Applies To:

Show Versions Show Versions

Archived Manual Chapter: BIG-IP Installation guide v4.0: Additional Setup Options
Manual Chapter
Table of Contents   |   << Previous Chapter

This article has been archived, and is no longer maintained.



3

Additional Setup Options



Overview of additional setup options

This chapter contains details about additional setup options you may want to configure for the controller. The options described in this chapter include:

  • Defining additional host names
  • Preparing workstations for command line access
  • Addressing general networking issues
  • Using a serial terminal with the BIG-IP Controller
  • Configuring RADIUS authentication

Defining additional host names

Once you complete the First-Time Boot utility, you may want to insert additional host names and IP addresses for network devices into the /etc/hosts file to allow for more user-friendly system administration. In particular, you may want to create host names for the IP addresses that you will assign to virtual servers. You may also want to define host names for standard devices such as your routers, network interface cards, and the servers or other equipment that you are load balancing.

The /etc/hosts file, as created by the First-Time Boot utility, is similar to the example shown in Figure 3.1.

Figure 3.1 The /etc/hosts file created by the First-Time Boot utility

 # BIG-IP(R) Hosts Table   Generated by FTBU on Fri Apr 27 11:03:03 PDT 2001    

# localhost entry
127.1 localhost

# default gateway entry
11.11.11.10 router


# Local name
11.11.11.2 bigip1.mynet.net

# Peer name (state mirror)
11.12.11.1 peer

#
# vlans
#
11.11.11.2 external
11.12.11.2 internal

#
# VIPS and NODES ( add below - do not delete this line )
#

This sample hosts file lists the IP addresses for the default router, the internal VLAN, and the external VLAN, and it contains place holders for both the virtual servers and the content servers that the BIG-IP Controller will manage.

Warning: If you have modified the /etc/hosts file with something other than the First-Time Boot utility, such as vi or pico, be aware that your changes may be lost when you run the First-Time Boot utility (config file). The First-Time Boot utility overwrites the /etc/hosts file and openssl.conf, but it does not warn you before doing so.

Downloading the SSH client to your administrative workstation

From BIG-IP Controllers that support encrypted communications, you can download the SSH client to your administrative workstation in preparation for remote command line access. In addition to running BIG-IP command line utilities, you can also use the SSH suite for file transfer to and from the BIG-IP Controller, as well as for remote backups.

The SSH client is available for both Windows and UNIX platforms, and you can download your preferred client either from the web server or using an FTP connection. You can find detailed information about the SSH client in the F-Secure SSH manual, provided with your BIG-IP Administrator Kit.

Note: If your BIG-IP Controller does not support encrypted connections, you can use a Telnet shell for remote command line access.

Warning: The F-Secure SSH license agreement allows you to use two copies of the F-Secure SSH client. If you require additional licenses, you need to contact Data Fellows. For information about contacting Data Fellows, as well as information about working with the SSH client, refer to the F-Secure manual included with your BIG-IP Controller.

Downloading the F-Secure SSH client from the web server

Connect to the controller using https:// rather than http:// in the URL. In the Additional Software Downloads section, click the SSH Clients link. From the SSH Clients page, you can choose the SSH Client appropriate to your operating system.

Setting up the F-Secure SSH client on a Windows 95 or Windows NT workstation

The F-Secure SSH client installation file for Windows platforms is compressed in ZIP format. You can use standard ZIP tools, such as PKZip or WinZip to extract the file.

To unzip and install the SSH client

  1. Log on to the Windows workstation.
  2. Navigate to the directory to which you transferred the F-Secure installation file. Run PKZip or WinZip to extract the files.
  3. The set of files extracted includes a Setup program. Run the Setup program to install the client.
  4. Start the F-Secure SSH client.
  5. In the SSH Client window, from the Edit menu choose Properties.
    The Properties dialog box opens.
  6. In the Connection tab, in the Remote Host section, type the following items:

    · In the Host Name box, type the BIG-IP Controller IP address or host name.

    · In the User Name box, type the root user name.

  7. In the Options section, check Compression and set the Cipher option to Blowfish.
  8. Click the OK button.

Setting up the F-Secure SSH client on a UNIX workstation

The F-Secure installation file for UNIX platforms is compressed in tar/gzip format.

