Manual Chapter :
Common elements for virtual servers
Applies To:
BIG-IP AAM
- 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP APM
- 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP Link Controller
- 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP LTM
- 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP AFM
- 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP ASM
- 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Common elements for virtual servers
A virtual server represents a destination IP
address and filtering mechanism for client application traffic. A primary use of virtual
servers is to methodically distribute traffic across a pool of servers on an internal
network.
- On the Main tab, click. The Virtual Server List screen opens.
- On the Main tab, click. The Virtual Server List screen opens.
- Click the name of the virtual server you want to modify.
- In the Name column, click the name of the relevant virtual server. This displays the properties of the virtual server.
- Click the name of the virtual server, pool, or node you want to modify.
- Click Create. The New Virtual Server screen opens.
- Click Update to save the changes.
- Click Finished.
- In the Name field, type a unique name for the virtual server.
- In the Name field, type a unique name for the virtual server. For this example, type vs for ISP2.
- In the Name field, type a unique name for the virtual server. For this example, type forward_outbound.
- In the Name field, type a unique name for the virtual server. For this example, type outbound.
- In the Name field, type a unique name for the virtual server. For this example, type VS for Link Alpha.
- From the Type list, select Forwarding (IP).
- From the Type list, select Performance (Layer 4).
- From the Type list, select Standard.
- For the Type setting, verify that Standard is selected.
- From the Type list, select Message Routing.
- In the Destination Address field, type the IP address you want to use for the virtual server.
- For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. The IP address for this field needs to be on the same subnet as the external self-IP.
- In the Destination Address field, type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address for this field needs to be on the same subnet as the external self-IP.
- For the Destination setting, ensure that the Host option is enabled, and in the Address field, type the IP address specified in the traffic destined for this virtual server.
- In the Destination Address/Mask field:
  - If you want to specify a single IP address, confirm that the Host button is selected, and type the IP address in CIDR format.
  - If you want to specify multiple IP addresses, select the Address List button, and confirm that the address list that you previously created appears in the box.
  The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address or addresses for this field must be on the same subnet as the external self-IP address.
- In the Destination Address field, type the IP address for a host virtual server. This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
- In the Destination Address field, type the IP address for a host virtual server. This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address. Type a destination address in this format: 162.160.15.20.
- For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. The IP address you type must be available and not in the loopback network.
- For the Destination Address/Mask setting, confirm that the Host button is selected, and type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address you type must be available and not in the loopback network.
- In the Destination Address field, type the IP address in CIDR format, such as 0.0.0.0/0 for IPv4 or ::/0 for IPv6. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address you type must be available and not in the loopback network.
- In the Destination Address field, type the IP address for a host virtual server. The IP address you type must be available and not in the loopback network. This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
- For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. This is the address to which the FIX clients send their FIX transmissions. The IP address you type must be available and not in the loopback network.
- In the Destination Address field, type the IP address in CIDR format. This is the address to which the FIX clients send their FIX transmissions. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address you type must be available and not in the loopback network.
- For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. This address must be on a separate network available only through routing (instead of through a directly-connected network). In our example, this address is 30.1.1.10.
- In the Destination Address/Mask field, type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. This address must be on a separate network available only through routing (instead of through a directly-connected network). In our example, this address is 30.1.1.10.
- For the Destination setting, in the Address field, type 0.0.0.0 to allow all traffic to be translated.
- For a network, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
- In the Destination Address field, type an IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, to select all IP addresses, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0. To specify a network, an IPv4 address/prefix is 10.07.0.0 or 10.07.0.0/24, and an IPv6 address/prefix is ffe1::/64 or 2001:ed8:77b5::/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. For best results, F5 recommends that you enter the subnet that matches your destination server network.
- For the Destination setting Type option, select Network.
- In the Address field, type a network address, such as 192.168.30.0.
- For the Destination setting, in the Address field, type the IPv6 IP address, based on the 96-bit prefix.
- In the Destination Address field, type the IPv6 address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv6 address/prefix is 64:ff9b::/64 or 2001:ed8:77b5:2::/64.
