Deploying the BIG-IP System with CA SiteMinder

Similar documents
Archived. Deploying the BIG-IP LTM with IBM Cognos Insight. Deployment Guide Document version 1.0. What s inside: 2 Products and versions tested

Deploying the BIG-IP System v11 with DNS Servers

Deploying the BIG-IP System with Oracle Hyperion Applications

Archived. h h Health monitoring of the Guardium S-TAP Collectors to ensure traffic is sent to a Collector that is actually up and available,

Deploying the BIG-IP LTM with IBM QRadar Logging

Archived. Configuring a single-tenant BIG-IP Virtual Edition in the Cloud. Deployment Guide Document Version: 1.0. What is F5 iapp?

Deploying the BIG-IP LTM with Oracle JD Edwards EnterpriseOne

Deploying WAN-Optimized Acceleration for VMware vmotion Between Two BIG-IP Systems

Document version: 1.0 What's inside: Products and versions tested Important:

Archived. Deploying the BIG-IP LTM with IBM Lotus inotes BIG-IP LTM , 10.1, 11.2, IBM Lotus inotes 8.5 (applies to 8.5.

Archived. For more information of IBM Maximo Asset Management system see:

VMware vcenter Site Recovery Manager

DESIGN GUIDE. VMware NSX for vsphere (NSX-v) and F5 BIG-IP Design Guide

Prompta volumus denique eam ei, mel autem

Meeting the Challenges of an HA Architecture for IBM WebSphere SIP

Deploying the BIG-IP System for LDAP Traffic Management

APM Cookbook: Single Sign On (SSO) using Kerberos

Deploying the BIG-IP LTM and APM with VMware View 4.6

Converting a Cisco ACE configuration file to F5 BIG IP Format

Enhancing VMware Horizon View with F5 Solutions

Load Balancing 101: Nuts and Bolts

F5 in AWS Part 3 Advanced Topologies and More on Highly Available Services

Large FSI DDoS Protection Reference Architecture

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP System v9.x with Microsoft IIS 7.0 and 7.5

Validating Microsoft Exchange 2010 on Cisco and NetApp FlexPod with the F5 BIG-IP System

Citrix Federated Authentication Service Integration with APM

Optimize and Accelerate Your Mission- Critical Applications across the WAN

Deploying the BIG-IP System with Oracle WebLogic Server

Improving VDI with Scalable Infrastructure

Enabling Long Distance Live Migration with F5 and VMware vmotion

DEPLOYMENT GUIDE Version 1.0. Deploying F5 with Oracle Fusion Middleware WebCenter 11gR1

Deploying a Next-Generation IPS Infrastructure

F5 iapps: Moving Application Delivery Beyond the Network

Data Center Virtualization Q&A

Load Balancing 101: Nuts and Bolts

Deploying the BIG-IP System v10 with Oracle s BEA WebLogic

Optimizing NetApp SnapMirror Data Replication with F5 BIG-IP WAN Optimization Manager

The F5 Application Services Reference Architecture

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP System v10 with Microsoft IIS 7.0 and 7.5

Server Virtualization Incentive Program

Deploying the BIG-IP System with Microsoft IIS

Deploying a Next-Generation IPS Infrastructure

The Programmable Network

Deploying the BIG-IP System with Oracle E-Business Suite

Deploying the BIG-IP System with HTTP Applications

DEPLOYMENT GUIDE Version 1.1. Deploying F5 with IBM WebSphere 7

Deploying F5 with Microsoft Remote Desktop Services

BIG IQ Reporting for Subscription and ELA Programs

Geolocation and Application Delivery

Resource Provisioning Hardware Virtualization, Your Way

F5 and Nuage Networks Partnership Overview for Enterprises

Managing BIG-IP Devices with HP and Microsoft Network Management Solutions

v.10 - Working the GTM Command Line Interface

Addressing Security Loopholes of Third Party Browser Plug ins UPDATED FEBRUARY 2017