To untar and install the SSH client

  1. Log on to the workstation and navigate to the directory into which you transferred the F-Secure SSH client tar file.
  2. Untar the file and follow the instructions in the install file to build the F-Secure SSH client for your workstation.
  3. Start the SSH client.
  4. Open a connection to the BIG-IP Controller:

    ssh -l root [BIG-IP IP address]

  5. Type the root password and press the Enter key.

Addressing general networking issues

You must address several network issues when you place a BIG-IP Controller in your network. These networking issues include routing, DNS configuration, and special e-mail considerations. You need to address these issues based on the type of hardware and software in your network. This section describes the following networking issues:

  • Addressing routing issues
    There are a variety of routing configuration issues that you need to address. If you did not create a default route with the First-Time Boot utility, you must now configure a default route for the BIG-IP Controller. You also must set up routes for the nodes that the BIG-IP Controller manages. You may also want to configure GateD, which allows dynamic routing information to automatically be updated on the BIG-IP Controller.
  • Configuring DNS on the BIG-IP Controller
    You may need to configure the BIG-IP Controller for DNS resolution or for DNS proxy, and you may even need to convert from rotary or round robin DNS.
  • Configuring email on the BIG-IP Controller
    There are some special requirements that you need to take into account when configuring email on the BIG-IP Controller.

Addressing routing issues

The BIG-IP Controller must communicate properly with network routers, as well as with the servers, firewalls, and other routers that it manages. Because there is a variety of router configurations, and varying levels of direct control an administrator has over each router, you need to carefully review the router configurations in your own network. You may need to change some routing configurations before you put the BIG-IP Controller into production.

The BIG-IP Controller supports static route configurations, dynamic routing (via BGP4, RIP1, RIP2, and OSPF), and subnetting. However, the BIG-IP Controller is also designed to eliminate the need for you to modify routing tables on a router that routes to a BIG-IP Controller. Instead, the BIG-IP Controller uses Address Resolution Protocol (ARP) to notify routers of the IP addresses that it uses on each interface, as well as on its virtual servers.

The following sections address these common routing issues:

  • Routing from a BIG-IP Controller to a gateway to the external network
  • Routing from content servers to the BIG-IP Controller
  • Routing between a BIG-IP Controller to content servers that are on different logical networks
  • Setting up dynamic routing with GateD

Routing from a BIG-IP Controller to a gateway to the external net

The BIG-IP Controller needs a route to the external network. For most configurations, this should be configured as the default route on the BIG-IP Controller.

During installation, you were prompted to configure a default route for the BIG-IP Controller. If you need to change the default route at this time, you can set a new default route by editing the /etc/hosts file.

To change the default route

  1. Open the /etc/hosts file in a text editor, such as vi or pico.
  2. Change the default gateway entry using the following syntax, where <router IP> is the IP address of the router:

    <router IP> router

  3. Save and close the file.
  4. Reboot the BIG-IP Controller.

Routing from content servers to the BIG-IP Controller

The content servers being load balanced by the BIG-IP Controller need to have a default route set to the internal IP alias (source processing) of the BIG-IP Controller. For most configurations, this should be configured as the default route on the content server.

For information about setting the default route for your content servers, refer to the product documentation for your server.

Routing between a BIG-IP Controller and content servers on different logical networks

If you need to configure the BIG-IP Controller to use one or more nodes that actually sit on a different logical network from the BIG-IP Controller, you need to assign one or more additional routes to get to those nodes. Set each node's default route so that traffic goes back through the BIG-IP Controller internal interface.

In the following examples, the nodes are on 192.168.6.0/24 and the BIG-IP Controller internal interface is on 192.168.5.0/24. There are two possible situations which you may have to address:

  • 192.168.5.0/24 and 192.168.6.0/24 are on the same LAN (either sharing media or with a switch or hub between them).
  • 192.168.5.0/24 and 192.168.6.0/24 are on two different LANs with a router between them.

Case 1: Same LAN

If the nodes are on the same LAN as the BIG-IP Controller, you simply need to add an interface route for 192.168.6.0/24 to the BIG-IP Controller's internal interface. You can add this route to the bottom of the /etc/rc.local file using the following syntax, where <ip addr> is the IP address on the internal interface:

route add -net 192.168.6 -interface <ip addr>

Note: You must have the interface defined correctly in the /etc/hosts file in order to use this syntax.

