Not having a default monitor to turn to in this situation and having only tinkered with external monitors before, I began searching around for a way to setup an external monitor that could log on to the SharePoint sites to perform the health check.  Naturally I turned to DevCentral and did a little digging around on the forums.   That is where I found a wonderful post by stp1978 that laid out the basics of what I needed to do.

I will try to write this post in a way that will explain to someone who has never setup an external monitor how to set one up and who knows there may be someone out there who is looking for a way to monitor a SharePoint 2010 web site that uses NTLM.

The basic installation steps are:

1.  Prepare the script that will run.
2.  Create a service account so the BIG-IP can log on to the SharePoint Farm.  This will be used by the monitor to log into the various websites.
2.  Copy the script over to your BIG-IP and change the permissions so that it can be executed 0777.
3.  Log on to the BIG-IP GUI and create the external monitor.
4.  Apply the monitor to the pool.

If you are running a highly available pair in a sync group, it is ok to do this on the active unit and when you are done run a config sync.  This will copy the monitor and script over to the standby unit and you will be good to go if you have a failover event.  You don’t have to manually copy this over to the other unit.

The script (code supplied by stp1978)

#!/bin/sh
# This removes the IPv6/IPv4 compatibility prefix.  This has to be done because the LTM passes addresses in IPv6 format.
IP=`echo ${1} | sed 's/::ffff://'`
IP=${1}
PORT=${2}
PIDFILE="/var/run/`basename ${0}`.${IP}_${PORT}.pid"
# This will kill off the last instance of this monitor if it is hung and logs current PID
if [ -f $PIDFILE ]
then
kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
echo "$$" > $PIDFILE
# This is the meat of the code, it is responsible for sending the request & checking for the expected response.
curl -fNs --ntlm -k -v --user 'YourUsername@YourDomain.com:YourPassword' http://${IP}:${PORT}/_layouts/RecycleBin.aspx -H "Host: YourWebsite.com" | grep -i "deleted" 2>&1 > /dev/null
# This part of the code will mark the node UP if the expected response was received.
if [ $? -eq 0 ]
then
echo "UP"
fi
rm -f $PIDFILE
exit

The code above is commented very well and explains what each step does so I will not reiterate it here.  The parts that you will have to modify are of course your username, password and domain.  I created a service account in the domain and I use it to log onto the site with.  That way you don’t have to worry about the password expiring and you can limit your security risk by giving the service account only enough access to be able to get to the recycle bin on the SharePoint 2010 site in question.

You will also need to modify the URL string and the text that the BIG-IP searches for when it logs in and opens the page.  I thought it would be good to search for something simple and something that will likely never change.  In SharePoint 2010, your safest bet is probably to utilize the RecycleBin.aspx and search for the word “deleted”.  The way I see it this is the safest thing to check for.  This way it doesn’t matter what content gets changed or deleted on the site by the users, they can’t accidentally delete the recycle bin!

A small suggestion at this point… I HIGHLY recommend that you use something like Textpad to edit the file.  Using wordpad can have unintended consequences and may even mess the file up so much that the monitor will not work correctly.  Also be sure not to include a file extension on the end as it does not need one to work properly.

Using a program like WINSCP, copy the script over to the BIG-IP into the /usr/bin/monitors folder.  Then right click the file you just copied over and click properties.  Edit the permissions on the file to allow root to execute the file.  I just set the permissions on the file to 0777 as seen in the screenshot below.

Then log on to the BIG-IP GUI and create a new monitor.  Click create new monitor, select external monitor from the drop down menu, give it a name and then in the “External Program” field type the name of the file you copied over.  You don’t need to include the directory or a file extension, just the name.  Adjust the timing settings to your preferred time settings, I use 10/32 as seen in the screen shot below:

Then go and apply the monitor to your pool.  That’s it!  Now you have a fully functional external monitor that can check the health of your NTLM SharePoint 2010 web sites.

Thanks again to stp1978 for his hard work on this and for putting it out there in the community for others to utilize.

TMOS is gaining a wealth of new functionality with each release and word of what you can achieve through using iRules is spreading even to those unfamiliar with the BIG-IP product line.  I have personally seen this discussion pop up more than once and we even grappled with it at the MVP Summit in Chicago. 

I can’t help but reflect back on the book “The Art of War” by Sun Tzu when thinking about this subject.  During the summit I realized that we were pretty much attempting to do the same thing that Sun Tzu did.  To come up with tactics and lay out truths that could be relied upon to come to a logical decision about how to proceed.

With Sun Tzu, his end goal was to win the battle or war that he was fighting.  He wrote roughly 80 pages of tactics and guidelines for fighting war.  I think the same thing could be done simply to answer the question to use an iRule or to not.  The problem is that for those of us in the F5 community, is that generally speaking, we all have our own goals.

That makes setting guidelines to follow a little harder unless you first define two very important aspects.  I think the first question you should ask yourself is what is your role in your organization?  Secondly, what is the role of the F5 BIG-IP device(s) in your organization?

Something that I know without a doubt is that we all fill different roles in our respective companies and so do our BIG-IP devices.  There is no one size fits all answer to this unfortunately.  For those of you who are new to working the BIG-IP product line and those of you who have yet to set any real company policies regarding your use of iRules I have one small word of advice.  I urge you to sit down with your boss and talk about what you stance will be regarding iRules moving forward.  If you ARE the boss then I suggest thinking about this matter in depth and reflect not just on how it effects you but also your team.  I have no doubt that doing this in advance will save you a lot of trouble.

What are the topics you should think about?  What are all the possible gotchas that might come up?  It is again different for us all.  After having pondered this question myself, here are a few things I think one should keep in mind and discuss with their peers/boss:

1.  K.I.S.S. – That’s right, keep it simple stupid.  It’s a best practice that we should all follow.  The question though is this, will using an iRule make something simpler for you or more complex?  If it makes something simple it’s a no-brainer right?  It it makes things more complex?  Where do you draw the line?

2.  If you do use an iRule and you decide to do some complex logic in it, are you legally required to keep track of that code in an application code repository?  Different regulatory items will obviously apply depending on the nature of your business.  I know that in a lot of places that if one were to write complex iRules that changed the data that a customer see’s, then they would most certainly have to keep track of that.  Sometimes though, it is not external regulatory compliance but INTERNAL regulatory compliance that you have to think about.

3.  Who will support it?  If you write a really complex iRule who will support it in the future?  Are you prepared to redo an iRule at two o’clock in the morning because of a production update that a developer pushed out changed the code that your iRule relies upon?

4.  Let’s say that an opportunity to use an iRule has already presented itself.  Is it more cost productive for the business for the iRule writer to craft an iRule to fix the problem or to have the application programmers fix the problem in the code?

5.  What about your physical environment variables?  Can you implement this new iRule code without slowing down everyone else’s application traffic (provided you delivering multiple apps through it of course)?

