Marieme
May 03, 2021

VPN SSL Users migration

Hi,

We have our F5 4000 platform that will be replaced.

We have on that platform 2000 VPN SSL users, and reverse proxy / load balancer.

I would like to have any ideas for this migration.

Could we migrate all users at the same time? How can we proceed?

Public addresses also change for the VIPs; how can we take this change into account?

Since a new F5 will be installed, could we export the UCS config file and import it on the new one?

 

Thanks for your help and for your quick reply

 

Regards

  • Marieme
    May 10, 2021

    Thank you very much for your helpful feedback and explanation.

    I will apply your recommendation then and keep you posted.

     

    Regards,

  • Hi,

     

    You can create an active/standby cluster of 4 BIG-IPs (old and new). Sync the configuration and do a failover to the new hardware.

    Later you can remove the old hardware from the cluster.

    Your users won't notice you did the failover (if the setup is done correctly).

     

    Cheers,

     

    Kees

    • Marieme

      Hi,

      Thanks for your feedback. I did not mention it, but the new cluster is on cloud Azure.

      Should we proceed the same?

      Regards

  • Hi,

     

    No you did not. Then I would create the new cluster, ssl vpn configuration. Test it with a small group of testers and then migrate all users to the new solution. (DNS change).

    I would not use a UCS backup, I would use parts of a SCF to create the virtual servers on the Azure hosted BIG-IPs.

     

    Cheers

    • Marieme

      Thanks for this reply.

      Without importing UCS, which way is the good one to import / modify VIP configuration since public IP addresses change?

       

      Regards

  • In Azure you cannot configure a public IP on the BIG-IP. Only private IPs.

    I would export the SSL VPN policy from APM. Install the same version of TMOS in Azure.

    Take a SCF backup and extract the parts of the SSL VPN Virtual server. Modify the destination IP.

    First import the Access Policy.

    On the CLI in Azure perform a

    tmsh load sys config merge from-terminal

    And paste your virtual server configuration, end with Ctrl-D.

    Cheers,

    Kees
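
The extract-and-modify step described in the reply above, as an added Python sketch that is not part of the original thread: it pulls one "ltm virtual" stanza out of SCF text, rewrites the destination IP, and lists the profiles the stanza references so they can be confirmed on the target (the Access Policy included) before the merge. The virtual server name, addresses and sample SCF are constructed for illustration, and only IPv4 destinations are handled.

```python
import re

# Constructed SCF fragment for illustration (names and addresses are made up).
SAMPLE_SCF = """\
ltm pool /Common/pool_web {
    members {
        /Common/10.0.0.5:80 { address 10.0.0.5 }
    }
}
ltm virtual /Common/vs_sslvpn {
    destination /Common/203.0.113.10:443
    ip-protocol tcp
    profiles {
        /Common/ap_sslvpn { }
        /Common/clientssl_vpn {
            context clientside
        }
        /Common/tcp { }
    }
}
"""

DEST = re.compile(r"^(\s+destination\s+(?:/\S+/)?)\d+(?:\.\d+){3}(:\w+)$", re.M)

def stanzas(scf):
    """Yield (header, text) per top-level stanza by counting braces.
    Assumes no unbalanced braces inside quoted strings (e.g. iRules)."""
    depth, start, lines = 0, None, scf.splitlines()
    for i, line in enumerate(lines):
        if depth == 0 and line.rstrip().endswith("{"):
            start = i
        depth += line.count("{") - line.count("}")
        if depth == 0 and start is not None:
            yield lines[start].rstrip(" {"), "\n".join(lines[start:i + 1])
            start = None

def migrate_virtual(scf, name, new_ip):
    """Return (stanza with new destination IP, profiles it references)."""
    for header, text in stanzas(scf):
        if header == f"ltm virtual {name}":
            text, n = DEST.subn(lambda m: m.group(1) + new_ip + m.group(2), text)
            if n != 1:
                raise ValueError("expected exactly one IPv4 destination line")
            return text, re.findall(r"(?m)^\s+(/\S+)\s+\{", text)
    raise KeyError(name)

if __name__ == "__main__":
    stanza, refs = migrate_virtual(SAMPLE_SCF, "/Common/vs_sslvpn", "10.1.1.10")
    print(stanza)
    print("Must already exist on the target:", ", ".join(refs))
```
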
