
Deploying to a BIG IP running 12.1 or 13.0

Bill Church edited this page Jan 31, 2018 · 3 revisions

Deploying to a BIG-IP running 12.1 - 13.0

Step 1: iRules LX Import and Plugin Configuration

  1. Navigate to iRules > LX Workspaces > Import
  2. Name: WebSSH2-x.y.z (it's a good idea to include the version in the name for future updates)
  3. Source: BIG-IP-ILX-WebSSH2-date-x.y.z.tgz, found in the latest release. You may also import the most recent version directly from GitHub by URI, specifying the raw URL (https://raw.githubusercontent.com/billchurch/WebSSH2/master/bin/BIG-IP-ILX-WebSSH2-current.tgz)
  4. Import
  5. Navigate to iRules > LX Plugins > Create
  6. Name: WebSSH2_plugin (important, name must be identical, imported iRule relies on this)
  7. From Workspace: WebSSH2-x.y.z

iRulesLX Screenshot

Step 2: Virtual Server

Ideally we want this VIP to be SSL, but for the initial testing we can keep it cleartext so it's easier to troubleshoot.

  1. Create a VIP with the following, non-default settings:
  • Name: webssh_vs
  • Destination Address/Mask: ip_address
  • Service Port: 80
  • HTTP Profile: http
  • VLANs and Tunnels (for now we’ll keep this open, in production we’ll switch it to “portal-connectivity” to restrict it to only clients accessing through an APM webtop)
  • iRule: WebSSH2

Step 3: Test WebSSH VIP

Fire up a browser and navigate to http://ip_address/ssh/host/127.0.0.1. You should be greeted with an HTTP basic authentication prompt. Enter the user name and password you would use for your SSH session (in this case, an account on the BIG-IP). In the URL “/ssh/host/ip”, the ip portion is the IP address (v4 or v6 supported) or hostname/FQDN of the SSH server/router you want to connect to.

Basic Auth Screenshot

Session Screenshot

Step 4: Assign clientssl profile and change the VLAN to whatever your client-facing VLAN should be.

  1. Navigate to Local Traffic > Virtual Servers > webssh_vs
  2. Modify the following settings in the virtual server (it may be helpful to have 2 virtual servers for this VIP, one for portal and one for testing):
  • Service Port: 443
  • SSL Profile (Client): clientssl
  • VLANs and Tunnel Traffic: Enabled On…VLANs and Tunnels:
    • This application should be protected by APM, using either an LTM+APM profile or a WebTop. If using an LTM+APM profile, you should choose your client-facing VLAN and be sure to have an existing LTM+APM profile assigned that is doing strong authentication.
    • If using this for WebTop, use the portal-connectivity VLAN to restrict access so that it is reachable only as an APM portal resource
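
A post-deployment check for Steps 3 and 4, added here as an example and not part of the WebSSH2 project: it requests the Step 3 test URL over both HTTP and HTTPS and flags a Basic authentication prompt that is still reachable in cleartext. The function names and the 192.0.2.10 address are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not WebSSH2 project code. Function names are illustrative.

# classify_response: read raw HTTP response headers on stdin and print
#   basic-challenge  401 carrying "WWW-Authenticate: Basic"
#   other-<status>   any other HTTP status
#   no-response      nothing parseable (connection refused, timeout)
classify_response() {
    awk '
        { sub(/\r$/, "") }
        # A new status line resets state, so the final response wins.
        /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { status = $2; basic = 0; next }
        tolower($0) ~ /^www-authenticate:[ \t]*basic/ { basic = 1 }
        END {
            if (status == "") print "no-response"
            else if (status == "401" && basic) print "basic-challenge"
            else print "other-" status
        }'
}

# verdict <scheme> <classification>: judge one result against Steps 3 and 4.
verdict() {
    case "$1:$2" in
        https:basic-challenge) echo "OK: login prompt is served over TLS" ;;
        http:basic-challenge)  echo "FAIL: login prompt served in cleartext; SSH credentials would be exposed on the wire" ;;
        http:no-response)      echo "OK: no cleartext listener answering" ;;
        *)                     echo "REVIEW: $1 returned $2" ;;
    esac
}

# probe <scheme> <vip>: request the Step 3 test URL and classify the headers.
# -k tolerates a certificate that does not validate during testing.
probe() {
    curl -s -k -o /dev/null -D - --max-time 5 \
        "$1://$2/ssh/host/127.0.0.1" 2>/dev/null | classify_response
}

# check_vip <vip>: run both probes, e.g. check_vip 192.0.2.10 (placeholder).
check_vip() {
    for scheme in http https; do
        verdict "$scheme" "$(probe "$scheme" "$1")"
    done
}
```

A REVIEW result over HTTPS means something other than the WebSSH2 prompt answered the request and should be inspected by hand.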