6.  Perhaps it will come down to your boss looking at you and saying, “How comfortable are you writing an iRule to try to do this?”.  If that is the case and you are uncertain, then by all means head on over to the DevCentral forums and create a post about it!  You would be AMAZED at the things that people have done with iRules and AMAZED at how simple some of those things are to pull off!  iRules, it slices, it dices, it… well you get the idea.  Use the community to bounce ideas around because it can definitely help make that decision much easier for you to make.

7.  What approach should you take in general to iRule or not to iRule?  Should you take the look before you leap approach, always say yes or always say no?  I am sure that most will pick the look before you leap approach just to make certain they can do what they need to do using an iRule programmatically, that they can do it efficiently and that doing so meets their other preset criteria.  It also may be that your role in the company and the role of your F5 BIG-IP device is strictly that of a networking device and iRules are not to be used or developed.  If that is the case, I would urge you to reconsider that stance and at least consider using some of the simpler iRules… please see comment #6 above.

I am sure there are a million more questions you can think of to ask that might be relevant to your current working conditions, this post is by no means a definitive guide.  Please feel free to add a comment to this post regarding things that may have helped you and your organization define your policy towards using or not using iRules.  I really would love to hear them.

It is wise to remember what Sun Tzu said of laying plans, “The general who wins a battle makes many calculations in his temple before the battle is fought.  The general who loses a battle makes but few calculations beforehand.  Thus do many calculations lead to victory, and few calculations to defeat; how much more no calculation at all.”

I have had the pleasure and honor of attending the DevCentral MVP Summit that was held in Chicago over the last few days and I am just blown away at how awesome it was.  Even the picture on the right doesn’t do it justice!

Whew!

The folks over at F5 Networks did an amazing job of putting together an outstanding series of events and the DevCentral folks put together one heck of a summit for all of us MVP’s.  I had such an outstanding time I want to extend my thanks to all of you involved and to all of my fellow MVP members.

Now to break things down a bit.  After flying up via American Airlines from Fort Worth to Chicago, I was finally able to locate my ride to the Chicago Swissotel.  We had a very pleasant conversation on the way to the hotel, the driver having previously driven Nelson Mandella around Chicago.  So we talked about that some and we talked about the downsides to film making, as they were currently shooting scenes for the movie “Transformers 3″ on the route that we needed to use to quickly get to the hotel!  I believe one MVP member saw Optimus Prime going down the road at one point and Colin mentioned looking out of his cab and seeing a guy with a high powered rifle crouching by some shrubbery!  I am sure the first was Transformers 3 related, the other well… we will assume it was to.

Upon arriving at the hotel I was really amazed at how nice the place was.  It was easily the nicest hotel I have ever stayed at and the veiw from my room was incredible.  I didn’t get any pictures of the room, but I did take several pictures of the surrounding buildings and landscape.  I will try to get a few of those uploaded sometime soon for everyone to check out.

The next morning we kicked off the MVP Summit close to 8:00 A.M., even though it was scheduled to begin at 8:30 A.M.  We were all pretty eager and excited and no one minded one bit.  We then proceeded to have deep dive technical conversations with all sorts of people.  We covered everything from the guts of the physical hardware, to the guts of the software responsible for squeezing every ounce of performance out of those units.  I can tell you without a doubt that F5 Networks is commited to delivering the best product that can be delivered on the market today.

We weren’t given sales presentations or anything remotely close to that.  We were given introductions to the very people responsible for doing the motherboard and chip designs, the folks responsible for creating new attack signatures for the ASM module and even the folks responsible for programming TMOS!  They came in, gave us intro’s to who they are, what they do and then it was an open floor to discuss EVERYTHING we and they could think of.  Can you imagine having unfettered access to tweak the brains of the folks creating the technology that you interact with daily?  To say it was exciting, fun and technical would be a severe understatement.  What really stood out beyond the all of this to me though was the fact that these very people were intensly interested in our feedback on their ideas.  I don’t know how many times we would break up into small side conversations where we could take turns extracting tidbits of information from one another.

Yes, there is more (like the fun little contests we had in between each major discussion) but most of it is covered by a NDA agreement so I can’t spill the beans about it.  It’s safe to say F5 Networks has a good future ahead of it and not just because of the plans they have already laid.  I walked away from the MVP Summit that evening feeling much more knowledgable and I have no doubt that several of the F5 folks walked away feeling the same way and making plans in their minds to tweak things based on things we discovered in our talks.

Then as it turns out, they had more surprises in store for us that evening!  We scored some awesome loot earlier at the MVP Summit, thanks again guys for the gear it is all fantastic (and will be featured in another post!).  So after we carried our loot upstairs we all walked over to a local pizza place and into a nice area that F5 Networks had reserved for us all to grab an adult beverage and chow down on some authentic Chicago style deep dish pizza!  The food was great and so were the conversations.  I am certain a good time was had by all.

The next day was just as great.  We were provided access to customer sessions, I met all kinds of people from F5 Networks and I even got a few compliments on my cowboy hat!  Hehehe… Each of the MVP’s also had a chance to do an interview and George from F5 Networks was kind enough to interview me.  You can check that out here:  http://devcentral.f5.com/weblogs/dctv/archive/2010/08/04/f5-customer-summit-ndash-nathan-abbott.aspx

The customer sessions “Meeting Users’ Needs”, “Managing Scale and Growth” and “Security and Control” were all very good that afternoon.  I can’t say that I saw them all, but I did hear from others that they were generally quite exceptional.  I bounced around a lot that afternoon talking with different people so I did miss out on some workshop goodness I guess, but I just couldn’t help myself.  Later that evening we where all jumped on a bus, a few busses actually, and went to The Field Museum Chicago.  F5 Networks reserved the whole museum so we had free run of the place!  I really enjoyed walking around talking about BIG-IP stuff, looking at mummies and Sue the T-Rex!

Two interesting facts I picked up at the museum, Sue’s head is actually on display on the second level of the building because it was just to heavy to mount with the rest of the skeleton.  Her head alone weighs over 600 pounds!  Second, they are still using Mac OS 9 on some of the interactive kiosks in the museum and I will leave it at that….

To cap the evening and the whole experience off, F5 Networks brought in reknown blues guitarist and singer Robert Cray.  I am not really into music, I do enjoy some classical and country music on occasion, but Robert Crays performance was outstanding.  We happen to be coming out of one of the exhibits as his keyboardist was just shredding it and it was great getting to see him tear it up.  The band was into it, the crowd was into it and it just made for a great time all around.

The last day finished up with a great general session for all.

That pretty much sums up my experience there at the DevCentral MVP Summit.  I do want to mention that on the plane ride home I happened to end up sitting by very nice fella that is a Product Manager for Alcatel-Lucent.  I apologize for not remembering your name, but I remember you said you would check out my blog and I wanted to tell you thank you for the great conversation!

