Manual Chapter : BIG-IP e-Commerce Controller guide v3.3: Using an SSL Accelerator Cell Configuration

Applies To:


BIG-IP versions 1.x - 4.x

  • 3.3.1 PTF-06, 3.3.1 PTF-05, 3.3.1 PTF-04, 3.3.1 PTF-03, 3.3.1 PTF-02, 3.3.1 PTF-01, 3.3.1, 3.3.0
Chapter 3

Using an SSL Accelerator Cell Configuration



Introducing the SSL accelerator cell configuration

This chapter explains how to set up a scalable SSL accelerator configuration. This configuration is useful for any enterprise that handles a large amount of encrypted traffic.

With this configuration, you can increase the scale of the network by adding a new cell. A cell consists of an SSL accelerator and one or more nodes for which it proxies SSL connections.

Figure 3.1 shows a configuration of an SSL accelerator cell. The SSL accelerator cell described in this chapter includes BIG-IP Controllers 1a and 1b, the SSL accelerator accelerator1, and Node1 and Node2.

The following sections refer to Figure 3.1 as an example of how you can set up such a configuration.

Note: The IP addresses shown in the example configuration are fictitious. When implementing your configuration, choose IP addresses that are consistent with your network or networks.

Figure 3.1 An SSL accelerator cell configuration. The cell is outlined by the dashed line.

Configuration tasks

To configure an SSL accelerator cell, you must configure the BIG-IP Controller redundant pair that load balances the SSL accelerators, each SSL accelerator, and each node that handles connections from the SSL accelerator.

First, complete the following tasks on the BIG-IP Controller that you want to use to load balance connections to the SSL accelerators:

  • Configure interfaces on the BIG-IP Controller redundant system.
  • Modify the /etc/netstart file on the BIG-IP Controller that you want to use to load balance the SSL accelerators.
  • Create two load balancing pools. One pool load balances HTTP connections using the IP addresses of the web servers, the other pool load balances SSL connections to the SSL accelerators.
  • Create virtual servers that reference the load balancing pools. Create one virtual server for the pool load balancing the SSL connections, and another virtual server that references the pool that load balances the HTTP connections to the SSL accelerators.
  • Enable port 80 and port 443 on the controller.

Next, complete the following tasks for the SSL accelerator in the cell:

  • Set up an SSL gateway for each node for which the SSL accelerator handles connections.
  • Enable port 443.
  • Set the idle connection timer for port 443.
  • Turn on IP forwarding.

Finally, complete the following task on each node in the cell:

  • Set the default route on each node in the cell to point to the internal interface (source processing) of the SSL accelerator serving that cell.

Configuring the BIG-IP Controller which load balances the SSL accelerator cells

To configure the BIG-IP Controller which load balances the SSL accelerator cells, complete the following tasks on the BIG-IP Controller. This section describes how to complete each task.

  • Configure interfaces on the BIG-IP Controller.
  • Modify the /etc/netstart file on the BIG-IP Controller that you want to use to load balance the SSL accelerators.
  • Create two load balancing pools. One pool load balances HTTP connections using the IP addresses of the web servers, the other pool load balances SSL connections from the SSL accelerators.
  • Create virtual servers that reference the load balancing pools.
  • Enable port 80 and port 443 on the controller.

Configuring interfaces on the BIG-IP Controller

You must configure the interfaces on the redundant BIG-IP Controller system (1a and 1b, in Figure 3.1) to process source and destination addresses. Note that in a basic controller configuration, one interface is configured as an internal interface (source processing), and the other interface is configured as an external interface (destination processing).

In order for the SSL accelerator cell load balancing to work, you must turn destination processing on for the internal interface, and source processing on for the external interface.

To configure source and destination processing using the Configuration utility

  1. In the navigation pane, click NICs.
    The Network Interface Cards screen opens. You can view the current settings for each interface in the Network Interface Card table.
  2. In the Network Interface Card table, click the name of the interface you want to configure.
    The Network Interface Card Properties screen opens.

    · To enable source processing for this interface, click the Enable Source Processing check box.

    · To enable destination processing for this interface, click the Enable Destination Processing check box.

  3. Click the Apply button.

To configure source and destination processing from the command line

Use the following syntax to configure source and destination processing on the specified interface:

bigpipe interface <interface> dest [ enable | disable ]

bigpipe interface <interface> source [ enable | disable ]

The following example command enables destination processing on the interface exp0:

bigpipe interface exp0 dest enable

The following example command enables source processing on the interface exp1:

bigpipe interface exp1 source enable

Add routes for nodes to /etc/netstart

In order for traffic to pass through this configuration correctly, you must configure routes for the nodes in the SSL accelerator cell configuration on the BIG-IP Controller. Add the routes for the nodes to the end of /etc/netstart. In the example shown in Figure 3.1, you must add routes for Node1, Node2, Node3, and Node4. The entries look like this in the /etc/netstart file:

route add -host 10.3.0.11 -gateway 10.1.0.11

route add -host 10.3.0.12 -gateway 10.1.0.11

route add -host 10.3.0.13 -gateway 10.1.0.12

route add -host 10.3.0.14 -gateway 10.1.0.12

Create load balancing pools

This section describes how to create the load balancing pools required for the SSL accelerator configuration described in Figure 3.1. The two pools you need to create are:

  • A load balancing pool for connections using the IP addresses of the web server. For this example, the HTTP pool is named http_virtual. This pool contains the following members:
    Node1 (10.3.0.11)
    Node2 (10.3.0.12)
    Node3 (10.3.0.13)
    Node4 (10.3.0.14)
  • A load balancing pool for SSL connections from the SSL accelerators. For this example, the SSL accelerator pool is named ssl_gateways. This pool contains the following members:
    accelerator1 (10.1.0.111)
    accelerator2 (10.1.0.112)
    accelerator3 (10.1.0.113)
    accelerator4 (10.1.0.114)

    Note: The SSL accelerator pool should contain the SSL accelerator for each SSL accelerator cell.

To create a pool using the Configuration utility

  1. In the navigation pane, click Pools.
    The Pools screen opens.
  2. In the toolbar, click the Add Pool button.
    The Add Pool screen opens.
  3. In the Add Pool screen, configure the load balancing method, persistence attributes, and members for the pool.

    Configuration note

    · For this example, you could create an HTTP pool named http_virtual. This pool contains the following members:
    Node1 (10.3.0.11)
    Node2 (10.3.0.12)
    Node3 (10.3.0.13)
    Node4 (10.3.0.14)

    · For this example, you could create an SSL accelerator pool named ssl_gateways. This pool contains the following members:
    accelerator1 (10.1.0.111)
    accelerator2 (10.1.0.112)
    accelerator3 (10.1.0.113)
    accelerator4 (10.1.0.114)

    · For additional information about configuring a pool, click the Help button.

To define a pool from the command line

To define a pool from the command line, use the following syntax:

bigpipe pool <pool_name> {lb_mode <lb_mode> member <member_definition> ... member <member_definition>}

For example, if you want to create the pool http_virtual and the pool ssl_gateways, you would type the following commands:

bigpipe pool http_virtual { lb_mode rr member 10.3.0.11:80 member 10.3.0.12:80 member 10.3.0.13:80 member 10.3.0.14:80 }

bigpipe pool ssl_gateways { lb_mode rr member 10.1.0.111:80 member 10.1.0.112:80 member 10.1.0.113:80 member 10.1.0.114:80 }

Create the virtual servers

Create a virtual server that references the pool load balancing the SSL connections, and another virtual server that references the pool that load balances the HTTP connections through the SSL accelerators.

To define a standard virtual server that references a pool using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. On the toolbar, click Add Virtual Server.
    The Add Virtual Server screen opens.
  3. Fill in the attributes for the virtual server.

    Configuration notes

    · To create the configuration described in Figure 3.1, create a virtual server 10.0.0.101 on port 443 that references the pool of SSL accelerators.

    · To create the configuration described in Figure 3.1, create a virtual server 10.0.0.101 on port 80 that references the pool of content servers.

    · For additional information about this screen, click the Help button on the tool bar.

To define a standard virtual server mapping from the command line

Type the bigpipe vip command as shown below. Also, note that you can use host names in place of IP addresses, and that you can use standard service names in place of port numbers.

bigpipe vip <virt IP>:<port> use pool <pool_name>

To create the virtual servers for the configuration in Figure 3.1, you could type the following commands, where the pool of SSL accelerators is named ssl_gateways and the pool for HTTP requests is named http_virtual:

bigpipe vip 10.0.0.101:443 use pool ssl_gateways

bigpipe vip 10.0.0.101:80 use pool http_virtual

Enable ports 80 and 443 on the BIG-IP Controller

For security reasons, the BIG-IP Controller ports do not accept traffic until you enable them. In this configuration, the BIG-IP Controller accepts traffic on port 443 for SSL, and port 80 for HTTP. For this configuration to work, you must enable port 80 and port 443.

Use the following command to enable these ports:

bigpipe port 80 443 enable

Configuring an SSL accelerator for use in a cell

The next part of the process in configuring an SSL accelerator cell is to configure the SSL accelerator. Complete the following tasks on each SSL accelerator in the cell:

  • Set up an SSL gateway for each node for which the SSL accelerator handles connections.
  • Enable port 443.
  • Set the idle connection timer for port 443.
  • Turn on IP forwarding.

Set up an SSL gateway for each node in the SSL accelerator cell

The first task you must complete on the SSL accelerator is to set up an SSL gateway for each node for which the SSL accelerator handles connections. Using the example for creating an SSL accelerator cell in Figure 3.1, you create two SSL gateways on accelerator1:

  • An SSL gateway (10.1.0.111) with Node1 (10.3.0.11) as a target
  • An SSL gateway (10.1.0.112) with Node2 (10.3.0.12) as a target

The following section includes procedures for adding an SSL gateway to the SSL accelerator configuration.

Creating an SSL gateway using the Configuration utility

  1. In the navigation pane, click Proxies.
    The Proxies screen opens.
  2. On the toolbar, click Add Proxy.
    The Add Proxy screen opens.
  3. In the Proxy Address box, type the IP address for the SSL gateway. For the accelerator1 SSL accelerator cell, the IP address for the gateway is 10.1.0.111. For the accelerator2 SSL accelerator cell, the IP address for the gateway is 10.1.0.112.
  4. In the Proxy Netmask box, type the netmask you want to use for the SSL gateway. If you leave this setting blank, the BIG-IP Controller creates a default based on the network class of the IP address on the external (destination processing) interface. Type a user-defined netmask only if necessary.
  5. In the Proxy Broadcast box, type the broadcast address you want to use for this SSL gateway. The BIG-IP Controller automatically generates a broadcast address if you do not type one. Type a user-defined broadcast address only if necessary.
  6. In the Proxy Port box, type the port number that the proxy server uses, or select a service from the list box. Note that if you select a service, the Configuration utility uses the default port number associated with that service.
  7. For Interface, select the destination processing interface on which you want to create the SSL gateway. Select default to allow the Configuration utility to select the interface based on the network address of the SSL gateway.
  8. In the Destination Address box, type the IP address or host name of the node to which the SSL gateway maps.
  9. In the Destination Port box, type a port name or number, such as port 80 or http, or select the service name from the drop-down list.
  10. In the SSL Certificate box, type the name of the SSL certificate you installed on the BIG-IP Controller. You can select the certificate you want to use from the drop-down list.
  11. In the SSL Key box, type the name of the SSL key for the certificate you installed on the BIG-IP Controller. You can select the key from the drop-down list. It is important that you select the key used to generate the certificate you selected in the SSL Certificate box.
  12. Click Apply.

Creating an SSL gateway from the command line

Use the following command syntax to create an SSL gateway. Use this syntax if you want to configure a gateway

bigpipe proxy <ip>:<port> [<ifname>] { netmask <ip> [broadcast <ip>] target server <ip>:<port> ssl enable key <key> cert <cert> }

For example, to create the SSL gateways for the accelerator1 SSL accelerator cell, you would use the following commands:

bigpipe proxy 10.1.0.111:443 exp0 { netmask 255.255.255.0 broadcast 10.1.0.255 target server 10.3.0.11:80 ssl enable key my.server.net.key cert my.server.net.cert }

bigpipe proxy 10.1.0.112:443 exp0 { netmask 255.255.255.0 broadcast 10.1.0.255 target server 10.3.0.12:80 ssl enable key my.server.net.key cert my.server.net.cert }
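The host routes added to /etc/netstart and the bigpipe proxy commands above are derived from the same cell layout, so they are easiest to keep consistent when generated from one table. The script below is an added example, not part of the manual: it emits both sets of commands from a constructed cell table (addresses follow the Figure 3.1 example; the grouping of nodes into cells and the route gateways 10.1.0.11 and 10.1.0.12 are assumed from the /etc/netstart example) and checks the table for two errors that break a cell: two proxies on the same address and port, and a node served by more than one gateway.

```bash
#!/bin/sh
# Added example (not from the BIG-IP manual): generate the per-cell routes and
# SSL gateway (proxy) commands from one table, and check the table for the
# mistakes that break a cell. The table is constructed; column 2 (the gateway
# used in the /etc/netstart host route) and column 3 (the SSL gateway address)
# follow the Figure 3.1 example; the assignment of nodes to cells is assumed.
#
# Columns: accelerator  route_gateway  ssl_gateway_ip  node_ip
CELL_TABLE='accelerator1 10.1.0.11 10.1.0.111 10.3.0.11
accelerator1 10.1.0.11 10.1.0.112 10.3.0.12
accelerator2 10.1.0.12 10.1.0.113 10.3.0.13
accelerator2 10.1.0.12 10.1.0.114 10.3.0.14'

# Host routes for the end of /etc/netstart on the BIG-IP Controller (table on stdin).
gen_routes() {
    awk '{ print "route add -host " $4 " -gateway " $2 }'
}

# bigpipe proxy commands for one accelerator only (table on stdin).
# $1 accelerator name, $2 interface, $3 key file, $4 certificate file.
gen_proxies() {
    awk -v acc="$1" -v ifn="$2" -v key="$3" -v cert="$4" '
        $1 == acc {
            print "bigpipe proxy " $3 ":443 " ifn \
                  " { netmask 255.255.255.0 broadcast 10.1.0.255" \
                  " target server " $4 ":80 ssl enable key " key " cert " cert " }"
        }'
}

# Consistency check (table on stdin): every SSL gateway address must be unique,
# since two proxies on the same <ip>:443 collide, and every node must belong to
# exactly one cell, since its default route can point at only one accelerator.
# Returns 0 when the table is clean, 1 otherwise.
check_cells() {
    table=$(cat)
    dup=$(printf '%s\n' "$table" | awk '{ print $3 }' | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "duplicate SSL gateway address: $dup" >&2
        return 1
    fi
    dup=$(printf '%s\n' "$table" | awk '{ print $4 }' | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "node assigned to more than one SSL gateway: $dup" >&2
        return 1
    fi
    return 0
}

# Usage: validate the table, then emit the controller routes and accelerator1's proxies.
printf '%s\n' "$CELL_TABLE" | check_cells || exit 1
printf '%s\n' "$CELL_TABLE" | gen_routes
printf '%s\n' "$CELL_TABLE" | gen_proxies accelerator1 exp0 my.server.net.key my.server.net.cert
```

Run gen_proxies once per accelerator with that accelerator's name so that each SSL accelerator receives only the gateways for its own cell.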

Enable port 443

For security reasons, the ports on the SSL accelerator do not accept traffic until you enable them. In this configuration, the SSL accelerator accepts traffic on port 443 for SSL. For this configuration to work, you must enable port 443. Use the following command to enable this port:

bigpipe port 443 enable

Set the idle connection timer for port 443

In the SSL accelerator cell configuration, you should set the idle connection timer to clean up closed connections on port 443. You need to set an appropriate idle connection time-out value so that valid connections are not disconnected, and closed connections are cleaned up in a reasonable time.

To set the idle connection time-out using the Configuration utility

  1. In the navigation pane, click Virtual Servers.
  2. In the Virtual Servers list, click the virtual server you configured for SSL connections.
    The Virtual Server Properties screen opens.
  3. In the Port box, click the port. For the example in this section, choose 443.
    The Global Virtual Port Properties screen opens.
  4. In the Idle connection timeout TCP (seconds) box, type a time-out value for TCP connections. The recommended time-out setting is 10 seconds.
  5. In the Idle connection timeout UDP (seconds) box, type a time-out value for UDP connections. The recommended time-out setting is 10 seconds.
  6. Click Apply.

To set the idle connection time-out in the /etc/bigip.conf file

To set the idle connection time-out in the /etc/bigip.conf file, edit the following lines:

treaper <port> <seconds>

udp <port> <seconds>

For the example in Figure 3.1, the entries look like this:

treaper 443 10

udp 443 10

The <seconds> value is the number of seconds a connection is allowed to remain idle before it is terminated. The <port> value is the port on the wildcard virtual server for which you are configuring out of path routing. The recommended value for the TCP and UDP connection timeouts is 10 seconds.

Turn on IP forwarding

In order for traffic from the nodes to be routed back to the client correctly, you must turn on IP forwarding for the SSL accelerator in the cell.

IP forwarding is a property of the BIG-IP Controller system, and it is controlled by the system control variable net.inet.ip.forwarding.

To set the IP forwarding system control variable using the Configuration utility

  1. In the navigation pane, click the BIG-IP Controller icon.
    The BIG-IP System Properties screen opens.
  2. On the toolbar, click Advanced Properties.
    The BIG-IP System Control Variables screen opens.
  3. Check the Allow IP Forwarding box.
  4. Click the Apply button.

To set the IP forwarding system control variable from the command line

Use the standard sysctl command to set the variable. The default setting for the variable is 0, which is off. You want to change the setting to 1, which is on:

sysctl -w net.inet.ip.forwarding=1

To permanently set this value, you can use a text editor, such as vi or pico, to manually edit the /etc/rc.sysctl file. For additional information about editing this file, see BIG-IP Controller Reference Guide, System Control Variables.

Setting the default route on each node in a cell

The final task you must complete for this configuration is to set the default route on each node in the cell to point to the internal interface (source processing) of the SSL accelerator serving that cell.

In the configuration described in Figure 3.1, the default routes for the content servers should be set like this:

  • You should set the default route on Server1 and Server2 to the internal address of accelerator1, which is 10.3.0.251.
  • You should set the default route on Server3 and Server4 to the internal address of accelerator2, which is 10.3.0.252.

Note: For information about how to set the default route on the content servers in your network, refer to the documentation provided with the content server.