Manual Chapter : BIG-IP Devices HA Pairs and Clusters

Applies To:

BIG-IQ Centralized Management

  • 6.0.0

BIG-IP Devices, HA Pairs, and Clusters

Preliminary tips for putting an Access group together

As you start to think about how to group BIG-IP® devices into Access groups that share a configuration, there are a few things you might want to keep in mind. When you select a device for an Access group, you are selecting the shared configuration for all of the devices in the group.

When you add BIG-IP devices to an Access group, Access evaluates the differences between the devices in the group. Access reports the differences for your information. If you need to make configuration changes on any of the devices, Access lets you know which device to change, and which object to update, delete, or add.

Things to know about machine accounts

Machine accounts support Microsoft Exchange clients that use NTLM authentication. An NTLM Auth Configuration object refers to a machine account. If the APM® configurations on the BIG-IP® systems include machine accounts, you might want to be aware of the following information.

In an Access group, the machine accounts on the devices must each have been created with the same name. If this is not the case, the deployment fails. The deployment differences will include the names of the devices on which you must reconfigure the machine accounts before you can successfully deploy.

Configure a machine account

You configure a machine account so that Access can establish a secure channel to a domain controller.
  1. Log in to the BIG-IQ system with your user name and password.
  2. At the top of the screen, select Configuration, then on the left side of the screen, click ACCESS > Access Groups.
  3. Click the name of the Access group that interests you.
    A new screen displays the group's properties.
  4. Expand Authentication > NTLM and click Machine Account > Create.
    The New Machine Account screen displays.
  5. In the Name field, type a name for the configuration.
  6. From Device, select the associated BIG-IP device. This only displays when you create a device-specific OCSP Responder server.
  7. In the Configuration area, in the Machine Account Name field, type a name.
  8. In the Domain FQDN field, type the fully qualified domain name (FQDN) for the domain that you want the machine account to join.
  9. Optional: In the Domain Controller FQDN field, type the FQDN for a domain controller.
  10. In the Admin User field, type the name of a user who has administrator privilege.
  11. In the Admin Password field, type the password for the admin user.
    Access uses these credentials to create the machine account on the domain controller. However, Access does not store the credentials and you do not need them to update an existing machine account configuration later.
  12. Click Join.
This creates a machine account and joins it to the specified domain. This also creates a non-editable NetBIOS Domain Name field that is automatically populated.
Note: If the NetBIOS Domain Name field on the machine account is empty, delete the configuration and recreate it. The field populates.

Things to know about bandwidth controller configurations

On a BIG-IP® device, bandwidth controller configuration objects (policies and priority groups) are configured at the system level. In APM®, they are used to provide traffic shaping for Citrix clients that support MultiStream ICA. In an access policy, a BWC policy item refers to a bandwidth controller policy. If the APM configurations on the BIG-IP systems refer to bandwidth controller objects, you should be aware of the following information.

The bandwidth controller configuration objects on the device are treated as if they were part of the Access shared configuration. That means when you import the APM service configuration from a device, the bandwidth controller objects are imported and cannot be updated in the BIG-IQ® system. When you deploy the configuration, deployment creates the bandwidth controller objects on the devices.

Access requirements for HA pairs and clusters

For BIG-IP® system high availability, APM® supports two devices in a Sync-Failover group; these devices can also be referred to as an HA pair.

Access has these requirements for HA pairs on BIG-IQ® system configuration:

  • If you import a device that is part of an HA pair, you must import the other device in the pair as well. Access must manage the configuration for both devices.
  • When you import the devices that are an HA pair, you must place both devices in a cluster that contains only that pair.
    Note: This is not enforced when you add devices to a cluster. But when you try to deploy the configuration, Access reports errors and deployment fails.
  • When you add devices to an Access group, you must add both members of a cluster to the same Access group. (You can add all clusters to one Access group or add clusters to multiple Access groups.)
    Note: Access enforces this requirement.

To avoid problems after you create Access configurations on the BIG-IQ system, you should know which devices constitute each HA pair.

Important: F5® recommends that you make a list of HA pairs, and keep it available for ready reference while you work in the BIG-IQ system.
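
An added example (not F5 or BIG-IQ code, and it calls no BIG-IQ API): a Python check that runs the three HA-pair requirements above against a planned layout built from your list of HA pairs, so that the cluster rule Access does not enforce until deployment is caught beforehand. All device, cluster, and Access group names are constructed.

```python
from collections import defaultdict

def check_layout(ha_pairs, imported, cluster_of, group_of):
    """Return sorted rule violations; an empty list means the plan is consistent."""
    problems = []
    members = defaultdict(set)          # cluster name -> devices placed in it
    for dev, cluster in cluster_of.items():
        members[cluster].add(dev)

    for pair in ha_pairs:
        a, b = sorted(pair)
        missing = sorted({a, b} - imported)
        if len(missing) == 2:
            continue                    # pair is not managed here at all
        if missing:
            # Importing one member of an HA pair requires importing the other.
            problems.append(f"HA pair {a}/{b}: {missing[0]} is not imported")
            continue
        ca, cb = cluster_of.get(a), cluster_of.get(b)
        if ca is None or ca != cb:
            problems.append(f"HA pair {a}/{b}: devices are not in the same cluster")
        elif members[ca] != {a, b}:
            # The cluster must contain only that pair (not enforced until deployment).
            extra = ", ".join(sorted(members[ca] - {a, b}))
            problems.append(f"cluster {ca}: holds devices outside pair {a}/{b}: {extra}")

    for cluster, devs in members.items():
        # All members of a cluster must be added to the same Access group.
        if len({group_of.get(d) for d in devs}) > 1:
            problems.append(f"cluster {cluster}: members are split across Access groups")
    return sorted(problems)

# Constructed sample plan (all names hypothetical).
HA_PAIRS = [{"bigip-a1", "bigip-a2"}, {"bigip-b1", "bigip-b2"}, {"bigip-c1", "bigip-c2"}]
IMPORTED = {"bigip-a1", "bigip-a2", "bigip-b1", "bigip-b2", "bigip-c1", "standalone-1"}
CLUSTER_OF = {"bigip-a1": "cl-a", "bigip-a2": "cl-a",
              "bigip-b1": "cl-b", "bigip-b2": "cl-b", "standalone-1": "cl-b"}
GROUP_OF = {"bigip-a1": "grp-east", "bigip-a2": "grp-west",
            "bigip-b1": "grp-east", "bigip-b2": "grp-east", "standalone-1": "grp-east"}

if __name__ == "__main__":
    for line in check_layout(HA_PAIRS, IMPORTED, CLUSTER_OF, GROUP_OF):
        print(line)
```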