It was mentioned at a few different points during the summit that we will hopefully get to perhaps hold another summit sometime in the future.  I certainly hope that I am lucky enough to be chosen to participate when the time comes.  Again, to all of you folks there at F5 Networks, the DevCentral Team and my fellow MVP’s, Thank You. My hat is off to you for making this such a grand MVP Summit!

For those of you wanting to view more pictures please feel free to go over to my Mobile Me gallery for more: http://gallery.me.com/nathanabbott/100130

One way to do this is called transparent header modification. How it works is a user will enter a URL in their browser such as “www.mycompany.com/bus/”, the request will come in to your BIG-IP and the information sent to your web servers can be redirected or rewritten to whatever you like. Here is an example:


when HTTP_REQUEST {
switch -glob [string tolower [HTTP::uri] ] {
"/bus/*" {
HTTP::uri "/greyhound/bus"
}
}
}


Using the iRule above, this is what happens to your incoming HTTP request. The request comes in and the URI is converted to lower case and then inspected to see if it begins with “/bus/”. The asterisk indicates a wildcard, so anything could come after “/bus/”. If it does begin with “/bus/” then the URI will be transparently modified or changed to “/greyhound/bus”. The clients browser will not be updated, but the URI that the BIG-IP passes on to the server will be “/greyhound/bus”. Basically it turns a request for this “www.mycompany.com/bus/myrequest” INTO “www.mycompany.com/greyhound/bus” Pretty cool huh?

Now lets say you want to do something a little more exotic. Lets use the iRule from above in a different way.


when HTTP_REQUEST {
set uri [HTTP::uri]
switch -glob [string tolower [HTTP::uri] ] {
"/bus/*" {
HTTP::uri "/greyhound/searchBus.do?stationName=[string range $uri 5 end]"
}
}
}


What is this one doing? Let say an HTTP request comes in for “www.mycompany.com/bus/texas”. Using the iRule above the web server would actually receive a request for “www.mycompany.com/greyhound/searchBus.do?stationName=texas”. The clients browser would still read “www.mycompany.com/bus/texas”. Like I said powerful and flexible.

If you are interested in more content regarding transparent header modifications a.k.a. redirecting users without changing their URL, then I recommend reading this article by Joe Pruitt on the DevCentral website http://devcentral.f5.com/weblogs/Joe/archive/2005/07/27/ModifyingUriWithoutRedirect.aspx

Setting Up BIG-IP and Live Meeting Portal Server

Prerequisites:

Please consult the Live Meeting Portal Server documentation and ensure that your servers meet all the perquisites before installation. All the examples in this guide are setup so that you will end up with a website at this URL: https://livemeeting.mycompany.com/lmportal. Please feel free to substitute your company’s name for “mycompany”.

IIS Setup:
1. Download the latest version of Office Live Meeting Service Portal. As of 4/20/2010 that can be found here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=429bb528-fd1b-45b7-af2b-cbbf4a8e65ff&displaylang=en

2. Create a basic website in IIS and name it Live Meeting. This empty shell of a website will be used by the Live Meeting installer and will basically be taken over by it after you run through the installation.

3. Create a folder named “Livemeeting” in the directory of your choice. In this example we will use ”E:\web\content\”

4. Double click the lmportal.exe to begin the installation and choose custom when the option appears. Then select the directory you created above so the files will be placed in your normal custom web content location.

5. Remote Desktop (RDP) to the web server and open IIS. DO NOT USE THE IIS CONSOLE ON YOUR LOCAL MACHINE as you will not have access to everything that you need.

6. The screenshots below will help guide you through the configuration of the web site in IIS. Things that do need to be changed:
a. Add 443 to the SSL port and select the unique IP address for the site to use. We will be terminating SSL on the F5 BIG-IP and then re-encrypting before sending it back on to the server.

b. Allow Scripts and Executables under execute permissions. Verify application pool is set to Live Meeting Intranet Portal AppPool.

c. Verify that ASP.NET is set to version 1.1.4.322.

d. Under Directory Security, click Edit and make sure there is a check mark on the “Enable anonymous access” and “Integrated Windows authentication” box.

e. Go to the application pool, right click and go to properties. Click the Health tab and uncheck “Enable Rapid-Fail protection”. Not including a screenshot of this one.

7. Navigate to “E:\web\content\Livemeeting\Portal” on the server. Then find the file named “Portal.config”, right-click it and click the Security tab. Click Add and then add the “Network Service” user account and give it full control. You have to do this or you cannot modify the configuration settings from the GUI.

8. Do the same thing listed in step 7 for the “PortalExport” folder located in the directory you should currently be in: “E:\web\content\Livemeeting\Portal”

9. Now you have to import the SSL certificate that you are going to use into IIS website that you just set up. You will need to obtain the .crt file for the SSL certificate and the .key file for that certificate. We terminate our SSL on the BIG-IP so these can both be obtained from there. I will skip the steps regarding purchasing an SSL certificate for a site if you do not already have one. It kind of falls outside the scope of this guide.

10. Use a search engine and search for OpenSSL. You should find their homepage at: http://www.openssl.org/

11. Download OpenSSL and install it on your Local machine. I don’t recommend installing it on the server for a wide variety of reasons. I installed my copy of OpenSSL into “C:\OpenSSL”.

12. Take the .key file and the .crt file and put them into OpenSSL’s “bin” directory. It’s just a folder inside of your OpenSSL folder called bin.

13. Open a command line and change directory over to C:\OpenSSL\bin. The example I am going to provide is for a fictitious company named “MyCompany” that is using a wildcard ssl certificate on a few of their websites.

14. Then type in the following command:

This all needs to be on one line. Spaces are ok, but no carriage returns or anything like that. This command is modeled after this example for future reference:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

certificate.pfx = the name of the new pfx file you want to create
privateKey.key = the private key you got off of the F5 BIG-IP
certificate.crt = the crt file that you got off the F5 BIG-IP
CACert.crt = the crt file that you got off the F5 BIG-IP

15. After you type the command and hit enter, you will be prompted for a password. You can use any password that you like but you will need to remember it because IIS asks you for the same password when you go to import it.

16. OpenSSL will compile a new .pfx file for you in the C:/OpenSSL/bin directory. Take that SSL certificate and copy it over to your web server.

17. RDP over to the server and open IIS. Again here is the disclaimer, DO NOT USE THE IIS CONSOLE ON YOUR LOCAL MACHINE. Right-click on the Live Meeting web site that you created and click on the Directory Security tab. Under “Secure Communications”, click the “Server Certificate…” button.

18. Click Next and then click the “Import a certificate from a .pfx file” radio button and click next. Browse to the .pfx file that you uploaded to the web server. Click next and enter your password information that you used when you created the certificate. Then finish clicking through the wizard. Then restart IIS on the server and delete the certificate off of your local machine. This completes the IIS setup. Now move on to the Live Meeting Portal setup.
Live Meeting Portal Setup

19. Navigate to the URL:

https://livemeeting.mycompany.com/LMPortal/settings.aspx

Where livemeeting.mycompany.com is the name of the website you setup. The screen will look like the one shown on the next page. This is the Settings-Portal Configuration page. You will want to use the following settings which are also pictured in the screenshot on the next page.