Case 2: Different LANs

If you have nodes on different LANs from the BIG-IP Controller, you need to add a static gateway route on the BIG-IP Controller itself. If, for example, the router that connects the 192.168.5 network and the 192.168.6 network has IP addresses: 192.168.5.254 and 192.168.6.254, then you could use the following command to create the necessary static route on the BIG-IP Controller:

route add -net 192.168.6.0 -gateway 192.168.5.254

You should add this command to the end of the file /etc/netstart so that it runs each time the BIG-IP Controller boots.

You may also need to set the default route on the nodes to point to the router between the LANs. For example:

route add default -gateway 192.168.6.254

Finally, you need to set the default route on the router between the LANs to the BIG-IP Controller's shared alias. For example, type the command:

route add default -gateway 192.168.5.200

Note: These examples assume you are using a UNIX-based router. The exact syntax for your router may be different.

It is not necessary to set the default route for nodes directly to the BIG-IP Controller, as long as the default path eventually routes through the BIG-IP Controller.

Setting up dynamic routing with GateD

The GateD daemon allows the BIG-IP Controller to exchange dynamic routing updates with your routers. Setting up the GateD daemon is a three-part task:

  • You need to create the GateD configuration file, /config/gated.conf.
  • You need to start the GateD daemon.
  • You need to edit the /etc/netstart file.

Tip: You are not required to configure GateD on the BIG-IP Controller. The BIG-IP Controller can meet most routing requirements without using GateD.

Note: Additional documentation for GateD is available through the web server on the BIG-IP Controller.

To create the GateD configuration file

GateD relies on a configuration file, typically named /config/gated.conf, which can be relatively simple, or can be very complex, depending on the routing needs of your network. The BIG-IP web server includes the GateD online documentation (in the Configuration utility home screen, under the Online Documentation section, click GateD). Note that the GateD configuration guide details the process of creating the GateD configuration file, and also provides samples of common protocol configurations.

To immediately start the GateD daemon on the BIG-IP Controller

Once you create the GateD configuration file, you need to start the GateD daemon on the command line using the following command:

bigip# gated

Configuring DNS on the BIG-IP Controller

If you plan to use DNS in your network, you can configure DNS on the BIG-IP Controller. There are three different DNS issues that you may need to address when setting up the BIG-IP Controller:

  • Configuring DNS resolution on the BIG-IP Controller
  • Configuring DNS proxy
  • Converting from rotary or round robin DNS

Configuring DNS resolution

When entering virtual addresses, node addresses, or any other addresses on the BIG-IP Controller, you can use the address, host name, or fully qualified domain name (FQDN).

The BIG-IP Controller looks up host names and FQDNs in the /etc/hosts file. If it does not find an entry in that file, then it uses DNS to look up the address. In order for this to work, you need to create an /etc/resolv.conf file. The file should have the following format:

nameserver <DNS_SERVER_1>

search <DOMAIN_NAME_1> <DOMAIN_NAME_2>

In place of the <DNS_SERVER_1> parameter, use the IP address of a properly configured name server that has access to the Internet. You can specify additional name servers as backups by inserting an additional nameserver line for each backup name server.

If you configure the BIG-IP Controller itself as a DNS proxy server, then we suggest that you choose its loopback address (127.0.0.1) as the first name server in the /etc/resolv.conf file.

Replace the <DOMAIN_NAME_1> and <DOMAIN_NAME_2> parameters with a list of domain names to use as defaults. The DNS uses this list to resolve hosts when the connection uses only a host name, and not an FQDN. When you enter domain names in this file, separate each domain name with a space, as shown in Figure 3.2.

Figure 3.2 Sample /etc/resolv.conf file

 ; example /etc/resolv.conf    
nameserver 127.0.0.1
nameserver 127.16.112.2 ;ip address of main DNS server
search mysite.com store.mysite.com

You can also configure the order in which name resolution checks are made by configuring the /etc/irs.conf file. You should set this file so that it checks the /etc/hosts file first, and then checks for DNS entries. See Figure 3.3, for an example of how to make the entry in the /etc/irs.conf file.

