Manual Chapter: Licensing and Basic Configuration

After you review Chapter 2, Planning Your Implementation, and have configured one or more BIG-IP® systems in your network, you license the Enterprise Management system.
To activate the Enterprise Manager license, you must have the base registration key. The base registration key is a character string that informs the license server about which, and how many, F5 products you are entitled to license. If you have other BIG-IP modules, you may also be required to enter their base registration keys. If you do not already have a base registration key, contact the F5 Networks Sales group (http://www.f5.com).
Note: For specific information about installing and configuring network settings on the MGMT interface, see the BIG-IP® Systems: Getting Started Guide.
1. From a workstation attached to the network on which you configured the management port, type the following URL in the browser, where <IP address> is the address you configured for the management port (MGMT):
2. At the password prompt, type the user name admin and the password admin, and click OK.
   The Licensing screen of the Configuration utility opens (Figure 3.1). The Setup utility appears the first time you run the Configuration utility.
3. Click Activate.
   Follow the on-screen prompts to license the system. For additional information, click the Help tab.
After you activate the system license, the setup utility prompts you to provide the basic configuration information from the Platform screen, as shown in Figure 3.2. For specific information about each setting, click the Help tab in the navigation pane.
Tip: If you need to reconfigure any system settings in the future, you can run the setup utility again by clicking the Run the Setup utility link from the Configuration utility Welcome screen.
Important: Enterprise Manager high availability systems do not have all the high availability features of a BIG-IP system. The main function of Enterprise Manager high availability is to provide an updated backup of the configuration of the active Enterprise Manager system. For more information, see Configuring Enterprise Manager as a high availability system.
Once you license the system and configure the basic management system settings, the network configuration options screen opens in the Configuration utility. The two options for creating the enterprise management network configuration are:
Basic Network Configuration
To select this option, click Next. The Basic Network Configuration wizard guides you through a basic network configuration that includes an internal and external VLAN and interface.
Advanced Network Configuration
To create a network with a custom VLAN configuration, click Finished.
When you click Next to configure a basic network configuration, the Basic Network Configuration wizard screen displays as shown in Figure 3.3.
You can use the Basic Network Configuration wizard to configure two default VLANs for the system, internal and external. For information about specific settings, click the Help tab.
If you clicked Finished to create an advanced network configuration, the Configuration utility displays the Welcome screen. On the Main tab, click Network, and then VLANs to configure your network.
For information about configuring VLANs, see the TMOS® Management Guide for BIG-IP® Systems. For information about specific settings, click the Help tab.
Tip: You can update your network configuration at any time using the screens available, by clicking Network or System on the Main tab.
When you start Enterprise Manager for the first time, the Welcome screen displays by default. You may find another screen more useful to display upon start up, so you can customize Enterprise Manager to open that screen instead.
Table 3.1 describes the screen options that you can configure Enterprise Manager to display upon startup.
To open the Device List screen, on the Main tab, expand Enterprise Management, and click Devices.
To open the task list screen, on the Main tab, expand Enterprise Management, and click Tasks.
To open the device statistics screen, on the Main tab, expand Enterprise Management, click Devices, then on the menu bar, click Statistics.
1. On the Main tab, expand System and click Preferences.
2. From the Start Screen list, select a screen.
3. Click Update to save your changes.
Enterprise Manager can send email alerts, log events in a remote syslog file, or send SNMP traps, and it logs each alert event in the alert history. Depending on how many alerts you need to track over time, you can also specify the maximum size for the alert log. We recommend that you configure the alert defaults before enabling alert instances that use any of these options.
Note: For information about how the alerting process works in Enterprise Manager and how to configure alerts for managed devices in the network, see Chapter 11, Monitoring and Alerts.
1. On the Main tab, expand Enterprise Management, and click Alerts.
   The Device Alerts screen opens.
2. On the menu bar, click Options.
   The Alert Options screen opens.
3. In the Email Recipient box, type the email address of the user or alias that you want to set as the default mail recipient for an alert.
4. In the Syslog Server Address box, type the IP address of the remote server that you want to set as the default if you opt to log an event in a server's syslog file.
5. In the Alert History area, in the Maximum History Entries box, type the maximum number of alerts that you want logged in the Alert History.
   If the alert history reaches the limit you set, the system deletes the oldest entries to create room for newer entries.
6. Click Save Changes.
Tip: If you do not want to use the email or syslog defaults for a particular alert, you can specify a unique email address or syslog server address when you create a new alert.
You can configure the system to send email messages to a specified user when that alert is triggered. To enable this feature, you must configure the Enterprise Manager system to deliver locally generated email messages by completing the following procedures.
Ensure that the postfix service is running
Note: To configure internal email, you must have root access to the command console and Administrator privileges for the Configuration utility.
By default, the postfix mail server service is enabled when you install the Enterprise Manager software, but you may need to confirm this by performing the following steps.
1. On the Main tab, expand System and click Services.
   The Services screen opens displaying the available system services and how long each service has been running.
3. If postfix is down, check the box next to postfix, and click Start or Restart below the list.
1. On the Main tab, expand System and click Configuration.
   The Device: General screen opens.
2. From the Device menu, choose DNS.
   The Device: DNS screen opens.
3. For the DNS Lookup Server List setting, in the Address box, type the IP address of your DNS server(s).
4. Click Add.
   The address moves to the box below the Add button.
5. Click Update.
1. Log in as root at the command line.
2. Verify the DNS resolution for the domain to which you will be sending email, by typing the following command:
   For example, to query type MX and siterequest.com, which is where email is delivered, you would type the following command:
   You should receive a response similar to that shown in Figure 3.4, indicating that Enterprise Manager is able to resolve the mail exchanger.
By default, the postfix mail server is started when you start Enterprise Manager. If you need to modify postfix files, perform the following steps from the command line of the Enterprise Manager system, then restart the postfix service.
1. Using a text editor, such as vi or pico, edit the /etc/postfix/main.cf file.
2. Find the mydomain variable and change it to specify your site's domain. For example, if your domain is siterequest.com, change the variable to:
3. Set the relayhost variable as in the following example:
4. If you want email sent only from localhost, set the inet_interfaces variable by typing the following:
6. Edit the /etc/hosts file to create a record for the fully qualified domain name of your mailserver, by typing the following command:
   echo "<your_mailserver_IP_address> <your_mailserver_fqdn>" >> /etc/hosts
11. In the /etc/postfix/aliases file, locate the following entry:
12. Change the root alias mapping to the email account to which you want mail to be sent.
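The settings edited in this procedure can be checked after the change. The script below is an added example, not part of the original manual: the function names kv_get and audit_mail_config, the sample values, and the rule that the root alias should be a user@domain address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the two Postfix files edited in the procedure above.

# kv_get FILE KEY SEP: print the value assigned to KEY. The last assignment
# wins; comments, blank lines and continuation lines are skipped.
kv_get() {
    awk -v key="$2" -v sep="$3" '
        /^[ \t]*(#|$)/ || /^[ \t]/ { next }
        {
            p = index($0, sep); if (p == 0) next
            k = substr($0, 1, p - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            val = substr($0, p + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        END { print val }
    ' "$1"
}

# audit_mail_config MAIN_CF ALIASES: print findings, return the failure count.
audit_mail_config() {
    fails=0
    mydomain=$(kv_get "$1" mydomain "=")
    relayhost=$(kv_get "$1" relayhost "=")
    inet=$(kv_get "$1" inet_interfaces "=")
    root_alias=$(kv_get "$2" root ":")

    [ -n "$mydomain" ]  || { echo "FAIL mydomain is not set"; fails=$((fails + 1)); }
    [ -n "$relayhost" ] || { echo "FAIL relayhost is not set"; fails=$((fails + 1)); }

    # An unset inet_interfaces means "all" in Postfix, so the SMTP listener
    # is reachable from the network unless it is bound to loopback.
    case "$inet" in
        localhost|loopback-only|127.0.0.1) ;;
        *) echo "FAIL inet_interfaces='${inet:-unset, default all}' is not loopback-only"
           fails=$((fails + 1)) ;;
    esac

    # Assumption: mail for root should be forwarded to a user@domain mailbox.
    case "$root_alias" in
        *@*) ;;
        *) echo "FAIL root alias '${root_alias:-none}' is not an email address"
           fails=$((fails + 1)) ;;
    esac

    [ "$fails" -eq 0 ] && echo "OK mydomain=$mydomain relayhost=$relayhost inet_interfaces=$inet root->$root_alias"
    return "$fails"
}

# Constructed sample files; the values are illustrative, not from a real system.
demo=$(mktemp -d)
printf '%s\n' 'mydomain = siterequest.com' 'relayhost = $mydomain' \
    'inet_interfaces = all' 'inet_interfaces = localhost' > "$demo/main.cf"
printf '%s\n' '# aliases' 'root: netops@siterequest.com' > "$demo/aliases"
audit_mail_config "$demo/main.cf" "$demo/aliases" || echo "failures: $?"

# Weak variant: relayhost commented out, listener left at the default,
# root mail kept on a local account.
printf '%s\n' 'mydomain = siterequest.com' '#relayhost = $mydomain' > "$demo/weak.cf"
printf '%s\n' 'root: postfix' > "$demo/weak_aliases"
audit_mail_config "$demo/weak.cf" "$demo/weak_aliases" || echo "failures: $?"
rm -rf "$demo"
```

On the Enterprise Manager system, the two arguments are /etc/postfix/main.cf and /etc/postfix/aliases.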
When configured, the alerting features of Enterprise Manager can send SNMP traps to a remote SNMP server. Simple Network Management Protocol (SNMP) is an industry-standard protocol that gives a standard SNMP management system the ability to remotely manage a device on the network. The SNMP versions that the Enterprise Manager system supports are: SNMP v1, SNMP v2c, and SNMP v3.
If you elect to send SNMP traps when configuring alerts, you must configure the SNMP agent and SNMP client access to the Enterprise Management system. Because the Enterprise Manager system shares the same operating system as a BIG-IP system, you can configure SNMP on the Enterprise Manager system in the same way that you do on a BIG-IP system. See the TMOS® Management Guide for BIG-IP® Systems for detailed information about how to configure SNMP traps.
The main function of the Enterprise Manager high availability configuration is to provide a warm backup of an active system. A warm backup is a system that duplicates the configuration information of its peer device, and can perform all of the functions of its peer, but requires manual intervention to maintain the integrity of the backup configuration information.
The primary benefit of an Enterprise Manager high availability system is to have an active/standby configuration where you back up the Enterprise Manager configuration (including device, alert, archive, certificate, and software repository information). This ensures that you can maintain a backup of all the network management information stored in the Enterprise Manager database, as long as you run regular ConfigSync tasks whenever you change the Enterprise Manager configuration.
The high availability features for Enterprise Manager are not the same as the redundant system features associated with a BIG-IP system. It is important to keep the following facts in mind when using a high availability Enterprise Manager system.
Enterprise Manager can use only an active/standby configuration for high availability.
When you define the high availability settings on the Platform Setup screen during the initial system configuration, you must use the active/standby configuration and not the active-active configuration.
The failover function on Enterprise Manager is different than on a BIG-IP system.
An Enterprise Manager system cannot synchronize, in real time, user-configured or scheduled tasks, such as a software installation or archiving task. To fail over successfully, you must run a ConfigSync operation after each major configuration change.
After a failover, the newly active system maintains the last known configuration before any user-initiated or scheduled task if the systems were properly synchronized. If a failover occurs during a running task, you must reconfigure and re-start the task.
The ConfigSync process requires much more time on an Enterprise Manager system than on a BIG-IP system.
Enterprise Manager's database contains considerably more configuration data than a typical BIG-IP system because it stores data for a large number of devices. Therefore, a ConfigSync procedure takes more time than a similar process on a typical BIG-IP system. Also, when you start a ConfigSync task for Enterprise Manager, the system may report that the task is complete, although it is still running.
To ensure that the configurations are synchronized after you start a ConfigSync task, check the status of devices on the target device where you are copying the configuration. If a Maintenance Task appears in the task list, the ConfigSync task is not complete.
Additionally, if a task is running during a failover, the task does not continue when a standby peer becomes the active peer. If this occurs, re-configure the task and restart it.
You cannot make configuration changes on an Enterprise Manager system that is in standby mode.
When an Enterprise Manager system is in standby mode, you cannot make configuration changes such as adding devices, importing software, or configuring alerts on the standby device. If you attempt to make changes on a system in standby mode, you may incur an error.
To ensure that you do not initiate tasks on a standby system, check for an Active or Standby status message in the upper left corner of the screen.
Tip: To maintain the best possible backup capabilities of an Enterprise Manager pair, you must start a ConfigSync task after any major configuration change.
Before you can set up a high availability Enterprise system, you must prepare your network for a high availability system, using the following procedure.
An Enterprise Manager system manages information about other systems, so it requires some changes to the network topology to work successfully with certain tasks such as software upgrades. For two peer systems to properly communicate information about managed devices, perform the following procedures before you start configuring initial settings for the high availability system.
1. Configure at least one static self IP address (instead of using the MGMT interface to connect the devices), because a TMM port can support both static and floating self IP addresses. Use of a floating self IP address is necessary to ensure that the managed devices can communicate with the active device of an Enterprise Manager redundant system configuration.
3. Configure a default gateway or route on the same network as each of the two self IP addresses that you configured.
To configure two Enterprise Manager systems as a high availability system, you must run an initial configuration synchronization for the systems to work properly. Additionally, you must specify the same password for the admin user on each device in the redundant system configuration.
For specific instructions, see the Configuring High Availability chapter in the TMOS® Management Guide for BIG-IP® Systems.
You can manage the ConfigSync task on the Enterprise Manager device in the same way that you manage high availability managed devices. See Using high availability systems, for more information.
Additionally, you can monitor the synchronization status of the Enterprise Manager pair from the device's general properties screen, or by looking at the status displayed in the upper left corner of the screen above the navigation pane.
If the Enterprise Manager system is configured as a high availability system, you can back up your system's monitoring information by regularly running the ConfigSync task. See Configuring Enterprise Manager as a high availability system, for more information.
In the high availability configuration, you can schedule and configure the inclusion or exclusion of statistics data on the Enterprise Manager system. For more information about this process, see Setting up a high availability Enterprise Manager system.
When you initially set up Enterprise Manager, you configure a default administrator-level user account that permits you to configure and start working with the system through the web interface. Enterprise Manager classifies user role permissions as two types, restricted and non-restricted. These user roles are defined as follows.
Administrator (non-restricted)
An Administrator-level user can perform all management functions available in Enterprise Manager, including managing other user accounts and roles.
Operator and Application Editor (restricted)
The Operator and Application Editor roles can, by default, perform fewer management tasks on the system than the Administrator. You can customize each role by specifying the tasks the role is allowed to perform.
You cannot assign user-management or administrator-level permissions to restricted user roles. You can, however, define other types of device management actions for restricted users. The individuals to whom you assign restricted user roles inherit the permissions that you specified.
By specifying user role permissions, you define which users can perform certain device management tasks. Because each user is assigned a different role, you can manage user permissions by changing the permissions for the role.
For example, if you want UserOne and UserTwo to manage device configurations differently, you complete the following tasks:
Assign UserOne to the Application Editor role.
Assign UserTwo to the Operator role.
You can specify up to eight different types of permissions for each restricted user role. Table 3.2 outlines all of the user role permissions that you can assign to the restricted user roles, Operator and Application Editor.
Archive Device Configurations
Browse Device Configurations
Users can view device configuration settings using the Enterprise Manager configuration browser.
Compare Device Configuration Archives
Deploy Staged Changesets
Users can deploy a staged changeset, whether it was created by that user or another user.
Synchronize Device Configuration with Peer
Users can start a fail over process from one managed device to the device's failover peer. Additionally, users can initiate a fail back process for an active-active configuration.
1. On the Main tab, click Permissions.
   The Permissions screen opens.
3. Click Apply to save the changes to the user role permissions.
Important: By default, only certain staged changeset permissions are enabled for Operators. To fully implement user role access control, you must enable roles on the Permissions screen prior to assigning users device configuration management tasks.
To use Enterprise Manager to discover and manage devices in your network, you must also configure an administrator user account (Administrator or Operator) that matches the administrator-level user name on the devices that you want to manage.
The User list displays all users who have Administrator role (non-restricted) privileges to managed devices in your network. Each managed device authenticates the stored user names in order to authorize Enterprise Manager to perform device management tasks.
Warning: When you add users, you must use the same administrator-level user name that you currently use for managing BIG-IP systems in your network. This ensures that you can successfully manage devices as soon as Enterprise Manager discovers them and adds them to the Device List screen.
1. On the Main tab, expand System and click Users.
   The Users list screen opens.
2. Click Create.
   The New User screen opens.
3. In the User Name box, type the administrative-level user name that you are currently using to manage BIG-IP systems in your network.
4. For Password, in the New and Confirm boxes, type the password for the user you just entered and confirm the password.
5. From the Role list, select Administrator, Operator, or Application Editor.
   Note: If you select another user role, managed devices cannot authorize the user to perform management tasks, and the user cannot initiate tasks using the Enterprise Manager system.
6. From the Partition Access list, select an option to determine which administrative partitions the new user can access.
   The default is All partitions.
7. To allow the user to access the Enterprise Manager from the command line, from the Terminal Access list, select Enabled.
8. To add a new user, click Repeat, and repeat steps 3 through 7.
   The system adds the user settings you just configured, then clears the User Name and Password boxes.
9. Click Finished to return to the user list, or click Repeat to add another user.
1. On the Main tab, expand System and click Users.
   The Users list screen opens.
2.
a) To change the user password:
   For Password, in the New and Confirm boxes, type the new password for the user.
b) To change the user role:
   From the Role list, select Administrator or Operator.
c) To change the user's partition access setting:
   From the Partition Access list, select an option to determine which administrative partitions the new user can access.
   The Partition box indicates the current setting for this user's partition access.
d) To allow the user access to the command console:
   From the Terminal Access list, select Enabled to permit the user to access the Enterprise Manager device from the command line.
4. Click Update to save the changes to the user account properties.
By default, Enterprise Manager uses a local database to authenticate users. Enterprise Manager maintains a local authentication list of users, but you can choose to use a remote LDAP, Active Directory, RADIUS, or TACACS+ authentication source.
1. On the Main tab, expand System and click Users.
   The Users list screen opens.
2. On the menu bar, click Authentication.
   The Authentication Source screen opens.
3. Below the Authentication area, click Change.
   The User Directory box changes to a list.
4. From the User Directory list, select the type of remote source to use to authenticate users:
5. In the Authentication area, specify the configuration settings for the remote authentication server.
   See the online help for detailed information about the Authentication area.
6. Click Finished to save your changes.
The Enterprise Manager system ships with defaults set for certain preferences. You can change these defaults and customize how the system handles certain scenarios, such as:
When Enterprise Manager creates a configuration archive, by default the system stores private keys in the archive. You can change this default behavior so that private keys are not stored in an archive, but if you restore this archive, you may have to manually restore the keys if they have changed.
1. On the Main tab, expand Enterprise Management, and click Tasks.
   The Task List screen opens.
2. On the menu bar, click Options.
   The Task Options screen opens.
3. From the Private Keys in Archives list, select one of the following options:
   Include: When the system creates a configuration archive, it stores private key data in the archive stored on the Enterprise Manager system.
   Exclude: When the system creates a configuration archive, it does not store any private key data associated with the archive on the Enterprise Manager system.
4. Click Save Changes.
Although Enterprise Manager communicates with managed devices and F5 servers through a secure HTTPS connection, you may want to use your own proxy server for certain communications.
Enterprise Manager can use an SSL proxy for downloading licensing information, support information, or Application Security Manager attack signature files from F5 servers to a managed device. Additionally, you can use an FTP or SFTP (secure file transfer protocol) proxy to send support data in a Support Data Collection task. Enterprise Manager can also use an SSL proxy server for communications between Enterprise Manager and a managed device, such as when performing tasks.
When you specify a proxy server, it applies only to tasks configured through Enterprise Manager task wizards, such as the Licensing wizard. For example, if you update the licensing information about a device using the License option from the System menu on the navigation pane, Enterprise Manager does not send licensing information through the proxy.
For more information about licensing management tasks, see Managing licenses. To learn about Application Security Manager attack signature management, see Viewing installation task progress. For more information about gathering support data, see Collecting information for F5 support.
Note: Enterprise Manager does not support proxies for communication between peer Enterprise Managers configured in a high availability pair.
To specify a proxy server for Enterprise Management to use to manage device licensing, support data, and ASM attack signature files
1. On the Main tab, expand Enterprise Management, and click Tasks.
   The Task List Screen opens.
2. On the menu bar, click Options.
   The Task Options screen opens.
4. For SSL Proxy Address, type the IP address and port of the proxy server that you want to use for SSL communications.
a) Clear the Also use this proxy address for the FTP protocol box.
   The FTP Proxy Address box displays.
b) In the FTP Proxy Address box, type the IP address and port number of the FTP proxy server.
6. Click Save Changes.
To specify a proxy server to use for connections between Enterprise Manager and managed devices
1. On the Main tab, expand Enterprise Management, and click Tasks.
   The Task List Screen opens.
4. In the EM-side SSL Proxy Address box, type the IP address and the port number of the SSL proxy that Enterprise Manager connects through, to reach the managed device.
5. If you want to specify a separate proxy for device connections, clear the Also use this proxy address for the device-side connections box.
6. In the Device-side Proxy Address box, type the IP address and port number of the SSL proxy server that the managed device connects through, to reach Enterprise Manager.
7. Click Save Changes.
When you perform an archive comparison task, Enterprise Manager compares certain configuration files by default.
1. On the Main tab, expand Enterprise Management, and click Tasks.
   The Task List Screen opens.
2. On the menu bar, click Options.
   The Task Options screen opens. The Archive Comparison area lists the configuration files compared in an archive comparison task.
3. Modify the Files to Compare list, as required:
   To add a configuration file to compare, in the File Name box, type the path and file name of the configuration file, and click Add.
4. Click Save Changes.