Manual Chapter : Common elements for virtual servers

Applies To:

BIG-IP AAM

  • 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP APM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP Link Controller

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP LTM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP AFM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP ASM

  • 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

A virtual server represents a destination IP address and filtering mechanism for client application traffic. A primary use of virtual servers is to methodically distribute traffic across a pool of servers on an internal network.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. On the Main tab, click Carrier Grade NAT > Virtual Servers.
    The Virtual Server List screen opens.
  3. Click the name of the virtual server you want to modify.
  4. In the Name column, click the name of the relevant virtual server.
    This displays the properties of the virtual server.
  5. Click the name of the virtual server, pool, or node you want to modify.
  6. Click Create.
    The New Virtual Server screen opens.
  7. Click Update to save the changes.
  8. Click Finished.
  9. In the Name field, type a unique name for the virtual server.
  10. In the Name field, type a unique name for the virtual server.
    For this example, type vs for ISP2.
  11. In the Name field, type a unique name for the virtual server.
    For this example, type forward_outbound.
  12. In the Name field, type a unique name for the virtual server.
    For this example, type outbound.
  13. In the Name field, type a unique name for the virtual server.
    For this example, type VS for Link Alpha.
  14. From the Type list, select Forwarding (IP).
  15. From the Type list, select Performance (Layer 4).
  16. From the Type list, select Standard.
  17. For the Type setting, verify that Standard is selected.
  18. From the Type list, select Message Routing.
  19. In the Destination Address field, type the IP address you want to use for the virtual server.
  20. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server.
    The IP address for this field needs to be on the same subnet as the external self-IP.
  21. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    The IP address for this field needs to be on the same subnet as the external self-IP.
  22. For the Destination setting, ensure that the Host option is enabled, and in the Address field, type the IP address specified in the traffic destined for this virtual server.
  23. In the Destination Address/Mask field:
    • If you want to specify a single IP address, confirm that the Host button is selected, and type the IP address in CIDR format.
    • If you want to specify multiple IP addresses, select the Address List button, and confirm that the address list that you previously created appears in the box.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    The IP address or addresses for this field must be on the same subnet as the external self-IP address.
  24. In the Destination Address field, type the IP address for a host virtual server.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  25. In the Destination Address field, type the IP address for a host virtual server.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
    Type a destination address in this format: 162.160.15.20.
  26. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server.
    The IP address you type must be available and not in the loopback network.
  27. For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    The IP address you type must be available and not in the loopback network.
  28. In the Destination Address field, type the IP address in CIDR format, such as 0.0.0.0/0 for IPv4 or ::/0 for IPv6.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    The IP address you type must be available and not in the loopback network.
  29. In the Destination Address field, type the IP address for a host virtual server.
    The IP address you type must be available and not in the loopback network.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  30. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. This is the address to which the FIX clients send their FIX transmissions.
    The IP address you type must be available and not in the loopback network.
  31. In the Destination Address field, type the IP address in CIDR format. This is the address to which the FIX clients send their FIX transmissions.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    The IP address you type must be available and not in the loopback network.
  32. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server.
    This address must be on a separate network available only through routing (instead of through a directly-connected network).
    In our example, this address is 30.1.1.10.
  33. In the Destination Address/Mask field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    This address must be on a separate network available only through routing (instead of through a directly-connected network).
    In our example, this address is 30.1.1.10.
  34. For the Destination setting, in the Address field, type 0.0.0.0 to allow all traffic to be translated.
  35. For a network, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
  36. In the Destination Address field, type an IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, to select all IP addresses, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0. To specify a network, an IPv4 address/prefix is 10.07.0.0 or 10.07.0.0/24, and an IPv6 address/prefix is ffe1::/64 or 2001:ed8:77b5::/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    For best results, F5 recommends that you enter the subnet that matches your destination server network.
  37. For the Destination setting Type option, select Network.
  38. In the Address field, type a network address, such as 192.168.30.0.
  39. For the Destination setting, in the Address field, type the IPv6 IP address, based on the 96-bit prefix.
  40. In the Destination Address field, type the IPv6 address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv6 address/prefix is 64:ff9b::/64 or 2001:ed8:77b5:2::/64.
  41. For the Destination setting, in the Mask field, type the subnet mask for the IPv6 IP address.
    For example, for an IPv6 IP address of 2002:0123:0000:0000:0000:0000::, a mask of ff:ff:ff:ff:ff:ff:: applies.
