F5 Networks client-authentication
- Format: pdf
- Size: 331.53 KB
- Pages: 8
I. F5 configuration steps

1. F5 network planning
(1) Network topology diagram (down to the allocation and connection of the physical ports on the network devices, and the allocation and connection of the server NICs)
(2) IP address allocation (down to the IP addresses of the network devices and of the server NICs)
(3) For each service on the F5: the VIP, member pool, nodes, load balancing algorithm and persistence method

2. Preparation before configuring the F5
(1) Version check:
    f5-portal-1:~# b version
    Kernel:
    BIG-IP Kernel 4.5PTF-07 Build18
(2) Time check (if the time is wrong, correct it in single-user mode):
    f5-portal-1:~# date
    Thu May 20 15:05:10 CST 2004
(3) Apply for a license: every F5 used on site needs its license requested on the F5 website.

3. General F5 configuration
(1) Where security requirements allow, telnet and ftp can be enabled in the setup menu to make later maintenance easier.
(2) Configure the vlan unique_mac option. This option ensures that the different VLANs on the F5 have different MAC addresses. By default all VLANs on the F5 share the same MAC address; it is recommended to always select this option during configuration. Verify with ifconfig -a. Location: system/Advanced Properties/vlan unique_mac.
(3) Configure the snat any_ip option. This option ensures that ping traffic from internal machines is also translated after SNAT. Ping is a layer-3 packet, and by default the F5 does not translate ping packets, so hosts on the internal vlan cannot ping machines on the external vlan. (Note: telnet can also be used to verify.) Location: system/Advanced Properties/snat any_ip.

4. Initial configuration of the F5
It is recommended to initialise the F5 from the command line (initialising through the web page sometimes has problems). Log in to the command line and run the config or setup command to perform the initial configuration.
F5 BIG-IP Load Balancer Configuration Guide

Contents
I. Network structure and IP address planning (4)
II. Configuring the BIGIP3400 load balancing device (8)
  2.1 Choosing one-arm or inline deployment (8)
    2.1.1 Introduction to routed/inline mode (8)
    2.1.2 Introduction to one-arm mode (8)
    2.1.3 Comparison of routed/inline mode and one-arm mode (9)
  2.2 Setting the load balancer management port address (11)
  2.3 Logging in to the BIGIP web management interface (12)
  2.4 Activating the license (13)
  2.5 Initial settings (14)
    2.5.1 General platform property settings on BIG-IP 1 (14)
    2.5.2 Changing the system time (16)
    2.5.3 Setting the default management permission policy (16)
    2.5.4 Restarting bigip (17)
  2.6 Configuring the network layer (17)
    2.6.1 Creating VLANs (17)
    2.6.2 Defining IP addresses (18)
    2.6.3 Configuring routes (20)
  2.7 Configuring high availability (21)
    2.7.1 Configuring the Redundant Pair IP addresses (21)
    2.7.2 Configuring the automatic failover mechanism (FailSafe) (22)
  2.8 Configuring server load balancing (23)
    2.8.1 Configuring Monitors (24)
    2.8.2 Configuring Profiles (25)
    2.7.3 Configuring the load balancing Pool (26)
    2.8.4 Creating an iRule load balancing control rule to select servers by source address (27)
    2.8.5 Creating the Virtual server to load balance the servers (28)
    2.8.5 Setting up SNAT (30)
  2.9 Synchronising the configuration of the two BIGIPs (33)
  2.10 Backing up the configuration (34)
III. System status checks and maintenance (35)
  3.1 Checking system log messages (35)
  3.2 Checking Node status (35)
  3.3 Viewing traffic information (36)
  3.4 Viewing current system performance parameters (37)
  3.5 Changing passwords (37)
  3.6 Adding a "read-only" administrator account (38)
  3.7 How to look up the device serial number (38)
  3.8 How to collect information so others can diagnose faults (39)
  3.8 What to do when TCPDUMP cannot capture packets for a particular Virtual Server (40)

I. Network structure and IP address planning
This manual uses a mobile WAP/MMS gateway as its example. The main purpose of deploying a load balancer here is to increase the number of servers and so raise the processing capacity of the system.
Useful BIG-IP commands
bigstart     Restarts the SNMP agent bigsnmpd.
bigtop       Displays real-time statistics.
config       Configures the IP address, network mask, and gateway on the management (MGMT) port. Use this command at the BIG-IP system prompt prior to licensing the BIG-IP system, and do not confuse it with the bigpipe config command or the BIG-IP Configuration utility.
halt         Shuts down the BIG-IP software application.
hostname     Displays the name you have given to the BIG-IP system.
printdb      Prints the values of one or more entries in the bigdb database.
reboot       Reboots the BIG-IP system.
ssh and scp  Access command line interfaces on other SSH-enabled devices, and copy files to or from a BIG-IP system.

Customising the bigpipe shell prompt
    bp> shell prompt <string>
    bp> shell prompt BIG-IP>
The system shell prompt becomes: BIG-IP>
To work around this restriction, prefix the Linux command with "!":
    BIG-IP>!ls          // list the directory
    BIG-IP>!ifconfig    // show the interface configuration

Network objects
•Routes
•Self IP addresses
•Packet Filters
•Trunks (802.3ad Link Aggregation)
•Spanning Tree Protocol (STP)
•VLANs and VLAN groups
•ARP

Configuring packet filtering
Command: bigpipe packet filter
You can define packet filter rules to provide access control, rate shaping and auditing.

Configuring routes
Command: route (<route key list> | all | inet | inet6)

F5's equivalent of "show tech": qkview
    [root@XXXX:Standby] config # qkview
    Getting systemwide backup configuration files.
    Getting AOM information.
    Getting last 175 lines of log files.
    Getting last 175 lines of gzipped log files.
    Getting md5 sum information.
    Getting core file list.
    Getting Public Certificate information.
    Getting tmctl information.
    completed... 6 of 161 checks produced no data
    Diagnostic information has been saved in file /var/tmp/-tech.out
    Please send this file to **************.

bigtop - display real-time statistics
    -bytes        display counts in bytes (vs bits)
    -pkts         display counts in packets (vs bits)
    -reqs         display counts in requests (vs connections)
    -vips <n>     number of virtual servers to print
    -nodes <n>    number of nodes to print
    -once         print once and exit
    -delay <n>    number of seconds between samples (default 4)
    -scroll       disable full-screen mode
    -nosort       disable sorting
    -conn         sort by connection count (vs byte count)
    -delta        sort by count since last sample (vs total)
    -n            print IP address and services in numeric format
    -vname        display virtual servers by name (vs IP address)
    -help, -h     print this message

Log file system (resizing)
1. Access the BIG-IP system prompt.
2. Stop the BIG-IP system or put the system into a safe condition such as standby mode using the bigstart stop command.
3. Type the following command: resize-logFS
   This command prompts you for the desired file size in gigabytes.
4. At the prompt, type an integer. The minimum allowed value is 1, and the maximum allowed value is 10. A prompt appears that allows you to confirm the specified file size.
5. Type Y. A message appears, notifying you of the need for the BIG-IP system to perform a reboot, followed by a prompt, which allows you to permit the reboot operation.
   Note: Prior to rebooting, the BIG-IP system verifies that the integer you typed in step 3 is within the allowed range, and checks to ensure that enough disk space exists for the specified size.
6. Type Y. A confirmation prompt appears.
7. Type Y. The system displays messages indicating that the reboot operation is about to occur.
8. Wait for the reboot operation to finish. When the system becomes available again, the newly-specified disk space for the log file will be in effect.
WARNING: Do not delete the files /shared/.LoopbackLogFS and /shared/LogFS_README, because this action deletes all of your log files.

Enabling/disabling a virtual server or virtual address
To enable or disable a virtual server, use the appropriate command syntax:
    bp> virtual <virtual addr>:<virtual port> enable | disable
To enable or disable a virtual address, use the appropriate command syntax:
    bp> virtual address <virtual addr> enable | disable

Removing a single Node from service
You can remove an individual node from service, or return an individual node to service, from the bigpipe shell command line.
To remove an individual node from service, use the following command:
    bp> node <node addr>:<node port> down
To return an individual node to service, use this command:
    bp> node <node addr>:<node port> up

Viewing and modifying the F5 system configuration files
You can use an editor to edit or view these files. When you have no way to use a browser, editing the configuration files directly is sometimes necessary; this is what F5's browserless configuration mode and command-line configuration mode are for.
Important: after you edit bigip.conf or bigip_base.conf, and before you restart the MCPD service, you must run bigpipe load to ensure that the MCPD service uses the current configuration data.
alert.conf                      Stores definitions of SNMP traps (system default alerts).
user_alert.conf                 Stores definitions of SNMP traps (user-defined alerts).
/config/bigip.conf              Stores all configuration objects for managing local application traffic, such as virtual servers, load balancing pools, profiles, and SNATs. Note that after you edit bigip.conf, and before you restart the MCPD service, you must run the bigpipe load command.
/config/bigip_base.conf         Stores BIG-IP self IP addresses and VLAN and interface configurations. Note that after you edit bigip_base.conf, and before you restart the MCPD service, you must run the bigpipe load command.
/config/bigip.license           Stores authorization information for the BIG-IP system.
/etc/bigconf.conf               Stores the user preferences for the Configuration utility.
/config/bigconfig/openssl.conf  Holds the configuration information for how the SSL library interacts with browsers, and how key information is generated.
/config/user.db                 Holds various configuration information. This file is known as the bigdb database.
/config/bigconfig/httpd.conf    Holds configuration information for the web server.
/config/bigconfig/users         The web server password file. Contains the user names and passwords of the people permitted to access whatever is provided by the web server.
/etc/hosts                      Stores the hosts table for the BIG-IP system.
/etc/hosts.allow                Stores the IP addresses of workstations that are allowed to make administrative shell connections to the BIG-IP system.
/etc/hosts.deny                 Stores the IP addresses of workstations that are not allowed to make administrative shell connections to the BIG-IP system.
/etc/rateclass.conf             Stores rate class definitions.
/etc/ipfwrate.conf              Stores IP filter settings for filters that also use rate classes.
/etc/snmpd.conf                 Stores SNMP configuration settings.
/etc/snmptrap.conf              Stores SNMP trap configuration settings.
/config/ssh                     Contains the SSH configuration and key files.
/etc/sshd_config                This is the configuration file for the secure shell server (SSH). It contains all the access information for people trying to get into the system by using SSH.
/config/routes                  Contains static route information.

Locating license keys with find_keys (the console output is interleaved with kernel journal messages)
    [root@ISAG-2:Standby] config # find_keys
    kjournald starting.  Commit interval 5 seconds
    Found license key JTPBO-CHRSX-DGBIO-HOAHJ-MOZJEVA
    License file location is: /sda.1/config/bigip.license
    Found license key JTPBO-CHRSX-DGBIO-HOAHJ-MOZJEVA
    Unmounting unneeded partitions...
    EXT3-fs: mounted filesystem with ordered data mode.
    kjournald starting.  Commit interval 5 seconds
    complete
The above information can also be found in /tmp/keys.out.

Managing Local Application Traffic
•Setting up load balancing
•Controlling HTTP traffic
•Implementing HTTP and TCP optimization profiles
•Authenticating application traffic
•Implementing persistence
•Enhancing the performance of the BIG-IP system
•Managing health and performance monitors
•Implementing iRules

Setting up Virtual Server load balancing
1. Decide what types of traffic you want the BIG-IP system to manage, as well as whether you want to implement session persistence, connection persistence, and remote authentication.
2. For each decision in step 1, decide whether you want to use the corresponding default profile that the BIG-IP system provides, or whether you want to create a custom profile.
3. Access the bigpipe shell.
4. If you want to create custom profiles, use the profile command, specifying the appropriate type of profile as an argument. If you do not want to create custom profiles, skip this step.
5. Create one or more load balancing pools, using the pool command.
6. Create a virtual server, using the virtual command, and assign to it any profiles and pools that you created. If you are using default profiles, some of those profiles might already be assigned to the virtual server by default.

Configuring a clone pool
A clone pool is designed for intrusion detection. You can set a clone pool on a VS; the clone receives the same traffic as the normal pool, so you can copy the traffic to an intrusion detection system.
1. Access the bigpipe shell.
2. Use the virtual command to create or modify a virtual server, specifying a value for the clone pool argument.

Configuring a last hop pool
By default, the BIG-IP system enables the auto last hop feature. If you want to disable this feature and define a last hop router yourself, you can create a last hop pool and assign it to a VS.
1. Access the bigpipe shell.
2. Use the pool command to create a last hop pool that contains the router inside addresses.
3. Use the lasthop pool argument with the virtual command to assign the last hop pool to a virtual server. If you have not assigned an SSL profile to the virtual server, use the profile argument with the virtual command to assign the profile to the virtual server.

Configuring SNATs
There are two basic ways to create a SNAT: you can map a translation address directly to one or more original IP addresses, or you can configure a SNAT pool and map that SNAT pool to the original IP addresses; in newer versions the BIG-IP automatically selects a translation address from the SNAT pool. Note that you can assign these types of mappings from within an iRule.
To map a single translation address to an original address
1. Access the bigpipe shell.
2. Designate an IP address as a translation address, using the snat translation command.
3. Map the translation address to one or more original IP addresses, using the snat command or the rule command.
To map a SNAT pool to an original address
1. Access the bigpipe shell.
2. Create a pool of translation addresses (that is, a SNAT pool), using the snatpool command.
3. Map the SNAT pool to one or more original IP addresses, using either the snat command or the rule command.

Configuring HTTP traffic
You can configure the BIG-IP to control HTTP traffic: HTTP compression, HTTP request redirection, rewriting of HTTP redirections, inserting and erasing HTTP headers, enabling or disabling cookie encryption and SYN cookie support, the HTTP Class profile, and chunking control of HTTP response data.

Configuring HTTP compression
To configure the BIG-IP system to compress HTTP server responses:
1. Access the bigpipe shell.
2. Configure the compression-related settings of an HTTP profile, using the profile http command.
3. Assign the HTTP profile to a virtual server, using the virtual command.

Redirecting HTTP requests
You can configure an HTTP profile to redirect HTTP requests and define a fallback host in that profile.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for the fallback argument. You can specify either a URI or the default fallback host, or you can specify that you want no HTTP redirection.
3. Verify that the HTTP profile you created or modified is assigned to a virtual server.

Rewriting HTTP redirections
You can configure an HTTP profile to rewrite HTTP redirections.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for the redirect rewrite argument. For example, to create a profile that only rewrites URIs matching the originally requested URI (minus an optional trailing slash), use the following syntax:
    profile http myHTTPprofile { redirect rewrite matching }
3. Verify that the HTTP profile you created or modified is assigned to a virtual server.

Inserting and erasing HTTP headers
You can configure an HTTP profile to insert a header into HTTP requests, or to erase a header from HTTP requests.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for either the header insert, header erase, or insert xforwarded for options.
3. Verify that the HTTP or Fast HTTP profile you created or modified is assigned to a virtual server.

Enabling or disabling cookie encryption
Two options in the HTTP profile enable or disable cookie encryption.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile, specifying a value for the encrypt cookie and cookie secret options.
3. Verify that the HTTP profile you created or modified is assigned to a virtual server.

Enabling or disabling SYN cookie support
To manage DoS attacks, you can configure the SYN cookie option in a Fast L4 profile to enable or disable SYN cookie support.
◆ If the BIG-IP system includes Packet Velocity ASIC (PVA) technology, use the profile fastl4 command and specify the hardware syncookie (enable | disable | default) option. You can also set the following variables as required, using the db command:
  •pva.SynCookies.Full.ConnectionThreshold (default: 500000)
  •pva.SynCookies.Assist.ConnectionThreshold (default: 500000)
  •pva.SynCookies.ClientWindow (default: 0)
  Note that the hardware syncookie feature is currently available only on the D84 and D88 platforms; on other platforms it has no effect. So if you set the software syncookie feature on a D84 or D88, SYN cookies are handled in software only.
◆ If the BIG-IP system does not include Packet Velocity ASIC (PVA) technology, use the profile fastl4 command and specify the software syncookie (enable | disable | default) option.

Configuring the HTTP Class profile
The BIG-IP system includes a profile type called the HTTP Class profile, which classifies HTTP traffic using criteria you define. When you classify traffic, the forwarding decision is made by inspecting the headers or content of the target traffic. If the BIG-IP system includes the Application Security Manager (ASM) or WebAccelerator module, you can configure the system to send HTTP traffic to that module first and then on to its final destination; for example, you can use an HTTP Class profile to instruct a virtual server to send traffic through ASM before forwarding it to the load balancing pool.

Unchunking and rechunking HTTP response data
If you want to inspect content, you can unchunk or rechunk HTTP responses by configuring the HTTP profile to enable unchunking.
1. Access the bigpipe shell.
2. Using the profile http command, create or modify an HTTP profile and specify the response argument.
3. Make sure that you have assigned the HTTP profile to a virtual server, using the virtual command.

Implementing session persistence
The persistence types you can configure are:
•Cookie
•Destination Address Affinity
•Microsoft Remote Desktop Protocol (MSRDP)
•Hash
•Session Initiation Protocol (SIP)
•Source Address Affinity
•SSL
•Universal
Procedure:
1. Access the bigpipe shell.
2. Create a persistence profile, using the profile command, that corresponds to the type of persistence you want to implement.
3. Assign the persistence profile to a virtual server, using the persist and fallback persist arguments with the virtual command.

Implementing connection persistence
To implement connection persistence, you can add a Keep-Alive header to HTTP/1.0 requests that lack one (HTTP/1.1 connections include Keep-Alive support by default). You can also enable the connection pooling feature, which keeps server-side connections open for reuse by other client requests. You enable keep-alive support and connection pools by modifying the HTTP or Fast HTTP profile, or the OneConnect profile.
To add Keep-Alive headers into HTTP requests
1. Access the bigpipe shell.
2. To ensure that HTTP connections stay open, use the profile http command and specify the oneconnect transformations argument. This ensures that the BIG-IP system inserts a Connection: Keep-Alive header into any HTTP/1.0 request that does not already contain one.
3. Make sure that you have assigned the HTTP or Fast HTTP profile to a virtual server, using the virtual command.
To enable connection pooling
1. Access the bigpipe shell.
2. Using the profile oneconnect command, configure a profile for connection pooling.
3. Assign the profile to a virtual server, using the profile argument with the virtual command.
Tip: you can also configure connection persistence through a Fast HTTP profile, using the fasthttp command in the bigpipe shell.

Enhancing BIG-IP performance

Setting connection QoS and packet ToS levels
You can use bigpipe to set QoS and ToS levels, either for all traffic destined for a load balancing pool or for particular types of traffic, such as Layer 4, TCP and UDP traffic.
1. Decide whether you want to set QoS and ToS levels for traffic targeted for an entire pool or for specific types of traffic, or both.
  •If you want to set the QoS and ToS levels for an entire pool, access the bigpipe shell and use the pool command with one or more of the following arguments: link qos to client, link qos to server, ip tos to client, and ip tos to server.
  •If you want to set the QoS and ToS levels for certain types of traffic, access the bigpipe shell and use the profile command to create or modify a Fast L4, TCP, or UDP profile.
2. Verify that the pool or the profile that you created or modified is assigned to a virtual server. To do this, use the following syntax:
    bp> virtual <virtual server name> list

Setting the idle timeout
Create or modify a Fast L4, Fast HTTP, TCP, or UDP profile.
1. Create or modify a Fast L4, Fast HTTP, TCP, or UDP profile, by accessing the bigpipe shell and using the profile command.
2. Specify the idle timeout argument to set a timeout value.
3. Verify that the profile you created or modified is assigned to a virtual server.

Implementing rate shaping
Rate classes are assigned in a Virtual Server or a Packet Filter rule.
1. Access the bigpipe shell.
2. Create one or more rate classes, using the rate class command.
3. Assign the rate classes to a virtual server or a packet filter rule, using either the virtual command or the packet filter command.

Implementing iRules
The iRule feature is powerful and flexible, and notably extends the capabilities of the BIG-IP system. An iRule can reference any object, regardless of which partition the referenced object resides in; for example, an iRule in partition A can contain a statement that specifies a pool in partition B.
1. Access the bigpipe shell.
2. Create an iRule using the rule command. You must include the name of the Tcl script and the script itself as arguments for the command.
3. Assign the iRule to a virtual server, using the virtual command in one of the following ways:
  •To associate multiple iRules with a virtual server, use this syntax:
    bp> virtual <virtual_server_name> rule <iRule1_name> \ <iRule2_name> ...
  •To remove the assignment of an iRule from a virtual server, use this syntax:
    bp> virtual <virtual_server_name> rule none
  •To remove the iRule assignments from multiple virtual servers, use the following syntax. Note that you can remove the iRule assignments only from virtual servers that reside in the current Write partition or in partition Common.
    bp> virtual all rule none
  •To associate an existing iRule with multiple virtual servers, use the following syntax. Note that you can associate an iRule only with virtual servers that reside in the current Write partition or in partition Common.
    bp> virtual all rule <iRule_name>
  Important: In this case, the iRule becomes the only iRule that is associated with each virtual server in the current Write partition. Because this command overwrites all previous iRule assignments, we do not recommend use of this command.
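As an added example (not from the original guide), here is the kind of Tcl iRule the rule command takes for the "select servers by source address" case in the contents list above; the pool names and address ranges are assumed, and the iRule is attached with the bp> virtual <virtual_server_name> rule <iRule_name> syntax described above.

```tcl
# Added example, not part of the original guide.
# Pool names (pool_internal, pool_partner, pool_default) and the two
# source networks are assumptions chosen for illustration.
when CLIENT_ACCEPTED {
    set client [IP::client_addr]

    # Choose the pool from the client's source address.
    if { [IP::addr $client equals 10.1.0.0/255.255.0.0] } {
        set chosen "pool_internal"
    } elseif { [IP::addr $client equals 172.16.0.0/255.255.0.0] } {
        set chosen "pool_partner"
    } else {
        set chosen "pool_default"
    }

    # Failure mode: if every member of the chosen pool is down, fall
    # back to the default pool instead of resetting the connection,
    # and log the event so the outage is visible to operations.
    if { [active_members $chosen] == 0 } {
        log local0. "no active members in $chosen for $client, using pool_default"
        set chosen "pool_default"
    }

    pool $chosen
}
```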
VIPRION DATASHEET
The On-Demand Application Delivery Controller

Your organization's growing infrastructure puts more pressure on the network, from rising numbers of users to data center consolidation to the deployment of more feature-rich applications. Scaling the Application Delivery Network (ADN) to meet these evolving needs means increased operational cost and complexity. The resulting strain on resources can limit your organization's ability to react quickly to developing needs.

VIPRION 2400 Chassis
The VIPRION chassis has field replaceable parts and redundant power supplies, significantly reducing the possibility of downtime.

VIPRION Platforms
Each VIPRION system consists of a chassis and one to four blades: VIPRION 4480 Chassis, VIPRION 4300 Blade, VIPRION 4200 Blade, VIPRION 2400 Chassis, VIPRION 2100 Blade.

Ordering Information
The VIPRION 4480 chassis includes these options:
• VIPRION 4300 or 4200 blade (one required)
• Performance Extreme Pack: includes maximum SSL acceleration, maximum compression, advanced client authentication, and advanced routing
• BIG-IP Application Security Manager: web application firewall module
• Virtual Clustered Multiprocessing (vCMP) license (option for 4200 blade only)
• BIG-IP Global Traffic Manager: global load balancing module (option for 4200 blade only)
• BIG-IP Access Policy Manager: global access and security module (up to 100,000 concurrent users) (option for 4200 blade only)
• DNS module (option for 4200 blade only)
• DNSSEC module (requires BIG-IP Global Traffic Manager) (option for 4200 blade only)
The VIPRION 2400 chassis includes these options:
• VIPRION 2100 blade (one required)
• Performance Extreme Pack: includes maximum SSL acceleration, maximum compression, advanced client authentication, and advanced routing
• BIG-IP Application Security Manager: web application firewall module
• Virtual Clustered Multiprocessing (vCMP) license
• BIG-IP Global Traffic Manager: global load balancing module
• BIG-IP Access Policy Manager: global access and security module (up to 60,000 concurrent users)
• DNS module
• DNSSEC module (requires BIG-IP Global Traffic Manager)

F5 Services
F5 Services offers world-class support, training, and consulting to help you get the most from your F5 investment. Whether it's providing fast answers to questions, training internal teams, or handling entire implementations from design to deployment, F5 Services can help you achieve IT agility.

More Information
For more information about VIPRION, use the search function on the F5 website to find these resources. For the latest product specifications, see the applicable platform guide.
Datasheets: BIG-IP Local Traffic Manager; BIG-IP Application Security Manager; BIG-IP Global Traffic Manager; BIG-IP Access Policy Manager
White papers: Clustered Multiprocessing: Changing the Rules of the Performance Game; VIPRION: The Cost of Management; Virtual Clustered Multiprocessing (vCMP); The New Data Center Firewall Paradigm
Podcast: VIPRION: Unboxed

F5 Networks, Inc., 401 Elliott Avenue West, Seattle, WA 98119, 888-882-4447. ©2012 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. CS02-00020 0212
F5 Configuration Manual

The F5 has two default login methods:
1. Web page login (https only): admin/admin
2. Command-line login (ssh only): root/default
The device can be managed through the external and internal self IP addresses, or through the mgmt port (out-of-band management port) at the top left of the physical unit; the default address of this management port is 192.168.1.245.

I. Activating the device
First generate the dossier file, then go to the F5 website to activate the device: upload the dossier file and follow the steps to generate the license. Return to the previous page (see below) and import the license file; the device is then activated. After the license is activated the following page is shown, listing the activated license modules (currently ltm). Next go to the platform settings, which can also be reached through System > Platform. The main functions of this page are configuring the management port address, setting the hostname, configuring single- or dual-unit operation, and setting the passwords of the root and admin accounts. At this point the basic initialisation of the device is complete.

II. Network settings
1. First configure the trunk. Note that the concept of a trunk on the F5 differs from a trunk on network switches: here a trunk is like a portchannel or etherchannel on a switch, i.e. a bundle of several ports. In Network > Trunk, click the Create button on the right. When creating a trunk you only need to configure the name and the ports bundled into the trunk. In the example figure the trunk is named trunk_internal and bundles interfaces 1.3 and 1.4; the other trunk is created the same way.
2. Configure the VLANs (Network > VLAN). Likewise you only need to configure the name and the physical interface or trunk associated with the VLAN. In the example figure the VLAN is named internal, is associated with trunk_internal and is untagged; create external in the same way.
3. Configure the IP addresses (Network > Self IP). The steps are simple: enter the IP, the mask and the associated VLAN. Then configure the floating IP the same way, only ticking the "floating" box and setting the unit id to 1 on both devices. This unit id is not the unit id from the platform settings; only the name is the same.
F5 PARTNERSHIP SOLUTION GUIDE
Deploying a service-oriented perimeter for Microsoft Exchange

WHAT'S INSIDE
Pre-Authentication (3)
Mobile Device Security (5)
Web Application Security (7)

Go Beyond Network Firewalls to Protect Microsoft Exchange
Business need and user demand for access to email anytime, anywhere, and from any device has created challenges for IT departments to keep this business-critical application secure, fast, available, and compliant. Extending your security perimeter outward can improve security and availability for Microsoft Exchange email services published over the Internet (Outlook Web App, Exchange ActiveSync, Outlook Anywhere, and Exchange Web Services). F5 Application Delivery Controllers (ADCs) offer an ICSA Labs certified network and application firewall solution that creates a service-oriented perimeter for Exchange. With intelligent monitoring of traffic, pre-authentication, and access control for mobile devices, F5 helps you deploy highly available and secure email services.

Pre-Authentication

THE CHALLENGES
Preventing invalid and potentially malicious traffic from entering your data center can be challenging. Traditional network firewalls are designed to perform a basic level of filtering based on port, but are not designed to inspect and enforce highly intelligent security policies using surrounding contextual knowledge about the user, the application service being requested, or the device being used.
In fact, SSL encrypted application traffic needs to pass through the network firewall and on to another device near or on an internal data center network for termination, usually a hardware load balancer or even a specific application server itself. The challenge lies in enforcing effective security measures before the traffic reaches the internal network when the information needed to make access decisions is encrypted.
Relying on your servers to process the unnecessary and potentially malicious requests wastes valuable resources, slows performance, and leaves your business vulnerable to attacks, so the next choice is the hardware load balancer.

KEY BENEFITS
· Improve your security posture
· Ensure only authorized traffic reaches Exchange servers
· Reduce cost to operate and maintain security infrastructure

THE SOLUTION
F5 BIG-IP Access Policy Manager (APM) extends your security perimeter so that threats are eliminated before they reach your data center. BIG-IP APM is certified by ICSA Labs as a firewall device, but it is different from traditional network firewalls because it can intelligently inspect traffic for information about users, devices, and applications to increase security. For Microsoft email services, including Outlook Web App (OWA), Exchange ActiveSync (EAS), and Outlook Anywhere (OA), BIG-IP APM prevents invalid traffic from ever reaching Exchange Server through pre-authentication, authorization, and device access control.
User credentials are cached by BIG-IP APM, which proxies connections to Windows Active Directory and the Exchange Client Access server (CAS) array. These connections are made up of a set of customized verifications. For example, user name and password are used to prove the authenticity of the user. This user account can then be used to determine whether permissions are granted to access a given corporate resource such as Microsoft Exchange. Pre-authentication ensures that only authenticated and authorized traffic reaches the internal network where Exchange Client Access servers are located. Since only necessary traffic enters that network, processing load on servers is reduced, which helps their performance.
Using BIG-IP APM Visual Policy Editor, a workflow-like access path can be designed with forked logic and causal relationships to exactly represent corporate constraints for approved access and customized responses for validation failures. BIG-IP APM provides support for dozens of types of queries out of the box, such as collecting different types of logon information from users and performing queries into Microsoft Active Directory to verify specific information about users, security group memberships, and profile settings.
[Figure: Before (BIG-IP Local Traffic Manager as reverse proxy; effective security perimeter on the internal network) versus After (BIG-IP Access Policy Manager; effective security perimeter on the network edge). Elements shown: mobile users, attackers, OWA/OA/EAS/EWS, Client Access servers, Hub and Mailbox servers.]

Mobile Device Security

THE CHALLENGES
The consumerization of IT and bring-your-own-device (BYOD) work policies have created a huge increase in access to corporate email from mobile devices. In today's world, email must be accessible to known trusted devices as well as an ever increasing assortment of unknown and untrusted devices.
According to a 2011 report, network security breaches, possible loss of customer enterprise data, potential theft of intellectual property, and difficulty meeting compliance requirements are among the top concerns IT departments have about employees using personal devices for work.

KEY BENEFITS
· Seamlessly support access to corporate resources from various types of mobile devices
· Implement advanced multi-factor authentication

THE SOLUTION
F5 BIG-IP Access Policy Manager (APM) provides a strategic point of control in the data center, supporting a variety of approaches for granting or denying email access to mobile devices. Building on its user authentication and authorization capabilities, BIG-IP APM also supports the use of user and device security certificates, Exchange ActiveSync User Policy settings, and other information stored in Active Directory, as well as device information provided in the packet flow, such as device type and device ID, to enforce multi-factor validation.
In Exchange Server, the Client Access server (CAS) role functions as the access point for all client traffic, including mobile devices that use the Exchange ActiveSync (EAS) protocol to access mailbox information over HTTPS. Using BIG-IP APM, traffic management decisions can be made and enforced at the network perimeter on a group and/or individual basis while still allowing for the use of built-in Exchange security functionality such as ActiveSync policies and remote device wipe.
BIG-IP APM enables customers to enforce a customized security policy for Exchange access by mobile devices using a flexible set of pre-defined actions that represent their organizations' requirements for access approval, even from devices employees bring from home.
[Figure: the same Before/After perimeter diagram as above.]

Web Application Security

THE CHALLENGES
Network-level attacks are highly visible and disruptive, but application-level attacks are what threaten the core of a business. According to Gartner, 95 percent of security investments are focused on the network while 75 percent of attacks happen at the application level. These attacks can leave sensitive data, such as employee records, confidential information, intellectual property, and financial records, vulnerable to theft.
In addition, resolving application-level breaches can be time-consuming and expensive. According to a WhiteHat security report, the top 10 application attacks are cross-site scripting, information leakage, content spoofing, insufficient authorization, SQL injection, predictable resource location, session fixation, cross-site request forgery, insufficient authentication, and HTTP response splitting. The average time reported to resolve these vulnerabilities is 77 days. During those weeks or months, a business must take down the application or risk its security being compromised.
The prevalence of application-layer attacks against critical business applications makes securing those applications and verifying compliance with security and privacy regulations of paramount importance. Even those organizations that employ dedicated staff to review compliance and the security posture of applications prefer deploying solutions that automatically and continually provide compliance and reporting over manual human activity to achieve the same results.

KEY BENEFITS
· Implement cost-effective PCI compliance and reporting
· Provide continual protection and built-in remediation
· Reduce OpEx by using the ADC platform

LEARN MORE
To learn more about F5 solutions for Microsoft, please visit /microsoft. Tech tips, discussion forums, free samples, and more can be found on DevCentral, F5's global technical community, by visiting /microsoft.

F5 Networks, Inc., 401 Elliott Avenue West, Seattle, WA 98119, 888-882-4447. ©2012 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5. CS21-00006 0912
Overview

The Internet has grown steadily more complex, and many enterprises face the threat of malicious attacks. Each enterprise must defend its infrastructure against network security attacks as well as attacks aimed at specific application layers. Every year, security costs enterprises millions of dollars, including lost revenue, reduced productivity and damaged reputation.

The traditional response to these threats has been to deploy a firewall to harden the network. Experience has shown this relatively narrow approach to be insufficient: although a traditional firewall protects the enterprise against network attacks, it is not enough to defend against the newer class of application-level attacks. Enterprises are therefore looking for more reliable, scalable solutions that extend their security coverage and raise the level of protection.

With the F5 Networks BIG-IP system, an application traffic management solution, enterprises gain comprehensive security at both the network level and the application level. This white paper examines how the BIG-IP system provides a fully integrated approach to protecting systems against network-level and application-level threats and attacks, thereby strengthening the overall security of user applications.
The Challenge

Applications have become a core part of how today's enterprises do business. Because applications directly affect revenue, protecting business-critical information from malicious attacks is essential; these attacks typically include attacks on application vulnerabilities as well as low-level network attacks. Enterprises face a number of challenges in achieving real network and application security:

Growing application vulnerabilities: Today's security systems and firewalls are not intelligent; they cannot detect new application-layer attacks, nor can they defend against such attacks on their own. These devices cannot identify the type of application; they merely block or unblock an address, port or resource. They do not perform deep packet inspection, cannot detect attacks by maintaining session state, and cannot prevent application attacks from occurring. Application attacks commonly include injecting and executing restricted commands, cookie theft, and gaining unauthorized access to sensitive documents and user information. Such attacks lead to significant loss of revenue and reduced productivity, which in turn damage the enterprise's reputation.

Growing network vulnerabilities: Network attacks are becoming more sophisticated and more widespread. Malicious users keep finding new ways to breach a site's defenses, steal valuable information, or even take the whole site down. Sophisticated attacks such as denial of service (DoS), distributed denial of service (DDoS), out-of-order packet floods and TCP window-size manipulation place enormous pressure on security systems that must withstand large volumes of attack traffic. Before launching an attack, hackers and malicious users also use site-scanning techniques (known as profiling) to retrieve system or application information from seemingly harmless sources such as server error codes and source-code comments.

Internal security compromise and information leakage: One of the biggest threats facing enterprises today comes from attacks inside the enterprise. These attacks are difficult to detect and prevent because internal users are part of the trusted domain. Today's security systems cannot deploy security policy flexibly enough to encrypt certain business-critical traffic inside the enterprise while letting other, non-critical traffic pass unencrypted. Enterprises are struggling with their existing solutions to deploy efficient, unified security policies that bring the organization into compliance with security regulations and standards such as Sarbanes-Oxley, HIPAA and FIPS.
The Solution

…content, which helps the enterprise enforce its security policy.

Cookie encryption and authentication
With this feature, an enterprise can encrypt and authenticate the cookies used by its application traffic, which prevents hackers from using cookies to launch application attacks. Because cookies are encrypted, a hacker cannot read them and so cannot obtain information such as the JSessionID or user ID; because they are authenticated, a hacker cannot modify a cookie and forge a session. By blocking attacks such as session hijacking and cookie tampering (which rewrite cookie contents and exploit critical application vulnerabilities), the BIG-IP system provides advanced protection for the stateful applications an enterprise runs.
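The two properties described above, as an added example that is not F5's code: a cookie value is encrypted and then authenticated (encrypt-then-MAC), so a client can neither read it nor alter it without the change being detected. The block also decodes the documented BIGipServer persistence-cookie format (pool-member IP and port written as decimal numbers) to show what an unencrypted cookie hands to a client. It uses only the Python standard library, so the keystream is HMAC-SHA256 in counter mode rather than AES (BIG-IP itself uses AES); the keys, nonce and cookie values are constructed for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import struct

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based stream cipher: concatenated HMAC-SHA256(key, nonce || counter) blocks.
    Stands in for AES-CTR because the stdlib has no AES (assumption of this example)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_cookie(value: str, enc_key: bytes, mac_key: bytes, nonce: bytes | None = None) -> str:
    """Encrypt, then MAC nonce||ciphertext; return a cookie-safe base64url token.
    The nonce must never repeat under the same key (it keys the keystream)."""
    nonce = nonce or os.urandom(NONCE_LEN)
    pt = value.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def open_cookie(token: str, enc_key: bytes, mac_key: bytes) -> str | None:
    """Verify the tag first (constant time); only then decrypt. None means reject the cookie."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode(errors="replace")


def decode_bigip_persist(value: str) -> tuple[str, int]:
    """Decode a BIGipServer<pool> cookie value '<ip>.<port>.0000', where <ip> is the
    IPv4 address read as a little-endian 32-bit integer and <port> is the port with
    its two bytes swapped (F5 KB article K6917). This is what an unencrypted
    persistence cookie reveals about the internal pool member."""
    ip_dec, port_dec, _ = value.split(".")
    n, p = int(ip_dec), int(port_dec)
    ip = ".".join(str((n >> shift) & 0xFF) for shift in (0, 8, 16, 24))
    port = ((p & 0xFF) << 8) | (p >> 8)
    return ip, port


if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    token = seal_cookie("JSessionID=7A3F9C; uid=alice", enc_key, mac_key)
    print("sealed:", token)
    print("opened:", open_cookie(token, enc_key, mac_key))
    print("leaked by a plaintext persistence cookie:", decode_bigip_persist("1677787402.36895.0000"))
```

The MAC is checked before any decryption and with a constant-time comparison, so a tampered or forged cookie is rejected without leaking timing information; the decoder shows why encrypting even a load-balancer's own cookie matters, since the plain form discloses an internal address and port.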
SSL acceleration and encryption
Heavy SSL traffic creates a processing bottleneck that can overwhelm even the most powerful equipment and seriously degrade the overall security performance of a service or application. At the same time, failing to protect the private keys used by the SSL protocol puts users and services at risk. The BIG-IP system's integrated SSL acceleration consolidates SSL processing resources and centralizes the management of this critical task. BIG-IP devices support the fastest and most secure encryption algorithms on the market. By providing AES (the Advanced Encryption Standard, a symmetric block cipher that operates on 128-bit blocks with a selectable key length of 128, 192 or 256 bits), the BIG-IP system offers a higher level of protection; AES is a genuine security standard for the enterprise. Combining AES with its SSL processing, the BIG-IP system delivers the most secure SSL encryption algorithms on the market at no additional cost.
Improving network and infrastructure security
By providing powerful network-layer security features, the BIG-IP system protects enterprise resources against a wide range of attacks, further raising the enterprise's security. With the BIG-IP device, its Universal Inspection Engine and the programmable iRules language, users gain full visibility into network payloads, so the enterprise can manage and deploy its security policy intelligently. This combination stops common network attacks, DoS (denial of service) attacks, DDoS (distributed denial of service) attacks and protocol-manipulation attacks; combined with the BIG-IP system's packet-filtering capability, it raises enterprise security to a new level, which in turn improves productivity and revenue and lowers the cost of ownership.

The BIG-IP system improves network and infrastructure security with the following features:

Deny by default
The BIG-IP system is a deny-by-default device. Unless an administrator has explicitly permitted a type of traffic to pass through the BIG-IP system, it is rejected. Only the traffic you specify can pass through the BIG-IP system, which provides a very high level of security assurance.
Automatic protection
The BIG-IP software has many built-in processes that protect your network from common attack types. It ignores subnet-directed broadcast addresses and does not answer echo requests sent to a broadcast address, the amplification step used by Smurf (ICMP) and Fraggle (UDP) attacks. Because the BIG-IP device's connection table forwards only packets that match an existing connection, spoofed packets such as those used in LAND attacks never reach the servers. The BIG-IP system continually checks that fragments are properly aligned, which defeats common fragmentation attacks such as Teardrop, Boink, Bonk and Nestea. Threats such as WinNuke and the Sub7 and Back Orifice remote-control tools cannot pass through ports that are blocked by default. Because BIG-IP reassembles overlapping TCP segments and IP fragments, the enterprise is shielded from a number of new, as-yet-unknown attacks of the kind that have become increasingly common.
SYN Check
A well-known type of denial-of-service attack is the SYN flood, which aims to exhaust system resources so that legitimate connections can no longer be established. The BIG-IP system's SYN Check feature mitigates SYN floods by answering the client's SYN on the server's behalf with a SYN-ACK whose sequence number is a cryptographic cookie, and by keeping no state for connections that have not completed the initial TCP handshake. This ensures that the server processes only legitimate connections and that the BIG-IP SYN queue is never exhausted, so normal TCP traffic can continue. SYN Check complements the BIG-IP system's Dynamic Reaping feature: whereas Dynamic Reaping handles floods of established connections, SYN Check catches flooding connections at the earliest stage and prevents the SYN queue from being exhausted. Because SYN Check works together with a high-performance syn-cache, the enterprise can use syncookies without losing the TCP options that purely stateless cookies would otherwise discard.
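The stateless handshake SYN Check relies on, as an added example that is not F5's code: the sequence number of the SYN-ACK sent on the server's behalf packs a 5-bit timestamp, a 3-bit MSS index and a 24-bit keyed hash of the connection tuple and the client's ISN, so nothing is stored until the client's ACK returns the cookie plus one. The bit layout follows the classic Linux scheme; the secret, addresses, port numbers and tick values are constructed for the example.

```python
import hashlib
import hmac
import struct
from ipaddress import ip_address

SECRET = b"constructed-example-secret"      # per-device secret; rotate periodically in practice
MSS_TABLE = [536, 1024, 1220, 1440, 1460]    # MSS values encodable in 3 bits (ascending)
MAX_AGE = 4                                  # cookies older than this many ticks are stale


def _mss_index(mss: int) -> int:
    """Largest table entry not exceeding the client's MSS (index fits in 3 bits)."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def _hash24(src, sport, dst, dport, client_isn, t5, mss_idx) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple, the client ISN and the tick."""
    msg = struct.pack("!4sH4sHIBB", ip_address(src).packed, sport, ip_address(dst).packed, dport,
                      client_isn & 0xFFFFFFFF, t5, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, client_isn, mss, tick) -> int:
    """ISN for the SYN-ACK answered on the server's behalf; no per-connection state is kept."""
    t5 = tick & 0x1F
    mss_idx = _mss_index(mss)
    return (t5 << 27) | (mss_idx << 24) | _hash24(src, sport, dst, dport, client_isn, t5, mss_idx)


def check_cookie(src, sport, dst, dport, client_isn, ack_num, tick):
    """Validate the client's final ACK; return the MSS to use, or None to drop it."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t5 = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if ((tick & 0x1F) - t5) & 0x1F > MAX_AGE:      # replayed or stale cookie
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _hash24(src, sport, dst, dport, client_isn, t5, mss_idx):
        return None                                 # forged, or a different 4-tuple
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Client SYN (seq 12345, MSS 1460) -> SYN-ACK carries the cookie -> client ACK (ack = cookie + 1)
    cookie = make_cookie("203.0.113.5", 40000, "10.0.0.10", 443, 12345, 1460, tick=100)
    print("cookie:", hex(cookie))
    print("valid ack:", check_cookie("203.0.113.5", 40000, "10.0.0.10", 443, 12345, cookie + 1, tick=101))
    print("forged ack:", check_cookie("203.0.113.5", 40000, "10.0.0.10", 443, 12345, 0xDEADBEEF, tick=101))
```

Only a client that actually received the SYN-ACK can produce a valid ACK, so a flood of spoofed SYNs costs the device one hash per packet and no queue entry; the price, visible in the 3-bit MSS field, is that most TCP options cannot be carried in the cookie, which is the gap the syn-cache mentioned above closes.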
Denial of service (DoS) and Dynamic Reaping
The BIG-IP software has two global settings that give it the ability to reap connections adaptively. To defend against denial-of-service (DoS) attacks, the enterprise sets a low-water mark and a high-water mark for connection reaping. The low-water mark defines the point above which adaptive reaping of connections (those approaching their defined timeout) becomes more aggressive. The high-water mark defines the point at which non-established connections are no longer allowed through the BIG-IP system. The value of each variable is a percentage of memory utilization. Once memory utilization reaches the high-water mark, new connections are refused until available memory has dropped back below the low-water mark.

Connection limits on virtual servers
With the BIG-IP system, administrators can cap the maximum number of concurrent connections to a virtual server. This sets up another line of defense against denial-of-service and similar attacks.
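The watermark behaviour and the per-virtual-server cap described above, as an added example that is not F5's code: idle timeouts shrink as memory utilization climbs past the low-water mark, new connections are refused at the high-water mark and stay refused until utilization drops back below the low-water mark (hysteresis), and a virtual server additionally enforces its own connection limit. The thresholds, timeouts and sample connections are constructed for the example.

```python
class AdaptiveReaper:
    """Adaptive connection reaping governed by two memory watermarks (percent utilization)."""

    def __init__(self, low_pct=80, high_pct=95, idle_timeout=300.0, min_timeout=5.0):
        self.low, self.high = low_pct, high_pct
        self.idle_timeout, self.min_timeout = idle_timeout, min_timeout
        self.throttled = False  # latched at the high-water mark, released below the low one

    def effective_timeout(self, mem_pct: float) -> float:
        """Full idle timeout below the low-water mark; shrinks linearly to the minimum at the high one."""
        if mem_pct <= self.low:
            return self.idle_timeout
        if mem_pct >= self.high:
            return self.min_timeout
        frac = (mem_pct - self.low) / (self.high - self.low)
        return self.idle_timeout - frac * (self.idle_timeout - self.min_timeout)

    def admit(self, mem_pct: float) -> bool:
        """Hysteresis: once memory reaches the high-water mark, new connections are refused
        until utilization falls back below the low-water mark."""
        if mem_pct >= self.high:
            self.throttled = True
        elif mem_pct < self.low:
            self.throttled = False
        return not self.throttled

    def reap(self, conns: dict, now: float, mem_pct: float) -> list:
        """conns maps connection id -> last-activity time; idle ones are removed and returned."""
        limit = self.effective_timeout(mem_pct)
        reaped = [cid for cid, last in conns.items() if now - last > limit]
        for cid in reaped:
            del conns[cid]
        return reaped


class VirtualServer:
    """A virtual server with a concurrent-connection cap, applied after the global check."""

    def __init__(self, name: str, conn_limit: int):
        self.name, self.conn_limit, self.conns = name, conn_limit, {}

    def accept(self, cid: str, now: float, reaper: AdaptiveReaper, mem_pct: float) -> bool:
        if not reaper.admit(mem_pct):
            return False                       # refused: global memory pressure
        if self.conn_limit and len(self.conns) >= self.conn_limit:
            return False                       # refused: per-virtual-server limit
        self.conns[cid] = now
        return True


if __name__ == "__main__":
    reaper = AdaptiveReaper(low_pct=80, high_pct=95)
    for mem in (50, 85, 90, 95):
        print(f"memory {mem}%: idle timeout {reaper.effective_timeout(mem):.1f}s, admit={reaper.admit(mem)}")
    print("back at 85%: admit =", reaper.admit(85), "(still latched)")
    print("back at 70%: admit =", reaper.admit(70))
```

The hysteresis is the part worth copying: without it, a device hovering around the high-water mark would flap between refusing and accepting on every sample, which is exactly the oscillation an attacker holding memory near the threshold can exploit.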
Protocol sanitization
This feature protects the enterprise against attacks in which hackers manipulate the IP protocol to exhaust server resources and take the site down. By protecting system resources at the first line of defense and terminating every TCP connection between client and server (acting as a full proxy), the BIG-IP system blocks attacks such as out-of-order packet floods, MSS tiny-packet floods and TCP window manipulation. The BIG-IP device sanitizes client-server communication, looks for traffic with attack signatures and anomalies, and cleans the traffic that servers and applications consume.
Packet filtering
The BIG-IP system's enhanced packet-filter engine inspects packets and lets administrators accept, discard or reject traffic (the latter returning a code such as ICMP "administratively prohibited") according to advanced packet-filter rules. Packet-filter rules filter at layer 4: they let trusted traffic pass and handle other specific traffic types according to the security policy. Enterprises can now use packet filtering over IPv4 or IPv6 to provide basic firewall protection and add another layer of security. Filtering is based on the packet's source or destination IP address, source or destination port number (for protocols that carry ports), and packet type such as UDP, TCP or ICMP. Packet filtering protects the system against IP spoofing and bogus TCP flag attacks.
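The header checks listed under Automatic protection (LAND, broadcast echo used by Smurf and Fraggle, overlapping fragments of the Teardrop family) together with the layer-4 packet filter and deny-by-default behaviour described here, as one added example that is not F5's code: an inspector drops malformed packets first, then an ordered rule list decides accept, discard or reject, and anything unmatched is denied. The packet fields, the rule format, the protected subnet and the sample traffic are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
LOCAL_NETS = [ip_network("192.0.2.0/24")]   # constructed: subnets whose broadcast address we protect


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: int = 0        # TCP flag bits
    icmp_type: int = -1   # 8 = echo request
    frag_id: int = 0
    frag_off: int = 0     # byte offset of this fragment in the datagram
    frag_len: int = 0     # payload bytes; 0 = not fragmented
    more_frags: bool = False


class Inspector:
    """Header sanity checks; tracks fragment ranges per datagram to spot overlaps."""

    def __init__(self):
        self.frags = {}   # (src, dst, frag_id) -> [(start, end), ...]

    def check(self, p: Packet):
        """Return a drop reason, or None if the packet is well-formed."""
        if p.src == p.dst:
            return "land"                                   # LAND: source == destination
        if self._is_broadcast(p.dst) and (
            (p.proto == "icmp" and p.icmp_type == 8)        # Smurf: ICMP echo to broadcast
            or (p.proto == "udp" and p.dport in (7, 19))    # Fraggle: UDP echo/chargen to broadcast
        ):
            return "broadcast-echo"
        if p.proto == "tcp":
            if p.flags == 0 or (p.flags & SYN and p.flags & (FIN | RST)):
                return "bogus-flags"                        # null scan, SYN+FIN, SYN+RST
            if (p.flags & (FIN | PSH | URG)) == (FIN | PSH | URG):
                return "bogus-flags"                        # Xmas scan
        if p.frag_len:
            return self._check_fragment(p)
        return None

    def _is_broadcast(self, dst: str) -> bool:
        addr = ip_address(dst)
        return any(addr == net.broadcast_address for net in LOCAL_NETS)

    def _check_fragment(self, p: Packet):
        key = (p.src, p.dst, p.frag_id)
        start, end = p.frag_off, p.frag_off + p.frag_len
        for s, e in self.frags.get(key, []):
            if start < e and s < end:                       # byte ranges overlap: Teardrop family
                self.frags.pop(key, None)
                return "overlapping-fragment"
        self.frags.setdefault(key, []).append((start, end))
        if not p.more_frags:
            self.frags.pop(key, None)                       # last fragment seen; forget the datagram
        return None


@dataclass
class Rule:
    action: str            # "accept", "discard" (silent) or "reject" (ICMP administratively prohibited)
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: int = 0         # 0 = any port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport == 0 or self.dport == p.dport))


def filter_packet(p: Packet, rules, inspector: Inspector):
    """Sanity checks first, then the first matching rule; unmatched traffic is denied by default."""
    reason = inspector.check(p)
    if reason:
        return "discard", reason
    for rule in rules:
        if rule.matches(p):
            return rule.action, "rule"
    return "discard", "default-deny"


# Constructed policy: only HTTPS to the web subnet is accepted; telnet is rejected with an ICMP error.
RULES = [
    Rule("accept", "tcp", dst="10.0.0.0/24", dport=443),
    Rule("reject", "tcp", dst="10.0.0.0/24", dport=23),
]

# Constructed sample traffic: one outside host, one web server, one subnet broadcast address.
SAMPLE = [
    Packet("203.0.113.5", "10.0.0.10", "tcp", 40000, 443, SYN),
    Packet("203.0.113.5", "10.0.0.10", "tcp", 40000, 23, SYN),
    Packet("203.0.113.5", "10.0.0.10", "tcp", 40000, 80, SYN),
    Packet("10.0.0.10", "10.0.0.10", "tcp", 443, 443, SYN),
    Packet("203.0.113.5", "192.0.2.255", "icmp", icmp_type=8),
    Packet("203.0.113.5", "10.0.0.10", "tcp", 40000, 443, SYN | FIN),
    Packet("203.0.113.5", "10.0.0.10", "udp", 53, 53, frag_id=7, frag_off=0, frag_len=1400, more_frags=True),
    Packet("203.0.113.5", "10.0.0.10", "udp", 53, 53, frag_id=7, frag_off=1000, frag_len=600),
]


def run_sample():
    inspector = Inspector()
    return [filter_packet(p, RULES, inspector) for p in SAMPLE]


if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE, run_sample()):
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {decision}")
```

The ordering matters: malformed packets are dropped before the rule list is consulted, so an attacker cannot smuggle a LAND or overlapping-fragment packet through an otherwise permissive accept rule, and the final default-deny is what the page calls deny by default.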
Auditing and logging
Packets may be dropped because of anomalies or invalid parameters (such as LAND attacks, Smurf attacks, checksum errors, or an unhandled IP protocol number or version), and the BIG-IP system's powerful logging records the related events. By monitoring the source IP address from which an attack is attempted, the port used and how often the attempt is made, the BIG-IP device's security reporting identifies every incoming attempt to access services and ports. This information is very valuable for finding weaknesses in the secured network and helps determine where an attack comes from. In addition to new rules and variables for universal content switching, the rule syntax has been further extended with two new rule statements: log and accumulate. With these, the enterprise can use iRules to emit log or syslog messages and alert administrators to threats in real time.
Bandwidth shaping
With this new feature, enterprises can protect their systems effectively and flexibly against bandwidth-abuse attacks. Using rate classes together with rate filters, enterprises can now protect themselves from being pushed to peak load by periodic abusive users or by network attacks that could overwhelm network resources. The enterprise sets limits for traffic and applications and controls the rate at which these resources may peak, so common security attacks that try to overwhelm network resources can be identified and blocked.
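The rate class and rate filter pairing described above, as an added example that is not F5's code: a rate class is modelled as a token bucket (a sustained rate plus a burst allowance) and a rate filter maps traffic to a class by destination port, so a burst beyond the allowance is dropped rather than passed on to the network. The rates, the port mapping and the traffic sample are constructed for the example.

```python
class RateClass:
    """Token bucket: sustained 'rate' bytes per second with a 'burst' allowance in bytes."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, nbytes: int, now: float) -> bool:
        """Refill for the elapsed time (capped at burst), then spend tokens or report a drop."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class RateFilter:
    """Maps traffic to a rate class by destination port; unmatched traffic is not shaped."""

    def __init__(self, classes):
        self.classes = classes   # {dport: RateClass}

    def shape(self, packets):
        """packets: iterable of (time, dport, nbytes). Returns (forwarded_bytes, dropped_bytes)."""
        forwarded = dropped = 0
        for now, dport, nbytes in packets:
            rate_class = self.classes.get(dport)
            if rate_class is None or rate_class.allow(nbytes, now):
                forwarded += nbytes
            else:
                dropped += nbytes
        return forwarded, dropped


# Constructed traffic: twenty 1000-byte packets to port 80 at t=0 (a burst), two more one second
# later, and one unshaped packet to port 22. The class allows 2000 B/s sustained, 5000 B burst.
SAMPLE_TRAFFIC = [(0.0, 80, 1000)] * 20 + [(1.0, 80, 1000), (1.0, 80, 1000), (1.0, 22, 1000)]


def run_sample():
    rate_filter = RateFilter({80: RateClass(rate=2000, burst=5000)})
    return rate_filter.shape(SAMPLE_TRAFFIC)


if __name__ == "__main__":
    forwarded, dropped = run_sample()
    print(f"forwarded {forwarded} bytes, dropped {dropped} bytes")
```

Only the first five packets of the burst fit the 5000-byte allowance; one second later the bucket has refilled by 2000 bytes, so two more pass, and the port-22 packet is untouched because no rate class claims it.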
Preventing information leakage
With the BIG-IP system, valuable enterprise information that could otherwise be obtained through security holes is protected.