Professional Documents
Culture Documents
Implementations
version 10.0.0
MAN-0293-00
Product Version
This manual applies to version 10.0.0 of the BIG-IP® product family.
Publication Date
This guide was published on March 11, 2009.
Legal Notices
Copyright
Copyright 2008-2009, F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5
assumes no responsibility for the use of this information, nor any infringement of patents or other rights of
third parties which may result from its use. No license is granted by implication or otherwise under any
patent, copyright, or other intellectual property right of F5 except as specifically described by applicable
user licenses. F5 reserves the right to change specifications at any time without notice.
Trademarks
F5, F5 Networks, the F5 logo, BIG-IP, 3-DNS, Acopia, Acopia Networks, Application Accelerator, Ask
F5, Application Security Manager, ASM, ARX, Data Guard, Enterprise Manager, EM, FirePass,
FreedomFabric, Global Traffic Manager, GTM, iControl, Intelligent Browser Referencing, Internet
Control Architecture, IP Application Switch, iRules, Link Controller, LC, Local Traffic Manager, LTM,
Message Security Module, MSM, NetCelera, OneConnect, Packet Velocity, SSL Accelerator, SYN Check,
Traffic Management Operating System, TMOS, TrafficShield, Transparent Data Reduction, uRoam,
VIPRION, WANJet, WebAccelerator, and ZoneRunner are trademarks or service marks of F5 Networks,
Inc., in the U.S. and other countries, and may not be used without F5's express written consent.
Patents
This product protected by U.S. Patents 6,374,300; 6,473,802; 6,970,933; 7,051,126; 7,102,996; 7,146,354;
7,197,661; 7,206,282; 7,287,084. Other patents pending.
RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which
case the user may be required to take adequate measures.
FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant
to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful
interference when the equipment is operated in a commercial environment. This unit generates, uses, and
can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual,
may cause harmful interference to radio communications. Operation of this equipment in a residential area
is likely to cause harmful interference, in which case the user, at his own expense, will be required to take
whatever measures may be required to correct the interference.
Any modifications to this device, unless expressly approved by the manufacturer, can void the user's
authority to operate this equipment under part 15 of the FCC rules.
Acknowledgments
This product includes software developed by Bill Paul.
This product includes software developed by Jonathan Stone.
This product includes software developed by Manuel Bouyer.
This product includes software developed by Paul Richards.
This product includes software developed by the NetBSD Foundation, Inc. and its contributors.
This product includes software developed by the Politecnico di Torino, and its contributors.
This product includes software developed by the Swedish Institute of Computer Science and its
contributors.
This product includes software developed by the University of California, Berkeley and its contributors.
This product includes software developed by the Computer Systems Engineering Group at the Lawrence
Berkeley Laboratory.
This product includes software developed by Christopher G. Demetriou for the NetBSD Project.
This product includes software developed by Adam Glass.
This product includes software developed by Christian E. Hopps.
This product includes software developed by Dean Huxley.
This product includes software developed by John Kohl.
This product includes software developed by Paul Kranenburg.
This product includes software developed by Terrence R. Lambert.
This product includes software developed by Philip A. Nelson.
This product includes software developed by Herb Peyerl.
This product includes software developed by Jochen Pohl for the NetBSD Project.
This product includes software developed by Chris Provenzano.
This product includes software developed by Theo de Raadt.
This product includes software developed by David Muir Sharnoff.
This product includes software developed by SigmaSoft, Th. Lockert.
This product includes software developed for the NetBSD Project by Jason R. Thorpe.
This product includes software developed by Jason R. Thorpe for And Communications,
http://www.and.com.
This product includes software developed for the NetBSD Project by Frank Van der Linden.
This product includes software developed for the NetBSD Project by John M. Vinopal.
This product includes software developed by Christos Zoulas.
This product includes software developed by the University of Vermont and State Agricultural College and
Garrett A. Wollman.
This product includes software developed by Balazs Scheidler <bazsi@balabit.hu>, which is protected
under the GNU Public License.
This product includes software developed by Niels Mueller <nisse@lysator.liu.se>, which is protected
under the GNU Public License.
In the following statement, "This software" refers to the Mitsumi CD-ROM driver: This software was
developed by Holger Veit and Brian Moore for use with "386BSD" and similar operating systems.
"Similar operating systems" includes mainly non-profit oriented systems for research and education,
including but not restricted to "NetBSD," "FreeBSD," "Mach" (by CMU).
This product includes software developed by the Apache Group for use in the Apache HTTP server project
(http://www.apache.org/).
This product includes software licensed from Richard H. Porter under the GNU Library General Public
License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.
This product includes the standard version of Perl software licensed under the Perl Artistic License (©
1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current
standard version of Perl at http://www.perl.com.
This product includes software developed by Jared Minch.
ii
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product contains software based on oprofile, which is protected under the GNU Public License.
This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html)
and licensed under the GNU General Public License.
This product contains software licensed from Dr. Brian Gladman under the GNU General Public License
(GPL).
This product includes software developed by the Apache Software Foundation <http://www.apache.org/>.
This product includes Hypersonic SQL.
This product contains software developed by the Regents of the University of California, Sun
Microsystems, Inc., Scriptics Corporation, and others.
This product includes software developed by the Internet Software Consortium.
This product includes software developed by Nominum, Inc. (http://www.nominum.com).
This product contains software developed by Broadcom Corporation, which is protected under the GNU
Public License.
1
Introducing Implementations for BIG-IP Local Traffic Manager
Introducing BIG-IP system implementations ............................................................................1-1
Getting started .......................................................................................................................1-1
Using the Configuration utility ............................................................................................1-1
About this guide ..............................................................................................................................1-2
Additional information ..........................................................................................................1-2
Stylistic conventions ..............................................................................................................1-3
Finding help and technical support resources ..........................................................................1-5
2
Configuring nPath Routing
Introducing nPath routing .............................................................................................................2-1
Configuring nPath routing .............................................................................................................2-2
Creating a custom Fast L4 profile ......................................................................................2-3
Creating a server pool for nPath routing .........................................................................2-4
Creating a virtual server ......................................................................................................2-4
Configuring the virtual server on the content server loopback interface ................2-5
Setting the route for inbound traffic .................................................................................2-5
Enabling the connection.autolasthop bigdb key ..............................................................2-5
Setting timers for nPath configurations .....................................................................................2-6
Guidelines for configuring timeouts for UDP traffic .....................................................2-6
Guidelines for configuring timeouts for TCP traffic ......................................................2-6
3
Basic Web Site and E-Commerce Configuration
Working with a basic web site and e-commerce configuration ..........................................3-1
Configuring a basic e-commerce site .........................................................................................3-2
Creating load balancing pools .............................................................................................3-2
Creating virtual servers ........................................................................................................3-3
4
Installing a BIG-IP System without Changing the IP Network
Installing a BIG-IP system without changing IP networks ......................................................4-1
Configuring the BIG-IP system for the same IP network ......................................................4-3
Removing the self IP addresses from the individual VLANs ........................................4-3
Creating a VLAN group .......................................................................................................4-4
Creating a self IP address for the VLAN group ..............................................................4-5
Creating a pool of web servers ..........................................................................................4-5
Creating a virtual server ......................................................................................................4-6
5
Web Hosting for Multiple Customers
Introducing multiple customer hosting ......................................................................................5-1
Hosting multiple customers using an external switch ............................................................5-2
Creating VLANs with tagged interfaces ...........................................................................5-2
Creating load balancing pools .............................................................................................5-3
Creating virtual servers ........................................................................................................5-3
Directly hosting multiple customers ..........................................................................................5-5
Creating VLANs with untagged interfaces .......................................................................5-6
6
A Simple Intranet Configuration
Working with a simple intranet configuration .........................................................................6-1
Creating the simple intranet configuration ...............................................................................6-2
Creating pools ........................................................................................................................6-2
Creating virtual servers ........................................................................................................6-3
7
Load Balancing ISPs
Introducing ISP load balancing ......................................................................................................7-1
Configuring ISP load balancing .....................................................................................................7-2
Creating pools for an additional Internet connection ...................................................7-2
Creating virtual servers for an additional Internet connection ..................................7-3
Configuring address translation for outbound traffic .............................................................7-5
8
Load Balancing HTTP Traffic with Source Address Affinity Persistence
Introducing basic HTTP load balancing ......................................................................................8-1
Configuring HTTP load balancing with source address affinity persistence ......................8-2
Creating a pool .......................................................................................................................8-2
Creating a virtual server ......................................................................................................8-3
9
Load Balancing HTTP Traffic with Cookie Persistence
Introducing basic HTTP load balancing ......................................................................................9-1
Configuring HTTP load balancing with cookie persistence ..................................................9-2
Creating a custom persistence profile ..............................................................................9-2
Creating a pool .......................................................................................................................9-3
Creating a virtual server ......................................................................................................9-3
10
Compressing HTTP Responses
Introducing HTTP data compression ...................................................................................... 10-1
Creating a custom HTTP profile .............................................................................................. 10-2
Creating a virtual server ............................................................................................................. 10-3
11
Configuring HTTPS Load Balancing
Introducing HTTPS load balancing ........................................................................................... 11-1
Creating an SSL key and certificate ......................................................................................... 11-2
Creating a custom SSL profile ................................................................................................... 11-3
Creating a pool ............................................................................................................................. 11-5
Creating a virtual server ............................................................................................................. 11-6
viii
Table of Contents
12
Configuring HTTPS Load Balancing with Data Compression
Introducing HTTPS load balancing with compression ......................................................... 12-1
Creating an SSL key and certificate ......................................................................................... 12-2
Creating a custom Client SSL profile ...................................................................................... 12-3
Creating a custom HTTP profile for compression .............................................................. 12-4
Creating a pool ............................................................................................................................. 12-6
Creating a virtual server ............................................................................................................. 12-7
13
Using RAM Cache for HTTP Traffic
Introducing HTTP RAM Cache ................................................................................................. 13-1
Creating a custom HTTP profile .............................................................................................. 13-2
Creating a virtual server ............................................................................................................. 13-3
14
Load Balancing Passive Mode FTP Traffic
Introducing FTP load balancing ................................................................................................. 14-1
Creating a custom FTP monitor ............................................................................................... 14-2
Creating a pool ............................................................................................................................. 14-3
Creating a virtual server ............................................................................................................. 14-4
15
Load Balancing Passive Mode FTP Traffic with Rate Shaping
Introducing FTP load balancing with rate shaping ................................................................ 15-1
Creating a custom FTP monitor ............................................................................................... 15-2
Creating a pool ............................................................................................................................. 15-3
Creating a rate class .................................................................................................................... 15-4
Creating a virtual server ............................................................................................................. 15-5
16
Setting up a One-IP Network Topology
Introducing the one-IP network topology ............................................................................. 16-1
Creating a pool for a one-IP network topology ................................................................... 16-2
Creating a virtual server ............................................................................................................. 16-3
Defining a default route .............................................................................................................. 16-4
Configuring a client SNAT ......................................................................................................... 16-5
17
Using Link Aggregation with Tagged VLANs
Introducing link aggregation with tagged VLAN interfaces ................................................ 17-1
Using the two-network aggregated tagged interface topology ......................................... 17-2
