Manual Chapter : BIG-IP e-Commerce Controller guide v3.3: Using an SSL Accelerator Half Sandwich

Applies To:

BIG-IP versions 1.x - 4.x

  • 3.3.1 PTF-06, 3.3.1 PTF-05, 3.3.1 PTF-04, 3.3.1 PTF-03, 3.3.1 PTF-02, 3.3.1 PTF-01, 3.3.1, 3.3.0
Chapter 4: Using an SSL Accelerator Half Sandwich



Introducing the SSL accelerator half sandwich configuration

This chapter explains how to set up a scalable SSL accelerator configuration. This configuration is useful for any enterprise that handles a large amount of encrypted traffic.

With this configuration, you can increase the scale of the network by adding new SSL accelerators to the configuration. You can use this configuration to load balance encrypted traffic to the SSL accelerators while standard HTTP traffic is sent directly to a second BIG-IP Controller which load balances the connections to the content servers.

Figure 4.1 shows a configuration of an SSL accelerator half-sandwich. The following sections refer to Figure 4.1 as an example of how you can set up such a configuration.

Note: The IP addresses shown in the example configuration are fictitious. When implementing your configuration, choose IP addresses that are consistent with your network or networks.

Figure 4.1 An SSL accelerator half-sandwich.

Configuration tasks

First, complete the following tasks on the BIG-IP Controllers 1a and 1b that you want to use to load balance traffic coming into your network:

  • Create two load balancing pools. One pool load balances HTTP connections using the IP address of a virtual server on the second BIG-IP Controller (10.3.0.251), and another pool load balances SSL connections to the SSL accelerators.
  • Create two virtual servers. One virtual server references the pool that contains the IP address of the virtual server on the other controller. The second virtual server references the pool for load balancing the SSL accelerators.
  • Enable port 80 and port 443 on the controller.

Next, complete the following tasks on each SSL accelerator in the half-sandwich:

  • Configure interfaces on each SSL accelerator.
  • Set up an SSL gateway that points to the virtual server that handles HTTP requests on the BIG-IP Controller (10.3.0.251).

Next, complete the following tasks on the BIG-IP Controller (10.3.0.251) that load balances HTTP requests from the SSL accelerators and HTTP requests from the BIG-IP Controllers 1a and 1b:

  • Configure interfaces on the second BIG-IP Controller.
  • Create a pool of web servers that handle HTTP connections.
  • Create one virtual server that handles connections for the content servers.
  • Create a last hop pool of devices from which the controller receives requests.
  • Add the last hop pool from which this controller receives HTTP connections to the virtual server.
  • Enable port 80.

Next, complete the following tasks on each content server:

  • Set the default route on each node in the cell to point to the internal IP address of the second BIG-IP Controller.

Configuring the BIG-IP Controllers handling inbound traffic

First, complete the following tasks on the BIG-IP Controllers 1a and 1b that you want to use to load balance traffic coming into your network:

  • Create two load balancing pools. One pool load balances HTTP connections using the IP address of a virtual server on the second BIG-IP Controller (10.3.0.251), and another pool load balances SSL connections to the SSL accelerators.
  • Create two virtual servers. One virtual server references the pool that contains the IP address of the virtual server on the other controller. The second virtual server references the pool for load balancing the SSL accelerators.
  • Enable port 80 and port 443 on the controller.

Create load balancing pools for HTTP and SSL requests

Create two load balancing pools. One pool load balances HTTP connections using the IP address of a virtual server on the second BIG-IP Controller (10.3.0.251), and another pool load balances SSL connections to the SSL accelerators.

This section describes how to create the load balancing pools required for the SSL accelerator configuration described in Figure 4.1. The two pools you need to create are:

  • A load balancing pool that load balances HTTP connections using the IP address of a virtual server on the second BIG-IP Controller (10.3.0.251). For this example, the HTTP pool is named http_virtual. This pool contains the member 10.1.0.101:80.
  • A load balancing pool for SSL connections to the SSL accelerators. For this example, the SSL accelerator pool is named ssl_gateways. This pool contains the following members:
    accelerator1 (10.1.0.111:443)
    accelerator2 (10.1.0.112:443)

To create a pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. In the toolbar, click the Add Pool button.
    The Add Pool screen opens.
  3. In the Add Pool screen, configure the load balancing method, persistence attributes, and members for the pool.

    Configuration notes

    · For this example, you could create an HTTP pool named http_virtual. This pool contains the following member:
    10.1.0.101:80

    · For this example, you could create an SSL accelerator pool named ssl_gateways. This pool contains the following members:
    accelerator1 (10.1.0.111:443)
    accelerator2 (10.1.0.112:443)

    · For additional information about configuring a pool, click the Help button.

To define a pool from the command line

To define a pool from the command line, use the following syntax:

bigpipe pool <pool_name> {lb_mode <lb_mode> member <member_definition> ... member <member_definition>}

For example, if you want to create the pool http_virtual and the pool ssl_gateways, you would type the following command:

bigpipe pool http_virtual { lb_mode rr member 10.1.0.101:80 }

bigpipe pool ssl_gateways { lb_mode rr member 10.1.0.111:443 member 10.1.0.112:443 }

Creating the virtual servers that reference the HTTP and SSL pools

Create a virtual server that references the pool load balancing the SSL connections, and another virtual server that references the pool that load balances the HTTP connections to the virtual server on the second BIG-IP Controller.

To define a standard virtual server that references a pool using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. On the toolbar, click Add Virtual Server.
    The Add Virtual Server screen opens.
  3. Fill in the attributes for the virtual server.

    Configuration notes

    · To create the configuration described in Figure 4.1, create a virtual server 10.0.0.101 on port 443 that references the pool of SSL accelerators.

    · To create the configuration described in Figure 4.1, create a virtual server 10.0.0.101 on port 80 that references the HTTP pool (http_virtual), which forwards HTTP connections to the virtual server on the second BIG-IP Controller.

    · For additional information about this screen, click the Help button on the tool bar.

To define a standard virtual server mapping from the command line

Type the bigpipe vip command as shown below. Also, you can use host names in place of IP addresses, and you can use standard service names in place of port numbers.

bigpipe vip <virt IP>:<port> use pool <pool_name>

To create the virtual servers for the configuration in Figure 4.1, you could type the following commands, where the pool of SSL accelerators is named ssl_gateways and the pool for HTTP requests is named http_virtual:

bigpipe vip 10.0.0.101:443 use pool ssl_gateways

bigpipe vip 10.0.0.101:80 use pool http_virtual

Enable ports 80 and 443

For security reasons, the BIG-IP Controller ports do not accept traffic until you enable them. In this configuration, the BIG-IP Controller accepts traffic on port 443 for SSL, and port 80 for HTTP. For this configuration to work, you must enable port 80 and port 443. Use the following command to enable these ports:

bigpipe port 80 443 enable

Configuring each SSL accelerator

Next, complete the following tasks on each SSL accelerator in the half-sandwich:

  • Configure interfaces on each SSL accelerator.
  • Set up an SSL gateway that points to the virtual server that handles HTTP requests on the BIG-IP Controller (10.3.0.251).
  • Set the idle connection timer for port 443.

Configuring interfaces on each SSL accelerator

You must configure the interfaces on each SSL accelerator to process source and destination addresses. In a basic controller configuration, one interface is configured as an internal interface (source processing), and the other interface is configured as an external interface (destination processing).

In order for the SSL accelerator half sandwich to work, you must turn destination processing on for the internal interface, and source processing on for the external interface.

To configure source and destination processing using the Configuration utility

  1. In the navigation pane, click NICs.
    The Network Interface Cards screen opens. You can view the current settings for each interface in the Network Interface Card table.
  2. In the Network Interface Card table, click the name of the interface you want to configure.
    The Network Interface Card Properties screen opens.

    · To enable source processing for this interface, click the Enable Source Processing check box.

    · To enable destination processing for this interface, click the Enable Destination Processing check box.

  3. Click the Apply button.

To configure source and destination processing from the command line

Use the following syntax to configure source and destination processing on the specified interface:

bigpipe interface <interface> dest [ enable | disable ]

bigpipe interface <interface> source [ enable | disable ]

The following example command enables destination processing on the interface exp0:

bigpipe interface exp0 dest enable

The following example command enables source processing on the interface exp1:

bigpipe interface exp1 source enable

Setting up an SSL gateway that points to the HTTP virtual server on the second BIG-IP Controller

The next step is to set up an SSL gateway that points to the virtual server that handles HTTP requests on the BIG-IP Controller (10.3.0.251). The SSL gateway passes the HTTP request to the BIG-IP Controller which then load balances them to the content servers.

The first task you must complete on the SSL accelerator is to set up an SSL gateway for each node for which the SSL accelerator handles connections. Using the example for creating an SSL Accelerator cell in Figure 4.1, you create an SSL gateway on accelerator1 and an SSL gateway on accelerator2:

  • An SSL gateway on accelerator1 that has the virtual server 10.1.0.101:80 as a target
  • An SSL gateway on accelerator2 that has the virtual server 10.1.0.101:80 as a target

The following section includes procedures for adding an SSL gateway to the SSL Accelerator configuration.

Creating an SSL gateway using the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. On the toolbar, click Add Proxy.
    The Add Proxy screen opens.
  3. In the Proxy Address box, type the IP address for the SSL gateway. For the accelerator1 SSL accelerator, the gateway address is 10.1.0.111 (port 443). When you create the second SSL gateway, on accelerator2, the gateway address is 10.1.0.112 (port 443).
  4. In the Proxy Port box, type the port number that the proxy server uses, or select a service from the list box. Note that if you select a service, the Configuration utility uses the default port number associated with that service.
  5. For Interface, select the destination processing interface on which you want to create the SSL gateway. Select default to allow the Configuration utility to select the interface based on the network address of the SSL gateway.
  6. In the Destination Address box, type the IP address or host name of the node to which the SSL gateway maps. In this example, the destination should be the virtual server 10.1.0.101 on the second BIG-IP Controller.
  7. In the Destination Port box, type a port name or number, such as port 80 or http, or select the service name from the drop-down list.
  8. In the SSL Certificate box, type the name of the SSL certificate you installed on the BIG-IP Controller. You can select the certificate you want to use from the drop down list.
  9. In the SSL Key box, type the name of the SSL key for the certificate you installed on the BIG-IP Controller. You can select the key from the drop down list. It is important that you select the key used to generate the certificate you selected in the SSL Certificate box.
  10. Click Apply.

Creating an SSL gateway from the command line

Use the following command syntax to create an SSL gateway:

bigpipe proxy <ip>:<port> [<ifname>] { netmask <ip> [broadcast <ip>] target server <ip>:<port> ssl enable key <key> cert <cert> }

For example, to create the SSL gateways for the SSL accelerator cell in Figure 4.1, you would use the following commands, the first on accelerator1 and the second on accelerator2:

bigpipe proxy 10.1.0.111:443 exp0 { netmask 255.255.255.0 broadcast 10.1.0.255 target server 10.1.0.101:80 ssl enable key my.server.net.key cert my.server.net.cert }

bigpipe proxy 10.1.0.112:443 exp0 { netmask 255.255.255.0 broadcast 10.1.0.255 target server 10.1.0.101:80 ssl enable key my.server.net.key cert my.server.net.cert }
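Step 9 above stresses that the key named in the proxy command must be the one used to generate the certificate; a mismatched pair makes every SSL handshake on that gateway fail. The following shell script, added here as an example and not part of the BIG-IP manual, checks that pairing with the openssl command line tool before the files are referenced in a bigpipe proxy command, and also reports a certificate that has expired or is about to. The file names my.server.net.key and my.server.net.cert follow the chapter's example; the script assumes PEM-encoded files and an openssl binary on the host where the check runs.

```shell
#!/bin/sh
# Confirms that a key file and a certificate file belong together, and that the
# certificate is still valid, before they are named in
# "bigpipe proxy ... ssl enable key <key> cert <cert>".
# Added example, not from the BIG-IP manual; needs only the openssl command line tool.

# Public key carried by a PEM certificate
cert_pubkey() { openssl x509 -noout -pubkey -in "$1"; }

# Public key derived from a PEM private key
key_pubkey() { openssl pkey -pubout -in "$1"; }

# Return 0 if key $1 and certificate $2 form a pair, 1 if they do not,
# 2 if either file is missing or cannot be parsed
key_matches_cert() {
  key=$1; cert=$2
  if [ ! -r "$key" ] || [ ! -r "$cert" ]; then
    echo "missing or unreadable: $key / $cert" >&2
    return 2
  fi
  k=$(key_pubkey "$key" 2>/dev/null) || { echo "cannot parse key $key" >&2; return 2; }
  c=$(cert_pubkey "$cert" 2>/dev/null) || { echo "cannot parse certificate $cert" >&2; return 2; }
  if [ "$k" = "$c" ]; then
    echo "ok: $key matches $cert"
    return 0
  fi
  echo "mismatch: $key was not used to generate $cert" >&2
  return 1
}

# Return 0 if certificate $1 is still valid $2 seconds from now (default: right now)
cert_not_expired() {
  openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null
}

# Run both checks on a pair; the exit status is that of the first failure found
gateway_cert_check() {
  key_matches_cert "$1" "$2" || return $?
  cert_not_expired "$2" || { echo "expired or about to expire: $2" >&2; return 1; }
}

# Usage: sh check_pair.sh my.server.net.key my.server.net.cert
if [ $# -eq 2 ]; then gateway_cert_check "$1" "$2"; fi
```

Exit status 0 means the pair is consistent and the certificate is still valid, 1 means a mismatch or an expired certificate, and 2 means a file could not be read or parsed. The public keys are compared rather than moduli so the same check works for non-RSA keys.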

Configuring the BIG-IP Controller that load balances the content servers

Next, complete the following tasks on the BIG-IP Controller (10.3.0.251) that load balances HTTP requests from the SSL accelerators and HTTP requests from the BIG-IP Controllers 1a and 1b:

  • Configure interfaces on the second BIG-IP Controller.
  • Create a pool of web servers that handle HTTP connections.
  • Create a virtual server that handles connections for the content servers.
  • Create a last hop pool of devices from which the controller receives requests.
  • Add the last hop pool from which this controller receives HTTP connections to the virtual server.
  • Enable port 80.
  • Set the default route on the controller to the internal IP alias of the BIG-IP Controllers 1a and 1b.

Configure interfaces for the BIG-IP Controller

You must configure the interfaces on the second BIG-IP Controller (10.3.0.251 in Figure 4.1) to process source and destination addresses. Note that in a basic controller configuration, one interface is configured as an internal interface (source processing), and the other interface is configured as an external interface (destination processing).

In order for the SSL accelerator half sandwich to work, you must turn destination processing on for the internal interface, and source processing on for the external interface.

To configure source and destination processing in the Configuration utility

  1. In the navigation pane, click NICs.
    The Network Interface Cards screen opens. You can view the current settings for each interface in the Network Interface Card table.
  2. In the Network Interface Card table, click the name of the interface you want to configure.
    The Network Interface Card Properties screen opens.

    · To enable source processing for this interface, click the Enable Source Processing check box.

    · To enable destination processing for this interface, click the Enable Destination Processing check box.

  3. Click the Apply button.

To configure source and destination processing from the command line

Use the following syntax to configure source and destination processing on the specified interface:

bigpipe interface <interface> dest [ enable | disable ]

bigpipe interface <interface> source [ enable | disable ]

The following example command enables destination processing on the interface exp0:

bigpipe interface exp0 dest enable

The following example command enables source processing on the interface exp1:

bigpipe interface exp1 source enable

Creating a pool for the content servers

This section describes how to create the load balancing pools required for the SSL accelerator configuration described in Figure 4.1.

The pool you need to create is a load balancing pool for connections to the IP addresses of the web servers. For this example, the HTTP pool is named http_virtual. This pool contains the following members:
    Server1 (10.3.0.11)
    Server2 (10.3.0.12)

To create a pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. In the toolbar, click the Add Pool button.
    The Add Pool screen opens.
  3. In the Add Pool screen, configure the load balancing method, persistence attributes, and members for the pool.

    Configuration notes

    · For this example, you could create an HTTP pool named http_virtual. This pool contains the following members:
    server1 (10.3.0.11)
    server2 (10.3.0.12)

    · For additional information about configuring a pool, click the Help button.

To define a pool from the command line

To define a pool from the command line, use the following syntax:

bigpipe pool <pool_name> {lb_mode <lb_mode> member <member_definition> ... member <member_definition>}

For example, if you want to create the pool http_virtual, you would type the following command:

bigpipe pool http_virtual { lb_mode rr member 10.3.0.11:80 member 10.3.0.12:80 }

Creating a virtual server that references the HTTP pool

Next, create a virtual server that references the pool load balancing HTTP connections.

To define a standard virtual server that references a pool using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. On the toolbar, click Add Virtual Server.
    The Add Virtual Server screen opens.
  3. Fill in the attributes for the virtual server.

    Configuration notes

    · To create the configuration described in Figure 4.1, create a virtual server 10.1.0.101 on port 80 that references the pool of content servers. This is the virtual server that the SSL gateways and the http_virtual pool on the BIG-IP Controllers 1a and 1b point to.

    · For additional information about this screen, click the Help button on the tool bar.

To define a standard virtual server mapping from the command line

Type the bigpipe vip command as shown below. Also, remember that you can use host names in place of IP addresses, and that you can use standard service names in place of port numbers.

bigpipe vip <virt IP>:<port> use pool <pool_name>

To create the virtual server for the configuration in Figure 4.1, you could type the following command, where the pool for HTTP requests is named http_virtual:

bigpipe vip 10.1.0.101:80 use pool http_virtual

Creating a last hop pool of devices from which the controller receives requests

This section describes how to create the load balancing pools required for the SSL accelerator configuration described in Figure 4.1.

The pool you need to create is a load balancing pool you can use as a last hop pool for connections the controller receives from other devices. For this example, the pool is named http_sources. This pool contains the following members:
    BIG-IP 1a and 1b internal alias (10.1.0.251)
    accelerator1 (10.1.0.111)
    accelerator2 (10.1.0.112)

To create a pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. In the toolbar, click the Add Pool button.
    The Add Pool screen opens.
  3. In the Add Pool screen, configure the load balancing method, persistence attributes, and members for the pool.

    Configuration notes

    · For this example, you could create a last hop pool named http_sources. This pool contains the following members:
    BIG-IP 1a and 1b internal alias (10.1.0.251:any)
    accelerator1 (10.1.0.111:any)
    accelerator2 (10.1.0.112:any)

    · Specify any for the port for each member.

    · For additional information about configuring a pool, click the Help button.

To define a pool from the command line

To define a pool from the command line, use the following syntax:

bigpipe pool <pool_name> {lb_mode <lb_mode> member <member_definition> ... member <member_definition>}

For example, if you want to create the pool http_sources, you would type the following command:

bigpipe pool http_sources { lb_mode rr member 10.1.0.251:any member 10.1.0.111:any member 10.1.0.112:any }

Adding the last hop pool from which this controller receives HTTP connections to the virtual server

The next step is to add the last hop pool of all the devices (http_sources) from which the controller receives HTTP connections to the virtual server. This pool includes the internal alias of the BIG-IP Controllers 1a and 1b and each SSL accelerator that passes on HTTP connections to the second BIG-IP Controller, so that replies return through the device the connection arrived from.

To configure a last hop pool using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
    The Virtual Servers screen opens.
  2. In the Virtual Servers Current List, select the virtual server configured for HTTP connections. In this example the virtual server is 10.1.0.101:80.
    The Virtual Server Properties screen opens.
  3. In the Last Hop Pool section, select the pool for load balancing HTTP connections from all devices. In this example, the pool is http_sources.
  4. Click the Apply button.

To configure a last hop pool from the command line

To configure a last hop pool from the command line, you must first create the pool of devices from which the BIG-IP Controller receives connections (http_sources, in this example). Then use the following command to assign that pool as the last hop pool for the virtual server 10.1.0.101:80:

bigpipe vip 10.1.0.101:80 lasthop pool http_sources

Enable port 80

For security reasons, the BIG-IP Controller ports do not accept traffic until you enable them. In this configuration, the BIG-IP Controller accepts traffic on port 80 for HTTP. For this configuration to work, you must enable port 80. Use the following command to enable this port:

bigpipe port 80 enable

Configuring the content servers

The final task you must complete for this configuration is to set the default route on each server to point to the internal interface (source processing) of the second BIG-IP Controller (10.3.0.251).

In the configuration described in Figure 4.1, set the default route on Server1 and Server2 to the internal address of the second BIG-IP Controller, which is 10.3.0.251.
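The whole procedure of this chapter, gathered into one script as an added example (not from the BIG-IP manual or from F5): every address in Figure 4.1 is defined once, the bigpipe command set for each device is produced from those variables, and a check function confirms that the references between devices line up. The checks cover the points where the three configurations meet: the http_virtual member on 1a and 1b and every SSL gateway target must be the HTTP virtual server on the second controller, every ssl_gateways member must be a gateway that is actually defined, and the last hop pool must list the 1a/1b internal alias and every gateway address exactly once. The interface names exp0 and exp1 and the key and certificate names are taken from the chapter's own examples; the checks are this script's own idea of what a consistent half sandwich looks like, and they run against generated command text, so no controller is needed to run them.

```shell
#!/bin/sh
# Builds the bigpipe command set for every device in the half sandwich of Figure 4.1
# from one set of address variables, then cross-checks the references between the
# devices. Added example, not from the BIG-IP manual: the addresses, names and
# commands are the chapter's, the consistency checks are this script's own.

# Addresses from Figure 4.1 (fictitious, as the chapter notes)
FRONT_VIP=10.0.0.101            # virtual server on BIG-IP Controllers 1a and 1b
FRONT_INTERNAL_ALIAS=10.1.0.251 # shared internal alias of 1a and 1b
ACCEL1=10.1.0.111               # accelerator1
ACCEL2=10.1.0.112               # accelerator2
SECOND_VIP=10.1.0.101           # HTTP virtual server on the second BIG-IP Controller
SERVER1=10.3.0.11               # content servers behind the second controller (10.3.0.251)
SERVER2=10.3.0.12
SSL_KEY=my.server.net.key
SSL_CERT=my.server.net.cert

# Commands for BIG-IP Controllers 1a and 1b
front_controller_cmds() {
  cat <<EOF
bigpipe pool http_virtual { lb_mode rr member ${SECOND_VIP}:80 }
bigpipe pool ssl_gateways { lb_mode rr member ${ACCEL1}:443 member ${ACCEL2}:443 }
bigpipe vip ${FRONT_VIP}:443 use pool ssl_gateways
bigpipe vip ${FRONT_VIP}:80 use pool http_virtual
bigpipe port 80 443 enable
EOF
}

# Commands for one SSL accelerator; $1 is that accelerator's own address
accelerator_cmds() {
  cat <<EOF
bigpipe interface exp0 dest enable
bigpipe interface exp1 source enable
bigpipe proxy $1:443 exp0 { netmask 255.255.255.0 broadcast 10.1.0.255 target server ${SECOND_VIP}:80 ssl enable key ${SSL_KEY} cert ${SSL_CERT} }
EOF
}

# Commands for the second BIG-IP Controller
second_controller_cmds() {
  cat <<EOF
bigpipe interface exp0 dest enable
bigpipe interface exp1 source enable
bigpipe pool http_virtual { lb_mode rr member ${SERVER1}:80 member ${SERVER2}:80 }
bigpipe vip ${SECOND_VIP}:80 use pool http_virtual
bigpipe pool http_sources { lb_mode rr member ${FRONT_INTERNAL_ALIAS}:any member ${ACCEL1}:any member ${ACCEL2}:any }
bigpipe vip ${SECOND_VIP}:80 lasthop pool http_sources
bigpipe port 80 enable
EOF
}

# Print the members of pool $2 defined in command file $1, one per line
pool_members() {
  grep "^bigpipe pool $2 " "$1" | tr ' ' '\n' | awk 'prev == "member" { print } { prev = $1 }'
}

# Cross-check the 1a/1b ($1), accelerator ($2) and second-controller ($3) command files.
# Returns 0 when every reference lines up, 1 otherwise, printing one line per finding.
check_config() {
  front=$1; accel=$2; second=$3; rc=0
  # The HTTP virtual server on the second controller is the one carrying the last hop pool
  vs=$(sed -n 's/^bigpipe vip \([0-9.]*:[0-9]*\) lasthop pool .*/\1/p' "$second")
  lasthop=$(sed -n 's/^bigpipe vip [0-9.]*:[0-9]* lasthop pool \([A-Za-z0-9_]*\).*/\1/p' "$second")
  if [ -z "$vs" ]; then
    echo "second controller: no virtual server carries a last hop pool"
    return 1
  fi
  # 1. The http_virtual pool on 1a/1b must reference exactly that virtual server
  for m in $(pool_members "$front" http_virtual); do
    [ "$m" = "$vs" ] || { echo "1a/1b http_virtual member $m does not match $vs"; rc=1; }
  done
  # 2. Every SSL gateway must target that virtual server
  for t in $(sed -n 's/^bigpipe proxy .* target server \([0-9.]*:[0-9]*\) .*/\1/p' "$accel"); do
    [ "$t" = "$vs" ] || { echo "SSL gateway target $t does not match $vs"; rc=1; }
  done
  # 3. Every member of ssl_gateways on 1a/1b must be an SSL gateway that is actually defined
  for g in $(pool_members "$front" ssl_gateways); do
    grep -q "^bigpipe proxy $g " "$accel" || { echo "ssl_gateways member $g has no SSL gateway"; rc=1; }
  done
  # 4. The last hop pool must list the 1a/1b internal alias and every SSL gateway address;
  #    replies to a source that is missing follow the controller's default route instead
  sources=$(pool_members "$second" "$lasthop" | sed 's/:.*//')
  for need in "$FRONT_INTERNAL_ALIAS" $(sed -n 's/^bigpipe proxy \([0-9.]*\):.*/\1/p' "$accel"); do
    echo "$sources" | grep -qxF "$need" || { echo "$lasthop lacks $need"; rc=1; }
  done
  # 5. A member listed twice usually means another source was left out by a copy-paste slip
  dup=$(echo "$sources" | sort | uniq -d)
  [ -z "$dup" ] || { echo "$lasthop lists $dup more than once"; rc=1; }
  return $rc
}
```

To use it, redirect front_controller_cmds, the two accelerator_cmds calls (one per accelerator address) and second_controller_cmds to three files, run check_config on them, and only then type the commands on the respective devices. The content servers' default route (10.3.0.251) is set on the servers themselves and is not part of the generated command sets.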