Figure 3.3 Sample entry for the /etc/irs.conf file

 hosts           local   continue    
hosts dns

Configuring DNS proxy

The BIG-IP Controller is automatically configured as a DNS proxy or forwarder. This is useful for providing DNS resolution for servers and other equipment load balanced by the BIG-IP Controller. This can be set in the First-Time Boot utility.

To re-configure DNS proxy, you simply edit the /etc/named.boot file that contains these two lines:

forwarders <DNS_SERVERS>

options forward-only

In place of the <DNS_SERVER> parameter, use the IP addresses of one or more properly configured name servers that have access to the Internet.

You can also configure the BIG-IP Controller to be an authoritative name server for one or more domains. This is useful when DNS is needed in conjunction with internal domain names and network addresses for the servers and other equipment behind the BIG-IP Controller. Refer to the BIND documentation for more details.

Converting from rotary or round robin DNS

If your network is currently configured to use rotary DNS, your node configuration may not need modification. However, you need to modify your DNS zone tables to map to a single IP address instead of to multiple IP addresses.

For example, if you had two Web sites with domain names of www.SiteOne.com and www.SiteTwo.com, and used rotary DNS to cycle between two servers for each Web site, your zone table might look like the one in Figure 3.4.

Figure 3.4 Sample zone table with two Web sites and four servers

 www.SiteOne.com  IN A 192.168.1.1    
IN A 192.168.1.2
www.SiteTwo.com IN A 192.168.1.3
IN A 192.168.1.4

In the BIG-IP Controller configuration, the IP address of each individual node used in the original zone table becomes hidden from the Internet. We recommend that you use the Internet reserved address range as specified by RFC 1918 for your nodes. In place of multiple addresses, simply use a single virtual server associated with your site's domain name.

Using the above example, the DNS zone table might look like the zone table shown in Figure 3.5.

Figure 3.5 Sample zone table with two Web sites and two servers.

 www.SiteOne.com  IN A 192.168.100.231    
www.SiteTwo.com IN A 192.168.100.232

Configuring email

Another optional feature you can set up when you configure the BIG-IP Controller is email. You can configure the BIG-IP Controller to send email notifications to you, or to other administrators. The BIG-IP Controller uses Sendmail as its mail transfer agent. The BIG-IP Controller includes a sample Sendmail configuration file that you can use to start with, but you will have to customize the Sendmail setup for your network environment before you can use it.

Before you begin setting up Sendmail, you may need to look up the name of the mail exchanger for your domain. If you already know the name of the mail exchanger, continue with the following section, Setting up Sendmail.

Setting up Sendmail

When you actually set up Sendmail, you need to open and edit a couple of configuration files. Note that the BIG-IP Controller does not accept email messages, and that you can use the crontab utility to purge unsent or returned messages, and that you can send those messages to yourself or another administrator.

To set up and start Sendmail

  1. Copy /config/sendmail.cf.off to /config/sendmail.cf.
  2. To set the name of your mail exchange server, open the /config/sendmail.cf and set the DS variable to the name of your mail exchanger. The syntax for this entry is:

    DS<MAILHUB_OR_RELAY>

  3. Save and close the /config/sendmail.cf file.
  4. If you want to allow Sendmail to flush outgoing messages from the queue for mail that cannot be delivered immediately:
  5. Open the /config/crontab file, and change the last line of the file to read:
    0,15,30,45 * * * * root /usr/sbin/sendmail -q > /dev/null 2>&1
  6. Save and close the /config/crontab file.
  7. If you want to prevent returned or undelivered email from going unnoticed:
  8. Open the /config/aliases file and create an entry for root to point to you or another administrator at your site:
    root: networkadmin@SiteOne.com
  9. Save and close the /config/aliases file.
  10. Run the newaliases command to generate a new aliases database that incorporates the information you added to the /config/aliases file.
  11. To turn Sendmail on, either reboot the system or type the following command:

    /usr/sbin/sendmail -bd -q30m

Using a serial terminal with the BIG-IP Controller

There are a couple of different ways to add a serial terminal to the BIG-IP Controller. You can add a serial terminal in addition to the console, or you can add a serial terminal as the console. The difference between the two is:

  • A serial terminal configured as a terminal displays a simple login. You can log in and run commands and edit files. In this case, you can use the serial terminal in addition to the keyboard and monitor.
  • A serial terminal configured as the console displays system messages and warnings in addition to providing a login prompt. In this case, the serial terminal replaces the keyboard and monitor.