Aggregating the links .......................................................................................................... 17-3
Assigning a trunk to the VLANs ...................................................................................... 17-3
Creating a pool of web servers to load balance .......................................................... 17-4
Creating a virtual server to load balance the web servers ....................................... 17-5
Using the one-network aggregated tagged interface topology ......................................... 17-6
Removing the self IP addresses from the VLANs ....................................................... 17-7
Creating a VLAN group .................................................................................................... 17-7
Creating a self IP for the VLAN group .......................................................................... 17-8
18
Setting Up Packet Filtering
Introducing packet filtering ........................................................................................................ 18-1
Configuring packet filtering ........................................................................................................ 18-2
Creating a SNAT ................................................................................................................. 18-2
Creating a gateway pool .................................................................................................... 18-2
Creating a forwarding virtual server .............................................................................. 18-3
Creating a packet filter rule ............................................................................................. 18-4
19
Implementing Health and Performance Monitors
Introducing health and performance monitors ..................................................................... 19-1
Creating a custom monitor ....................................................................................................... 19-3
Creating a pool ............................................................................................................................. 19-4
Assigning a monitor to a pool .......................................................................................... 19-4
Excluding a pool member from a monitor .................................................................... 19-5
Creating a virtual server ............................................................................................................. 19-6
20
Load Balancing Traffic to IPv6 Nodes
Configuring the radvd service ................................................................................................... 20-1
Configuring IPv4-to-IPv6 load balancing ................................................................................. 20-2
Creating a pool of IPv6 nodes ......................................................................................... 20-2
Creating a virtual server ................................................................................................... 20-3
21
Implementing Overlapping IP Addresses
Introducing overlapping IP addresses ...................................................................................... 21-1
What is a route domain? ................................................................................................... 21-1
Specifying route domain IDs ............................................................................................ 21-1
Configuring route domains ........................................................................................................ 21-2
Creating VLANs for route domains ............................................................................... 21-3
Creating self IP addresses for route domains .............................................................. 21-5
Creating route domain objects ........................................................................................ 21-6
Creating pool members for route domains ................................................................. 21-7
Creating static routes ........................................................................................................ 21-8
Creating virtual servers for route domains .................................................................. 21-9
22
Mitigating Denial of Service and Other Attacks
Basic denial of service security overview ............................................................................... 22-1
Configuring adaptive connection reaping ............................................................................... 22-2
Logging adaptive reaper activity ...................................................................................... 22-3
Simple DoS prevention configuration ..................................................................................... 22-4
Setting the TCP and UDP connection timers .............................................................. 22-4
Creating an IP rate class and applying it to a virtual server ...................................... 22-5
Setting connection limits on the main virtual server .................................................. 22-6
Filtering out attacks with iRules ............................................................................................... 22-7
Filtering out a Code Red attack ...................................................................................... 22-7
Filtering out a Nimda attack ............................................................................................. 22-7
x
Table of Contents
How the BIG-IP system handles several common attacks ................................................. 22-8
SYN flood ............................................................................................................................. 22-8
ICMP flood (Smurf) ............................................................................................................ 22-9
UDP flood ............................................................................................................................. 22-9
UDP fragment .................................................................................................................... 22-10
Ping of Death ..................................................................................................................... 22-10
Land attack ......................................................................................................................... 22-10
Teardrop ............................................................................................................................. 22-11
Data attacks ....................................................................................................................... 22-11
WinNuke ............................................................................................................................ 22-11
Sub 7 .................................................................................................................................... 22-11
Back Orifice ........................................................................................................................ 22-12
23
Configuring Administrative Domains
Introducing administrative domains ......................................................................................... 23-1
Creating a partition ..................................................................................................................... 23-2
Configuring user access to a partition .................................................................................... 23-3
Viewing, managing, and creating objects in a partition ........................................................ 23-4
Viewing and managing system objects ........................................................................... 23-4
Creating BIG-IP system objects ....................................................................................... 23-5
24
Configuring Remote Authentication and Authorization for Administrative Traffic
Introducing remote authentication and authorization for BIG-IP system user accounts ....
24-1
Configuring the BIG-IP system to use remote authentication of user accounts .......... 24-2
Configuring access control for BIG-IP system users ........................................................... 24-6
Understanding the remoterole command .................................................................... 24-7
Using the remote role command .................................................................................... 24-7
Using variable substitution ................................................................................................ 24-8
Propagating remote authentication and authorization data to multiple BIG-IP devices .....
24-11
25
Configuring Remote Authentication for Application Traffic
Introducing remote authentication for application traffic .................................................. 25-1
Configuring authentication that uses a remote LDAP or Active Directory server ..... 25-2
Creating an LDAP configuration object ........................................................................ 25-2
Creating an LDAP authentication profile ...................................................................... 25-5
Modifying a virtual server for LDAP authentication ................................................... 25-5
Configuring authentication that uses a remote RADIUS server ....................................... 25-7
Creating a RADIUS server object ................................................................................... 25-7
Creating a RADIUS configuration object ...................................................................... 25-8
Creating a RADIUS profile ............................................................................................... 25-9
Modifying a virtual server for RADIUS authentication .............................................. 25-9
Configuring authentication that uses a remote TACACS+ server ................................ 25-11
Creating a TACACS+ configuration object ................................................................ 25-11
Creating a TACACS+ profile ......................................................................................... 25-12
Modifying a virtual server for TACACS+ authentication ........................................ 25-13
26
Configuring Kerberos Delegation
Introducing Kerberos delegation infrastructure ................................................................... 26-1
Configuring the BIG-IP system for Kerberos delegation .................................................... 26-2
Adding a DNS server to the BIG-IP system ................................................................. 26-2
Joining the BIG-IP system to the trusted domain ........................................................ 26-3
Creating the Kerberos delegation configuration .................................................................. 26-5
Configuring Kerberos delegation using the Configuration utility ............................ 26-5
Configuring Kerberos delegation from the command line ....................................... 26-8
Authenticating Client Traffic ................................................................................................... 26-10
27
Configuring Multiple Authentication Servers
Introducing multiple authentication server configuration .................................................. 27-1
Meeting prerequisites .................................................................................................................. 27-2
Configuring BIG-IP system objects .......................................................................................... 27-2
28
Implementing Paired Tunneling
Introducing paired tunneling ...................................................................................................... 28-1
What is paired tunneling? .................................................................................................. 28-1
About data compression ................................................................................................... 28-2
Before you begin ................................................................................................................. 28-3
Configuring the client-side system ........................................................................................... 28-4
Creating a client-side endpoint pool .............................................................................. 28-4
Creating the client-side iSession profile ........................................................................ 28-5
Creating the client-side virtual server ........................................................................... 28-6
Configuring the server-side system ......................................................................................... 28-9
Creating the server-side virtual server ........................................................................ 28-10
Specifying service ports ................................................................................................... 28-11
Viewing data compression statistics ...................................................................................... 28-12
xii
Table of Contents
29
Securing and Accelerating HTTP Traffic with ASM and WA
Overview of the configuration tasks ....................................................................................... 29-1
Completing basic configuration tasks on the Local Traffic Manager ................................ 29-2
Performing initial configuration tasks on the Local Traffic Manager ................................ 29-3
Creating the HTTP class profile ...................................................................................... 29-3
Defining a virtual server and pool on the BIG-IP Local Traffic Manager ............... 29-4
Defining an NTP server ..................................................................................................... 29-6
Creating an application profile for the WebAccelerator system ..................................... 29-7
Selecting an acceleration policy ....................................................................................... 29-7
Planning your host map ..................................................................................................... 29-8
Assigning the WebAccelerator application profile to the security policy in Application
Security Manager ........................................................................................................................ 29-12
Running the Application Security Manager Deployment Wizard ................................... 29-13
30
Securing and Accelerating HTTP Traffic with PSM and WA
Overview of the configuration tasks ....................................................................................... 30-1
Completing basic configuration tasks on the Local Traffic Manager ................................ 30-2
Performing initial configuration tasks on the Local Traffic Manager ................................ 30-3
Creating the WebAccelerator HTTP class profile ..................................................... 30-4
Creating an HTTP service profile ................................................................................... 30-4
Creating a virtual server and pool on the BIG-IP Local Traffic Manager .............. 30-5
Creating an application profile for the WebAccelerator system ..................................... 30-7
Selecting an acceleration policy ....................................................................................... 30-7
Planning your host map ..................................................................................................... 30-8
Creating an HTTP security profile in the Protocol Security Module configuration ... 30-12
Glossary
Index
xiv
1
Introducing Implementations for BIG-IP
Local Traffic Manager
Note
Getting started
Before you begin implementing a solution in this guide, we recommend that
you familiarize yourself with additional resources such as other BIG-IP
system guides and online help, and review the stylistic conventions that
appear in this chapter. For more information, see About this guide, on page
1-2.
Then, we recommend that you run the Setup utility on the BIG-IP system to
configure basic network and network elements such as static and floating
self IP addresses, interfaces, and VLANs. After running the Setup utility,
you can use this guide to implement specific configuration scenarios. For
information on running the Setup utility, see BIG-IP® Systems: Getting
Started Guide.
Additional information
In addition to this guide, there are other sources of the documentation you
can use in order to work with the BIG-IP system. The following guides are
available in PDF format from the Ask F5SM web site,
https://support.f5.com:
◆ BIG-IP® Systems: Getting Started Guide
This guide provides detailed information about licensing and
provisioning the BIG-IP system, as well as installing upgrades.
◆ TMOSTM Management Guide for BIG-IP® Systems
This guide contains any information you need to configure and maintain
the network and system-related components of the BIG-IP system, such
as routes, VLANs, and user accounts.
◆ Configuration Guide for BIG-IP® Local Traffic Management
This guide contains any information you need for configuring specific
features of the BIG-IP system to manage local network traffic.
◆ BIG-IP® Application Security Manager: Getting Started Guide
This guide describes how to set up BIG-IP Application Security Manager
to configure security policies.
◆ Configuration Guide for BIG-IP® Application Security Management
This guide provides configuration procedures to protect Web
applications from both generalized and targeted application layer attacks.
• Configuration Guide for BIG-IP® Protocol Security Module
This guide provides the procedures for configuring BIG-IP Protocol
Security Module.
• Configuration Guide for the BIG-IP® WebAcceleratorTM System
This guide describes the core BIG-IP WebAccelerator concepts and
provides the procedures for configuring and monitoring the
WebAccelerator system.
◆ Bigpipe Utility Reference Guide
This guide contains information about using the bigpipe utility
commands to manage the BIG-IP system.
