Getting Started With BIG-IP APM SWG Follow-Along Lab Guide

Transcription

Getting Started with BIG-IP APM SWG
Follow-Along Lab Guide

INTRODUCTION

The following lab instructions are meant to be used alongside the BIG-IP APM SWG Web-Based Training. Although there is currently no formal lab associated with the WBT, it is hoped that you, the viewer, have access to a BIG-IP with APM and SWG licenses and that you will follow along on your BIG-IP. The WBT has been designed so you can follow along without these instructions, but the author hopes these instructions will make it easier and will encourage you to take a hands-on approach to the WBT.

LESSON 3 LAB, PART 1: CERTIFICATE CONFIGURATION

In this section of the lab we're going to create a self-signed Certification Authority cert that we will then use to sign our host cert.

Step 1: Shorten the BASH and TMSH prompts so the command lines will be easier to read

    PS1="bash1# "
    tmsh
    edit cli preference all-properties

Change the prompt value to the keyword none, like this: prompt none

Step 2: Create a temporary workspace

    mkdir /tmp/cert
    cd /tmp/cert

Step 3: Create a random number file and use it to seed the key for the CA cert

    openssl rand -out random1 2048
    openssl genrsa -rand random1 -out ca-f5trn-com.key 2048

Step 4: Create a CA cert

The following command will prompt you for a number of values. You can either provide values or leave them blank. You must enter a value of ca.f5trn.com for Common Name.

    openssl req -x509 -new -key ca-f5trn-com.key -out ca-f5trn-com.crt -days 365

Step 5: Install the CA key and cert on BIG-IP

    tmsh install sys crypto key ca-f5trn-com.key from-local-file ca-f5trn-com.key
    tmsh install sys crypto cert ca-f5trn-com.crt from-local-file ca-f5trn-com.crt

Step 6: Export the CA cert as a PKCS#12 file and import it into the Windows client

You will be prompted for an export password. Leave it blank by pressing return at the prompt and at the verification prompt.

    openssl pkcs12 -export -in ca-f5trn-com.crt -inkey ca-f5trn-com.key -out ca-f5trn-com.p12 -name "f5trn CA"

A CA cert is only useful if a browser trusts the CA. Copy the cert to the Windows client. Double-click the cert to import it into Windows. When prompted, place the cert in the Trusted Root Certification Authorities certificate store.

Step 7: Create a random number file and use it to seed the key for the logon cert

    openssl rand -out random2 2048
    openssl genrsa -rand random2 -out logon-f5trn-com.key 2048

Step 8: Create a request for the logon cert

The following command will prompt you for a number of values. You can either provide values or leave them blank. You must enter a value of logon.f5trn.com for Common Name and leave the "extra" attributes blank, including the challenge password, by pressing return at the prompt.

    openssl req -new -out logon-f5trn-com.req -key logon-f5trn-com.key

Step 9: Sign the logon cert request with the f5trn CA cert

    openssl x509 -req -in logon-f5trn-com.req -out logon-f5trn-com.crt -CAkey ca-f5trn-com.key -CA ca-f5trn-com.crt -days 365 -CAcreateserial -CAserial serial

Step 10: Install the key and cert on BIG-IP

    tmsh install sys crypto key logon-f5trn-com.key from-local-file logon-f5trn-com.key
    tmsh install sys crypto cert logon-f5trn-com.crt from-local-file logon-f5trn-com.crt
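The script below is an added example and is not part of the lab guide or of F5's material. It performs the same certificate build as Steps 2 through 10 in one pass, with three practical changes: the interactive prompts of openssl req are replaced by -subj, the logon cert gets a subjectAltName (current browsers match the hostname against the SAN, not the Common Name), and the PKCS#12 file for the Windows client is written with -nokeys, because the guide's .p12 would also carry the CA private key, which should never leave the BIG-IP. A second function verifies the result before anything is installed with tmsh. File names and Common Names follow the guide; the function names, the san.ext file and the -nokeys choice are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the F5 lab guide: build the lab CA and the
# logon.f5trn.com host certificate non-interactively, then verify the result
# before the tmsh install steps. File names and Common Names follow the guide;
# the SAN, the -nokeys export and the checks are additions.

# $1: working directory (the guide uses /tmp/cert)
build_lab_pki() (
    workdir="$1"
    mkdir -p "$workdir" && cd "$workdir" || exit 1

    # CA key and self-signed CA certificate; Common Name must be ca.f5trn.com.
    # -subj replaces the interactive prompts of 'openssl req'.
    openssl genrsa -out ca-f5trn-com.key 2048 2>/dev/null || exit 1
    openssl req -x509 -new -key ca-f5trn-com.key -out ca-f5trn-com.crt \
        -days 365 -subj "/CN=ca.f5trn.com" 2>/dev/null || exit 1

    # Host key and certificate request; Common Name must be logon.f5trn.com
    openssl genrsa -out logon-f5trn-com.key 2048 2>/dev/null || exit 1
    openssl req -new -key logon-f5trn-com.key -out logon-f5trn-com.req \
        -subj "/CN=logon.f5trn.com" 2>/dev/null || exit 1

    # Sign the request with the CA. The extfile (this example's addition)
    # puts the hostname in a subjectAltName as well as in the Common Name.
    printf 'subjectAltName=DNS:logon.f5trn.com\n' > san.ext
    openssl x509 -req -in logon-f5trn-com.req -out logon-f5trn-com.crt \
        -CA ca-f5trn-com.crt -CAkey ca-f5trn-com.key -days 365 \
        -CAcreateserial -CAserial serial -extfile san.ext 2>/dev/null || exit 1

    # PKCS#12 copy of the CA *certificate only* for the Windows trust store.
    # The guide's empty export password is given with -passout instead of a
    # prompt; -nokeys keeps the CA private key out of the file.
    openssl pkcs12 -export -nokeys -in ca-f5trn-com.crt -out ca-f5trn-com.p12 \
        -name "f5trn CA" -passout pass: 2>/dev/null || exit 1
)

# $1: working directory. Succeeds only if the material is consistent.
verify_lab_pki() (
    cd "$1" || exit 1
    # the host cert chains to our CA
    openssl verify -CAfile ca-f5trn-com.crt logon-f5trn-com.crt >/dev/null 2>&1 || exit 1
    # key and cert belong together (same RSA modulus)
    [ "$(openssl x509 -noout -modulus -in logon-f5trn-com.crt)" = \
      "$(openssl rsa -noout -modulus -in logon-f5trn-com.key)" ] || exit 1
    # the name the captive portal is reached by is present as CN and as SAN
    openssl x509 -noout -subject -in logon-f5trn-com.crt | grep -q 'logon.f5trn.com' || exit 1
    openssl x509 -noout -text -in logon-f5trn-com.crt | grep -q 'DNS:logon.f5trn.com' || exit 1
)

# Stand-alone use: sh build_lab_pki.sh /tmp/cert
if [ $# -gt 0 ]; then
    build_lab_pki "$1" && verify_lab_pki "$1" && echo "lab PKI built and verified in $1"
fi
```

The explicit openssl rand seed files of Steps 3 and 7 are omitted: current OpenSSL releases seed from the operating system's CSPRNG on their own. If verify_lab_pki fails, nothing has been installed yet and the directory can simply be rebuilt.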

LESSON 3 LAB, PART 2: CLIENT SSL PROFILE CONFIGURATION

In this section of the lab we're going to create both a client and a server SSL profile to be used with the virtual servers that will be created later.

Step 1: Create a client-facing SSL profile using the CA cert with SSL forward proxy bypass enabled

Navigate to Local Traffic ›› Profiles ›› SSL ›› Client

    Name: (value not legible in the transcription)
    SSL Forward Proxy (Mode): (value not legible in the transcription)
    SSL Forward Proxy: (value not legible in the transcription)
    CA Certificate: ca-f5trn-com.crt
    CA Key: ca-f5trn-com.key
    SSL Forward Proxy Bypass: Enabled

Step 2: Create a server-facing SSL profile with forward proxy bypass enabled

Navigate to Local Traffic ›› Profiles ›› SSL ›› Server

    Name: transp-prx-server.ssl
    SSL Forward Proxy: Enabled
    SSL Forward Proxy Bypass: Enabled

Step 3: Create a client-facing SSL profile for the captive logon page

Navigate to Local Traffic ›› Profiles ›› SSL ›› Client

    Name: (value not legible in the transcription)
    Certificate: logon-f5trn-com.crt
    Key: logon-f5trn-com.key

LESSON 3 LAB, PART 3: NETWORK CONFIGURATION

In this section of the lab we're going to add static host entries and configure DNS and default routes on both the BIG-IP and the Windows client.

Step 1: Add the logon.f5trn.com static hostname to BIG-IP

Navigate to System ›› Configuration ›› Devices ›› Hosts

    IP Address: 172.16.1.101
    Hostname: logon.f5trn.com

Step 2: Add a DNS server to BIG-IP

Navigate to System ›› Configuration ›› Devices ›› DNS

    DNS Lookup Server Address: 172.16.1.254

Step 3: Add a default route to BIG-IP

Navigate to Network ›› Routes

    Name: default.rt
    Destination / Netmask: 0.0.0.0 / 0.0.0.0
    Gateway IP Address: 10.10.1.254

Step 4: Add the logon.f5trn.com static hostname to the Windows client

Logged in as Administrator, use Notepad to edit C:\Windows\System32\drivers\etc\hosts and add the following line:

    172.16.1.101    logon.f5trn.com

Step 5: Add the following default route and DNS server to the Windows client

(The route and DNS server values were given in a screenshot that is not part of the transcription.)

LESSON 4 LAB: HTTP AND HTTPS FORWARDING VIRTUAL SERVER CONFIGURATION

In this lab we're going to create two forwarding virtual servers for our transparent proxy.

Step 1: Create a forwarding virtual server for port 80

Navigate to Local Traffic ›› Virtual Servers

    Name: transp-prx-fw-80.vs
    Destination Network: (value not legible in the transcription)
    Destination Port: 80
    Configuration (Mode): (value not legible in the transcription)
    HTTP Profile: http
    Source Address Translation: Auto Map
    Address Translation: Disabled

Step 2: Create a forwarding virtual server for port 443

Navigate to Local Traffic ›› Virtual Servers

    Name: transp-prx-fw-443.vs
    Destination Network: (value not legible in the transcription)
    Destination Port: 443
    Configuration (Mode): (value not legible in the transcription)
    HTTP Profile: (value not legible in the transcription)
    SSL Profile (Client): (value not legible in the transcription)
    SSL Profile (Server): (value not legible in the transcription)
    Source Address Translation: Auto Map
    Address Translation: Disabled

Step 3: Test

LESSON 5 LAB, PART 1: USER DATABASE AND USER CONFIGURATION

In this section of the lab we're going to create a local user database instance and create a local user in that database.

Step 1: Create a local user database instance

Navigate to Access Policy ›› Local User DB ›› Manage Instances

    Name: user.db

Step 2: Create a local user

Navigate to Access Policy ›› Local User DB ›› Manage Users

    (The user fields and values are not legible in the transcription.)

LESSON 5 LAB, PART 2: ACCESS POLICY CONFIGURATION

In this section of the lab we're going to create an access profile and then edit the associated access policy to provide captive portal functionality.

Step 1: Create an access profile

Navigate to Access Policy ›› Access Profile

    Name: transp-prx.ap
    Profile Type: (value not legible in the transcription)
    Captive Portals: (value not legible in the transcription)
    Primary Authentication URI: (value truncated in the transcription; it ends in n.f5trn.com)
    Accepted Language: English (en)

Step 2: Edit the access policy to look like the following

(The access policy diagram is a screenshot that is not part of the transcription.)

LESSON 5 LAB, PART 3: CAPTIVE PORTAL VIRTUAL SERVER CONFIGURATION

In this section of the lab we're going to create a captive portal virtual server.

Step 1: Create a virtual server

Navigate to Local Traffic ›› Virtual Servers

    Name: (value not legible in the transcription)
    Destination Network: (value not legible in the transcription)
    Destination Port: (value not legible in the transcription)
    HTTP Profile: (value not legible in the transcription)
    SSL Profile (Client): -prx-logon-client.ssl (start of the name truncated in the transcription)
    Access Policy: transp-prx.ap

Step 2: Modify virtual server transp-prx-fw-80.vs

Navigate to Local Traffic ›› Virtual Servers

    Access Policy: transp-prx.ap

Step 3: Modify virtual server transp-prx-fw-443.vs

Navigate to Local Traffic ›› Virtual Servers

    Access Policy: transp-prx.ap

Step 4: Test

LESSON 6 LAB, PART 1: WEBSENSE IPI DATABASE CONFIGURATION AND CONFIRMATION

In this section of the lab we're going to download the Websense database and test to confirm it has loaded correctly.

Step 1: Download the database

Navigate to Access Policy ›› Secure Web Gateway ›› Database Settings ›› Database Download

Once the database download has completed, you should see the download results shown above (the screenshot is not part of the transcription).

Step 2: Test several URLs

Navigate to Access Policy ›› Secure Web Gateway ›› Database Settings ›› URL Category Lookup

Try several URLs and determine whether they are categorized correctly.

LESSON 6 LAB, PART 2: URL FILTER CONFIGURATION

In this section of the lab we're going to create and edit a URL filter that will block traffic that does not match our fictitious corporate Internet Acceptable Use Policy.

Step 1: Create a URL Filter

Navigate to Access Policy ›› Secure Web Gateway ›› URL Filters

    Name: block-non-acceptable.urlf

Step 2: Note the filtering actions already assigned to Adult Material, Drugs, Extended Protection, etc. Most categories are either Allowed or Blocked; you can drill into sub-categories by clicking the plus sign next to the category.

Step 3: Select the checkbox next to the Bandwidth category

Step 4: Scroll to the bottom of the list and click Block

Step 5: Now click the plus sign next to the Bandwidth category

Step 6: Select the checkbox next to the Educational Video sub-category

Step 7: Scroll to the bottom of the list and click Allow

Step 8: Review the categories and sub-categories of your newly created URL Filter
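Steps 3 through 7 rely on one rule of the URL filter that is easy to get backwards: an action set on a sub-category overrides the action set on its parent category, so Bandwidth can be blocked as a whole while Educational Video under it stays allowed. The shell script below is an added illustration of that precedence, not part of the guide or of the BIG-IP: the rule table, the extra sub-category "Streaming Media", the sample lookups and the function names are all constructed for this example, and the real category tree and its default actions are the ones the Websense database shows in Step 2.

```shell
#!/bin/sh
# Added example, not part of the lab guide: the decision logic that the URL
# filter of Steps 3-7 expresses. A rule on a sub-category overrides the rule
# on its parent category; anything without a rule falls through to allow.
# The rule table is constructed for this example; the real category tree and
# its default actions come from the Websense database on the BIG-IP.

# One rule per line: category[/sub-category]|allow|block
LAB_FILTER_RULES='Adult Material|block
Drugs|block
Bandwidth|block
Bandwidth/Educational Video|allow'

# $1: exact rule path. Prints the action, or nothing if no rule exists.
lookup_rule() {
    printf '%s\n' "$LAB_FILTER_RULES" | while IFS='|' read -r path action; do
        if [ "$path" = "$1" ]; then
            printf '%s\n' "$action"
            break
        fi
    done
    return 0
}

# $1: category, $2: sub-category (may be empty). Prints allow or block.
filter_decision() {
    category=$1
    subcategory=${2:-}
    action=''
    # most specific rule first: the sub-category, then its parent category
    if [ -n "$subcategory" ]; then
        action=$(lookup_rule "$category/$subcategory")
    fi
    if [ -z "$action" ]; then
        action=$(lookup_rule "$category")
    fi
    printf '%s\n' "${action:-allow}"
}

# Constructed lookups in the shape of the URL Category Lookup results from
# Lesson 6 Part 1: url|category|sub-category (sub-category may be empty)
SAMPLE_LOOKUPS='https://videos.example.test/lecture|Bandwidth|Educational Video
https://stream.example.test/live|Bandwidth|Streaming Media
https://news.example.test/|News and Media|
https://shop.example.test/|Adult Material|'

# Prints one "url decision" line per sample lookup
apply_filter() {
    printf '%s\n' "$SAMPLE_LOOKUPS" | while IFS='|' read -r url category sub; do
        printf '%s %s\n' "$url" "$(filter_decision "$category" "$sub")"
    done
}

apply_filter
```

Running it prints allow for the lecture video, block for the live stream, allow for the news site and block for the adult-material site. The order of Steps 3 to 7 matters for the same reason: blocking Bandwidth first and then allowing Educational Video leaves the intended exception, whereas doing it the other way round in a filter that re-applies the parent action to its children would not.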

LESSON 6 LAB, PART 3: PER-REQUEST POLICY CONFIGURATION

In this section of the lab we're going to create and edit a per-request policy that will inspect each request and determine whether it should be allowed or rejected.

Step 1: Create a per-request policy

Navigate to Access Policy ›› Per-Request Policy

    Name: transp-prx.prp

Step 2: Edit the per-request policy to look like the following

(The per-request policy diagram is a screenshot that is not part of the transcription.)

Note: the HTTPS and HTTP Category Lookup agents were originally named Category Lookup.
Note: the HTTPS and HTTP URL Filter Assign agents were originally named URL Filter Assign.
Note: if you are using version 12.1, delete the "Confirm" branches from the URL Filter Assign agents.

LESSON 6 LAB, PART 4: VIRTUAL SERVER CONFIGURATION

In this section of the lab we're going to modify the forwarding virtual servers to use the per-request policy.

Step 1: Modify virtual server transp-prx-fw-80.vs

Navigate to Local Traffic ›› Virtual Servers

    Per-Request Policy: transp-prx.prp

Step 2: Modify virtual server transp-prx-fw-443.vs

Navigate to Local Traffic ›› Virtual Servers

    Per-Request Policy: transp-prx.prp

Step 3: Test

LESSON 7 LAB: SSL BYPASS CONFIGURATION

In this lab we're going to modify the per-request policy to include an SSL bypass for URLs that are categorized as banking or health.

Step 1: Modify the existing per-request policy to look like the following

(The updated per-request policy diagram is a screenshot that is not part of the transcription.)

Step 2: Test
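For the test in Step 2 the quickest evidence, from the Windows client or any host on the client side of the proxy, is the issuer of the certificate the browser actually received: when SSL forward proxy re-signs a session the issuer is the lab CA, ca.f5trn.com, and for a bypassed banking or health site it is the origin's real issuer. The script below is an added check, not part of the guide or of F5's tooling. classify_issuer parses the issuer line in both formats openssl prints and needs no network; probe_site wraps openssl s_client for a live check. The function names and the sample issuer strings are constructed for this example; the CA Common Name is the one from Lesson 3.

```shell
#!/bin/sh
# Added example, not part of the lab guide. Decide from a certificate's issuer
# whether the SWG intercepted the session (re-signed by the lab CA) or the SSL
# bypass let the origin certificate through. Assumes the CA Common Name
# ca.f5trn.com from Lesson 3; function names are this example's own.

# $1: issuer line as printed by 'openssl x509 -noout -issuer'
# $2: Common Name of the forward-proxy CA
# Prints: intercepted | bypassed | unknown
classify_issuer() {
    # Extract the CN from either "issuer=C = US, CN = x" (OpenSSL 1.1 and
    # later) or "issuer= /C=US/CN=x" (older releases); a CN in these lines
    # never contains ',' or '/'.
    cn=$(printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' \
        | sed 's/[[:space:]]*$//')
    if [ -z "$cn" ]; then
        echo unknown          # no CN at all: inspect the full chain by hand
    elif [ "$cn" = "$2" ]; then
        echo intercepted      # SWG terminated TLS and re-signed with the lab CA
    else
        echo bypassed         # the origin certificate reached the client untouched
    fi
}

# Live probe from the client side of the proxy (needs network access).
# $1: hostname, $2: port
probe_site() {
    issuer=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null \
        2>/dev/null | openssl x509 -noout -issuer) || return 1
    classify_issuer "$issuer" ca.f5trn.com
}

# Constructed sample issuer lines, as a client-side test run would see them
SAMPLE_INTERCEPTED='issuer=CN = ca.f5trn.com'
SAMPLE_BYPASSED='issuer=C = US, O = Example Bank, CN = Example Bank Issuing CA'
SAMPLE_LEGACY_FORMAT='issuer= /C=US/O=f5trn/CN=ca.f5trn.com'

# Stand-alone use: sh check_bypass.sh <hostname> [port]
if [ $# -gt 0 ]; then
    probe_site "$1" "${2:-443}"
fi
```

Against a site the database places in the banking or health category the answer should be bypassed; against any other HTTPS site it should be intercepted. An answer of unknown means the issuer carried no Common Name at all, which is worth a look at the full chain rather than a shrug, and a bypassed answer for a site that should be intercepted usually means the per-request policy branch or the SSL Forward Proxy Bypass setting on the profiles is not what Lesson 3 Part 2 set up.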
