Deployment Guide Document version 1.0

Deploying the BIG-IP System with CA SiteMinder

Welcome to the F5 deployment guide for CA SiteMinder®. This guide describes how to achieve high availability by deploying the BIG-IP Local Traffic Manager (LTM) with CA SiteMinder, load balancing the Administrative User Interface, the Policy Server and the User Directory Servers.

SiteMinder enables better control of access to Web applications and portals for employees, customers and business partners, securely and efficiently, with powerful Web access management.

For more information on CA SiteMinder, see: http://www.ca.com/us/web-access-management.aspx

For more information on the BIG-IP LTM system, see http://www.f5.com/products/bigip/ltm/.

What's inside:
• Prerequisites and configuration notes
• Configuration example
• Configuring the BIG-IP LTM for the SiteMinder Administrative User Interface servers
• Configuring the BIG-IP LTM for the SiteMinder Policy Servers
• Next Steps
• Optional: Configuring your directory servers for high availability with BIG-IP
• Document Revision History

Why F5

CA SiteMinder is mission critical to the uptime and availability of entire websites. If SiteMinder is unavailable, so are the web servers that SiteMinder serves. Therefore, high availability and proactive health monitoring are critical to the success of all SiteMinder deployments. Organizations using SiteMinder receive the benefits immediately after deploying the BIG-IP LTM:

• High availability of CA SiteMinder Policy Servers at the network layer. Instead of configuring IP Addresses manually in the SiteMinder Configuration files and relying on manual intervention, the BIG-IP system automatically directs users to the most available CA SiteMinder server.
• High availability of CA Administrative UI servers. Equally as important as the Policy Servers, if an Administrative server goes down, users are no longer able to maintain, manage or troubleshoot policy servers. Load balancing the Administrative UI is often overlooked, but is extremely important.
• With the BIG-IP system, organizations can configure an architecture that solves the many different pieces of a CA Architecture entirely on one platform, the BIG-IP LTM. Specifically, the BIG-IP LTM addresses the high availability needs of Policy Servers, Directory Servers, Administrative Servers, and the content servers themselves.

Products and versions tested
• BIG-IP LTM: version 11.2 HF-1
• CA SiteMinder: version 12.0 SP 3

DEPLOYMENT GUIDE CA SiteMinder

Important: Make sure you are using the most recent version of this deployment guide, available at www.f5.com/pdf/deployment-guides/ca-siteminder-dg.pdf

Prerequisites and configuration notes

• The BIG-IP LTM system must be running version 11.2 HF 1 or later.
• Each SiteMinder Administrative UI server must be registered directly with a SiteMinder Policy server before it is configured for load balancing. Register your Administrative UI servers directly with a policy server instead of using the BIG-IP Virtual IP Address (VIP). After initial registration you may point to the BIG-IP system's virtual server address. See Configuring the SiteMinder devices.

Configuration example

SiteMinder is a critical component of any infrastructure in which it is deployed, so being able to achieve high availability is critical. The BIG-IP system can bring high availability through monitoring to CA SiteMinder environments. The CA SiteMinder environment has several locations where scaling and high availability are critical:

• The BIG-IP system is deployed in front of multiple redundant Administrative User Interfaces
• The BIG-IP system is deployed in front of multiple redundant Policy Servers
• The BIG-IP system is deployed in front of the entitlement and user stores (LDAP)

After the deployment of BIG-IP, these are the traffic scenarios:

1. Administrators use the Administrative UI virtual server on the BIG-IP system to manage and administer CA SiteMinder. This virtual server is typically not externally accessible.
2. Agents, configured on web servers and application servers, communicate through a virtual server on the BIG-IP system to the Policy Server. This virtual server is also not typically externally accessible.
3. The Policy Server communicates to a virtual server on the BIG-IP system to reach the LDAP servers.

Figure 1: Logical configuration example (diagram labels: Web site users, Administrative users, BIG-IP LTM, SiteMinder Web Agent on web servers, Policy Servers, Administrative UI, Report Servers, Audit Database, Report Database)


Configuring the BIG-IP LTM for the SiteMinder Administrative User Interface servers

The SiteMinder Administrative User Interface must be used to manage and configure the CA SiteMinder environment. If anything happens to the machine running the Administrative User Interface, management of the CA environment becomes difficult and it could lead to a complete site-wide outage. CA recommends the deployment of multiple redundant Administrative User Interface servers. Each Administrative User Interface device must be registered with a Policy server. In the case of multiple identical policy servers, it is important that each Administrative User Interface machine is registered before configuring the BIG-IP system for load balancing.

Configuring the SiteMinder devices

Use the following guidance for configuring SiteMinder devices. Refer to the CA documentation for specific instructions.

1. Set up two identical servers and install the CA Administrative User Interface servers.
2. Initiate the setup scripts according to CA's instructions and register the Administrative User Interface with the Policy server's direct IP address.
3. Repeat step 2 to register the Policy Server with the other Policy servers in your environments.
4. Configure the BIG-IP LTM system for the Administrative UI servers.
5. Configure the BIG-IP LTM for the Policy Servers.
6. Adjust the IP address on the Administrative User Interface to point to the BIG-IP LTM virtual server IP address for the Policy Servers.

Following these steps ensures that each Administrative UI device is properly registered with each Policy Server. If your Administrative UI devices are already registered, these steps can be skipped.

Configuration table for the Administrative User Interface

The following table contains a list of BIG-IP LTM configuration objects along with any non-default settings you should configure as a part of the User Interface configuration. Unless otherwise specified, settings not mentioned in the table can be configured as applicable for your configuration. For specific instructions on configuring individual objects, see the online help or product manuals.

BIG-IP LTM Object: Non-default settings/Notes

Health Monitor (Main tab-->Local Traffic-->Monitors)
• Name: Type a unique name
• Type: HTTP
• Interval: 30 (recommended)
• Timeout: 91 (recommended)
• Send String: GET /iam/siteminder/console HTTP/1.0\r\n\r\n
• Receive String: SiteMinder

Pool (Main tab-->Local Traffic-->Pools)
• Name: Type a unique name
• Health Monitor: Select the monitor you created above
• Load Balancing Method: Choose a load balancing method. We recommend Least Connections (Member)
• Address: Type the IP Address of an Administrative User Interface server
• Service Port: Type the service port, typically 8080. Click Add, and repeat Address and Port for all servers.

Profiles (Main tab-->Local Traffic-->Profiles)

TCP (Profiles-->Protocol)
• Name: Type a unique name
• Parent Profile: tcp-lan-optimized [1]

HTTP (Profiles-->Services)
• Name: Type a unique name
• Parent Profile: HTTP
• Redirect Rewrite: All

Client SSL (Profiles-->SSL)
• Name: Type a unique name
• Parent Profile: clientssl
• Certificate: Select the certificate you imported
• Key: Select the associated key

Server SSL (Profiles-->SSL)
• Name: Type a unique name
• Parent Profile: serverssl

Persistence (Profiles-->Persistence)
• Name: Type a unique name
• Persistence Type: Cookie

Persistence (Profiles-->Persistence)
• Name: Type a unique name for this fallback persistence profile
• Persistence Type: Source Address Affinity

Virtual Server (Main tab-->Local Traffic-->Virtual Servers)
• Name: Type a unique name.
• Address: Type the IP Address for the virtual server
• Service Port: Type the appropriate port, typically 8080, 80, or 443
• Protocol Profile (client) [2]: Select the TCP profile you created
• HTTP Profile: Select the HTTP profile you created
• SSL Profile (Client): Select the Client SSL profile you created
• SSL Profile (Server) [3]: If you are configuring SSL Bridging only: Select the Server SSL profile you created
• SNAT Pool [4]: Automap (optional; see footnote 4)
• Default Pool: Select the pool you created
• Default Persistence Profile: Select the Cookie Persistence profile you created
• Fallback Persistence Profile: Select the Persistence profile you created

[1] If you have users connecting to the administrative interface primarily over a WAN connection, use the tcp-wan-optimized parent profile.
[2] You must select Advanced from the Configuration list for this option to appear.
[3] Only create a Server SSL profile if you are configuring the BIG-IP LTM for SSL Bridging.
[4] If you want to use SNAT, and you have a large deployment expecting more than 64,000 simultaneous connections, you must configure a SNAT Pool with an IP address for each 64,000 simultaneous connections you expect. See the BIG-IP documentation on configuring SNAT Pools.


Configuring the BIG-IP LTM for the SiteMinder Policy Servers

In this section, you configure the BIG-IP LTM for the SiteMinder Policy Servers.

Configuration table for the Policy Servers

The following table contains a list of BIG-IP LTM configuration objects along with any non-default settings you should configure as a part of the User Interface configuration. Unless otherwise specified, settings not mentioned in the table can be configured as applicable for your configuration. For specific instructions on configuring individual objects, see the online help or product manuals.

BIG-IP LTM Object: Non-default settings/Notes

Health Monitor (Main tab-->Local Traffic-->Monitors)
• Name: Type a unique name
• Type: TCP
• Interval: 30 (recommended)
• Timeout: 91 (recommended)

Pool (Main tab-->Local Traffic-->Pools)

44441 Policy server pool
• Name: Type a unique name
• Health Monitor: Select the monitor you created above
• Load Balancing Method: Choose a load balancing method. We recommend Least Connections (Member)
• Address: Type the IP Address of a Policy Server
• Service Port: 44441. Click Add, and repeat Address and Port for all servers.

44442 Policy server pool
• Name: Type a unique name
• Health Monitor: Select the monitor you created above
• Load Balancing Method: Choose a load balancing method. We recommend Least Connections (Member)
• Address: Type the IP Address of a Policy Server
• Service Port: 44442. Click Add, and repeat Address and Port for all servers.

44443 Policy server pool
• Name: Type a unique name
• Health Monitor: Select the monitor you created above
• Load Balancing Method: Choose a load balancing method. We recommend Least Connections (Member)
• Address: Type the IP Address of a Policy Server
• Service Port: 44443. Click Add, and repeat Address and Port for all servers.

Profiles: Persistence (Main tab-->Local Traffic-->Profiles-->Persistence)
• Name: Type a unique name
• Persistence Type: Source Address Affinity
• Match Across Virtual Servers: Enabled (Click a check in the box)

Virtual Server (Main tab-->Local Traffic-->Virtual Servers)

44441 virtual server
• Name: Type a unique name.
• Address: Type the IP Address for the virtual server. All Policy Server virtual servers must have the same IP address.
• Service Port: 44441
• SNAT Pool [1]: Automap (optional; see footnote 1)
• Default Pool: Select the pool you created using port 44441
• Default Persistence Profile: Select the Persistence profile you created.

44442 virtual server
• Name: Type a unique name.
• Address: Type the IP Address for the virtual server. All Policy Server virtual servers must have the same IP address.
• Service Port: 44442
• SNAT Pool [1]: Automap (optional; see footnote 1)
• Default Pool: Select the pool you created using port 44442
• Default Persistence Profile: Select the Persistence profile you created.

44443 virtual server
• Name: Type a unique name.
• Address: Type the IP Address for the virtual server. All Policy Server virtual servers must have the same IP address.
• Service Port: 44443
• SNAT Pool [1]: Automap (optional; see footnote 1)
• Default Pool: Select the pool you created using port 44443
• Default Persistence Profile: Select the Persistence profile you created.

[1] If you want to use SNAT, and you have a large deployment expecting more than 64,000 simultaneous connections, you must configure a SNAT Pool with an IP address for each 64,000 simultaneous connections you expect. See the BIG-IP documentation on configuring SNAT Pools.
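The two health monitors configured in this guide (HTTP with the send and receive strings for the Administrative UI, TCP for the Policy Server ports) can be run by hand against each pool member before traffic is moved to the virtual servers. The Python below is an added example, not F5 or CA code: it approximates those checks with plain sockets, and the function names, the 5-second probe timeout and the start_stub test backend are assumptions made for illustration.

```python
import socket
import threading

# Values taken from the guide's monitor and pool tables.
SEND_STRING = b"GET /iam/siteminder/console HTTP/1.0\r\n\r\n"
RECEIVE_STRING = b"SiteMinder"
POLICY_SERVER_PORTS = (44441, 44442, 44443)


def http_monitor(host, port, send=SEND_STRING, recv=RECEIVE_STRING, timeout=5.0):
    """Return (status_line, matched); matched is a substring test on the response."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(send)
            while len(data) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        pass  # refused, reset or timed out: judge whatever was received
    status = data.split(b"\r\n", 1)[0].decode("latin-1") if data else None
    return status, recv in data


def tcp_monitor(host, port, timeout=5.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(admin_ui, policy_servers, ports=POLICY_SERVER_PORTS, timeout=5.0):
    """Return {"host:port": reason} for each member that fails its check."""
    failures = {}
    for host, port in admin_ui:
        status, matched = http_monitor(host, port, timeout=timeout)
        if not matched:
            failures[f"{host}:{port}"] = f"receive string missing ({status})"
    for host in policy_servers:
        for port in ports:
            if not tcp_monitor(host, port, timeout):
                failures[f"{host}:{port}"] = "tcp connect failed"
    return failures


def start_stub(response):
    """Constructed stand-in backend: listen on 127.0.0.1, reply with `response`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                with conn:
                    conn.recv(4096)
                    conn.sendall(response)
            except OSError:
                continue  # probe closed early; keep serving

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Call preflight with the Administrative UI members as (address, port) pairs and the Policy Server addresses as a list; an empty result means every member answered the way the monitors expect. http_monitor also returns the status line, because a substring match on SiteMinder does not by itself distinguish the console page from an error page that contains the word.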


Next Steps

After completing the BIG-IP LTM configuration, perform the following tasks on your SiteMinder servers. See the SiteMinder documentation for specific instructions.

1. Adjust your SmHosts.conf files on every webAgent to point to the BIG-IP virtual server address for Policy Server.
2. Adjust your Administrative User Interface to point to the appropriate BIG-IP virtual server for Policy Server.
3. Advertise the BIG-IP virtual server address for the Administrative User Interface so that users can administer CA using this implementation.
4. Adjust the User Directory settings with the CA SiteMinder Configuration to point to the BIG-IP virtual server IP address for the LDAP servers.

Optional: Configuring your directory servers for high availability with BIG-IP

We strongly recommend configuring BIG-IP LTM for your directory servers. You can find deployment guides for configuring directory servers on f5.com (http://www.f5.com/products/documentation/deployment-guides/). In this section, we show you how to use the BIG-IP LTM iApp template for LDAP servers. For more information on iApps, see http://www.f5.com/pdf/white-papers/f5-iapp-wp.pdf

To configure the iApp for LDAP

1. Log on to the BIG-IP system.
2. On the Main tab, expand iApp, and then click Application Services.
3. Click Create. The Template Selection page opens.
4. In the Name box, type a name. In our example, we use SiteMInder_LDAP_.
5. From the Template list, select f5.ldap. The LDAP template opens.
6. Complete the template as appropriate for your LDAP configuration.
7. Click the Finished button.
8. Adjust your policy server to point to the BIG-IP virtual server for your directory servers.

For more information on configuring the BIG-IP LTM for LDAP servers, including manual configuration procedures, see http://www.f5.com/pdf/deployment-guides/ldap-iapp-dg.pdf


Document Revision History

• Version: 1.0
• Description: New Version
• Date: 09-11-2012

F5 Networks, Inc., 401 Elliott Avenue West, Seattle, WA 98119, 888-882-4447, www.f5.com


©2012 F5 Networks, Inc. All rights reserved. F5, F5 Networks, the F5 logo, and IT agility. Your way., are trademarks of F5 Networks, Inc. in the U.S. and in certain other countries. Other F5 trademarks are identified at f5.com. Any other products, services, or company names referenced herein may be trademarks of their respective owners with no endorsement or affiliation, express or implied, claimed by F5.