◆ Traffic Management Shell (tmsh) Reference Guide
This guide contains information about using the Traffic Management
Shell (tmsh) commands to manage the BIG-IP system.
1-2
Introducing Implementations for BIG-IP Local Traffic Manager
Stylistic conventions
To help you easily identify and understand important information, all of our
documentation uses the stylistic conventions described here.
\ Indicates that the command continues on the following line, and that users should type the entire
command without typing a line break.
< > Identifies a user-defined parameter. For example, if the command has <your name>, type in your
name, but do not include the brackets.
1-4
Introducing Implementations for BIG-IP Local Traffic Manager
1-6
2
Configuring nPath Routing
Note
The type of virtual server that processes the incoming traffic must be a
transparent, non-translating type of virtual server.
In bypassing the BIG-IP system on the return path, nPath routing departs
significantly from a typical load-balancing configuration. In a typical
load-balancing configuration, the destination address of the incoming packet
is translated from that of the virtual server to that of the server being load
balanced to, which then becomes the source address of the returning packet.
A default route set to the BIG-IP system then sees to it that packets returning
to the originating client return through the BIG-IP system, which translates
the source address back to that of the virtual server. The nPath configuration
differs from the typical load-balancing configuration, as you can see in the
following section.
Note
Do not attempt to use nPath routing for Layer 7 traffic. Certain traffic
features do not work properly if Layer 7 traffic bypasses the BIG-IP system
on the return path. An example of such a feature is HTTP response
compression.
You need to complete the following tasks to configure the BIG-IP system to
use nPath routing:
• Create a custom Fast L4 profile.
• Create a pool that contains the content servers.
• Define a virtual server with port and address translation disabled and
assign the custom Fast L4 profile to it.
• Configure the virtual server address on each server loopback interface.
• Set the default route on your servers to the router’s internal IP address.
2-2
Configuring nPath Routing
For background information on profiles, pools, and virtual servers, see the
Configuration Guide for BIG-IP® Local Traffic Management.
Note
You perform the tasks contained in this guide using the Configuration
utility; however, the procedures do not include the step of logging on to the
Configuration utility. Before you begin the tasks, log on to the Configuration
utility.
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
click Pools.
The Pools screen opens.
2. To create a new pool, click Create.
The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a pool.
3. Type a pool name and add the member addresses for each of the
servers.
4. Click Finished.
2-4
Configuring nPath Routing
Note
You need to set this route only if the virtual server is on a different subnet
than the router.
For information about how to define this route, please refer to the
documentation provided with your router.
2-6
3
Basic Web Site and E-Commerce
Configuration
To set up load balancing for these sites, you need to create two pools that are
referenced by two virtual servers, one for each site. Even though the sites
are related and they may even share the same IP address, each requires its
own virtual server because it uses a different port to support its particular
protocol: port 80 for the HTTP traffic going to www.siterequest.com, and
port 443 for the SSL traffic going to store.siterequest.com. Note that this is
true even when there is a port 80 and port 443 on the same physical server,
as in the case of Server2.
Note
All examples in this document use only private class IP addresses. When you
set up the configurations we describe, you must use valid IP addresses
suitable to your own network in place of our sample addresses.
3-2
Basic Web Site and E-Commerce Configuration
3-4
4
Installing a BIG-IP System without Changing
the IP Network
The existing data center structure does not support load balancing or high
availability. Figure 4.2, on page 4-2 is an example of the data center
topology after you add the BIG-IP system.
Both the internal and external interfaces of the BIG-IP system are on the
same IP network, 10.0.0.0, but they are effectively on different LANs.
Figure 4.2 introduces a second switch.
4-2
Installing a BIG-IP System without Changing the IP Network
Note
This example assumes that you are using the default internal and external
VLAN configuration with self IP addresses on each of the VLANs that are on
the same IP network on which you are installing the BIG-IP system.
Important
The default route on each content server should be set to the IP address of
the router. In this example, you set the default route to 10.0.0.2.
WARNING
We recommend that you perform this step from the console or from a self IP
address you are not going to delete. If you are connected from a remote
workstation through a self IP address that you are going to delete, you will
be disconnected when you delete it.
4-4
Installing a BIG-IP System without Changing the IP Network
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
click Pools.
The Pools screen opens.
2. In the upper-right corner of the screen, click Create.
The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as myweb_pool.
4. In the Resources area of the screen, use the New Members setting
to add the pool members.
In our example, pool members are 10.0.0.3:80 and 10.0.0.4:80.
5. Click Finished.
4-6
5
Web Hosting for Multiple Customers
5-2
Web Hosting for Multiple Customers
4. For the Interfaces setting, from the Available box select the name
of an interface on your internal network, and click the Move button
(<<) to move the interface name to the Tagged box.
This assigns the selected interface to the VLAN, as a tagged
interface. In our example, the interface is 5.1.
5. Click Finished.
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
click Pools.
The Pools screen opens.
2. In the upper-right corner of the screen, click Create.
The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as
customerA_pool.
4. In the Resources area of the screen, use the New Members setting
to add the pool members.
For example, in Figure 5.1, on page 5-1, the pool members for
vlanA are 10.1.1.1:80 and 10.1.1.2:80. The pool members for
vlanB are 10.1.2.1:80 and 10.1.2.2:80, and the pool members for
vlanC are 10.1.3.1:80 and 10.1.3.2:80.
5. Click Finished.
3. In the Name box, type a name for the virtual server, such as
vs_customerA.
4. In the Destination box, verify that the type of virtual server is Host,
and in the Address box, type an IP address for the virtual server,
such as 10.1.10.10:80.
5. In the Service Port box, type 80, or select HTTP from the list.
6. In the Configuration area of the screen, locate the HTTP Profile
setting and select http.
7. In the Resources area of the screen, locate the Default Pool setting
and select the pool corresponding to the virtual server you are
creating.
For example, for vs_customerA, you would select the pool
customerA_pool. For vs_customerB, you would select the pool
customerB_pool, and so on.
8. Click Finished.
5-4
Web Hosting for Multiple Customers
In Figure 5.2, two BIG-IP system interfaces are assigned to each VLAN. For
example, interfaces 1.1 and 1.2 are assigned to the vlanA VLAN. Each
interface is assigned to a VLAN as an untagged interface.
The first scenario, shown in Figure 5.1, on page 5-1, requires an additional
switch, but requires the use of only one interface on the internal network.
The second scenario, shown in Figure 5.2, removes the need for an
additional switch, but requires the use of multiple BIG-IP system interfaces.
Once you have created your VLANs and assigned untagged interfaces to
them, you can create the pools and virtual servers, just as you did in the
section Hosting multiple customers using an external switch, on page 5-2.
5-6
6
A Simple Intranet Configuration
As Figure 6.1, on page 6-1 shows, the non-intranet connections are handled
by wildcard virtual servers, that is, servers with the IP address 0.0.0.0. The
wildcard virtual server that is handling traffic to the cache servers is port
specific, specifying port 80 for HTTP requests. This way all HTTP requests
not matching an IP address on the intranet are directed to the cache server.
The wildcard virtual server handling non-HTTP requests is a default
wildcard server. A default wildcard virtual server is one that uses only port
0. This makes it a catch-all match for outgoing traffic that does not match
any standard virtual server or any port-specific wildcard virtual server.
Creating pools
The first task in a basic configuration is to define the two load balancing
pools: a pool for the intranet content servers, and a pool for the Internet
cache servers.
To create pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
click Pools.
The Pools screen opens.
2. In the upper-right corner of the screen, click Create.
The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as http_pool.
4. In the Resources area of the screen, use the New Members setting
to add the pool members.
For example, in Figure 6.1, on page 6-1, the pool members for
http_pool are 192.168.100.10:80 and 192.168.100.11:80. The pool
members for specificport_pool are 192.168.100.20:80 and
192.168.100.21:80.
5. Click Finished.
6-2
A Simple Intranet Configuration
6-4
7
Load Balancing ISPs
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
click Pools.
The Pools screen opens.
2. In the upper-right corner of the screen, click Create.
The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as content_pool or
router_pool.
4. In the Resources area of the screen, use the New Members setting
to add the pool members.
For example, in Figure 7.1, on page 7-1, the pool members for pool
content_pool are 10.1.1.1:80, 10.1.1.2:80, and 10.1.1.3:80. The
pool members for pool router_pool are 192.168.100.1:0 and
192.168.200.1:0.
5. Click Finished.
7-2
Load Balancing ISPs
4. In the Destination box, verify that the type of virtual server is Host,
and in the Address box, type an IP address for the virtual server.
For example, you can assign the IP address 0.0.0.0:0 to the virtual
server, making it a wildcard virtual server.
5. In the Resources area of the screen, locate the Default Pool setting
and select the pool corresponding to the virtual server you are
creating.
For example, for vs_routers, you would select the pool
router_pool.
6. Click Finished.
7-4
Load Balancing ISPs
Note
7-6
8
Load Balancing HTTP Traffic with Source
Address Affinity Persistence
Creating a pool
The first task in a basic configuration is to create a load balancing pool to
load balance HTTP connections. Use the Configuration utility to create this
pool.
8-2
Load Balancing HTTP Traffic with Source Address Affinity Persistence
8-4
9
Load Balancing HTTP Traffic with Cookie
Persistence
9-2
Load Balancing HTTP Traffic with Cookie Persistence
Creating a pool
The next task is to create a load balancing pool to which to load balance
HTTP connections.
Note
You can also use HTTP Cookie Insert persistence wtih a Performance
(HTTP) type of virtual server.
9-4
10
Compressing HTTP Responses
Tip
If you want to enable HTTP compression for specific connections, you can
write an iRule that specifies the HTTP:compress enable command.
Using the BIG-IP system HTTP compression feature, you can include or
exclude certain types of URIs or files that you specify. This is useful
because some URI or file types might already be compressed. F5 does not
recommend using CPU resources to compress already-compressed data
because the cost of compressing the data usually outweighs the benefits.
Examples of regular expressions that you might want to specify for
exclusion are .*\.pdf, .*\.gif, or .*\.html.
To configure HTTP data compression, you need to:
• Create a custom HTTP profile.
• Create a virtual server to process compressed HTTP responses.
10 - 2
Compressing HTTP Responses
9. For all other settings in the Compression area of the screen, retain
the default values, or configure them to suite your needs.
10. Click Finished.
After you have created a custom HTTP profile and a virtual server, you can
test the configuration by attempting to pass HTTP traffic through the virtual
server. Check to see that the BIG-IP system includes and excludes the
responses that you specified in the custom profile, and that the system
compresses the data as specified.
10 - 4
11
Configuring HTTPS Load Balancing
• Creating a pool
11 - 2
Configuring HTTPS Load Balancing
11 - 4
Configuring HTTPS Load Balancing
Creating a pool
The next task in this process is to create a load balancing pool to load
balance HTTPS connections. After you create the pool, you assign it to a
virtual server that you create.
