Manual Chapter : BIG-IP Reference guide v4.0: BIG-IP Controller Base Configuration Tools

Applies To:

BIG-IP versions 1.x - 4.x

  • 4.0 PTF-04, 4.0 PTF-03, 4.0 PTF-02, 4.0 PTF-01, 4.0.0


3

BIG-IP Controller Base Configuration Tools



Introducing the BIG-IP Controller base configuration tools

The BIG-IP Controller includes a set of special tools for configuring the controller itself, or its redundant partner, as opposed to the larger network. One of these tools, config, you will normally run when the controller is first installed as part of the installation procedure. You may also use config, as well as the other special configuration utilities, to change existing settings at any time.

The following configuration utilities are available on the BIG-IP Controller:

  • config
    This utility is also known as the First-Time Boot utility. This utility runs all the other utilities required to configure or reconfigure the BIG-IP Controller, including most of the utilities in this list.
  • config combo
    Use this utility to select the feature set you want to use on the combined product platform. You can choose from the following feature sets: BIG-IP Controller LoadBalancer, BIG-IP Cache Controller, or BIG-IP FireGuard Controller.
  • config dns
    Use this utility to configure or reconfigure an optional DNS proxy.
  • config ftpd
    Use this utility to configure or reconfigure FTP.
  • config httpd
    Use this utility to reconfigure the web server on the BIG-IP Controller.
  • config password
    Use this utility to change your password.
  • config redundant
    Use this utility to configure or reconfigure redundant system settings.
  • config remote
    Use this utility to prepare a new redundant system for remote access. This utility also prepares the controller for the commands that synchronize redundant controllers.
  • config rshd
    Use this utility to configure or reconfigure RSH.
  • config sshd
    Use this utility to configure or reconfigure SSH.
  • config telnetd
    Use this utility to configure or reconfigure Telnet and FTP.
  • config timezone
    Use this utility to set or change your time zone.

config

This utility starts automatically the first time you boot up a BIG-IP Controller. The config utility, referred to as the First-Time Boot utility, is a wizard that walks you through a brief series of required configuration tasks. These tasks include defining a root password and configuring IP addresses for the interfaces. You can also run the First-Time Boot utility to reconfigure a controller.

The First-Time Boot utility is organized into three phases: configure, confirm, and commit.

When using the config utility, you first configure all of the required information, then you have the opportunity to confirm each individual setting or correct it if necessary, and finally your confirmed settings are committed and saved to the system. Note that the screens you see are tailored to the specific hardware and software configuration that you have.

If you have a stand-alone system, for example, the First-Time Boot utility skips the redundant system screens.

To run the First-Time Boot utility, type in the following command:

config

Selecting a keyboard

Select the type of keyboard you want to use with the BIG-IP Controller. The following options are available:

  • Belgian
  • Bulgarian MIK
  • French
  • German
  • Japanese - 106 key
  • Norwegian
  • Spanish
  • Swedish
  • US + Cyrillic
  • US - Standard 101 key
  • United Kingdom

Product selection

If you are configuring a BIG-IP Cache Controller, FireGuard, or Load Balancer, you must now select one of these three as your product. When you have made your selection, the features supported by that product will be enabled.

Note: You may change your product selection at a later time using the config combo command.

Warning: Once you have configured your system based on one of the three product selections (BIG-IP Cache Controller, FireGuard, or Load Balancer), changing the product selection will most likely invalidate that configuration. Therefore you will need to change and update your configuration after you have rebooted the system under the new product selection.

Defining a root password

A root password gives you command line administrative access to the BIG-IP Controller system. The password must contain a minimum of 6 characters, but no more than 32 characters. Passwords are case-sensitive, and we recommend that your password contain a combination of upper- and lower-case characters, as well as numbers and punctuation characters. Once you enter a password, the First-Time Boot utility prompts you to confirm your root password by typing it again. If the two passwords match, your password is immediately saved. If the two passwords do not match, the First-Time Boot utility provides an error message and prompts you to re-enter your password.

Warning: The root password and keyboard selection are the only settings that are saved immediately, rather than confirmed and committed at the end of the First-Time Boot utility process. You cannot change the root password until the First-Time Boot utility completes and you reboot the BIG-IP Controller (see the BIG-IP Administration Guide, Monitoring and Administration). Note that you can change other system settings when the First-Time Boot utility prompts you to confirm your configuration settings.

Defining a host name

The host name identifies the BIG-IP Controller itself. Host names must be fully qualified domain names (FQDNs). The host portion of the name must start with a letter, and must be at least two characters.

Configuring a default route

If a BIG-IP Controller does not have a predefined route for network traffic, the controller automatically sends traffic to the IP address that you define as the default route. Typically, a default route is set to a router's IP address.

Setting up a redundant system

On the Configure BIG-IP Interfaces screen, select Yes if you have a redundant system.

Selecting a unit ID

If you are configuring a redundant system, the First-Time Boot utility prompts you to provide a unit ID and the IP address for fail-over for the BIG-IP Controller. The default unit ID number is 1. If this is the first controller in the redundant system, use the default. When you configure the second controller in the system, type 2. These unit IDs are used for active-active redundant controller configuration.

Choosing a fail-over IP address

If you are configuring a redundant system, after you type in a unit number, the First-Time Boot utility prompts you to provide an IP address for fail-over. Type in the IP address configured on the internal interface of the other BIG-IP Controller.

Configuring interfaces

Configure media settings for each interface. The media type options depend on the network interface card included in your hardware configuration. The First-Time Boot utility prompts you with the settings that apply to the interface installed in the controller. The BIG-IP Controller supports the following types:

  • auto
  • 10baseT
  • 10baseT,FDX
  • 100baseTX
  • 100baseTX,FDX
  • Gigabit Ethernet

Note: If you do not know the correct setting for your switch or hub, you can set the media type to auto and change it later when you know the correct setting. Check your switch or hub documentation for this information.

Warning: The configuration utility lists only the network interface devices that it detects during boot up. If the utility lists only one interface device, the network adapter may have come loose during shipping. Check the LED indicators on the network adapters to ensure that they are working and are connected.

Defining VLANs and IP addresses

You can create a new VLAN or use the default internal and external VLANs to create the BIG-IP Controller configuration.

Determine whether you want to have security turned on or off for a VLAN. Then, type the IP address settings for the VLAN. The IP address settings include:

  • Security settings
  • IP address, netmask, and broadcast
  • Floating self IP address, netmask, and broadcast

We recommend that you set the floating self IP address as the default route for target devices, such as servers. The floating self IP address is owned by the active controller in an active/standby configuration.

Note: The IP address of the external VLAN is not the IP address of your site or sites. The IP addresses of the sites themselves are specified by the virtual IP addresses associated with each virtual server you configure.

Assigning interfaces to VLANs

After you configure the VLANs you want to use on the controller, you can assign interfaces to the VLANs. If you use the default internal and external VLANs, we recommend that you assign at least one interface to the external VLAN, and at least one interface to the internal VLAN. The external VLAN is the one on which the BIG-IP Controller receives connection requests. The internal VLAN is typically the one that is connected to the network of servers, firewalls, or other equipment that the BIG-IP Controller load balances.

Selecting the primary IP address

After you assign interfaces to VLANs, you can choose one VLAN/IP address combination as the primary IP address to associate with the controller host name.

Configuring settings for remote web access

The BIG-IP web server provides the ability to set up remote web access on each VLAN. When you set up web access on a VLAN, you can connect to the web-based configuration utility through the VLAN. To enable web access, specify a fully qualified domain name (FQDN) for each VLAN. The BIG-IP web server configuration also requires that you define a user ID and password. If SSL is available, the configuration also generates authentication certificates.

The First-Time Boot utility guides you through a series of screens to set up remote web access.

  • The first screen prompts you to select the VLAN you want to configure for web access. After you select an interface to configure, the utility prompts you to type a fully qualified domain name (FQDN) for the interface. You can configure web access on one or more interfaces.
  • After you configure the interface, the utility prompts you for a user name and password. After you type a user name and password, the utility prompts you for a vendor support account. The vendor support account is not required.
  • The certification screen prompts you for country, state, city, company, and division.

Warning: If you ever change the IP addresses or host names on the BIG-IP Controller interfaces, you must reconfigure the BIG-IP web server to reflect your new settings. You can run the re-configuration utility from the command line using the following command:

reconfig-httpd

You can also add users to the existing password file, change a password for an existing user, or recreate the password file, without actually repeating the remote web server configuration process.

Warning: If you have modified the remote web server configuration outside of the configuration utility, be aware that some changes may be lost when you run the reconfig-httpd utility. This utility overwrites the httpd.conf file and openssl.conf, but does not warn you before doing so.

Configuring a time zone

Next, you need to specify your time zone. This ensures that the clock for the BIG-IP Controller is set correctly, and that dates and times recorded in log files correspond to the time zone of the system administrator. Scroll through the list to find the time zone at your location. Note that one option may appear with multiple names. Select the time zone you want to use, and press the Enter key to continue.

Configuring the DNS forwarding proxy settings

You only need to complete this step if you want machines inside your BIG-IP Controller managed network to use DNS servers outside of that network (for example, for reverse DNS lookup from a web server).

Specify the DNS name server and domain name for DNS proxy forwarding by the BIG-IP Controller. For more information on DNS proxy forwarding see the BIG-IP Installation Guide.

Configuring remote command line access

After you configure remote web access, the First-Time Boot utility prompts you to configure remote command line access. On most BIG-IP Controllers, the first screen you see is the Configure SSH screen, which prompts you to type an IP address for SSH command line access. If SSH is not available, you are prompted to configure access through Telnet and FTP instead.

When you configure shell access, the First-Time Boot utility prompts you to create a support account for that method. You can use this support account to provide a support engineer access to the BIG-IP Controller.

When the First-Time Boot utility prompts you to enter an IP address for administration, you can type a single IP address or a range of IP addresses, from which the BIG-IP Controller will accept administrative connections (either remote shell connections, or connections to the BIG-IP web server). To specify a range of IP addresses, you can use the asterisk (*) as a wildcard character in the IP addresses.

The following example allows remote administration from all hosts on the 192.168.2 network:

192.168.2.*
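An added example, not taken from the BIG-IP manual: a Python sketch for reviewing an administrative-access pattern such as the one above before you type it into the utility. It assumes each octet is either a number or an asterisk that matches any value from 0 to 255; the function names, the 256-address threshold, and the sample source addresses are constructed for illustration.

```python
import ipaddress

def parse_pattern(pattern):
    """Return four octets: an int for a literal, None for '*'."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {pattern!r}")
    octets = []
    for part in parts:
        if part == "*":
            octets.append(None)
        elif part.isascii() and part.isdigit() and int(part) <= 255:
            octets.append(int(part))
        else:
            raise ValueError(f"bad octet {part!r} in {pattern!r}")
    return octets

def matches(pattern, address):
    """True if the IPv4 address is covered by the wildcard pattern."""
    packed = ipaddress.IPv4Address(address).packed
    return all(o is None or o == b for o, b in zip(parse_pattern(pattern), packed))

def address_count(pattern):
    """Number of source addresses the pattern admits."""
    return 256 ** parse_pattern(pattern).count(None)

def to_cidr(pattern):
    """Equivalent CIDR block when only trailing octets are wildcards, else None."""
    octets = parse_pattern(pattern)
    fixed = 0
    while fixed < 4 and octets[fixed] is not None:
        fixed += 1
    if any(o is not None for o in octets[fixed:]):
        return None  # e.g. 192.*.2.1 has no single CIDR equivalent
    base = ".".join(str(o or 0) for o in octets)
    return ipaddress.IPv4Network(f"{base}/{8 * fixed}")

def audit(pattern, sources, max_addresses=256):
    """Summarize a pattern; max_addresses is an assumed review threshold."""
    cidr = to_cidr(pattern)
    allowed = [s for s in sources if matches(pattern, s)]
    return {
        "pattern": pattern,
        "cidr": str(cidr) if cidr is not None else None,
        "addresses": address_count(pattern),
        "too_broad": address_count(pattern) > max_addresses,
        "allowed": allowed,
        "denied": [s for s in sources if s not in allowed],
    }

# Constructed sample: source addresses to check against a candidate pattern.
SAMPLE_SOURCES = ["192.168.2.10", "192.168.2.254", "192.168.3.10", "10.0.0.5"]

if __name__ == "__main__":
    for pat in ("192.168.2.*", "192.168.*.*", "*.*.*.*"):
        print(audit(pat, SAMPLE_SOURCES))
```
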

Note: For administration purposes, you can connect to the BIG-IP Controller floating self IP address, which always connects you to an active controller in an active/standby redundant system. To connect to a specific controller, simply connect directly to the IP address of that BIG-IP Controller.

NTP support

You can synchronize the time on the controller to a public time server by using Network Time Protocol (NTP). NTP is built on top of TCP/IP and assures accurate, local timekeeping with reference to clocks located on the Internet. This protocol is capable of synchronizing distributed clocks, within milliseconds, over long periods of time. If you choose to enable NTP, make sure UDP port 123 is open in both directions when the controller is behind a firewall.

NameSurfer

If you have the 3-DNS module installed, you can configure NameSurfer to handle DNS zone file management for the controller. We strongly recommend that you configure NameSurfer to handle zone file management by selecting NameSurfer to be the master on the controller. If you select NameSurfer as the master, NameSurfer converts the DNS zone files on the controller and handles all changes and updates to these files. (You can access the NameSurfer application directly from the Configuration utility for the 3-DNS module.)

config combo

The config combo utility repeats the segment of config in which you select BIG-IP Cache Controller, BIG-IP FireGuard, or BIG-IP Load Balancer as your product. The config combo command is used primarily to change an existing product selection.

Warning: Once you have configured your system based on one of the three product selections (BIG-IP Cache Controller, BIG-IP FireGuard, or BIG-IP Load Balancer), changing the product selection will most likely invalidate that configuration. Therefore you will need to change and update your configuration after you have rebooted the system under the new product selection.

config dns

Runs only the Configure DNS Proxy segment of config. Use it if you want machines inside your BIG-IP Controller managed network to use DNS servers outside of that network (for example, for reverse DNS lookup from a web server).

Specify the DNS name server and domain name for DNS proxy forwarding by the BIG-IP Controller. For more information on DNS proxy forwarding see the BIG-IP Installation Guide.

config ftpd

Use this utility to configure FTP on the BIG-IP Controller. This utility prompts you for an IP address from which administrators may access the BIG-IP Controller with FTP. You can use wildcard characters (*) to include all addresses from a specific part of the network. This utility also prompts you to create a support account for access by technical support.

If the service port for FTP is closed, this script opens the service port to permit FTP connections to the BIG-IP Controller.

To run the FTP configuration utility, type in the following command:

config ftpd

Note: Running config ftpd again replaces the current configuration.

config httpd

Use the reconfig httpd configuration utility to reconfigure the HTTPD server on a BIG-IP Controller.

This script enables you to assign an FQDN to your internal and external VLANs. This utility also prompts you to create a support account for access by technical support.

If the service port for the web server on the BIG-IP controller (httpd) is closed, this script automatically opens the service port to permit access to the web server.

config password

Runs only the config segment for configuring the password.

config redundant

config redundant is identical to config except that it skips the initial steps for setting keyboard type and root password. config redundant is for re-configuration of a standalone unit as one of a redundant pair, or for the addition of a second unit to complete a redundant pair.

config remote

Runs only the config segment for configuring each controller in a redundant system in order to share keys with the peer BIG-IP Controller.

The script prompts you for the root password of the other controller in the redundant system. After confirming your input, the config remote script attempts to access the peer system and configure both systems to communicate with one another. This provides the secure communication channel that the controllers use to exchange configuration data when you run the bigpipe configsync option, or use the Config Sync button in the Configuration utility.

To run the config remote script, type the following command on the command line:

config remote

config rshd

Use the config rshd configuration utility to configure the remote shell (rshd) server on a BIG-IP Controller. This utility prompts you for an IP address from which administrators may access the BIG-IP Controller. You can use wildcard characters (*) to include all addresses from a specific part of the network. This utility also prompts you to create a support account for access by technical support.

If inetd is not currently configured, this script configures inetd for the remote shell server (rshd). If the service port for rsh is closed, this utility opens the service port to permit rsh connections to the BIG-IP Controller.

To run the rsh configuration utility, type in the following command:

config rshd

Note: Running config rshd again replaces the current configuration.

config sshd

Runs only the config segment for configuring secure shell server (sshd) on a BIG-IP Controller. This utility prompts you for an IP address from which administrators may access the BIG-IP Controller with SSH. You can use wildcard characters (*) to include all addresses from a specific part of the network. This utility also prompts you to create a support account for access by technical support.

If the service port for SSH is closed, this script opens the service port to permit SSH connections to the BIG-IP Controller.

To run the secure shell configuration utility, type in the following command:

config sshd

Note: Running config sshd again replaces the current configuration.

config telnetd

Runs only the config segment for configuring the Telnet and FTP servers on a BIG-IP Controller. The script prompts you to configure each service independently. This allows you to enable Telnet but not FTP, for example.

The script prompts you for a configuration address for each service from which administrators may access the BIG-IP Controller. You can use wildcard characters (*) to include all addresses from a specific part of the network. This utility also prompts you to create a support account for access by technical support.

If inetd is not currently configured, this script configures inetd for the requested services. If the ports for Telnet or FTP are closed, this script opens the ports to permit Telnet or FTP connections to the BIG-IP Controller.

To run the Telnet/FTP configuration utility, type in the following command:

config telnetd

Note: Running config telnetd again replaces the current configuration.

config timezone

Runs only the config segment for configuring the time zone. The time zone setting ensures that the clock for the BIG-IP Controller is set correctly, and that dates and times recorded in log files correspond to the time zone of the system administrator. Scroll through the list to find the time zone at your location. Note that one option may appear with multiple names. Select the time zone you want to use, and press the Enter key to continue.