Archived: Deploying BIG-IP GTM With APM For Global Remote Access
Welcome to the F5® deployment guide for BIG-IP® Global Traffic Manager® (GTM) and BIG-IP Access Policy Manager (APM). This
guide shows administrators how to configure the BIG-IP GTM and APM together to provide high availability and secure remote
access to corporate resources from anywhere in the world.
In this solution, the BIG-IP GTM intelligently directs traffic to the closest available branch office to the user. The BIG-IP APM uses one of several options to authenticate the user, and then creates a secure session between the user and the remote office.
For more information on the F5 BIG-IP system and the modules described in this guide, see http://www.f5.com/products/big-ip/.
Product Version
Important: Make sure you are using the most recent version of this deployment guide, available at http://www.f5.com/pdf/deployment-guides/f5-apm-gtm-dg.pdf.
DEPLOYMENT GUIDE
BIG-IP GTM and APM for Global Remote Access
Contents
Prerequisites and configuration notes 3
Configuration examples 3
Preparation Worksheet 5
Configuring the BIG-IP system 7
Configuring the BIG-IP APM virtual servers 7
• This guide does not cover the deployment of, or guidance for, any specific application; as such, we strongly recommend deploying your application prior to proceeding.
• All routes between the GTM and the data centers should be in place before performing the configuration in this guide. See the BIG-IP documentation for more information on configuring routes.
• If one or more data centers contain multiple APM devices performing the same function, please refer to Appendix A for additional configuration.
Configuration examples
This guide contains two ways of configuring this deployment: a high availability configuration and a topology-based configuration.
[Figure: high availability configuration (the first of the two examples). Shows the F5 Edge Client, LDNS and GTM; vpn.example.com at 10.10.10.1 in the US Data Center and at 20.20.20.1 in the UK Data Center; the GTM VS Score load balancing method; and the APM 302 redirect to the site-specific names us1.vpn.example.com (10.10.10.2), us2.vpn.example.com (10.10.10.4) and uk1.vpn.example.com (20.20.20.2), each served by an LTM/APM pair.]
Topology-based configuration
With the topology-based configuration, the BIG-IP GTM module provides intelligent distribution based on geolocation and application load, giving users the highest level of transparency and performance. Once the user is connected to the appropriate APM device based on geolocation, the BIG-IP APM provides secure authentication and SSL VPN access to corporate resources.
[Figure: topology-based configuration. Shows the F5 Edge Client, LDNS and GTM resolving vpn.example.com to 10.10.10.1 (US Data Center) or 20.20.20.1 (UK Data Center), and the APM at each site issuing a 302 redirect to its own name, us1.vpn.example.com (10.10.10.2) or uk1.vpn.example.com (20.20.20.2).]
Preparation Worksheet
Before beginning the configuration, it is helpful to gather some information, such as IP addresses and certificate/key information. This worksheet contains the information that is helpful to have in advance. You might find it useful to print the table and then enter the information.
The table shows space to enter your information on top of each cell, and our example on the bottom.
Public WAN
    VLAN + (tag): vlan-public-WAN1 (1192) / vlan-public-WAN2 (1072)
    60.168.111.250
    Application public virtual server: 60.168.111.100 / 70.168.111.100
    In our example, APM has two virtual servers that provide VPN access, which are on the DMZ / Public WAN.
Private WAN
    Network: 192.168.111.0
    This network is used for interconnectivity between APM and GTM. In our example, the private WAN is separated from the public WAN. However, this is not required.
    VLAN + (tag): vlan-private-WAN1 (3192) / vlan-private-WAN2 (3072)
Private LAN
    VLAN + (tag): vlan-private-LAN1 (1010) / vlan-private-LAN2 (1020)
SSL Configuration
You must import and use SSL certificates that match all names in use. If you choose to use one certificate per site (e.g., us1.vpn.example.com and uk1.vpn.example.com), you must ensure that both generated certificates contain a Subject Alternative Name matching the main site name, in this case vpn.example.com, because the client first connects to the main site name before the APM redirects it to the site-specific name. It is acceptable to generate one certificate with all names in the Subject Alternative Name field if this is acceptable under your organization's security guidelines.
Wildcard certificates can also be used, provided the wildcard matches ALL possible names. Note that wildcard certificates only match the first subdomain from the wildcard: *.vpn.example.com will match uk1.vpn.example.com or us1.vpn.example.com, but will not match vpn.example.com.
You will need to import the certificates before moving forward with the BIG-IP APM wizard, as these objects will be requested during the configuration. To import SSL certificates, on the Main tab, click System > File Management > SSL Certificate List > Import. For specific information on how to import SSL certificates, see the online help or product manuals.
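An added check (not from the F5 guide) for the certificate-name rules above: it applies the single-label wildcard matching the guide describes and lists any required host name that a certificate's name list leaves uncovered. The host names are the guide's; the certificate name lists are constructed.

```python
# Added example, not from the F5 guide: checks that a certificate's DNS names
# (CN plus Subject Alternative Names) cover every name the VPN deployment uses.
# Host names are the guide's; the certificate name lists below are constructed.

def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate DNS name covers hostname.

    A wildcard stands in for exactly one leading label, as the guide says:
    *.vpn.example.com covers uk1.vpn.example.com but never vpn.example.com
    (and never a.b.vpn.example.com either).
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]                   # ".vpn.example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]   # what the "*" would have to cover
    return bool(first_label) and "." not in first_label


def uncovered_names(cert_names, required_names):
    """Names in required_names that no entry of cert_names covers (in order)."""
    return [h for h in required_names
            if not any(name_matches(c, h) for c in cert_names)]


# Names a client can be sent to: the main site name the GTM resolves, plus the
# per-site names the APM redirects to (all taken from the guide).
ALL_NAMES = ["vpn.example.com", "us1.vpn.example.com", "uk1.vpn.example.com"]
US1_NAMES = ["vpn.example.com", "us1.vpn.example.com"]   # what the us1 APM must present

# Constructed certificate name lists for the options the guide discusses.
US1_SITE_CERT = ["us1.vpn.example.com", "vpn.example.com"]  # per-site cert, main name as SAN
WILDCARD_ONLY = ["*.vpn.example.com"]                       # wildcard alone
WILDCARD_PLUS_MAIN = ["*.vpn.example.com", "vpn.example.com"]

if __name__ == "__main__":
    for label, cert, required in [("us1 site cert", US1_SITE_CERT, US1_NAMES),
                                  ("wildcard only", WILDCARD_ONLY, ALL_NAMES),
                                  ("wildcard + main name", WILDCARD_PLUS_MAIN, ALL_NAMES)]:
        missing = uncovered_names(cert, required)
        print(f"{label:22s} uncovered: {missing or 'none'}")
```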
Configuring BIG-IP APM using the Network Access Setup Wizard
This table contains guidance on using the Network Access Setup Wizard for Remote Access to configure the BIG-IP APM.
To start the wizard, from the Main tab of the Configuration utility, click Wizards, and then click Device Wizards. In the Wizard section, click the Network Access Setup Wizard for Remote Access option button.

Authentication Domain Name
    Click the appropriate button. In our example, we click the RADIUS option button.
AAA Server
    The options in this section depend on the authentication method you choose. Configure the AAA Server options as appropriate for your environment and authentication method. Use the Help tab for assistance.
Lease Pool
    Type: Click the option button for a single IP address or an address range. We click IP Address Range.
    Address(es): Type an IP address. If you selected a range, type both the start and end IP addresses. We recommend using enough addresses for the highest number of concurrent network access connections you anticipate. You must ensure the network the lease pool members reside in provides access to the application.
Network Access Client Settings
    Click the button for forcing all traffic through the tunnel or for split tunneling. If you chose split tunneling, configure the split tunneling options as applicable for your configuration. We click Force all traffic through tunnel.
    DTLS: Check this box to enable DTLS. Leave the default port of 4443 unless you have changed the DTLS port.
DNS Hosts
    Primary Name Server: Type the IP address of the Active Directory Server in the network; all other settings are optional.
Virtual Server
    IP address: Type the IP address to use for this virtual server. This address must be in the Public WAN network.
    Redirect Server: Leave this box checked. This redirects users who attempt to connect to the virtual server address using http:// to the correct https:// IP address.

Repeat this configuration on each BIG-IP APM that is a part of this configuration.
The wizard creates three virtual servers: one on port 443 that contains the Access Policy, one on port 80 that redirects users to the port 443 virtual server, and one on port 4443 for DTLS.
TCP WAN
(Main tab-->Local Traffic-->Profiles-->Protocol)
    Name: Type a unique name
    Parent Profile: tcp-wan-optimized

TCP LAN
(Main tab-->Local Traffic-->Profiles-->Protocol)
    Name: Type a unique name
    Parent Profile: tcp-lan-optimized

iRules
(Local Traffic-->Rules)
Create one of these iRules, depending on which scenario you are deploying.

    If deploying the High Availability configuration (default)
    Name: Type a unique name
    Definition:

        when CLIENT_ACCEPTED {
            # APM suppresses iRule events on its virtual servers by default;
            # allow them so HTTP_REQUEST below fires
            ACCESS::restrict_irule_events disable
        }
        when HTTP_REQUEST {
            # Send the client to this site's own name, keeping the requested URI
            HTTP::respond 302 Location "https://<FQDN of the local name of the APM instance>[HTTP::uri]"
        }

    If deploying the Topology-based configuration
    Name: Type a unique name
    Definition:

        when HTTP_REQUEST {
            # Send the client to the local APM virtual server's name, keeping the requested URI
            HTTP::respond 302 Location "https://<FQDN for the IP address of the local APM virtual server created by the wizard [2]>[HTTP::uri]"
        }

Virtual Server
(Main tab-->Local Traffic-->Virtual Servers)
    Protocol Profile (server) [3]: Select the LAN optimized TCP profile you created
    HTTP Profile: Select the HTTP profile you created
    Source Address Translation: Auto Map
    Access Profile:
        High Availability configuration (default): Select the Access Profile created by the wizard in Configuring BIG-IP APM using the Network Access Setup Wizard on page 6
        Topology-based configuration: If deploying a Topology-based configuration, do not select the Access Profile.
    Default Pool: Select the pool you created

[2] This is the fully qualified domain name that resolves to the IP address of the BIG-IP APM virtual server created by the wizard. Your DNS administrator may have to add this record.
[3] You must select Advanced from the Configuration list for these options to appear.

Repeat this configuration on the BIG-IP system in the secondary data center.
Configure an application virtual server on the BIG-IP system in each data center.
Important: The IP address you use for this internal application virtual server must be accessible by the Lease Pool members (the IP addresses or range you specified in the Lease Pool section while running the BIG-IP APM Network Access Wizard). It can be either on the same network or on a routed network.
Data Center
(Main tab-->Global Traffic-->Data Centers)
    Name: Type a unique name. Configure other options as applicable for your environment.

Servers
(Main tab-->Global Traffic-->Servers)
    Name: Type a unique name
    Product: Select either BIG-IP System (Single) or BIG-IP System (Redundant). Redundant is only used when the GTM is also an LTM/GTM combo and specifically configured for LTM failover of the listener. Otherwise use BIG-IP System (Single).
    Address List: Address: Type the Self IP address of this GTM.
    Data Center: Select the Data Center you created
    Health monitors: Optional: Select bigip
    Virtual Server Discovery: Enabled (We strongly recommend enabling Discovery; however, you can leave this set to Disabled and manually configure the virtual server information)
    Repeat this procedure to create the GTM Server objects for each of the BIG-IP APMs.

Enabling connectivity with remote BIG-IP systems
(Command line)
    When adding a remote BIG-IP LTM server, you must make sure the big3d agent is on the same version on the BIG-IP APM and GTM. If you have never registered the BIG-IP APM systems with BIG-IP GTM before, perform the following steps from the GTM using the management IP address(es) of each of the APM hosts.
    From the GTM device command line, type: big3d_install <IP address of target system>
    where the target system is the BIG-IP APM that you want to add as a server on the GTM. This pushes out the newest version of big3d.
    Next, type: bigip_add
    to exchange SSL keys with the BIG-IP APM. Type the password at the prompt, and then type iqdump <ip address of remote box>.
    If the boxes are communicating over iQuery, you see a list of configuration information from the remote BIG-IP.
    The bigip_add command must be run for every BIG-IP in the configuration.

Pools
(Main tab-->Global Traffic-->Wide IPs-->Pools)
    Load Balancing Method:
        Preferred: VS Score [1] (if using the Topology-based GTM configuration, select Topology here)
        Alternate: VS Capacity
        Return to DNS: VS Score
    Member List: Virtual Server: Select the BIG-IP APM virtual server IP address and port you created in Configuring the BIG-IP APM virtual servers on page 7, and then click Add. Repeat for each BIG-IP APM virtual server you created for use with GTM that is a part of this configuration.

Wide IPs
(Main tab-->Global Traffic-->Wide IPs)
    Name: Type a unique name
    Load Balancing Method: Topology
    Pool List: Select the pool you created.

[1] For a description of the VS Score load balancing method, see Appendix: About VS Score load balancing on page 10.
• One usage score is based on the BIG-IP system licensed maximum access concurrent sessions and the sum of the current active sessions on all the access profiles configured on the system.
• The other usage score is based on the maximum concurrent user sessions configured on the access profile attached to the virtual server and the current active sessions count on the access profile.
A value of 0 indicates no capacity and a value of 100 means full capacity available on the device.
Note: The GTM global load balancing method VS Score load balances APM users based on the virtual server score only.
Example calculation
The following is an example of how the VS Score is calculated:
• Score A – Compute the total number of access sessions used on all access policies configured on the system:
• Score B – Compute the total number of access sessions used on the access policy for the current virtual server:
    » You have an access policy configured for a maximum number of 10,000 sessions.
    » When attached to the virtual server, you have 5,000 active concurrent access sessions established.
Because 74% is greater than 50%, the VS Score in this example would be 74.
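An added example (not from the F5 guide) that computes the VS Score as the guide describes it: each usage score is the percentage of session capacity still available, the VS Score is the greater of the two as in the 74% versus 50% example above, and the GTM prefers the pool member with the highest score. The 10,000-session access profile with 5,000 active sessions is the guide's figure; the licensed-session numbers and the second member are constructed.

```python
# Added example, not from the F5 guide: VS Score as the guide describes it.
# The 10,000-session access profile with 5,000 active sessions is the guide's
# figure; the licensed-session numbers and the second member are constructed.

def usage_score(max_sessions: int, active_sessions: int) -> int:
    """Percent of session capacity still available: 0 = none, 100 = all.

    Clamped so a missing licence or an over-subscribed profile reports 0
    rather than a negative or undefined value.
    """
    if max_sessions <= 0:
        return 0
    available = max_sessions - active_sessions
    return max(0, min(100, round(100 * available / max_sessions)))


def vs_score(license_max: int, system_active: int,
             profile_max: int, profile_active: int) -> int:
    """Greater of the two usage scores, as in the guide's 74% vs 50% example."""
    score_a = usage_score(license_max, system_active)    # whole BIG-IP: licence vs all profiles
    score_b = usage_score(profile_max, profile_active)   # this virtual server's access profile
    return max(score_a, score_b)


def pick_member(members: dict) -> tuple:
    """Name of the member the VS Score method prefers, plus every member's score."""
    scores = {name: vs_score(**counts) for name, counts in members.items()}
    best = max(scores, key=scores.get)
    return best, scores


# Constructed pool members, keyed by the APM virtual server names from the guide.
SAMPLE_MEMBERS = {
    # 40,000 licensed, 10,500 active system-wide -> 74; profile 10,000/5,000 -> 50
    "us1.vpn.example.com": dict(license_max=40000, system_active=10500,
                                profile_max=10000, profile_active=5000),
    # nearly exhausted licence (-> 5) and a full access profile (-> 0)
    "uk1.vpn.example.com": dict(license_max=20000, system_active=19000,
                                profile_max=5000, profile_active=5000),
}

if __name__ == "__main__":
    best, scores = pick_member(SAMPLE_MEMBERS)
    for name, score in scores.items():
        print(f"{name:22s} VS Score {score:3d}")
    print("GTM prefers:", best)
```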
F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com
©2014 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified
at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. 0412