To connect the serial terminal to the BIG-IP Controller

Connect a serial line cable between the terminal device and the BIG-IP Controller. On the back of BIG-IP is a male, 9-Pin RS232C connector labeled "Terminal". (Be sure not to confuse this with the fail-over connection which is also a male, 9-pin connector.)

Warning: Do not use the fail-over cable to connect the serial terminal to the BIG-IP Controller. A null modem cable is required

The connector is wired as a DTE device, and uses the signals described in Table 3.1.

Serial line cable signals
Pin Source Usage
1 External Carrier detect
2 External Received data
3 Internal Transmitted data
4 Internal Data terminal ready
5 Both Signal ground
7 Internal Request to send
8 External Clear to send

The connector is wired for direct connection to a modem, with receipt of a Carrier Detect signal generating transmission of a login prompt by the BIG-IP Controller. If you are planning to connect to a terminal or to connect a PC and utilize a terminal emulation program such as HyperTerminalTM, you will need a null modem cable with the wiring to generate the signals shown in Table 3.1.

Note: You can achieve acceptable operation by wiring pins 7 to 8 and pins 1 to 4 at the back of BIG-IP Controller (and turning hardware flow control off in your terminal or terminal emulator).

Configuring a serial terminal in addition to the console

You can configure a serial terminal for the BIG-IP Controller in addition to the standard console.

To configure the serial terminal in addition to the console

  1. Connect the serial terminal to the BIG-IP Controller.
  2. Configure the serial terminal settings in your terminal or terminal emulator or modem as follows:

    · 9600 baud

    · 8 bits

    · 1 stop bit

    · No parity

  3. Open the /etc/ttys file and find the line that reads tty00 off. Modify it as shown here:

    # PC COM ports (tty00 is DOS COM1)

    tty00 "/usr/libexec/getty default" vt100 in secure

  4. Save the /etc/ttys file and close it.
  5. Reboot the BIG-IP Controller.

Configuring a serial terminal as the console

You can configure the serial terminal as the console.

To configure the serial terminal as the console

  1. Disconnect the keyboard from the BIG-IP Controller.
  2. Connect the serial terminal to the BIG-IP Controller. When there is no keyboard connected to the BIG-IP Controller, the BIG-IP Controller defaults to using the serial port for the console.
  3. Configure the serial terminal settings in your terminal or terminal emulator or modem as follows:

    · 9600 baud

    · 8 bits

    · 1 stop bit

    · No parity

  4. Reboot the BIG-IP Controller.

Forcing a serial terminal to be the console

In the case where you have not yet connected the serial terminal or it is not active when the BIG-IP Controller is booted, as it might be if you are using a terminal server or dial-up modem, you can force the controller to use the serial terminal as a console. Note that you do not need to disconnect the keyboard if you use this procedure to force the serial line to be the console.

To force a serial terminal to be the console

  1. Edit the /etc/boot.default file.
    Find the entry -console auto. Change this entry to -console com.
  2. Save the /etc/boot.default file and exit the editor.
  3. Plug the serial terminal into the serial port on the BIG-IP Controller.
  4. Turn on the serial terminal.
  5. Reboot the controller.

Warning: Once you configure a serial terminal as the console for the BIG-IP Controller, the following conditions apply:

Keyboard/monitor access is disabled, and logging in is only possible via Secure Telnet (SSH), if configured, or the serial line.

If the boot.default file is corrupted, the system will not boot at all. Save a backup copy of the original file and keep a bootable CD-ROM on hand.

The boot.default file must contain either the line: "-console com" or the line: "-console auto".

Configuring RADIUS authentication

You can configure the BIG-IP Controller to use a RADIUS server on your network to authenticate users attempting to access the controller with SSH. In this configuration, the RADIUS server can function as a central repository of users that are allowed access to the BIG-IP Controller for administrative purposes.

To do this, configure the BIG-IP Controller to act as a Network Access Server (NAS) for a RADIUS server in your network. When you set up this feature, client connections received by the BIG-IP Controller for users not listed in the local account database are routed to the RADIUS server to be authenticated. If the user is authenticated, the user is logged in as the BIG-IP Controller user that you specify in the RADIUS user setting.

Note: RADIUS authentication through the BIG-IP Controller is based on the username/password only. It does not support challenge-response authentication methods.

You can configure the BIG-IP Controller to use either version 1.x or version 2.x, or both, of the sshd for SSH authentication.

Tip: If you want to support only SSH version 1.x clients, configure sshd version 1.x. Do not configure sshd version 2.x. However, if you want to support version 1.x and version 2.x clients, configure sshd version 2.x.

Using RADIUS ports on the BIG-IP Controller

The BIG-IP Controller uses the ports 1645/udp for communicating with the RADIUS server. If your RADIUS server uses different ports, such as 1812/udp, you must change the ports used by the BIG-IP Controller to these ports. To do this, use a text editor such as vi or pico to change the existing RADIUS port entry in the /etc/services file on each BIG-IP Controller. Figure 3.6 shows a sample file.

Figure 3.6 Alternative ports on the BIG-IP Controller for the RADIUS server

 radius          1812/tcp                      # Radius               
radacct 1813/udp # Radius Accounting

Configuring sshd version 2.x

You can configure version 2.x of the sshd by editing the /etc/ssh2/sshd2_config on the BIG-IP Controller with pico or vi. The following entries must be in the sshd2_config file:

  • RadiusServer
    This entry is the host name or IP address of the RADIUS server.
  • RadiusKey
    This entry is the shared secret key of the RADIUS server. This key should be at least 16 characters long.
  • RadiusNasIP
    This is the host name or IP address of the interface on the BIG-IP Controller connected to the network that hosts the RADIUS server. Note that you can only use interfaces set to admin port open for RADIUS authentication.
  • RadiusUser
    This entry is the user name of the local BIG-IP Controller user, such as root. When the RADIUS user is authenticated, the user is logged into the controller as this user.

    Note: The most secure method for using RADIUS with the BIG-IP Controller is to create a RadiusUser entry that has a low level of privileges. After you are authenticated and you log in to the
    BIG-IP Controller as the low privilege user, use the su command to gain root privileges.

    To support SSH version 1.x clients, you must add the following entries to the /etc/ssh2/sshd2_config file.

  • Ssh1Compatibility
    This parameter must be set to yes.
  • Sshd1Path
    This entry is the path to sshd version 1. In this case, the path is /usr/local/sbin/sshd1.

    Figure 3.7 is an example of the entries you might make in the sshd2_config file on the BIG-IP Controller.

    Figure 3.7 Example entries from the sshd2_config file

     RadiusServer 12.34.56.78    
    RadiusKey my_radius_server.key
    RadiusNasIP 172.16.42.200
    RadiusUser radius_user

    Sshd1Compatibility yes
    Sshd1Path /usr/local/bin/sshd1

Configuring sshd version 1.x

You can configure version 1.x of the sshd by editing the /etc/sshd_config on the BIG-IP Controller with pico or vi. The following entries must be in the sshd_config file:

  • RadiusServer
    This entry is the host name or IP address of the RADIUS server.
  • RadiusKey
    This entry is the shared secret key of the RADIUS server. This key should be at least 16 characters long.
  • RadiusNasIP
    This is the host name or IP address of the interface on the BIG-IP Controller connected to the network that hosts the RADIUS server. Note that you can only use interfaces set to admin port open for RADIUS authentication.
  • RadiusUser
    This entry is the user name of the local BIG-IP Controller user, such as root. When the RADIUS user is authenticated, the user is logged into the controller as this user.

    Note: The most secure method for using RADIUS with the BIG-IP Controller is to create a RadiusUser entry that has a low level of privileges. After you are authenticated and you log in to the BIG-IP Controller as the low privilege user, use the su command to gain root privileges.

Warning: For security reasons, we recommend that you use IP addresses instead of host names for the entries in this file. If you specify a host name for an entry, we recommend that you add the host name to the /etc/hosts file.

Figure 3.8 is an example of the entries you might make in the sshd_config file on the BIG-IP Controller.

Figure 3.8 Example entries from the sshd_config file

 RadiusServer 12.34.56.78    
RadiusKey my_radius_server.key
RadiusNasIP 172.16.42.200
RadiusUser radius_user
Table of Contents   |   << Previous Chapter

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)