Archived Manual Chapter: Installing and Licensing BIG-IP Secure Access Manager

This article has been archived, and is no longer maintained.

An address forwarded by your router or firewall from the publicly routable IP address above to support end user logon and SSL VPN services. This IP address is configured as a virtual server in Secure Access Manager.
A second private address configured as a self IP address. This address is used for internal traffic, and to access the HTTPS web Configuration utility. If you are using a two-arm configuration for Secure Access Manager, you must configure another private address for the second internal VLAN.
The Secure Access Manager management port requires a private address on a separate network for direct access to the browser-based Configuration utility.
To configure access to the Secure Access Manager, you need to be able to configure your Internet router or firewall to send traffic to the Secure Access Manager using either Network Address Translation (NAT), or port forwarding.
If you plan to use NAT, configure your Internet router or firewall to map the public IP address to the private IP address assigned to the Secure Access Manager for end user logon and SSL VPN services (the IP address and port). For information on configuring NAT, see your router or firewall documentation.
Important: You must configure packet filters or firewall rules to permit connections to the Secure Access Manager on TCP port 443. Optionally, you can also permit TCP port 80 for connections that occur when a user accesses the Secure Access Manager with a URL beginning with http:// rather than https://.
If you use the Secure Access Setup wizard, you can easily configure the Secure Access Manager to automatically redirect clients from port 80 to port 443.
If you plan to use port forwarding, configure the Internet router or firewall to forward TCP port 443 to port 443 of the private IP address assigned to the Secure Access Manager. Optionally, also forward TCP port 80, for connections that occur when a user accesses the Secure Access Manager with a URL that starts with http:// rather than https://. Refer to your router or firewall documentation for information on configuring port forwarding.
To allow access from the Internet to the Secure Access Manager using a fully qualified domain name (FQDN), such as secureaccess.siterequest.com, you must configure a publicly resolvable host name on your DNS server for the public IP address used by the Secure Access Manager. To do this, you must have a registered Internet domain name, such as siterequest.com, and you must be able to add a host name, such as secureaccess, to the public DNS server that is authoritative for the zone that contains your registered Internet domain name. You can administer the DNS server, or your ISP can administer the DNS server on your behalf.
Optionally, you might want to configure DNS name resolution for your private (internal) network. This would permit administrators on the internal network to connect to the Secure Access Manager using a FQDN. To do this, add the appropriate entry into the DNS server that is authoritative for the zone that contains your private domain namespace. For more information, refer to Understanding name resolution issues with private IP addresses, following.
Note: Domain Name System (DNS) is the Active Directory® locator in Microsoft® Windows® 2000, 2003, and 2008. Configure the internal DNS server to support the SRV RR (RFC 2052) and the dynamic update protocol (RFC 2136). For Active Directory authentication with Secure Access Manager, realm-to-server lookups are performed using DNS SRV records. Forward lookup capability for forward and reverse lookup zones is required.
If the Secure Access Manager is installed on a private (internal) network, where the router or firewall performs NAT or port forwarding, then the Secure Access Manager might have two different DNS mappings: one public name that resolves to the public (external) IP address, and a second, private name mapped to a private (internal) IP address. The private name might be the same as the public name, or it could be different.
To enable internal users (those on the local network) to connect to the Secure Access Manager using its private name, make one of the following configuration changes:
If you have both an internal and external DNS server, or a DNS server that maintains separate zones for public and private namespaces, add an A record to the zone that resolves to the Secure Access Manager's private IP address (such as 10.0.0.8). An A record is an address record, the basic DNS record type, and is used to associate a domain name with an IP address.
 
Alternatively, if your router or firewall supports configuration of aliases on your DNS server, set up the router or firewall to redirect internal Secure Access Manager traffic (traffic originating on the local network) to the Secure Access Manager's private IP address.
 
If the router or firewall alters the destination address of packets from the public address of the Secure Access Manager to the private address.
Figure 2.1 shows the placement of the Secure Access Manager in a typical network configuration, or one-arm configuration. In this network configuration, the preconfigured external VLAN configured on port 1.1 has both a self IP address and a virtual server (with a different IP address) configured. The Internet router or firewall is configured to forward traffic to the IP address associated with the virtual server.
The management port is used for direct access to the Configuration utility through HTTPS, and requires an IP address on a separate network. The management port can be connected directly to a management workstation or to a wider management network.
This section describes the different installation methods available for installing the software. There are four main installation methods available. Each of these methods has particular hardware requirements and is useful in particular situations. These methods include:
Microsoft® Windows® hosted installation
Warning: You must be logged in as root to use these installation methods.
Note: BIG-IP Secure Access Manager ships with software pre-installed. You may skip this section if you do not need to update the software that is pre-installed on your Secure Access Manager platform.
The local installation provides the ability to copy an IM package onto the system you intend to upgrade. You can apply this installation method to any system with a hard drive that has sufficient capacity.
Warning: Do not attempt to mount this IM package in a RAM file system as you may have with previous releases. This release does not support that installation method.
For details about this installation method, including supported platforms, and any other system requirements, please refer to the Installation, Licensing, and Upgrades for BIG-IP® Systems guide in the AskF5℠ Knowledge Base (https://support.f5.com).
The PXE installation method requires you to set up a server with the installation image you want to install. You can use this upgrade method when you are directly connected to the system you intend to upgrade. You can use this installation method to perform a system recovery installation, or to upgrade from specific earlier versions of the BIG-IP software.
For details about this installation method, including supported platforms, and any other system requirements, please refer to the Installation, Licensing, and Upgrades for BIG-IP® Systems guide in the AskF5℠ Knowledge Base (https://support.f5.com).
The remote installation method provides the ability to run the upgrade from a management workstation that is not directly connected to the system you intend to upgrade.
For details about this installation method, including supported platforms, and any other system requirements, please refer to the Installation, Licensing, and Upgrades for BIG-IP® Systems guide in the AskF5℠ Knowledge Base (https://support.f5.com).
The Windows hosted installation method provides the ability to mount the BIG-IP system installation image on a system running Microsoft® Windows® and perform the installation on the BIG-IP system.
For details about this installation method, including supported platforms, and any other system requirements, please refer to the Installation, Licensing, and Upgrades for BIG-IP® Systems guide in the AskF5℠ Knowledge Base (https://support.f5.com).
Before you can configure and manage the system, you need to connect the unit to a management workstation or network. There are three ways to attach a management workstation or network to the traffic management system.
Use a Serial console
You can connect a null modem cable to the port marked CONSOLE on the unit, and access the command line with a terminal emulator.
Add a network to the management interface
You can configure an IP address on the Ethernet interface labeled Management and access the browser-based Configuration utility to configure the traffic management software.
Use the default network to connect to the management interface
You can connect a cable to the Ethernet interface labeled Management and access the browser-based Configuration utility to configure the traffic management software and use the default network for setup.
You can use a terminal emulator through a null modem cable attached to the serial port labeled CONSOLE on the unit during the installation process, to configure the management port. To connect through the serial port, you must have a DB9 null modem cable, and a vt100-capable terminal emulator available on a computer in close proximity to the unit you want to configure.
3. Start the terminal emulator.
   Set the emulator to 19200 baud and choose the correct serial device.
4. Turn on the hardware.
   It may take a moment for the terminal emulator to connect.
5. At the login prompt, type the user name root with the password default.
You must configure an IP address and netmask before you can use the Ethernet management interface, or you must use the default network on the management interface to connect. You should install software upgrades and perform management tasks on the BIG-IP system through the management interface.
If you have a serial console configured, you can configure the management IP address through the serial console.
If you want to connect directly to the management interface, you can use the default network configuration on the management interface.
Note: Any self IP addresses you add to the system cannot be on the same network as the management interface. The management interface functions separately from other system functions and cannot share the same network.
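The addressing rules in this chapter (TCP 443, and optionally 80, forwarded to the virtual server; the virtual server on a different address than the self IP; no self IP on the management network) can be checked against a written plan before deployment. The following Python check is an added example, not F5 code; the plan layout, the function name audit_plan, and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

ALLOWED_TCP_PORTS = {443, 80}  # 443 is required; 80 is optional (http:// redirect)

def audit_plan(plan):
    """Return findings for a deployment plan; an empty list means it passes."""
    findings = []
    mgmt = ipaddress.ip_interface(plan["management"])
    virtual = ipaddress.ip_address(plan["virtual_server"])
    if not mgmt.ip.is_private:
        findings.append(f"management address {mgmt.ip} is not private")
    if virtual in mgmt.network:
        findings.append(f"virtual server {virtual} is on management network {mgmt.network}")
    for name, cidr in plan["self_ips"].items():
        self_if = ipaddress.ip_interface(cidr)
        # Self IPs cannot be on the same network as the management interface.
        if self_if.network.overlaps(mgmt.network):
            findings.append(f"self IP {name} ({cidr}) is on management network {mgmt.network}")
        # The virtual server has a different address than the self IP.
        if self_if.ip == virtual:
            findings.append(f"self IP {name} reuses virtual server address {virtual}")
    forwarded = set()
    for proto, public_port, dest, dest_port in plan["forwards"]:
        dest = ipaddress.ip_address(dest)
        label = f"{proto}/{public_port} -> {dest}:{dest_port}"
        if dest in mgmt.network:
            findings.append(f"{label} forwards Internet traffic to the management network")
        elif dest != virtual:
            findings.append(f"{label} does not target virtual server {virtual}")
        elif proto != "tcp" or public_port not in ALLOWED_TCP_PORTS:
            findings.append(f"{label} is not one of the permitted TCP ports 443/80")
        elif public_port != dest_port:
            # Assumption: ports are forwarded unchanged, as the page does for 443.
            findings.append(f"{label} changes the port number")
        else:
            forwarded.add(public_port)
    if 443 not in forwarded:
        findings.append("TCP 443 is not forwarded to the virtual server")
    return findings

# Constructed sample plans; addresses are illustrative only.
GOOD_PLAN = {
    "management": "192.168.1.245/24",
    "virtual_server": "10.0.0.8",
    "self_ips": {"external": "10.0.0.9/24"},
    "forwards": [("tcp", 443, "10.0.0.8", 443), ("tcp", 80, "10.0.0.8", 80)],
}
BAD_PLAN = {
    "management": "192.168.1.245/24",
    "virtual_server": "10.0.0.8",
    "self_ips": {"external": "10.0.0.8/24", "internal": "192.168.1.10/24"},
    "forwards": [("tcp", 8443, "192.168.1.245", 443), ("tcp", 22, "10.0.0.8", 22)],
}

if __name__ == "__main__":
    for plan_name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(plan_name, audit_plan(plan) or "OK")
```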
You can use the LCD panel to configure the management IP address with this procedure. When you configure the management IP address, you first add an IP address, then you add a netmask address. Optionally, you can add a default gateway.
2. Press the X button on the display.
4. Using the up and down arrow buttons, navigate to the Management menu item, and press the check mark button.
5. Using the up and down arrow buttons, navigate to the Mgmt IP menu item, and press the check mark button.
   The default management IP address, 192.168.1.245, appears.
6. To change the management IP address, navigate to the number you want to change with the right and left arrow buttons, then press the up and down arrow buttons to change that number.
8. To commit the change to the unit, scroll to the Commit menu item with the up and down arrow keys, and press the check mark button.

2. To change the management mask, navigate to the number you want to change with the right and left arrow buttons, then press the up and down arrow buttons to change that number.
4. To commit the change to the unit, scroll to the Commit menu item with the up and down arrow keys, and press the check mark button.

2. To change the management gateway, navigate to the number you want to change with the right and left arrow buttons, then press the up and down arrow buttons to change that number.
4. To commit the change to the unit, scroll to the Commit menu item with the up and down arrow keys, and press the check mark button.
After you add an IP address, net mask, and gateway to your management port, you can log on to the Configuration utility with a web browser, and configure the unit. For instructions on accessing the Configuration utility through the management port (Management), see Licensing the Secure Access Manager software.
You can add a management IP address to the management interface using a serial console connection. To connect to the Secure Access Manager over the serial console, see Connecting with a null modem cable to the serial console.
After you complete the installation of the software, run the config command to configure an IP address, net mask, and gateway on the management port (Management). The config command is a command line utility created for this purpose. You can run the config command from the serial console you used during installation.
To run the config command, type the following command:
After you run this utility and add an IP address, net mask, and gateway to your management port, you can log on to the Configuration utility (graphical user interface) and configure the unit. For instructions on accessing the Configuration utility through the management port (Management), see Licensing the Secure Access Manager software.
You can run the Configuration utility remotely only from a workstation that is on a properly configured private network. To allow remote connections for the Configuration utility, the traffic management software comes with two pre-defined IP addresses, and a pre-defined root password. The default root password is default, and the preferred default IP address is 192.168.1.245. If this IP address is unsuitable for your network, the traffic management software uses an alternate IP address, 192.168.245.245.
However, if you define an IP alias on an administrative workstation in the same IP network as the system, the unit detects the network of the alias and uses the corresponding default IP address. Once the utility finishes and the system reboots, these default IP addresses are replaced by the information that you entered in the initial configuration you create with the Configuration utility.
You can use this method if you do not want to configure the management interface before you connect to the browser-based Configuration utility. All BIG-IP systems ship with a default network configured on the management interface. You can access the browser-based Configuration utility through the management port, and configure the unit directly.
1. Open a web browser on a workstation connected to the same IP network as the management interface IP address.
2. Type the following URL, where <default IP> is the IP address in use on the management interface.
   The preferred default IP address is 192.168.1.245. If this IP address is unsuitable for your network, the traffic management software provides an alternate IP address, 192.168.245.245.
3. At the logon prompt, type admin for the user name, and admin for the password.
   The Licensing screen of the Configuration utility opens.
The IP address alias must be in the same network as the default IP address you want the system to use. For example, on a UNIX® workstation, you might create one of the following aliases.
If you want the BIG-IP Secure Access Manager unit to use the default IP address 192.168.1.245, then add an IP address alias to the computer you want to use to connect to the unit using the following command:
If you want to use the default Secure Access Manager IP address of 192.168.245.245, then add an IP address alias to your local computer such as:
Note: On a system running Microsoft Windows® or Windows NT®, you must use a static IP address, not DHCP. Within the network configuration, add an IP alias in the same network as the IP address in use on the unit. For information about adding a static IP address on a system running Microsoft Windows, please refer to the vendor's documentation.
After you configure an IP address alias on the administrative workstation in the same IP network as the BIG-IP system and you turn the system on, the BIG-IP system sends Address Resolution Protocol responses (ARPs) on the management interface to see if the preferred 192.168.1.245 IP address is in use. If the address is appropriate for the network and is currently available, the BIG-IP system assigns it to the management interface. You can immediately use it to connect to the unit and start the Configuration utility.
If the alternate network is present on the network 192.168.245.0/24, or if the node address 192.168.1.245 is in use, then the BIG-IP software assigns the alternate IP address 192.168.245.245 to the management interface instead.
After you get the management workstation connected to the management interface, you can open the Configuration utility and begin licensing the system. When you start the Configuration utility from a web browser, you use the selected default IP address as the application URL.
1. Open a web browser on a workstation connected to the same IP network as the management interface IP address.
2. Type the following URL, where <default IP> is the IP address in use on the management interface.
3. At the logon prompt, type admin for the user name, and admin for the password.
   The Licensing screen of the Configuration utility opens.
4. Click the Activation button to begin the licensing process.
For details about licensing and configuring the system, see Licensing the Secure Access Manager software.
To activate the license for the system, you must have a base registration key. The base registration key is a 27-character string that lets the license server know which F5 products you are entitled to license. The base registration key is preinstalled on your system. If you do not already have a base registration key, you can obtain one from the Sales group (http://www.f5.com).
If the system is not yet licensed, the Configuration utility prompts you to enter the base registration key. Certain systems may require you to enter keys for additional modules in the Add-On Registration Key List box.
Before you can license the system, you need to consider the method you want to use to access the management interface on the system. For more information, see Understanding management connection options.
After you configure an IP address, net mask, and gateway on the management port, you can access the browser-based Configuration utility through the management port.
1.
2. Type the following URL in the browser, where <IP address> is the address you configured for the management port (Management):
3. At the password prompt, type the user name admin and the password admin, and click OK.
   The Configuration utility opens. If this is the first time you have run the Configuration utility, the system presents the Licensing screen of the Setup utility. Figure 2.2 shows the Licensing screen.
4. To begin the licensing process, click the Activate button.
Follow the on-screen prompts to license the system. For additional information, click the Help tab on the navigation pane.
Note that you can update the license at any time. To update the license, under the System section of the navigation pane, click License.