Conference Center URL = https://www.livemeeting.com/cc/mycompany
Conference Center Administrator
User Id =
Password =
Email address for escalation =
Enabled Portal Services = Check the Account Create, Account Login, Account Update and Web Method Calls
Ticket Timeout = 300 Seconds
Directory Service Parameters = AccountNamePolicy=LogonUsername

20. Then click Save. If you receive an error at this point, refer back to step #7.

21. Click on the Roles link on the left side of the page. This will take you to the Roles-Portal Configuration page. Under “Live Meeting Administrators” add the users who will be the Live Meeting Administrators. Use domain\name format. IE: mydomain\username
22. Then under the “Live Meeting Organizers” settings I recommend adding the “Domain Users” from the varies domains on your network. So if you have three domains on you network named ABC, 123 and XYZ you would list ABC\Domain Users, 123\Domain Users and XYZ\Domain Users.

23. Then click the “Export Configurations Settings” link on the left hand side of the page. This is not really labeled right because what it actually does is back up your configuration. If you mess something up in the running configuration, simply click on the “Import Configuration Settings” to restore the last configuration that you exported.

24. Then click on the “Events” link on the left side of the page. Change the log file directory to a directory that you want to have all the logs written into. In this example I chose the E: drive of the server I was working on. Whether you create a new one or use an existing one you must make sure that the “Network Service” account has permissions on that folder to Read, Write and Modify. Otherwise you will receive a nasty .NET error when you go to save the changes you just made. Click Save.

Live Meeting Portal Server BIG-IP LTM Setup

The BIG-IP LTM set up for this can be very easy to configure. You will need to create nodes for each of your web servers, assign them to a pool named “Live_Meeting_Pool” and then create a Virtual Server for the application. I named my virtual server “Live Meeting” in the example pictured below. You may need to customize it to match your environment, but the basic settings are:

Service Port: 443
Type: Standard
Protocol: TCP
Protocol Profile (Client): tcp
HTTP Profile: http
SSL Profile (Client): wildcard
SSL Profile (Server): serverssl

I also assigned the Live_Meeting_Pool to the Virtual Server, set the Default Persistence Profile to “Cookie” and Fallback Persistence Profile to “source_addr”.

Like a lot folks around the country I pre-ordered a 32 GIG iPad a few weeks ago and have been waiting eagerly to check out the new device.  I already have two Apple branded products in the house, so it was easy for me to drink the Kool-Aid and purchase another .

However, I was very disappointed with Apple on the day that I finally received my iPad.  I had updated my MacBook the night before and ensured it was ready to go, only to have my hard drive crash moments before I was able to sync up my new iPad!  There I was sitting in my cubicle at work shaking my fists in the air and screaming “NOooooo!!!!” In my mind anyways…

Well all was not lost and I do mean that literally.  I had my data backed up, but I did have to send the MacBook in for repair.  Thankfully I was still covered under my Apple Care plan.  As it turns out, I also received a new logic board, heat pipe assembly and top case replacement.  Evidently the now three year old MacBook had more wrong with it than I had guessed.

I decided it would be fun to post the User Agent String for the iPad and to list a few of the apps that I have enjoyed using so far.  I aimed the iPad over to a BIG-IP 6400 with an iRule that logs out the User Agent String and this is what was returned:


Mozilla/5.0 iPad U CPU OS 3_2 like Mac OS X en-us AppleWebKit/531.21.10 KHTML, like Gecko Version/4.0.4 Mobile/7B367 Safari/531.21.10

At least it mentions “iPad” in the User Agent String! This will make it a bit easier for traffic direction via an iRule if your company has a site that hosts content specifically for the iPad.

I have had the opportunity to check out a lot of different applications and games as well.  Some of my favorite applications so far are:

Plants Vs. Zombies HD – Addictive game
Fieldrunners – Nice tower defense game
Netflix – Great for streaming movies
Fargoal – Old School Dungeon Crawler
AirVideo – Great for streaming movies “Backed Up” on my Mac
TouchTerm – Decent for SSH
WinAdmin – Great app for Windows RDP functionality
MochaVNC – Decent app for Mac RDP functionality
Dragon Dictation – I was surprised by this one.
GoodReader – Hands down one of my favorite apps. I was able to pull down a lot of F5 BIG-IP manuals using this app!
The Weather Channel – You have to know what it is doing outside after all.
Citrix Receiver – Proven to be great for connecting to the Citrix Farm at work.
Backgrounds – A nice app to grab new backgrounds for your iPad.

Before I came to the class I could build a security policy and assign it to a website and do some minor tweaking.  Now I can say with confidence that I can build a web application security policy that is PCI compliant and has a solid foundation.

One of the main ingredients for a successful training session/class is you really need an excellent instructor.  If the instructor doesn’t know his stuff or doesn’t really enjoy the subject matter it can have a negative and direct impact on the course.  The class I took was lead by a gentlemen named Keith Bowers who has worked for f5 Networks for 10+ years.  Granted, I could be wrong about number of years, but I think I am close.  I can say for certain thought that Mr. Bowers knows the material and he seemed to really enjoy teaching the class.

This wasn’t the kind of class where you go and read along with the teacher word by word out of the book.  Keith gave very concise and well thought out lectures regarding each subject that we touched on.  I say concise because he said everything that he needed to in order for you to comprehend the material and to be able to apply in a real world situation.  Then he would provide guidelines for the hands-on portion of the lab for that section and turn us loose on the BIG-IP box that each student gets to all to his or her self.  When a student had trouble getting through a lab he would sit beside them, provide information on things to look for and provide clarification on things until the student got through the lab.  He was really good about teaching you to fish rather than just giving you an answer out of the teachers edition of the manual

So what kind of goodness can one expect to learn at an ASM 10.x course?  Here is a brief list of the things that we covered:

Installation
Web Application Concepts
Web Application Vulnerabilities (with instructions on how to perform a few basic hacks)
ASM Application Configuration
Security Policy Building
Creating Custom Attack Signatures
Reporting
Traffic Learning
Protecting XML and Web Services
And more…

On the second day that I was there I also had the chance to meet up with a few members of the DevCentral Core Team!  I was able to bounce out of class a little early so Joe met me outside the training room and proceeded to give me a tour of the place.  At one point I tried to slip a VIPRION into my cowboy hat and almost made off with it but the 30+ blue ethernet cables sticking out from underneath my hat gave me away.  Alas, I had to put it back.  <Sigh>  Seeing that I was upset though Colin, Jeff and Joe provided me sneak peak of their latest TOP SECRET project to get my spirits up.  After the tour that I was given, my spirits were definitely lifted!  I wish I could tell, I wish I could tell…. but I can’t.  It was awesome though.

