Lightboard Lessons: Introducing the F5 ACI ServiceCenter
F5 and Cisco are reinvigorating the Application Centric Infrastructure (ACI) and BIG-IP joint solution to give customers L4-L7 capabilities within APIC with speed and flexibility, via the ACI App Center. As the leading SDN solution, Cisco ACI uses a policy driven, data center approach that allows IT teams to rapidly provision and scale network services. Cisco’s ACI App Center is an innovative platform enabling its technology partners to build ACI applications that simplify and enhance joint solutions. The new F5 ACI ServiceCenter is powered by the ACI AppCenter. F5’s app provides a direct, fluid, and efficient way to provision application services in ACI and BIG-IP deployments. The F5 ACI ServiceCenter runs natively in APIC, providing the administrator a single point of automation and visibility for L2-L3, plus L4-L7 infrastructures. With this solution, F5 enables enhanced ACI-to-BIG-IP visibility, network stitching capability, and application services to ACI workloads. Check out the video to learn more! Related Resources: Link to F5 ACI ServiceCenter App:https://dcappcenter.cisco.com/f5-aci-servicecenter.htmlLightboard Lessons: Device Services Clustering
In this episode of Lightboard Lessons, I cover the basics of F5’s high availability architecture called Device Services Clustering, or DSC for short. Update - step by step configuration of an example deployment shown below. So let’s take the overall theory and break make some stuff! In this article we'll add four BIG-IP devices into a peer relationship, establish 2 sync-failover device groups, establish 2 traffic groups on one of the sync failover groups, and then create some failover objects for each of the traffic groups. For each device, we’ll start by preparing them for peering. First, make sure your device certificate matches your fqdn. For each of my devices, that’s bigip_ha(n).test.local, where (n) is the device number in my lab. You can do this at System->Device Certificates->Device Certificate. I’m just using a self signed certificate for this article. Next, go to Device Management -> Devices, and click on the (Self) device as shown below In the device view, you’ll need to click Device Connectivity and set each of Config Sync, Failover Network, and Mirroring. I’m choosing my HA network for all three and foregoing a backup option, though in production you might want to consider using one. Make sure your port lockdown settings are configured to allow for your HA traffic. Allow default should be sufficient. Repeat these steps for your remaining devices. Now that the devices are all configured, let’s add some peers! For this lab, I will use device bigip_ha1 to add the other three peers. First, we supply an IP address, which I specify as the HA self IP address, and credentials. Verify the information the BIG-IP pulled in about that peer, then click finish. Repeat for the remaining devices. Now in the device list, I see all four BIG-IPs. Moving on, let’s create a a couple sync-failover groups, putting bigip_ha1/2 in the first and bigip_ha3/4 in the second. Shown below is the first, just repeat the steps for the second. After the second is created, you can see both in the device group list Next do an initial sync by selecting a device to sync to group for each failover group So at this point we have two pairs of sync-failover groups, all synced, all in the sync-only device_trust group. By default, all traffic for each sync group will now be active standby since the only floating traffic group is traffic-group-1. Let’s add a traffic group to our first sync-failover pair. Now, instead of having an active/standby pair of devices, you have an active/active pair! And if we had a third device in this failover group, and created a third traffic group, we would transition from active/active/standby to active/active/active. Cool stuff! Now if you add failover objects, you’ll notice they all add to traffic-group-1 by default. This is because the /Common partition defaults to traffic-group-1. Let’s create a specific partition for both traffic groups so we can be explicit with the traffic. Now we can add a failover object like a snatpool in each partition So now if we look at the traffic groups and select All partitions, we can see that each traffic group has two failover objects (the two snat addresses we added to the snat pools.) And if we click into one of them, we can see the actual failover objects attached to that traffic group. This is just the tip of the iceberg, there is plenty more to cover on the failover methods, which we will touch on next week. Resources Configuring BIG-IP Local Traffic Manager (LTM)Lightboard Lessons: What is a TLS Cipher Suite?
When a web client (Internet browser) connects to a secure website, the data is encrypted. But, how does all that happen? And, what type of encryption is used? And, how does the Internet browser know what type of encryption the web server wants to use? This is all determined by what is known as a TLS Cipher Suite. In this video, John outlines the components of a TLS Cipher Suite and explains how it all works. Enjoy! Related Resources: TLS ciphers supported on BIG-IP platforms How Certificates Use Digital Signatures - Joshua DaviesLightboard Lessons: What is "The Cloud"?
