F5: Setup Basic Web Load Balancing

KB ID 0001698

Problem

In past articles I’ve got my F5 BIG IP appliance up and running, and I’ve built some web servers to test load balancing. Now to actually connect things together and start testing things. Below is my lab setup, I will be deploying simple web load balancing (Static: Round Robin) between three web servers, each serving a simple HTTP web site.

Test F5 to Web Server Connectivity

For obvious reasons the F5 needs to be able to speak to the web servers, so it needs to be on the same network/VLAN and have connectivity. To test that we can log onto the the F5 console directly, and ‘ping’ the web servers.

So connectivity is good, let’s make sure we can actually see the web content on those boxes, the best tool for that is to use curl, which will make a web request, and the wen server ‘should’ return some HTML.

[box]curl http://10.2.0.11[/box]

F5 BIG-IP Load Balancing Terminology

Yeah I said ‘load balancing‘ and not ADC sue me! There are a number of building blocks that F5 uses, and you need to understand the terminology to put things together, firstly lets look at things BEHIND the F5 appliance;

  • Node: An actual machine/appliance, (be that physical or virtual.) That provides some sort of service or a collections of services e.g. a web server, telnet server, FTP site etc.
  • Pool Member: Is a combination of a Node AND a Port/Service, e.g. 192.168.1.100:80 (IP address and TCP port 80 (or HTTP)).
  • Pool: A Logical collection on Pool Members, that provide the same service e.g a collection of pool members offering a website on TCP port 80.

F5 BIG-IP Adding Nodes

While connected to the web management portal > Local Traffic > Nodes > Create (Note: You can also press the green ‘add’ button on the Node pop-out on newer versions).

Specify a name > Description (optional) > IP address (or FQDN) > ‘Repeat‘ > Continue to add Nodes as required, then click ‘Finished‘.

F5 BIG-IP Adding Pools

Now we have our Nodes, We need to create a Pool. Local Traffic > Pools > Create, (again on newer versions theres a green add button on the pop-out).

Add a Name > Description (Optional) > Add an applicable Health Monitor (in our case http) > Select the ‘Node List’ radio button > Select your first Node > Set the Port/Service  > Add  > Continue to Add the remaining Nodes.

Note: Here is where you add the IPs to the Port/Service and create the Pool Members.

Sorry! Busy Screenshot

When all the Nodes are added > ‘Finished‘.

Your web pool ‘should‘ show healthy, Note: that does not mean ALL the nodes are online!

To make sure ‘all’ the Nodes are healthy > Go to the Members Tab.

F5 BIG-IP Virtual Servers

I’m not a fan of using this term ‘Virtual Server‘ I prefer Virtual IP (or VIP,) but we are where we are! Above we’ve looked at things BEHIND the F5, now we need to present those services IN FRONT of the F5 (Note: I don’t say publicly, because we deploy plenty of BIIG-IP solutions inside  networks). So a Virtual Server is the outside IP address or FQDN of that a ‘consumer’ will connect to;

Local Traffic > Virtual Servers > Create.

Supply a name > Description (optional)  > Destination Address (the ‘available outside’) IP address > Set the service/port > Scroll down to the bottom.

Set the ‘Default Pool’ to the pool you created (above) > ‘Finished‘.

For a brief overview or check what you have created  > Click Local Traffic > Network Map Note: This will look different on older versions of the F5.

Then test the service form the outside, here each web server serves a different colour page so I can test it’s working properly.

My Web Page Does Not Change? If you keep seeing the same colour/page then it’s probably because you chose browser is ‘caching’ web content on your test machine, you may need to disable caching on your chosen web browser, for an accurate test.

So that’s Static Round Robin (Equal Ratio) Based Load Balancing. In the next article I’ll look at how you can manipulate the ratios, to better serve your hardware, and requirements.

Related Articles, References, Credits, or External Links

NA

TinyCore Linux: Build a ‘Persistent’ Web Server

KB ID 0001697

Problem

Recently I was building a lab for testing load balancing, and needed some web servers, I could have built three Windows servers, but I wanted to run them in EVE-NG, so they had to be as light as I could make them. I chose TinyCore Linux, (I know there are smaller options, but it’s light enough for me to run, and work with).

The problem occurs when you reboot the TinyCore host, it (by default) reverts back to its vanilla state, (that’s not strictly true, a couple of folders are persistent).

So I had to build a server that would let me SFTP some web content into it and allow me to reboot it without losing the web content, settings, and IP address.

