Manual Chapter: Securing and Accelerating HTTP Traffic with
This implementation describes the tasks that configure the BIG-IP® Application Security Manager and the BIG-IP® WebAccelerator system to run on the same virtual server.
For this implementation, you must perform the following tasks before the system can secure connectivity and accelerate HTTP traffic to your applications.
Complete basic configuration on the BIG-IP Local Traffic Manager
Before you can begin this implementation, you must complete the basic configuration requirements on the BIG-IP Local Traffic Manager. See Completing basic configuration tasks on the Local Traffic Manager, for more information.
Perform initial configuration tasks on the BIG-IP Local Traffic Manager
To prepare the BIG-IP Local Traffic Manager to run the Application Security Manager and the WebAccelerator system on the same virtual server, there are initial configuration tasks you must complete. See Performing initial configuration tasks on the Local Traffic Manager, for more information.
Create an application profile for the WebAccelerator system
An application profile provides all of the basic information required for the WebAccelerator system to begin expediting traffic to your applications. See Creating an application profile for the WebAccelerator system, for more information.
Run the Application Security Manager Deployment Wizard
The Deployment Wizard automates the fundamental tasks required to initially build and deploy a security policy for your applications. See Running the Application Security Manager Deployment Wizard, for more information.
Before you can begin the processes required to run the Application Security Manager and the WebAccelerator system on the same virtual server, you must have already completed some basic configuration tasks on the BIG-IP Local Traffic Manager. The following tasks must be completed:
Licensing and provisioning for the Application Security Manager and the WebAccelerator system
For more information, see the BIG-IP® Systems: Getting Started Guide.
Configuring virtual server settings
For more information, see the Configuration Guide for BIG-IP® Local Traffic Management.
Configuring name resolution (DNS or entries to the host file)
For more information, see the TMOS Management Guide for BIG-IP® Systems.
Once you have performed the basic configuration tasks on the BIG-IP Local Traffic Manager, you can complete the initial configuration tasks required to prepare the BIG-IP Local Traffic Manager to run both the Application Security Manager and the WebAccelerator system on the same virtual server.
Creating an HTTP class profile for the Application Security Manager and the WebAccelerator system
The HTTP class profile uses the HTTP header, cookie, host, and path, and other HTTP properties, to specify the HTTP traffic to which the system applies security and acceleration. See Creating the HTTP class profile, following, for more information.
Defining a virtual server and pool
The virtual server load balances traffic to one or more pools that are hosting the web application. A pool is made up of members, which are the servers that host the web application resources that you want to protect with the Application Security Manager, and whose traffic you want to expedite with the WebAccelerator system. See Defining a virtual server and pool on the BIG-IP Local Traffic Manager, for more information.
Configuring a Network Time Protocol (NTP) server
To properly maintain its cache and synchronize configurations, the system requires that the time on the application servers and the time on the BIG-IP system be the same. See Defining an NTP server, for more information.
The first task required to prepare the BIG-IP Local Traffic Manager to run the Application Security Manager and the WebAccelerator system is to create an HTTP class profile. An HTTP class profile uses the HTTP header, cookie, host, and path, and other HTTP properties, to specify the HTTP traffic to which the system applies security and acceleration. For this implementation, you create one HTTP class profile that enables both the Application Security Manager and the WebAccelerator system.
Important: When you enable application security for an HTTP class profile, the system automatically creates a web application configuration and default security policy for Application Security Manager.
1. On the Main tab of the navigation pane, expand Application Security, and click Classes.
   The HTTP Class screen opens.
2. Click the Create button.
   The New HTTP Class Profile screen opens.
3. In the Name box, type a unique name for the HTTP class profile.
4. From the Parent Profile list, select httpclass.
5. In the Configuration area, check the Custom box (on the right) to activate the WebAccelerator setting, and then select Enabled from the list.
6. Verify that the Application Security setting is also enabled.
7. Click the Finished button.
   The system adds the new HTTP class profile, and displays the HTTP Class Profiles screen.
In the Configuration utility, you can create HTTP class profiles from more than one section of the navigation pane. When you create an HTTP class profile from the Local Traffic section, by default both the WebAccelerator setting and the Application Security setting are disabled. In this case, you must explicitly enable both of these settings if you want the HTTP class to accelerate and secure your traffic. When you create an HTTP class profile from either the Application Security section or the WebAccelerator section of the Configuration utility, then in the HTTP class profile configuration, the respective setting is enabled by default. In this case, you must explicitly enable only one of the corresponding settings.
The second task you need to perform is to define a virtual server and pool. As part of the definition, you associate the HTTP class profile that you created in the previous procedure with the virtual server. The virtual server then processes and routes incoming traffic according to the settings that you configure in the associated HTTP class profile. The pool hosts the web application content that clients are accessing.
Note: The following procedure outlines only the basic virtual server and pool configuration. For detailed information about virtual servers, pools, and the other local traffic components, see the Configuration Guide for BIG-IP® Local Traffic Management.
1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
   The Virtual Servers list screen displays.
2. Click the Create button.
   The New Virtual Server screen displays.
3. In the General Properties area, for the Name setting, type a unique name for the virtual server.
4. For the Destination setting, click the Host button, and type an IP address in the Address box.
5. For the Service Port setting, type the appropriate service port for your application. For example, for HTTP, the port is 80. Alternatively, you can select a service type from the list.
6. From the State list, select Enabled.
7. Above the Configuration area, select Advanced.
   The screen refreshes to display the additional configuration options.
8. In the Configuration area, from the HTTP Profile list, select http-acceleration.
   Important: We strongly recommend that you leave RAM Cache enabled for the http-acceleration service profile, and that you do not make any modifications to the RAM Cache default settings for Minimum Object Size, Maximum Object Size, URI Caching, and Ignore Headers. Doing so will adversely affect the way the BIG-IP WebAccelerator system manages HTTP traffic for your site.
9. For the Port Translation setting, ensure that the setting is enabled (checked).
   Important: If the Port Translation setting is disabled for the virtual server, the WebAccelerator system cannot properly accelerate traffic.
10. For the SNAT Pool setting, select Auto Map.
11. In the Resources area, for the HTTP Class Profiles setting, in the Available list, select the Application Security Manager/WebAccelerator-enabled HTTP class profile that you created, and click the Move button (<<) to add the profile to the Enabled list.
12. Next to the Default Pool setting, click the Add (+) button.
    The New Pool screen opens.
13. In the Configuration area, for the Name setting, type a unique name for the pool.
14. For the Health Monitors setting, from the Available list, select a health monitor or monitors, and click the Move button (<<) to add the monitor to the Active list.
15. In the Resources area, from the Load Balancing Method list, select a load balancing option.
16. Leave the Priority Group Activation setting at the default, Disabled.
17. For the New Members setting, select New Address, and in the Address and Service Port boxes, type the address and port for the pool members. Alternately, you can select Node List, and select nodes to add to the New Members list.
18. Click the Add button.
19. Click Finished.
    The screen refreshes, and returns to the New Virtual Server screen, where you see the new pool in the Default Pool list.
20. Click Finished again.
    The system updates the configuration, and displays the Virtual Server list screen, where you can see the virtual server that you created.
Next, you need to define a Network Time Protocol (NTP) server. NTP is a protocol that synchronizes the clocks on your network with a defined NTP server. This synchronization ensures that the Local Traffic Manager properly maintains its cache, and synchronizes configuration changes for optional symmetric deployments in the WebAccelerator system.
1. On the Main tab of the navigation pane, expand System, and then click Configuration.
   The General screen displays.
2. From the Device menu, choose NTP.
   The NTP screen displays.
3. For the Time Server List setting, in the Address box, type either the IP address or the fully-qualified domain name for an NTP server.
4. Click the Add button to add the server to the list.
5. Click Update to save the changes.
Once you have completed the first series of tasks that set up the local area network, you create an application profile for the WebAccelerator system. The application profile provides the key information that the WebAccelerator system needs to appropriately handle requests to your site's web applications. Creating an application profile consists of the following tasks:
To begin the process of creating an application profile, you must first decide which acceleration policy you want to associate with your application. One option is to select a pre-defined acceleration policy that is associated with your specific application publisher.
If you do not want to use an acceleration policy that is specific to a certain application publisher, you may use one of the two pre-defined general delivery acceleration policies. Both work well for most sites that use Java 2 Platform Enterprise Edition (J2EE) applications.
Level 1 Delivery
This pre-defined acceleration policy is compliant with HTML version 2.0. For this acceleration policy, the WebAccelerator system:
Ignores any no-cache directives included in HTTP Cache-Control request header, and uses the cache response directives that it receives from the origin web server.
Level 2 Delivery
This pre-defined acceleration policy is compliant with HTML version 3.0 and later. For this acceleration policy, the WebAccelerator system:
Caches HTML pages and assigns a lifetime setting of 0, which prompts the WebAccelerator system to provide fresh content by making subsequent requests for that content, using a conditional GET.
Ignores any no-cache directives included in HTTP Cache-Control request header, and uses the cache response directives that it receives from the origin web server.
In addition to these application-specific and general delivery acceleration policies, the WebAccelerator system also provides a deployment-specific acceleration policy, called Symmetric Deployment. You can select this option if you are configuring an optional symmetric deployment. For more information about this option, see the Configuration Guide for the BIG-IP® WebAccelerator System.
If, however, you have a unique application for which you cannot use a pre-defined acceleration policy, you can customize the WebAccelerator system's behavior by creating a user-defined acceleration policy. In most cases, you do this by copying a pre-defined acceleration policy and modifying it as required. You also have the option of importing a signed acceleration policy that is created, certified, and encrypted by its author, such as a consultant or vendor.
For information about acceleration policy features, and instructions about how to create user-defined acceleration policies or import signed acceleration policies, see the Policy Management Guide for the BIG-IP® WebAccelerator System.
When the WebAccelerator system receives an HTTP request, it compares the host on the request to those in its host map to determine which application profile to apply. Once it matches to an application profile, it can use the associated acceleration policy to handle the request.
When you create a host map, you identify the domain as it appears on the HTTP Host request header. These domains are called requested hosts. When you specify the host name for the requested host in a host map, you can use a wildcard, an asterisk (*) followed by a period, for the first character in the domain. This wildcard can represent one or more subdomains, enabling you to map several subdomains to one origin web server in one step. Using a wildcard saves time if your site has several subdomains.
Note: The WebAccelerator system is also capable of managing requests for unmapped domains, which are called unmapped requests. For more information, see the Configuration Guide for the BIG-IP® WebAccelerator System.
*.sales.siterequest.com maps to the following (all to the same destination host):
*siterequest.com maps to the following (all to the same destination host):
*.com maps all incoming requests that end in .com to one destination host.
* maps all incoming requests to one destination host.
If the WebAccelerator system can map multiple requested host names to a request, it chooses the host name that most closely matches the request. Consider the following defined host names:
A request to www.a.com maps to www.a.com, and does not map to *.a.com.
A request to a.com maps to a.com.
Requests to c.a.com and b.a.com both map to *.a.com.
A request to c.b.a.com maps to *.b.a.com.
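The closest-match rule above, modeled as an added Python example. It is not F5 code and not part of the original chapter: the host list (a.com, www.a.com, *.a.com, *.b.a.com) is assumed from the four lookups given, and the function names are hypothetical. It also flags the `*` and `*.com` style entries, which the text says send every matching request to one destination host, so they can be reviewed before deployment.

```python
# Added illustration of the host-map lookup described above; not F5 code.
# Assumption: "*." stands for one or more subdomain labels, as the text states.

def normalize(host_header: str) -> str:
    """Lower-case the Host header value and drop any :port and trailing dot."""
    host = host_header.strip().lower()
    if not host.startswith("["):          # leave bracketed IPv6 literals alone
        host = host.split(":", 1)[0]
    return host.rstrip(".")

def matches(pattern: str, host: str) -> bool:
    """True if a requested-host entry covers the (normalized) host name."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]              # "*.a.com" -> ".a.com"
        # The bare domain "a.com" is not a subdomain, so it must not match.
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host

def specificity(pattern: str) -> tuple:
    """Exact names outrank wildcards; longer wildcard suffixes outrank shorter."""
    if pattern == "*":
        return (0, 0)
    if pattern.startswith("*."):
        return (1, pattern.count("."))
    return (2, 0)

def resolve(host_map, host_header):
    """Return the entry that most closely matches, or None if unmapped."""
    host = normalize(host_header)
    candidates = [p for p in host_map if matches(p, host)]
    return max(candidates, key=specificity, default=None)

def broad_patterns(host_map):
    """Entries that accept hosts you do not control: "*" and "*.<tld>"."""
    return [p for p in host_map
            if p == "*" or (p.startswith("*.") and p.count(".") < 2)]

# Constructed host map, inferred from the four lookups listed above.
HOST_MAP = ["a.com", "www.a.com", "*.a.com", "*.b.a.com"]

if __name__ == "__main__":
    for h in ["www.a.com", "a.com", "c.a.com", "b.a.com", "c.b.a.com",
              "WWW.A.COM:80", "unmapped.example"]:
        print(f"{h:18} -> {resolve(HOST_MAP, h)}")
    print("review:", broad_patterns(HOST_MAP + ["*", "*.com"]))
```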
1. On the Main tab of the navigation pane, expand WebAccelerator and click Applications.
   The Applications screen displays in a new window.
2. Click the Create button.
   The New Application screen opens.
3. In the Application Name box, type a name for the application.
4. In the Description box, type an optional description.
5. From the Central Policy list, select the acceleration policy that you want the WebAccelerator system to use when requesting information from the associated application. If you have configured an optional symmetric deployment, we recommend that you select the Symmetric Deployment pre-defined acceleration policy, because it is specifically designed to manage content assembly in a symmetric deployment. For more information, see the Configuration Guide for the BIG-IP® WebAccelerator System.
6. If you have a symmetric deployment, from the Remote Policy list, select an acceleration policy for the remote WebAccelerator system. We recommend that you select Symmetric Deployment. If you do not have a symmetric deployment, do not select a remote policy.
8. In the Requested Host box, type a valid host name for each client host that you want to allow access to the application.
9. Click the Save button.
After you create an application profile, you must verify that the WebAccelerator system is able to properly send data to and receive data from the origin web servers.
1. On a machine separate from the WebAccelerator system, and from which you can run a web browser, open the hosts file and add the host name that you used to access the web site application. The host name must point to the IP address for the virtual server that you configured.
   Note: On Microsoft® Windows® 2000 and Windows® XP machines, the hosts file is located at C:\WINDOWS\system32\drivers\etc\hosts
   For example, if you can access the web site at the www.siterequest.com domain, and the virtual server is at IP address 11.1.11.3, add the following line to the hosts file on the machine running the browser:
   11.1.11.3 www.siterequest.com
All network traffic from the web browser machine for www.siterequest.com subsequently goes to the virtual server.
You should see the page that you would have received if your browser had accessed the origin web servers directly. If the browser times out the request, it means that either the WebAccelerator system is not running, or the firewall is blocking access to port 80 on the WebAccelerator system.
3. If you receive an "Access denied by intermediary. Domain not recognized." error, perform the following tasks:
   Verify that the hosts file is correct.
   Verify that you used a domain in the request that matches a requested host in the host map, and that it maps to the destination host.
Assigning the WebAccelerator application profile to the security policy in Application Security Manager
Before you run the Deployment Wizard for the Application Security Manager, you must assign the WebAccelerator application profile to the security policy. If you have more than one application profile configured, you can change the assignment on the Policy Properties screen in the Application Security Manager.
1. On the Main tab of the Application Security navigation pane, click Policies List.
   The Security Policies screen opens.
2. In the editing context area, ensure that the edited web application and security policy are those that you want to update.
3. In the Security Policies area, in the Security Policy Name column, click the name of the security policy that you want to edit.
   The Security Policy Properties screen opens.
4. Above the Configuration area, select Advanced.
   The screen refreshes, and displays additional configuration options.
5. For the WebAccelerator Cache Clear Settings option, from the Available WA Applications list, select the WebAccelerator application profile that you created, and click the Move button (<<) to add the profile to the Assigned WA Applications list.
6. Click the Save button.
Once you have configured the WebAccelerator system's application profile, you can create the Application Security Manager's security policy.
The most efficient way to build a security policy for a new web application is to use the Deployment Wizard. The Deployment Wizard automates the fundamental tasks required to initially build and deploy a security policy. The Deployment Wizard uses several deployment scenarios, which represent several typical environments that use application security, to guide you through the configuration process. The deployment scenarios include:
1. On the Main tab of the navigation pane, expand Application Security and click Web Applications.
   The Web Applications screen opens.
2. Click the Set Language link for the new web application.
   The Select Deployment Scenario screen opens.
3. In the Select Deployment Scenario area, select a deployment scenario.
   For more information about deployment scenarios, see the BIG-IP® Application Security Manager: Getting Started Guide, which is available on the AskF5℠ web site, https://support.f5.com.
4. Click the Run Deployment Wizard button.
   The Application Security Manager Deployment Wizard starts.