"The Cloud" is an often misunderstood term, but it's an important part of web application delivery today. Cloud providers can deliver significant advantages (cost, security, performance, etc) over traditional hosted environments. This video outlines the basics of the cloud and discusses why it might be beneficial to move your applications to the cloud. Look for more cloud-related videos in the future as well...enjoy! Related Resources: BIG-IP in the public cloud DevCentral Cloud ResourcesLightboard Lessons: Remote Desktop Solution Using BIG-IP APM and Remote Spark
The Microsoft Remote Desktop Protocol (RDP) is used by many people who want to remotely connect to desktops, printers, servers, etc.One of the issues with this is that each machine has to install a proprietary remote desktop client software to make the connection happen.These types of solutions introduce many security vulnerabilities and configuration complexities. Just last month, a critical Remote Desktop Services Remote Code Execution Vulnerability was introduced (CVE-2019-0708).In addition to that critical vulnerability, a CVE database search shows that 26 other vulnerabilities exist in with Microsoft RDP solutions dating back to 2002. Remote Spark developed the SparkView gateway to "translate" the proprietary RDP protocol to HTML5 using WebSockets for data transport and JavaScript for client logic.Using Spark View for translation and BIG-IP APM (and optionally LTM as well), you can gain access to remote services using any Internet browser that is HTML5 capable (which all modern browsers are). Imagine you have a big class of remote students and they all need access to remote desktop services.Instead of loading a bunch of proprietary client software on all their machines, you can now tell them to simply access a website with their Internet browser, and they are up and running!Check out the video below to learn more. Related Resources: HTML5 Solution - one ultimate solution for all OS and devicesLightboard Lesson: What is vCMP?
F5's Virtual Clustered Multiprocessing, or vCMP for short, is virtualization technology that couples a custom hypervisor running on the BIG-IP host with a hardware-specific scalable number of guest virtual machines running TMOS. This article wraps a short series of Lightboard Lessons Jason filmed to introduce the high level vCMP concepts. What is vCMP? In this first video, Jason covers the differences between multi-tenancy and virtualization and discusses how the vCMP system works. vCMP Guest Networking and High Availability In part 2, Jason covers the great flexibility in guest provisioning, guest networking concepts, and a high availability overview for guests versus chassis. vCMP Security (coming soon!) In part 3, Jason concludes the series with a discussion on network security, guest deployment security, and secure memory management. Resources vCMP Admin (appliances) vCMP Admin (VIPRION) VIPRION Systems: Configuration K15930: Overview of vCMP configuration considerations K16947: Best practices for the HA group feature K14088: vCMP host and compatible guest matrix K14218: vCMP guest memory/CPU core allocation matrix K14727: BIG-IP vCMP hosts and guests configuration optionsLightboard Lessons: Kerberos Authentication on BIG-IP Access Policy Manager
In this third and final Lightboard Lesson on the Kerberos Authentication Protocol, Jason Rahm transitions from the protocol itself to the implementation strategy on BIG-IP Access Policy Manager. Resources Kerberos Basic Authentication (Lightboard Lesson) Kerberos Delegation & Protocol Transition (Lightboard Lesson) How Kerberos Works Active Directory Security Risk #101: Kerberos Unconstrained Delegation Understanding Kerberos Double HopLightboard Lessons: What is OpenShift?
The OpenShift Container Platform from RedHat is a platform as a service leveraging Docker and Kubernetes to provide app developers an easy button for application management, deployment, and scale. In this episode of Lightboard Lessons, Jason Rahm builds on his earlier videos on Docker and Kubernetes to discuss the value-added building blocks that OpenShift brings to the container table. Resources What are Containers? (video) What is Kubernetes? (video) What is Kubernetes? (DevCentral Basics article) Introduction to F5 Container Ingress ServicesLightboard Lessons: SSL Outbound Visibility
You’ve been having trouble sleeping because of the SSL visibility problem with all the fancy security tools that don’t do decryption. Put down that ambien, because this Lightboard Lesson solves it. In episode, David Holmes diagrams the Right Way (tm) to decrypt and orchestrate outbound SSL traffic, improving SSL visibility, decreasing failures and improving network performance.Lightboard Lessons: Silverline Architecture
In this edition of Lightboard Lessons, I cover the architectural overview of F5’s Silverline managed security services proxy and routed modes. The granular details of the scrubbing center architecture, as well as the overall DDoS and WAF architectures, are available via the links below. Resources Silverline DDoS Architecture Silverline WAF Architecture Silverline Threat Intelligence Technorati Tags: security, silverline, lightboard lessons