After you have created the required SSL key/certificate pairs, one or two
custom SSL profiles, a load balancing pool, and a virtual server, you can test
the configuration by attempting to pass HTTPS traffic through the virtual
server to the pool.
11 - 6
12
Configuring HTTPS Load Balancing with
Data Compression
• Creating a pool
Note
12 - 2
Configuring HTTPS Load Balancing with Data Compression
12 - 4
Configuring HTTPS Load Balancing with Data Compression
Creating a pool
The next task in the process is to create a load balancing pool to load
balance HTTPS connections. After you create the pool, you assign it to a
virtual server that you create.
12 - 6
Configuring HTTPS Load Balancing with Data Compression
You can now test the configuration by attempting to pass HTTPS traffic
through the virtual server. Check to see that the BIG-IP system includes and
excludes the responses that you specified in the custom HTTP profile, and
that the system compresses the data as specified.
12 - 8
13
Using RAM Cache for HTTP Traffic
13 - 2
Using RAM Cache for HTTP Traffic
13 - 4
14
Load Balancing Passive Mode FTP Traffic
• Creating a pool
When you create the virtual server, you can configure it to use the default
FTP profile. An FTP profile determines the way that the BIG-IP system
processes FTP traffic.
This chapter describes how to create the objects listed above, using the
default FTP profile. For more detailed information on managing FTP traffic,
see the Configuration Guide for BIG-IP® Local Traffic Management.
14 - 2
Load Balancing Passive Mode FTP Traffic
Creating a pool
To load balance passive mode FTP traffic, you create a load balancing pool.
When you create the pool, you assign the custom FTP monitor that you
created in the previous task.
After creating the pool, you assign it to the virtual server that you create.
14 - 4
15
Load Balancing Passive Mode FTP Traffic
with Rate Shaping
• Creating a pool
When you create the virtual server, you can configure it to use the default
FTP profile. An FTP profile determines the way that the BIG-IP system
processes FTP traffic.
This chapter describes how to create the objects listed above, using the
default FTP profile. For more detailed information on managing FTP traffic,
see the Configuration Guide for BIG-IP® Local Traffic Management.
Note that the rate shaping feature is optional on the BIG-IP system.
Therefore, you must have purchased a license for the rate shaping feature
before you can use rate shaping to control the load balancing of passive FTP
traffic.
15 - 2
Load Balancing Passive Mode FTP Traffic with Rate Shaping
Creating a pool
To load balance passive mode FTP traffic, you create a load balancing pool.
When you create the pool, you assign the custom FTP monitor that you
created in the previous task.
After you create the pool, you assign it to the virtual server that you create in
the next task.
Note
15 - 4
Load Balancing Passive Mode FTP Traffic with Rate Shaping
15 - 6
16
Setting up a One-IP Network Topology
To set up this configuration, you need to complete the following tasks on the
BIG-IP system:
• Create a load balancing pool for the content servers.
• Create a virtual server to load balance traffic to the content server pool.
• Define a default route for the external VLAN.
• Configure a SNAT for the client.
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
click Pools.
The Pools screen opens.
2. In the upper-right corner of the screen, click Create.
The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a pool.
3. From the Configuration list, select Advanced.
4. In the Name box, type a name for the pool, such as server_pool.
5. For the Health Monitors setting, from the Available box select
http, and click the Move button (<<) to move the monitor name to
the Active box.
6. For the Allow SNAT setting, verify that the value is Yes.
7. For the remaining settings in the Configuration area of the screen,
retain the default values.
8. In the Resources area of the screen, use the default values for the
Load Balancing Method and Priority Group Activation settings.
9. For the New Members setting, add the pool members:
a) Click the New Address option.
b) In the Address box, type the IP address of a server in the pool.
c) In the Service Port box, type 80, or select HTTP.
d) Click Add.
e) Repeat steps b, c, and d for each server in the pool.
10. Click Finished.
16 - 2
Setting up a One-IP Network Topology
Note
If you are defining a default route for a route domain other than route
domain 0 (the default route domain), the procedure varies slightly. For
more information, see the TMOSTM Management Guide for BIG-IP®
Systems.
16 - 4
Setting up a One-IP Network Topology
16 - 6
17
Using Link Aggregation with Tagged VLANs
The examples in this chapter show you how to use link aggregation in two
configurations, a two-network configuration and a single-network
configuration.
Figure 17.1 An example of an aggregated two-interface load balancing configuration with two IP networks
Note
This example assumes that you are using the default internal and external
VLAN configuration. It also assumes that the self IP addresses on each
VLAN are on the same IP networks as the BIG-IP system.
17 - 2
Using Link Aggregation with Tagged VLANs
To aggregate links
1. On the Main tab of the navigation pane, expand Network, and click
Trunks.
The Trunks screen opens.
2. On the upper-right corner of the screen, click Create.
The New Trunk screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a trunk.
3. In the Name box, type a name for the trunk, such as trunk1.
4. For the Interfaces setting, locate the Available box and select an
interface.
Note: The lowest-numbered interface is the controlling or reference
interface.
5. Using the Move button, move the interface number to the Members
box.
6. Repeat step 5 for all interfaces that you want to include as trunk
members.
7. For the LACP setting, check the box.
This enables dynamic link aggregation.
8. Click Finished.
WARNING
You should perform this task from the management interface; otherwise you
will be disconnected from the BIG-IP system.
3. For the Interfaces setting, locate the Available box and select the
name of the trunk that you created in the previous procedure.
4. Click the Move button to move the trunk name to the Tagged box.
This assigns the trunk to the VLAN, as a tagged interface.
5. Click Update.
6. Return to the list of existing VLANs.
7. Repeat steps 2 - 5 for VLAN external.
8. Click Update.
To create a pool
1. On the Main tab of the navigation pane, expand Local Traffic, and
click Pools.
The Pools screen opens.
2. In the upper-right corner of the screen, click Create.
The New Pool screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a pool.
3. In the Name box, type a name for the pool, such as myweb_pool.
4. For the New Members setting, add the pool members:
a) Click the New Address option.
b) In the Address box, type the IP address of a web server in the
pool.
c) From the Service Port list, select a service.
d) Click Add.
e) Repeat steps b, c, and d for each server in the pool.
5. Click Finished.
17 - 4
Using Link Aggregation with Tagged VLANs
Figure 17.2 An example of an aggregated two-interface load balancing configuration with one IP network
You configure the one-network topology in exactly the same way as the
two-network topology (allowing for the fact that the virtual server address
will now belong to the same network as the servers), with one additional
step: the internal and external VLANs need to be grouped. Therefore, to
configure the BIG-IP system for this implementation, you must complete
the following tasks:
• Configure the tagged interfaces, load balancing pool, virtual server, and
trunk exactly as in the two-network configuration.
For more information, see Using the two-network aggregated tagged
interface topology, on page 17-2.
• Remove the self IP addresses from the internal and external VLANs.
• Combine the internal and external VLANs into a VLAN group.
• Assign a self IP address to the VLAN group.
17 - 6
Using Link Aggregation with Tagged VLANs
WARNING
You should perform this task from the management interface; otherwise you
will be disconnected from the BIG-IP system.
Tip
A VLAN group name can be used anywhere that a VLAN name can be used.
17 - 8
18
Setting Up Packet Filtering
Note
You can also configure global packet filtering that applies to all packet filter
rules that you create. The following sections describe how to set global
packet filtering options, and how to create and manage individual packet
filters rules.
By setting up some basic IP routing and configuring packet filtering,
specific hosts on the internal VLAN can connect to the internal VLAN’s self
IP address. These hosts can also use common Internet services such as
HTTP, HTTPS, DNS, FTP, and SSH. Traffic from all other hosts in the
internal VLAN is rejected.
To configure this implementation, you must:
• Create a SNAT.
• Create a pool of routers (also known as a gateway pool).
• Create a forwarding virtual server.
• Create a packet filter rule.
Creating a SNAT
The first task in implementing packet filtering is to create a SNAT.
To create a SNAT
1. On the Main tab of the navigation pane, expand Local Traffic, and
click SNATs.
The SNATs screen opens.
2. In the upper-right corner, click Create.
The New SNAT screen opens.
Note: If the Create button is unavailable, this indicates that your
user role does not grant you permission to create a SNAT.
3. In the Name box, type a unique name for the SNAT.
4. From the Translation list, select Automap.
5. From the VLAN Traffic list, select Enabled On.
This displays the VLAN List setting.
6. For the VLAN List setting, from the Available box select internal
and external, and click the Move button (<<) to move the VLAN
names to the Selected box.
7. Click Finished.
18 - 2
Setting Up Packet Filtering
4. In the Resources area of the screen, use the New Members setting
to add the pool members.
The members you add are router IP addresses.
5. Click Finished.
18 - 4
19
Implementing Health and Performance
Monitors
• Creating a pool
Name my_icmp
Type ICMP
Interval 5
Timeout 16
Transparent No
Alias Address * All Addresses
Note
19 - 2
Implementing Health and Performance Monitors
Creating a pool
When you create the pool to load balance traffic, you assign the custom
monitor that you created in the previous section to a load balancing pool.
Then, after creating the pool, you assign it to the virtual server that you
create in the next section.
19 - 4
Implementing Health and Performance Monitors
4. In the Members column, click the address of the pool member for
which you want to assign a unique monitor.
This displays the properties of that pool member.
5. From the Configuration list, select Advanced.
This displays the Health Monitors setting.
6. From the Health Monitors list, select Member Specific.
7. Click Update.
19 - 6
20
Load Balancing Traffic to IPv6 Nodes
7. Verify that the IPv6 nodes have auto-configured their addresses for
this prefix.
8. Take note of the addresses of the HTTP service IPv6 nodes.
These addresses are required for the next step in the process,
configuring IPv4-to-IPv6 load balancing.
20 - 2
Load Balancing Traffic to IPv6 Nodes
20 - 4
21
Implementing Overlapping IP Addresses
You can configure route domains using the Configuration utility, the
bigpipe utility, or tmsh.
For any of these BIG-IP objects that require an IP address, you must include
the relevant route domain ID in the address, using the %ID format. (For
information on route domain IDs, see Specifying route domain IDs, on page
21-1.)
Figure 21.1 shows an example of configuring two distinct route domains for
the purpose of using overlapping IP addresses on your network. Note in this
example that the same IP addresses for objects in route domain 1 are used
for objects in route domain 2. The only difference in the duplicate IP
addresses is the distinct route ID.
21 - 2
Implementing Overlapping IP Addresses
Note
For information on the syntax for bigpipe or tmsh commands, see the
Bigpipe Utility Reference Guide and the Traffic Management Shell (tmsh)
Reference Guide.
21 - 4
Implementing Overlapping IP Addresses
route domain 1, except for the route ID. In our example, the self IP
addresses for route domain 2 are 12.1.1.254%2 and 10.2.1.254%2, and you
assign the VLANs vlan_clientside2 and vlan_serverside2 to these
addresses.
