edits from feedback #109

Merged
merged 2 commits into from
Jan 26, 2024
Binary file modified docs/class5/module1/images/introduction-2.png
Binary file added docs/class5/module2/images/udf-access.png
Binary file modified docs/class5/module2/images/udf-deployment.png
Binary file modified docs/class5/module2/images/udf-documentation.png
Binary file added docs/class5/module2/images/udf-overview.png
Binary file removed docs/class5/module2/images/udf-sslo-tmui.png
Binary file not shown.
Binary file removed docs/class5/module2/images/udf-ubuntu-client-rdp.png
Binary file not shown.
Binary file not shown.
Binary file not shown.
52 changes: 40 additions & 12 deletions docs/class5/module2/lab1.rst
Expand Up @@ -9,28 +9,56 @@ If you are not familiar with the process for joining a training course, refer to
- |join_link|
- |interface_link|

You should have received a course registration email that contains the UDF course link. Click on the link and log into the UDF student portal.
#. You should have received a course registration email that contains the **UDF course link**. Click on the link and log into the UDF student portal.

After you **JOIN** the course, you will see the **DOCUMENTATION** tab with some information about the lab resources and a link to the Lab Guide (this document).
.. important::
If MFA is not configured for your account, you will be asked to set it up before proceeding.

.. image:: ./images/udf-documentation.png
:align: left

.. note::
You will only need your local web browser to perform the lab exercises.
#. Click on the **JOIN** button to enter the lab session. You will see 3 tabs: **Overview**, **Documentation**, and **Deployment**. The **Overview** tab will be shown.

.. image:: ./images/udf-overview.png
:align: left


#. Click on the **DEPLOYMENT** tab to see all of your lab resources:
#. Click on the **Documentation** tab to view lab information and a link to the Lab Guide (this document).

.. image:: ./images/udf-documentation.png
:align: left


#. Click on the **DEPLOYMENT** tab to see all of your lab resources.

- **BIG-IP Next Central Manager** - Access via web browser
- **BIG-IP Next instance** - Access via Web Shell
- **Ubuntu-Client** - Access via Web Shell and WebRDP
- **Ubuntu-Server** - Access via Web Shell

.. image:: ./images/udf-deployment.png
:align: left


.. list-table::
:header-rows: 1
:widths: auto

* - Virtual Machines
- Access Methods Used In this Lab
* - BIG-IP Central Manager
- GUI
* - BIG-IP Next instance
- Web Shell
* - Ubuntu-Client
- Web Shell
* - Ubuntu-Server
- Web Shell,

WebRDP (to *Ubuntu-Client* desktop)

To access a lab VM, click on the **ACCESS** link to view the remote access methods. Then, click on the desired option. Here is an example:

.. image:: ./images/udf-access.png
:align: left


.. note::
You will only need your local web browser access the lab VMs.


.. |join_link| raw:: html
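Review bot: The new list-table puts WebRDP in the Ubuntu-Server row ("Web Shell," with a dangling comma, then "WebRDP (to *Ubuntu-Client* desktop)" after a blank line), while the bullet list in the same hunk reads "Ubuntu-Client - Access via Web Shell and WebRDP"; please confirm which VM exposes WebRDP and drop the trailing comma. The closing note also reads "local web browser access the lab VMs" and is missing "to", and the tab names switch between **DEPLOYMENT** and **Documentation** / **Overview** casing within the same step list.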

58 changes: 29 additions & 29 deletions docs/class5/module2/lab2.rst
Expand Up @@ -15,7 +15,7 @@ Network Diagram

Here is a visual representation of the virtual lab environment. The numbers inside the right edge of the SSL Orchestrator box indicate the port numbers and VLAN tags (if applicable). The colored boxes to the right of the services respresent some product examples for each respective service type.

The first interface is connected to the client-facing VLAN. The second interface is connected to the Internet-facing VLAN. The remaining interfaces are connected to various types of security services: L2, L3, HTTP, ICAP, and passive Tap. The SSL Orchestrator management interface is not shown.
The first interface is connected to the client-facing VLAN. The last interface is connected to the Internet-facing VLAN. One of the tagged interfaces connects to the application server VLAN. The remaining interfaces are connected to various types of security services: L2, L3, HTTP, ICAP, and passive Tap. The SSL Orchestrator management interface is not shown.

.. image:: ./images/labinfo-1.png
:align: left
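Review bot: The context sentence just above the changed line still has "respresent" ("...to the right of the services respresent some product examples..."); since this paragraph is being edited anyway, fix it to "represent". The new sentence "One of the tagged interfaces connects to the application server VLAN" would also be easier to check against the diagram if it named the interface or VLAN tag.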
Expand Down Expand Up @@ -76,7 +76,7 @@ this lab guide with your own environment, please ensure that you create these ob
configuration state. In most cases, objects created in CM (like iRules) are only deployed to a
Next instance when they are associated to an application. With respect to SSL Orchestrator, this
also applies to service chains and traffic policies. The exemption to this is inspection
services. While inspection services can be saves to CM and deployed later, they are generally
services. While inspection services can be saved to CM and deployed later, they are generally
deployed direct to an instance on creation, irrespective of applications, as they have network
attributes that are typically specific to a BIG-IP Next instance. This will be made evident in
the upcoming labs.
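Review bot: The line above the saves/saved fix still says "The exemption to this is inspection services", which should be "exception", and "deployed direct to an instance" below it reads better as "deployed directly to an instance". Both are worth folding into this edit.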
Expand Down Expand Up @@ -168,14 +168,14 @@ The following tables provide device/service network configuration details. Login
* - 1.3
- 10.1.30.7/24
- TAP service - Inbound
* - 1.4 / Future
- TBD (10.1.40.0/24)
* - 1.4
- Future (10.1.40.0/24)
- Inline L2 service - Inbound
* - 1.5 / Future
- TBD (10.1.50.0/24)
* - 1.5
- Future (10.1.50.0/24)
- Inline L2 service - Outbound
* - 1.6 / Future
- TBD (10.1.60.0/24)
* - 1.6
- Future (10.1.60.0/24)
- Internet

|
Expand Down Expand Up @@ -259,11 +259,11 @@ The **WebRDP** service leverages an instance of Guacamole running on the Ubuntu
:header-rows: 0
:widths: auto

* - Description
* - **Description**
- Ubuntu server host -- ens8 and ens9

br0 (bridge) tied to ens8 and ens9 interfaces on host
* - Services
* - **Services**
- Suricata

|
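Review bot: Bolding the first cell by hand (``**Description**``, ``**Services**``, and ``**Access**`` in the later tables) has to be repeated in every row of every service table in this file. Since these list-tables already set ``:header-rows: 0``, consider adding ``:stub-columns: 1`` to each one instead, so the first column is styled as a header by the theme and the cell text stays plain.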
Expand All @@ -275,9 +275,9 @@ The **WebRDP** service leverages an instance of Guacamole running on the Ubuntu
* - Traffic Flow
- BIG-IP Interface
* - Inbound
- TBD
- Future
* - Outbound
- TBD
- Future

|
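Review bot: Replacing "TBD" with "Future" in the BIG-IP Interface column still leaves the reader without an interface number, even though the interface table earlier in this file now lists 1.4 as "Inline L2 service - Inbound" and 1.5 as "Inline L2 service - Outbound". If this table belongs to that inline L2 service (the bridged host described just above), consider "1.4 (future)" and "1.5 (future)" here so the two tables agree.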

Expand All @@ -287,11 +287,11 @@ The **WebRDP** service leverages an instance of Guacamole running on the Ubuntu
:header-rows: 0
:widths: auto

* - Description
* - **Description**
- Ubuntu server host -- ens6.60 and ens6.70
* - Services
* - **Services**
- Firewall
* - Access
* - **Access**
- $ ``docker exec -it layer3 /bin/bash``

|
Expand All @@ -318,11 +318,11 @@ The **WebRDP** service leverages an instance of Guacamole running on the Ubuntu
:header-rows: 0
:widths: auto

* - Description
* - **Description**
- Ubuntu server host -- ens6.30 and ens6.40
* - Services
* - **Services**
- Squid - Port 3128
* - Access
* - **Access**
- $ ``docker exec -it explicit-proxy /bin/bash``

|
Expand Down Expand Up @@ -350,11 +350,11 @@ The **WebRDP** service leverages an instance of Guacamole running on the Ubuntu
:header-rows: 0
:widths: auto

* - Description
* - **Description**
- Ubuntu server host -- ens7

ens7 interface tied to tap service on host
* - Services
* - **Services**
- Passive TAP

|
Expand All @@ -378,11 +378,11 @@ The **WebRDP** service leverages an instance of Guacamole running on the Ubuntu
:header-rows: 0
:widths: auto

* - Description
* - **Description**
- Ubuntu server host -- ens6.50
* - Services
* - **Services**
- ICAP Clamav
* - Access
* - **Access**
- $ ``docker exec -it icap /bin/bash``

|
Expand All @@ -409,13 +409,13 @@ The **WebRDP** service leverages an instance of Guacamole running on the Ubuntu
:header-rows: 0
:widths: auto

* - Description
* - **Description**
- Ubuntu server host -- ens6.80
* - Services
* - **Services**
- Apache web server

\*.f5labs.com
* - Access
* - **Access**
- $ ``docker exec -it apache /bin/bash``

|
Expand Down Expand Up @@ -443,11 +443,11 @@ The **WebRDP** service leverages an instance of Guacamole running on the Ubuntu
:header-rows: 0
:widths: auto

* - Description
* - **Description**
- Ubuntu server host -- ens6.80
* - Services
* - **Services**
- NGINX app
* - Access
* - **Access**
- $ ``docker exec -it nginx /bin/sh``

|
Binary file added docs/class5/module3/images/udf-access-cm.png
5 changes: 5 additions & 0 deletions docs/class5/module3/lab1.rst
Expand Up @@ -12,6 +12,11 @@ Instantiating a BIG-IP Next Instance
Follow these steps to instantiate and activate a BIG-IP Next instance
through the Central Manager.

#. In the UDF **Deployment** tab, access the **BIG-IP Central Manager** VM by clicking on the **ACCESS** link and then selecting **GUI**. A new browser tab will open.

.. image:: ./images/udf-access-cm.png


#. Log into Central Manager with username: ``admin`` and password: ``Welcome123!``.

.. image:: ./images/cm-login.png
8 changes: 4 additions & 4 deletions docs/class5/module3/lab2.rst
Expand Up @@ -7,7 +7,7 @@ TLS Certificates and Keys
.. note::
The **wildcard.f5labs.com** certificate and key has been pre-loaded into the BIG-IP CM, so you will not need to import any certificates at this time.

#. In the top left corner of the BIG-IP Central Manager (CM) UI, click on the **Workspace** icon (it looks like a waffle pattern) to show the **Workspace Menu**.
#. In the top left corner of the BIG-IP Central Manager GUI, click on the **Workspace** icon (it looks like a waffle pattern) to show the **Workspace Menu**.

.. image:: ./images/workspace-menu-1.png
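Review bot: Dropping "(CM)" from "BIG-IP Central Manager (CM) UI" in step 1 removes the only expansion of the abbreviation in this section, but the note directly above still says "pre-loaded into the BIG-IP CM". Either keep the "(CM)" expansion on first use or spell out "BIG-IP Central Manager" in the note. The same note's "certificate and key has been pre-loaded" should be "have been".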

Expand Down Expand Up @@ -71,7 +71,7 @@ Now, you will create a simple HTTPS application.
.. image:: ./images/add-app-4.png


#. Enable the **Enable HTTPS (Client-Side TLS)** option to show additional settings.
#. Enable (toggle on) the **Enable HTTPS (Client-Side TLS)** option to show additional settings.

- Click on the **Add** button to open the configuration panel.
- In the **Add Client-Side TLS** panel, enter ``wildcard.f5labs.com`` as the name
Expand All @@ -82,11 +82,11 @@ Now, you will create a simple HTTPS application.

#. Scroll down to see the other **Protocol & Profiles** options.

#. Enable the **Enable Server-side TLS** option.
#. Enable (toggle on) the **Enable Server-side TLS** option.

#. Ensure that the **Enable SNAT** and **Enable Auto SNAT** options are enabled (default).

#. Disable the **Enable Connection Mirroring** option.
#. Disable (toggle off) the **Enable Connection Mirroring** option.

.. image:: ./images/add-app-6.png

2 changes: 1 addition & 1 deletion docs/class5/module3/lab3.rst
Expand Up @@ -3,7 +3,7 @@ Testing the Application Deployment

Congratulations! You have now deployed a simple HTTPS application on BIG-IP Next. The next step is to test your application from a client environment and verify that everything is working properly.

Accesing the Client VM
Accessing the Client VM
--------------------------------------------------------------------------------

The UDF lab environment provides an Ubuntu Linux VM instance (**Ubuntu-Client**) with access to an interactive shell for command line testing, as well as a GUI desktop to run web browsers and other tools.
Binary file added docs/class5/module4/images/second-app-0.png
16 changes: 14 additions & 2 deletions docs/class5/module4/lab1.rst
@@ -1,7 +1,7 @@
About Inbound Application Mode
==============================================================================

The SSL Orchestrator **inbound application mode** deployment describes a
The SSL Orchestrator **Inbound Application Mode** deployment describes a
scenario where the client's destination address terminates on the F5
BIG-IP. Effectively, this is a simple extension of a standard BIG-IP
Next application deployment, where SSL Orchestrator policy and
Expand All @@ -11,5 +11,17 @@ inspection services are applied to an application workflow.

|

For more information about the various SSL Orchestrator deployment modes, refer
to the |sslo-dg1|.

|

.. note::
The following instructions assume basic connectivity to the lab environment, and administrative access to the lab network and virtual machine configurations.
The following instructions assume basic connectivity to the lab
environment, and administrative access to the lab's network and virtual
machine configurations.


.. |sslo-dg1| raw:: html

<a href="https://clouddocs.f5.com/sslo-deployment-guide/" target="_blank"> SSL Orchestrator Deployment Guide </a>
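Review bot: The new ``|sslo-dg1|`` raw HTML link uses ``target="_blank"`` but sets no ``rel`` attribute; add ``rel="noopener noreferrer"`` so the opened page gets no ``window.opener`` handle to the lab guide on browsers that do not apply that by default. The padding spaces inside the anchor text (``> SSL Orchestrator Deployment Guide <``) also end up inside the rendered link and can be removed.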
29 changes: 19 additions & 10 deletions docs/class5/module4/lab2.rst
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ The first step in this journey is to create the SSL Orchestrator inspection serv
Create an Inline L3 Inspection Service
--------------------------------------------------------------------------------

#. In the top left corner of the BIG-IP Central Manager (CM) UI, click on the **Workspace** icon to show the **Workspace Menu**.
#. In the top left corner of the BIG-IP Central Manager GUI, click on the **Workspace** icon to show the **Workspace Menu**.

#. Click on **Security** to navigate to the Security workspace.

Expand All @@ -23,17 +23,16 @@ Create an Inline L3 Inspection Service

#. In the **Create Inspection Service** panel, select **Generic Inline L3** and then click the **Start Creating** button to open the configuration settings panel.

#. In the **General Properties** section:

- Enter ``my-sslo-ngfw`` in the service name field.

- Enter ``next-gen firewall`` in the description field (optional).

.. image:: ./images/service-3.png

- Click the **Save & Continue** button.

#. Click the **Save & Continue** button.


.. image:: ./images/service-4.png
.. image:: ./images/service-3.png


#. In the **Network** settings:
Expand All @@ -43,31 +42,41 @@ Create an Inline L3 Inspection Service
- Enter ``sslo-insp-l3-out`` in the **From: VLAN** Name field.

.. note::
In the future, the VLAN names will be selectable from a list.
VLAN names are 'SSLO-INSP-L3-IN' and 'SSLO-INSP-L3-OUT' (but lowercase).

In the future, the VLAN names will be selectable from a list.

- Select **ICMP** for the **Device Monitor**.

- In the **Inspection Service Endpoints** section, click the **Start Adding** button.
.. image:: ./images/service-4.png


#. In the **Inspection Service Endpoints** section above, click the **Start Adding** button.

- Enter ``198.19.64.30`` in the **Server Address** field.

.. image:: ./images/service-5.png


#. Click the **Review & Deploy** button.

#. In the **Deploy Inspection Service** panel, add the BIG-IP Next instance.

- Click the checkbox to the left of the assigned instance and then click the **Validate** button.

.. image:: ./images/service-6.png

- If Validation is successful, click the **Deploy Changes** button to push this inspection service configuration to the BIG-IP Next instance.

.. image:: ./images/service-6.png
- Click the **Start Adding** button
- Select the instance named **bigip-next.f5labs.com**.
- Click on the **+ Add to List** button.

- At the **Deploy Inspection Service?** prompt, click on the **Yes, Deploy** button and wait for the task to complete.

|

After deployment, the new inspection service will appear in the list.

.. image:: ./images/service-7.png
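Review bot: The added note "VLAN names are 'SSLO-INSP-L3-IN' and 'SSLO-INSP-L3-OUT' (but lowercase)" contradicts itself: it shows uppercase names and then says they are lowercase. State the literal values the student must type, matching the ``sslo-insp-l3-out`` already used in the step above. In the deploy steps, "Click the **Start Adding** button" is missing its final period, and "section above" in "In the **Inspection Service Endpoints** section above" is ambiguous now that the step follows the service-4.png image.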

