Applies To:
BIG-IP versions 1.x - 4.x
- 4.1.1 PTF-06, 4.1.1 PTF-05, 4.1.1 PTF-04, 4.1.1 PTF-03, 4.1.1 PTF-02, 4.1.1 PTF-01, 4.1.1, 4.1.0
6
BIG-IP Base Configuration Tools
Introducing the BIG-IP base configuration tools
The BIG-IP includes a set of special tools for configuring the software itself, or its redundant partner, as opposed to the larger network. One of these tools, config, you will normally run when the unit is first installed as part of the installation procedure. You may also use config, as well as the other special configuration utilities, to change existing settings at any time.
The following configuration utilities are available on the BIG-IP:
- config
This utility is also known as the First-Time Boot utility. This utility runs all the other utilities required to configure or reconfigure the BIG-IP, including most of the utilities in this list.
- config combo
Use this utility to select the feature set you want to use on the combined product platform. You can choose from the following feature sets: BIG-IP Load Balancer, BIG-IP Cache Controller, or BIG-IP FireGuard Controller.
- config dns
Use this utility to configure or reconfigure an optional DNS proxy.
- config ftpd
Use this utility to configure or reconfigure FTP.
- config httpd
Use this utility to reconfigure the web server on the BIG-IP.
- config password
Use this utility to change your password.
- config redundant
Use this utility to configure or reconfigure redundant system settings.
- config remote
Use this utility to prepare a new redundant system for remote access. This utility also prepares the BIG-IP for the commands that synchronize redundant units.
- config rshd
Use this utility to configure or reconfigure RSH.
- config sshd
Use this utility to configure or reconfigure SSH.
- config telnetd
Use this utility to configure or reconfigure Telnet and FTP.
- config timezone
Use this utility to set or change your time zone.
config
This utility starts automatically the first time you boot up a BIG-IP. The config utility, referred to as the First-Time Boot utility, is a wizard that walks you through a brief series of required configuration tasks. These tasks include defining a root password and configuring IP addresses for the interfaces. You can also run the First-Time Boot utility to reconfigure a BIG-IP.
The First-Time Boot utility is organized into three phases: configure, confirm, and commit.
When using the config utility, you first configure all of the required information, then you have the opportunity to confirm each individual setting or correct it if necessary, and finally your confirmed settings are committed and saved to the system. Note that the screens you see are tailored to the specific hardware and software configuration that you have.
If you have a stand-alone system, for example, the First-Time Boot utility skips the redundant system screens.
To run the First-Time Boot utility, type in the following command:
config
Selecting a keyboard
Select the type of keyboard you want to use with the BIG-IP. The following options are available:
- Belgian
- Bulgarian MIK
- French
- German
- Japanese - 106 key
- Norwegian
- Spanish
- Swedish
- US + Cyrillic
- US - Standard 101 key
- United Kingdom
Product selection
If you are configuring a BIG-IP Cache Controller, FireGuard, or Load Balancer, you must now select one of these three as your product. When you have made your selection, the features supported by that product will be enabled.
Note: You may change your product selection at a later time using the config combo command.
Warning: Once you have configured your system based on one of the three product selections (BIG-IP Cache Controller, FireGuard, or Load Balancer), changing the product selection will most likely invalidate that configuration. Therefore you will need to change and update your configuration after you have rebooted the system under the new product selection.
Defining a root password
A root password allows you command line administrative access to the BIG-IP system. The password must contain a minimum of 6 characters, but no more than 32 characters. Passwords are case-sensitive, and we recommend that your password contain a combination of upper- and lower-case characters, as well as numbers and punctuation characters. Once you enter a password, the First-Time Boot utility prompts you to confirm your root password by typing it again. If the two passwords match, your password is immediately saved. If the two passwords do not match, the First-Time Boot utility provides an error message and prompts you to re-enter your password.
Warning: The root password and keyboard selection are the only settings that are saved immediately, rather than confirmed and committed at the end of the First-Time Boot utility process. You cannot change the root password until the First-Time Boot utility completes and you reboot the BIG-IP (see Monitoring and administration utilities, on page 11-1). Note that you can change other system settings when the First-Time Boot utility prompts you to confirm your configuration settings.
Defining a host name
The host name identifies the BIG-IP itself. Host names must be fully qualified domain names (FQDNs). The host portion of the name must start with a letter, and must be at least two characters.
Configuring a default route
If a BIG-IP does not have a predefined route for network traffic, the unit automatically sends traffic to the IP address that you define as the default route. Typically, a default route is set to a router's IP address.
Setting up a redundant system
On the Configure BIG-IP Interfaces screen, select Yes if you have a redundant system.
Selecting a unit ID
If you are configuring a redundant system, the First-Time Boot utility prompts you to provide a unit ID and the IP address for fail-over for the BIG-IP. The default unit ID number is 1. If this is the first unit in the redundant system, use the default. When you configure the second unit in the system, type 2. These unit IDs are used for active-active redundant system configuration.
Choosing a fail-over IP address
If you are configuring a redundant system, after you type in a unit number, the First-Time Boot utility prompts you to provide an IP address for fail-over. Type in the IP address configured on the internal interface of the other BIG-IP.
Configuring interfaces
Configure media settings for each interface. The media type options depend on the network interface card included in your hardware configuration. The First-Time Boot utility prompts you with the settings that apply to the interface installed in the unit. The BIG-IP supports the following types:
- auto
- 10baseT
- 10baseT,FDX
- 100baseTX
- 100baseTX,FDX
- Gigabit Ethernet
Note: If you do not know the correct setting for your switch or hub, you can set the media type to auto and change it later when you know the correct setting. Check your switch or hub documentation for this information.
Warning: The configuration utility lists only the network interface devices that it detects during boot up. If the utility lists only one interface device, the network adapter may have come loose during shipping. Check the LED indicators on the network adapters to ensure that they are working and are connected.
Defining VLANs and IP addresses
You can create a new VLAN or use the default internal and external VLANs to create the BIG-IP configuration.
Determine whether you want to have security turned on or off for a VLAN. Then, type the IP address settings for the VLAN. The IP address settings include:
- Security settings
- IP address, netmask, and broadcast
- Floating self IP address, netmask, and broadcast
We recommend that you set the floating self IP address as the default route for target devices, such as servers. The floating self IP address is owned by the active unit in an active/standby configuration.
Note: The IP address of the external VLAN is not the IP address of your site or sites. The IP addresses of the sites themselves are specified by the virtual IP addresses associated with each virtual server you configure.
Assigning interfaces to VLANs
After you configure the VLANs you want to use on the unit, you can assign interfaces to the VLANs. If you use the default internal and external VLANs, we recommend that you assign at least one interface to the external VLAN, and at least one interface to the internal VLAN. The external VLAN is the one on which the BIG-IP receives connection requests. The internal VLAN is typically the one that is connected to the network of servers, firewalls, or other equipment that the BIG-IP load balances.
Selecting the primary IP address
After you assign interfaces to VLANs, you can choose one VLAN/IP address combination as the primary IP address to associate with the unit host name.
Configuring settings for remote web access
The BIG-IP web server provides the ability to set up remote web access on each VLAN. When you set up web access on a VLAN, you can connect to the web-based configuration utility through the VLAN. To enable web access, specify a fully qualified domain name (FQDN) for each VLAN. The BIG-IP web server configuration also requires that you define a user ID and password. If SSL is available, the configuration also generates authentication certificates.
The First-Time Boot utility guides you through a series of screens to set up remote web access.
- The first screen prompts you to select the VLAN you want to configure for web access. After you select an interface to configure, the utility prompts you to type a fully qualified domain name (FQDN) for the interface. You can configure web access on one or more interfaces.
- After you configure the interface, the utility prompts you for a user name and password. After you type a user name and password, the utility prompts you for a vendor support account. The vendor support account is not required.
- The certification screen prompts you for country, state, city, company, and division.
Warning: If you ever change the IP addresses or host names on the BIG-IP interfaces, you must reconfigure the BIG-IP web server to reflect your new settings. You can run the re-configuration utility from the command line using the following command:
reconfig-httpd
You can also add users to the existing password file, change a password for an existing user, or recreate the password file, without actually repeating the remote web server configuration process.
Warning: If you have modified the remote web server configuration outside of the configuration utility, be aware that some changes may be lost when you run the reconfig httpd utility. This utility overwrites the httpd.conf file and openssl.conf, but does not warn you before doing so.
Configuring a time zone
Next, you need to specify your time zone. This ensures that the clock for the BIG-IP is set correctly, and that dates and times recorded in log files correspond to the time zone of the system administrator. Scroll through the list to find the time zone at your location. Note that one option may appear with multiple names. Select the time zone you want to use, and press the Enter key to continue.
Configuring the DNS forwarding proxy settings
You only need to complete this step if you want machines inside your BIG-IP managed network to use DNS servers outside of that network (for example, for reverse DNS lookup from a web server).
Specify the DNS name server and domain name for DNS proxy forwarding by the BIG-IP. For more information on DNS proxy forwarding, see the BIG-IP Installation Guide.
Configuring remote command line access
After you configure remote web access, the First-Time Boot utility prompts you to configure remote command line access. On most BIG-IP units, the first screen you see is the Configure SSH screen, which prompts you to type an IP address for SSH command line access. If SSH is not available, you are prompted to configure access through Telnet and FTP instead.
When you configure shell access, the First-Time Boot utility prompts you to create a support account for that method. You can use this support account to provide a support engineer access to the BIG-IP.
When the First-Time Boot utility prompts you to enter an IP address for administration, you can type a single IP address or a range of IP addresses, from which the BIG-IP will accept administrative connections (either remote shell connections, or connections to the BIG-IP web server). To specify a range of IP addresses, you can use the asterisk (*) as a wildcard character in the IP addresses.
The following example allows remote administration from all hosts on the 192.168.2 network:
192.168.2.*
Note: For administration purposes, you can connect to the BIG-IP floating self IP address, which always connects you to an active unit in an active/standby redundant system. To connect to a specific unit, simply connect directly to the IP address of that BIG-IP.
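An added example, not part of the F5 documentation: a small Python check for reviewing the administrative address patterns you plan to enter, showing how many source addresses each one admits. It assumes `*` replaces exactly one whole octet (the page shows it only in the last position); the function names and the 256-address review threshold are illustrative, not BIG-IP settings.

```python
"""Audit BIG-IP style administrative-access address patterns (added example)."""


def parse_pattern(pattern):
    """Split a pattern such as '192.168.2.*' into four octets (int or '*').

    Assumption: '*' stands for one whole octet. Anything else is rejected
    rather than guessed at.
    """
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four dot-separated fields: {pattern!r}")
    octets = []
    for part in parts:
        if part == "*":
            octets.append("*")
        elif part.isascii() and part.isdigit() and len(part) <= 3 and int(part) <= 255:
            octets.append(int(part))
        else:
            raise ValueError(f"bad octet {part!r} in {pattern!r}")
    return octets


def matches(pattern, address):
    """True if a concrete source address is admitted by the pattern."""
    addr = parse_pattern(address)
    if "*" in addr:
        raise ValueError("address to test must not contain wildcards")
    return all(p == "*" or p == a for p, a in zip(parse_pattern(pattern), addr))


def address_count(pattern):
    """Number of source addresses the pattern admits (256 per wildcard)."""
    return 256 ** parse_pattern(pattern).count("*")


def audit(patterns, max_addresses=256):
    """Return (pattern, count, verdict) rows, flagging wide or malformed entries.

    max_addresses is a hypothetical review threshold, not a BIG-IP setting.
    """
    rows = []
    for pattern in patterns:
        try:
            count = address_count(pattern)
        except ValueError as exc:
            rows.append((pattern, 0, f"invalid: {exc}"))
            continue
        verdict = "ok" if count <= max_addresses else "too broad"
        rows.append((pattern, count, verdict))
    return rows


if __name__ == "__main__":
    # Constructed sample entries; only 192.168.2.* comes from the page.
    planned = ["192.168.2.*", "192.168.2.17", "192.168.*.*", "*.*.*.*", "192.168.2"]
    for pattern, count, verdict in audit(planned):
        print(f"{pattern:<14} {count:>12} {verdict}")
```

Each additional wildcard octet multiplies the admitted sources by 256, so a pattern wider than the administrators' own subnet is worth narrowing before it is committed.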
NTP support
You can synchronize the time on the BIG-IP to a public time server by using Network Time Protocol (NTP). NTP is built on top of TCP/IP and assures accurate, local timekeeping with reference to clocks located on the Internet. This protocol is capable of synchronizing distributed clocks, within milliseconds, over long periods of time. If you choose to enable NTP, make sure UDP port 123 is open in both directions when the BIG-IP is behind a firewall.
NameSurfer
If you have the 3-DNS module installed, you can configure NameSurfer to handle DNS zone file management for the platform. We strongly recommend that you configure NameSurfer to handle zone file management by selecting NameSurfer to be the primary name server. If you select NameSurfer as the primary name server, NameSurfer converts the DNS zone files on the unit and handles all changes and updates to these files. (You can access the NameSurfer application directly from the Configuration utility for the 3-DNS module. See the 3-DNS Administrator Guide for more information).
config combo
The config combo utility repeats the segment of config in which you select BIG-IP Cache Controller, BIG-IP FireGuard, or BIG-IP Load Balancer as your product. The config combo command is used primarily to change an existing product selection.
Warning: Once you have configured your system based on one of the three product selections (BIG-IP Cache Controller, BIG-IP FireGuard, or BIG-IP Load Balancer), changing the product selection will most likely invalidate that configuration. Therefore you will need to change and update your configuration after you have rebooted the system under the new product selection.
config dns
Runs only the Configure DNS Proxy segment of config, assuming you want machines inside your BIG-IP managed network to use DNS servers outside of that network (for example, for reverse DNS lookup from a web server).
Specify the DNS name server and domain name for DNS proxy forwarding by the BIG-IP. For more information on DNS proxy forwarding see the BIG-IP Installation Guide.
config ftpd
Use this utility to configure FTP on the BIG-IP. This utility prompts you for an IP address from which administrators may access the BIG-IP with FTP. You can use wildcard characters (*) to include all addresses from a specific part of the network. This utility also prompts you to create a support account for access by technical support.
If the service port for FTP is closed, this script opens the service port to permit FTP connections to the BIG-IP.
To run the FTP configuration utility, type in the following command:
config ftpd
Note: Running config ftpd again replaces the current configuration.
config httpd
Use the reconfig httpd configuration utility to reconfigure the HTTPD server on a BIG-IP.
This script enables you to assign an FQDN to your internal and external VLANs. This utility also prompts you to create a support account for access by technical support.
If the service port for the web server on the BIG-IP (httpd) is closed, this script automatically opens the service port to permit access to the web server.
config password
Runs the config segment for configuring the password only.
config redundant
config redundant is identical to config except that it skips the initial steps for setting keyboard type and root password. config redundant is for re-configuration of a standalone unit as one of a redundant pair, or for the addition of a second unit to complete a redundant pair.
config remote
Runs the config segment only for configuring each unit in a redundant system in order to share keys with the peer BIG-IP.
The script prompts you for the root password of the other unit in the redundant system. After confirming your input, the config remote script attempts to access the peer system and configure both systems to communicate with one another. This provides the secure communication channel that the units use to exchange configuration data when you run the bigpipe configsync option, or use the Config Sync button in the Configuration utility.
To run the config remote script, type the following command on the command line:
config remote
config rshd
Use the config rshd configuration utility to configure the remote shell (rshd) server on a BIG-IP. This utility prompts you for an IP address from which administrators may access the BIG-IP. You can use wildcard characters (*) to include all addresses from a specific part of the network. This utility also prompts you to create a support account for access by technical support.
If inetd is not currently configured, this script configures inetd for the remote shell server (rshd). If the service port for rsh is closed, this utility opens the service port to permit rsh connections to the BIG-IP.
To run the rsh configuration utility, type in the following command:
config rshd
Note: Running config rshd again replaces the current configuration.
config sshd
Runs the config segment for configuring secure shell server (sshd) on a BIG-IP only. This utility prompts you for an IP address from which administrators may access the BIG-IP with SSH. You can use wildcard characters (*) to include all addresses from a specific part of the network. This utility also prompts you to create a support account for access by technical support.
If the service port for SSH is closed, this script opens the service port to permit SSH connections to the BIG-IP.
To run the secure shell configuration utility, type in the following command:
config sshd
Note: Running config sshd again replaces the current configuration.
config telnetd
Runs the config segment for configuring the Telnet and FTP servers on a BIG-IP only. The script prompts you to configure each service independently. This allows you to enable Telnet but not FTP, for example.
The script prompts you for a configuration address for each service from which administrators may access the BIG-IP. You can use wildcard characters (*) to include all addresses from a specific part of the network. This utility also prompts you to create a support account for access by technical support.
If inetd is not currently configured, this script configures inetd for the requested services. If the ports for Telnet or FTP are closed, this script opens the ports to permit Telnet or FTP connections to the BIG-IP.
To run the Telnet/FTP configuration utility, type in the following command:
config telnetd
Note: Running config telnetd again replaces the current configuration.
config timezone
Runs the config segment only for configuring the time zone. The time zone setting ensures that the clock for the BIG-IP is set correctly, and that dates and times recorded in log files correspond to the time zone of the system administrator. Scroll through the list to find the time zone at your location. Note that one option may appear with multiple names. Select the time zone you want to use, and press the Enter key to continue.