Silverback by Matrix42
F5® BIG-IP® Access Policy Manager® Guide to Publishing Silverback
Version 1.0.2
15. December 2015
Copyright © 2000 - 2014 Matrix42 AG
This documentation is copyright protected. All rights are reserved by Matrix42 AG.
Any other use, in particular the disclosure to third parties, storage in a data system,
dissemination, processing, presentation, performance and demonstration are prohibited.
This applies to the entire document, as well as parts thereof.
Subject to change. Reprint, also in excerpts, is permitted only with the written consent of
Matrix42 AG.
The software described in this document is subject to a permanent development due to
which there may be differences in the documentation and the actual software. This
documentation is not entitled to the actual functionality of the software.
Apple and Mac OS X are registered trademarks of Apple Inc.
Citrix® software or Citrix® server are Trademarks and Registered Trademarks of Citrix
Systems, Inc. in the United States and other countries.
cygwin is copyrighted by Red Hat Inc. 1996-2003.
expat is copyrighted by Thai Open Source Software Center Ltd.
gSOAP is copyrighted by Robert A. van Engelen, Genivia, Inc. All rights reserved.
Iconv is copyrighted by 1999-2003 Free Software Foundation, Inc.
Iperf is copyrighted by the University of Illinois, except for the gnu_getopt.c,
gnu_getopt_long.c, gnu_getopt.h files, and inet_aton.c, which are under the GNU General
Public License.
Libmspack (C) 2003-2004 by Stuart Caie <kyzer@4u.net>.
OpenSSL This product includes software developed by the OpenSSL Project for use in
the OpenSSL Toolkit.
PuTTY is copyrighted by Simon Tatham. Portions copyright Robert de Bath, Joris van
Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry,
Justin Bradford, Ben Harris, Malcolm Smith, Ahmad Khalifa, Markus Kuhn, and CORE SDI
S.A.
RSA Data Security, Inc. MD5 Message-Digest Algorithm is copyrighted by RSA Data
Security Inc. Created 1991. All rights reserved.
rsync is an open source utility that provides fast incremental file transfer. rsync is freely
available under the GNU General Public License version 2.
runcontrol The Initial Developer of the Original Code is James Clark. Portions created by
James Clark are Copyright (c) 1998 James Clark. All rights reserved.
SNMP++ Copyright (c) 1996 Hewlett-Packard Company.
VMware, the VMware "boxes" logo and design, Virtual SMP, VMotion vSphere,
vSphere Hypervisor (ESXi), ESX, View, ThinApp, vCenter and vCloud are registered
trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions.
Windows, Windows 2000, Windows XP, Windows Server 2003, Windows Vista,
Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and
Windows Server 2012 are registered trademarks of Microsoft Corporation.
Others, at this point not explicitly listed, company, brand and product names are
trademarks or registered trademarks of their respective owners and are subject to
trademark protection.
Author: Matrix42 Cloud & Mobile Management
15. December 2015
-2-
Contents
1. Introduction
2. Prerequisites
2.1. Account requirements and Permissions
2.2. Network and System Requirements
3. Initial Setup & Activation of your F5 BIG-IP APM
3.1. Connecting to your F5 BIG-IP APM
3.2. Using the Setup Utility to Begin Activation
3.2.1. Begin Activation of your F5 BIG-IP APM
3.2.2. Enter Base Registration Key
3.2.3. Approving your Dossier with the F5 BIG-IP APM Product Licensing Page
3.2.4. Successful Licensing and Activation of your F5 BIG-IP APM
4. Configuring Networks and Device IP Addresses
4.1. Network Configuration Wizard
4.1.1. Device Redundancy
4.1.2. Internal Network Configuration
4.1.3. External Network Configuration
4.1.4. Network Time Protocol Configuration
4.1.5. Domain Name Server Configuration
4.1.6. Complete Networks
5. Working with SSL Certificates
5.1. Importing the Silverback Website SSL Certificate
5.2. Importing any Intermediate SSL Certificates
5.3. Building the Client SSL Profile
6. Publishing The Silverback Website
6.1. Silverback Nodes, Pools and Virtual Servers
6.1.1. Building the Silverback Node
6.1.2. Building the Silverback Pool
6.1.3. Configuring the Silverback Virtual Server
6.2. Protecting the Silverback Website using F5 BIG-IP iRules®
6.2.1. Creating a F5 BIG-IP Data Group List
6.2.2. Creating the F5 BIG-IP iRule®
6.2.3. Applying the F5 BIG-IP iRule® to the Silverback Virtual Server
7. Appendix
7.1. Silverback Admin Access F5 BIG-IP iRule®
1. Introduction
This guide describes how to publish a Silverback instance through an F5 BIG-IP Access Policy
Manager (APM®) application delivery controller. Placing Silverback behind the F5 lets you add
further Silverback servers for horizontal scaling: each service can be given its own pool of
servers, or several services can share one pool of nodes. It also lets you restrict parts of
the website, in particular the administrative paths, to a list of source IP addresses for added
security (see Section 6.2), and it simplifies integrating the F5 BIG-IP APM with an internal
Certificate Authority for the certificate-based authentication services that Silverback can
configure (such as client certificate exchange for ActiveSync and VPN).
2. Prerequisites
Your computer must be able to reach the F5 BIG-IP APM over the network, as the device is
configured through a web browser or an SSH client (such as PuTTY on Windows or Terminal on
Mac).
2.1. Account requirements and Permissions
The F5 BIG-IP APM ships with a default 'admin' account. If those credentials are not available
(for example because the device is already in service), you will need an account with the
Administrator role to carry out the configuration in this guide.
2.2. Network and System Requirements
The F5 BIG-IP APM is configured over the network, either with a web browser over HTTPS
(TCP port 443) or with an SSH client (TCP port 22).
The BIG-IP APM has a dedicated management (MGMT) port that can be connected to a separate
management network, isolating management traffic from the data plane. Management access can
additionally be permitted on a data-plane self IP; this is controlled per self IP by the Port
Lockdown setting (see Sections 4.1.2 and 4.1.3).
3. Initial Setup & Activation of your F5 BIG-IP APM
This guide covers publishing a single Silverback server to the Internet through the F5 BIG-IP
APM; this section covers the initial licensing and activation of the device.
3.1. Connecting to your F5 BIG-IP APM
A factory-fresh F5 BIG-IP APM ships with a default management IP address of 192.168.1.245.
If the device is already in place, ask your network administrator for its management address
and for access.
Once you have the address, connect to it with a web browser (such as Internet Explorer or
Safari) or via SSH. At the time of writing the default credentials were admin / admin for the
Configuration Utility and root / default for SSH; refer to the F5 BIG-IP APM documentation for
the current defaults. Change both passwords before the device is connected to any production
network.
Enter the username and password and click 'Log In'.
3.2. Using the Setup Utility to Begin Activation
After logging in to the F5 BIG-IP APM you are taken to the Setup Utility wizard, where the
initial configuration begins. Note the 'No License Exists for this Device' banner at the top
of the UI; to begin licensing the device click 'Next' in the Setup Utility.
3.2.1. Begin Activation of your F5 BIG-IP APM
The first screen of the Setup Utility starts the Licensing and Activation wizard for your F5
BIG-IP APM. Click the 'Activate' button to begin.
3.2.2. Enter Base Registration Key
Enter your Base Registration Key; this is provided by F5 or by your Matrix42 channel partner.
Choose the Manual activation method and click 'Next' to continue.
Note: Add-On Registration Keys are beyond the scope of this document.
3.2.3. Approving your Dossier with the F5 BIG-IP APM Product Licensing Page
Next, download the device's dossier and submit it to F5 for approval. In return you receive a
license file that is uploaded into the F5 BIG-IP APM to complete licensing.
Change the Manual Method to Download/Upload File.
Click the 'Click Here to Download Dossier File' button.
Visit the F5 Licensing Server, submit your dossier and download the license issued for your F5
BIG-IP APM.
Browse to the downloaded license and click the 'Next' button to complete licensing of your F5
BIG-IP APM.
3.2.4. Successful Licensing and Activation of your F5 BIG-IP APM
Upon successful licensing of your F5 BIG-IP APM, you will be notified that the system is due
to reboot to accept the configuration changes.
Once the F5 BIG-IP APM has rebooted and you have logged in again, the Setup Utility resumes;
click 'Next' to continue with the basic configuration of the device (covered in Section 4).
4. Configuring Networks and Device IP Addresses
Continuing from the previous section: once the F5 BIG-IP APM has rebooted after licensing,
log in and begin configuring the networks and IP addresses. Click 'Next' on the following
screen to continue.
4.1. Network Configuration Wizard
To continue with the standard network configuration, click 'Next'. If you are familiar with
BIG-IP network setup you can click 'Finished' instead and set the network settings manually.
4.1.1. Device Redundancy
As we are configuring a single F5 BIG-IP APM and not a cluster, uncheck both 'Config Sync'
and 'High Availability' and click 'Next' to continue.
4.1.2. Internal Network Configuration
For the internal network we use the first network interface on the F5 BIG-IP APM (interface
1.1), configured with the internal network details.
Internal Network Configuration
Address: The internal IP address (self IP) of the F5 BIG-IP APM.
Netmask: The netmask of the internal network.
Port Lockdown: Allow Default. This permits management of the F5 BIG-IP APM from the internal
interface as well as from the MGMT interface. If management must be limited to the MGMT
network, choose Allow None here instead; load balancing to the pool members is unaffected.
Internal VLAN Configuration
VLAN Tag ID: auto
VLAN Interfaces: Select '1.1', leave it Untagged and click Add.
Click Next to continue.
4.1.3. External Network Configuration
For the external network we use the second network interface on the F5 BIG-IP APM (interface
1.2), configured with the external network details.
External Network Configuration
External VLAN: Create VLAN external.
Address: The external IP address (self IP) of the F5 BIG-IP APM.
Netmask: The netmask of the external network.
Port Lockdown: Allow None. This prevents the F5 BIG-IP APM from being administered from the
external network.
Default Gateway: Add the external default gateway used to route to the Internet.
External VLAN Configuration
VLAN Tag ID: auto
VLAN Interfaces: Select '1.2', leave it Untagged and click Add.
Click Next to continue.
4.1.4. Network Time Protocol Configuration
NTP Configuration: enter each NTP server and click 'Add'. Accurate time matters here, as the
device checks certificate validity periods and timestamps its logs.
4.1.5. Domain Name Server Configuration
DNS Configuration: enter each DNS server and click 'Add'.
4.1.6. Complete Networks
Once the Network Configuration Wizard is complete, you are presented with the list of
configured networks.
Your F5 BIG-IP APM is now ready for configuring Silverback and other websites.
5. Working with SSL Certificates
Silverback requires an SSL certificate issued by a trusted third-party CA for its website. To
publish Silverback through the F5 BIG-IP APM, the same certificate must be imported onto the
F5 BIG-IP APM, where it terminates the clients' TLS connections. This is the certificate
already used by IIS (Internet Information Services) on the Silverback Application Server to
present the Silverback website.
5.1. Importing the Silverback Website SSL Certificate
Log into the F5 BIG-IP APM Configuration Utility.
Navigate to System → File Management → SSL Certificate List.
Click the Import button and change the Import Type to PKCS12 (IIS), then fill out the
following details:
Certificate Name: The 'friendly name' under which the F5 BIG-IP APM will reference the
certificate.
Source: The PKCS12 (.pfx) file to upload.
Password: The password protecting the PKCS12 file.
Click the Import button.
NOTE: The F5 BIG-IP APM does not import the intermediate certificates contained in a PKCS12
file. Import them separately as described in Section 5.2, or change the Import Type to
'Certificate' and import a PEM file containing the Silverback website certificate followed by
the intermediate certificates.
5.2. Importing any Intermediate SSL Certificates
Log into the F5 BIG-IP APM Configuration Utility.
Navigate to System → File Management → SSL Certificate List.
Click the Import button and change the Import Type to Certificate, then fill out the
following details:
Certificate Name: The 'friendly name' under which the F5 BIG-IP APM will reference the
intermediate certificate (or chain).
Certificate Source: The intermediate certificate file (PEM) to upload.
Click the Import button.
This step is not optional when the issuing CA uses an intermediate: the F5 BIG-IP APM sends
clients only the website certificate plus whatever is configured in the Chain field of the
client SSL profile (Section 5.3). Devices that do not already hold the intermediate, such as
mobile devices enrolling for the first time, will otherwise fail certificate validation.
5.3. Building the Client SSL Profile
Log into the F5 BIG-IP APM Configuration Utility.
Navigate to Local Traffic → Profiles → SSL → Client.
Click the Create button and populate the following information:
Name: The 'friendly name' under which the F5 BIG-IP APM will reference this client SSL profile
(the virtual server in Section 6.1.3 uses silverbackmdm_ssl).
Parent Profile: Leave this set to clientssl.
Configuration: Advanced, because we want to configure SSL options.
Mode: Enabled.
Certificate: From this drop-down, select the SSL certificate imported in Section 5.1.
Key: From this drop-down, select the private key imported together with that certificate in
Section 5.1.
Chain: If necessary, select the intermediate certificate(s) imported in Section 5.2 so that
clients receive the complete chain.
Click the Add button to confirm the certificate and private key pair.
Options List: Under Available Options, select both 'No SSLv2' and 'No SSLv3' to disable these
protocol versions (they are protocol versions rather than ciphers; both are broken and must
not be negotiated). Review the Ciphers setting as well so that only strong cipher suites are
offered to clients.
Click the Finished button to save this client SSL profile.
6. Publishing The Silverback Website
Now that the F5 BIG-IP APM has its networks configured, we tell it where Silverback exists on
the internal network and build the elements required to publish it via the F5 BIG-IP APM.
6.1. Silverback Nodes, Pools and Virtual Servers
6.1.1. Building the Silverback Node
A 'Node' on an F5 BIG-IP APM represents a server on your network that provides a service; in
this instance it is the Silverback server hosting the Silverback website.
Log into the F5 BIG-IP APM Configuration Utility.
Navigate to Local Traffic → Nodes.
Click the Create button and input the following details for the Silverback node:
Name: The 'friendly name' under which the F5 BIG-IP APM will reference the node.
Description: A description of the node.
Address: The Silverback server's internal address, specified as either an IP address or an
FQDN.
Click the Finished button; node-level health monitors are not covered at this stage.
6.1.2. Building the Silverback Pool
A 'Pool' on an F5 BIG-IP APM groups one or more servers (pool members) across which traffic is
distributed by a load balancing method such as Round Robin.
Log into the F5 BIG-IP APM Configuration Utility.
Navigate to Local Traffic → Pools.
Click the Create button and input the following details for the Silverback pool:
Name: The 'friendly name' under which the F5 BIG-IP APM will reference the pool (the virtual
server in Section 6.1.3 uses SilverbackMDM_Pool).
Description: A description of the Silverback pool.
Health Monitors: Select 'https' so the F5 BIG-IP APM checks that the Silverback website is
responding before sending traffic to it.
Load Balancing Method: Ensure this is set to 'Round Robin'.
New Members: Select Node List and choose the Silverback node created in Section 6.1.1.
Change the Service Port to 443 and click Add.
Click the Finished button.
6.1.3. Configuring the Silverback Virtual Server
A 'Virtual Server' is the listener on the F5 BIG-IP APM that accepts incoming requests. It is
the address and port on which the Internet reaches Silverback, and from which traffic is
passed through to the Silverback server.
Log into the F5 BIG-IP APM Configuration Utility.
Navigate to Local Traffic → Virtual Servers.
Click the Create button and input the following details for the Silverback virtual server:
General Properties:
Name: The 'friendly name' under which the F5 BIG-IP APM will reference the virtual server.
Description: A description of the Silverback virtual server.
Type: Standard.
Source Address: 0.0.0.0/0, as the source is the Internet.
Destination Address: The address on which the F5 BIG-IP APM listens for Silverback traffic.
This is an address on the external network (the one your public Silverback DNS name resolves
to, or that your perimeter firewall forwards to), not the Silverback server's internal
address, which is reached through the pool.
Service Port: 443 (HTTPS).
Notify Status to Virtual Address: Enabled.
State: Enabled.
Configuration:
Configuration: Advanced.
Protocol: TCP
Protocol Profile (Client): tcp
Protocol Profile (Server): (Use Client Profile)
HTTP Profile: http
SSL Profile (Client): silverbackmdm_ssl (created in Section 5.3); this terminates the client's
TLS session on the F5.
SSL Profile (Server): serverssl; this re-encrypts the connection from the F5 to IIS on the
Silverback server, so traffic on the internal network is not passed in clear text.
VLAN and Tunnel Traffic: Enabled on…
VLANs and Tunnels: external
Source Address Translation: Auto Map. The Silverback server then sees the F5's internal self IP
as the client address; the real client address remains available to the iRule in Section 6.2
and in the F5 logs. If Silverback's own logs need it, enable 'Insert X-Forwarded-For' in the
HTTP profile.
Resources:
Default Pool: SilverbackMDM_Pool (created in Section 6.1.2)
Click the Finished button.
6.2. Protecting the Silverback Website using F5 BIG-IP iRules®
The F5 BIG-IP iRule feature lets an administrator attach a script to a virtual server that
inspects and manipulates both inbound requests and outbound responses.
We use it to 'lock down' the Silverback management interface: an iRule, together with an F5
BIG-IP 'Data Group List' of permitted source addresses, allows the administrative paths
(/admin, /syncadmin and /ssp) only from those addresses, rejects requests for paths that are
not part of Silverback, and strips identifying headers from responses.
6.2.1. Creating a F5 BIG-IP Data Group List
An F5 BIG-IP Data Group List is a named lookup table, here a list of IP addresses or networks,
that an iRule can reference by name. Keeping the addresses out of the iRule means the allowed
list can be changed without editing the rule.
Log into the F5 BIG-IP APM Configuration Utility.
Navigate to Local Traffic → iRules → Data Group Lists.
Click the Create button.
General Properties
Name: The name of the Data Group List you are creating. The iRule in the Appendix expects it
to be called sb_admin.
Type: Change this to Address.
Records
Address: Enter each IP address (or network in CIDR notation) that is permitted to reach the
administrative paths.
Value: Leave this blank.
Click Add after each entry.
Click 'Finished' once all addresses have been added.
6.2.2. Creating the F5 BIG-IP iRule®
With the Data Group List in place, create the iRule that references it.
Log into the F5 BIG-IP APM Configuration Utility.
Navigate to Local Traffic → iRules → iRule List.
Click the Create button.
Properties
Name: The name of your iRule.
Definition: The iRule itself (please see the Appendix for the supplied iRule).
Click Finished to save your iRule. The editor validates the Tcl syntax on save; if the text
pasted from the Appendix fails validation, check for characters altered by the copy, such as
curly quotes or missing braces.
6.2.3. Applying the F5 BIG-IP iRule® to the Silverback Virtual Server
Log into the F5 BIG-IP APM Configuration Utility.
Navigate to Local Traffic → Virtual Servers.
Click on the virtual server created in Section 6.1.3.
Click on the Resources display option.
Under iRules click Manage.
In the Available list, select the iRule created in Section 6.2.2 and click the '<<' button to
enable it for the virtual server.
Click Finished to apply your iRule to the Silverback virtual server.
Verify the result before going live: from an address that is not in the sb_admin list, a
request for /admin/ must be refused while /mdm/ is still served; from a listed address,
/admin/ must be reachable.
7. Appendix
7.1. Silverback Admin Access F5 BIG-IP iRule®
This iRule references a Data Group List called 'sb_admin' containing the IP addresses permitted
to reach the /admin, /syncadmin and /ssp portions of the Silverback website. Any path that is
not in its list of known Silverback paths is rejected, and the HTTP_RESPONSE event strips the
Server, X-Powered-By and Date headers from responses. Take care when cutting and pasting the
iRule: quotes and braces must survive the copy unchanged.
Two cautions. First, the path is matched exactly as the client sent it, whereas IIS
percent-decodes it and resolves '..' segments before routing, so a request such as
/mdm/../admin/ or /%61dmin/ is not caught by the '/admin*' pattern and must be blocked before
it reaches IIS (for example by rejecting any path containing '..' and decoding the path with
URI::decode before the match). Second, HEAD requests are dropped, so any external monitoring
that probes Silverback with HEAD must use GET instead.
when HTTP_REQUEST {
    # log local0. "Method - [HTTP::method]"
    # Drop TRACE, OPTIONS and HEAD outright. (The method name is "OPTIONS";
    # a test for "OPTION" never matches.)
    if { [HTTP::method] eq "TRACE" || [HTTP::method] eq "OPTIONS" || [HTTP::method] eq "HEAD" } {
        drop
        return
    }
    # Check the requested path (HTTP::path is the URI without the query string).
    # log local0. "Path - [HTTP::path]"
    # In a Tcl switch, "-" as the body of a pattern means "use the body of the
    # next pattern"; it is required wherever several patterns share one body.
    switch -glob [string tolower [HTTP::path]] {
        "/ssp*" {
            # Reset the request if the source IP is not in the sb_admin data group.
            # (matchclass still works; "class match" is the current equivalent.)
            if { not ([matchclass [IP::client_addr] equals sb_admin]) } {
                log local0. "Deny SSP - [IP::client_addr]"
                reject
            } else {
                # log local0. "IP [IP::client_addr]"
            }
        }
        "/admin*" -
        "/syncadmin*" {
            # Reset the request if the source IP is not in the sb_admin data group.
            if { not ([matchclass [IP::client_addr] equals sb_admin]) } {
                log local0. "Deny Admin - [IP::client_addr]"
                reject
            } else {
                # log local0. "IP [IP::client_addr]"
            }
        }
        "/" -
        "/activate*" -
        "/apps*" -
        "/checkin*" -
        "/companyhub*" -
        "/enrollmentserver*" -
        "/epic*" -
        "/integration*" -
        "/mdm*" -
        "/pfm*" -
        "/sharepoint*" -
        "/syncdata*" -
        "/syncmetadata*" -
        "/tunnel*" {
            # Known Silverback paths: allowed from any source address.
            # log local0. "Allow Access"
        }
        default {
            # Anything else is not part of Silverback: reset the request.
            log local0. "Bot - [HTTP::path]"
            reject
        }
    }
    # log local0. "-----------------"
}

when HTTP_RESPONSE {
    # Header sanitiser: remove headers that identify the back-end platform.
    HTTP::header remove Server
    HTTP::header remove X-Powered-By
    HTTP::header remove Date
}
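The following Python script is an added example and is not code from the Matrix42 guide, from F5 or from Silverback: it models the decisions that the iRule above and the sb_admin Data Group List from Section 6.2.1 make, so the allowed-address list and path rules can be exercised offline before the iRule is attached to the virtual server (Section 6.2.3). The sb_admin networks, client addresses, request lines and response headers in it are constructed for the example. It goes one step beyond the iRule as printed: the path is normalised the way IIS will route it (percent-decoded, '.' and '..' segments resolved) before the prefix match, so /mdm/../admin/ and /%61dmin/ are treated as requests for /admin/.

```python
"""Offline model of the Silverback admin-access iRule and the 'sb_admin' Data
Group List. Added example, not code from the Matrix42 guide or from F5; all
addresses and requests below are constructed."""
import fnmatch
import ipaddress
import posixpath
from urllib.parse import unquote

# Constructed stand-in for the 'sb_admin' Data Group List (type: Address).
# Address data groups accept single hosts and CIDR networks alike.
SB_ADMIN = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "203.0.113.7")]

# Methods the iRule drops before any path check.
BLOCKED_METHODS = {"TRACE", "OPTIONS", "HEAD"}

# Restricted paths (glob pattern -> log text on denial) and public paths,
# in the order the iRule's switch -glob tests them.
ADMIN_PATHS = {"/ssp*": "Deny SSP", "/admin*": "Deny Admin", "/syncadmin*": "Deny Admin"}
PUBLIC_PATHS = ("/", "/activate*", "/apps*", "/checkin*", "/companyhub*",
                "/enrollmentserver*", "/epic*", "/integration*", "/mdm*",
                "/pfm*", "/sharepoint*", "/syncdata*", "/syncmetadata*",
                "/tunnel*")

# Response headers removed by the HTTP_RESPONSE event.
STRIPPED_HEADERS = {"server", "x-powered-by", "date"}


def in_data_group(client_ip, networks=SB_ADMIN):
    """Equivalent of [matchclass [IP::client_addr] equals sb_admin]."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def normalise_path(uri):
    """Return the path as IIS will route it: query stripped, %xx decoded,
    '.' and '..' segments resolved, lower-cased. The iRule itself matches
    [HTTP::path] verbatim, which is what lets /mdm/../admin/ slip past it."""
    path = unquote(uri.split("?", 1)[0])
    norm = posixpath.normpath(path)
    norm = "/" + norm.lstrip("/")            # collapse leading '//'
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"                          # normpath drops a trailing slash
    return norm.lower()


def decide(method, uri, client_ip):
    """Mirror of the HTTP_REQUEST event: returns (action, reason), where action
    is 'drop', 'reject' or 'allow' and reason matches the iRule's log text."""
    if method.upper() in BLOCKED_METHODS:
        return ("drop", "method")
    path = normalise_path(uri)
    for pattern, denial in ADMIN_PATHS.items():
        if fnmatch.fnmatchcase(path, pattern):
            return ("allow", "admin") if in_data_group(client_ip) else ("reject", denial)
    if any(fnmatch.fnmatchcase(path, pattern) for pattern in PUBLIC_PATHS):
        return ("allow", "public")
    return ("reject", "Bot")


def sanitise_response(headers):
    """Mirror of the HTTP_RESPONSE event: drop platform-identifying headers."""
    return {k: v for k, v in headers.items() if k.lower() not in STRIPPED_HEADERS}


if __name__ == "__main__":
    # Constructed requests: (method, URI, client address)
    samples = [
        ("GET", "/mdm/checkin", "198.51.100.9"),       # device traffic, any source
        ("GET", "/admin/", "198.51.100.9"),            # admin UI from the Internet
        ("GET", "/admin/", "10.20.0.44"),              # admin UI from a listed range
        ("GET", "/Mdm/../Admin/", "198.51.100.9"),     # traversal attempt
        ("GET", "/%61dmin/", "198.51.100.9"),          # percent-encoded 'a'
        ("OPTIONS", "/mdm", "10.20.0.44"),             # blocked method
        ("GET", "/wp-login.php", "198.51.100.9"),      # scanner noise
    ]
    for method, uri, ip in samples:
        print(f"{method:7} {uri:18} {ip:14} -> {decide(method, uri, ip)}")
    print(sanitise_response({"Server": "Microsoft-IIS/8.5",
                             "X-Powered-By": "ASP.NET",
                             "Content-Type": "text/html"}))
```

Run it with a copy of your real sb_admin entries in SB_ADMIN and the addresses your administrators actually connect from; every request that the model rejects should also be refused by the F5 once the iRule is applied, and the two traversal cases show what the printed iRule alone would let through to IIS.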