#cloud Today’s post is brought to you by the Law of Diminishing Returns The conflation of “pay-as-you-grow” with “on-demand” tends to cause confusion in the realm of networking and hardware. This is because of the way in which networking vendors have attempted to address the demand of organizations to pay only for what you use and to expand on-demand. The premise is that costs grow proportionally with capacity. In cloud computing organizations achieve this. As more capacity (resources from ha...
#F5 does #VDI, and it does it better. There are three core vendors and protocols supporting VDI today. Microsoft with RDP, Citrix with ICA, and VMware with PCoIP. For most organizations a single vendor approach has been necessary, primarily because the costs associated with the supporting network and application delivery network infrastructure required to deliver VDI with the appropriate levels of security while meeting performance expectations of users and the need to maintain high availabili...
We tend to assume characteristics upon hearing the term #mobile. We probably shouldn’t… There are – according to about a bazillion studies – 4 billion mobile devices in use around the globe. It is interesting to note that nearly everyone who notes this statistic and then attempts to break it down into useful data (usually for marketing) almost always does so based on OS or device type – but never, ever, ever based on connectivity. Consider the breakdown offered by W3C for Octobe...
Is it Linux? Is it third-party? Is it proprietary? Isn’t #vcmp just a #virtualization platform? Just what is inside an F5 BIG-IP that makes it go vroom? Over the years I’ve seen some pretty wild claims about what, exactly, is “inside” a BIG-IP that makes it go. I’ve read articles that claim it’s Linux, that it’s based on Linux, that it’s voodoo magic. I’ve heard competitors make up information about just about every F5 technology – TMOS, vCMP, iRules – that enables a BIG-IP to do what it doe...
#infosec #DNS #v11 DNS is like your mom, remember? Sometimes she knows better. Generally speaking, blackhole routing is a problem, not a solution. A route to nowhere is not exactly a good thing, after all. But in some cases it’s an approved and even recommended solution, usually implemented as a means to filter out bad packets at the routing level that might be malformed or are otherwise dangerous to pass around inside the data center. This technique is also used at the DNS layer as a means...
Scaling MySQL just got a whole lot easier. Load balancing MySQL – any database, really – is not a trivial task. Generally speaking one does not simply round robin your way through a cluster of MySQL databases as a means to achieve scalability. It is databases, in fact, that have driven a wide variety of scalability patterns such as sharding and partitioning to achieve the ultimate goal of high-performance and scalability simultaneously. Unfortunately, most folks don’t architect their applica...
#devops An ecosystem-based data center approach means accepting the constancy of change… It is an interesting fact of life for aquarists that the term “stable” does not actually mean a lack of change. On the contrary, it means that the core system is maintaining equilibrium at a constant rate. That is, the change is controlled and managed automatically either by the system itself or through the use of mechanical and chemical assistance. Sometimes, those systems need modifications or break (us...
#iApp #v11 If you were wondering what these three things have to do with F5, read on … What has a strange sense of humor, an unhealthy love of bacon and donuts, and has held a wide variety of IT roles and responsibilities for a whole lot of years? If you said “the F5 Product Management Engineering team” give yourself a cookie (or better yet some bacon). The question is, why should you care? To understand that, you first have to understand the role that “PME” has within F5. Many of the...
#v11 ScaleN breaks out of the traditional infrastructure scalability mold We previously introduced ScaleN but we didn’t really dig into how it’s enabled, other than to mention it’s been made possible in part by leveraging F5’s vCMP (virtual Clustered Multi-Processing) technology, which puts the “virtual” in “virtual networking.” The basic premise of infrastructure scalability is that if the component providing the scalability fails, well, the service for which it provides HA fails. That’s ...
#v11 A robust and diverse set of management tools enabling a variety of infrastructure integration options is essential to architecting a dynamic data center In the continuing quest for a more dynamic data center, infrastructure integration must necessarily take center stage. While virtualization has enabled fluidity of server infrastructure, it has not done so for the network and may never be wholly suitable for the task for a variety of reasons. But the agility resulting from virtualizat...
Introduction Two-factor authentication (TFA) has been around for many years and the concept far pre-dates computers. The application of a keyed padlock and a combination lock to secure a single point would technically qualify as two-factor authentication: “something you have,” a key, and “something you know,” a combination. Until the past few years, two-factor authentication in its electronic form has been reserved for high security environments: government, banks, large companies, etc. The mos...
Introduction This article highlights F5 ARX Tiering over the WAN via ARX tiering-policies and BIG-IP (v11.1) WAN Optimization Manager (WOM). When an administrator wishes to utilize storage from another corporate location, they can create an ARX managed-volume that contains local storage as well as non-local storage and effectively tier data between data centers. To the end-user (remote/local), this tiering policy is completely transparent. The tiering policy is optimized via the WAN Optimizati...
Introduction Datagroups and tables are the two primary methods we have in iRules for organizing key and value pairs. Both can be reused for subsequent connections. Datagroups have the advantage of being directly editable from the BIG-IP user interface, however they cannot be modified from within an iRule. This would open a potential security hole by allowing BIG-IP filesystem access from an iRule. Tables on the other hand must be populated from within an iRule, which allows for tracking...
