Load balance an HTTPS web site with BIG-IP F5

I configured an Active/Standby BIG-IP F5 pair in my other post; you can take a look at the network configuration there. This post walks you through setting up a basic load balancer between two web servers in my VMware Workstation lab.

The F5 has two networks, one Internal and one External. Clients come in through the External interface, where they are forwarded to the Internal VIP IP, which load balances the two web servers behind it.

Details

                 mysite.mylab.local
                         |
        Load Balancing VIP IP (192.168.245.11)
               /                      \
WebServer-1 (192.168.245.20)    WebServer-2 (192.168.245.30)

Import SSL certificate into F5

You need to import the cert into the BIG-IP F5 and then create a profile with the certificate so that it is visible in the different drop-downs.

1.  System > File Management > SSL Certificates List > Import
2.  Choose PKCS 12 (IIS) if you have a .pfx file, and enter a name for the cert
3.  Create a profile for the cert: Traffic > Policies > SSL > Client, Create (right side), give the profile a name: mysite.mylab.local

Create a Node

You need to add the servers that will be hosting the web site here and also add the Default monitor that will monitor if the server is up or down.

1.  Make sure you are on the Active F5 Node
2.  Local Traffic > Nodes > Node List, Click Create (right corner)
3.  Add both nodes, for Health Monitor leave Node Default:
    Name: mysite_WebNode1 Address 192.168.245.20
    Name: mysite_WebNode2 Address 192.168.245.30
4.  Configure Default Health Monitor, Nodes > Default Monitor, choose icmp
5.  Click on Nodes > Node List, they should be green
6.  Now you will create a pool and attach the nodes to it.

Create a Pool

This step will create the pool, then you will add two web servers (nodes) here and specify which port the nodes will listen on.

1.  Local Traffic > Pools > Pool List, click Create (Top right corner)
2.  Add the two web servers to the pool and specify the port
    Name: mysite.mylab.local-pool
    Health Monitors: https, Priority Group Activation: Node List, from drop down select both nodes with Service port 443/HTTPS and add to New Members section.
3.  Your pool is created and should be green. You can click on it and select the Members tab to see details; both nodes should be green as well.
4.  Now you will create a VIP and link it to the pool.

Create a Virtual Server (VIP)

This step will create the Virtual IP and specify which port it will listen on. Then you can configure which certificate you want the client to see. You can also specify whether you want the F5 to use a certificate to talk to the web servers behind the VIP.

1.  Local Traffic > Virtual Servers > Click Create (Right corner)
    Type: Standard
    Source Address: 0.0.0.0/0
    Destination Address/Mask: 192.168.245.11
    Service Port: 443/HTTPS
    SSL Profile (Client): mysite.mylab.local
    SSL Profile (Server): serverssl
    Source Address Translation: Auto Map
2.  Resources TAB, attach VIP to the pool
    Default Pool: mysite.mylab.local-pool
    Default Persistence Profile: source_addr
3.  Make sure the pool shows up green

Browse the sites through the VIP

https://192.168.245.11/

Create a Node Walkthrough

Here are some screenshots that walk you through adding the web servers so that they will show up as available nodes.

Make sure you are on the correct node

Local Traffic > Nodes > Node List, click Create (Right side)

Add both nodes, for Health Monitor leave Node Default:
Name: mysite_WebNode1 Address 192.168.245.20
Name: mysite_WebNode2 Address 192.168.245.30

Adding the second WebNode

We can see both web nodes created, but they are not green. You need to configure the default monitor as we specified above.

Add the default monitor, since the nodes above don’t show green. Choose basic icmp for the lab environment.

Create a pool Walkthrough

Local Traffic > Pools > Pool List, click Create (Top right corner)

Add the two nodes to the pool
Name: mysite.mylab.local-pool Health Monitors: https, Priority Group Activation: Node List, from drop down select both nodes with Service port 443/HTTPS and add to New Members section.

The pool list has been created

Click on it and click on Members, make sure they show up green

I shut down one of my servers and I can see the node went down and turned red.

Create a Virtual server VIP

You will create a Virtual IP and then link it to the pool which has the two web servers behind it.

Local Traffic > Virtual Servers > Click Create (Right corner)

Assign an IP to the VIP 192.168.245.11
Type: Standard
Source Address: 0.0.0.0/0
Destination Address/Mask: 192.168.245.11
Service Port: 443/HTTPS
SSL Profile (Client): mysite.mylab.local
SSL Profile (Server): serverssl
Source Address Translation: Auto Map

SSL Profile (Client)
When the client connects to the VIP this is the certificate that they will see.
SSL Profile (Server)
When the F5 connects to the Web servers this is the certificate that they will see.
Source Address Translation: Auto Map

Assign the VIP to the pool
Default Persistence Profile: source_addr

The VIP is all set up and shows up green

Testing the VIP

Access it by the VIP IP. I created a web.html with “Web Server One” or “Web Server Two” so that I know which node I am being redirected to.

Web server one goes down, the second web server picks up.
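
Added example (not from the original post and not F5 code): a simplified Python model of how the pool behaves with the source_addr persistence profile chosen above, showing why a test from a single client keeps landing on the same web server until that node is marked down. Assumptions: Round Robin member selection, a 180-second persistence timeout, and the client addresses 10.0.0.5 and 10.0.0.6, which are constructed for the illustration.

```python
# Simplified model (not F5 code) of a pool using Round Robin selection with
# source-address persistence, as configured on the VIP in this post.
import itertools

class Pool:
    def __init__(self, members, persist_timeout=180):
        self.members = list(members)            # pool members in order
        self.up = set(members)                  # members the monitor marks up
        self.persist_timeout = persist_timeout  # seconds (assumed value)
        self.persist = {}                       # client IP -> (member, last_seen)
        self._rr = itertools.cycle(self.members)

    def mark(self, member, is_up):
        """Record a health-monitor result for one member."""
        (self.up.add if is_up else self.up.discard)(member)

    def _next_up(self):
        # Round robin over the members, skipping any that are down.
        for _ in range(len(self.members)):
            m = next(self._rr)
            if m in self.up:
                return m
        return None                             # every member is down

    def pick(self, client_ip, now):
        """Return the member that serves this client at time `now`."""
        rec = self.persist.get(client_ip)
        if rec and rec[0] in self.up and now - rec[1] <= self.persist_timeout:
            member = rec[0]                     # stick to the recorded member
        else:
            member = self._next_up()            # new, expired or failed over
        if member is None:
            self.persist.pop(client_ip, None)
            return None
        self.persist[client_ip] = (member, now)
        return member

def demo():
    pool = Pool(["192.168.245.20:443", "192.168.245.30:443"])
    a = [pool.pick("10.0.0.5", t) for t in (0, 10, 20)]  # one client, 3 hits
    b = pool.pick("10.0.0.6", 21)                        # a second client
    pool.mark("192.168.245.20:443", False)               # WebServer-1 goes down
    c = pool.pick("10.0.0.5", 30)                        # first client again
    pool.mark("192.168.245.20:443", True)                # WebServer-1 is back
    d = pool.pick("10.0.0.5", 40)                        # stays on WebServer-2
    return a, b, c, d

if __name__ == "__main__":
    print(demo())
```

Because the persistence record is keyed on the client address, test from at least two source addresses to confirm that both pool members take traffic.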

Sync Up the F5 nodes

Sync the device to group. I have been doing all of these changes through the Active node bigip1.mylab.local. Now for the second node bigip2.mylab.local to pick up the changes I have to click on bigip1.mylab.local and sync it to the group (Sync Device to Group).

Both F5 Nodes are now synced
