F5 101 – Application Delivery Controller (ADC) Part 2

  1. Configuring Health Monitors Part 1

I’m here in our F5 GUI and I have two tabs. The first one is dedicated to pool and monitor configuration. The second tab will be dedicated to the Network Map so we can monitor the status of our objects more easily. So under Local Traffic I’m going to click Network Map and, as you can see, we have two applications. The first one is an HTTP application. We have three pool members added in our pool that is associated to the VS. We also have Shy Same. We have three pool members on a pool associated to the VS. Now both applications have only one symbol, which is the blue square, also known as Unknown. Now we’re going to enable the monitor on our pools.

So under Local Traffic I will select Pools and I’m going to first configure the HTTP pool. Under the HTTP pool I am going to select a system-defined monitor, and they are all available here in the select box. Before that, let’s go to Monitors first. Under Monitors here you will see the system-defined monitors, and if I click HTTP, this system-defined monitor cannot be deleted or edited. Later I’m going to show you how to create a custom monitor. But for now, let us use this system-defined monitor first. Under the HTTP pool I will select TCP and click the Shift run sign to move this monitor under Active.

I’m going to click Update. But before I click Update, as you can see, the availability or the status is the blue square, also known as Unknown. As I click Update, in a few seconds you will see the status turn to the green circle, which is also known as Available. Let’s go to my second tab and, if I click Network Map, see that pool members one, two and three are now available, green circle. It requires only one pool member to be available to make our pool available, or a green circle, and this status will be inherited by our virtual server. Okay, so if I click Members under our pool configuration, I will select not all three, but I will select them one by one.

And I just selected pool member one. Under Configuration, if I select Advanced, under Health Monitors it’s telling us that we are using the default, Inherit From Pool. Whatever monitor or health monitors are configured in the pool, this will be inherited by the pool members, and that is by default. If I click another member, let’s say pool member two, it also has the same configuration, inherited from pool member, or excuse me, inherit from pool. And maybe you’re thinking, can we use a different monitor for one or more of the pool members? Definitely. So for the second pool member I will select Member Specific monitor, and this time I will select a different monitor. Let’s say UDP.

Okay, going to move it under Active and I’m going to click Update. Right now, if I hit Members, you will see that this pool member is marked red diamond. Red diamond means offline. Okay, maybe because this server, not maybe, it is guaranteed that this server doesn’t run any UDP-based application and it’s not responding to the BIG-IP. That’s why it is marked red diamond or offline. Now I’m going to click the third pool member, and this time I’m not going to select a monitor, nor will I select the default Inherit From Pool. Rather, I will select None. Okay? None. Zero. If I click Network Map and refresh, you will see every single member under our HTTP pool has a different status: available for pool member one, red diamond or offline for pool member two, and unknown for pool member three. Okay? Now that is a system-defined monitor that we associated to our pool members.

  1. Configuring Health Monitors Part 2

Let’s create a custom-based monitor. So our status, we have three different statuses for our pool. We have green circle or online for pool member one, offline for pool member two and unknown for pool member three. Now I’m going to put back the status of all three pool members. So under the HTTP pool, I’m going to deselect the TCP health monitor. And under Members, I’m going to also deselect the UDP health monitor configured specifically for pool member one. And for pool member three, I will select the default configuration option, Inherit From Pool. Now I will go to Monitors. Now, what you see here are the system default health monitors. If I click HTTP, for example, all of these parameters cannot be edited. Even if I select Advanced, you cannot edit it. And also you cannot delete any of these system-defined health monitors. Now, to create a custom-based monitor, all you need to do is click Create and select the type of monitor. In this case, I’m going to use HTTP. I’m going to name it my http. And as you can see, all of the values here can be changed. We have Interval and Timeout, which are by default 5 and 16 seconds. I can change the interval to three. And the timeout value is three times the interval value plus one. So three times three plus one, we have ten.

We’re also going to add a Receive String with a string of “Server 3” (server, space, three). Now, before I hit Finish, let me just test our current status for our HTTP virtual server. And before we do that, let’s check the Network Map. So all three pool members are unknown, or rather the entire application, including virtual servers and pools, is unknown, because we removed the health monitor configuration. All right, so we are now here in the client PC and let’s run 10.10.1.100. As you can see, it’s connected to server three. If I hit refresh, it’s now connecting to server two. And if I hit refresh again, server two, server one, server one, again server three. So you are seeing that the connections are load balanced. You may disregard the images.

These are all based on cache. That’s why you are seeing three as an image for the entire page. But just to verify, it is now load balancing. Server one and two are seen on this specific part of the web page. Now what I will do next is go back to our my http monitor configuration and verify the string is “Server 3”. Now I’m going to click Finish. What will happen with this custom HTTP monitor is it will examine the HTTP response and the BIG-IP will look for that specific string, “Server 3”. That is the string. If a pool member doesn’t have that specific string, the BIG-IP will mark that pool member offline. So let’s go ahead and associate our newly created monitor to our pool. The name is my http and I’m going to click Update.

Now, if I go to our Network Map, you will see that our HTTP pool is now online, as well as the VS. And the reason why pool members one and two are still unknown is that the first time you associated a monitor, they didn’t respond, or the response was not successful or is invalid, and they are given 16 more seconds. If it’s five, the first 5, then 11 more seconds to comply. If they didn’t comply within the timeout settings, oh, by the way, we changed the timeout setting to 10 seconds. So the first 3 seconds, that’s what they get. Okay? And they will be given another 7 seconds to comply. Okay, so the ten seconds have lapsed and if we refresh the Network Map, you will see that pool members one and two are now red diamond, which is offline. Why is that? Because server three is the only pool member that has responded with a string of “Server 3”.

And if we go back to our Windows client and I hit refresh, you will see that the connection only goes to server three. This one, server three. And if I keep refreshing this page, it doesn’t change. It’s always server three. Now, if we check our monitors, okay, and if we select our my http, we can actually make pool member one and pool member two available. We have a few options. One of the options is to create a dedicated health monitor for server one and server two, and we will add a Receive String with a value of “Server 1” and “Server 2”. But that may be difficult to configure, especially if you have many pool members.

Now, if we want to have a pattern of strings, let’s say we want to examine the response and we are looking for the specific strings “Server 1”, “Server 2”, “Server 3”, you don’t need to create multiple health monitors. In this case, we’re going to use a regular expression under Receive String. Instead of creating multiple receive strings across multiple monitor configurations, I will just use a regex value. Inside the square brackets I will add 1-3, and this will validate the HTTP response and look for a string “Server 1”, “Server 2” or “Server 3”. I’m going to click Update now, okay? And if we verify our Network Map, our expectation is that all pool members will become online. So as you can see, all three pool members are online with the green circle as the symbol. Now let’s go back to our Windows client, and from here you see server three is the only connected pool member. If I hit refresh, you will see that the client sends traffic to all three pool members. So load balancing to all three pool members is working correctly.
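The monitor behaviour walked through in this part, as an added example (not from the course or from F5): a simplified Python model of an HTTP monitor with an interval, the three-times-interval-plus-one timeout and a receive string matched as a regular expression. The monitor name, the page bodies and the `status_at` and `pool_view` helpers are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HttpMonitor:
    name: str                      # sample name, chosen for this example
    interval: int                  # seconds between probes
    recv: str                      # receive string, matched as a regular expression
    timeout: Optional[int] = None  # seconds allowed without a passing probe

    def __post_init__(self) -> None:
        if self.timeout is None:
            # Rule quoted in the lesson: timeout = 3 x interval + 1
            self.timeout = 3 * self.interval + 1
        self._recv = re.compile(self.recv)

    def probe_ok(self, body: Optional[str]) -> bool:
        """A probe passes only if a response arrived and contains the receive string."""
        return body is not None and self._recv.search(body) is not None


def status_at(mon: HttpMonitor, bodies: List[Optional[str]], t: int) -> str:
    """Status of one pool member t seconds after the monitor was attached.

    bodies[i] is the response to the probe sent at i * interval seconds
    (None means no response); the last entry repeats for later probes.
    """
    last_good = None
    for i in range(t // mon.interval + 1):
        body = bodies[min(i, len(bodies) - 1)]
        if mon.probe_ok(body):
            last_good = i * mon.interval
    if last_good is None:
        # Never passed: unknown while the timeout runs, offline once it expires.
        return "offline" if t >= mon.timeout else "unknown"
    return "available" if t - last_good < mon.timeout else "offline"


# Constructed response bodies for the three lab servers.
PAGES = {n: [f"<html><body><h1>Server {n}</h1></body></html>"] for n in (1, 2, 3)}


def pool_view(mon: HttpMonitor, t: int) -> dict:
    """Status of every member, as the Network Map would show it at time t."""
    return {f"member{n}": status_at(mon, PAGES[n], t) for n in PAGES}


if __name__ == "__main__":
    literal = HttpMonitor("my_http", interval=3, recv="Server 3")
    pattern = HttpMonitor("my_http", interval=3, recv="Server [1-3]")
    for label, mon in (("literal", literal), ("regex", pattern)):
        for t in (0, 9, 10):
            print(f"{label:8} t={t:>2}s", pool_view(mon, t))
```

With the literal string, members one and two stay unknown until the 10-second timeout and then go offline; with the bracket expression all three pass on the first probe.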

  1. Configuring Health Monitors Part 3

Now I’m back here in our statistics page. And as you can see, objects like virtual servers, pools, and these three pool members show us the status is all online. But the node has a different configuration versus the pool or pool members. And I will show you that, from the node perspective, it’s still unknown. Okay? So I will hover my mouse over the node or even the pool members. And it’s telling us that the nodes 172.16.20.1, .2 and .3 are still status unknown. As I mentioned, the node has a different monitor configuration. So we’ll go to the node configuration under Local Traffic. You click Nodes. And as you see, we have the three IP addresses. And for us to associate a health monitor, we have two ways. We can associate a monitor under this tab, default node.

And what I’m going to do is associate ICMP and click Update. Okay? Now if I hit Node List, you will see the status all green or online. If I go back to my Network Map and hover my mouse over the pool member, you will see the node has a green circle status. Now maybe you’re thinking, oh, for the pool member, you can associate a health monitor for a specific pool member. Can we do that also on a node? Yes, you can. So if I click the node, or one of the nodes, let’s say 172.16.20.3, by default the health monitor is node specific. Excuse me, node default. I can select Node Specific and I can actually select one of the available health monitors. I can also select None. If I hit Update, this will give me an unknown status for one of the pool members, and that is pool member three. Now if I go back to my node list, pool member three is now blue square or unknown.

Now I’m going to put this back to Node Default. I’m going to click Update. Health monitors are good, but they can be dangerous, especially if the result is that all pool members are offline. Is there a way we can test the monitor first, before associating it to a resource such as a pool or pool members? Yes, there is. So what I will do is create a new monitor and I’m going to select HTTP. I’m going to name it, let’s say, my http underscore server one, or s1, and under Receive String I will type “Server 1”. I will hit Finish. After hitting Finish, let’s click this newly created custom monitor. You will see a tab here named Test. Going to click it, and this allows us to test whether this monitor will pass against a specific pool member. Okay, so I’m going to type in the address of that pool member. Let’s say 172.16.20.3. Okay, so this is the third pool member. If I hit Test, you will see that it is now starting the check. Last result is test pending, and it has elapsed 5 seconds. Now it’s done. Right.

So by default, this is 16 seconds. After 15 seconds, we will now see the result. And as you can see, test is completed. No successful response. The status for this result is down. Now, if I change this to 172.16.20.2, we are expecting the same result because our string is designed for server one or pool member one. But let’s wait for another few seconds. Okay, 11 seconds. Five more seconds to go. And as you can see, there’s no successful response. Test completed. Result is down. Now let’s change this to 172.16.20.1. Test completed. The result is up because, again, our custom HTTP monitor is designed for pool member one. Because of the receive string, we added “Server 1”.

Let’s create another custom monitor. Now, before we create our new health monitor, let’s go to our F5 BIG-IP CLI. Okay, we are here in the advanced shell, and we can use standard Linux tools such as FTP. And I’m going to FTP to a specific node, 172.16.20.1. I’m going to log in as student with a password of student. Now I’m logged in successfully. We’re also going to verify what files exist. So we have README.txt. We also have test.txt. So I will also verify which directory we are in. It’s /home/student. And again, the file name is test.txt. I will go back to my GUI and we’re going to create an FTP monitor. I’m going to name this my FTP, and under Type I’m going to select FTP, obviously. Take note that on FTP monitors, the default interval and timeout values are 10 and 31 seconds. Now, the FTP health monitor is not like the HTTP monitor, where we have strings like receive strings or disabled strings.

There are many different values that we can add in our HTTP health monitor. For FTP monitors, we are required to add our username and password because the health monitor will log in and verify a specific file. That’s what we’re going to add. The file that we are verifying is test.txt under the home user directory. I’m going to click Finish now. Okay, so we just created our new FTP health monitor. Now, to test this, I’m going to associate it to a pool. We haven’t created an FTP pool. Let’s add it now. I’m going to create an FTP pool with the name of ftp_pool.

We’re also going to add our newly created monitor, my FTP. I added it under the Active selections here. And I’m going to add only one pool member. Okay? 172.16.20.1. I’m going to click Add, hit Finish. And again, after associating the health monitor and creating the pool, we now have a successful health monitor configuration. It will not appear under Network Map, though, because we haven’t associated the pool to a VS. Okay, but you will see the difference. Our FTP pool is now marked as online.

  1. Profiles Part 1

What I have here is a client and a server. I’m going to assign the server an IP address of 172.16.20.1. And since this is an FTP server, I’m going to assign port 21. Now, for the client, I’m going to assign an IP address of 172.16.0.1. Now, both are using slash prefix, so they are in the same network, and they can also communicate with each other. So what will happen next is the client will send initial traffic. This is FTP traffic targeting the IP address of the server with port 21. Now, the client is also using a port, but this is a client-side port, so it would be random. Let’s say this is 1301. This is what we call in FTP the command channel. Okay? As soon as the FTP server responds, it will create the first channel, which is again called the command channel. Now, FTP is a special type of application. It doesn’t end there.

What will happen next is the client, the same client with the same IP address, will again initiate traffic to the same server, 172.16.20.1. But this time it will be a different port. It’s not FTP port 21 anymore. This will be a random port. Let’s say this is 2001. Now for the client, it will be the same IP address, 172.16.0.1. And this time it’s another port. It’s not 1301 anymore. Let’s say it’s 1302. The server will respond and this will be the data channel. Now, once established, the transfer of data will be done here between the client and the server ports. This is normal passive FTP. But what happens if we add a BIG-IP device in the middle, in between the client and the server? Since we have a BIG-IP, which is acting as a full proxy device, we will create a virtual server. And the virtual server is what will be contacted by the client. I’m going to name this FTP VS, with an IP address of 10.10.1.103. And since this is FTP, we’re going to assign port 21.

For the client, it will be different. Why? Because the client we have here is using a 172.16 IP address, and it should use an IP address of 10.10.1.30. Now we’re just copying what’s in our lab. And this allows the client to communicate directly with the VS. Let’s check what’s going to happen if we have a BIG-IP device in between the client and the server. So the client sends traffic to the FTP VS, 10.10.1.103, listening on port 21, and the BIG-IP will forward it to the pool member. We only have one, by the way. The pool member will reply. And since this is return traffic, the BIG-IP will allow it. Okay? So it will reply to the client, 10.10.1.30, with, let’s say, a port of 1301.

Okay, guys, we can disregard this. By the way, it’s not related to our second example. What is related, though, is that we have already established the command channel. Okay? Command channel is done. Now, if we’re going to repeat the same process after the command channel, we do the second one, the data channel, where the client initiates traffic to the FTP server. But now it’s on a different port. Okay, the question is, will this be accessible? Well, it shouldn’t be. Not only because we don’t have a VS listening on port 2001 for this data channel. Even if we create another VS for the data channel, we don’t even know what this port is, because it is a random port and it is created during the FTP connection. Now, to make this work, all we need to do is enable an application layer or application profile. Specifically, the FTP profile.
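Why the data port cannot be configured in advance, as an added Python sketch (not F5's implementation and not code from the course): in passive FTP the server announces the data port inside a `227` reply on the command channel (RFC 959), so a proxy has to read that reply to learn which port to admit, and can then admit exactly that port, once, for that client. The `FtpAwareProxy` class and the sample addresses and port are assumptions for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# RFC 959 passive reply: "227 <text> (h1,h2,h3,h4,p1,p2)", port = p1 * 256 + p2
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(line: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) from a 227 reply, or None for any other line."""
    m = PASV_RE.match(line)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in PASV reply: {line!r}")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def format_pasv(host: str, port: int) -> str:
    """Build a 227 reply announcing host:port."""
    return "227 Entering Passive Mode ({},{},{})".format(
        host.replace(".", ","), port >> 8, port & 0xFF
    )


class FtpAwareProxy:
    """Hypothetical proxy that tracks the command channel of each client."""

    def __init__(self, vs_addr: str) -> None:
        self.vs_addr = vs_addr
        # (client ip, announced port) -> real server endpoint for the data channel
        self.pending: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def on_server_reply(self, client_ip: str, line: str) -> str:
        """Inspect a server reply; rewrite a 227 so the client dials the proxy."""
        endpoint = parse_pasv(line)
        if endpoint is None:
            return line  # not a passive reply, pass through unchanged
        self.pending[(client_ip, endpoint[1])] = endpoint
        return format_pasv(self.vs_addr, endpoint[1])

    def on_data_connect(self, client_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Admit a data connection only if it was negotiated; one use per reply."""
        return self.pending.pop((client_ip, dst_port), None)


if __name__ == "__main__":
    # Sample values: virtual server, client and pool member addresses, port 2001.
    proxy = FtpAwareProxy("10.10.1.103")
    server_line = "227 Entering Passive Mode (172,16,20,1,7,209)"  # 7*256+209 = 2001
    print(proxy.on_server_reply("10.10.1.30", server_line))
    print(proxy.on_data_connect("10.10.1.99", 2001))  # other client: None
    print(proxy.on_data_connect("10.10.1.30", 2001))  # negotiated: forwarded
    print(proxy.on_data_connect("10.10.1.30", 2001))  # replayed: None
```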

What is an FTP profile? Well, an FTP profile, or a profile, is an object configured in our BIG-IP appliance that enables a special behavior for a specific application or a specific protocol. In this case, we enable the FTP profile. It’s telling the VS, this VS here, that if you see this kind of traffic, FTP, that is initiated to 10.10.1.103 port 21, you should do this: allow this succeeding port, do the state transfer and so forth. So, meaning this VS will add a new skill, a new knowledge, a new behavior for a specific application. In this specific case, it’s FTP.

I have here a client and an HTTP server. The client has an IP address of 172.16.0.1 and the server 172.16.20.1, listening on port 80. Now, if the client sends traffic or HTTP requests to this IP address via port 80, the server will respond. And again, we’ll have a client port. Let’s say this is for 2001. Okay, so good. We will be able to process HTTP requests directly to the HTTP server. What if we have an F5 BIG-IP sitting in the middle? This is our F5 device and we have an IP address, or should I say virtual server address, 10.10.1.100, listening on port 80.

Now, since this is a 10.10 network, I will change the client IP address also, to 10.10.1.30. So this setup is almost like, or exactly like, our lab environment. Now, if the client sends an HTTP request to our HTTP VS, it will of course do the load balancing. But prior to that, can it process these features? We have here HTTP compression. We also have cookie persistence. And let’s say for an iRule, it needs to inspect the HTTP header. The question now is, can this VS process all of these features? Think about it. Everything is default. Our HTTP VS is only listening on 10.10.1.100, port 80, and it has an associated default pool where this pool member, 172.16.20.1 listening on port 80, is added. The answer to that question is no. The HTTP VS will not be able to process all these features because it lacks knowledge. The HTTP VS here is a default VS that can only do not-so-advanced processing. It lacks full knowledge of HTTP, so it cannot do further HTTP inspection.

Now, to solve this issue and to allow us to enable HTTP compression, cookie persistence and iRule checking of the HTTP header, we should enable the HTTP profile. The HTTP profile allows the VS to know how HTTP traffic behaves. This includes that it can check the HTTP header, it can enable cookies and it can also do HTTP compression functions. Cookie persistence requires the HTTP profile, and the HTTP profile also requires a layer 4 profile such as TCP. This is what we call profile dependencies, where a special feature such as persistence requires a layer 7 or application profile such as the HTTP profile. But the HTTP profile is an application layer profile that requires a TCP layer 4 profile. So these profiles need to work together, and we’re going to show you this in our lab demonstration later.

  1. Profiles Part 2

I have a client and an HTTPS server with IP addresses of 172.16.0.1 for the client and 172.16.20.1 for the server. Both are slash 16, so they can communicate with each other because they are in the same network. Now, what happens here is the client sends an HTTPS request to the server, and it’s listening on port 443, which is the port for HTTPS. The HTTPS server will respond back to the client, and the client is using port 1024 and up. Now, HTTPS as a protocol is designed to create a secure communication channel, and by design it is also using the same format as an HTTP web application. So what it will do is create a secure communication channel, and this is what we call end-to-end secured or encrypted traffic. So HTTPS is secured because the client sends HTTPS secure traffic to the server’s application. Now, the servers have extra configuration.

It’s not as simple if you compare it to HTTP. How we manage servers requires certification, or certificates and keys. Why? Because the server does the key exchange and we also need to configure the HTTPS web servers. So this can be Apache or this can be Nginx. Now, HTTPS end-to-end encrypted traffic is good. But when you’re talking about a bulk of servers, let’s say hundreds of servers, the management can be very complicated and it can be very difficult. Why? Imagine every single server, hundreds of servers. You need to manage the certificates and keys, plus you also need to redo the HTTPS configuration. And we’re not just talking about some kind of automation, because certificate configuration may vary and can be very difficult. Now, what we need is to add a device in between the client and the server. I’m going to add here our F5 BIG-IP device. And maybe you’re thinking, why do we need to add a BIG-IP device again? Well, BIG-IP, as we know, has a full proxy architecture that separates the client session and the server session.

Not only that, we talk about BIG-IP as a proxy that allows us to centrally manage on behalf of our application. So in this case, we will manage HTTPS configurations such as certs and the keys. But by default our VS, I’m going to create a VS here. I’m going to name it HTTPS VS, with an IP address of 10.10.1.100, and it’s listening on port 443. By default, this virtual server that we create, assuming that this pool member has been added to a pool that is associated to the VS, assuming that our objects, VS, pool members, pools, are all configured properly, and the client sends traffic to the VS. Okay, using HTTPS as a protocol, the BIG-IP forwards the traffic to the HTTPS pool members.

This is good, you have a BIG-IP device, but again, by default your BIG-IP device is acting like a forwarder for HTTPS or secured communication, meaning you are still using end-to-end encrypted traffic. So the result of this is we only have limited iRules, and some of the features we know will not function, such as cookie persistence. What else? Compression. Web compression. It is not going to work. What else? Security inspection.

So if you have a firewall or WAF enabled in your BIG-IP appliance, it’s not going to function. Why? Because, again, this is a secured communication channel. And what happens is there is no way the BIG-IP can examine the packet or the traffic, because it’s all secured. Now, the solution for this is to terminate the HTTPS session. So the solution is this: we’re going to send traffic to the BIG-IP and the BIG-IP will decrypt it. It will terminate the HTTPS session. So this time what we will have is only a secured channel in between the client and the BIG-IP. Now, what I’m using, guys, is if you see a red marker or red color in the drawing, that means this is encrypted or secured. The BIG-IP will decrypt it. Well, as it decrypts it, it can do the iRule, cookie persistence, security inspection and other features.

As the BIG-IP does its magic, it will proceed with the load balancing and select the pool member, and it may now forward the traffic to the selected pool member unencrypted. So on the client side it is encrypted, it’s HTTPS, but on the server side it is unencrypted. It is only using HTTP. Now, if I am going to revise this, it will now be HTTP and this pool member should be listening on port 80, or better yet, in our F5 BIG-IP configuration just select a pool for HTTP only. Now, this solution is what we call the client SSL profile. Sometimes it is called SSL termination, or sometimes it is also called SSL offload.

Okay? The reason why it’s called offload is because the BIG-IP offloads all of the load, all of the configuration, all of the complexity that may run in our F5, not F5, sorry, that may run in our servers. Okay? So the idea is not only to manage the certificates, the keys, all of the HTTPS configuration on the BIG-IP, but also to save some resources. Imagine if we have 100 or hundreds of servers running HTTPS. That is a lot of consumption when it comes to resources, CPU, memory, and the configuration as well. Can you imagine how difficult it is to configure hundreds of servers? Okay, so I’m going to also specify here that our main priority is to move the load of our servers to the BIG-IP.

Now, maybe we are thinking, since we are sending traffic from the BIG-IP to the pool member listening on port 80, you might think that, hey, this is not good because the traffic going to our servers is unsecured. Okay, well, you’re right, that’s the design. It should be unencrypted so we can save more resources. All right. Is it possible to encrypt the traffic from the BIG-IP to our HTTPS servers? Yes, it is possible, and that is what we call the server SSL profile. But this is not always recommended because you are doing dual load. One is the load on the F5 BIG-IP device and the other is the load on your servers. So you’re configuring your HTTPS, including keys, twice: on the BIG-IP and again on your HTTPS servers. Now, I need to also add another highlight, that the BIG-IP device as hardware has special SSL hardware that enables SSL acceleration. So it’s really advisable to just make the BIG-IP do all of the processing, all of the SSL work.
