Manual Chapter: Additional tasks for isolated guests in Appliance mode
Applies To:
BIG-IP AAM
- 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP APM
- 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP LTM
- 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP AFM
- 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP DNS
- 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
BIG-IP ASM
- 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
Additional tasks for isolated guests in Appliance mode
To ensure that guest administrators can access an isolated guest and manage the BIG-IP® software within the guest, you must create the isolated guest with Appliance mode
disabled, perform some additional tasks, and then modify the guest to enable Appliance mode.
These additional tasks are:
- Creating a self IP address for guest administrators to use to access the guest, and granting tmsh access to the guest's admin user account.
- Enabling Appliance mode on the guest.
After performing these tasks, administrators for an isolated guest are restricted to using either the BIG-IP® Configuration utility or tmsh to manage BIG-IP modules within the guest (when port lockdown settings on the self IP address allow such traffic).
Preparing an isolated guest for Appliance mode
You use this task to prepare an isolated guest to operate in Appliance mode.
Specifically, you use this task to:
- Grant access to the Traffic Management Shell (tmsh) for the admin user account within a vCMP guest. Because the admin user for an isolated guest in Appliance mode is restricted to using tmsh, you must first grant the admin account permission to use tmsh. By default, the admin account for a guest has no access to tmsh.
- Create a self IP address for guest administrators to use to access the guest. This is necessary because an isolated guest is not connected to the management network and therefore has no management IP address assigned to it.
You perform this task by
accessing the guest from the vCMP host.
- From the vCMP host, access the Bash shell by typing vconsole guest_name. For example, you can type vconsole guest_A. The system prompts you to enter a user name and password.
- Type the root account and the password default. The system logs you into the guest and displays the guest's system prompt.
- Type the following command:
  tmsh modify auth user admin shell tmsh
  This command grants tmsh access to the admin user account.
- Type the following command:
  tmsh create net self address ip_address/netmask vlan vlan_name allow-service default
  This creates the specified IP address on the guest and makes required adjustments to the port lockdown settings.
- At the prompt, exit the guest by typing exit.
- At the Bash prompt, log out of the Linux system by typing exit, if necessary.
- Exit the vConsole utility by typing the key sequence ctrl-]. This displays the prompt telnet>.
- Type q.
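A pre-flight check for the two preparation steps above, as an added example that is not part of the F5 manual: because Appliance mode denies the root account and the Bash shell, it confirms that the admin account has tmsh and that at least one self IP allows the default services before the mode is enabled. The function names, object names and sample text are assumptions constructed for illustration; the sample imitates the brace-delimited layout of tmsh list output.

```shell
#!/bin/sh
# Pre-flight check before enabling Appliance mode on an isolated vCMP guest.
# CONSTRUCTED sample text, modelled on `tmsh list` output (an assumption).
SAMPLE_USER='auth user admin {
    description "Admin User"
    shell tmsh
}'
SAMPLE_SELF='net self guest_admin_self {
    address 192.0.2.10/24
    allow-service {
        default
    }
    vlan admin_vlan
}
net self data_self {
    address 198.51.100.10/24
    vlan data_vlan
}'

# Succeeds only if the admin stanza carries the line "shell tmsh".
admin_has_tmsh() {
    printf '%s\n' "$1" | awk '
        $1 == "auth" && $2 == "user" { in_admin = ($3 == "admin"); next }
        $0 == "}" { in_admin = 0 }
        in_admin && $1 == "shell" && $2 == "tmsh" { found = 1 }
        END { exit !found }'
}

# Prints the name of each self IP whose allow-service setting lists "default".
self_ips_allowing_default() {
    printf '%s\n' "$1" | awk '
        $1 == "net" && $2 == "self" { name = $3; in_as = 0; next }
        $1 == "allow-service" && $2 == "default" { print name; next }
        $1 == "allow-service" && $2 == "{" { in_as = 1; next }
        in_as && $1 == "}" { in_as = 0; next }
        in_as && $1 == "default" { print name }'
}

# Prints READY, or one BLOCKER line per missing prerequisite.
preflight() {
    rc=0
    admin_has_tmsh "$1" || { echo "BLOCKER: admin has no tmsh shell"; rc=1; }
    [ -n "$(self_ips_allowing_default "$2")" ] ||
        { echo "BLOCKER: no self IP with allow-service default"; rc=1; }
    [ "$rc" -eq 0 ] && echo "READY"
    return "$rc"
}

preflight "$SAMPLE_USER" "$SAMPLE_SELF"
```

On a guest, pass the output of tmsh list auth user admin and tmsh list net self as the two arguments instead of the sample strings.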
Enabling Appliance mode on an isolated guest
You use this task to enable Appliance mode on an existing guest that is isolated from
the management network.
You can perform this task while the guest is in the Deployed or Provisioned state; there is no need to set the guest state to Configured prior to performing this task.
- Use a browser to log in to the vCMP host, using the primary cluster management IP address.
- On the Main tab, click. This displays a list of guests on the system.
- In the Name column, click the name of the guest that you want to modify. This displays the configured properties of the guest.
- For the Appliance Mode setting, select the check box. When you enable Appliance Mode for an isolated guest, the system enhances security by denying access to the root account and the Bash shell for all guest administrators.
- Click Update.
The guest is now running in Appliance mode. All guest administrators are restricted to using the BIG-IP Configuration utility and tmsh to manage the guest.