21 - 6
Implementing Overlapping IP Addresses
21 - 8
Implementing Overlapping IP Addresses
21 - 10
22
Mitigating Denial of Service and Other
Attacks
WARNING
The adaptive reaper settings do not apply to SSL connections. However, you
can set TCP and UDP connection timeouts that reap idle SSL connections.
For more information see Setting the TCP and UDP connection timers, on
page 22-4.
Tip
There is generally no need to change these values as they represent an
optimal solution for most BIG-IP system deployments.
Important
Setting both of the adaptive reaper values to 100 disables this feature.
22 - 2
Mitigating Denial of Service and Other Attacks
Important
When the adaptive reaper high water limit is reached, the LCD displays the
message Blocking DoS Attack.
3. Choose the logging level for the adaptive reaper. The following
levels display the message Blocking DoS Attack on the LCD when
the Reaper High Water Mark is exceeded:
• Emergency
• Alert
• Critical
• Error
• Warning
The following levels do not display the Blocking DoS Attack
message on the LCD.
• Notice
• Informational
4. Type the following command to set the adaptive reaper logging
level, where <log level> is the logging level:
bp db Log.DosProtect.Level "<log level>"
22 - 4
Mitigating Denial of Service and Other Attacks
Important
The rate class module requires a license key. If you do not have this
functionality and you would like to purchase a license key, contact F5
Networks.
After you create a rate class, you can apply it to the virtual servers in the
configuration.
22 - 6
Mitigating Denial of Service and Other Attacks
when HTTP_REQUEST {
if {string tolower [HTTP::uri] contains "default.ida" } {
discard
} else {
pool RealServerPool
}
}
Figure 22.1 A sample iRule for filtering out a Code Red attack
when HTTP_REQUEST {
set uri [string tolower [HTTP::uri]]
if { ($uri contains "cmd.exe") or ($uri contains
"root.exe") or ($uri contains "admin.dll") } {
discard
} else {
pool ServerPool
}
}
WARNING
Take care any time you lower the idle session reaping time outs. It is
possible that valid connections will be reaped if the application cannot
respond in time.
SYN flood
A SYN flood is an attack against a system for the purpose of exhausting that
system’s resources. An attacker launching a SYN flood against a target
system attempts to occupy all available resources used to establish TCP
connections by sending multiple SYN segments containing incorrect IP
addresses. Note that the term SYN refers to a type of connection state that
occurs during establishment of a TCP/IP connection.
More specifically, a SYN flood is designed to fill up a SYN queue. A SYN
queue is a set of connections stored in the connection table in the
SYN-RECEIVED state, as part of the standard three-way TCP handshake. A
SYN queue can hold a specified maximum number of connections in the
SYN-RECEIVED state.
Connections in the SYN-RECEIVED state are considered to be half-open
and waiting for an acknowledgement from the client. When a SYN flood
causes the maximum number of allowed connections in the
SYN-RECEIVED state to be reached, the SYN queue is said to be full, thus
preventing the target system from establishing other legitimate connections.
A full SYN queue therefore results in partially-open TCP connections to IP
addresses that either do not exist or are unreachable. In these cases, the
connections must reach their timeout before the server can continue
fulfilling other requests.
22 - 8
Mitigating Denial of Service and Other Attacks
The SYN Check feature complements the existing adaptive reaper feature in
the BIG-IP system. While the adaptive reaper handles established
connection flooding, SYN Check prevents connection flooding altogether.
That is, while the adaptive reaper must work overtime to flush connections,
the SYN Check feature prevents the SYN queue from becoming full, thus
allowing the target system to continue to establish TCP connections.
You can configure the BIG-IP system to activate the SYN Check feature
when some threshold of connections has been reached on the system.
UDP flood
The UDP flood attack is most commonly a distributed denial-of-service
attack (DDoS), where multiple remote systems are sending a large flood of
UDP packets to the target.
The BIG-IP system handles these attacks similarly to the way it handles a
SYN flood. If the port is not listening, the BIG-IP system drops the packets.
If the port is listening, the reaper removes the false connections.
Setting the UDP idle session timeout to between 5 and 10 seconds reaps
these connections quickly without impacting users with slow connections.
However, with UDP this may still leave too many open connections, and
your situation may require a setting of between 2 and 5 seconds.
UDP fragment
The UDP fragment attack is based on forcing the system to reassemble
huge amounts of UDP data sent as fragmented packets. The goal of this
attack is to consume system resources to the point where the system fails.
The BIG-IP system does not reassemble these packets, it sends them on to
the server if they are for an open UDP service. If these packets are sent with
the initial packet opening the connection correctly, then the connection is
sent to the back-end server. If the initial packet is not the first packet of the
stream, the entire stream is dropped.
You do not need to make any changes to the BIG-IP system configuration
for this type of attack.
Ping of Death
The Ping of Death attack is an attack with ICMP echo packets that are
larger than 65535 bytes. Since this is the maximum allowed ICMP packet
size, this can crash systems that attempt to reassemble the packet.
The BIG-IP system is hardened against this type of attack. However, if the
attack is against a virtual server with the Any IP feature enabled, then these
packets are sent on to the server. It is important that you apply the latest
update patches to your servers.
You do not need to make any changes to the BIG-IP system configuration
for this type of attack.
Land attack
A Land attack is a SYN packet sent with the source address and port the
same as the destination address and port.
The BIG-IP system is hardened to resist this attack. The BIG-IP system
connection table matches existing connections so that a spoof of this sort is
not passed on to the servers. Connections to the BIG-IP system are checked
and dropped if spoofed in this manner.
You do not need to make any changes to the BIG-IP system configuration
for this type of attack.
22 - 10
Mitigating Denial of Service and Other Attacks
Teardrop
A Teardrop attack is carried out by a program that sends IP fragments to a
machine connected to the Internet or a network. The Teardrop attack
exploits an overlapping IP fragment problem present in some common
operating systems. The problem causes the TCP/IP fragmentation
re-assembly code to improperly handle overlapping IP fragments.
The BIG-IP system handles these attacks by correctly checking frame
alignment and discarding improperly aligned fragments.
You do not need to make any changes to the BIG-IP system configuration
for this type of attack.
Data attacks
The BIG-IP system can also offer protection from data attacks to the servers
behind the BIG-IP system. The BIG-IP system acts as a port-deny device,
preventing many common exploits by simply not passing the attack through
to the server.
For information about iRule examples for thwarting two common data
attacks, see Filtering out attacks with iRules, on page 22-7.
WinNuke
The WinNuke attack exploits the way certain common operating systems
handle data sent to the NetBIOS ports. NetBIOS ports are 135, 136, 137 and
138, using TCP or UDP. The BIG-IP system denies these ports by default.
On the BIG-IP system, do not open these ports unless you are sure your
servers have been patched against this attack.
Sub 7
The Sub 7 attack is a Trojan horse that is designed to run on certain common
operating systems. This Trojan horse allows the system to be controlled
remotely.
This Trojan horse listens on port 27374 by default. The BIG-IP system does
not allow connections to this port from the outside, so a compromised server
cannot be controlled remotely.
Do not open high ports (ports above 1024) without explicit knowledge of
what applications will be running on these ports.
Back Orifice
Back Orifice is a Trojan horse that is designed to run on certain common
operating systems. This Trojan horse allows the system to be controlled
remotely.
This Trojan horse listens on UDP port 31337 by default. The BIG-IP system
does not allow connections to this port from the outside, so a compromised
server cannot be controlled remotely. Do not open high ports (ports above
1024) without explicit knowledge of what will be running on these ports.
22 - 12
23
Configuring Administrative Domains
• Creating a partition
Creating a partition
When you first install the BIG-IP system, a default partition exists, known
as partition Common. Partition Common contains certain objects that the
system automatically creates during installation, such as the admin user
account, the default profiles, and the pre-configured health and performance
monitors.
Some types of BIG-IP system objects reside in partitions, while others do
not. In general, most local-traffic objects reside in partitions. Network
objects, such as self IP addresses, VLANs, interfaces, and so on, cannot
reside in partitions.
At a minimum, most BIG-IP system user accounts have Read access to
objects in partition Common, regardless of their user roles. User accounts
that have the Administrator and Resource Administrator roles assigned
to them not only can view the objects in Common, but also can create,
modify, and delete objects in that partition.
While managing partition Common is useful as a starting point for
controlling user access to BIG-IP system objects, creating other partitions
offers a much finer degree of access control for administrative users.
The first step in giving a user the authority to manage objects in a specific
partition is to create the partition. Once you have created the partition, you
choose the user that you want to manage the objects in the new partition.
Finally, you modify the properties of that user’s account, to assign both the
appropriate user role and the partition that you want to authorize the user to
manage. Once you have granted authority to the user to manage the
partition, the user can then manage those objects in certain ways, such as
creating HTTP virtual servers and profiles, within that partition.
Important
To create a partition, you must have the Administrator or Resource
Administrator user role assigned to your user account. For the admin
account, the BIG-IP system automatically assigns the Administrator role.
To create a partition
1. On the main tab of the navigation pane, expand System, and click
Users,
The Users screen opens.
2. On the menu bar, click Partitions List.
This displays the list of partitions that you are allowed to view.
3. On the upper-right corner of the screen, click Create.
4. In the Name box, type a unique name for the partition, such as
partition_App1.
23 - 2
Configuring Administrative Domains
You can configure user access to a partition either when you first create the
user account or when you modify the user account properties. The following
procedure shows how to configure partition access to an existing user
account.
Note
23 - 4
Configuring Administrative Domains
23 - 6
24
Configuring Remote Authentication and
Authorization for Administrative Traffic
By using all of the above features together, you can define user privileges on
a group-wise basis, and you can centrally manage all BIG-IP user accounts,
thus negating any need to create and manage user accounts separately on
each individual BIG-IP device on the network.
24 - 2
Configuring Remote Authentication and Authorization for Administrative Traffic
24 - 4
Configuring Remote Authentication and Authorization for Administrative Traffic
3. Click Change.
4. From the User Directory list, select Remote - TACACS+.
5. From the Configuration list, select Advanced.
Additional settings appear on the screen.
6. In the Servers box, type an IP address and click Add.
7. In the Secret box, type the TACACS+ secret.
8. In the Confirm Secret box, re-type the TACACS+ secret that you
specified in the Secret box.
9. From the Encryption list, retain the default value (Enabled) or
select Disabled. This setting is optional.
10. In the Service Name box, type the name of a service.
11. In the Protocol Name box, type the name of a protocol. This setting
is optional.
12. From the Authentication list, select either Authenticate to first
server or Authenticate to each server until success.
13. From the Accounting Information list, select either Send to first
available server or Send to all servers.
14. From the Debug Logging list, select either Disabled or Enabled.
15. Click Finished.
Note
You can use the Configuration utility to change the values that the BIG-IP
system uses as the default values when assigning privileges to remote user
accounts.