We then proceeded down to Buckley’s Pub for some lunch and along the way we went over a little bit of history, talked about things that a tourist like me should do when visiting Seattle, etc…  Jeff kindly wrote up a blog article about it and even included a picture that he took of Colin, Joe and I at the pub.  You can check it out here:

http://devcentral.f5.com/weblogs/JeffB/archive/2010/04/01/1088132.aspx

I can’t provide all the details of what we talked about, I was having to good of a time to remember them all.  I know we talked about Bear Grylls (Man vs. Wild), Mac keyboard shortcuts and the MVP Summit… How those are all interconnected I will leave up to you to ponder… Hehehehe… seriously, thanks for a great time fellas.  And also thanks for what you do every day.

Well, if you have made it this far into my blog post you deserve a treat!  Below is a snippet of some videos that I took on April 1st during the training class, some footage from the TOP SECRET stuff they showed me and some footage from the pub!  I had to try out my f5 Networks MVP branded FlipMINO after all!  Sorry if it is a little choppy in a place or two, I had to compress it before I uploaded it to YouTube.

Camera In Cowboy Hat Video

Now that the naming of the entry has been completed, on to the main topic!  I received said box from FedEX this last Friday from f5 Networks and I felt compelled to write a blog post about it and include some pics for your viewing enjoyment.

I can’t tell you how much I have already enjoyed being a member of the f5 Networks MVP program.  It has been awesome from day one and I look forward to contributing more to the community now that f5 Networks has so graciously supplied all of us f5 MVP’s with the tools to do just that.  Thank you for the great gear and thank you for supporting the community like you do!

Here is a list of what was in “The Box of Awesomeness”:

A SanDisk 16 GB USB Flash Drive
A Logitech QuickCam Deluxe for Notebooks for Business
A Logitech ClearChat Pro USB High Performance Audio Headset
A Blue Polo Shirt with f5 Networks logo on the chest
AND
A flip MinoHD Camcorder with a custom f5 Networks MVP skin!

Both of the previously mentioned deployment guides discuss editing files on the Citrix farms Web Interface servers so that it looks for the client IP address in the X-Forwarded-For HTTP header.  Otherwise, every connection will appear to be originating from the BIG-IP LTM and not from its true IP.  After reading both guides and looking at my current environment I was dismayed to find that the files and locations mentioned were no longer valid.  I then turned to my top three resources on the web in the search for an answer: AskF5, DevCentral and Google.

I struck out on the first two (which seldom happens) but my Google search did turn up some interesting results on the Citrix Forums.  I finally found some code posted by Sam Jacobs back in August 2009 that modifies the way the Citrix farm looks up the client IP address.  His method allows for the use of the X-Forwarded-For header.

The first file that you will want to find and edit is the Include.java file.  You will want to locate and change this file on every Web Interface XenApp server in the farm.  Speaking from experience, save a copy of the original file to a safe location such as your desktop or flash drive.  DO NOT copy the file and rename the original to Include.old and leave it on the server.  It may sound crazy, but doing that will not work.  I’m not a programmer, so I cannot tell you why that will not work, but I can tell you I know for a fact it will not.  That being said, here is the file path for the Include.java file:

“\Inetpub\wwwroot\Citrix\XenApp\app_code\PagesJava\com\citrix\wi\pageutils\Include.java”

Now that you have found the file, open it up with a text editor (I use Textpad) and find the Java routine named “getClientAddress”.  Replace the code for that routine with the code listed below.

public static String getClientAddress(WIContext wiContext) {
String ageClientAddress = AGEUtilities.getAGEClientIPAddress(wiContext);
String userIPAddress = wiContext.getWebAbstraction().getRequestHeader("X-FORWARDED-FOR");
if (userIPAddress == null) {
userIPAddress = wiContext.getWebAbstraction().getUserHostAddress();
}
return (ageClientAddress != null ? ageClientAddress : userIPAddress);
}

Save the file and wash/rinse/repeat this step on every Web Interface server in the farm.  The next thing that you will want to do is to modify the login page so that it displays the client IP address being obtained from the X-Forwarded-For header.  The file you will want to edit is called “loginView.ascx” and can be found in the following file path on your Web Interface Servers:

”\inetpub\wwwroot\Citrix\XenApp\app_data\include\loginView.ascx”

The code you will want to add is:

Client IP: <%= com.citrix.wi.pageutils.Include.getClientAddress(wiContext) %>

I added the code directly below the LoginPageControl viewControl line and it works well for me.  Save the file and repeat this step on every Web Interface server in the farm and reboot each Web Interface Server after you are done.  Then it is time for the moment of truth… fire up your browser of choice and navigate to the Citrix login page.  If you have successfully set everything up and have finished following the rest of the deployment guide you should see a screen similar to the one below:

If you receive an error message or the screen doesn’t load, then you might want to go back and check your settings again.  Then that’s it!  I am aiming to develop some custom monitors for the Web Interface Server and for the XML Broker Servers over the next few weeks.  Once I have those done I will put them out in the Devcentral forums for the community enjoy.

I am very happy to mention that the kind folks over at F5 Networks allowed me to submit this as a Tech Tip article which you can find on their site at:

http://devcentral.f5.com/Default.aspx?tabid=63&articleType=ArticleView&articleId=1082335

No problem, I identified all of the expired certificates, checked the box beside them and hit the delete button at the bottom of the page.  After verifying everything was still happy and the support tickets didn’t start flooding my inbox I decided to run a config sync and push the config changes over to the standby box.

The config sync ran without a problem and the gui showed Config Sync: OK.  I then proceeded to check my changes on the standby unit, just for verification purposes.  And that ladies and gentlemen, is when the fun began….

As I was verifying the changes I noticed something I thought was rather strange.  The old SSL certificates that I deleted on the Active unit, were still there in the Standby units SSL Certificate store!  My first thought, oops, my Trusted Device Certificates must be out of whack.  I then proceeded to delete the trusted device certs and ran the “big_ip add” command from the CLI on each unit.  I checked my trusted device certificates and like magic there they were.  I ran another Config Sync thinking that probably fixed the problem, but wait… no such luck.

The Config Sync ran and didn’t kick out any errors, but the old SSL certificates were still in there in all their expired glory.  Frustrated and humbled once again, I decided to run a quick test by deleting a VS on the Active Unit to see if it would be removed once I ran a Config Sync.  I blew away the VIP I use for testing and ran the Config Sync again.  The VS was deleted off of the Standby Unit.  Not knowing off the top of my head what to do next, I then proceeded to open a ticket with my good friends over at F5 Networks.  I didn’t have a lot of faith in my running configuration at the time so I went ahead and opened the ticket as a level 2 ticket (site at risk).

I quickly received a phone call from a Network Support Engineer named Kevin “CB” Midkiff.  We went through the standard procedure of qkview files and few other tests.  After going over the problem Mr. Midkiff proceeded to explain to me that while the SSL Certificates store is indeed carried over when you run a Config Sync IT DOES NOT DELETE SSL Certificates on the unit that you push the config to.  In my case it was the Standby Unit.  The Config Sync function only appends SSL Certificates.

Moral to the story?  If you are double checking your configurations and happen to see some lingering SSL certificates don’t worry, just select them and let the delete button work its magic on them.  Also as an FYI, “CB” was great to work with and very knowledgeable.  Thanks again for your help Mr. Midkiff.

So that got me to thinking… how can someone do this in an iRule?  I have to admit I haven’t really looked into it that much previously because we utilize an ASM module running on a 4100 unit.  The 4100 can do a lot of different things regarding cookies such as checking if a cookie has been modified and if the cookie was obtained in a previous session.  I figured I would hit the AskF5 database to see what I could turn up and I uncovered this little gem:

when RULE_INIT {
set ::key [AES::key 128]
}
when HTTP_RESPONSE {
set decrypted [HTTP::cookie "MyCookie"]
HTTP::cookie remove "MyCookie"
set encrypted [b64encode [AES::encrypt $::key $decrypted]]
HTTP::cookie insert name "MyCookie" value $encrypted
}
when HTTP_REQUEST {
set encrypted [HTTP::cookie "MyCookie"]
HTTP::cookie remove "MyCookie"
set decrypted [AES::decrypt $::key [b64decode $encrypted]]
HTTP::cookie insert name "MyCookie" value $decrypted
}

There is definitely more to this, so you may want to go check out the full solution article here:  SOL7784.  There is also an awesome 2009 iRule Contest entry that you should check out here. The iRule you will want to look at is the Cookie Tampering Prevention iRule written by Henrik Gyllkrans.

I am also very excited to say that I have been selected to be a F5 Networks MVP!

That’s right, TheF5Guy is now an F5 Networks MVP!  I consider it a great honor and am very excited to say the least!  I go by the alias “naladar” in the DevCentral Forums and you can check out my profile here:  http://devcentral.f5.com/Default.aspx?tabid=2242.  You have to be a member of DevCentral in order to view the page, but it is free to join!

Now that the announcement has been made public I wanted to share a few things about the MVP program.  To start with, what’s all of this mean?  It means F5 Networks takes their user community seriously and they want to give back to that community.  This isn’t just an honorary title.  Far from it actually, as there are a number of perks to being an MVP member.

I can’t go into all of them in detail, but here are a few things that I can share since they are mentioned in the podcast.  We will be having regular meetings or round table discussions to go over a wide variety of things relating to the F5 Networks community.  We are being provided profile pages on the DevCentral site to help increase our visibility in the community.  MVP members will be receiving a MVP Kit that was put together with the goal in mind of providing us tools to help us deliver more content to the community.  We will also be having an MVP Summit sometime this year so that we can all meet face-to-face to kick around issues and provide input into the direction of the BIG-IP product line.  Sounds awesome doesn’t it!

This post would of course not be complete without a complete list of the MVP’s so here it is:

hoolio
bhattman
hamish
hwidjaja
smp
naladar
mikejo

The best news is that they want to continue to grow the MVP program.  Do you want to be an F5 Networks MVP?   How do you get started?  Just join DevCentral and start contributing to the community.  They’re watching…..

I am stating the obvious here I know, but how many of you out there have worked at places where people guard their security knowledge like it’s KFC’s secret recipe for chicken?  Have you ever had to work with a security expert that can tell you every law of governance, but never truly explain WHY those laws are in place?  Ever talk to a business partner not in I.T. that just didn’t get why the web applications needed to be protected by a web application firewall or why ALL the ports on the firewall couldn’t be opened up?  I talked to a large number of people that worked at well known companies and each said that is the case where they work.  Of the group I talked to it was about 50% from the business arena and 50% from the IT side of the house, but they were all there for a common goal….

The SecureWorld Expo is a place where people can go to learn the WHY.  Not just I.T. folks, but people from all aspects of business as well.  They can talk to industry leaders and experts about things that are going down past, present and future.  It is all about translation and communication of the most up-to-date information available.  How up-to-date is the information that is covered?  The second day of the expo, the speaker Dan Greer came out to the podium and started talking about the SSL Man-in-the-Middle Renegotiation story that just broke in the news.  I have to say my hats off to the folks in the DevCentral community to, shortly thereafter, a way to mitigate the attack showed up on DevCentral (Lupo, thanks for your contribution!)… it can be found in the forums at http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=86456&view=topic

Other than the open sharing and exchange of knowledge, the excellent speakers, free vendor loot and good food, the other thing that is great about the SecureWorld Expo is the fact that you get CPE credits for attending the various events.  Depending on the events that you sign up for you can either earn a 12 CPE or a 16 CPE Certificate of Attendance.  This is outstanding for those that have CPE requirements to meet and keep up with.  Not only can you obtain a lot of CPE’s in a short time, but it is also very cost effective.  You definitely get more bang for your buck at a SecureWorld event than you do at many others.

So what was covered in this “Nexum LTM Workshop”?  Quite a bit actually and it was all very well planned out.  The workshop was lead by a gentlemen named Peter Maag, who is a Senior Security Expert with Nexum.  I believe that part of what made this event so much fun for me was that it was obvious that Mr. Maag knew his stuff and (of course) I like talking about the capabilities of the BIG-IP line. 

Peter began by giving a brief introduction, explaining who he was and the services provided by Nexum.  I have to admit that I was unaware that Nexum was such a versatile company.  I believe it is so versatile and one of the fastest growing private companies because of them hiring and keeping talent like Mr. Maag around.  But that is a different philosophical discussion that perhaps I will touch on at some other time.  If I ever take up being a philosopher.

Then after the intro… it was f5 time!  For those in the audience not familiar with the BIG-IP product line Peter gave an overview of products available from f5 Networks.  He took the time to provide a clear picture of each modules functionality and I feel that he did the products justice.  He then steered the presentation to the real meat of the workshop which was the LTM module.  Virtual Servers, Pool Members and Nodes were all explained as well as the basics of configuring load balancing.  We spent some time discussing the full proxy architecture of the LTM module and we where then guided through a load balancing demo.

This lead into a discussion about monitors, persistence profiles, SSL termination and ended with a demo over those concepts.  There were a few questions at this point, as members of the audience asked questions such as “How long are self signed certificates valid for if they are generated on the f5 BIG-IP?” and “What are the different methods available for Cookie Persistence?”.  All of which were answered concisely and followed up with live demonstrations performed on a BIG-IP unit running TMOS version 10.x.  How cool is that?

We then went into a discussion about iRules.  Peter provided a number of examples of how to use iRules to pull off complicated tasks very easily.  In one example he showed how you could direct web traffic coming from an iPhone to a different set of servers than the ones used to serve up content to standard desktop browsers.  To augment the workshop Nexum provided an excellent booklet which just so happens to have a very handy page that lists almost all of the iRule Events that can be used in iRule generation.

We went over several other things, but the jest of this entry isn’t to really rehash everything that we covered.  The purpose is to encourage everyone using the LTM module to go check one of these workshops out.  Peter Maag did a phenomenal job explaining things for newcomers and veterans alike, which is not an easy thing to do.  To summarize, if you have just recently purchased an f5 BIG-IP product or are looking into purchasing one, attend one of these workshops.  You will walk away a wiser person and I cannot think of a better way to sell someone on f5 BIG-IP products.  Once you see it in action you will be wondering why you have stuck with Brand X for so long.

My next entry will be over the value of attending the SecureWorld Expo.  Is it worth the cost if you had to pay for it out of your own pocket?  What are the driving reasons for one to attend such an event?  I will be asking those questions and more soon and you may be surprised by my conclusions.  Stay tuned.

What a great way to segway into my first SecureWorld Expo blog entry!  Be afraid, be very afraid…  I am just kidding of course.  The Expo was excellent and I walked away from the event a wiser person.  It definitely helped me look at things differently and as Ralph Waldo Emerson once said, “Fear always springs from ignorance.” 

Man, oh man.  I think I may have committed a blunder of cosmic proportions.  Are you allowed to quote Yoda and Emerson in the same blog post?  Yes? No?  Anway, moving on…

The Expo started off with an awesome keynote by a very nice man named Jeff Bardin.  His topic was “Extremist Online Social Networks – Jihadis” and I was enthralled the whole time.  The banners that he had up on his very first presentation slide are the same web site banners that I have helped keep off of our network up at work.  When I saw those banners, I knew that he was going to be talking about a topic that hit close to home.

After taking the stage Mr. Bardin began explaining how Jihadis use resources provided by many American companies against America.  He talked about the Madrid train bombings, how Jihadis are using software like vBulletin and hacked copies of various software suites to pull off all kinds of nefarious acts.  He also discussed with great clarity how Jihadis are continuing to demonstrate their technical prowess.

Now I will not provide any more information about his presentation other than that.  Not because I do not want others to have the information, but because I cannot do the subject justice.  Mr. Bardin is an expert in his field and has spent countless hours researching, compiling information and teaching others.  I do not wish to diminish his work in any form or fashion.  Check out that link that I provided and the one at the bottom of this post for more information.

I would advise anyone, if Mr. Bardin is speaking at an event within a 12 hour driving distance, make the drive.  It really was that good.

After his presentation he stayed for a while answering questions.  I waited in the background for a bit, allowing others to ask questions as I listened in an attempt to take in as much information as I could.  When I did finally open my mouth he kindly gave me a his business card and answered all of the questions I had.  Anybody that will go out of there way to answer questions and share knowledge like Mr. Bardin did is a good man in my book.

For those seeking more information about Jeff Bardin and Treadstone 71, here is a link to some great information that will save you a trip to Google: http://blogs.csoonline.com/user/jeff_bardin

So what is coming up next?  Well I can’t go to long without talking about the F5 BIG-IP product line!  I am The F5 Guy after all.  My next post will be about the Nexum LTM Workshop that was lead by Peter Maag.

A friend of mine supplied the image to the left.  I am thinking that it may have to be the official logo for my website!  Of course, had I known he was taking pictures of me with his cell phone I would have flexed a bit more…

Not buying that are you?  Well OK, maybe that is just what I look like in my mind!  Coming next week to “The F5 Guy” website, news and reviews straight from the Dallas SecureWorld Expo!

For those who haven’t had a chance to examine the file at length, the globalfragment.xml file is basically a roadmap that the WebAccelerator module can read to know how to handle or classify different file types.  If you want the WebAccelerator recognize and classify a particular file type it would be good for it to be defined in this file.

If you take the upgrade path I mentioned above, it might be wise to make a backup copy of that particular file first.  The file can be found in the “/config/wa/” directory.  It is possible for that file to be overwritten during the upgrade and if you have custom entries defined in it… well you get the picture!

Unbeknownst to me, custom entries had been inserted into that file for .wmv files at some earlier date.  Shortly after the upgrade of course, .wmv files stopped streaming properly from virtual servers utilizing WebAccelerator based HTTP class profiles.  So I took the profiles off the virtual servers in question and contacted F5 Networks Support.  I was unaware of how the WebAccelerator module used the globalfragments.xml file until I was educated by an excellent F5 Networks Senior Network Support Engineer about it.

I added the entries back for the .wmv files, reapplied the HTTP class profiles that I had disabled during troubleshooting and everything worked like a charm.  The Engineer was also kind enough to create CR12834 to add .wmv files to the stock list of file types into future TMOS versions.  Thanks again to Dale Anderson for all your help!

If you are having trouble with certain file types after applying a WebAcceleration HTTP class profile then you might take a peek at the globalfragments.xml file and ensure the file type is defined correctly within.

This issue and the one mentioned in my previous post are the only two issues that I had from upgrading from version 9.4.4 to version 9.4.8!

The unit that was upgraded has three modules running on it, the GTM, LTM and WA modules.  The issue is caused by the WebAccelerator module logging to many messages out to the PVAC log, which can lead to excessive disk I/O and may cause the log file to grow so large it crashes the WebAccelerator module.  It is now a Known Issue and is being tracked in CR127854.  So if you have upgraded to TMOS 9.4.8 and you are running the WebAcceleration module you might want to keep an eye out for this!

If you believe you have a unit experiencing this issue I would advise you to contact F5 Technical Support and open a case with them.  An Engineering Hotfix can be provided to you that addresses this issue.  In the meantime, if you are able to stop using the WebAccelerator class profiles, then I would suggest not using those until you have downloaded and applied the hotfix.  Below is the text from AskF5.com regarding the issue.

Known Issue
Updated: 9/17/09 10:11 AM

I have to say, they really went out of there way to make me feel welcome.  I had fun (despite being a little nervous) and I think a good time was had by all.  It is weird listening to myself in the audio though.  I have never done that before and nobody told me that I have a southern accent!   Hehehe… just kidding of course.

The USTREAM video of the event can be found at http://www.ustream.tv/recorded/2359077.  If you would like to participate in a DevCentral LIVE event yourself, I am certain they would love to speak with you.  The DevCentral LIVE page is located at http://devcentral.f5.com/Default.aspx?tabid=197.  Events usually begin around 1:50 P.M. PST every Thursday.  Just log in and participate!