  42. In the Destination Address field, type the IPv6 address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv6 address/prefix is 2001:ed8:77b5:2:10:10:100:42/64 or ffe1::0020/64.
  43. In the Destination Address field, type the IP address for the SCTP client in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    This destination address supports the initial SCTP control connection, providing the initial handshake and transfer of valid destination addresses.
  44. Specify the Destination settings.
    • For a host, in the Address field, type 0.0.0.0 for the virtual server address.
    • For a network, in the Address field, type 0.0.0.0 for the virtual server address, and in the Mask field, type 0.0.0.0 for the mask.
  45. For a network, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
  46. For the Destination setting, select Host, and type 0.0.0.0 in the Address field.
  47. For a host, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
  48. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server.
    For this example, type 10.10.10.80.
  49. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server.
    For this example, type 10.20.20.80.
  50. In the Destination Address field, type the IP address you want to use for the virtual server.
    For this example, type 10.20.20.80.
  51. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server.
    For this example, type 10.10.5.5.
  52. In the Destination Address field, type the IP address you want to use for the virtual server.
    For this example, type 10.10.5.5.
  53. For the Destination setting, in the Address field, type the IP address you want to use for the virtual server.
    For this example, type 10.10.5.6.
  54. In the Destination Address field, type the IP address you want to use for the virtual server.
    For this example, type 10.10.5.6.
  55. For the Destination setting, select Network, and type 0.0.0.0 in the Address field and 0.0.0.0 in the Mask field.
  56. For a network, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
  57. In the Destination Address field, type a wildcard network address in CIDR format, such as 0.0.0.0/0 for IPv4 or ::/0 for IPv6, to accept any traffic.
  58. In the Destination Address field, type 0.0.0.0 to accept any IPv4 traffic.
  59. In the Destination Address field, type the destination address found in the destination IP address header of specific HTTP traffic that gets mirrored to the BIG-IP passive monitoring system.
    For example, if client traffic is destined for the IP address 10.10.10.30, the BIG-IP passive monitoring system can listen for mirrored traffic with this destination address in its header in order to receive and analyze the mirrored traffic.
  60. In the Destination Address field, type 0.0.0.0/0 to translate all IPv4 traffic.
  61. In the Destination Address field, type ::/0 to accept any IPv6 traffic.
  62. For the Destination setting, select Network, and type :: in the Address field, and :: in the Mask field.
  63. In the Destination Address field, type ff0::1:1/128.
  64. For the Destination setting, in the Address field, type the network IP address that you want to use for the virtual server.
    The IP address you type must be available and not in the loopback network.
  65. In the Destination Address field, type the network IP address that you want to use for the virtual server.
    The IP address you type must be available and not in the loopback network.
  66. For the Destination setting, in the Address field, type the host IP address that you want to use for the virtual server.
    This is the IP address on the BIG-IP system to which inbound application traffic is destined.
  67. In the Destination Address field, type the host IP address that you want to use for the virtual server.
    This is the IP address on the BIG-IP system to which inbound application traffic is destined.
  68. For the Destination setting, select the type, and type an address, or an address and mask, as appropriate for your network.
  69. In the Destination Address/Mask field, type an address, as appropriate for your network.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
  70. For the Destination setting, in the Address field, type the network IP address that you want to use for the virtual server.
    This is the network for which inbound application traffic is destined.
  71. In the Destination Address field, type the network IP address that you want to use for the virtual server.
    This is the network for which inbound application traffic is destined.
  72. In the Mask field, type the netmask, such as 255.255.255.0.
  73. For the Destination setting, select Host and in the Address field, type the IP address for the virtual server.
  74. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
  75. In the Service Port field, type 53.
  76. In the Service Port field:
    • If you want to specify a single service port or all ports, confirm that the Port button is selected, and type or select a service port.
    • If you want to specify multiple ports other than all ports, select the Port List button, and confirm that the port list that you previously created appears in the box.
  77. In the Service Port field, type 1443.
  78. In the Service Port field, type 21 or select FTP from the list.
  79. In the Service Port field, type 25 or select SMTP from the list.
  80. In the Service Port field, type 22 or select SSH from the list.
  81. From the SSH Proxy Profile list, select the SSH proxy profile to attach to the virtual server.
  82. In the Service Port field, type 50.
  83. In the Service Port field, type 500 or select ISAKMP from the list.
  84. In the Service Port field, do one of the following:
    • Type 500 or select ISAKMP from the list to configure UDP.
