Manual Chapter : BIG-IP Installation Guide v4.1: Creating the Initial Software Configuration

Applies To:

BIG-IP versions 1.x - 4.x

  • 4.1.1 PTF-06, 4.1.1 PTF-05, 4.1.1 PTF-04, 4.1.1 PTF-03, 4.1.1 PTF-02, 4.1.1 PTF-01, 4.1.1, 4.1.0


2

Creating the Initial Software Configuration



Gathering the information

Once you install and connect the hardware, the next step in the installation process is to turn the system on and run the First-Time Boot utility. The First-Time Boot utility defines the initial configuration settings required to install the BIG-IP into the network. You can run the First-Time Boot utility remotely from a web browser, or from an SSH or Telnet client, or you can run it directly from the console.

Before you connect to the unit, we recommend that you gather the list of information outlined in the following section. Note that the screens you see are tailored to the specific hardware and software configuration that you have. For example, if you have a stand-alone system, the First-Time Boot utility skips the redundant system screens.

Once you have gathered the information and are ready to run the utility, refer to Starting the First-Time Boot utility, on page 2-10.

First-Time Boot utility settings

The following sections provide detailed information about the settings that you define in the First-Time Boot utility.

Tip: A list is provided at the end of this section where you can fill in this information. See First-Time Boot utility configuration list, on page 2-8.

Keyboard type

Select the type of keyboard you want to use with the BIG-IP. The following options are available:

  • Belgian
  • Bulgarian MIK
  • French
  • German
  • Japanese - 106 key
  • Norwegian
  • Spanish
  • Swedish
  • US + Cyrillic
  • US - Standard 101 key
  • United Kingdom

Product selection

If you are configuring a BIG-IP Cache Controller, BIG-IP FireGuard, or BIG-IP LB Controller, you must now select one of these three as your product. When you have made your selection, the features supported by that product will be enabled.

Note: You may change your product selection at a later time using the config combo command.

Warning: Once you have configured your system based on one of the three product selections (BIG-IP Cache Controller, BIG-IP FireGuard, or BIG-IP LB Controller), changing the product selection will most likely invalidate that configuration. Therefore, you need to change and update your configuration after you have rebooted the system under the new product selection.

Root password

A root password gives you command line administrative access to the BIG-IP system. The password must contain a minimum of 6 characters, but no more than 32 characters. Passwords are case-sensitive, and we recommend that your password contain a combination of upper- and lower-case characters, as well as numbers and punctuation characters. Once you enter a password, the First-Time Boot utility prompts you to confirm your root password by typing it again. If the two passwords match, your password is immediately saved. If the two passwords do not match, the First-Time Boot utility provides an error message and prompts you to re-enter your password.

Warning: The root password and keyboard selection are the only settings that are saved immediately, rather than confirmed and committed at the end of the First-Time Boot utility process. You cannot change the root password until the First-Time Boot utility completes and you reboot the BIG-IP (see the BIG-IP Reference Guide, Monitoring and Administration). Note that you can change other system settings when the First-Time Boot utility prompts you to confirm your configuration settings.

Host name

The host name identifies the BIG-IP itself. Host names must be fully qualified domain names (FQDNs). The host portion of the name must start with a letter, and must be at least two characters.

Default route

If a BIG-IP does not have a predefined route for network traffic, the unit automatically sends traffic to the IP address that you define as the default route. Typically, a default route is set to a router's IP address.

Redundant system settings

There are two types of settings you need to define for redundant systems: unit IDs, and fail-over IP addresses.

Unit IDs

The default unit ID number is 1. If this is the first unit in the redundant system, use the default. When you configure the second unit in the system, type 2. These unit IDs are used for active-active redundant configuration.

Choosing a fail-over IP address

A fail-over IP address is the IP address of the unit which will take over if the current unit fails. Type in the IP address configured on the internal interface of the other BIG-IP in the redundant pair.

Interface media settings

Configure media settings for each interface. The media type options depend on the network interface card included in your hardware configuration. The First-Time Boot utility prompts you with the settings that apply to the interface installed in the unit. The BIG-IP supports the following types:

  • auto
  • 10baseT
  • 10baseT, FDX
  • 100baseTX
  • 100baseTX, FDX
  • Gigabit Ethernet

    Note: If you do not know the correct setting for your switch or hub, you can set the media type to auto and change it later when you know the correct setting. Check your switch or hub documentation for this information.

Warning: The configuration utility lists only the network interface devices that it detects during system boot. If the utility lists only one interface device, the network adapter may have come loose during shipping. Check the LED indicators on the network adapters to ensure that they are working and are connected.

VLANs and IP addresses

You can create a new VLAN or use the default internal and external VLANs to create the BIG-IP configuration.

Determine whether you want to have security turned on for a VLAN, or off for the VLAN. Then, type the IP address settings for the VLAN. The IP address settings include:

  • Security settings
  • IP address, netmask, and broadcast
  • Floating self IP address, netmask, and broadcast

    We recommend that you set the floating self IP address as the default route for target devices, such as servers. The floating self IP address is owned by the active unit in an active/standby configuration.

    Note: The IP address of the external VLAN is not the IP address of your site or sites. The IP addresses of the sites themselves are specified by the virtual IP addresses associated with each virtual server you configure.

Interfaces assigned to VLANs

After you configure the VLANs you want to use on the BIG-IP, you can assign interfaces to the VLANs. If you use the default internal and external VLANs, we recommend that you assign at least one interface to the external VLAN, and at least one interface to the internal VLAN. The external VLAN is the one on which the BIG-IP receives connection requests. The internal VLAN is typically the one that is connected to the network of servers, firewalls, or other equipment that the BIG-IP load balances.

Primary IP address/VLAN association for host name

After you assign interfaces to VLANs, you can choose one VLAN/IP address combination as the primary IP address to associate with the unit host name.

Remote web server access

The BIG-IP web server provides the ability to set up remote web access on each VLAN. When you set up web access on a VLAN, you can connect to the web-based configuration utility through the VLAN. To enable web access, specify a fully qualified domain name (FQDN) for each VLAN. The BIG-IP web server configuration also requires that you define a user ID and password. If SSL is available, the configuration also generates authentication certificates.

The First-Time Boot utility guides you through a series of screens to set up remote web access.

  • The first screen prompts you to select the VLAN you want to configure for web access. After you select an interface to configure, the utility prompts you to type a fully qualified domain name (FQDN) for the interface. You can configure web access on one or more interfaces.
  • After you configure the interface, the utility prompts you for a user name and password. After you type a user name and password, the utility prompts you for a vendor support account. The vendor support account is not required.
  • The certification screen prompts you for country, state, city, company, and division.

Warning: If you ever change the IP addresses or host names on the BIG-IP interfaces, you must reconfigure the BIG-IP web server to reflect your new settings. You can run the re-configuration utility from the command line using the following command:

reconfig_httpd

You can also add users to the existing password file, change a password for an existing user, or recreate the password file, without actually repeating the remote web server configuration process. For more information, see the BIG-IP Reference Guide, BIG-IP Base Configuration Tools.

Warning: If you have modified the remote web server configuration outside of the configuration utility, be aware that some changes may be lost when you run the reconfig_httpd utility. This utility overwrites the httpd.conf file and openssl.conf, but does not warn you before doing so.

Time zone

Next, you need to specify your time zone. This ensures that the clock for the BIG-IP is set correctly, and that dates and times recorded in log files correspond to the time zone of the system administrator. Scroll through the list to find the time zone at your location. Note that one option may appear with multiple names. Select the time zone you want to use, and press the Enter key to continue.

DNS proxy forwarding settings

You only need to complete this step if you want machines inside your BIG-IP managed network to use DNS servers outside of that network (for example, for reverse DNS lookup from a web server).

Specify the DNS name server and domain name for DNS proxy forwarding by the BIG-IP. For more information on DNS proxy forwarding see Configuring DNS on the BIG-IP, on page 3-8.

Remote administrative access

After you configure remote web access, the First-Time Boot utility prompts you to configure remote command line access. On most BIG-IP units, the first screen you see is the Configure SSH screen, which prompts you to type an IP address for SSH command line access. If SSH is not available, you are prompted to configure access through Telnet and FTP instead.

When you configure shell access, the First-Time Boot utility prompts you to create a support account for that method. You can use this support account to provide a support engineer access to the BIG-IP.

When the First-Time Boot utility prompts you to enter an IP address for administration, you can type a single IP address or a list of IP addresses, from which the BIG-IP will accept administrative connections (either remote shell connections, or connections to the web server on the BIG-IP). To specify a range of IP addresses, you can use the asterisk (*) as a wildcard character in the IP addresses.

The following example allows remote administration from all hosts on the 192.168.2.0/24 network:

192.168.2.*

Note: For administration purposes, you can connect to the BIG-IP floating self IP address, which always connects you to the active unit in an active/standby redundant system. To connect to a specific unit, connect directly to the IP address of that BIG-IP.
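The administrative allow-list entries described above can be reviewed before they are typed into the utility. The following Python sketch is an added example, not BIG-IP code: it assumes the asterisk replaces whole trailing octets only (as in 192.168.2.*), and the sample entries and the 256-address review threshold are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges, used to flag entries that admit public addresses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def pattern_to_network(pattern):
    """Turn '192.168.2.*' or a single IPv4 address into an IPv4Network.

    Assumption: only whole-octet wildcards at the end of the address are
    modeled, as in the manual's example. Anything else raises ValueError.
    """
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError("expected four dot-separated octets")
    fixed = []
    for position, octet in enumerate(octets):
        if octet == "*":
            if any(o != "*" for o in octets[position:]):
                raise ValueError("wildcards must be trailing")
            break
        if not (octet.isascii() and octet.isdigit()) or int(octet) > 255:
            raise ValueError("bad octet %r" % octet)
        fixed.append(str(int(octet)))
    padded = fixed + ["0"] * (4 - len(fixed))
    return ipaddress.ip_network("%s/%d" % (".".join(padded), 8 * len(fixed)))


def audit_allow_list(patterns, max_hosts=256):
    """Return {pattern: [issue, ...]} for the entries that need review."""
    findings = {}
    for pattern in patterns:
        try:
            net = pattern_to_network(pattern)
        except ValueError:
            findings[pattern] = ["invalid"]
            continue
        issues = []
        if net.num_addresses > max_hosts:
            issues.append("too-broad")      # admits more hosts than the threshold
        if not any(net.subnet_of(private) for private in RFC1918):
            issues.append("non-private")    # admits addresses outside RFC 1918
        if issues:
            findings[pattern] = issues
    return findings


def is_allowed(source_ip, patterns):
    """True if source_ip falls inside any valid entry of the allow list."""
    addr = ipaddress.ip_address(source_ip)
    for pattern in patterns:
        try:
            if addr in pattern_to_network(pattern):
                return True
        except ValueError:
            continue  # unparseable entries never grant access in this model
    return False


# Constructed sample entries, not taken from a real configuration.
SAMPLE_ALLOW_LIST = ["192.168.2.*", "10.*.*.*", "203.0.113.7", "192.*.2.*"]

if __name__ == "__main__":
    for entry, issues in audit_allow_list(SAMPLE_ALLOW_LIST).items():
        print(entry, "->", ", ".join(issues))
    print("192.168.2.77 allowed:", is_allowed("192.168.2.77", ["192.168.2.*"]))
```

Entries that come back empty from the audit (here only 192.168.2.*) are the ones narrow enough to enter as written; the rest deserve a second look before they go on the worksheet.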

NTP support

You can synchronize the time on the unit to a public time server by using Network Time Protocol (NTP). NTP is built on top of TCP/IP and assures accurate, local timekeeping with reference to clocks located on the Internet. This protocol is capable of synchronizing distributed clocks, within milliseconds, over long periods of time. If you choose to enable NTP, make sure UDP port 123 is open in both directions when the unit is behind a firewall.

NameSurfer

If you have the 3-DNS module installed, you can configure NameSurfer to handle DNS zone file management for the unit. We strongly recommend that you configure NameSurfer to handle zone file management by selecting NameSurfer to be the master on the unit. If you select NameSurfer as the master, NameSurfer converts the DNS zone files on the unit and handles all changes and updates to these files. (You can access the NameSurfer application directly from the Configuration utility for the 3-DNS module).

First-Time Boot utility configuration list

The following list outlines the settings that the First-Time Boot utility prompts you to enter. For detailed information about these settings, see the previous section.

Type of keyboard

_____________________________________________

Root password for the BIG-IP

_____________________________________________

Fully qualified hostname for the BIG-IP

_____________________________________________

Default route for the BIG-IP

_____________________________________________

Redundant system settings

  • Unit ID number
    Unit 1 ____________________________________
    Unit 2 ___________________________________
  • Fail-over IP address
    Unit 1 ____________________________________
    Unit 2 ___________________________________

Interface media settings

_____________________________________________

VLANs and IP addresses

  • Use default internal and external VLANs? Yes ___ No___
  • Security settings
    Internal VLAN __________________________________
    External VLAN _________________________________
    Admin VLAN (optional) _________________________
  • IP address, netmask, and broadcast for each VLAN
    External VLAN _____-_____-_____-_____
    _____-_____-_____-_____
    _____-_____-_____-_____

    Internal VLAN _____-_____-_____-____
    _____-_____-_____-____
    _____-_____-_____-____

    Admin VLAN _____-_____-_____-____
    _____-_____-_____-____
    _____-_____-_____-____
  • Shared IP alias, netmask, and broadcast (redundant system)
    _____-_____-_____-_____
    _____-_____-_____-_____
    _____-_____-_____-_____

Assigning interfaces to VLANs

  • External VLAN _________________________________
  • Internal VLAN __________________________________
  • Admin VLAN __________________________________

Select the primary VLAN/IP address to associate with host name

_____-_____-_____-_____ on VLAN __________________

Remote administrative web access

  • External VLAN
    FQDN _________________________________________
  • Internal VLAN
    FQDN _______________________________________
  • Admin VLAN (option on some units)
    FQDN _______________________________________
  • Certificate information
    User name ____________________________________
    Password ____________________________________
    Country_______________________________________
    State _________________________________________
    City _________________________________________
    Company _____________________________________
    Division ______________________________________

Time zone

_________________________________________________

DNS forwarding proxy settings

DNS server_________________________________________

FQDN_____________________________________________

Remote administrative command line access (single IP or multiple IPs)

_____-_____-_____-_____

Configure NTP support

Public clock server(s)_______________________________

3-DNS software module settings (optional)

Configure NameSurfer
User name _______________________________________
Password ________________________________________
Set NameSurfer as master zone file_____________________

Starting the First-Time Boot utility

The First-Time Boot utility prompts you to enter the same information whether you run the utility from a web browser or from the command line. When the utility completes, we recommend that you reboot the unit. This automatically removes the default IP address and root password provided specifically for the purposes of running the First-Time Boot utility remotely. The BIG-IP replaces the default IP address and root password with the password and IP addresses that you define while running the utility.

Running the utility from the console or serial terminal

Before you can run the First-Time Boot utility from either the console or a serial terminal, you must first log in. Use the following default user name and password to log in.

Username: root

Password: default

After you log in, you can start the utility directly from the console or serial terminal by typing the command config. Once you complete the utility, we recommend that you reboot the BIG-IP.

Note: If you want to set up a terminal connection directly to the BIG-IP, see Using a serial terminal with the BIG-IP, on page 3-12.

Running the utility remotely

You can run the First-Time Boot utility remotely only from a workstation that is on the same LAN as the unit. To allow remote connections for the First-Time Boot utility, the BIG-IP comes with two pre-defined IP addresses, and a pre-defined root password. The default root password is default, and the preferred default IP address is 192.168.1.245. If this IP address is unsuitable for your network, the BIG-IP uses an alternate IP address, 192.168.245.245. However, if you define an IP alias on an administrative workstation in the same IP network as the BIG-IP, the unit detects the network of the alias and uses the corresponding default IP address.

Once the utility finishes and the system reboots, these default IP addresses and root password are replaced by the information that you entered in the First-Time Boot utility.

Setting up an IP alias for the default IP address before you start the unit

You must set up an IP alias for your remote workstation before you turn on the unit and start the First-Time Boot utility. The remote workstation must be on the same IP network as the unit. If you add this alias prior to booting up the BIG-IP, the unit detects the alias and uses the corresponding address.

To set up an IP alias for the alternate IP address

The IP alias must be in the same network as the default IP address you want the BIG-IP to use. For example, on a UNIX workstation, you might create one of the following aliases:

  • If you want the unit to use the default IP address 192.168.1.245, then add an IP alias to the machine you want to use to connect to the unit using the following command:

    ifconfig exp0 add 192.168.1.1

  • If you want to use the default IP address 192.168.245.245, then add an IP alias such as:

    ifconfig exp0 add 192.168.245.1

Warning: On Microsoft Windows® or Windows NT® machines, you must use a static IP address, not DHCP. Within the network configuration, add an IP alias in the same network as the IP in use on the unit. For information about adding a static IP address to a Microsoft Windows operating system, please refer to your vendor's documentation.

Determining which default IP address is in use

After you configure an IP alias on the administrative workstation in the same IP network as the BIG-IP and you turn the system on, the BIG-IP sends ARPs on the internal VLAN to see if the preferred 192.168.1.245 IP address is in use. If the address is appropriate for your network and is currently available, the BIG-IP assigns it to the internal VLAN. You can immediately use it to connect to the unit and start the First-Time Boot utility.

If the alternate network is present on the LAN, 192.168.245.0/24, or if the node address 192.168.1.245 is in use, then the BIG-IP assigns the alternate IP address 192.168.245.245 to the internal VLAN instead.

Starting the utility from a web browser

When you start the utility from a web browser, you use the selected default IP address as the application URL.

To start the First-Time Boot utility in a web browser

  1. Open a web browser on a workstation connected to the same IP network as the internal VLAN of the unit.
  2. Type the following URL, where <default IP> is the IP address in use on the BIG-IP internal VLAN.
    https://<default IP>
  3. At the login prompt, type root for the user name, and default for the password.
    The Configuration Status screen opens.
  4. On the Configuration Status screen, click Start Wizard.
  5. Fill out each screen using the information from the First-Time Boot utility configuration list. After you complete the First-Time Boot utility, the BIG-IP reboots and uses the new settings you defined.



    Note: You can rerun the First-Time Boot utility from a web browser at any time by clicking the First-Time Boot utility link on the home screen.

Starting the utility from the command line

You can run the command line version of the First-Time Boot utility from a remote SSH client or from a Telnet client.

To start the First-Time Boot utility from the command line

  1. Start an SSH client on a workstation connected to the same IP network as the internal VLAN of the unit. (See Downloading the SSH client to your administrative workstation, on page 3-3, for information on downloading the SSH client from the BIG-IP.)
  2. Type the following command, where <default IP> is the IP address in use on the BIG-IP internal VLAN.
    ssh <default IP>
  3. At the login prompt, type root for the user name, and default for the password.
  4. At the BIG-IP prompt, type the following command to start the command-line based First-Time Boot utility.
    config
  5. Fill out each screen using the information from the First-Time Boot utility configuration list. After you complete the First-Time Boot utility, the BIG-IP reboots and uses the new settings you defined.

    Note: You can rerun the First-Time Boot utility at any time using the config command. For more information about rerunning this utility, refer to the BIG-IP Reference Guide.