]]> http://www.TheF5Guy.com/blog/2009/10/devcentral-weekly-roundup-episode-107-the-f5-guy/feed/ 1 http://www.TheF5Guy.com/blog/2009/10/secureworld-expo-dallas/ http://www.TheF5Guy.com/blog/2009/10/secureworld-expo-dallas/#comments Sun, 11 Oct 2009 22:52:10 +0000 naladar http://www.TheF5Guy.com/blog/?p=438 Well, I am back from my vacation to Cozumel, Mexico.  A week full of sun, sand, scuba and margaritas.  Ahh…  The only downside was the 11 hour trip from Cozumel back to the DFW airport.  Which is usually only a two and a half hour trip…  (Insert derogatory remark about American Airlines and Cozumel airport maintenance workers)  Anyway, after a mad dash through the MIAMI airport, I checked my e-mail and I am glad to say it looks like I will be fortunate enough to attend the SecureWorld Expo Conference in Dallas this year!  The conference, taking place November 4 – 5, will be held in the Plano Convention Centre and seems to have a number of  excellent conference sessions to check out.

On top of my list though is a F5 BIG-IP LTM related event (of course!) being hosted by Nexum.  The “Nexum LTM Workshop”, which will be November 4 from 1:00 PM to 4:30 PM, is free for all who register for the SecureWorld Expo.  Registration for the Expo is also free, so go register before it fills up!  You certainly can’t beat the price!

The agenda for this particular event shows that they will first give an Intro and Overview of Nexum.  Then move on to Load Balancing, Monitors, Profiles (Persistence and SSL Termination), iRules, Maintaining and Mastering the BIG-IP, discuss version 10.x and then wrap it all up with a Q&A session.  I am really looking forward to meeting some local F5′ers and will of course be doing a write up on my blog about the event.  The “Maintaining and Mastering the BIG-IP” part certainly sounds interesting.

I will also be attending a number of the other events at SecureWorld and will be posting a few blog entries regarding those.  The main purpose is not really to provide ALL of the information gleaned from each event, but to give a few highlights from each and share my overall thoughts on the value of the SecureWorld Expo Conference as a whole.

Go here to check out the SecureWorld Expo Dallas Conference Agenda.

The great folks over at F5 Networks DevCentral have outdone themselves once again!  They have added a new section to their website called “Online Events” and rather than do injustice to the site with my own words, allow me to plagiarize their own description of the section:

Here of course is a direct link to the new content!

How awesome is that?  I have worked with a number of IT related companies over the years, but never have  I seen a technology based company so dedicated to their customers.  Post after post the experts driving the helm over at DevCentral continue to share and spread knowledge of all types.  They help people solve real world challenges and now they are doing it live!  Anyone can call or join them on chat during their weekly podcast and ask questions and seek their input about various things.  I have had to work with some companies in the past that… well, lets just say, you would consider yourself lucky if you got a call back from them within three days.  I must say it is a very refreshing approach and well done folks!

Also while you are there, go check out the latest DevCentral Weekly Roundup Podcast: Episode #104. They covered a variety of topics and I was fortunate enough that they discussed The F5 Guy website as well of a few of the posts that I have put up!  They discussed two posts in particular.  “Using not In An iRule” and “F5 Network Certification” which you can find below this post or just click on the links to follow of course.  Rather than rehashing what was said, read the two posts, leave some comments if you like and head on over to DevCentral to hear what they have to say.

I had to make a tweak or two here or there, but I have to say overall I really like it.

Have you ever had a discussion with your co-workers about the value of technical certifications?  I have had that discussion many times with others and I have to say, the answers are always different.  Some will say they are just a waste of time, others will say it depends on the certification and others will say it should be a requirement to fill X or Y job role.  If you were to ask me, “Is it worth it to become certified in X?”  I would have to say that I fall in the camp that says “Yes”.  And yes to answer your question, I do hold a few certifications.  Feel free to check out my About page if you seek further details, as I am not a braggart.

So what certification shall I choose to discuss?  Well one of F5 Networks certification offerings of course!  I recently earned the “F5 Certified System Engineer” certification provided by F5 Networks, by passing the LTM (F50-511) and LTM: Advanced (F50-522) exams.  Woohoo!  It was fun to pursue, I read the manuals several times, tinkered with things, blew things up and in general learned a ton over the last few months.

I was driven towards obtaining this certification for several reasons.  Of course, as I type this article I am asking myself, is my judgment clouded?  I think it could be… BUT, let us take a look at a few facts and I will let you decide.  Here are few numbers for you, that I have obtained from our good friends over at F5 Networks.  A special thanks to F5 Networks for releasing these figures by the way!

Fact #1 – Currently there are around 2,400 people that hold the “F5 Certified Product Specialists” certification.

Fact #2 – There are around 1,200 people that hold the “F5 Certified System Engineer” certification.

Those numbers are Worldwide numbers by the way.  I guess it goes without saying, that I feel very fortunate to be one of those 1,200 and that feeling is actually reason #3 on my list.  So without further delay, here are the top 5 reasons I can think of as to why I feel that obtaining a certification from F5 Networks is a great thing:

Reason #1 – I’m “The F5 Guy”, I have to do my best to live up to my name!  Hehehe…

Reason #2 – F5 Networks is the leader for Application Delivery Control systems.  Their name holds weight with companies utilizing their products and a certification from them does as well.

Reason #3 – I like the challenge and the feeling of personal accomplishment.  In short, it is a bit of a moral boost.

Reason #4 -  I think it sends a clear signal to ones current employer that I take my work seriously and that I will do my best to learn everything I can about the technology that they have chosen to run their network on.

Reason #5 – I think it is excellent for the learning process.  Hours of reading the manual and hours of hands on experience is the idea I think.  I would even go so far as to say, I don’t think you could pass any of F5 Networks tests without having put in many hours of study in the manuals and the console.  For some I would recommend months or perhaps a year of daily application and study before attempting to take either test.  Know the manual, know your stuff from hands on experience and you will do well.

Now that you know my reasoning, I would like to pose a question to those of you in the community.  What value do you see in certifications?  What drives you to pursue or not to pursue certifications?  Feel free to post a comment or two, you do not have to register.  You do have to enter an e-mail address, but I don’t keep track of those.  We can all thank the spam bots for even having to do that!

Now this was an afront to my logic!  My brain was so used to thinking “If this, then this”, that it really was hard for me to wrap my brain around how I was going to pull this off.  So of course, I did what any sane F5′er does when he is looking for an answer to a puzzle he cannot solve.  I turned to Devcentral and the community forums.  I dug around for a while and eventually I found an old 4.0 iRule where an individual had used the “not” Logical Operator.

So I gave myself a big slap on the forehead and muttered a Homer Simpson’ish “DOH!!”.  I later went on to discover that the “not” Logical Operator is well documented on DevCentral here.  Below is the simple iRule that has saved our company thousands of dollars, saved the help desk many man hours of labor, prevented users from going insane because of broken links and keeps things simple.  It is amazing how an iRule so simple, can have such a dramatic impact.  So, the next time you are writing an iRule, just think of all the things you could “NOT” be doing!


when HTTP_REQUEST {
if { not ([string tolower [HTTP::host]] contains ".mycompany.com")}{
HTTP::redirect "https://[HTTP::host].mycompany.com[HTTP::uri]"
}
}


Coming soon, an interesting tale about BIG-IP™ TMOS Version 10.