Archived Manual Chapter: BIG-IP Administrator guide v3.3: Configuring an SSL Accelerator

This article has been archived, and is no longer maintained.



4 Configuring an SSL Accelerator



Introducing the SSL Accelerator

The SSL Accelerator feature allows the BIG-IP Controller to accept HTTPS connections (HTTP over SSL), connect to a web server, retrieve the page, and then send the page to the client.

A key component of the SSL Accelerator feature is that the BIG-IP Controller can retrieve the web page using an unencrypted HTTP request to the content server. With the SSL Accelerator feature, you can configure an SSL gateway on the BIG-IP Controller that decrypts HTTP requests that are encrypted with SSL. Decrypting the request offloads SSL processing from the servers to the BIG-IP Controller. This also allows the BIG-IP Controller to use the header of the HTTP request to intelligently control how the request is handled.

When the SSL gateway on the BIG-IP Controller connects to the content server, it uses the original client's IP address and port as its source address and port, so that it appears to be the client (for logging purposes).

This chapter describes the following features of the BIG-IP Controller SSL Accelerator:

  • Hardware accelerator options
  • Configuring an SSL Accelerator
  • Enabling and disabling an SSL Accelerator
  • Viewing the configuration of an SSL Accelerator
  • Optional SSL Accelerator configuration
  • Using an SSL Accelerator cell configuration
  • Introducing the SSL Accelerator half sandwich

Figure 4.1 An incoming SSL connection received by an SSL Accelerator configured on a redundant BIG-IP Controller system

Hardware acceleration options

Because the SSL Accelerator feature is computationally intensive, you should only use this feature on a BIG-IP Controller with an encryption accelerator installed.

The BIG-IP Controller detects the accelerator card at boot up and starts the server for the card.

Note: Hardware acceleration greatly increases the number of SSL transactions the BIG-IP Controller can handle.

Configuring the SSL Accelerator

There are several steps required to set up the SSL Accelerator on the BIG-IP Controller. These steps include:

  • Generating a key and obtaining a certificate
  • Configuring the BIG-IP Controller with the certificate and key
  • Creating an HTTP virtual server
  • Creating the gateway for the SSL Accelerator

    An additional configuration option you can use with the SSL Accelerator is a last hop pool. You can use this option if the SSL Accelerator accepts connections from multiple firewalls or routers. For additional information about this option, see Optional SSL Accelerator configuration on page 4-18.

Generating a key and obtaining a certificate

In order to use the SSL Accelerator feature you must obtain a valid x509 certificate from an authorized certification authority (CA). The following list contains some companies that are certification authorities:

  • Verisign (http://www.verisign.com)
  • Digital Signature Trust Company (http://secure.digsigtrust.com)
  • GlobalSign (http://www.globalsign.com)
  • GTE Cybertrust (http://www.cybertrust.gte.com)
  • Entrust (http://www.entrust.net)

    You can generate a key, a temporary certificate, and a certificate request form with the Configuration utility or from the command line.

    We recommend using the Configuration utility for this process. The certification process is generally handled through a web page. Parts of the process require you to cut and paste information from a browser window in the Configuration utility to another browser window on the web site of the CA.

Additional information about keys and certificates

You must have a separate certificate for each domain name on each redundant pair of BIG-IP Controllers, regardless of how many non-SSL web servers are load balanced by the BIG-IP Controller.

If you are already running an SSL server you can use your existing keys to generate temporary certificates and request files. However, you must obtain new certificates if the ones you have are not for the following web server types:

  • Apache + OpenSSL
  • Stronghold

Generating a key and obtaining a certificate in the Configuration utility

To obtain a valid certificate, you must have a private key. If you do not have a key, you can use the Configuration utility on the BIG-IP Controller to generate a key and a temporary certificate. You can also use the Configuration utility to create a request file you can submit to a certification authority (CA). You must complete three tasks in the Configuration utility to create a key and generate a certificate request.

  • Generate a certificate request
  • Submit the certificate request to a CA and generate a temporary certificate
  • Install the SSL certificate from the CA

    Each of these tasks is described in detail in the following section.

Creating a new certificate request in the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. On the toolbar, click Create SSL Certificate Request.
    The New SSL Certificate Request screen opens.
  3. In the Key Information section, select a key length and key file name.

    a) Key Length
    Select the key length you want to use for the key. You can choose either 512 or 1024 bytes.

    b) Keyfile Name
    Type in the name of the key file. This should be the fully qualified domain name of the server for which you want to request a certificate. You must add the .key file extension to the name.

  4. In the Certificate Information section, type the information specific to your company. This information includes:

    · Country
    Type the two letter ISO code for your country, or select it from the list. For example, the two-letter code for the United States is US.

    · State or Province
    Type the full name of your state or province, or select it from the list. You must enter a state or province.

    · Locality
    Type the city or town name.

    · Organization
    Type the name of your organization.

    · Organizational Unit
    Type the division name or organizational unit.

    · Domain Name
    Type the name of the domain upon which the server is installed.

    · Email Address
    Type the email address of a person who can be contacted about this certificate.

    · Challenge Password
    Type the password you want to use as the challenge password for this certificate. The CA uses the challenge password to verify any changes you make to the certificate at a later date.

    · Retype Password
    Retype the password you entered for the challenge password.

  5. Click the Generate Certificate Request button.
    After a short pause, the SSL Certificate Request screen opens.
  6. In the SSL Certificate Request screen, you can start the process of obtaining a certificate from a CA and you can generate and install a temporary certificate:

    · Begin the process for obtaining a certificate from CA
    Click on the URL of a CA to begin the process of obtaining a certificate for the server. After you select a CA, follow the directions on their web site to submit the certificate request. After your certificate request is approved, and you receive a certificate back from the CA, see Installing certificates from the CA in the Configuration utility on page 4-10, for information about installing it on the BIG-IP Controller.

    · Generate and install a temporary certificate
    Click the Generate Self-Signed Certificate button to create a self-signed certificate for the server. We recommend that you use the temporary certificate for testing only. You should only take your site live after you receive a properly-signed certificate from a certification authority. When you click this button, a temporary certificate is created and installed on the BIG-IP Controller. This certificate is valid for 30 days. This temporary certificate allows you to set up an SSL gateway for the SSL Accelerator while you wait for a CA to return a permanent certificate.

Generating a key and obtaining a certificate from the command line

To obtain a valid certificate, you must have a private key. If you do not have a key, you can use the genconf and genkey utilities on the BIG-IP Controller to generate a key and a temporary certificate. The genkey and gencert utilities automatically generate a request file you can submit to a certification authority (CA). If you have a key, you can use the gencert utility to generate a temporary certificate and request file. These utilities are described in the following list:

  • genconf
    This utility creates a key configuration file that contains specific information about your organization. The genkey utility uses this information to generate a certificate.
  • genkey
    After you run the genconf utility, run this utility to generate a temporary 30 day certificate for testing the SSL Accelerator on the BIG-IP Controller. This utility also creates a request file that you can submit to a certification authority (CA) to obtain a certificate.
  • gencert
    If you already have a key, run this utility to generate a temporary certificate and request file for the SSL Accelerator.

To generate a key configuration file using the genconf utility

If you do not have a key, you can generate a key and certificate with the genconf and genkey utilities. First, run the genconf utility from the root (/) with the following commands:

cd /

/var/asr/gateway/bin/genconf

The utility prompts you for information about the organization for which you are requesting certification. This information includes:

  • The fully qualified domain name (FQDN) of the server
  • The two-letter ISO code for your country
  • The full name of your state or province
  • The city or town name
  • The name of your organization
  • The division name or organizational unit

    For example, Figure 4.2 contains entries for the server my.server.net:

    Figure 4.2 Example entries for the genconf utility

    Common Name (full qualified domain name): my.server.net
    Country Name (ISO 2 letter code): US
    State or Province Name (full name): WASHINGTON
    Locality Name (city, town, etc.): SEATTLE
    Organization Name (company): MY COMPANY
    Organizational Unit Name (division): WEB UNIT

    After you run the genconf utility, you can run the genkey utility to create a temporary certificate and a request file.

To generate a key using the genkey utility

After you run the genconf utility, you can generate a key with the genkey utility. Type the following command from the root (/) to run the genkey utility:

cd /

/var/asr/gateway/bin/genkey <server_name>

For the <server_name>, type the FQDN of the server to which the certificate applies. After the utility starts, it prompts you to verify the information created by the genconf utility. After you run this utility, a certification request form is created in the following directory:

/var/asr/gateway/requests/<fqdn>.req

The <fqdn> is the fully qualified domain name of the server. Please contact your CA and follow their instructions for submitting this request form.

In addition to creating a request form you can submit to a certification authority, this utility also generates a temporary certificate. The temporary certificate is located in:

/var/asr/gateway/certs/<fqdn>.cert

The <fqdn> is the fully qualified domain name of the server.

Note that you must copy the key and certificate to the other controller in a redundant system.

This temporary certificate is good for thirty days, after which time you should have a valid certificate from your CA. If you do not have a certificate within 30 days, you can re-run this program.

Warning: Be sure to keep your previous key if you are still undergoing certification. The certificate you receive is valid only with the key that originally generated the request.

To generate a certificate with an existing key with the gencert utility

To generate a temporary certificate and request file to submit to the certification authority with the gencert utility, you must first copy an existing key for a server into the following directory on the BIG-IP Controller:

/var/asr/gateway/private/

After you copy the key into this directory, type the following command at the command line:

cd /

/var/asr/gateway/bin/gencert <server_name>

For the <server_name>, type the FQDN of the server to which the certificate applies. After the utility starts, it prompts you for various information. After you run this utility, a certification request form is created in the following directory:

/var/asr/gateway/requests/<fqdn>.req

The <fqdn> is the fully qualified domain name of the server. Please contact your certification authority (CA) and follow their instructions for submitting this request form.

Installing certificates from the certification authority (CA)

After you obtain a valid x509 certificate from a certification authority (CA) for the SSL Accelerator, you must copy it onto each BIG-IP Controller in the redundant configuration. You can configure the accelerator with certificates from the Configuration utility or from the command line.

Installing certificates from the CA in the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. On the toolbar, click Install SSL Certificate.
    The Install SSL Certificate screen opens.
  3. In the Certfile Name box, type the fully qualified domain name of the server with the file extension .cert. Note that if you generated a temporary certificate when you submitted a request to the CA, select the name of the certificate from the drop down list. This allows you to overwrite the temporary certificate with the certificate from the CA.
  4. Paste the text of the certificate into the Install SSL Certificate window. Make sure you include the Begin Certificate line and the End Certificate line. For an example of a certificate, see Figure 4.3.
  5. Click the Write Certificate File button.

Figure 4.3 An example of a certificate

-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

After the certificate is installed, you can continue with the next step to creating an SSL gateway for the server.

Installing certificates from the CA on the command line

Copy the certificate into the following directory on each BIG-IP Controller in a redundant system:

/var/asr/gateway/certs/

Note: The certificate you receive from the certification authority (CA) should overwrite the temporary certificate generated by genkey or gencert.

If you used the genkey or gencert utilities to generate the request file, a copy of the corresponding key should already be in the following directory on the BIG-IP Controller:

/var/asr/gateway/private/

Warning: The keys and certificates must be in place on both controllers in a redundant system before you configure the SSL Accelerator. You must do this manually; the configuration synchronization utilities do not perform this function.

Create an HTTP virtual server

After you configure the BIG-IP Controller with the certificates and keys, the next step is to create a virtual server that references a pool containing the HTTP servers for which the SSL Accelerator handles connections. Before you create the HTTP virtual server, you must have a pool (or a rule) that references your HTTP servers. The example in this section describes how to create a virtual server that references a pool containing the HTTP servers. For more information about creating a pool, see Defining a pool for the servers on page 5-8.

Creating an HTTP virtual server in the Configuration utility

  1. In the navigation pane, click Virtual Servers.
    The Virtual Servers screen opens.
  2. On the tool bar, click Add Virtual Server.
    The Add Virtual Server screen opens.
  3. Add the attributes you want for the virtual server such as Address, Port, Unit ID (active-active only), and Interface.
  4. In the Resources section, click Pool.
  5. In the Pool list, select the pool of HTTP servers you want to use with the virtual server.
  6. Click Apply.

Creating an HTTP virtual server from the command line

Note that before you create the HTTP virtual server, you must configure a pool that contains your HTTP servers. For more information about creating pools, see Defining a pool for the servers, on page 5-8. After you have defined a pool that contains the HTTP servers, use the following syntax to create a virtual server that references the pool:

bigpipe vip <virt ip>:<port> use pool <pool_name>

For example, if you want to create a virtual server 20.1.1.1:80, that references a pool of HTTP servers named http_pool, you would type the following command:

bigpipe vip 20.1.1.1:80 use pool http_pool

After you create the virtual server that references the pool of HTTP servers, you can create an SSL gateway. The following section describes how to create an SSL gateway.

Create an SSL gateway

After you create the HTTP virtual server for which the SSL Accelerator handles connections, the next step is to create an SSL gateway.

Creating an SSL gateway in the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. On the toolbar, click Add Proxy.
    The Add Proxy screen opens.
  3. In the Proxy Address box, type the IP address for the SSL gateway.
  4. In the Proxy Netmask box, type the netmask you want to use for the SSL gateway. If you leave this setting blank, the BIG-IP Controller creates a default based on the network class of the IP address on the external (destination processing) interface. Type a user-defined netmask only if necessary.
  5. In the Proxy Broadcast box, type the broadcast address you want to use for this SSL gateway. The BIG-IP Controller automatically generates a broadcast address if you do not type one. Type a user-defined broadcast address only if necessary.
  6. In the Proxy Port box, type the port number that the proxy server uses, or select a service from the list box. Note that if you select a service, the Configuration utility uses the default port number associated with that service.
  7. In the Unit ID list, select the unit number you want to assign this SSL gateway. Connections served by this SSL gateway are managed by the controller assigned to this unit ID. This only applies if this controller is running in active-active mode.
  8. For Interface, select the destination processing interface on which you want to create the SSL gateway. Select default to allow the Configuration utility to select the interface based on the network address of the SSL gateway. If you choose None, the BIG-IP Controller does not create an alias and generates no ARPs for the virtual IP address.
  9. In the Destination Address box, type the IP address or host name of the node or virtual server to which the SSL gateway maps. This should be the virtual server you created that references the pool of HTTP servers on your network that will respond to requests handled by the SSL gateway.
  10. In the Destination Port box, type a port name or number, such as port 80 or http, or select the service name from the drop-down list.
  11. In the Destination Target list, select the type of target to which the proxy sends connections:

    · External Node
    Select External Node if the SSL gateway handles connections for an IP address of a server that resides on the network instead of a virtual server.

    · Local Virtual Server
    Select Local Virtual Server if the SSL accelerator gateway handles connections for a virtual server located on the BIG-IP Controller.

  12. In the SSL Certificate box, type the name of the SSL certificate you installed on the BIG-IP Controller. You can select the certificate you want to use from the drop-down list.
  13. In the SSL Key box, type the name of the SSL key for the certificate you installed on the BIG-IP Controller. You can select the key from the drop-down list. It is important that you select the key used to generate the certificate you selected in the SSL Certificate box.
  14. In the Last Hop Pool list, select the last hop pool that contains other network devices from which the BIG-IP Controller receives connections. This feature is optional. You need to use this feature only if the SSL gateway is accepting connections from multiple network devices.
  15. Click Apply.

Creating an SSL gateway from the command line

Use the following command syntax to create an SSL gateway. Use this syntax if you want to configure a gateway by specifying a bitmask instead of a netmask and broadcast address:

bigpipe proxy <ip>:<port> [/bitmask] [<ifname>] [<unit id>] target <server | vip> <ip>:<port> ssl enable key <key> cert <cert>

Use this syntax if you want to configure a gateway by specifying a netmask and broadcast address instead of a bitmask:

bigpipe proxy <ip>:<port> [<ifname>] [<unit id>] netmask <ip> [broadcast <ip>] target <server | vip> <ip>:<port> ssl enable key <key> cert <cert>

For example, you can create an SSL gateway from the command line that looks like this:

bigpipe proxy 10.1.1.1:443 exp0 unit 1 { netmask 255.255.255.0 broadcast 10.1.1.255 target vip 20.1.1.1:80 ssl enable key my.server.net.key cert my.server.net.cert }

Note that when the configuration is written out in the bigip.conf file, the line ssl enable is automatically added. When the SSL gateway is written in the /etc/bigip.conf file, it looks like this:

Figure 4.4 An example SSL gateway configuration

proxy 10.1.1.1:443 exp0 unit 1 {
   netmask 255.255.255.0
   broadcast 10.1.1.255
   target vip 20.1.1.1:80
   ssl enable
   key my.server.net.key
   cert my.server.net.cert
}
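The two command forms above differ only in how the gateway's own network is described: a bitmask, or an explicit netmask with an optional broadcast address that the controller otherwise derives from the address class. The following added example (not F5 code; the class names and helper functions are hypothetical, and the classful default rule is an assumption about what "based on the network class" means) builds the manual's example gateway, checks that the netmask, broadcast address and key/certificate file names are mutually consistent, and renders both the bigpipe command line and the bigip.conf stanza shown in Figure 4.4, so a configuration can be reviewed before it is applied.

```python
# Added example: model an SSL gateway definition, check it for the
# inconsistencies this chapter warns about, and render it in both the
# bigpipe command form and the bigip.conf form. Hypothetical helper
# names; not part of the BIG-IP tooling.
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


def classful_default_netmask(ip: str) -> str:
    """Classful default mask (A -> /8, B -> /16, C -> /24).
    Assumption: this is what the manual means by a default 'based on the
    network class of the IP address'."""
    first_octet = int(ip.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    if first_octet < 224:
        return "255.255.255.0"
    raise ValueError(f"{ip} is not a class A, B or C unicast address")


def broadcast_for(ip: str, netmask: str) -> str:
    """Directed broadcast address of the network containing ip/netmask."""
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    return str(net.broadcast_address)


@dataclass
class SslGateway:
    address: str            # proxy (gateway) address clients connect to
    port: int               # proxy port, normally 443
    target_kind: str        # "vip" (local virtual server) or "server" (external node)
    target_address: str     # HTTP virtual server or node the gateway maps to
    target_port: int
    key: str                # key file name, e.g. my.server.net.key
    cert: str               # certificate file name, e.g. my.server.net.cert
    ifname: Optional[str] = None
    unit: Optional[int] = None
    netmask: Optional[str] = None
    broadcast: Optional[str] = None

    def effective_netmask(self) -> str:
        return self.netmask or classful_default_netmask(self.address)

    def effective_broadcast(self) -> str:
        return self.broadcast or broadcast_for(self.address, self.effective_netmask())

    def problems(self) -> List[str]:
        """Consistency checks drawn from the chapter's own warnings."""
        found = []
        if self.target_kind not in ("vip", "server"):
            found.append(f"target kind must be 'vip' or 'server', got {self.target_kind!r}")
        if not self.key.endswith(".key") or not self.cert.endswith(".cert"):
            found.append("key must end in .key and certificate in .cert")
        # The certificate is only valid with the key that generated its request;
        # both files are named after the FQDN, so differing base names are a red flag.
        if self.key.rsplit(".", 1)[0] != self.cert.rsplit(".", 1)[0]:
            found.append(f"key {self.key} and cert {self.cert} are named for different hosts")
        expected = broadcast_for(self.address, self.effective_netmask())
        if self.broadcast and self.broadcast != expected:
            found.append(f"broadcast {self.broadcast} does not match netmask "
                         f"{self.effective_netmask()} (expected {expected})")
        return found

    def command(self) -> str:
        """bigpipe command line in the netmask/broadcast form."""
        parts = ["bigpipe", "proxy", f"{self.address}:{self.port}"]
        if self.ifname:
            parts.append(self.ifname)
        if self.unit is not None:
            parts += ["unit", str(self.unit)]
        parts += ["{", "netmask", self.effective_netmask(),
                  "broadcast", self.effective_broadcast(),
                  "target", self.target_kind, f"{self.target_address}:{self.target_port}",
                  "ssl", "enable", "key", self.key, "cert", self.cert, "}"]
        return " ".join(parts)

    def conf_stanza(self) -> str:
        """The same gateway as it appears in /etc/bigip.conf (Figure 4.4 layout)."""
        head = f"proxy {self.address}:{self.port}"
        if self.ifname:
            head += f" {self.ifname}"
        if self.unit is not None:
            head += f" unit {self.unit}"
        body = [f"   netmask {self.effective_netmask()}",
                f"   broadcast {self.effective_broadcast()}",
                f"   target {self.target_kind} {self.target_address}:{self.target_port}",
                "   ssl enable", f"   key {self.key}", f"   cert {self.cert}"]
        return "\n".join([head + " {", *body, "}"])


if __name__ == "__main__":
    gw = SslGateway("10.1.1.1", 443, "vip", "20.1.1.1", 80,
                    "my.server.net.key", "my.server.net.cert",
                    ifname="exp0", unit=1, netmask="255.255.255.0", broadcast="10.1.1.255")
    print(gw.problems() or "no problems found")
    print(gw.command())
    print(gw.conf_stanza())
```

Leaving netmask and broadcast unset reproduces the controller's defaulting behaviour, so the rendered stanza shows what a terse command line actually expands to; a mismatched broadcast or a key/cert pair named for different hosts is reported before anything is written.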

Enabling, disabling, or deleting an SSL gateway

After you have created an SSL gateway, you can enable it, disable it, or delete it using the Configuration utility or from the command line.

Enabling or disabling an SSL gateway in the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. In the Proxies list, select the SSL gateway you want to enable or disable.
    The Proxy Properties screen opens.
  3. In the Proxy Properties screen, clear the Enable box to disable the Proxy, or check the Enable box to enable the SSL gateway.
  4. Click Apply.

Deleting an SSL gateway in the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. In the Proxies list, select the SSL gateway you want to delete.
    The Proxy Properties screen opens.
  3. On the toolbar, click Delete.

Enabling, disabling, or deleting an SSL gateway from the command line

You can enable, disable, or delete an SSL gateway with the following syntax:

bigpipe proxy <ip>:<port> enable

bigpipe proxy <ip>:<port> disable

bigpipe proxy <ip>:<port> delete

For example, if you want to enable the SSL gateway 209.100.19.22:443, type the following command:

bigpipe proxy 209.100.19.22:443 enable

For example, if you want to disable the SSL gateway 209.100.19.22:443, type the following command:

bigpipe proxy 209.100.19.22:443 disable

For example, if you want to delete the SSL gateway 209.100.19.22:443, type the following command:

bigpipe proxy 209.100.19.22:443 delete

Displaying the configuration for an SSL gateway from the command line

You can view the configuration information for an SSL gateway from the command line with the show keyword.

Displaying configuration information for an SSL accelerator gateway from the command line

Use the following syntax to view the configuration for the specified SSL gateway:

bigpipe proxy <ip>:<port> show

For example, if you want to view configuration information for the SSL gateway 209.100.19.22:80, type the following command:

bigpipe proxy 209.100.19.22:80 show

Figure 4.5 Output from the bigpipe proxy show command

SSL PROXY +---> 11.12.1.200:443 -- Originating Address -- Enabled   Unit 1
| Key File Name balvenie.scotch.net.key
| Cert File Name balvenie.scotch.net.cert
| LastHop Pool Name
+===> 11.12.1.100:80 -- Destination Address -- Server

SSL PROXY +---> 11.12.1.120:443 -- Originating Address -- Enabled   Unit 1
| Key File Name balvenie.scotch.net.key
| Cert File Name balvenie.scotch.net.cert
| LastHop Pool Name
+===> 11.12.1.111:80 -- Destination Address -- Vip
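When a controller carries many gateways, reading this output by eye is error-prone. The following added example (not F5 code; function and class names are hypothetical) parses the Figure 4.5 layout into records and audits each gateway for the points this chapter stresses: that the key and certificate belong to the same host, that a gateway is actually enabled, and whether a last hop pool is set. The first sample is the figure's own output; the second is a constructed record with a deliberately mismatched certificate name.

```python
# Added example: parse 'bigpipe proxy <ip>:<port> show' output (Figure 4.5
# layout) and audit the gateways it lists. Hypothetical helper names.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input copied from Figure 4.5 in this chapter.
SAMPLE_SHOW_OUTPUT = """\
 SSL PROXY +---> 11.12.1.200:443 -- Originating Address -- Enabled   Unit 1
| Key File Name balvenie.scotch.net.key
| Cert File Name balvenie.scotch.net.cert
| LastHop Pool Name
+===> 11.12.1.100:80 -- Destination Address -- Server

SSL PROXY +---> 11.12.1.120:443 -- Originating Address -- Enabled Unit 1
| Key File Name balvenie.scotch.net.key
| Cert File Name balvenie.scotch.net.cert
| LastHop Pool Name
+===> 11.12.1.111:80 -- Destination Address -- Vip
"""

# Constructed sample (not from the manual): disabled gateway whose
# certificate is named for a different host than its key.
SAMPLE_MISMATCH = """\
SSL PROXY +---> 11.12.1.130:443 -- Originating Address -- Disabled   Unit 2
| Key File Name balvenie.scotch.net.key
| Cert File Name glenlivet.scotch.net.cert
| LastHop Pool Name ssllasthop_pool
+===> 11.12.1.112:80 -- Destination Address -- Vip
"""

HEADER = re.compile(r"^SSL PROXY \+-+> (\S+):(\d+) -- Originating Address -- "
                    r"(Enabled|Disabled)\s+Unit (\d+)$")
KEY = re.compile(r"^\|\s*Key File Name\s*(\S*)$")
CERT = re.compile(r"^\|\s*Cert File Name\s*(\S*)$")
LASTHOP = re.compile(r"^\|\s*LastHop Pool Name\s*(\S*)$")
TARGET = re.compile(r"^\+=+> (\S+):(\d+) -- Destination Address -- (\S+)$")


@dataclass
class ProxyEntry:
    address: str
    port: int
    state: str
    unit: int
    key: Optional[str] = None
    cert: Optional[str] = None
    lasthop_pool: Optional[str] = None
    target_address: Optional[str] = None
    target_port: Optional[int] = None
    target_kind: Optional[str] = None   # "Server" (external node) or "Vip"


def parse_proxy_show(text: str) -> List[ProxyEntry]:
    """Turn the show output into one ProxyEntry per SSL PROXY block."""
    entries: List[ProxyEntry] = []
    current: Optional[ProxyEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = ProxyEntry(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
            entries.append(current)
            continue
        if current is None:
            raise ValueError(f"detail line before any SSL PROXY header: {line!r}")
        for pattern, attr in ((KEY, "key"), (CERT, "cert"), (LASTHOP, "lasthop_pool")):
            m = pattern.match(line)
            if m:
                setattr(current, attr, m.group(1) or None)   # empty field -> None
                break
        else:
            m = TARGET.match(line)
            if not m:
                raise ValueError(f"unrecognised line: {line!r}")
            current.target_address = m.group(1)
            current.target_port = int(m.group(2))
            current.target_kind = m.group(3)
    return entries


def audit(entries: List[ProxyEntry]) -> List[Tuple[str, str, str]]:
    """Return (gateway, severity, message) findings for each entry."""
    findings = []
    for e in entries:
        ident = f"{e.address}:{e.port}"
        if e.state != "Enabled":
            findings.append((ident, "info", "gateway is disabled"))
        if not e.key or not e.cert:
            findings.append((ident, "warn", "key or certificate file name missing"))
        elif e.key.rsplit(".", 1)[0] != e.cert.rsplit(".", 1)[0]:
            # A certificate is only valid with the key that produced its request.
            findings.append((ident, "warn",
                             f"key {e.key} and cert {e.cert} are named for different hosts"))
        if e.target_kind is None:
            findings.append((ident, "warn", "no destination address listed"))
        if not e.lasthop_pool:
            findings.append((ident, "info",
                             "no last hop pool (needed only when connections arrive "
                             "through several routers or firewalls)"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_SHOW_OUTPUT, SAMPLE_MISMATCH):
        for ident, severity, message in audit(parse_proxy_show(sample)):
            print(f"{severity:4} {ident:20} {message}")
```

Feeding the real command's output through parse_proxy_show gives the same records, so the audit can be run against a saved copy of the controller's state after each change.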

Optional SSL Accelerator configuration

Depending on your network configuration, the SSL Accelerator may require additional configuration. For example, in cases where the BIG-IP Controller receives connections from several devices, such as routers or firewalls, you can configure a last hop pool for the SSL Accelerator. The last hop pool must contain the IP addresses of the routers or firewalls from which the BIG-IP Controller receives connections.

Create a last hop pool that includes additional network devices

If the SSL gateway accepts connections from multiple firewalls or routers, you can configure a last hop pool for the SSL gateway. This last hop pool can contain any other devices, such as firewalls or routers, through which connections are received by the BIG-IP Controller.

Creating a last hop pool with additional network devices in the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. On the toolbar, click Add Pool.
    The Add Pool screen opens.
  3. In the Pool Name box, type the name you want to use for the pool.
  4. From the load balancing method list, select the load balancing mode you want to use for this pool.
  5. Use the resources options to add the devices from which the BIG-IP Controller receives connections. To add devices to the pool, type the IP address in the Node Address box, type the port number in the Port box, and then type in the ratio or priority for this node. Finally, to add the node to the list, click the add ( >>) button.

    · Node Address
    Type the IP addresses of routers or other devices from which the BIG-IP Controller receives connections.

    · Port
    Type the port number of the port you want to use for this node in the pool.

    · Ratio
    Type a number to assign a ratio to this node within the pool. For example, if you are using the ratio load balancing method and you type a 1 in this box, the node will receive fewer connections from the load-balancing pool than a node marked 2.

    · Priority
    Type a number to assign a priority to this node within the pool. For example, if you are using a priority load-balancing method and you type a 1 in this box, the node will have a lower priority in the load-balancing pool than a node marked 2.

    · Current Members
    This is a list of the member nodes that are part of the load balancing pool.

  6. Click Apply.

Creating a last hop pool with additional network devices from the command line

Use the following syntax to configure a last hop pool for the SSL gateway that contains the additional network devices:

bigpipe pool <pool_name> {lb_mode <lb_mode_specification> member <member_definition>... member <member_definition>}

For example, you might use the following command to create a last hop pool that contains three routers:

bigpipe pool ssllasthop_pool {lb_mode ratio_member member 11.12.1.100:80 ratio 1 priority 1 member 11.12.1.101:80 ratio 1 priority 1 member 11.12.1.102:80 ratio 1 priority 1}

After you create the last hop pool, you must modify the SSL gateway so that it references the last hop pool. The next section describes how to do this with the Configuration utility or from the command line.

Modify the SSL gateway so that it references the last hop pool

After you create the last hop pool that contains other devices, such as firewalls or routers, you can reference it from the SSL gateway using either the Configuration utility or the command line.

Adding a last hop pool to an SSL gateway in the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. In the Proxies list, select the SSL gateway to which you want to assign the last hop pool.
    The Proxy Properties screen opens.
  3. In the Last Hop Pool list, select the last hop pool that contains additional network devices.
  4. Click Apply.

Adding a last hop pool to an SSL gateway from the command line

Use the following syntax to reference a last hop pool from an SSL gateway:

bigpipe proxy <ip>:<port> lasthop pool <pool_name>

For example, if you want to assign the last hop pool named ssllasthop_pool to the SSL gateway 11.12.1.200:443, type the following command:

bigpipe proxy 11.12.1.200:443 lasthop pool ssllasthop_pool

Introducing the SSL accelerator cell configuration

This section explains how to set up a scalable SSL accelerator configuration. This configuration is useful for any enterprise that handles a large amount of encrypted traffic.

With this configuration, you can increase the scale of the network by adding a new cell. A cell consists of an SSL accelerator and one or more nodes for which it proxies SSL connections.

Figure 4.6 shows a configuration of an SSL accelerator cell. The SSL accelerator cell described in this section includes BIG-IP Controllers 1a and 1b, the SSL accelerator accelerator1, and Node1 and Node2.

The following sections refer to Figure 4.6 as an example of how you can set up such a configuration.

Note: The IP addresses shown in the example configuration are fictitious. When implementing your configuration, choose IP addresses that are consistent with your network or networks.

Figure 4.6 An SSL accelerator cell configuration. The cell is outlined by the dashed line.

Configuration tasks

To configure an SSL accelerator cell, you must configure the BIG-IP Controller redundant pair that load balances the SSL accelerators, each SSL accelerator, and each node that handles connections from the SSL accelerator.

First, complete the following tasks on the BIG-IP Controller that you want to use to load balance connections to the SSL accelerators:

  • Configure interfaces on the BIG-IP Controller redundant system.
  • Modify the /etc/netstart file on the BIG-IP Controller that you want to use to load balance the SSL accelerators.
  • Create two load balancing pools. One pool load balances HTTP connections using the IP addresses of the web servers, the other pool load balances SSL connections to the SSL accelerators.
  • Create virtual servers that reference the load balancing pools. Create one virtual server for the pool that load balances the SSL connections, and another virtual server for the pool that load balances the HTTP connections.
  • Enable port 80 and port 443 on the controller.

    Next, complete the following tasks for the SSL accelerator in the cell:

  • Set up an SSL gateway for each node for which the SSL accelerator handles connections.
  • Enable port 443.
  • Set the idle connection timer for port 443.
  • Turn on IP forwarding.

    Finally, complete the following task on each node in the cell:

  • Set the default route on each node in the cell to point to the internal interface (source processing) of the SSL accelerator serving that cell.

Configuring the BIG-IP Controller that load balances the SSL accelerator cells

To configure the BIG-IP Controller that load balances the SSL accelerator cells, complete the following tasks on the BIG-IP Controller. This section describes how to complete each task.

  • Configure interfaces on the BIG-IP Controller.
  • Modify the /etc/netstart file on the BIG-IP Controller that you want to use to load balance the SSL accelerators.
  • Create two load balancing pools. One pool load balances HTTP connections using the IP addresses of the web servers; the other pool load balances SSL connections from the SSL accelerators.
  • Create virtual servers that reference the load balancing pools.
  • Enable port 80 and port 443 on the controller.

Configuring interfaces on the BIG-IP Controller

You must configure the interfaces on the redundant BIG-IP Controller system (1a and 1b, in Figure 4.6) to process source and destination addresses. Note that in a basic controller configuration, one interface is configured as an internal interface (source processing), and the other interface is configured as an external interface (destination processing).

In order for the SSL accelerator cell load balancing to work, you must turn destination processing on for the internal interface, and source processing on for the external interface.

To configure source and destination processing using the Configuration utility

  1. In the navigation pane, click NICs.
    The Network Interface Cards screen opens. You can view the current settings for each interface in the Network Interface Card table.
  2. In the Network Interface Card table, click the name of the interface you want to configure.
    The Network Interface Card Properties screen opens.

    · To enable source processing for this interface, click the Enable Source Processing check box.

    · To enable destination processing for this interface, click the Enable Destination Processing check box.

  3. Click the Apply button.

To configure source and destination processing from the command line

Use the following syntax to configure source and destination processing on the specified interface:

bigpipe interface <interface> dest [ enable | disable ]

bigpipe interface <interface> source [ enable | disable ]

The following example command enables destination processing on the interface exp0:

bigpipe interface exp0 dest enable

The following example command enables source processing on the interface exp1:

bigpipe interface exp1 source enable

Add routes for nodes to /etc/netstart

In order for traffic to pass through this configuration correctly, you must configure routes for the nodes in the SSL accelerator cell configuration on the BIG-IP Controller. Add the routes for the nodes to the end of /etc/netstart. In the example shown in Figure 4.6, you must add routes for Node1, Node2, Node3, and Node4. The entries look like this in the /etc/netstart file:

route add -host 10.3.0.11 -gateway 10.1.0.11

route add -host 10.3.0.12 -gateway 10.1.0.11

route add -host 10.3.0.13 -gateway 10.1.0.12

route add -host 10.3.0.14 -gateway 10.1.0.12

Create load balancing pools

This section describes how to create the load balancing pools required for the SSL accelerator configuration described in Figure 4.6. The two pools you need to create are:

  • A load balancing pool for connections using the IP addresses of the web server. For this example, the HTTP pool is named http_virtual. This pool contains the following members:
    Node1 (10.3.0.11)
    Node2 (10.3.0.12)
    Node3 (10.3.0.13)
    Node4 (10.3.0.14)
  • A load balancing pool for SSL connections to the SSL accelerators. For this example, the SSL accelerator pool is named ssl_gateways. This pool contains the following members:
    accelerator1 (10.1.0.111)
    accelerator2 (10.1.0.112)
    accelerator3 (10.1.0.113)
    accelerator4 (10.1.0.114)

    Note: The SSL accelerator pool must contain the SSL gateway addresses configured on every SSL accelerator cell.

To create a pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. In the toolbar, click the Add Pool button.
    The Add Pool screen opens.
  3. In the Add Pool screen, configure the load balancing method, persistence attributes, and members for the pool.

    Configuration note

    · For this example, you could create an HTTP pool named http_virtual. This pool contains the following members:
    Node1 (10.3.0.11)
    Node2 (10.3.0.12)
    Node3 (10.3.0.13)
    Node4 (10.3.0.14)

    · For this example, you could create an SSL accelerator pool named ssl_gateways. This pool contains the following members:
    accelerator1 (10.1.0.111)
    accelerator2 (10.1.0.112)
    accelerator3 (10.1.0.113)
    accelerator4 (10.1.0.114)

    · For additional information about configuring a pool, click the Help button.

To define a pool from the command line

To define a pool from the command line, use the following syntax:

bigpipe pool <pool_name> {lb_mode <lb_mode> member
<member_definition> ... member <member_definition>}

For example, if you want to create the pool http_virtual and the pool ssl_gateways, you would type the following commands. Note that the members of ssl_gateways are the SSL gateway addresses on port 443, the port on which the gateways accept connections, not port 80:

bigpipe pool http_virtual { lb_mode rr member 10.3.0.11:80 member
10.3.0.12:80 member 10.3.0.13:80 member 10.3.0.14:80 }

bigpipe pool ssl_gateways { lb_mode rr member 10.1.0.111:443 member
10.1.0.112:443 member 10.1.0.113:443 member 10.1.0.114:443 }

Create the virtual servers

Create a virtual server that references the pool load balancing the SSL connections, and another virtual server that references the pool that load balances the HTTP connections through the SSL accelerators.

To define a standard virtual server that references a pool using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. On the toolbar, click Add Virtual Server.
    The Add Virtual Server screen opens.
  3. Fill in the attributes for the virtual server.

    Configuration notes

    · To create the configuration described in Figure 4.6, create a virtual server 10.0.0.101 on port 443 that references the pool of SSL accelerators.

    · To create the configuration described in Figure 4.6, create a virtual server 10.0.0.101 on port 80 that references the pool of content servers.

    · For additional information about this screen, click the Help button on the tool bar.

To define a standard virtual server mapping from the command line

Type the bigpipe vip command as shown below. Also, note that you can use host names in place of IP addresses, and that you can use standard service names in place of port numbers.

bigpipe vip <virt IP>:<port> use pool <pool_name>

To create the virtual servers for the configuration in Figure 4.6, you could type the following commands, where the pool of SSL accelerators is named ssl_gateways and the pool for HTTP requests is named http_virtual:

bigpipe vip 10.0.0.101:443 use pool ssl_gateways

bigpipe vip 10.0.0.101:80 use pool http_virtual

Enable ports 80 and 443 on the BIG-IP Controller

For security reasons, the BIG-IP Controller ports do not accept traffic until you enable them. In this configuration, the BIG-IP Controller accepts traffic on port 443 for SSL, and port 80 for HTTP. For this configuration to work, you must enable port 80 and port 443.

Use the following command to enable these ports:

bigpipe port 80 443 enable

Configuring an SSL accelerator for use in a cell

The next part of the process in configuring an SSL accelerator cell is to configure the SSL accelerator. Complete the following tasks on each SSL accelerator in the cell:

  • Set up an SSL gateway for each node for which the SSL accelerator handles connections.
  • Enable port 443.
  • Set the idle connection timer for port 443.
  • Turn on IP forwarding.

Set up an SSL gateway for each node in the SSL accelerator cell

The first task you must complete on the SSL accelerator is to set up an SSL gateway for each node for which the SSL accelerator handles connections. Using the example for creating an SSL Accelerator cell in Figure 4.6, you create two SSL gateways on accelerator1:

  • An SSL gateway (10.1.0.111) with Node1 (10.3.0.11) as a target
  • An SSL gateway (10.1.0.112) with Node2 (10.3.0.12) as a target

    The following section includes procedures for adding an SSL gateway to the SSL Accelerator configuration.

Creating an SSL gateway using the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. On the toolbar, click Add Proxy.
    The Add Proxy screen opens.
  3. In the Proxy Address box, type the IP address for the SSL gateway. On accelerator1, the gateway addresses are 10.1.0.111 (for Node1) and 10.1.0.112 (for Node2); on accelerator2 they are 10.1.0.113 (for Node3) and 10.1.0.114 (for Node4).
  4. In the Proxy Netmask box, type the netmask you want to use for the SSL gateway. If you leave this setting blank, the BIG-IP Controller creates a default based on the network class of the IP address on the external (destination processing) interface. Type a user-defined netmask only if necessary.
  5. In the Proxy Broadcast box, type the broadcast address you want to use for this SSL gateway. The BIG-IP Controller automatically generates a broadcast address if you do not type one. Type a user-defined broadcast address only if necessary.
  6. In the Proxy Port box, type the port number that the proxy server uses, or select a service from the list box. Note that if you select a service, the Configuration utility uses the default port number associated with that service.
  7. For Interface, select the destination processing interface on which you want to create the SSL gateway. Select default to allow the Configuration utility to select the interface based on the network address of the SSL gateway.
  8. In the Destination Address box, type the IP address or host name of the node to which the SSL gateway maps.
  9. In the Destination Port box, type a port name or number, such as port 80 or http, or select the service name from the drop-down list.
  10. In the SSL Certificate box, type the name of the SSL certificate you installed on the BIG-IP Controller. You can select the certificate you want to use from the drop down list.
  11. In the SSL Key box, type the name of the SSL key for the certificate you installed on the BIG-IP Controller. You can select the key from the drop down list. It is important that you select the key used to generate the certificate you selected in the SSL Certificate box.
  12. Click Apply.

Creating an SSL gateway from the command line

Use the following command syntax to create an SSL gateway:

bigpipe proxy <ip>:<port> [<ifname>] netmask <ip> [broadcast <ip>]
target server <ip>:<port> ssl enable key <key> cert <cert>

For example, to create the two SSL gateways on accelerator1, you would use the following commands. On accelerator2, use the gateway addresses 10.1.0.113 and 10.1.0.114 with Node3 (10.3.0.13) and Node4 (10.3.0.14) as targets. Each gateway needs its own address and port; two gateways on the same accelerator cannot share 10.1.0.111:443.

bigpipe proxy 10.1.0.111:443 exp0 { netmask 255.255.255.0
broadcast 10.1.0.255 target server 10.3.0.11:80 ssl enable key
my.server.net.key cert my.server.net.cert }

bigpipe proxy 10.1.0.112:443 exp0 { netmask 255.255.255.0
broadcast 10.1.0.255 target server 10.3.0.12:80 ssl enable key
my.server.net.key cert my.server.net.cert }

Enable port 443

For security reasons, the ports on the SSL accelerator do not accept traffic until you enable them. In this configuration, the SSL accelerator accepts traffic on port 443 for SSL. For this configuration to work, you must enable port 443. Use the following command to enable this port:

bigpipe port 443 enable

Set the idle connection timer for port 443

In the SSL accelerator cell configuration, you should set the idle connection timer to clean up closed connections on port 443. You need to set an appropriate idle connection time-out value so that valid connections are not disconnected, and closed connections are cleaned up in a reasonable time.

To set the idle connection time-out using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. In the Virtual Servers list, click the virtual server you configured for SSL connections.
    The Virtual Server Properties screen opens.
  3. In the Port box, click the port. For the example in this section, choose 443.
    The Global Virtual Port Properties screen opens.
  4. In the Idle connection timeout TCP (seconds) box, type a time-out value for TCP connections. The recommended time-out setting is 10 seconds.
  5. In the Idle connection timeout UDP (seconds) box, type a time-out value for UDP connections. The recommended time-out setting is 10 seconds.
  6. Click Apply.

To set the idle connection time-out in the /etc/bigip.conf file

To set the idle connection time-out in the /etc/bigip.conf file, edit the following lines:

treaper <port> <seconds>

udp <port> <seconds>

For the example in Figure 4.6, the entries look like this:

treaper 443 10

udp 443 10

The <seconds> value is the number of seconds a connection is allowed to remain idle before it is terminated. The <port> value is the port whose idle connections are reaped; in this configuration it is port 443, the port on which the SSL gateways accept connections. The recommended value for the TCP and UDP connection timeouts is 10 seconds.

Turn on IP forwarding

In order for traffic from the nodes to be routed back to the client correctly, you must turn on IP forwarding for the SSL accelerator in the cell.

IP forwarding is a property of the BIG-IP Controller system, and it is controlled by the system control variable net.inet.ip.forwarding.

To set the IP forwarding system control variable using the Configuration utility

  1. In the navigation pane, click the BIG-IP Controller icon.
    The BIG-IP System Properties screen opens.
  2. On the toolbar, click Advanced Properties.
    The BIG-IP System Control Variables screen opens.
  3. Check the Allow IP Forwarding box.
  4. Click the Apply button.

To set the IP forwarding system control variable from the command line

Use the standard sysctl command to set the variable. The default setting for the variable is 0, which is off. You want to change the setting to 1, which is on:

sysctl -w net.inet.ip.forwarding=1

To permanently set this value, you can use a text editor, such as vi or pico, to manually edit the /etc/rc.sysctl file. For additional information about editing this file, see BIG-IP Controller Reference Guide, System Control Variables.

Setting the default route on each node in a cell

The final task you must complete for this configuration is to set the default route on each node in the cell to point to the internal interface (source processing) of the SSL accelerator serving that cell.

In the configuration described in Figure 4.6, the default routes for the content servers should be set like this:

  • You should set the default route on Node1 and Node2 to the internal address of accelerator1, which is 10.3.0.251.
  • You should set the default route on Node3 and Node4 to the internal address of accelerator2, which is 10.3.0.252.

    Note: For information about how to set the default route on the content servers in your network, refer to the documentation provided with the content server.
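The cell configuration above spreads settings across three kinds of box (the load balancing controller, each SSL accelerator, and the content servers), and the return path only works when they agree: a node's host route on the controller has to point at the accelerator whose SSL gateway targets that node, every member of the pool behind the port 443 virtual server has to be an address and port on which some SSL gateway actually listens, and no two gateways may share an address. The following Python script, added here as an example and not part of the original chapter or of the BIG-IP software, parses the bigpipe and /etc/netstart lines in the forms this chapter uses and reports any of those mismatches. It assumes that 10.1.0.11 and 10.1.0.12, the gateways in the controller's host routes, are the external interface addresses of accelerator1 and accelerator2; the chapter does not state this. The sample configuration is constructed from the commands shown above.

```python
import re

# Only the command forms this chapter uses are recognised.
PROXY_RE = re.compile(
    r"bigpipe proxy (\S+):(\d+)\s+\S+\s*\{.*?target server (\S+):(\d+)", re.S)
POOL_RE = re.compile(r"bigpipe pool (\w+)\s*\{(.*?)\}", re.S)
MEMBER_RE = re.compile(r"member\s+(\S+):(\d+)")
VIP_RE = re.compile(r"bigpipe vip (\S+):(\d+) use pool (\w+)")
ROUTE_RE = re.compile(r"route add -host (\S+) -gateway (\S+)")


def parse(text):
    """Return the SSL gateways, pools, virtual servers and host routes in text."""
    return {
        "proxies": [(ip, int(p), tip, int(tp))
                    for ip, p, tip, tp in PROXY_RE.findall(text)],
        "pools": {name: [(ip, int(p)) for ip, p in MEMBER_RE.findall(body)]
                  for name, body in POOL_RE.findall(text)},
        "vips": [(ip, int(p), pool) for ip, p, pool in VIP_RE.findall(text)],
        "routes": dict(ROUTE_RE.findall(text)),   # node -> gateway
    }


def gateways(accelerators):
    """Map each SSL gateway ip:port to the accelerator that owns it; an
    address configured twice is a finding."""
    owner, findings = {}, []
    for ext, text in accelerators.items():
        for ip, port, _, _ in parse(text)["proxies"]:
            if (ip, port) in owner:
                findings.append(f"SSL gateway {ip}:{port} configured on both "
                                f"{owner[(ip, port)]} and {ext}")
            owner[(ip, port)] = ext
    return owner, findings


def check_cell(controller_text, accelerators):
    """controller_text: the /etc/netstart routes and bigpipe commands on the
    load balancing controller. accelerators: {external address of the
    accelerator (the gateway in the controller's host routes): its bigpipe
    commands}. Returns a list of findings; empty means consistent."""
    ctl = parse(controller_text)
    owner, findings = gateways(accelerators)
    for ext, text in accelerators.items():
        for ip, port, node, _ in parse(text)["proxies"]:
            # The gateway forwards the decrypted request with the client's
            # source address, so the controller must route that node through
            # the same accelerator or the return path breaks.
            if ctl["routes"].get(node) != ext:
                findings.append(f"node {node} is served by gateway {ip}:{port} "
                                f"on {ext} but the controller routes it via "
                                f"{ctl['routes'].get(node)}")
    for vip, vport, pool in ctl["vips"]:
        for ip, port in ctl["pools"].get(pool, []):
            if vport == 443 and (ip, port) not in owner:
                findings.append(f"pool {pool} member {ip}:{port} "
                                "is not a configured SSL gateway")
            if vport == 80 and ip not in ctl["routes"]:
                findings.append(f"pool {pool} member {ip} has no host route")
    return findings


# Constructed sample input: the Figure 4.6 cell as this chapter configures it.
CELL_CONTROLLER = """
route add -host 10.3.0.11 -gateway 10.1.0.11
route add -host 10.3.0.12 -gateway 10.1.0.11
route add -host 10.3.0.13 -gateway 10.1.0.12
route add -host 10.3.0.14 -gateway 10.1.0.12
bigpipe pool http_virtual { lb_mode rr member 10.3.0.11:80 member
10.3.0.12:80 member 10.3.0.13:80 member 10.3.0.14:80 }
bigpipe pool ssl_gateways { lb_mode rr member 10.1.0.111:443 member
10.1.0.112:443 member 10.1.0.113:443 member 10.1.0.114:443 }
bigpipe vip 10.0.0.101:443 use pool ssl_gateways
bigpipe vip 10.0.0.101:80 use pool http_virtual
"""


def proxy_cmd(addr, node):
    """The bigpipe proxy line this chapter shows, for one gateway/node pair."""
    return (f"bigpipe proxy {addr}:443 exp0 {{ netmask 255.255.255.0 "
            f"broadcast 10.1.0.255 target server {node}:80 ssl enable key "
            f"my.server.net.key cert my.server.net.cert }}\n")


# Assumption: 10.1.0.11 and 10.1.0.12 (the route gateways) are the external
# addresses of accelerator1 and accelerator2.
CELL_ACCELERATORS = {
    "10.1.0.11": proxy_cmd("10.1.0.111", "10.3.0.11") + proxy_cmd("10.1.0.112", "10.3.0.12"),
    "10.1.0.12": proxy_cmd("10.1.0.113", "10.3.0.13") + proxy_cmd("10.1.0.114", "10.3.0.14"),
}

if __name__ == "__main__":
    for line in check_cell(CELL_CONTROLLER, CELL_ACCELERATORS) or ["cell configuration is consistent"]:
        print(line)
```

Paste each box's commands into its own string and run the script before putting the cell into service; an empty result means the controller, the accelerators and the routes agree. Feeding it a ssl_gateways pool whose members are on port 80, or two proxies at 10.1.0.111:443 on the same accelerator, produces one finding per mismatch.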

Introducing the SSL accelerator half sandwich configuration

This section explains how to set up a scalable SSL accelerator configuration. This configuration is useful for any enterprise that handles a large amount of encrypted traffic.

With this configuration, you can increase the scale of the network by adding new SSL accelerators to the configuration. You can use this configuration to load balance encrypted traffic to the SSL accelerators while standard HTTP traffic is sent directly to a second BIG-IP Controller which load balances the connections to the content servers.

Figure 4.7 shows a configuration of an SSL accelerator half-sandwich. The following sections refer to Figure 4.7 as an example of how you can set up such a configuration.

Note: The IP addresses shown in the example configuration are fictitious. When implementing your configuration, choose IP addresses that are consistent with your network or networks.

Figure 4.7 An SSL accelerator half-sandwich.

Configuration tasks

First, complete the following tasks on the BIG-IP Controllers 1a and 1b that you want to use to load balance traffic coming into your network:

  • Create two load balancing pools. One pool load balances HTTP connections using the IP address of a virtual server on the second BIG-IP Controller (10.3.0.251), and another pool that load balances SSL connections to the SSL accelerators.
  • Create two virtual servers. One virtual server references the pool that contains the IP address of the virtual server on the other controller. The second virtual server references the pool for load balancing the SSL accelerators.
  • Enable port 80 and port 443 on the controller.

    Next, complete the following tasks on each SSL accelerator in the half-sandwich:

  • Configure interfaces on each SSL accelerator.
  • Set up an SSL gateway that points to the virtual server that handles HTTP requests on the BIG-IP Controller (10.3.0.251).

    Next, complete the following tasks on the BIG-IP Controller (10.3.0.251) that load balances HTTP requests from the SSL accelerators and HTTP requests from the BIG-IP Controllers 1a and 1b:

  • Configure interfaces on the second BIG-IP Controller.
  • Create a pool of web servers that handle HTTP connections.
  • Create one virtual server that handles connections for the content servers.
  • Create a last hop pool of the devices from which the controller receives HTTP connections.
  • Add that last hop pool to the virtual server.
  • Enable port 80.

    Next, complete the following tasks on each content server:

  • Set the default route on each node in the cell to point to the internal IP address of the second BIG-IP Controller.

Configuring the BIG-IP Controllers handling inbound traffic

First, complete the following tasks on the BIG-IP Controllers 1a and 1b that you want to use to load balance traffic coming into your network:

  • Create two load balancing pools. One pool load balances HTTP connections using the IP address of a virtual server on the second BIG-IP Controller (10.3.0.251), and another pool load balances SSL connections to the SSL accelerators.
  • Create two virtual servers. One virtual server references the pool that contains the IP address of the virtual server on the other controller. The second virtual server references the pool for load balancing the SSL accelerators.
  • Enable port 80 and port 443 on the controller.

Create load balancing pools for HTTP and SSL requests

Create two load balancing pools. One pool load balances HTTP connections using the IP address of a virtual server on the second BIG-IP Controller (10.3.0.251), and another pool load balances SSL connections to the SSL accelerators.

This section describes how to create the load balancing pools required for the SSL accelerator configuration described in Figure 4.7. The two pools you need to create are:

  • A load balancing pool that load balances HTTP connections using the IP address of a virtual server on the second BIG-IP Controller (10.3.0.251). For this example, the HTTP pool is named http_virtual. This pool contains the member 10.1.0.101:80.
  • A load balancing pool for SSL connections to the SSL accelerators. For this example, the SSL accelerator pool is named ssl_gateways. This pool contains the following members:
    accelerator1 (10.1.0.111:443)
    accelerator2 (10.1.0.112:443)

To create a pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. In the toolbar, click the Add Pool button.
    The Add Pool screen opens.
  3. In the Add Pool screen, configure the load balancing method, persistence attributes, and members for the pool.

    Configuration notes

    · For this example, you could create an HTTP pool named http_virtual. This pool contains the following member:
    10.1.0.101:80

    · For this example, you could create an SSL accelerator pool named ssl_gateways. This pool contains the following members:
    accelerator1 (10.1.0.111:443)
    accelerator2 (10.1.0.112:443)

    · For additional information about configuring a pool, click the Help button.

To define a pool from the command line

To define a pool from the command line, use the following syntax:

bigpipe pool <pool_name> {lb_mode <lb_mode> member
<member_definition> ... member <member_definition>}

For example, if you want to create the pool http_virtual and the pool ssl_gateways, you would type the following commands:

bigpipe pool http_virtual { lb_mode rr member 10.1.0.101:80 }

bigpipe pool ssl_gateways { lb_mode rr member 10.1.0.111:443 member
10.1.0.112:443 }

Creating the virtual servers that reference the HTTP and SSL pools

Create a virtual server that references the pool load balancing the SSL connections, and another virtual server that references the pool that load balances the HTTP connections to the virtual server on the second BIG-IP Controller.

To define a standard virtual server that references a pool using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. On the toolbar, click Add Virtual Server.
    The Add Virtual Server screen opens.
  3. Fill in the attributes for the virtual server.

    Configuration notes

    · To create the configuration described in Figure 4.7, create a virtual server 10.0.0.101 on port 443 that references the pool of SSL accelerators.

    · To create the configuration described in Figure 4.7, create a virtual server 10.0.0.101 on port 80 that references the pool http_virtual, whose only member is the HTTP virtual server 10.1.0.101:80 on the second BIG-IP Controller.

    · For additional information about this screen, click the Help button on the tool bar.

To define a standard virtual server mapping from the command line

Type the bigpipe vip command as shown below. Also, you can use host names in place of IP addresses, and you can use standard service names in place of port numbers.

bigpipe vip <virt IP>:<port> use pool <pool_name>

To create the virtual servers for the configuration in Figure 4.7, you could type the following commands, where the pool of SSL accelerators is named ssl_gateways and the pool for HTTP requests is named http_virtual:

bigpipe vip 10.0.0.101:443 use pool ssl_gateways

bigpipe vip 10.0.0.101:80 use pool http_virtual

Enable ports 80 and 443

For security reasons, the BIG-IP Controller ports do not accept traffic until you enable them. In this configuration, the BIG-IP Controller accepts traffic on port 443 for SSL, and port 80 for HTTP. For this configuration to work, you must enable port 80 and port 443. Use the following command to enable these ports:

bigpipe port 80 443 enable

Configuring each SSL accelerator

Next, complete the following tasks on each SSL accelerator in the half-sandwich:

  • Configure interfaces on each SSL accelerator.
  • Set up an SSL gateway that points to the virtual server that handles HTTP requests on the BIG-IP Controller (10.3.0.251).
  • Set the idle connection timer for port 443.

Configuring interfaces on each SSL accelerator

You must configure the interfaces on each SSL accelerator to process source and destination addresses. In a basic controller configuration, one interface is configured as an internal interface (source processing), and the other interface is configured as an external interface (destination processing).

In order for the SSL accelerator half sandwich to work, you must turn destination processing on for the internal interface, and source processing on for the external interface.

To configure source and destination processing using the Configuration utility

  1. In the navigation pane, click NICs.
    The Network Interface Cards screen opens. You can view the current settings for each interface in the Network Interface Card table.
  2. In the Network Interface Card table, click the name of the interface you want to configure.
    The Network Interface Card Properties screen opens.

    · To enable source processing for this interface, click the Enable Source Processing check box.

    · To enable destination processing for this interface, click the Enable Destination Processing check box.

  3. Click the Apply button.

To configure source and destination processing from the command line

Use the following syntax to configure source and destination processing on the specified interface:

bigpipe interface <interface> dest [ enable | disable ]

bigpipe interface <interface> source [ enable | disable ]

The following example command enables destination processing on the interface exp0:

bigpipe interface exp0 dest enable

The following example command enables source processing on the interface exp1:

bigpipe interface exp1 source enable

Setting up an SSL gateway that points to the HTTP virtual server on the second BIG-IP Controller

The next step is to set up an SSL gateway that points to the virtual server that handles HTTP requests on the BIG-IP Controller (10.3.0.251). The SSL gateway passes the HTTP request to the BIG-IP Controller which then load balances them to the content servers.

The first task you must complete on each SSL accelerator is to set up an SSL gateway that targets the HTTP virtual server on the second BIG-IP Controller. Using the half-sandwich example in Figure 4.7, you create an SSL gateway on accelerator1 and an SSL gateway on accelerator2:

  • An SSL gateway on accelerator1 that has the virtual server 10.1.0.101:80 as a target
  • An SSL gateway on accelerator2 that has the virtual server 10.1.0.101:80 as a target

    The following section includes procedures for adding an SSL gateway to the SSL Accelerator configuration.

Creating an SSL gateway using the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. On the toolbar, click Add Proxy.
    The Add Proxy screen opens.
  3. In the Proxy Address box, type the IP address for the SSL gateway. On accelerator1, the IP address for the gateway is 10.1.0.111; on accelerator2, it is 10.1.0.112. Both gateways use port 443, which you set in the next step.
  4. In the Proxy Port box, type the port number that the proxy server uses, or select a service from the list box. Note that if you select a service, the Configuration utility uses the default port number associated with that service.
  5. For Interface, select the destination processing interface on which you want to create the SSL gateway. Select default to allow the Configuration utility to select the interface based on the network address of the SSL gateway.
  6. In the Destination Address box, type the IP address or host name of the node to which the SSL gateway maps. In this example, the destination should be the virtual server 10.1.0.101 on the second BIG-IP Controller.
  7. In the Destination Port box, type a port name or number, such as port 80 or http, or select the service name from the drop-down list.
  8. In the SSL Certificate box, type the name of the SSL certificate you installed on the BIG-IP Controller. You can select the certificate you want to use from the drop down list.
  9. In the SSL Key box, type the name of the SSL key for the certificate you installed on the BIG-IP Controller. You can select the key from the drop down list. It is important that you select the key used to generate the certificate you selected in the SSL Certificate box.
  10. Click Apply.

Creating an SSL gateway from the command line

Use the following command syntax to create an SSL gateway. Use this syntax if you want to configure a gateway:

bigpipe proxy <ip>:<port> [<ifname>] netmask <ip> [broadcast <ip>]
target server <ip>:<port> ssl enable key <key> cert <cert>

For example, to create the SSL gateway on accelerator1 and the SSL gateway on accelerator2, you would use the following commands, one on each accelerator:

bigpipe proxy 10.1.0.111:443 exp0 { netmask 255.255.255.0
broadcast 10.1.0.255 target server 10.1.0.101:80 ssl enable key
my.server.net.key cert my.server.net.cert }

bigpipe proxy 10.1.0.112:443 exp0 { netmask 255.255.255.0
broadcast 10.1.0.255 target server 10.1.0.101:80 ssl enable key
my.server.net.key cert my.server.net.cert }

Configuring the BIG-IP Controller that load balances the content servers

Next, complete the following tasks on the BIG-IP Controller (10.3.0.251) that load balances HTTP requests from the SSL accelerators and HTTP requests from the BIG-IP Controllers 1a and 1b:

  • Configure interfaces on the second BIG-IP Controller.
  • Create a pool of web servers that handle HTTP connections.
  • Create a virtual server that handles connections for the content servers.
  • Create a last hop pool of the devices from which the controller receives HTTP connections.
  • Add that last hop pool to the virtual server.
  • Enable port 80.
  • Set the default route on the controller to the internal IP alias of the BIG-IP Controllers 1a and 1b.

Configure interfaces for the BIG-IP Controller

You must configure the interfaces on the second BIG-IP Controller (10.3.0.251 in Figure 4.7) to process source and destination addresses. Note that in a basic controller configuration, one interface is configured as an internal interface (source processing), and the other interface is configured as an external interface (destination processing).

In order for the SSL accelerator half sandwich to work, you must turn destination processing on for the internal interface, and source processing on for the external interface.

To configure source and destination processing in the Configuration utility

  1. In the navigation pane, click NICs.
    The Network Interface Cards screen opens. You can view the current settings for each interface in the Network Interface Card table.
  2. In the Network Interface Card table, click the name of the interface you want to configure.
    The Network Interface Card Properties screen opens.

    · To enable source processing for this interface, click the Enable Source Processing check box.

    · To enable destination processing for this interface, click the Enable Destination Processing check box.

  3. Click the Apply button.

To configure source and destination processing from the command line

Use the following syntax to configure source and destination processing on the specified interface:

bigpipe interface <interface> dest [ enable | disable ]

bigpipe interface <interface> source [ enable | disable ]

The following example command enables destination processing on the interface exp0:

bigpipe interface exp0 dest enable

The following example command enables source processing on the interface exp1:

bigpipe interface exp1 source enable

Creating a pool for the content servers

This section describes how to create the load balancing pools required for the SSL accelerator configuration described in Figure 4.7.

The pool you need to create is a load balancing pool for connections using the IP addresses of the web server. For this example, the HTTP pool is named http_virtual. This pool contains the following members:
Server1 (10.3.0.11)
Server2 (10.3.0.12)

To create a pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. In the toolbar, click the Add Pool button.
    The Add Pool screen opens.
  3. In the Add Pool screen, configure the load balancing method, persistence attributes, and members for the pool.

    Configuration notes

    · For this example, you could create an HTTP pool named http_virtual. This pool contains the following members:
    server1 (10.3.0.11)
    server2 (10.3.0.12)

    · For additional information about configuring a pool, click the Help button.

To define a pool from the command line

To define a pool from the command line, use the following syntax:

bigpipe pool <pool_name> {lb_mode <lb_mode> member
<member_definition> ... member <member_definition>}

For example, if you want to create the pool http_virtual, you would type the following command:

bigpipe pool http_virtual { lb_mode rr member 10.3.0.11:80 member
10.3.0.12:80 }

Creating a virtual server that references the HTTP pool

Next, create a virtual server that references the pool load balancing HTTP connections.

To define a standard virtual server that references a pool using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. On the toolbar, click Add Virtual Server.
    The Add Virtual Server screen opens.
  3. Fill in the attributes for the virtual server.

    Configuration notes

    · To create the configuration described in Figure 4.7, create a virtual server 10.0.0.101 on port 80 that references the pool of content servers.

    · For additional information about this screen, click the Help button on the tool bar.

To define a standard virtual server mapping from the command line

Type the bigpipe vip command as shown below. Also, remember that you can use host names in place of IP addresses, and that you can use standard service names in place of port numbers.

bigpipe vip <virt IP>:<port> use pool <pool_name>

To create the virtual server for the configuration in Figure 4.7, you could type the following command, where the pool for HTTP requests is named http_virtual:

bigpipe vip 10.0.0.101:80 use pool http_virtual

Creating a last hop pool of devices from which the controller receives requests

This section describes how to create the last hop pool required for the SSL accelerator configuration described in Figure 4.7.

The pool you need to create is a load balancing pool you can use for a last hop pool for connections received from other devices by the controller. For this example, the HTTP pool is named http_sources. This pool contains the following members:
BIG-IP 1a and 1b internal alias (10.1.0.251)
accelerator1 (10.1.0.111)
accelerator (10.1.0.112)

To create a pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. In the toolbar, click the Add Pool button.
    The Add Pool screen opens.
  3. In the Add Pool screen, configure the load balancing method, persistence attributes, and members for the pool.

    Configuration notes

    · For this example, you could create an HTTP pool named http_sources. This pool contains the following members:
    BIG-IP 1a and 1b internal alias (10.1.0.251:any)
    accelerator1 (10.1.0.111:any)
    accelerator (10.1.0.112:any)

    · Specify any for the port for each member.

    · For additional information about configuring a pool, click the Help button.

To define a pool from the command line

To define a pool from the command line, use the following syntax:

bigpipe pool <pool_name> { lb_mode <lb_mode> member <member_definition> ... member <member_definition> }

For example, if you want to create the pool http_sources, you would type the following command:

bigpipe pool http_sources { lb_mode rr member 10.1.0.251:any member 10.1.0.111:any member 10.1.0.112:any }

Adding the last hop pool from which this controller receives HTTP connections to the virtual server

The next step is to add the last hop pool of all the devices (http_sources) from which the controller receives HTTP connections. This pool includes each SSL accelerator that passes on HTTP connections to the second BIG-IP Controller, so that responses are returned through the same device the request arrived from.

To configure a last hop pool using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
    The Virtual Servers screen opens.
  2. In the Virtual Servers Current List, select the virtual server configured for HTTP connections. In this example the virtual server is 10.1.0.101:80.
    The Virtual Server Properties screen opens.
  3. In the Last Hop Pool section, select the pool for load balancing HTTP connections from all devices. In this example, the pool is http_sources.
  4. Click the Apply button.

To configure a last hop pool from the command line

To configure a last hop pool, you must first create a pool that contains the devices from which the BIG-IP Controller receives connections (http_sources, created in the previous section). Then use the following command to configure a last hop pool for the virtual server 10.1.0.101:80 that uses the pool http_sources.

bigpipe vip 10.1.0.101:80 lasthop pool http_sources

Enable port 80

For security reasons, the BIG-IP Controller ports do not accept traffic until you enable them. In this configuration, the BIG-IP Controller accepts traffic on port 80 for HTTP. For this configuration to work, you must enable port 80. Use the following command to enable this port:

bigpipe port 80 enable
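The command-line steps above (content server pool, virtual server, last hop pool, port enable) as one checked sequence. This is an added example and is not part of the F5 manual or of the bigpipe tool: it only generates the bigpipe commands in the syntax the chapter shows and checks the constraints the chapter states before anything is typed into the controller (each last hop pool member uses port any, the virtual server's port is enabled, no pool member is listed twice). The Plan, Pool and Vip structures and the lint checks are this example's own construction. Because the chapter gives the HTTP virtual server as 10.0.0.101 in one step and 10.1.0.101 in the last hop step, the example uses 10.1.0.101 throughout.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional, Set, Tuple, Union

# A TCP port number, or the string "any" (required for last hop pool members).
Port = Union[int, str]


@dataclass
class Pool:
    name: str
    lb_mode: str
    members: List[Tuple[str, Port]]


@dataclass
class Vip:
    addr: str
    port: int
    pool: str                      # pool that answers the connections
    lasthop: Optional[str] = None  # pool of devices the replies are sent back through


@dataclass
class Plan:
    """Hypothetical description of one controller's configuration (this example's own)."""
    pools: List[Pool] = field(default_factory=list)
    vips: List[Vip] = field(default_factory=list)
    enabled_ports: Set[int] = field(default_factory=set)


def lint(plan: Plan) -> List[str]:
    """Return the problems found in a plan; an empty list means it is consistent."""
    problems = []
    pools = {p.name: p for p in plan.pools}
    for p in plan.pools:
        seen = set()
        for host, port in p.members:
            ip_address(host)  # raises ValueError on a malformed address
            if (host, port) in seen:
                problems.append(f"pool {p.name}: member {host}:{port} listed twice")
            seen.add((host, port))
    for v in plan.vips:
        ip_address(v.addr)
        target = f"{v.addr}:{v.port}"
        if v.pool not in pools:
            problems.append(f"vip {target}: pool {v.pool} does not exist")
        if v.lasthop is not None:
            if v.lasthop not in pools:
                problems.append(f"vip {target}: last hop pool {v.lasthop} does not exist")
            else:
                fixed = [h for h, port in pools[v.lasthop].members if port != "any"]
                if fixed:
                    problems.append(f"last hop pool {v.lasthop}: members must use port any, got {fixed}")
        # The chapter states that ports accept no traffic until explicitly enabled.
        if v.port not in plan.enabled_ports:
            problems.append(f"port {v.port} is not enabled, so vip {target} will not accept traffic")
    return problems


def render(plan: Plan) -> List[str]:
    """Emit the bigpipe commands in the order the chapter applies them."""
    cmds = []
    for p in plan.pools:
        members = " ".join(f"member {h}:{port}" for h, port in p.members)
        cmds.append(f"bigpipe pool {p.name} {{ lb_mode {p.lb_mode} {members} }}")
    for v in plan.vips:
        cmds.append(f"bigpipe vip {v.addr}:{v.port} use pool {v.pool}")
        if v.lasthop is not None:
            cmds.append(f"bigpipe vip {v.addr}:{v.port} lasthop pool {v.lasthop}")
    for port in sorted(plan.enabled_ports):
        cmds.append(f"bigpipe port {port} enable")
    return cmds


def figure_4_7_plan() -> Plan:
    """The second BIG-IP Controller's configuration, using the chapter's addresses."""
    return Plan(
        pools=[
            Pool("http_virtual", "rr", [("10.3.0.11", 80), ("10.3.0.12", 80)]),
            Pool("http_sources", "rr",
                 [("10.1.0.251", "any"), ("10.1.0.111", "any"), ("10.1.0.112", "any")]),
        ],
        vips=[Vip("10.1.0.101", 80, "http_virtual", lasthop="http_sources")],
        enabled_ports={80},
    )


def broken_plan() -> Plan:
    """Constructed slips the lint catches: a member listed twice in place of
    accelerator1, a last hop member with a fixed port, and port 80 left disabled."""
    plan = figure_4_7_plan()
    plan.pools[1].members = [("10.1.0.251", 80), ("10.1.0.112", "any"), ("10.1.0.112", "any")]
    plan.enabled_ports.clear()
    return plan


if __name__ == "__main__":
    for label, plan in (("figure 4.7", figure_4_7_plan()), ("broken", broken_plan())):
        print(f"# {label}: {lint(plan) or 'no problems'}")
        print("\n".join(render(plan)))
```

Running the lint before applying the commands turns the three checks into a pre-flight step; on the chapter's own values it reports nothing and emits exactly the five commands shown in this section.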

Configuring the content servers

The final task you must complete for this configuration is to set the default route on each server to point to the internal interface (source processing) of the second BIG-IP Controller (10.3.0.251).

In the configuration described in Figure 4.7, the default routes for the content servers should be set as follows:

Server1 (10.3.0.11): default route 10.3.0.251 (internal address of the second BIG-IP Controller)
Server2 (10.3.0.12): default route 10.3.0.251 (internal address of the second BIG-IP Controller)