If you want to use non-default values for all of the user accounts represented
by Other External Users, you have two options:
◆ Use the remoterole command (recommended).
This allows you to assign privileges on a group basis. Using the
remoterole command gives you flexibility and granularity in controlling
access to BIG-IP system resources by remote user accounts. For more
information, see Understanding the remoterole command, on page 24-7.
◆ Use the Configuration utility to assign privileges on a per-user basis.
Using the Configuration utility, you can assign non-default privileges to
any individual user account that is stored remotely. If you do this, you
must first duplicate the user account on the BIG-IP system. For more
information, see the TMOSTM Management Guide for BIG-IP®
Systems.
Note
For detailed descriptions of the user roles that you can assign to accounts,
see the TMOSTM Management Guide for BIG-IP® Systems.
24 - 6
Configuring Remote Authentication and Authorization for Administrative Traffic
For example, suppose that your BIG-IP system user accounts are stored on
an LDAP remote authentication server and that those accounts are divided
between the groups BigIPOperatorsGroup and BigIPManagersGroup. In
this case, you can type the following remoterole command sequence to
define the privileges for those groups:
bigpipe remoterole role info BigIPOperatorsGroup { attribute
"memberOF=cn=BigIPOperatorsGroup,cn=users,dc=dev,dc=net" console disable line order 1
role operator user partition App_A } role info BigIPManagersGroup { attribute
"MemberOF=cn=BigIPManagersGroup,cn=users,dc=dev,dc=net" console enable line order 2
role manager user partition App_B }
Table 24.1 shows the resulting configuration, where each group has a set of
privileges assigned to it:
Note
Example
Suppose that you configure a remote RADIUS authentication server to
return a vendor-specific attribute and three variables, and their values.
• F5-LTM-User-Info-1 = DC1
• F5-LTM-User-Role = 400
Note: See Considerations for variable evaluation, on page 24-9 for more
information.
• F5-LTM-User-Partition = App_C
• F5-LTM-User-Console = 1
24 - 8
Configuring Remote Authentication and Authorization for Administrative Traffic
◆ No matching attributes
If the user is properly authenticated but there is no match on any of the
remoterole attributes, the system assigns the default privileges. For more
information on default privileges for remote user accounts, see
Configuring access control for BIG-IP system users, on page 24-6.
24 - 10
Configuring Remote Authentication and Authorization for Administrative Traffic
To create an SCF
1. Access the bigpipe shell.
2. Run the command export, and include a name for the SCF, for
example:
bp> export myConfiguration053107
24 - 12
25
Configuring Remote Authentication for
Application Traffic
Note
25 - 2
Configuring Remote Authentication for Application Traffic
Once you have performed these preliminary SSL tasks, you can enable
SSL-based remote server authentication. You do this as part of creating the
LDAP configuration object, which includes these Advanced settings:
• SSL CA Certificate
This represents the name of the certificate that normally resides on the
remote authentication server.
• SSL Client Key
This represents the name of the SSL key that the client sends to the
BIG-IP system. This key specification is only necessary when the remote
server requires a client certificate.
• SSL Client Certificate
This represents the name of the SSL certificate that the client sends to the
BIG-IP system. This certificate specification is only necessary when the
remote server requires a client certificate.
Important
When specifying key and certificate files while creating an LDAP
configuration object, be sure to specify the full path name of the storage
location on the BIG-IP system. For example, if the certificate is stored in the
directory /config/ssl/ssl.crt, type the value /config/ssl/ssl.crt.
After you create the custom LDAP configuration object, you create a
custom LDAP profile, and then assign the custom profile to an HTTP virtual
server.
7. In the Remote LDAP Tree box, type the file location (tree) of the
user authentication database on the LDAP or Active Directory
server.
At a minimum, you must specify a domain component (that is,
dc=<value>).
8. For the Hosts setting:
a) Type the IP address of the remote LDAP or Active Directory
server.
b) Click Add.
The IP address appears in the text window.
9. Retain or change the Service Port value.
10. Retain or change the LDAP Version value.
11. If you selected a basic configuration in step 6, click Finished. If you
selected an advanced configuration in step 6, configure the
remaining settings and then click Finished.
Note
25 - 4
Configuring Remote Authentication for Application Traffic
Note
The virtual server to which you assign the profiles and the iRule must be a
Standard type of virtual server.
25 - 6
Configuring Remote Authentication for Application Traffic
25 - 8
Configuring Remote Authentication for Application Traffic
Note
25 - 10
Configuring Remote Authentication for Application Traffic
Once you have created the TACACS+ configuration object, you must create
a custom TACACS+ profile and modify an HTTP virtual server.
25 - 12
Configuring Remote Authentication for Application Traffic
Note
The virtual server to which you assign an authentication profile and iRule
must be a Standard type of virtual server.
25 - 14
Configuring Remote Authentication for Application Traffic
Note
The virtual server to which you assign the profiles and the iRule must be a
Standard type of virtual server.
25 - 16
Configuring Remote Authentication for Application Traffic
25 - 18
Configuring Remote Authentication for Application Traffic
Note
25 - 20
Configuring Remote Authentication for Application Traffic
25 - 22
Configuring Remote Authentication for Application Traffic
Note
25 - 24
26
Configuring Kerberos Delegation
If the test is successful, the system displays a list of the root name servers.
26 - 2
Configuring Kerberos Delegation
For example, if you want to add the DNS name server IP addresses
192.168.10.20 and 192.168.10.22 to the BIG-IP system, type the
following command:
bigpipe dns nameservers 192.168.10.20 192.168.10.22 add
This command prompts you for a password. Typically, the value of the
admin_principal argument is administrator; however, you can use any
administrator name. The host argument specifies the FQDN of the virtual
server you configure for traffic. Run this command for each virtual server
you plan to configure.
Important
For additional information about these commands, see the domaintool man
page.
26 - 4
Configuring Kerberos Delegation
Important
The Kerberos delegation profile includes a set-cookie operation. To ensure
that an attacker cannot intercept this set-cookie header, always use the
Kerberos Delegation profile in conjunction with a Client SSL profile.
6. In the Client Principal Name box, type the client principal name.
The client principal name is the name of the virtual server on the
BIG-IP system. Use the following format, where <name> is the
admin_principal name that you previously added to the domain:
HTTP/<name>
7. In the Server Principal Name box, type the server principal name.
The server principal name is the name of the web server. Use the
following format, where <FQDN> is the fully-qualified domain
name of the web server in the pool:
HTTP/<FQDN>
8. Click Finished.
26 - 6
Configuring Kerberos Delegation
For the server principal, use the FQDN of the web server.
For each client principal, use the FQDN of the virtual server you plan to
create on the BIG-IP system.
Note
The Cookie Key value is an encryption key that encrypts cookie data. A
default value is supplied; however, you should change the default value so
that attackers who know this value cannot decrypt cookie data and
impersonate trusted users.
26 - 8
Configuring Kerberos Delegation
26 - 10
27
Configuring Multiple Authentication Servers
• Meeting prerequisites
Note
As an alternative to associating the pool with the virtual server, you can
associate the pool with each proxy or authentication source directly.
Meeting prerequisites
Before continuing, you must ensure that the following requirements are met:
• The RADIUS secret must be the same for all RADIUS servers.
• The address of the virtual server that you create to reference the RADIUS
pool cannot be a loopback address.
• The virtual server that references the RADIUS pool must be in the same
VLAN as the RADIUS servers.
For example, if the RADIUS server addresses are 10.1.1.10 and
10.1.1.11 and reside in the VLAN internal, then you must associate the
RADIUS pool with a virtual server that is routable to those addresses
(such as 10.1.1.99). This causes the source address of the RADIUS
traffic to be the self IP address of VLAN internal, rather than the virtual
server address.
Configuration
Object utility screen
27 - 2
Configuring Multiple Authentication Servers
monitor my_radius_monitor {
defaults from radius
password "jdoe"
secret "testing123"
username "jdoe"
}
radius server system_auth_name1 {
host "10.1.1.99"
service 1645
secret "testing123"
}
auth radius system-auth {
server system_auth_name1
}
pool radius_pool {
monitor all my_radius_monitor
member 10.1.1.10:1812
member 10.1.1.12:1645
}
virtual radius_virtual_server {
destination 10.1.1.99:1645
ip protocol udp
pool radius_pool
Once you have added entries to the bigip.conf file that are similar to those
in the above example, you can use the virtual server as a virtual remote
authentication server.
27 - 4
28
Implementing Paired Tunneling
The client-side system is the system closest to the client node that initiates a
request over the WAN for data that resides on a server node. The server-side
system is the system closest to the server node that services the request.
You can configure paired tunneling using either the Configuration utility or
the bigpipe utility.
WARNING
You should ensure that the data that a BIG-IP system sends through the
iSession tunnel is not already compressed or encrypted through some other
mechanism. Data targeted for the tunnel that has been already optimized
cannot be optimized any further and could produce adverse effects.
28 - 2
Implementing Paired Tunneling
For more information on these topics, see the TMOSTM Management Guide
for BIG-IP® Systems.
28 - 4
Implementing Paired Tunneling
d) Click Add.
This adds the specified IP address and service to the pool as a
pool member.
5. Click Finished.
28 - 6
Implementing Paired Tunneling
Note
As an option, you can use the RAM Cache feature. The result is that the
client-side BIG-IP system can process some client requests without needing
to connect to a backend server on the other side of the WAN.
28 - 8
Implementing Paired Tunneling
Note
For the server-side BIG-IP system, you do not need to create an endpoint
pool or a custom iSession profile.
28 - 10
Implementing Paired Tunneling
Enabled The same service port that is configured If the client-side service port is set to HTTP,
(the default setting) on the client-side virtual server. then the server-side virtual server listens on
port 80.
Disabled iSession port 3701. If the client-side service port is set to HTTP,
then the server-side virtual server listens on
port 3701.
Table 28.1 Effect of the client-side Port Transparency setting on server-side virtual server
28 - 12
29
Securing and Accelerating HTTP Traffic with
ASM and WA
29 - 2
Securing and Accelerating HTTP Traffic with ASM and WA
Important
When you enable application security for an HTTP class profile, the system
automatically creates a web application configuration and default security
policy for Application Security Manager.
Note
The following procedure outlines only the basic virtual server and pool
configuration. For detailed information about virtual servers, pools, and the
other local traffic components, see the Configuration Guide for BIG-IP®
Local Traffic Management.
29 - 4
Securing and Accelerating HTTP Traffic with ASM and WA
15. In the Resources area, from the Load Balancing Method list, select
a load balancing option.
16. Leave the Priority Group Activation setting at the default,
Disabled.
17. For the New Members setting, select New Address, and in the
Address and Service Port boxes, type the address and port for the
pool members. Alternately, you can select Node List, and select
nodes to add to the New Members list.
18. Click the Add button.
19. Click Finished.
The screen refreshes, and returns to the New Virtual Server screen,
where you see the new pool in the Default Pool list.