    • Type 0 or select (* All Ports) from the list to configure Protocol 50 (IPsec ESP).
  85. In the Service Port field, type 389 or select LDAP from the list.
  86. In the Service Port field, type 80, or select HTTP from the list.
  87. In the Service Port field, type 443 or select HTTPS from the list.
  88. In the Service Port field, type 80 (for HTTP) or 443 (for HTTPS), or select HTTP or HTTPS from the list.
  89. In the Service Port field, type the port number used for the FIX message.
  90. In the Service Port field, type the port number used for the GTP connection.
    Port 2123 is the default GTP-C port, and port 2152 is the default GTP-U port.
  91. In the Service Port field, type 5060.
  92. In the Service Port field, type 3868.
  93. In the Service Port field, type 1723 or select PPTP from the list.
  94. In the Service Port field, type 69 or select TFTP from the list.
  95. In the Service Port field, type * or select * All Ports from the list.
  96. In the Service Port field, type 0.
    Port 0 defines a wildcard virtual server that handles all types of services. If you specify a port number, you create a port-specific wildcard virtual server. In that case, the wildcard virtual server handles traffic only for the specified port.
  97. In the Service Port field, type the port number for the service.
  98. From the Configuration list, select Advanced.
  99. Click the Properties tab.
  100. On the menu bar, from the Security menu, choose Policies.
  101. From the Protocol Security list, select Enabled.
  102. From the Profile list, select http_security.
    This configures the virtual server with the default HTTP protocol security profile.
  103. From the Anti-Fraud Profile list, select Enabled, and then from the Profile list, select the profile you created previously.
  104. From the menu bar, click Security > Event Logs.
  105. From the menu bar, click Security > Reporting.
  106. Scroll to the Resources area.
  107. On the menu bar, click Resources.
  108. In the Policies area, click the Manage button.
  109. For the Policies setting, select the local traffic policy you created from the Available list and move it to the Enabled list.
  110. From the Configuration list, select Basic.
  111. From the Configuration list, select Advanced.
  112. For virtual servers only, from the Configuration list, select Advanced.
  113. On the Main tab, expand Local Traffic, and then click Virtual Servers, Pools, or Nodes.
  114. Optionally, from the OneConnect Profile list, select a custom OneConnect profile.
  115. From the HTTP Compression Profile list, select one of the following options:
    • httpcompression
    • wan-optimized-compression
  116. From the HTTP Compression Profile list, select one of the following options:
    • httpcompression
    • wan-optimized-compression
  117. From the Web Acceleration Profile list, select one of the following options.
    • optimized-acceleration
    • optimized-caching
    • webacceleration
    • A customized profile
  118. From the Web Acceleration Profile list, select one of the following options.
    • optimized-acceleration
    • optimized-caching
    • webacceleration
  119. From the Web Acceleration Profile list, select optimized-acceleration.
  120. For the SSL Profile (Client) setting, from the Available list, select clientssl, and using the Move button, move the name to the Selected list.
  121. For the SSL Profile (Client) and the SSL Profile (Server) settings, from the Available list, select the name of the SSL profile you previously created, and move the name to the Selected list.
    Using the SSL Profile (Server) setting is optional.
  122. For the SSL Profile (Client) setting, from the Available list, select the name of the custom Client SSL proxy profile you previously created, and using the Move button, move the name to the Selected list.
    To enable proxy SSL functionality, you can either:
    • Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the Proxy SSL settings.
    • Create new Client SSL and Server SSL profiles and configure the Proxy SSL settings.
    Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable proxy SSL functionality.
  123. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL forward proxy profile you previously created, and using the Move button, move the name to the Selected list.
    To enable SSL forward proxy functionality, you can either:
    • Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
    • Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
    Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality.
  124. For the SSL Profile (Client) setting, in the Available box, select a profile name, and using the Move button, move the name to the Selected box.
  125. For the SSL Profile (Server) setting, select the serverssl-insecure-compatible profile.
  126. For the SSL Profile (Server) setting, select a server SSL profile.
  127. For the SSL Profile (Server) setting, select pcoip-default-serverssl.
  128. For the SSL Profile (Server) setting, from the Available list, select serverssl, and using the Move button, move the name to the Selected list.
  129. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created and move the name to the Selected list.