Maintain Your F5 Solution with Fast, Reliable Support

Webshells. Webshell Examples. How does a webshell attack work? Nir Zigler,

NGIPS Recommended Practices

DEPLOYMENT GUIDE DEPLOYING F5 WITH ORACLE ACCESS MANAGER

Deploying F5 for Microsoft Office Web Apps Server 2013

Complying with PCI DSS 3.0

Unified Application Delivery

Secure Mobile Access to Corporate Applications

Deploying the BIG-IP Data Center Firewall

The F5 Intelligent DNS Scale Reference Architecture

WHITE PAPER. F5 and Cisco. Supercharging IT Operations with Full-Stack SDN

Cookies, Sessions, and Persistence

Deploying the BIG-IP System with HTTP Applications

Deploying the BIG-IP System v11 with Microsoft SharePoint 2010 and 2013

F5 icontrol. In this white paper, get an introduction to F5 icontrol service-enabled management API. F5 White Paper

SNMP: Simplified. White Paper by F5

Configuring the BIG-IP APM as a SAML 2.0 Identity Provider for Microsoft Office 365

Deploying F5 with Microsoft Active Directory Federation Services

Securing the Cloud. White Paper by Peter Silva

Load Balancing VMware App Volumes

Deploying F5 with Microsoft Active Directory Federation Services

DEPLOYMENT GUIDE. Load Balancing VMware Unified Access Gateway

One Time Passwords via an SMS Gateway with BIG IP Access Policy Manager

DEPLOYMENT GUIDE DEPLOYING THE BIG-IP SYSTEM WITH BEA WEBLOGIC SERVER

Deploying the BIG-IP System v10 with Microsoft Exchange Outlook Web Access 2007

F5 Networks F5LTM12: F5 Networks Configuring BIG-IP LTM: Local Traffic Manager. Upcoming Dates. Course Description. Course Outline

Deploying the BIG-IP LTM v11 with Microsoft Lync Server 2010 and 2013

Enhancing Exchange Mobile Device Security with the F5 BIG-IP Platform

DEPLOYMENT GUIDE. Deploying F5 for High Availability and Scalability of Microsoft Dynamics 4.0

Providing Security and Acceleration for Remote Users

Session Initiated Protocol (SIP): A Five-Function Protocol

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Access Policy Manager v with Oracle Access Manager

DEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP Access Policy Manager with IBM, Oracle, and Microsoft

F5 Reference Architecture for Cisco ACI

Deploying BIG-IP LTM with Microsoft Lync Server 2010 and 2013

DEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP Access Policy Manager with Oracle Access Manager

Deploying F5 with Microsoft Remote Desktop Session Host Servers

Deploying the BIG-IP System v11 with Microsoft Exchange 2010 and 2013 Client Access Servers

Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall

Deploying the BIG-IP System with Microsoft SharePoint

Deploying the BIG-IP LTM with Microsoft Skype for Business

Deploying the BIG-IP System v11 with Microsoft Exchange 2010 and 2013 Client Access Servers

Deploying F5 with Citrix XenApp or XenDesktop

Managing the Migration to IPv6 Throughout the Service Provider Network White Paper

Deploying F5 with Citrix XenApp or XenDesktop

Deploying the BIG-IP LTM and APM with Citrix XenApp or XenDesktop

Transcription:

Deployment Guide Document version 1.0 What's inside: 2 Prerequisites and configuration notes 2 Configuration example 3 Configuring the BIG-IP LTM for the SiteMinder Administrative User Interface servers 5 Configuring the BIG IP LTM for the SiteMinder Policy Servers 7 Next Steps 7 Optional: Configuring your directory servers for high availability with BIG-IP 8 Document Revision History Deploying the BIG-IP System with Welcome to the F5 deployment guide for. This guide describes how to achieve high availability by deploying the BIG-IP Local Traffic Manager (LTM) with, load balancing the Administrative User Interface, the Policy Server and the User Directory Servers. SiteMinder enables better control access to Web applications and portals for employees, customers and business partners securely and efficiently with powerful Web access management. For more information on, see: http://www.ca.com/us/web-access-management.aspx For more information on the BIG-IP LTM system, see http://www.f5.com/products/bigip/ltm/. Why F5 is mission critical to the uptime and availability of entire websites. If SiteMinder is unavailable, so are the web servers that SiteMinder serves. Therefore, high availability and proactive health monitoring is critical to the success of all SiteMinder deployments. Organizations using SiteMinder receive the benefits immediately after deploying the BIG-IP LTM: High availability of Policy Servers at the network layer. Instead of configuring IP es manually in the SiteMinder Configuration files and relying on manual intervention, the BIG-IP system automatically directs users to the most available server. High availability of CA Administrative UI servers. Equally as important as the Policy Servers, if an Administrative server goes down, users are no longer able to maintain, manage or troubleshoot policy servers. Load balancing the Administrative UI is often overlooked, but is extremely important. With the BIG-IP system, organizations can configure an architecture that solves the many different pieces of a CA Architecture entirely on one platform, the BIG-IP LTM. Specifically, the BIG-IP LTM addresses the high availability needs of Policy Servers, Directory Servers, Administrative Servers, and the content servers themselves. Products and versions tested Product Version BIG-IP LTM 11.2 HF-1 12.0 SP 3

Important: Make sure you are using the most recent version of this deployment guide, available at www.f5.com/pdf/deployment-guides/ca-siteminder-dg.pdf Prerequisites and configuration notes h h The BIG-IP LTM system must be running version 11.2 HF 1 or later. h h Each SiteMinder Administrative UI server must be registered directly with a SiteMinder Policy server before it is configured for load balancing. Register your Administrative UI servers directly with a policy server instead of using the BIG-IP Virtual IP (VIP). After initial registration you may point to the BIG-IP system's virtual server address. See Configuring the SiteMinder devices on page 3. Configuration example SiteMinder is a critical component of any infrastructure in which it is deployed, so being able to achieve high availability is critical. The BIG-IP system can bring high availability through monitoring to environments. The environment has several locations where scaling and high availability are critical: The BIG-IP system is deployed in front of multiple redundant Administrative User Interfaces The BIG-IP system is deployed in front of multiple redundant Policy Servers The BIG-IP system is deployed in front of the entitlement and user stores (LDAP) After the deployment of BIG-IP these are the traffic scenarios: 1. Administrators use the Administrative UI virtual server on the BIG-IP system to manage and administer. This virtual server is typically not externally accessible. 2. Agents, configured on web servers and application servers, communicate through a virtual server on the BIG-IP system to the Policy Server. This virtual server is also not typically externally accessible. 3. The Policy Server communicates to a virtual server on the BIG-IP system to reach the LDAP servers. SiteMinder Web Agent on web servers BIG-IP LTM Policy Servers Web site users BIG-IP LTM Administrative users Administrative UI Report Servers Report Database Audit Database Figure 1: Logical configuration example 2

