F5 Big-IP LTM Configuration: HTTPS / WSS Offloading
Warning: This document contains confidential information that is proprietary to CaféX Communications Inc. No part of its contents may be used, disclosed or conveyed to any party, in any manner whatsoever, without prior written permission from CaféX Communications Inc. Copyright 4/30/15, CaféX Communications Inc. All rights reserved.

April 30, 2015 F5 Configuration HTTPS/WSS Offloading 1
Table of Contents

1 Document Control 3
2 Introduction 4
3 VLANs 5
4 SNAT 6
5 Self IP 7
6 Network Routes 8
7 Virtual Servers 9
  7.1 Health Monitor 9
  7.2 Virtual Server Pools 10
    7.2.1 HTTP Pool Properties 11
    7.2.2 HTTP Pool Members 12
    7.2.3 Media Pool Properties 13
    7.2.4 Media Pool Members 14
  7.3 Virtual Server Properties 15
    7.3.1 HTTPS Virtual Service 15
    7.3.2 Media Virtual Service 17
  7.4 Virtual Server Resources 18
    7.4.1 HTTP Virtual Server 18
    7.4.2 Media Virtual Server 18
8 irule - Restricting URI Access & Enabling Websockets 20
  8.1 Application URIs 20
    8.1.1 Fusion Web Gateway URIs 20
    8.1.2 Fusion Palettes Admin URIs 21
    8.1.3 Fusion Live Assist Server URIs 22
    8.1.4 Fusion Sample Application URIs 23
  8.2 Websocket URIs 24
  8.3 The irule 24
9 Contact information 27
1 Document Control

Version  Author                 Issue Date     Description / Change History
10.0     Solutions Engineering  28 May 2014    Updated with reference to Live Assist 1.1.8 and Palettes 2.0.11
11.0     Solutions Engineering  30 April 2014  Updated Live Assist 1.2.9+ and FCSDK 2.1.21+
2 Introduction

This guide walks through the configuration needed on F5 Big-IP LTM (Local Traffic Manager) to offload inbound HTTPS and Secure Websockets (WSS) requests. The environment this configuration relates to is:

- A non-HA Fusion Application Server (FAS) installation
- Fusion Client SDK (FCSDK) installed onto the FAS
  - The FCSDK installation consists of a co-hosted Fusion Web Gateway instance and a Fusion Media Broker
  - The FCSDK web-based sample application has been deployed onto this same FAS instance
- Fusion Palettes installed onto the FAS
- Fusion Live Assist installed onto the FAS

The configuration described will terminate the HTTPS/WSS connection at F5, and will then NAT and load balance the decrypted connection across a pool of back end application servers. The configuration also describes the steps required to restrict specific URIs so that only the REST services required for FCSDK and Fusion Palettes are reachable.

Once the secure connection has been decrypted, F5 is able to translate the original source IP address of a packet to a configured IP address. This feature is known as Secure Network Address Translation (SNAT). The configuration illustrates how F5 can be configured to perform SNAT automapping, i.e. enabling F5 to automatically choose a translation address, which will be an existing Self IP address.

The instructions in this guide are based on a non-HA evaluation version of F5 (v10.2.4 build 577) and should be used as an example of the configuration required to achieve HTTPS/WSS offloading. As such, some configuration may vary depending on the local environment and policies.
3 VLANs

Assuming F5 has 2 network interfaces (one for the public side and the other for F5's private side), the following illustration defines 2 VLANs and associates the appropriate interface with each. Note that in this environment, both network interfaces were untagged.
4 SNAT

As SNAT automapping is being implemented, there are no SNATs explicitly defined.
5 Self IP

A Self IP address for F5's private interface, as well as for the public interface, should be defined in the Network > Self IPs menu. It is created by specifying the address and netmask and then selecting the appropriate VLAN. See below:
6 Network Routes

A network gateway address is required. It is created by specifying the router that the BIG-IP system should use when forwarding packets to the destination host or network.
7 Virtual Servers

A virtual server must be created for each service exposed by F5. In the screenshots below, there is a service for handling HTTPS traffic and another for RTP traffic. As both FCSDK and Fusion Palettes are co-hosted on the same server, the configuration only defines one HTTPS Virtual Server for both applications.

7.1 Health Monitor

By default, the BIG-IP system uses HTTP 0.9 for HTTP monitor requests. When an HTTP 0.9 request is sent to an HTTP 1.1 server, the server may not respond as expected, so the default HTTP health monitor may fail even though the server is running. To prevent the monitor from incorrectly marking the server as inaccessible, either create a custom health monitor based on the default HTTP monitor, or modify the default HTTP monitor, changing only its Send String property so that it sends an HTTP 1.1 request with the HTTP version stated explicitly:

    GET / HTTP/1.1\r\nHost: \r\nconnection: Close\r\n\r\n

This health monitor should be used when defining the back end server pool associated with the virtual server. In this example the monitor is named fcsdk_http.
7.2 Virtual Server Pools

For each of the two services (HTTP and media), a group of member devices should be defined that will receive and process traffic.
Note that as SSL offloading is taking place, the back end server pool associated with the HTTPS Virtual Service is defined as insecure (plain HTTP).

7.2.1 HTTP Pool Properties

A pool of backend servers is required to enable F5 to load balance the appropriate service. Note the use of the Health Monitor (fcsdk_http) created earlier.
7.2.2 HTTP Pool Members

Although for simplicity this pool has only 1 member, a pool may have any number of members. When defining a member, the port on which the service resides is required along with its IP address.
7.2.3 Media Pool Properties

The properties of the media pool are shown below.
7.2.4 Media Pool Members

There is 1 Media Broker in the media pool as shown below.
7.3 Virtual Server Properties

The NAT configuration of both the HTTPS and media Virtual Servers is as follows:

- Auto-SNAT is enabled, meaning that F5 will automatically choose the address to translate the source IP into from the list of Self IPs.
  - Following best practice, the VLAN for which the virtual server is enabled has been changed from its default to being explicitly defined via the VLANs and Tunnels property.

7.3.1 HTTPS Virtual Service

The virtual server has been configured with the following:

- The HTTP profile is the default HTTP profile without any changes.
  - In order for F5 to correctly process Websockets, the HTTP profile needs to be disabled via irules during the processing of the Websockets request, allowing the TCP communication to be proxied through the BIG-IP. irules are discussed in a later section of this document.
- For the purposes of this exercise, F5 has been configured to use a self-signed certificate on the client side, and as such the SSL Profile (Client) property has been set to clientssl.
  - An alternative would be to import a CA-signed certificate and define that in the SSL Profile (Client) property field.
- Note that the port exposed for the HTTPS service is defined here as 8443. This should be configured to a value appropriate to the environment.
7.3.2 Media Virtual Service
7.4 Virtual Server Resources

7.4.1 HTTP Virtual Server

The following shows the default load balancing pool associated with the HTTPS virtual server, which was defined earlier. Note that this is the insecure pool defined earlier.

7.4.2 Media Virtual Server

The following screenshot shows the configured load balancing pool associated with the media virtual server, which was defined earlier.
8 irule - Restricting URI Access & Enabling Websockets

Access to application URIs can be restricted by defining an F5 irule associated with the virtual server. Define an irule (e.g. named FusionHttpsUriRule) that restricts access to specific URIs by only allowing those in pre-defined Data Group Lists. For simplicity, the Data Group Lists must contain only the URIs that web clients are allowed to access. Websocket URIs must be explicitly defined in the irule itself.

In order to separate the URIs on a per-application basis, the configuration described below defines a Data Group List for each application, together with a list for the URIs associated with some sample applications:

- Fusion Web Gateway, e.g. FusionGatewayUris
- Fusion Palettes admin URIs, e.g. FusionPalettesAdminUris
- Fusion Live Assist server URIs, e.g. FusionLiveAssistServerUris
- URIs of all the sample applications, e.g. FusionSampleAppUris

When configuring the URI Data Group Lists, they must be entered as String-Value pairs. The sections below show the URIs within each of the groups defined above.

Note: The URIs may be different to those used in the enterprise's environment, and therefore may need updating appropriately.

Note: The URIs relating to the Websocket connections MUST NOT be in these lists.

Note: The Javascript URIs are only relevant for browser clients.

8.1 Application URIs

8.1.1 Fusion Web Gateway URIs

String                                  Value
/gateway/adapter.js                     /gateway/adapter.js
/gateway/csdk-aed.js                    /gateway/csdk-aed.js
/gateway/csdk-common.js                 /gateway/csdk-common.js
/gateway/csdk-phone.js                  /gateway/csdk-phone.js
/gateway/csdk-presence.js               /gateway/csdk-presence.js
/gateway/csdk-sdk.js                    /gateway/csdk-sdk.js

8.1.2 Fusion Palettes Admin URIs

String                                  Value
/palettes_admin/rickshaw.min.css        /palettes_admin/rickshaw.min.css
/palettes_admin/style.css               /palettes_admin/style.css
/palettes_admin/images/fusion-logo.png  /palettes_admin/images/fusion-logo.png
/palettes_admin/vendor/d3.min.js        /palettes_admin/vendor/d3.min.js
/palettes_admin/rickshaw.min.js         /palettes_admin/rickshaw.min.js
/palettes_admin/admin.js                /palettes_admin/admin.js
/palettes_server/adminapi/alerts        /palettes_server/adminapi/alerts
8.1.3 Fusion Live Assist Server URIs

String                                  Value
/assistserver/                          /assistserver/
8.1.4 Fusion Sample Application URIs

String                                  Value
/basic_ivrb_sample_client_js/           /basic_ivrb_sample_client_js/
/dummy_callcenter_adapter/              /dummy_callcenter_adapter/
/dummy_callcenter/                      /dummy_callcenter/
/csdk-sample/                           /csdk-sample/
/assist-agent-console/                  /assist-agent-console/
/assistsample/                          /assistsample/
/assist-resourcemanager/                /assist-resourcemanager/

Note: The Palettes adapter component is accessed directly by the client and is therefore required to be added to the list of URIs managed by the reverse proxy.
8.2 Websocket URIs

Only FCSDK and Live Assist utilise Websockets, for call control and screen-share functionality respectively; their URIs are listed below:

Application     Websocket URI
FCSDK           /gateway/websocketcall
Live Assist     /assistserver/share

8.3 The irule

The code below shows the irule used to restrict access to URIs using the Data Group Lists defined above, while also showing how to allow Websockets access.

Note: The URIs relating to the Websocket connections for FCSDK and Live Assist MUST be explicitly defined in the irule.
    when CLIENT_ACCEPTED {
        HTTP::enable
        log local0. "http profile enabled"
    }

    when HTTP_REQUEST {
        log local0. "URI --- [HTTP::uri]"
        # Only allow the following URLs.
        # Websocket URIs: disable the HTTP profile so that the upgraded
        # connection is proxied as plain TCP through the BIG-IP.
        if { ([HTTP::uri] starts_with "/gateway/websocketcall") } {
            log local0. "http profile - disabled"
            HTTP::disable
        } elseif { ([HTTP::uri] starts_with "/assistserver/share") } {
            log local0. "http profile - disabled"
            HTTP::disable
        } elseif { ([HTTP::uri] starts_with "/assistserver/topic") } {
            log local0. "http profile - disabled"
            HTTP::disable
        } elseif { ([HTTP::uri] equals "/csdk-sample") or
                   ([HTTP::uri] equals "/palettes_admin") or
                   ([HTTP::uri] equals "/basic_ivrb_sample_client_js") or
                   ([HTTP::uri] equals "/assistsample") or
                   ([HTTP::uri] equals "/assist-agent-console") } {
            # Application roots: change the URI to end with '/'
            HTTP::redirect "[HTTP::uri]/"
        } elseif { ([class match [HTTP::uri] starts_with FusionGatewayUris]) or
                   ([class match [HTTP::uri] starts_with FusionPalettesAdminUris]) or
                   ([class match [HTTP::uri] starts_with FusionLiveAssistServerUris]) or
                   ([class match [HTTP::uri] starts_with FusionSampleAppUris]) or
                   ([HTTP::uri] equals "/palettes_server/palettes?serviceid=basicivrbsamplerules") } {
            # URI is in one of the Data Group Lists from section 8.1 (the list
            # names here must match those created on the BIG-IP):
            # leave the HTTP profile enabled and pass the request through.
            log local0. "Passing it through"
        } else {
            # Anything else is rejected.
            log local0. "Dropping the request"
            drop
        }
    }
This irule will drop any request to a URI outside of the defined Data Group Lists. The irule should be associated with the virtual server as shown earlier. The SSL offloading process will decrypt requests from clients and apply this irule, allowing or rejecting access to the back end servers.

NOTE: An open F5 issue, SOL12938, states that calling the 'HTTP::disable' function from within an irule may result in a TMM core. However, this issue occurs only when ALL of the following conditions are met:

1. The Cache Setting feature is enabled within the HTTP profile.
2. OneConnect is enabled within the HTTP profile.
3. An irule is configured and calls the HTTP::disable function.

Note that the configuration described within this document does NOT meet the required conditions for this issue to be relevant in this deployment. Although 'HTTP::disable' has been invoked in the irule, the default HTTP profile used when defining the HTTPS Virtual Server has its OneConnect property enabled but the RAM Cache disabled. F5 has been tested with the OneConnect property both enabled and disabled, without any change in application behaviour.
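To check the allow-list before the irule is loaded onto the BIG-IP, the following Python model reproduces the decision logic of the irule in section 8.3 over the Data Group Lists of sections 8.1 and 8.2. It is an added example, not CaféX's or F5's code; the list names and URIs are those given in this guide, and the function and constant names are the example's own.

```python
# Offline model of the FusionHttpsUriRule decision logic (added example, not
# CaféX's or F5's code). It mirrors the irule in section 8.3 so that the
# allow-list can be unit-tested before it is loaded onto the BIG-IP.

# Data Group List contents copied from section 8.1; the irule matches them
# with "class match [HTTP::uri] starts_with <list>", i.e. prefix matching.
DATA_GROUPS = {
    "FusionGatewayUris": [
        "/gateway/adapter.js", "/gateway/csdk-aed.js", "/gateway/csdk-common.js",
        "/gateway/csdk-phone.js", "/gateway/csdk-presence.js", "/gateway/csdk-sdk.js",
    ],
    "FusionPalettesAdminUris": [
        "/palettes_admin/rickshaw.min.css", "/palettes_admin/style.css",
        "/palettes_admin/images/fusion-logo.png", "/palettes_admin/vendor/d3.min.js",
        "/palettes_admin/rickshaw.min.js", "/palettes_admin/admin.js",
        "/palettes_server/adminapi/alerts",
    ],
    "FusionLiveAssistServerUris": ["/assistserver/"],
    "FusionSampleAppUris": [
        "/basic_ivrb_sample_client_js/", "/dummy_callcenter_adapter/",
        "/dummy_callcenter/", "/csdk-sample/", "/assist-agent-console/",
        "/assistsample/", "/assist-resourcemanager/",
    ],
}
# Websocket URIs from section 8.2, plus /assistserver/topic, which the irule
# also passes through with the HTTP profile disabled.
WEBSOCKET_PREFIXES = ("/gateway/websocketcall", "/assistserver/share",
                      "/assistserver/topic")
# Application roots the irule redirects to their trailing-slash form.
REDIRECT_EXACT = {"/csdk-sample", "/palettes_admin", "/basic_ivrb_sample_client_js",
                  "/assistsample", "/assist-agent-console"}
# The single exact-match URI the irule allows outside the Data Group Lists.
ALLOW_EXACT = {"/palettes_server/palettes?serviceid=basicivrbsamplerules"}


def decide(uri: str) -> str:
    """Return the irule's action for one request: 'websocket' (HTTP::disable,
    TCP proxied), 'redirect' (to uri + '/'), 'allow' or 'drop'.
    Like [HTTP::uri], `uri` is the raw path plus query string; the irule does
    no normalisation, so prefixes are compared against the URI as received."""
    if uri.startswith(WEBSOCKET_PREFIXES):
        return "websocket"
    if uri in REDIRECT_EXACT:
        return "redirect"
    if any(uri.startswith(p) for entries in DATA_GROUPS.values() for p in entries):
        return "allow"
    if uri in ALLOW_EXACT:
        return "allow"
    return "drop"
```

Running decide() over the URIs an application actually requests (for example from a browser's network log) shows which ones the irule would drop, so missing entries can be added to the Data Group Lists before clients hit them.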
9 Contact information

For technical support or other queries, contact CaféX Communications Support at: support@cafex.com

For our worldwide corporate office addresses, please visit: http://www.cafex.com