F5 Viprion


Page 1: F5 Viprion


VoiceTone VNI F5 Viprion Configuration

First-Time Configuration
    Syslog
    SNMP
    NTP
    HTTPS Security
HealthChecks
    DNS-monitor
    http-ImAlive (Content and Audio servers)
    Watson_Wireline
    Natural Language Text-to-Speech
    SIP_Proxy
Profiles
Nodes
Pools
Virtual Servers

First-Time Configuration

Log in over the console and configure the management IP and host name.

Initial console login: root, default.

Initial web login: admin, admin.

Whenever issuing bigpipe commands, save the configuration.

bigpipe save

Under Construction

Run the config command and follow the instructions to enter the Viprion management IP address, the network mask, and the management default gateway and specific routes. -or-

bigpipe mgmt 10.18.1.216 netmask 255.255.255.128
bigpipe mgmt route default gateway 10.18.1.129
bigpipe mgmt route 135.25.231.0/24 gateway 10.18.1.129

Next the Viprion must be licensed. Use a web browser to connect to the Viprion's management IP using HTTPS ( https:// ), and follow the initial setup prompts.

End Under Construction

Run the bigpipe system hostname command to configure the fully qualified domain name.

bigpipe system { hostname x275240bvprns0001.ops.vni.ec.att.com }

Syslog

Copy syslog.inc to the /config directory, or create a file syslog.inc in the /config directory:

destination d_loghost {
    # The priority is the result of facility * 8 + severity.
    # So priority = 19 (facility local5) * 8 + 5 (Severity NOTICE) = 157
    # Note: in the standard syslog numbering, facility code 19 is local3;
    # local5 is code 21 (21 * 8 + 5 = 173).
    udp("135.201.104.65" port(514) template("<157>$DATE $HOST $MSG\n"));
    udp("132.201.226.83" port(514) template("<157>$DATE $HOST $MSG\n"));
};
log {
    source(s_syslog_pipe);
    source(s_cluster);
    destination(d_loghost);
};

Then run

bp syslog include none
bpsh < syslog.inc

SNMP

Run the following command within bpsh:

bpsh
bp snmpd community CompuLert {
    access ro
    community name "CompuLert"
    ipv6 disable
    oid none
    source "default"
}
bp snmpd allow {
    127.
    135.201.104.65
    135.201.104.67
    135.201.104.69
    132.201.226.83
    132.201.226.86
    132.201.226.89
}

NTP

Configure NTP and time zone. Note that "America/Swift_Current" is equivalent to NWT/CST with no daylight saving time, and will be displayed as CST both at the top of the F5 Web GUI and in a console session to the F5.

bp ntp timezone "America/Swift_Current"
bp ntp servers 135.25.231.14 add
bp ntp servers 135.25.231.15 add

HTTPS Security

Since the Big-IP can be managed through HTTPS, and since SSL certificates expire, create a self-signed certificate with an expiration date in 10 years (3,650 days in this case).

openssl x509 -x509toreq -in /config/httpd/conf/ssl.crt/server.crt -out /config/httpd/conf/ssl.crt/server.csr -signkey /config/httpd/conf/ssl.key/server.key
openssl x509 -sha1 -req -in /config/httpd/conf/ssl.crt/server.csr -signkey /config/httpd/conf/ssl.key/server.key -days 3650 -out /config/httpd/conf/ssl.crt/server.crt
bigstart restart httpd

Record the fingerprint of the SSL certificate. Run the following two commands and store the output in a safe place. When accessing the Viprion for the first time via web browser, compare the fingerprints to ensure that the SSL session has not been hijacked.

openssl x509 -fingerprint -in /config/httpd/conf/ssl.crt/server.crt | grep Fingerprint
openssl x509 -fingerprint -sha1 -in /config/httpd/conf/ssl.crt/server.crt | grep Fingerprint
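A scripted form of the fingerprint comparison described above, as an added example that is not part of the original page. The function names (normalize_fp, fetch_fp, same_fp) are hypothetical, and the script assumes the recorded value is the SHA-1 fingerprint and that openssl is installed on the workstation doing the check.

```shell
#!/bin/sh
# Added example (not from the original page): compare the SHA-1 fingerprint
# recorded on the Viprion with the one the management interface presents.
# Usage: check_fp.sh "<recorded fingerprint>" <mgmt-host> [port]

# Reduce any common rendering of a fingerprint ("SHA1 Fingerprint=AA:BB:...",
# "aa bb ...", "AABB...") to bare lowercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'A-F' 'a-f'
}

# Print the fingerprint line of the certificate the host presents over TLS.
fetch_fp() {   # fetch_fp <host> [port]
    openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1
}

# Return 0 on a match, 1 on a mismatch, 2 if the recorded value is not a
# well-formed SHA-1 fingerprint (40 hex digits), so a truncated or empty
# record can never be treated as a match.
same_fp() {    # same_fp <recorded> <presented>
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#a}" -eq 40 ] || return 2
    [ "$a" = "$b" ]
}

# Entry point: only runs when a recorded fingerprint and a host are given.
if [ "$#" -ge 2 ]; then
    if same_fp "$1" "$(fetch_fp "$2" "$3")"; then
        echo "fingerprint matches the recorded value"
    else
        echo "fingerprint MISMATCH or unreadable: do not log in" >&2
        exit 1
    fi
fi
```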

In order to restrict less secure algorithms (refer to https://support.f5.com/kb/en-us/solutions/public/6000/700/sol6768.html for more detail), modify the cipher string.

bigpipe httpd sslciphersuite 'ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW'
bigpipe save all

HealthChecks

In F5 nomenclature, healthchecks are undertaken by "monitors". Several monitors are included, and some we have added or customized.

DNS-monitor

The DNS-monitor health-check uses an external script located at /usr/bin/monitors/DNS-monitor. It takes 2 parameters: a DNS name to look up, and the expected answer. Example:

monitor DNS-monitor {
    defaults from external
    args "wr01000ldns0001.vni.ec.att.com 10.198.111.212"
    run "DNS-monitor"
}
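The page does not include the DNS-monitor script itself. The following is an added sketch of how such an external monitor can be written, not the script used on this system. It assumes the usual BIG-IP external-monitor convention (node address and port passed first, then the monitor's args, with any stdout output marking the member up) and that dig is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the script from the original page. Assumed calling
# convention: $1 = node address (possibly written as ::ffff:a.b.c.d),
# $2 = port, $3 = DNS name to look up, $4 = expected answer.
# Any output on stdout marks the pool member up; no output marks it down.

# Strip the IPv4-mapped IPv6 prefix from the node address.
node_addr() {
    printf '%s\n' "${1#::ffff:}"
}

# Accept only hostname/address characters, so a monitor argument can never
# be read by dig as an option ("-x ...") or as a server ("@...").
valid_token() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.:_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Query the pool member itself, with a short timeout and a single try.
dns_lookup() {    # dns_lookup <server> <port> <name>
    dig +short +time=2 +tries=1 -p "$2" "@$1" "$3" A
}

# Succeed only if one whole answer line equals the expected value. A plain
# substring match would accept an answer of 10.198.111.212 when
# 10.198.111.21 is expected.
dns_monitor() {   # dns_monitor <node> <port> <name> <expected>
    server=$(node_addr "$1")
    for tok in "$server" "$2" "$3" "$4"; do
        valid_token "$tok" || return 2
    done
    dns_lookup "$server" "$2" "$3" | grep -Fxq -- "$4"
}

# Entry point when started by the monitor with its four arguments.
if [ "$#" -ge 4 ]; then
    dns_monitor "$1" "$2" "$3" "$4" && echo "UP"
fi
```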

http-ImAlive (Content and Audio servers)

The http-ImAlive healthcheck fetches /ImAlive/ImAlive.jsp over HTTP, and expects an HTTP 200/OK response.

monitor http-ImAlive {
    defaults from http
    recv "200 OK"
    send "GET /ImAlive/ImAlive.jsp HTTP"
}

Watson_Wireline

The Watson_Wireline monitor opens a connection to TCP port 8889 on an ASR, sends the string "HealthCheck", and expects the reply to be the string "HealthAvailable".

monitor Watson_Wireline {
    defaults from tcp
    dest *:8889
    recv "HealthAvailable"
    send "HealthCheck"
}

Natural Language Text-to-Speech

This service uses the built-in tcp monitor to make sure that ASR servers are accepting TCP connections on port 5950.

SIP_Proxy

The SIP_Proxy monitor sends a SIP OPTIONS request to an SPX and expects a valid SIP response code. Note that any response code is considered a success.

monitor SIP_Proxy {
    defaults from sip
    debug "no"
    filter "\x2a"
    mode "tcp"
}

Profiles

Nodes

node 10.198.111.212 {
    monitor icmp
    screen wr01000ldns0001
}

Pools

pool DNS {
    monitor all DNS-monitor
    members {
        10.198.111.212:domain {}
        10.198.111.213:domain {}
    }
}

Virtual Servers

virtual AAS-1 {
    pool AAS-1
    destination 10.198.111.11:http
    ip protocol tcp
    profiles fastL4 {}
}

virtual ASR-1 {
    pool ASR-1
    destination 10.198.111.13:any
    ip protocol tcp
    profiles fastL4 {}
}

virtual CAS-1 {
    pool CAS-1
    destination 10.198.111.12:http
    ip protocol tcp
    profiles fasthttp {}
}

virtual DNS {
    pool DNS
    destination 10.198.111.53:domain
    ip protocol udp
}

virtual TDD-1 {
    pool TDD-1
    destination 10.198.111.13:22000
    ip protocol tcp
    profiles fastL4 {}
}

virtual TTS-1 {
    pool TTS-1
    destination 10.198.111.13:5950
    ip protocol tcp
    profiles fastL4 {}
}

virtual SPX-1 {
    pool SPX-1
    destination 10.198.111.14:5060
    ip protocol udp
    persist sip_proxy_persist
    profiles udp_sip {}
}