
Manual Chapter: Enterprise Manager Administrator Guide: Licensing and Configuring the System


3

Licensing and Configuring the System


Setting up Enterprise Manager for the first time

Enterprise Manager fits into your existing network configuration in a similar manner to your other F5 Networks devices. The Enterprise Manager Quick Start Instructions included with the device introduce the basic steps required to set up and start working with the Enterprise Manager system.

This chapter details the process of licensing and configuring the system, including setting up management network defaults, default self IPs and VLANs, and setting general preferences for working with Enterprise Manager.

This chapter assumes that you have previously set up, licensed, and configured one or more BIG-IP systems in your network, and that you have connected the Enterprise Manager system to a management workstation or network.

The initial licensing, platform setup, and network configuration procedures in the following sections are based on the procedures described in the Installation, Licensing, and Upgrades for BIG-IP Systems guide. Consult that guide if you require additional information not described in this chapter.

Licensing the Enterprise Manager software using the Configuration utility

To activate the license for the system, you must have a base registration key. The base registration key is a 33-character string that lets the license server know which F5 products you are entitled to license. If you do not already have a base registration key, you can obtain one from the sales group (http://www.f5.com).

If the system is not yet licensed, the Configuration utility prompts you to enter the base registration key. Certain systems may require you to enter keys for additional modules in the Add-On Registration Key List box.

After you configure an IP address, net mask, and gateway on the management port, you can access the Configuration utility (graphical user interface) through the management port.

For more information on how to work with a console connection, and how to configure network settings on the MGMT interface, see the Connecting a Management Workstation or Network chapter in the Installation, Licensing, and Upgrades for BIG-IP Systems guide.

To license the system using the Configuration utility

  1. Open a web browser on a workstation attached to the network on which you configured the management port.
  2. Type the following URL in the browser, where <IP address> is the address you configured for the management port (MGMT):

    https://<IP address>/
  3. At the password prompt, type the user name admin and the password admin, and click OK.
    The Licensing screen of the Configuration utility opens (Figure 3.1). The Setup utility appears the first time you run the Configuration utility.
  4. To begin the licensing process, click the Activate button.
    Follow the on-screen prompts to license the system. For additional information, click the Help tab.


Figure 3.1 The Licensing screen in the Setup utility

Note that you can update the license at any time by using the Licensing option that is available in the System area on the Main tab.

Creating the platform management configuration

After you have activated the license on the system, the Configuration utility prompts you for the basic configuration information for managing the system (Figure 3.2). This required information includes the following settings.

  • Management interface settings such as the IP address, netmask, and default gateway
  • Host name and IP address
  • High availability settings
  • Time zone settings
  • User account settings, such as the root and admin passwords
  • Support access
  • SSH access

 

 

Figure 3.2 The Platform Setup screen

Platform setup screen settings

Each heading in this section provides a basic description to assist you in choosing settings on the Platform Setup screen.

Management port

You can specify an IP address for the management (administrative) port. If you set the management interface IP address using the LCD screen that is available on some platforms, you do not need to configure this setting. You can also specify a network mask for the administrative port's IP address and the IP address of the default route for the management port.

Host name

You must enter a fully qualified domain name (FQDN) for the system. Only letters, numbers, and the characters dash ( - ) and period ( . ) are allowed.

Host IP address

The host IP address is the IP address that you want to associate with the host name:

    • Select Use Management Port IP Address to associate the host name with the management port's IP address. This is the default setting.
    • Select Custom Host IP Address to type an IP address other than the management port's IP address.

High availability

A high availability system consists of two units that share configuration information:

    • Select Single Device if the system is not a unit in a high availability system.
    • Select Redundant Pair if the system is a unit in a high availability system.
Warning

Enterprise Manager high availability systems do not support many of the high availability features of a BIG-IP system. The main function of Enterprise Manager high availability is to provide an updated backup of the configuration of the active Enterprise Manager system. For more information on how Enterprise Manager works in a high availability configuration, see Configuring Enterprise Manager as a high availability system.

Unit ID

Select 1 or 2 to identify the system's unit ID number in the redundant system. The default unit ID number is 1. If this is the first unit in the redundant system, use the default. When you configure the second unit in the system, type 2.

Note

If the device is not a part of a high availability system, you do not need to specify the Unit ID.

Time zone

Select the time zone that most closely represents the location of the system. This ensures that the clock for the Enterprise Manager system is set correctly, and that dates and times recorded in log files correspond to the time zone of the system administrator. Scroll through the list to find the time zone at your location.

Root account

The root account provides access to this system from the console.

    • In the Password box, type the password for the built-in account, root.
    • In the Confirm box, retype the password that you typed in the Password box.
      If you mistype the password confirmation, the system prompts you to retype both entries.

Admin account

The admin account provides access to the system through a browser.

    • Type the password for the built-in account, admin.
    • In the Confirm box, retype the password that you typed in the Password box.
      If you mistype the password confirmation, the system asks you to retype both entries.

Support account

This setting enables the built-in account, support, for access to the system's command line interface and browser interface. If you activate the account, you must also supply a password and password confirmation. The technical support staff uses the support account to analyze the system if you need assistance with troubleshooting issues.

SSH access

Check the Enabled box if you want to activate SSH access to the Enterprise Manager system.

SSH IP allow range

If you have enabled SSH access, you can specify the IP address or address range for other systems that can use SSH to communicate with the system. To grant unrestricted SSH access to all IP addresses, select *All Addresses. To restrict SSH access to a block of IP addresses, select Specify Range, and then type an address or address range in the box. For example, to restrict access to only systems on the 192.168.0.0 network, type 192.168.*.*.

Rerunning the Setup utility

Once you have configured the system, if you need to reconfigure any system settings, you can run the Setup portion of the Configuration utility again by clicking the Run the Setup utility link on the Welcome screen. As you proceed through the Setup utility, click the Help tab for information about the settings on each screen.

Configuring the enterprise management network

Once you have licensed the system, and configured the basic management system settings, the Options screen opens in the Configuration utility. The Options screen contains two options for creating the enterprise management configuration.

  • Basic Network Configuration
    Click the Next button to start the basic network configuration wizard. This wizard guides you through a basic network configuration that includes an internal and external VLAN and interface configuration.
  • Advanced Network Configuration
    If you want to create a custom management configuration, click the Finished button to exit to the Main tab. Choose this option if you want to create a custom VLAN configuration. If you choose this option, after you click the Finished button, you should click the Network option on the Main tab.

Tip


Although the advanced option is available, you do not need to create an advanced network configuration for enterprise management purposes.

 

 

Figure 3.3 The Options screen for configuring the enterprise management network

Using the Basic Network Configuration wizard

You can use the Basic Configuration wizard to configure two default VLANs for the system, internal and external. Note that you can update the network configuration at any time by using the options that are available under the Network or System sections on the Main tab.

Consult the online help if you need detailed information about specific settings when configuring the default VLANs and self IPs.

Configuring Enterprise Manager defaults and preferences

To successfully manage devices, you must set up Enterprise Manager preferences. These preferences determine how Enterprise Manager handles such features as high availability, software management, device configuration archiving, certificate management, alerting, logging, and user management.

Configuring Enterprise Manager as a high availability system

You can configure Enterprise Manager as part of a high availability system, but the high availability features are not the same as the BIG-IP system high availability features that you may be familiar with. Enterprise Manager high availability mainly provides a warm backup of an active system. A warm backup is a system that duplicates the configuration information of its peer device, and can perform all of the functions of its peer, but requires manual intervention to maintain the integrity of the backup configuration information.

The primary advantage of an Enterprise Manager high availability system is that you can maintain an active-standby configuration where you back up the Enterprise Manager configuration, including device, alert, archive, certificate, and software repository information. This ensures that once you manage multiple devices with Enterprise Manager, you can maintain a backup of all the network management information stored in the Enterprise Manager database as long as you run regular ConfigSync tasks whenever you change the Enterprise Manager configuration.

You can manage the ConfigSync task on the Enterprise Manager device in the same way that you manage high availability managed devices. See Working with high availability systems, on page 4-6 for more information.

Additionally, you can monitor the sync status of the Enterprise Manager pair from the device's general properties screen, or by looking at the status displayed in the upper left corner of the screen above the navigation pane.

Tip


To maintain the best possible backup capabilities of an Enterprise Manager pair, we recommend that you start a ConfigSync task after major configuration changes.

Understanding the Enterprise Manager high availability differences

There are four main differences between high availability on an Enterprise Manager system and a BIG-IP system. The first is that Enterprise Manager can only use an active-standby configuration for high availability. The second is that the failover function on Enterprise Manager does not work in the same way that it does on a BIG-IP system. The third is that the ConfigSync process requires much more time on an Enterprise Manager system. Finally, you cannot make configuration changes on an Enterprise Manager system in standby mode.

Setting the high availability configuration

When you configure the settings on the Platform Setup screen during the initial system setup, you can specify the type of high availability system, if appropriate. If you use Enterprise Manager in a high availability configuration, you can only use the active-standby configuration, and not the active-active configuration.

Working with the failover function

In an Enterprise Manager high availability system, if the active device fails over, the standby device becomes active. However, if any processes are running, such as a software installation or device archiving task, this process is not continued by the new active device.

Because the Enterprise Manager system is designed to manage enterprise devices instead of traffic, it cannot synchronize user-configured or scheduled tasks in real time. Instead, for a failover to be successful, Enterprise Manager requires a ConfigSync operation after each major configuration change.

After a failover, the newly active system maintains the last known configuration before any user-initiated or scheduled task if the systems were properly synchronized. If a failover occurs during a running task, you must reconfigure and restart the task.

Working with the ConfigSync process

The Enterprise Manager database contains considerably more configuration data than a typical BIG-IP system because it stores configuration data for a large number of devices. The main effect of this is that a ConfigSync process requires much more time than a similar process on a typical BIG-IP system. Also, when you start a ConfigSync task for Enterprise Manager, the system may report that the task is complete, although it is still running.

To ensure that the configurations are synchronized after you start a ConfigSync task, you should check the status of devices on the target device where you are copying the configuration. If a Maintenance Task appears in the task list, then the ConfigSync task is not complete.

Additionally, in a failover scenario, if a task is running, the task does not continue when a standby peer becomes the active peer. If you encounter this situation, you should reconfigure the task and restart it.

Making configuration changes on a standby system

When an Enterprise Manager system is in standby mode, you cannot make configuration changes such as adding devices, importing software, or configuring alerts on the standby device. If you attempt to make changes on a system in standby mode, you receive an error.

To ensure that you do not initiate tasks on a standby system, check for an Active or Standby status message in the upper left corner of the screen.

Configuring initial settings for an Enterprise Manager pair

If you choose to configure two Enterprise Manager systems in a high availability configuration, you must run an initial configuration synchronization in order for the systems to work properly. Additionally, you must specify the same password for the admin user on each device in the redundant configuration.

To initialize an Enterprise Manager pair

This procedure describes the basic steps necessary to set up an Enterprise Manager high availability system. To configure these settings, you must have already configured two Enterprise Manager systems and set each device as a Redundant Pair on the Platform Setup screen in the Setup utility.

  1. On the Main tab of the Navigation pane, expand System and click High Availability.
    The System Redundancy Properties screen opens.
  2. For the Primary Failover Address, specify the Self and Peer IP addresses for each Enterprise Manager system in the appropriate boxes.
  3. In the Redundancy State Preference list, select whether you prefer the current device to be the Active or Standby system. Select None, if you have no preference.
  4. In the Network Failover box, if you want the standby system to use the network to check the state of the active system, check the Select box to enable network failover detection.
  5. Click Update to save your changes.
  6. On the menu bar, click ConfigSync.
    The System ConfigSync screen opens.
  7. In the Configuration list above the table, select Advanced.
    The table changes to show additional options.
  8. In the ConfigSync User list, select a user account that has Administrator privileges and can perform the ConfigSync operation. Important: The user account and password must be the same on both units in the redundant system.
  9. In the Detect ConfigSync Status box, check the Select box to enable this unit to regularly compare its configuration status with that of its peer.
  10. In the Synchronize row, click either Synchronize TO Peer or Synchronize FROM Peer to perform an initial configuration synchronization.

Changing the device refresh interval

When you start up Enterprise Manager, one device option is already set by default: the rate at which Enterprise Manager requests updated metrics from each managed device. When you discover devices and add them to the device list, Enterprise Manager refreshes the device information at a default interval of once every 10 minutes. You can reduce the amount of management traffic by increasing the interval, or you can more closely monitor the state of devices by decreasing the interval. For more information about discovering and managing devices, see Chapter 4, Discovering and Managing Devices.

To change the device refresh interval

  1. On the Main tab of the navigation pane, expand Enterprise Management and click Devices.
    The Device List screen opens.
  2. On the menu bar, click Options.
    The Device Options screen opens.
  3. In the Device Communication table, in the Refresh Interval box, change the value to adjust the regular interval at which Enterprise Manager requests new information from each managed device.
  4. Click Save Changes.

Tip


If you need immediately updated device information at any time, you can refresh device information using the Update Status button for any number of devices that you select on the Device List screen, or on an individual device General Properties screen.

Changing the device archive options

Enterprise Manager provides a secure location to store device configuration archives for all managed devices. You can set up a rotating schedule for archiving, and you can save multiple archives in the Enterprise Manager database.

When you first start Enterprise Manager, the number of rotating archives or pinned archives Enterprise Manager can store in its database is set by default. Enterprise Manager is initially set to store up to 10 rotating device archives and 10 saved, or pinned, archives per device in its database.

Enterprise Manager manages rotating archives in its database in a first in, first out manner. That is, once the database reaches the maximum number of archives, it deletes the oldest archive in the rotating archive list.

Conversely, pinned archives require manual intervention once Enterprise Manager reaches the maximum. When a user attempts to create a pinned archive that exceeds the limit, the system warns that it cannot create a new pinned archive until the user deletes at least one from the current list or increases the maximum limit.

If you want to maintain more device configuration archives for backup and restore flexibility, you can increase this value as needed, but the number of stored archives can affect the disk space on the Enterprise Manager device. For detailed information about how Enterprise Manager works with device archives, including setting up rotating archive schedules or saving multiple configuration archives, see Chapter 6, Managing Device Configuration Archives.

To change the device configuration archive options

  1. On the Main tab of the navigation pane, expand Enterprise Management and click Devices.
    The Device List screen opens.
  2. On the menu bar, click Options.
    The Device Options screen opens.
  3. In the Configuration Archives table, in either the Maximum Rotating Archives box, or the Maximum Pinned Archives box, change the maximum number of archives that Enterprise Manager saves in its database.
  4. Click Save Changes.
Note

If you reduce the maximum number of rotating archives on a system where the number of archives exceeds the new value, the system deletes the oldest archives to reach the new limit. If you set a lower pinned archive limit, the system does not automatically delete pinned archives. You must delete pinned archives manually.

Setting alerting system options

Because Enterprise Manager can send email alerts, log events in a remote syslog file, or send SNMP traps, you should configure these defaults before enabling alert instances that use any of these options. Additionally, Enterprise Manager can log each alert event in the alert history. Depending on how many alerts you need to track over time, you can control the maximum size of this alert log.

For information on how the alerting process works in Enterprise Manager and how to configure alerts for managed devices in the network, see Chapter 7, Monitoring and Alerting.

To set alert defaults

  1. On the Main tab of the navigation pane, expand Enterprise Management and click Alerts.
    The Device Alerts screen opens.
  2. On the menu bar, click Options.
    The Alert Options screen opens.
  3. In the Email Recipient box, type the email address of the user or alias that you want to set as the default mail recipient for an alert.
  4. In the Syslog Server Address box, type the IP address of the remote server that you want to set as the default if you opt to log an event in a server's syslog file.
  5. In the Alert History table, in the Maximum History Entries box, type the maximum number of alerts that you want logged in the Alert History.
    If the alert history reaches the limit you set, the system deletes the oldest entries to create room for newer entries.
  6. Click Save Changes.

Tip


If you do not want to use the email or syslog defaults for a particular alert, you have the option to specify a unique email address or syslog server address when you create a new alert.

Setting up SNMP options

If you use the alerting features of Enterprise Manager, you can send SNMP traps to a remote SNMP server. Simple Network Management Protocol (SNMP) is an industry-standard protocol that gives a standard SNMP management system the ability to remotely manage a device on the network. The SNMP versions that the Enterprise Manager system supports are: SNMP v1, SNMP v2c, and SNMP v3.

Enterprise Manager works with SNMP in the same way that a BIG-IP system works with SNMP. If you elect to send SNMP traps when configuring alerts, you must configure the SNMP agent and SNMP client access to the Enterprise Management system.

Because the Enterprise Manager system shares the same operating system as a BIG-IP system, you can configure SNMP on the Enterprise Manager system in the same way that you do on a BIG-IP system. See the Configuring SNMP chapter in the BIG-IP Network and System Management Guide for detailed information on how to configure SNMP information.

Tip


The System section on the Main tab of the navigation pane contains most of the same configuration options as it does for a BIG-IP system.

Configuring internal email options

When you configure alerts, you have the option for the system to send email messages to a user that you specify when the alert is triggered. In order to enable this feature, you must configure the Enterprise Manager system to deliver locally generated email messages.

To configure Enterprise Manager to deliver locally generated email messages, complete the following steps:

  • Ensure that the postfix service is running.
  • Configure DNS on the system.
  • Verify DNS resolution.
  • Configure email notification.

Configuring internal email requires root access to the command console and Administrator privileges for the Configuration utility.

To enable the postfix service

By default, the postfix mail server service is enabled when you install the Enterprise Manager software, but you may need to confirm this.

  1. On the Main tab of the navigation pane, expand System and click Services.
    The System Services screen opens displaying the available system services and how long each service has been running.
  2. Confirm that the postfix service is running by looking at the message in the History column next to the postfix service.
  3. If you need to start or restart the postfix service, check the Select box next to the postfix service, and click the Start or Restart button below the list.

To configure DNS

  1. On the Main tab of the navigation pane, expand System and click General Properties.
    The System: General Properties screen opens.
  2. From the Device menu, choose DNS.
    The System: DNS screen opens.
  3. In the DNS Lookup Server List section, in the Address box, type the IP address of your DNS server(s).
  4. Click Add.
    The address moves to the box below the Add button.
  5. Click the Update button.

Verify DNS resolution

  1. Log in as root at the command line.
  2. Verify the DNS resolution for the domain to which you will be sending email, by typing the following command:

    dig <domain> mx

    For example, to query type MX and siterequest.com, which is where email is delivered, you would type the following command:

    dig siterequest.com mx

    You should receive a response similar to the following figure, indicating that Enterprise Manager is able to resolve the mail exchanger.

    Figure 3.4 A sample reply from the mail exchanger

    ; <<>> DiG 9.2.2 <<>> siterequest.com mx
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16174
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;siterequest.com.                     IN      MX
    ;; ANSWER SECTION:
    siterequest.com.              86400   IN      MX      10 mail.siterequest.com.
    ;; Query time: 65 msec
    ;; SERVER: 172.16.100.1#53(172.16.100.1)
    ;; WHEN: Mon Nov  8 14:32:07 2002
    ;; MSG SIZE  rcvd: 51
    

     

To configure email notification

By default, the postfix mail server is started when you start Enterprise Manager. If you need to modify postfix files, perform the following steps from the command line of the Enterprise Manager system, then restart the postfix service.

  1. Using a text editor, such as vi or pico, edit the /etc/postfix/main.cf file.
  2. Find the mydomain variable and change it to specify your site's domain. For example, if your domain is siterequest.com, change the variable to:

    mydomain = siterequest.com
  3. Set the relayhost variable as in the following example:

    relayhost = $mydomain
  4. If you want email sent only from localhost, set the inet_interfaces variable by typing the following:

    inet_interfaces = localhost
  5. Save and exit the file.
  6. Edit the /etc/hosts file.
  7. Create a record for the fully qualified domain name of your mailserver by typing the following command:

    echo "<your_mailserver_IP_address> <your_mailserver_fqdn>" >> /etc/hosts

    For example:

    echo "10.10.65.1 mail.siterequest.com" >> /etc/hosts
  8. Save and exit the file.
  9. From the command line, send a test email by typing the following command:

    echo test | mail <your email address>
  10. View the mail queue, by typing the following command:

    mailq

    To send any unsent mail, type the following command:

    postfix flush
  11. Edit the /etc/postfix/aliases file.
  12. Locate the following entry:

    # Person who should get root's mail.  This alias
    # must exist.
    # CHANGE THIS LINE to an account of a HUMAN
    root:          postfix
  13. Change the root alias mapping to the email account to which you want mail to be sent. For example:

    root: helpdesk@postfix.fix
  14. Save and exit the file.
  15. Type the following command:

    newaliases
  16. From the command line, send a test email by typing the following command:

    echo test | mail <your email address>

    If configured properly, the email is delivered to the address that you specified in the /etc/postfix/aliases file.

    For example:

    echo "this is a test" | mail root
  17. From the command line, type the following command and press Enter:

    service postfix restart
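
The values this procedure sets can be checked after the edit with a short script. The following is an added example, not part of the F5 guide: the function names and the sample file contents are constructed for illustration, and it treats the optional inet_interfaces = localhost setting as the expected value.

```shell
#!/bin/sh
# Added example (not from the F5 guide): audit the main.cf and aliases values
# that the procedure above sets. Function names are illustrative.

# cf_value FILE NAME: print the value of a "name = value" parameter in a
# main.cf-style file. Postfix keeps the last occurrence, so the last one is
# printed; comment lines and indented continuation lines are ignored.
cf_value() {
    awk -v key="$2" '
        $0 ~ ("^" key "[ \t]*=") {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            found = val
        }
        END { print found }' "$1"
}

# alias_target FILE NAME: print the target of the first "name: target" entry.
alias_target() {
    awk -v key="$2" '
        $0 ~ ("^" key "[ \t]*:") {
            val = $0
            sub(/^[^:]*:[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            print val
            exit
        }' "$1"
}

# audit_mail_config MAIN_CF ALIASES DOMAIN: print one line per check and
# return the number of findings (0 means the files match the procedure).
audit_mail_config() {
    findings=0
    mydomain=$(cf_value "$1" mydomain)
    relayhost=$(cf_value "$1" relayhost)
    listen=$(cf_value "$1" inet_interfaces)
    root_to=$(alias_target "$2" root)

    if [ "$mydomain" = "$3" ]; then
        echo "ok       mydomain = $mydomain"
    else
        echo "FINDING  mydomain is '${mydomain:-unset}', expected '$3'"
        findings=$((findings + 1))
    fi

    if [ -n "$relayhost" ]; then
        echo "ok       relayhost = $relayhost"
    else
        echo "FINDING  relayhost is unset, so mail is not handed to a relay"
        findings=$((findings + 1))
    fi

    # inet_interfaces controls where the SMTP listener binds; Postfix listens
    # on all interfaces when the parameter is unset.
    case "$listen" in
        localhost|loopback-only|127.0.0.1)
            echo "ok       inet_interfaces = $listen" ;;
        *)
            echo "FINDING  inet_interfaces is '${listen:-unset, default all}', listener is not loopback-only"
            findings=$((findings + 1)) ;;
    esac

    # "root: postfix" is the entry the procedure says to replace.
    case "$root_to" in
        ""|postfix)
            echo "FINDING  root alias is '${root_to:-missing}', root mail reaches no person"
            findings=$((findings + 1)) ;;
        *)
            echo "ok       root alias -> $root_to" ;;
    esac
    return "$findings"
}

# write_sample_configs DIR: create constructed "before" and "after" files.
# The single quotes keep $mydomain literal, as it appears in main.cf.
write_sample_configs() {
    printf '%s\n' 'mydomain = localdomain' '#relayhost = $mydomain' \
        'inet_interfaces = all' > "$1/before.main.cf"
    printf '%s\n' '# CHANGE THIS LINE to an account of a HUMAN' \
        'root:          postfix' > "$1/before.aliases"
    printf '%s\n' 'mydomain = siterequest.com' 'relayhost = $mydomain' \
        'inet_interfaces = localhost' > "$1/after.main.cf"
    printf '%s\n' 'root: helpdesk@postfix.fix' > "$1/after.aliases"
}

# Demonstration on the constructed samples.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
echo "== before the procedure =="
audit_mail_config "$demo_dir/before.main.cf" "$demo_dir/before.aliases" siterequest.com \
    || echo "findings: $?"
echo "== after the procedure =="
audit_mail_config "$demo_dir/after.main.cf" "$demo_dir/after.aliases" siterequest.com \
    && echo "no findings"
rm -rf "$demo_dir"
# On the system itself:
#   audit_mail_config /etc/postfix/main.cf /etc/postfix/aliases <your domain>
```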

Managing user accounts

When you initially set up Enterprise Manager, you configure a default administrator user account that permits you to set up and start working with the system through the web interface.

In order to discover and manage devices in the network, you must configure an administrator-level user account that matches an administrator-level user name on devices that you want to manage.

Enterprise Manager maintains a local authentication list of users, but you can choose to use a remote LDAP, Active Directory, or RADIUS authentication source.

Tip


When you create an administrator-level user for Enterprise Manager, we recommend that you use the same user name that you currently use to administer F5 Networks devices in your network. This ensures that you can successfully manage devices as soon as Enterprise Manager discovers them and adds them to the device list.

Working with the user list

The Enterprise Manager user list specifies all user accounts that have administrator access to managed devices in the network. Each managed device authenticates the user names stored in the Enterprise Manager User List in order to authorize Enterprise Manager to perform device management tasks.

To add new users to the user list

When you add new users, ensure that you use the same administrator-level user name that you currently use for managing BIG-IP systems in your network.

  1. On the Main tab of the navigation pane, expand System and click Users.
    The Users List screen opens.
  2. Above the list, click Create.
    The New User screen opens.
  3. In the User Name box, type the user name that you want to add to the Enterprise Manager user list.
  4. In the Authentication row, in the Password and Confirm boxes, type the password for the user you just entered and confirm the password.
  5. In the Web User Role box, select Administrator.
    The Allow Console Access box appears in the table.
  6. In the Allow Console Access box, if you want to allow the user to access the command console, check the Select box to permit the user to access the Enterprise Manager device from the command line.
Important

When you define a new user for Enterprise Manager, you must set their Web User Role to Administrator. If you select a user role other than Administrator, managed devices cannot authorize this user to perform management tasks, nor will the user be able to initiate tasks using the Enterprise Manager system.

Selecting the authentication source

By default, Enterprise Manager uses a local database to authenticate users. If you use a remote authentication source, you should configure Enterprise Manager to use your remote database.

To set the authentication source

  1. On the Main tab of the navigation pane, expand System and click Users.
    The Users List screen opens.
  2. On the menu bar, click Authentication Source.
    The Authentication Source screen opens.
  3. Below the table, click Change.
    The User Directory box changes to a list.
  4. In the User Directory list, select the type of remote source:
    • Active Directory: Specifies that the system uses a remote Active Directory server to authenticate users.
    • LDAP: Specifies that the system uses a remote LDAP server to authenticate users.
    • RADIUS: Specifies that the system uses a remote RADIUS server to authenticate users.
    After you select the type of remote authentication source, the Configuration table appears, where you can enter the remote server information.

  5. In the Configuration table, enter the appropriate settings to configure Enterprise Manager to use a remote authentication server.
    See the online help for detailed information about the Configuration table.