Step 1: Configure TinyCore IP & Web Server

This is a two step procedure, firstly I’m going to give it a static IP.

[box]

sudo ifconfig eth0 192.168.100.110 netmask 255.255.255.0
sudo route add default gw 192.168.100.1

[/box]

I don’t need DNS, if you do, then simply edit the resolve.conf file;

[box]

sudo vi /etc/resolv.conf
Add a value e.g.
Nameserver 8.8.8.8

[/box]

If you are scared of  the VI editor see Using the VI Editor (For Windows Types)

To connect via SSH/SFTP you will need opnessh installing, and to run the website, we will use Busybox, to install those, do the following;

[box]

tce-load -wi busybox-httpd.tcz
tce-load -wi openssh

[/box]

You will now need to set a password for the root account, (so you can log on and trasfer web files in!)

[box]

su
passwd
Type in, and confirm a new password!

[/box]

Start the OpenSSH, and TFTP services;

[box]

cd /usr/local/etc/init.d/
./openssh start
cd /etc/init.d/services/
./tftpd start

[/box]

Now create a basic web page, (index.html) which you can update later. Setup the website, then copy that file to a location that will be persistent (you will see why later).

[box]

cd /usr/local/httpd/bin
sudo ./busybox httpd -p 80 -h /usr/local/httpd/bin/
sudo vi index.html {ENTER SOME TEXT TO TEST, AND SAVE}
sudo mkdir /mnt/sda1/wwwsite/
sudo cp /usr/local/httpd/bin/index.html /mnt/sda1/wwwsite/index.html

[/box]

At this point, (if you want) you can use your favourite SFTP client, (I recommend FileZilla or WinSCP) and copy in some live web content to /mnt/sda1/wwwsite/ But ensure the home/landing page is still index.html though!

Step 2: Make TinyCore Settings ‘Persistent’

There may be better ways to do this, this just worked for me, and made sense! There’s a shell script that is executed as the TinyCore machine boots (bootlocal.sh) so if you edit that file and put in the commands to configure the IP, copy the website files from the permanent mount folder, start the web server, then start SSH and TFTP, you end up with a server doing what you want, every time the server boots.

[box]

sudo vi /opt/bootlocal.sh

ADD THE FOLLOWING TO THE BOTTOM OF THE FILE;

sudo ifconfig eth0 192.168.100.110 netmask 255.255.255.0 
sudo route add default gw 192.168.100.1
cp /mnt/sda1/wwwsite/index.html /usr/local/httpd/bin/index.html
cd /usr/local/httpd/bin/
Sudo ./busybox httpd -p 80 -h /usr/local/httpd/bin/
cd /usr/local/etc/init.d/
./openssh start
cd /etc/init.d/services/
./tftpd start

[/box]

Save and exit the file, then finally BACKUP THE CHANGES with the following command;

[box]

filetool.sh -b

[/box]

Related Articles, References, Credits, or External Links

NA

World Wide Web Service Wont Start, Because Windows Process Activation Service Wont Start.

KB ID 0000878

Problem

This problem started when a client attempted to add a ‘distribution point’ for System Center onto the server. This process failed, then Outlook Web Access stopped working. First line found that the World Wide Web service was not running, when they attempted to start it, this happened;

Windows could not start the World Wide Web Publishing Service
service on Local Computer.
Error 1068: The dependency service or group failed to start.

Fair enough, the dependency in question was the Windows Process Activation Service. When they attempted to start that, this happened;

Windows could not start the Windows Process Activation Service
service on Local Computer.
Error 183: Cannot create a file when that file already exists.

Solution

This was a nightmare of a problem to troubleshoot, and IIS architecture is not my subject of choice. I was pretty much convinced the error was in a config file or a setting had been changed but where?

I restored the IIS config files from the servers own backup, and from before the error started, still the services refused to start.

Time to spin up Process Monitor. If you’re unfamiliar with Process Monitor, it is to Windows what Wireshark is to network traffic. Here I’m using it to get a ‘snapshot’ of everything that’s going on when the error occurs.

1. Run Process Monitor > Start it capturing data > Attempt to start the Windows Process Activation Service > Wait for the error > Stop the capture.

2. You will have a LOT of data, so lets narrow it down. On the properties of the service, you can see to launch, it runs ‘svchost.exe -k iissvcs’. Add in the Command Line Column, then add a filter to show only results for that command.

