Manual Chapter: Securing and Accelerating HTTP Traffic with
This implementation describes the tasks that configure the BIG-IP Protocol Security Module and the BIG-IP WebAccelerator system to run on the same virtual server.
For this implementation, you must perform the following tasks before the system can secure connectivity and accelerate HTTP traffic to your applications.
Complete basic configuration on the BIG-IP Local Traffic Manager.
Before you can begin this implementation, you must complete the basic configuration requirements on the BIG-IP Local Traffic Manager. See Completing basic configuration tasks on the Local Traffic Manager, for more information.
Perform initial configuration tasks on the BIG-IP Local Traffic Manager.
To prepare the BIG-IP Local Traffic Manager to run the Protocol Security Module and the WebAccelerator system on the same virtual server, there are initial configuration tasks you must complete. See Performing initial configuration tasks on the Local Traffic Manager, for more information.
Create an application profile for the WebAccelerator system.
An application profile provides all of the basic information required for the WebAccelerator system to begin expediting traffic to your applications. See Creating an application profile for the WebAccelerator system, for more information.
Create an HTTP security profile in the Protocol Security Module configuration.
The final task is to create a custom HTTP security profile in the Protocol Security Module configuration, and associate the WebAccelerator application profile with it. See Creating an HTTP security profile in the Protocol Security Module configuration, for more information.
Before you can begin the configuration tasks to set up and run the Protocol Security Module and the WebAccelerator system on the same virtual server, you must perform basic configuration tasks on the BIG-IP Local Traffic Manager. Ensure that the following tasks have been completed:
License and provision the Protocol Security Module and the WebAccelerator system.
When you add new modules to a BIG-IP system, you activate add-on license keys, and also provision the system for the new software. Provisioning reallocates system resources, such as disk storage and memory. For more information, see the BIG-IP® Systems: Getting Started Guide.
Configure at least one DNS server.
You configure a DNS server to enable name resolution for your virtual servers and applications. For more information, see the TMOS Management Guide for BIG-IP® Systems.
Configure at least one NTP server.
The WebAccelerator system relies on the NTP protocol to keep system clocks synchronized. This synchronization ensures that the system properly maintains its cache, and synchronizes configuration changes for optional symmetric deployments. For more information, see the TMOS Management Guide for BIG-IP® Systems.
Once you have performed the basic configuration tasks on the BIG-IP Local Traffic Manager, you complete the initial configuration tasks required to prepare the BIG-IP Local Traffic Manager to run both the Protocol Security Module and the WebAccelerator system on the same virtual server. The virtual server load balances pools that host the web application for which the Protocol Security Module is checking security and the WebAccelerator system is expediting traffic. The virtual server is also the bridge that connects the Protocol Security Module and WebAccelerator, by using their respective profiles.
Create a WebAccelerator HTTP class profile.
The first step in configuring the Protocol Security Module and WebAccelerator is to create the WebAccelerator class profile. See Creating the WebAccelerator HTTP class profile, for more information.
Create an HTTP service profile
After you create the WebAccelerator profile, you create a custom HTTP service profile. This profile enables the protocol security checking that is performed on incoming HTTP traffic. See Creating an HTTP service profile, for more information.
Create a virtual server and pool.
In this step, you configure the virtual server, including assigning the HTTP class profile and the HTTP service profile to the virtual server, and define one or more pools. See Creating a virtual server and pool on the BIG-IP Local Traffic Manager, for more information.
The first task required to prepare the BIG-IP Local Traffic Manager to run the Protocol Security Module and the WebAccelerator system together is to create the WebAccelerator HTTP class profile.
1. On the Main tab of the navigation pane, expand WebAccelerator, and then click Class Profiles.
The HTTP Class screen opens.
2. Click the Create button.
The New HTTP Class Profile screen opens.
3. In the General Properties area, for the Name setting, type a unique name for the HTTP class profile.
4. From the Parent Profile list, select httpclass.
5. In the Configuration area, verify that the WebAccelerator setting is enabled.
6. Click the Finished button.
The system adds the new HTTP class profile, and displays the HTTP Class Profiles screen.
The second task that you perform is to create an HTTP service profile. The HTTP service profile (in the Local Traffic configuration) uses the HTTP security profile (in the Protocol Security Module configuration) to run the protocol-level security checks on incoming HTTP traffic. For more information about security profiles, see Creating an HTTP security profile in the Protocol Security Module configuration.
1. On the Main tab of the navigation pane, expand Local Traffic, and click Profiles.
The Profiles:Services:HTTP screen opens.
2. Click the Create button.
The New HTTP Profile screen opens.
3. In the General Properties area, for the Name setting, type a unique name for the profile.
4. For the Parent Profile setting, select the existing HTTP profile from which you want the new profile to inherit settings. The default setting is http.
5. Above the Settings area, check the Custom check box.
The system activates the editing mode for the individual settings.
6. Check the Protocol Security check box to enable HTTP security checks.
7. Click Finished.
The screen refreshes and displays the new HTTP service profile in the list.
Note: For more information about HTTP service profiles in general, see the Configuration Guide for BIG-IP® Local Traffic Management.
The next configuration task is to create a virtual server and pool on the local area network. The virtual server processes the incoming traffic, which includes applying the protocol security checks and the acceleration policy. The pool hosts the web application content that clients are accessing.
Note: The following procedure outlines only the basic virtual server configuration. For detailed information on virtual servers, including SSL virtual servers, and other local traffic components, see the Configuration Guide for BIG-IP® Local Traffic Management.
1. On the Main tab of the navigation pane, expand Local Traffic, and click Virtual Servers.
The Virtual Server List screen opens.
2. Click the Create button.
The New Virtual Server screen opens.
3. In the Name box, type a name for the virtual server.
4. For the Destination Type setting, click the Host button and type an IP address in the Address box.
5. In the Service Port box, type 80 or select HTTP from the list.
6. From the Configuration list, select Advanced.
The screen refreshes to display the advanced configuration options.
7. In the Configuration area, from the HTTP Profile list, select the HTTP service profile that you created.
8. For the SNAT Pool setting, select Auto Map.
Note: With Auto Map, the pool members see a self IP address of the BIG-IP system, not the client's address, as the source of each connection. If the origin web servers need the client address (for example, in their access logs), also enable the Insert X-Forwarded-For setting in the HTTP service profile that you created.
9. In the Resources area, for the HTTP Class Profiles setting, from the Available list, select the HTTP class profile that you created, and click the Move button (<<) to add the class to the Enabled list.
10. Next to the Default Pool list, click the Add (+) button.
The New Pool screen opens.
11. In the Name box, type a name for the pool.
12. For Health Monitors, from the Available list, select one or more health monitors and click the Move button (<<) to add them to the Active list.
13. In the Resources area, from the Load Balancing Method list, select a load balancing option.
14. Leave the Priority Group Activation setting at the default, Disabled.
15. For the New Members setting, select New Address, and in the Address and Service Port boxes, type the address and port for the pool members. Alternatively, you can select Node List, and select nodes to add to the New Members list.
16. Click the Add button.
17. Click Finished.
The screen refreshes and opens the New Virtual Server screen, where you see the new pool in the Default Pool list.
18. Click Finished again.
The system updates the configuration and displays the Virtual Server List screen, where you can see the virtual server that you created.
The application profile provides the key information that the WebAccelerator system needs to appropriately handle requests to your site's web applications. Creating an application profile consists of the tasks described in the sections that follow: choosing an acceleration policy, defining the host map, creating the application profile itself, and verifying the configuration.
To begin the process of creating an application profile, you must first decide which acceleration policy you want to associate with your application. One option is to select a pre-defined acceleration policy that is associated with your specific application publisher.
If you do not want to use an acceleration policy that is specific to a certain application publisher, you may use one of the two pre-defined general delivery acceleration policies. Both work well for most sites that use Java 2 Platform Enterprise Edition (J2EE) applications.
Level 1 Delivery
This pre-defined acceleration policy is compliant with HTML version 2.0. For this acceleration policy, the WebAccelerator system:
Ignores any no-cache directives included in HTTP Cache-Control request headers, and uses the cache response directives that it receives from the origin web server.
Level 2 Delivery
This pre-defined acceleration policy is compliant with HTML version 3.0 and later. For this acceleration policy, the WebAccelerator system:
Caches HTML pages and assigns a lifetime setting of 0, which prompts the WebAccelerator system to provide fresh content by making subsequent requests for that content, using a conditional GET.
Ignores any no-cache directives included in HTTP Cache-Control request header, and uses the cache response directives that it receives from the origin web server.
In addition to these application-specific and general delivery acceleration policies, the WebAccelerator system also provides a deployment-specific acceleration policy, called Symmetric Deployment. You can select this option if you are configuring an optional symmetric deployment. For more information about this option, see the Configuration Guide for the BIG-IP® WebAccelerator System.
If, however, you have a unique application for which you cannot use a pre-defined acceleration policy, you can customize the WebAccelerator system's behavior by creating a user-defined acceleration policy. In most cases, you do this by copying a pre-defined acceleration policy and modifying it as required. You also have the option of importing a signed acceleration policy that is created, certified, and encrypted by its author, such as a consultant or vendor.
For information about acceleration policy features, and instructions about how to create user-defined acceleration policies or import signed acceleration policies, see the Policy Management Guide for the BIG-IP® WebAccelerator System.
When the WebAccelerator system receives an HTTP request, it compares the host name in the request's Host header to the requested hosts in its host map to determine which application profile to apply. Once it matches an application profile, it uses the associated acceleration policy to handle the request.
When you create a host map, you identify the domain as it appears on the HTTP Host request header. These domains are called requested hosts. When you specify the host name for the requested host in a host map, you can use a wildcard, an asterisk (*) followed by a period, for the first character in the domain. This wildcard can represent one or more subdomains, enabling you to map several subdomains to one origin web server in one step. Using a wildcard saves time if your site has several subdomains.
Note: The WebAccelerator system is also capable of managing requests for unmapped domains, which are called unmapped requests. For more information, see the Configuration Guide for the BIG-IP® WebAccelerator System.
*.sales.siterequest.com maps all requested hosts that end in .sales.siterequest.com to the same destination host.
*siterequest.com maps all requested hosts that end in siterequest.com to the same destination host.
*.com maps all incoming requests that end in .com to one destination host.
* maps all incoming requests to one destination host.
If more than one requested host name in the host map matches a request, the WebAccelerator system chooses the host name that most closely matches the request. Consider a host map that defines the following requested hosts: www.a.com, a.com, *.a.com, and *.b.a.com.
A request to www.a.com maps to www.a.com, and does not map to *.a.com.
A request to a.com maps to a.com.
Requests to c.a.com and b.a.com both map to *.a.com.
A request to c.b.a.com maps to *.b.a.com.
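The most-specific-match rule described above, as an added worked example that is not F5 code and not part of the original chapter: a small Python lookup that applies the rules from the text (an exact name beats a wildcard, a wildcard with more labels beats a shorter one, and a bare * catches everything), including the normalization of the Host header value that a real lookup has to do first. The host maps and the application profile names in them are constructed for the illustration.

```python
"""Host-map lookup: choose the most specific requested-host pattern for an
HTTP Host header. Added example, not F5 code; the matching rules follow the
chapter text, and the host maps and application names are constructed."""

# Constructed host map for the www.a.com / a.com / *.a.com / *.b.a.com example.
# Application profile names are assumptions for this illustration.
HOST_MAP = {
    "www.a.com": "app-www",
    "a.com": "app-apex",
    "*.a.com": "app-any-subdomain",
    "*.b.a.com": "app-b-subdomains",
}

# Constructed host map for the broad wildcards listed earlier on the page.
BROAD_MAP = {
    "*.sales.siterequest.com": "app-sales",
    "*.com": "app-dotcom",
    "*": "app-catch-all",
}


def normalize_host(header_value):
    """Lower-case the Host header value and strip any :port suffix."""
    host = header_value.strip().lower()
    if host.startswith("["):
        host = host.split("]", 1)[0] + "]"        # bracketed IPv6 literal
    elif host.count(":") == 1:
        host = host.split(":", 1)[0]              # name:port
    return host.rstrip(".")


def pattern_matches(pattern, host):
    """'*' matches anything; '*.suffix' matches one or more labels in front
    of suffix (never suffix alone); anything else is an exact name."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])         # ".suffix" forces >= 1 label
    return host == pattern


def specificity(pattern):
    """Sort key: exact names beat wildcards, wildcards with more labels beat
    shorter ones, and the bare '*' ranks last."""
    if pattern == "*":
        return (0, 0)
    if pattern.startswith("*."):
        return (1, pattern[2:].count(".") + 1)
    return (2, pattern.count(".") + 1)


def resolve_requested_host(host_header, host_map):
    """Return (matched_pattern, application), or (None, None) for an unmapped
    request, which the chapter notes WebAccelerator handles separately."""
    host = normalize_host(host_header)
    candidates = [p for p in host_map if pattern_matches(p, host)]
    if not candidates:
        return (None, None)
    best = max(candidates, key=specificity)
    return (best, host_map[best])


if __name__ == "__main__":
    for h in ("www.a.com", "a.com", "c.a.com", "b.a.com", "c.b.a.com", "www.other.org"):
        print(h, "->", resolve_requested_host(h, HOST_MAP))
```

The lookup is keyed on the normalized Host header only; a client that sends a forged or mismatched Host header is therefore routed by that header, which is why the requested hosts in the application profile should be limited to names you actually serve.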
1. On the Main tab of the navigation pane, expand WebAccelerator and click Applications.
The Applications screen displays in a new window.
2. Click the Create button.
The New Application screen opens.
3. In the Application Name box, type a name for the application.
4. In the Description box, type an optional description.
5. From the Central Policy list, select the acceleration policy that you want the WebAccelerator system to use when requesting information from the associated application. If you have configured an optional symmetric deployment, we recommend that you select the Symmetric Deployment pre-defined acceleration policy, because it is specifically designed to manage content assembly in a symmetric deployment. For more information, see the Configuration Guide for the BIG-IP® WebAccelerator System.
6. If you have a symmetric deployment, from the Remote Policy list, select an acceleration policy for the remote WebAccelerator system. We recommend that you select the Symmetric Deployment pre-defined acceleration policy. If you do not have a symmetric deployment, do not select a remote policy.
7. In the Hosts section at the bottom of the screen, in the Requested Host box, type a valid host name.
8. To add additional client hosts that you want to allow access to the application, in the Hosts section at the bottom of the screen, click the Add Host button.
The screen refreshes and displays another Requested Host box, where you can type the name of an additional client host.
After you create an application profile, you must verify that the WebAccelerator system is able to properly send data to and receive data from the origin web servers.
1. On a machine separate from the WebAccelerator system, and from which you can run a web browser, open the hosts file and add the host name that you used to access the web site application. The host name must point to the IP address for the virtual server that you configured.
Note: On Microsoft® Windows® 2000 and Windows® XP machines, the path name for the hosts file is: C:\WINDOWS\system32\drivers\etc\hosts.
For example, if you can access the web site at the www.siterequest.com domain and the virtual server is at IP address 11.1.11.3, add the following line to the hosts file on the machine running the browser:
11.1.11.3 www.siterequest.com
All network traffic from the web browser machine for www.siterequest.com subsequently goes to the virtual server.
2. In the web browser on that machine, open the web site by its host name (in this example, http://www.siterequest.com).
You should see the page that you would have received if your browser had accessed the origin web servers directly. If the browser times out the request, either the WebAccelerator system is not running, or a firewall is blocking access to port 80 on the WebAccelerator system.
3. If you receive an Access denied by intermediary error, perform the following tasks:
Verify that the hosts file is correct.
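The verification above can also be scripted instead of editing the hosts file: connecting to the virtual server's IP address and sending the application's host name in the Host header has the same effect as the hosts entry. The following Python script is an added example, not part of the original chapter and not F5 code; it reuses the chapter's placeholder address 11.1.11.3 and host name www.siterequest.com, and it sorts the response into the outcomes the step describes (page returned, request timed out, or the Access denied by intermediary error).

```python
"""Verify the virtual server from a client machine without editing the hosts
file: connect to the virtual server's IP address and send the application's
host name in the Host header. Added example, not F5 code; the address and
host name are the chapter's placeholders, not real deployment values."""
import http.client
import socket
import sys

VIRTUAL_SERVER_IP = "11.1.11.3"          # placeholder from the chapter
REQUESTED_HOST = "www.siterequest.com"   # must match a requested host in the application profile
DENIED_MARKER = b"Access denied by intermediary"


def classify_response(status, body):
    """Map a response to the outcomes the verification step describes."""
    if DENIED_MARKER in body:
        return "denied"        # hosts entry or host map does not match
    if 200 <= status < 400:
        return "ok"            # page (or redirect) came back through the virtual server
    return "error"             # origin or BIG-IP returned an error status


def probe_virtual_server(vs_ip, host, path="/", port=80, timeout=10):
    """Send GET path to vs_ip with Host: host. Returns (outcome, status, body)."""
    conn = http.client.HTTPConnection(vs_ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "Connection": "close"})
        resp = conn.getresponse()
        body = resp.read()
        return classify_response(resp.status, body), resp.status, body
    except socket.timeout:
        # The chapter's two causes: WebAccelerator not running, or a firewall dropping port 80
        return "timeout", None, b""
    except ConnectionRefusedError:
        return "refused", None, b""    # nothing is listening on that address:port
    except OSError as exc:
        return f"unreachable ({exc})", None, b""
    finally:
        conn.close()


if __name__ == "__main__":
    outcome, status, _ = probe_virtual_server(VIRTUAL_SERVER_IP, REQUESTED_HOST)
    print(f"{REQUESTED_HOST} via {VIRTUAL_SERVER_IP}: {outcome} (HTTP {status})")
    sys.exit(0 if outcome == "ok" else 1)
```

Run it from the same client machine the chapter has you use, not from the BIG-IP system itself, so that the test exercises the same network path (and any firewall) that real clients will use.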
In the Protocol Security Module, the HTTP security profile specifies the HTTP security checks that are enforced by the Security Enforcer. You also associate the WebAccelerator application profile with the security profile. For detailed information about configuring protocol security profiles, refer to the Configuration Guide for BIG-IP® Protocol Security Module, which is available at https://support.f5.com.
Important: The following task assumes that you have already set up a remote logging configuration for security profile log files. For more information on remote logging and Protocol Security Module, refer to the Configuration Guide for BIG-IP® Protocol Security Module.
1. On the Main tab of the navigation pane, expand the Protocol Security section and click Security Profiles.
The HTTP Security Profiles screen opens in a new browser session.
2. Above the HTTP Security Profiles area, click the Create button.
The New Security Profile screen opens.
3. In the Profile Properties area, in the Profile Name box, type a unique name for the profile.
4. For the Remote Logging setting, check the box to enable remote logging for this security profile.
5. In the Defense Configuration area, you can update the blocking policy settings for the security profile by clicking a tab and modifying the settings as needed. If you do not check either Alarm or Block for a violation, the system does not perform the corresponding security check.
Check Alarm if you want the system to log any requests that trigger the security profile violation.
Check Block if you want the system to block requests that trigger the security profile violation.
Check both Alarm and Block if you want the system to perform both actions.
6. Click the Blocking Page tab to configure the blocking response page. If you have enabled the Block flag for any violations, the system sends the blocking response page to the offending client, instead of connecting them to the application.
7. Click the WebAccelerator tab. On this tab, you associate the WebAccelerator application profile with the HTTP security profile.
8. For the WebAccelerator Cache Clear Settings option, from the Available WA Applications list, select the WebAccelerator application profile and click the Move button (<<) to add it to the Assigned WA Applications list.
9. Click Create.
The screen refreshes, and you see the new security profile in the list.