  130. For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL profile you previously created and move the name to the Selected list.
  131. For the SSL Profile (Server) setting, from the Available list, select the name of the custom Server SSL proxy profile you previously created and move the name to the Selected list.
    To enable SSL proxy functionality, you can either:
    • Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the Proxy SSL settings.
    • Create new Client SSL and Server SSL profiles and configure the Proxy SSL settings.
    Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL proxy functionality.
  132. For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL forward proxy profile you previously created, and using the Move button, move the name to the Selected list.
    To enable SSL forward proxy functionality, you can either:
    • Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
    • Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
    Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality.
  133. For the SSL Profile (Server) setting, from the Available list, select the applicable Server SSL profile names, and using the Move button, move the names to the Selected list.
  134. For the Stream Profile setting, select the default profile, stream.
  135. In the General Properties area, in the Address field, type any IP address that you want to use as long as it is available and not in the loopback network.
  136. From the DNS Profile list, select the profile you created to manage IPv6 to IPv4 address mapping.
  137. From the DNS Profile list, select dns_express.
  138. From the DNS Profile list, select either dns or the custom DNS profile you created for DNS Express.
  139. From the DNS Profile list, select the custom DNS profile you created.
  140. From the DNS Profile list, select a DNS Logging profile.
  141. From the DNS Profile list, select a custom DNS profile that is associated with a DNS Logging profile.
  142. From the DNS Profile list, select a DNS profile configured with an AVR sampling rate.
  143. From the DNS Profile list, select the profile you want to assign to the virtual server.
  144. From the FIX Profile list, select the FIX profile you want to assign to the virtual server.
  145. From the FIX Profile list, select the FIX profile you want to assign to the virtual server.
    In order to log FIX messages, ensure that you configure the selected FIX profile Report Log Publisher or Message Log Publisher settings, as applicable.
  146. Optional: If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
  147. From the Source Address Translation list, select None.
  148. From the Source Address Translation list, select Auto Map.
  149. From the Source Address Translation list, select the appropriate translation.
  150. From the Source Address Translation list, select SNAT.
  151. From the SNAT pool list, select the name of an existing SNAT pool.
  152. Optional: From the SNAT pool list, select the name of an existing SNAT pool.
  153. From the SNAT Pool list, select None.
  154. In the Connection Limit field, type a number that specifies the maximum number of concurrent open connections.
  155. In the Connection Rate Limit field, type a number that specifies the number of new connections accepted per second for the virtual server.
  156. In the Resources area of the screen, for the Default Pool setting, click the Create (+) button.
    The New Pool screen opens.
  157. In the Resources area of the screen, from the Default Pool list, select the relevant pool name.
  158. If this type of virtual server forwards traffic to a pool, then in the Resources area of the screen, from the Default Pool list, select the relevant pool name.
  159. In the Resources area of the screen, from the Default Pool list, select the pool name for FIX streams.
    This pool is for streams that do not match your iRule(s).
  160. In the Resources area, from the Default Pool list, select default_gateway_pool.
  161. In the Resources area of the screen, from the Default Pool list, select the name of the pool you created previously.
    In our example, the name of this pool is external-pool.
  162. In the Resources area of the screen, from the Default Pool list, select the name of the pool that contains the IPv6 servers.
  163. For the Default Pool setting, either select an existing pool from the list, or click the Create (+) button and create a new pool.
  164. From the Default Pool list, select a pool name that is configured with pool members for request logging.
  165. In the Resources area, from the Default Pool list, select the name of the pool that you created previously.
  166. From the Default Pool list, select the pool that is configured for application security.
  167. From the Default Pool list, select the pool that is configured for the application server.
  168. From the Default Pool list, select the read-only pool of database servers.
  169. From the Default Pool list, select the pool of database servers.
  170. From the Default Pool list, select a pool that is configured for an HTTP/2 profile.
  171. From the Default Pool list, select a pool that is configured for a SPDY profile.
  172. From the LSN Pool list, select an LSN pool.
  173. In the Name field, type a unique name for the pool.
  174. In the Resources area, for the New Members setting, select the type of new member you are adding, then type the information in the appropriate fields, and click Add to add as many pool members as you need.
  175. For the HTTP Class Profiles setting, from the Available list, select a profile, and using the Move button, move the profile to the Enabled list.
  176. In the Resources area, for the HTTP Class Profiles setting, move the application security class that you created into the Enabled list.