Configuring the BIG-IP LTM for the SiteMinder Administrative User Interface servers The SiteMinder Administrative User Interface must be used to manage and configure the CA SiteMinder environment. If anything happens to the machine running the Administrative User Interface, management of the CA environment becomes difficult and it could lead to a complete site-wide outage. CA recommends the deployment of multiple redundant Administrative User Interface servers. Each Administrative User Interface device must be registered with a Policy server. In the case of multiple identical policy servers, it is important that each Administrative User Interface machine is registered before configuring the BIG-IP system for load balancing. Configuring the SiteMinder devices Use the following guidance for configuring SiteMinder devices. Refer to the CA documentation for specific instructions. 1. Setup two identical servers and install the CA Administrative User Interface servers 2. Initiate the setup scripts according to CA's instructions and register the Administrative User Interface with the Policy server's direct IP address. 3. Repeat step 2 to register the Policy Server with the other Policy servers in your environments. 4. Configure the BIG-IP LTM system for the Administrative UI servers. 5. Configure the BIG-IP LTM for the Policy Servers. 6. Adjust the IP address on the Administrative User Interface to point to the BIG-IP LTM virtual server IP address for the Policy Servers. Following these steps ensures that each Administrative UI device is properly registered with each Policy Server. If your Administrative UI devices are already registered, these steps can be skipped. Configuration table for the Administrative User Interface The following table contains a list of BIG-IP LTM configuration objects along with any nondefault settings you should configure as a part of the User Interface configuration. Unless otherwise specified, settings not mentioned in the table can be configured as applicable for your configuration. For specific instructions on configuring individual objects, see the online help or product manuals. BIG-IP LTM Object -->Monitors) Type Interval Timeout Send String Receive String Non-default settings/notes HTTP 30 (recommended) 91 (recommended) GET /iam/siteminder/console HTTP/1.0\r\n\r\n SiteMinder 3

BIG-IP LTM Object Non-default settings/notes Pool (Main tab-->local Traffic -->Pools) Profiles -->Profiles) Virtual Server -->Virtual Servers) Load Balancing Method Select the monitor you created above Choose a load balancing method. We recommend Least Connections (Member) Type the IP of an Administrative User Interface server Service Port Type the service port, typically 8080. Click Add, and repeat and Port for all servers. TCP (Profiles-->Protocol) HTTP (Profiles-->Services) Client SSL (Profiles-->SSL) Server SSL 2 (Profiles-->SSL) Persistence (Profiles-->Persistence) Persistence (Profiles-->Persistence) Parent Profile tcp-lan-optimized 1. Parent Profile Redirect Rewrite Parent Profile Certificate Key Parent Profile Persistence Type Persistence Type. HTTP All clientssl Select the certificate you imported Select the associated key serverssl Cookie for this fallback persistence profile Source Affinity Type the IP for the virtual server Service Port Type the appropriate port, typically 8080, 80, or 443 Protocol Profile (client) 2 HTTP Profile SSL Profile (Client) SSL Profile (Server) 3 Select the TCP profile you created Select the HTTP profile you created Select the Client SSL profile you created If you are configuring SSL Bridging only: Select the Server SSL profile you created SNAT Pool 4 Automap (optional; see footnote 4 ) Default Pool Default Persistence Profile Fallback Persistence Profile Select the pool you created Select the Cookie Persistence profile you created Select the Persistence profile you created 1 If you have users connecting to the administrative interface primarily over a WAN connection, use the tcp-wan-optimized parent profile. 2 You must select Advanced from the Configuration list for this option to appear 3 Only create a Server SSL profile if you are configuring the BIG-IP LTM for SSL Bridging. 4 If want to use SNAT, and you have a large deployment expecting more than 64,000 simultaneous connections, you must configure a SNAT Pool with an IP address for each 64,000 simultaneous connections you expect. See the BIG-IP documentation on configuring SNAT Pools. 4

Configuring the BIG IP LTM for the SiteMinder Policy Servers In this section, you configure the BIG-IP LTM for the SiteMinder Policy Servers. Configuration table for the Policy Servers The table on the following page contains a list of BIG-IP LTM configuration objects along with any non-default settings you should configure as a part of the User Interface configuration. Unless otherwise specified, settings not mentioned in the table can be configured as applicable for your configuration. For specific instructions on configuring individual objects, see the online help or product manuals. BIG-IP LTM Object -->Monitors) Pool (Main tab-->local Traffic -->Pools) Profiles: Persistence -->Profiles-->Persistence) Type Interval Timeout 44441 Policy server pool Load Balancing Method Non-default settings/notes TCP 30 (recommended) 91 (recommended) Select the monitor you created above Choose a load balancing method. We recommend Least Connections (Member) Type the IP of a Policy Server Service Port 44441 Click Add, and repeat and Port for all servers. 44442 Policy server pool Load Balancing Method Select the monitor you created above Choose a load balancing method. We recommend Least Connections (Member) Type the IP of a Policy Server Service Port 44442 Click Add, and repeat and Port for all servers. 44443 Policy server pool Load Balancing Method Select the monitor you created above Choose a load balancing method. We recommend Least Connections (Member) Type the IP of a Policy Server Service Port 44443 Click Add, and repeat and Port for all servers. Persistence Type Match Across Virtual Servers Source Affinity Enabled (Click a check in the box) 5

