Manual Chapter: Optional Configuration

About configuring customization options

After you activate the license, complete the initial setup, and specify your network configuration options, you can customize settings for other Enterprise Manager™ features.

About UCS archive storage

The configuration details of managed devices (including Enterprise Manager itself) are contained in a compressed user configuration set (UCS) file with the extension of .ucs. This file contains all of the information required to restore a device's configuration, and consists of these elements:

  • System-specific configuration files
  • License
  • User account and password information
  • DNS zone files
  • NameSurfer configuration
  • SSL certificates and keys

Enterprise Manager saves UCS files to a UCS archive. You can create a task to save UCS archives for devices at regularly scheduled intervals. Archives that are created and saved on a schedule are called rotating archives. When the system creates rotating archives, it compares the most recently stored UCS archive file to the current configuration on the device at the specified interval. If there are any differences, Enterprise Manager stores a copy of the current configuration in a UCS archive. If there are no differences, Enterprise Manager does not store an additional copy of the current configuration, which leaves you room to store a higher number of unique historical UCS archives. When Enterprise Manager reaches the maximum number of archives specified to store, it deletes the oldest archive in the rotating archive list. By default, Enterprise Manager stores up to 10 rotating archives each for itself and for every managed device.

Another option for archive storage is to create an archive of a specific UCS for a device, referred to as pinning an archive. Enterprise Manager also creates a pinned archive of a device's current configuration before it installs new software. Pinned archives are stored until you delete them.
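
The retention behavior described above, as an added example that is not Enterprise Manager code: a small model of one device's rotating and pinned archives. The class and function names are hypothetical, and a SHA-256 content hash is an assumed stand-in for the product's comparison of the stored archive with the current configuration.

```python
import hashlib
from collections import deque

MAX_ROTATING = 10  # default number of rotating archives stated on this page


class ArchiveStore:
    """Toy model of one device's UCS archives (hypothetical, not product code)."""

    def __init__(self, max_rotating=MAX_ROTATING):
        self.max_rotating = max_rotating
        self.rotating = deque()  # oldest first: (label, digest)
        self.pinned = {}         # label -> digest, kept until deleted

    @staticmethod
    def _digest(config: bytes) -> str:
        # Assumption: a content hash stands in for the product's comparison.
        return hashlib.sha256(config).hexdigest()

    def scheduled_check(self, label: str, config: bytes) -> bool:
        """Run one scheduled check; return True if a new archive was stored."""
        digest = self._digest(config)
        if self.rotating and self.rotating[-1][1] == digest:
            return False               # no differences: no additional copy
        self.rotating.append((label, digest))
        if len(self.rotating) > self.max_rotating:
            self.rotating.popleft()    # delete the oldest rotating archive
        return True

    def pin(self, label: str, config: bytes) -> None:
        """Store a pinned archive; rotation never removes it."""
        self.pinned[label] = self._digest(config)


def simulate():
    """Constructed scenario: 14 checks, configuration unchanged on days 3 and 4."""
    store = ArchiveStore()
    store.pin("before-upgrade", b"config v0")
    stored = 0
    for day in range(14):
        version = 2 if day in (3, 4) else day
        stored += store.scheduled_check(f"day{day}", f"config v{version}".encode())
    return stored, [label for label, _ in store.rotating], sorted(store.pinned)


if __name__ == "__main__":
    print(simulate())
```

In this scenario the two unchanged days consume no archive slots, the two oldest rotating archives are deleted once the limit of 10 is passed, and the pinned archive is untouched.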

Creating a rotating UCS archive schedule

A device must be listed on the Device List screen before you can create a rotating archive schedule for it.
It is best practice to create a rotating archive schedule for each device in your network so that you always have a copy of a recent configuration. The UCS archive provides your network with added stability in the event that a configuration change results in a need for a system restore. You can create a customized schedule for a specific device, or create several schedules and assign any number of devices to each schedule.
  1. On the Main tab, click Enterprise Management > Tasks > Schedules > Archive Collection. The Archive Collection screen opens.
  2. Click the Create button. The New Scheduled Task screen opens.
  3. In the Archive File Name field, type a name for the rotating archive schedule.
  4. From the Check for Changes list, select the frequency that you want Enterprise Manager to check for configuration changes. Depending on your selection, the screen refreshes to display associated options.
  5. Click Finished to save the settings.
The Archive Collection list screen opens and the new rotating archive schedule appears in the list. If a device in the Assigned list changes its configuration during the interval you specified, Enterprise Manager creates an archive of the device's configuration and adds it to the rotating archives on the Archives Collection screen.

Changing private key archive settings

When Enterprise Manager™ creates a UCS archive, it stores the private keys in the archive by default. If you would prefer not to have the system store the private keys in the UCS archive, you can change this default behavior.
Important: If you choose not to have Enterprise Manager™ store the private keys in the UCS archive, you must manually restore the keys if you restore the archive.
  1. On the Main tab, click Enterprise Management > Options > Certificates > SSL Private Keys.
  2. From the Private Keys in Archives list, select an option:
    Option | Description
    Include | Select this option if you want the system to store private key data when it creates a configuration archive. This is the default setting.
    Exclude | Select this option if you do not want the system to store private key data when it creates a configuration archive. Note that if you select this option, you must manually restore the keys if you restore the archive.
  3. Click Save Changes.
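
One way to check whether a stored archive carries private key data after changing this setting, as an added example that is not part of the original manual or of any F5 tool. It assumes the .ucs file is an unencrypted, gzip-compressed tar archive (the page says only "compressed"); the function names and the member names in the sample are constructed for illustration.

```python
import io
import re
import tarfile

# PEM header of a private key (RSA, EC, PKCS#8, encrypted PKCS#8, ...)
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def find_private_keys(archive_bytes: bytes) -> list[str]:
    """Return the names of archive members that contain a PEM private key."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            if PEM_PRIVATE_KEY.search(data):
                hits.append(member.name)
    return sorted(hits)


def build_sample_archive(files: dict[str, bytes]) -> bytes:
    """Build an in-memory, constructed stand-in for a .ucs file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample content: placeholders, not real key or certificate data.
KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder)\n"
       b"-----END RSA PRIVATE KEY-----\n")
CERT = (b"-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n"
        b"-----END CERTIFICATE-----\n")
BASE = {"conf/site.conf": b"constructed config\n", "ssl/site.crt": CERT}
INCLUDE_ARCHIVE = build_sample_archive({**BASE, "ssl/site.key": KEY})
EXCLUDE_ARCHIVE = build_sample_archive(BASE)

if __name__ == "__main__":
    print("Include:", find_private_keys(INCLUDE_ARCHIVE))
    print("Exclude:", find_private_keys(EXCLUDE_ARCHIVE))
```

An empty result for an archive created with Exclude selected confirms the setting took effect; any hit means the archive needs the same handling as the keys it contains.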

About the startup screen

Each time you log in to Enterprise Manager™, a startup screen displays. By default, the startup screen is the Welcome screen, but you have the option to change this screen if you find an alternative screen more useful.

Changing the default startup screen

You can customize your system to display a specific screen upon startup.

  1. On the Main tab, click System > Preferences.
  2. From the Start Screen list, select the default screen that you want displayed at startup.

Default startup screen options

You can use this table to determine which screens are most relevant to your needs.

Default startup screen option | Description | To access
Welcome | Contains links to setup, support, plug-ins, and additional downloads. | Click Overview and Welcome.
Performance | Displays statistics related to the Enterprise Manager system performance. | Click Overview and Performance.
Device List | Displays a list of all of the devices you are managing with Enterprise Manager. | Click Enterprise Management and Devices.
Task List | Displays a list of running and completed tasks. | Click Enterprise Management and Tasks.
Custom Lists | Displays a customizable list of objects. | Click Enterprise Management and Custom Lists.

About user roles and authentication

A user role specifies the type of management tasks that a user can perform on managed devices in your network. Permissions for user roles are classified as either non-restricted or restricted. The user roles are defined as:

Administrator
This (non-restricted) role can perform all management functions available to Enterprise Manager, including managing other user accounts and roles.
Operator and Application Editor
By default, these (restricted) roles perform fewer management tasks than the Administrator. You can customize each role by specifying the tasks that the role is allowed to perform.

Users are authenticated through Enterprise Manager's local database.

Customizing user role permissions

When you complete the initial setup tasks for Enterprise Manager™, you specify a default administrator-level user account that permits you to configure and start working with the system through the web interface. You can use this procedure to customize permissions for users, defining which user role (Operator or Application Editor) can perform specific device management tasks.
  1. On the Main tab, click Enterprise Management > Access Control > Role Permissions.
  2. For each restricted user role, select or clear the check box next to the permission you want to modify.
  3. Click Apply to save your changes.

User role permissions and management tasks

There are eight different types of permissions that you can specify for each restricted user role. You can assign any of these management task permissions to the Operator and Application Editor user roles.

Permission | Management task
Manage Device Configuration Archives | Create and manage UCS archives for all managed devices
Browse Device Configurations | View configurations from the Enterprise Manager configuration browser
Compare Device Configuration Archives | Compare UCS configuration files between two devices
Stage Changesets for Deployment from Published Templates | Create a new staged changeset from a published template
Deploy Staged Changesets | Deploy a staged changeset created by a user
Administer Device Lists | Manage device list members
Synchronize Device Configuration with Peer | Synchronize peer device configurations
Failover Devices | Initiate a failover to a peer managed device

Adding new users

All users and their privileges are displayed in the User list.

Important: When you add users, you must use the same administrator-level user name that you currently use for managing BIG-IP devices in your network. This ensures that you can successfully manage devices as soon as Enterprise Manager discovers them and adds them to the Device List screen.
  1. In the navigation pane, click System > Users. The Users list screen opens.
  2. Click the Create button. The New User screen opens.
  3. In the User Name field, type the administrative-level user name that you are currently using to manage the BIG-IP devices in your network.
  4. In the New and Confirm fields, type the password for the user.
  5. From the Role list, select one of the following roles.
    Option | Description
    Administrator | Grants user complete access to all objects on the system and permission to perform configuration synchronization on a redundant system.
    Operator | Grants user permission to enable or disable existing nodes and pool members.
    Application Editor | Grants user permission to modify existing nodes, pools, pool members, and monitors.
    If you select another user role, managed devices cannot authorize the user to perform management tasks, and the user cannot initiate tasks using the Enterprise Manager system.
  6. From the Partition Access list, select an option to specify which administrative partitions the new user can access.
  7. From the Terminal Access list, select Enabled to allow the user command-line access to Enterprise Manager.
  8. Click the Repeat button to add another user, or click the Finished button to return to the User list.

Changing user authentication source

By default, Enterprise Manager uses a local database to authenticate users, but you can choose to use a remote LDAP, Active Directory, RADIUS, or TACACS+ authentication source.
  1. In the navigation pane, click System > Users. The Users list screen opens.
  2. On the menu bar, click Authentication. The Authentication screen opens.
  3. Click the Change button.
  4. From the User Directory list, select an option. The screen refreshes to display options specific to the authentication source you selected.
  5. Specify the configuration settings for the remote authentication server. Refer to the online help for information specific to each authentication setting.
  6. Click the Finished button to save your changes.

About proxy servers for Enterprise Manager

If you do not want to expose the IP address of the Enterprise Manager system or devices, you can use a proxy server specific to the type of communication.

Proxy server | Description
Internet proxy server | For outbound communication from the EM to F5 Networks to download licensing information, support information, and Application Security Manager attack signature files
Device proxy server | For communication between Enterprise Manager and managed devices in your network
iControl proxy server | For inbound communication to managed devices, required for authentication, pass-through, and device inventory
SMTP proxy server | For alert email notification

You can configure Enterprise Manager to use a single proxy for SSL and FTP connections, or to use a unique proxy for each protocol.

Specifying a device proxy server for communication between Enterprise Manager and devices

By default, Enterprise Manager™ communicates with devices through HTTPS. You have the option to specify a proxy server for communication between Enterprise Manager and your network devices.
  1. On the Main tab, click Enterprise Management > Options > Servers.
  2. In the Device Proxy Server area, select the Use Proxy check box. The screen refreshes, displaying additional options.
  3. In the EM-side SSL Proxy Address field, type the SSL proxy server address that you want to use for Enterprise Manager.
  4. If you want to use the same SSL proxy address for the device side, select the Also use this proxy address for the device-side connections check box.
  5. To specify a separate device-side SSL proxy address, clear the Also use this proxy address for the device-side connections check box and type an IP address in the Device-side SSL Proxy Address field.
  6. Click Save Changes.

Specifying a proxy for iControl communication

When you specify an iControl proxy, Enterprise Manager acts as a proxy to support authentication, pass-through, and device inventory using iControl.
  1. On the Main tab, click Enterprise Management > Options > Servers.
  2. In the iControl Proxy area, select the Use Proxy check box.
  3. Click the Save Changes button.

Creating an SMTP server configuration

Specify the SMTP server details so that you can configure SMTP email notification.
  1. On the Main tab, click System > Configuration > Device > SMTP.
  2. Click the Create button. The New SMTP Configuration screen opens.
  3. In the Name field, type a name for the SMTP server that you are creating.
  4. In the SMTP Server Host Name field, type the fully qualified domain name for the SMTP server host.
  5. In the SMTP Server Port Number field, type a port number. For no encryption or TLS encryption, the default is 25. For SSL encryption, the default is 465.
  6. In the Local Host Name field, type the host name used in the SMTP headers in the form of a fully qualified domain name. This host name is not the same as the BIG-IP system's host name.
  7. In the From Address field, type the email address that you want displayed as the reply-to address for the email.
  8. From the Encrypted Connection list, select the encryption level required for the SMTP server.
  9. To require that the SMTP server validates users before allowing them to send email, select the Use Authentication check box and type the user name and password required to validate the user.
  10. Click the Finish button.
You can now configure the system to use this SMTP server to send emails.

Specifying a proxy server for downloading files and information

When you specify an Internet proxy, Enterprise Manager™ uses that proxy for tasks configured through its task wizards, such as the Licensing wizard.

For example, if you create a task to update the licensing information for a device, Enterprise Manager sends the licensing information through the specified proxy. Conversely, if you update the licensing information for a device by selecting the License option from the System menu on the Main tab instead of using the Licensing wizard, Enterprise Manager does not send the licensing information through the configured proxy.

  1. On the Main tab, click Enterprise Management > Options > Servers.
  2. On the menu bar, click Options.
  3. In the Internet Proxy Server area, select the Use Proxy check box. The screen refreshes, displaying additional options.
  4. In the SSL Proxy Address field, type the address of the SSL proxy server.
  5. If you want to use the same SSL proxy address for FTP connections, select the Always use this proxy address for the FTP protocol check box.
  6. To specify a separate SSL proxy for FTP connections, clear the Always use this proxy address for the FTP protocol check box and type an IP address in the FTP Proxy Address field.
  7. Click Save Changes.