Version 11 of BIG-IP brought with it many enhancements and new features ranging across the entire product. iRules improvements and features were among the cooler things changed, in the opinion of this avid iRuler. Between sideband connections, iFiles and improvements of already existing functionality, it's hard to imagine there is more yet to discuss in v11 iRules goodness, but there is. iStats were introduced in v11, and are worth talking about, as they can dramatically change the way you are s...
Several months ago I wrote up the v10 formatting for internal and external datagroups: iRules Data Group Formatting Rules. In v11, however, there is a change to the format of the internal data group and the data group reference to external class files (the formatting in the external class file itself is unchanged). The formatting rules in v11 for data groups more closely resemble the tmsh commands necessary to build the class at the CLI (these command attributes are masked if you are using the ...
The iRules CodeShare on DevCentral is an amazingly powerful, diverse collection of iRules that perform a myriad of tasks ranging from credit card scrubbing to form based authentication to, as in today's example, limiting the number of HTTP sessions allowed. While the codeshare is outstanding, it is a collection of code that has been contributed over the last several years. As such, some of it is written for older versions, like 9.x, where we didn't have some of the powerful, efficient commands a...
F5 has been in the DNS business for quite some time, beginning with the 3-DNS GSLB product introduced in 1998. While steadily growing the GSLB market through product advances, the platform is incredibly feature rich now, offering far more than GSLB services. Some of the other services added over the years (articles written on services in parentheses): Standard name services via BIND, as a fallback or as primary domain auth; Local SLB for DNS; DNSSEC (Configuring GTM’s DNS Security...
Introduction In our last Tech Tip, v11: DNS Express – Part 1, we discussed configuring DNS Express as an authoritative slave DNS server. We also discussed the advantages of using DNS Express in place of a pool of BIND servers. In this part of the series we will be discussing using Transactional SIGnatures (TSIG) to secure zone transfers from our BIND server to the GTM. By implementing TSIGs for our zone transfers, we can ensure that no one could potentially poison the zone data of our DNS Ex...
Introduction Among the many features released with GTM version 11, DNS Express has to be near the top of the list for many DNS administrators. DNS Express is a high performance in-memory authoritative DNS server. GTM has always been able to serve DNS records from its local BIND instance, but this left it subject to many of the same performance limitations as other BIND servers. In addition to its ability to far outperform most any DNS server (125k queries per second per core), DNS Express als...
In Part 1, I configured a full Webtop in APM with a static RDP host. In Part 2, I modified that configuration to allow users to specify their RDP destination. In this article, I’ll make a couple changes to the final configuration in Part 2 to have the last hostname “remembered” across sessions. Add an iRule Event Yes! Finally an iRule in this series. In order for an iRule to be triggered, however, I need to add an iRule event to the policy. Why do I need an iRule? Well, in order to recall the ...
Bucket Way back in time (well, not so way back), configuration objects were stored in one location in the configuration. For the sake of this article, we’ll call this the root “bucket”. This worked fine for small organizations but we found that as companies grew and, as a consequence, the number of applications they needed to support increased, it became more difficult to manage all the objects in a single “bucket”. vs_1 vs_2 pool_1 pool_2 monitor_1 monitor_2...
In the first article in this series, I configured a full Webtop in APM with a static RDP host. In this article, I’ll make some changes to the original configuration to allow users to specify an RDP host destination. Modify the Access Policy Immediately after the active directory authentication on the successful branch, click the “+” and add a logon page. In the logon page configuration, change the name (optional) to RDP Hostname, set the field 1 post variable and sessi...
I wrote an article several months back on auto-launching Remote Desktop sessions with APM. With the introduction of BIG-IP APM v11, there is a new built-in capability to support a full webtop. This means that server, desktop, or other resources can be placed on the webtop for users to select once logging in. In this first example, I’ll set up a static internal resource for users to connect to after logging in. Create the Webtop After logging in to the BIG-IP, open up the Acce...
Introduction One of the most commonly requested features for iControl we’ve seen recently has been for transaction support. It was implemented in TMSH for Version 10 and is now available for iControl in Version 11. Transactions are super handy and anyone who has used them on other networking devices or databases can attest to their usefulness. There are many occasions where we want to make large sweeping changes, but want to interrupt the changes if any of them fails. This ensures that any chan...
Introduction Version 11 introduces the concept of iControl sessions. iControl sessions are a stateful set of attributes (at this time, active folder and transaction) that persist across multiple requests for a single user. This allows a user to set remote session attributes on the BIG-IP and reuse them in subsequent requests. In addition, it also segregates iControl requests from other clients using the same credentials. An iControl session by default is identified only by the user making the ...
Beginning with BIG-IP version 11, the idea of templates has not only changed in amazing and powerful ways, it has been extended to be far more than just templates. The replacement for templates is called iApp™. But to call the iApp™ just a template would be woefully inaccurate and narrow. It does templates well, and takes the concept further by allowing you to re-enter a templated application and make changes. Previously, deploying an application via a template was sort...