BIG-IP LTM Object Non-default settings/notes Virtual Server -->Virtual Servers) 44441 virtual server Service Port 44441. Type the IP for the virtual server. All Policy Server virtual servers must have the same IP address. SNAT Pool 1 Automap (optional; see footnote 1 ) Default Pool Select the pool you created using port 44441 Default Persistence Profile 44442 virtual server Service Port 44442 Select the Persistence profile you created.. Type the IP for the virtual server. All Policy Server virtual servers must have the same IP address. SNAT Pool 1 Automap (optional; see footnote 1 ) Default Pool Select the pool you created using port 44442 Default Persistence Profile 44443 virtual server Service Port 44443 Select the Persistence profile you created.. Type the IP for the virtual server. All Policy Server virtual servers must have the same IP address. SNAT Pool 1 Automap (optional; see footnote 1 ) Default Pool Select the pool you created using port 44443 Default Persistence Profile Select the Persistence profile you created. 1 If want to use SNAT, and you have a large deployment expecting more than 64,000 simultaneous connections, you must configure a SNAT Pool with an IP address for each 64,000 simultaneous connections you expect. See the BIG-IP documentation on configuring SNAT Pools. 6

Next Steps After completing the BIG-IP LTM configuration, perform the following tasks on your SiteMinder servers. See the SiteMinder documentation for specific instructions. 1. Adjust your SmHosts.conf files on every webagent to point to the BIG-IP virtual server address for Policy Server. 2. Adjust your Administrative User Interface to point to the appropriate BIG-IP virtual server for Policy Server 3. Advertise the BIG-IP virtual server address for the Administrative User Interface so that users can administer CA using this implementation. 4. Adjust the User Directory settings with the Configuration to point to the BIG-IP virtual server IP address for the LDAP servers. Optional: Configuring your directory servers for high availability with BIG-IP We strongly recommend configuring BIG-IP LTM for your directory servers. You can find deployment guides for configuring directory servers on f5.com (http://www.f5.com/products/documentation/deployment-guides/ ). In this section, we show you how to use the BIG-IP LTM iapp template for LDAP servers. For more information on iapps, see http://www.f5.com/pdf/white-papers/f5-iapp-wp.pdf To configure the iapp for LDAP 1. Log on to the BIG-IP system. 2. On the Main tab, expand iapp, and then click Application Services. 3. Click Create. The Template Selection page opens. 4. In the box, type a name. In our example, we use SiteMInder_LDAP_. 5. From the Template list, select f5.ldap. The LDAP template opens. 6. Complete the template as appropriate for your LDAP configuration. 7. Click the Finished button. 8. Adjust your policy server to point to the BIG-IP virtual server for your directory servers. For more information on configuring the BIG-IP LTM for LDAP servers, including manual configuration procedures, see http://www.f5.com/pdf/deployment-guides/ldap-iapp-dg.pdf 7

8 DEPLOYMENT GUIDE Document Revision History Version Description Date 1.0 New Version 09-11-2012 F5 Networks, Inc. 401 Elliott Avenue West, Seattle, WA 98119 888-882-4447 www.f5.com F5 Networks, Inc. Corporate Headquarters F5 Networks Asia-Pacific F5 Networks Ltd. Europe/Middle-East/Africa F5 Networks Japan K.K. info@f5.com apacinfo@f5.com emeainfo@f5.com f5j-info@f5.com 2012 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback