use the adaptive method (the default setting), the systems use either deflate, lzo, or off, depending on traffic conditions. This is the recommended configuration.
WARNING
You should ensure that the data that a BIG-IP system sends through the iSession tunnel is not already compressed or encrypted through some other mechanism. Data targeted for the tunnel that has been already optimized cannot be optimized any further and could produce adverse effects.
   d) Click Add. This adds the specified IP address and service to the pool as a pool member.
5. Click Finished.
If the virtual address you specify is an address representing a subnet, the BIG-IP systems in the paired tunneling configuration optimize traffic for the entire subnet on which the destination server resides. When you create the virtual server, you configure it to reference these profiles:
The default TCP optimization profiles
By configuring the virtual server to reference two default TCP optimization profiles, you ensure optimal system performance when processing both local and wide-area TCP traffic.

The default Server SSL profile
The BIG-IP system provides a default profile named serverssl, which enables server-side SSL processing. The serverssl profile ensures that traffic sent from the client-side BIG-IP system to the server-side BIG-IP system is encrypted.

The custom iSession profile
This profile, which you created in the previous step, specifies the endpoint pool that you previously created, which in turn references the server-side virtual server address.
Note
As an option, you can use the RAM Cache feature. The result is that the client-side BIG-IP system can process some client requests without needing to connect to a backend server on the other side of the WAN.
13. For the iSession Profile setting:
   a) From the list on the left, select the name of the custom iSession profile you created previously on this system. In our example, this is clientside_isession_profile.
   b) From the Context list, select Server. Selecting Server specifies that the local endpoint of the tunnel is located on the server-side of the virtual server you are creating.
14. Click Finished.
The default TCP optimization profiles: By configuring the virtual server to reference two default TCP optimization profiles, you ensure optimal system performance when processing both local and wide-area TCP traffic.
The default Client SSL profile: The BIG-IP system provides a default profile named clientssl, which enables client-side SSL processing. The clientssl profile ensures that traffic sent from the client-side BIG-IP system to the server-side BIG-IP system is authenticated and decrypted.
The default iSession profile: Assigning this profile to the virtual server implements the server-side endpoint for the paired tunneling configuration.
Note
For the server-side BIG-IP system, you do not need to create an endpoint pool or a custom iSession profile.
13. For the iSession Profile setting:
a) From the list on the left, select isession.
b) From the Context list, select Client. Selecting Client specifies that the local endpoint of the tunnel is located on the client-side of the virtual server you are creating.
14. Click Finished.
Table 28.1 Effect of the client-side Port Transparency setting on server-side virtual server
Port Transparency Enabled: If the client-side service port is set to HTTP, then the server-side virtual server listens on port 80.
Port Transparency Disabled: If the client-side service port is set to HTTP, then the server-side virtual server listens on port 3701.
Chapter 29: Securing and Accelerating HTTP Traffic with ASM and WA
Overview of the configuration tasks
Completing basic configuration tasks on the Local Traffic Manager
Performing initial configuration tasks on the Local Traffic Manager
Creating an application profile for the WebAccelerator system
Assigning the WebAccelerator application profile to the security policy in Application Security Manager
Running the Application Security Manager Deployment Wizard
Complete basic configuration on the BIG-IP Local Traffic Manager. Before you can begin this implementation, you must complete the basic configuration requirements on the BIG-IP Local Traffic Manager. See Completing basic configuration tasks on the Local Traffic Manager, on page 29-2, for more information.
Perform initial configuration tasks on the BIG-IP Local Traffic Manager. To prepare the BIG-IP Local Traffic Manager to run the Application Security Manager and the WebAccelerator system on the same virtual server, there are initial configuration tasks you must complete. See Performing initial configuration tasks on the Local Traffic Manager, on page 29-3, for more information.
Create an application profile for the WebAccelerator system. An application profile provides all of the basic information required for the WebAccelerator system to begin expediting traffic to your applications. See Creating an application profile for the WebAccelerator system, on page 29-7, for more information.
Run the Application Security Manager Deployment Wizard. The Deployment Wizard automates the fundamental tasks required to initially build and deploy a security policy for your applications. See Running the Application Security Manager Deployment Wizard, on page 29-13, for more information.
Licensing and provisioning for the Application Security Manager and the WebAccelerator system. For more information, see the BIG-IP Systems: Getting Started Guide.
Configuring virtual server settings. For more information, see the Configuration Guide for BIG-IP Local Traffic Management.
Configuring name resolution (DNS or entries to the host file). For more information, see the TMOS Management Guide for BIG-IP Systems.
Creating an HTTP class profile for the Application Security Manager and the WebAccelerator system. The HTTP class profile uses the HTTP header, cookie, host, path, and other HTTP properties to specify the HTTP traffic to which the system applies security and acceleration. See Creating the HTTP class profile, following, for more information.
Defining a virtual server and pool. The virtual server load balances traffic to one or more pools that are hosting the web application. A pool is made up of members, which are the servers that host the web application resources that you want to protect with the Application Security Manager, and whose traffic you want to expedite with the WebAccelerator system. See Defining a virtual server and pool on the BIG-IP Local Traffic Manager, on page 29-4, for more information.
Configuring a Network Time Protocol (NTP) server. To properly maintain its cache and synchronize configurations, the system requires that the time on the application servers and the time on the BIG-IP system be the same. See Defining an NTP server, on page 29-6, for more information.
When you enable application security for an HTTP class profile, the system automatically creates a web application configuration and default security policy for Application Security Manager.
Defining a virtual server and pool on the BIG-IP Local Traffic Manager
The second task you need to perform is to define a virtual server and pool. As part of the definition, you associate the HTTP class profile that you created in the previous procedure with the virtual server. The virtual server then processes and routes incoming traffic according to the settings that you configure in the associated HTTP class profile. The pool hosts the web application content that clients are accessing.
Note
The following procedure outlines only the basic virtual server and pool configuration. For detailed information about virtual servers, pools, and the other local traffic components, see the Configuration Guide for BIG-IP Local Traffic Management.
15. In the Resources area, from the Load Balancing Method list, select a load balancing option.
16. Leave the Priority Group Activation setting at the default, Disabled.
17. For the New Members setting, select New Address, and in the Address and Service Port boxes, type the address and port for the pool members. Alternately, you can select Node List, and select nodes to add to the New Members list.
18. Click the Add button.
19. Click Finished. The screen refreshes, and returns to the New Virtual Server screen, where you see the new pool in the Default Pool list.
20. Click Finished again. The system updates the configuration, and displays the Virtual Server list screen, where you can see the virtual server that you created.
In addition to these application-specific and general delivery acceleration policies, the WebAccelerator system also provides a deployment-specific acceleration policy, called Symmetric Deployment. You can select this option if you are configuring an optional symmetric deployment. For more information about this option, see the Configuration Guide for the BIG-IP WebAccelerator System. If, however, you have a unique application for which you cannot use a pre-defined acceleration policy, you can customize the WebAccelerator system's behavior by creating a user-defined acceleration policy. In most cases, you do this by copying a pre-defined acceleration policy and modifying it as required. You also have the option of importing a signed acceleration policy that is created, certified, and encrypted by its author, such as a consultant or vendor. For information about acceleration policy features, and instructions about how to create user-defined acceleration policies or import signed acceleration policies, see the Policy Management Guide for the BIG-IP WebAccelerator System.
Tip
You can change the selected acceleration policy at any time after you create the application profile.
The WebAccelerator system is also capable of managing requests for unmapped domains, which are called unmapped requests. For more information, see the Configuration Guide for the BIG-IP WebAccelerator System.
Following are examples of valid requested host names that use wildcards.
*.sales.siterequest.com maps to the following (all to the same destination host):
direct.sales.siterequest.com
marketing.sales.siterequest.com
marcom.marketing.sales.siterequest.com
*siterequest.com maps to the following (all to the same destination host):
www.siterequest.com
engineering.siterequest.com
direct.sales.siterequest.com
marketing.sales.siterequest.com
marcom.marketing.sales.siterequest.com
*.com maps all incoming requests that end in .com to one destination host.
* maps all incoming requests to one destination host.
If the WebAccelerator system can map multiple requested host names to a request, it chooses the host name that most closely matches the request. Consider the following defined host names:
a.com
www.a.com
*.b.a.com
*.a.com
If the WebAccelerator system receives requests that contain these URLs, it maps to the requested hosts as follows:
A request to www.a.com maps to www.a.com, and does not map to *.a.com.
A request to a.com maps to a.com.
Requests to c.a.com and b.a.com both map to *.a.com.
A request to c.b.a.com maps to *.b.a.com.
4. In the Description box, type an optional description.
5. From the Central Policy list, select the acceleration policy that you want the WebAccelerator system to use when requesting information from the associated application. If you have configured an optional symmetric deployment, we recommend that you select the Symmetric Deployment pre-defined acceleration policy, because it is specifically designed to manage content assembly in a symmetric deployment. For more information, see the Configuration Guide for the BIG-IP WebAccelerator System.
6. If you have a symmetric deployment, from the Remote Policy list, select an acceleration policy for the remote WebAccelerator system. We recommend that you select Symmetric Deployment. If you do not have a symmetric deployment, do not select a remote policy.
7. In the Hosts section at the bottom of the screen, click the Add Host button.
8. In the Requested Host box, type a valid host name for each client host that you want to allow access to the application.
9. Click the Save button.
All network traffic from the web browser machine for www.siterequest.com subsequently goes to the virtual server.
2. From the web browser machine, request a page from www.siterequest.com. You should see the page that you would have received if your browser had accessed the origin web servers directly. If the browser times out the request, it means that either the WebAccelerator system is not running, or the firewall is blocking access to port 80 on the WebAccelerator system.
3. If you receive an "Access denied by intermediary. Domain not recognized." error, perform the following tasks:
Verify that the hosts file is correct.
Verify that the host map for the application profile is correct.
Verify that you used a domain in the request that matches a requested host in the host map, and that it maps to the destination host.
4. After you confirm the host mapping, remove any entries that you changed or added.
Assigning the WebAccelerator application profile to the security policy in Application Security Manager
Before you run the Deployment Wizard for the Application Security Manager, you must assign the WebAccelerator application profile to the security policy. If you have more than one application profile configured, you can change the assignment on the Policy Properties screen in the Application Security Manager.
Chapter 30: Securing and Accelerating HTTP Traffic with PSM and WA
Overview of the configuration tasks
Completing basic configuration tasks on the Local Traffic Manager
Performing initial configuration tasks on the Local Traffic Manager
Creating an application profile for the WebAccelerator system
Creating an HTTP security profile in the Protocol Security Module configuration
Complete basic configuration on the BIG-IP Local Traffic Manager. Before you can begin this implementation, you must complete the basic configuration requirements on the BIG-IP Local Traffic Manager. See Completing basic configuration tasks on the Local Traffic Manager, on page 30-2, for more information.
Perform initial configuration tasks on the BIG-IP Local Traffic Manager. To prepare the BIG-IP Local Traffic Manager to run the Protocol Security Module and the WebAccelerator system on the same virtual server, there are initial configuration tasks you must complete. See Performing initial configuration tasks on the Local Traffic Manager, on page 30-3, for more information.
Create an application profile for the WebAccelerator system. An application profile provides all of the basic information required for the WebAccelerator system to begin expediting traffic to your applications. See Creating an application profile for the WebAccelerator system, on page 30-7, for more information.
Create an HTTP security profile in the Protocol Security Module configuration. The final task is to create a custom HTTP security profile in the Protocol Security Module configuration, and associate the WebAccelerator application profile with it. See Creating an HTTP security profile in the Protocol Security Module configuration, on page 30-12, for more information.
License and provision the Protocol Security Module and the WebAccelerator system. When you add new modules to a BIG-IP system, you activate add-on license keys, and also provision the system for the new software. Provisioning reallocates system resources, such as disk storage and memory. For more information, see the BIG-IP Systems: Getting Started Guide.
Configure at least one DNS server. You configure a DNS server to enable name resolution for your virtual servers and applications. For more information, see the TMOS Management Guide for BIG-IP Systems.
Configure at least one NTP server. The WebAccelerator system relies on the NTP protocol to keep system clocks synchronized. This synchronization ensures that the system properly maintains its cache, and synchronizes configuration changes for optional symmetric deployments. For more information, see the TMOS Management Guide for BIG-IP Systems.
Create a WebAccelerator HTTP class profile. The first step in configuring the Protocol Security Module and WebAccelerator is to create the WebAccelerator class profile. See Creating the WebAccelerator HTTP class profile, on page 30-4, for more information.
Create an HTTP service profile. After you create the WebAccelerator profile, you create a custom HTTP service profile. This profile enables the protocol security checking that is performed on incoming HTTP traffic. See Creating an HTTP service profile, on page 30-4, for more information.
Create a virtual server and pool. In this step, you configure the virtual server, including assigning the HTTP class profile and the HTTP service profile to the virtual server, and define one or more pools. See Creating a virtual server and pool on the BIG-IP Local Traffic Manager, on page 30-5, for more information.
6. Check the Protocol Security check box to enable HTTP security checks.
7. Modify any other settings on the screen as required by your configuration.
8. Click Finished. The screen refreshes and displays the new HTTP service profile in the list.
Note
For more information about HTTP service profiles in general, see the Configuration Guide for BIG-IP Local Traffic Management.
Creating a virtual server and pool on the BIG-IP Local Traffic Manager
The next configuration task is to create a virtual server and pool on the local area network. The virtual server processes the incoming traffic, which includes applying the protocol security checks and the acceleration policy. The pool hosts the web application content that clients are accessing.
Note
The following procedure outlines only the basic virtual server configuration. For detailed information on virtual servers, including SSL virtual servers, and other local traffic components, see the Configuration Guide for BIG-IP Local Traffic Management.
9. In the Resources area, for the HTTP Class Profiles setting, from the Available list, select the HTTP class profile that you created, and click the Move button (<<) to add the class to the Enabled list.
10. Next to the Default Pool list, click the Add (+) button. The New Pool screen opens.
11. In the Name box, type a name for the pool.
12. For Health Monitors, from the Available list, select a health monitor or monitors and click the Move button (<<) to add the monitor to the Active list.
13. In the Resources area, from the Load Balancing Method list, select a load balancing option.
14. Leave the Priority Group Activation setting at the default, Disabled.
15. For the New Members setting, select New Address, and in the Address and Service Port boxes, type the address and port for the pool members. Alternately, you can select Node List, and select nodes to add to the New Members list.
16. Click the Add button.
17. Click Finished. The screen refreshes and opens the New Virtual Server screen, where you see the new pool in the Default Pool list.
18. Click Finished again. The system updates the configuration and displays the Virtual Server list screen, where you can see the virtual server that you created.
option if you are configuring an optional symmetric deployment. For more information about this option, see the Configuration Guide for the BIG-IP WebAccelerator System. If, however, you have a unique application for which you cannot use a pre-defined acceleration policy, you can customize the WebAccelerator system's behavior by creating a user-defined acceleration policy. In most cases, you do this by copying a pre-defined acceleration policy and modifying it as required. You also have the option of importing a signed acceleration policy that is created, certified, and encrypted by its author, such as a consultant or vendor. For information about acceleration policy features, and instructions about how to create user-defined acceleration policies or import signed acceleration policies, see the Policy Management Guide for the BIG-IP WebAccelerator System.
Tip
You can change the selected acceleration policy at any time after you create the application profile.
The WebAccelerator system is also capable of managing requests for unmapped domains, which are called unmapped requests. For more information, see the Configuration Guide for the BIG-IP WebAccelerator System.
Following are examples of valid requested host names that use wildcards.
*.sales.siterequest.com maps to the following (all to the same destination host):
direct.sales.siterequest.com
marketing.sales.siterequest.com
marcom.marketing.sales.siterequest.com
*siterequest.com maps to the following (all to the same destination host):
www.siterequest.com
engineering.siterequest.com
direct.sales.siterequest.com
marketing.sales.siterequest.com
marcom.marketing.sales.siterequest.com
*.com maps all incoming requests that end in .com to one destination host.
* maps all incoming requests to one destination host.
If the WebAccelerator system can map multiple requested host names to a request, it chooses the host name that most closely matches the request. Consider the following defined host names:
a.com
www.a.com
*.b.a.com
*.a.com
If the WebAccelerator system receives requests that contain these URLs, it maps to the requested hosts as follows:
A request to www.a.com maps to www.a.com, and does not map to *.a.com.
A request to a.com maps to a.com.
Requests to c.a.com and b.a.com both map to *.a.com.
A request to c.b.a.com maps to *.b.a.com.
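The wildcard and most-specific-match rules described above, and in the identical requested-host passage in Chapter 29, can be checked against a small model before you commit a host map to an application profile. The following Python is an added example written for this page; it is not F5 code and not part of the manual. It assumes, as the manual's examples suggest but do not state, that a leading * is the only wildcard and matches any prefix (including an empty one), that an exact host name beats any wildcard, that among matching wildcards the one with the longest literal suffix wins, and that a request host may arrive as a Host header value carrying a port. A request that no entry covers returns None, which corresponds to the "Access denied by intermediary. Domain not recognized." condition in the verification steps that follow.

```python
# Added example (not F5 code): a model of WebAccelerator requested-host matching.
# Assumptions (mine, not stated by the manual): "*" is the only wildcard and it
# matches any prefix of the request host; an exact name outranks any wildcard;
# among matching wildcards the longest literal suffix wins.
from typing import Optional, Sequence


def host_from_header(host_header: str) -> str:
    """Normalize an HTTP Host header value: lower-case, strip :port and trailing dot."""
    host = host_header.strip().lower()
    if host.startswith("[") and "]" in host:   # bracketed IPv6 literal, maybe with :port
        host = host[: host.index("]") + 1]
    elif ":" in host:                          # host name or IPv4 address with :port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def _matches(pattern: str, host: str) -> bool:
    """True if a defined requested host (exact name or '*suffix') covers `host`."""
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])      # "*" alone has an empty suffix: matches all
    return pattern == host


def _specificity(pattern: str) -> tuple:
    """Sort key: exact names rank above wildcards; longer wildcard suffixes above shorter."""
    if pattern.startswith("*"):
        return (0, len(pattern) - 1)
    return (1, len(pattern))


def map_requested_host(defined_hosts: Sequence[str], host_header: str) -> Optional[str]:
    """Return the defined requested host that most closely matches the request.

    Returns None when no entry covers the request; in the manual's terms that is
    the "Access denied by intermediary. Domain not recognized." case.
    """
    host = host_from_header(host_header)
    candidates = [p for p in defined_hosts if _matches(p, host)]
    if not candidates:
        return None
    return max(candidates, key=_specificity)


if __name__ == "__main__":
    # Constructed host map, taken from the manual's own example list.
    defined = ["a.com", "www.a.com", "*.b.a.com", "*.a.com"]
    for request in ["www.a.com", "a.com", "c.a.com", "b.a.com", "c.b.a.com", "x.example"]:
        print(f"{request:12} -> {map_requested_host(defined, request)}")
```

Running the block reproduces the manual's table of outcomes (www.a.com and a.com map to their exact entries, c.a.com and b.a.com to *.a.com, c.b.a.com to *.b.a.com) and shows x.example unmapped. Feeding the same function the host names you intend to test from a browser, before editing the hosts file, tells you in advance whether the intermediary will recognize the domain.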
4. In the Description box, type an optional description.
5. From the Central Policy list, select the acceleration policy that you want the WebAccelerator system to use when requesting information from the associated application. If you have configured an optional symmetric deployment, we recommend that you select the Symmetric Deployment pre-defined acceleration policy, because it is specifically designed to manage content assembly in a symmetric deployment. For more information, see the Configuration Guide for the BIG-IP WebAccelerator System.
6. If you have a symmetric deployment, from the Remote Policy list, select an acceleration policy for the remote WebAccelerator system. We recommend that you select the Symmetric Deployment pre-defined acceleration policy. If you do not have a symmetric deployment, do not select a remote policy.
7. In the Hosts section at the bottom of the screen, in the Requested Host box, type a valid host name.
8. To add additional client hosts that you want to allow access to the application, in the Hosts section at the bottom of the screen, click the Add Host button. The screen refreshes and displays another Requested Host box, where you can type the name of an additional client host.
9. When you finish adding client hosts, click the Save button.
All network traffic from the web browser machine for www.siterequest.com subsequently goes to the virtual server.
2. From the web browser machine, request a page from www.siterequest.com. You should see the page that you would have received if your browser had accessed the origin web servers directly. If the browser times out the request, it means that either the WebAccelerator system is not running, or the firewall is blocking access to port 80 on the WebAccelerator system.
3. If you receive an "Access denied by intermediary" error, perform the following tasks:
Verify that the hosts file is correct.
Verify that the host map for the application profile is correct.
Verify that you used a domain in the request that matches a requested host in the host map.
4. After you confirm the host mapping, remove any entries that you changed or added.
The following task assumes that you have already set up a remote logging configuration for security profile log files. For more information on remote logging and Protocol Security Module, refer to the Configuration Guide for BIG-IP Protocol Security Module.
8. For the WebAccelerator Cache Clear Settings option, from the Available WA Applications list, select the WebAccelerator profile and click the Move button (<<) to add it to the Assigned WA Applications list.
9. Click Create. The screen refreshes, and you see the new security profile in the list.
Glossary
active unit: In a redundant system, the active unit is the system that currently load balances connections. If the active unit in the redundant system fails, the standby unit assumes control and begins to load balance connections. See also redundant system.
ARP (Address Resolution Protocol): ARP is an industry-standard protocol that determines a host's Media Access Control (MAC) address based on its IP address.
authentication: Authentication is the process of verifying a user's identity when the user is attempting to log on to a system.
authentication iRule: An authentication iRule is a system-supplied or user-created iRule that is necessary for implementing a PAM authentication module on the BIG-IP system. See also iRule, PAM (Pluggable Authentication Module).
authentication module: An authentication module is a PAM module that you create to perform authentication or authorization of client traffic. See also PAM (Pluggable Authentication Module).
authentication profile: An authentication profile is a configuration tool that you use to implement a PAM authentication module. Types of authentication modules that you can implement with an authentication profile are: LDAP, RADIUS, TACACS+, SSL Client Certificate LDAP, and OCSP. See also PAM (Pluggable Authentication Module).
authorization: Authorization is the process of identifying the level of access that a logged-on user has been granted to system resources.
BIND (Berkeley Internet Name Domain): BIND is the most common implementation of the Domain Name System (DNS). BIND provides a system for matching domain names to IP addresses. For more information, refer to http://www.isc.org/products/BIND.
certificate: A certificate is an online credential signed by a trusted certificate authority and used for SSL network traffic as a method of authentication.
certificate authority (CA): A certificate authority is an external, trusted organization that issues a signed digital certificate to a requesting computer system for use as a credential to obtain authentication for SSL network traffic.
certificate revocation list (CRL): See CRL (certificate revocation list).
Certificate Revocation List Distribution Point (CRLDP): See CRLDP (Certificate Revocation List Distribution Point).
chain: A chain is a series of filtering criteria used to restrict access to an IP address. The order of the criteria in the chain determines how the filter is applied, from the general criteria first, to the more detailed criteria at the end of the chain.
configuration object: A configuration object is a user-created object that the BIG-IP system uses to implement a PAM authentication module. There is one type of configuration object for each type of authentication module that you create. See also PAM (Pluggable Authentication Module).
Configuration utility: The Configuration utility is the browser-based application that you use to configure the BIG-IP system.
connection persistence: Connection persistence is an optimizing technique whereby a network connection is intentionally kept open for the purpose of reducing handshaking.
cookie persistence: Cookie persistence is a mode of persistence where the BIG-IP system stores persistent connection information in a cookie.
CRL (certificate revocation list): A CRL is a list that an authenticating system checks to see if the SSL certificate that the requesting system presents for authentication has been revoked.
CRLDP (Certificate Revocation List Distribution Point): CRLDP is an industry-standard protocol that manages SSL certificate revocation for devices on a network.
CRLDP authentication module: A CRLDP authentication module is a user-created module that you implement on a BIG-IP system to authenticate client traffic using the CRLDP protocol. The purpose of a CRLDP authentication module is to manage the revocation of client SSL certificates on a network.
custom profile: A custom profile is a profile that you create. A custom profile can inherit its default settings from a parent profile that you specify. See also parent profile and profile.
default profile: A default profile is a profile that the BIG-IP system supplies with default setting values. You can use a default profile as is, or you can modify it. You can also specify it as a parent profile when you create a custom profile. You cannot create or delete a default profile. See also profile, custom profile.
default route: A default route is the route that the system uses when no other route specified in the routing table matches the destination address or network of the packet to be routed.
default VLAN: The BIG-IP system is configured with two default VLANs, one for each interface. One default VLAN is named internal and one is named external. See also VLAN (Virtual Local Area Network).
default wildcard virtual server: A default wildcard virtual server has an IP address and port number of 0.0.0.0:0, or *:*, or "any":"any". This virtual server accepts all traffic that does not match any other virtual server defined in the configuration.
domain name: A domain name is a unique name that is associated with one or more IP addresses. Domain names are used in URLs to identify particular Web pages. For example, in the URL http://www.siterequest.com/index.html, the domain name is siterequest.com.
external VLAN: The external VLAN is a default VLAN on the BIG-IP system. In a basic configuration, this VLAN has the administration ports locked down. In a normal configuration, this is typically a VLAN on which external clients request connections to internal servers.
failover: Failover is the process whereby a standby unit in a redundant system takes over when a software failure or a hardware failure is detected on the active unit.
floating self IP address: A floating self IP address is an additional self IP address for a VLAN that serves as a shared address by both units of a BIG-IP redundant system.
forwarding virtual server: A forwarding virtual server is a virtual server that has no pool members to load balance. The virtual server simply forwards the packet directly to the destination IP address specified in the client request. See also virtual server.
gateway pool: A gateway pool is a pool of routers that you can create to forward traffic. After creating a gateway pool, you can specify the pool as a gateway, within a TMM routing table entry.
health monitor: A health monitor checks a node to see if it is up and functioning for a given service. If the node fails the check, it is marked down. Different monitors exist for checking different services.
ICMP (Internet Control Message Protocol): ICMP is an Internet communications protocol used to determine information about routes to destination addresses.
interface: The physical port on a BIG-IP system is called an interface.
internal VLAN: The internal VLAN is a default VLAN on the BIG-IP system. In a basic configuration, this VLAN has the administration ports open. In a normal configuration, this is a network interface that handles connections from internal servers.
iRule: An iRule is a user-written script that controls the behavior of a connection passing through the BIG-IP system. iRules are an F5 Networks feature and are frequently used to direct certain connections to a non-default load balancing pool. However, iRules can perform other tasks, such as implementing secure network address translation and enabling session persistence.
Kerberos protocol: The Kerberos protocol is a network authentication protocol that allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner. Kerberos is aimed primarily at a client-server model, providing mutual authentication; both the user and the server verify each other's identity.
LACP (Link Aggregation Control Protocol): LACP is an industry-standard protocol that aggregates links in a trunk, to increase bandwidth and provide for link failover.
Layer 1 through Layer 7: Layers 1 through 7 refer to the seven layers of the Open System Interconnection (OSI) model. Thus, Layer 2 represents the data-link layer, Layer 3 represents the IP layer, and Layer 4 represents the transport layer (TCP and UDP). Layer 7 represents the application layer, handling traffic such as HTTP and SSL.
LDAP (Lightweight Directory Access Protocol): LDAP is an Internet protocol that email programs use to look up contact information from a server.
LDAP authentication module: An LDAP authentication module is a user-created module that you implement on a BIG-IP system to authenticate client traffic using a remote LDAP server.
LDAP client certificate SSL authentication module: An LDAP client certificate SSL authentication module is a user-created module that you implement on a BIG-IP system to authorize client traffic using SSL client credentials and a remote LDAP server.
link aggregation: Link aggregation is the process of combining multiple links in order to function as though it were a single link with higher bandwidth. Link aggregation occurs when you create a trunk. See also trunk and LACP (Link Aggregation Control Protocol).
Link Aggregation Control Protocol (LACP): See LACP (Link Aggregation Control Protocol).
load balancing method: A load balancing method is an algorithm that determines how to distribute connections across a load balancing pool.
load balancing pool: See pool.
load balancing virtual server: A load balancing virtual server is a virtual server that directs client traffic to a load balancing pool. This is the most basic type of virtual server. See also virtual server.
local traffic management: Local traffic management is the process of managing network traffic that comes into or goes out of a local area network (LAN), including an intranet. You can manage local traffic using BIG-IP Local Traffic Manager.
MAC (Media Access Control): MAC is a protocol that defines the way workstations gain access to transmission media, and is most widely used in reference to LANs. For IEEE LANs, the MAC layer is the lower sublayer of the data link layer protocol.
management interface: The management interface is a special port on the BIG-IP system, used for managing administrative traffic. Named MGMT, the management interface does not forward user application traffic, such as traffic slated for load balancing.
monitor: The BIG-IP system uses monitors to determine whether nodes are up or down. There are several different types of monitors and they use various methods to determine the status of a server or service. You can associate monitors with nodes, pools, and individual pool members. See also node, pool, and pool member.
monitor instance: You create a monitor instance when a health monitor is associated with a pool member or node. It is the monitor instance that actually performs the health check, not the monitor.
NAT (Network Address Translation): A NAT is an alias IP address that identifies a specific node managed by the BIG-IP system to the external network.
node: A node is a logical object on the BIG-IP system that identifies the IP address of a physical resource on the network. Nodes are directly associated with pool members and monitors. See also pool member and monitor.
OCSP (Online Certificate Status Protocol)
OCSP is a protocol that authenticating systems can use to check on the revocation status of digitally signed SSL certificates. The use of OCSP is an alternative to the use of a certificate revocation list (CRL). See also CRL (certificate revocation list).

OCSP authentication module
An OCSP authentication module is a user-created module that you implement on a BIG-IP system to authenticate client traffic using a remote OCSP responder. The purpose of an OCSP authentication module is to check on the revocation status of a client SSL certificate.

OCSP responder
An OCSP responder is an external server used for communicating SSL certificate revocation status to an authentication server such as the BIG-IP system.

OCSP responder object
An OCSP responder object is a software application on the BIG-IP system that communicates with an OCSP responder, for the purpose of checking the revocation status of a client or server SSL certificate.

PAM (Pluggable Authentication Module)
A PAM module is a software module that a server application uses to authenticate client traffic. The modular design of a PAM module allows an organization to add, replace, or remove that authentication mechanism from a server application with minimal impact to that application. An example of a PAM module is an application that uses a remote Lightweight Directory Access Protocol (LDAP) server to authenticate client traffic. See also LDAP (Lightweight Directory Access Protocol).

parent profile
A parent profile is a profile that can propagate its values to another profile. A parent profile can be either a default profile or a custom profile. See also profile.

partition
A partition is a logical container that you create, containing a defined set of BIG-IP system objects. You use partitions to control user access to the BIG-IP system. See also user role.

performance monitor
A performance monitor gathers statistics and checks the state of a target device.
persistence profile
A persistence profile is a configuration tool for implementing a specific type of session persistence. An example of a persistence profile type is a cookie persistence profile.

pool
A pool is a logical group of pool members. The BIG-IP system load balances requests to the pool members within a pool, based on the load balancing method and persistence method you choose when you configure the pool. See also node and pool member.

pool member
A pool member is one of the members of a load balancing pool. A pool member name indicates a node IP address and a service number. See also node.

port
A port can be represented by a number that is associated with a specific service supported by a host. Refer to the Services and Port Index for a list of port numbers and corresponding services.

port-specific wildcard virtual server
A port-specific wildcard virtual server is a wildcard virtual server that uses a port number other than 0. See also wildcard virtual server.

pre-configured monitor
A pre-configured monitor is a system-supplied health or performance monitor. You can use a pre-configured monitor as is, but you cannot modify or delete one. See also monitor.

profile
A profile is a configuration tool containing settings for defining the behavior of network traffic. The BIG-IP system contains profiles for managing FastL4, HTTP, TCP, FTP, and SSL traffic, as well as for implementing persistence and application authentication.

profile setting
A profile setting is a configuration attribute within a profile that has a value associated with it. You can configure a profile setting to customize the way that the BIG-IP system manages a type of traffic.

profile type
A profile type is a category of profile that you use for a specific purpose. An example of a profile type is an HTTP profile, which you configure to manage HTTP network traffic.
protocol profile
A protocol profile is a profile that you create for controlling the behavior of FastL4, TCP, and UDP traffic.

RADIUS (Remote Authentication Dial-in User Service)
RADIUS is a service that performs remote user authentication and accounting. Its primary use is for Internet Service Providers, though it can also be used on any network that needs a centralized authentication and/or accounting service for its workstations.

RADIUS authentication module
A RADIUS authentication module is a user-created module that you implement on a BIG-IP system to authenticate client traffic using a remote RADIUS server.

RAM cache
A RAM cache is a cache of HTTP objects stored in the BIG-IP system's RAM that subsequent connections reuse to reduce the amount of load on the back-end servers.

rate class
You create a rate filter from the Configuration utility or command line utility. When you assign a rate class to a rate filter, the rate class determines the volume of traffic allowed through the rate filter. See also rate shaping.

rate shaping
Rate shaping is a type of extended IP filter. Rate shaping uses the same IP filter method but applies a rate class, which determines the volume of network traffic allowed. See also rate class.

redundant system
Redundant system refers to a pair of units that are configured for fail-over. In a redundant system, there are two units, one running as the active unit and one running as the standby unit. If the active unit fails, the standby unit takes over and manages connection requests.

responder object
See OCSP responder object.

router
A router is a Layer 3 networking device. If no VLANs are defined on the network, a router defines a broadcast domain.

secure network address translation (SNAT)
See SNAT (secure network address translation).
self IP address
Self IP addresses are the IP addresses owned by the BIG-IP system that you use to access the internal and external VLANs.

service
Service refers to services such as TCP, UDP, HTTP, and FTP.

session persistence
Session persistence refers to a series of related connections received from the same client, having the same session ID. When persistence is enabled, a BIG-IP system sends all connections having the same session ID to the same node, instead of load balancing the connections. Session persistence is not to be confused with connection persistence.

Setup utility
The Setup utility guides you through the initial system configuration process. You can run the Setup utility from the Configuration utility start page.

simple persistence
See source address affinity persistence.

SNAT (Secure Network Address Translation)
A SNAT is a feature you can configure on the BIG-IP system. A SNAT defines a routable alias IP address that one or more nodes can use as a source IP address when making connections to hosts on a network.

SNMP (Simple Network Management Protocol)
SNMP is the Internet standard protocol, defined in STD 15, RFC 1157, developed to manage nodes on an IP network.

source address affinity persistence
Also known as simple persistence, source address affinity persistence supports TCP and UDP protocols, and directs session requests to the same server based solely on the source IP address of a packet.

spanning tree
A spanning tree is a logical tree structure of Layer 2 devices on a network, created by a spanning tree protocol algorithm and used for resolving network loops.

SSH
SSH is a protocol for secure remote login and other secure network services over a non-secure network.
SSL (Secure Sockets Layer)
SSL is a network communications protocol that uses public-key technology as a way to transmit data in a secure manner.

SSL profile
An SSL profile is a configuration tool that you use to terminate and initiate SSL connections from clients and servers.

standby unit
A standby unit in a redundant system is a unit that is always prepared to become the active unit if the active unit fails.

TACACS (Terminal Access Controller Access Control System)
TACACS is an older authentication protocol common to UNIX systems. TACACS allows a remote access server to forward a user's login password to an authentication server.

TACACS+
TACACS+ is an authentication mechanism designed as a replacement for the older TACACS protocol. There is little similarity between the two protocols, however, and they are therefore not compatible.

TACACS+ authentication module
A TACACS+ authentication module is a user-created module that you implement on a BIG-IP system to authenticate client traffic using a remote TACACS+ server.

tagged interface
A tagged interface is an interface that you assign to a VLAN in a way that causes the system to add a VLAN tag into the header of any frame passing through that interface. Tagged interfaces are used when you want to assign a single interface to multiple VLANs. See also VLAN (virtual local area network).

TMM (Traffic Management Microkernel) service
The TMM service is the process running on the BIG-IP system that performs most traffic management for the product.

transparent node
A transparent node appears as a router to other network devices, including the BIG-IP system.

trunk
A trunk is a combination of two or more interfaces and cables configured as one link.
tunnel
A tunnel is a network configuration in which two local traffic management systems can pass optimized traffic over a wide-area network.

user role
A user role is a type and level of access that you assign to a BIG-IP system user account. By assigning user roles, you can control the extent to which BIG-IP system administrators can view or modify the BIG-IP system configuration.

virtual address
A virtual address is an IP address associated with one or more virtual servers managed by the BIG-IP system. See also virtual server.

virtual port
A virtual port is the port number or service name associated with one or more virtual servers managed by the BIG-IP system. A virtual port number should be the same TCP or UDP port number to which client programs expect to connect.

virtual server
A virtual server is a specific combination of virtual address and virtual port, associated with a content site that is managed by a BIG-IP system or other type of host server.

VLAN (virtual local area network)
A VLAN is a logical grouping of interfaces connected to network devices. You can use a VLAN to logically group devices that are on different network segments. Devices within a VLAN use Layer 2 networking to communicate and define a broadcast domain.

VLAN group
A VLAN group is two or more VLANs that you put together into a VLAN group. A primary use of a VLAN group is to successfully route traffic when both the source and the destination hosts reside on the same network.

VLAN name
A VLAN name is the symbolic name used to identify a VLAN. For example, you might configure a VLAN named marketing, or a VLAN named development. See also VLAN (virtual local area network).

VLAN tag
An IEEE standard, a VLAN tag is an identification number inserted into the header of a frame that indicates the VLAN to which the destination device belongs. VLAN tags are used when a single interface forwards traffic for multiple VLANs.
wildcard virtual server
A wildcard virtual server is a virtual server that uses an IP address of 0.0.0.0, * or "any". A wildcard virtual server accepts connection requests for destinations outside of the local network. Wildcard virtual servers are included only in Transparent Node Mode configurations.
Index
A
acceleration and application to traffic 29-3 enabling 29-4 acceleration policies and Level 1 Delivery 29-7, 30-7 and Level 2 Delivery 29-7, 30-7 and signed acceleration policies 29-8, 30-8 and Symmetric Deployment 29-8, 30-7 and user-defined acceleration policies 29-8, 30-8 customizing 29-8 for WebAccelerator 30-10 access for client hosts 29-10 to partitions 23-5 access control configuring 24-7 tailoring 23-1 access control combinations 24-8 access control groups See partitions. access control process See authorization steps. access levels for partition Common 23-2 See also user access. access-control properties configuring 24-6 Access-Request packets 25-8 ACK packets 2-2, 2-6 Active Directory remote authentication 24-2 adaptive connection reaping 22-2, 22-3 adaptive method 28-2 adaptive reaper 22-9 additional information for Bigpipe Utility Reference Guide 1-2 for Configuration Guide for BIG-IP Local Traffic Management 1-2 for Configuration Worksheet 1-2 for Installation, Licensing, and Upgrades for BIG-IP Systems 1-2 for Platform Guide 1-2 for TMOS Management Guide for BIG-IP Systems 1-2 address translation 2-1, 2-2, 7-5 admin account 23-2 administrative domains defined 23-1 administrative partitions and tunneling 28-3
Administrator role and object management 23-4 Administrator role access 23-2 aggregation, of links 17-1 application profile verification 30-10 application profiles and host maps 29-8, 30-8 assigning to security policies 29-12 configuring 29-9, 30-9 creating 30-1 defined 29-7, 30-7 for WebAccelerator 29-7 application security enabling 29-4 Application Security Manager and HTTP class profiles 29-3 applications and acceleration policies 29-7 ARP protocol 2-5 authentication for remote user accounts 24-1 authentication attributes 24-9, 24-10 authentication module types 25-7 authentication server types 24-2 authentication servers as pool members 27-1 authorization data propagating 24-1 authorization failure 24-9 authorization levels determining 23-3 authorization properties configuring 24-6 authorization steps 23-2
B
Back Orifice attacks 22-12 BIG-IP system adding to network 4-1 configuring for same network 4-3 to replace switches 4-2 BIG-IP system bypass 2-1 BIG-IP system objects 23-1 bigpipe -? command 24-8 bigpipe shell and user roles 23-2 broadcast addresses 2-4 built-in switching for multiple customer hosting 5-5
Index - 1
C
cache directives 29-7 cache servers 6-1 certificate installation 12-1 Certificate Revocation List Distribution Point protocol See CRLDP authentication module. client authentication and Kerberos delegation 26-10 client credentials 25-7 client hosts and application access 30-10 client principal names 26-6 client requests and BIG-IP system 2-6 decrypting 11-6 Client SSL profiles and Kerberos delegation 26-5 assigning 11-6, 12-7 creating 11-3, 12-3 defined 11-1, 12-1 for tunneling 28-9 clock synchronization 29-6 command line interface See bigpipe shell. common configuration 6-1 compression and iRules 10-1 and RAM Cache 13-1 configuring 12-4 for dynamically-generated data 28-2 over a WAN 28-1 turning off 28-2 compression methods defined 28-2 compression statistics for tunneling 28-12 compression tasks 10-1 configuration data importing and exporting 24-11 configuration examples, Internet 3-1 Configuration utility and online help 1-5 and Welcome screen 1-5 Configuration Worksheet 1-2 connection flooding 22-9 connection request types 6-1 connection timeout 2-6, 22-8 connections adding 7-1 authenticating 25-7 reaping 22-2 See also Internet connections. content demand for 13-1 static 13-1
content compression and RAM Cache 13-1 content requests 29-7 cookie encryption and decryption 26-6 cookie persistence 9-1 cookie persistence profiles 9-2 cookies 22-8 corporate intranet 6-1 credential fetching 26-10 credential passing 26-10 credential verification 26-10 CRLDP authentication module defined 25-20 CRLDP configuration objects defined 25-21 CRLDP profile type defined 25-22 CRLDP responder objects defined 25-20 CRLDP server objects defined 25-20 cross-domain authentication 26-3 cross-realm authentication setting 26-1 custom HTTP profiles described 9-1 using 8-1 custom monitors 19-1 custom persistence profiles described 9-1 using 8-1 custom RADIUS profiles assigning 25-9 customers hosting for 5-1
D
data attacks 22-11 data center topology 4-1 data compression and RAM Cache 13-1 over a WAN 28-1 data compression statistics for tunneling 28-12 data encryption and tunneling 28-1 data optimization through tunneling 28-1 data propagation 24-7, 24-11 data types and tunneling 28-2 data verification and WebAccelerator 29-10, 30-10
default HTTP profiles described 9-1 using 8-1 default persistence profiles described 9-1 using 8-1 default routes for nPath routing 2-2 setting 2-2, 16-4 default wildcard servers 6-2 deflate method 28-2 Denial-of-Service attacks 22-1, 22-8 Denial-of-Service prevention 22-4 deployment scenarios defined 29-13 Deployment Wizard about 29-13 and deployment scenarios 29-13 starting 29-13 destination address translation 2-1 DNS name resolution configuring 26-3 DNS servers adding and testing 26-2 as primary domain controllers 26-1 configuring 30-2 domain authentication 26-3 domain controllers 26-1 domain verification and mapping 29-11 domains adding BIG-IP systems to 26-3 creating service principals in 26-3 identifying 29-8 domaintool command 26-3 duplicate IP addresses assigning 21-1
E
e-commerce traffic load balancing 3-1 encryption and tunneling 28-1 encryption keys 26-6 endpoint pools creating 28-4 on server-side systems 28-10 expressions for packet filtering 18-1
F
Fast L4 profiles assigning 2-4 creating 2-2, 2-3 for nPath routing 2-2 files including and excluding 10-1 FIN packets 2-2 flooding 22-9 formatting conventions 1-3 forwarding virtual server for tunneling 28-9 FTP monitors 14-2, 15-2 FTP pools assigning 14-4 creating 14-3, 15-3 FTP profiles assigning 14-4 defined 14-1 FTP traffic 14-1 FTP virtual servers creating 14-4, 15-5
G
gateways and nPath routing 2-5 groups assigning privileges to 24-7 for user access control 24-1 Guest role tasks 23-3
H
health monitors for remote authentication servers 27-1 help, online 1-5 high demand objects 13-1 high-water mark See adaptive connection reaping. host map and requested hosts 29-8, 30-8 host map verification 29-11 host names specifying 29-8 hosts file verification 29-11 HTML pages caching 29-7 HTTP class profile creating for other modules 29-3 HTTP class profiles and configuration options 29-4 and important considerations 29-4 creating 29-4, 30-4 for Application Security Manager 29-3 for WebAccelerator system 29-3
HTTP compression tasks 10-1 HTTP connections 9-3 HTTP headers 13-1 HTTP methods 13-1 HTTP pools assigning for compression 10-3 assigning for RAM Cache 13-3 assigning for source address persistence 8-3 creating for cookie persistence 9-3 creating for source address persistence 8-2 HTTP profiles creating for compression 10-2, 12-4 creating for LDAP authentication 25-15 creating for RAM Cache 13-2 defined 9-1 described 8-1 HTTP RAM Cache See RAM Cache. HTTP security profile described 30-12 HTTP service profiles creating 30-4 HTTP traffic controlling for compression 10-1 controlling for cookie persistence 9-1 controlling for source address persistence 8-1 HTTP virtual servers creating for compression 10-3 creating for cookie persistence 9-3 creating for source address persistence 8-3 HTTPS pools assigning 11-6, 12-7 creating 11-5, 12-6 HTTPS traffic 11-6 HTTPS virtual servers creating 11-6, 12-7
I
ICMP floods 22-9 idle timeout values 2-2, 2-3 inbound traffic 7-3 inheritance prevention for monitors 19-5 Intelligent Browser Referencing feature 29-7 interfaces and partitions 23-2 assigning as tagged 5-2 using link aggregation 17-1 Internet connections adding more 7-1 example 7-1 load balancing 7-1 intranet configuration creating 6-2 for corporate intranets 6-1
IP address translation 2-1 IP addresses and loopback interfaces 2-5 and nPath routing 2-5 assigning 21-1 removing from VLANs 17-7 IP aliases and nPath routing 2-5 IP network changing 4-1 IP network topology with single interface 4-1, 16-1 IP packets recognition by clients 16-5 routing incorrectly 2-5 IPV6 nodes 20-2 iRules for compression 10-1 iSession context 28-8, 28-11 iSession port 3701 28-11 iSession profiles and port transparency 28-11 creating 28-5 for tunneling 28-6, 28-9
J
J2EE and delivery acceleration policies 29-7, 30-7 Java 2 Platform Enterprise Edition See J2EE.
K
KDCs 26-3 Kerberos delegation and Client SSL profiles 26-5 and virtual servers 26-9 defined 26-1 Kerberos Key Distribution Centers (KDCs) 26-3 Kerberos realms and DNS domains 26-3 Kerberos web servers load balancing 26-1 key installation 12-1
L
L2 forwarding 4-1 LACP protocol 17-3 Land attacks 22-10 LDAP configuration objects defined 25-2 LDAP profile type defined 25-5 LDAP remote authentication 24-2 Lempel-Ziv-Oberhumer method 28-2 Level 1 Delivery acceleration policy 29-7, 30-7
Level 2 Delivery acceleration policy 29-7, 30-7 link aggregation about 17-1 and network configurations 17-6 and VLAN groups 17-7 configuring 17-2 local endpoints 28-8, 28-11 loopback interfaces 2-2, 2-5 low-water mark See adaptive connection reaping. lzo method 28-2
M
Manager role access 23-2 Manager role tasks 23-3 monitor inheritance 19-4 monitor settings 19-1 monitor types 19-1 monitors assigning to pools 19-4 creating 19-3 creating for FTP servers 14-2, 15-2 defined 19-1 removing 19-5 MS Loopback interface 2-5 multiple customer hosting about 5-1 configuring 5-2 creating pools for 5-3 creating VLAN tags for 5-2 using built-in switching 5-5
N
name resolution configuring 26-3, 30-2 name servers listing 26-2 NAS-Identifier string 25-8 netmask 2-4 network changing 4-1 network adapter list 2-5 network configurations and link aggregation 17-2, 17-6 for IP network topology 16-1 network prefixes 20-1 Network Time Protocol (NTP) protocol See NTP. network traffic and additional connections 7-1 and packet filters 18-1 managing 2-1 network traffic authentication types 25-1 node configuration and radvd service 20-1
nodes and Operator role 23-3 in route domains 21-1 nPath routing 2-1, 2-5 nPath routing tasks 2-2 NTP configuring 29-6 defined 29-6 NTP protocol synchronizing system clocks 30-2 numeric values for user privileges 24-9
O
object creation and partition location 23-5 object re-use 13-1 objects and Guest role 23-3 defined 23-1 demand for 13-1 viewing and managing 23-4 OCSP authentication module See SSL OCSP authentication module. OCSP responder objects creating 25-17 one-network topology 17-6 Online Certificate Status Protocol See SSL OCSP authentication module. online help 1-5 Operator role tasks 23-3 Other External Users account 24-6 outbound throughput increasing 2-1 overlapping IP addresses 21-1
P
packet filter rules creating 18-4 purpose of 18-1 packet filters 18-1, 18-4 packets forwarding and rejecting 18-1 receiving and copying 4-4 recognition by clients 16-5 paired tunneling described 28-1 partition access configuring 23-3 Partition Access list 23-4 partition Common described 23-2 partition contents 23-1 partition property 24-6
partitioned objects creating 23-5 described 23-2 partitions and tunneling 28-3 and user roles 23-2 benefits of 23-2 creating 23-2 defined 23-1 selecting 23-5 password credentials 25-7 PDCs 26-1 performance monitors 19-2 permissions determining 23-1 See also user access. persistence and nPath routing 2-6 implementing 8-1 See also cookie persistence. persistence profiles assigning for compression 12-7 assigning for FTP 14-4 assigning for HTTP 9-4 assigning for HTTPS 11-6 assigning for RAM Cache 13-3 creating 9-2 Ping of Death attacks 22-10 Platform Guide 1-2 pool member exclusion 19-4, 19-5 pool members and Operator role 23-3 and route domains 21-1 as tunnel endpoints 28-10 pools and HTTP class profiles 29-4 configuring 29-5 creating for a basic configuration 6-2 creating for e-commerce 3-1, 3-2 creating for FTP servers 14-3 creating for HTTP 8-2, 9-3 creating for HTTPS 11-5, 12-6 creating for intranet configuration 6-2 creating for ISP load balancing 7-2 creating for link aggregation 17-4 creating for monitors 19-4 creating for multiple customer hosting 5-3 creating for nPath routing 2-4 creating for rate shaping 15-3 creating for routers 18-2 creating for single network 16-2 of web servers 4-5 port translation 2-2 port transparency defined 28-11
ports for e-commerce 3-1 pre-configured monitors 19-1 pre-defined acceleration policies and Level 1 Delivery 29-7, 30-7 and Level 2 delivery 29-7, 30-7 selecting 29-7, 30-7 primary domain controllers (PDCs) 26-1 privileges assigning 24-7 configuring 24-6 for individual accounts 24-6 See also access control. profile verification 30-10 profiles creating for HTTP 10-2, 25-15 protocol security and WebAccelerator application profile 30-12 protocol security checks 30-5 Protocol Security Module and application profiles 30-1 and security profiles 30-1 running with WebAccelerator system 30-3 protocol vulnerabilities scanning for 30-4 protocols for remote authentication servers 25-1 provisioning for modules 30-2
R
RADIUS authentication module implementing 25-7 RADIUS authentication profiles assigning 25-9 RADIUS configuration objects creating 25-8 specifying in profile 25-9 RADIUS configuration overview 25-7 RADIUS profiles creating 25-9 RADIUS secret 25-7 RADIUS server configuration 27-2 RADIUS server objects creating 25-7 specifying in configuration object 25-8 RADIUS servers and authentication 25-7 and traffic authentication 25-7 RADIUS user authorization configuring 24-4 RADIUS-based authentication configuring 24-4 radvd service 20-1
RAM Cache and http-acceleration profile 29-5 and WebAccelerator 29-5 defined 13-1 RAM Cache compliancy 13-1 RAM Cache feature for tunneling 28-7 RAM Cache virtual servers 13-3 rate classes and virtual servers 15-5 creating 15-4 rate shaping and FTP traffic 15-4 as optional feature 15-1 Read access 23-2 realms and DNS domains 26-3 and trust relationships 26-1 regular expressions 10-1 remote attribute mapping 24-7 remote authentication for system user accounts 24-2 remote authentication attributes 24-9, 24-10 remote authentication issues 27-1 remote authentication requirements 27-2 remote authentication server types 24-2, 25-1 remote policies 29-10 remote user authentication configuring 24-1 remoterole command purpose of 24-1, 24-6, 24-7 remoterole command syntax 24-7 request timeout 29-11 Requested Hosts and domains 29-8, 30-8 defined 29-8, 30-8 requests encrypting and decrypting 11-1, 12-1 resource exhaustion 22-8 response types 13-1 responses compressing 10-1 encrypting and decrypting 11-1, 12-1 retransmission timeout See RTO. role property 24-6 roles and tunneling 28-3 root name servers listing 26-2 route configuration for nPath routing 2-2 route domain IDs format of 21-1
route domains and tunneling 28-3 defined 21-1 router pools 18-2 routers increasing throughput 2-1 routes for nPath routing 2-5 for packets 4-5 routing conflicts 4-5 routing tables and route domains 21-1 RTO 2-6
S
SCF and access control 24-1 purpose of 24-11 SCFs creating 24-11 secondary RADIUS servers configuring 24-4 security and application to traffic 29-3 security checks and HTTP security profile 30-12 to HTTP traffic 30-5 security policies and application profiles 29-12 See also tunneling. self IP addresses and partitions 23-2 creating 17-8 creating for VLAN groups 4-5 for external VLAN 7-5 removing 4-3, 17-7 self-signed certificates 11-2, 12-2 server hosting 3-1 server load 13-1 server pools for nPath routing 2-4 server principal names 26-6 server responses encrypting 11-6 encrypting and decrypting 11-1, 12-1 Server SSL profiles for tunneling 28-6 service port 3701 28-11 service ports for tunneling 28-11 service principals creating 26-3
session persistence implementing 8-1 See also cookie persistence. See also source address affinity persistence. signed acceleration policies defined 29-8, 30-8 simple persistence See source address affinity persistence. Single Configuration File (SCF) See SCF. Smurf attack 22-9 SNAT Automap about 7-1 for VLANs 7-5 SNAT source translations 16-1 SNATs creating 18-2 source address affinity persistence 8-1 source address translation 2-1 source IP addresses and session persistence 8-2 SSL certificates importing 24-2 SSL Client Certificate LDAP configuration objects creating 25-14 SSL Client Certificate LDAP profiles creating 25-15 SSL handshaking for compression 12-1, 12-2 for HTTPS 11-1, 11-2, 11-6 SSL keys and certificates creating 11-2, 12-2 installing 12-1 SSL OCSP authentication module defined 25-17 SSL OCSP configuration objects creating 25-18 SSL OCSP profile type defined 25-18 SSL OCSP responder objects creating 25-17 SSL profiles See Client SSL profiles. SSL traffic authentication 24-2 standard pre-defined acceleration policies 29-7, 30-7 state keeping 22-8 static content 13-1 style conventions 1-3 Sub 7 attacks 22-11 subdomains mapping 29-8 symmetric deployment and content assembly 29-10 defined 29-8 Symmetric Deployment acceleration policy 30-7 SYN Check feature, activating 22-9
SYN cookies 22-8, 22-9 SYN floods 22-8 SYN packets 2-2, 2-6 system access controlling 23-1 system object creation and partition location 23-5 system objects viewing and managing 23-4 system resource exhaustion 22-8
T
TACACS+ configuration object defined 25-11 TACACS+ configuration overview 25-11 TACACS+ profiles creating 25-12 tagged interfaces 5-2, 17-1 TCP connections 22-8 TCP optimization profiles for tunneling 28-6, 28-9 TCP timers 2-6 TCP traffic and nPath routing 2-2, 2-6 tcpdump utility 18-1 Teardrop attacks 22-11 terminal access property 24-6 throughput increasing 2-1 throughput optimization 16-5 time synchronization and PDCs 26-1 timers 2-6 topology 4-1 traffic and same network 4-4 returning 2-1 traffic load 13-1 trunk members 17-3 trunks 17-3 trust relationships 26-1 trusted domains adding BIG-IP systems to 26-3 trusted user impersonation 26-6 tunneling for data optimization 28-1 See also endpoint pools. 28-4
U
UDP floods 22-9 UDP fragment attacks 22-10 UDP timers 2-6 UDP traffic and nPath routing 2-6 universal access 23-5 unmapped domains 30-8 See unmapped requests. unmapped requests 30-8 URIs including and excluding 10-1 user access configuring 23-3 denial of 24-8 tailoring 23-1 to partition Common 23-2 user account duplication 24-7 user account objects and manager role 23-3 user account properties modifying 23-3 user accounts defined 23-1 user authentication configuring 24-1 user impersonation 26-6 user name credentials 25-7 user partition property 24-6 user privileges assigning 24-7 user role property 24-6 user roles and partition access 23-2 and tunneling 28-3 defined 23-1 for partition creation 23-2 user-defined acceleration policies described 29-8, 30-8
V
variable substitution for access control 24-8 vendor-specific attributes 24-7, 24-8 virtual authentication servers and VLANs 27-2 defined 27-1 virtual server defining 30-5 virtual server addresses 2-2 virtual server modification 25-10 virtual servers and FQDNs 26-3 and HTTP class profiles 29-4 and Kerberos delegation 26-9
and SNATs 16-1 and web server pools 4-6 as client principal names 26-6 creating for e-commerce 3-1, 3-3 creating for HTTP 9-3 creating for inbound and outbound traffic 7-3 creating for intranet configuration 6-3 creating for multiple customer hosting 5-3 creating for single network 16-3 for a basic configuration 6-3, 18-3 for compression 10-3 for FTP 14-4 for FTP and rate shaping 15-5 for HTTP 8-3, 29-5 for HTTPS 11-6, 12-7 for IPv6 nodes 20-3 for link aggregation 17-5 for multiple customer hosting 5-3 for nPath routing 2-4 for RAM Cache 13-3 for tunneling 28-6, 28-10 mapping to IP addresses 2-4 modifying for CRLDP authentication 25-23 modifying for RADIUS authentication 25-10 modifying for SSL Client Certificate LDAP authentication 25-16 modifying for SSL OCSP authentication 25-19 modifying for TACACS+ authentication 25-13 VLAN groups creating 4-4, 17-7 VLAN tags creating 5-2, 17-3 VLANs and partitions 23-2 and tagged interfaces 5-2 removing self IP addresses from 4-3, 4-4 using link aggregation 17-1 vulnerabilities scanning for 30-4
W
web application content hosting 29-4, 30-5 web applications and hosted content 29-4, 30-5 web server arrays 3-1 web server pools creating 4-5 web servers and Kerberos authentication 26-1 and server principal names 26-6 WebAccelerator and HTTP class profiles 29-3 WebAccelerator application profiles and protocol security 30-12
WebAccelerator system and application profiles 30-1 and NTP protocol 30-2 and security profiles 30-1 running with Protocol Security Manager 30-3 Welcome screen 1-5 wide area networks optimizing traffic for 28-1 wildcard virtual servers defined 6-2 Windows Integrated Authentication 26-1 WinNuke attacks 22-11