  177. From the Classification list, select Enabled, for the BIG-IP system to enable classification for virtual servers when a policy enforcement listener is created.
  178. From the Policy Enforcement Profile
    list, select the name of the policy enforcement profile that you previously created.
  179. From the
    Diameter Endpoint Profile
    list, select a Diameter endpoint profile you want to assign for policy enforcement. Select
    None
    if you do not want to assign a Diameter endpoint profile.
  180. In the
    Description
    field, type a description of the virtual server.
  181. In the
    Description
    field, type a description of the virtual server.
    For example:
    This virtual server ensures HTTP request and response modification through the use of the
    service_name
    ICAP service.
  182. From the
    Response Adapt Profile
    list, select the ICAP profile that you previously created for handling HTTP responses.
  183. From the
    Request Adapt Profile
    list, select the ICAP profile that you previously created for handling HTTP requests.
  184. From the
    Source Address Translation
    list, select
    Auto Map
    .
    The BIG-IP system uses all of the self IP addresses as the translation addresses for the pool.
  185. If you configured Application Lookup or Application Filtering in your per-request policy, from the
    Classification Profile
    list, select
    classification_apm_swg
    .
    A per-request policy uses application filtering when it runs an Application Lookup action.
  186. From the
    Request Logging Profile
    list, select the profile you want to assign to the virtual server.
  187. From the
    Request Logging Profile
    list, select the custom request logging profile that you created earlier.
  188. From the
    Default Persistence Profile
    list, select
    source_addr
    .
    This implements simple persistence, using the default source address affinity profile.
  189. For the
    HTTP Profile
    setting, verify that the default HTTP profile,
    http
    , is selected.
  190. From the
    HTTP Profile
    list:
    1. If you previously created an HTTP profile, then select the profile you created.
    2. Otherwise, select
      http
      .
  191. For the
    HTTP Connect Profile
    setting, be sure to retain the default value
    None
    .
  192. If you plan to use this virtual server for proxy chaining from APM, from the
    HTTP Proxy Connect Profile
    list, select a profile that you configured previously or select
    http-proxy-connect
    .
  193. In the iRules area, click the
    Manage
    button.
  194. In the Resources area, for the
    iRules
    setting, from the
    Available
    list, select the name of the iRule that you want to assign, and move the name into the
    Enabled
    list.
    This step is optional.
  195. In the Resources area, for the
    iRules
    setting, from the
    Available
    list, select the name of the iRule that you want to assign, and move the name into the
    Enabled
    list.
  196. In the Resources area, for the
    iRules
    setting, from the
    Available
    list, select the name of the QoE iRule that you want to assign, and move the name into the
    Enabled
    list.
  197. For the
    iRules
    setting, from the
    Available
    list, select the name of the iRule that you want to assign, and move the name into the
    Enabled
    list.
    For example, you can assign an application-specific iRule that allows or denies traffic based on the source IP address.
  198. For the
    iRules
    setting, from the
    Available
    list, select the name of the iRule that you created for remote logging, and move the name into the
    Enabled
    list.
    This step is optional.
  199. For the
    iRules
    setting, from the
    Available
    list, select the name of the iRule that you created for the Late Binding feature and move it to the
    Enabled
    list.
    The iRule enables load balancing based on the Layer-7 (FIX) fields at the head of each stream.
  200. For the
    iRules
    setting, from the
    Available
    list, select the name of the iRule that creates custom IPFIX logs. Move the name into the
    Enabled
    list.
  201. From the
    HTTP Profile (Client)
    list, select a previously created HTTP/2 profile for client-side traffic.
  202. From the
    HTTP Profile (Client)
    list, select a previously created HTTP/2 profile for server-side traffic.
  203. Scroll to the Access Policy area.
  204. In the Access Policy area, from the
    Access Profile
    list, select the access profile that you configured earlier.
  205. In the API protection area, from the
    API Protection Profile
    list, select the protection profile that you configured earlier.
  206. In the Access Policy area, from the
    Per-Request Policy
    list, select the policy that you configured earlier.
  207. In the Access Policy area, for
    ADFS Proxy
    select the
    Enabled
    check box.
  208. From the
    HTTP Profile
    list, select the HTTP profile you configured earlier.
  209. From the
    FTP Profile
    list, select an FTP ALG profile for the virtual server to use.
  210. From the
    PPTP Profile
    list, select a PPTP ALG profile for the virtual server to use.
  211. From the
    SIP Profile
    list, select a SIP ALG profile for the virtual server to use.
  212. From the
    RTSP Profile
    list, select an RTSP ALG profile for the virtual server to use.
  213. From the
    TFTP Profile
    list, select a TFTP ALG profile for the virtual server to use.
  214. To enable denial-of-service protection, from the
    DoS Protection Profile
    list, select
    Enabled
    , and then, from the
    Profile
    list, select the DoS profile to associate with the virtual server.
  215. From the
    Per-Request Policy
    list, select the per-request policy that you configured earlier.
  216. Scroll down to the
    VLAN and Tunnel Traffic
    setting and select
    Enabled on
    .
  217. For the
    VLANs and Tunnels
    setting, move the secure connectivity interface to the
    Selected
    list.
  218. For the
    VLANs and Tunnels
    setting, move the tunnel to the
    Selected
    list.
    The tunnel name must match the tunnel specified in the HTTP profile for the forward proxy virtual server. The default tunnel is
    http-tunnel
    .
  219. From the
    VLAN and Tunnel Traffic
    list, select
    Enabled on
    . Then, for the
    VLANs and Tunnels
    setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the
    Available
    list to the
    Selected
    list.
  220. From the
    VLAN and Tunnel Traffic
    list, select
    Enabled on
    .
  221. To enforce rules from a firewall policy on the virtual server, in the Network Firewall area, from the
    Enforcement
    list, select
    Enabled
    , then select the firewall policy to enforce from the
    Policy
    list.
  222. To enforce any inline rules that apply to the virtual server, and not apply a firewall policy, in the Network Firewall area, from the
    Enforcement
    list, select
    Inline Rules
    .
  223. To stage rules from a firewall policy on the virtual server, in the Network Firewall area, from the
    Staging
    list, select
    Enabled
    , then select the firewall policy to stage from the
    Policy
    list.
  224. From the
    SIP Profile
    list, select the name of the SIP profile that you previously created.
  225. If you want to provide connections to Java RDP clients for application access, allow Java rewriting for portal access, or support a per-app VPN connection that is configured on a mobile device, select the
    Application Tunnels (Java & Per-App VPN)
    check box.
    You must enable this setting to make socket connections from a patched Java applet. If your applet does not require socket connections, or only uses HTTP to request resources, this setting is not required.
  226. If you want to provide native integration with an OAM server for authentication and authorization, select the
    OAM Support
    check box.
    You must have an OAM server configured in order to enable OAM support.
  227. In the Access Policy area, from the
    Connectivity Profile
    list, select the connectivity profile.
  228. From the
    Connectivity Profile
    list, select the connectivity profile.
  229. From the
    VDI Profile
    list, select a VDI profile.
    You can select the default profile,
    vdi
    .
  230. In the Access Policy area, from the
    VDI Profile
    list, select a VDI profile.
    You can select the default profile,
    vdi
    .
  231. In the
    Service Port
    field, type
    554
    for the service.
  232. Click
    Finished
    to create the pool.
    The screen refreshes, and reopens the New Virtual Server screen. The new pool name appears in the
    Default Pool
    list.
  233. From the
    SPDY Profile
    list, select
    spdy
    , or a user-defined SPDY profile.
  234. From the
    HTTP/2 Profile (Client)
    list, select
    http2
    , or a user-defined HTTP/2 profile.
    This profile is applied to client-side traffic.
  235. From the
    HTTP/2 Profile (Server)
    list, select
    http2
    , or a user-defined HTTP/2 profile.
    This profile is applied to server-side traffic.
  236. On the menu bar, click
    Security
    Policies
    .
    The screen displays policy settings for the virtual server.
  237. In the
    IP Intelligence
    setting, select
    Enabled
    , and then from the
    Policy
    list, select a policy.
  238. To use the global Firewall NAT policy, in the Network Address Translation area, click
    Use Device Policy
    .
    The most specific Firewall NAT policy is applied to the context, so a policy applied at the virtual server takes precedence over a route domain policy, which takes precedence over the global policy.
  239. To use the route domain Firewall NAT policy, in the Network Address Translation area, click
    Use Route Domain Policy
    .
    The most specific Firewall NAT policy is applied to the context, so a policy applied at the virtual server takes precedence over a route domain policy, which takes precedence over the global policy.
  240. From the
    Policy
    list, select the Firewall NAT policy to apply to the context.
