DEPLOYMENT GUIDE DEPLOYING F5 WITH MICROSOFT WINDOWS SERVER 2008

Transcription

1 DEPLOYMENT GUIDE DEPLOYING F5 WITH MICROSOFT WINDOWS SERVER 2008

2 Table of Contents Table of Contents Deploying F5 with Microsoft Windows Server 2008 Prerequisites and configuration notes Deploying F5 with Microsoft IIS 7.0 Prerequisites and configuration notes Configuration example Configuring the BIG-IP LTM system for IIS Creating the HTTP health monitor Creating the pool Creating profiles Creating the virtual server Configuring the BIG-IP LTM to offload SSL from IIS Using SSL certificates and keys Creating a Client SSL profile Creating the Redirect irule Modifying the HTTP virtual server Creating the HTTPS virtual server Synchronizing the BIG-IP configuration if using a redundant system Appendix A: Configuring the F5 WebAccelerator with Microsoft IIS Prerequisites and configuration notes Configuration example Configuring the WebAccelerator module Connecting to the BIG-IP LTM device Creating an HTTP Class profile Modifying the Virtual Server to use the Class profile Creating an Application Deploying the BIG-IP LTM and Microsoft Windows Server 2008 Terminal Services Prerequisites and configuration notes Configuration example Configuring the BIG-IP LTM with Windows Server 2008 Terminal Services, including RemoteApp Connecting to the BIG-IP LTM device Creating the TCP health monitor Creating the pool Creating profiles Creating the virtual server Deploying the BIG-IP LTM for internal users of Windows Terminal services Configuring the BIG-IP LTM system for deployment with the Gateway server role Prerequisites and configuration notes Connecting to the BIG-IP LTM device Importing keys and certificates Creating the HTTP health monitor Creating the pool Creating the irule Creating profiles Creating the virtual server Configuring the BIG-IP LTM system with the Web Access server role Importing keys and certificates Creating the HTTP health monitor Creating the pool F5 Deployment Guide i

3 Table of Contents Creating profiles Creating the virtual server Synchronizing the BIG-IP configuration if using a redundant system Appendix A: Backing up and restoring the BIG-IP LTM system configuration Backing up and restoring the BIG-IP LTM configuration Deploying the BIG-IP LTM with Microsoft Secure Socket Tunneling Protocol Prerequisites and configuration notes Configuration example Deploying the BIG-IP LTM in a basic configuration for SSTP Creating the HTTP health monitor Creating the pool Using SSL certificates and keys Creating profiles Creating the virtual server Deploying the BIG-IP LTM in an advanced configuration for SSTP Creating the health monitor Creating the pool Using SSL certificates and keys Creating the profiles Creating the irule Creating the virtual server Synchronizing the BIG-IP configuration if using a redundant system ii

4 1 Deploying F5 with Microsoft Windows Server 2008 Deploying F5 with Microsoft Windows Server 2008 Configuring the BIG-IP LTM system for IIS 7.0 Configuring the BIG-IP LTM to offload SSL from IIS 7.0

5 Deploying F5 with Microsoft Windows Server 2008 Welcome to the F5 Deployment Guide for Microsoft Windows Server This guide gives you step-by-step configuration procedures for deploying F5 products with Windows Server 2008, specifically the Terminal Services and Internet Information Services components. According to Microsoft, Microsoft Windows Server 2008 is the most advanced Windows Server operating system yet, designed to power the next-generation of networks, applications, and Web services. With Windows Server 2008 you can develop, deliver, and manage rich user experiences and applications, provide a secure network infrastructure, and increase technological efficiency and value within your organization. For more information on Microsoft Windows Server 2008, see For more information on F5 products, see This Deployment Guide is broken into the following sections: Deploying F5 with Microsoft IIS 7.0, on page 1-2. Includes configuration for the BIG-IP LTM and WebAccelerator Deploying the BIG-IP LTM system and Microsoft Windows Server 2008 Terminal Services, on page 2-1. Includes configuration for BIG-IP LTM and Windows Server 2008 Terminal Services, including Terminal Server, Session Broker, Gateway Server, and Web Access Server. Prerequisites and configuration notes The following are general prerequisites and configuration notes for deploying F5 with Windows Server Each section contains specific prerequisites. For this Deployment Guide, the BIG-IP LTM system must be running version 9.0 or later. We strongly running version 9.4 or later. Some of the examples in this guide use profiles introduced in version 9.4. To use these profiles you must either be running LTM version 9.4, or refer to the Configuration Guide for BIG-IP Local Traffic Management for version 9.4 (available on AskF5), which shows the configuration differences between the base profiles and the optimized profile types. We assume that the BIG-IP LTM device is already installed in the network, and objects like Self IPs and VLANs have already been created. For more information on configuring these objects, see the BIG-IP LTM manuals. 1-1

6 Deploying F5 with Microsoft Windows Server 2008 Deploying F5 with Microsoft IIS 7.0 F5's BIG-IP system can increase the existing benefits of deploying Microsoft's Internet Information Services (IIS) to provide enterprises, managed service providers, and e-businesses an easy-to-use solution for deploying, managing and securing global and local area traffic. The BIG-IP Local Traffic Manager (LTM), combined with the WebAccelerator module, provides a number of ways to accelerate, optimize, and scale Microsoft IIS deployments. When BIG-IP LTM relieves IIS 7.0 servers from tasks such as compression, caching, and SSL processing, each server is able to devote more resources to running applications and can service more user requests. For WebAccelerator configuration, see Appendix A: Configuring the F5 WebAccelerator module with Microsoft IIS 7.0, on page The BIG-IP system's TCP Express feature set incorporates the latest TCP/IP technologies, including full IPv6 support, ensuring compatibility with Microsoft's next-generation TCP/IP stack. For more information on TCP Express, see For information on Microsoft s updated TCP/IP stack, see Prerequisites and configuration notes All of the procedures in this Deployment Guide are performed on the BIG-IP system. The following are prerequisites for this solution: We recommend the latest version of Microsoft IIS. This Deployment Guide has been tested with IIS 7.0, which ships with Microsoft Windows Server Again, the BIG-IP LTM system must be running version 9.0 or later. We strongly running version 9.4 or later. Some of the examples in this guide use profiles introduced in version 9.4. To use these profiles you must either be running LTM version 9.4, or refer to the Configuration Guide for BIG-IP Local Traffic Management for version 9.4 (available on AskF5), which shows the configuration differences between the base profiles and the optimized profile types. If you are using the BIG-IP LTM system to offload SSL traffic from the IIS servers, you must already have obtained an SSL Certificate (but not necessarily installed it on the BIG-IP LTM system). For more information about offloading SSL traffic, see Configuring the BIG-IP LTM to offload SSL from IIS 7.0, on page F5 Deployment Guide 1-2

7 Configuration example In this Deployment Guide, the BIG-IP system is optimally configured to optimize and direct traffic to IIS servers. Figure 1 shows a logical configuration example with a redundant pair of BIG-IP LTM devices running the WebAccelerator module, in front of a group of IIS servers. Internet Firewalls BIG-IP Local Traffic Manager WebAccelerator Available as a module on the BIG-IP LTM Microsoft IIS 7.0 Servers Figure 1 Logical configuration example 1-3

8 Deploying F5 with Microsoft Windows Server 2008 Configuring the BIG-IP LTM system for IIS 7.0 To configure the BIG-IP LTM system to load balance IIS servers, you need to complete the following tasks: Creating the HTTP health monitor Creating the pool Creating profiles Creating the virtual server Configuring the BIG-IP LTM to offload SSL from IIS 7.0 (optional) Creating the HTTP health monitor The first step is to set up health monitors for the IIS devices. This procedure is optional, but very strongly recommended. In our example, we create a simple HTTP health monitor. Although the monitor in the following example is quite simple, you can configure optional settings such as Send and Receive Strings to make the monitor much more specific. To create a health monitor 1. On the Main tab, expand Local Traffic, and then click Monitors. 2. Click the Create button. The New Monitor screen opens. 3. In the Name box, type a name for the Monitor. In our example, we type iis-http-monitor. 4. From the Type list, select http. 5. In the Configuration section, in the Interval and Timeout boxes, type an Interval and Timeout. We recommend at least a 1:3 +1 ratio between the interval and the timeout (for example, the default setting has an interval of 5 and an timeout of 16). In our example, we use a Interval of 30 and a Timeout of 91 (see Figure 2). F5 Deployment Guide 1-4

9 6. In the Send String and Receive Rule sections, you can add a Send String and Receive Rule specific to the device being checked. Figure 2 Creating the HTTP Monitor 7. Click the Finished button. The new monitor is added to the Monitor list. Creating the pool The first step is to define a load balancing pool for the IIS servers. A BIG-IP pool is a set of devices grouped together to receive traffic according to a load balancing method. This pool uses the monitor you just created. To create the IIS pool 1. On the Main tab, expand Local Traffic, and then click Pools. The Pool screen opens. 2. In the upper right portion of the screen, click the Create button. The New Pool screen opens. 3. In the Name box, type a name for your pool. In our example, we use iis-http-pool. 1-5

10 Deploying F5 with Microsoft Windows Server In the Health Monitors section, select the name of the monitor you created in the Creating the HTTP health monitor section, and click the Add (<<) button. In our example, we select iis-http-monitor. 5. From the Load Balancing Method list, choose your preferred load balancing method (different load balancing methods may yield optimal results for a particular network). In our example, we select Least Connections (node). 6. In this pool, we leave the Priority Group Activation Disabled. 7. In the New Members section, make sure the New Address option button is selected. 8. In the Address box, add the first Microsoft IIS server to the pool. In our example, we type In the Service Port box, type 80 or select HTTP from the list. 10. Click the Add button to add the member to the list. 11. Repeat steps 8-10 for each server you want to add to the pool. In our example, we repeat these steps five times for the remaining servers, Click the Finished button (see Figure 3). Figure 3 Creating the pool for the IIS servers F5 Deployment Guide 1-6

11 Creating profiles Creating an HTTP profile BIG-IP version 9.0 and later use profiles. A profile is an object that contains user-configurable settings for controlling the behavior of a particular type of network traffic, such as HTTP connections. Using profiles enhances your control over managing network traffic, and makes traffic-management tasks easier and more efficient. Although it is possible to use the default profiles, we strongly recommend you create new profiles based on the default parent profiles, even if you do not change any of the settings initially. Creating new profiles allows you to easily modify the profile settings specific to this deployment, and ensures you do not accidentally overwrite the default profile. For the Microsoft IIS configuration, we create five new profiles: an HTTP profile, two TCP profiles, a persistence profile, and a OneConnect profile. If you plan on using the BIG-IP LTM system to offload SSL from the IIS devices, make sure to see Creating a Client SSL profile. These profiles use new optimized profiles available in BIG-IP LTM version 9.4 and later. If you are using a BIG-IP LTM version prior to 9.4, the Configuration Guide for BIG-IP Local Traffic Management for version 9.4 (available on AskF5) shows the differences between the base profiles and the optimized profile types. Use this guide to manually configure the optimization settings. The first new profile we create is an HTTP profile. The HTTP profile contains numerous configuration options for how the BIG-IP LTM system handles HTTP traffic. For deployments where the majority of users accessing the IIS devices are connecting across a WAN, F5 recommends enabling compression and caching on the BIG-IP LTM by using a profile introduced in BIG-IP version 9.4 called http-wan-optimized-compression-caching. This profile uses specific compression and caching (among other) settings to optimize traffic over the WAN. Note that to properly use this profile, you need to have compression and caching licensed on the BIG-IP LTM. For more information on licensing, contact your sales representative. If you are not using version 9.4, or do not have compression or caching licensed, you can choose the default HTTP parent profile, or one of the other optimized HTTP parent profiles. Important If you are using BIG-IP LTM version or later with the WebAccelerator module, use the http-acceleration parent profile. To create a new HTTP profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 1-7

