This chapter contains details about additional setup options you may want to configure for the controller. The options described in this chapter include:
Once you complete the First-Time Boot utility, you may want to insert additional host names and IP addresses for network devices into the /etc/hosts file to allow for more user-friendly system administration. In particular, you may want to create host names for the IP addresses that you will assign to virtual servers. You may also want to define host names for standard devices such as your routers, network interface cards, and the servers or other equipment that you are load balancing.
The /etc/hosts file, as created by the First-Time Boot utility, is similar to the example shown in Figure 3.1.
# BIG-IP(R) Hosts Table Generated by FTBU on Fri Apr 27 11:03:03 PDT 2001
# localhost entry
# default gateway entry
# Local name
# Peer name (state mirror)
# VIPS and NODES ( add below - do not delete this line )
This sample hosts file lists the IP addresses for the default router, the internal VLAN, and the external VLAN, and it contains place holders for both the virtual servers and the content servers that the BIG-IP Controller will manage.
Warning: If you have modified the /etc/hosts file with something other than the First-Time Boot utility, such as vi or pico, be aware that your changes may be lost when you run the First-Time Boot utility (config file). The First-Time Boot utility overwrites the /etc/hosts file and openssl.conf, but it does not warn you before doing so.
From BIG-IP Controllers that support encrypted communications, you can download the SSH client to your administrative workstation in preparation for remote command line access. In addition to running BIG-IP command line utilities, you can also use the SSH suite for file transfer to and from the BIG-IP Controller, as well as for remote backups.
The SSH client is available for both Windows and UNIX platforms, and you can download your preferred client either from the web server or using an FTP connection. You can find detailed information about the SSH client in the F-Secure SSH manual, provided with your BIG-IP Administrator Kit.
Warning: The F-Secure SSH license agreement allows you to use two copies of the F-Secure SSH client. If you require additional licenses, you need to contact Data Fellows. For information about contacting Data Fellows, as well as information about working with the SSH client, refer to the F-Secure manual included with your BIG-IP Controller.
Connect to the controller using https:// rather than http:// in the URL. In the Additional Software Downloads section, click the SSH Clients link. From the SSH Clients page, you can choose the SSH Client appropriate to your operating system.
The F-Secure SSH client installation file for Windows platforms is compressed in ZIP format. You can use standard ZIP tools, such as PKZip or WinZip to extract the file.
· In the Host Name box, type the BIG-IP Controller IP address or host name.
· In the User Name box, type the root user name.
The F-Secure installation file for UNIX platforms is compressed in tar/gzip format.
ssh -l root [BIG-IP IP address]
You must address several network issues when you place a BIG-IP Controller in your network. These networking issues include routing, DNS configuration, and special e-mail considerations. You need to address these issues based on the type of hardware and software in your network. This section describes the following networking issues:
The BIG-IP Controller must communicate properly with network routers, as well as with the servers, firewalls, and other routers that it manages. Because router configurations vary, as does the degree of direct control an administrator has over each router, you need to carefully review the router configurations in your own network. You may need to change some routing configurations before you put the BIG-IP Controller into production.
The BIG-IP Controller supports static route configurations, dynamic routing (via BGP4, RIP1, RIP2, and OSPF), and subnetting. However, the BIG-IP Controller is also designed to eliminate the need for you to modify routing tables on a router that routes to a BIG-IP Controller. Instead, the BIG-IP Controller uses Address Resolution Protocol (ARP) to notify routers of the IP addresses that it uses on each interface, as well as on its virtual servers.
The following sections address these common routing issues:
The BIG-IP Controller needs a route to the external network. For most configurations, this should be configured as the default route on the BIG-IP Controller.
During installation, you were prompted to configure a default route for the BIG-IP Controller. If you need to change the default route at this time, you can set a new default route by editing the /etc/hosts file.
<router IP> router
The content servers being load balanced by the BIG-IP Controller need to have a default route set to the internal IP alias (source processing) of the BIG-IP Controller. For most configurations, this should be configured as the default route on the content server.
For information about setting the default route for your content servers, refer to the product documentation for your server.
If you need to configure the BIG-IP Controller to use one or more nodes that actually sit on a different logical network from the BIG-IP Controller, you need to assign one or more additional routes to get to those nodes. Set each node's default route so that traffic goes back through the BIG-IP Controller internal interface.
In the following examples, the nodes are on 192.168.6.0/24 and the BIG-IP Controller internal interface is on 192.168.5.0/24. There are two possible situations that you may have to address:
If the nodes are on the same LAN as the BIG-IP Controller, you simply need to add an interface route for 192.168.6.0/24 to the BIG-IP Controller's internal interface. You can add this route to the bottom of the /etc/rc.local file using the following syntax, where <ip addr> is the IP address on the internal interface:
route add -net 192.168.6 -interface <ip addr>
If you have nodes on different LANs from the BIG-IP Controller, you need to add a static gateway route on the BIG-IP Controller itself. If, for example, the router that connects the 192.168.5 network and the 192.168.6 network has the IP addresses 192.168.5.254 and 192.168.6.254, then you could use the following command to create the necessary static route on the BIG-IP Controller:
route add -net 192.168.6.0 -gateway 192.168.5.254
You should add this command to the end of the file /etc/netstart so that it runs each time the BIG-IP Controller boots.
You may also need to set the default route on the nodes to point to the router between the LANs. For example:
route add default -gateway 192.168.6.254
Finally, you need to set the default route on the router between the LANs to the BIG-IP Controller's shared alias. For example, type the command:
route add default -gateway 192.168.5.200
It is not necessary to set the default route for nodes directly to the BIG-IP Controller, as long as the default path eventually routes through the BIG-IP Controller.
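Before putting the controller into production, it is worth confirming that traffic to the nodes really leaves through the internal interface rather than falling through to the default (external) route. The following check is an added example, not part of the original manual: it parses constructed BSD-style netstat -rn output for the two-LAN case above (interface names int0/ext0 are assumed) and applies the same longest-prefix match the kernel uses.

```python
import ipaddress

# Constructed BSD-style "netstat -rn" output for the two-LAN case above:
# internal side 192.168.5.0/24 on int0, nodes on 192.168.6.0/24 behind the
# 192.168.5.254 router. Interface names int0/ext0 are assumed, not the product's.
NETSTAT_RN = """\
Destination        Gateway            Flags     Refs     Use  Netif
default            10.1.1.254         UGS         0      512   ext0
10.1.1/24          link#1             UC          0        0   ext0
127.0.0.1          127.0.0.1          UH          1        4   lo0
192.168.5/24       link#2             UC          0        0   int0
192.168.6/24       192.168.5.254      UGS         0       12   int0
"""

def expand_bsd_net(dest):
    """Turn netstat's abbreviated destination (192.168.6/24, 192.168.6,
    127.0.0.1, default) into a full dotted-quad CIDR string."""
    if dest == "default":
        return "0.0.0.0/0"
    addr, _, mask = dest.partition("/")
    octets = addr.split(".")
    if not mask:  # 4 octets = host route; fewer = classful network
        mask = "32" if len(octets) == 4 else str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ".".join(octets) + "/" + mask

def parse_routes(text):
    """Return [(network, gateway, flags, netif)] from netstat -rn output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        net = ipaddress.ip_network(expand_bsd_net(parts[0]), strict=False)
        routes.append((net, parts[1], parts[2], parts[-1]))
    return routes

def lookup(routes, ip):
    """Longest-prefix match, as the kernel picks a route for a destination."""
    ip = ipaddress.ip_address(ip)
    matches = [r for r in routes if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None

def node_path_ok(routes, node_ip, internal_if, internal_net):
    """True only if traffic to the node leaves via the internal interface,
    directly (interface route) or through a gateway on the internal LAN.
    Falling through to the default route sends it out the external side."""
    route = lookup(routes, node_ip)
    if route is None or route[3] != internal_if:
        return False
    gateway = route[1]
    if gateway.startswith("link#"):  # interface route, no gateway hop
        return True
    return ipaddress.ip_address(gateway) in ipaddress.ip_network(internal_net)
```

Remove the 192.168.6/24 line from the sample and the node lookup lands on the default route via ext0, which is exactly the misconfiguration the static route in /etc/netstart prevents.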
The GateD daemon allows the BIG-IP Controller to exchange dynamic routing updates with your routers. Setting up the GateD daemon is a three-part task:
GateD relies on a configuration file, typically named /config/gated.conf, which can be relatively simple, or can be very complex, depending on the routing needs of your network. The BIG-IP web server includes the GateD online documentation (in the Configuration utility home screen, under the Online Documentation section, click GateD). Note that the GateD configuration guide details the process of creating the GateD configuration file, and also provides samples of common protocol configurations.
Once you create the GateD configuration file, you need to start the GateD daemon on the command line using the following command:
If you plan to use DNS in your network, you can configure DNS on the BIG-IP Controller. There are three different DNS issues that you may need to address when setting up the BIG-IP Controller:
When entering virtual addresses, node addresses, or any other addresses on the BIG-IP Controller, you can use the address, host name, or fully qualified domain name (FQDN).
The BIG-IP Controller looks up host names and FQDNs in the /etc/hosts file. If it does not find an entry in that file, then it uses DNS to look up the address. In order for this to work, you need to create an /etc/resolv.conf file. The file should have the following format:
search <DOMAIN_NAME_1> <DOMAIN_NAME_2>
In place of the <DNS_SERVER_1> parameter, use the IP address of a properly configured name server that has access to the Internet. You can specify additional name servers as backups by inserting an additional nameserver line for each backup name server.
If you configure the BIG-IP Controller itself as a DNS proxy server, then we suggest that you choose its loopback address (127.0.0.1) as the first name server in the /etc/resolv.conf file.
Replace the <DOMAIN_NAME_1> and <DOMAIN_NAME_2> parameters with a list of domain names to use as defaults. The resolver appends these domains when a connection is made using only a host name rather than an FQDN. When you enter domain names in this file, separate each domain name with a space, as shown in Figure 3.2.
; example /etc/resolv.conf
nameserver 127.16.112.2 ;ip address of main DNS server
search mysite.com store.mysite.com
You can also configure the order in which name resolution checks are made by configuring the /etc/irs.conf file. You should set this file so that it checks the /etc/hosts file first, and then checks for DNS entries. See Figure 3.3 for an example of how to make the entry in the /etc/irs.conf file.
hosts local continue
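A small validator for the /etc/resolv.conf format described above, added here as an example and not taken from the manual. It parses a constructed copy of the Figure 3.2 layout (the ';' comment handling is a simplification assumed for the example) and flags the conditions an administrator would want caught: a nameserver that is not an IP literal, a missing search list, and a nameserver in the 127.0.0.0/8 loopback range other than 127.0.0.1, which only makes sense when the controller itself is the DNS proxy.

```python
import ipaddress

# Constructed copy of the Figure 3.2 layout, nameserver value as printed there.
RESOLV_CONF = """\
; example /etc/resolv.conf
nameserver 127.16.112.2 ;ip address of main DNS server
search mysite.com store.mysite.com
"""

def parse_resolv_conf(text):
    """Return {'nameserver': [...], 'search': [...]}.
    Simplification (assumed): a ';' or '#' anywhere on a line ends it."""
    conf = {"nameserver": [], "search": []}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            conf["nameserver"].append(values[0])
        elif key == "search":
            conf["search"] = values  # the last search line wins
    return conf

def check_resolv_conf(text, controller_is_proxy=False):
    """Return a list of problems; an empty list means the file looks sane."""
    conf = parse_resolv_conf(text)
    problems = []
    if not conf["nameserver"]:
        problems.append("no nameserver line: names absent from /etc/hosts will not resolve")
    for ns in conf["nameserver"]:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            problems.append(f"nameserver {ns!r} is not an IP address; "
                            "the resolver cannot look up a host name here")
            continue
        if addr.is_loopback and addr != ipaddress.ip_address("127.0.0.1"):
            problems.append(f"nameserver {ns} is in 127.0.0.0/8: queries never "
                            "leave the controller, probably a typo")
    if controller_is_proxy and conf["nameserver"][:1] != ["127.0.0.1"]:
        problems.append("controller is the DNS proxy but 127.0.0.1 is not the first nameserver")
    if not conf["search"]:
        problems.append("no search list: bare host names will not be qualified")
    return problems
```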
The BIG-IP Controller is automatically configured as a DNS proxy or forwarder. This is useful for providing DNS resolution for servers and other equipment load balanced by the BIG-IP Controller. This can be set in the First-Time Boot utility.
To re-configure DNS proxy, you simply edit the /etc/named.boot file that contains these two lines:
In place of the <DNS_SERVER> parameter, use the IP addresses of one or more properly configured name servers that have access to the Internet.
You can also configure the BIG-IP Controller to be an authoritative name server for one or more domains. This is useful when DNS is needed in conjunction with internal domain names and network addresses for the servers and other equipment behind the BIG-IP Controller. Refer to the BIND documentation for more details.
If your network is currently configured to use rotary DNS, your node configuration may not need modification. However, you need to modify your DNS zone tables to map to a single IP address instead of to multiple IP addresses.
For example, if you had two Web sites with domain names of www.SiteOne.com and www.SiteTwo.com, and used rotary DNS to cycle between two servers for each Web site, your zone table might look like the one in Figure 3.4.
www.SiteOne.com IN A 192.168.1.1
IN A 192.168.1.2
www.SiteTwo.com IN A 192.168.1.3
IN A 192.168.1.4
In the BIG-IP Controller configuration, the IP address of each individual node used in the original zone table becomes hidden from the Internet. We recommend that you use the private address ranges reserved by RFC 1918 for your nodes. In place of multiple addresses, simply use a single virtual server associated with your site's domain name.
Using the above example, the DNS zone table might look like the zone table shown in Figure 3.5.
www.SiteOne.com IN A 192.168.100.231
www.SiteTwo.com IN A 192.168.100.232
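The conversion from the rotary zone table (Figure 3.4) to the single-virtual-server form (Figure 3.5), carried out in code as an added example that is not part of the manual. It parses a constructed zone fragment in the layout shown above (a blank owner column continues the previous owner), rewrites each site to the virtual server in an assumed mapping, and reports any node address that falls outside the RFC 1918 ranges the text recommends.

```python
import ipaddress

# Constructed zone fragment in the layout of Figure 3.4. A line whose owner
# column is blank continues the previous owner, which is how a rotary
# (round-robin) entry with several A records is written.
ROTARY_ZONE = """\
www.SiteOne.com IN A 192.168.1.1
                IN A 192.168.1.2
www.SiteTwo.com IN A 192.168.1.3
                IN A 192.168.1.4
"""

# Assumed mapping from each site to the virtual server that replaces its nodes.
VIRTUAL_SERVERS = {
    "www.SiteOne.com": "192.168.100.231",
    "www.SiteTwo.com": "192.168.100.232",
}

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    """True if the address lies in one of the RFC 1918 private ranges."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)

def parse_a_records(text):
    """Return {owner: [addresses]} from a zone fragment, carrying a blank
    owner field forward the way BIND does."""
    records, owner = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if not line[0].isspace():  # owner name present in column 1
            owner, fields = fields[0], fields[1:]
        if owner is None or fields[-3:-1] != ["IN", "A"]:
            raise ValueError(f"unsupported record: {line!r}")
        records.setdefault(owner, []).append(fields[-1])
    return records

def collapse_to_virtual_servers(records, vip_map):
    """Emit one A record per site pointing at its virtual server, and list
    node addresses outside RFC 1918 space, which the text advises against
    because such nodes remain routable from the Internet."""
    zone_lines, exposed = [], []
    for owner, addrs in records.items():
        if owner not in vip_map:
            raise KeyError(f"no virtual server defined for {owner}")
        zone_lines.append(f"{owner} IN A {vip_map[owner]}")
        exposed += [a for a in addrs if not is_rfc1918(a)]
    return "\n".join(zone_lines) + "\n", exposed
```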
Another optional feature you can set up when you configure the BIG-IP Controller is email. You can configure the BIG-IP Controller to send email notifications to you, or to other administrators. The BIG-IP Controller uses Sendmail as its mail transfer agent. The BIG-IP Controller includes a sample Sendmail configuration file that you can use to start with, but you will have to customize the Sendmail setup for your network environment before you can use it.
Before you begin setting up Sendmail, you may need to look up the name of the mail exchanger for your domain. If you already know the name of the mail exchanger, continue with the following section, Setting up Sendmail.
When you actually set up Sendmail, you need to open and edit a couple of configuration files. Note that the BIG-IP Controller does not accept incoming email messages. You can use the crontab utility to purge unsent or returned messages, or to forward those messages to yourself or another administrator.
/usr/sbin/sendmail -bd -q30m
There are a couple of different ways to add a serial terminal to the BIG-IP Controller. You can add a serial terminal in addition to the console, or you can add a serial terminal as the console. The difference between the two is:
Connect a serial line cable between the terminal device and the BIG-IP Controller. On the back of BIG-IP is a male, 9-Pin RS232C connector labeled "Terminal". (Be sure not to confuse this with the fail-over connection which is also a male, 9-pin connector.)
The connector is wired as a DTE device, and uses the signals described in Table 3.1.
4 | Internal | Data terminal ready (DTR)
7 | Internal | Request to send (RTS)
8 | External | Clear to send (CTS)
The connector is wired for direct connection to a modem, with receipt of a Carrier Detect signal causing the BIG-IP Controller to transmit a login prompt. If you are planning to connect a terminal, or to connect a PC running a terminal emulation program such as HyperTerminal, you will need a null modem cable wired to generate the signals shown in Table 3.1.
You can configure a serial terminal for the BIG-IP Controller in addition to the standard console.
· 9600 baud
· 8 bits
· 1 stop bit
· No parity
# PC COM ports (tty00 is DOS COM1)
tty00 "/usr/libexec/getty default" vt100 in secure
You can configure the serial terminal as the console.
· 9600 baud
· 8 bits
· 1 stop bit
· No parity
If the serial terminal is not yet connected, or is not active when the BIG-IP Controller boots (as can happen with a terminal server or dial-up modem), you can force the controller to use the serial terminal as the console. Note that you do not need to disconnect the keyboard if you use this procedure to force the serial line to be the console.
Warning: Once you configure a serial terminal as the console for the BIG-IP Controller, the following conditions apply:
Keyboard/monitor access is disabled, and logging in is only possible via Secure Shell (SSH), if configured, or the serial line.
If the boot.default file is corrupted, the system will not boot at all. Save a backup copy of the original file and keep a bootable CD-ROM on hand.
The boot.default file must contain either the line: "-console com" or the line: "-console auto".
You can configure the BIG-IP Controller to use a RADIUS server on your network to authenticate users attempting to access the controller with SSH. In this configuration, the RADIUS server can function as a central repository of users that are allowed access to the BIG-IP Controller for administrative purposes.
To do this, configure the BIG-IP Controller to act as a Network Access Server (NAS) for a RADIUS server in your network. When you set up this feature, client connections received by the BIG-IP Controller for users not listed in the local account database are routed to the RADIUS server to be authenticated. If the user is authenticated, the user is logged in as the BIG-IP Controller user that you specify in the RADIUS user setting.
You can configure the BIG-IP Controller to use either version 1.x or version 2.x, or both, of the sshd for SSH authentication.
Tip: If you want to support only SSH version 1.x clients, configure sshd version 1.x. Do not configure sshd version 2.x. However, if you want to support version 1.x and version 2.x clients, configure sshd version 2.x.
The BIG-IP Controller uses port 1645/udp for communicating with the RADIUS server. If your RADIUS server uses a different port, such as 1812/udp, you must change the port used by the BIG-IP Controller to match. To do this, use a text editor such as vi or pico to change the existing RADIUS port entry in the /etc/services file on each BIG-IP Controller. Figure 3.6 shows a sample file.
radius 1812/tcp # Radius
radacct 1813/udp # Radius Accounting
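A check that the /etc/services entry on the controller agrees with the port the RADIUS server actually listens on, added as an example and not part of the manual. It parses a constructed excerpt in the Figure 3.6 layout; the assumption (not stated on the page) is that the controller resolves the service name for UDP, so a line that exists only for tcp is treated as missing.

```python
# Constructed /etc/services excerpt in the layout of Figure 3.6. The radius
# line is given only for tcp, which is the mismatch this check reports.
SERVICES = """\
# Network services, Internet style
radius          1812/tcp    # Radius
radacct         1813/udp    # Radius Accounting
"""

def parse_services(text):
    """Return {(name, proto): port}, including aliases, skipping comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto, *aliases = line.split()
        port, _, proto = portproto.partition("/")
        for n in [name] + aliases:
            table[(n, proto)] = int(port)
    return table

def check_radius_port(text, server_port, service="radius", proto="udp"):
    """Compare the controller's services entry with the RADIUS server's port.
    Assumed: the controller looks the name up for UDP, so a tcp-only line
    is as bad as no line at all. Returns a problem string or None."""
    table = parse_services(text)
    port = table.get((service, proto))
    if port is None:
        others = sorted(p for (n, p) in table if n == service)
        hint = f" (only {', '.join(others)} entries present)" if others else ""
        return f"no {service}/{proto} entry in /etc/services{hint}"
    if port != server_port:
        return (f"{service}/{proto} is {port} in /etc/services but the "
                f"RADIUS server listens on {server_port}")
    return None
```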
You can configure version 2.x of the sshd by editing the /etc/ssh2/sshd2_config on the BIG-IP Controller with pico or vi. The following entries must be in the sshd2_config file:
Note: The most secure method for using RADIUS with the BIG-IP Controller is to create a RadiusUser entry that has a low level of privileges. After you are authenticated and you log in to the BIG-IP Controller as the low privilege user, use the su command to gain root privileges.
To support SSH version 1.x clients, you must add the following entries to the /etc/ssh2/sshd2_config file.
Figure 3.7 is an example of the entries you might make in the sshd2_config file on the BIG-IP Controller.
You can configure version 1.x of the sshd by editing the /etc/sshd_config on the BIG-IP Controller with pico or vi. The following entries must be in the sshd_config file:
Note: The most secure method for using RADIUS with the BIG-IP Controller is to create a RadiusUser entry that has a low level of privileges. After you are authenticated and you log in to the BIG-IP Controller as the low privilege user, use the su command to gain root privileges.
Warning: For security reasons, we recommend that you use IP addresses instead of host names for the entries in this file. If you specify a host name for an entry, we recommend that you add the host name to the /etc/hosts file.
Figure 3.8 is an example of the entries you might make in the sshd_config file on the BIG-IP Controller.