3. Normally at this point you would go through the results column and look for errors, e.g. access denied, not found, etc, but they all looked OK. However it was apparent that it was parsing the WebDAV_schema.xml file as it should, but before it did that, it also was reading WebDAV_schema – Copy.xml.

The copy was ‘moved elsewhere’.

4. At this point, the good folk at Microsoft came back and said they had been thought the applicationHost.config file and the bindings ‘didn’t look right either’. So we took a backup.

5. The bindings for port 80 (http) and 443 (https) were set to the default.

At this point the services could be started without error, and the problem was resolved.

Conclusion

Which of the two changes fixed the problem? The honest answer is “I don’t know”, what I do know is there was nothing I could find on the internet that helped in any way. As I had a backup of the applicationHost.config file I could compare the two see see what Microsoft meant by the bindings ‘not looking right’.

 

Related Articles, References, Credits, or External Links

Kudos to Mark Russinovich and Bryce Cogswell for Process Monitor

SBS Exchange Certificate Expired

KB ID 0000535

Problem

When you setup SBS2008 (and Exchange 2007) it creates and uses a self signed certificate, which is fine. But by default it only lasts two years. The best option is to buy a proper certificate, but if you simply want to generate a new one here’s how to do it.

Solution

1. Here you can see your certificate has expired.

2. Normally you need to access your certificate services web enrolment console to carry this procedure out. But when you navigate to https://localhost/certsrv you will probably see this:

Server Error in Application “SBS WEB APPLICATIONS”

Note: If web enrolment is installed, and you still cant access certificate services (CertSrv) then click here

3. You are seeing this error because certificate services might be installed, but the “Certificate Authority Web Enrolment” role service is not, you can add it from server manager.

4. Select it and follow the on screen prompts > Go and have a coffee.

5. Now you should be able to access the web front end.

6. To get a certificate we need a certificate request, you can write the powershell yourself like so:

[box] New-ExchangeCertificate -GenerateRequest -Path c:mail_yourpublicdomianname_co.csr -KeySize 2048 -SubjectName “c=gb, s=Your State COunty, l=Your City, o=Your Org, ou=Your Department, cn=mail.yourpublicdomianname.com” -PrivateKeyExportable $True [/box]

OR simply go here and let the good folk at Digicert do the heavy lifting for you.

7. Now you have the code, generate the request, on the Exchange server >  Start > All Programs > Microsoft Exchange Server 2007 > Exchange Management Shell > Execute the command you copied above.

8. This will dump the request on the C: drive (because in your command above you set the path to C:mail_yourpublicdomianname_co.csr) Locate it and open it with Notepad. Then select and copy ALL the text (copy as shown no extra spaces etc.)

9. If you have closed it down log into certificate services web access. Select “Request Certificate” > We will be submitting an advanced certificate request.

10. “Submit a certificate request by using………..”.

11. Paste in the text you copied at step 8, change the certificate template to “Web Server” > Submit.

12. Download the certificate.

13. Save it somewhere you can find it (the root of the C: drive is easiest, as you are going to be referencing it in a command shortly).

14. Job done, close the browser window.

15. Back at the Exchange Management Shell issue the following command:

[box] Import-ExchangeCertificate -Path c:the-name-of-your-cert.cer [/box]

As it imports it shows you the thumbprint of the certificate, mark this and copy it to the clipboard.

16. Now you have the certificate imported you can enable it, issue the following command:

[box] Enable-ExchangeCertificate -Services “SMTP,POP,IMAP,IIS” [/box]

It will ask you for the thumbprint > paste it in > when prompted enter “A” to confirm all.

17. That’s the job finished.

SBS2008 Unable to access Certificate Services

I’ve seen this on a few SBS2008 Servers, when you install the web enrolment service it installs into the servers “Default Web Site”, For any other Windows/Exchange combo that’s fine but SBS likes to do things its own way. It creates another web site called “SBS Web Applications” and uses that. That’s fine, but only one can be up and running at a time.

CertSrv The Webpage cannot be found

1. Warning: You are about to stop things like OWA briefly. From Administrative tools launch the Internet Information Services (IIS) Manager > Locate the SBS Web Applications site and click stop (right hand column) > then select the Default Web site and start it.

2. Select the CertSrv virtual directory.

3. You can now browse via http/https and this will open the site in your default browser. Don’t forget to stop the Default website, and restart the SBS Web Applications site when you are finished.

 

Related Articles, References, Credits, or External Links

NA