- For the Destination setting, in the Mask field, type the subnet mask for the IPv6 IP address. For example, for an IPv6 IP address of 2002:0123:0000:0000:0000:0000::, a mask of ff:ff:ff:ff:ff:ff:: applies.
- In the Destination Address field, type the IPv6 address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv6 address/prefix is 2001:ed8:77b5:2:10:10:100:42/64 or ffe1::0020/64.
- In the Destination Address field, type the IP address for the SCTP client in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. This destination address supports the initial SCTP control connection, providing the initial handshake and transfer of valid destination addresses.
- Specify the Destination settings.
- For a host, in the Address field, type 0.0.0.0 for the virtual server address.
- For a network, in the Address field, type 0.0.0.0 for the virtual server address, and in the Mask field, type 0.0.0.0 for the mask.
- For a network, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
- For the Destination setting, select Host, and type 0.0.0.0 in the Address field.
- For a host, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
- For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. For this example, type 10.10.10.80.
- For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. For this example, type 10.20.20.80.
- In the Destination Address field, type the IP address you want to use for the virtual server. For this example, type 10.20.20.80.
- For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. For this example, type 10.10.5.5.
- In the Destination Address field, type the IP address you want to use for the virtual server. For this example, type 10.10.5.5.
- For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. For this example, type 10.10.5.6.
- In the Destination Address field, type the IP address you want to use for the virtual server. For this example, type 10.10.5.6.
- For the Destination setting, select Network, and type 0.0.0.0 in the Address field and 0.0.0.0 in the Mask field.
- For a network, in the Destination Address field, type an IPv4 or IPv6 address in CIDR format to allow all traffic to be translated. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 0.0.0.0/0, and an IPv6 address/prefix is ::/0.
- In the Destination Address field, type a wildcard network address in CIDR format, such as 0.0.0.0/0 for IPv4 or ::/0 for IPv6, to accept any traffic.
- In the Destination Address field, type 0.0.0.0 to accept any IPv4 traffic.
- In the Destination Address field, type the destination address found in the destination IP address header of specific HTTP traffic that gets mirrored to the BIG-IP passive monitoring system. For example, if client traffic is destined for the IP address 10.10.10.30, the BIG-IP passive monitoring system can listen for mirrored traffic with this destination address in its header in order to receive and analyze the mirrored traffic.
- In the Destination Address field, type 0.0.0.0/0 to translate all IPv4 traffic.
- In the Destination Address field, type ::/0 to accept any IPv6 traffic.
- For the Destination setting, select Network, and type :: in the Address field, and :: in the Mask field.
- In the Destination Address field, type ff0::1:1/128.
- For the Destination setting, in the Address field, type the network IP address that you want to use for the virtual server. The IP address you type must be available and not in the loopback network.
- In the Destination Address field, type the network IP address that you want to use for the virtual server. The IP address you type must be available and not in the loopback network.
- For the Destination setting, in the Address field, type the host IP address that you want to use for the virtual server. This is the IP address on the BIG-IP system to which inbound application traffic is destined.
- In the Destination Address field, type the host IP address that you want to use for the virtual server. This is the IP address on the BIG-IP system to which inbound application traffic is destined.
- For the Destination setting, select the type, and type an address, or an address and mask, as appropriate for your network.
- In the Destination Address/Mask field, type an address, as appropriate for your network. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
- For the Destination setting, in the Address field, type the network IP address that you want to use for the virtual server. This is the network for which inbound application traffic is destined.
- In the Destination Address field, type the network IP address that you want to use for the virtual server. This is the network for which inbound application traffic is destined.
- In the Mask field, type the netmask, such as 255.255.255.0.
- For the Destination setting, select Host and in the Address field, type the IP address for the virtual server.
- In the Destination Address field, type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
- In the Service Port field, type 53.
- In the Service Port field:
  - If you want to specify a single service port or all ports, confirm that the Port button is selected, and type or select a service port.
  - If you want to specify multiple ports other than all ports, select the Port List button, and confirm that the port list that you previously created appears in the box.
