Automatically Configuring an F5 BIG-IP Load Balancer for PSC 6.0 HA

In this post I’ll explain how to deploy and configure an F5 Load Balancer for use with PSC 6.0 High Availability using a script to configure the F5. I got tired of manually configuring F5 Load Balancers for testing and lab building so I scripted the configuration and am sharing it here.

Disclaimer: The configuration of a 3rd Party Load Balancer is not supported by VMware. The 3rd party vendor should be engaged for support. The script in this post is not supported by VMware. Use at your own risk.

I used F5 BIG-IP v12 but have also tested on v11. Other versions may or may not work.

Overview of PSC 6.0 HA

[Diagram: PSC HA overview (psc-ha-pitch_009)]

  • In the above diagram we have two PSC nodes behind a Load Balancer.
  • The PSC Nodes must exist in the same SSO Domain and also in the same Site. Any other PSCs in the same SSO Domain should exist in a separate site.
  • Ports 389, 636, 443, 2012, 2014 and 2020 are created as VIP Endpoints on the Load Balancer.
  • A unique individual SSL Certificate will be used on both PSC Nodes.
  • A unique SSL Certificate will be used on the Load Balancer.
  • All solutions that interact with a PSC must be pointed/registered via the PSC HA VIP FQDN.
  • Requests from solutions will be sent to the PSC HA VIP and the Load Balancer will direct these requests to a PSC.
  • All requests from the same session should be “sticky” to the same PSC.

Deploy F5 BIG-IP Virtual Load Balancer

If you don’t have a physical F5 BIG-IP you can use a Virtual Appliance version. Very handy for testing or for labs. The only downside is the trial 45 day license needs renewing every 45 days.

  1. Download the BIGIP-12.1.1.0.0.184.ALL-scsi.ova from HERE. (You will need to create a free F5 Login Account)
  2. Deploy the OVA to a vCenter or ESXi Host and power it on
  3. Open a Console to the F5 Appliance and once you have a command prompt login as root with password default
  4. Run the config command and follow the prompts to configure the F5 Management Network.

Note: Ensure this is on a different subnet to your PSC Management Network.

Configure initial F5 BIG-IP setup

  1. With the F5 Management Network configured, open a browser to https://f5_mgmt_ip
  2. Log in using username admin and the default password of admin
  3. Select Platform and change the root and admin user passwords if you wish
  4. Select Platform and provide a hostname for the F5 BIG-IP
  5. Select Network and then choose Finished

Licensing the F5 BIG-IP

Obtaining a trial License for F5 BIG-IP

  1. Create an account on f5.com if you have not already done so
  2. Navigate to https://secure.f5.com/partnervekeys/modules.jsp and log in
  3. Select Eval Key Duration 45 Days
  4. F5 Eval Key Generator SKU: F5-BIG-LTM-VE-1G-LIC
  5. Select Next
  6. Select Next
  7. An email will be sent with the Evaluation License Key

Licensing the F5 BIG-IP

  1. Log into the Mgmt Web Interface of the F5 BIG-IP
  2. Navigate to License > Activate
  3. In Base Registration Key enter in your License Key
  4. As Activation Method select Manual
  5. Click Next
  6. Copy the contents of Dossier to your clip-board
  7. Open the link Click here to access F5 Licensing Server in a new Browser Window/Tab
  8. Paste the copied contents into the text box
  9. Click Next
  10. Agree to the terms of license and Click Next
  11. Copy the contents of the text box to your clip-board
  12. Paste the contents into the License Text Box back on the F5 Licensing Setup
  13. Click Next
  14. Click Continue once the license is applied

Configuring the F5 BIG-IP for use with PSC 6.0 HA

I have created a setup script for F5 BIG-IP to configure it for PSC 6.0 HA

http://pastebin.com/NRm92rEu

The script assumes that this is a clean, un-configured F5. All that is set up is the License and F5 Management Network as outlined above.

It also assumes you have your PSC HA VIP Certificate and Key prepared as per VMware’s Documentation https://kb.vmware.com/kb/2113315 (Do Steps A, B, C)

Upload the certificate and key somewhere on the F5 BIG-IP using WinSCP or similar (e.g. put the certificate and key in /tmp)

To use the F5 Script you need to do the following:

1. SSH to the F5 LB as root

2. Change to the tmsh shell by running:

 # tmsh

3. Run the following command to create an F5 Script for PSC HA 6.0

Note: The tmsh shell seems to be sandboxed so you can’t just upload the script as a file, you must create it from tmsh on the F5.

# edit cli script psc-ha-60.tcl

This will launch a VI type editor (I’ll assume you’re familiar with VI)

4. Delete the default created lines

5. Copy the entire contents of the Pastebin link above

6. Save the file

:wq

7. Press Y to save again

8. Run the script using the following Syntax

# run cli script psc-ha-60.tcl <node 1 IP> <node 2 IP> <VIP> <F5 Self IP/mask> <LB Cert Path> <LB Key Path>

For example:

# run cli script psc-ha-60.tcl 192.168.2.101 192.168.2.102 192.168.2.99 192.168.2.98/24 /tmp/lb.crt /tmp/lb.key

9. The intended output should be as follows.

As you can see, the script will create the VLAN, disable the un-used interfaces, create the Self-IP, upload the PSC HA 6.0 Certificate and Key, Create the SSL Profiles, Create the Persistence Profile, Create the Nodes, Create the Pools and Create the VIPs.

Creating VLAN psc-ha-vlan
Disabling interfaces 1.2 and 1.3
Creating Self IP psc-ha-self 192.168.2.98/24
Uploading Certificate /tmp/lb.crt
Uploading Private Key /tmp/lb.key
Creating SSL Client and Server Profiles
Creating Persistence Profile
Creating PSC Nodes 192.168.2.101 and 192.168.2.102
Creating Pools for ports 443, 389, 636, 2012, 2014, 2020
Creating VIPs for ports 443, 389, 636, 2012, 2014, 2020
Completed Setup

10. Logging into the F5 Web Mgmt Interface again you should see the nodes, pools and VIPs created.


11. You should now be able to continue with your PSC 6.0 HA setup https://kb.vmware.com/kb/2113315 (From Step E)
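
A pre-flight check for the six arguments passed to the script in step 8, written as an added example that is not part of the original post or the Pastebin script. It assumes the single-subnet layout of the example above (both nodes and the VIP inside the self IP's network) and is meant for the bash prompt before entering tmsh; the function names are hypothetical.

```sh
# Pre-flight check for: run cli script psc-ha-60.tcl <6 args>. Added example,
# hypothetical names; assumes nodes, VIP and self IP share one subnet.

# Convert a dotted-quad IPv4 address to an integer; fail on malformed input.
ip_to_int() (
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
  IFS=.; set -- $1
  [ $# -eq 4 ] || exit 1
  n=0
  for o in "$@"; do
    case "$o" in 0?*) exit 1 ;; esac   # leading zeros would be read as octal
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || exit 1
    n=$(( n * 256 + o ))
  done
  echo "$n"
)

# Succeed if address $1 lies inside the network of CIDR $2 (e.g. 192.168.2.98/24).
in_subnet() (
  case "$2" in */*) ;; *) exit 1 ;; esac
  bits=${2#*/}
  case "$bits" in ''|*[!0-9]*|0*) exit 1 ;; esac
  [ ${#bits} -le 2 ] && [ "$bits" -le 32 ] || exit 1
  a=$(ip_to_int "$1") && b=$(ip_to_int "${2%/*}") || exit 1
  s=$(( 32 - bits ))
  [ $(( a >> s )) -eq $(( b >> s )) ]
)

# Succeed if file $1 exists and grants no access to group or other.
key_is_private() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Validate: <node 1 IP> <node 2 IP> <VIP> <self IP/mask> <cert path> <key path>
preflight() {
  [ $# -eq 6 ] || { echo "expected 6 arguments"; return 1; }
  self=${4%/*}; rc=0
  in_subnet "$self" "$4" || { echo "$4: not a valid self IP/mask"; return 1; }
  for ip in "$1" "$2" "$3"; do
    in_subnet "$ip" "$4" || { echo "$ip: invalid or outside $4"; rc=1; }
  done
  # The four addresses must be distinct from one another.
  n=$(printf '%s\n' "$1" "$2" "$3" "$self" | sort -u | wc -l)
  [ "$n" -eq 4 ] || { echo "addresses are not distinct"; rc=1; }
  [ -r "$5" ] || { echo "$5: certificate not readable"; rc=1; }
  key_is_private "$6" || { echo "$6: key missing or readable by group/other"; rc=1; }
  return $rc
}
```

Call `preflight` with the same six values you intend to pass to `run cli script`; a non-zero return means at least one argument needs fixing, for instance a key uploaded to /tmp with mode 644.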