20. Click Finished again.
The system updates the configuration, and displays the Virtual
Server list screen, where you can see the virtual server that you
created.
29 - 6
Securing and Accelerating HTTP Traffic with ASM and WA
• Level 2 Delivery
This pre-defined acceleration policy is compliant with HTML version 3.0
and later. For this acceleration policy, the WebAccelerator system:
• Caches HTML pages and assigns a lifetime setting of 0, which
prompts the WebAccelerator system to provide fresh content by
making subsequent requests for that content, using a conditional GET.
• Uses the Intelligent Browser Referencing feature only for documents
and includes.
• Ignores any no-cache directives included in HTTP Cache-Control
request header, and uses the cache response directives that it receives
from the origin web server.
Tip
You can change the selected acceleration policy at any time after you create
the application profile.
Note
29 - 8
Securing and Accelerating HTTP Traffic with ASM and WA
Following are examples of valid requested host names that use wildcards.
◆ *.sales.siterequest.com maps to the following (all to the same
destination host):
• direct.sales.siterequest.com
• marketing.sales.siterequest.com
• marcom.marketing.sales.siterequest.com
◆ *.com maps all incoming requests that end in .com to one destination
host.
29 - 10
Securing and Accelerating HTTP Traffic with ASM and WA
You should see the page that you would have received if your
browser had accessed the origin web servers directly. If the browser
times out the request, it means that either the WebAccelerator
system is not running, or the firewall is blocking access to port 80
on the WebAccelerator system.
3. If you receive an Access denied by intermediary. Domain not
recognized. error, perform the following tasks:
• Verify that the hosts file is correct.
• Verify that the host map for the application profile is correct.
• Verify that you used a domain in the request that matches a
requested host in the host map, and that it maps to the destination
host.
4. After you confirm the host mapping, remove any entries that you
changed or added.
29 - 12
Securing and Accelerating HTTP Traffic with ASM and WA
29 - 14
30
Securing and Accelerating HTTP Traffic with
PSM and WA
30 - 2
Securing and Accelerating HTTP Traffic with PSM and WA
30 - 4
Securing and Accelerating HTTP Traffic with PSM and WA
Note
For more information about HTTP service profiles in general, see the
Configuration Guide for BIG-IP® Local Traffic Management.
Note
The following procedure outlines only the basic virtual server configuration.
For detailed information on virtual servers, including SSL virtual servers,
and other local traffic components, see the Configuration Guide for
BIG-IP® Local Traffic Management.
9. In the Resources area, for the HTTP Class Profiles setting, from
the Available list, select the HTTP class profile that you created,
and click the Move button (<<) to add the class to the Enabled list.
10. Next to the Default Pool list, click the Add (+) button.
The New Pool screen opens.
11. In the Name box, type a name for the pool.
12. For Health Monitors, from the Available list, select a health
monitor or monitors and click the Move button (<<) to add the
monitor to the Active list.
13. In the Resources area, from the Load Balancing Method list, select
a load balancing option.
14. Leave the Priority Group Activation setting at the default,
Disabled.
15. For the New Members setting, select New Address, and in the
Address and Service Port boxes, type the address and port for the
pool members. Alternately, you can select Node List, and select
nodes to add to the New Members list.
16. Click the Add button.
17. Click Finished.
The screen refreshes and opens the New Virtual Server screen,
where you see the new pool in the Default Pool list.
18. Click Finished again.
The system updates the configuration, displays the Virtual Server
list screen, where you can see the virtual server that you created.
30 - 6
Securing and Accelerating HTTP Traffic with PSM and WA
• Level 2 Delivery
This pre-defined acceleration policy is compliant with HTML version 3.0
and later. For this acceleration policy, the WebAccelerator system:
• Caches HTML pages and assigns a lifetime setting of 0, which
prompts the WebAccelerator system to provide fresh content by
making subsequent requests for that content, using a conditional GET.
• Uses the Intelligent Browser Referencing feature only for documents
and includes.
• Ignores any no-cache directives included in HTTP Cache-Control
request header, and uses the cache response directives that it receives
from the origin web server.
Tip
You can change the selected acceleration policy at any time after you create
the application profile.
Note
30 - 8
Securing and Accelerating HTTP Traffic with PSM and WA
Following are examples of valid requested host names that use wildcards.
◆ *.sales.siterequest.com maps to the following (all to the same
destination host):
• direct.sales.siterequest.com
• marketing.sales.siterequest.com
• marcom.marketing.sales.siterequest.com
◆ *.com maps all incoming requests that end in .com to one destination
host.
30 - 10
Securing and Accelerating HTTP Traffic with PSM and WA
Important
The following task assumes that you have already set up a remote logging
configuration for security profile log files. For more information on remote
logging and Protocol Security Module, refer to the Configuration Guide for
BIG-IP® Protocol Security Module.
30 - 12
Securing and Accelerating HTTP Traffic with PSM and WA
30 - 14
Glossary
Glossary
active unit
In a redundant system, the active unit is the system that currently load
balances connections. If the active unit in the redundant system fails, the
standby unit assumes control and begins to load balance connections. See
also redundant system.
authentication
Authentication is the process of verifying a user’s identity when the user is
attempting to log on to a system.
authentication iRule
An authentication iRule is a system-supplied or user-created iRule that is
necessary for implementing a PAM authentication module on the BIG-IP
system. See also iRule, PAM (Pluggable Authentication Module).
authentication module
An authentication module is a PAM module that you create to perform
authentication or authorization of client traffic. See also PAM (Pluggable
Authentication Module).
authentication profile
An authentication profile is a configuration tool that you use to implement a
PAM authentication module. Types of authentication modules that you can
implement with an authentication profile are: LDAP, RADIUS, TACACS+,
SSL Client Certificate LDAP, and OCSP. See also PAM (Pluggable
Authentication Module).
authorization
Authorization is the process of identifying the level of access that a
logged-on user has been granted to system resources.
certificate
A certificate is an online credential signed by a trusted certificate authority
and used for SSL network traffic as a method of authentication.
chain
A chain is a series of filtering criteria used to restrict access to an IP address.
The order of the criteria in the chain determines how the filter is applied,
from the general criteria first, to the more detailed criteria at the end of the
chain.
configuration object
A configuration object is a user-created object that the BIG-IP system uses
to implement a PAM authentication module. There is one type of
configuration object for each type of authentication module that you create.
See also PAM (Pluggable Authentication Module).
Configuration utility
The Configuration utility is the browser-based application that you use to
configure the BIG-IP system.
connection persistence
Connection persistence is an optimizing technique whereby a network
connection is intentionally kept open for the purpose of reducing
handshaking.
cookie persistence
Cookie persistence is a mode of persistence where the BIG-IP system stores
persistent connection information in a cookie.
Glossary - 2
Glossary
custom profile
A custom profile is a profile that you create. A custom profile can inherit its
default settings from a parent profile that you specify. See also parent
profile and profile.
default profile
A default profile is a profile that the BIG-IP system supplies with default
setting values. You can use a default profile as is, or you can modify it. You
can also specify it as a parent profile when you create a custom profile. You
cannot create or delete a default profile. See also profile, custom profile.
default route
A default route is the route that the system uses when no other route
specified in the routing table matches the destination address or network of
the packet to be routed.
default VLAN
The BIG-IP system is configured with two default VLANs, one for each
interface. One default VLAN is named internal and one is named external.
See also VLAN (Virtual Local Area Network).
domain name
A domain name is a unique name that is associated with one or more IP
addresses. Domain names are used in URLs to identify particular Web
pages. For example, in the URL http://www.siterequest.com/index.html,
the domain name is siterequest.com.
external VLAN
The external VLAN is a default VLAN on the BIG-IP system. In a basic
configuration, this VLAN has the administration ports locked down. In a
normal configuration, this is typically a VLAN on which external clients
request connections to internal servers.
failover
Failover is the process whereby a standby unit in a redundant system takes
over when a software failure or a hardware failure is detected on the active
unit.
gateway pool
A gateway pool is a pool of routers that you can create to forward traffic.
After creating a gateway pool, you can specify the pool as a gateway, within
a TMM routing table entry.
health monitor
A health monitor checks a node to see if it is up and functioning for a given
service. If the node fails the check, it is marked down. Different monitors
exist for checking different services.
interface
The physical port on a BIG-IP system is called an interface.
internal VLAN
The internal VLAN is a default VLAN on the BIG-IP system. In a basic
configuration, this VLAN has the administration ports open. In a normal
configuration, this is a network interface that handles connections from
internal servers.
iRule
An iRule is a user-written script that controls the behavior of a connection
passing through the BIG-IP system. iRules™ are an F5 Networks feature
and are frequently used to direct certain connections to a non-default load
balancing pool. However, iRules can perform other tasks, such as
implementing secure network address translation and enabling session
persistence.
Glossary - 4
Glossary
Kerberos protocol
The Kerberos protocol is a network authentication protocol that allows
individuals communicating over a non-secure network to prove their
identity to one another in a secure manner. Kerberos is aimed primarily at a
client-server model, providing mutual authentication; both the user and the
server verify each other's identity.
link aggregation
Link aggregation is the process of combining multiple links in order to
function as though it were a single link with higher bandwidth. Link
aggregation occurs when you create a trunk. See also trunk and LACP (Link
Aggregation Control Protocol).
management interface
The management interface is a special port on the BIG-IP system, used for
managing administrative traffic. Named MGMT, the management interface
does not forward user application traffic, such as traffic slated for load
balancing.
monitor
The BIG-IP system uses monitors to determine whether nodes are up or
down. There are several different types of monitors and they use various
methods to determine the status of a server or service. You can associate
monitors with nodes, pools, and individual pool members. See also node,
pool, and pool member.
monitor instance
You create a monitor instance when a health monitor is associated with a
pool member or node. It is the monitor instance that actually performs the
health check, not the monitor.
node
A node is a logical object on the BIG-IP system that identifies the IP address
of a physical resource on the network. Nodes are directly associated with
pool members and monitors. See also pool member and monitor.
Glossary - 6
Glossary
OCSP responder
An OCSP responder is an external server used for communicating SSL
certificate revocation status to an authentication server such as the BIG-IP
system.
parent profile
A parent profile is a profile that can propagate its values to another profile.
A parent profile can be either a default profile or a custom profile. See also
profile.
partition
A partition is a logical container that you create, containing a defined set of
BIG-IP system objects. You use partitions to control user access to the
BIG-IP system. See also user role.
performance monitor
A performance monitor gathers statistics and checks the state of a target
device.
persistence profile
A persistence profile is a configuration tool for implementing a specific type
of session persistence. An example of a persistence profile type is a cookie
persistence profile.
pool
A pool is a logical group of pool members. The BIG-IP system load
balances requests to the pool members within a pool, based on the load
balancing method and persistence method you choose when you configure
the pool. See also node and pool member.
pool member
A pool member is one of the members of a load balancing pool. A pool
member name indicates a node IP address and a service number. See also
node.
port
A port can be represented by a number that is associated with a specific
service supported by a host. Refer to the Services and Port Index for a list of
port numbers and corresponding services.
pre-configured monitor
A pre-configured monitor is a system-supplied health or performance
monitor. You can use a pre-configured monitor as is, but you cannot modify
or delete one. See also monitor.
profile
A profile is a configuration tool containing settings for defining the behavior
of network traffic. The BIG-IP system contains profiles for managing
FastL4, HTTP, TCP, FTP, SSL traffic, as well as for implementing
persistence and application authentication.
profile setting
A profile setting is a configuration attribute within a profile that has a value
associated with it. You can configure a profile setting to customize the way
that the BIG-IP system manages a type of traffic.
profile type
A profile type is a category of profile that you use for a specific purpose. An
example of a profile type is an HTTP profile, which you configure to
manage HTTP network traffic.
Glossary - 8
Glossary
protocol profile
A protocol profile is a profile that you create for controlling the behavior of
FastL4, TCP, UDP traffic.
RAM cache
A RAM cache is a cache of HTTP objects stored in the BIG-IP system’s
RAM that subsequent connections reuse to reduce the amount of load on the
back-end servers.
rate class
You create a rate filter from the Configuration utility or command line
utility. When you assign a rate class to a rate filter, a rate class determines
the volume of traffic allowed through a rate filter. See also rate shaping.
rate shaping
Rate shaping is a type of extended IP filter. Rate shaping uses the same IP
filter method but applies a rate class, which determines the volume of
network traffic allowed. See also rate class.
redundant system
Redundant system refers to a pair of units that are configured for fail-over.
In a redundant system, there are two units, one running as the active unit and
one running as the standby unit. If the active unit fails, the standby unit takes
over and manages connection requests.
responder object
See OCSP responder object.
router
A router is a Layer 3 networking device. If no VLANs are defined on the
network, a router defines a broadcast domain.
self IP address
Self IP addresses are the IP addresses owned by the BIG-IP system that you
use to access the internal and external VLANs.
service
Service refers to services such as TCP, UDP, HTTP, and FTP.
session persistence
A series of related connections received from the same client, having the
same session ID. When persistence is enabled, a BIG-IP system sends all
connections having the same session ID to the same node, instead of load
balancing the connections. Session persistence is not to be confused with
connection persistence.
Setup utility
The Setup utility guides you through the initial system configuration
process. You can run the Setup utility from the Configuration utility start
page.
simple persistence
See source address affinity persistence.
spanning tree
A spanning tree is a logical tree structure of Layer 2 devices on a network,
created by a spanning tree protocol algorithm and used for resolving
network loops.
SSH
SSH is a protocol for secure remote login and other secure network services
over a non-secure network.
Glossary - 10
Glossary
SSL profile
An SSL profile is a configuration tool that you use to terminate and initiate
SSL connections from clients and servers.
standby unit
A standby unit in a redundant system is a unit that is always prepared to
become the active unit if the active unit fails.
TACACS+
TACACS+ is an authentication mechanism designed as a replacement for
the older TACACS protocol. There is little similarity between the two
protocols, however, and they are therefore not compatible.
tagged interface
A tagged interface is an interface that you assign to a VLAN in a way that
causes the system to add a VLAN tag into the header of any frame passing
through that interface. Tagged interfaces are used when you want to assign a
single interface to multiple VLANs. See also VLAN (virtual local area
network).
transparent node
A transparent node appears as a router to other network devices, including
the BIG-IP system.
trunk
A trunk is a combination of two or more interfaces and cables configured as
one link.
tunnel
A tunnel is a network configuration in which two local traffic management
systems can pass optimized traffic over a wide-area network.
user role
A user role is a type and level of access that you assign to a BIG-IP system
user account. By assigning user roles, you can control the extent to which
BIG-IP system administrators can view or modify the BIG-IP system
configuration.
virtual address
A virtual address is an IP address associated with one or more virtual servers
managed by the BIG-IP system. See also virtual server.
virtual port
A virtual port is the port number or service name associated with one or
more virtual servers managed by the BIG-IP system. A virtual port number
should be the same TCP or UDP port number to which client programs
expect to connect.
virtual server
Virtual servers are a specific combination of virtual address and virtual port,
associated with a content site that is managed by a BIG-IP system or other
type of host server.
VLAN group
A VLAN group is two or more VLANs that you put together into a VLAN
group. A primary use of a VLAN group is to successfully route traffic when
both the source and the destination hosts reside on the same network.
VLAN name
A VLAN name is the symbolic name used to identify a VLAN. For
example, you might configure a VLAN named marketing, or a VLAN
named development. See also VLAN (virtual local area network).
VLAN tag
An IEEE standard, a VLAN tag is an identification number inserted into the
header of a frame that indicates the VLAN to which the destination device
belongs. VLAN tags are used when a single interface forwards traffic for
multiple VLANs.
Glossary - 12
Glossary
Glossary - 14
Index
Index
Administrator role
/config/bigip.conf file 27-3 and object management 23-4
/etc/radvd.conf file 20-1 Administrator role access 23-2
aggregation, of links 17-1
application profile verification 30-10
A application profiles
acceleration and host maps 29-8, 30-8
and application to traffic 29-3 assigning to security policies 29-12
enabling 29-4 configuring 29-9, 30-9
acceleration policies creating 30-1
and Level 1 Delivery 29-7, 30-7 defined 29-7, 30-7
and Level 2 Delivery 29-7, 30-7 for WebAccelerator 29-7
and signed acceleration policies 29-8, 30-8 application security
and Symmetric Deployment 29-8, 30-7 enabling 29-4
and user-defined acceleration policies 29-8, 30-8 Application Security Manager
customizing 29-8 and HTTP class profiles 29-3
for WebAccelerator 30-10 applications
access and acceleration policies 29-7
for client hosts 29-10 ARP protocol 2-5
to partitions 23-5 authentication
access control for remote user accounts 24-1
configuring 24-7 authentication attributes 24-9, 24-10
tailoring 23-1 authentication module types 25-7
access control combinations 24-8 authentication server types 24-2
access control groups authentication servers
See partitions. as pool members 27-1
access control process authorization data
See authorization steps. propagating 24-1
access levels authorization failure 24-9
for partition Common 23-2 authorization levels
See also user access. determining 23-3
access-control properties authorization properties
configuring 24-6 configuring 24-6
Access-Request packets 25-8 authorization steps 23-2
ACK packets 2-2, 2-6
Active Directory remote authentication 24-2
adaptive connection reaping 22-2, 22-3 B
adaptive method 28-2 Back Orifice attacks 22-12
adaptive reaper 22-9 BIG-IP system
additional information adding to network 4-1
for Bigpipe Utility Reference Guide 1-2 configuring for same network 4-3
for Configuration Guide for BIG-IP Local Traffic to replace switches 4-2
Management 1-2 BIG-IP system bypass 2-1
for Configuration Worksheet 1-2 BIG-IP system objects 23-1
for Installation, Licensing, and Upgrades for BIG-IP bigpipe -? command 24-8
Systems 1-2 bigpipe shell
for Platform Guide 1-2 and user roles 23-2
for TMOS Management Guide for BIG-IP Systems broadcast addresses 2-4
1-2 built-in switching
address translation 2-1, 2-2, 7-5 for multiple customer hosting 5-5
admin account 23-2
administrative domains
defined 23-1
administrative partitions
and tunneling 28-3
C content compression
cache directives 29-7 and RAM Cache 13-1
cache servers 6-1 content requests 29-7
certificate installation 12-1 cookie encryption and decryption 26-6
Certificate Revocation List Distribution Point protocol cookie persistence 9-1
See CRLDP authentication module. cookie persistence profiles 9-2
client authentication cookies 22-8
and Kerberos delegation 26-10 corporate intranet 6-1
client credentials 25-7 credential fetching 26-10
client hosts credential passing 26-10
and application access 30-10 credential verification 26-10
client principal names 26-6 CRLDP authentication module
client requests defined 25-20
and BIG-IP system 2-6 CRLDP configuration objects
decrypting 11-6 defined 25-21
Client SSL profiles CRLDP profile type
and Kerberos delegation 26-5 defined 25-22
assigning 11-6, 12-7 CRLDP responder objects
creating 11-3, 12-3 defined 25-20
defined 11-1, 12-1 CRLDP server objects
for tunneling 28-9 defined 25-20
clock synchronization 29-6 cross-domain authentication 26-3
command line interface cross-realm authentication
See bigpipe shell. setting 26-1
common configuration 6-1 custom HTTP profiles
compression described 9-1
and iRules 10-1 using 8-1
and RAM Cache 13-1 custom monitors 19-1
configuring 12-4 custom persistence profiles
for dynamically-generated data 28-2 described 9-1
over a WAN 28-1 using 8-1
turning off 28-2 custom RADIUS profiles
compression methods assigning 25-9
defined 28-2 customers
compression statistics hosting for 5-1
for tunneling 28-12
compression tasks 10-1 D
configuration data
data attacks 22-11
importing and exporting 24-11
data center topology 4-1
configuration examples, Internet 3-1
data compression
Configuration utility
and RAM Cache 13-1
and online help 1-5
over a WAN 28-1
and Welcome screen 1-5
data compression statistics
Configuration Worksheet 1-2
for tunneling 28-12
connection flooding 22-9
data encryption
connection request types 6-1
and tunneling 28-1
connection timeout 2-6, 22-8
data optimization
connections
through tunneling 28-1
adding 7-1
data propagation 24-7, 24-11
authenticating 25-7
data types
reaping 22-2
and tunneling 28-2
See also Internet connections.
data verification
content
and WebAccelerator 29-10, 30-10
demand for 13-1
static 13-1
Index - 2
Index
Index - 4
Index
Index - 6
Index
Index - 8
Index
V W
variable substitution web application content
for access control 24-8 hosting 29-4, 30-5
vendor-specific attributes 24-7, 24-8 web applications
virtual authentication servers and hosted content 29-4, 30-5
and VLANs 27-2 web server arrays 3-1
defined 27-1 web server pools
virtual server creating 4-5
defining 30-5 web servers
virtual server addresses 2-2 and Kerberos authentication 26-1
virtual server modification 25-10 and server principal names 26-6
virtual servers WebAccelerator
and FQDNs 26-3 and HTTP class profiles 29-3
and HTTP class profiles 29-4 WebAccelerator application profiles
and Kerberos delegation 26-9 and protocol security 30-12
WebAccelerator system
and application profiles 30-1
and NTP protocol 30-2
and security profiles 30-1
running with Protocol Security Manager 30-3
Welcome screen 1-5
wide area networks
optimizing traffic for 28-1
wildcard virtual servers
defined 6-2
WIndows Integrated Authentication 26-1
WinNuke attacks 22-11
Index - 10