test

Deployment Example 2: Federation Using SAML v2

ProcedureTo Configure the Web Policy Agents Load Balancer

  1. Go to URL for the Big IP load balancer login page and log in.

    https://ls-f5.siroe.com

  2. Log in using the following information:

    User name:

    username

    Password:

    password

  3. Request an SSL Certificate for Load Balancer 11.

    1. Log in to the BIG-IP load balancer.

    2. Click Proxies in the left pane.

    3. Click the Cert Admin tab, and then click the “Generate New Key Pair/ Certificate Request” button.

    4. In the Create Certificate Request page, provide the following information:

      Key Identifier:

      LoadBalancer-11.siroe.com

      Organization:

      siroe.com

      Domain Name:

      LoadBalancer-11.siroe.com

      Email Address:

      jdoe@siroe.com

    5. Click the Generate Request button.

    6. In the Generate Request page, copy the request that looks similar to this:


      -----BEGIN CERTIFICATE REQUEST-----
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU
AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0
EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC
xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u
IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0
wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz
ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC
FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU
ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0
GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo
2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2
-----END CERTIFICATE REQUEST-----

    7. Paste this text into a request form provided by a root certificate authority (CA) such as Verisign or Thwarte.

      See the certificate authority website such as http://www.verisign.com/ or http://www.thawte.com/ for detailed instructions on submitting a certificate request.

  4. After you receive the certificate from the issuer, install the SSL Certificate.

    1. In the BIG-IP load balancer console, click the Cert Admin tab.

    2. On the Cert Admin tab, click Install Certificate.

    3. In the Install SSL Certificate page, paste the certificate text you received from the certificate issuer. Example:


      -----BEGIN CERTIFICATE REQUEST-----
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU
AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0
EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC
xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u
IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0
wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz
ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC
FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU
ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0
GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo
2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2
-----END CERTIFICATE REQUEST-----

    4. Click Install Certificate.

  5. Create a Pool.

    A pool contains all the backend server instances.

    1. Open the Configuration Utility.

      Click “Configure your BIG-IP (R) using the Configuration Utility.”

    2. In the left pane, click Pools.

    3. On the Pools tab, click the Add button.

    4. In the Add Pool dialog, provide the following information:

      Pool Name

      federation_web_agents

      Load Balancing Method

      Round Robin

      Resources

      192.18.72.151:2080 (for Protected Resource 3)

      192.18.72.152:2080 (for Protected Resource 4)

      Click Done.

  6. Configure the load balancer for simple persistence.

    1. In the left frame, click Pools.

    2. Click the name of the pool you want to configure.

      In this example, federation_web_agents.

    3. Click the Persistence tab.

    4. On the Persistence tab, under Persistence Type, select the Simple.

    5. Set the timeout interval.

      In the Timeout field, enter 300 seconds.

      Click Apply.

  7. Add a Virtual Server.

    If you encounter Javascript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.

    1. In the left frame, Click Virtual Servers.

    2. On the Virtual Servers tab, click the Add button.

    3. In the Add Virtual Server dialog box, provide the following information:

      Address

      192.18.69.14 (for LoadBalancer-11.siroe.com )

      Service

      5080

      Click Next.

    4. Continue to click Next until you reach the Select Physical Resources dialog box.

      Pool

      federation_web_agents

    5. In the Pool Selection dialog box, assign the Pool (federation_web_agents) that you have just created.

    6. Click the Done button.

  8. Create proxies.

    1. In the left frame, click Proxies.

    2. On the Proxies tab, click Add.

    3. In the Add Proxy page, provide the following information:

      Proxy Type:

      Mark the SSL checkbox.

      Proxy Address:

      192.18.69.14

      Proxy Service:

      6443

      Destination Address:

      192.18.69.14

      Destination Service:

      5080

      SSL Certificate:

      LoadBalancer-11.siroe.com

      SSL Key:

      LoadBalancer-11.siroe.com

      Server SSL Certificate:

      LoadBalancer-11.siroe.com

      Server SSL Key:

      LoadBalancer-11.siroe.com

      Click Done.

  9. Add Monitors.

    1. Click the Monitors tab, and then click the Add button.

      In the Add Monitor dialog provide the following information:

      Name:

      WebAgent-http

      Inherits From:

      Choose http.

    2. Click Next.

      In the Configure Basic Properties page, click Next.

    3. In the Configure ECV HTTP Monitor, in the Send String field, enter the following:

      GET /launch.html

      Click Next.

    4. In the Destination Address and Service (Alias) page, click Done.

      On the Monitors tab, the monitor you just added is now contained in the list of monitors.

    5. Click the Basic Associations tab.

      Look for the IP addresses for ProtectedResource-3:2080 and ProtectedResourece-4:1080.

    6. Mark the Add checkbox for ProtectedResource-3 and ProtectedResource-4.

    7. At the top of the Node column, choose the monitor that you just added, WebAgent-http.

    8. Click Apply.