Configuring F5 BIG-IP Load Balancer for use with vSphere Platform Services Controller (PSC) 6.0 (2098006)

Purpose

The purpose of this article is to provide guidance on configuring an F5 BIG-IP Load Balancer with the intention of using it to provide vSphere 6.0 Platform Services Controller (PSC) High Availability.

This article was created using BIG-IP version 11.6. Some aspects may differ depending on the version of BIG-IP you are running.

Important:
If you have upgraded from SSO 5.5 HA using an F5 BIG-IP Load Balancer, portions of the configuration are already complete. Some configuration requirements changed with vSphere 6.0, so it is important that any existing settings are also reviewed.

Note:
VMware does not support the configuration or setup of the load balancer used to provide high availability within a vSphere environment. In the event that a non-certified load balancer is used, VMware reserves the right to not support the environment until a compatible load balancer is used.

Resolution

Prerequisites

The following information and files are prerequisites for configuring an F5 BIG-IP Load Balancer to provide vSphere 6.0 Platform Services Controller (PSC) High Availability.
 
  1. Ensure the required ports are open in the environment. For more information, see Required ports for vCenter Server 6.0 (2106283).
  2. Platform Services Controller SSL Certificates.
    In this article, use these directories as the location of the PSC SSL Certificates:
    Location of the PSC Certificates: C:\ha
    Location of the Root Certificate(s): C:\ha

  3. IP Address and FQDNs:
    First PSC Node (psc-node-1.domain.com, 192.168.2.11)
    Additional PSC Node (psc-node-2.domain.com, 192.168.2.12)
    PSC Virtual IP (psc-ha-vip.domain.com, 192.168.2.10)
    F5 BIG-IP Self IP (192.168.2.41)

    VMware has only tested the Self IP configured as follows:
    • The Self IP must be on the same subnet as the PSC node IP addresses.
    • The Self IP cannot be on the same subnet as the F5 Management IP.
    Other configurations may work; engage the load balancer vendor before using them.

Note: When configuring the load balancer, do not enable HTTP profiles on the virtual servers. The virtual servers pass PSC traffic through at the TCP layer (with TLS terminated and re-encrypted on port 443 only); an HTTP profile would make the BIG-IP parse and potentially rewrite the HTTP stream.

Uploading Certificates to the F5 BIG-IP

  1. Upload PSC Certificate and Key to the F5 (example uses lb.p12).
    1. Navigate to System > File Management > SSL Certificate List > Import.
    2. Under Import Type, select PKCS 12.
    3. For Certificate Name, select Create New and enter psc-ha-p12 as the name.
    4. For Certificate Source, select Upload File and browse to the lb.p12 file saved in C:\ha

      Note: The password for the lb.p12 file is changeme; the PSC HA configuration procedure creates the bundle with this password. The bundle contains the private key for the VIP certificate, so remove the copy in C:\ha once the import succeeds.

    5. Click Import. The lb.p12 is imported. 
    6. Confirm that the imported certificate psc-ha-p12 shows the Load Balancer FQDN (psc-ha-vip.domain.com) under Common Name.
Note: The p12 file is a package of the certificate, key and issuing certificate(s), issued by the VMCA during configuration of the PSCs for High Availability. For more information, see Configuring Windows PSC 6.0 High Availability for vSphere 6.0 (2113085) or Configuring PSC 6.0 High Availability for vSphere 6.0 using vCenter Server 6.0 Appliance (2113315). You can also upload the certificate, key and issuing certificate(s) manually if you are not using the VMCA to issue the certificates. In either case the certificate must be the one issued for the VIP FQDN, because the BIG-IP presents it to clients connecting to port 443.

Configure the F5 VLAN and Self IP

  1. Create a VLAN.
    1. Navigate to Network > VLAN > VLAN List > New VLAN (Create).
    2. Provide a Name internal.
    3. Under Resource > Interfaces, move Interface 1.1 to Untagged using the << button.
    4. Click Finished.

  2. Configure the Interface List.
    1. Navigate to Network > Interfaces > Interface List.
    2. Select 1.2 and 1.3 and then click Disable.

      Note: In this guide, we are only using one Interface. You may require more than one active Interface.

  3. Configure a Self-IP.
    1. Navigate to Network > Self-IP > New Self-IP.
    2. Provide a Name, internal.
    3. Enter the IP Address (192.168.2.41) and Netmask (255.255.255.0) for the Self-IP

      Note: The Self-IP cannot exist on the same subnet as the F5 Management IP.

    4. Under VLAN/Tunnel, select Internal.
    5. Under Port Lockdown, select Allow Default.

      Note: Allow Default opens the BIG-IP's default set of service ports on this Self IP. This is the setting VMware tested.
    6. Click Finished.

Create Load Balancer Pool Member Nodes

  1. Create Member Nodes.
    1. Navigate to Local Traffic > Nodes > Node List > Create.
    2. Provide a Name, psc-node-1.
    3. Provide the IP Address of psc-node-1 (192.168.2.11).
    4. Click Repeat.
    5. Provide a Name, psc-node-2.
    6. Provide the IP Address of psc-node-2 (192.168.2.12).
    7. Click Finished.
    8. Repeat the preceding steps for additional PSC Servers.

  2. Create a Default Monitor.
    1. Navigate to Local Traffic > Nodes > Default Monitor.
    2. Under Health Monitors, move TCP to Active using the << button.

      Note: If TCP does not exist, select ICMP. Both monitors check only reachability (a completed TCP handshake or an ICMP reply); neither verifies that the PSC services themselves are responding.

    Note: If you upgraded from SSO 5.5 HA using an F5 Load Balancer, the Load Balancer Pool Members are already defined. Some settings differ from the SSO 5.5 HA configuration, so verify them against the preceding steps.

Create Load Balancer Pools

Create pools for these ports: 443, 389, 636, 2012, 2014, 2020.
  1. Create PSC Pool for port 443.
    1. Navigate to Local Traffic > Pools > Pool List > Create.
    2. Provide a Name, PSC-Pool-443.
    3. Under Health Monitors, move tcp to Active using the << button.
    4. Under Load Balancing Method, select Round Robin.
    5. Under Priority Group Activation, select Less Than and enter the value 1 for Available Member(s).
    6. Under New Members, select Node List.
    7. Under Address, select psc-node-1
    8. Under Service Port, enter 443.
    9. Under Priority, enter the value 10.

      Note: The node with priority 10 takes higher priority and acts as your active node. With Priority Group Activation set to Less Than 1, the BIG-IP sends traffic to lower-priority members only when no member of the priority-10 group is available.

    10. Click Add.
    11. Under Address, select psc-node-2.
    12. Under Service Port, enter 443.
    13. Under Priority, enter a value 1

      Note: The node with priority 1 takes lower priority and acts as your passive node.

    14. Click Add.
    15. Click Finished.

  2. Repeat preceding steps for ports 389, 636, 2012, 2014, 2020.
Note:
  • If you upgraded from SSO 5.5 HA using an F5 Load Balancer, the Load Balancer Pool for the legacy port 7444 must remain until you upgrade all vCenter Server 5.x instances to 6.0.
  • If you are using a product such as vSphere Data Protection (VDP) that explicitly requires a connection to port 7444, you must also create a Pool for port 7444 in the same manner as the other pools, and a Virtual Server for port 7444 in the same manner as the Virtual Server for 443.

SSL Client/Server Profiles

  1. Create SSL Client Profile for PSC 443.
    1. Navigate to Local Traffic > Profiles > SSL > Client > Create.
    2. Provide a Name, psc-client.
    3. Select the Custom checkbox.
    4. Under Certificate, select the certificate psc-ha-p12.
    5. Under Key, select the key psc-ha-p12.
    6. Select Add.
    7. Click Finished.

  2. Create SSL Server Profile for PSC 443.
    1. Navigate to Local Traffic > Profiles > SSL > Server > Create.
    2. Provide a Name, psc-server.
    3. Select the Custom checkbox.
    4. Under Certificate, select the certificate psc-ha-p12.
    5. Under Key, select the key psc-ha-p12.
    6. Click Finished.

Create a Persistence Profile

  1. Create a Source Address Affinity Persistence Profile.
    1. Navigate to Local Traffic > Profiles > Persistence > Create.
    2. Provide a Name, vSphere6.
    3. Select Persistence Type, Source Address Affinity.
    4. Select the Custom checkbox.
    5. Enable Match across services.
    6. Specify the Timeout value to be at least 28800 (seconds, that is, 8 hours).

      Note: If this value is set too low, you receive 400 SAML errors in the vSphere Web Client after the timeout elapses. Resolve this by refreshing the browser.

    7. Click Finished.

Creating the Virtual Server IP (VIP)

Create Virtual Server IP (VIP) for the Ports: 443, 389, 636, 2012, 2014, 2020.
  1. Create VIP for PSC 443.
    1. Navigate to Local Traffic > Virtual Servers > Virtual Server List > Create.
    2. Provide a Name, PSC-VIP-443.
    3. Under Destination, input the Virtual IP (192.168.2.10) to be used for PSC (psc-ha-vip.domain.com).
    4. Under Service Port, enter a value of 443.
    5. Under SSL Profile (Client), move psc-client to the Selected Box using the << button.
    6. Under SSL Profile (Server), move psc-server to the Selected Box using the << button.
    7. Under Source Address Translation, select Auto Map.
    8. Under Default Pool, select PSC-Pool-443.
    9. Under Default Persistence Profile, select vSphere6.
    10. Click Finished.

      Note: With Auto Map, the BIG-IP rewrites the client source address to its Self IP (192.168.2.41) before forwarding to the PSC node, so PSC logs show the Self IP rather than the original client address.

  2. Create VIP for remaining ports 389, 636, 2012, 2014, 2020.

    Note: Only VIP 443 uses the SSL Profiles.

    1. Navigate to Local Traffic > Virtual Servers > Virtual Server List > Create.
    2. Provide a Name, PSC-VIP-389.
    3. Under Destination, input the Virtual IP (192.168.2.10) to be used for PSC (psc-ha-vip.domain.com).
    4. Under Service Port, enter a value of 389.
    5. Under Source Address Translation, select Auto Map.
    6. Under Default Pool, select PSC-Pool-389.
    7. Under Default Persistence Profile, select vSphere6.
    8. Click Finished.
    9. Repeat the preceding steps for the remaining ports (636, 2012, 2014, 2020), changing the Name, Service Port and Default Pool to match.

    Note: If you upgraded from SSO 5.5 HA using an F5 Load Balancer, the Virtual Server IP (VIP) for the legacy port 7444 must remain until you upgrade all vCenter Server 5.x instances to 6.0.
This concludes the sample configuration of an F5 BIG-IP Load Balancer for use with vSphere 6.0 Platform Services Controller High Availability.
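The following is an added example and is not part of this VMware article or of F5's product documentation. It shows the same configuration as the GUI procedure above, expressed as commands typed at the tmsh prompt of a BIG-IP 11.x system. It assumes that lb.p12 has been copied to /var/tmp on the BIG-IP (for example with scp), that the PKCS12 import creates the objects psc-ha-p12.crt and psc-ha-p12.key, and that the names and addresses are the ones used in this article. Check each command against the tmsh reference for your BIG-IP version before running it.

```tmsh
# Added example (not from the VMware article or the BIG-IP docs): tmsh
# equivalent of the GUI steps above, BIG-IP 11.x syntax.
# Assumed: lb.p12 is at /var/tmp/lb.p12 on the BIG-IP, and the PKCS12 import
# creates psc-ha-p12.crt and psc-ha-p12.key.

# 1. Import the VIP certificate, private key and issuing chain.
install sys crypto pkcs12 psc-ha-p12 from-local-file /var/tmp/lb.p12 passphrase changeme
# Confirm the subject is the VIP FQDN (CN=psc-ha-vip.domain.com).
list sys crypto cert psc-ha-p12.crt

# 2. VLAN and Self IP. The Self IP is in the PSC subnet, not the management subnet.
create net vlan internal interfaces add { 1.1 { untagged } }
modify net interface 1.2 disabled
modify net interface 1.3 disabled
create net self internal address 192.168.2.41/24 vlan internal allow-service default

# 3. Pool member nodes and the default node monitor.
create ltm node psc-node-1 address 192.168.2.11
create ltm node psc-node-2 address 192.168.2.12
modify ltm default-node-monitor rule tcp

# 4. One pool per port. "min-active-members 1" is Priority Group Activation:
#    Less Than 1. psc-node-1 (priority group 10) is active; psc-node-2
#    (priority group 1) receives traffic only when no priority-10 member is up.
create ltm pool PSC-Pool-443 monitor tcp load-balancing-mode round-robin min-active-members 1 members add { psc-node-1:443 { priority-group 10 } psc-node-2:443 { priority-group 1 } }
create ltm pool PSC-Pool-389 monitor tcp load-balancing-mode round-robin min-active-members 1 members add { psc-node-1:389 { priority-group 10 } psc-node-2:389 { priority-group 1 } }
create ltm pool PSC-Pool-636 monitor tcp load-balancing-mode round-robin min-active-members 1 members add { psc-node-1:636 { priority-group 10 } psc-node-2:636 { priority-group 1 } }
create ltm pool PSC-Pool-2012 monitor tcp load-balancing-mode round-robin min-active-members 1 members add { psc-node-1:2012 { priority-group 10 } psc-node-2:2012 { priority-group 1 } }
create ltm pool PSC-Pool-2014 monitor tcp load-balancing-mode round-robin min-active-members 1 members add { psc-node-1:2014 { priority-group 10 } psc-node-2:2014 { priority-group 1 } }
create ltm pool PSC-Pool-2020 monitor tcp load-balancing-mode round-robin min-active-members 1 members add { psc-node-1:2020 { priority-group 10 } psc-node-2:2020 { priority-group 1 } }

# 5. SSL profiles, used by the 443 virtual server only. The BIG-IP terminates
#    the client's TLS with the VIP certificate and opens a new TLS session to
#    the PSC node, which is why it holds the VIP private key.
#    (Newer versions express the pair as cert-key-chain { ... } instead.)
create ltm profile client-ssl psc-client defaults-from clientssl cert psc-ha-p12.crt key psc-ha-p12.key
create ltm profile server-ssl psc-server defaults-from serverssl cert psc-ha-p12.crt key psc-ha-p12.key

# 6. Source address persistence, 28800 s (8 h), matched across services so a
#    client reaches the same PSC node on every port.
create ltm persistence source-addr vSphere6 defaults-from source_addr match-across-services enabled timeout 28800

# 7. Virtual servers on the VIP. No http profile is attached to any of them.
#    Auto Map rewrites the client source address to the Self IP.
create ltm virtual PSC-VIP-443 destination 192.168.2.10:443 ip-protocol tcp profiles add { tcp { } psc-client { context clientside } psc-server { context serverside } } source-address-translation { type automap } pool PSC-Pool-443 persist replace-all-with { vSphere6 }
create ltm virtual PSC-VIP-389 destination 192.168.2.10:389 ip-protocol tcp profiles add { tcp { } } source-address-translation { type automap } pool PSC-Pool-389 persist replace-all-with { vSphere6 }
create ltm virtual PSC-VIP-636 destination 192.168.2.10:636 ip-protocol tcp profiles add { tcp { } } source-address-translation { type automap } pool PSC-Pool-636 persist replace-all-with { vSphere6 }
create ltm virtual PSC-VIP-2012 destination 192.168.2.10:2012 ip-protocol tcp profiles add { tcp { } } source-address-translation { type automap } pool PSC-Pool-2012 persist replace-all-with { vSphere6 }
create ltm virtual PSC-VIP-2014 destination 192.168.2.10:2014 ip-protocol tcp profiles add { tcp { } } source-address-translation { type automap } pool PSC-Pool-2014 persist replace-all-with { vSphere6 }
create ltm virtual PSC-VIP-2020 destination 192.168.2.10:2020 ip-protocol tcp profiles add { tcp { } } source-address-translation { type automap } pool PSC-Pool-2020 persist replace-all-with { vSphere6 }

# 8. Check the result and save it. psc-node-1:443 should be the member in use
#    and PSC-VIP-443 should report available (enabled); the profile list for
#    PSC-VIP-443 should show tcp, psc-client and psc-server and nothing else.
show ltm pool PSC-Pool-443 members
show ltm virtual PSC-VIP-443
list ltm virtual PSC-VIP-443 profiles
save sys config
```

If the upgrade notes above apply to you, create the legacy port 7444 pool and virtual server the same way as 443, including both SSL profiles. To verify from a client, connect to psc-ha-vip.domain.com on port 443 with an SSL client (for example openssl s_client) and confirm that the certificate presented has the VIP FQDN as its subject; on the PSC nodes, the connection arrives from the Self IP 192.168.2.41 because of Auto Map.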

Additional Information

For additional information, see the Appendix of the vCenter Server 6.0 Deployment Guide.