12 Deploying F5 with Microsoft Windows Server 2008 Creating the TCP profiles Creating the LAN optimized TCP profile 2. In the upper right portion of the screen, click the Create button. The New HTTP Profile screen opens. 3. In the Name box, type a name for this profile. In our example, we type iis-http-opt. 4. From the Parent Profile list, select http-wan-optimized-compression-caching. 5. Optional: If you using the BIG-IP LTM to offload SSL, in the Settings section, check the Custom box for Redirect Rewrite, and from the Redirect Rewrite list, select Match. See Configuring the BIG-IP LTM to offload SSL from IIS 7.0, on page 1-14 for more information. 6. Check the Custom box for Content Compression, and leave Content List selected. 7. In the Content List section, add the following items to the existing entries in the Content Type box one at a time, each followed by clicking Include: application/pdf application/vnd.ms-powerpoint application/vnd.ms-excel application/msword application/vnd.ms-publisher We add these MIME types to ensure these highly compressible document types are compressed. 8. Modify any of the other settings as applicable for your network. In our example, we leave the settings at their default levels. 9. Click the Finished button. The next profiles we create are the TCP profiles. If most of the Microsoft IIS users are accessing the devices via a Local Area Network, we recommend using the tcp-lan-optimized (for server-side TCP connections) parent profile. If the majority of the users are accessing the system from remote or home offices, we recommend using an additional TCP profile, called tcp-wan-optimized (for client side TCP connections). In our example, we leave these profiles at their default levels; you can configure any of the options as applicable for your network. First we configure the LAN optimized profile. If you are not using version 9.4 or do not want to use this optimized profile, you can choose the default TCP parent profile. F5 Deployment Guide 1-8

13 To create a new TCP profile Creating the WAN optimized TCP profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, from the Protocol menu, click tcp. 3. In the upper right portion of the screen, click the Create button. The New TCP Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type iis-tcp-lan. 5. From the Parent Profile list, select tcp-lan-optimized if you are using BIG-IP LTM version 9.4 or later; otherwise select tcp. 6. Modify any of the settings as applicable for your network. In our example, we leave the settings at their default levels. 7. Click the Finished button. Now we configure the WAN optimized profile. Remember, if most of the users are accessing the system over the LAN or other low latency links, you do not need to create this profile. To create a new TCP WAN optimized profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, from the Protocol menu, click tcp. 3. In the upper right portion of the screen, click the Create button. The New TCP Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type iis-tcp-wan. 5. From the Parent Profile list, select tcp-wan-optimized. 6. Modify any of the settings as applicable for your network. In our example, we leave the settings at their default levels. 7. Click the Finished button. Creating persistence profile The next profile we create is a Persistence profile. We recommend using persistence for Microsoft IIS devices, although the type of persistence depends on your configuration. In our example, use cookie persistence (HTTP cookie insert). 1-9

14 Deploying F5 with Microsoft Windows Server 2008 To create a new cookie persistence profile based on the default profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, click Persistence. The Persistence Profiles screen opens. 3. In the upper right portion of the screen, click the Create button. The New Persistence Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type iis-cookie. 5. From the Persistence Type list, select Cookie. The configuration options for cookie persistence appear. 6. Modify any of the settings as applicable for your network. In our example, we leave the settings at their default levels. 7. Click the Finished button. Figure 4 Creating the cookie persistence profile Creating a OneConnect profile The final profile we create is a OneConnect profile. With OneConnect enabled, client requests can utilize existing, server-side connections, thus reducing the number of server-side connections that a server must negotiate to service those requests. This can provide significant performance improvements for IIS implementations. For more information on OneConnect, see the BIG-IP LTM documentation. In our example, we leave all the options at their default settings. You can configure these options as appropriate for your network. F5 Deployment Guide 1-10

15 To create a new OneConnect profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, from the Other menu, click OneConnect. The Persistence Profiles screen opens. 3. In the upper right portion of the screen, click the Create button. The New HTTP Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type iis-oneconnect. 5. From the Parent Profile list, ensure that oneconnect is selected. 6. Modify any of the other settings as applicable for your network. In our example, we leave the settings at their default levels. 7. Click the Finished button. Creating the virtual server Next, we configure a virtual server that references the profiles and pool you created in the preceding procedures. To create the virtual server 1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens. 2. In the upper right portion of the screen, click the Create button. The New Virtual Server screen opens. 3. In the Name box, type a name for this virtual server. In our example, we type iis-http-vs. 4. In the Destination section, select the Host option button. 5. In the Address box, type the IP address of this virtual server. In our example, we use In the Service Port box, type 80, or select HTTP from the list. Figure 5 Creating the IIS virtual server 1-11

16 Deploying F5 with Microsoft Windows Server From the Configuration list, select Advanced. The Advanced configuration options appear. 8. Leave the Type list at the default setting: Standard. 9. From the Protocol Profile (Client) list select the name of the profile you created in the Creating the WAN optimized TCP profile section. If you did not create a WAN optimized profile, select the LAN optimized profile as in the following Step. In our example, we select iis-tcp-wan. 10. From the Protocol Profile (Server) list, select the name of the profile you created in the Creating the LAN optimized TCP profile section. In our example, we select iis-tcp-lan. 11. From the OneConnect Profile list, select the name of the profile you created in Creating a OneConnect profile. In our example, we select iis-oneconnect. 12. From the HTTP Profile list, select the name of the profile you created in the Creating an HTTP profile section. In our example, we select iis-http-opt. Figure 6 Selecting the Microsoft IIS profiles for the virtual server 13. In the Resources section, from the Default Pool list, select the pool you created in the Creating the pool section. In our example, we select iis-http-pool. F5 Deployment Guide 1-12

17 14. From the Default Persistence Profile list, select the persistence profile you created in the Creating persistence profile section. In our example, we select iis-cookie. Figure 7 Adding the Pool and Persistence profile to the virtual server 15. Click the Finished button. The BIG-IP LTM HTTP configuration for the Microsoft IIS 7.0 deployment is now complete. 1-13

18 Deploying F5 with Microsoft Windows Server 2008 Configuring the BIG-IP LTM to offload SSL from IIS 7.0 If you are using the BIG-IP LTM system to offload SSL from the Microsoft IIS devices, there are additional configuration procedures you must perform on the BIG-IP LTM system. In the following configuration, the BIG-IP LTM redirects all incoming traffic to the HTTP virtual server to the HTTPS virtual server. This is useful if a user types a URL in a browser, but forgets to change the protocol to HTTPS. If your deployment does not require all traffic to be redirected to HTTPS, you do not need to configure the irule or modify the HTTP virtual server as described below, nor configure the Rewrite Redirect setting in the HTTP profile in Step 5 of Creating an HTTP profile. You can have both an HTTP and HTTPS virtual server on the same address with the appropriate ports. Important This section is optional, and only necessary if you are using the BIG-IP LTM system for offloading SSL. Using SSL certificates and keys Importing keys and certificates Before you can enable the BIG-IP LTM system to act as an SSL proxy, you must install a SSL certificate on the virtual server that you wish to use for Microsoft IIS connections on the BIG-IP LTM device. For this Deployment Guide, we assume that you already have obtained an SSL certificate, but it is not yet installed on the BIG-IP LTM system. For information on generating certificates, or using the BIG-IP LTM to generate a request for a new certificate and key from a certificate authority, see the Managing SSL Traffic chapter in the Configuration Guide for Local Traffic Management. Once you have obtained a certificate, you can import this certificate into the BIG-IP LTM system using the Configuration utility. By importing a certificate or archive into the Configuration utility, you ease the task of managing that certificate or archive. You can use the Import SSL Certificates and Keys screen only when the certificate you are importing is in Privacy Enhanced Mail (PEM) format. To import a key or certificate 1. On the Main tab, expand Local Traffic. 2. Click SSL Certificates. The list of existing certificates displays. 3. In the upper right corner of the screen, click Import. 4. From the Import Type list, select the type of import (Certificate or Key). F5 Deployment Guide 1-14

19 5. In the Certificate (or Key) Name box, type a unique name for the certificate or key. 6. In the Certificate (or Key) Source box, choose to either upload the file or paste the text. 7. Click Import. If you imported the certificate, repeat this procedure for the key. Creating a Client SSL profile The next step in this configuration is to create a Client SSL profile. This profile contains the SSL certificate and Key information for decrypting the SSL traffic on behalf of the servers. To create a new Client SSL profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, from the SSL menu, select Client. The Client SSL Profiles screen opens. 3. In the upper right portion of the screen, click the Create button. The New Client SSL Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type iis-clientssl. 5. In the Configuration section, check the Certificate and Key Custom boxes. 6. From the Certificate list, select the name of the Certificate you imported in the Importing keys and certificates section. 7. From the Key list, select the key you imported in the Importing keys and certificates section. 8. Click the Finished button. Creating the Redirect irule The Redirect irule takes incoming HTTP requests (non-secure) and redirects them to the correct HTTPS (secure) virtual server, without user interaction. To create the Redirect irule 1. On the Main tab, expand Local Traffic, and then click irules. The irule screen opens. 2. In the upper right portion of the screen, click the Create button. The New irule screen opens. 1-15

20 Deploying F5 with Microsoft Windows Server In the Name box, enter a name for your irule. In our example, we use iis-httptohttps. 4. In the Definition section, copy and paste the following irule: when HTTP_REQUEST { } 5. Click the Finished button (see Figure 8). Figure 8 Creating the irule Modifying the HTTP virtual server The next task is to modify the HTTP virtual server you created in Creating the virtual server, on page 1-11 to use the irule you just created. To modify the existing IIS virtual server 1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens. 2. From the Virtual Server list, click the IIS virtual server you created in the Creating the virtual server section. In our example, we click iis-http-vs. 3. On the menu bar, click Resources. The Resources page for the virtual server opens. 4. From the Default Pool list, select None. This virtual server no longer requires the load balancing pool, as traffic is redirected to the HTTPS virtual server we create in the following procedure. 5. Click the Update button. 6. In the irules section, click the Manage button. The Resource Management screen opens. F5 Deployment Guide 1-16

21 7. From the Available list, select the irule you created in the Creating the Redirect irule section, and click the Add (<<) button. In our example, we select iis-httptohttps. 8. Click the Finished button. Creating the HTTPS virtual server The final task in this section is to create a HTTPS virtual server. To create a new HTTPS virtual server 1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens. 2. In the upper right portion of the screen, click the Create button. The New Virtual Server screen opens. 3. In the Name box, type a name for this virtual server. In our example, we type iis-https-vs. 4. In the Destination section, select the Host option button. 5. In the Address box, type the IP address of this virtual server. In our example, we use In the Service Port box, type 443 or select HTTPS from the list. 7. From the Configuration list, select Advanced. The Advanced configuration options appear. 8. Leave the Type list at the default setting: Standard. 9. From the Protocol Profile (Client) list select the name of the profile you created in the Creating the WAN optimized TCP profile section. If you did not create a WAN optimized profile, select the LAN optimized profile as in the following Step. In our example, we select iis-tcp-wan. 10. From the Protocol Profile (Server) list, select the name of the profile you created in the Creating the LAN optimized TCP profile section. In our example, we select iis-tcp-lan. 11. From the OneConnect Profile list, select the name of the profile you created in Creating a OneConnect profile. In our example, we select iis-oneconnect. 12. From the HTTP Profile list, select the name of the profile you created in the Creating an HTTP profile section. In our example, we select iis-http-opt. Make sure you have the Rewrite Redirect box checked in the HTTP profile as described in Step 5 of Creating an HTTP profile. 13. From the SSL Profile (Client) list, select the name of the SSL profile you created in the Creating a Client SSL profile section. In our example, we select iis-clientssl. 1-17

