
F5 Configuration Guide for BeyondInsight

Examples for Active/Active configuration of F5 Local Traffic Managers


© 2016. BeyondTrust Software, Inc. Development Process

Table of Contents

  Executive Summary
  Deployment Methodologies
  Design Overview
    HA State Detection for Active/Passive Deployments
  PowerBroker Password Safe
    CONFIGURATION OVERVIEW
    CONFIGURATION COMPONENTS
    CONFIGURATION EXAMPLE
  BeyondInsight Management Console
    CONFIGURATION OVERVIEW
    CONFIGURATION EXAMPLE
  BeyondInsight Event Collector Service
    CONFIGURATION OVERVIEW
    CONFIGURATION EXAMPLE
  SNAT Pools
  About BeyondTrust


Executive Summary

BeyondInsight / PowerBroker Password Safe supports a number of configuration methodologies for high availability, redundancy, and scalability. The solution may be installed as software, or delivered as a ready-to-run security appliance called a UVM; the latter is the more common deployment method. Most configurations require the use of an external load balancer to help end users and software endpoints continue to connect to the BeyondInsight system when a primary IP address goes offline in a failure. This document explains some of these configuration options using F5 LTM Load Balancers.

Deployment Methodologies

Active/Passive

Two appliances are required for active/passive. The internal databases are replicated, and a heartbeat sent from the primary indicates to the secondary if it should take over operations.

[Figure: two UVM appliances, Site A and Site B, each able to switch between Primary and Secondary; database sync on TCP 5022 (default); heartbeat on TCP 443 (130s); clients connect through a load balancer or a DNS CNAME.]

Active/Passive is for UVM appliances only. It will fail over to a mirrored appliance in the event the primary appliance is not available. Failover is automatic. This method involves 2 appliances configured as a 'pair'. Note that appliance pairs have to be identical, i.e. UVMv20 -> UVMv20, UVM50 -> UVM50, UVM20 -> UVM20, etc.


Active/Active

Sometimes called multi-active, this deployment type allows multiple nodes (Password Safe instances) to be active at one time. Each node is connected directly to the database.

[Figure: DC1 with a SAN and an MS 2012R2 Cluster of two 2012R2 physical servers running SQL 2012 in a SQL AlwaysOn Availability Group; behind an F5, a UVM50 Primary Mgmt appliance (Admin Console, Retina Scanner), a UVM50 Worker Node / Backup Mgmt appliance (Admin Console*, Password Portal, Retina Scanner, Session Recording, Password Mgmt) and a UVMV20 Worker Node (Retina Scanner, Password Portal, Session Recording, Password Mgmt); Std User and Admin User clients connect through the F5.]

In this scenario, a pair of replicas is configured for synchronous commit within an external AlwaysOn Availability Group; this provides database redundancy. Three appliances are connected to the external address of the Availability Group. One is configured with a management console role, the other two are 'worker nodes'. Access to appliances may be made directly, or via the load balancer. Both appliances may be used simultaneously.


Design Overview

The BeyondInsight / Password Safe solution has several different network endpoints that must be balanced differently.

• The PowerBroker Password Safe HTTPS website and API, and its session recording endpoints
  o webconsole/api/configuration/feature/passwordsafe
• The BeyondInsight Management Console
  o webconsole/api/configuration/feature/managementconsole
• The BI Event Collector for PowerBroker Windows and PowerBroker Unix/Linux logs.

Each endpoint has different networking and SSL requirements and must be set up as a separate virtual server in the F5 Load Balancer. Additionally, each endpoint provides a different URI, and therefore requires a different configuration for availability monitoring. For an Active/Passive high availability configuration, the goal is a fast and efficient failover, even if it requires an end user to log in to the application again.

HA State Detection for Active/Passive Deployments

The UVM appliance has an API endpoint URL that allows an external device to determine the current HA state:

https://UVMaddress/UVMInterface/api/HighAvailability

A GET to this address returns a result (JSON by default) whose format can be controlled by the request header. For example: {"Role":"Active"}.

You can see the JSON by opening the URL in a web browser. As the API endpoint is built on the Microsoft WebAPI platform, it supports other formats for the returned object, controlled by the header of the request. For example, you will see XML returned if the URL is opened in Chrome.
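The following tmsh objects are an added example and are not part of BeyondTrust's guide. They show one way to use the HA endpoint above as the availability check for an Active/Passive pair, so that a pool member is marked up only while it reports Role Active, rather than merely while it answers on port 443. The monitor name uvm_ha_active, the pool name PSafe_ha, the Host header value and the timing values are assumptions; the node addresses are the ones used throughout this guide.

```tmsh
# Added example, not from the original guide.
# The monitor sends an explicit Accept header so the WebAPI endpoint returns JSON
# regardless of the negotiated default, and the recv string then looks for the
# "Role":"Active" pair in the body. A passive appliance fails the recv check and is
# marked down, so the virtual server never selects it.
ltm monitor https /Common/uvm_ha_active {
    defaults-from /Common/https
    destination *:*
    interval 5
    timeout 16
    time-until-up 0
    send "GET /UVMInterface/api/HighAvailability HTTP/1.1\r\nHost: uvm\r\nAccept: application/json\r\nConnection: close\r\n\r\n"
    recv "\"Role\":\"Active\""
}
# Pool for the Active/Passive pair (assumed name). Both members carry the same monitor;
# only the member currently reporting Role Active is up at any one time.
ltm pool /Common/PSafe_ha {
    members {
        /Common/PS1:443 {
            address 192.168.1.20
        }
        /Common/PS2:443 {
            address 192.168.1.30
        }
    }
    monitor /Common/uvm_ha_active
    service-down-action reselect
}
```

After loading the objects, confirm with `tmsh list ltm monitor https uvm_ha_active` that the quoted send and recv strings were stored as intended, and with `tmsh show ltm pool PSafe_ha members` that exactly one member is up while the pair is healthy. During a failover both members may briefly be down until the secondary promotes itself, which matches the re-login behaviour this guide accepts for Active/Passive.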


PowerBroker Password Safe

CONFIGURATION OVERVIEW

As well as the BeyondInsight web site, PowerBroker Password Safe (Password Safe) requires support for additional interfaces:

• HTML5 web endpoint for user access to check out passwords
• JSON RESTful API interface
• Listening ports for session recording
  o 4489 (default) for RDP sessions
  o 4422 (default) for SSH sessions

The HTML5 web endpoint and session recording listeners need to have the same persistence, so that the Password Safe node which starts the session recording service for a user is the node that the F5 sends that user to.

Note on API use cases

The API uses client IP addresses as one of its authenticators, so SSL termination at the F5 will hide those IP addresses from the Password Safe server. For this reason, a separate virtual server for the Password Safe API will need to be set up that does NOT terminate the SSL connections.

CONFIGURATION COMPONENTS

The configuration for Password Safe consists of multiple virtual servers connected to a single pool with wildcard (all services enabled) nodes, using source_addr as the primary persistence method, so that persistence can be maintained across all virtual servers. This is documented by F5 on DevCentral at: https://devcentral.f5.com/articles/persisting-across-virtual-servers

The Password Safe configuration also terminates SSL connections, allowing the separation of the name and IP address of the Password Safe and BeyondInsight Management Console logon sites.


CONFIGURATION EXAMPLE

ltm default-node-monitor {
    rule /Common/https_443
}
ltm node /Common/PS1 {
    address 192.168.1.20
}
ltm node /Common/PS2 {
    address 192.168.1.30
}
ltm pool /Common/PSafe {
    description "Two Password Safe machines 192.168.1.20 & 192.168.1.30"
    load-balancing-mode least-connections-member
    members {
        /Common/PS1:0 {
            address 192.168.1.20
            description "PasswordSafe Node"
            monitor /Common/https_443
        }
        /Common/PS2:0 {
            address 192.168.1.30
        }
    }
    monitor /Common/https_443
    service-down-action reselect
}
ltm virtual /Common/pbpsapi {
    destination /Common/10.200.30.156:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/source_addr {
            default yes
        }
    }
    pool /Common/PSafe
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
ltm snat /Common/psafe {
    origins {
        0.0.0.0/0 { }
    }
    snatpool /Common/psafe
}
ltm snat-translation /Common/192.168.1.11 {
    address 192.168.1.11
    inherited-traffic-group true
    traffic-group /Common/traffic-group-1
}
ltm snatpool /Common/psafe {
    members {
        /Common/192.168.1.11
    }
}
ltm virtual /Common/PBPS-RDP {
    destination /Common/10.200.31.68:4489
    fallback-persistence /Common/dest_addr
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/source_addr {
            default yes
        }
    }
    pool /Common/PSafe
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
ltm virtual /Common/PBPS-SSH {
    destination /Common/10.200.31.68:4422
    fallback-persistence /Common/dest_addr
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/source_addr {
            default yes
        }
    }
    pool /Common/PSafe
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
ltm virtual /Common/psafe {
    destination /Common/10.200.31.68:443
    fallback-persistence /Common/dest_addr
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/source_addr {
            default yes
        }
    }
    pool /Common/PSafe
    profiles {
        /Common/http { }
        /Common/psafe {
            context serverside
        }
        /Common/psafe_client {
            context clientside
        }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
ltm virtual-address /Common/10.200.31.68 {
    address 10.200.31.68
    mask 255.255.255.255
    traffic-group /Common/traffic-group-1
}
ltm profile client-ssl /Common/psafe_client {
    alert-timeout 10
    allow-non-ssl disabled
    app-service none
    cache-size 262144
    cache-timeout 3600
    cert /Common/psafe
    chain none
    ciphers DEFAULT
    defaults-from /Common/clientssl
    handshake-timeout 10
    key /Common/psafe.key
    mod-ssl-methods disabled
    options none
    proxy-ssl disabled
    renegotiate-max-record-delay 10
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    server-name none
    session-ticket disabled
    sni-default false
    sni-require false
    strict-resume disabled
    unclean-shutdown enabled
}
ltm profile server-ssl /Common/psafe {
    alert-timeout 10
    app-service none
    authenticate once
    authenticate-depth 9
    authenticate-name none
    ca-file none
    cache-size 262144
    cache-timeout 3600
    cert /Common/psafe
    chain none
    ciphers DEFAULT
    crl-file none
    defaults-from /Common/serverssl
    expire-cert-response-control ignore
    handshake-timeout 10
    key /Common/psafe.key
    mod-ssl-methods disabled
    peer-cert-mode ignore
    proxy-ssl disabled
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require-strict
    server-name none
    session-ticket disabled
    sni-default false
    sni-require false
    ssl-forward-proxy disabled
    strict-resume disabled
    unclean-shutdown enabled
    untrusted-cert-response-control ignore
}
sys file ssl-cert /Common/psafe {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:psafe_48505_1
    revision 1
}
sys file ssl-key /Common/psafe.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:psafe.key_48502_1
    revision 1
}

BeyondInsight Management Console

CONFIGURATION OVERVIEW

There will only ever be a single instance of the BeyondInsight Management Console (BI) in an environment, so the checks for availability need to be different, necessitating a different pool configuration.

CONFIGURATION EXAMPLE

ltm default-node-monitor {
    rule /Common/https_443
}
ltm node /Common/PS1 {
    address 192.168.1.20
}
ltm node /Common/PS2 {
    address 192.168.1.30
}
ltm pool /Common/bi-management {
    description "management console"
    members {
        /Common/PS1:443 {
            address 192.168.1.20
        }
        /Common/PS2:443 {
            address 192.168.1.30
        }
    }
    monitor /Common/https_mgmt
    service-down-action reset
}
ltm virtual /Common/MGMT_Console {
    destination /Common/10.200.31.69:443
    fallback-persistence /Common/source_addr
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/cookie {
            default yes
        }
    }
    pool /Common/bi-management
    profiles {
        /Common/http { }
        /Common/psafe {
            context serverside
        }
        /Common/psafe_client {
            context clientside
        }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
ltm virtual-address /Common/10.200.31.69 {
    address 10.200.31.69
    mask 255.255.255.255
    traffic-group /Common/traffic-group-1
}
ltm monitor https /Common/https_mgmt {
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    recv .*BeyondInsight
    send "GET webconsole/api/configuration/feature/managementconsole\\r\\n"
    time-until-up 0
    timeout 16
}
sys file ssl-key /Common/server.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:server.key_48493_1
    revision 1
}
sys file ssl-key /Common/unencrypted.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:unencrypted.key_48496_1
    revision 1
}


BeyondInsight Event Collector Service

CONFIGURATION OVERVIEW

The BeyondInsight Event Collector service is used by PowerBroker Windows (PBW) and PowerBroker Unix/Linux (PBUL) clients to send events into BeyondInsight.

SSL server verification is required by the clients, and the BeyondInsight server authenticates the clients from the SSL certificate that they present. As a result, the client SSL authentication needs to be passed through to the BeyondInsight server. Additionally, the eEyeEMSClient.cer certificate needs to be loaded into BeyondInsight so that it can perform true endpoint checking of Event Collector service availability.

CONFIGURATION EXAMPLE

ltm node /Common/PS1 {
    address 192.168.1.20
}
ltm node /Common/PS2 {
    address 192.168.1.30
}
ltm pool /Common/Event_Collector {
    load-balancing-mode least-connections-member
    members {
        /Common/PS1:443 {
            address 192.168.1.20
        }
        /Common/PS2:443 {
            address 192.168.1.30
            session user-disabled
            state user-down
        }
    }
    monitor /Common/event_client
}
ltm virtual /Common/Event_Collector {
    destination /Common/10.200.30.118:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/source_addr {
            default yes
        }
    }
    pool /Common/Event_Collector
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
ltm virtual-address /Common/10.200.30.118 {
    address 10.200.30.118
    mask 255.255.255.255
    traffic-group /Common/traffic-group-1
}
ltm monitor https /Common/event_client {
    cert /Common/eEyeclient.crt
    cipherlist DEFAULT:+SHA:+3DES:+kEDH
    compatibility enabled
    defaults-from /Common/https
    destination *:*
    interval 5
    key /Common/eEyeclient.key
    recv "Server Error in"
    send "GET /EventServer/Service.svc\\r\\n"
    time-until-up 0
    timeout 16
}
sys file ssl-cert /Common/eEyeclient.crt {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:eEyeclient.crt_48905_1
    revision 1
    source-path /config/ssl/ssl.crt/eEyeclient.crt
}
sys file ssl-key /Common/eEyeclient.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:eEyeclient.key_48902_1
    revision 1
    source-path /config/ssl/ssl.key/eEyeclient.key
}

SNAT Pools

BeyondTrust does not officially support the use of SNAT pools. However, many customers have confirmed that SNAT pool configuration is possible.

An example fragment, as applied to the Event Collector virtual server, follows:

    source 0.0.0.0/0
    source-address-translation {
        pool /Common/EventCollector
        type snat
    }
    translate-address enabled
    translate-port enabled
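The fragment above refers to a SNAT pool that the guide does not define. As an added example that is not part of BeyondTrust's guide, the following tmsh objects supply the missing pieces, modelled on the snat-translation and snatpool objects the guide defines for Password Safe, and show the fragment in place inside the Event Collector virtual server. The translation address 192.168.1.12 is a constructed value; the virtual server otherwise matches the Event Collector configuration example above.

```tmsh
# Added example, not from the original guide. 192.168.1.12 is an assumed translation address.
ltm snat-translation /Common/192.168.1.12 {
    address 192.168.1.12
    inherited-traffic-group true
    traffic-group /Common/traffic-group-1
}
# The SNAT pool the virtual server's source-address-translation stanza points at.
ltm snatpool /Common/EventCollector {
    members {
        /Common/192.168.1.12
    }
}
# Event Collector virtual server with the guide's fragment applied. Persistence is
# still evaluated on the client's real source address; the translation only changes
# the source the BeyondInsight node sees.
ltm virtual /Common/Event_Collector {
    destination /Common/10.200.30.118:443
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        /Common/source_addr {
            default yes
        }
    }
    pool /Common/Event_Collector
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool /Common/EventCollector
        type snat
    }
    translate-address enabled
    translate-port enabled
    vlans-disabled
}
```

With this in place the Event Collector nodes see 192.168.1.12 as the client address for every collected event. That is acceptable here because the collector authenticates clients by the certificate they present, which the TCP-only virtual server passes through unchanged; it is not acceptable for the Password Safe API virtual server (pbpsapi), where the guide states that the client IP address is itself one of the authenticators, so no source-address-translation stanza should be added there.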


About BeyondTrust

BeyondTrust® is a global security company that believes preventing data breaches requires the right visibility to enable control over internal and external risks.

We give you the visibility to confidently reduce risks and the control to take proactive, informed action against data breach threats. And because threats can come from anywhere, we built a platform that unifies the most effective technologies for addressing both internal and external risk: Privileged Account Management and Vulnerability Management. Our solutions grow with your needs, making sure you maintain control no matter where your organization goes.

BeyondTrust's security solutions are trusted by over 4,000 customers worldwide, including over half of the Fortune 100. To learn more about BeyondTrust, please visit www.beyondtrust.com.