Archived Manual Chapter: Working with BIG-IP Secure Access Manager

This article has been archived, and is no longer maintained.

After you license the BIG-IP® Secure Access Manager, you see the Platform Setup wizard screen.
On the first Platform Setup screen, you can configure general platform properties and user administration settings. The following section provides procedures and information to use when you configure these settings.
1. In the General Properties area of the wizard screen, for the Management Port setting, type an IP address, a netmask, and a management route address, in the appropriate boxes.
2. In the Host Name box, type a unique name for the BIG-IP system.
Every BIG-IP system has a management port, or interface, named MGMT. The management interface is a special interface that the BIG-IP system uses to receive or send certain types of administrative traffic.
Configuring the management interface of a BIG-IP system means assigning an IP address to the interface, supplying a netmask for the IP address, and specifying an IP address for the BIG-IP system to use as a default route. The IP address that you assign to the management interface must be on a different network than the self IP addresses that you assign to VLANs. Note that specifying a default route for the management interface is only necessary if you intend to manage the BIG-IP system from a node on a different subnetwork.
To configure the management interface, you use the Management Port setting on the General screen. There are no default values for this setting.
Tip: You can also configure the management port using the LCD menu on the IP switch hardware. If you configure the management port using the LCD menu, you do not need to configure the port with the Configuration utility.
Every BIG-IP system must have a host name. Using the Host Name setting, type a fully qualified domain name for the BIG-IP system. An example of a host name is mybigip.siterequest.net.
Every BIG-IP system must have a host IP address. This IP address can be the same as the address that you used for the management port, or you can assign a unique address.
To assign the host IP address, locate the Host IP Address setting and select either Use Management Port IP Address or Custom Host IP address. The default value is Use Management Port IP Address.
You can use the general properties screen to specify whether the BIG-IP system is to operate as a single device or as part of a redundant system. The default value is Single Device.
To designate the BIG-IP system as being part of a redundant system, use the High Availability setting to select Redundant Pair. Then use the Unit ID setting to select the unit ID that you want to assign to the BIG-IP system (1 or 2).
Another of the general platform properties that you can specify is the time zone. The many time zones that you can choose from are grouped into these categories: Africa, America, Antarctica, Arctic, Asia, Atlantic, Australia, Europe, Indian, and Pacific.
To set the time zone, use the Time Zone setting to select a time zone from the list. Select the time zone that most closely represents the location of the BIG-IP system you are configuring.
Part of managing platform-related properties is maintaining passwords for the system accounts, as well as enabling the support account. You can also configure the system to allow certain IP addresses to access the BIG-IP system through SSH.
1. In the User Administration section of the wizard screen, type the root account password and password confirmation, and the administrative account password and password confirmation in the appropriate boxes.
2. Configure settings for the Support Account and SSH Access, as required.
You use the Setup utility to specify passwords for some administrative accounts. Specifically, you set up the root, admin, and support accounts. The root and administrative accounts are for use by BIG-IP system administrators, while the support account is for F5 Networks support personnel who require access to the customer's system for troubleshooting purposes.
Users logging in with the root account have console-only access to the BIG-IP system. Users logging in with the administrative account have browser-only access to the BIG-IP system.
You can use the General screen of the platform properties to change the passwords for root and administrative accounts on a regular basis. To change a password, locate the Root Account or Admin Account setting, and in the Password box, type a new password. In the Confirm box, retype the same password.
The support account is an optional account that you can enable on the BIG-IP system. When you enable this account, authorized F5 Networks support personnel can access the BIG-IP system to perform troubleshooting.
To enable the support account, find the Support Account setting and select Enabled. Then, in the fields that appear, type a password, once in the Password box and again in the Confirm box.
When you configure SSH access, you enable user access to the BIG-IP system through SSH. Also, only the IP addresses that you specify are allowed access to the system using SSH.
To configure SSH access, locate the SSH Access setting and check the Enabled box. Then use the SSH IP Allow setting to select either All Addresses or Specify Range, which allows you to specify a range of addresses.
In Overview of BIG-IP network management features, we described the BIG-IP system as being a multilayer switch instead of a standard IP router. This allows you to create and deploy virtual local area networks (VLANs). A VLAN is a logical subset of hosts on a local area network (LAN) that operate in the same IP address space. Grouping hosts together in a VLAN has distinct advantages. For example, with VLANs, you can:
Reduce system and network maintenance tasks substantially. Functionally-related hosts no longer need to physically reside together to achieve optimal network performance.
The way that you group hosts into VLANs is by using the Configuration utility to create a VLAN and associate physical interfaces with that VLAN. In this way, any host that sends traffic to a BIG-IP system interface is logically a member of the VLAN or VLANs to which that interface belongs.
The BIG-IP system is a port-based switch that includes multilayer processing capabilities. These capabilities enhance standard VLAN behavior, in these ways:
You can associate physical interfaces on the BIG-IP system directly with VLANs. In this way, you can associate multiple interfaces with a single VLAN, or you can associate a single interface with multiple VLANs.
You do not need physical routers to establish communication between separate VLANs. Instead, the BIG-IP system can process messages between VLANs.
You can incorporate a BIG-IP system into existing, multi-vendor switched environments, due to the BIG-IP system's compliance with the IEEE 802.1q VLAN standard.
You can combine two or more VLANs into an object known as a VLAN group. With a VLAN group, a host in one VLAN can communicate with a host in another VLAN using a combination of Layer 2 forwarding and IP routing. This offers both performance and reliability benefits.
By default, the BIG-IP system is configured with two VLANs, named internal and external. Each of these VLANs has a BIG-IP system interface assigned to it. When you initially run the Setup utility, you assign self IP addresses, VLAN tags, and one or more BIG-IP system interfaces.
With Secure Access Manager, if you plan on deploying in a one-arm configuration, that is, with a single interface handling both SSL VPN external traffic and internal traffic, you can use the existing VLAN named external, configured on port 1.1.
If you plan to deploy in a two-arm configuration, you can use the existing VLAN named external, configured on port 1.1, for SSL VPN traffic from the outside, and the VLAN interface named internal, configured on port 1.2, for directing internal traffic. In either case, the Secure Access Manager is located behind an Internet firewall or router, with traffic forwarded to port 443 on the Secure Access Manager external VLAN and interface.
Every VLAN must have a static self IP address associated with it. The self IP address of a VLAN represents an address space, that is, the range of IP addresses that apply to the hosts in that VLAN. The BIG-IP system uses this address as the source IP address when sending requests to hosts in a VLAN, and hosts in a VLAN use this IP address as the destination IP address when sending responses to the BIG-IP system. When you ran the Setup utility earlier, you assigned one static self IP address to the configured VLANs. When sending a request to a destination server, the BIG-IP system can use these self IP addresses to determine the specific VLAN that contains the destination server.
With Secure Access Manager, self IP addresses are used when forwarding terminated network access SSL VPN traffic to the internal network, and when initiating traffic to authentication and logging servers. Configured self IP addresses are also used to allow access to the BIG-IP Configuration utility over HTTPS (in addition to the IP address assigned to the management port).
Note: Self IP addresses are not used for the client SSL VPN logon page and network access connection. One or more virtual servers must be configured to handle client SSL VPN services. The IP address assigned to a virtual server is typically exposed to the Internet for SSL VPN services. A self IP address on the external VLAN can optionally be exposed to the Internet to support external HTTPS web access to the Configuration utility, for remote management. We do not recommend that you use the same IP address for the self IP address and the virtual server address.
When you create a VLAN, you assign a name and an identifying tag to the VLAN. Then you associate one or more BIG-IP system interfaces with the VLAN. Also, if the BIG-IP system is a unit of a redundant system, you can specify a special MAC address that the two units share, as a way to ensure that connections are successfully processed when failover occurs. Finally, you can specify that you want the BIG-IP system to use VLAN-related events to trigger failover in a redundant-system configuration.
Specifies the VLAN ID. If you do not specify a VLAN ID, the BIG-IP system assigns an ID automatically. The value of a VLAN tag can be between 1 and 4094.
Causes the BIG-IP system to verify that the return path of an initial packet is through the same VLAN from which the packet originated.
Use the following procedure to create a VLAN. For detailed information about each setting, see the topics following the procedure.
Important: In addition to configuring the settings listed in Table 3.1, you must also assign a self IP address to the VLAN. For more information, see Using self IP addresses.
1. On the Main tab of the navigation pane, expand Network and click VLANs.
This displays a list of all existing VLANs.
2. In the upper-right corner, click Create.
The VLANs screen opens.
Note: If the Create button is unavailable, you do not have permission to create a VLAN. You must have the Administrator role assigned to your user account.
3. Locate the General Properties area, and in the Name box, type a unique name for the VLAN.
4. In the Tag box, type a tag for the VLAN, or leave the box blank.
If you do not specify a tag, the BIG-IP system assigns one automatically.
5. In the Resources area, for the Interfaces setting, click an interface number or trunk name in the Available box, and using a Move button (<< or >>), move the interface number to the Untagged or Tagged box. Repeat this step as necessary.
For more information on tagged and untagged interfaces, see Assigning interfaces to a VLAN.
7. For the MTU setting, use the default value or type a new value.
8. In the MAC Masquerade box, type a MAC address.
9. For the Fail-safe setting, check the box if you want to base redundant-system failover on VLAN-related events.
For more information, see Setting up a Redundant System in the BIG-IP® Network and System Management Guide.
10. Click Finished.
When creating a VLAN, you must assign it a unique name. Once you have finished creating the VLAN, the VLAN name appears in the list of existing VLANs.
A VLAN tag is a unique ID number that you assign to a VLAN. If you do not explicitly assign a tag to a VLAN, the BIG-IP system assigns a tag automatically. The value of a VLAN tag can be between 1 and 4094. Once you or the BIG-IP assigns a tag to a VLAN, any message sent from a host in that VLAN includes this VLAN tag as a header in the message.
A VLAN tag is useful when an interface has multiple VLANs associated with it; that is, when the interfaces you assigned to the VLAN are assigned as tagged interfaces. In this case, the BIG-IP system can read the VLAN tag in the header of a message to determine the specific VLAN in which the source or destination host resides.
Important: If the device connected to a BIG-IP system interface is another switch, the VLAN tag that you assign to the VLAN on the BIG-IP system interface must match the VLAN tag assigned to the VLAN on the interface of the other switch.
For each VLAN that you create, you must assign one or more BIG-IP system interfaces to that VLAN, using the Interfaces setting. When you assign an interface to a VLAN, you indirectly control the hosts from which the BIG-IP system interface sends or receives messages.
Tip: You can use the Interfaces setting to assign not only individual interfaces to the VLAN, but also trunks. Any trunks that you create are automatically included for selection in the list of available interfaces. For more information, see the BIG-IP® Network and System Management Guide.
For example, if you assign interface 1.11 to VLAN A, and you then associate VLAN A with a virtual server, then the virtual server sends its outgoing traffic through interface 1.11, to a destination host in VLAN A. Similarly, when a destination host sends a message to the BIG-IP system, the host's VLAN membership determines the BIG-IP system interface that should receive the incoming traffic.
Each VLAN has a MAC address. The MAC address of a VLAN is the same MAC address of the lowest-numbered interface assigned to that VLAN.
The BIG-IP system supports two methods for sending and receiving messages through an interface that is a member of one or more VLANs. These two methods are port-based access to VLANs and tag-based access to VLANs. The method used by a VLAN is determined by the way that you add a member interface to a VLAN.
A self IP address is an IP address that you associate with a VLAN to access hosts in that VLAN. By virtue of its netmask, a self IP address represents an address space, that is, a range of IP addresses spanning the hosts in the VLAN, rather than a single host address. You can associate self IP addresses not only with VLANs, but also with VLAN groups.
Self IP addresses serve two purposes. First, when sending a message to a destination server, the BIG-IP system uses the self IP addresses of its VLANs to determine the specific VLAN in which a destination server resides. For example, if VLAN internal has a self IP address of 10.10.10.100, with a netmask of 255.255.255.0, and the destination server's IP address is 10.10.10.20 (with a netmask of 255.255.255.255), the BIG-IP system recognizes that the server's IP address falls within the range of VLAN internal's self IP address, and therefore sends the message to that VLAN. More specifically, the BIG-IP system sends the message to the interface that you assigned to that VLAN. If more than one interface is assigned to the VLAN, the BIG-IP system takes additional steps to determine the correct interface, such as checking the Layer 2 forwarding table.
Second, a self IP address serves as the default route for each destination server in the corresponding VLAN. In this case, the self IP address of a VLAN appears as the destination IP address in the packet header when the server sends a response to the BIG-IP system. For more information on configuring the default route of a destination server, see Setting up a Redundant System in the BIG-IP® Network and System Management Guide.
You normally assign self IP addresses to a VLAN when you initially run the Setup utility on a BIG-IP system. More specifically, you assign one static self IP address and one floating self IP address to each of the default VLANs (internal and external). Later, using the Configuration utility, you can create self IP addresses for other VLANs that you create.
A self IP address is the communication source and destination for connections initiated by the BIG-IP system, for example, RADIUS, LDAP, or Active Directory® authentication connections, packets forwarded for load balancing, or unencrypted network traffic.
With the routing table, a self IP address determines the VLAN to which incoming packets belong. Packets coming in to an interface are forwarded out to ports only if the address space defined by the self IP addresses, or routing table, matches the packet destination.
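The following Python example is added here to illustrate the two self IP rules described above; it is not code from the BIG-IP system or from F5. It models each VLAN's static self IP as an address space (address plus netmask), picks the VLAN that contains a destination server exactly as the 10.10.10.100/255.255.255.0 example does, and also applies the earlier rule that the management port must not share a network with any self IP. The VLAN names, addresses, and the management address are constructed sample values, not values from the manual.

```python
import ipaddress

# Constructed sample: one static self IP (address, netmask) per VLAN,
# as assigned in the Setup utility. These values are assumptions.
SELF_IPS = {
    "internal": ("10.10.10.100", "255.255.255.0"),
    "external": ("192.0.2.10", "255.255.255.0"),
}


def vlan_networks(self_ips=SELF_IPS):
    """Map each VLAN name to the address space its self IP represents.

    A self IP plus its netmask denotes a range of hosts, not a single
    host, so we keep the network object rather than the address.
    """
    return {
        vlan: ipaddress.ip_interface(f"{addr}/{mask}").network
        for vlan, (addr, mask) in self_ips.items()
    }


def vlan_for_destination(dest, self_ips=SELF_IPS):
    """Return the VLAN whose self IP address space contains dest.

    Returns None when no VLAN matches (the packet would then follow the
    routing table instead). If address spaces overlap, the most specific
    (longest prefix) wins, mirroring normal forwarding behaviour.
    """
    ip = ipaddress.ip_address(dest)
    best_vlan, best_net = None, None
    for vlan, net in vlan_networks(self_ips).items():
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_vlan, best_net = vlan, net
    return best_vlan


def management_conflicts(mgmt_addr, mgmt_mask, self_ips=SELF_IPS):
    """List VLANs whose self IP network overlaps the management network.

    The manual requires the management IP to be on a different network
    than every self IP, so a non-empty result is a configuration error.
    """
    mgmt_net = ipaddress.ip_interface(f"{mgmt_addr}/{mgmt_mask}").network
    return sorted(
        vlan for vlan, net in vlan_networks(self_ips).items()
        if net.overlaps(mgmt_net)
    )


if __name__ == "__main__":
    print(vlan_for_destination("10.10.10.20"))            # internal
    print(vlan_for_destination("203.0.113.5"))            # None
    print(management_conflicts("10.10.10.5", "255.255.255.0"))  # ['internal']
```

Running the module prints the VLAN chosen for a server at 10.10.10.20, shows that a destination outside every self IP range gets no VLAN, and flags a management address that was placed on the internal VLAN's network.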
You configure self IP addresses for a VLAN or a VLAN group. Multiple self IP addresses can be configured for each VLAN, if required. You must create at least one self IP address.
1. On the main tab of the navigation pane, expand Network, and click Self IPs.
The Self IP List screen opens.
2. Click the Create button.
The Self IP configuration screen opens.
3. In the IP Address box, type the IP address for the self IP address.
4. In the Netmask box, type the subnet mask for the self IP address.
5. From the VLAN list, select the VLAN to associate with the self IP address.
6. Click Finished.
This section describes the configuration of a network access connection with the Secure Access Setup wizard. You complete the following tasks to configure network access with the wizard.
The Secure Access Setup wizard guides you through the tasks to create a fully functioning network access connection, including basic settings and a virtual server. We recommend that you use this wizard to familiarize yourself with the process and steps required to create a network access configuration. We do not recommend that you use the Secure Access Setup wizard for complex or significantly customized network access implementations.
We recommend that you use a unique descriptive prefix when naming settings each time you use the wizard. We recommend this because if the wizard fails, or you stop the wizard before it is complete, the wizard has already created objects up to the point you have reached in the wizard process, and you must manually remove them from the configuration. Using a specific descriptive prefix, like wiztest_, for every object that you are required to name, later helps you to easily find those objects created during a wizard attempt, and modify or remove them.
The Secure Access Setup wizard provides the option to cancel, but there is no option to go back to a previous step in the wizard. As mentioned in the previous section, the system creates objects as each step in the wizard is completed. To cancel the wizard, or go back and reconfigure a wizard step, you must restart the wizard. If you cancel the wizard, to then clean up the system, we recommend that you delete items created up to that point by the wizard.
In the wizard, when you reach a setting that must be configured to complete a wizard step, that setting is marked with a blue bar on the left side. We recommend that you do not configure optional items in the wizard (items that are not marked with a blue bar) unless you have a specific understanding and need for that configuration. If you incorrectly modify optional wizard items, the configuration may not function.
The Secure Access Setup wizard configures a working network access connection with a basic user policy. Your clients can use the configuration created with the wizard as is, or you can modify configuration components after the wizard is completed.
If you just completed the Platform Setup wizard, the Secure Access Setup wizard is available as an option on Setup Utility > Options screen. You can also start the wizard from the navigation pane by expanding Overview, clicking Welcome, and clicking the Run Secure Access Wizard link.
1. Connect to the BIG-IP Secure Access Manager using the address https://<hostname>, where <hostname> is the name specified in the setup utility. See Supplying a host name for more information.
If you have not yet added a DNS record for the BIG-IP Secure Access Manager management host name, you may use the IP address to connect.
4. Under Wizards, click Run the Secure Access Setup Wizard.
DNS and NTP are required for Active Directory logon and authentication to work. The times for the Active Directory server and BIG-IP Secure Access Manager system must be synchronized within five minutes of each other, or Active Directory authentication will fail.
Note: NTP and DNS are system settings that are used by the BIG-IP Secure Access Manager, not specific to network access clients.
2. Click Add to add the NTP server to the Time Server List.
3. Click Next.
4. On the DNS screen, type the DNS server IP address.
5. Click Add to add the DNS server to the DNS Lookup Server List.
6. Click Next.
The Secure Access Manager uses the concept of access policies to authenticate and authorize users on the system. Configuring an authentication server adds it to the Secure Access Manager, which makes it available for you to use later in particular policies. You must add the authentication server to an access policy using an authentication action, in order to complete the authentication process. This configuration is completed automatically in the Secure Access Setup wizard. For more information, see the BIG-IP® Secure Access Manager Administrator Guide.
Authentication is the process of verifying the identity of a user logging on to a network. In a typical authentication process, a system requires that users provide logon information such as user name and password. The system then checks those credentials against information maintained remotely or locally on a server or in a database.
Authorization is the process of enabling users with access to resources, applications, and network shares.
The stringent nature of the authentication mechanism you use for the Secure Access Manager should match your local network. That is, you should use equally high standards for the Secure Access Manager authentication as you do for your local network.
RADIUS server
Uses the server at your site that supports authentication using the RADIUS protocol. If you want to use RSA SecurID over the RADIUS protocol, select this option.
LDAP server
Uses the server at your site that supports authentication using LDAP.
Active Directory
Uses the server at your site that supports Kerberos authentication against a Windows 2000 or later server.
For RADIUS authentication, changing the NAS IP Address, Retries, or Service Type settings
1. On the Authentication Server screen of the wizard, type a name for the server, and select the server type, RADIUS, from the Server Type list.
3. You can optionally configure the service port, NAS IP address, timeout, number of retries, and select a service type.
1. On the Authentication Server screen of the wizard, type a name for the server, and select the server type, LDAP, from the Server Type list.
2. Type the Server IP Address, and change the Service Port if required.
3. Type and verify the Admin Password.
4. You can optionally type the administrator's distinguished name, select to follow referrals, and change the timeout.
5. Select the User DN or Search DN for the authentication option.
6. If you selected User DN, type the user's distinguished name. If you selected Search DN, type the search distinguished name and the search filter.
1. On the Authentication Server screen, type a name for the server, and select the server type, Active Directory, from the Server Type list.
2. Type the Domain Name for the server.
3. You can optionally specify a key distribution center (KDC), the administrator name, password, and password verification, and the server timeout.
A lease pool is a collection of IP addresses that are used on the internal network for users who make SSL VPN connections through the Secure Access Manager. These IP addresses are assigned to end user client machines as part of the network access connection process, for the client PPP interface.
Important: You must create lease pools that contain enough IP addresses to support your total number of expected concurrent network access users. You must also ensure that there is no overlap between the IP addresses defined and other networks within your organization.
You can choose whether to have client network access connections using these IP addresses routed to your internal network or treated as an SNAT pool, where the IP addresses are translated to the configured self IP address. Treating these IP addresses as part of an SNAT pool allows for a simpler initial deployment, as a return route to the IP lease pool from your network is not required. You can configure use of SNAT auto mapping when you configure a network access resource. For more information on this option, see the BIG-IP® Secure Access Manager Administrator Guide.
To add a range of consecutive IP addresses, select IP Address Range and type a start IP address and an end IP address, then click Add.
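The Important note above sets two conditions on a lease pool: enough addresses for the expected number of concurrent users, and no overlap with other networks in your organization. The Python below is an added example of checking an address-range definition against both conditions before it is entered in the wizard; it is not part of Secure Access Manager and does not talk to the device. The internal network list, the ranges, and the user count are constructed sample values.

```python
import ipaddress

# Constructed sample: networks already in use inside the organization.
# These are assumptions for the example, not values from the manual.
INTERNAL_NETWORKS = ["10.10.10.0/24", "10.20.0.0/16"]


def pool_size(start, end):
    """Number of addresses in an inclusive start..end range (as typed in the wizard)."""
    first = int(ipaddress.ip_address(start))
    last = int(ipaddress.ip_address(end))
    if last < first:
        raise ValueError(f"end address {end} precedes start address {start}")
    return last - first + 1


def range_blocks(start, end):
    """Represent an inclusive range as the CIDR blocks that cover it exactly."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def check_lease_pool(ranges, expected_users, internal_networks=INTERNAL_NETWORKS):
    """Validate a lease pool made of (start, end) ranges.

    Returns a list of findings (empty when the pool is acceptable):
      - one finding per range that overlaps an internal network, since
        leased client addresses must not collide with existing hosts;
      - one finding if the pool cannot serve the expected concurrent users.
    """
    findings = []
    nets = [ipaddress.ip_network(n) for n in internal_networks]
    total = 0
    for start, end in ranges:
        total += pool_size(start, end)
        blocks = range_blocks(start, end)
        for net in nets:
            if any(block.overlaps(net) for block in blocks):
                findings.append(f"{start}-{end} overlaps internal network {net}")
    if total < expected_users:
        findings.append(
            f"pool holds {total} addresses but {expected_users} concurrent users expected")
    return findings


if __name__ == "__main__":
    # A pool on an unused network with enough addresses passes cleanly.
    print(check_lease_pool([("10.30.0.1", "10.30.0.50")], 40))
    # A pool carved out of the internal LAN is flagged.
    print(check_lease_pool([("10.10.10.200", "10.10.10.210")], 5))
    # Too few addresses for the expected load is flagged.
    print(check_lease_pool([("10.30.0.1", "10.30.0.10")], 20))
```

The overlap check covers both deployment choices in the paragraph above: it matters when leased addresses are routed into the internal network, and it still matters with SNAT, because the client PPP interface carries the leased address locally.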
The Secure Access Manager network access feature provides secure access to corporate applications and data using a standard web browser. Using network access, employees, partners, and customers can have access to corporate resources anywhere that an organization requires secure access. Sending connections through the Secure Access Manager helps keep them secure.
The Secure Access Manager network access feature provides users with the functionality of a traditional IPsec VPN client. Unlike IPsec, however, network access does not require any pre-installed software or configuration on the remote user's computer. It is also much more robust than IPsec VPN against router and firewall incompatibilities.
Changing the Lease Pool setting
Checking the Integrated IP filtering engine check box
Checking the Client for Microsoft Networks check box
Checking the File and printer sharing for Microsoft Networks check box
Enable the resource with file and printer sharing for Microsoft Networks (doing this is not recommended in the wizard).
Specifying a Primary WINS Server
Specifying a Secondary WINS Server
These are the IP addresses of the DNS servers that network access assigns to remote users. These should represent a DNS server or servers that the internal company network uses.
2. Type the primary and secondary WINS server addresses in the boxes. We do not recommend configuring these items with the wizard.
This is the DNS suffix to use on client computers. If this field is not specified, network access uses the first suffix from the name servers configured on the DNS tab.
You can configure a list of static hosts for the network access client to use. The static hosts you configure modify a client computer's local hosts table and override the configured DNS server, so you should use them only when you need to augment or override the existing DNS.
A resource group contains one network access resource. You can assign a resource group to an access policy using the visual policy editor with the Resource Assign action. In the Secure Access Setup wizard, this resource assignment is configured automatically.
Do not change the name or make any changes in the Manage Resources area in this step in the wizard. Changing the name or the selected network access resource in the Manage Resources area will cause the connection to fail.
Click Next to continue to the next topic and create an access profile.
An access profile binds together verification information and resource information for a network access connection. The access profile allows a client user to see a logon page, add information, have the computer configuration verified, and then either get a network access connection or be denied a network access connection. Access profiles contain access policies, which present the visual representation of the network access connection process.
General purpose actions
Configure logons, assign resources and variables, and route policies to different VLANs.
Authentication actions
Configure authentication through an authentication server.
Client-side checks
Check client computer settings to enforce your security policy.
Server-side checks
Check the interface mode of the client access device and the client operating systems from the server side, and allow or deny access based on the results.
In addition, you can use preconfigured Macrocalls in your Access Policy. Macrocalls are collections of actions that are preconfigured to provide common access policy functions.
Changing the Parent Profile setting
Changing any of the Accepted Languages
Although you can edit optional settings for the access profile, we do not recommend that you change any optional settings.
Using the Secure Access Setup wizard, you can create a virtual server. Users can access the network access connection by connecting to the virtual server address with a web browser. The following sections contain the procedures for creating and modifying virtual servers.
To understand individual virtual server properties and settings, see the Configuring Virtual Servers chapter in the Configuration Guide for BIG-IP® Local Traffic Management.
With the wizard, you can create a virtual server that uses default values for most settings. We recommend that with the wizard you configure only the destination address field.
With Secure Access Manager, virtual servers are configured to handle end-client SSL VPN services (end user logon and the SSL VPN network access service). The IP address assigned to a virtual server is the one that is typically exposed to the Internet for SSL VPN services.
When creating a virtual server, specify that the virtual server is a host virtual server for Secure Access Manager, and not a network virtual server. (For more information on host and network virtual servers, see the Configuring Virtual Servers chapter in the Configuration Guide for BIG-IP® Local Traffic Management.) In either case, you need only configure a few settings: a unique name for the virtual server, a destination address, and a service port.
Important: When you create a virtual server, the BIG-IP system places the virtual server into your current administrative partition. For information on partitions, see the BIG-IP® Network and System Management Guide.
For production deployment of your configuration, you should either edit the clientssl profile to use your imported certificate and key, or create a new profile based on the clientssl profile that uses your own certificate and key. For more information, see Configuring a client SSL profile for Secure Access Manager. For initial evaluation of Secure Access Manager, you may select the default clientssl profile in the SSL Profile (Client) list. This default profile does not contain a valid SSL server certificate, but it can be used for initial Secure Access Manager evaluation and testing.
Changing the Service Port setting to a value other than 443
Changing the State setting
Changing the Type setting
Changing the Protocol setting
Changing the OneConnect Profile setting
Changing the HTTP Profile setting
Changing the Access Profile setting
Changing the SSL Profile (Client) setting.
Changing the VLAN Traffic setting
1. On the Virtual Server screen of the wizard, type a unique name for the virtual server.
2. For the destination type, specify Host, and for the Address, specify an available IP address on your network.
This is the IP address provided to users for Secure Access Manager login and network access connections. This IP address must be allowed through your firewall or router for user SSL VPN services.
4. Click Next.
An HTTP redirect allows clients to connect for secure access by typing HTTP as part of the URL instead of HTTPS (for example, http://secureaccess.siterequest.com). This service redirects users to the HTTPS address (for example, https://secureaccess.siterequest.com). You must allow port 80, in addition to port 443, on your firewall or router to use the automatic redirect service.
Changing the Destination Type setting
Changing the Destination Address setting
Changing the Service Port setting
Changing the State setting
Changing the Type setting
Changing the OneConnect Profile setting
Changing the HTTP Profile setting
Changing the Access Profile setting
Changing the SSL Profile (Client) setting
Changing the SSL Profile (Server) setting
Changing the iRules setting
Changing the VLAN Traffic setting
1. On the Virtual Server Redirect (HTTP connection) screen of the wizard, configure the details for the HTTP redirect.
2. Click Next.
On the next screen, you can view the details of the configured network access connection.
The easiest way to verify your logon settings is to log on to a network access tunnel.
If you do not yet have a DNS entry for the virtual server configured, you can connect using the IP address configured for the virtual server. If you are connecting from outside your firewall, you should use the external IP address mapped to the Secure Access Manager virtual server.
2. To test a negative result, type a user name and password that you know is not correct and click Logon.
An error message appears indicating an invalid user name or password.
3. Type a user name and password you know to be good, and click Logon.
A successful logon message appears.
1. Start your web browser, and go to the address:
2. Type a user name and password you know to be good, and click Logon.
A successful logon message appears.
3. To confirm the connection, in Microsoft® Windows®, from the Start menu, choose Run, and type cmd to start a Windows Command prompt.
4. In the command prompt window, type ipconfig and press Enter.
If you can connect to a resource, your configuration is working. If you cannot connect, your configuration is not working.
The clientssl profile is used when you create or edit HTTPS-based virtual servers on the Local Traffic, Virtual Servers screen. You must select either the default clientssl profile, or your own profile, based on the clientssl profile, but populated with your own certificate and private key. This is required when creating an HTTPS-based virtual server to support Secure Access Manager user logon and network access connections.
The clientssl profile controls how the SSL session is managed between Secure Access Manager end users and the Secure Access Manager virtual server.
For initial testing and evaluation, you can use the default clientssl profile, but before you fully deploy the Secure Access Manager, you should create a new profile with a proper SSL server certificate.
1. On the main tab of the navigation pane, expand Local Traffic and click Profiles.
The HTTP Profiles screen opens.
2. From the SSL menu, choose Client.
The client SSL Profiles screen opens.
3. Click the Create button.
The New Client SSL Profile screen opens.
4. In the Name box, type a name for the client SSL profile.
5. At the top of the Configuration area, check the Custom box to make the Configuration settings available for you to configure.
6. From the Certificate list, select the certificate.
7. From the Key list, select the key.
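Both production requirements described above, the port-80 redirect to the HTTPS address and a client SSL profile carrying a CA-signed certificate rather than the default clientssl certificate, can be verified from a client once the wizard is finished. The following script is an added example and is not part of the F5 manual or product; it uses only the Python standard library, the host name secureaccess.siterequest.com is the manual's own example name, and the function names are my own.

```python
# Added example (not F5 code): post-deployment client-side checks for a
# Secure Access Manager virtual server, standard library only.
# - port 80 must redirect to https://<host> (the HTTP redirect virtual server)
# - port 443 must present a certificate a client trusts for <host>; the
#   default clientssl profile's certificate fails this, so replace it first.
import http.client
import socket
import ssl
from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

def redirect_is_correct(status, location, expected_host):
    """True if (status, Location) is an HTTPS redirect to expected_host."""
    if status not in REDIRECT_STATUSES or not location:
        return False
    parts = urlsplit(location)
    return parts.scheme == "https" and parts.hostname == expected_host.lower()

def check_http_redirect(host, timeout=5):
    """Connect to port 80 and verify the redirect to the HTTPS address."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return redirect_is_correct(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()

def check_server_certificate(host, timeout=5):
    """Return (ok, detail); ok only if the chain validates for host."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message  # e.g. "self-signed certificate"
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    return True, "issued by " + issuer.get("organizationName", "unknown")

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "secureaccess.siterequest.com"
    print("HTTP redirect OK:", check_http_redirect(host))
    print("Certificate OK:", check_server_certificate(host))
```

Run it from outside the firewall against the external address mapped to the virtual server; a failing certificate check with "self-signed certificate" as the detail means the default clientssl profile is still in use.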
The Secure Access Manager includes a default security certificate, and the ability to generate self-signed certificates. However, we recommend a server certificate signed by a trusted Certificate Authority (CA) such as VeriSign®, Thawte®, Entrust®, or another well-known CA.
If you have transferred a key/certificate pair, a certificate, or a key/certificate archive onto the BIG-IP system from another system, and the certificate or archive is in the form of a file or a base-64 encoded text string, you can import this certificate or archive into the Configuration utility. By importing a certificate or archive into the Configuration utility, you ease the task of managing that certificate or archive. You can use the Import SSL Certificates and Keys screen only when the certificate you are importing is in Privacy Enhanced Mail (PEM) format.
1. On the Main tab of the navigation pane, expand Local Traffic and click SSL Certificates.
This displays the list of existing certificates.
3. From the Import Type list, select the type of import (Key, Certificate, or Archive).
This expands the configuration screen to show the settings for that import type.
For key or certificate, configure the Name and Source settings, and click Import.
For archive, configure the Upload Archive File setting, and click Load.
Using the Configuration utility, you can either generate a self-signed certificate (usually used for internal test purposes only) or you can create a request for a certificate/key pair, to be sent to a certificate authority. When you send a request to a certificate authority, the certificate authority returns a signed certificate.
You can copy the text of the newly generated request from the Configuration utility screen and paste it into a request to the certificate authority.
You transmit the request to a certificate authority (either by pasting the text or by attaching the request file) through the certificate authority's web site. The Configuration utility screen for submitting a request for signature by a certificate authority includes links to various certificate authority web sites.
1. On the Main tab of the navigation pane, expand Local Traffic, and click SSL Certificates.
This displays the SSL Certificates screen.
2. On the upper-right portion of the screen, click Create.
The New SSL Certificate screen opens.
3. In the Name box, type a unique name for the certificate.
4. From the Issuer list, select Self.
5. Configure the Common Name setting, and any other settings you want.
7. Click Finished.
1. On the Main tab of the navigation pane, expand Local Traffic, and click SSL Certificates.
This displays the SSL Certificates screen.
2. On the upper-right portion of the screen, click Create.
The New SSL Certificate screen opens.
3. In the Name box, type a unique name for the certificate.
4. From the Issuer list, select Certificate Authority.
5. Add the Common Name setting and any other settings.
6. When you are done, click Finished.
The Certificate Signing Request screen opens.
Click the Download button in the Request File option.
8. For the Certificate Authorities setting, click a certificate authority name.
The web site for the certificate authority opens.
9. Follow the instructions on the web site for either pasting the copied request or attaching the generated request file.
10. Click Finished.