After a ton of back and forth with RIM and a ton of trial and error, here is how we were able to setup successfully Blackberry Administration Service 5.0 with an F5 3600 LTM (OS 10.2)

1)      Install BAS per RIM installation guide specifying a BAS pool name. This is the FQDN that ultimately you will want to connect to when using the BAS.

2)      Configure BAS to use TCP to communicate between nodes. http://www.blackberry.com/btsc/dynamickc.do?externalId=KB19436&sliceID=1&command=show&forward=nonthr...

3)      Configure the Blackberry Administration Services to startup automatically and start them on all BAS nodes. The goal here is to have all your BAS instances running at the same time for high availability. Confirm that the BAS is running properly on each node by going to https://<servername>/webconsole/login where <BAS_servername> is each server running the BAS services. (This is contrary to my previous post that only one BAS instance can be running at a given time)

4)      Generate and submit to your certificate authority (CA) a  certificate signing request (CSR) for a trusted certificate to be used on each node in your BAS pool. In our case we used an internally signed certificate since or BAS will never see the Internet but that decision is at your discretion. Thew command we used to generate a 2048 bit CSR against the BAS keystore was:

 keytool -genkey -alias httpssl -keyalg RSA -keysize 2048 -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\bas\bin\web.keystore" -storepass <password> - dname “CN= <BAS_pool_name >,OU= <Company_division>, O= <company name>, L= <City>, ST= <State>, C=<Country>”

We actually found a freeware GUI tool that makes managing the java keystore much easier. I would recommend it if you aren’t familiar with the keytool command line utility. http://www.lazgosoftware.com/kse/index.html

NOTE: If your CA supports subject alternative names (SAN), you can create a CSR that has the BAS pool name as the common name (CN) on the certificate and each BAS server node as a SAN to ensure that you don’t get a certificate error when connecting to the BAS pool through the LTM or directly using the server name. If your CA doesn’t support SANs, be sure to minimally use the BAS pool name as the CN in the CSR.

5)      Once you get the signed certificate back from your CA, install it on each BAS node. Again, this is easily done through the Keystore Explorer app but can also be done by using the keytool utility as well.

6)      Once it is installed on each BAS node, use Keystore Explorer to export the certificate and private key to a PKCS#12 bundle which we will later import on the F5 LTM.

7)      On the F5 LTM, go to Local Traffic ->Certificates and import the PKCS#12 certificate bundle you just created. If necessary, import any intermediate certificates in the certificate chain onto the LTM as well.

8)      On the F5 LTM, go to Local Traffic ->Profiles ->SSL -> Client and select’ Create.’

• NAME BAS_clientssl
• Parent Profile – clientssl
• Certificate – select the BAS_ssl certificate you imported to the LTM in step 7.
• Key – select the BAS_key you imported in step 7.

9)      On the F5 LTM, go to Local Traffic -> Persistence and select ‘Create.’

• NAME – BAS_cookie
• Persistence Type – Cookie
• Parent profile – cookie
• Cookie Method – Hash
• Cookie Name - JSESSIONID

10)      Create a BAS virtual server on your F5 LTM like the following:

a.       NODES (Add a node for each BAS_servername:

• NAME <BAS_ servername1>
• Health Monitor – https
• Connection Limit – 0

b.      POOL

• NAME <BAS_Pool>
• Health Monitor – https
• Members – <BAS_servername1>, <BAS_servername2<, etc…
• Load Balancing Method – Round Robin

c.       VIRTUAL SERVER

• NAME <BAS_Virtual_Server>
• Destination – Host
• Address - <Virtual IP Address> (This is the IP address you will connect to through the LTM load balanced pool)
• Service Port – HTTPS
• Type – Standard
• Protocol Profile (Client)– http
• Protocol Profile (Client)– (Use client Profile)
• HTTP Profile – http
• SSL Profile (Client) – select the SSLclient profile you created in step 8.
• SSL Profile (Server) – serverssl (This is the built in sslserver profile that comes on the LTM)
• SNAT Pool – Automap
• Address Translation –checked
• Port translation – checked
• Default Pool – select the BAS_pool you created in step 10B with all the BAS nodes.
• Default Persistence – select the BAS_cookie persistence profile you created in step 9.
• Fallback persistence – source address.
• iRule – BAS_irule (Optional)

For those interested on redirecting users who go to https://<BAS _pool_name> to https://<BAS _pool_name/ webconsole/login you can create an iRule like the following:

when HTTP_REQUEST {

if { ([HTTP::uri] equals "/") } {

HTTP::redirect https://[HTTP::host]/webconsole/login}

11)      Once all this I complete, have a DNS A record created that points <BAS_pool_name> to the Virtual IP Address of the BAS Virtual Server.

While these steps are specific to an F5 LTM, this should work with any load balancer that supports persistence. Also I tried to keep this as short as I could so if you have any questions about any of these please post your question and I will be glad to help if at all possible.