F5 Configuration Guide for BeyondInsight
Examples for Active/Active configuration of F5 Local Traffic Managers
© 2016. BeyondTrust Software, Inc.
Table of Contents
Executive Summary
Deployment Methodologies
Design Overview
HA State Detection for Active/Passive Deployments
PowerBroker Password Safe
    CONFIGURATION OVERVIEW
    CONFIGURATION COMPONENTS
    CONFIGURATION EXAMPLE
BeyondInsight Management Console
    CONFIGURATION OVERVIEW
    CONFIGURATION EXAMPLE
BeyondInsight Event Collector Service
    CONFIGURATION OVERVIEW
    CONFIGURATION EXAMPLE
SNAT Pools
About BeyondTrust
Executive Summary
BeyondInsight / PowerBroker Password Safe supports a number of configuration
methodologies for high availability, redundancy, and scalability. The solution may be installed
as software or delivered as a ready-to-run security appliance, called a UVM; the latter is the
more common deployment method. Most configurations require an external load balancer so
that end users and software endpoints can continue to connect to the BeyondInsight system
when a primary IP address goes offline during a failure. This document explains some of these
configuration options using F5 LTM load balancers.
Deployment Methodologies
Active/Passive
Two appliances are required for active/passive. The internal databases are replicated, and a
heartbeat sent from the primary indicates to the secondary if it should take over operations.
Figure: Active/Passive topology. Appliances at Site A and Site B (each able to move Primary ->
Secondary or Secondary -> Primary); database sync on 5022 TCP (default); heartbeat on 443 TCP
(130s); clients reach the pair through a Load Balancer or a DNS CNAME.
Active/Passive is for UVM appliances only. It will fail over to a mirrored appliance in the event
the primary appliance is not available. Failover is automatic. This method involves 2
appliances configured as a ‘pair’. Note that appliance pairs have to be identical, i.e. UVMv20 ->
UVMv20, UVM50 -> UVM50, UVM20 -> UVM20, etc.
Active/Active
Sometimes called multi-active, this deployment type allows multiple nodes (Password Safe
instances) to be active at one time. Each node is connected directly to the database.
Figure: Active/Active topology. An F5 fronts three appliances for Std and Admin users: a UVM50
Primary Mgmt node (Admin Console, Retina Scanner), a UVM50 Worker Node / Backup Mgmt
(Admin Console*, Password Portal, Retina Scanner, Session Recording, Password Mgmt) and a
UVMV20 Worker Node (Retina Scanner, Password Portal, Session Recording, Password Mgmt).
All three connect to a SQL AlwaysOn Availability Group hosted on an MS 2012R2 Cluster of two
2012R2 Physical Servers running SQL 2012 with shared SAN storage in DC1.
In this scenario, a pair of replicas is configured for synchronous commit within an external
AlwaysOn Availability Group; this provides database redundancy. Three appliances are
connected to the external address of the Availability Group. One is configured with a
management console role; the other two are ‘worker nodes’. Appliances may be accessed
directly or via the load balancer. Both appliances may be used simultaneously.
Design Overview
The BeyondInsight / Password Safe solution has several different network endpoints that must
be balanced differently.
• The PowerBroker Password Safe HTTPS website and API, and its session recording endpoints
    o /webconsole/api/configuration/feature/passwordsafe
• The BeyondInsight Management Console
    o /webconsole/api/configuration/feature/managementconsole
• The BI Event Collector for PowerBroker Windows and PowerBroker Unix/Linux logs.
Each endpoint has different networking and SSL requirements and must be set up as a separate
virtual server in the F5 Load Balancer. Additionally, each endpoint exposes a different URI, and
therefore requires a different configuration for availability monitoring. For an Active/Passive
high availability configuration, the goal is a fast and efficient failover, even if it requires an end
user to log in to the application again.
HA State Detection for Active/Passive Deployments
The UVM appliance has an API endpoint URL that allows an external device to determine the
current HA state:
https://UVMaddress/UVMInterface/api/HighAvailability
A GET to this address returns a result (JSON by default) whose format can be controlled by the
request's Accept header.
For example: {"Role":"Active"}.
You can see the JSON by opening the URL in a web browser. As the API endpoint is built on the
Microsoft WebAPI platform, it supports other formats for the returned object, selected by the
request header. For example, you will see XML returned if the URL is opened in Chrome.
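As an added example (not code from this guide or from BeyondTrust), the following Python parses the HighAvailability response in both formats the page mentions and reports which node of a pair should receive traffic, flagging the no-Active and two-Active conditions. The node names, the XML namespace and the sample responses are constructed.

```python
import json
import ssl
import urllib.request
import xml.etree.ElementTree as ET

# Endpoint documented in the guide; the host part is supplied by the caller.
HA_PATH = "/UVMInterface/api/HighAvailability"

def parse_ha_role(body: str) -> str:
    """Extract the Role value from a JSON ({"Role":"Active"}) or XML response."""
    text = body.strip()
    if text.startswith("{"):
        return str(json.loads(text)["Role"])
    # WebAPI's XML serialisation wraps the object in a namespaced root element;
    # strip any {namespace} prefix and look for the Role element.
    root = ET.fromstring(text)
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "Role":
            return (elem.text or "").strip()
    raise ValueError("no Role element in HighAvailability response")

def classify_pair(roles: dict) -> str:
    """'ok:<node>' when exactly one node is Active, otherwise a fault label."""
    active = sorted(node for node, role in roles.items() if role == "Active")
    if len(active) == 1:
        return f"ok:{active[0]}"
    if not active:
        # Nothing should receive traffic until a node reports Active.
        return "fault:no-active-node"
    # Two Active nodes (split brain) must be investigated, not load-balanced.
    return "fault:split-brain:" + ",".join(active)

def fetch_role(address: str, timeout: float = 5.0) -> str:
    """GET the HA endpoint, requesting JSON explicitly via the Accept header."""
    req = urllib.request.Request(f"https://{address}{HA_PATH}",
                                 headers={"Accept": "application/json"})
    ctx = ssl.create_default_context()  # verify the appliance certificate
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_ha_role(resp.read().decode("utf-8"))

# Constructed sample responses (not captured from a real appliance): the JSON
# default and the XML form a browser's Accept header elicits.
SAMPLE_JSON = '{"Role":"Active"}'
SAMPLE_XML = ('<HighAvailability xmlns="urn:example:uvm">'
              '<Role>Passive</Role></HighAvailability>')

if __name__ == "__main__":
    roles = {"uvm-a": parse_ha_role(SAMPLE_JSON), "uvm-b": parse_ha_role(SAMPLE_XML)}
    print(classify_pair(roles))  # ok:uvm-a
```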
PowerBroker Password Safe
CONFIGURATION OVERVIEW
As well as the BeyondInsight web site, PowerBroker Password Safe (Password Safe) requires
support for additional interfaces:
• HTML5 web endpoint for user access to check out passwords
• JSON RESTful API interface
• Listening ports for session recording
o 4489 (default) for RDP sessions
o 4422 (default) for SSH sessions
The HTML5 web endpoint and session recording listeners need to share the same persistence,
so that the F5 sends a user to the same Password Safe node that started the session recording
service for that user.
Note on API use cases
The API uses client IP addresses as one of its authenticators, so SSL termination at the F5 will
hide those IP addresses from the Password Safe server. For this reason, a separate virtual
server for the Password Safe API will need to be set up that does NOT terminate the SSL
connections.
CONFIGURATION COMPONENTS
The configuration for Password Safe consists of multiple virtual servers connected to a single
pool with wildcard (all services enabled) nodes, using source_addr as the primary persistence
method so that persistence can be maintained across all virtual servers. This is documented by
F5 on DevCentral at: https://devcentral.f5.com/articles/persisting-across-virtual-servers
The Password Safe configuration also terminates SSL connections, allowing the separation of
the name and IP address of the Password Safe and BeyondInsight Management Console logon
sites.
CONFIGURATION EXAMPLE
ltm default-node-monitor {
    rule /Common/https_443
}
ltm node /Common/PS1 {
    address 192.168.1.20
}
ltm node /Common/PS2 {
    address 192.168.1.30
}
ltm pool /Common/PSafe {
    description "Two Password Safe machines 192.168.1.20 & 192.168.1.30"
    load-balancing-mode least-connections-member
    members {
        /Common/PS1:0 {
            address 192.168.1.20
            description "PasswordSafe Node"
            monitor /Common/https_443
        }
        /Common/PS2:0 {
            address 192.168.1.30
        }
    }
    monitor /Common/https_443
    service-down-action reselect
}
ltm virtual /Common/pbpsapi {
    destination /Common/10.200.30.156:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/source_addr {
            default yes
        }
    }
    pool /Common/PSafe
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
ltm snat /Common/psafe {
    origins {
        0.0.0.0/0 { }
    }
    snatpool /Common/psafe
}
ltm snat-translation /Common/192.168.1.11 {
    address 192.168.1.11
    inherited-traffic-group true
    traffic-group /Common/traffic-group-1
}
ltm snatpool /Common/psafe {
    members {
        /Common/192.168.1.11
    }
}
ltm virtual /Common/PBPS-RDP {
    destination /Common/10.200.31.68:4489
    fallback-persistence /Common/dest_addr
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/source_addr {
            default yes
        }
    }
    pool /Common/PSafe
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
ltm virtual /Common/PBPS-SSH {
    destination /Common/10.200.31.68:4422
    fallback-persistence /Common/dest_addr
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/source_addr {
            default yes
        }
    }
    pool /Common/PSafe
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
ltm virtual /Common/psafe {
    destination /Common/10.200.31.68:443
    fallback-persistence /Common/dest_addr
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/source_addr {
            default yes
        }
    }
    pool /Common/PSafe
    profiles {
        /Common/http { }
        /Common/psafe {
            context serverside
        }
        /Common/psafe_client {
            context clientside
        }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
ltm virtual-address /Common/10.200.31.68 {
    address 10.200.31.68
    mask 255.255.255.255
    traffic-group /Common/traffic-group-1
}
ltm profile client-ssl /Common/psafe_client {
    alert-timeout 10
    allow-non-ssl disabled
    app-service none
    cache-size 262144
    cache-timeout 3600
    cert /Common/psafe
    chain none
    ciphers DEFAULT
    defaults-from /Common/clientssl
    handshake-timeout 10
    key /Common/psafe.key
    mod-ssl-methods disabled
    options none
    proxy-ssl disabled
    renegotiate-max-record-delay 10
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    server-name none
    session-ticket disabled
    sni-default false
    sni-require false
    strict-resume disabled
    unclean-shutdown enabled
}
ltm profile server-ssl /Common/psafe {
    alert-timeout 10
    app-service none
    authenticate once
    authenticate-depth 9
    authenticate-name none
    ca-file none
    cache-size 262144
    cache-timeout 3600
    cert /Common/psafe
    chain none
    ciphers DEFAULT
    crl-file none
    defaults-from /Common/serverssl
    expire-cert-response-control ignore
    handshake-timeout 10
    key /Common/psafe.key
    mod-ssl-methods disabled
    peer-cert-mode ignore
    proxy-ssl disabled
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require-strict
    server-name none
    session-ticket disabled
    sni-default false
    sni-require false
    ssl-forward-proxy disabled
    strict-resume disabled
    unclean-shutdown enabled
    untrusted-cert-response-control ignore
}
sys file ssl-cert /Common/psafe {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:psafe_48505_1
    revision 1
}
sys file ssl-key /Common/psafe.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:psafe.key_48502_1
    revision 1
}
BeyondInsight Management Console
CONFIGURATION OVERVIEW
There will only ever be a single instance of the BeyondInsight Management Console (BI) in an
environment; therefore the availability checks need to be different, which in turn requires a
different pool configuration.
CONFIGURATION EXAMPLE
ltm default-node-monitor {
    rule /Common/https_443
}
ltm node /Common/PS1 {
    address 192.168.1.20
}
ltm node /Common/PS2 {
    address 192.168.1.30
}
ltm pool /Common/bi-management {
    description "management console"
    members {
        /Common/PS1:443 {
            address 192.168.1.20
        }
        /Common/PS2:443 {
            address 192.168.1.30
        }
    }
    monitor /Common/https_mgmt
    service-down-action reset
}
ltm virtual /Common/MGMT_Console {
    destination /Common/10.200.31.69:443
    fallback-persistence /Common/source_addr
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/cookie {
            default yes
        }
    }
    pool /Common/bi-management
    profiles {
        /Common/http { }
        /Common/psafe {
            context serverside
        }
        /Common/psafe_client {
            context clientside
        }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
ltm virtual-address /Common/10.200.31.69 {
    address 10.200.31.69
    mask 255.255.255.255
    traffic-group /Common/traffic-group-1
}
ltm monitor https /Common/https_mgmt {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    recv .*BeyondInsight
    send "GET /webconsole/api/configuration/feature/managementconsole\\r\\n"
    time-until-up 0
    timeout 16
}
sys file ssl-key /Common/server.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:server.key_48493_1
    revision 1
}
sys file ssl-key /Common/unencrypted.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:unencrypted.key_48496_1
    revision 1
}
BeyondInsight Event Collector Service
CONFIGURATION OVERVIEW
The BeyondInsight Event Collector service is used by PowerBroker Windows (PBW) and
PowerBroker Unix/Linux (PBUL) clients to send events into BeyondInsight.
SSL server verification is required by the clients, and the BeyondInsight server authenticates the
clients from the SSL certificate that they present. As a result, the client SSL authentication
needs to be passed through to the BeyondInsight server. Additionally, the eEyeEMSClient.cer
certificate needs to be loaded into BeyondInsight so that it can perform true endpoint checking
of Event Collector service availability.
CONFIGURATION EXAMPLE
ltm node /Common/PS1 {
    address 192.168.1.20
}
ltm node /Common/PS2 {
    address 192.168.1.30
}
ltm pool /Common/Event_Collector {
    load-balancing-mode least-connections-member
    members {
        /Common/PS1:443 {
            address 192.168.1.20
        }
        /Common/PS2:443 {
            address 192.168.1.30
            session user-disabled
            state user-down
        }
    }
    monitor /Common/event_client
}
ltm virtual /Common/Event_Collector {
    destination /Common/10.200.30.118:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/source_addr {
            default yes
        }
    }
    pool /Common/Event_Collector
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
ltm virtual-address /Common/10.200.30.118 {
    address 10.200.30.118
    mask 255.255.255.255
    traffic-group /Common/traffic-group-1
}
ltm monitor https /Common/event_client {
    cert /Common/eEyeclient.crt
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    key /Common/eEyeclient.key
    recv "Server Error in"
    send "GET /EventServer/Service.svc\\r\\n"
    time-until-up 0
    timeout 16
}
sys file ssl-cert /Common/eEyeclient.crt {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:eEyeclient.crt_48905_1
    revision 1
    source-path /config/ssl/ssl.crt/eEyeclient.crt
}
sys file ssl-key /Common/eEyeclient.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:eEyeclient.key_48902_1
    revision 1
    source-path /config/ssl/ssl.key/eEyeclient.key
}
SNAT Pools
BeyondTrust does not officially support the use of SNAT pools. However, many customers have
confirmed that SNAT pool configuration is possible.
An example for the Event Collector follows:
    source 0.0.0.0/0
    source-address-translation {
        pool /Common/EventCollector
        type snat
    }
    translate-address enabled
    translate-port enabled
About BeyondTrust
BeyondTrust® is a global security company that believes preventing data breaches requires
the right visibility to enable control over internal and external risks.
We give you the visibility to confidently reduce risks and the control to take proactive,
informed action against data breach threats. And because threats can come from
anywhere, we built a platform that unifies the most effective technologies for addressing
both internal and external risk: Privileged Account Management and Vulnerability
Management. Our solutions grow with your needs, making sure you maintain control no
matter where your organization goes.
BeyondTrust's security solutions are trusted by over 4,000 customers worldwide, including
over half of the Fortune 100. To learn more about BeyondTrust, please visit
www.beyondtrust.com.