Silverback by Matrix42
F5® BIG-IP® Access Policy Manager® Guide to Publishing Silverback
Version 1.0.2
15. December 2015

Copyright © 2000 - 2014 Matrix42 AG

This documentation is copyright protected. All rights are reserved by Matrix42 AG. Any other use, in particular the disclosure to third parties, storage in a data system, dissemination, processing, presentation, performance and demonstration, is prohibited. This applies to the entire document as well as parts thereof. Subject to change. Reprint, also in excerpts, is permitted only with the written consent of Matrix42 AG. The software described in this document is subject to permanent development, due to which there may be differences between the documentation and the actual software. This documentation is not entitled to the actual functionality of the software.

Third-party notices:
Apple and Mac OS X are registered trademarks of Apple Inc.
Citrix® software or Citrix® server are Trademarks and Registered Trademarks of Citrix Systems, Inc. in the United States and other countries.
cygwin is copyrighted by Red Hat Inc. 1996-2003.
expat is copyrighted by Thai Open Source Software Center Ltd.
gSOAP is copyrighted by Robert A. van Engelen, Genivia, Inc. All rights reserved.
Iconv is copyrighted by 1999-2003 Free Software Foundation, Inc.
Iperf is copyrighted by the University of Illinois, except for the gnu_getopt.c, gnu_getopt_long.c, gnu_getopt.h files, and inet_aton.c, which are under the GNU General Public License.
Libmspack (C) 2003-2004 by Stuart Caie <kyzer@4u.net>.
OpenSSL: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.
PuTTY is copyrighted by Simon Tatham. Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, and CORE SDI S.A.
RSA Data Security, Inc. MD5 Message-Digest Algorithm is copyrighted by RSA Data Security Inc. Created 1991. All rights reserved.
rsync is an open source utility that provides fast incremental file transfer. rsync is freely available under the GNU General Public License version 2.
runcontrol: The Initial Developer of the Original Code is James Clark. Portions created by James Clark are Copyright (c) 1998 James Clark. All rights reserved.
SNMP++ Copyright (c) 1996 Hewlett-Packard Company.
VMware, the VMware "boxes" logo and design, Virtual SMP, VMotion, vSphere, vSphere Hypervisor (ESXi), ESX, View, ThinApp, vCenter and vCloud are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions.
Windows, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 are registered trademarks of Microsoft Corporation.
Other company, brand and product names not explicitly listed here are trademarks or registered trademarks of their respective owners and are subject to trademark protection.

Author: Matrix42 Cloud & Mobile Management, 15. December 2015

Contents

1. Introduction
2. Prerequisites
2.1. Account requirements and Permissions
2.2. Network and System Requirements
3. Initial Setup & Activation of your F5 BIG-IP APM
3.1. Connecting to your F5 BIG-IP APM
3.2. Using the Setup Utility to Begin Activation
3.2.1. Begin Activation of your F5 BIG-IP APM
3.2.2. Enter Base Registration Key
3.2.3. Approving your Dossier with the F5 BIG-IP APM Product Licensing Page
3.2.4. Successful Licensing and Activation of your F5 BIG-IP APM
4. Configuring Networks and Device IP Addresses
4.1. Network Configuration Wizard
4.1.1. Device Redundancy
4.1.2. Internal Network Configuration
4.1.3. External Network Configuration
4.1.4. Network Time Protocol Configuration
4.1.5. Domain Name Server Configuration
4.1.6. Complete Networks
5. Working with SSL Certificates
5.1. Importing the Silverback Website SSL Certificate
5.2. Importing any Intermediate SSL Certificates
5.3. Building the Client SSL Profile
6. Publishing The Silverback Website
6.1. Silverback Nodes, Pools and Virtual Servers
6.1.1. Building the Silverback Node
6.1.2. Building the Silverback Pool
6.1.3. Configuring the Silverback Virtual Server
6.2. Protecting the Silverback Website using F5 BIG-IP iRules®
6.2.1. Creating a F5 BIG-IP Data Group List
6.2.2. Creating the F5 BIG-IP iRule®
6.2.3. Applying the F5 BIG-IP iRule® to the Silverback Virtual Server
7. Appendix
7.1. Silverback Admin Access F5 BIG-IP iRule®

1. Introduction

This guide will help you deploy a Silverback instance behind an F5 BIG-IP Access Policy Manager (APM®) application delivery controller. This allows you to add multiple Silverback Servers to provide horizontal scaling: each service can have its own pool of servers, or share resources across multiple nodes. It also allows us to restrict portions of the website to certain IP addresses for added security, and it simplifies the integration of the F5 BIG-IP APM with an Internal Certificate Authority for the authentication services that can be configured by Silverback (such as Client Certificate Exchange ActiveSync and VPN).

2. Prerequisites

Make sure your computer is on the same network as the F5 BIG-IP APM, as the device is configured via a Web Browser or via an SSH client (such as PuTTY for Windows or Terminal for Mac).

2.1. Account requirements and Permissions

The F5 BIG-IP APM ships with a default 'admin' account; if these credentials are not available you will need an administrative account to do the necessary configuration.

2.2. Network and System Requirements

The F5 BIG-IP APM is configured across a network using either a Web Browser communicating via HTTPS (TCP port 443) or an SSH client (TCP port 22). The BIG-IP APM can be connected to a dedicated Management Network to isolate the management traffic from the data plane. You can configure the Management Portal to be accessible from the forwarding plane or the data plane.

3. Initial Setup & Activation of your F5 BIG-IP APM

This section guides you through publishing a single Silverback Server to the Internet via the F5 BIG-IP APM.

3.1. Connecting to your F5 BIG-IP APM

If you are configuring your F5 BIG-IP APM from factory settings, it ships with a default IP address of 192.168.1.245; otherwise your F5 BIG-IP APM is already in place and you will need to speak to your Network Administrator to obtain access. Once you have the network address (or IP) of the F5 BIG-IP APM you can connect to it using either a Web Browser (such as Internet Explorer or Safari) or via SSH.

The default passwords (at the time this document was written) are admin / admin and root / default. Please refer to the F5 BIG-IP APM documentation for the default admin and root accounts. Change both default passwords as part of the initial setup, before the device is connected to any external network.

Enter the username and password and click 'Log In'.

3.2. Using the Setup Utility to Begin Activation

Once you have logged into your F5 BIG-IP APM, you will be taken to the Setup Utility wizard where you can begin the initial configuration of your F5 BIG-IP APM. Notice the 'No License Exists for this Device' banner at the top of the UI; to begin licensing this device click 'Next' on the Setup Utility.

3.2.1. Begin Activation of your F5 BIG-IP APM

The first screen the Setup Utility displays begins the Licensing and Activation Wizard for your F5 BIG-IP APM. Click the 'Activate' button to begin.

3.2.2. Enter Base Registration Key

To begin, enter your Base Registration Key; this is provided either by F5 or by your Matrix42 channel partner. Choose a Manual Activation Method and click 'Next' to continue.

Note: Add-On Registration Keys are not covered here; they are beyond the scope of this document.

3.2.3. Approving your Dossier with the F5 BIG-IP APM Product Licensing Page

Next we download our F5 BIG-IP Dossier and submit it to F5 for approval. Once completed we are given a license that we can upload into the F5 BIG-IP APM to complete licensing.

Change Manual Method to Download/Upload File. Click the 'Click Here to Download Dossier File' button. Visit the F5 Licensing Server and submit your F5 BIG-IP Dossier; you will be asked to download a License for your F5 BIG-IP APM. Browse to your downloaded License and click the 'Next' button to complete licensing of your F5 BIG-IP APM.

3.2.4. Successful Licensing and Activation of your F5 BIG-IP APM

Upon successful licensing of your F5 BIG-IP APM, you will be notified that the system is due to reboot to accept the configuration changes. Once the F5 BIG-IP APM has rebooted and you have logged in, you will be presented with the following screen; click 'Next' to continue basic configuration of the device (covered in Section 4).

4. Configuring Networks and Device IP Addresses

Continuing from the previous section, once the F5 BIG-IP APM has rebooted after being successfully licensed, we can log in and begin configuring our networks and the appropriate IP addresses. Click Next on the following screen to continue.

4.1. Network Configuration Wizard

To continue with the Standard Network Configuration, click 'Next'. If you are more familiar with the network setup you can click 'Finished' and set the network settings manually.

4.1.1. Device Redundancy

As we are configuring a single F5 BIG-IP APM and not a cluster, uncheck both 'Config Sync' and 'High Availability' and click 'Next' to continue.

4.1.2. Internal Network Configuration

For the Internal Network we will use the first network interface on the F5 BIG-IP APM (Ethernet 1.1), configured with our Internal Network details.

Internal Network Configuration
Address: The internal IP address of the F5 BIG-IP APM.
Netmask: The netmask for the Internal Network.
Port Lockdown: Allow Default (essentially, this allows F5 BIG-IP APM management from the Internal interface as well as the MGMT interface).

Internal VLAN Configuration
VLAN Tag ID: auto
VLAN Interfaces: Select '1.1', leave it Untagged and click Add.

Click Next to continue.

4.1.3. External Network Configuration

For the External Network we will use the second network interface on the F5 BIG-IP APM (Ethernet 1.2), configured with our External Network details.

External Network Configuration
External VLAN: Create VLAN external.
Address: The external IP address of the F5 BIG-IP APM.
Netmask: The subnet mask for the External Network.
Port Lockdown: Allow None. This prevents the F5 BIG-IP APM from being administered from any External Network.
Default Gateway: Add the External Default Gateway to route to the Internet.

External VLAN Configuration
VLAN Tag ID: auto
VLAN Interfaces: Select '1.2', leave it Untagged and click Add.

Click Next to continue.

4.1.4. Network Time Protocol Configuration

NTP Configuration: Add each NTP server and click 'Add'.

4.1.5. Domain Name Server Configuration

DNS Configuration: Add each DNS server and click 'Add'.

4.1.6. Complete Networks

Once the Network Configuration Wizard is complete, you will be presented with the list of configured networks as displayed below. Your F5 BIG-IP APM should now be ready for configuring Silverback and other websites.

5. Working with SSL Certificates

As Silverback requires a trusted third-party SSL certificate to provide encryption, we need to import the same SSL certificate onto the F5 BIG-IP APM to publish Silverback. This is the same certificate used by IIS (Internet Information Services) on the Silverback Application Server to present the Silverback Website.

5.1. Importing the Silverback Website SSL Certificate

Log into the F5 BIG-IP APM Configuration Utility and navigate to System → File Management → SSL Certificate List. Click the Import button, change the Import Type to PKCS12 (IIS), then fill out the following details:

Certificate Name: The 'Friendly Name' of the certificate, as it will be referenced by the F5 BIG-IP APM.
Source: The location of the PKCS12 file to import.
Password: The password for the PKCS12 file.

Click the Import button.

NOTE: The F5 BIG-IP APM will not import the intermediate certificates when using the PKCS12 import method. In that case it is recommended you change the Import Type to 'Certificate' and import a PEM file that contains the intermediate and client certificates.

5.2. Importing any Intermediate SSL Certificates

Log into the F5 BIG-IP APM Configuration Utility and navigate to System → File Management → SSL Certificate List. Click the Import button, change the Import Type to Certificate, then fill out the following details:

Certificate Name: The 'Friendly Name' of the certificate, as it will be referenced by the F5 BIG-IP APM.
Certificate Source: The location of the certificate file to import.

Click the Import button.

5.3. Building the Client SSL Profile

Log into the F5 BIG-IP APM Configuration Utility and navigate to Local Traffic → Profiles → SSL → Client. Click the Create button and populate the following information:

Name: The 'Friendly Name' of the SSL Client Profile, as it will be referenced by the F5 BIG-IP APM.
Parent Profile: This should be set to clientssl; it is safe to leave this as is.
Configuration: Advanced, because we want to configure SSL options.
Mode: Enabled.
Certificate: In this drop-down menu, select the SSL certificate imported in Section 5.1.
Key: Again, in this drop-down menu, select the private key of the SSL certificate imported in Section 5.1.
Chain: If necessary, specify the intermediate certificates required by your SSL certificate (imported in Section 5.2).
Click the Add button to confirm both the SSL certificate and the private key.
Options List: Under Available Options, select both 'No SSLv3' and 'No SSLv2' to disable these obsolete protocol versions; clients will then only negotiate TLS.

Click the Finished button to save this SSL Client Profile.

6. Publishing The Silverback Website

Now that the F5 BIG-IP APM has its networks configured, we can tell it where Silverback exists on the Internal Network and build the elements required to publish it via the F5 BIG-IP APM.

6.1. Silverback Nodes, Pools and Virtual Servers

6.1.1. Building the Silverback Node

A 'Node' in an F5 BIG-IP APM is a way of specifying a computer or service on your network; in this instance it is the Silverback Server's website.

Log into the F5 BIG-IP APM Configuration Utility and navigate to Local Traffic → Nodes. Click the Create button and input the following details for the Silverback Node:

Name: The 'Friendly Name' of the Server Node, as it will be referenced by the F5 BIG-IP APM.
Description: A description of the Server Node.
Address: Can be specified as either an IP address or an FQDN.

Click the Finished button; we are not covering Health Monitors at this stage.

6.1.2. Building the Silverback Pool

A 'Pool' in an F5 BIG-IP APM can be a single server, or multiple servers set up in a load-balancing configuration (such as Round Robin) for improved performance.

Log into the F5 BIG-IP APM Configuration Utility and navigate to Local Traffic → Pools. Click the Create button and input the following details for the Silverback Pool:

Name: The 'Friendly Name' of the Silverback Pool, as it will be referenced by the F5 BIG-IP APM.
Description: A description of the Silverback Pool.
Health Monitors: Set this to 'https' so the F5 BIG-IP APM checks the Silverback Website.
Load Balancing Method: Ensure this is set to 'Round Robin'.
New Members: Select Node List and select the Silverback Node created in Section 6.1.1. Change the Service Port to 443 and click Add.

Click the Finished button.

6.1.3. Configuring the Silverback Virtual Server

A 'Virtual Server' is what the F5 BIG-IP APM uses to listen for incoming requests. Essentially, this is what listens on the Internet for traffic to be passed through to the Silverback Server.

Log into the F5 BIG-IP APM Configuration Utility and navigate to Local Traffic → Virtual Servers. Click the Create button and input the following details for the Silverback Virtual Server:

General Properties
Name: The 'Friendly Name' of the Silverback Virtual Server, as it will be referenced by the F5 BIG-IP APM.
Description: A description of the Silverback Virtual Server.
Type: Standard.
Source Address: 0.0.0.0/0, as the source is the Internet.
Destination Address: This should be the corresponding IP address for Silverback on the Internal Network.
Service Port: 443 or HTTPS.
Notify Status to Virtual Address: Enabled.
State: Enabled.

Configuration
Configuration: Advanced.
Protocol: TCP
Protocol Profile (Client): tcp
Protocol Profile (Server): (Use Client Profile)
HTTP Profile: http
SSL Profile (Client): silverbackmdm_ssl (created in Section 5.3)
SSL Profile (Server): serverssl
VLAN and Tunnel Traffic: Enabled on…
VLANs and Tunnels: external
Source Address Translation: Auto Map.

Resources
Default Pool: SilverbackMDM_Pool (created in Section 6.1.2)

Click the Finished button.

6.2. Protecting the Silverback Website using F5 BIG-IP iRules®

The F5 BIG-IP iRule feature allows an administrator to apply a carefully written script to a Virtual Server that can manipulate both inbound and outbound traffic. We are going to use this technology to 'lock down' the Silverback Management Interface using an iRule accompanied by an F5 BIG-IP 'Data Group List'.

6.2.1. Creating a F5 BIG-IP Data Group List

A F5 BIG-IP Data Group List is a way of creating a variable, containing a list of IP addresses or other information, that can then be referenced by an iRule.

Log into the F5 BIG-IP APM Configuration Utility and navigate to Local Traffic → iRules → Data Group Lists. Click the Create button.

General Properties
Name: The name of the Data Group List you are creating.
Type: Change this to Address Records.
Address: Enter each IP address that is allowed to reach the administrative parts of the website.
Value: Leave this blank.
Click Add after each address.

Click 'Finished' once you have added all necessary IP addresses.

6.2.2. Creating the F5 BIG-IP iRule®

The iRule is the script that the Virtual Server runs against each request; the iRule supplied in the Appendix checks the client's source IP address against the Data Group List created in Section 6.2.1.

Log into the F5 BIG-IP APM Configuration Utility and navigate to Local Traffic → iRules → iRule List. Click the Create button.

Properties
Name: The name of your iRule.
Definition: The iRule itself (please see the Appendix for the supplied iRule).

Click Finished to save your iRule.

6.2.3. Applying the F5 BIG-IP iRule® to the Silverback Virtual Server

Log into the F5 BIG-IP APM Configuration Utility and navigate to Local Traffic → Virtual Servers. Click on the Virtual Server created in Section 6.1.3, then click on the Resources display option. Under iRules click Manage. In the Available list, select the iRule created in Section 6.2.2 and click the '<<' button to enable it for the Virtual Server. Click Finished to apply your iRule to the Silverback Virtual Server.
7. Appendix

7.1. Silverback Admin Access F5 BIG-IP iRule®

This iRule references a Data Group List called 'sb_admin' that contains the list of IP addresses allowed to reach the /admin, /syncadmin and /ssp portions of the Silverback Website. Any path that is not explicitly listed is rejected. Take care when cutting and pasting the iRule: in the Tcl switch below, a pattern followed by "-" shares the body of the next pattern, so those dashes must be kept.

    when HTTP_REQUEST {
        # log local0. "Method - [HTTP::method]"
        # Drop TRACE, OPTIONS and HEAD requests (method names are case-sensitive)
        if {[HTTP::method] eq "TRACE" || [HTTP::method] eq "OPTIONS" || [HTTP::method] eq "HEAD"} {
            drop
        }
        # Check the requested URI
        # log local0. "Path - [HTTP::path]"
        switch -glob [string tolower [HTTP::path]] {
            "/ssp*" {
                # Reset the request if the source IP is not allowed
                if {not ([matchclass [IP::client_addr] equals sb_admin])} {
                    reject
                    log local0. "Deny SSP - [IP::client_addr]"
                } else {
                    #log local0. "IP [IP::client_addr]"
                }
            }
            "/admin*" -
            "/syncadmin*" {
                # Reset the request if the source IP is not allowed
                if {not ([matchclass [IP::client_addr] equals sb_admin])} {
                    reject
                    log local0. "Deny Admin - [IP::client_addr]"
                } else {
                    #log local0. "IP [IP::client_addr]"
                }
            }
            "/" -
            "/activate*" -
            "/apps*" -
            "/checkin*" -
            "/companyhub*" -
            "/enrollmentserver*" -
            "/epic*" -
            "/integration*" -
            "/mdm*" -
            "/pfm*" -
            "/sharepoint*" -
            "/syncdata*" -
            "/syncmetadata*" -
            "/tunnel*" {
                # Public parts of the Silverback Website: allowed for every client
                # log local0. "Allow Access"
            }
            default {
                # Reset the request: anything not listed above is rejected
                reject
                log local0. "Bot - [HTTP::path]"
            }
        }
        #log local0. "-----------------"
    }

    when HTTP_RESPONSE {
        # Header Sanitiser: strip headers that reveal the back-end platform
        HTTP::header remove Server
        HTTP::header remove X-Powered-By
        HTTP::header remove Date
    }
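The iRule above, modelled in Python as an added example that is not part of the Matrix42 guide or of F5's code: it re-implements the HTTP_REQUEST decision (method filter, lower-cased path switch, sb_admin allow-list, reject-by-default) and the HTTP_RESPONSE header sanitiser, so the behaviour described in Sections 6.2 and 7.1 can be checked offline with constructed requests before the iRule is applied to the Virtual Server. The sb_admin entries and the sample requests are constructed for the example; matchclass is modelled with the standard ipaddress module on the assumption that the Address Records data group holds host addresses and CIDR prefixes.

```python
"""Offline model of the Silverback admin-access iRule (Appendix 7.1).

Added example: re-implements the iRule's decision logic in Python so the
allow-list can be exercised with constructed requests. Not F5 or Matrix42 code.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for the 'sb_admin' Address Records data group (Section 6.2.1).
SB_ADMIN = ["203.0.113.10", "198.51.100.0/24"]

# Methods the iRule drops outright (comparison is case-sensitive, as in the iRule).
DROPPED_METHODS = {"TRACE", "OPTIONS", "HEAD"}

# Prefixes restricted to sb_admin clients: iRule patterns "/ssp*", "/admin*", "/syncadmin*".
ADMIN_PREFIXES = ("/ssp", "/admin", "/syncadmin")

# Public prefixes the iRule allows for every client; "/" itself is matched exactly.
PUBLIC_PREFIXES = ("/activate", "/apps", "/checkin", "/companyhub", "/enrollmentserver",
                   "/epic", "/integration", "/mdm", "/pfm", "/sharepoint",
                   "/syncdata", "/syncmetadata", "/tunnel")

# Headers removed by the HTTP_RESPONSE sanitiser (header names are case-insensitive).
STRIPPED_HEADERS = {"server", "x-powered-by", "date"}


def matchclass(client_addr: str, data_group: Iterable[str]) -> bool:
    """Model of `matchclass [IP::client_addr] equals sb_admin` for an address data group."""
    addr = ipaddress.ip_address(client_addr)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in data_group)


def http_request(method: str, path: str, client_addr: str,
                 data_group: Iterable[str] = SB_ADMIN) -> str:
    """Return the iRule's verdict for one request: 'drop', 'reject' or 'allow'."""
    if method in DROPPED_METHODS:
        return "drop"
    lowered = path.lower()  # switch -glob [string tolower [HTTP::path]]
    if lowered.startswith(ADMIN_PREFIXES):
        # Admin surfaces: allowed only when the client address is in sb_admin.
        return "allow" if matchclass(client_addr, data_group) else "reject"
    if lowered == "/" or lowered.startswith(PUBLIC_PREFIXES):
        return "allow"
    return "reject"  # default branch: everything not listed is rejected and logged as "Bot"


def http_response(headers: Dict[str, str]) -> Dict[str, str]:
    """Apply the HTTP_RESPONSE header sanitiser to a response header map."""
    return {name: value for name, value in headers.items()
            if name.lower() not in STRIPPED_HEADERS}


def run_samples() -> List[Tuple[str, str, str, str]]:
    """Evaluate a set of constructed requests and return (method, path, client, verdict)."""
    samples = [
        ("GET", "/admin/login", "203.0.113.10"),      # admin surface from an allowed host
        ("GET", "/Admin/login", "192.0.2.7"),         # mixed case, client not in sb_admin
        ("GET", "/syncadmin", "198.51.100.77"),       # allowed via the /24 entry
        ("GET", "/ssp", "10.0.0.1"),                  # self-service portal, not allowed
        ("OPTIONS", "/mdm", "192.0.2.7"),             # dropped method
        ("GET", "/mdm/checkin", "192.0.2.7"),         # public device-facing path
        ("GET", "/", "192.0.2.7"),                    # root is allowed exactly
        ("GET", "/wp-login.php", "192.0.2.7"),        # unlisted path: rejected by default
    ]
    return [(m, p, c, http_request(m, p, c)) for m, p, c in samples]


if __name__ == "__main__":
    for method, path, client, verdict in run_samples():
        print(f"{verdict:6s} {method:7s} {path:15s} from {client}")
    print(http_response({"Server": "Microsoft-IIS/8.5", "Content-Type": "text/html",
                         "X-Powered-By": "ASP.NET", "Date": "Tue, 15 Dec 2015 10:00:00 GMT"}))
```

Running the model before deploying the iRule shows two properties worth confirming: the glob patterns are prefix matches, so "/administrator" is protected by the "/admin*" branch, and any path not in the public list is rejected rather than passed through, which is what keeps new or unexpected endpoints on the Silverback server from being exposed by accident.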