F5 Configuration Guide For BeyondInsight

Transcription

F5 Configuration Guide for BeyondInsight
Examples for Active/Active configuration of F5 Local Traffic Managers

Table of Contents

Executive Summary
Deployment Methodologies
Design Overview
  HA State Detection for Active/Passive Deployments
PowerBroker Password Safe
  Configuration Overview
  Configuration Components
  Configuration Example
BeyondInsight Management Console
  Configuration Overview
  Configuration Example
BeyondInsight Event Collector Service
  Configuration Overview
  Configuration Example
SNAT Pools
About BeyondTrust

Development Process 2016. BeyondTrust Software, Inc.

Executive Summary

BeyondInsight / PowerBroker Password Safe supports a number of configuration methodologies for high availability, redundancy, and scalability. The solution may be installed as software, or delivered as a ready-to-run security appliance, called a UVM; the latter is the more common deployment method. Most configurations require the use of an external load balancer so that end users and software endpoints can continue to connect to the BeyondInsight system when a primary IP address goes offline in a failure. This document explains some of these configuration options using F5 LTM load balancers.

Deployment Methodologies

Active/Passive

Two appliances are required for active/passive. The internal databases are replicated, and a heartbeat sent from the primary indicates to the secondary whether it should take over operations.

[Diagram: Site A (Secondary - Primary) and Site B (Primary - Secondary). Database sync over 5022 TCP (default); heartbeat over 443 TCP (130 s). Clients reach the pair through a load balancer or a DNS CNAME.]

Active/Passive is for UVM appliances only. It fails over to a mirrored appliance in the event the primary appliance is not available. Failover is automatic. This method involves two appliances configured as a 'pair'. Note that appliance pairs have to be identical, i.e. UVMv20 - UVMv20, UVM50 - UVM50, UVM20 - UVM20, etc.

Active/Active

Sometimes called multi-active, this deployment type allows multiple nodes (Password Safe instances) to be active at one time. Each node is connected directly to the database.

[Diagram: DC1. Admin and standard users connect through the F5 to three appliances: a UVM50 (Primary Mgmt: Admin Console, Retina Scanner), a UVM50 worker node / backup Mgmt (Admin Console*, Password Portal, Retina Scanner, Session Recording, Password Mgmt) and a UVMV20 worker node (Retina Scanner, Password Portal, Session Recording, Password Mgmt). The appliances use a SQL AlwaysOn Availability Group hosted on two 2012R2 physical servers running SQL 2012 in an MS 2012R2 cluster backed by a SAN.]

In this scenario, a pair of replicas is configured for synchronous commit within an external AlwaysOn Availability Group; this provides database redundancy. Three appliances are connected to the external address of the Availability Group. One is configured with a management console role, the other two are 'worker nodes'. Access to the appliances may be made directly, or via the load balancer, and the appliances may be used simultaneously.

Design Overview

The BeyondInsight / Password Safe solution has several different network endpoints that must be balanced differently:

  - The PowerBroker Password Safe HTTPS website and API, and its session recording endpoints
    o webconsole/api/configuration/feature/passwordsafe
  - The BeyondInsight Management Console
    o sole
  - The BI Event Collector for PowerBroker Windows and PowerBroker Unix/Linux logs

Each endpoint has different networking and SSL requirements and must be set up as a separate virtual server in the F5 load balancer. Additionally, each endpoint provides a different URI, and therefore requires a different configuration for availability monitoring. For an Active/Passive high availability configuration, the goal is a fast and efficient failover, even if it requires an end user to log in to the application again.

HA State Detection for Active/Passive Deployments

The UVM appliance has an API endpoint URL that allows an external device to determine the current HA state (the endpoint URL is truncated in this copy of the document: "...lability"). A GET to this address returns a result (JSON by default) whose format can be controlled by the request headers. For example: {"Role":"Active"}.

You can see the JSON by opening the URL in a web browser. As the API endpoint is built on the Microsoft Web API platform, it supports other formats for the returned object, selected by the Accept header of the request. For example, you will see XML returned if the URL is opened in Chrome, because Chrome's default Accept header ranks application/xml above */*.
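As an added example (not part of the original guide), the following tmsh configuration turns the HA state endpoint into an F5 health monitor, so that in an Active/Passive deployment only the appliance currently reporting "Active" receives traffic. The endpoint path (/ha-state), the host name, the monitor and pool names and the node addresses are assumptions: the guide's URL is truncated, so /ha-state stands in for it here. The Accept header is pinned to JSON so the recv pattern does not depend on the XML the endpoint returns to clients that prefer it.

```tmsh
# Added example: monitor the UVM HA-state endpoint and mark only the Active
# appliance as available. Path, host name, object names and addresses are
# assumptions; the guide's real endpoint URL is not reproduced here.
ltm monitor https /Common/ha-state-active {
    defaults-from /Common/https
    destination *:443
    interval 5
    timeout 16
    time-until-up 0
    # The endpoint content-negotiates on the Accept header, so pin JSON.
    send "GET /ha-state HTTP/1.1\\r\\nHost: psafe.example.com\\r\\nAccept: application/json\\r\\nConnection: close\\r\\n\\r\\n"
    # Matches the literal "Role":"Active" in the compact JSON body without
    # needing escaped quotes in the config file (the three dots cover ":").
    # The Passive appliance answers with "Role":"Passive" and fails the check.
    recv "Role...Active"
}
ltm pool /Common/UVM-HA-pair {
    members {
        /Common/UVM-A:443 {
            address 10.0.0.21
        }
        /Common/UVM-B:443 {
            address 10.0.0.22
        }
    }
    monitor /Common/ha-state-active
    # When the old Active appliance fails the check, reset its existing
    # connections so clients reconnect to the new Active member.
    service-down-action reset
}
```

With this monitor attached, a failover is detected within one monitor timeout (16 s here); users whose session lived on the old primary will have to log in again, which the guide accepts in exchange for a fast failover.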

PowerBroker Password Safe

CONFIGURATION OVERVIEW

As well as the BeyondInsight web site, PowerBroker Password Safe (Password Safe) requires support for additional interfaces:

  - HTML5 web endpoint for user access to check out passwords
  - JSON RESTful API interface
  - Listening ports for session recording
    o 4489 (default) for RDP sessions
    o 4422 (default) for SSH sessions

The HTML5 web endpoint and the session recording listeners need to share the same persistence, so that the Password Safe node which starts the session recording service for a user is the node that the F5 sends that user's recording connection to.

Note on API use cases

The API uses client IP addresses as one of its authenticators, so SSL termination at the F5 will hide those IP addresses from the Password Safe server. For this reason, a separate virtual server for the Password Safe API needs to be set up that does NOT terminate the SSL connections. Note that source address translation (a SNAT pool or automap) also replaces the caller's IP address with the F5's: if SNAT applies to the API virtual server, the Password Safe nodes will see the SNAT address rather than the API client's, and because the F5 does not decrypt this traffic it cannot insert an X-Forwarded-For header to compensate.

CONFIGURATION COMPONENTS

The configuration for Password Safe consists of multiple virtual servers connected to a single pool with wildcard (all services enabled, port 0) nodes, using source_addr as the primary persistence method, so that persistence can be maintained across all virtual servers. This is documented by F5 on DevCentral at: ss-virtual-servers (the URL is truncated in this copy of the document). Note that the default /Common/source_addr profile does not match persistence records across services or virtual servers; a custom source_addr profile with the Match Across Services / Match Across Virtual Servers options enabled is needed for a user's web, RDP and SSH connections to land on the same node.

The Password Safe configuration also terminates SSL connections, allowing the separation of the name and IP address of the Password Safe and BeyondInsight Management Console logon sites.

CONFIGURATION EXAMPLE

  ltm default-node-monitor {
      rule /Common/https_443
  }
  ltm node /Common/PS1 {
      address 192.168.1.20
  }
  ltm node /Common/PS2 {
      address 192.168.1.30
  }
  ltm pool /Common/PSafe {
      description "Two Password Safe machines 192.168.1.20 & 192.168.1.30"
      load-balancing-mode least-connections-member
      members {
          /Common/PS1:0 {
              address 192.168.1.20
              description "PasswordSafe Node"
              monitor /Common/https_443
          }
          /Common/PS2:0 {
              address 192.168.1.30
          }
      }
      monitor /Common/https_443
      service-down-action reselect
  }
  ltm virtual /Common/pbpsapi {
      destination /Common/10.200.30.156:443
      ip-protocol tcp
      mask 255.255.255.255
      persist {
          /Common/source_addr {
              default yes
          }
      }
      pool /Common/PSafe

      profiles {
          /Common/tcp { }
      }
      source 0.0.0.0/0
      translate-address enabled
      translate-port enabled
      vlans-disabled
  }
  ltm snat /Common/psafe {
      origins {
          0.0.0.0/0 { }
      }
      snatpool /Common/psafe
  }
  ltm snat-translation /Common/192.168.1.11 {
      address 192.168.1.11
      inherited-traffic-group true
      traffic-group /Common/traffic-group-1
  }
  ltm snatpool /Common/psafe {
      members {
          /Common/192.168.1.11
      }
  }
  ltm virtual /Common/PBPS-RDP {
      destination /Common/10.200.31.68:4489
      fallback-persistence /Common/dest_addr
      ip-protocol tcp
      mask 255.255.255.255
      persist {
          /Common/source_addr {
              default yes
          }
      }
      pool /Common/PSafe
      profiles {
          /Common/tcp { }

      }
      source 0.0.0.0/0
      translate-address enabled
      translate-port enabled
      vlans-disabled
  }
  ltm virtual /Common/PBPS-SSH {
      destination /Common/10.200.31.68:4422
      fallback-persistence /Common/dest_addr
      ip-protocol tcp
      mask 255.255.255.255
      persist {
          /Common/source_addr {
              default yes
          }
      }
      pool /Common/PSafe
      profiles {
          /Common/tcp { }
      }
      source 0.0.0.0/0
      translate-address enabled
      translate-port enabled
      vlans-disabled
  }
  ltm virtual /Common/psafe {
      destination /Common/10.200.31.68:443
      fallback-persistence /Common/dest_addr
      ip-protocol tcp
      mask 255.255.255.255
      persist {
          /Common/source_addr {
              default yes
          }
      }
      pool /Common/PSafe
      profiles {

          /Common/http { }
          /Common/psafe {
              context serverside
          }
          /Common/psafe_client {
              context clientside
          }
          /Common/tcp { }
      }
      source 0.0.0.0/0
      translate-address enabled
      translate-port enabled
      vlans-disabled
  }
  ltm virtual-address /Common/10.200.31.68 {
      address 10.200.31.68
      mask 255.255.255.255
      traffic-group /Common/traffic-group-1
  }
  ltm profile client-ssl /Common/psafe_client {
      alert-timeout 10
      allow-non-ssl disabled
      app-service none
      cache-size 262144
      cache-timeout 3600
      cert /Common/psafe
      chain none
      ciphers DEFAULT
      defaults-from /Common/clientssl
      handshake-timeout 10
      key /Common/psafe.key
      mod-ssl-methods disabled
      options none
      proxy-ssl disabled
      renegotiate-max-record-delay 10
      renegotiate-period indefinite
      renegotiate-size indefinite

      renegotiation enabled
      secure-renegotiation require
      server-name none
      session-ticket disabled
      sni-default false
      sni-require false
      strict-resume disabled
      unclean-shutdown enabled
  }
  ltm profile server-ssl /Common/psafe {
      alert-timeout 10
      app-service none
      authenticate once
      authenticate-depth 9
      authenticate-name none
      ca-file none
      cache-size 262144
      cache-timeout 3600
      cert /Common/psafe
      chain none
      ciphers DEFAULT
      crl-file none
      defaults-from /Common/serverssl
      expire-cert-response-control ignore
      handshake-timeout 10
      key /Common/psafe.key
      mod-ssl-methods disabled
      peer-cert-mode ignore
      proxy-ssl disabled
      renegotiate-period indefinite
      renegotiate-size indefinite
      renegotiation enabled
      secure-renegotiation require-strict
      server-name none
      session-ticket disabled
      sni-default false
      sni-require false

      ssl-forward-proxy disabled
      strict-resume disabled
      unclean-shutdown enabled
      untrusted-cert-response-control ignore
  }
  sys file ssl-cert /Common/psafe {
      cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:psafe_48505_1
      revision 1
  }
  sys file ssl-key /Common/psafe.key {
      cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:psafe.key_48502_1
      revision 1
  }

Note that the server-ssl profile in this example does not validate the certificate presented by the Password Safe nodes (peer-cert-mode ignore, ca-file none, untrusted-cert-response-control ignore and expire-cert-response-control ignore). The re-encrypted leg between the F5 and the appliances is therefore protected against eavesdropping but not against a substituted server; in a production deployment, set peer-cert-mode require with a ca-file holding the issuer of the appliance certificates.

BeyondInsight Management Console

CONFIGURATION OVERVIEW

There will only ever be a single instance of the BeyondInsight Management Console (BI) in an environment, so the checks for availability need to be different, necessitating a different pool configuration.

CONFIGURATION EXAMPLE

  ltm default-node-monitor {
      rule /Common/https_443
  }
  ltm node /Common/PS1 {
      address 192.168.1.20
  }
  ltm node /Common/PS2 {
      address 192.168.1.30
  }
  ltm pool /Common/bi-management {
      description "management console"
      members {

          /Common/PS1:443 {
              address 192.168.1.20
          }
          /Common/PS2:443 {
              address 192.168.1.30
          }
      }
      monitor /Common/https_mgmt
      service-down-action reset
  }
  ltm virtual /Common/MGMT_Console {
      destination /Common/10.200.31.69:443
      fallback-persistence /Common/source_addr
      ip-protocol tcp
      mask 255.255.255.255
      persist {
          /Common/cookie {
              default yes
          }
      }
      pool /Common/bi-management
      profiles {
          /Common/http { }
          /Common/psafe {
              context serverside
          }
          /Common/psafe_client {
              context clientside
          }
          /Common/tcp { }
      }
      source 0.0.0.0/0
      translate-address enabled
      translate-port enabled
      vlans-disabled
  }
  ltm virtual-address /Common/10.200.31.69 {

      address 10.200.31.69
      mask 255.255.255.255
      traffic-group /Common/traffic-group-1
  }
  ltm monitor https /Common/https_mgmt {
      cipherlist DEFAULT:+SHA:+3DES:-kEDH
      compatibility enabled
      defaults-from /Common/https
      destination *:*
      interval 5
      recv .*BeyondInsight
      send "GET sole\\r\\n"
      time-until-up 0
      timeout 16
  }
  sys file ssl-key /Common/server.key {
      cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:server.key_48493_1
      revision 1
  }
  sys file ssl-key /Common/unencrypted.key {
      cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:unencrypted.key_48496_1
      revision 1
  }

BeyondInsight Event Collector Service

CONFIGURATION OVERVIEW

The BeyondInsight Event Collector service is used by PowerBroker Windows (PBW) and PowerBroker Unix/Linux (PBUL) clients to send events into BeyondInsight.

SSL server verification is required by the clients, and the BeyondInsight server authenticates the clients from the SSL certificate that they present. As a result, the client SSL authentication needs to be passed through to the BeyondInsight server: the F5 must not terminate SSL on this virtual server, since a terminating proxy would present its own certificate to the clients and would not be able to forward the clients' certificates to the node. Additionally, the eEyeEMSClient.cer certificate needs to be loaded onto the F5 so that its health monitor can perform a true endpoint check of Event Collector service availability, authenticating to the service the way a client does.

CONFIGURATION EXAMPLE

  ltm node /Common/PS1 {
      address 192.168.1.20
  }
  ltm node /Common/PS2 {
      address 192.168.1.30
  }
  ltm pool /Common/Event_Collector {
      load-balancing-mode least-connections-member
      members {
          /Common/PS1:443 {
              address 192.168.1.2
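The guide's Event Collector configuration is cut off above. As an added example (not the guide's own configuration), the following tmsh objects show the two pieces the overview calls for: an https monitor that authenticates to the collector with the eEyeEMSClient client certificate, so the health check exercises the same mutual-TLS path the agents use, and a virtual server with no client-ssl, server-ssl or http profile, so the agents' TLS handshake (and with it their client certificate) reaches the BeyondInsight node untouched. The monitor, pool and virtual server names, the virtual address 10.200.31.70, the host name, the request path and the key file name eEyeEMSClient.key are assumptions; PS1 and PS2 are the nodes the guide defines.

```tmsh
# Added example, not the guide's configuration. Assumes the agent client
# certificate and its key were imported as /Common/eEyeEMSClient.crt and
# /Common/eEyeEMSClient.key (e.g. with "install sys crypto cert/key").
ltm monitor https /Common/eventcollector-mtls {
    defaults-from /Common/https
    destination *:443
    interval 10
    timeout 31
    # Client certificate presented in the monitor's TLS handshake: a node
    # that accepts TCP connections but rejects agent certificates fails.
    cert /Common/eEyeEMSClient.crt
    key /Common/eEyeEMSClient.key
    # Path and host name are assumptions; use the collector's real URI.
    send "GET /EventCollector HTTP/1.1\\r\\nHost: bi.example.com\\r\\nConnection: close\\r\\n\\r\\n"
    # Any HTTP response proves the mutually authenticated session was
    # established; a rejected client certificate yields no response at all.
    recv "HTTP/1"
}
ltm pool /Common/Event_Collector_mtls {
    load-balancing-mode least-connections-member
    members {
        /Common/PS1:443 {
            address 192.168.1.20
        }
        /Common/PS2:443 {
            address 192.168.1.30
        }
    }
    monitor /Common/eventcollector-mtls
}
# SSL passthrough: only a tcp profile. Without a client-ssl profile the
# node's own certificate reaches the agents, which verify it; without a
# server-ssl profile the agents' client certificate reaches the node.
ltm virtual /Common/EventCollector {
    destination /Common/10.200.31.70:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/Event_Collector_mtls
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
```

Because the F5 never sees plaintext on this path, cookie persistence is unavailable; if the collector needs a client to stay on one node, use source_addr persistence as the Password Safe virtual servers do.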