- In the Service Port field, type 1443.
- In the Service Port field, type 21 or select FTP from the list.
- In the Service Port field, type 25 or select SMTP from the list.
- In the Service Port field, type 22 or select SSH from the list.
- From the SSH Proxy Profile list, select the SSH proxy profile to attach to the virtual server.
- In the Service Port field, type 50.
- In the Service Port field, type 500 or select ISAKMP from the list.
- In the Service Port field, do one of the following:
  - Type 500 or select ISAKMP from the list to configure UDP.
  - Type 0 or select (* All Ports) from the list to configure Protocol 50 (IPsec ESP).
- In the Service Port field, type 389 or select LDAP from the list.
- In the Service Port field, type 80, or select HTTP from the list.
- In the Service Port field, type 443 or select HTTPS from the list.
- In the Service Port field, type 80 (for HTTP) or 443 (for HTTPS), or select HTTP or HTTPS from the list.
- In the Service Port field, type the port number used for the FIX message.
- In the Service Port field, type the port number used for the GTP connection. Port 2123 is the default GTP-C port, and port 2152 is the default GTP-U port.
- In the Service Port field, type 5060.
- In the Service Port field, type 3868.
- In the Service Port field, type 1723 or select PPTP from the list.
- In the Service Port field, type 69 or select TFTP from the list.
- In the Service Port field, type * or select * All Ports from the list.
- In the Service Port field, type 0. Port 0 defines a wildcard virtual server that handles all types of services. If you specify a port number, you create a port-specific wildcard virtual server. In that case, the wildcard virtual server handles traffic only for the specified port.
- In the Service Port field, type the port number for the service.
- From the Configuration list, select Advanced.
- Click the Properties tab.
- On the menu bar, from the Security menu, choose Policies.
- From the Protocol Security list, select Enabled.
- From the Profile list, select http_security. This configures the virtual server with the default HTTP protocol security profile.
- From the Anti-Fraud Profile list, select Enabled, and then from the Profile list, select the profile you created previously.
- From the menu bar, click.
- From the menu bar, click.
- Scroll to the Resources area.
- On the menu bar, click Resources.
- In the Policies area, click the Manage button.
- For the Policies setting, select the local traffic policy you created from the Available list and move it to the Enabled list.
- From the Configuration list, select Basic.
- From the Configuration list, select Advanced.
- For virtual servers only, from the Configuration list, select Advanced.
- On the Main tab, expand Local Traffic, and then click Virtual Servers, Pools, or Nodes.
- Optionally, from the OneConnect Profile list, select a custom OneConnect profile.
- From the HTTP Compression Profile list, select one of the following options:
  - httpcompression
  - wan-optimized-compression
- From the HTTP Compression Profile list, select one of the following options:
  - httpcompression
  - wan-optimized-compression
- From the Web Acceleration Profile list, select one of the following options.
  - optimized-acceleration
  - optimized-caching
  - webacceleration
  - A customized profile
- From the Web Acceleration Profile list, select one of the following options.
  - optimized-acceleration
  - optimized-caching
  - webacceleration
- From the Web Acceleration Profile list, select optimized-acceleration.
- For the SSL Profile (Client) setting, from the Available list, select clientssl, and using the Move button, move the name to the Selected list.
- For the SSL Profile (Client) and the SSL Profile (Server) settings, from the Available list, select the name of the SSL profile you previously created, and move the name to the Selected list. Using the SSL Profile (Server) setting is optional.
- For the SSL Profile (Client) setting, from the Available list, select the name of the custom Client SSL proxy profile you previously created, and using the Move button, move the name to the Selected list. To enable proxy SSL functionality, you can either:
  - Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the Proxy SSL settings.
  - Create new Client SSL and Server SSL profiles and configure the Proxy SSL settings.
  Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable proxy SSL functionality.
- For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL forward proxy profile you previously created, and using the Move button, move the name to the Selected list. To enable SSL forward proxy functionality, you can either:
  - Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
  - Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
  Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality.
