Manual Chapter : Customizing Settings

Applies To:

Enterprise Manager

  • 3.1.1

Overview: Customizing settings

After you activate the license, complete the initial setup, and specify your network configuration options, you can customize settings for other Enterprise Manager features.

About storing configuration data

The configuration details of managed devices (including Enterprise Manager itself) are contained in a compressed user configuration set (UCS) file with the extension of .ucs. This file contains all of the information required to restore a device's configuration, and consists of these elements:

  • System-specific configuration files
  • License
  • User account and password information
  • DNS zone files
  • NameSurfer configuration
  • SSL certificates and keys

Enterprise Manager saves UCS files to a UCS archive. You can create a task to save UCS archives for devices at regularly scheduled intervals. Archives that are created and saved on a schedule are called rotating archives. When the system creates rotating archives, it compares the most recently stored UCS archive file to the current configuration on the device at the specified interval. If there are any differences, Enterprise Manager stores a copy of the current configuration in a UCS archive. If there are no differences, Enterprise Manager does not store an additional copy of the current configuration, which leaves you room to store a higher number of unique historical UCS archives. When Enterprise Manager reaches the maximum number of archives specified to store, it deletes the oldest archive in the rotating archive list. By default, Enterprise Manager stores up to 10 rotating archives each, for itself and every managed device.

Another option for archive storage is to create an archive of a specific UCS for a device, referred to as pinning an archive. Enterprise Manager also creates a pinned archive of a device's current configuration before it installs new software. Pinned archives are stored until you delete them.

Creating a rotating UCS archive schedule

A device must be listed on the Device List screen before you can create a rotating archive schedule for it.
It is best practice to create a rotating archive schedule for each device in your network so that you always have a copy of a recent configuration. The UCS archive provides your network with added stability in the event that a configuration change results in a need for a system restore. You can create a customized schedule for a specific device, or create several schedules and assign any number of devices to each schedule.
  1. On the Main tab, click Enterprise Management > Tasks > Schedules > Archive Collection. The Archive Collection screen opens.
  2. Click the Create button. The New Scheduled Task screen opens.
  3. In the Archive File Name field, type a name for the rotating archive schedule.
  4. From the Check for Changes list, select the frequency that you want Enterprise Manager to check for configuration changes. Depending on your selection, the screen refreshes to display associated options.
  5. Click Finished to save the settings.
The Archive Collection list screen opens and the new rotating archive schedule appears in the list. If a device in the Assigned list changes its configuration during the interval you specified, Enterprise Manager creates an archive of the device's configuration and adds it to the rotating archives on the Archives Collection screen.

Changing private key archive settings

When Enterprise Manager creates a UCS archive, it stores the private keys in the archive by default. If you would prefer not to have the system store the private keys in the UCS archive, you can change this default behavior.
Important: If you choose not to have Enterprise Manager store the private keys in the UCS archive, you must manually restore the keys if you restore the archive.
  1. On the Main tab, click Enterprise Management > Options > Certificates > SSL Private Keys.
  2. From the Private Keys in Archives list, select an option:
    • Include: Select this option if you want the system to store private key data when it creates a configuration archive. This is the default setting.
    • Exclude: Select this option if you do not want the system to store private key data when it creates a configuration archive. Note that if you select this option, you must manually restore the keys if you restore the archive.
  3. Click Save Changes.
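
As an added example (not part of the F5 manual), the following Python script checks whether an archive still carries private keys, which is how you would confirm that the Exclude setting took effect. It assumes the .ucs file is an unencrypted gzip-compressed tar archive; the function names, sample paths and placeholder key bodies are constructed for illustration.

```python
import io
import re
import tarfile

# PEM headers that mark private key material (PKCS#1, PKCS#8, EC, DSA, encrypted PKCS#8).
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")


def find_private_keys(ucs_fileobj):
    """Return the sorted member names that contain a PEM private key header."""
    hits = []
    with tarfile.open(fileobj=ucs_fileobj, mode="r:gz") as archive:
        for member in archive:
            if not member.isfile():
                continue  # skip directories and links; nothing is extracted to disk
            data = archive.extractfile(member).read()
            if PRIVATE_KEY_RE.search(data):
                hits.append(member.name)
    return sorted(hits)


def build_sample_ucs(files):
    """Build a constructed in-memory archive from {name: bytes}; stands in for a real .ucs file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as archive:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            archive.addfile(info, io.BytesIO(content))
    buf.seek(0)
    return buf


# Constructed sample contents: paths and bodies are placeholders, not real key material.
CERT = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
KEY = b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"

WITH_KEYS = {"config/ssl/ssl.crt/example.crt": CERT, "config/ssl/ssl.key/example.key": KEY}
WITHOUT_KEYS = {"config/ssl/ssl.crt/example.crt": CERT}

if __name__ == "__main__":
    for label, files in (("Include", WITH_KEYS), ("Exclude", WITHOUT_KEYS)):
        found = find_private_keys(build_sample_ucs(files))
        print(f"{label}: {len(found)} private key file(s) {found}")
```

To scan a real archive, pass an open binary file handle, for example find_private_keys(open(path, "rb")), on a host where handling the archive is permitted.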

About refreshing device configurations

To ensure that the stored configuration for each managed device is up-to-date, Enterprise Manager compares it with the device's current configuration at regular intervals. If a configuration change has occurred, Enterprise Manager updates the stored configuration with those changes.

Changing the device refresh interval

By default, Enterprise Manager contacts its managed devices to check for configuration changes once every 60 minutes. You can reduce the amount of management traffic by increasing this interval or you can more closely monitor the state of devices by decreasing the interval.

Tip: You can refresh device information immediately at any time, by selecting devices and clicking the Update Status button on the Device list screen or on the General Properties screen of a specific device.
  1. On the Main tab, click Enterprise Management > Options > Devices > Communications.
  2. In the Refresh Interval field, type an interval value to specify the number of minutes that Enterprise Manager waits before requesting new information from each managed device. This interval is superseded if a configuration change prompts an automatic refresh before the interval is reached, unless the Send Event Notifications to EM setting is disabled.
  3. Select Disable for the setting in these circumstances:
    • Contact F5 During Refresh: Disable this option if Enterprise Manager is behind a firewall and cannot contact F5 licensing servers for updated license information.
    • Send Event Notifications to EM: Disable this option if you want to reduce management traffic and refresh only at the interval defined in the Refresh Interval field.
    • Check Connectivity From Device to EM: Disable this option if there is a firewall between Enterprise Manager and the managed device, and communication is only allowed unilaterally from Enterprise Manager to the device.
  4. Click Save Changes.

About proxy servers for Enterprise Manager

If you do not want to expose the IP address of the Enterprise Manager system or devices, you can use a proxy server specific to the type of communication.

  • Internet proxy server: For outbound communication from Enterprise Manager to F5 Networks to download licensing information, support information, and Application Security Manager attack signature files
  • Device proxy server: For communication between Enterprise Manager and managed devices in your network
  • iControl proxy server: For inbound communication to managed devices, required for authentication, pass-through, and device inventory
  • SMTP proxy server: For alert email notification

You can configure Enterprise Manager to use a single proxy for SSL and FTP connections, or to use a unique proxy for each protocol.

Specifying a device proxy server for communication between Enterprise Manager and devices

By default, Enterprise Manager communicates with devices through HTTPS. You have the option to specify a proxy server for communication between Enterprise Manager and your network devices.
  1. On the Main tab, click Enterprise Management > Options > Servers.
  2. In the Device Proxy Server area, select the Use Proxy check box. The screen refreshes, displaying additional options.
  3. In the EM-side SSL Proxy Address field, type the SSL proxy server address that you want to use for Enterprise Manager.
  4. If you want to use the same SSL proxy address for the device side, select the Also use this proxy address for the device-side connections check box.
  5. To specify a separate device-side SSL proxy address, clear the Also use this proxy address for the device-side connections check box and type an IP address in the Device-side SSL Proxy Address field.
  6. Click Save Changes.

Specifying a proxy for iControl communication

When you specify an iControl proxy, Enterprise Manager acts as a proxy to support authentication, pass-through, and device inventory using iControl.
  1. On the Main tab, click Enterprise Management > Options > Servers.
  2. In the iControl Proxy area, select the Use Proxy check box.
  3. Click the Save Changes button.

Specifying a proxy server for downloading files and information

When you specify an Internet proxy, Enterprise Manager uses that proxy for tasks configured through its task wizards, such as the Licensing wizard.

For example, if you create a task to update the licensing information for a device, Enterprise Manager sends the licensing information through the specified proxy. Conversely, if instead of using the Licensing wizard, you select the License option from the System menu on the Main tab to update the licensing information for a device, Enterprise Manager does not send the licensing information through the configured proxy.

  1. On the Main tab, click Enterprise Management > Options > Servers.
  2. On the menu bar, click Options.
  3. In the Internet Proxy Server area, select the Use Proxy check box. The screen refreshes, displaying additional options.
  4. In the SSL Proxy Address field, type the address of the SSL proxy server.
  5. If you want to use the same SSL proxy address for FTP connections, select the Always use this proxy address for the FTP protocol check box.
  6. To specify a separate SSL proxy for FTP connections, clear the Always use this proxy address for the FTP protocol check box and type an IP address in the FTP Proxy Address field.
  7. Click Save Changes.

About using a web proxy for ASM IP Address Intelligence Service database updates

You can use Enterprise Manager to obtain updates to the IP Address Intelligence Service database for managed BIG-IP Application Security Manager (ASM) devices, without requiring that those devices connect directly to the public internet.

To do this, you configure Enterprise Manager to communicate with a web proxy connected to the internet. The ASM devices request and receive IP Address Intelligence Service updates transparently, through the Enterprise Manager system.

Configuring Enterprise Manager to forward connections from ASM devices to a web proxy

Before you perform this configuration, you must first:

  • Get the IP address, proxy port, and any required credentials for the web proxy.
  • Configure BIG-IP Application Security Manager devices to use either no authentication, or HTTP basic authentication.
  • Verify that the Enterprise Manager system allows communication through port 3128.
Once all of the prerequisites are met, you can configure Enterprise Manager to act as an additional proxy between the internet and the managed Application Security Manager devices.
  1. Log in to the Enterprise Manager system's command line and edit the /config/em/emforwardd.conf file as follows:
       EMFORWARD_PROXY_IP=<web proxy IPv4 address>
       EMFORWARD_PROXY_PORT=<web proxy port>
  2. Type the following command to restart the daemon:
       tmsh start sys service emforwardd
  3. Log in to the command line of each Application Security Manager device for which you want to provide this proxy service, and type the following commands:
       tmsh modify sys db proxy.username { value <web proxy-username> }
       tmsh modify sys db proxy.password { value <web proxy-password> }
       tmsh modify sys db proxy.host { value <self-IP address that can reach Enterprise Manager> }
       tmsh modify sys db proxy.port { value 3128 }
The managed Application Security Manager devices now send requests for IP Address Intelligence Service database updates through Enterprise Manager.