Manual Chapter : Additional tasks for isolated guests in Appliance mode

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP AFM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP DNS

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0

BIG-IP ASM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0
Manual Chapter

Additional tasks for isolated guests in Appliance mode

To ensure that guest administrators can access an isolated guest and manage the BIG-IP® software within the guest, you must create the isolated guest with Appliance mode disabled, perform some additional tasks, and then modify the guest to enable Appliance mode. These additional tasks are:
  • Creating a self IP address for guest administrators to use to access the guest, and granting
    tmsh
    access to the guest's
    admin
    user account.
  • Enabling Appliance mode on the guest.
After performing these tasks, administrators for an isolated guest are restricted to using either the BIG-IP® Configuration utility or
tmsh
to manage BIG-IP modules within the guest (when port lockdown settings on the self IP address allow such traffic).

Additional tasks for isolated guests in Appliance mode

To ensure that guest administrators can access an isolated guest and manage the BIG-IP® software within the guest, you must create the isolated guest with Appliance mode disabled, perform some additional tasks, and then modify the guest to enable Appliance mode. These additional tasks are:
  • Creating a self IP address for guest administrators to use to access the guest, and granting
    tmsh
    access to the guest's
    admin
    user account.
  • Enabling Appliance mode on the guest.
After performing these tasks, administrators for an isolated guest are restricted to using either the BIG-IP® Configuration utility or
tmsh
to manage BIG-IP modules within the guest (when port lockdown settings on the self IP address allow such traffic).

Preparing an isolated guest for Appliance mode

You use this task to prepare an isolated guest to operate in Appliance mode. Specifically, you use this task to:
  • Grant access to the Traffic Management Shell (
    tmsh
    ) for the
    admin
    user account within a vCMP guest. Because the
    admin
    user for an isolated guest in Appliance mode is restricted to using
    tmsh
    , you must first grant the
    admin
    account permission to use
    tmsh
    . By default, the
    admin
    account for a guest has no access to
    tmsh
    .
  • Create a self IP address for guest administrators to use to access the guest. This is necessary because an isolated guest is not connected to the management network and therefore has no management IP address assigned to it.
You perform this task by accessing the guest from the vCMP host.
  1. From the vCMP host, access the Bash shell by typing
    vconsole
    guest_name
    .
    For example, you can type
    vconsole guest_A
    The system prompts you to enter a user name and password.
  2. Type the
    root
    account and the password
    default
    .
    The system logs you into the guest and displays the guest's system prompt.
  3. Type the command
    tmsh modify auth user admin shell tmsh
    .
    This command grants
    tmsh
    access to the
    admin
    user account.
  4. Type the command
    tmsh create net self address
    ip_address/netmask
    vlan
    vlan_name
    allow-service default
    .
    This creates the specified IP address on the guest and makes required adjustments to the port lockdown settings.
  5. At the prompt, exit the guest by typing
    exit
    .
  6. At the Bash prompt, log out of the Linux system by typing
    exit
    , if necessary.
  7. Exit the vConsole utility by typing the key sequence
    ctrl-]
    .
    This displays the prompt
    telnet>
    .
  8. Type
    q
    .

Enabling Appliance mode on an isolated guest

You use this task to enable Appliance mode on an existing guest that is isolated from the management network.
You can perform this task while the guest is in the Deployed or Provisioned state; there is no need to set the guest state to Configured prior to performing this task.
  1. Use a browser to log in to the vCMP host, using the primary cluster management IP address.
  2. On the Main tab, click
    vCMP
    Guest List
    .
    This displays a list of guests on the system.
  3. In the Name column, click the name of the guest that you want to modify.
    This displays the configured properties of the guest.
  4. For the
    Appliance Mode
    setting, select the check box.
    When you enable
    Appliance Mode
    for an isolated guest, the system enhances security by denying access to the
    root
    account and the
    Bash
    shell for all guest administrators.
  5. Click
    Update
    .
The guest is now running in Appliance mode. All guest administrators are restricted to using the BIG-IP Configuration utility and
tmsh
to manage the guest.