22 Deploying F5 with Microsoft Windows Server From the Default Pool list, select the pool you created in the Creating the pool section. In our example, we select iis-http-pool. 15. From the Default Persistence Profile list, select the persistence profile you created in the Creating persistence profile. In our example, we select iis-cookie. 16. Click the Finished button. Synchronizing the BIG-IP configuration if using a redundant system If you are using a redundant BIG-IP configuration, the final step is to synchronize the configuration to the peer BIG-IP device. To synchronize the configuration using the Configuration utility 1. On the Main tab, expand System. 2. Click High Availability. The Redundancy screen opens. 3. On the Menu bar, click ConfigSync. 4. Click the Self --> Peer button. The configuration synchronizes with its peer. F5 Deployment Guide 1-18

23 Appendix A: Configuring the F5 WebAccelerator module with Microsoft IIS 7.0 In this section, we configure the WebAccelerator module for the IIS 7.0 devices to increase performance for end users. The F5 WebAccelerator is an advanced web application delivery solution that provides a series of intelligent technologies designed to overcome problems with browsers, web application platforms and WAN latency issues which impact user performance. For more information on the F5 WebAccelerator, see Prerequisites and configuration notes The following are prerequisites for this section: We assume that you have already configured the BIG-IP LTM system for directing traffic to the IIS deployment as described in this Deployment Guide. You must have purchased and licensed the WebAccelerator module on the BIG-IP LTM system, version 9.4 or later. If you are using the BIG-IP LTM version or later, you must have created an HTTP profile on the BIG-IP LTM system that has RAM Cache enabled. In our example (Creating an HTTP profile, on page 1-7) we use a parent profile that includes RAM Cache. If you did not create an HTTP profile with RAM Cache enabled, you must create a new HTTP profile, based on a parent profile that uses RAM Cache (we recommend HTTP Acceleration) and associate it with the virtual server. This is only required for BIG-IP LTM version and later. This document is written with the assumption that you are familiar with the BIG-IP LTM system, WebAccelerator and Microsoft IIS 7.0. Consult the appropriate documentation for detailed information. Configuration example Using the configuration in this section, the BIG-IP LTM system with WebAccelerator module is optimally configured to accelerate traffic to Microsoft IIS servers. The BIG-IP LTM with WebAccelerator module both increases end user performance as well as offloads the servers from serving repetitive and duplicate content. In this configuration, a remote client with WAN latency accesses an IIS server via the WebAccelerator. The user s request is accelerated on repeat visits by the WebAccelerator instructing the browser to use the dynamic or 1-19

24 Deploying F5 with Microsoft Windows Server 2008 static object that is stored in its local cache. Additionally, dynamic and static objects are cached at the WebAccelerator so that they can be served quickly without requiring the server to re-serve the same objects. Configuring the WebAccelerator module Configuring the WebAccelerator module requires creating an HTTP class profile and creating an Application. The WebAccelerator device has a large number of other features and options for fine tuning performance gains, see the WebAccelerator Administrator Guide for more information. Connecting to the BIG-IP LTM device Use the following procedure to access the BIG-IP LTM system s web-based Configuration utility using a web browser. To connect to the BIG-IP LTM system using the Configuration utility 1. In a browser, type the following URL: IP address of the BIG-IP device> A Security Alert dialog box appears, click Yes. The authorization dialog box appears. 2. Type your user name and password, and click OK. The Welcome screen opens. Creating an HTTP Class profile The first procedure is to create an HTTP class profile. When incoming HTTP traffic matches the criteria you specify in the WebAccelerator class, the system diverts the traffic through this class. In the following example, we create a new HTTP class profile, based on the default profile. To create a new HTTP class profile 1. On the Main tab, expand WebAccelerator, and then click Classes. The HTTP Class Profiles screen opens. 2. In the upper right portion of the screen, click the Create button. The New HTTP Class Profile screen opens. 3. In the Name box, type a name for this Class. In our example, we type iis-class. 4. From the Parent Profile list, make sure httpclass is selected. 5. In the Configuration section, from the WebAccelerator row, make sure Enabled is selected. F5 Deployment Guide 1-20

25 6. In the Hosts row, from the list select Match Only. The Host List options appear. a) In the Host box, type the host name that your end users use to access the IIS devices. In our example, we type iis-application.f5.com (see Figure 9). b) Leave the Entry Type at Pattern String. c) Click the Add button. d) Repeat these sub-steps for any other host names users might use to access the IIS deployment. 7. The rest of the settings are optional, configure them as applicable for your deployment. 8. Click the Finished button. The new HTTP class is added to the list. Figure 9 Creating a new HTTP Class profile 1-21

26 Deploying F5 with Microsoft Windows Server 2008 Modifying the Virtual Server to use the Class profile The next step is to modify the virtual server for your IIS deployment on the BIG-IP LTM system to use the HTTP Class profile you just created. To modify the Virtual Server to use the Class profile 1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens. 2. From the Virtual Server list, click the name of the virtual server you created for the IIS servers. In our example, we click iis-http-vs. The General Properties screen for the Virtual Server opens. 3. On the Menu bar, click Resources. The Resources screen for the Virtual Server opens. 4. In the HTTP Class Profiles section, click the Manage button. 5. From the Available list, select the name of the HTTP Class Profile you created in the preceding procedure, and click the Add (<<) button to move it to the Enabled box. In our example, we select iis-class (see Figure 10). 6. Click the Finished button. The HTTP Class Profile is now associated with the Virtual Server. Figure 10 Adding the HTTP Class to the Virtual Server Important If you are using the BIG-IP LTM version or later, you must have created an HTTP profile on the BIG-IP LTM system that has RAM Cache enabled. In our example (Creating an HTTP profile, on page 1-7) we use a parent profile that includes RAM Cache. If you did not create an HTTP profile with RAM Cache enabled, you must create a new HTTP profile, based on a parent profile that uses RAM Cache (such as HTTP Acceleration), and modify the virtual server to use this new profile. This is only required for BIG-IP LTM version and later. To create the HTTP profile, use Creating an HTTP profile, on page 1-7, selecting the HTTP Acceleration parent profile. You must leave RAM Cache enabled; all other settings are optional. To modify the virtual server, follow F5 Deployment Guide 1-22

27 Steps 1 and 2 from the preceding procedure to access the virtual server, and then from the HTTP Profile list, select the name of the new profile you just created and click Update. Creating an Application The next procedure is to create a WebAccelerator Application. The Application provides key information to the WebAccelerator so that it can handle requests to your application appropriately. To create a new Application 1. On the Main tab, expand WebAccelerator, and then click Applications. The Application screen of the WebAccelerator UI opens in a new window. 2. Click the New Application button. 3. In the Application Name box, type a name for your application. In our example, we type Microsoft IIS. 4. In the Description box, you can optionally type a description for this application. 5. From the Local Policies list, select Microsoft Internet Information Services (IIS). This is a pre-defined policy created specifically for Microsoft IIS devices (see Figure 11). 6. In the Requested Host box, type the host name that your end users use to access the IIS deployment. This should be the same host name you used in Step 6a in the preceding procedure. In our example, we type iisapplication.f5.com. If you have additional host names, click the Add Host button and enter the host name(s). 7. Click the Save button. 1-23

28 Deploying F5 with Microsoft Windows Server 2008 Figure 11 Configuring an Application on the WebAccelerator The rest of the configuration options on the WebAccelerator are optional, configure these as applicable for your network. With this base configuration, your end users will notice a marked improvement in performance after their first visit. F5 Deployment Guide 1-24

29 1-25

30 2 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services Configuring the BIG-IP LTM with Windows Server 2008 Terminal Services, including RemoteApp Configuring the BIG-IP LTM system for deployment with the Gateway server role Configuring the BIG-IP LTM system with the Web Access server role

31 Deploying the BIG-IP LTM system and Microsoft Windows Server 2008 Terminal Services This chapter gives you step-by-step configuration procedures for configuring the BIG-IP LTM (Local Traffic Manager) system for directing traffic and maintaining persistence to Microsoft Terminal Services devices. Terminal Services in Windows Server 2008 enables users to remotely access full Windows desktops, or individual Windows-based applications, on Terminal Server computers. In an environment using BIG-IP LTM system, a farm of terminal servers have incoming connections distributed in a balanced manner across the servers in the farm. Additionally, BIG-IP LTM can offload SSL processing and distribute load for the new Gateway and Web Access roles in Terminal Services. For more information on Microsoft Windows Server 2008, including Windows Terminal Services, see For more information on the BIG-IP LTM system, see This Deployment Guide is broken up into three sections: Configuring the BIG-IP LTM with Windows Server 2008 Terminal Services, including RemoteApp, on page 2-5 Configuring the BIG-IP LTM system for deployment with the Gateway server role, on page 2-14 Configuring the BIG-IP LTM system with the Web Access server role, on page 2-24 Prerequisites and configuration notes The following are prerequisites for this deployment: The BIG-IP LTM system should be running version or later. This Deployment Guide is written for Windows Server 2008 Terminal Services. If you are using Windows Server 2003 Terminal Services, see Briefly review the basic configuration tasks and the few pieces of information, such as IP addresses, that you should gather in preparation for completing this configuration. You should be familiar with both the BIG-IP LTM system and Windows Server 2008 Terminal Services. For more information on configuring these products, consult the appropriate documentation. If you are using IPv6 addresses, you must have the IPv6 Gateway module licensed on the BIG-IP LTM system. 2-1

32 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services Special note about Session Broker Servers The Session Broker role, new to Windows Server 2008 Terminal Servers, provides simple load balancing and user persistence to farms of Terminal Server computers. BIG-IP LTM, used in conjunction with a Session Broker server, fully supports Session Broker persistence tokens. The BIG-IP LTM also provides additional options and scalability beyond that which Session Broker offers alone: Microsoft documentation states that the Session Broker "provides significant value to farms of two to five servers." The BIG-IP LTM can scale efficiently to much higher numbers of servers. The BIG-IP LTM offers additional load balancing methods beyond just least connections or predetermined ratios; for instance, an administrator can choose to send new connections to those servers that are observed to be exhibiting the fastest response. Complete instructions for installing and configuring Session Broker servers can be found in this Microsoft TechNet article. There are a few configuration notes you must make sure to follow. Each Terminal Server computer in this deployment should be enrolled in a session broker farm. You must disable Session Broker load balancing on each of the Session Broker farm members. Clear the Use IP Address Redirection box on each Session Broker farm member. You must select a single IP address on each farm member that will be used for reconnection. The IP address you select must be the same address that you configure as a pool member on the BIG-IP LTM, as described in Creating the pool, on page 2-7. In Figure 2.1, on page 2-3, you see a screen shot of the TS Session Broker properties. In this example, the farm member has been properly configured to work with BIG-IP LTM. The server has IPv4 address of , which is also configured as a pool member address on the BIG-IP LTM system. Also notice that Participate in Session Broker Load-Balancing and Use IP Address Redirection are not checked, as described in the preceding configuration notes. Refer to the Microsoft documentation for information on how to configure the TS Session Broker properties. F5 Deployment Guide 2-2

33 Figure 2.1 Configuring the TS Session Broker properties Configuration example In the scenario used in this Deployment Guide, users connect to a virtual server (single IP address) on the BIG-IP LTM system using the Microsoft Remote Desktop Connection client. The connections are load balanced to a farm of devices running Microsoft Windows Terminal Server. The farm is managed by a Session Broker server, which works in conjunction with the BIG-IP LTM system to ensure that each client connects to the same member of the farm (using persistence on the BIG-IP LTM), across multiple sessions, in order to keep consistent application and data presented to each user. 2-3

34 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services Figure 2.2 Logical configuration example Note The example in Figure 1 is a logical representation of this deployment. Your configuration may be dramatically different than the one shown. F5 Deployment Guide 2-4

35 Configuring the BIG-IP LTM with Windows Server 2008 Terminal Services, including RemoteApp In this section of this Deployment Guide, we configure the BIG-IP LTM system for full Terminal Server sessions, which also supports RemoteApp programs that are accessed through the Terminal Services Remote Desktop Protocol. Unlike full Terminal Server sessions, RemoteApp programs run side-by-side with local programs, and do not require a full remote desktop environment. BIG-IP LTM can direct traffic to servers providing traditional Terminal Services sessions, and those that provide RemoteApp programs, in exactly in the same manner. More information on deploying RemoteApp programs can be found in this Microsoft TechNet article. To configure the BIG-IP LTM system for integration with Windows Terminal Services, you must complete the following procedures: Connecting to the BIG-IP LTM device Creating the HTTP health monitor Creating the pool Creating profiles Creating the virtual server These procedures assume that the Terminal Services clients are coming in from outside the corporate network. If users are also connecting from inside the corporate network, be sure to see Deploying the BIG-IP LTM for internal users of Windows Terminal services, on page Tip We recommend you save your existing BIG-IP configuration before you begin the procedures in this Deployment Guide. To save your BIG-IP configuration, see Appendix A: Backing up and restoring the BIG-IP LTM system configuration, on page The BIG-IP LTM system offers both web-based and command line configuration tools, so that users can work in the environment that they are most comfortable with. This Deployment Guide contains procedures to configure the BIG-IP LTM system using the BIG-IP web-based Configuration utility only. If you are familiar with using the bigpipe command line interface you can use the command line to configure the BIG-IP device; however, we recommend using the Configuration utility. Connecting to the BIG-IP LTM device Use the following procedure to access the BIG-IP web-based Configuration utility using a web browser. 2-5

36 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services To connect to the BIG-IP LTM system using the Configuration utility 1. In a browser, type the following URL: IP address of the BIG-IP device> A Security Alert dialog box appears, click Yes. The authorization dialog box appears. 2. Type your user name and password, and click OK. The Welcome screen opens. Once you are logged onto the BIG-IP LTM system, the Welcome screen of the new Configuration utility opens. From the Configuration utility, you can configure and monitor the BIG-IP LTM system, as well as access online help, download SNMP MIBs and Plug-ins, and even search for specific objects. Creating the TCP health monitor The first step in this configuration is to set up a health monitor for the Windows Terminal Services devices. This procedure is optional, but very strongly recommended. To create a health monitor 1. On the Main tab, expand Local Traffic, and then click Monitors. The Monitors screen opens. 2. Click the Create button. The New Monitor screen opens. 3. In the Name box, type a name for the Monitor. In our example, we type wts-tcp. 4. From the Type list, select tcp. The TCP Monitor configuration options appear. 5. In the Configuration section, in the Interval and Timeout boxes, type an Interval and Timeout. We recommend at least a 1:3 +1 ratio between the interval and the timeout (for example, the default setting has an interval of 5 and an timeout of 16). In our example, we use a Interval of 30 and a Timeout of In the Send String and Receive Rule sections, you can add an optional send string and receive rule specific to the device being checked. 7. Click the Finished button (see Figure 2.3). The new monitor is added to the Monitor list. F5 Deployment Guide 2-6

37 Figure 2.3 Creating the TCP Monitor Creating the pool The next step in this configuration is to create a pool on the BIG-IP LTM system for the Windows Terminal Servers. A BIG-IP pool is a set of devices grouped together to receive traffic according to a load balancing method. In this configuration, we create one pool for the Windows Terminal Servers. To create the Terminal Services pool 1. On the Main tab, expand Local Traffic, and then click Pools. The Pool screen opens. 2. In the upper right portion of the screen, click the Create button. The New Pool screen opens. Note: For more (optional) pool configuration settings, from the Configuration list, select Advanced. Configure these settings as applicable for your network. 3. In the Name box, enter a name for your pool. In our example, we use wts-rdp-pool. 4. In the Health Monitors section, select the name of the monitor you created in the Creating the HTTP health monitor section, and click the Add (<<) button. In our example, we select wts-tcp. 5. From the Load Balancing Method list, choose your preferred load balancing method (different load balancing methods may yield optimal results for a particular network). In our example, we select Least Connections (node). 2-7

38 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services 6. For this pool, we leave the Priority Group Activation Disabled. 7. In the New Members section, make sure the New Address option button is selected. 8. In the Address box, add the first server to the pool. In our example, we type In the Service Port box, type the service number you want to use for this device, or specify a service by choosing a service name from the list. In our example, we type 3389, the default port for RDP. 10. Click the Add button to add the member to the list. 11. Repeat steps 8-10 for each server you want to add to the pool. In our example, we repeat these steps twice for the remaining servers, and Click the Finished button (see Figure2.4). Figure 2.4 Creating the pool in the BIG-IP Configuration utility F5 Deployment Guide 2-8

39 Creating profiles Creating a persistence profile BIG-IP version 9.0 and later uses profiles. A profile is an object that contains user-configurable settings, with default values, for controlling the behavior of a particular type of network traffic, such as HTTP connections. Using profiles enhances your control over managing network traffic, and makes traffic-management tasks easier and more efficient. Although it is possible to use the default profiles, we strongly recommend you create new profiles based on the default parent profiles. Creating new profiles allows you to easily modify the profile settings specific to this deployment, and ensures you do not accidentally overwrite the default profile. These profiles use new optimized profiles available in BIG-IP LTM version 9.4 and later. If you are using a BIG-IP LTM version prior to 9.4, the Configuration Guide for BIG-IP Local Traffic Management for version 9.4 (available on AskF5) shows the differences between the base profiles and the optimized profile types. Use this guide to manually configure the optimization settings. The first profile we create is a persistence profile. The BIG-IP LTM system includes a profile specifically designed for Microsoft Terminal Services: Microsoft Remote Desktop persistence. In this profile, we suggest choosing a suitably long timeout to accommodate Remote Desktop Protocol client usage patterns. In our example, we've selected seconds (24 hours); you may find that longer or shorter timeouts are appropriate for your environment. To create a new persistence profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, click Persistence. The Persistence Profiles screen opens. 3. In the upper right portion of the screen, click the Create button. The New Persistence Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type wts-rdp. 5. From the Persistence Type list, select Microsoft Remote Desktop (see Figure 2.5). The configuration options for Microsoft Remote Desktop persistence appear. 6. In the Timeout row, click the Custom box. In the Seconds box, type Modify any of the settings as applicable for your network. 2-9

40 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services 8. Click the Finished button. Figure 2.5 Configuring Microsoft Remote Desktop persistence Creating the TCP profiles Creating the WAN optimized TCP profile The next profiles we create are the TCP profiles. We recommend two TCP profiles for this configuration: a WAN optimized TCP profile for the clients, and a LAN optimized profile for the server. First we configure the WAN optimized profile. To create a new TCP WAN optimized profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, from the Protocol menu, click tcp. 3. Cclick the Create button. The New TCP Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type wts-rdp-wan. 5. From the Parent Profile list, select tcp-wan-optimized. 6. In the Idle Timeout row, click the Custom box. In the Seconds box, type In the Nagle s Algorith row, click the Custom box. Clear the check from the box to disable Nagle s Algorithm. 8. Modify any of the settings as applicable for your network. In our example, we leave the settings at their default levels. 9. Click the Finished button. F5 Deployment Guide 2-10

41 Creating the LAN optimized TCP profile First we configure the LAN optimized profile. If you are not using version 9.4 or do not want to use this optimized profile, you can choose the default TCP parent profile. To create a new TCP profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, from the Protocol menu, click tcp. 3. In the upper right portion of the screen, click the Create button. The New TCP Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type wts-rdp-lan. 5. From the Parent Profile list, select tcp-lan-optimized if you are using BIG-IP LTM version 9.4 or later; otherwise select tcp. 6. In the Idle Timeout row, click the Custom box. In the Seconds box, type Modify any of the settings as applicable for your network. In our example, we leave the settings at their default levels. 8. Click the Finished button. Creating the virtual server Next, we configure a virtual server that references the profiles and pool you created in the preceding procedures. To create the virtual server 1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens. 2. In the upper right portion of the screen, click the Create button. The New Virtual Server screen opens. 3. In the Name box, type a name for this virtual server. In our example, we type wts-rdp-vs. 4. In the Destination section, select the Host option button. 5. In the Address box, type the IP address of this virtual server. In our example, we use

42 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services 6. In the Service Port box, type Figure 2.6 Adding the Terminal Services virtual server 7. From the Protocol Profile (Client) list, select the profile you created in the Creating the WAN optimized TCP profile section. In our example, we select wts-rdp-wan. 8. From the Protocol Profile (Server) list, select the profile you created in the Creating the LAN optimized TCP profile section. In our example, we select wts-rdp-lan. 9. In the Resources section, from the Default Pool list, select the pool you created in the Creating the pool section. In our example, we select wts-rdp-pool. 10. From the Default Persistence Profile list, select the persistence profile you created in the Creating a persistence profile section. In our example, we select wts-rdp. 11. Click the Finished button. Figure 2.7 Resources section of the add virtual server page F5 Deployment Guide 2-12

43 Deploying the BIG-IP LTM for internal users of Windows Terminal services Creating the health monitor Creating the pool Creating the profiles Creating the virtual server If your deployment includes internal users of Windows Server 2008 Terminal Services, you must create another virtual server and the associated objects for these users which will be optimized for LAN traffic. To create the health monitor, follow Creating the HTTP health monitor, on page You can alternatively use the same health monitor you created previously, however we recommend creating a new health monitor. To create the pool, follow Creating the pool, on page 2-7. When configuring the pool, add the health monitor you created in the preceding procedure. For internal users, we create two profiles, a persistence profile and a LAN optimized TCP profile. Again, you can use the same profiles you created previously, however we recommend creating new profiles. To create the persistence profile, follow Creating a persistence profile, on page 2-9. To create the LAN optimized TCP profile, follow Creating the LAN optimized TCP profile, on page To create the virtual server, follow Creating the virtual server, on page Use the appropriate IP address. From the Protocol Profile (Client) list, select the LAN optimized profile you created in the preceding procedure. Leave the Protocol Profile (Server) list at the default setting (Use Client Profile). Add the pool and persistence profile you created for the internal users. This completes the configuration for the internal users of Windows 2008 Terminal Services. 2-13

44 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services Configuring the BIG-IP LTM system for deployment with the Gateway server role The Gateway role, new to Windows Server 2008 Terminal Servers, allows authorized users to tunnel Remote Desktop Protocol (RDP) connections over HTTPS, using the standard Terminal Services client. Benefits of Gateway servers include: remote access without the use of a VPN solution; the ability to connect from remote networks that do not allow RDP connections (TCP port 3389) through their firewalls; comprehensive control over user access policies; and publication of a single name and address to the public networks, rather than one for each internal Terminal Server resource. More information on deploying Gateway Servers can be found in this Microsoft TechNet article. Prerequisites and configuration notes The following are prerequisites for this section: Administrators must enable HTTPS-HTTP Bridging on Gateway servers to enable offloading of SSL/TLS. Administrators must add each Gateway Server to a TS Gateway Server farm. The list of farm members must be identical on each Gateway server. In the following screenshots, we show an example of a Gateway server that has been properly configured to participate in a TS Gateway server farm. In Figure 2.8, you can see that HTTPS-HTTP Bridging has been enabled. Figure 2.9 shows that two members have been added to the farm. In this example, we show the IPv6 addresses for the farm members, but the procedure is the same for IPv4 addressing. Figure 2.8 Configuring HTTPS-HTTP briding on the TS Gateway server F5 Deployment Guide 2-14

45 Figure 2.9 Configuring the Server Farm properties For more information on configuring the Gateway Server role, see the Microsoft documentation. Connecting to the BIG-IP LTM device Use the following procedure to access the BIG-IP web-based Configuration utility using a web browser. To connect to the BIG-IP LTM system using the Configuration utility 1. In a browser, type the following URL: IP address of the BIG-IP device> A Security Alert dialog box appears, click Yes. The authorization dialog box appears. 2. Type your user name and password, and click OK. The Welcome screen opens. Once you are logged onto the BIG-IP LTM system, the Welcome screen of the new Configuration utility opens. From the Configuration utility, you can configure and monitor the BIG-IP LTM system, as well as access online help, download SNMP MIBs and Plug-ins, and even search for specific objects. 2-15

46 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services Importing keys and certificates Before you can enable the BIG-IP LTM system to offload SSL traffic from Gateway servers, you must install a SSL certificate and key on the BIG-IP LTM system. For this Deployment Guide, we assume that you already have obtained an SSL certificate, but it is not yet installed on the BIG-IP LTM system. For information on generating certificates, or using the BIG-IP LTM system to generate a request for a new certificate and key from a certificate authority, see the Managing SSL Traffic chapter in the Configuration Guide for Local Traffic Management. Once you have obtained a certificate, you can import this certificate into the BIG-IP LTM system using the Configuration utility. You can use the Import SSL Certificates and Keys screen only when the certificate you are importing is in Privacy Enhanced Mail (PEM) format. To import a key or certificate 1. On the Main tab, expand Local Traffic. 2. Click SSL Certificates. This displays the list of existing certificates. 3. In the upper right corner of the screen, click Import. 4. From the Import Type list, select the type of import (Certificate or Key). 5. In the Certificate (or Key) Name box, type a unique name for the certificate or key. 6. In the Certificate (or Key) Source box, choose to either upload the file or paste the text. 7. Click Import. If you imported the certificate, repeat this procedure for the key. Creating the HTTP health monitor The next step in this configuration is to set up a health monitor for the Gateway servers. This procedure is optional, but very strongly recommended. To create a health monitor 1. On the Main tab, expand Local Traffic, and then click Monitors. The Monitors screen opens. 2. Click the Create button. The New Monitor screen opens. 3. In the Name box, type a name for the Monitor. In our example, we type wts-gateway-http. 4. From the Type list, select http. The TCP Monitor configuration options appear. F5 Deployment Guide 2-16

47 5. In the Configuration section, in the Interval and Timeout boxes, type an Interval and Timeout. We recommend at least a 1:3 +1 ratio between the interval and the timeout (for example, the default setting has an interval of 5 and an timeout of 16). In our example, we use a Interval of 30 and a Timeout of In the Send String and Receive Rule sections, you can add an optional send string and receive rule specific to the device being checked. 7. Click the Finished button. The new monitor is added to the Monitor list. Creating the pool The next step in this configuration is to create a pool on the BIG-IP LTM system for the Windows Terminal Servers. In the following example, we use IPv6 addresses for the nodes. This is not a requirement, and is done to show how to configure a pool using IPv6 addresses. Enter the IP address type appropriate for your configuration. Note When using different address types for virtual servers and nodes (for example. when the BIG-IP LTM provides an IPv4 virtual server for IPv6 nodes), the LTM performs source-nating of the client IP address regardless of whether or not a SNAT policy has been set. By default, the SNAT is set to the local self-ip of the LTM on the network that communicates with the destination nodes, and is of the same format as the destination. For instance, an IPv6 node results in incoming client connections being SNATed to the IPv6 self-ip of the LTM on the network which carries that IPv6 traffic. To override the SNAT behavior with your own selection of addresses, which still must be of the appropriate address type, configure a SNAT profile and apply it to the virtual server. To create the Gateway Server pool 1. On the Main tab, expand Local Traffic, and then click Pools. The Pool screen opens. 2. In the upper right portion of the screen, click the Create button. The New Pool screen opens. Note: For more (optional) pool configuration settings, from the Configuration list, select Advanced. Configure these settings as applicable for your network. 3. In the Name box, enter a name for your pool. In our example, we use wts-gateway-ipv

48 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services 4. In the Health Monitors section, select the name of the monitor you created in the Creating the HTTP health monitor section, and click the Add (<<) button. In our example, we select wts-gateway-http. 5. From the Load Balancing Method list, choose your preferred load balancing method (different load balancing methods may yield optimal results for a particular network). In our example, we select Least Connections (node). 6. For this pool, we leave the Priority Group Activation Disabled. 7. In the New Members section, make sure the New Address option button is selected. 8. In the Address box, add the first server to the pool. In our example, we type the following IPv6 address: 2001:db8:0:0:0:0:0:a85: In the Service Port box, type the service number you want to use for this device, or specify a service by choosing a service name from the list. In our example, we type Click the Add button to add the member to the list. 11. Repeat steps 8-10 for each server you want to add to the pool. In our example, we repeat these steps once for 2001:db8:0:0:0:0:0:a85: Click the Finished button (see Figure 2.10). Figure 2.10 Creating the Gateway IPv6 pool F5 Deployment Guide 2-18

49 Creating the irule The next object we configure is an irule that is used for persistence. This irule is necessary because Microsoft Remote Desktop protocol does not support HTTP cookies, so the BIG-IP LTM persists based on this rule. In some cases you may be able to use other persistence methods such as Source Address Affinity, which bases persistence on the IP address of the client. However, because proxy servers or NAT (network address translation) devices may aggregate clients behind a single IP address, such methods are not always effective. To ensure reliable persistence, we recommend using the following irule and associated persistence profile. To create the irule 1. On the Main tab, expand Local Traffic, and then click irules. The Virtual Servers screen opens. 2. In the upper right portion of the screen, click the Create button. The New irule screen opens. 3. In the Name box, type a name for this irule. In our example, we type PersistRule. 4. In the Definition box, copy and paste the following irule: when HTTP_REQUEST { if { [ exists "Authorization"] } { persist uie [ "Authorization"] } } 5. Click the Finished button. Creating profiles Creating the persistence profile For the Gateway servers, we create five profiles: persistence, HTTP, two TCP profiles, and a Client SSL profile. As previously mentioned, you can use the default profiles if you are not changing any of the settings; however we strongly recommend creating new profiles. The first profile we create is a persistence profile. This profile uses the irule you created in Creating the irule, on page To create a new cookie persistence profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, click Persistence. The Persistence Profiles screen opens. 2-19

50 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services 3. In the upper right portion of the screen, click the Create button. The New Persistence Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type wts-gateway-persist. 5. From the Persistence Type list, select Universal. The configuration options for universal persistence appear. 6. Click the Custom boxes for irule and Timeout. 7. From the irule list, select the name of the irule you created in Creating the irule, on page In our example, we select PersistRule. 8. In the Timeout box, type 3600 seconds (one hour). 9. Click the Finished button. Figure 2.11 Configuring the persistence profile Creating an HTTP profile The next profile we create is an HTTP profile. In the following example, we base our HTTP profile off of a new profile included with BIG-IP LTM version 9.4, called http-wan-optimized-compression-caching. This profile includes some default optimization settings that increase performance over the WAN. There are a couple of caveats for using this profile: You must have Compression and RAM Cache licensed on your BIG-IP LTM system. Contact your Sales Representative for more information. This profile is only available in BIG-IP LTM version 9.4 and later. F5 Deployment Guide 2-20

51 To create a new HTTP profile 1. On the Main tab, expand Local Traffic. 2. Click Profiles. The HTTP Profiles screen opens. 3. In the upper right portion of the screen, click the Create button. The new HTTP Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type wts-gateway-http. 5. From the Parent Profile list, select http-wan-optimized-compression-caching. 6. Modify any of the other options as applicable for your configuration. See the online help for more information on the configuration options. 7. Click the Finished button. Creating the TCP profiles Creating the WAN optimized TCP profile The next profiles we create are the TCP profiles. For this configuration, we recommend two different TCP profiles, one for the client and one for the server. We recommend a WAN optimized TCP profile for the client, and a LAN optimized profile for the server. In our example, we leave these profiles at their default levels; you can configure any of the options as applicable for your network. First we configure the WAN optimized profile. To create a new TCP WAN optimized profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, from the Protocol menu, click tcp. 3. In the upper right portion of the screen, click the Create button. The New TCP Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type wts-gateway-wan. 5. From the Parent Profile list, select tcp-wan-optimized. 6. Modify any of the settings as applicable for your network. In our example, we leave the settings at their default levels. 7. Click the Finished button. 2-21

52 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services Creating the LAN optimized TCP profile First we configure the LAN optimized profile. If you are not using version 9.4 or do not want to use this optimized profile, you can choose the default TCP parent profile. To create a new TCP profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, from the Protocol menu, click tcp. 3. In the upper right portion of the screen, click the Create button. The New TCP Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type wts-gateway-lan. 5. From the Parent Profile list, select tcp-lan-optimized if you are using BIG-IP LTM version 9.4 or later; otherwise select tcp. 6. Modify any of the settings as applicable for your network. In our example, we leave the settings at their default levels. 7. Click the Finished button. Creating a Client SSL profile The next step in this configuration is to create an SSL profile. This profile contains the SSL certificate and Key information for offloading the SSL traffic. To create a new Client SSL profile 1. On the Main tab, expand Local Traffic. 2. Click Profiles. The HTTP Profiles screen opens. 3. On the Menu bar, from the SSL menu, select Client. The Client SSL Profiles screen opens. 4. In the upper right portion of the screen, click the Create button. The New Client SSL Profile screen opens. 5. In the Name box, type a name for this profile. In our example, we type wts-gateway-ssl. 6. In the Configuration section, click a check in the Certificate and Key Custom boxes. 7. From the Certificate list, select the name of the Certificate you imported in the Importing keys and certificates section. 8. From the Key list, select the key you imported in the Importing keys and certificates section. 9. Click the Finished button. F5 Deployment Guide 2-22

53 Creating the virtual server Next, we configure a virtual server that references the profiles and pool you created in the preceding procedures. To create the virtual server 1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens. 2. In the upper right portion of the screen, click the Create button. The New Virtual Server screen opens. 3. In the Name box, type a name for this virtual server. In our example, we type wts-gateway-vs. 4. In the Destination section, select the Host option button. 5. In the Address box, type the IP address of this virtual server. In our example, we use In the Service Port box, type From the Protocol Profile (Client) list, select the profile you created in Creating the WAN optimized TCP profile, on page In our example, we select wts-gateway-wan. 8. From the Protocol Profile (Server) list, select the profile you created in Creating the LAN optimized TCP profile, on page In our example, we select wts-gateway-lan. 9. From the HTTP Profile list, select the profile you created in Creating an HTTP profile, on page In our example, we select wts-gateway-http. 10. From the SSL Profile (Client) list, select the profile you created in Creating a Client SSL profile, on page In our example, we select wts-gateway-ssl. 11. In the Resources section, from the Default Pool list, select the pool you created in Creating the pool, on page In our example, we select wts-gateway-ipv From the Default Persistence Profile list, select the persistence profile you created in Creating the persistence profile, on page In our example, we select wts-gateway-persist. 13. Click the Finished button. This concludes the Windows Server 2008 Terminal Services Gateway Server configuration. 2-23

54 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services Configuring the BIG-IP LTM system with the Web Access server role In this section, we configure the BIG-IP LTM for the Web Access server component of Windows Server 2008 Terminal Services. The Web Access role, new to Windows Server 2008 Terminal Servers, allows authorized users to connect to a web site that presents pre-configured icons for access to Terminal Servers, Terminal Server farms, or individual applications that have been made available via RemoteApp functionality. The applications may be made available either directly via RDP, or through a Gateway server. Note that the Web Access Servers should use a separate LTM virtual server that used for the Gateway servers, whether or not the Gateway roles are installed on the same devices. Importing keys and certificates The first step in this configuration is to import the key and certificate. To import a key or certificate 1. On the Main tab, expand Local Traffic. 2. Click SSL Certificates. This displays the list of existing certificates. 3. In the upper right corner of the screen, click Import. 4. From the Import Type list, select the type of import (Certificate or Key). 5. In the Certificate (or Key) Name box, type a unique name for the certificate or key. 6. In the Certificate (or Key) Source box, choose to either upload the file or paste the text. 7. Click Import. If you imported the certificate, repeat this procedure for the key. Creating the HTTP health monitor The next step is to set up health monitors for the Web Access devices. This procedure is optional, but very strongly recommended. In our example, we create a simple HTTP health monitor. Although the monitor in the following example is quite simple, you can configure optional settings such as Send and Receive Strings to make the monitor much more specific. F5 Deployment Guide 2-24

55 To create a health monitor 1. On the Main tab, expand Local Traffic, and then click Monitors. 2. Click the Create button. The New Monitor screen opens. 3. In the Name box, type a name for the Monitor. In our example, we type wts-wa-http. 4. From the Type list, select http. 5. In the Configuration section, in the Interval and Timeout boxes, type an Interval and Timeout. We recommend at least a 1:3 +1 ratio between the interval and the timeout (for example, the default setting has an interval of 5 and an timeout of 16). In our example, we use a Interval of 30 and a Timeout of In the Send String and Receive Rule sections, you can add a Send String and Receive Rule specific to the device being checked. 7. Click the Finished button. The new monitor is added to the Monitor list. Creating the pool The next step is to define a load balancing pool for the Web Access servers. To create the Web Access pool 1. On the Main tab, expand Local Traffic, and then click Pools. The Pool screen opens. 2. In the upper right portion of the screen, click the Create button. The New Pool screen opens. 3. In the Name box, type a name for your pool. In our example, we use wts-wa-pool. 4. In the Health Monitors section, select the name of the monitor you created in the Creating the HTTP health monitor section, and click the Add (<<) button. In our example, we select wts-wa-http. 5. From the Load Balancing Method list, choose your preferred load balancing method (different load balancing methods may yield optimal results for a particular network). In our example, we select Least Connections (node). 6. In this pool, we leave the Priority Group Activation Disabled. 7. In the New Members section, make sure the New Address option button is selected. 8. In the Address box, add the first Web Access server to the pool. In our example, we type In the Service Port box, type 80 or select HTTP from the list. 10. Click the Add button to add the member to the list. 2-25

56 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services 11. Repeat steps 8-10 for each server you want to add to the pool. 12. Click the Finished button. Creating profiles Creating an HTTP profile Creating the TCP profiles For the Web Access configuration, we create the following profiles: an HTTP profile, two TCP profiles, a persistence profile, a Client SSL profile, and a OneConnect profile. The first new profile we create is an HTTP profile. For deployments where the majority of users accessing the Web Access devices are connecting across a WAN, F5 using a profile introduced in BIG-IP version 9.4 called http-wan-optimized-compression-caching. This profile uses specific compression and caching (among other) settings to optimize traffic over the WAN. If you are not using version 9.4, or do not have compression or caching licensed, you can choose the default HTTP parent profile, or one of the other optimized HTTP parent profiles. To create a new HTTP profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. In the upper right portion of the screen, click the Create button. The New HTTP Profile screen opens. 3. In the Name box, type a name for this profile. In our example, we type wts-wa-http. 4. From the Parent Profile list, select http-wan-optimized-compression-caching. 5. Check the Custom box for Redirect Rewrite, and from the Redirect Rewrite list, select Match. 6. Modify any of the other settings as applicable for your network. In our example, we leave the settings at their default levels. 7. Click the Finished button. The next profiles we create are the TCP profiles. If most of the Microsoft IIS users are accessing the devices via a Local Area Network, we recommend using the tcp-lan-optimized (for server-side TCP connections) parent profile. If the majority of the users are accessing the system from remote or home offices, we recommend using an additional TCP profile, F5 Deployment Guide 2-26

57 Creating the LAN optimized TCP profile called tcp-wan-optimized (for client side TCP connections). In our example, we leave these profiles at their default levels; you can configure any of the options as applicable for your network. First we configure the LAN optimized profile. If you are not using version 9.4 or do not want to use this optimized profile, you can choose the default TCP parent profile. To create a new TCP profile Creating the WAN optimized TCP profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, from the Protocol menu, click tcp. 3. In the upper right portion of the screen, click the Create button. The New TCP Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type wts-wa-tcp-lan. 5. From the Parent Profile list, select tcp-lan-optimized if you are using BIG-IP LTM version 9.4 or later; otherwise select tcp. 6. In the Idle Timeout row, click the Custom box. In the Seconds box, type Modify any of the settings as applicable for your network. In our example, we leave the settings at their default levels. 8. Click the Finished button. Now we configure the WAN optimized profile. Remember, if most of the users are accessing the system over the LAN or other low latency links, you do not need to create this profile. To create a new TCP WAN optimized profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, from the Protocol menu, click tcp. 3. In the upper right portion of the screen, click the Create button. The New TCP Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type wts-wa-tcp-wan. 5. From the Parent Profile list, select tcp-wan-optimized. 6. In the Idle Timeout row, click the Custom box. In the Seconds box, type

58 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services 7. Modify any of the settings as applicable for your network. In our example, we leave the settings at their default levels. 8. Click the Finished button. Creating persistence profile The next profile we create is a Persistence profile. We recommend using cookie persistence (HTTP cookie insert). To create a new cookie persistence profile based on the default profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, click Persistence. The Persistence Profiles screen opens. 3. In the upper right portion of the screen, click the Create button. The New Persistence Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type wts-wa-cookie. 5. From the Persistence Type list, select Cookie. The configuration options for cookie persistence appear. 6. Modify any of the settings as applicable for your network. In our example, we leave the settings at their default levels. 7. Click the Finished button. Creating a Client SSL profile The next step in this configuration is to create an SSL profile. This profile contains the SSL certificate and Key information for offloading the SSL traffic. To create a new Client SSL profile 1. On the Main tab, expand Local Traffic. 2. Click Profiles. The HTTP Profiles screen opens. 3. On the Menu bar, from the SSL menu, select Client. The Client SSL Profiles screen opens. 4. In the upper right portion of the screen, click the Create button. The New Client SSL Profile screen opens. 5. In the Name box, type a name for this profile. In our example, we type wts-wa-ssl. F5 Deployment Guide 2-28

59 6. In the Configuration section, click a check in the Certificate and Key Custom boxes. 7. From the Certificate list, select the name of the Certificate you imported in the Importing keys and certificates section. 8. From the Key list, select the key you imported in the Importing keys and certificates section. 9. Click the Finished button. Creating a OneConnect profile The final profile we create is a OneConnect profile. With OneConnect enabled, client requests can utilize existing, server-side connections, thus reducing the number of server-side connections that a server must negotiate to service those requests. This can provide significant performance improvements for Web Access implementations. For more information on OneConnect, see the BIG-IP LTM documentation. In our example, we leave all the options at their default settings. You can configure these options as appropriate for your network. Important If you configure a OneConnect profile, you must disable Windows Authentication and enable Basic authentication within IIS for the Terminal Server virtual servers on each Web Access node. To create a new OneConnect profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, from the Other menu, click OneConnect. The Persistence Profiles screen opens. 3. In the upper right portion of the screen, click the Create button. The New HTTP Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type wts-wa-oneconnect. 5. From the Parent Profile list, ensure that oneconnect is selected. 6. Modify any of the other settings as applicable for your network. In our example, we leave the settings at their default levels. 7. Click the Finished button. Creating the virtual server Next, we configure a virtual server that references the profiles and pool you created in the preceding procedures. 2-29

60 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services To create the virtual server 1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens. 2. In the upper right portion of the screen, click the Create button. The New Virtual Server screen opens. 3. In the Name box, type a name for this virtual server. In our example, we type wts-wa-vs. 4. In the Destination section, select the Host option button. 5. In the Address box, type the IP address of this virtual server. In our example, we use In the Service Port box, type 443, or select HTTPS from the list. Creating the IIS virtual server 7. From the Configuration list, select Advanced. The Advanced configuration options appear. 8. Leave the Type list at the default setting: Standard. 9. From the Protocol Profile (Client) list select the name of the profile you created in Creating the WAN optimized TCP profile, on page If you did not create a WAN optimized profile, select the LAN optimized profile as in the following Step. In our example, we select wts-wa-tcp-wan. 10. From the Protocol Profile (Server) list, select the name of the profile you created in Creating the LAN optimized TCP profile, on page In our example, we select wts-wa-tcp-lan. 11. From the OneConnect Profile list, select the name of the profile you created in Creating a OneConnect profile, on page In our example, we select wts-wa-oneconnect. 12. From the HTTP Profile list, select the name of the profile you created in Creating an HTTP profile, on page In our example, we select wts-wa-http. 13. From the SSL Profile (Client) list, select the profile you created in Creating a Client SSL profile, on page In our example, we select wts-wa-ssl. 14. In the Resources section, from the Default Pool list, select the pool you created in Creating the pool, on page In our example, we select wts-wa-pool. 15. From the Default Persistence Profile list, select the persistence profile you created in Creating persistence profile, on page In our example, we select wts-wa-cookie. 16. Click the Finished button. The BIG-IP LTM configuration for the Microsoft Windows Server 2008 Terminal Services is now complete. F5 Deployment Guide 2-30

61 Synchronizing the BIG-IP configuration if using a redundant system If you are using a redundant BIG-IP configuration, the final step is to synchronize the configuration to the peer BIG-IP device. To synchronize the configuration using the Configuration utility 1. On the Main tab, expand System. 2. Click High Availability. The Redundancy screen opens. 3. On the Menu bar, click ConfigSync. 4. Click the Self --> Peer button. The configuration synchronizes with its peer. 2-31

62 Deploying the BIG-IP LTM with Microsoft Windows Server 2008 Terminal Services Appendix A: Backing up and restoring the BIG-IP LTM system configuration We recommend saving your BIG-IP configuration before you begin this configuration. When you save the BIG-IP configuration, it collects the following critical data and compress it into a single User Configuration Set (UCS) file: BIG-IP configuration files BIG-IP license and passwords SSL certificates SSH keys Backing up and restoring the BIG-IP LTM configuration The Configuration Management screen allows you to save and restore all configuration files that you may edit to configure a BIG-IP LTM system. These configuration files are called a User Configuration Set (UCS). The Configuration Management screen contains sections for saving and restoring a configuration. The list boxes in these sections display only files in the /usr/local/ucs directory. If you want to save or restore files from another directory, you must type the full path in the box. To save the BIG-IP configuration using the Configuration utility 1. In the navigation pane, click System Admin. The User Administration screen displays. 2. Click the Configuration Management tab. The Configuration Management screen displays. 3. In the Save Current Configuration section, type the path where you want your configuration file saved or choose a path from the list box. If no path is specified, the BIG-IP saves files to /usr/local/ucs. The BIG-IP appends the extension.ucs to file names without it. In our example, we type pre_wts_backup.ucs. 4. Click the Save button to save the configuration file. To restore a BIG-IP configuration 1. In the navigation pane, click System Admin. The User Administration screen displays. 2. Click the Configuration Management tab. The Configuration Management screen displays. F5 Deployment Guide 2-32

63 3. In the Restore a Configuration section, choose the configuration file you want to restore from the list box, or type the path where your configuration files were saved. 4. Click the Restore button. To check the status of the restoration, click the View Log button. You should wait a few moments for the log file to start generating before you click View Log. Repeated clicking of this button will update your screen with the most current log file information until the restoration is complete. 2-33

64 3 Deploying the BIG-IP LTM with Microsoft Secure Socket Tunneling Protocol (SSTP) Deploying F5 with Microsoft Windows Server 2008 Secure Socket Tunneling Protocol Deploying the BIG-IP LTM in a basic configuration for SSTP Deploying the BIG-IP LTM in an advanced configuration for SSTP

65 Deploying F5 with Microsoft Windows Server 2008 Secure Socket Tunneling Protocol This chapter gives you step-by-step configuration procedures for deploying the BIG-IP LTM system with Microsoft s new Secure Socket Tunneling Protocol (SSTP) for high availability and SSL offload. Microsoft s Secure Socket Tunneling Protocol (SSTP) creates a VPN tunnel that travels over Secure-HTTP, eliminating issues associated VPN connections based on the Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP) that can be blocked by some Web proxies, firewalls and Network Address Translation (NAT) routers that sit between clients and servers. By deploying BIG-IP Local Traffic Manager (LTM) in front of a pool of SSTP servers, you gain the following advantages: You can offload SSL processing to the BIG-IP LTM devices, significantly reducing CPU and memory utilization on the SSTP servers and allowing them to handle a larger number of connections. You can use advanced load balancing techniques on the LTM to direct traffic to the most appropriate SSTP server. If you have licensed the optional IPv6 Gateway module of the BIG-IP LTM, you can intermingle IPv4 and IPv6 clients and servers. For instance, an IPv4 virtual server on the BIG-IP can direct traffic to SSTP servers running either IPv4 or IPv6. Prerequisites and configuration notes All of the procedures in this Deployment Guide are performed on the BIG-IP system. The following are prerequisites for this solution: Microsoft has provided a step-by-step guide to deploying SSTP. That documentation is appropriate for a lab environment, and makes note of several adjustments necessary for production environments. On the Public interface of each SSTP server, you need to appropriately configure Windows Firewall to permit ICMP Echo Requests and TCP access on port 80. Refer to the Microsoft documentation for details. Follow the steps detailed in the Microsoft document How to deploy an SSTP-based VPN server behind a SSL load balancer in Windows Server As noted in the Microsoft document, the SSL certificate on the BIG-IP LTM and on each SSTP server must match. Even though decryption occurs on the BIG-IP, the SSTP server compares the certificate hash values to ensure that an authorized device is performing the SSL offload. If you ever change the original SSL certificate on the BIG-IP LTM that is used for the SSTP clientssl profile, you must also modify each of the SSTP servers to use a matching certificate. 3-1

66 Deploying the BIG-IP LTM with Microsoft Secure Socket Tunneling Protocol (SSTP) Although the examples in the following procedures demonstrate SSTP servers running IPv4, the optional IPv6 Gateway Module on the BIG-IP LTM system allows for deployment of IPv6 servers, IPv6 clients, or a combination of IPv4 and IPv6 at any location in your SSTP environment supported by the rest of your network infrastructure. Configuration example The following configuration example shows a logical representation of a deployment with a BIG-IP LTM system in front of Microsoft SSTP devices. The BIG-IP LTM system offloads SSL transactions and distributes the traffic to the appropriate SSTP server. Figure 3.1 Logical configuration example F5 Deployment Guide 3-2

67 Configuring the BIG-IP LTM system for SSTP There are two suggested methods for configuring the BIG-IP LTM system for SSTP: Basic If the SSTP server pool is the only resource that will be accessed using the fully-qualified host name and IP address of the virtual server, follow the procedures in Deploying the BIG-IP LTM in a basic configuration for SSTP, on page 3-3 to create a standard SSL-offloading virtual server with a TCP profile. Advanced If more than one resource will be access through the virtual server, follow the procedures in Deploying the BIG-IP LTM in an advanced configuration for SSTP, on page 3-14 to use an irule to direct clients to either the SSTP pool or the other resource. Examples of other resources that you may wish to access through the same virtual server include: A pool of F5 FirePass controllers to provide pre-login checks and SSL VPN connectivity to clients that do not support SSTP. To configure the BIG-IP LTM with FirePass devices, refer to the deployment guide F5 FirePass controller with BIG-IP LTM and GTM. A pool of Terminal Services Gateway servers to provide RDP-over-HTTP access to internal resources, or a pool of Terminal Services Web Access Servers that presents a web site containing pre-configured icons for access to Terminal Servers, Terminal Server farms, or RemoteApp application. See Deploying the BIG-IP LTM system and Microsoft Windows Server 2008 Terminal Services, on page 2-1. A web page that explains the connectivity requirements for SSTP. Deploying the BIG-IP LTM in a basic configuration for SSTP This section gives procedures for deploying the BIG-IP LTM system in a basic configuration for SSTP as described previously. To configure the basic configuration, you need to complete the following procedures: Creating the HTTP health monitor Creating the pool Using SSL certificates and keys Creating profiles Creating the virtual server 3-3

68 Deploying the BIG-IP LTM with Microsoft Secure Socket Tunneling Protocol (SSTP) Creating the HTTP health monitor The first step is to set up health monitors for the SSTP devices. This procedure is optional, but very strongly recommended. In our example, we create an advanced HTTP health monitor in which the monitor uses a specific Send String to the SSTP servers, and marks the node down if it does not return the Receive String. To create a health monitor 1. On the Main tab, expand Local Traffic, and then click Monitors. 2. Click the Create button. The New Monitor screen opens. 3. In the Name box, type a name for the Monitor. In our example, we type sstp-http. 4. From the Type list, select http. 5. In the Configuration section, in the Interval and Timeout boxes, type an Interval and Timeout. We recommend at least a 1:3 +1 ratio between the interval and the timeout (for example, the default setting has an interval of 5 and an timeout of 16). In our example, we use a Interval of 30 and a Timeout of In the Send String box, use the following syntax to create the Send String: SSTP_DUPLEX_POST /sra_{ba cd49-458b-9e23-c84ee0adcd75}/ HTTP/1.1 \r\nhost: <FQDN that matches the SSL Cert on the LTM and SSTP servers>\r\n\r\n In our example, we type: SSTP_DUPLEX_POST /sra_{ba cd49-458b-9e23-c84ee0adcd75}/ HTTP/1.1 \r\nhost: vpn.sstp.tc.f5net.com\r\n\r\n 7. In the Receive String box, type Microsoft-HTTPAPI/ Click the Finished button (see Figure 3.2). The new monitor is added to the Monitor list. F5 Deployment Guide 3-4

69 Figure 3.2 Creating the HTTP Monitor Creating the pool The first step is to define a load balancing pool for the SSTP servers. A BIG-IP LTM pool is a set of devices grouped together to receive traffic according to a load balancing method. This pool uses the monitor you just created. To create the SSTP pool 1. On the Main tab, expand Local Traffic, and then click Pools. The Pool screen opens. 2. In the upper right portion of the screen, click the Create button. The New Pool screen opens. 3. In the Name box, type a name for your pool. In our example, we use sstp-http-pool. 4. In the Health Monitors section, select the name of the monitor you created in the Creating the HTTP health monitor section, and click the Add (<<) button. In our example, we select sstp-http-monitor. 3-5

70 Deploying the BIG-IP LTM with Microsoft Secure Socket Tunneling Protocol (SSTP) 5. From the Load Balancing Method list, choose your preferred load balancing method.in our example, we select Least Connections (member). Note: If you are running your SSTP servers in dynamic virtual environments that may have unpredictable resource contentions, you may wish to select Observed (member) or Predictive (member) so that the LTM makes load balancing decisions based on actual performance of the SSTP servers rather than the number of connections, which may not reflect actual load on the members. 6. In the New Members section, make sure the New Address option button is selected. 7. In the Address box, add the first Microsoft SSTP server to the pool. In our example, we type In the Service Port box, type 80 or select HTTP from the list. 9. Click the Add button to add the member to the list. 10. Repeat steps 8-10 for each server you want to add to the pool. In our example, we repeat these steps once for the remaining server, Click the Finished button (see Figure 3.3). Figure 3.3 Creating the pool for the SSTP servers F5 Deployment Guide 3-6

71 Using SSL certificates and keys Importing keys and certificates Before you can enable the BIG-IP LTM system to act as an SSL proxy, you must install a SSL certificate on the virtual server that you wish to use for SSTP connections on the BIG-IP LTM device. For this Deployment Guide, we assume that you already have obtained an SSL certificate, but it is not yet installed on the BIG-IP LTM system. For information on generating certificates, or using the BIG-IP LTM to generate a request for a new certificate and key from a certificate authority, see the Managing SSL Traffic chapter in the Configuration Guide for Local Traffic Management. Once you have obtained a certificate, you can import this certificate into the BIG-IP LTM system using the Configuration utility. By importing a certificate or archive into the Configuration utility, you ease the task of managing that certificate or archive. You can use the Import SSL Certificates and Keys screen only when the certificate you are importing is in Privacy Enhanced Mail (PEM) format. To import a key or certificate 1. On the Main tab, expand Local Traffic. 2. Click SSL Certificates. The list of existing certificates displays. 3. In the upper right corner of the screen, click Import. 4. From the Import Type list, select the type of import (Certificate or Key). 5. In the Certificate (or Key) Name box, type a unique name for the certificate or key. 6. In the Certificate (or Key) Source box, choose to either upload the file or paste the text. 7. Click Import. If you imported the certificate, repeat this procedure for the key. Creating profiles BIG-IP version 9.0 and later use profiles. A profile is an object that contains user-configurable settings for controlling the behavior of a particular type of network traffic, such as HTTP connections. Using profiles enhances your control over managing network traffic, and makes traffic-management tasks easier and more efficient. Although it is possible to use the default profiles, we strongly recommend you create new profiles based on the default parent profiles, even if you do not change any of the settings initially. Creating new profiles allows you to easily modify the profile settings specific to this deployment, and ensures you do not accidentally overwrite the default profile. 3-7

72 Deploying the BIG-IP LTM with Microsoft Secure Socket Tunneling Protocol (SSTP) Creating the TCP profiles Creating the LAN optimized TCP profile For the basic Microsoft SSTP configuration, we create four new profiles: two TCP profiles, a persistence profile, and a client SSL profile. These profiles use new optimized profiles available in BIG-IP LTM version 9.4 and later. If you are using a BIG-IP LTM version prior to 9.4, the Configuration Guide for BIG-IP Local Traffic Management for version 9.4 (available on AskF5) shows the differences between the base profiles and the optimized profile types. Use this guide to manually configure the optimization settings. The next profiles we create are the TCP profiles. If most of the Microsoft SSTP users are accessing the devices via a Local Area Network, we recommend using the tcp-lan-optimized (for server-side TCP connections) parent profile. If the majority of the users are accessing the system from remote or home offices, we recommend using an additional TCP profile, called tcp-wan-optimized (for client side TCP connections). In our example, we leave these profiles at their default levels; you can configure any of the options as applicable for your network. First we configure the LAN optimized profile. If you are not using version 9.4 or do not want to use this optimized profile, you can choose the default TCP parent profile. To create a new TCP profile Creating the WAN optimized TCP profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, from the Protocol menu, click tcp. 3. In the upper right portion of the screen, click the Create button. The New TCP Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type sstp-tcp-lan. 5. From the Parent Profile list, select tcp-lan-optimized if you are using BIG-IP LTM version 9.4 or later; otherwise select tcp. 6. Modify any of the settings as applicable for your network. In our example, we leave the settings at their default levels. 7. Click the Finished button. Now we configure the WAN optimized profile. Remember, if most of the users are accessing the system over the LAN or other low latency links, you do not need to create this profile. F5 Deployment Guide 3-8

73 To create a new TCP WAN optimized profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, from the Protocol menu, click tcp. 3. In the upper right portion of the screen, click the Create button. The New TCP Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type sstp-tcp-wan. 5. From the Parent Profile list, select tcp-wan-optimized. 6. Modify any of the settings as applicable for your network. In our example, we leave the settings at their default levels. 7. Click the Finished button. Creating the persistence profile The next profile we create is a Persistence profile. In this deployment, we use the Source Address Affinity parent persistence profile. To create a new cookie persistence profile based on the default profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, click Persistence. The Persistence Profiles screen opens. 3. In the upper right portion of the screen, click the Create button. The New Persistence Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type sstp-source. 5. From the Persistence Type list, select Source Address Affinity. The configuration options appear. 6. Modify any of the settings as applicable for your network. In our example, we leave the settings at their default levels. 3-9

74 Deploying the BIG-IP LTM with Microsoft Secure Socket Tunneling Protocol (SSTP) 7. Click the Finished button. Figure 3.4 Creating the persistence profile Creating a Client SSL profile The next step in this configuration is to create a Client SSL profile. This profile contains the SSL certificate and Key information for decrypting the SSL traffic on behalf of the servers. To create a new Client SSL profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. On the Menu bar, from the SSL menu, select Client. The Client SSL Profiles screen opens. 3. In the upper right portion of the screen, click the Create button. The New Client SSL Profile screen opens. 4. In the Name box, type a name for this profile. In our example, we type sstp-clientssl. 5. In the Configuration section, check the Certificate and Key Custom boxes. 6. From the Certificate list, select the name of the Certificate you imported in the Importing keys and certificates section. 7. From the Key list, select the key you imported in the Importing keys and certificates section. 8. Click the Finished button. F5 Deployment Guide 3-10

75 Creating the virtual server Next, we configure a virtual server that references the profiles and pool you created in the preceding procedures. To create the virtual server 1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens. 2. In the upper right portion of the screen, click the Create button. The New Virtual Server screen opens. 3. In the Name box, type a name for this virtual server. In our example, we type sstp-basic. 4. In the Destination section, select the Host option button. 5. In the Address box, type the IP address of this virtual server. In our example, we use In the Service Port box, type 443, or select HTTPS from the list. Figure 3.5 Creating the SSTP virtual server 7. From the Configuration list, select Advanced. The Advanced configuration options appear. 8. Leave the Type list at the default setting: Standard. 9. From the Protocol Profile (Client) list select the name of the profile you created in the Creating the WAN optimized TCP profile section. If you did not create a WAN optimized profile, select the LAN optimized profile as in the following Step. In our example, we select sstp-tcp-wan. 10. From the Protocol Profile (Server) list, select the name of the profile you created in the Creating the LAN optimized TCP profile section. In our example, we select sstp-tcp-lan. 3-11

76 Deploying the BIG-IP LTM with Microsoft Secure Socket Tunneling Protocol (SSTP) 11. From the SSL Profile (Client) list, select the name of the profile you created in the Creating a Client SSL profile section. In our example, we select sstp-clientssl. Figure 3.6 Selecting the Microsoft SSTP profiles for the virtual server 12. In the Resources section, from the Default Pool list, select the pool you created in the Creating the pool section. In our example, we select sstp-http-pool. 13. From the Default Persistence Profile list, select the persistence profile you created in the Creating the persistence profile section. In our example, we select sstp-source. F5 Deployment Guide 3-12

77 Figure 3.7 Adding the Pool and Persistence profile to the virtual server 14. Click the Finished button. The BIG-IP LTM basic configuration for the Microsoft SSTP deployment is now complete. 3-13

78 Deploying the BIG-IP LTM with Microsoft Secure Socket Tunneling Protocol (SSTP) Deploying the BIG-IP LTM in an advanced configuration for SSTP This section details the additional procedures you need to perform for the advanced BIG-IP LTM configuration for SSTP, as described in Configuring the BIG-IP LTM system for SSTP, on page 3-3. For the advanced configuration, in addition to the procedures from the basic configuration, we create an HTTP profile and an irule. Creating the health monitor To create the health monitor, follow Creating the HTTP health monitor, on page 3-4. Creating the pool To create the pool, follow Creating the pool, on page 3-5. When configuring the pool, add the health monitor you created in the preceding procedure. In this configuration, we assume you have (or will create) other pools for non SSTP traffic. See the details in Configuring the BIG-IP LTM system for SSTP, on page 3-3 for examples of other types of pools that might be useful. Using SSL certificates and keys To import the SSL certificate and key, follow Using SSL certificates and keys, on page 3-7. Creating the profiles For the advanced configuration, we create the four profiles described in the basic configuration, as well as a new HTTP profile. The HTTP profile is used for non-sstp traffic in this advanced configuration. First, configure the TCP, persistence and client SSL profiles: To create the TCP profiles, follow Creating the TCP profiles, on page 3-8. To create the persistence profile, follow Creating the persistence profile, on page 3-9. To create the Client SSL profile, follow Creating a Client SSL profile, on page F5 Deployment Guide 3-14

79 Now we create the HTTP profile. The HTTP profile contains numerous configuration options for how the BIG-IP LTM system handles HTTP traffic. For deployments where the majority of users are connecting across a WAN, F5 recommends enabling compression and caching on the BIG-IP LTM by using a profile introduced in BIG-IP version 9.4 called http-wan-optimized-compression-caching. This profile uses specific compression and caching (among other) settings to optimize traffic over the WAN. Note that to properly use this profile, you need to have compression and caching licensed on the BIG-IP LTM. For more information on licensing, contact your sales representative. If you are not using version 9.4 or later, or do not have compression or caching licensed, you can choose the default HTTP parent profile, or one of the other optimized HTTP parent profiles. To create a new HTTP profile 1. On the Main tab, expand Local Traffic, and then click Profiles. The HTTP Profiles screen opens. 2. In the upper right portion of the screen, click the Create button. The New HTTP Profile screen opens. 3. In the Name box, type a name for this profile. In our example, we type sstp-http-opt. 4. From the Parent Profile list, select http-wan-optimized-compression-caching. 5. Check the Custom box for Content Compression, and leave Content List selected. 6. Modify any of the other settings as applicable for your network. In our example, we leave the settings at their default levels. 7. Click the Finished button. Creating the irule The next step in the advanced configuration is to create an irule that detects SSTP requests. If the irule inspects incoming requests. If it finds an SSTP request, it disables the HTTP profile. If the request is not SSTP, it does not disable the profile and processes the request. In our example, the irule takes the following actions: 1. After an incoming request has been decrypted, the irule detects if the request is for an SSTP resource. 2. If an SSTP request is detected, the irule directs that request to a pool of SSTP servers and disables HTTP profiles for the remainder of the connection. Because SSTP is not strict HTTP, it is necessary to inform the BIG-IP LTM that the session should not be treated as an HTTP session. 3-15

80 Deploying the BIG-IP LTM with Microsoft Secure Socket Tunneling Protocol (SSTP) 3. If a request is detected that is not for an SSTP resource, that request is maintained within an HTTP profile and directed to an appropriate pool. In this specific example, we direct traffic to a resource named VPN-Firepass-pool. You must adjust that pool name or action to match your environment and requirements. Consult the irules documentation at for more information on irules syntax and capabilities. To create the irule 1. On the Main tab, expand Local Traffic, and then click irules. The Virtual Servers screen opens. 2. In the upper right portion of the screen, click the Create button. The New irule screen opens. 3. In the Name box, type a name for this irule. In our example, we type sstp-irule. 4. In the Definition box, copy and paste the following irule: when HTTP_REQUEST { if { ([ eq "SSTP_DUPLEX_POST") and ([ eq "/sra_{ba cd49-458b-9e23-c84ee0adcd75}/") } { pool SSTP-HTTP-pool } else { pool VPN-Firepass-pool } } Important: Be sure to change VPN-Firepass-pool in this example to the name of the appropriate BIG-IP LTM pool. 5. Click the Finished button. Creating the virtual server Next, we configure a virtual server that references the profiles and pool you created in the preceding procedures. To create the virtual server 1. On the Main tab, expand Local Traffic, and then click Virtual Servers. The Virtual Servers screen opens. 2. In the upper right portion of the screen, click the Create button. The New Virtual Server screen opens. F5 Deployment Guide 3-16

81 3. In the Name box, type a name for this virtual server. In our example, we type sstp-advanced. 4. In the Destination section, select the Host option button. 5. In the Address box, type the IP address of this virtual server. In our example, we use In the Service Port box, type 443, or select HTTPS from the list. 7. From the Configuration list, select Advanced. The Advanced configuration options appear. 8. From the Protocol Profile (Client) list select the name of the profile you created in the Creating the profiles section. If you did not create a WAN optimized profile, select the LAN optimized profile as in the following Step. In our example, we select sstp-tcp-wan. 9. From the Protocol Profile (Server) list, select the name of the profile you created in the Creating the profiles section. In our example, we select sstp-tcp-lan. 10. From the SSL Profile (Client) list, select the name of the profile you created in the Creating the profiles section. In our example, we select sstp-clientssl. 11. In the Resources section, from the Default Pool list, select the pool you created in the Creating the pool section. In our example, we select sstp-http-pool. 12. From the Default Persistence Profile list, select the persistence profile you created in the Creating the persistence profile section. In our example, we select sstp-source. Figure 3.8 Adding the irule and persistence profile to the virtual server 3-17

82 Deploying the BIG-IP LTM with Microsoft Secure Socket Tunneling Protocol (SSTP) 13. Click the Finished button. The BIG-IP LTM advanced configuration for the Microsoft SSTP deployment is now complete. Synchronizing the BIG-IP configuration if using a redundant system If you are using a redundant BIG-IP LTM configuration, the final step is to synchronize the configuration to the peer BIG-IP device. To synchronize the configuration using the Configuration utility 1. On the Main tab, expand System. 2. Click High Availability. The Redundancy screen opens. 3. On the Menu bar, click ConfigSync. 4. Click the Self --> Peer button. The configuration synchronizes with its peer. F5 Deployment Guide 3-18