How to configure F5 BIG-IP Local Traffic Manager to work with the ITMS Cloud-enabled Management traffic?

Article ID: 178549

Products

IT Management Suite, Server Management Suite, Client Management Suite

Issue/Introduction

The current Cloud-enabled Management (CEM) feature in IT Management Suite requires the firewall to redirect all inbound CEM traffic directly to the Symantec Management Platform (SMP) Internet Gateway.

However, in some scenarios all inbound traffic (including CEM traffic) must be routed through the organization's load balancer.

Resolution

Use Case 1

If the load balancer does not perform load balancing or certificate validation but serves only as a Network Address Translation (NAT) device, you need to create a Virtual Server for each Internet Gateway and a pool that links each Internet Gateway to its dedicated Virtual Server (see the scheme below). The Virtual Servers then redirect the inbound CEM traffic to the SMP Internet Gateways.

To configure the F5 BIG-IP Local Traffic Manager to work with the IT Management Suite CEM traffic, take the following steps:

  1. Set up two or more SMP Internet Gateways.
    In this example, the IP addresses of the Internet Gateways are 172.16.10.15-17. The port for incoming connections is 443.
  2. Create a pool with the internal IP address of the SMP Internet Gateway.
    Note that each pool contains only one Internet Gateway.
    In Local Traffic Manager, navigate to Local Traffic > Pools: Pool List > New Pool…
    Add the Internet Gateway under New Members, or select it from the Node List if you have already added the nodes. Add TCP to Health Monitors so that the status of the members is checked. Select the preferred Load Balancing Method. (see the screen below)

    Repeat this step to create as many pools as you need.
  3. Create Virtual Servers that are associated with the pools.
    In the Local Traffic Manager, navigate to Local Traffic > Virtual Servers: Virtual Server List > New Virtual Server.
    In this example, the IP addresses of the Virtual Servers are 100.100.100.100-102 and the port 443.
    Select Standard as the Type. Enter the IP address of the Virtual Server and the port for incoming connections. Select TCP for Protocol and NONE for HTTP Profile. As Default Pool, select the previously created pool SMP_GW1. (see the screen below)

    Repeat this step to create as many Virtual Servers as you need.
  4. In the Symantec Management Console, navigate to Settings > Notification Server > Cloud-enabled Management > Policy > Cloud-enabled Management Settings.
    Add the IP address (or external FQDN) and port of the previously created Virtual Server, and the thumbprint of the certificate that is installed on all Internet Gateways in the pool. Apply the policy to the desired computers.
Use Case 2

If the load balancer performs load balancing of the connections to the Internet Gateways, you need to create a pool that contains all SMP Internet Gateways and link all Internet Gateways to one Virtual Server (see the scheme below).

This configuration lets you have a single public IP address and a single FQDN host for all inbound IT Management Suite CEM traffic.

The SSL handshake authentications are still done by the Internet Gateways using a common third-party certificate.

In this case, the HTTP Responder needs to be disabled in the profile on the load balancer, because all SSL handshake authentication is performed by the Internet Gateway servers and not by the load balancer.

To configure the F5 BIG-IP Local Traffic Manager to work with the IT Management Suite CEM traffic, take the following steps:

  1. Set up two or more Internet Gateways and install the third-party certificate on each Internet Gateway.
    (For more information about installing a third-party certificate on the Internet gateway, see the CEM Whitepaper.)
    In this example, the IP addresses of the Internet Gateways are 172.16.10.15-17. The port for incoming connections is 443.
  2. Create a pool with the internal IP address of the SMP Internet Gateway. One pool contains all Internet Gateways.
    In the BIG-IP Local Traffic Manager, navigate to Local Traffic > Pools: Pool List > New Pool…
    Add all Internet Gateways under New Members, or select them from the Node List if you have already added the nodes. Add TCP to Health Monitors so that the status of the members is checked. Select the preferred Load Balancing Method. (see the screen below)
  3. Create a Virtual Server that is associated with the pool.
    In this example, the IP address of the Virtual Server is 100.100.100.100 and the port is 443.
    In the BIG-IP Local Traffic Manager, navigate to Local Traffic > Virtual Servers: Virtual Server List > New Virtual Server.
    Select Standard as the Type. Enter the IP address of the Virtual Server and the port for incoming connections. Select TCP for Protocol and NONE for HTTP Profile. As Default Pool, select the previously created pool SMP_GW. (see the screen below)
  4. In the Symantec Management Console, navigate to Settings > Notification Server > Cloud-enabled Management > Policy > Cloud-enabled Management Settings.
    Add the IP address (or external FQDN) and port of the previously created Virtual Server, and the thumbprint of the certificate that is installed on all Internet Gateways in the pool. Apply the policy to the desired computers.
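The GUI steps of both use cases, expressed as the equivalent tmsh commands, as an added example script that is not part of this article or of F5's documentation. The object names SMP_GW1..3, SMP_GW and the _VS virtual server names, the round-robin method, and the openssl thumbprint check (which assumes the SHA-1 thumbprint shown in the Windows certificate dialog) are assumptions; the IP addresses and port come from the article.

```shell
#!/bin/sh
# Emits the tmsh commands for both use cases. Review the output, then pipe it
# into tmsh on the BIG-IP. No HTTP or client-ssl profile is attached to the
# virtual servers, so TLS passes through to the Internet Gateways untouched.

GATEWAYS="172.16.10.15 172.16.10.16 172.16.10.17"   # from the article
PORT=443

# Use Case 1: one pool and one virtual server per gateway (NAT only).
# Argument: the first virtual server IP; later VIPs increment the last octet.
uc1_cmds() {
  base=${1%.*}; last=${1##*.}; n=1
  for gw in $GATEWAYS; do
    vip="$base.$((last + n - 1))"
    printf 'create ltm pool SMP_GW%s members add { %s:%s } monitor tcp load-balancing-mode round-robin\n' "$n" "$gw" "$PORT"
    printf 'create ltm virtual SMP_GW%s_VS destination %s:%s ip-protocol tcp profiles add { tcp } pool SMP_GW%s\n' "$n" "$vip" "$PORT" "$n"
    n=$((n + 1))
  done
}

# Use Case 2: all gateways in one pool behind a single virtual server.
# Argument: the single public VIP.
uc2_cmds() {
  members=""
  for gw in $GATEWAYS; do members="$members $gw:$PORT"; done
  printf 'create ltm pool SMP_GW members add {%s } monitor tcp load-balancing-mode round-robin\n' "$members"
  printf 'create ltm virtual SMP_GW_VS destination %s:%s ip-protocol tcp profiles add { tcp } pool SMP_GW\n' "$1" "$PORT"
}

# Verification (needs network and openssl): the thumbprint seen through the VIP
# must equal the one installed on the gateways and entered in the CEM policy.
# If it differs, the load balancer is terminating TLS and agents will reject it.
thumbprint_via() {
  openssl s_client -connect "$1:$PORT" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

uc1_cmds 100.100.100.100
uc2_cmds 100.100.100.100
```

Compare `thumbprint_via 100.100.100.100` with `thumbprint_via 172.16.10.15` once the virtual server is up; both should print the same value.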

Note that these configurations are suitable for IT Management Suite 8.x.

In one particular situation, the customer had to remove cookie persistence, which allowed me to remove blank x-forwarders.