- For the SSL Profile (Client) setting, in the Available box, select a profile name, and using the Move button, move the name to the Selected box.
- For the SSL Profile (Server) setting, select the serverssl-insecure-compatible profile.
- For the SSL Profile (Server) setting, select a server SSL profile.
- For the SSL Profile (Server) setting, select pcoip-default-serverssl.
- For the SSL Profile (Server) setting, from the Available list, select serverssl, and using the Move button, move the name to the Selected list.
- For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created and move the name to the Selected list.
- For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL profile you previously created and move the name to the Selected list.
- For the SSL Profile (Server) setting, from the Available list, select the name of the custom Server SSL proxy profile you previously created and move the name to the Selected list. To enable SSL proxy functionality, you can either:
  - Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the Proxy SSL settings.
  - Create new Client SSL and Server SSL profiles and configure the Proxy SSL settings.
  Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL proxy functionality.
- For the SSL Profile (Server) setting, from the Available list, select the name of the Server SSL forward proxy profile you previously created, and using the Move button, move the name to the Selected list. To enable SSL forward proxy functionality, you can either:
  - Disassociate existing Client SSL and Server SSL profiles from a virtual server and configure the SSL Forward Proxy settings.
  - Create new Client SSL and Server SSL profiles and configure the SSL Forward Proxy settings.
  Then with either option, select the Client SSL and Server SSL profiles on a virtual server. You cannot modify existing Client SSL and Server SSL profiles while they are selected on a virtual server to enable SSL forward proxy functionality.
- For the SSL Profile (Server) setting, from the Available list, select the applicable Server SSL profile names, and using the Move button, move the names to the Selected list.
- For the Stream Profile setting, select the default profile, stream.
- In the General Properties area, in the Address field, type any IP address that you want to use as long as it is available and not in the loopback network.
- From the DNS Profile list, select the profile you created to manage IPv6 to IPv4 address mapping.
- From the DNS Profile list, select dns_express.
- From the DNS Profile list, select either dns or the custom DNS profile you created for DNS Express.
- From the DNS Profile list, select the custom DNS profile you created.
- From the DNS Profile list, select a DNS Logging profile.
- From the DNS Profile list, select a custom DNS profile that is associated with a DNS Logging profile.
- From the DNS Profile list, select a DNS profile configured with an AVR sampling rate.
- From the DNS Profile list, select the profile you want to assign to the virtual server.
- From the FIX Profile list, select the FIX profile you want to assign to the virtual server.
- From the FIX Profile list, select the FIX profile you want to assign to the virtual server. In order to log FIX messages, ensure that you configure the selected FIX profile Report Log Publisher or Message Log Publisher settings, as applicable.
- Optional: If you are using SNATs on your network, from the Source Address Translation list, select SNAT.
- From the Source Address Translation list, select None.
- From the Source Address Translation list, select Auto Map.
- From the Source Address Translation list, select the appropriate translation.
- From the Source Address Translation list, select SNAT.
- From the SNAT pool list, select the name of an existing SNAT pool.
- Optional: From the SNAT pool list, select the name of an existing SNAT pool.
- From the SNAT Pool list, select None.
- In the Connection Limit field, type a number that specifies the maximum number of concurrent open connections.
- In the Connection Rate Limit field, type a number that specifies the number of new connections accepted per second for the virtual server.
- In the Resources area of the screen, for the Default Pool setting, click the Create (+) button. The New Pool screen opens.
- In the Resources area of the screen, from the Default Pool list, select the relevant pool name.
- If this type of virtual server forwards traffic to a pool, then in the Resources area of the screen, from the Default Pool list, select the relevant pool name.
- In the Resources area of the screen, from the Default Pool list, select the pool name for FIX streams. This pool is for streams that do not match your iRule(s).
- In the Resources area, from the Default Pool list, select default_gateway_pool.
- In the Resources area of the screen, from the Default Pool list, select the name of the pool you created previously. In our example, the name of this pool is external-pool.
- In the Resources area of the screen, from the Default Pool list, select the name of the pool that contains the IPv6 servers.
- For the Default Pool setting, either select an existing pool from the list, or click the Create (+) button and create a new pool.
- From the Default Pool list, select a pool name that is configured with pool members for request logging.
- In the Resources area, from the Default Pool list, select the name of the pool that you created previously.
- From the Default Pool list, select the pool that is configured for application security.
- From the Default Pool list, select the pool that is configured for the application server.
- From the Default Pool list, select the read-only pool of database servers.
- From the Default Pool list, select the pool of database servers.
- From the Default Pool list, select a pool that is configured for an HTTP/2 profile.
- From the Default Pool list, select a pool that is configured for a SPDY profile.
- From the LSN Pool list, select an LSN pool.
- In the Name field, type a unique name for the pool.
- In the Resources area, for the New Members setting, select the type of new member you are adding, then type the information in the appropriate fields, and click Add to add as many pool members as you need.
- For the HTTP Class Profiles setting, from the Available list, select a profile, and using the Move button, move the profile to the Enabled list.
- In the Resources area, for the HTTP Class Profiles setting, move the application security class that you created into the Enabled list.
- From the Classification list, select Enabled, for the BIG-IP system to enable classification for virtual servers when a policy enforcement listener is created.
- From the Policy Enforcement Profile list, select the name of the policy enforcement profile that you previously created.
- From the Diameter Endpoint Profile list, select a diameter endpoint profile you want to assign for policy enforcement. Select None if you do not want to assign a diameter endpoint profile.
- In the Description field, type a description of the virtual server.
- In the Description field, type a description of the virtual server. For example: This virtual server ensures HTTP request and response modification through the use of the service_name ICAP service.
- From the Response Adapt Profile list, select the ICAP profile that you previously created for handling HTTP responses.
- From the Request Adapt Profile list, select the ICAP profile that you previously created for handling HTTP requests.
- From the Source Address Translation list, select Auto Map. The BIG-IP system uses all of the self IP addresses as the translation addresses for the pool.
- If you configured Application Lookup or Application Filtering in your per-request policy, from the Classification Profile list, select classification_apm_swg. A per-request policy uses application filtering when it runs an Application Lookup action.
- From the Request Logging Profile list, select the profile you want to assign to the virtual server.
- From the Request Logging Profile list, select the custom request logging profile that you created earlier.
- From the Default Persistence Profile list, select source_addr. This implements simple persistence, using the default source address affinity profile.
- From the Default Persistence Profile list, select the name of the custom cookie profile you created earlier, such as mycookie_profile. This implements cookie persistence, using a custom cookie persistence profile.
- For theHTTP Profilesetting, verify that the default HTTP profile,http, is selected.
- From theHTTP Profilelist:
- If you previously created an HTTP profile, then select the profile you created.
- Otherwise, selecthttp.
- For theHTTP Connect Profilesetting, be sure to retain the default valueNone.
- If you plan to use this virtual server for proxy chaining from APM, from theHTTP Proxy Connect Profilelist, select a profile that you configured previously or selecthttp-proxy-connect.
- In the iRules area, click theManagebutton.
- In the Resources area, for theiRulessetting, from theAvailablelist, select the name of the iRule that you want to assign, and move the name into theEnabledlist.This step is optional.
- In the Resources area, for theiRulessetting, from theAvailablelist, select the name of the iRule that you want to assign, and move the name into theEnabledlist.
- In the Resources area, for theiRulessetting, from theAvailablelist, select the name of the QoE iRule that you want to assign, and move the name into theEnabledlist.
- For theiRulessetting, from theAvailablelist, select the name of the iRule that you want to assign, and move the name into theEnabledlist.For example, you can assign an application-specific iRule that allows or denies traffic based on the source IP address.
- For theiRulessetting, from theAvailablelist, select the name of the iRule that you created for remote logging, and move the name into theEnabledlist.This step is optional.
- For theiRulessetting, from theAvailablelist, select the name of the iRule that you created for the Late Binding feature and move it to theEnabledlist.The iRule enables load balancing based on the Layer-7 (FIX) fields at the head of each stream.
- For theiRulessetting, from theAvailablelist, select the name of the iRule that creates custom IPFIX logs. Move the name into theEnabledlist.
- From theHTTP Profile (Client)list, select a previously-created HTTP/2 profile for client-side traffic.
- From theHTTP Profile (Client)list, select a previously-created HTTP/2 profile for server-side traffic.
- Scroll to the Access Policy area.
- In the Access Policy area, from the Access Profile list, select the access profile that you configured earlier.
- In the API protection area, from the API Protection Profile list, select the protection profile that you configured earlier.
- In the Access Policy area, from the Per-Request Policy list, select the policy that you configured earlier.
- In the Access Policy area, for ADFS Proxy, select the Enabled check box.
- From the HTTP Profile list, select the HTTP profile you configured earlier.
- From the FTP Profile list, select an FTP ALG profile for the virtual server to use.
- From the PPTP Profile list, select a PPTP ALG profile for the virtual server to use.
- From the SIP Profile list, select a SIP ALG profile for the virtual server to use.
- From the RTSP Profile list, select an RTSP ALG profile for the virtual server to use.
- From the TFTP Profile list, select a TFTP ALG profile for the virtual server to use.
- To enable denial-of-service protection, from the DoS Protection Profile list, select Enabled, and then, from the Profile list, select the DoS profile to associate with the virtual server.
- From the Per-Request Policy list, select the per-request policy that you configured earlier.
- Scroll down to the VLAN and Tunnel Traffic setting and select Enabled on.
- For the VLANs and Tunnels setting, move the secure connectivity interface to the Selected list.
- For the VLANs and Tunnels setting, move the tunnel to the Selected list. The tunnel name must match the tunnel specified in the HTTP profile for the forward proxy virtual server. The default tunnel is http-tunnel.
- From the VLAN and Tunnel Traffic list, select Enabled on. Then, for the VLANs and Tunnels setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the Available list to the Selected list.
- From the VLAN and Tunnel Traffic list, select Enabled on.
- To enforce rules from a firewall policy on the virtual server, in the Network Firewall area, from the Enforcement list, select Enabled, then select the firewall policy to enforce from the Policy list.
- To enforce any inline rules that apply to the virtual server, and not apply a firewall policy, in the Network Firewall area, from the Enforcement list, select Inline Rules.
- To stage rules from a firewall policy on the virtual server, in the Network Firewall area, from the Staging list, select Enabled, then select the firewall policy to stage from the Policy list.
- From the SIP Profile list, select the name of the SIP profile that you previously created.
- If you want to provide connections to Java RDP clients for application access, allow Java rewriting for portal access, or support a per-app VPN connection that is configured on a mobile device, select the Application Tunnels (Java & Per-App VPN) check box. You must enable this setting to make socket connections from a patched Java applet. If your applet does not require socket connections, or only uses HTTP to request resources, this setting is not required.
- If you want to provide native integration with an OAM server for authentication and authorization, select the OAM Support check box. You must have an OAM server configured in order to enable OAM support.
- In the Access Policy area, from the Connectivity Profile list, select the connectivity profile.
- From the Connectivity Profile list, select the connectivity profile.
- From the VDI Profile list, select a VDI profile. You can select the default profile, vdi.
- In the Access Policy area, from the VDI Profile list, select a VDI profile. You can select the default profile, vdi.
- Locate the Resources area of the screen; for the Related iRules setting, from the Available list, select the name of the iRule that you want to assign and move the name to the Enabled list. This setting applies to virtual servers that reference a profile for a data channel protocol, such as FTP or RTSP.
- In the Resources area of the screen, for the iRules setting, select the name of the iRule that you want to assign and, using the Move button, move the name from the Available list to the Enabled list.
- In the Service Port field, type 554 for the service.
- Click Finished to create the pool. The screen refreshes, and reopens the New Virtual Server screen. The new pool name appears in the Default Pool list.
- From the SPDY Profile list, select spdy, or a user-defined SPDY profile.
- From the HTTP/2 Profile (Client) list, select http2, or a user-defined HTTP/2 profile. This profile is applied to client-side traffic.
- From the HTTP/2 Profile (Server) list, select http2, or a user-defined HTTP/2 profile. This profile is applied to server-side traffic.
- On the menu bar, click. The screen displays policy settings for the virtual server.
- In the IP Intelligence setting, select Enabled, and then from the Policy list, select a policy.
- To use the global Firewall NAT policy, in the Network Address Translation area, click Use Device Policy. The most specific Firewall NAT policy is applied to the context, so a policy applied at the virtual server takes precedence over a route domain policy, which takes precedence over the global policy.
- To use the route domain Firewall NAT policy, in the Network address translation area, click Use Route Domain Policy. The most specific Firewall NAT policy is applied to the context, so a policy applied at the virtual server takes precedence over a route domain policy, which takes precedence over the global policy.
- From the Policy list, select the Firewall NAT policy to apply to the context.
- From the DoS Protection Profile list, select Enabled, and then from the Profile list, select a profile.
- From the Service policy list, select the service policy.
- From the Eviction Policy list, select an eviction policy to apply to the virtual server.
- In the Log Profile setting, select Enabled. Then, select one or more profiles, and move them from the Available list to the Selected list.
- In the Log Profile setting, select Enabled. Then, select one or more profiles, and move them from the Available list to the Selected list. If you do not have a custom profile configured, select the predefined logging profile global-network to log Advanced Firewall Manager events. Note that to log global, self IP, and route domain contexts, you must enable a Publisher in the global-network profile.
- In the Log Profile setting, select Enabled. Then, select one or more profiles that log specific events to IPFIX collectors, and move them from the Available list to the Selected list. To log global, self IP, and route domain contexts, you must enable a Publisher in the global-network profile.
- In the Log Profile setting, select Disabled.
- In the Description field, type a description of the virtual server. For example: This virtual server ensures HTTP request modification through the use of the service_name ICAP service.
- In the Description field, type a description of the virtual server. For example: This virtual server ensures HTTP response modification through the use of the service_name ICAP service.
- From the Type list, select Internal.
- For the State setting, verify that the value is set to Enabled.
- From the ICAP Profile list, select the ICAP profile that you previously created for handling HTTP requests.
- From the ICAP Profile list, select the ICAP profile that you previously created for handling HTTP responses.
- From the Default Pool list, select the pool of ICAP servers that you previously created.
- From the Request Adapt Profile list, select the name of the Request Adapt profile that you previously created.
- From the Response Adapt Profile list, select the name of the Response Adapt profile that you previously created.
- From the MS SQL Profile list, select either the default or a custom MS SQL profile.
- From the Default Pool list, select the name of the HTTP server pool that you previously created.
- For the Destination setting, in the Address field, type the IP address that you want to use as a destination for client traffic destined for a pool of HTTP web servers. The IP address you type must be available and not in the loopback network.
- In the Destination Address field, type the IP address that you want to use as a destination for client traffic destined for a pool of HTTP web servers. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address you type must be available and not in the loopback network.
- From the Type list, select Performance (Layer 4).
- From the Type list, retain the default setting Standard.
- In the Source Address field, type 0.0.0.0/0 for the source address and prefix length.
- From the Protocol list, choose the protocol you want the system to use to direct traffic on this virtual server.
- From the Protocol list, select * All Protocols.
- From the Protocol list, select one of the following:
  - UDP
  - TCP
  - * All Protocols
- From the Protocol list, select one of the following:
  - UDP
  - TCP
- From the Protocol list, select one of the following:
  - UDP
  - TCP
  - SCTP
- From the Protocol list, select TCP.
- From the Protocol list, select UDP.
- From the Protocol list, select one of the following:
  - UDP
  - IPsec ESP
- From the Protocol list, select SCTP.
- From the Protocol list, select IPsec ESP.
- From the Protocol list, select one of the following:
  - IPsec ESP
  - IPsec AH
- From the IPsec ALG Profile list, select a profile.
- From the Protocol Profile (Client) list, select a predefined or user-defined profile.
- From the Protocol Profile (Client) list, select a predefined or user-defined TCP profile.
- From the Protocol Profile (Client) list, select a predefined or user-defined UDP profile.
- From the Protocol Profile (Client) list, select a predefined or user-defined SCTP profile.
- From the Protocol Profile (Client) list, select a predefined or user-defined Fast L4 profile.
- From the Protocol Profile (Client) list, select the custom Fast L4 profile you defined for low-latency FIX trading.
- Go to the FIX Profile list and select the custom FIX profile you defined for low-latency trading.
- From the Protocol Profile (Server) list, select a predefined or user-defined profile.
- From the Protocol Profile (Server) list, select a predefined or user-defined TCP profile.
- From the Source Address Translation list, select LSN.
- For the Address Translation setting, clear the Enabled check box.
- For the Address Translation setting, select the Enabled check box to enable address translation.
- Optional: If you are using NATs on your network, for the Address Translation setting, check the Enabled check box.
- For the Address Translation setting, clear the Enabled check box to implement direct server return (DSR) functionality.
- For the Port Translation setting, clear the Enabled check box.
- Scroll down to the Port Translation setting and clear the Enabled check box.
- For the Port Translation setting, clear the Enabled check box. Clearing the Enabled check box disables network address translation (NAT) functionality. If you require NAT, you must select the Enabled check box.
- From the Source Port list, select Change.
- For the NAT64 setting, select the Enabled check box.
- For the Connection Mirroring setting, select the check box. This setting only appears when the BIG-IP device is a member of a device group.
- In the Content Rewrite area, from the Rewrite Profile list, select the relevant Rewrite profile that you created.
- From the SMTPS Profile list, select the SMTPS profile that you previously created.
- From the Client LDAP Profile list, select the Client LDAP profile that you previously created.
- From the Server LDAP Profile list, select the Server LDAP profile that you previously created.
- Configure any other settings that you need.
- Locate the Partition list in the upper right area of the BIG-IP Configuration utility screen, to the left of the Log out button.
- From the Partition list, select the partition in which you want to create local traffic objects.
- From the Partition list, confirm or select partition Common.
- For the Related iRules setting, from the Available list, select the name of the iRule that you want to assign, and move the name to the Enabled list. In our example, the name of this iRule is snat-pool-select.
- In the Service Port field, type 5060 to route SIP traffic or 5061 to route TLS traffic.
- From the Application Protocol list, select SIP.
- From the Configuration list, select Advanced.
- From the Session Profile list, select a SIP session profile.
- From the Session Profile list, select a SIP session profile. For a SIP firewall configuration, you can use the sipsession-alg profile.
- From the Router Profile list, select a SIP router profile.
- From the Router Profile list, select a SIP router profile. For a SIP firewall configuration without mirroring, you can use the siprouter-alg profile. For a SIP firewall configuration with mirroring, you must use a router profile configured for mirroring.
- Complete the following steps to disable all translation functionality on the virtual server.
  - From the Source Address Translation list, select None.
  - Clear the Address Translation check box.
  - Clear the Port Translation check box.
- From the Source Address Translation list, select None.
- Clear the Address Translation check box.
- Clear the Port Translation check box.
- From the Application Protocol list, select Diameter.
- From the Session Profile list, select a Diameter session profile. You can specify a different session profile, as needed, when configuring the transport configuration that is assigned to a peer.
- From the Router Profile list, select a Diameter router profile.
- In the Name column, locate the virtual server you want to enable.
- Select the check box to the left of the virtual server name.
- Click the Enable button.
- In the Name column, locate the virtual server you want to disable.
- Click the Disable button.
- Click the Cancel button.
- Locate the State property and view the selected value.
Create another virtual server with the same IPv4 address and configuration, but select TCP from the Protocol list. Then, create two more virtual servers, configuring both with the same IPv6 address, but one with the UDP protocol and one with the TCP protocol.