  241. From the
    DoS Protection Profile
    list, select
    Enabled
    , and then from the
    Profile
    list, select a profile.
  242. From the
    Service policy
    list, select the service policy.
  243. From the
    Eviction Policy
    list, select an eviction policy to apply to the virtual server.
  244. In the
    Log Profile
    setting, select
    Enabled
    . Then, select one or more profiles, and move them from the
    Available
    list to the
    Selected
    list.
  245. In the
    Log Profile
    setting, select
    Enabled
    . Then, select one or more profiles, and move them from the
    Available
    list to the
    Selected
    list.
    If you do not have a custom profile configured, select the predefined logging profile
    global-network
    to log Advanced Firewall Manager events. Note that to log global, self IP, and route domain contexts, you must enable a Publisher in the
    global-network
    profile.
  246. In the
    Log Profile
    setting, select
    Enabled
    . Then, select one or more profiles that log specific events to IPFIX collectors, and move them from the
    Available
    list to the
    Selected
    list.
    To log global, self IP, and route domain contexts, you must enable a Publisher in the
    global-network
    profile.
  247. In the
    Log Profile
    setting, select
    Disabled
    .
  248. In the
    Description
    field, type a description of the virtual server.
    For example:
    This virtual server ensures HTTP request modification through the use of the
    service_name
    ICAP service.
  249. In the
    Description
    field, type a description of the virtual server.
    For example:
    This virtual server ensures HTTP response modification through the use of the
    service_name
    ICAP service.
  250. From the
    Type
    list, select
    Internal
    .
  251. For the
    State
    setting, verify that the value is set to
    Enabled
    .
  252. From the
    ICAP Profile
    list, select the ICAP profile that you previously created for handling HTTP requests.
  253. From the
    ICAP Profile
    list, select the ICAP profile that you previously created for handling HTTP responses.
  254. From the
    Default Pool
    list, select the pool of ICAP servers that you previously created.
  255. From the
    Request Adapt Profile
    list, select the name of the Request Adapt profile that you previously created.
  256. From the
    Response Adapt Profile
    list, select the name of the Response Adapt profile that you previously created.
  257. From the
    MS SQL Profile
    list, select either the default or a custom MS SQL profile.
  258. From the
    Default Pool
    list, select the name of the HTTP server pool that you previously created.
  259. For the
    Destination
    setting, in the
    Address
    field, type the IP address that you want to use as a destination for client traffic destined for a pool of HTTP web servers.
    The IP address you type must be available and not in the loopback network.
  260. In the
    Destination Address
    field, type the IP address that you want to use as a destination for client traffic destined for a pool of HTTP web servers.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
    or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
    or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
    prefix.
    The IP address you type must be available and not in the loopback network.
  261. From the
    Type
    list, select
    Performance (Layer 4)
    .
  262. From the
    Type
    list, retain the default setting
    Standard
    .
  263. In the
    Source Address
    field, type
    0.0.0.0/0
    for the source address and prefix length.
  264. From the
    Protocol
    list, choose the protocol you want the system to use to direct traffic on this virtual server.
  265. From the
    Protocol
    list, select
    * All Protocols
    .
  266. From the
    Protocol
    list, select one of the following:
    • UDP
    • TCP
    • * All Protocols
  267. From the
    Protocol
    list, select one of the following:
    • UDP
    • TCP
  268. From the
    Protocol
    list, select one of the following:
    • UDP
    • TCP
    • SCTP
  269. From the
    Protocol
    list, select
    TCP
    .
  270. From the
    Protocol
    list, select
    UDP
    .
  271. From the Protocol list, select one of the following:
    • UDP
    • IPsec ESP
  272. From the
    Protocol
    list, select
    SCTP
    .
  273. From the
    Protocol
    list, select
    IPsec ESP
    .
  274. From the
    Protocol
    list, select one of the following:
    • IPsec ESP
    • IPsec AH
  275. From the
    IPsecALG Profile
    list, select a profile.
  276. From the
    Protocol Profile (Client)
    list, select a predefined or user-defined profile.
  277. From the
    Protocol Profile (Client)
    list, select a predefined or user-defined TCP profile.
  278. From the
    Protocol Profile (Client)
    list, select a predefined or user-defined UDP profile.
  279. From the
    Protocol Profile (Client)
    list, select a predefined or user-defined SCTP profile.
  280. From the
    Protocol Profile (Client)
    list, select a predefined or user-defined Fast L4 profile.
  281. From the
    Protocol Profile (Client)
    list, select the custom Fast L4 profile you defined for low-latency FIX trading.
  282. Go to the
    FIX Profile
    list and select the custom FIX profile you defined for low-latency trading.
  283. From the
    Protocol Profile (Server)
    list, select a predefined or user-defined profile.
  284. From the
    Protocol Profile (Server)
    list, select a predefined or user-defined TCP profile.
  285. From the
    Source Address Translation
    list, select
    LSN
    .
  286. For the
    Address Translation
    setting, clear the
    Enabled
    check box.
  287. For the
    Address Translation
    setting, select the
    Enabled
    check box to enable address translation.
  288. Optional: If you are using NATs on your network, for the
    Address Translation
    setting, check the
    Enabled
    check box.
  289. For the
    Address Translation
    setting, clear the
    Enabled
    check box to implement direct server return (DSR) functionality.
  290. For the
    Port Translation
    setting, clear the
    Enabled
    check box.
  291. Scroll down to the
    Port Translation
    setting and clear the
    Enabled
    check box.
  292. For the
    Port Translation
    setting, clear the
    Enabled
    check box.
    Clearing the
    Enabled
    check box disables network address translation (NAT) functionality. If you require NAT, you must select the
    Enabled
    check box.
  293. From the
    Source Port
    list, select
    Change
    .
  294. For the
    NAT64
    setting, select the
    Enabled
    check box.
  295. For the
    Connection Mirroring
    setting, select the check box.
    This setting only appears when the BIG-IP device is a member of a device group.
  296. In the Content Rewrite area, from the
    Rewrite Profile
    list, select the relevant Rewrite profile that you created.
  297. From the
    SMTPS Profile
    list, select the SMTPS profile that you previously created.
  298. From the
    Client LDAP Profile
    list, select the Client LDAP profile that you previously created.
  299. From the
    Server LDAP Profile
    list, select the Server LDAP profile that you previously created.
  300. Configure any other settings that you need.
  301. Locate the
    Partition
    list in the upper right area of the BIG-IP Configuration utility screen, to the left of the
    Log out
    button.
  302. From the
    Partition
    list, select the partition in which you want to create local traffic objects.
  303. From the
    Partition
    list, confirm or select partition
    Common
    .
  304. In the
    Service Port
    field, type
    5060
    to route SIP traffic or
    5061
    to route TLS traffic.
  305. From the
    Application Protocol
    list, select
    SIP
    .
  306. From the
    Configuration
    list, select
    Advanced
    .
  307. From the
    Session Profile
    list, select a SIP session profile.
  308. From the
    Session Profile
    list, select a SIP session profile.
    For a SIP firewall configuration, you can use the
    sipsession-alg
    profile.
  309. From the
    Router Profile
    list, select a SIP router profile.
  310. From the
    Router Profile
    list, select a SIP router profile.
    For a SIP firewall configuration without mirroring, you can use the
    siprouter-alg
    profile. For a SIP firewall configuration with mirroring, you must use a router profile configured for mirroring.
  311. Complete the following steps to disable all translation functionality on the virtual server.
    1. From the
      Source Address Translation
      list, select
      None
      .
    2. Clear the
      Address Translation
      check box.
    3. Clear the
      Port Translation
      check box.
  312. From the
    Source Address Translation
    list, select
    None
    .
  313. Clear the
    Address Translation
    check box.
  314. Clear the
    Port Translation
    check box.
  315. From the
    Application Protocol
    list, select
    Diameter
    .
  316. From the
    Session Profile
    list, select a Diameter session profile.
    You can specify a different session profile, as needed, when configuring the transport configuration that is assigned to a peer.
  317. From the
    Router Profile
    list, select a Diameter router profile.
  318. In the Name column, locate the virtual server you want to enable.
  319. Select the check box to the left of the virtual server name.
  320. Click the
    Enable
    button.
  321. In the Name column, locate the virtual server you want to disable.
  322. Click the
    Disable
    button.
  323. Click the
    Cancel
    button.
  324. Locate the
    State
    property and view the selected value.
Create another virtual server with the same IPv4 address and configuration, but select
TCP
from the
Protocol
list. Then, create two more virtual servers, configuring both with the same IPv6 address, but one with the UDP protocol and one with the TCP protocol.