AppBeat™ DC User Guide Software Version 7.2.4
Copyright © 2009 by Crescendo Networks. All rights reserved worldwide. No part of this publication may be reproduced, modified, transmitted, transcribed, stored in a retrieval system, or translated into any human or computer language, in any form or by any means, electronic, mechanical, magnetic, chemical, manual, or otherwise, without the express written permission of Crescendo Networks, 6 Yoni Netanyahu Street, OrYehuda 60376, Israel.
Crescendo Networks provides this documentation without warranty in any form, either expressed or implied. Crescendo Networks may revise this document at any time without notice.
This document may contain proprietary information and shall be respected as a proprietary document with permission for review and usage given only to the rightful owner of the equipment to which this document is associated.
This document was designed, produced and published by Technical Publications, Crescendo Networks. Produced in U.S.A. December 22, 2008
Visit Crescendo Networks website at: http://www.crescendonetworks.com
The FCC and cTUVus Wants You to Know
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his/her expense.
Use of controls or adjustment or performance of procedures other than those specified herein may result in hazardous radiation exposure.
CLASS 1 LASER PRODUCT
Internal lasers comply with IEC 60825-1:1993 + A1:1997 + A2:2001 and EN 60825-1:1994 + A1:1996 + A2:2001.
Equipment may operate in maximum ambient temperature 40°C.
FCC Warning
Modifications not expressly approved by the manufacturer could void the user's authority to operate the equipment under FCC Rules.
Table of Contents
Chapter 1. Introduction to the AppBeat DC Platform
  Overview of the AppBeat DC
  Hardware Technology
  Hardware Platforms
  TCP Offload & Delivery Optimization
  Connection Management Algorithms
  Request Processing Algorithms
  Response Optimization
  Load Balancing
  Compression
  SSL Acceleration
  Deployment Options
  Physical Configuration
  Single Server Acceleration – Virtual Server Mode
  Single Server Acceleration – Spoofed Server Mode
  Load Balanced Server Acceleration
  VRRPc Redundancy
  Installation and Configuration Guidelines
  Deployment Environment Preparation
  Installation and Configuration
Chapter 2. AppBeat DC Installation
  Introduction
  AppBeat DC™ Kit General Specifications
  AppBeat DC Installation Kit Detailed Items List
  Installing the AppBeat DC™ Hardware
  Installing the AppBeat DC in the Rack
  Inserting the SFP Gigabit Ethernet Modules and Connecting the Cables
  LED Status Definitions
  Status LEDs
  Interface LEDs for CN-5500E
Chapter 3. Introduction to the Command Line Interface
  Accessing the CLI
  Serial Console Settings
  Conventions Used in this Guide
  CLI Prompt Structure
  CLI Navigation
  Case Sensitivity
  Basic Navigation
  Online Help
  Configurable CLI Parameters
  Using the ‘show’ Command
  Using the ‘no’ Command
Chapter 4. Introduction to the Graphical User Interface
  Graphical User Interface (GUI) Overview
  Preparations – Installing Sun Java
  Logging in to the GUI
  Navigating the GUI
  Summary
  Monitoring
  History
  Configuration
  Events
Chapter 5. Initial Configuration & Global Settings
  Before Proceeding
  Conventions Used in this Guide
  Initial Configuration
  Initiating the Auto Configuration Dialog (ACD)
  Initial Configuration Summary
  Outbound Traffic Rate Shaping
  Global Configuration Commands
  Showing Configuration Information from the CLI
  Using the “no” command from the CLI
  Host Name
  Calendar and Time Settings
  Telnet and Secure Shell (SSH) Management Configuration
  SNMP Management Configuration
  HTTP Management Configuration
  Auto Configuration Dialog (A.C.D.)
  Global History Service
  Proxy Signature (HTTP Header Settings)
  Interface Commands
  Configuring the Management Ethernet Interface
  Configuring the Management Serial Interface
  Configuring Gigabit-Ethernet Interfaces
  Configuring Interface Speed/Duplex Settings for the CN-5500E
  VLAN Support
  Link Aggregation
  Networking Commands
  Routing
  Disable Routing of Non-accelerated Traffic between Interfaces
  Client-side TCP Commands
  Client-side TCP Windows
  Client-side TCP Inactivity Timers
  Client-side MSS
  FastTCP
  Server-side TCP Commands
  Server-side TCP Windows
  Security
  User Configuration
  Access Lists for the Management Ethernet Interface
  System Commands
  Configuration File Management
  Loading Additional Configuration Files to a Running Config
  File Transfer/Management
  File Commands
  Software and Operating System Upgrade and Version Control
  Logging Commands
  Logging
Chapter 6. Server Preparation and Logging Considerations
  Server Preparation
  HTTP Server Configuration Requirements
  TCP Server Configuration Requirements
  Server Logging Considerations (Original Client IP)
  Originator (Client) IP Address
  Server Log Configuration
Chapter 7. Server Topology – Farms/Clusters/Real Servers
  Before Proceeding
  Configuration Overview
  Topology – Farms, Clusters, and Real Servers
  Virtual Servers
  Load Balancing Concepts - HTTP Application Load Balancing and Acceleration vs. TCP (Layer4) Load Balancing
  Health Monitoring
  Server Topology Configuration
  Backend Connections (For HTTP Clusters)
  Dynamic File Extensions
  Acceleration of Authenticated HTTP Sessions
  Farm Configuration
  Configuration Steps
  Cluster Configuration (Load Balancing, Health Checking, Persistence)
  Cluster Configuration
  Load Balancing Configuration
  Web Server Logging
  Connection Profiles
  Persistency
  Health Check Configuration
  Server Inactivity Check
  Real Servers
  Configuring a Real Server
  Device Configuration
  Configuring Devices
  Associating Real Servers with Devices
Chapter 8. Virtual Servers, URL Rewriting, and L7 Switching / Redirection
  Before Proceeding
  Virtual Servers
  Configuring Virtual Servers
  URL Rewriting
  URL Rewrite Rules
  Configuring URL Rewrite Rules
  L7 Switching & Redirection (HTTP Virtual Servers)
  L7 Switching Criteria
  L7 Switching Criteria Options
  L7 Switching Actions
  L7 Switching Rule Priorities
  L7 Switching Example Configuration
  Configuring L7 Switching Rules
  HTTP Redirection Rules
  HTTP Redirection Configuration Criteria
  Configuring HTTP Redirection Rules
Chapter 9. Compression
  Before Proceeding
  Compression Module Overview
  Compression Profile Configuration
  Sample mime-types
  Configuring Compression
  Global Configuration (Browser/File Exceptions)
  Configuring Browser/File Exceptions
  Enhanced Compression Module Configuration
  Configuring the Enhanced Compression Module
Chapter 10. SSL Acceleration
  Before Proceeding
  Overview of the SSL Acceleration Module
  Configuration Preparation
  SSL Acceleration Configuration Outline
  Server Configuration
  Preparation
  Configuring a Virtual Server
  Configure Real or Virtual Server
  Importing or Creating a Private Key
  Importing or Creating a Private Key
  Importing or Creating a Certificate
  Importing or Creating a Certificate
  Cipher Profile
  Creating a Cipher Profile
  Configuring an SSL Server Profile (Client-side SSL)
  SSL Server Profile Configuration Outline
  Configuring an SSL Client Profile (Server-side SSL)
  SSL Client Profile Configuration Outline
  Converting Keys, Certificates, and Chained Certificates
  OpenSSL
  Keys
  Certificate
  Converting Certificates and Keys Exported from Microsoft IIS
  Chained Certificates
Chapter 11. Global Server Load Balancing
  GSLB Overview
  GSLB Algorithms
  GSLB Configuration
  GSLB Monitoring
Chapter 12. VRRPc Redundancy
  Before Proceeding
  VRRPc Overview
  VRRPc in Hot-Standby Mode
  VRRPc Hot-Standby Configuration Guidelines
  VRRPc in Load-Sharing Mode (Active/Active)
  VRRPc Load-Sharing Configuration Guidelines
  Fast Switchover
  Configuration Synchronization
  Configuring the Mate Unit
  Saving and Synchronizing the Unit Configurations
Chapter 13. Monitoring the AppBeat DC
  Overview
  Viewing the AppBeat DC Summary Feature
  Overview of the Summary Window
  Monitoring the AppBeat DC
  Monitoring the AppBeat DC via the CLI
  Monitoring the AppBeat DC via the GUI
  Monitoring Attacks and Abnormal Network Behavior
  Configuring Attack Monitors
  Monitoring the Server
  Monitoring Servers or Groups of Servers via the CLI
  Monitoring the Server via the GUI
  Monitoring Devices
  Monitoring Devices via the CLI
  Monitoring Devices via the GUI
Chapter 14. Using the AppBeat DC History Feature
  Overview of the AppBeat DC History Feature
  Selecting and Viewing AppBeat DC History Graphs
  Available Historical Variables
Chapter 15. Troubleshooting
  Common Issues and Solutions
  Recovering a Lost Password
1 Introduction to the AppBeat DC Platform
Chapter 1 provides an introduction to the AppBeat DC, including a feature overview and implementation examples. Additionally, the Installation and Configuration Guidelines section on page 9 of this chapter provides a configuration framework that can be referenced at any stage of configuration.
Overview of the AppBeat DC™.
Hardware Technology.
Hardware Platforms.
TCP Offload & Delivery Optimization.
Load Balancing.
Compression.
SSL Acceleration.
Deployment Options.
VRRPc™ Redundancy.
Installation and Configuration Guidelines.
Overview of the AppBeat DC The AppBeat DC™ (Maestro Platform) provides a high performance, scalable, rackmounted solution designed specifically for demanding application environments. It incorporates ground breaking hardware and software technology which increases the performance of HTTP/HTTPS based applications and ensures consistent fast response times regardless of traffic or load demands. The AppBeat DC incorporates several critical technologies to provide best-of-breed performance, including TCP offload and delivery optimization, hardware-based compression, SSL acceleration, and load balancing.
Hardware Technology
The AppBeat DC utilizes Crescendo Networks’ proprietary hardware architecture. Designed to specifically address the requirements of application acceleration and infrastructure scalability, the Maestro Application Delivery Platform provides superior server acceleration and resource optimization. The FreeFlow™ architecture, utilizing Network Processors (NP) and Field Programmable Gate Arrays (FPGA), incorporates over 80 micro-engines, explicitly tasked with various application-specific processes. The implementation of task-specific hardware enables the AppBeat DC to utilize all functionality simultaneously without suffering any performance degradation. This concept of Feature Concurrency allows the AppBeat DC to operate at maximum capacity, regardless of the features or configuration being used. Crescendo Networks’ hardware demonstrates a unique and powerful approach to application acceleration.
Hardware Platforms
Four models of the AppBeat DC are available on the following platforms:
CN-5504E, CN-5504D, CN-5510E and CN-5510D.
2 RU Height*.
4 or 10 SFP GbE interfaces (10/100/1000/Auto Configurable Ethernet)*.
1 Fast Ethernet Management Interface.
1 RS-232 Serial/Console Interface.
Redundant Power Supply Capability* (available for CN-5504D and 5510D).
Enhanced Interface LED Display*.
* Denotes differences between the AppBeat DC series.
TCP Offload & Delivery Optimization
The AppBeat DC is deployed as an Application Front End (AFE), meaning all application requests and responses are transmitted directly between the AppBeat DC and the servers. For example, a client connection will be sent to, or intercepted by, the AppBeat DC. The AppBeat DC establishes the TCP connection with the client and receives the application request. Since the AppBeat DC maintains several persistent connections directly to each accelerated server, it is able to quickly submit the client’s application request, receive the response, and forward it to the client.
Short Lived Transaction (SLT™) technology is the core of the AppBeat DC. Using SLT, the AppBeat DC intelligently manages how requests are sent to servers and how responses are then transmitted to clients. SLT utilizes three main components:
Connection Management Algorithms
Server-side sessions are managed through a set of advanced algorithms that provide an optimal approach to Connection Consolidation. These algorithms are dependent on a number of factors that include the type of request (dynamic content vs. static content), client-side TCP connection performance, and an inherent knowledge of what connection profiles are best suited for the various Web server operating systems.
Request Processing Algorithms
As a session-terminating intermediary, the AppBeat DC is responsible for terminating client connections, processing the requests that these connections carry, and then delivering them to the server over existing server-side connections. SLT™ optimizes this process by using two unique phases for handling and delivering the requests to the server:
The unit waits until the entire request has arrived from the client before it decides to deliver it to the server. This is incredibly beneficial in situations where long client requests are arriving over slow or problematic TCP connections. If the server were exposed to the weaknesses of these client-side TCP conditions, valuable resources would be tied up while it waited for the arrival of the complete request. By waiting for the entire request to arrive and then delivering it in whole to the server, SLT™ shields the server from client-side TCP conditions and allows it to minimize its processing time for each request.
Normally, a unit performing Connection Consolidation would need to fully buffer an object en route from the server to the client before starting to transmit it to the client. However, at high capacity, this would require massive amounts of memory, which leads to the solution being either not very scalable or not very cost-effective. SLT™ addresses this issue by using partial requests on the server side, causing the server to break up large objects into smaller ones. This is coupled with proper memory management, allowing high-performance consolidation to occur with a reasonable amount of memory and making the AppBeat DC both scalable and economical. This is completely transparent to the client, who never knows or needs to worry about the way in which objects are fetched from the server by the AppBeat DC.
Response Optimization
One of the main objectives of SLT™ is to shield the server from weaknesses imposed by client connections that are subjected to WAN environments. These client connections experience packet loss, delay, and congestion, all of which would impact the server through increased CPU and memory utilization if it were exposed to them. By completely shielding the server from these issues, SLT™ allows the AppBeat DC to communicate with the servers in a highly optimized environment. The server is already dealing with fewer connections; and since those connections are managed by the AppBeat DC, the server can transmit its responses to the network at maximum throughput. Client requests are served as optimally as possible, allowing the server to quickly move on to the next request to be processed.
Load Balancing
The AppBeat DC provides a comprehensive load balancing feature set that allows it to efficiently distribute user requests across clusters of identical servers. Additionally, since the AppBeat DC is in control of the actual request flow to the servers, it can direct traffic to them based on real-time request load as well as other L7 switching criteria (URL, file name, hostname, browser language, etc.). All HTTP (L7) load-balancing functionality is fully and seamlessly integrated with all other optimization services provided by the highly scalable, multi-gigabit AppBeat DC platform. Additionally, because of its unique and powerful task-specific hardware architecture, all services can operate concurrently without any degradation in device performance.
The AppBeat DC also incorporates traditional Layer 4 Load Balancing for non-HTTP TCP-based protocols. A load balancing license must be configured on the AppBeat DC to enable this feature. Please contact your Crescendo Networks Reseller or Sales Associate for assistance with enabling this feature.
Compression
Incorporating the hardware-based Compression module further enhances server acceleration and resource optimization. The compression module, using industry-standard and broadly supported compression methods (the gzip and deflate algorithms), enables a dramatic reduction in outbound bandwidth usage, while also significantly reducing end-user response times.
SSL Acceleration
The hardware-based SSL Acceleration module offloads a significant amount of processing from servers while allowing secure applications to easily scale beyond what normal server platforms can provide. Because the AppBeat DC™ relieves the servers from handling these tasks, the servers can redirect their full resources to provide up to 10 times more processing performance.
Deployment Options
The AppBeat DC™ is a scalable, non-intrusive solution that is easy to integrate. The AppBeat DC provides flexible physical and logical configuration options to ensure seamless integration in different environments. The AppBeat DC can be configured to accelerate individual servers, in which each server is seen as a separate entity, or in a load balanced cluster, in which a group of identical servers is represented as a single Virtual Server (Virtual IP) to the outside world. Regardless of whether load balancing is used, all methods of server acceleration including TCP Offload, Compression, and SSL Acceleration can be used. This section describes the two options available for single server acceleration: virtual server and spoofed server modes.
Physical Configuration
The AppBeat DC is available in 4 Gbic (CN-5504) and 10 Gbic (CN-5510) Gigabit Ethernet interface configurations. The AppBeat DC supports several physical configuration options enabling deployment in virtually any environment. Configuration options include:
“One-leg” single interface deployment.
“Routed” multiple interface deployment.
VLAN tagged implementation utilizing 802.1q tagging on one or more physical interfaces.
The flexibility of the AppBeat DC enables the deployment methods described to be used in combination with one another.
Single Server Acceleration – Virtual Server Mode
In Virtual Server mode, a Virtual Server IP address and TCP port are configured on the AppBeat DC and are then mapped to a single real server IP and port. Client traffic is destined to the Virtual Server on the AppBeat DC, which communicates with the real server directly. Traffic previously destined to the real server is directed to the Virtual Server Address on the AppBeat DC instead. The following diagrams present examples of Virtual mode configured in either one or two interface configurations.
Figure 1: Virtual Server – One Interface
Figure 2: Virtual Server – Two Interfaces
Single Server Acceleration – Spoofed Server Mode
In Spoofed server mode, the AppBeat DC is deployed as a router between client traffic and the real server. The real server IP address and port are configured in the AppBeat DC as a “spoofed” address and port. Traffic destined to this address is intercepted by the AppBeat DC, which communicates with the real server directly. All other traffic is routed normally.
Figure 3: Spoofed Server – Two Interfaces
Load Balanced Server Acceleration
When using Load Balancing, a cluster of identically configured servers will be configured with a single Virtual Server IP address.
Figure 4: Load Balancing – One Interface
Figure 5: Load Balancing – Two Interfaces
VRRPc Redundancy
VRRPc is Crescendo Networks’ proprietary redundancy protocol for Application Delivery Controllers. VRRPc can be implemented in one of two ways: hot/standby or load-sharing (i.e. active/active). Implemented in a similar fashion to VRRP, using virtual MAC and IP addresses, VRRPc extends the capabilities of traditional VRRP by enabling more intelligent redundancy decisions. Unlike VRRP, which tests only simple network availability between two redundant units, VRRPc bases failover decisions on upstream network unit availability as well as application server health and connectivity.
Installation and Configuration Guidelines
The following section provides a basic configuration outline as well as chapter references associated with each specific concept. Required configuration information will be reviewed at the beginning of each chapter.
Deployment Environment Preparation
The following questions should be addressed before proceeding with the installation of the AppBeat DC.
Physical Network Topology
What type of configuration topology will be used? Determine the number of physical interfaces desired.
Using a single interface configuration provides the flexibility of installing the AppBeat DC without making any additional network changes.
Using a two interface configuration requires the AppBeat DC to act as a router, meaning servers, routers, and other devices may require additional configuration (static or default routes, etc.).
Will single server acceleration or load balancing be used? If using single server, which method will be configured – virtual or spoofed?
A two-interface configuration is recommended when using spoofed mode.
IP Address Requirements
Prepare IP addresses and route information. The following is a list of basic IP address requirements:
The Management Ethernet interface will require an IP address.
Each data interface of the AppBeat DC will require an IP address.
Each Virtual Server will require an IP address (unless using a spoofed server, in which case an additional IP is not necessary).
VRRPc requires a separate IP address which will be shared between the redundantly deployed units.
SSL Considerations
If configuring SSL Acceleration, the following information is required:
Private Key and Certificate in PEM format.
Most keys/certificates can be exported from existing servers and then imported into the AppBeat DC.
Additionally, the certificate must have the text prepend before the “BEGIN CERTIFICATE” statement.
If keys/certificates do not exist yet, a Certificate Request will have to be created and submitted to a Certificate Authority, which will then issue the appropriate certificate for import into the AppBeat DC.
Installation and Configuration
Physical Installation
Unpack and securely install unit.
Plug in required Gbic(s) and attach AppBeat DC to local switch(es).
Attach provided serial cable to workstations running terminal emulation software (for example, Microsoft HyperTerminal or TeraTerm). Default serial configuration is as follows:
  Baud:          115,200
  Data:          8 bit
  Parity:        none
  Stop:          1 bit
  Flow Control:  none
Refer to Chapter 2. AppBeat DC Installation for specific information regarding unpacking and mounting instructions.
Initial Boot Configuration
Power on AppBeat DC.
During the initial boot process, the AppBeat DC will detect the existence of a startup configuration file. If one does not exist, a menu is displayed prompting the user to enter one of several configuration modes. It is recommended that the Automatic Configuration Dialog (ACD) be used. (Use option “2” to enter the ACD.) The following information should be configured:
Configure unit’s name.
Create admin username and password.
Configure IP address and default route for Management Ethernet Interface.
Configure IP address and default route for Gigabit Ethernet Interfaces.
Configuring “Accelerated services” at this point is optional, but is covered in later chapters to provide a more detailed explanation.
Save configuration. After finishing the ACD, the new configuration is presented for verification along with a menu. Choose option “2” to save and load the new configuration.
Refer to Chapter 5. Initial Configuration & Global Settings for additional details regarding the ACD and other basic unit configuration.
Log in to AppBeat DC
Log in with the newly configured admin account.
Refer to Chapter 3. Introduction to the Command Line Interface or Chapter 4. Introduction to the Graphical User Interface for specific information regarding log in procedures and options.
Additional Basic Configuration Options
Once logged into the AppBeat DC, additional options can be configured.
Additional IP addresses and/or routes.
Management Access Control Lists.
Logging Options.
HTTP Header Options.
Refer to Chapter 5. Initial Configuration & Global Settings for additional configuration details and options.
Acceleration Topology Configuration
Create Farm(s).
Create Cluster(s).
Clusters are created inside of a farm.
Configure Real Server(s).
One server per cluster for single server acceleration.
The load balancing license is required to add more than one server to a cluster.
Create Virtual Server.
If deploying in “spoofed” mode, the Virtual Server IP will be the same as the real server. Otherwise, the Virtual Server IP should be a new, unused IP address.
Map Virtual Server to a Cluster.
Refer to Chapter 7. Server Topology – Farms/Clusters/Real Servers for additional information.
Compression Configuration
Create Compression Profile.
Define content-type to be compressed within Compression Profile.
Enable Compression Profile per Cluster.
Refer to Chapter 9. Compression for additional configuration details.
SSL Configuration
Import or create private key.
Import or create Certificate/Request.
Create SSL Server Profile.
Profile should include previously created/imported key and certificate.
Enable SSL Profile per Cluster or Virtual Server.
Refer to Chapter 10. SSL Acceleration for additional configuration details.
VRRPc Redundancy Configuration
Install two AppBeat DC units.
Configure VRRPc Interface IP addresses.
Configure VRRPc groups and enable feature.
Refer to Chapter 12. VRRPc Redundancy for additional configuration details.
Chapter 2. AppBeat DC Installation
Chapter 2 describes the hardware installation process for the AppBeat DC.
Introduction.
AppBeat DC Kit General Specifications.
Installing the AppBeat DC Hardware.
LED Status Definitions
Introduction
This chapter provides the essential information required to unpack and mount the AppBeat DC. The CN-5500E is a 2U rack-mounted unit. The AppBeat DC is offered in 2, 4, 8, or 10 SFP GbE interface configurations. Gbic interfaces enable the use of either Copper or Fiber Gigabit Ethernet connectivity based on the module(s) installed. The AppBeat DC™ comes with two management interfaces:
RS-232/RJ45 Console port.
100BT/RJ45 Out of Band Ethernet Interface.
AppBeat DC™ Kit General Specifications
The AppBeat DC™ kit provides you with the following items:
AppBeat DC™ unit.
SFP (Gbic) Gigabit Ethernet modules (Fiber or Copper).
Documentation provided on CD.
Serial Cables.
Brackets and screws.
Power Cable(s) – Units sold in U.S.A. only.
Do not drop. Handle the AppBeat DC unit with care.
AppBeat DC Installation Kit Detailed Items List
The AppBeat DC™ kit that you purchased should include the following equipment:
SFP (Gbic) Gigabit Ethernet modules – Comes according to the number and type you order.
Installation guide – Available on CD.
Cables:
1.5 meter power cable – According to the relevant standard of your country.
2 meter, RS-232 to RJ-45 Serial console cable.
Brackets and screws:
Rack mount brackets.
Screws (+1 spare) for the AppBeat DC™ brackets.
Installing the AppBeat DC™ Hardware
Unpack the AppBeat DC™ unit from its protective cardboard box (packed with Styrofoam inserts). The next step requires that you prepare it for installation in the rack.
The AppBeat DC unit is an electrical appliance. Handle it carefully and do not plug in the power cord until after it is installed in the rack.
Installing the AppBeat DC in the Rack
To install the AppBeat DC
1. Install the rack mount brackets included in the installation kit to the front of the AppBeat DC. Be sure to use the black screws that accompany the brackets, as they are longer than the screws removed from the AppBeat DC.
2. Tighten screws to ensure the brackets are securely connected to the front sides of the AppBeat DC.
3. Slide the AppBeat DC into an available rack.
4. Secure the AppBeat DC to the rack with the screws provided by the rack manufacturer as illustrated in Figure 6 below.
Figure 6: Mounting Brackets
Inserting the SFP Gigabit Ethernet Modules and Connecting the Cables
After you mount the AppBeat DC™ in the rack, the next step requires you to insert the Gigabit Ethernet modules into the ports and connect the cables.
Inserting the SFP Gigabit Ethernet module into the Ports
Insert the module (optical or copper) into the ports on the front panel of the AppBeat DC™ (Figure 7).
Figure 7: SFP (Gbic) Interfaces
Connecting Cables
For the initial setup, you are required to attach the following cables to the AppBeat DC™:
Serial Console cable – See AppBeat DC Installation Kit Detailed Items List on page 14 for a description.
Management Ethernet cable – See AppBeat DC Installation Kit Detailed Items List on page 14 for a description.
Power cable – Standard 110 (US) or 220 (Europe/Asia) cable according to your location.
Gigabit Ethernet cables – Standard optical or copper cables.
To connect the cables
1. Connect the serial console cable into the AppBeat DC™ console port and to the console (see Figure 8).
2. Connect the Management cable into the AppBeat DC™ Ethernet port and to the management network (see Figure 8).
3. Connect the power cable. The unit will become powered-on immediately after plugging the cable in.
Figure 8: Front Panel
LED Status Definitions
The AppBeat DC has three operational status LEDs located on the right front panel as well as a single LED for each physical interface. The blinking activity and related status of each LED is defined in this section.
Status LEDs
Power.
On – Power is on.
System.
Off – Normal state.
On – Problem with FLASH memory, user intervention required.
Status.
Blinking – System is operational; ready for use.
Fast Blinking – Error; not operational.
Interface LEDs for CN-5500E
The CN-5500E incorporates LEDs to represent interface activity in addition to the basic link notification.
Link LED
On – Interface has link.
Off – Interface has no link.
Activity LED
Blinks depending on link activity level.
Chapter 3. Introduction to the Command Line Interface
Chapter 3 describes the AppBeat DC CLI command set. This chapter provides the basic information needed to access, navigate, and use the CLI as a powerful means of configuration.
Accessing the CLI.
Conventions used in this Guide.
CLI Prompt Structure.
CLI Navigation.
Configurable CLI Parameters.
Using the ‘show’ Command.
Using the ‘no’ Command.
Accessing the CLI
Connection – The CLI can be accessed via the Serial interface (RS-232) and Ethernet Management interface using SSH or Telnet.
Number of connections – The AppBeat DC supports up to 5 concurrent remote management connections via SSH or Telnet.
Authentication – Each connection requires a username and password. Each user is given privileges according to the user level (user, admin, or tech). In general, an “admin” or “tech” user level is required to perform configuration operations. All users can view the current configuration and the system status.
Serial Console Settings
Use the serial port in conjunction with the provided serial cable to open a console session using a Terminal Emulation program (for example, Microsoft HyperTerminal, TeraTerm, etc.).
Set up the serial port as follows:
  Bits per second:  115,200
  Data bits:        8
  Parity:           None
  Stop bits:        1
  Flow control:     None
Conventions Used in this Guide
This User Guide presents instructions for configuring the AppBeat DC. All configuration variables are available through the CLI while a majority of them are also available in the GUI. When discussing configuration concepts, the CLI version of a command will be demonstrated first, followed by a GUI example if applicable.
The CLI conventions used for this user guide are as follows:
Table 1: CLI Conventions
  Convention    Description
  Italicized    Indicates user input command elements like specifying a name or IP address.
  ?             Enter a question mark at any point to get help.
  |             Indicates a delimiter between options.
  {Braces}      Commands enclosed in braces indicate mandatory command elements.
  [Brackets]    Commands enclosed in brackets indicate optional settings.
CLI Prompt Structure
CLI navigation is composed of a prompt level based hierarchy. Each level contains specific commands relevant to that level. For example, at the interface level the user enters an interface name and can configure all the relevant parameters for that interface (i.e. IP address, VLAN information, etc.). The CLI command set consists of all the available CLI commands required to configure and monitor the AppBeat DC™. The command structure is based on the following prompt levels:
Figure 9: Prompt Levels
The prompt represents the current prompt level a user is in. The prompt level is stated for each command explained throughout this User Guide.
Examples:
In Root level, the prompt is (root>).
In System level, the prompt is (system>).
In Configuration level, the prompt is (config>).
In Configuration → Interface level, the prompt is (gigabit-ethernet port 1>).
In Configuration → Farm level, the prompt is (farm "Farm">).
Commands on a higher level in the command tree are available. Command completion is only available when in the correct prompt level.
CLI Navigation
Case Sensitivity
CLI commands, keywords, and reserved words are not case-sensitive. Commands and keywords can be entered in upper or lower case. User-defined text strings are not case-sensitive and can be defined in both upper and lower case (including mixed cases). Character case in the user-defined text strings is preserved in the configuration for readability purposes only.
Basic Navigation
The CLI allows for the use of the TAB key for command completion as well as supporting abbreviated commands. For example, instead of typing the command “configure terminal” a user can input “c t” instead. The CLI contains a command buffer of the last 16 commands. When using the up/down arrows, only the relevant commands related to the current configuration level display. Also, prior to accepting a configuration entry (line), the line can be edited.
Additionally, the following special keys can be used to aid in navigating within the CLI.
Table 2: Special Keys for Navigating within CLI
  Key                     Function
  ?                       List available choices in the current prompt level and privilege/security level.
  Backspace               Deletes characters backward, one character at a time.
  Tab                     Completes command word.
  [ESC] [ESC]             Clears the prompt line.
  Ctrl-N or Down Arrow    Go to the next line in the history buffer.
  Ctrl-P or Up Arrow      Go to the previous line in the history buffer.
The special keys rely on a VT compatible terminal.
Online Help
Commands that enable you to query the Online Help feature are specified according to:
Command mode.
Command.
Keyword.
Argument.
Table 3: Online Help Query Commands
  Convention                        Description
  abbreviated-command-entry         Obtain a list of commands that begin with a particular character string.
  abbreviated-command-entry<Tab>    Complete a partial command name.
  ?                                 List all commands available for a particular command mode in given prompt level and with current user credentials.
  command ?                         List a command’s associated keywords.
  command keyword ?                 List a keyword’s associated arguments.
Configurable CLI Parameters
There are several options for adjusting the way information is displayed within the CLI. All options can be accessed via the root> prompt as displayed below:
  root>cli
  abbreviated        set cli mode to abbreviated
  case-sensitive     make cli case-sensitive
  auto-clear         make cli clear command line after syntax error
  sort-help          display cli help by alphabetical order
  color              enable color support
  parent-mode        set cli parent mode
  more               set number of lines for asking for more
  idle-inactivity    set idle time (before automatically exiting session)
Using the ‘show’ Command
The show command is one of the most important commands available in the CLI. Show can be used to view virtually any configuration variable. The command is located in the root prompt level “root>” but will operate within any prompt level.
To show configuration information
Command Syntax:
  show variable
Prompt level - Root
Example command:
  root> show ?
Output:
  root> show
  cli                      show cli information
  ip                       display IP information
  vrrpc                    display vrrpc information
  ftp-record               display ftp record
  system                   display system parameters
  version                  display version
  running                  display running configuration
  startup                  display startup configuration
  file                     display a file from /FLD/cfg directory
  users                    display users table
  compression              display compression profiles data
  boot-test                display startup test status
  global-data              show global data
  license-codes            show codes for activated features
  server-queue-limit       show long queue protection status
  connection-inactivity    show time intervals to wait before resetting the connections
  server-rx-window         show server RX window size
  tcp                      display TCP information
  real                     display real server information
  virtual                  display virtual server information
  farm                     display farms
  cluster                  display clusters
  counters                 display counters
  interfaces               display interfaces table
  vlans                    display vlans table
  snmp                     display snmp information
  logging                  show logging information
  ssl                      ssl cli commands
Example command:
  root> show interfaces gigabit-ethernet 1
Output:
  gigabit-ethernet 1, Admin UP, Status UP
  Description giga ethernet 1
  Hardware address 00-50-C2-22-A3-29
  Fiber Sfp
  Internet address 10.1.1.100, Mask 255.255.255.0
  MTU 9216 bytes, BW 1000 Mbit, FULL duplex
Example command:
  root> show system
Output:
  Hostname CN-5500, Date: 11:02:05 Time: 17:45:37
  Servers: HTTP Server Enabled, SNMP Enabled, SSH Disabled, Telnet Enabled
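The Servers line of the show system output above reports which management services are running; in the sample, Telnet and the HTTP server are enabled while SSH is disabled. The following Python script is an added example, not part of the Crescendo Networks guide: it parses that line from a captured session and flags cleartext management services. The function names and the review policy sets are assumptions of the example.

```python
import re

# Constructed sample: the "show system" output as printed in this guide,
# split across two lines the way a terminal capture would show it.
SAMPLE_SHOW_SYSTEM = (
    "Hostname CN-5500, Date: 11:02:05 Time: 17:45:37\n"
    "Servers: HTTP Server Enabled, SNMP Enabled, SSH Disabled, Telnet Enabled\n"
)

# Assumed review policy (an assumption of this example, not from the guide):
# Telnet and HTTP carry logins unencrypted; SSH is the encrypted CLI path.
CLEARTEXT_SERVICES = {"HTTP Server", "Telnet"}
EXPECTED_ENABLED = {"SSH"}
REVIEW_IF_ENABLED = {"SNMP"}
KNOWN_SERVICES = CLEARTEXT_SERVICES | EXPECTED_ENABLED | REVIEW_IF_ENABLED

ENTRY_RE = re.compile(r"^(?P<name>.+?)\s+(?P<state>Enabled|Disabled)$", re.IGNORECASE)
SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def parse_services(show_system_output):
    """Return {service name: True if enabled} from the 'Servers:' line."""
    # re.search also copes with captures where the output was flattened
    # onto a single line and 'Servers:' appears mid-line.
    match = re.search(r"Servers:\s*(?P<entries>[^\r\n]+)", show_system_output)
    if match is None:
        raise ValueError("no 'Servers:' line in show system output")
    services = {}
    for raw in match.group("entries").split(","):
        entry = ENTRY_RE.match(raw.strip())
        if entry is None:
            # Fail closed: an unparsed entry must not be silently treated as safe.
            raise ValueError(f"unrecognised service entry: {raw.strip()!r}")
        services[entry.group("name")] = entry.group("state").lower() == "enabled"
    return services


def audit_management_services(services):
    """Return (severity, service, reason) findings, most severe first."""
    findings = []
    for name, enabled in services.items():
        if name not in KNOWN_SERVICES:
            findings.append(("info", name, "service not covered by this policy"))
        elif enabled and name in CLEARTEXT_SERVICES:
            findings.append(("high", name, "cleartext management protocol is enabled"))
        elif not enabled and name in EXPECTED_ENABLED:
            findings.append(("medium", name, "encrypted management access is disabled"))
        elif enabled and name in REVIEW_IF_ENABLED:
            findings.append(
                ("info", name, "confirm Management Access Control Lists restrict who can reach it")
            )
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    parsed = parse_services(SAMPLE_SHOW_SYSTEM)
    for severity, service, reason in audit_management_services(parsed):
        print(f"[{severity}] {service}: {reason}")
```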
Using the ‘no’ Command
The CLI provides the “no” command to undo or disable most configuration elements of the AppBeat DC.
To undo a command
Command Syntax:
  no command [variable]
Prompt level - Configure
Example command:
To remove an IP Address from an interface:
  gigabit-ethernet-1> no ip address
To disable the http server for the GUI:
  config> no http
Chapter 4. Introduction to the Graphical User Interface
Chapter 4 introduces and explains the AppBeat DC Web-based Graphical User Interface (GUI).
Graphical User Interface (GUI) Overview.
Preparations – Installing Sun Java.
Logging in to the GUI.
Navigating the GUI.
Graphical User Interface (GUI) Overview
The AppBeat DC GUI is a powerful tool for monitoring and managing the AppBeat DC. The GUI is a Java-based SNMP management application launched via a Web browser.
Preparations – Installing Sun Java
The workstation accessing the AppBeat DC must have the latest version of Sun Java installed. Java can be freely downloaded and installed at http://www.java.com.
Logging in to the GUI
From a Web browser, connect to the IP address of the management interface of the AppBeat DC.
Ensure that ports 80 and 161 are available to enable access to the GUI. Once connected, a Crescendo Networks image will display in the existing browser window as shown in Figure 10. Do not close this window; doing so will close the Java-based GUI management application.
Figure 10: Management Interface of AppBeat DC – Crescendo Networks Image
The user is presented with a separate window which prompts for log in credentials as shown in Figure 11.
Figure 11: Login Screen
Log in using a user name and password created during the Auto Configuration Dialog or normal CLI configuration. Once logged in, the AppBeat DC GUI will be presented as a separate window. See Chapter 5. Initial Configuration & Global Settings.
Navigating the GUI
The GUI functions in five primary modes:
Summary – Displays basic real time information and unit status.
Monitoring – Enables the user to view real-time and “last 5 minutes” performance information for the AppBeat DC, farms, clusters, and servers.
History – Displays historical performance information for the AppBeat DC, farms, clusters, and servers.
Configuration – Enables the user to configure most aspects of the AppBeat DC.
Events – Enables the user to view real-time and past events.
Summary
Summary mode displays basic global information such as the number of operational farms, clusters, and servers. Additionally, it shows real time relative performance and transaction performance within the previous 24 hours.
Figure 12: Summary Screen
Monitoring
Monitoring Mode enables the user to view real-time and “last 5 minutes” performance information for the AppBeat DC, farms, clusters, and servers. Click on an object in the Topology window to view related performance information. Selecting a cluster will present the aggregate information for all servers contained in that specific cluster. Selecting a farm will present the aggregate information for all clusters and servers contained in that specific farm.
Figure 13: Monitoring Screen
History The History mode displays historical performance information for the AppBeat DC, farms, clusters, and servers. The History service must be enabled for each unit you wish to view historical information for. History can be enabled through the Configuration mode.
Figure 14: History Screen
While in History mode, click on an object in the Topology window. If historical information is available, the pull down data menus will be available. Up to 4 data types can be viewed simultaneously. Once selected, the information will be charted in the right panel. Selecting a cluster will present the aggregate information for all servers contained in that specific cluster. Selecting a farm will present the aggregate information for all clusters and servers contained in that specific farm. Additionally, the graph's time scale can be adjusted to minutes, days, or weeks by cycling through the icon at the bottom of the window.
Configuration
Configuration mode enables the user to configure most aspects of the AppBeat DC. Click on an object in the Topology window. Available configuration variables will be displayed in the right panel. Always click Apply to implement changes. To make the configuration change permanent for subsequent unit startups, make sure to save the running configuration by clicking File → Configuration → Save Configuration.
Figure 15: Configuration Screen
Events Events mode enables the user to view GUI Event information. In order to see information, GUI Events and Logging per unit/object must be enabled.
Figure 16: Events Screen
To enable GUI Events, enter Configuration mode. From the Topology window, select the AppBeat DC icon. In the right pane, select the Events & Logging tab. Check the box labeled “GUI Events” and customize the logging level for associated events you would like displayed in the Events mode window. Click Apply. Next, you will have to enable logging for each element you would like to see logging information. Do this by selecting each element in the Topology window and checking the box labeled “logging”. Click Apply.
5 Initial Configuration & Global Settings Chapter 5 introduces the initial configuration and basic administrative configuration options of the AppBeat DC.
Before Proceeding.
Conventions Used in this Guide.
Initial Configuration (Auto Configuration Dialog).
Global Configuration Commands.
Interface Commands.
Networking Commands.
Client-side TCP Commands.
Server-side TCP Commands.
Security Commands.
System Commands.
Supportability Commands.
Before Proceeding In order to proceed with the Initial Configuration & Global Setting, the following steps should be satisfied.
The AppBeat DC should be properly mounted and connected to power. Please see Chapter 2. AppBeat DC Installation.
The Gbic interfaces should be installed and connected via Fiber or Copper to a switch. Please see Chapter 2. AppBeat DC Installation.
Management connectivity should be available, whether through Serial Console or via Management Ethernet Interface (GUI, Telnet, or SSH). Please see Chapter 3. Introduction to the Command Line Interface.
Conventions Used in this Guide This User Guide presents instructions for configuring the AppBeat DC. All configuration variables are available through the CLI while a majority of them are also available in the GUI. When discussing configuration concepts, the CLI version of a command will be demonstrated first, followed by a GUI example if applicable. The CLI conventions used for this user guide are as follows: Table 4: CLI Conventions
Convention    Description
Italicized    Indicates user input command elements like specifying a name or IP address.
?             Enter a question mark at any point to get help.
|             Indicates a delimiter between options.
{Braces}      Commands enclosed in braces indicate mandatory command elements.
[Brackets]    Commands enclosed in brackets indicate optional settings.
Initial Configuration Once the AppBeat DC is properly mounted and connected to a terminal via the provided serial cable (See Chapter 2. AppBeat DC Installation and Chapter 3. Introduction to the Command Line Interface), the unit can be powered on for the first time. The following section will demonstrate the configuration of a newly installed AppBeat DC by demonstrating the Auto Configuration Dialog. The remaining sections of Chapter 5 demonstrate additional global configuration parameters. The example used throughout this section assumes a basic network environment as displayed in Figure 17.
Figure 17: Basic Network Environment
Initiating the Auto Configuration Dialog (ACD)
After the boot process initializes successfully, the following options will be displayed through the Serial Console if the AppBeat DC shipped without a configuration file (startup.cfg):
[1] Run startup config file from the current directory
[2] Activate the A.C.D (Auto Configuration Dialog)
[3] Run the CLI without running any startup config file
Enter your selection: 2
If a configuration file exists (for example, if the preceding menu is not displayed upon boot up) the existing startup.cfg file should be deleted or renamed, after which the box will present the startup menu upon the next reboot. The startup.cfg file can be renamed or deleted by logging into the CLI as an administrator or with the “rescue” account, entering the system> prompt, and then issuing the rename or delete commands for the “startup.cfg” file. File management operations are covered in greater detail later in this chapter.
Proceed by selecting option “2” to enter the Auto Configuration Dialog and input the required information. Table 5: CLI Conventions
Configuration:
Would you like to enter the initial configuration dialog (yes/no)? [yes] yes
Enter host name [CN-5500]: CN-5500
Enter admin username [Admin]: admin
Enter password: *****
Retype password for verification: *****
Comments: The username and password defined are case sensitive.

Configuration:
Enter IP address for the Management interface: 192.168.1.100
Enter subnet mask for this interface [255.255.255.0] : 255.255.255.0
Enter Management Default Gateway IP address: 192.168.1.1
Do you wish to enable SSH server (yes/no)? [yes] yes
Do you wish to enable HTTP GUI (yes/no)? [yes] yes
Comments: If no DG is required, press enter. If SSH is disabled during this process, Telnet will be automatically enabled.

Configuration:
Please select a data port 1-8: 1
Enter IP address for this interface: 10.1.1.254
Enter subnet mask for this interface [255.255.255.0] : 255.255.255.0
Do you want to define an IP-address to another data port (yes/no)? [no] no
Enter external network Default Gateway IP address: 10.1.1.253
Comments: If no DG is required, press enter.

Configuration:
Do you wish to configure Accelerated services (yes/no)? [NO]:yes
Comments: The next section of the ACD deals with configuring servers. You can choose to skip this portion by answering “no” as the manual addresses the remaining config issues in detail.

Configuration:
Enter farm name: Farm-1
Enter cluster name: Cluster-1
Enter Real Server name: Server-1
Enter Real Server IP address:10.1.1.1
Please select Real Server port [80]:80
Do you wish to add more real servers (yes/no)? [NO]:yes
Enter Real Server name: Server-2
Enter Real Server IP address:10.1.1.2
Please select Real Server port [80]:80
Do you wish to add more real servers (yes/no)? [NO]:no
Do you wish to add more clusters (yes/no)? [NO]:no
Do you wish to add more farms (yes/no)? [NO]:no
Do you wish to configure Virtual Servers (yes/no)? [NO]:yes
Enter Virtual Server name: Virtual-1
Enter Virtual Server IP address:10.1.1.100
Please select Virtual Server port [80]:
Do you wish to define a default cluster (yes/no)? [NO]:yes
Enter Default Cluster name: Cluster-1
Do you wish to add more virtual servers (yes/no)? [NO]:no
Once complete, the AppBeat DC will display the configuration details, as follows:
The following configuration has been created:
File : /RAMD/auto_startup.cfg
hostname CN-5080E
user admin admin admin
interface management ethernet
ip address 192.168.1.100 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ssh-server v1
http-server
interface gigabit-ethernet 1
ip address 10.1.1.254 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.253
farm Farm-1
cluster Cluster-1
real Server-1 10.1.1.1 80
real Server-2 10.1.1.2 80
virtual Virtual-1 10.1.1.100 80
default cluster Cluster-1
[1] Return back to the setup without saving this config
[2] Save this configuration file, run it and exit the dialog
[3] Run the startup.cfg from the current directory
[4] Go to the CLI command prompt without saving this config
Enter option “1” to cancel the configuration and restart the ACD, or choose option “2” to save and load the new configuration.
Enter your selection [2]: 2
Copy OK: 314 bytes copied
run startup script "/FLD/cfg/startup.cfg"
login: admin
password: *****
root>
Log in with the admin account created during the ACD.
Initial Configuration Summary It is not required that “Accelerated Services” be configured during the ACD. The remaining sections in Chapter 5 deal with Global Configuration Settings such as interface, routing, user administration, and logging issues. Additional configuration details are provided in individual chapters for Server Acceleration & Load Balancing, Compression, SSL Acceleration, and unit redundancy.
Outbound Traffic Rate Shaping
The AppBeat DC is equipped with Gigabit Ethernet data interfaces. Many outbound links utilize a Fast Ethernet (100Mb/s) connection. Therefore, all data transmissions are sent at Gigabit speed to the outbound link. In some network environments, this could result in the AppBeat DC flooding the outbound link causing dropped packets and subsequently poor performance. In these instances, the AppBeat DC must be configured to “shape” the rate at which data is transmitted to accommodate the slower outbound connection. This is accomplished with the rate-shaping command. By default, rate-shaping is disabled; meaning data is transmitted at maximum speed and burst rates. When installing the AppBeat DC in a network with slower outbound link connectivity, the command should be used as follows:
To set the rate-shaping globally
Command Syntax:
rate-shaping {value in Mb/s} {max burst size in KB/s}
no rate-shaping
Prompt level - Configure
Example command: To set the rate-shaping for a Fast Ethernet (100Mb/s) link:
config> rate-shaping 100 128
To set the rate-shaping per interface
Command Syntax:
rate-shaping {value in Mb/s} {max burst size in KB/s}
no rate-shaping
Prompt level – Configure → Interface Gigabit
Example command: To set the rate-shaping for a Fast Ethernet (100Mb/s) link:
gigabit-ethernet port 1> rate-shaping 100 128
To set the rate-shaping per interface from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the AppBeat DC icon, then select the Ports & VLANs tab.
Figure 18: Setting the Rate-Shaping per Interface
3. Select the Port and Aggregator interface for adjusting the rate shaping.
4. Configure the Rate and Maximum Burst Size. A rate of 0 and Maximum Burst Size of 16 are the default values which represent no rate shaping.
Global Configuration Commands Use the CLI Global Commands to define the AppBeat DC™ basic administrative settings. They are as follows:
Showing Configuration Information.
Host Name.
Calendar set.
Internal clock.
Services for Remote Management (SSH/Telnet).
Services for SNMP server access.
SNMP Configuration.
HTTP Server Configuration.
Proxy Signature (HTTP Header configuration).
Showing Configuration Information from the CLI
The show command is one of the most important commands available in the CLI. Show can be used to view almost any configuration variable. The command is located in the root prompt level “root>” but will operate within any prompt level.
To show configuration information
Command Syntax:
show variable
Prompt level - Root
Example command:
root> show ?
Output:
cli                     show cli information
ip                      display IP information
vrrpc                   display vrrpc information
ftp-record              display ftp record
system                  display system parameters
version                 display version
running                 display running configuration
startup                 display startup configuration
file                    display a file from /FLD/cfg directory
users                   display users table
compression             display compression profiles data
boot-test               display startup test status
global-data             show global data
license-codes           show codes for activated features
server-queue-limit      show long queue protection status
connection-inactivity   show time intervals to wait before resetting the connections
server-rx-window        show server RX window size
tcp                     display TCP information
real                    display real server information
virtual                 display virtual server information
farm                    display farms
cluster                 display clusters
counters                display counters
interfaces              display interfaces table
vlans                   display vlans table
snmp                    display snmp information
logging                 show logging information
ssl                     ssl cli commands
root> show interfaces gigabit-ethernet 1
Output:
gigabit-ethernet 1, Admin UP, Status UP
Description giga ethernet 1
Hardware address 00-50-C2-22-A3-29 Copper Sfp
Internet address 10.1.1.100, Mask 255.255.255.0
MTU 9216 bytes, BW 1000 Mbit, FULL duplex
root> show system
Output:
Hostname CN-5020E, Date: 25:07:06 Time: 16:19:23
Servers: HTTP Server Enabled (listening on port 80), SNMP Enabled, SSH Disabled, Telnet Disabled
Using the “no” command from the CLI
The CLI provides the “no” command to undo or disable most configuration elements of the AppBeat DC.
To undo a command
Command Syntax:
no command [variable]
Prompt level - Configure
Example command: To remove an IP Address from an interface:
gigabit-ethernet-1> no ip address
To disable the http server for the GUI:
config> no http
Host Name The host name is specified to distinguish the AppBeat DC being managed. Perform the following commands to set the AppBeat DC hostname. To set the hostname from the CLI Command Syntax: hostname box-name
Prompt level - Configure Example command: config> hostname CN-1
To set the Hostname from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the AppBeat DC icon.
Figure 19: Setting the Hostname
3. Select the Global tab and input new hostname in the Name window.
Calendar and Time Settings
To set the Calendar from the CLI
Perform the following example commands to set the AppBeat DC calendar.
Command Syntax:
calendar dd:mm:yy
Prompt level - Configure
Example command:
config> calendar 22:02:04
To set the Calendar from the GUI
The calendar can be set in the GUI via the Configuration → AppBeat DC → System tab screen as shown in Figure 19.
To Set the Internal Clock from the CLI
Perform the following example commands to set the AppBeat DC internal clock settings.
Command Syntax:
clock hh:mm:ss
Prompt level - Configure
Example command:
config> clock 15:00:00
To set the Clock from the GUI
The clock can be set in the GUI via the Configuration → AppBeat DC → Global tab screen as shown in Figure 19.
Telnet and Secure Shell (SSH) Management Configuration
Perform the following example commands to set the AppBeat DC service availability (Telnet/SSH): When performing the initial configuration using the Auto Configuration Dialog (A.C.D.), an option is presented to enable or disable SSH access. If the ssh-server is disabled, the telnet-server is automatically enabled.
To enable/disable telnet server from the CLI
Command Syntax:
telnet-server
no telnet-server
Prompt level - Configure
Example commands:
config> telnet-server
Output: enabling telnet access
config> no telnet-server
Output: disabling telnet access
To enable/disable the SSH server from the CLI
Command Syntax:
ssh-server [v1 | v2]
no ssh-server
Prompt level - Configure
Example commands:
config> ssh-server
Output: enabling ssh access
config> no ssh-server
Output: disable ssh-server
The telnet-server and ssh-server toggle each other. When one is enabled, the other is disabled.
To enable/disable Telnet or SSH from the GUI
The clock can be set in the GUI via the Configuration → AppBeat DC → Global tab screen as shown in Figure 19.
To configure Telnet/SSH Session Idle Inactivity Timer from the CLI
Telnet/SSH connections made to the AppBeat DC’s management port are automatically closed by the AppBeat DC after a configured period of inactivity. The default value for telnet/SSH session inactivity is 10 minutes, but the value can be changed if necessary.
Command Syntax:
cli idle-inactivity {seconds}
no cli idle-inactivity
Prompt level - Configure
Example commands:
root> cli idle-inactivity 1200
root> no cli idle-inactivity
SNMP Management Configuration
The SNMP server can be enabled and disabled only from the CLI. Perform the following example commands to set the AppBeat DC SNMP server configuration.
To enable/disable the SNMP server from the CLI
Command Syntax:
snmp-server
no snmp-server
Prompt level - Configure
Example commands:
config> snmp-server
Output: enabling Snmp access
config> no snmp-server
Output: disabling Snmp access
The SNMP server status can be enabled or disabled only from the CLI. The SNMP “name” and “location” variables are the only fields modifiable via the GUI. Additionally, the SNMP server must be enabled for the GUI to operate.
To configure the SNMP server contact from the CLI
Command Syntax:
snmp-server contact contact-string
Prompt level - Configure
Example command:
config> snmp-server contact jones
To configure the SNMP server location from the CLI
Command Syntax:
snmp-server location location-string
Prompt level - Configure
Example command:
config> snmp-server location "main office"
To configure the SNMP server community from the CLI
Command Syntax:
snmp-server community community-string {read | write-read}
Prompt level - Configure
Example commands:
config> snmp-server community-string read password
config> snmp-server community-string write-read read_and_write
SNMP Configuration from the GUI
The SNMP server must be enabled for the GUI to operate. The SNMP server status can be enabled or disabled only from the CLI. The SNMP “name” and “location” variables are the only fields modifiable via the GUI. These options can be set in the GUI via the Configuration → Topology screen as shown in Figure 4.1.3.1.
HTTP Management Configuration
The HTTP service can be enabled and configured. Perform the following example commands to set the AppBeat DC HTTP server configuration. The HTTP service must be enabled in order for the GUI to function properly.
To enable/disable the HTTP server from the CLI
Command Syntax:
http-server [listening-port]
no http-server
Prompt level - Configure
Example commands:
config> http-server
Output: enabling HTTP access
config> no http-server
Output: disabling HTTP access
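The Telnet/SSH, SNMP and HTTP settings described above can be reviewed offline from a saved configuration file. The following Python script is an added example, not part of the Crescendo Networks software or this guide; it assumes full command names, one per line, as in the ACD output, and the severity labels and the parse/audit function names are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: commands in the form this chapter shows them (the ACD
# output plus the guide's SNMP and idle-timer examples), one per line.
SAMPLE_CFG = """\
hostname CN-5080E
interface management ethernet
ip address 192.168.1.100 255.255.255.0
ssh-server v1
http-server
snmp-server
snmp-server community-string read password
snmp-server community-string write-read read_and_write
cli idle-inactivity 1200
"""

DEFAULT_IDLE = 600  # guide: default Telnet/SSH inactivity timer is 10 minutes


@dataclass
class MgmtState:
    telnet: bool = False
    ssh: Optional[str] = None        # None = off, else "v1", "v2", "unspecified"
    http_port: Optional[int] = None  # None = HTTP server for the GUI is off
    snmp: bool = False
    communities: List[Tuple[str, str]] = field(default_factory=list)  # (name, access)
    idle_seconds: int = DEFAULT_IDLE


def parse(cfg: str) -> MgmtState:
    """Replay management-service commands in order; the last one wins."""
    st = MgmtState()
    for raw in cfg.splitlines():
        tok = raw.split()
        neg = bool(tok) and tok[0] == "no"
        if neg:
            tok = tok[1:]
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]
        if cmd == "telnet-server":
            st.telnet = not neg
            if st.telnet:
                st.ssh = None        # guide: enabling one disables the other
        elif cmd == "ssh-server":
            if neg:
                st.ssh = None
            else:
                st.ssh = args[0] if args and args[0] in ("v1", "v2") else "unspecified"
                st.telnet = False
        elif cmd == "http-server":
            port = int(args[0]) if args and args[0].isdigit() else 80
            st.http_port = None if neg else port
        elif cmd == "snmp-server" and not args:
            st.snmp = not neg
        elif cmd == "snmp-server" and not neg and len(args) == 3:
            # The guide shows two orders: "community <string> <access>" in the
            # syntax line and "community-string <access> <string>" in the example.
            if args[0] == "community":
                st.communities.append((args[1], args[2]))
            elif args[0] == "community-string":
                st.communities.append((args[2], args[1]))
        elif cmd == "cli" and args[:1] == ["idle-inactivity"]:
            st.idle_seconds = DEFAULT_IDLE if neg or len(args) < 2 else int(args[1])
    return st


def audit(st: MgmtState) -> List[Tuple[str, str, str]]:
    """Return (severity, check, advice) for each weak management setting."""
    out = []
    if st.telnet:
        out.append(("HIGH", "telnet-server",
                    "credentials cross the network in cleartext; use ssh-server v2"))
    if st.ssh == "v1":
        out.append(("HIGH", "ssh-server v1",
                    "SSH protocol 1 is obsolete; configure ssh-server v2"))
    elif st.ssh == "unspecified":
        out.append(("INFO", "ssh-server",
                    "protocol version not pinned; set v2 explicitly"))
    if st.http_port is not None:
        out.append(("MEDIUM", "http-server",
                    f"GUI is served over unencrypted HTTP on port {st.http_port}; "
                    "keep it on the out-of-band management network"))
    if st.snmp:
        for _name, access in st.communities:  # never echo the community string
            if access == "write-read":
                out.append(("MEDIUM", "snmp write-read",
                            "community grants write access; confirm it is needed"))
    if st.idle_seconds > DEFAULT_IDLE:
        out.append(("LOW", "cli idle-inactivity",
                    f"{st.idle_seconds}s exceeds the 10-minute default"))
    return out


if __name__ == "__main__":
    for sev, check, advice in audit(parse(SAMPLE_CFG)):
        print(f"{sev:6} {check:20} {advice}")
```

Because the guide states that the GUI needs both the HTTP and SNMP servers, those two findings are usually addressed by restricting reachability of the management port rather than by disabling the services.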
Auto Configuration Dialog (A.C.D.)
The Auto Configuration Dialog provides a wizard-like approach to configuring the AppBeat DC. When the AppBeat DC boots and the initial configuration file (startup.cfg) does not exist, the user is prompted to use the A.C.D. to create a configuration file. Upon completion of the wizard, the user will be prompted to load and save the new configuration information as startup.cfg. During the next boot process, the AppBeat DC will use the information found in the startup.cfg file.
To initiate the Auto Configuration Dialog during normal operation from the CLI
Command Syntax:
auto-config
Prompt level – Configure
Global History Service
To enable the AppBeat DC to save historical performance information for specified objects like farms, clusters, or servers, the History service must be enabled globally. Once enabled globally, individual objects must enable the history function as a separate configuration action before historical data will be available.
To enable/disable history from the CLI
Command Syntax:
service history
no service history
Prompt level - Configure
Example command:
config> service history
config> no service history
Proxy Signature (HTTP Header Settings)
The AppBeat DC acts as a TCP intermediary, maintaining separate client and server connections. In this way, the AppBeat DC operates as a proxy and can insert special headers on the client and server connections to identify itself. By default, the AppBeat DC inserts the following header into client-side responses and server-side requests:
Via: CN-5500E
The header used to identify the AppBeat DC can be disabled or configured as either “Via” or “X-Via” for either the client or server side connections.
To configure proxy signature from the CLI
Command Syntax:
proxy-sign {via | x-via} {to-client | to-server | [CR] (to both)}
no proxy-sign
Prompt level - Configure
Example command:
config> proxy-sign via
config> proxy-sign x-via to-server
To configure proxy signature (to backend server) from the GUI
1. From the Configuration mode of the GUI, click on the Servers Topology icon.
2. Adjust the Proxy Signature settings in the General tab.
Figure 20: Setting the Proxy Signature to the Backend Server
To configure proxy signature (to clients) from the GUI
1. From the Configuration mode of the GUI, click on the Virtual Servers icon.
2. Adjust the Proxy Signature settings in the Advanced tab.
Figure 21: Setting the Proxy Signature to the Clients
Interface Commands
Use the CLI commands to configure the following AppBeat DC interfaces:
Management Ethernet port.
Management Serial port.
Use the CLI and the GUI to configure the following AppBeat DC interface:
Gigabit-Ethernet data ports.
It is important to understand that the AppBeat DC utilizes an out-of-band management architecture for enhanced security and manageability. Because of this, two terms are used throughout this User Guide to discuss the path of data: data-path and management-path. Data-path refers to any traffic being accelerated or routed through the primary interfaces of the AppBeat DC. Management-path refers only to traffic destined to the management Ethernet port. For each path, there is a separate routing table and PING commands.
Configuring the Management Ethernet Interface
The management Ethernet interface can only be configured from the CLI. Perform the following commands to configure the AppBeat DC Management interfaces. The management Ethernet interface is used for all remote management access, e.g., GUI, SNMP, Software and configuration file management, etc. The management Ethernet interface has a separate routing table and must have a default route to access a remote network.
To configure the management Ethernet interface from the CLI
Command Syntax:
interface management ethernet
Prompt level - Configure
Example commands:
config> interface management ethernet
To add IP-address to the management Ethernet interface from the CLI
Command Syntax:
ip address ip-address subnet-mask
no ip address
Prompt level - Configure → Interface Management Ethernet
Example commands:
management-ethernet> ip address 192.168.1.100 255.255.255.0
management-ethernet> no ip address
To configure management Ethernet interface description from the CLI
Command Syntax:
description interface-description
Prompt level - Configure → Interface Management Ethernet
Example commands:
management-ethernet> description FW_DMZ_2
To configure the management interface route from the CLI
Command Syntax:
ip route prefix-ip-address prefix-mask nexthop-ip
no ip route prefix-ip-address prefix-mask nexthop-ip
Prompt level - Configure → Interface Management Ethernet
Example commands:
management-ethernet> ip route 0.0.0.0 0.0.0.0 10.0.0.1
management-ethernet> no ip route 0.0.0.0 0.0.0.0
To ping via the management interfaces from the CLI
Command Syntax:
ping mgmt IP-address [count number of pings] [size buffer-size]
Prompt level - Root
Example commands:
root> ping mgmt 10.0.0.8
Configuring the Management Serial Interface
The management serial interface can only be configured from the CLI. Perform the following commands to configure the AppBeat DC Management interface. The default settings for the Management Serial Interface are:
Baud: 115,200
Data bits: 8
Parity: none
Stop bits: 1
Flow Control: none
To configure the management serial interface from the CLI
Command Syntax:
interface management serial
Prompt level - Configure
Example commands:
config> interface management serial
Perform the following example commands to configure the AppBeat DC console port. Management-serial console configuration is required so port specific characteristics can be configured.
To configure management serial interfaces from the CLI
Command Syntax:
speed bps
Prompt level - Configure → Management Serial
Example command:
management-serial> speed 115200
To configure management-serial interface descriptions from the CLI
Command Syntax:
description interface-description
Prompt level – Configure → Management Serial
Example command:
management-serial> description "TS11"
Configuring Gigabit-Ethernet Interfaces
Perform the following example commands to configure the AppBeat DC Gigabit-Ethernet interfaces.
To configure gigabit-ethernet interfaces from the CLI
Command Syntax:
interface gigabit-ethernet {1-2 | 1-8 | 1-4 | 1-10}
Prompt level - Configure
Example commands:
config> interface gigabit-ethernet 1
To configure gigabit-ethernet interface descriptions from the CLI
Command Syntax:
description interface-description
Prompt level - Configure → Interface Gigabit
Example commands:
gigabit-ethernet port 1> description "link to web farm"
To set the administrative status of the gigabit-ethernet interface from the CLI
Command Syntax:
shutdown
no shutdown
Prompt level - Configure → Interface Gigabit
Example commands:
gigabit-ethernet port 1> shutdown
gigabit-ethernet port 1> no shutdown
To configure gigabit-ethernet interface IP addresses from the CLI
Command Syntax:
ip address ip-address subnet-mask
no ip address ip-address
Prompt level - Configure → Interface Gigabit
Example commands:
gigabit-ethernet port 1> ip address 10.1.1.254 255.255.255.0
gigabit-ethernet port 1> no ip address
To configure gigabit-ethernet interfaces from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the AppBeat DC icon, then select the IP tab.
Figure 22: Setting Gigabit-Ethernet Interfaces
3. From the Ports window, use the drop down menu to select the physical port or aggregator on the AppBeat DC to be configured.
4. Enter the IP Address, Subnet Mask, and/or VLAN information.
5. Click Apply.
Configuring Interface Speed/Duplex Settings for the CN-5500E The CN-5500E supports the ability to configure individual port speed and duplex parameters. Each interface can be configured for auto negotiation of these options, manually configured as 10/100/1000 speed and full/half duplex. To configure speed/duplex settings per interface Command Syntax: speed {10mb | 100mb | 1000mb | auto} duplex {full | half | auto}
Prompt level - Interface Example commands: gigabit-ethernet port 1> speed 1000mb gigabit-ethernet port 1> duplex full
VLAN Support
VLAN support is achieved by defining sub-interfaces on a physical port. The range can be from 1 to 4095. The VLAN is exactly the same configuration as a regular Gigabit ethernet port with added VLAN and VLAN number. The AppBeat DC supports 802.1q VLAN tagging. Tagging is automatically enabled upon configuration of a VLAN interface. Packets leaving a VLAN interface are tagged using that interface's associated VLAN number.
To establish single or multiple sub-interfaces per port from the CLI
Command Syntax:
interface gigabit-ethernet inf-number vlan vlan-number
Prompt level - Configure Example commands: config>interface gigabit-ethernet 6 vlan 901
To configure Vlan gigabit-ethernet interface description from the CLI Command Syntax: description interface-description
Prompt level - Configure - interface gigabit Vlan Example commands: gigabit-ethernet port 6 Vlan 901>description Server Ian on Vlan 901
To set the administrative status of the Vlan gigabit-ethernet interface from the CLI Command Syntax: shutdown no shutdown
Prompt level - Configure - interface gigabit Vlan Example commands: gigabit-ethernet port 6 Vlan 901> shutdown gigabit-ethernet port 6 Vlan 901> no shutdown
To configure Vlan gigabit-ethernet interface IP addresses from the CLI Command Syntax: ip address ip-address subnet-mask no ip address ip-address
Prompt level - Configure - interface gigabit Vlan Example commands: gigabit-ethernet port 6 Vlan 901> ip address 10.10.10.5 255.255.255.0
While in the interface prompt, a shortcut to the sub-interface with VLAN tag is available with the command: VLAN {vlan-number}. This brings the user into the prompt level: "interface GigabitEthernet {port} VLAN {vlan-number}". The Gigabit Ethernet port cannot have an IP address if VLANs are associated with the port. Each VLAN interface can be shut down individually, or the entire Gigabit Ethernet port can be shut down, which results in all associated VLANs being shut down. For security purposes, tagged packets are only accepted when the port/network/VLAN match; any mismatched packets are discarded.
To configure VLAN variables from the GUI
VLAN interfaces can be set in the GUI via the Configuration → AppBeat DC icon → Ports & VLANs tab screen as shown in Figure 23.
Figure 23: Setting VLAN Variables
Link Aggregation The AppBeat DC supports Link Aggregation (LAG), which enables the configured system to reach increased bandwidth and availability by creating a Link Aggregation Group, or aggregator. Depending on the configuration, there are either 2 or 5 predefined aggregators in the system. The aggregator enables one or more physical ports to be grouped together and treated as a single link. The aggregator is a system interface, for which IP subnets or VLANs can be created. The IP subnet and VLANs are created the same way for aggregators as they are for a regular interface. To switch the CLI interface to specific aggregator’s context menu: In the CLI, some aggregation commands can only be used within a specific aggregator’s context menu. Use this command to ensure that you are working in the correct aggregator’s context menu. Command Syntax: interface aggregator <1…5>
Prompt level - Configure
Example commands:
config> interface aggregator 2
aggr 2> exit
The aggregator context menu has the following available commands:
Exit          exit the current context
No            undo command
ip            ip related commands
vrrpc         vrrpc configuration
shutdown      shutdown the interface
mode          set the mode of the interface (speed only)
description   set the interface description
To add or remove a port from an aggregator Command Syntax: Description aggregator-group <1…10> Description no aggregator-group <1…10>
Prompt level - Configure - interface gigabit VLAN Example commands: Config> interface gigabit-ethernet 4 gigabit-ethernet port 4> aggregator-group <1…5> Config> interface gigabit-ethernet 4 gigabit-ethernet port 4> no aggregator-group <1…5>
To configure a VLAN for an aggregator from the CLI Command Syntax: interface aggregator <1…5> vlan <1…4095>
Prompt level - Configure - interface gigabit VLAN Example commands: Config>interface aggregator 2 vlan 55 aggr 2.55>
To display aggregators
Command Syntax:
    show interfaces
    show interfaces aggregator <1…5>
Prompt level - Configure - interface gigabit VLAN
Example commands:
Example for displaying information about all physical interfaces, VLANs, aggregators, and VLANs on aggregators:
    show interfaces
Example for displaying information about a specific aggregator:
    root> show interfaces aggregator 1
Output:
    aggregator 1, Admin UP, Status UP
    Description link aggregator 1
    Hardware address 00-50-C2-22-A5-71
    Internet address 2.1.2.1, Mask 255.255.255.192
    MTU 9216 bytes, BW 1000 Mbps, FULL duplex
    Physical ports 1,2,8,10

To display information about all interfaces, as well as VLANs with configured IP addresses
Command Syntax:
    show interfaces ip
Prompt level - Configure - interface gigabit VLAN
Example commands:
    root> show interfaces ip
Output:
    root> show interfaces ip
    Interface  IP Address  IP Mask        ShapeRate  BurstSize  Admin  Oper
    1          1.2.3.1     255.0.0.0      No Limit   No Limit   UP     DOWN
    2.56       10.20.3.6   255.255.0.0    No Limit   No Limit   UP     DOWN
    3          2.2.3.4     255.0.0.0      No Limit   No Limit   UP     DOWN
    aggr1      4.2.3.4     255.0.0.0      No Limit   No Limit   UP     DOWN
    aggr3.40   5.2.3.4     255.0.0.0      No Limit   No Limit   UP     DOWN
    Mgmt       10.0.2.146  255.255.252.0  No Limit   No Limit   UP     UP
    Available Ethernet ports: 4
The output contains a line for each interface. The interfaces can be any of the following:
Aggregator – Appears as aggr<aggregator number>, for example, aggr1.
Physical port – Appears as <port number>, for example, 1.
VLANs with IP addresses – Appears as aggr<aggregator number>.<VID>, for example, aggr3.40.
Management – Appears as Mgmt.
To add a port to an aggregator from the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology window, click the AppBeat DC icon, then select the IP tab.
3. Ensure that no IP addresses are specified in the IP tab.
4. Select the Ports & VLANs tab.
Figure 24: Adding a Port to an Aggregator
5. From the Port window, use the drop-down menu to select the port that you want to add to an aggregator. For example, Port 5.
6. In the Aggregator window, select the Aggregator to which you want to add the port. For example, Aggregator 4.
7. Ensure each of the following:
   • The Admin check box is checked.
   • Auto mode (1000 Mbps / Full Duplex) is selected.
   • No VLANs are specified in the Ports and VLANs window.
8. Click Apply. In the example, Port 5 is added to Aggregator 4.
To remove a port from an aggregator from the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology window, click the AppBeat DC icon, then select the Ports & VLANs tab.
Figure 25: Removing a Port from an Aggregator
3. From the Port window, use the drop-down menu to select the port that you want to remove from an aggregator. For example, Port 5.
4. In the Aggregator window, select None.
5. Click Apply. The Port is removed from the Aggregator.
Networking Commands
The networking commands for the AppBeat DC provide the functionality to configure static routes (including default gateway) for the data path.

Routing
Configure the routing for the AppBeat DC unit by performing the following example commands.

To add/remove routes from the CLI
Command Syntax:
    ip route ip-address mask nexthop-ip [enable | disable]
    no ip route ip-address mask
Prompt level - Configure
Example commands:
    config> ip route 0.0.0.0 0.0.0.0 10.1.1.200
    config> no ip route 192.168.1.0 255.255.255.0

To show IP route information from the CLI
Command Syntax:
    show ip route
Prompt level - Root
Example commands:
    root> show ip route
To add/remove routes from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the AppBeat DC icon, then select the IP tab.
Figure 26: Adding and Removing Routes
3. From the Ports window, use the drop-down menu to select the physical port or aggregator on the AppBeat DC to which you want to add or remove a route.
4. In the IP route window:
   • To add an IP route, enter the IP Address, Network Mask, and Next Hop information and click Apply.
   • To remove an IP route, select the row of the IP route that you want to remove, and click Delete.
Disable Routing of Non-accelerated Traffic between Interfaces
By default, the AppBeat DC routes traffic between all the IP interfaces configured on its data ports. This applies to all non-accelerated traffic that is not terminated at the AppBeat DC itself. Routing between the AppBeat DC IP interfaces can be disabled in order to prevent the unit from passing non-accelerated traffic from one IP interface to another.

To disable routing of non-accelerated traffic from the CLI
Command Syntax:
    routing {enable | disable}
Prompt level - Configure
Example commands:
    config> routing enable
    config> routing disable

To disable routing of non-accelerated traffic from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the AppBeat DC icon, then select the Global tab.
Figure 27: Disabling Routing of Non-Accelerated Traffic
3. Uncheck Routing (non-accelerated traffic) and click Apply.
Client-side TCP Commands
As the termination point of all incoming connections, the AppBeat DC sets up and maintains all client-side connections. For these connections, a number of variables are configurable. Always consult with Crescendo’s technical support staff before changing these parameters.

Client-side TCP Windows
The AppBeat DC terminates and owns all TCP connections with clients. A number of parameters are configurable on the AppBeat DC:
Initial Transmit Window (KB) – the initial transmit window used for client-side TCP connections. This is the total number of bytes the AppBeat DC will send to the client without waiting for an ACK at the start of a TCP connection. The transmit window will increase as the connection ramps up. The default value for this parameter is 3KB.
Maximum Transmit Window (KB) – the maximum number of bytes the AppBeat DC will send over a client connection without waiting for an ACK. The default value for this parameter is 6KB.
Maximum Receive Window (KB) – the maximum window size the AppBeat DC will advertise to a TCP client. The default value for this parameter is 8KB.

To configure client-side TCP windows from the CLI
Command Syntax:
    tcp {client-initial-tx-window | client-max-tx-window | client-rx-window} window-size
Prompt level - Configure
Example commands:
    config> tcp client-initial-tx-window 5
The client-initial-tx-window is a value between 1KB and 6KB.
    config> tcp client-max-tx-window 16
The client-max-tx-window is a value between 1KB and 32KB.
    config> tcp client-rx-window 32
The client-rx-window is a value between 8KB and 64KB.
To configure client-side TCP windows from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Virtual Servers icon, then select the Advanced tab.
Figure 28: Setting Client-Side TCP Windows
Client-side TCP Inactivity Timers
There are also two TCP inactivity timers that control how long idle client connections are kept open by the AppBeat DC. There are two kinds of TCP client connections. An Active client connection is one where the connection is currently in use for a transaction. This is most common when the client has sent a request but has yet to receive a response. An Idle client connection is one where there is no activity on the TCP connection at all; the last transaction (if applicable) was completed successfully and the TCP connection is now idle with the client not waiting for a response. The inactivity timers for these two types of connections are both configurable and indicate how long the AppBeat DC will keep each kind of connection open when there is no data present over the connection. The default timer for both kinds of connections is 30 seconds. After this inactivity timer, the AppBeat DC will close the connection.

To configure client-side TCP inactivity timers from the CLI
Command Syntax:
    tcp connection-inactivity {idle-client-time | active-client-time} inactivity-time
Prompt level - Configure
Example commands:
    config> tcp connection-inactivity idle-client-time 30
The idle-client-time is a value between 15 and 4,096 seconds.
    config> tcp connection-inactivity active-client-time 30
The active-client-time is a value between 15 and 4,096 seconds.

To configure client-side TCP inactivity timers from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Virtual Servers icon, then select the Advanced tab as shown in Figure 28.
Client-side MSS
TCP Maximum Segment Size (MSS) is used by a TCP client to announce to its TCP peer the maximum TCP segment it is willing to receive. The peer, in turn, should not send any TCP segments larger than the MSS announced by the client. Both TCP endpoints do this, each announcing to its peer the MSS it expects to receive when the connection is initially set up. The TCP MSS will have an impact on packet sizes as well. MSS is a TCP option and is only seen in TCP SYN segments.
The AppBeat DC uses a default MSS of 1462 Bytes for client-side TCP connections. However, this MSS is configurable and can be adjusted if necessary.

To configure client-side TCP MSS from the CLI
Command Syntax:
    tcp client-max-mss mss-size
Prompt level - Configure
Example commands:
    config> tcp client-max-mss 1452
The client-max-mss is a value between 536 and 1452 bytes.
FastTCP
FastTCP refers to a collection of advanced algorithms used by the AppBeat DC to optimize and further accelerate TCP connections. There are three primary mechanisms deployed by FastTCP:
Accelerated Slow Start – FastTCP employs a slow start algorithm that ramps up to optimal TCP connection speed quicker than standard TCP slow start algorithms. This is done by ramping up the TCP transmit window for the clients quickly. This mechanism is always used by the AppBeat DC and the Initial Transmit Window and Maximum Transmit Window configurations control the transmit window sizes used for a connection. Each connection starts at the Initial Transmit Window and ramps up to the Maximum Transmit Window as quickly as the TCP connection allows.
Slow Start Avoidance – FastTCP can adaptively adjust the inactivity timers used for active and idle client TCP connections (see definition of connection types above). This is done by enabling the Adaptive Inactivity feature of the AppBeat DC. Enabling this mechanism overrides the static inactivity timer configuration and enables FastTCP to dynamically adjust how long client connections are kept open, based on client behavior and system load. Keeping connections open longer encourages clients to reuse TCP connections and not move to new connections. This reduces the total number of connections seen per individual client, therefore reducing the number of slow starts each client is subjected to.
Advanced Congestion Avoidance – Standard TCP congestion avoidance algorithms ramp up TCP connections until there are dropped packets and then continue to implement a rudimentary trial-and-error mechanism in order to find the optimal bandwidth of a connection. FastTCP employs an adaptive mechanism that continually monitors the possible bandwidth of a TCP connection and dynamically adjusts the AppBeat DC’s transmit window in order to continue operating at maximum TCP connection capacity, avoiding dropped packets altogether. This mechanism is activated by enabling FastTCP’s Adaptive Transmit Window functionality. Enabling the Adaptive Transmit Window overrides the Maximum Transmit Window configured since FastTCP adaptively adjusts the transmit window during a TCP connection.
The following two diagrams illustrate how standard TCP operates and the ways in which FastTCP optimizes and accelerates client-side TCP connections to the AppBeat DC:
Figure 29: FastTCP (1)
Figure 30: FastTCP (2)
To configure FastTCP from the CLI
Command Syntax:
    fast-tcp adaptive-transmit-window
Prompt level - Configure
Example commands:
    config> fast-tcp adaptive-transmit-window
    config> fast-tcp no-adaptive-transmit-window

To configure FastTCP from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Virtual Servers icon, then select the Advanced tab.
Figure 31: Setting FastTCP
Server-side TCP Commands
Just as the AppBeat DC is the termination point for all client-side TCP connections, it also sets up a small number of TCP connections with each server it’s front-ending. These are highly optimized connections, owned and maintained by the AppBeat DC. For these connections, a number of variables are configurable. Always consult with Crescendo’s technical support staff before changing these parameters.

Server-side TCP Windows
The server-side TCP window configuration parameters are similar to those on the client-side:
Initial Transmit Window (KB) – the initial transmit window used for server-side TCP connections. This is the total number of bytes the AppBeat DC will send to the server without waiting for an ACK at the start of a TCP connection. The transmit window will increase as the connection ramps up. The default value for this parameter is 6KB.
Maximum Transmit Window (KB) – the maximum number of bytes the AppBeat DC will send over a server connection without waiting for an ACK. The default value for this parameter is 6KB.
Maximum Receive Window (KB) – the maximum window size the AppBeat DC will advertise to a TCP server. The default value for this parameter is 8KB.

To configure server-side TCP windows from the CLI
Command Syntax:
    tcp {server-initial-tx-window | server-max-tx-window | server-rx-window} window-size
Prompt level - Configure
Example commands:
    config> tcp server-initial-tx-window 5
The server-initial-tx-window is a value between 1KB and 6KB.
    config> tcp server-max-tx-window 16
The server-max-tx-window is a value between 1KB and 32KB.
    config> tcp server-rx-window 32
The server-rx-window is a value between 8KB and 64KB.
To configure server-side TCP windows from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Virtual Servers icon, then select the Advanced tab.
Figure 32: Setting Server-Side TCP Windows
Security
The Security commands for the AppBeat DC unit enable the definition of users/password, access-lists, SSH, etc.

User Configuration
Three categories of users can be assigned to log on to the AppBeat DC, each with their own set of privileges. The user categories are:
User – permitted to use show commands and view statistics.
Administrator (admin) – permitted privileges to do all operations.
Technician (tech) – permitted the same privileges as the admin, with the addition of "debug" facilities.
The default user created during the Auto Configuration Dialog (A.C.D.) has administrator privilege. Define users for the AppBeat DC unit by performing the following example commands. Substitute real names in place of the listed example names, where required.

To configure user/password privileges from the CLI
Command Syntax:
    user username {password | encrypted encrypted-passwd} {admin | user | technician}
Prompt level - Configure
Example commands:
    config> user james jeremy user
    config> username bob password encrypted 095F571A0D001A admin
    config> no user james
The option to add a user with an encrypted password allows inserting a user from a previous configuration without having to know the user’s clear text password.
To view online users information from the CLI
Command Syntax:
    show users
Prompt level - Root
Example commands:
    root> show users
Output:
    User Table:
    user name   permission
    bob         admin
    james       user
Access Lists for the Management Ethernet Interface
The access lists (ACL) provide a key protection component for management of the AppBeat DC. The ACL consists of a list of rules that enable administrators to permit or deny remote management access from specific hosts or networks. The following steps are required to create and apply an access list to the management interface.
• Define an access list name and the first policy within it.
• Each policy within the access list can either "permit" or "deny" management access from a specified host or network.
• By default, there is no access list enabled on the AppBeat DC, therefore allowing remote administration from any IP address.

To define access list for management Ethernet port from the CLI
Command Syntax:
    ip access-list name permit ip-address mask subnet-mask
Prompt level - Configure
Example commands:
The following example demonstrates the creation of an access list (ACL1), which restricts remote management access from all but one host (1.2.3.4).
    config> ip access-list ACL1 deny 0.0.0.0 mask 0.0.0.0
    config> ip access-list ACL1 permit 1.2.3.4
The maximum number of entries in an access list is limited to 100.
To implement the access list on the management Ethernet interface from the CLI
Command Syntax:
    ip access-list acl-name
    no ip access-list
Prompt level - Configure - Management ethernet
Example commands:
    config> interface management ethernet
    management-ethernet> ip access-list ACL1
    management-ethernet> no ip access-list ACL1
The access list uses best match, and not order priority.

To view access list information from the CLI
Command Syntax:
    show ip access-list name
Prompt level - Root
Example commands:
    root> show ip access list james
The access list is based on best match, longest prefix, and not based on the order of the permit/deny command.
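The best-match rule above, modelled as an added example (not Crescendo's code): a small Python evaluator that picks the longest matching prefix and contrasts it with first-match ordering on the guide's ACL1. It assumes that a rule with no mask is a single host, that equal-length conflicts resolve to deny, and that a source matching no rule is denied; the guide states none of these, and the MGMT list is constructed.

```python
import ipaddress

# The two ACL1 rules from the guide's example, in the order the guide enters them.
PAGE_ACL = [
    "config> ip access-list ACL1 deny 0.0.0.0 mask 0.0.0.0",
    "config> ip access-list ACL1 permit 1.2.3.4",
]

# Constructed list with nested prefixes, to show how specificity decides.
CONSTRUCTED_ACL = [
    "ip access-list MGMT permit 10.0.0.0 mask 255.0.0.0",
    "ip access-list MGMT deny 10.1.0.0 mask 255.255.0.0",
    "ip access-list MGMT permit 10.1.2.0 mask 255.255.255.0",
]


def parse_rule(line):
    """Parse 'ip access-list NAME {permit|deny} ADDR [mask MASK]'; a CLI prompt is optional."""
    tok = line.split(">", 1)[-1].split()
    if len(tok) not in (5, 7) or tok[:2] != ["ip", "access-list"]:
        raise ValueError(f"not an access-list rule: {line!r}")
    name, action, addr = tok[2], tok[3], tok[4]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action!r}")
    # Assumption: a rule without a mask is a host entry (255.255.255.255).
    mask = "255.255.255.255"
    if len(tok) == 7:
        if tok[5] != "mask":
            raise ValueError(f"expected 'mask', got {tok[5]!r}")
        mask = tok[6]
    mask_int = int(ipaddress.IPv4Address(mask))
    prefix = bin(mask_int).count("1")
    # Reject masks whose one-bits are not contiguous from the left.
    if mask_int != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return name, action, ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)


def best_match(rules, acl, source, no_match="deny"):
    """Longest-prefix decision, independent of rule order."""
    src = ipaddress.IPv4Address(source)
    hits = [(net.prefixlen, action == "deny", action)
            for name, action, net in rules if name == acl and src in net]
    # max(): longest prefix wins; on equal length, deny outranks permit (assumption).
    return max(hits)[2] if hits else no_match


def first_match(rules, acl, source, no_match="deny"):
    """Order-priority decision, shown only for contrast; the guide says this is NOT used."""
    src = ipaddress.IPv4Address(source)
    for name, action, net in rules:
        if name == acl and src in net:
            return action
    return no_match


if __name__ == "__main__":
    rules = [parse_rule(line) for line in PAGE_ACL]
    for host in ("1.2.3.4", "1.2.3.5"):
        print(host, "best:", best_match(rules, "ACL1", host),
              "first:", first_match(rules, "ACL1", host))
```

Under order priority the guide's ACL1 would lock out 1.2.3.4, because the deny-all rule is entered first; under best match the host entry is more specific and the permit applies regardless of entry order.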
System Commands The system commands for the AppBeat DC unit consist of the following categories:
Configuration File Management.
File Transfer/Management.
File Commands.
Software and Operating System Upgrade and Version Control.
Configuration File Management
Manage the configuration file by performing the following example commands. Substitute real names in place of the listed example names, where required. The configuration file will save the running configuration to flash. The startup.cfg file loads after the system boots. The configuration file is text based and can be viewed with a standard text editor.

To save the configuration file from the CLI
Command Syntax:
    save-config {[Startup.cfg] | filename}
Prompt level - System
Example commands:
    system> save-config backup.cfg

To view running configuration from the CLI
Command Syntax:
    show running-config
Prompt level - Root
Example command:
    root> show running-config

To view saved configuration file from the CLI
Command Syntax:
    show startup-config
Prompt level - Root
Example command:
    root> show startup-config
Loading Additional Configuration Files to a Running Config
This feature enables an administrator to apply configuration variables from a separate configuration file. For example, an administrator adding to or modifying an existing configuration may choose to upload a file which contains all of the required configuration modifications. The add-config command can be used to process all new configuration changes found in the file. The changes can then be saved to the start-up configuration.

To execute commands from a file from the CLI
Command Syntax:
    add-config file-name
Prompt level - System
This command processes commands found in the defined file. The file should be ASCII text and be located on the local file system. The ftp-get command can be used to download the file to the local file system.

File Transfer/Management
The AppBeat DC has the capability to transfer files/software versions to and from a remote FTP server. The initial configuration of a remote FTP account is required using the ftp-record command.

To configure an FTP record from the CLI
Command Syntax:
    ftp-record username : passwd @ ipaddress directory
Prompt level - Configure
Example commands:
    config> ftp-record james : er @ 10.10.10.10 samsonzi
To retrieve a remote file via FTP from the CLI
There are four types of files which can be transferred via ftp. Each file type is addressed in a different way; it is important to select the correct operation:
default – retrieved as a regular file and is saved as-is to flash file system.
config – downloads a configuration file, tests for validity and saves as "startup.cfg".
operating system – downloads operating system image. Low level system drives are rarely changed. There are two banks, primary and secondary. The newly downloaded operating system is saved to the primary bank and will be used after the next system reboot. The backup is available in case the primary is corrupted.
version – downloads application image. This is the combined hardware and software image. As with the operating system, there are two banks, primary and secondary. Unlike the operating system, the downloaded version is saved to the secondary bank, and can be ’toggled’ to be the primary, at the user’s discretion.
Command Syntax:
    ftp-get filename {config | version | operating-system}
Prompt level - System
Example command:
    system> ftp-get startup.cfg

To export a file via FTP from the CLI
Command Syntax:
    ftp-put filename
Prompt level - System
Example command:
    system> ftp-put startup.cfg
File Commands
The AppBeat DC has a flash file system for storing configuration files. The following commands will aid in managing the files.

To display files in the current directory from the CLI
Command Syntax:
    dir
Prompt level - System
Example command:
    system> dir

To copy files from the CLI
Command Syntax:
    copy filename1 filename2
Prompt level - System
Example command:
    system> copy startup.cfg backup.cfg

To delete files from the CLI
Command Syntax:
    delete filename
Prompt level - System
Example command:
    system> delete startup.cfg

To rename files from the CLI
Command Syntax:
    rename filename1 filename2
Prompt level - System
Example commands:
    system> rename backup.cfg startup.cfg

To save the configuration or license files from the CLI
Command Syntax:
    save [config | license]
Prompt level - System
Example commands:
    system> save config
Software and Operating System Upgrade and Version Control
The AppBeat DC has two software images, primary and secondary. The system boots from the primary image. Each image has an operating system and application software component. Before upgrading software, read the associated Release Notes carefully to understand if the new version of application software requires a new operating system version as well.

To upgrade Application and OS from the CLI
Check Release Notes of new Application Software and determine if a new Operating System is required.
Download the necessary file(s) from the Crescendo Networks Support website.
Application software is typically named “CN5KA_x_xx_xx.ar”.
Operating System software is named “CN5KO-x_xx_xx.tar”.
Place these files on the FTP server configured for access by the AppBeat DC.
From the CLI, log in as an administrator.
Verify the username, password, ftp server IP address, and directory path are set up correctly for the ftp-record command.
Use the show ftp-record command to verify settings.
From the system> prompt, transfer the new Operating System first, if required:
As described in File Transfer/Management on page 81, use the following command:
    ftp-get CN5KO-x_xx_xx.tar operating-system
Next, transfer the new Application Software:
As described in File Transfer/Management on page 81, use the following command:
    ftp-get CN55A_x_xx_xx.ar version
Verify that the new Application is downloaded and installed successfully by using the show version detailed command. The version should exist in the “Secondary version” section.
From the system> prompt, use the software-toggle-boot command to switch the Secondary (new) software with the Primary software.
Reboot the AppBeat DC.
To upgrade Application from the GUI
The AppBeat DC application software can be upgraded from the GUI using HTTP. This alleviates the need to place the new application software on an FTP server. Please note, upgrading the Operating System via HTTP is currently not supported. Verify that the new application version does not require an operating system upgrade. If it does, the traditional method of upgrading both the OS and Application must be followed. When upgrading through the GUI, using the HTTP method, the application software is automatically uploaded to the secondary memory space. An upload status will not be displayed during upload. On a LAN, software update typically takes between 2-3 minutes. Before resetting the unit, the secondary version (new software) must be placed in the primary version memory space.
From the GUI, click on File → Software → Update via HTTP.
Select application file to be uploaded; usually in the format “CN5KA_4_xx_xx.ar”.
When upload is complete, click on File → Software → Switch Between Secondary and Primary Application.
Verify the new version is correctly located in the Primary Version memory space by clicking on Help → About.
Reboot the AppBeat DC by clicking File → Software → Reset Device.
To view the current running software version from the CLI
Command Syntax:
    show version
Prompt level - Root
Example commands:
    root> show version detailed
Output:
    board type : CN5510E
    hardware version : a.0.0
    board serial number : CN608070277
    management port MAC : 00-1D-B1-00-11-50
    physical memory : 1024 Mbytes
    primary version : 55A.7.0.1
    primary os version: 1.04.34
    secondary version : 55A.7.1.5
    secondary os version: 1.04.34
    running version : 55A.7.0.1
    running os version: 1.04.34
    software version : Nov 28 2007-14:52:57
    firmware version : V000 07-03-07 / V000 14-01-07
    SSL H/W version : 177d/1
    Compression H/W version : 0xFFFF0000
    ALP is not licensed
    uptime is 0 weeks, 0 days, 22 hours, 39 minutes, 26 seconds

To show system information from the CLI
Command Syntax:
    show system
Prompt level - Root
Example command:
    root> show system
Output:
    Hostname Crescendo, Date: 06:07:06 Time: 16:44:56
    Servers: HTTP Server Enabled (listening on port 80), SNMP Enabled, SSH Disabled, Telnet Enabled

To toggle the boot to alternate software image from the CLI
Command Syntax:
    software-toggle-boot
Prompt level - System
Example commands:
    system> software-toggle-boot

To synchronize the secondary OS version with the primary from the CLI
Command Syntax:
    operating-system-sync
Prompt level - System
Example commands:
    system> operating-system-sync

To synchronize the secondary software image with the primary from the CLI
Command Syntax:
    software-sync
Prompt level - System
Example commands:
    system> software-sync

Logging Commands
Logging
The logging commands all reside under the "configure" prompt level and are configurable by the administrator user. The administrator user can access levels 0-6 (Debug level 7 is restricted to debug with technician privileges). The log information is configured globally and each "client" can be configured to filter or receive all the logs. A client can be a console, memory, file on flash, or syslog server.

To set the AppBeat DC message logging level setting from the CLI
Command Syntax:
    logging threshold {[global | syslog | console | buffer | persistent]} level subject]
Prompt level - Configure
Example commands:
    config> logging threshold global

To display filter thresholds from the CLI
Command Syntax:
    show logging threshold
Prompt level - Root
Example commands:
    root> show logging threshold
Output:
    logging configuration
    logging to syslog is disabled, server 10.0.0.
    logging to console is disabled
    01 test events generated from level debug
       buffer does not capture events
       persistent buffer does not capture events
       console does not capture events
       syslog does not capture events
    02 network events generated from level debug
       buffer does not capture events
       persistent buffer does not capture events
       console does not capture events
       syslog does not capture events
    03 system....
This command continues for all the services.

To direct logs to the console from the CLI
Command Syntax:
    logging console
    no logging console
Prompt level - Configure
Example commands:
    config> logging console
    config> no logging console
Only one console can receive debug information; it can be a serial connection or a telnet/ssh session. The total number of CLIs at any given time can be five (5).

To direct logs to the internal buffer (cyclic 4096 lines) from the CLI
Command Syntax:
    logging buffered
    no logging buffered
Prompt level - Configure
Example commands:
    config> logging buffered
    config> no logging buffered

To log messages to the Syslog server from the CLI
Command Syntax:
    logging syslog ip-address {port-num [514]} facility [local7]
    no logging syslog
Prompt level - Configure
Example commands:
    config> logging syslog 1.2.3.4 513 facility 20
    config> no logging syslog

To show which units are configured to log from the CLI
Command Syntax:
    show logging
Prompt level - Root
Example commands:
    config>show logging
Output:
    logging configuration:
    logging to syslog is disabled, server 10.0.0.48:514 base 184
    logging to console is enabled (this terminal)
To set logging server configuration from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Topology icon.
Figure 33: Setting Logging Server Configuration
3. Click the check box of the Syslog and/or GUI Events to configure the associated servers.
6 Server Preparation and Logging Considerations
Chapter 6 provides critical information regarding server configuration. This chapter should be consulted to ensure the proper server configuration before attempting to accelerate and/or load balance with the AppBeat DC.
• Server Preparation.
• Server Logging Considerations (Original Client IP).
Server Preparation Within the AppBeat DC configuration, servers are defined as “real” servers. A real server definition includes the server IP address and TCP port from which the application can be accessed. Real servers can be configured within HTTP clusters or TCP clusters. HTTP clusters are defined for HTTP based applications which have the ability to utilize the full suite of acceleration features within the AppBeat DC such as TCP Offload (multiplexing and optimization), Compression, and SSL Acceleration. TCP clusters are used for nonHTTP based TCP applications. Depending on the type of application—and, ultimately the type of cluster—the server must be properly configured to ensure functionality and optimum performance.
HTTP Server Configuration Requirements
When a server is configured in an HTTP cluster, the Maestro opens a small number of “backend” connections to it. These connections are designed to stay open indefinitely, limiting the overall TCP connection setup and teardown activity on the server. Because of this behavior, it is important that the servers be configured to take full advantage of the small number of backend connections. Many servers are not configured to use long-lasting TCP connections because of the burden of managing them when not front-ended by the AppBeat DC. Therefore, it is important to follow these guidelines before configuring a server to be accelerated by the Maestro. Failure to do so may result in poor performance and, in some cases, increased CPU utilization on the server.
Apache
Apache requires the following modifications to be made to the httpd.conf file, usually found in the /etc/httpd/conf/ directory.
KeepAlive On (By default, this is set to “Off”).
MaxKeepAliveRequests 0 (Provides unlimited requests, by default, set to “100”).
KeepAliveTimeout 45 (By default, set to 15).
Microsoft IIS
There is no special configuration required for default configurations of Microsoft IIS 5 or IIS 6.
Other Servers
If the server being load balanced/accelerated by the Maestro is a server other than Apache or Microsoft IIS, please verify that the HTTP Keep-Alive and Request per Connection settings are set to appropriate values, as outlined for Apache-based servers.
TCP Server Configuration Requirements
If a server is not an HTTP server, but will be load balanced via the AppBeat DC using the Layer 4 Load balancing feature (Cluster and Virtual Server set to TCP protocol mode), the server's default gateway (or return path route) must be configured as the interface (or VRRPc interface) of the Maestro. If the routes are not properly configured on the server, asymmetrical routing will occur, causing the application not to function. Please note, if the AppBeat DC is deployed redundantly using VRRPc, then the default gateway of the server should be configured as the Maestro’s VRRPc interface.
Server Logging Considerations (Original Client IP)
When a cluster is configured in HTTP mode, all client traffic is terminated by the AppBeat DC, enabling high-speed communication between the AppBeat DC and the accelerated servers. Therefore, all communication to the server is from the IP address of AppBeat DC. For organizations that utilize logging on the server, the Source/Client IP address field will always be reported as the IP address of the AppBeat DC. This section outlines the different methods in which the AppBeat DC can be configured to preserve the original client IP address, as well as steps to configure existing servers to properly report the client IP address.
Originator (Client) IP Address
To ensure that the original client IP (i.e. “originator IP”) address is preserved, the AppBeat DC has the ability to embed the client IP in the HTTP headers of the request forwarded to the server. If enabled, one of the following headers can be used:
X-Forwarded-For: <original_ip>
OAS-IP: <original_ip>
Client-IP: <original_ip>
Cres-Client-IP: <original_ip>
The X-Forwarded-For header is used by default, and a sample HTTP GET request and headers are provided below:
GET /sales/homepage.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (Compatible; MSIE 6.0)
Host: 10.1.1.101
Connection: Keep-Alive
Via: CN-5500
X-Forwarded-For: 128.38.22.167
Additionally, the Originator-IP feature also has the following configurable actions:
Add always – The client source IP observed by the AppBeat DC is inserted in the header, even if another header exists. For example, if the AppBeat DC receives a request that already contains the header it is configured to use (X-Forwarded-For, for instance), the AppBeat DC will overwrite the existing header with its own header and observed source IP.
Add if not present – If the AppBeat DC receives a request that already contains the header it is configured to use (X-Forwarded-For, for instance), the AppBeat DC will leave the original header and not modify or add an additional header, preserving the original header and contents.
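The choice between the two actions decides whose value ends up in the server log: with Add if not present, a header already carried by the request is passed through unchanged. The following Python model is an added example, not Crescendo Networks code; the action strings, the 10.1.1.1 interface address, the constructed request and the server-side trust check are assumptions made for illustration.

```python
import ipaddress

# CLI keywords of the originator-ip command mapped to the header each selects.
HEADER_FOR_KEYWORD = {
    "xforwardedfor": "X-Forwarded-For",
    "oasip": "OAS-IP",
    "clientip": "Client-IP",
    "cresclientip": "Cres-Client-IP",
}


def apply_originator_ip(headers, observed_ip, keyword="xforwardedfor",
                        action="add-always"):
    """Model of the two actions. headers is a list of (name, value) pairs.

    The action strings are labels chosen for this example; the guide only
    names the actions "Add always" and "Add if not present".
    """
    if action not in ("add-always", "add-if-not-present"):
        raise ValueError("unknown action: %r" % action)
    name = HEADER_FOR_KEYWORD[keyword]
    present = any(n.lower() == name.lower() for n, _ in headers)
    if action == "add-if-not-present" and present:
        return list(headers)        # the value sent with the request is kept
    # Add always: drop every existing copy, then write the observed source IP.
    kept = [(n, v) for n, v in headers if n.lower() != name.lower()]
    return kept + [(name, observed_ip)]


def client_ip_for_log(headers, peer_ip, trusted_peers, name="X-Forwarded-For"):
    """Server-side choice of the address to write to the log.

    The header is believed only when the TCP peer is a listed AppBeat DC
    interface and the header holds exactly one syntactically valid IP
    address. Anything else falls back to the TCP peer address.
    """
    if peer_ip not in trusted_peers:
        return peer_ip
    values = [v.strip() for n, v in headers if n.lower() == name.lower()]
    if len(values) != 1:
        return peer_ip
    try:
        return str(ipaddress.ip_address(values[0]))
    except ValueError:
        return peer_ip


# Constructed request that already carries an X-Forwarded-For header.
CONSTRUCTED_REQUEST = [
    ("Host", "10.1.1.101"),
    ("Connection", "Keep-Alive"),
    ("X-Forwarded-For", "192.0.2.77"),
]
OBSERVED_SOURCE = "128.38.22.167"   # source address seen by the AppBeat DC
APPBEAT_INTERFACE = "10.1.1.1"      # hypothetical server-side interface


def logged_value(action):
    """Address the server logs for the constructed request under one action."""
    forwarded = apply_originator_ip(CONSTRUCTED_REQUEST, OBSERVED_SOURCE,
                                    action=action)
    return client_ip_for_log(forwarded, APPBEAT_INTERFACE, {APPBEAT_INTERFACE})


if __name__ == "__main__":
    for action in ("add-always", "add-if-not-present"):
        print(action, "->", logged_value(action))
```

Add if not present suits a deployment where a trusted upstream proxy has already set the header; where the AppBeat DC is the first device to see client traffic, Add always keeps the logged address tied to the observed source IP.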
Server logging software should be reconfigured to identify the Client IP address in the header configured in the AppBeat DC.
To configure originator IP header from the CLI
Command Syntax:
originator-ip {no-mark | mark} [xforwardedfor | oasip | clientip | cresclientip]
Prompt level - Configure
Example commands:
config> originator-ip mark xforwardedfor
config> originator-ip no-mark
To configure originator IP header from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Servers Topology icon.
Figure 34: Setting Originator IP Header
3. Enable the Originator IP feature by placing a check box next to Originator IP. Select the header and action to be used.
In addition to configuring the client’s Originator IP address on the global level, the Originator IP address can also be configured for each Virtual Server. For more information, see Configuring Virtual Servers on page 140.
Server Log Configuration
The following section provides instructions for configuring the logging functionality within some popular Web/application servers to properly use the originator IP information provided by the AppBeat DC.
Microsoft Internet Information Server (IIS) Logging
Before proceeding, verify that the AppBeat DC is configured to insert the original client IP address in the X-Forwarded-For header. Through the GUI, verify this by logging in as an “admin” user and entering the Configuration mode. Click on the Servers Topology icon and select the General tab. Verify that Originator IP is checked, and that “x-forwardedfor” is selected in the Header field. To configure IIS to report the Client IP address from the X-Forwarded-For header, an ISAPI filter must be installed on each server. The process is outlined below:
Download the CN-XFF.dll file from the Crescendo Networks Support website or contact your local Technical Support Engineer for assistance.
Copy the CN-XFF.dll file into a directory on the server.
Open the IIS Manager on the server.
Right-click and enter the Web Site Properties menu for the desired Web server.
Click on the ISAPI Filters tab.
Click New and input a name, like “Crescendo Filter”, and browse for the CN-XFF.dll file. Click OK.
The Web server may need to be restarted for the changes to take effect.
Figure 35: Installing an ISAPI filter on each Server
The IIS Server will now search for the “X-Forwarded-For:” header when populating the Client-IP field in the logs. For all other application traffic not forwarded by the AppBeat DC, the log files will display the correct Client-IP.
Apache Logging
Before proceeding, verify that the AppBeat DC is configured to insert the original client IP address in the X-Forwarded-For header. Through the GUI, verify this by logging in as an “admin” user and entering the Configuration mode. Click on the Servers Topology icon and select the General tab. Verify that Originator IP is checked, and that “x-forwardedfor” is selected in the Header field. Use the following steps to configure Apache to log the X-Forwarded-For header:
Open the httpd.conf file – typically located in the /etc/httpd/conf/ directory.
Look for the LogFormat section and edit the logging format nickname, e.g.: common.
Add the following logging parameter: %{X-Forwarded-For}i
Example in httpd.conf: LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b" common
The preceding example enables Apache to log the information found in the X-Forwarded-For header in the Source-IP field of the log files.
Sun ONE Server (formerly iPlanet) Logging
Before proceeding, verify that the AppBeat DC is configured to insert the original client IP address in the X-Forwarded-For header. Through the GUI, verify this by logging in as an “admin” user and entering the Configuration mode. Click on the Servers Topology icon and select the General tab. Verify that Originator IP is checked, and that “x-forwardedfor” is selected in the Header field. Use the following steps to configure Sun ONE Server for correct source IP logging:
Log in to the Sun ONE server Web-based management interface.
Go to the Preferences tab → Access Logging Options → Custom Format.
For Custom Format, replace the string: %Ses->client.ip% with the following string: %Req->headers.X-Forwarded-For% as shown in Figure 36.
Figure 36: Configuring Sun ONE Server for Correct Source IP Logging
7 Server Topology – Farms/Clusters/Real Servers
Chapter 7 provides information for configuring the AppBeat DC server topology settings, including Farms, Clusters, and Real servers. Additionally, this section discusses concepts such as HTTP Application Based Load Balancing, Layer 4 (TCP-based) Load balancing, Backend Server Connection Management, Server Health Checking, and Session Persistence.
Before Proceeding.
Configuration Overview.
Farm Configuration.
Cluster Configuration (Load Balancing, Health Checking, Persistence).
Real Server Configuration.
Before Proceeding
In order to proceed with configuring server acceleration and/or load balancing, the following steps should be satisfied.
Management connectivity for each unit, whether through Serial Console or via Management Ethernet Interface (GUI, Telnet, or SSH). Please see Chapter 3. Introduction to the Command Line Interface.
At least one Data Interface on each unit configured with an IP Address and connected to the same network as the server(s) to be accelerated. Please see Chapter 5. Initial Configuration & Global Settings.
Some servers may require a configuration change to work properly with the AppBeat DC. Please see Chapter 6. Server Preparation and Logging Considerations.
Configuration Overview
Topology – Farms, Clusters, and Real Servers
The configuration topology is comprised of Farms, which contain one or more Clusters, which in turn contain one or more real servers. For instance, a configuration designed to accelerate a single server would look as follows:
Farm-1.
  Cluster-1.
    Server-1.
As discussed in Chapter 1, the AppBeat DC can be configured to accelerate individual servers or a load balanced cluster of servers. Therefore, the configuration of a cluster with three identically configured servers intended to be load balanced would look as follows:
Farm-1.
  Cluster-1.
    Server-1.
    Server-2.
    Server-3.
If the Load Balancing license is not installed, you will be unable to add more than one server to a cluster. However, all other features, including single server acceleration will still function. Please contact your Crescendo Networks Reseller or Sales Associate for assistance with enabling this feature.
The concept of Farms and Clusters exists primarily as a logical grouping tool for administration as well as monitoring and viewing performance information. For example, performance information can be viewed for a real server, cluster, farm, or entire unit. It is common for an AppBeat DC to be configured to accelerate several different groups of servers. It may make sense for an administrator to logically group the servers in separate Farms or Clusters for administrative and reporting reasons. For example:
Accounting.
  Application-1.
    Server-1.
    Server-2.
    Server-3.
  Application-2.
    Server-4.
    Server-5.
Sales.
  Application-3.
    Server-6.
    Server-7.
Virtual Servers
After the real servers are defined in a cluster, a Virtual Server must be configured to enable acceleration and/or load balancing. The Virtual Server has several configuration options depending on whether load balancing is used and how the server is intended to be accelerated. Virtual Server setup and configuration is covered in detail in Chapter 8. Virtual Servers, URL Rewriting, and L7 Switching / Redirection.
As discussed in Chapter 1, servers can be accelerated as stand-alone servers (no load balancing), or exist within a load balanced cluster. If the server is a stand-alone server, it will be configured in a Cluster by itself. An administrator has the option of accelerating the server using a Virtual Server IP (VIP), in which server traffic is destined to the VIP configured on the AppBeat DC, or in “spoofed” mode, in which traffic is routed through the AppBeat DC, and only traffic destined to the server is intercepted and accelerated while all other traffic is routed normally. Please note that load-balancing is not supported when using spoofed mode, since traffic is not destined to a unique Virtual Server (VIP).
Regardless of mode, a Virtual Server must be created. The Virtual Server is then “mapped” to a cluster. The Virtual Server is configured with a Virtual IP address and TCP port number. In the case of a stand-alone server which will operate in spoofed mode, the Virtual Server IP address should be configured as the same IP address as the real server. Additionally, a check box will be selected indicating the Virtual Server is a “spoofed” server. For load balanced HTTP clusters, additional HTTP Switching rules can be configured which enable the ability to direct client requests to different clusters based on Layer 7 application-based information such as host name, file extension, URL, or browser language.
Load Balancing Concepts - HTTP Application Load Balancing and Acceleration vs. TCP (Layer4) Load Balancing
The AppBeat DC inherently operates at the HTTP layer providing advanced load balancing capabilities, SSL termination, compression, and L7 switching/redirection features. Additionally, the AppBeat DC is capable of performing load balancing for non-HTTP applications that run over the TCP protocol. Non-HTTP load balancing is performed at layer 4 (TCP) and on a per-connection basis. When creating a Cluster or Virtual Server, the administrator has the option of configuring these entities as “HTTP” or “TCP”. The HTTP setting should be used for all HTTP/HTTPS applications, whereas any other, non-HTTP TCP-based application requiring load balancing should be configured as TCP. The Maestro treats traffic destined to TCP and HTTP Virtual Servers and Clusters differently.
When a Cluster and Virtual Server are configured as “HTTP”, the Maestro will operate in its native proxy-based acceleration mode, opening a small number of persistent backend connections to each configured server. In this mode, the Maestro can apply compression, SSL termination, Layer 7 Switching/Redirection, and advanced load balancing functionality to HTTP traffic.
When a Cluster and Virtual Server are configured as “TCP”, the Maestro will function as a traditional Layer 4 load balancer. Unlike HTTP mode, which utilizes TCP-multiplexing (many client-side connections and a smaller number of server-side connections), TCP mode utilizes a 1:1 connection ratio between the client and the server. Therefore, the Maestro load balances each new connection among the cluster of servers using one of several load balancing algorithms. Additionally, because the Maestro is not functioning as a Proxy (communicating to the backend server via its own IP address), the backend server sees the client IP address. Therefore, a server in a TCP cluster must have its Default Gateway configured as the interface of the AppBeat DC (or, the VRRPc interface address if two AppBeat DC units are deployed redundantly).
Health Monitoring
Each cluster can be configured to monitor the health of servers. Health checking can include the following mechanisms:
Verifying the server’s ability to open a TCP connection on the designated port.
Confirming the existence and ability for the server to serve a specific page requested by the Maestro.
Finally, the Maestro can also confirm the existence (or non-existence) of specific content being retrieved.
Server Topology Configuration
Backend Connections (For HTTP Clusters)
Once a real server is configured and administratively enabled (“Up” Admin Status), the AppBeat DC establishes a small number of persistent TCP connections. The AppBeat DC distinguishes between these connections by the type of requests being made. For example, a set number of these TCP connections are used only for static content requests (for example, images, etc.), while another set of these connections is used for dynamic content requests (for example, ASP, cgi, etc.). The number of connections is configurable on a global level or per server. Globally, these connections are set from the config> prompt with the CLI commands described below.
Recommended Connection Settings per Platform
Table 6: Recommended Connection Settings Per Platform
Platform          Static   Dynamic
Apache            64       32
Microsoft IIS 5   96       32
Microsoft IIS 6   96       32
Sun               64       32
Bluecoat          128      32
CacheFlow         12       12
To configure backend connections from the CLI
Command Syntax:
set conns {# of static} dynamic {# of dynamic}
Prompt level - Configure
By default, these settings are globally set to 64 static connections and 32 dynamic connections (96 backend connections per server).
To configure backend connections from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Servers Topology icon.
Figure 37: Configuring Backend Connections
3. Specify the Static and Dynamic connections to be used globally. These numbers represent the number of connections opened for each new server configured.
4. When configuring servers, the global connection numbers can be ignored by specifying specific connection counts per individual server on a “local” level.
Dynamic File Extensions
The AppBeat DC classifies the requests to be sent via the “dynamic” connections based on the file extension. Any requests which do not have a matching file extension will be sent to a server via a “static” connection. The following file extensions are included in the dynamic list by default: asp, jsp, pl, cgi, php, dll, cfm.
To configure dynamic file extensions from the CLI
Command Syntax:
http dynamic-file-extension extension
Prompt level - Configure
Example commands:
config> http dynamic-file-extension php
config> no http dynamic-file-extension php
To configure dynamic file extensions from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Servers Topology icon.
Figure 38: Configuring Dynamic File Extensions
3. Specify the file extensions to be used to classify dynamic requests. File extensions should be specified using a semicolon delimiter between values.
Acceleration of Authenticated HTTP Sessions
The HTTP protocol allows various user authentication techniques to be used in case a server requires certain credentials from a user. Authentication protocols include Basic, Digest, NTLM, and Negotiate (SPNEGO), among others. Sometimes, however, HTTP authentication does not work properly with TCP consolidation (multiplexing) because the server authenticates an actual TCP connection, rather than the client’s HTTP session. Because of this, the AppBeat DC can enable/disable multiplexing for various authentication protocols. The AppBeat DC recognizes the authentication protocol used from a user’s request headers (specifically, the “Authorization” request header). What happens with each authentication protocol depends on the configuration of the AppBeat DC. The following authentication protocols are recognized:
NTLM – multiplexing is always disabled for NTLM.
Basic – multiplexing can be enabled/disabled via user configuration.
Negotiate (SPNEGO) – multiplexing can be enabled/disabled via user configuration.
Other (protocols other than those listed above) – multiplexing can be enabled/disabled via user configuration.
For multiplexing authenticated sessions, the AppBeat DC provides enable/disable configuration options at two levels: global and per-cluster. First, which authentication protocols are multiplexed is configured globally. Then, each cluster has the option of handling authenticated sessions either per the global configuration, or per configuration specifically for that cluster.
To configure Authentication Multiplexing from the CLI
Command Syntax:
http {basic-authentication | negotiate-authentication | otherauthentication} {accelerate | not-accelerate}
Prompt level - Configure
Example commands:
config> http basic-authentication accelerate
To configure Authentication Multiplexing from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Servers Topology icon.
Figure 39: Configuring Authentication Multiplexing
3. Check the appropriate authentication method to be accelerated.
Farm Configuration
Configuration Steps
Perform the following example commands to add/remove farms. Substitute actual names for the example names where required.
To add farms from the CLI
Command Syntax:
farm name
no farm name
Prompt level - Configure
Example commands:
config> farm Farm-1
config> no farm Farm-1
To enable/disable services on a farm from the CLI
Command Syntax:
service {history | logging}
no service {history | logging}
Prompt level - Configure - Farm
Example command:
farm "Farm-1"> service history
farm "Farm-1"> no service history
To add farms from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Servers Topology icon then click the New button.
Figure 40: Adding Farms
3. The Add New Farm window will display. Specify a name for the farm and click Apply.
Figure 41: Add a New Farm Window
Cluster Configuration (Load Balancing, Health Checking, Persistence)
Several variables are configured for a Cluster, including load balancing, health checks, the association of Compression policies (covered in Chapter 9) and server-side SSL (covered in Chapter 10). Load balancing and server health check configuration is covered in detail later in this section.
Cluster Configuration
Please note that the load balancing license is required to configure more than one server per Cluster.
To add a cluster from the CLI
Command Syntax:
cluster name
no cluster name
Prompt level - Configure - Farm
Example commands:
farm "Farm-1"> cluster Cluster-1
farm "Farm-1"> no cluster Cluster-1
To add/remove a service for entire cluster from the CLI
Command Syntax:
service {history | logging | ssl | compression }
no service {history | logging | ssl | compression }
Prompt level - Configure - Farm - Cluster
Example commands:
cluster "Cluster-1">service history
cluster "Cluster-1">no service history
The other features configurable at a cluster level include health-check, server-inactivity, load balancing, and compression. These features are addressed individually in greater detail throughout this manual.
To add a cluster from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Servers Topology icon by clicking the + symbol then click the farm to which you want to add the cluster.
Figure 42: Adding a Cluster
3. Click the New button.
4. The Add New Cluster window will display. Specify a Cluster Name and Protocol for the cluster and click Apply.
Figure 43: Add New Cluster Window
Load Balancing Configuration
Traffic is load balanced among available servers in a cluster. There are several configurable variables including the protocol being load balanced, load balancing algorithm, method of session persistency, and health checking.
Cluster Protocol: HTTP or TCP (Layer 4 Load Balancing)
The AppBeat DC inherently operates at the application (HTTP) layer, functioning as a full proxy. The Maestro therefore sees an application as a series of requests and responses, instead of only packets and TCP sessions like a traditional Layer 4 Load Balancer. Functioning at the HTTP level also enables the Maestro to perform advanced load balancing functions like L7 Switching and Redirection, while simultaneously having the ability to compress response data in real time and secure an application with SSL.
The AppBeat DC is capable of performing load balancing for non-HTTP applications that run over the TCP protocol as well. Non-HTTP load balancing is performed at layer 4 (TCP) and on a per-connection basis. Layer 4 load balancing is still performed using TCP termination. The AppBeat DC will terminate all TCP connections that need layer 4 load balancing services, thus allowing them to use the unit’s advanced TCP services such as FastTCP and buffering. These services will help the TCP connections perform more optimally.
With layer 4 load balancing, since client-side connections are terminated by the AppBeat DC, server-side connections are initiated by the unit. Since there is no connection consolidation for non-HTTP connections (i.e. no multiplexing), there will be a 1-to-1 relationship between client-side and server-side connections. However, the server-side connections will still carry the source IP address of the original client, in order to allow server logging mechanisms to operate as before. This means that TCP servers must guarantee their path back to the client through the AppBeat DC. This is often done by configuring the IP address of the server-side interface of the AppBeat DC to be the default gateway of the server. This way, all response traffic from the server will flow through the AppBeat DC to assure proper TCP connection handling.
To configure Layer 4 Load Balancing, the following steps must be followed:
Each cluster that is configured with non-HTTP servers will be configured as a TCP cluster, rather than an HTTP cluster.
The real servers within the TCP cluster must be configured to route return traffic back through the AppBeat DC. This is accomplished by configuring the server's default route (or network specific route) to route through the AppBeat DC physical IP interface (or VRRPc interface if redundantly deployed).
A Virtual Server (with IP address and TCP port) is configured as a TCP Virtual Server, rather than an HTTP virtual server.
A TCP virtual server can only be bound to a single cluster. That cluster must be configured as a TCP cluster. Also, no SSL or compression services are available to TCP virtual servers or TCP clusters.
Load Balancing Algorithms
The algorithm represents the logic by which application requests will be distributed to available servers in a cluster. Four options exist:
Round Robin (RR) – Application requests are forwarded in a cyclical fashion to each available server.
Weighted Round Robin (WRR) – Similar to Round Robin in that requests are cyclically distributed among available servers, however they are forwarded based on each server’s configured weight. Servers are configured with a weight, or metric, between 1 and 100. The higher the weight, the greater priority, or amount of traffic a server should receive relative to other lower weighted servers.
Weighted Least Pending Requests (WLPR) – For HTTP Clusters only. The AppBeat DC is fully application aware, knowing the status of each outstanding client request and the server's subsequent response. This application level intelligence enables the AppBeat DC to make extremely accurate load balancing decisions based on real-time application knowledge of each server's pending request load.
Weighted Least Connections (WLC) – For TCP Clusters. When performing in TCP mode (Layer 4 Load Balancing), the AppBeat DC keeps track of the number of individual TCP connections load balanced to each server within a cluster. The Maestro can make load balancing decisions based on a combination of the server’s configured weight as well as the number of connections currently established with each server.
Server Response Time (SRV-RSP-TIME-BASED) – The AppBeat DC calculates the server’s response time as it receives updates from the server health check mechanism regarding the servers in the cluster. The load balancing process distributes a high percentage of the load to the fast servers, enabling them to receive more traffic and a small percentage of the load to the slow servers, enabling them to receive less traffic. In addition, each cluster has a Stop Traffic Factor (STF) parameter, which removes very slow servers from being eligible for traffic distribution. When a server’s response time is greater than STF multiplied by the response time of the fastest server, the server is no longer eligible for new requests. STF has the value of three by default, but can accept values from 1 to 100. The server response time is updated every five seconds by default, enabling the response times to be recalculated and the server priorities to change.
The server response time option can only be enabled when the Health Check is enabled. If the Health Check is disabled on the cluster, a warning message appears.
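The Stop Traffic Factor rule described above, worked through in Python as an added example (not Crescendo Networks code). The eligibility test follows the text; the split of load in proportion to inverse response time and the sample timings are assumptions, since the guide does not give the exact distribution formula.

```python
def eligible_servers(response_ms, stf=3):
    """Apply the Stop Traffic Factor rule to the latest health-check timings.

    response_ms maps server name -> response time in ms, or None when the
    health check has produced no measurement for that server.
    """
    if not 1 <= stf <= 100:
        raise ValueError("STF accepts values from 1 to 100")
    measured = {name: ms for name, ms in response_ms.items()
                if ms is not None and ms > 0}
    if not measured:
        return {}
    limit = stf * min(measured.values())
    # A server is removed when its time is "greater than" STF x fastest, so
    # a server sitting exactly on the limit stays eligible.
    return {name: ms for name, ms in measured.items() if ms <= limit}


def traffic_shares(response_ms, stf=3):
    """Fraction of new requests per eligible server.

    Assumption of this example: share is proportional to 1 / response time.
    The guide only states that fast servers receive a high percentage of
    the load and slow servers a small percentage.
    """
    eligible = eligible_servers(response_ms, stf)
    total = sum(1.0 / ms for ms in eligible.values())
    return {name: (1.0 / ms) / total for name, ms in eligible.items()}


# Constructed timings for two consecutive updates (five seconds apart by
# default). Server-5 has no measurement in either round.
ROUND_1 = {"Server-1": 20, "Server-2": 45, "Server-3": 60,
           "Server-4": 61, "Server-5": None}
ROUND_2 = {"Server-1": 30, "Server-2": 45, "Server-3": 60,
           "Server-4": 61, "Server-5": None}

if __name__ == "__main__":
    for label, sample in (("round 1", ROUND_1), ("round 2", ROUND_2)):
        shares = traffic_shares(sample)
        print(label, {name: round(share, 4) for name, share in shares.items()})
```

In round 1 the fastest server answers in 20 ms, so with the default STF of three the limit is 60 ms and Server-4 (61 ms) receives no new requests; in round 2 the fastest time rises to 30 ms and Server-4 becomes eligible again without its own response time having changed.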
To configure load balancing algorithm from the CLI
Command Syntax:
load-balancing algorithm { wlpr | wlc | wrr | rr }
load-balancing algorithm { wlpr | wlc | wrr srv-rsp-time-based}
Prompt level - Configure - Farm - Cluster
Example commands:
cluster "Cluster-1">load-balancing algorithm rr
Example of enabling load balancing based on the server’s response time:
cluster "Cluster-2">load-balancing algorithm wrr | wlpr srv-rsp-time-based
Example of disabling load balancing based on the server’s response time:
cluster "Cluster-3">load-balancing algorithm wrr | wlpr no srv-rsp-time-based
Example of setting STF:
cluster "Cluster-4">load-balancing algorithm wrr | wlpr srv-rsp-time-based stop-traffic-factor "4"
To configure load balancing algorithm from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Servers Topology icon by clicking the + symbol and then clicking the Farm icon. The Farm window appears.
Figure 44: Adding a Cluster
3. Click the New button. The Add New Cluster window appears.
Figure 45: Add New Cluster Window
4. Specify a Cluster Name and Protocol for the cluster.
5. Select the Load Balance Algorithm. In the Use Server Response Time window, specify whether to enable the server response time mechanism. Set the STF to the desired value in Stop Traffic Factor.
Ensure that the health check is enabled. Otherwise, the Server Response Time mode is disabled. When the Load Balance Algorithm is set to RR, the server response mechanism is disabled. When Use Server Response Time is set to Disable, the Stop Traffic Factor field is disabled.
Figure 46: Configuring Load Balancing Parameter
Web Server Logging The Web server logging feature is used by organizations with large server farms, enabling them to perform log consolidation of their websiteâ&#x20AC;&#x2122;s servers. Instead of having to log each individual server, the organization can keep a consolidated log file for all of the servers. For all the traffic that is sent to the cluster for which the Web server logging feature is enabled, the AppBeat DC sends log messages to a designated Syslog server in the client environment. The log messages include the HTTP request and response parameters for all of the logged transactions. Organizations can access the log messages at the designated Syslog server and use the information in a variety of areas, such as security, data mining, usage trending, etc. Log messages use the standard NCSA format, with the addition of several parameters, as follows: <cluster_name>.<real_name> <client_ip> - - [dd/mm/yyyy:hh:mm:ss -] "<request_line>" <status_code> <data_in_bytes> <response_time_in_ms>
Each log entry records the following data:
Cluster name.
Real name.
Client IP address.
Remote log name (this value is always a hyphen).
User name (this value is always a hyphen).
Time and date in the following format: dd/mm/yyyy:hh:mm:ss
Request line including the http method, URL, and http version.
Status code of the response.
Size of the received data in bytes.
Response time in ms.
For example:
08/03/08 11:35:36 [1.1.1.10] (local4.info) AUG 03 11:01:40 Crescendo c.a 10.20.30.10 - [03/AUG/2008:11:01:40 -] "GET /hz.avi HTTP/1.1" 200 10121216 300
To operate the Web server logging feature, use a Syslog server to receive the server logs transmitted from the AppBeat DC.
Web Server Logging Configuration
Perform the following steps to enable Web server logging:
1. Install a Syslog server in your data center environment.
2. Configure the Web server logging settings.
3. Enable the Web server logging feature for the cluster.
Configuring the Web Server Logging Settings
Configure the IP address and port of a dedicated Syslog server that will record the Web server log messages.
To configure the Web server logging settings from the CLI
Command Syntax:
config> web-server-logger <ip address of the syslog server> <port number>
Prompt level - Configure
Example commands:
config> web-server-logger 10.0.0.8 4
To configure the Web server logging settings from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click the AppBeat DC icon and select the Global tab. The Global tab appears.
Figure 47: Configuring the Web Server Settings
3. In the Web server logger IP field, enter the IP address of the Syslog server that will receive Web server logging messages.
4. In the Port field, enter the port number of the Web log Syslog server.
5. Click Apply.
Enabling Web Server Logging for a Cluster
Once the Syslog server and Web server settings are configured, you can enable or disable the Web server logging feature for a specific cluster.
To enable Web server logging from the CLI
Command Syntax:
cluster cluster1> service web-server-logging
Prompt level - Configure - Farm - Cluster
Example commands:
cluster cluster1> service web-server-logging
To enable Web server logging from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Servers Topology icon by clicking the + symbol and then expanding the Farm icon. Click the Cluster icon of the cluster for which you want to enable Web server logging. The Cluster window appears.
Figure 48: Enabling Web Server Logging
3. In the Services area, check Web Server Logging and click the Apply button. The web server logging feature is enabled for this cluster.
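Once logging is enabled, the messages arriving at the Syslog server can be parsed into the fields listed earlier in this section. The following is an added example, not code from Crescendo Networks; the function names, the 1000 ms "slow" threshold and the lines marked as constructed are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# <cluster>.<real> <client_ip> - - [<time> -] "<request>" <status> <bytes> <ms>
# The guide's format string shows two hyphens and a numeric month; its sample
# line shows one hyphen and "AUG". Both spellings are accepted here.
# The request line is client-controlled and may itself contain quotes, so it is
# matched greedily and the three numeric fields are anchored at end of line.
ENTRY_RE = re.compile(
    r'(?:^|\s)(?P<cluster>[^\s.]+)\.(?P<real>\S+)\s+'
    r'(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3})\s+'
    r'-(?:\s+-)?\s+'
    r'\[(?P<ts>[^\]\s]+)[^\]]*\]\s+'
    r'"(?P<request>.*)"\s+'
    r'(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<rt_ms>\d+)\s*$'
)

@dataclass
class Entry:
    cluster: str
    real: str
    client_ip: str
    timestamp: Optional[datetime]
    method: str
    url: str
    version: str
    status: int
    size: int
    rt_ms: int

def parse_timestamp(text: str) -> Optional[datetime]:
    """Accept dd/mm/yyyy and dd/MON/yyyy dates; return None if neither fits."""
    for fmt in ("%d/%m/%Y:%H:%M:%S", "%d/%b/%Y:%H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None

def parse_line(line: str) -> Optional[Entry]:
    """Parse one syslog line (any syslog prefix is skipped); None if no match."""
    m = ENTRY_RE.search(line.strip())
    if m is None:
        return None
    method, _, rest = m["request"].partition(" ")
    url, sep, version = rest.rpartition(" ")
    if not sep:                      # request line without an HTTP version
        url, version = rest, ""
    return Entry(m["cluster"], m["real"], m["client_ip"],
                 parse_timestamp(m["ts"]), method, url, version,
                 int(m["status"]), int(m["size"]), int(m["rt_ms"]))

def summarize(lines: Iterable[str], slow_ms: int = 1000):
    """Per real server: request count, 5xx count, responses slower than slow_ms."""
    stats = defaultdict(lambda: {"requests": 0, "server_errors": 0, "slow": 0})
    unparsed = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            unparsed += 1            # keep a count: silent drops hide problems
            continue
        s = stats[f"{entry.cluster}.{entry.real}"]
        s["requests"] += 1
        s["server_errors"] += entry.status >= 500
        s["slow"] += entry.rt_ms > slow_ms
    return dict(stats), unparsed

# Sample line as printed in this guide.
GUIDE_SAMPLE = ('08/03/08 11:35:36 [1.1.1.10] (local4.info) AUG 03 11:01:40 '
                'Crescendo c.a 10.20.30.10 - [03/AUG/2008:11:01:40 -] '
                '"GET /hz.avi HTTP/1.1" 200 10121216 300')
# Constructed lines (not from the guide) covering the documented format,
# a quote inside the request line, and a non-matching message.
CONSTRUCTED = [
    'shop.web1 192.0.2.7 - - [04/08/2008:09:15:02 -] "GET /login HTTP/1.1" 500 512 2400',
    'shop.web1 192.0.2.9 - - [04/08/2008:09:15:03 -] "GET /q?x="a b" HTTP/1.1" 404 310 12',
    'not a web server log message',
]

if __name__ == "__main__":
    print(parse_line(GUIDE_SAMPLE))
    print(summarize([GUIDE_SAMPLE] + CONSTRUCTED))
```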
Connection Profiles
The Connection Profiles feature enables you to configure the number of persistent connections (static and dynamic) for each cluster. This feature is used by organizations hosting large server farms to simplify the configuration process. Instead of having to configure the server's dynamic and static connections multiple times (for each server), you can configure the connection settings once for each cluster. The connection settings for the application are then applied to all real servers within the cluster. When a cluster's connection settings are not configured, the global settings are used for the cluster.
To configure the connection profiles for each cluster from the CLI
Command Syntax:
conns [global | static] # dynamic #
Prompt level - Configure - Farm - Cluster
Example commands:
conns global
conns static 100 dynamic 3
To configure the connection profiles for each cluster from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Servers Topology icon by clicking the + symbol and then expanding the Farm icon. Click the Cluster icon of the cluster to which you want to enable Web server logging. The Cluster window appears.
Figure 49: Connection Profiles
3. In the Connections area, select Global or Local from the Mode drop-down list.
   If you select Global mode, the default global configurations are used for the cluster.
   If you select Local mode, enter the number of static and dynamic connections in the Static and Dynamic fields. These local settings will override the default global configurations.
4. Click Apply.
Persistency
Some applications require that a client communicate with the same server in a load balanced cluster throughout the duration of their session. This functionality is called persistence, as each new connection from the same client should be kept persistent, or “sticky” to the same server. The persistency mechanism of the AppBeat DC offers several settings:
None – No persistence is enabled for the cluster. All requests are distributed via the configured load balancing algorithm.
By IP Address – The AppBeat DC will identify a client by the Source IP address. When configured, the first request from a client will be load balanced to the best server. Subsequent requests from the same Source IP address will remain persistent to the chosen server.
Application Level Persistency – (Available only for HTTP Clusters). The AppBeat DC will insert data into the HTTP/HTTPS response of each new client request. The data will identify which server the client’s requests should be forwarded to. Therefore, each request from the client will include the inserted data which the AppBeat DC will use to identify which server to forward the request to, thus maintaining persistency throughout the duration of the client’s session.
To Configure Persistency Method from the CLI
Command Syntax:
load-balancing { persistency | no-persistency } [ by-ip | application-level-persistency ]
Prompt level - Configure - Farm - Cluster
Example commands:
cluster "Cluster-1">load-balancing persistency by-ip
cluster "Cluster-1">load-balancing no-persistency
To Configure Persistency from the GUI
Enter the Configuration mode and select the desired cluster, as described in To add farms from the GUI on page 108.
Health Check Configuration
The AppBeat DC will only forward traffic to available (“healthy”) servers and verifies the health of a server by one of several means. By default, the Maestro attempts to connect directly to and verify the basic connectivity of each server configured in a cluster (HTTP or TCP). If the connection cannot be established, the Maestro marks the server as “Operationally Down” and will continue to periodically check the health of the server.
More advanced health checking options exist allowing the capability to request specific content from a server and verify content within server responses. This type of health checking is referred to as “data checks” within the configuration. The server’s response is analyzed to determine whether the server is functioning properly. Data checks are available for HTTP or TCP clusters and are covered in more detail in Health Checking for HTTP Clusters on page 123 and Health Checking for TCP (non-HTTP) Clusters on page 124 respectively.
If Health Checks are to be used, the following variables should be configured:
Mode – Enable or Disable Health Checks.
Frequency (1-300 seconds) – Default value is 5 seconds. Defines the number of seconds between health checks.
Wait Time (1-300 seconds) – Default value is 3 seconds. Defines the number of seconds the AppBeat DC should wait for a server response. If a healthy response is not returned within the time designated, the AppBeat DC will classify the request as a failure.
Consecutive Failures (1-100) – The number of consecutive failures which must occur before the AppBeat DC classifies a server as “down”.
URL to be checked – Used with HTTP clusters only. The URL to be requested from each server within the cluster. The URL is requested at the configured Frequency. It is recommended that a small page be designated to reduce the load on the server.
Host Header – Used with HTTP clusters only. The host name to be used for the health check request. This is useful if several “Virtual Hosts” exist on a single server. For example, a server may have a single IP address, but distinguishes between several virtual servers by the Host Header (ex. www.site1.com vs. www.site2.com) to determine which virtual server should serve the content. If no Host Header is configured, the host header will consist of the IP address of the server being health checked.
How these options are used depends on whether the cluster is made up of HTTP servers or TCP (non-HTTP) servers. This is configured on a per-cluster basis.
Health Checking for HTTP Clusters
If the cluster is HTTP, then only the following configuration parameters are relevant:
Standard options:
   Mode.
   Frequency.
   Wait time.
   Consecutive failures.
   URL.
   Host.
Data Checks:
   Response.
   Validate absence of response string.
The data check “request” field is not applicable since the URL field determines the request that is sent to the server. If the data check “response” field is left blank, then the health check mechanism operates exactly as it did in versions before 4.2: it sends a request to the server and only validates that the response has a status code of 200. If the data check “response” field is configured, however, then the AppBeat DC will parse the response from the server. The Maestro will parse both the headers and the body of the response in order to look for the presence or absence of the “response” string configured, depending on whether the “validate the absence of the response string” option is enabled or not. The data check “response” field is case-sensitive. The “binary” option of the data check “response” field is not relevant with HTTP.
Health Checking for TCP (non-HTTP) Clusters
If the cluster is a TCP (non-HTTP) cluster, then only the following configuration parameters are relevant:
Standard options:
   Mode.
   Frequency.
   Wait time.
   Consecutive failures.
Data Checks:
   Request.
   Response.
   Validate absence of response string.
With TCP clusters, there are four ways of configuring health checks:
Without using data checks – If no data check options are configured, then the TCP servers will only be checked at the TCP connection level. The Maestro attempts to open a TCP connection to the server. If the connection is successfully opened before the “wait time” expires, then the health check is considered a success. Otherwise, it’s considered a failure.
Only using the “request” data check option – If the intent of health checking is only to verify that the server responds with some data to a request (any data), then only configure the data check “request” option. In this case, the Maestro first attempts to open a connection with the server. If the connection is successfully opened, the Maestro sends the data configured in the “request” field to the server (either text or binary, per configuration). After the request is sent, the Maestro expects a response (any response) from the server. All of this (opening a connection, sending the request, and getting a response) has to happen before the “wait time” expires; otherwise the health check is considered a failure.
Only using the “response” data check option – Certain TCP applications respond with a “banner” when a connection is first opened to them. Mail servers (SMTP and POP) are examples of such cases. For checking the health of these servers, you only need to configure the data check “response” option. If only the “response” data check option is configured, the Maestro first attempts to open a connection with the server. If the connection is opened successfully, the Maestro expects data from the server to follow immediately after the connection is opened. The contents of the response are compared to the “response” option (text or binary, per configuration) and the presence or absence of the configured “response” is validated, depending on whether the “validate absence of response” option is configured. All of this (opening the connection, receiving the response, and validating it against the “response” option one way or another) needs to happen before the “wait time” expires; otherwise, the health check is considered a failure.
Using both “request” and “response” data check options – For bi-directional application health checking of TCP servers, both the “request” and “response” data check options must be configured. In these cases, the AppBeat DC first attempts to open a connection with the server. Once the connection is opened, the Maestro sends the server the contents of the “request” field (in text or binary, per configuration). Then, the Maestro examines the server response and compares it to the content of the “response” field (in text or binary, per configuration) to validate the presence or absence of the configured “response,” depending on whether the “validate absence of response” option is configured. All of this (opening the connection, sending the request, receiving the response, and validating it against the “response” option one way or another) needs to happen before the “wait time” expires; otherwise, the health check is considered a failure.
Through these four options, all cases of server health checking for TCP (non-HTTP) servers are covered. Clusters should be configured according to the type of application the TCP servers within the cluster host.
With all TCP checks, the time it takes to open the TCP connection is part of the overall time of the health check. As with HTTP checks, the “response” field is case-sensitive (in text responses). When analyzing server responses, the AppBeat DC will accept data from the server regardless of the number of packets exchanged between the AppBeat DC and the server – as long as the total time does not exceed the “wait time.”
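The four TCP check modes and the single "wait time" budget described above can be reproduced with a small probe, which is useful for confirming what a server actually returns before a data check string is configured. This is an added example, not the AppBeat DC implementation; the function names are hypothetical, and how long the device keeps reading when validating absence is an assumption (here: until the server closes or the wait time expires, with at least one byte received).

```python
import socket
import time
from typing import Optional

def response_ok(data: bytes, response: Optional[bytes], validate_absence: bool) -> bool:
    """Apply the "response" data check to the bytes received from the server."""
    if response is None:                 # no "response" configured: any data counts
        return len(data) > 0
    found = response in data             # byte comparison, so text is case-sensitive
    return (not found) if validate_absence else found

def tcp_health_check(host: str, port: int,
                     request: Optional[bytes] = None,
                     response: Optional[bytes] = None,
                     validate_absence: bool = False,
                     wait_time: float = 3.0) -> bool:
    """Return True if the server passes; connect, send and receive share wait_time."""
    deadline = time.monotonic() + wait_time

    def remaining() -> float:
        left = deadline - time.monotonic()
        if left <= 0:
            raise socket.timeout("wait time expired")
        return left

    try:
        with socket.create_connection((host, port), timeout=remaining()) as conn:
            if request is None and response is None:
                return True              # mode 1: TCP connection level only
            if request is not None:      # modes 2 and 4: send the "request" data
                conn.settimeout(remaining())
                conn.sendall(request)
            data = b""
            try:
                while True:              # data may arrive in any number of packets
                    conn.settimeout(remaining())
                    chunk = conn.recv(4096)
                    if not chunk:        # server closed the connection
                        break
                    data += chunk
                    if response is None or (not validate_absence and response in data):
                        return True      # any data (mode 2) or string present
            except socket.timeout:
                pass                     # wait time used up while reading
            # Reaching this point means the presence check failed; an absence
            # check is judged on everything that arrived (assumption, see above).
            return validate_absence and bool(data) and response_ok(data, response, True)
    except OSError:                      # refused, reset, unreachable or timed out
        return False

if __name__ == "__main__":
    # Constructed target: replace with a server you operate.
    print(tcp_health_check("127.0.0.1", 25, response=b"220", wait_time=3.0))
```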
To Configure Health Checks from the CLI
Command Syntax:
health-check [enable | disable | url | frequency | wait-time | failures | host-header | data-check]
health-check data-check [no | req-str | resp-str | req-bin | resp-bin]
Prompt level - Configure - Farm - Cluster
Example commands:
cluster "Cluster-1">health-check enable
cluster "Cluster-1">health-check url /index.html
cluster "Cluster-1">health-check failures 3
cluster "Cluster-1">health-check data-check resp-str "test"
To Configure Health Checks from the GUI
1. Enter the Configuration mode and select the desired cluster. Once the cluster is highlighted, click on the Health Checks tab.
2. Change the Mode to Enable.
Figure 50: Configuring Health Checks
3. Adjust the Frequency, Wait Time, and Consecutive Failures settings for the specific application to be tested.
4. For HTTP clusters, specify the URL to be requested.
5. Define a Data Check Response if required. If not defined, the AppBeat DC will determine health based on the HTTP response code returned from the server, identifying a response of “200” as healthy.
Server Inactivity Check
The AppBeat DC opens a limited number of persistent TCP connections to each accelerated server. If a connection is idle—no data sent to, or received from the server—for 30 seconds (default setting), one of three actions can be defined:
The connection can be closed, and a new one immediately opened.
The connection can be kept alive using an HTTP HEAD method to verify connectivity over the open connection.
The connection can be kept alive using an HTTP GET method to verify connectivity over the open connection.
A path and file name can be specified for the HEAD and GET keep-alive methods. The server-inactivity feature can be configured on a global level, affecting all servers configured for acceleration, or on an individual server level. By default, the server-inactivity feature is configured globally to close connections. If configured in Keep-Alive GET mode, it is advised to configure the url as a small static page, up to 1000 Bytes in total size, to avoid creating unnecessary load on the server. Keep in mind, the server-inactivity feature only executes after 30 seconds of inactivity on each individual backend server connection.
Recommended Server Settings
Table 7: Recommended Server Settings
Web Server / Operating System        Recommended Configuration
Microsoft IIS 6.0 (Server 2003)      server-inactivity close
Microsoft IIS 5.0 (Server 2000)      server-inactivity keep-alive [HEAD | GET]
Apache* (Linux, BSD, Windows)        server-inactivity close
* Apache requires the following modifications be made to the httpd.conf file usually found in the /etc/httpd/conf/ directory.
KeepAlive On (By default, this is set to “Off”).
MaxKeepAliveRequests 0 (Provides unlimited requests, by default, set to “100”).
KeepAliveTimeout 45 (By default, set to 15).
The settings outlined in the table are recommendations based on typical environments. Because many applications may vary based on customization, it is recommended that the settings be verified with a Crescendo Networks Support Engineer to ensure optimal performance. For example, the default server-inactivity timer is set to 30 seconds. If for some reason a request may take longer than 30 seconds to be processed by the server, the server-inactivity timer value should be increased to allow for maximum server processing time.
To configure server-inactivity globally from the CLI
Command Syntax:
server-inactivity [close | keep-alive] url [GET | HEAD]
Prompt level - Configure
Example commands:
config> server-inactivity close
config> server-inactivity keep-alive /test.html GET
config> server-inactivity keep-alive /test.html HEAD
To configure server-inactivity globally from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Server Topology icon under the AppBeat DC icon.
Figure 51: Configuring Server-Inactivity Globally
3. Configure the Server Inactivity setting in the Advanced tab.
4. If the Server Inactivity option is checked, this signifies “Keep-alive” mode and a URL and method—GET or HEAD—should be specified.
5. If the Server Inactivity option is left unchecked, this signifies “close” mode.
To configure server-inactivity per cluster from the CLI
Configuring the server-inactivity is an extension of the Cluster configuration within the Farm > Cluster prompt level. Each cluster can be configured with a unique server-inactivity action (Close, Keep-Alive GET, or Keep-Alive HEAD) similar to the global configuration. Additionally, the Cluster can be configured to use the global settings.
Command Syntax:
server-inactivity [close | global | keep-alive] url [GET | HEAD]
Prompt level – Configure – Farm – Cluster
Example commands:
Cluster "Cluster-1"> server-inactivity close
Cluster "Cluster-1"> server-inactivity keep-alive /test.html GET
Cluster "Cluster-1"> server-inactivity keep-alive /test.html HEAD
Cluster "Cluster-1"> server-inactivity global
To configure server-inactivity per cluster from the GUI
Server inactivity can be configured per Cluster.
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Topology icon by clicking the + symbol then expand the Farm icon and click on the desired Cluster icon.
Figure 52: Configuring Server-Inactivity Per Cluster
3. The Server Inactivity variable is configured as “Close,” “Keep-alive,” or “Global.”
Real Servers
When configuring servers to be accelerated or just load-balanced, it is important to verify several settings in the server configuration before defining them in the AppBeat DC configuration. For information pertaining to server configuration please consult Chapter 6. Server Preparation and Logging Considerations before proceeding with configuring real servers.
Configuring a Real Server
Real servers are defined within a cluster. When the server is configured, the Maestro immediately attempts to connect to the server. In the case of a real server defined in an HTTP cluster, the AppBeat DC will attempt to open the preconfigured number of backend connections to the server, as well as begin performing separate Health Checks (if configured). In the case of a real server defined in a TCP cluster, the Maestro will begin performing health checks (if configured).
Backup Servers
When configuring a real server, the option exists to make the server a “backup server”. This designation means that the server configured as “backup” within the cluster will not receive any traffic, unless all other servers within the cluster are unavailable. The configuration allows for only one backup server to be designated per cluster. When all servers in a cluster fail, the backup server will become “active.” When the previously failed server becomes available again, the backup server will do the following, based on whether the cluster is configured as an HTTP or TCP-based cluster:
HTTP Cluster – The backup server will immediately stop receiving new traffic and will be placed in “backup” mode again.
TCP Cluster – The backup server will not be forwarded any new TCP connections, and will gracefully timeout any existing connections. Once all connections are no longer active, and have been timed-out, the server will be placed in “backup” mode again
To add a real server from the CLI
Command Syntax:
real real-name {shutdown | [no shutdown]} real-ip port {backup-server}
no real real-name
Prompt level - Configure - Farm - Cluster
Example commands:
cluster "Cluster-1"> real Server-1 10.1.1.1 80
cluster "Cluster-1"> no real Server-1
cluster "Cluster-1"> real Server-1 backup-server
cluster "Cluster-1"> real Server-1 no-backup-server
To add a real server from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Servers Topology icon by clicking the + symbol, then expand the Farm icon and the Cluster icon. Click the Real Server icon and click New.
3. The Add New Server window is displayed. Specify a name for the server, the server’s real IP address, and TCP port of the HTTP application to be accelerated. Additionally, configure additional services such as Logging, History, or the backend connections. Click Apply.
Figure 53: Add New Server Window
4. Repeat this step for each server.
To configure backend connections per server from the CLI
When configuring an individual server, the backend connections will use the global settings unless otherwise specified. The following command outlines the configuration of connection settings per server.
Command Syntax:
real name conns [global | static] # dynamic #
Prompt level - Configure - Farm - Cluster
Example commands:
cluster "Cluster-1"> real Server-1 conns global
cluster "Cluster-1"> real Server-1 conns static 100 dynamic 3
Device Configuration
Devices are optional logical entities you can define to limit the number of concurrent TCP connections on a single physical server at any point in time. A Device corresponds to a physical server, to which you can attach any number of Real servers. The aggregation of the current connections of all the Real servers belonging to the device cannot exceed the maximum number of TCP connections you specify for the device.
Device configuration does not replace the mandatory Farm – Cluster – Real configuration you must perform. Device configuration is optional. Device configuration does not impose a hierarchy as does Farm – Cluster – Real configuration, it only provides a method for limiting the number of concurrent connections on a physical server.
Device configuration consists of specifying a Device and the maximum number of connections it can support, and of logically associating Real servers with the Device.
Configuring Devices
Perform the following example commands to configure Devices. Substitute actual names for the example names where required.
To add or remove Devices from the CLI
Command Syntax:
device name
no device name
Prompt level - Configure
Example commands:
config> device Device-A
config> no device Device-A
To specify a description for a Device from the CLI
Command Syntax:
description description
Prompt level - Configure - Device
Example command:
device Device-A> description Marketing
To rename a Device from the CLI
Command Syntax:
device old_name new-name new_name
Prompt level - Configure
Example command:
config> device Device-A new-name Device-Marketing
To configure the maximum connections for a Device from the CLI
Command Syntax:
cons num
Prompt level - Configure - Device
Example command:
device "Device-A"> cons 500
When configuring the maximum number of connections, you can specify a number between 1-131072, or enter the number 0 to specify an unlimited number of connections.
To configure Devices from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the Devices icon, and then click the New button. The New Device window appears.
Figure 54: New Device Window
3. Specify a name for the device.
4. Optionally enter a description for the device.
5. Specify the maximum number of connections for the device.
6. Click Apply.
Associating Real Servers with Devices
Perform the following example commands to attach or detach Real servers from a device. Substitute actual names for the example names where required.
To attach a Real server to a Device from the CLI
Command Syntax:
real real-name attach-device device-name
Prompt level - Configure - Farm - Cluster
Example command:
Cluster "Cluster-1" > real Server-1 attach-device Device-A
To detach a Real server from a Device, from the CLI
Command Syntax:
real real-name detach-device
Prompt level - Configure - Farm - Cluster
Example command:
Cluster "Cluster-1" > real Server-1 detach-device
To attach a Real server to a Device from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Servers Topology icon by clicking the + symbol, then expand the Farm icon and the Cluster icon. Click the Real Server icon and then select the Real server you wish to add to a device. The Server Properties window appears.
Figure 55: Attaching a Real Server to a Device
3. Specify to which device to attach this Real server, and click Apply.
8 Virtual Servers, URL Rewriting, and L7 Switching / Redirection
Chapter 8 provides information about configuring Virtual Servers (VIPS) as well as advanced configuration concepts such as L7 Switching and HTTP Redirection rules.
Before Proceeding.
Virtual Servers.
URL Rewriting.
L7 Switching & Redirection (HTTP Virtual Servers).
HTTP Redirection Rules.
Before Proceeding
In order to proceed with configuring server acceleration and/or load balancing, the following steps should be satisfied.
Management connectivity for each unit, whether through Serial Console or via Management Ethernet Interface (GUI, Telnet, or SSH). Please see Chapter 3. Introduction to the Command Line Interface.
Farms, Clusters, and at least one Real Server must be defined and properly configured within the Server Topology configuration. Please see Chapter 7. Server Topology – Farms/Clusters/Real Servers.
Virtual Servers
Configuring Virtual Servers
The following section outlines the steps required to create and configure a Virtual Server (VIP). Virtual Servers are mapped to Clusters. Similar to Clusters, Virtual Servers have a protocol configuration: either HTTP or TCP. A Virtual Server's protocol configuration must match that of the Cluster it is mapped to. Therefore, a Cluster configured as HTTP can only be mapped to a Virtual Server configured as HTTP. Similarly, a Cluster configured as TCP must be mapped to a Virtual Server configured as TCP. Cluster and Virtual Server protocol designations cannot be mismatched.
Virtual Servers configured for HTTP protocol also allow configuration of HTTP/L7 Switching and Redirection rules, as well as Client-Side SSL which is covered in Chapter 10. SSL Acceleration.
To add virtual servers from the CLI
Command Syntax:
virtual virtual-name {shutdown | [no shutdown]} virtual-ip virtual-port {protocol [http | tcp]}
no virtual virtual-name
Prompt level - Configure
Example commands:
config> virtual Virtual-1 10.1.1.100 80 default-cluster Cluster-1 protocol http
config> no virtual Virtual-1
config> virtual Virtual-1 shutdown
config> virtual Virtual-1 no-shutdown
To add services to a virtual server from the CLI
Command Syntax:
virtual virtual-name service {history | logging | ssl}
virtual virtual-name no service {history | logging | ssl}
Prompt level - Configure
Example commands:
config> virtual Virtual-1 service history
config> virtual Virtual-1 no service history
To add a virtual server from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Servers Topology icon by clicking the + symbol then click on the Virtual icon. Click on the New button.
Figure 56: Adding a Virtual Server from the GUI
3. The New Virtual Server window will be displayed. Specify a name for the Virtual Server, the Virtual IP address, and TCP port of the HTTP application to be accelerated.
4. Choose the Protocol. If the Virtual Server will be mapped to a TCP-based cluster (for non-HTTP load balancing), then the Protocol must be set to TCP within the Virtual Server configuration. The GUI will generate an error if an HTTP Virtual Server is configured with a TCP cluster.
5. Specify whether to insert the originating client IP address in the requests sent to servers. In the Originator IP Mode drop-down list, select one of the following:
   Global. Use the global Originator IP configurations. For more information on configuring the global Originator IP settings, see Originator (Client) IP Address on page 93.
   Local. Configure an Originator IP address for this Virtual Server. Check Enable, and select the header and action to be used.
   The local Originator IP settings override the global level Originator IP settings.
6. Next, specify the Default Action as sending traffic to a specific cluster, redirecting to a URL, or denying access.
7. Once the Default Action is configured, additional L7 Switching and Redirection configuration can be made via the respective tabs if the Virtual Server and subsequent Clusters are configured as HTTP protocol.
URL Rewriting
URL Rewrite is the method by which the AppBeat DC rewrites the URL in an incoming request, before sending the URL to the Cluster / Real Server. The URL is rewritten based on the original URL, the Host field of the URL’s HTTP header, and the matching URL rewrite rule.
The first step of the URL rewrite process is performed by checking whether the Virtual Server has a URL that is waiting to be rewritten. The AppBeat DC then selects the URL rewrite rule to be used by comparing the rule’s format with the format of the incoming URL. When a match is found between a rule and a URL, the URL is rewritten according to the selected rule. Since more than one rule can match a URL, the AppBeat DC selects the rule according to its priority level. The URL rewrite is performed by removing or copying parts of the URL and pasting them in other areas within the URL.
Once the URL is rewritten, the L7 switching decisions that were determined before the URL was rewritten are used. The L7 switching decisions are based on the parameters from the incoming URL request, before the URL is rewritten.
The ability to rewrite URLs enables site administrators to achieve greater control of the HTTP traffic entering their site. URL rewriting can be used for the following scenarios:
Hiding Web server names and server configuration information from your users by redirecting an external URL to an internal URL. This improves the security on your site and makes the site’s URLs shorter.
Redirecting an old webpage to a new webpage.
Redirecting specific keyword searches to simplified URLs.
As mentioned above, the URL is rewritten based on the original URL, the Host field of the URL’s HTTP header, and the matching URL rewrite rule. An example of a URL rewrite request is:
The URL: GET /sports/bball/index.asp?id=12213234
The host name: www.cnn.com
The rewrite rule:
Input – www.cnn.com/$01/$02/$R
Output – $01.cnn.com/$02/$R
After the rewrite, a host name must be included in the URL input request as well as the output URL. The only time a host name is not included in the request is when matching HTTP 1.0 requests.
URL Rewrite Rules
Creating URL rewrite rules enables you to control how each incoming URL is rewritten. This involves creating a generic format for the input URL and for the output URL. Predefined variables are used in the rules to indicate the generic information that varies with each URL. You can create up to 100 URL rewrite rules.
URL rewrite rules can contain two types of variables:
<$R>
<$XX>, where XX is 01, 02, 03…
The following example rule demonstrates the use of the variable <$R>, which contains the end of the URL.

| URL From Incoming Request | URL After Rewrite |
|---|---|
| www.x.com/images/<$R> | www.x.com/images/jpg/<$R> |
When using this rule, the URL www.x.com/images/hello is rewritten to www.x.com/images/jpg/hello. Using the same rule, the URL www.x.com/images/goodbye is rewritten to www.x.com/images/jpg/goodbye. The <$R> variable can contain any character, including slashes and periods, except for a space. Since a space indicates the end of the URL, it cannot be used within the variable.
The following example rule demonstrates the use of the variable <$XX>, which indicates a string from the URL.

| URL From Incoming Request | URL After Rewrite |
|---|---|
| www.x.com/<$01>friend/<$02>index.htm | www.x.com/<$02>/<$01>/index.htm |
When using this rule, the URL www.x.com/myfriend/homeindex.htm is rewritten to www.x.com/home/my/index.htm. The <$XX> variable cannot contain slashes, periods, question marks, or spaces. This variable can appear only once between a set of dashes, periods, or question marks in the URL. The following table displays additional examples of URL rewrite rules, using the <$R> and <$XX> variables. The Desired row describes the desired output according to the specified input. The Rule row displays the input and output rule to be used to receive the desired result.
Table 8: Examples of URL Rewrite Rules

| Example Number | Row | URL Input | URL After Rewrite |
|---|---|---|---|
| 1 | Desired | www.x.com/images/<rest> | www.x.com/images/jpg/<rest> |
| 1 | Rule | www.x.com/images/$R | www.x.com/images/jpg/$R |
| 2 | Desired | www.x.com/images/<rest> | www.x.com/pictures/<rest> |
| 2 | Rule | www.x.com/images/$R | www.x.com/pictures/$R |
| 3 | Desired | www.x.com/images/<rest> | pictures.x.com/<rest> |
| 3 | Rule | www.x.com/images/$R | pictures.x.com/$R |
| 4 | Desired | images.x.com/<rest> | www.x.com/pictures/<rest> |
| 4 | Rule | images.x.com/$R | www.x.com/pictures/$R |
| 5 | Desired | <uname>.x.com/<rest> | www.x.com/~<uname>/<rest> |
| 5 | Rule | $1.x.com/$R | www.x.com/~$1/$R |
| 6 | Desired | www.x.com/<app>/<rest> | <app>.x.com/<rest> |
| 6 | Rule | www.x.com/$1/$R | $1.x.com/$R |
| 7 | Desired | www.x.com/<uname> | www.x.com/user.php?uname=<uname> |
| 7 | Rule | www.x.com/$1 | www.x.com/user.php?uname=$1 |
| 8 | Desired | www.x.com/dir | www.x.com/dir/ |
| 8 | Rule | www.x.com/$1 | www.x.com/$1/ |
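The matching and substitution described above, as an added Python example that is not code from the guide or from the AppBeat DC: it models <$R> and <$XX> with the character restrictions the text gives and reproduces the guide's worked rewrites. The names RewriteRule and rewrite, the sample priorities, and the choice that a lower priority number wins (the guide states this for L7 switching rules but not for rewrite rules) are assumptions; the `$$` sequence that appears in the CLI examples is not modelled.

```python
import re
from dataclasses import dataclass

# A rule variable: $R or $XX (for example $01 or $1), optionally in angle brackets.
_VAR = re.compile(r"<\$(R|\d{1,2})>|\$(R|\d{1,2})")


def _tokens(template):
    """Split a rule string into ("lit", text) and ("var", name) tokens."""
    out, pos = [], 0
    for m in _VAR.finditer(template):
        if m.start() > pos:
            out.append(("lit", template[pos:m.start()]))
        name = m.group(1) or m.group(2)
        # Normalise $01 and $1 to the same variable name.
        out.append(("var", name if name == "R" else str(int(name))))
        pos = m.end()
    if pos < len(template):
        out.append(("lit", template[pos:]))
    return out


@dataclass
class RewriteRule:
    before: str      # input format, host name included
    after: str       # output format
    priority: int    # assumption: lower number = higher precedence

    def __post_init__(self):
        parts, seen = [], set()
        for kind, val in _tokens(self.before):
            if kind == "lit":
                parts.append(re.escape(val))
                continue
            if val in seen:
                raise ValueError(f"variable ${val} repeated in input format")
            seen.add(val)
            # $R: any character except a space.
            # $XX: no slash, period, question mark or space.
            charset = "[^ ]*" if val == "R" else "[^/.? ]+"
            parts.append(f"(?P<v{val}>{charset})")
        unknown = {v for k, v in _tokens(self.after) if k == "var"} - seen
        if unknown:
            raise ValueError(f"output uses undefined variables: {sorted(unknown)}")
        self._regex = re.compile("".join(parts))

    def apply(self, url):
        """Return the rewritten URL, or None when the rule does not match."""
        m = self._regex.fullmatch(url)
        if m is None:
            return None
        return "".join(v if k == "lit" else m.group("v" + v)
                       for k, v in _tokens(self.after))


def rewrite(host, request_uri, rules):
    """Rewrite Host + request URI with the best-priority matching rule."""
    url = host + request_uri
    for rule in sorted(rules, key=lambda r: r.priority):
        result = rule.apply(url)
        if result is not None:
            return result
    return url  # no rule matched: forward unchanged


# Rules copied from the guide's examples; the priorities are constructed.
RULES = [
    RewriteRule("www.cnn.com/$01/$02/$R", "$01.cnn.com/$02/$R", 10),
    RewriteRule("www.x.com/<$01>friend/<$02>index.htm",
                "www.x.com/<$02>/<$01>/index.htm", 20),
    RewriteRule("www.x.com/images/$R", "www.x.com/images/jpg/$R", 30),
    RewriteRule("www.x.com/$1", "www.x.com/user.php?uname=$1", 35),
    RewriteRule("$1.x.com/$R", "www.x.com/~$1/$R", 40),
]

if __name__ == "__main__":
    for host, uri in [("www.cnn.com", "/sports/bball/index.asp?id=12213234"),
                      ("www.x.com", "/myfriend/homeindex.htm"),
                      ("alice.x.com", "/docs/a.html"),
                      ("www.x.com", "/bob")]:
        print(host + uri, "->", rewrite(host, uri, RULES))
```

The last two rules both match www.x.com/bob, so the priority decides which output is produced. Because <$R> accepts slashes and periods, this model copies dot segments such as ../ into the rewritten URL unchanged.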
Configuring URL Rewrite Rules
You can configure the rewrite rules through the CLI or GUI. This includes adding, editing, and removing rules from the Configured rules list. Once a rewrite rule is created, you need to commit the rule. In addition to the regular configurations mentioned above, you can run the newly modified rules. You can view the committed rules or perform a rollback, to undo the recent run and return the list of previously run rewrite rules. This section outlines the steps required to configure URL rewrite rules through the CLI and GUI.

To add a URL rewriting rule from the CLI
Command Syntax: virtual name rewrite before url-string-before after url-string-after priority
Prompt level - Configure
Example commands:
config> virtual v1 rewrite before www.x.com/$01 after www.x.com/user.php?uname=$01 2
config> virtual v1 rewrite before www.$01.com/ after www.x.com/user.php?uname=$01 3

To remove a URL rewriting rule from the CLI
Command Syntax:
no virtual name rewrite id internal-id
no virtual name rewrite before url-string-before
Prompt level - Configure
Example commands:
no virtual v1 rewrite before www.$01.com/

To commit the rewrite rules from the CLI
Command Syntax: virtual name rewrite commit
Prompt level - Configure
Example commands:
virtual v1 rewrite commit

To perform a rollback from the CLI
After running a list of rules, you can perform a rollback to restore the previously run list of rules. These rules will then need to be run again before they can be used.
Command Syntax: virtual name rewrite rollback
Prompt level - Configure
Example commands:
virtual v-1 1.2.3.4 80 redundancy-group 1 default-cluster c1
virtual v-1 rewrite before $01.before-$02-after.$03/$04/$05.txt after www.match-$05-$01.com/$04/$01/before-$03after/$02.txt 90
virtual v-1 rewrite before www.endofpath.com/$01 after www.matchendofpath.com/$01 89
virtual v-1 rewrite before $01.constpost.com/default.html after $01.constpost.com/$01/default.html 88
virtual v-1 rewrite before "before $01.rest.$R" after www.match-$01.$R 86
virtual v-1 rewrite before $01.restendofhost.com$R after www.match$01.$R 85
virtual v-1 rewrite before www.str1$$str2.com/$01/$$ after www.matchstr1$$str2.com/$01/$$ 84
no virtual v-1 rewrite before $01.before1-$02-after.$03/$R after www.match1-$01.com/$02/$R 91
virtual v-1 rewrite commit
virtual v-1 rewrite before $01.before1-$02-after.$03/$R after www.match1-$01.com/$02/$R 91
To view the URL rewrite configured rules from the CLI
Command Syntax: show virtual rewrite configured
Prompt level - Root
Example commands:
root> show virtual rewrite configured
Virtual  Id  Before URL         After URL          Priority  Commit
v-1      7   www.str1$$str2.co  www.match-str1$$s  84        committed
         6   $01.restendofhost  www.match-$01.$R   85        committed
         5   before $01.rest.$  www.match-$01.$R   86        committed
         3   $01.constpost.com  $01.constpost.com  88        committed
         2   www.endofpath.com  www.match-endofpa  89        committed
         1   $01.before-$02-af  www.match-$05-$01  90        committed
         4   $01.before1-$02-a  www.match1-$01.co  91        Not committed

To view the URL rewrite rules that are running from the CLI
Command Syntax: show virtual rewrite committed
Prompt level - Root
Example commands:
root> show virtual rewrite actual
Virtual  Before URL               After URL                Priority
v-1      www.str1$$str2.com/$01/  www.match-str1$$str2.co  84
         $01.restendofhost.com$R  www.match-$01.$R         85
         before $01.rest.$R       www.match-$01.$R         86
         $01.constpost.com/defau  $01.constpost.com/$01/d  88
         www.endofpath.com/$01    www.match-endofpath.com  89
         $01.before-$02-after.$0  www.match-$05-$01.com/$  90
         $01.before-$02-after.$0  www.match-$01.com/$02/$  91
To add URL rewriting rules from the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology panel, expand the Virtual Servers icon by clicking the + symbol then click the specific Virtual Server icon.
3. Select the URL Rewriting tab to display the URL rewrite rules.
4. In the URL Rewriting Rules area, select the Configured tab to configure the rules.
Figure 57: Configuring the URL Rewrite Rules from the GUI
5. In the Rule Before, Rule After, and Priority fields, enter the rule’s input and output information and the rule’s priority level.
6. Click Apply to add the rule to the list of available rewrite rules. Once the rule is added, you must run the rule before it can be used.
To commit the URL rewriting rules from the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology panel, expand the Virtual Servers icon by clicking the + symbol then click the specific Virtual Server icon.
3. Select the URL Rewriting tab to display the URL rewrite rules.
4. In the URL Rewriting Rules area, select the Configured tab.
5. Click Commit All. The rules are running and can be matched with incoming URLs.
6. Click the Committed tab to display the URL rewriting rules that are being used for this virtual server.
Figure 58: Running the URL Rewrite Rules from the GUI
To perform a rollback from the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology panel, expand the Virtual Servers icon by clicking the + symbol then click the specific Virtual Server icon.
3. Select the URL Rewriting tab to display the URL rewrite rules.
4. In the URL Rewriting Rules area, select the Configured tab.
5. Click Rollback to restore the list of previously run URL rewriting rules.
To edit URL rewriting rules from the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology panel, expand the Virtual Servers icon by clicking the + symbol then click the specific Virtual Server icon.
3. Select the URL Rewriting tab to display the URL rewrite rules.
4. In the URL Rewriting Rules area, select the Configured tab.
5. In the URL Rewriting Rules table, select the rule you want to edit.
6. Edit the rule and click Apply.
To remove URL rewriting rules from the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology panel, expand the Virtual Servers icon by clicking the + symbol then click the specific Virtual Server icon.
3. Select the URL Rewriting tab to display the URL rewrite rules.
4. In the URL Rewriting Rules area, select the Configured tab.
5. In the URL Rewriting Rules table, select the rule that you want to remove and click Delete.
L7 Switching & Redirection (HTTP Virtual Servers)
HTTP Switching—referred to as L7 Switching—is the method by which requests sent to a Virtual Server (configured for HTTP traffic) are classified and forwarded to a specific cluster. HTTP switching is only available when the load-balancing feature is enabled (licensed) and the Virtual Server and subsequent Clusters to receive traffic are configured in HTTP protocol mode.
HTTP Switching enables the creation of ordered (prioritized) rules within the Virtual Server to determine which cluster should receive matching requests. Rules can be configured to classify based on any combination of the following criteria: Host Name, File Extension, URL, and Language.
An example of an environment that may benefit from HTTP Switching is one with different content types being served by different clusters. For instance, a cluster may be optimized to serve only image content, like jpegs and gifs, while another cluster is optimized to serve application requests and communicate with a backend database. In this scenario, two separate clusters would be configured. Through the use of HTTP switching rules, a single Virtual Server would be created with rules designating which clusters receive client requests based on content. Therefore, requests for images are served by the image cluster and requests for all other data are served by the application or default cluster.
HTTP Switching is also ideal when content is served in different languages. Administrators can manage different clusters set up to serve content in different languages. HTTP Switching enables the AppBeat DC to forward requests to the correct cluster based on the language specified in the client’s browser.
L7 Switching Criteria
As previously mentioned, HTTP Switching rules are built with a combination of the following criteria:
Hostname – Hostname specified in the client’s Host header, limited to 32 characters (for example, www.site1.com or www.site2.com).
File Extension – Extension of object being requested. (Ex. jpg, gif, html, etc.)
URL – Commonly used for directory structure and based on longest match. For example, if “/products/” is specified, the following URLs would match: “/products/” and “/products/shoes/”. It is important that the leading slash be specified. Additionally, the URL field can accommodate only 30 characters.
Language – As specified in the browser’s “Accept-Language” header. If more than one language is listed in the client’s request, the AppBeat DC will only classify based on the first language listed.
L7 Switching Criteria Options
Each rule criterion is configured with a defined value as demonstrated above, or with one of two different options.
Doesn’t Exist – Set when you require the rule to match based on the non-existence of a value. For example, setting the File Extension to “Doesn’t Exist” means that the AppBeat DC will classify a request for a file with no extension as a match, whereas a file with an extension will not match.
Don’t Care – Set when the criteria does not matter. For instance, setting the File Extension criteria to “Don’t Care” means that the AppBeat DC will not care what file extensions are requested.
After specifying criteria for a rule, a priority should be configured, as well as a defined Cluster for traffic matching the rule.

URL Criteria Options
When creating an HTTP Switching rule based on the URL, two options are available to ensure proper functionality:
Exact Match – If the URL is configured with an “exact match” option, then it’s a match only if the portion after GET matches exactly the configured string.
Longest Prefix – If the URL is configured with a “longest prefix” option, then it’s a match if the string is found. Additionally, the search for longest prefix always starts at the beginning of the URI (right after “GET”) – this is why the URL section is always required to start with a “/” in the AppBeat DC configuration.
L7 Switching Actions
When configuring HTTP switching rules, two possible actions are available if a rule matches a user request:
Send to cluster – the virtual server will direct the user request to the configured cluster.
Deny – the virtual server will deny the user request and reset the TCP connection.
L7 Switching Rule Priorities
When configuring an HTTP Switching or Redirection rule, a priority value is required. The priority value is only used in instances when more than one HTTP Switching or Redirection rule is matched.

Important Information about Priorities
A priority value must be assigned to each L7 switching or Redirection rule.
Priority values are only used when two rules match all criteria for a request.
Priority is based on a descending scale, so a rule with priority 2 has a higher precedence than a rule with a priority of 5.
Even though there are two tables to configure L7 Switching and Redirection rules per Virtual Server (VIP) in the GUI, they effectively utilize the same table. This means that for the same Virtual Server, you cannot have an L7 Switching rule with a priority of 2 and a Redirection rule with a value of 2 also. Instead, the two tables must utilize nonconflicting priority values since they are actually executed as a single table. For example, a request is received which contains the following information:
Request URL: /images/image1.jpg.
Host name: www.site1.com.
The AppBeat DC has the following HTTP Switching and Redirection rules:

Table 9: L7 Switching

| Hostname | File Ext. | URL | Language | Priority | Cluster |
|---|---|---|---|---|---|
| Don’t Care | jpg | Don’t Care | Don’t Care | 1 | Cluster-1 |

Table 10: Redirection

| Hostname | File Ext. | URL | Language | Priority | Redirection to: |
|---|---|---|---|---|---|
| www.site1.com | Don’t Care | Don’t Care | Don’t Care | 2 | www.site2.com |
In this example, the request actually matches both configured rules. When this occurs, the AppBeat DC uses the configured priority to determine which action to take. In this case, the L7 Switching rule has a higher priority (1) and the request will be forwarded to Cluster-1 per the configured action.
L7 Switching Example Configuration
Assume the following configuration in which two clusters exist:
Farm-1.
  Cluster-1.
    Server-1.
    Server-2.
  Cluster-2.
    Server-3.
    Server-4.
    Server-5.
Cluster-1 serves image content consisting of jpegs and gifs, while Cluster-2 serves all other content and application requests. After configuring each Cluster on the AppBeat DC, a Virtual Server must be created with the following configuration:
Virtual Server = 10.1.1.100; Port = 80.
Default Cluster = Cluster-2.
L7 Switching Rules:

Table 11: L7 Switching Rules

| Hostname | File Ext. | URL | Language | Priority | Cluster |
|---|---|---|---|---|---|
| Don’t Care | jpg | Don’t Care | Don’t Care | 1 | Cluster-1 |
| Don’t Care | gif | Don’t Care | Don’t Care | 2 | Cluster-1 |
As the Virtual Server configuration demonstrates, requests for jpg or gif objects will be forwarded to Cluster-1 as stipulated in Rule 1 and 2, while all other requests will be forwarded to Cluster-2 (default rule).
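How a request is classified against the single table that L7 Switching and Redirection rules share, as an added Python example that is not AppBeat DC code: it covers the "Don't Care" and "Doesn't Exist" options, first-language matching, the two URL match options, the field limits and the rule that priorities must not collide. All class and function names are assumptions, "Doesn't Exist" is not modelled for the URL criterion, and when several rules match only the priority decides.

```python
from dataclasses import dataclass
from enum import Enum


class Opt(Enum):
    DONT_CARE = "Don't Care"
    DOESNT_EXIST = "Doesn't Exist"


ANY, NONE = Opt.DONT_CARE, Opt.DOESNT_EXIST


@dataclass(frozen=True)
class Rule:
    priority: int               # 1..100, lower number = higher precedence
    action: str                 # "to-cluster", "redirect" or "deny"
    target: str = ""            # cluster name or redirect URL; empty for deny
    hostname: object = ANY
    file_ext: object = ANY
    url: object = ANY           # must start with "/"
    language: object = ANY
    url_exact: bool = False     # False = "longest prefix", True = "exact match"


def request_facts(uri, headers):
    """Extract the classification inputs from a request URI and its headers."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    leaf = uri.split("?", 1)[0].rsplit("/", 1)[-1]
    ext = leaf.rsplit(".", 1)[1].lower() if "." in leaf else ""
    host = hdrs.get("host", "").split(":")[0].lower()
    # Only the first language listed in Accept-Language is classified.
    lang = hdrs.get("accept-language", "").split(",")[0].split(";")[0].strip().lower()
    return {"hostname": host or None, "file_ext": ext or None,
            "language": lang or None, "uri": uri}


def _criterion_matches(criterion, value):
    if criterion is ANY:
        return True
    if criterion is NONE:
        return value is None
    return value == criterion.lower()


def rule_matches(rule, facts):
    """A rule matches only when every one of its criteria matches."""
    for name in ("hostname", "file_ext", "language"):
        if not _criterion_matches(getattr(rule, name), facts[name]):
            return False
    if rule.url is ANY:
        return True
    uri = facts["uri"]
    return uri == rule.url if rule.url_exact else uri.startswith(rule.url)


class VirtualServer:
    def __init__(self, default_cluster):
        self.default_cluster = default_cluster
        self._table = {}        # one table for switching and redirection rules

    def add(self, rule):
        if not 1 <= rule.priority <= 100:
            raise ValueError("priority must be between 1 and 100")
        if rule.priority in self._table:
            raise ValueError(f"priority {rule.priority} is already used in the shared table")
        if isinstance(rule.hostname, str) and len(rule.hostname) > 32:
            raise ValueError("hostname is limited to 32 characters")
        if rule.url is NONE:
            raise ValueError("'Doesn't Exist' for URL is not modelled here")
        if isinstance(rule.url, str) and (not rule.url.startswith("/") or len(rule.url) > 30):
            raise ValueError("URL must start with '/' and fit in 30 characters")
        self._table[rule.priority] = rule

    def classify(self, uri, headers):
        """Return (action, target) for the best-priority matching rule."""
        facts = request_facts(uri, headers)
        for priority in sorted(self._table):
            rule = self._table[priority]
            if rule_matches(rule, facts):
                return rule.action, rule.target
        return "to-cluster", self.default_cluster


def build_example():
    """Tables 9-11 combined; the gif rule is moved to priority 3 (constructed)."""
    vs = VirtualServer(default_cluster="Cluster-2")
    vs.add(Rule(1, "to-cluster", "Cluster-1", file_ext="jpg"))
    vs.add(Rule(2, "redirect", "www.site2.com", hostname="www.site1.com"))
    vs.add(Rule(3, "to-cluster", "Cluster-1", file_ext="gif"))
    return vs


if __name__ == "__main__":
    vs = build_example()
    print(vs.classify("/images/image1.jpg", {"Host": "www.site1.com"}))
    print(vs.classify("/index.html", {"Host": "www.site1.com"}))
```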
Configuring L7 Switching Rules
The following section outlines the steps required to configure L7 switching rules through the CLI and GUI.
To add L7 switching rules from the CLI
Command Syntax: virtual name rule { hostname variable | no-hostname | any-hostname | file-ext variable | no-file-ext | any-file-ext | url variable | nourl | any-url | language variable | no-language | any-language} rule_priority_[1…100] {to-cluster cluster | redirect url | deny}
Prompt level - Configure
Example commands:
config> virtual Virtual-1 rule any-hostname file-ext jpg any-url any-language to-cluster Cluster-1
To add L7 switching rules from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Virtual Servers icon by clicking the + symbol then click on the specific Virtual Server icon.
Figure 59: Configuring L7 Switching
3. The L7 Switching rules can be found in the L7 Switching tab.
4. Select a blank row, and then configure the desired variables either by selecting one of the options from the drop-down menu (for example “Don’t Care” or “Doesn’t Exist”) or by clicking in the variable window and entering the desired text.
5. Click Apply.
To remove an L7 switching rule from the CLI
Command Syntax 1: no virtual <vir-name> rule id <number> / <language>
In some cases, when using this command, you will need to make modifications to the rule before the rule can be removed. For example, when you use the command Show Run to discover the rule, you will need to make modifications to the rule. For this reason it is recommended to use the following command.
Command Syntax 2:
show virtual rule
no vir <vir-name> rule id <number>
Prompt level - Configure
Example commands:
show virtual rule
no virtual LAN2 rule any-hostname any-file-ext url / any-language
To remove L7 switching rules from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Virtual Servers icon by clicking the + symbol then click on the specific Virtual Server icon.
Figure 60: Configuring L7 Switching
3. The L7 Switching rules can be found in the L7 Switching tab.
4. Select the row of the rule that you want to delete and click Delete.
HTTP Redirection Rules
For each virtual server, redirection rules can be configured instructing the AppBeat DC virtual server to redirect specific user requests to alternate URLs. Each redirection rule is configured exactly as an L7 switching rule. Also, the priorities assigned to redirection rules are compared to other priorities in both redirection and L7 switching rules for the same Virtual Server. Therefore, L7 switching priorities cannot conflict with those of the redirection rule table for the same Virtual Server (VIP).

HTTP Redirection Configuration Criteria
Configuring a redirection rule is exactly like configuring an L7 switching rule with regards to matching for host name, file extension, URL, language, and priority. In addition, a number of redirection-specific parameters are available for configuration:
Redirect to – The location to which the AppBeat DC will redirect the client request if there is a rule match. See below for a more detailed description of how to configure this parameter.
Connection – The Connection header used in the redirect message from the AppBeat DC. The unit can send the redirect with a Connection: keep-alive or Connection: close header.
Preserve Original Path – Enabling this option will instruct the AppBeat DC to append the path of the request URL to the redirection URL. The path, in this case, refers to everything from the first slash (not counting the protocol slashes) to the end of the request. For example, if the request URL is http://www.site.com/abc/def/index.html, then the original path would be “/abc/def/index.html” – including the first slash. See below for how this parameter affects the redirection location.
Permanent redirection – By default, the AppBeat DC uses temporary redirects for the redirection mechanism. This means that it redirects HTTP/1.1 clients using response code 307 and HTTP/1.0 clients using response code 302. The option is available to make the redirection permanent. If the option is enabled, the AppBeat DC will use a response code 301 with the redirect for all clients.
The “redirect to” Field
The redirection mechanism of the AppBeat DC has an extensive set of capabilities that allows it to perform much more than simple HTTP redirection. The mechanism allows for protocol switching (http->https), redirection to a new host and/or new port number, and the ability to preserve the original request path if necessary, as discussed above. As such, the “redirect to” parameter can take many forms. The figure below describes the general anatomy of the parameter:
Figure 61: Redirect To… Field
The table below shows possible configurations for this parameter and what each means. All examples shown below are valid configurations. Also shown is the effect of the “preserve original path” option to each of the redirects. In these examples, we assume that the original request was to “http://<host>/abc/def/x.htm”:
Table 12: Redirect To…Field’s Possible Configurations

| “redirect to” parameter | Location header of the redirect (Pres. orig. path disabled) | Location header of the redirect (Pres. orig. path enabled) |
|---|---|---|
| https:// | https://<host> | https://<host>/abc/def/x.htm |
| https:/// | https://<host>/ | https://<host>/abc/def/x.htm |
| :8080 | http://<host>:8080 | http://<host>:8080/abc/def/x.htm |
| https://:444 | https://<host>:444 | https://<host>:444/abc/def/x.htm |
| www.site.com | http://www.site.com | http://www.site.com/abc/def/x.htm |
| www.site.com/ | http://www.site.com/ | http://www.site.com/abc/def/x.htm |
| www.site.com:8080 | http://www.site.com:8080 | http://www.site.com:8080/abc/def/x.htm |
| www.site.com:8080/ | http://www.site.com:8080/ | http://www.site.com:8080/abc/def/x.htm |
| https://www.site.com:444 | https://www.site.com:444 | https://www.site.com:444/abc/def/x.htm |
| https://www.site.com:444/ | https://www.site.com:444/ | https://www.site.com:444/abc/def/x.htm |
| www.site.com/dir1 | http://www.site.com/dir1 | http://www.site.com/dir1/abc/def/x.htm |
| www.site.com/dir1/ | http://www.site.com/dir1/ | http://www.site.com/dir1/abc/def/x.htm |
| :8080/dir1 | http://<host>:8080/dir1 | http://<host>:8080/dir1/abc/def/x.htm |
| /dir1 | http://<host>/dir1 | http://<host>/dir1/abc/def/x.htm |
| https:///dir1/ | https://<host>/dir1/ | https://<host>/dir1/abc/def/x.htm |
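The Location header construction that Table 12 tabulates, together with the response codes given under "Permanent redirection", as an added Python example rather than code from the guide or the device. The function names, the default scheme of http when none is configured (which is what every row of the table shows), and the rejection of whitespace or control characters in request-derived values are assumptions.

```python
import re

# "redirect to" anatomy: [scheme://][host][:port][/path], every part optional.
_REDIRECT_TO = re.compile(
    r"^(?:(?P<scheme>https?)://)?(?P<host>[^:/]*)(?::(?P<port>\d+))?(?P<path>/.*)?$")
# Assumption: the request host and path come from the client, so refuse
# whitespace and control characters before copying them into a header.
_UNSAFE = re.compile(r"[\x00-\x20\x7f]")

# (redirect-to parameter, Location with path disabled, Location with path enabled)
TABLE_12 = [
    ("https://", "https://<host>", "https://<host>/abc/def/x.htm"),
    ("https:///", "https://<host>/", "https://<host>/abc/def/x.htm"),
    (":8080", "http://<host>:8080", "http://<host>:8080/abc/def/x.htm"),
    ("https://:444", "https://<host>:444", "https://<host>:444/abc/def/x.htm"),
    ("www.site.com", "http://www.site.com", "http://www.site.com/abc/def/x.htm"),
    ("www.site.com/", "http://www.site.com/", "http://www.site.com/abc/def/x.htm"),
    ("www.site.com:8080", "http://www.site.com:8080", "http://www.site.com:8080/abc/def/x.htm"),
    ("www.site.com:8080/", "http://www.site.com:8080/", "http://www.site.com:8080/abc/def/x.htm"),
    ("https://www.site.com:444", "https://www.site.com:444", "https://www.site.com:444/abc/def/x.htm"),
    ("https://www.site.com:444/", "https://www.site.com:444/", "https://www.site.com:444/abc/def/x.htm"),
    ("www.site.com/dir1", "http://www.site.com/dir1", "http://www.site.com/dir1/abc/def/x.htm"),
    ("www.site.com/dir1/", "http://www.site.com/dir1/", "http://www.site.com/dir1/abc/def/x.htm"),
    (":8080/dir1", "http://<host>:8080/dir1", "http://<host>:8080/dir1/abc/def/x.htm"),
    ("/dir1", "http://<host>/dir1", "http://<host>/dir1/abc/def/x.htm"),
    ("https:///dir1/", "https://<host>/dir1/", "https://<host>/dir1/abc/def/x.htm"),
]


def location(redirect_to, request_host, request_path, preserve_path=False):
    """Build the Location value for one "redirect to" setting."""
    m = _REDIRECT_TO.match(redirect_to)
    if m is None:
        raise ValueError(f"unparseable redirect-to value: {redirect_to!r}")
    if _UNSAFE.search(request_host) or _UNSAFE.search(request_path):
        raise ValueError("request host or path contains whitespace or control characters")
    if not request_path.startswith("/"):
        raise ValueError("request path must start with '/'")
    scheme = m["scheme"] or "http"
    host = m["host"] or request_host       # empty host: reuse the request's host
    if not host:
        raise ValueError("no host configured and none in the request")
    port = f":{m['port']}" if m["port"] else ""
    path = m["path"] or ""
    if preserve_path:
        # The original path already starts with "/", so drop a trailing one.
        path = path.rstrip("/") + request_path
    return f"{scheme}://{host}{port}{path}"


def redirect_response(redirect_to, request_host, request_path, http_version="1.1",
                      preserve_path=False, permanent=False, keep_alive=True):
    """Return (status code, headers) for the redirect."""
    if permanent:
        status = 301
    else:
        status = 307 if http_version == "1.1" else 302
    headers = {
        "Location": location(redirect_to, request_host, request_path, preserve_path),
        "Connection": "keep-alive" if keep_alive else "close",
    }
    return status, headers


def check_table(host="www.example.test", path="/abc/def/x.htm"):
    """Return the Table 12 entries this model fails to reproduce."""
    bad = []
    for cfg, off, on in TABLE_12:
        if location(cfg, host, path) != off.replace("<host>", host):
            bad.append((cfg, "disabled"))
        if location(cfg, host, path, preserve_path=True) != on.replace("<host>", host):
            bad.append((cfg, "enabled"))
    return bad


if __name__ == "__main__":
    print(check_table())
    print(redirect_response("https://", "www.example.test", "/abc/def/x.htm",
                            preserve_path=True))
```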
Configuring HTTP Redirection Rules
The following section outlines the steps required to configure L7 switching rules through the CLI and GUI.

To Configure Redirection from the CLI
Command Syntax: virtual name rule { hostname variable | no-hostname | any-hostname | file-ext variable | no-file-ext | any-file-ext | url variable | nourl | any-url | language variable | no-language | any-language} rule_priority_[1…100] {to-cluster cluster | redirect url | deny}
Prompt level - Configure
Example commands:
config> virtual Virtual-1 rule any-hostname file-ext jpg any-url any-language redirect http://www.test.com/
root> show virtual Virtual-1 rule
To Configure Redirection from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Virtual Servers icon by clicking the + symbol then click on the specific Virtual Server icon.
Figure 62: Configuring HTTP Redirection
3. The HTTP Redirection rules can be found in the Redirection tab.
4. Select a blank row, and then configure the desired variables either by selecting one of the options from the drop-down menu (for example “Don’t Care” or “Doesn’t Exist”) or by clicking in the variable window and entering the desired text.
5. Click Apply.
9 Compression
Chapter 9 introduces and explains the configuration of the Compression module.
Before Proceeding.
Compression Module Overview.
Compression Module Configuration.
Global Configuration (Browser/File Exceptions).
Enhanced Compression Module Configuration.
Before Proceeding
In order to proceed with configuring Compression, the following steps should be satisfied.
Management connectivity, whether through Serial Console or via Management Ethernet Interface (GUI, Telnet, or SSH). Please see Chapter 5. Initial Configuration & Global Settings.
Server(s) configured in at least one HTTP cluster. Please see Chapter 7. Server Topology – Farms/Clusters/Real Servers.
Compression Module Overview
The compression feature requires the installation of an optional hardware compression module. If you are interested in purchasing either the basic or the enhanced compression module, please contact your local sales representative or email sales@crescendonetworks.com.
The AppBeat DC utilizes industry standard gzip and deflate-compression algorithms accepted by most Web browsers for HTTP content. Not all content is compressible; therefore, the AppBeat DC determines compressibility by analyzing the mime-type defined in server responses. If the content matches a configurable list of compressible mime-types, the AppBeat DC compresses and forwards the data to the end-user. Otherwise, noncompressible data is forwarded normally.
The basic and enhanced compression modules also include a global set of compression rules that act based on browser characteristics and file extensions. These rules can be used in order to compensate for certain browsers that have issues either with all compression or with specific file types. The global rules override individual profiles and apply to all traffic compressed by the AppBeat DC.
While the basic compression module uses a static compression level and throughput, the enhanced compression module enables you to configure the compression level and throughput size per second.
Compression Profile Configuration

Sample mime-types
The full list of mime-types is available at the Internet Assigned Numbers Authority (IANA) website at http://www.iana.org/assignments/media-types/.
Chapter 9 Compression
Below is a sample of common mime-types:

Table 13: Common Mime-types Sample

| Mime-type (includes type/subtype) | File Extension |
|---|---|
| application/x-javascript | js |
| application/xml | xml xsl |
| image/bmp | bmp |
| image/jpeg | jpeg jpg jpe |
| text/html | html htm |
| text/plain | asc txt |
Configuring Compression
Configuring compression requires the following steps.
Create a compression profile.
Define mime-types for use with compression profile.
Apply compression profile to a Cluster.
To create a compression profile from the CLI
The Compression Module enables a great deal of flexibility with regard to Profile configuration. For example, a Profile can be created with a default action of “exclude”, meaning no data will be compressed unless mime-types are added with the “include” setting. Alternatively, a profile could be created with a default action of “include”, meaning all data will be compressed except for that with mime-types specifically defined as “exclude”.
Command Syntax: compression profile profile_name [include | exclude]
Prompt level – Configure
Example commands:
config> compression profile Cmp-Profile-1 exclude
To configure mime-types for a policy from the CLI
The AppBeat DC parses the server response headers for matching mime-type information. If a match is found, and the content being sent is greater than 128 bytes, the AppBeat DC will compress the content. Mime-types are listed as a type and sub-type in the format of: type/sub-type. When configuring mime-types for a Compression Profile, you can choose to specify the exact mime type, like “text/plain”, or specify only the type, like “text”. Specifying only the type will ensure that all content within the specific type will be included or excluded for compression by the AppBeat DC without having to input each individual mime-type.
Command Syntax: compression mime-type profile_name content-type [include | exclude]
Prompt level – Configure
Example commands:
config> compression profile test_profile exclude
config> compression mime-type test_profile text/html include
config> compression mime-type test_profile text/plain
To display compression configuration information from the CLI
Command Syntax: show compression
Prompt level – Root
Example commands:
root> show compression
To create a compression profile from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, click on Compression under the Services icon.
Figure 63: Creating a Compression Profile
3. Click on the New button to display the “Add New Compression Profile” window shown below.
Figure 64: Add a New Compression Profile
4. Specify the Profile Name and Action. If “Include” is chosen, the profile will include all data types for compression. If “Exclude” is chosen, the profile will not perform compression for any mime-type, except for types manually added in the next step.
To configure mime-types for a policy from the GUI
1. Custom mime-types can be configured for inclusion or exclusion within a compression profile. Once the profile is created, click on the profile name in the Topology panel to display profile details.
Figure 65: Importing a Private Key
2. Data types are added as HTTP mime-types. Click on a blank entry in the Mime-Type table to enable the ability to add a mime-type and action.
To apply compression profile to a Cluster from the CLI
Command Syntax: service compression profile-name
Prompt level – Configure → Farm → Cluster
Example commands:
Cluster “Cluster1”> service compression Cmp-Profile-1
To apply compression profile to a Cluster from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, click on a Cluster under the Topology → Farm → Cluster icon. This will display the Cluster configuration settings as shown in the figure below.
Figure 66: Applying a Compression Profile to a Cluster
3. Check the box next to Compression to Client and choose the Profile created in the previous steps.
Global Configuration (Browser/File Exceptions)
The compression module includes a global set of compression rules that act based on browser characteristics and file extensions. These rules can be used in order to compensate for certain browsers that have issues either with all compression or with specific file types. The global rules override individual profiles and apply to all traffic compressed by the AppBeat DC.
Configuring Browser/File Exceptions
The following section outlines the configuration steps required for configuring the global compression actions for the AppBeat DC, including browser type/version and file extensions. Each rule must include a browser and a file extension.
To Configure Global Configuration Rules from the CLI
Command Syntax
compression default-action file-ext {name | id} {name or id of browser} {include | exclude | mime-type}
Prompt level – Configuration
Example commands:
config> compression default-action css id 23 exclude
root> show compression default-action
To View the Browser IDs from the CLI
The following command displays the browser/version ID list for use with configuring default-action rules through the CLI.
Command Syntax
show classified-user-agent
Prompt level – Root
To Configure Global Configuration Rules from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, expand the Services icon and click on the Compression icon.
Figure 67: Configuring Global Configuration Rules
3. Click on a blank rule, and input the Browser Group, Version, File Extension, and Action variables.
Enhanced Compression Module Configuration
The enhanced compression module enables you to configure the compression ratio or throughput levels as described in the following modes:
Normal – Enhanced compression throughput using normal compression ratio. This option provides enhanced compression throughput of the unit according to the acquired license and up to 66 percent compression ratio. Boosting the compression throughput enables you to create the following compression throughput levels:
Up to 1 Gbps – baseline.
Up to 1.5 Gbps.
Up to 2 Gbps.
Up to 3 Gbps.
High – Normal compression throughput using a high compression ratio. This option provides up to 1 Gbps of throughput and up to 86 percent compression on certain file types, while maintaining zero latency performance.
The enhanced compression module is purchased as a separate add-on. After installing the module, you must install the software and software license before the module is available for use.
Configuring the Enhanced Compression Module
You can configure the enhanced compression module from the CLI or the GUI.
To configure the compression level from the CLI
Command Syntax
compression level {normal | high}
Prompt level – Configuration
Example commands:
config> compression level normal
config> compression level high
To view the available compression type and compression level from the CLI
Command Syntax
show compression level
Prompt level – Configuration
Example commands:
root> show compression level
Output: Enhanced compression card unavailable for use:
Enhanced compression module: n/a
Compression Level: Normal
Compression Throughput: 1 Gbps
Output: Enhanced compression card available for use, with a high compression level:
Enhanced compression module: ON
Compression Level: High
Compression Throughput: 1 Gbps
Output: Enhanced compression card available for use, with a normal compression level:
Enhanced compression module: ON
Compression Level: Normal
Compression Throughput: 1Gbps, 1.5Gbps, 2Gbps, or 3Gbps according to the software license settings
To configure the compression level from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, expand the Services icon and click on the Compression icon.
Figure 68: Configuring Enhanced Compression
If the enhanced compression module is not installed on your system the Enhanced Compression Module field displays OFF and the Compression level and Compression throughput fields are disabled.
3. From the Compression level drop down menu, select the compression level.
   - If you select High, the Compression throughput is automatically set to 1Gbps.
   - If you select Normal, the Compression throughput is automatically set according to the acquired license.
4. Click Apply.
If the compression throughput selected does not match the license level installed, the throughput is set automatically according to the acquired license level and compression level.
10 SSL Acceleration
Chapter 10 introduces and explains the configuration of the SSL Acceleration module.
Before Proceeding.
Overview of the SSL Acceleration Module.
Configuration Preparation.
Configuring a Real or Virtual Server.
Importing or Creating a Private Key.
Importing or Creating a Certificate.
Creating a Cipher Profile.
Configuring an SSL Server Profile (Client-side SSL).
Configuring an SSL Client Profile (Server-side SSL).
Before Proceeding
In order to proceed with configuring SSL Acceleration, the following steps should be satisfied.
Management connectivity for each unit, whether through Serial Console or via Management Ethernet Interface (GUI, Telnet, or SSH). Please see Chapter 3. Introduction to the Command Line Interface.
Server(s) configured in at least one cluster. Please see Chapter 7. Server Topology – Farms/Clusters/Real Servers.
Overview of the SSL Acceleration Module
The AppBeat DC terminates inbound SSL connections from requesting clients. Requests are then processed and sent from the AppBeat DC to the server over an existing backend connection. By default, communication with backend servers utilizes unencrypted (i.e. clear text) HTTP. For implementations which require encryption to the server, the AppBeat DC can be configured with an SSL Client Profile. This profile enables the AppBeat DC to maintain a configurable number of encrypted backend connections using HTTPS, ensuring that all data is transmitted to the server using SSL.
The SSL module provides a significant level of processing off-load from the server. Furthermore, the AppBeat DC provides a centralized facility for managing all SSL keys and certificates. All SSL functions can be aggregated on to the AppBeat DC instead of having to modify each new server added or removed from the environment.
Configuration Preparation
SSL Acceleration Configuration Outline
Configuring SSL Acceleration requires the following steps:
Create a Virtual Server on port 443.
SSL is customarily configured to operate on TCP port 443. However, the AppBeat DC can provide SSL Acceleration on any port designated by the virtual server.
Create or import an SSL private key.
Create or import an SSL certificate, or create an SSL Certificate Request for submission to a Certificate Authority.
Create a Cipher Profile, or use the default list.
Create an SSL Server Profile.
Map the SSL Server Profile to a Virtual Server.
By default all communication to the server, even if originally terminated as SSL, is transmitted from the AppBeat DC as HTTP. This section also outlines the configuration of “server-side SSL” using a “Client-Profile” which enables encrypted communication between the AppBeat DC and the backend server.
Server Configuration
This section outlines the various methods in which the AppBeat DC and server are configured to support applications encrypted with SSL.
Virtual Server Providing SSL only
To configure a Virtual Server (VIP) which only accepts encrypted HTTPS communication and communicates with the backend server over unencrypted HTTP, the following logical configuration would apply:
Virtual Server 10.1.1.100 TCP port 443 Mapped to Cluster-1 Server-1 TCP port 80
The server configuration and further SSL configuration is covered later in this chapter.
Virtual Server Providing HTTP and SSL to Single Cluster
To configure a Virtual Server (VIP) with HTTP and SSL Acceleration, create two Virtual Servers each configured to listen on a different port, mapped to the same cluster. For example:
Virtual Server 10.1.1.100 TCP port 80 Mapped to Cluster-1 Server-1 TCP port 80
Virtual Server 10.1.1.100 TCP port 443 Mapped to Cluster-1 Server-1 TCP port 80
In this example, the server has the entire website or application available over port 80. Depending on the authentication and content control mechanisms being used, it may not be desirable to have content accessible over HTTP (port 80) which would otherwise only be accessible via HTTPS (port 443). If this is the case, proceed to the following example.
Virtual Server Providing HTTP and SSL to Two Clusters
As discussed in the previous section, some applications being offloaded by the AppBeat DC may require originally encrypted content to be served through a different Web service running on the same server. For example, it may not be desirable, depending on the authentication and content control mechanisms being used, to have content accessible over HTTP (port 80) which would otherwise only be accessible via HTTPS (port 443).
In these cases, it is advisable to have content which is only intended to be accessed by users over HTTP to be served over port 80 on the server. Content intended to be accessed by users using HTTPS should be served over a different port (separate Web server instance); port 81 for example. All communication to the backend server is still offloaded, using only HTTP communication; however, the data is now secured, preventing a user accessing the site with HTTP from viewing or downloading content which should only be accessed via HTTPS. The configuration of such a setup looks as follows:
Virtual Server 10.1.1.100 TCP port 80 Mapped to Cluster-1 Server-1-80 TCP port 80
Virtual Server 10.1.1.100 TCP port 443 Mapped to Cluster-2 Server-1-81 TCP port 81
Different server names are used to differentiate the port being configured. All communication to the server, even if originally terminated as SSL, is transmitted from the AppBeat DC as HTTP.
Preparation
In preparation for configuring SSL Acceleration, the following steps will need to be completed:
If your servers are currently using SSL, the Private Keys and Certificates must be exported as individual files so they can be imported into the AppBeat DC.
There should be one file for the private key, and one file for the certificate which includes the public key.
The files must be in PEM (.pem) format.
The key cannot have a pass phrase (password) associated with it.
In addition to being in PEM format, the certificate file must have the correct text information at the beginning of the certificate.
Before proceeding, read Converting Keys, Certificates, and Chained Certificates on page 195 for detailed steps to modify, convert, and verify the format of keys and certificates.
OpenSSL can be used to modify, convert, and verify format of the keys and certificates before being imported into the AppBeat DC. OpenSSL can be downloaded for free for most popular operating systems (including binary versions for Windows machines) at http://www.openssl.org. See Converting Keys, Certificates, and Chained Certificates on page 195 for detailed information before proceeding.
If you do not have a valid SSL key(s) or certificate(s), they should be requested from a Certificate Authority (for example, Verisign or DigiCert). The AppBeat DC enables you to create your own private key which is associated with a Certificate Request. The Certificate Request can then be sent to a Certificate Authority to be officially signed and validated.
The SSL Configuration requires the AppBeat DC to import and/or export files from an FTP server. Therefore, the ftp-record should be configured in the AppBeat DC configuration. As discussed in Chapter 5. Initial Configuration & Global Settings, the ftp-record specifies an available FTP server, user credentials, and home directory.
Configuring a Virtual Server
Configure Real or Virtual Server
Chapter 8. Virtual Servers, URL Rewriting, and L7 Switching / Redirection discusses how to create a Virtual Server. The virtual server should be configured on the TCP port used for SSL by clients accessing the application. The examples presented throughout this document assume that SSL is operating on port 443.
Importing or Creating a Private Key
Use the following steps to import or create a private key. If creating a key, the key size can be specified as a value between 384 and 2048 bits. When importing files into the AppBeat DC, the ftp-record must be configured correctly and the files being imported must reside on the associated FTP server. Please see Chapter 5. Initial Configuration & Global Settings.
Importing or Creating a Private Key
To import a private key from the CLI
Command Syntax
ssl key name {import | export} filename
Prompt level - Configure
Example commands:
config>ssl key Key-1 import Key1.pem
To import a private key from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then expand the SSL icon.
3. Click on the Key icon and click the New button.
Figure 69: Importing a Private Key
The Add New Key window will appear.
Figure 70: Importing a Private Key – Add New Key Window
4. Specify a key name, check the Import box, and provide the file name of the key and click Apply. The AppBeat DC will automatically log in and download the file based on the FTP information configured for the ftp-record command. The imported key will be displayed under Services → SSL → Key.
To create a private key from the CLI
Command Syntax
ssl key name [key-size 384…2048]
no ssl key name
Prompt level - Configure
Example commands:
config>ssl key Key-1 1024
To create a private key from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then expand the SSL icon.
3. Click on the Key icon and click the New button.
Figure 71: Creating a Private Key
The Add New Key window will appear.
Figure 72: Creating a Private Key – Add New Key Window
4. Specify a key name and size (between 384-2048) and click Apply. The created key will be displayed under Services → SSL → Key.
Importing or Creating a Certificate
The Certificate is associated with the Private key created or imported in Configuring a Virtual Server on page 177. The certificate configuration involves one of the following steps:
Import an existing, signed and valid, certificate from a Certificate Authority.
Create a Certificate Request which is then exported from the AppBeat DC and sent to a Certificate Authority for validation. The signed certificate received from the Certificate Authority is then imported into the AppBeat DC.
Create a “self-signed” certificate. This certificate is not validated by a Certificate Authority and should typically be used only for testing purposes. Clients accessing accelerated servers using a “self-signed” certificate will receive a security message from their browser.
When an SSL client receives a certificate from a server, it checks the Certificate Authority (CA) that authorized the certificate and if that CA is trusted, then the certificate itself can be trusted. Servers may also send the client a Certificate Chain which is essentially a series of certificates. A Chained Certificate allows SSL hierarchies to be conveyed from a server to a client. In a Chained Certificate, the first certificate is always that of the sender itself (i.e. the server). The second certificate is of the CA that authorized the sender’s certificate. The third certificate is of the CA that authorized the second certificate, and so on. As long as the client can validate the last certificate in the chain, the entire chain is trusted. The AppBeat DC supports both individual certificates and chained certificates without any special configuration.
Importing or Creating a Certificate
To import a certificate from the CLI
Command Syntax
ssl certificate name key-name {export | import} name
Prompt level - Configure
Example commands:
config>ssl certificate Certificate-1 Key-1 import Cert.pem
To import a certificate from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then expand the SSL icon. Click on the Certificate icon and click the New button.
Figure 73: Importing a Certificate
The Add New Certificate window will be displayed.
3. Even though a certificate will be imported, all fields should still be filled out. If any of the field values are different than those in the actual certificate, they will be overwritten by the correct values from the imported certificate. Make sure the key name specified is the correct key which will correspond with the certificate to be imported.
Figure 74: Importing a Certificate – Add New Certificate Window
4. Do not check the “Self Signed” box. Click Apply. The AppBeat DC will automatically log in and download the file based on the FTP information configured for the ftp-record command.
To create a certificate request from the CLI
The following command generates a new interactive certificate request which is exported to the ftp server and directory specified in ftp-record. Once the command is issued, the user will be prompted to answer a series of questions regarding the Certificate to be requested. Before a certificate request can be created, a key must be created as discussed in Importing or Creating a Private Key on page 177.
Command Syntax
ssl certificate name key-name [export-name]
Prompt level - Configure
Example commands:
config>ssl certificate Certificate-1 Key-1 export Request.pem
Output:
Enter Subject Country (2 characters): US
Enter Subject State: CA
Enter Subject Locality: “San Jose”
Enter Subject Org: “Sample, Co.”
Enter Subject Common: www.sample.com
Enter Subject Email address: admin@sample.com
Use quotation marks for values which contain spaces.
To create a certificate request from the GUI
Before a certificate request can be created, a key must be created as discussed in Importing or Creating a Private Key on page 177.
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then expand the SSL icon. Click on the Certificate icon and click the New button.
3. The Add New Certificate window will be displayed.
Figure 75: Creating a Certificate Request – Add New Certificate 1
4. Specify a name for the certificate and the associated Key name for the key created in the previous step. Complete the subject information.
5. Do not check the “Self Signed” box. Click Apply.
Figure 76: Creating a Certificate Request – Add New Certificate 2
6. Once created, click on the Certificate Name created in the previous step under Services → SSL → Certificates.
7. Check the Export box, and provide the file name of the Certificate Request and click Apply. The AppBeat DC will automatically log in and upload the file based on the FTP information configured for the ftp-record command. The Certificate Request should then be retrieved from the FTP server and submitted to a Certificate Authority for validation. Once a signed and valid certificate has been received from the Certificate Authority, it should be placed on the FTP server and uploaded to the AppBeat DC.
8. To upload the certificate, click on the Certificate Name created in the previous step under Services → SSL → Certificates.
9. Check the Import box, and provide the file name of the certificate to be uploaded. Click Apply.
To create a self-signed certificate from the CLI
A self-signed certificate is not validated by a Certificate Authority and should typically be used only for testing purposes. Clients accessing accelerated servers using a self-signed certificate will receive a security message from their browser.
Command Syntax
ssl certificate name key-name self-signed export export-file-name
Prompt level - Configure
Example commands:
config>ssl certificate Certificate-1 Key-1 self-signed export cert1.pem
To create a self-signed certificate from the GUI
Before a self-signed certificate can be created, a key must be created as discussed in Importing or Creating a Private Key on page 177.
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then expand the SSL icon. Click on the Certificate icon and click the New button.
3. The Add New Certificate window will be displayed.
Figure 77: Creating a Certificate Request – Add New Certificate 2
4. Specify a name for the certificate and the associated Key name for the key created in the previous step. Complete the subject information.
5. Check the Self Signed box and specify the number of days the certificate should be valid. Click Submit.
Cipher Profile
The cipher is the algorithm used for encryption and decryption. Typically, the client and server have the ability to use several different ciphers. During the initiation of the SSL session, the cipher to be used is negotiated between the two end points. The AppBeat DC supports many ciphers used by different client browsers.
Creating a Cipher Profile
The available ciphers on the AppBeat DC can be configured with a Cipher Profile. Therefore, an administrator can specify the exact ciphers (encryption methods) they would like to use for their application. It is not mandatory to create a Cipher Profile. If no profile is created and associated with a Server Profile, the AppBeat DC will simply negotiate the cipher based on the default list. The following steps are required for creating a Cipher Profile:
1. Create a Cipher Profile.
2. Add Cipher types to the profile with associated priorities for negotiation.
To create a cipher profile from the CLI
The following command creates a cipher profile. Once created, the profile does not contain any ciphers. Proceed to the following section to learn how to add cipher types to the profile.
Command Syntax
ssl cipher profile profile-name
Prompt level - Configure
Example commands:
config>ssl cipher profile Profile-1
To add cipher types to a cipher profile from the CLI
The following command adds individual cipher types to a profile configured in the previous step. The available cipher types are as follows:
EXP1024-RC4-MD5.
EXP1024-RC4-SHA.
AES128-SHA.
AES256-SHA.
RC4-MD5.
EXP-RC4-MD5.
RC4-SHA.
DES-CBC-SHA.
DES-CBC3-SHA.
ADH-RC4-MD5.
A priority is also associated with each cipher entry. The priority is used during cipher negotiation between the AppBeat DC and the client.
Command Syntax
ssl cipher type profile-name cipher-type cipher-priority
Prompt level - Configure
Example commands:
config>ssl cipher type Profile-1 RC4-SHA 1
To create a cipher profile from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then expand the SSL icon. Click on the Cipher icon and click the New button.
3. The Add New Cipher window will be displayed.
Figure 78: Creating a Cipher Profile
4. Input a Cipher Profile Name and click Apply.
5. By default, no Ciphers will be selected for the newly created profile. Follow the steps outlined in the next section.
To add cipher types to a cipher profile from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then expand the SSL icon, and the Cipher icon. Click on the Cipher Profile created in the previous section.
Figure 79: Adding Cipher Types to a Cipher
3. In the right panel, select the cipher type from the Available window and click the Add button to move it to the Selected window.
4. Once a cipher type is selected, its priority (shown in parentheses) can be changed by clicking on the cipher type, and then clicking either of the single up/down arrows.
Configuring an SSL Server Profile (Client-side SSL)
The Server Profile consolidates the individual SSL components: key, certificate, cipher profile, etc. Additional information is then configured. Once created, the Server Profile can be associated with one or more Virtual Servers, enabling SSL Acceleration.
SSL Server Profile Configuration Outline
An SSL Client Profile is configured within the Services → SSL section of the GUI and applied at the Virtual Server level.
To create an SSL server profile from the CLI
Command Syntax
ssl server-profile [name] [certificate name] [cipher-profile name] [SSL-3] [cipher-selection {server | client}]
Prompt level - Configure
Example commands:
config>ssl server-profile Profile-1 Certificate-1 SSL-3 TLS-1
Cipher Selection specifies which end point will have priority over determining the selected cipher. The options are “client” or “server.” Selecting “server” enables the AppBeat DC to make the decision.
To create an SSL server profile from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol then expand the SSL icon. Click on the Server Profile icon and click the New button.
Figure 80: Adding Cipher Types to a Cipher
3. The Add Server Profile window will be displayed.
Figure 81: Adding Cipher Types to a Cipher
4. Specify a Profile name and select the associated Certificate and Cipher profile.
5. Cipher Selection specifies which end point will have priority over determining the selected cipher. The options are “client” or “server.” Selecting “server” enables the AppBeat DC to make the decision.
To apply an SSL server profile to a Virtual Server from the CLI
SSL Acceleration will function once an SSL Server Profile is associated with an existing Virtual Server or Cluster.
Command Syntax
virtual server-name ssl profile-name
Prompt level – Configure
Example commands:
config> virtual Virtual-1 ssl SSL-Profile-1
To apply an SSL server profile to a Virtual Server from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Topology icon by clicking the + symbol then expand the Virtual icon. Select the desired Virtual Server.
Figure 82: Applying an SSL Server to a Virtual Server
3. In the right panel, check the SSL box and choose the desired profile from the pulldown menu.
4. Click Apply.
Configuring an SSL Client Profile (Server-side SSL)
When a Server Profile is configured, the AppBeat DC terminates HTTPS client connections (i.e. acting as the server) and communicates with the backend servers using clear text HTTP by default. For implementations which require data to be encrypted all the way to the server, an SSL Client Profile can be configured on the AppBeat DC. The Client Profile enables the AppBeat DC to open and maintain the backend connections using HTTPS (i.e. acting as the client).
SSL Client Profile Configuration Outline
An SSL Client Profile is configured within the Services → SSL section of the GUI and applied at the cluster level. The following items should be considered when implementing server-side SSL.
Verify that the servers defined in the cluster have the appropriate TCP port number configured for HTTPS communication.
SSL traditionally operates on TCP port 443.
To create an SSL Client Profile from the CLI
Command Syntax
ssl client-profile [name] [key name] [cipher-profile name | nocipher-profile] [SSL-2 | no-SSL-2] [SSL-3 | no-SSL-3] [TLS-1 | noTLS-1]
Prompt level - Configure
Example commands:
config>ssl client-profile Client-1 SSL-2 SSL-3 TLS-1
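The cipher types listed in this chapter include export-grade, RC4, single-DES and anonymous-DH entries, and the profile commands accept the SSL-2 and SSL-3 flags. The following added example (not part of the original guide or of Crescendo Networks' software) audits CLI lines of the forms shown in this chapter. The function and table names are hypothetical, and it assumes the configuration is available as text in that form.

```python
import re

# Why each cipher type in this chapter's list is weak; an empty list means no
# finding. The properties follow from the standard OpenSSL cipher names.
RC4 = "RC4 stream cipher (prohibited in TLS by RFC 7465)"
MD5 = "MD5-based MAC"
CIPHER_FINDINGS = {
    "EXP1024-RC4-MD5": ["export-grade 56-bit key", RC4, MD5],
    "EXP1024-RC4-SHA": ["export-grade 56-bit key", RC4],
    "AES128-SHA": [],
    "AES256-SHA": [],
    "RC4-MD5": [RC4, MD5],
    "EXP-RC4-MD5": ["export-grade 40-bit key", RC4, MD5],
    "RC4-SHA": [RC4],
    "DES-CBC-SHA": ["single DES, 56-bit key"],
    "DES-CBC3-SHA": ["3DES, 64-bit block cipher"],
    "ADH-RC4-MD5": ["anonymous DH, server is not authenticated", RC4, MD5],
}
# Protocol flags accepted by the profile commands that should be disabled.
PROTOCOL_FINDINGS = {
    "SSL-2": "SSL 2.0 (prohibited by RFC 6176)",
    "SSL-3": "SSL 3.0 (deprecated by RFC 7568)",
}

# The "config>" prompt is optional so pasted sessions and bare commands both parse.
PROMPT = r"^\s*(?:config>\s*)?"
CIPHER_LINE = re.compile(PROMPT + r"ssl cipher type (\S+) (\S+) (\d+)\s*$")
PROFILE_LINE = re.compile(PROMPT + r"ssl (server|client)-profile (\S+)(.*)$")


def audit(config_text):
    """Return (object, item, reason) findings for AppBeat DC CLI lines."""
    findings = []
    for line in config_text.splitlines():
        m = CIPHER_LINE.match(line)
        if m:
            profile, cipher, priority = m.groups()
            where = "cipher profile %s" % profile
            item = "%s (priority %s)" % (cipher, priority)
            if cipher not in CIPHER_FINDINGS:
                findings.append((where, item, "not in the chapter's cipher list"))
            for reason in CIPHER_FINDINGS.get(cipher, []):
                findings.append((where, item, reason))
            continue
        m = PROFILE_LINE.match(line)
        if m:
            kind, name, rest = m.groups()
            flags = rest.split()
            for flag, reason in PROTOCOL_FINDINGS.items():
                if flag in flags:  # "no-SSL-2" is a different token
                    findings.append(("%s-profile %s" % (kind, name), flag, reason))
    return findings


# Constructed sample: this chapter's example commands plus two extra
# "ssl cipher type" lines added for illustration.
SAMPLE_CONFIG = """\
config>ssl cipher profile Profile-1
config>ssl cipher type Profile-1 RC4-SHA 1
config>ssl cipher type Profile-1 AES256-SHA 2
config>ssl cipher type Profile-1 EXP-RC4-MD5 3
config>ssl server-profile Profile-1 Certificate-1 SSL-3 TLS-1
config>ssl client-profile Client-1 SSL-2 SSL-3 TLS-1
"""

if __name__ == "__main__":
    for where, item, reason in audit(SAMPLE_CONFIG):
        print("%-26s %-26s %s" % (where, item, reason))
```

Of the ten listed cipher types, only AES128-SHA and AES256-SHA produce no finding.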
To create an SSL Client Profile from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Topology icon by clicking the + symbol then expand the Services icon. Highlight the SSL icon and click the + icon to expand the available options. Highlight the Client Profile icon and click the New button.
Figure 83: Creating an SSL Client Profile
3. In the right panel, configure the Client Profile Name and specify a Profile Name and select the desired Protocols.
4. Key, Cipher Profile, Server Certificate, and Verify Server options are not required for configuration.
5. Click Apply.
To apply an SSL Client Profile to a Cluster from the CLI
Command Syntax
service ssl client-profile-name
Prompt level – Configure → Farm → Cluster
Example commands:
Cluster-1> service ssl client-1
To apply an SSL Client profile to a Cluster from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, expand the Topology icon by clicking the + symbol then expand the Farm icon. Highlight the desired Cluster icon.
Figure 84: Applying an SSL Profile to a Cluster
3. In the right panel, check the SSL box and select the desired Client Profile.
4. Click Apply.
Converting Keys, Certificates, and Chained Certificates
The AppBeat DC requires that keys and certificates be in PEM format. When exporting keys and certificates from Web servers or other SSL offload devices, they may need to be modified before being imported into the AppBeat DC. This section outlines how to verify the correct format for keys and certificates, and if not correct, outlines the appropriate procedure to convert them to the proper format before being imported. Additionally, when exporting keys and certificates from Microsoft IIS servers, the key and certificate are typically in a single PFX file and require manipulation. The steps for exporting and properly converting files from a Microsoft IIS server are provided in this section.
OpenSSL
All of the commands required for verifying and converting keys and certificates will use OpenSSL. OpenSSL can be downloaded for free for most popular operating systems (including binary versions for Windows machines) at http://www.openssl.org.
Keys
As previously discussed, the key must be a separate file. The key must also be in PEM format and cannot have a pass phrase associated with it. The AppBeat DC will not function properly if a key with a pass phrase is imported. To remove the pass phrase follow the steps outlined in To remove the pass phrase on an RSA private key on page 196.
Sample Key file: The “MII” located after the --BEGIN RSA PRIVATE KEY-- tag indicates that the key is in PEM format.
To remove the pass phrase on an RSA private key
The following command should be input on a workstation with read and write access to the key file. If you are unsure whether a private key file has a pass phrase, it is OK to run the following command against the key; if the original key file does not have a pass phrase, it will not be altered.
    openssl rsa -in key.pem -out keyout.pem
You will be prompted for the current pass phrase before openssl will allow you to remove it. Once the pass phrase has been removed, the new key can be properly imported into the AppBeat DC.
Certificate
Like the key, the certificate must also be in PEM format. Additionally, the certificate must include the text information within the certificate file. The following are samples demonstrating the certificate file with and without the required text information. Follow the steps outlined in 10.10.3.1 to properly format the certificate.

Sample Certificate in PEM format without text information. The “MII” located after the -----BEGIN CERTIFICATE----- tag indicates that the certificate is in PEM format.

-----BEGIN CERTIFICATE-----
MIICcjCCAdugAwIBAgIBADANBgkqhkiG9w0BAQQFADB/MQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCTkoxEDAOBgNVBAcTB1RlbmFmbHkxGzAZBgNVBAoTEkNyZXNjZW5k
byBOZXR3b3JrczEVMBMGA1UEAxMMd3d3LnRlc3QuY29tMR0wGwYJKoZIhvcNAQkB
Fg5hZG1pbkB0ZXN0LmNvbTAeFw0wNzA2MjUwODI4MjNaFw0wODA2MjQwODI4MjNa
MH8xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOSjEQMA4GA1UEBxMHVGVuYWZseTEb
MBkGA1UEChMSQ3Jlc2NlbmRvIE5ldHdvcmtzMRUwEwYDVQQDEwx3d3cudGVzdC5j
b20xHTAbBgkqhkiG9w0BCQEWDmFkbWluQHRlc3QuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDEs8ST2FxGTCZNR1/0hqxk0umq//MFVhxI7qzXJvCnVFBE
5M1reWY0s1wMO1t9o9frmSEqTSq+wmFYhNq7Ilel/EsbpTpa5FhnEO9iuI8MHXDE
T7yxKRjF5NqxFOGYyldKWdXNCX3nsXeWTdGEsJdMN3je9Ab9pbfmdVLIUBUxswID
AQABMA0GCSqGSIb3DQEBBAUAA4GBAID1oCh6dXj1SijrYIx2tHBFX4Jlw7isazut
JW4byRWtAtYcCGVEKGKgjxsD7SB3rTyGKGveYDyoiEh/uodac6EYPJT0gcUtg0Ku
izR25RuYklMZ+nQybaWnXA2yYA3YHED8hcXbx5GwpNTxeDMnDmQZj5ri51FQU4Ux
bhMy7o0/
-----END CERTIFICATE-----
Sample Certificate in PEM format with text information:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=NJ, L=Tenafly, O=Crescendo Networks, CN=www.test.com/emailAddress=admin@test.com
        Validity
            Not Before: Jun 25 08:28:23 2007 GMT
            Not After : Jun 24 08:28:23 2008 GMT
        Subject: C=US, ST=NJ, L=Tenafly, O=Crescendo Networks, CN=www.test.com/emailAddress=admin@test.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c4:b3:c4:93:d8:5c:46:4c:26:4d:47:5f:f4:86:
                    ac:64:d2:e9:aa:ff:f3:05:56:1c:48:ee:ac:d7:26:
                    f0:a7:54:50:44:e4:cd:6b:79:66:34:b3:5c:0c:3b:
                    5b:7d:a3:d7:eb:99:21:2a:4d:2a:be:c2:61:58:84:
                    da:bb:22:57:a5:fc:4b:1b:a5:3a:5a:e4:58:67:10:
                    ef:62:b8:8f:0c:1d:70:c4:4f:bc:b1:29:18:c5:e4:
                    da:b1:14:e1:98:ca:57:4a:59:d5:cd:09:7d:e7:b1:
                    77:96:4d:d1:84:b0:97:4c:37:78:de:f4:06:fd:a5:
                    b7:e6:75:52:c8:50:15:31:b3
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        80:f5:a0:28:7a:75:78:f5:4a:28:eb:60:8c:76:b4:70:45:5f:
        82:65:c3:b8:ac:6b:3b:ad:25:6e:1b:c9:15:ad:02:d6:1c:08:
        65:44:28:62:a0:8f:1b:03:ed:20:77:ad:3c:86:28:6b:de:60:
        3c:a8:88:48:7f:ba:87:5a:73:a1:18:3c:94:f4:81:c5:2d:83:
        42:ae:8b:34:76:e5:1b:98:92:53:19:fa:74:32:6d:a5:a7:5c:
        0d:b2:60:0d:d8:1c:40:fc:85:c5:db:c7:91:b0:a4:d4:f1:78:
        33:27:0e:64:19:8f:9a:e2:e7:51:50:53:85:31:6e:13:32:ee:
        8d:3f
-----BEGIN CERTIFICATE-----
MIICcjCCAdugAwIBAgIBADANBgkqhkiG9w0BAQQFADB/MQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCTkoxEDAOBgNVBAcTB1RlbmFmbHkxGzAZBgNVBAoTEkNyZXNjZW5k
byBOZXR3b3JrczEVMBMGA1UEAxMMd3d3LnRlc3QuY29tMR0wGwYJKoZIhvcNAQkB
Fg5hZG1pbkB0ZXN0LmNvbTAeFw0wNzA2MjUwODI4MjNaFw0wODA2MjQwODI4MjNa
MH8xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOSjEQMA4GA1UEBxMHVGVuYWZseTEb
MBkGA1UEChMSQ3Jlc2NlbmRvIE5ldHdvcmtzMRUwEwYDVQQDEwx3d3cudGVzdC5j
b20xHTAbBgkqhkiG9w0BCQEWDmFkbWluQHRlc3QuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDEs8ST2FxGTCZNR1/0hqxk0umq//MFVhxI7qzXJvCnVFBE
5M1reWY0s1wMO1t9o9frmSEqTSq+wmFYhNq7Ilel/EsbpTpa5FhnEO9iuI8MHXDE
T7yxKRjF5NqxFOGYyldKWdXNCX3nsXeWTdGEsJdMN3je9Ab9pbfmdVLIUBUxswID
AQABMA0GCSqGSIb3DQEBBAUAA4GBAID1oCh6dXj1SijrYIx2tHBFX4Jlw7isazut
JW4byRWtAtYcCGVEKGKgjxsD7SB3rTyGKGveYDyoiEh/uodac6EYPJT0gcUtg0Ku
izR25RuYklMZ+nQybaWnXA2yYA3YHED8hcXbx5GwpNTxeDMnDmQZj5ri51FQU4Ux
bhMy7o0/
-----END CERTIFICATE-----
To add text information to certificate in PEM format
The following command should be input on a workstation with read and write access to the certificate file.
    openssl x509 -in cert.pem -out certout.pem -text
Once the command has been completed, check the new certificate file to verify the existence of the text information. The certificate will not import correctly without the text at the beginning of the file.
Converting Certificates and Keys Exported from Microsoft IIS
Microsoft IIS server does not support the ability to export keys and certificates as separate files in PEM format. Instead, a single PFX file is exported which includes the key and certificate. Use the following instructions to properly export the PFX file from the IIS server and then convert the file into a separate key and certificate file.

Exporting the Keys and Certificates from Microsoft IIS
Detailed Steps for migrating an SSL certificate from an IIS server to the Maestro
1. From the Run prompt, type mmc, and press Enter.
2. Go to Console->Add/Remove Snap-in.
3. Click on Add.
4. Select Certificates and click Add.
5. Select Computer Account and click Next and Finish.
6. Click Close and Ok.
7. Expand Certificates tree and expand Personal->Certificates.
8. Highlight the certificate you want to export.
9. Right-click on it and select All Tasks->Export. The Export Welcome Screen loads.
10. Click Next.
11. On the next screen, you MUST select to export the private key. Select Yes, Export the private key and click Next.
12. Check Include all certificates in the certificate path. Doing so guarantees the proper exporting of all parent certificates if the certificate being exported is a chained certificate.
13. Uncheck Enable Strong Protection. Then click Next.
14. On the next screen leave the two password fields blank, unless a password was assigned when generating the key. Click Next.
15. Select a destination and file name. In this example, let's call it cert.pfx.

Converting the PFX File into Separate Key and Certificate Files
Once the certificate has been exported, open a command prompt window, go to the directory where the certificate was saved, and type in the following commands:
    openssl pkcs12 -in cert.pfx -out cert_temp.pem -nodes -nokeys <enter> <enter>
Extract the private key from the PFX Certificate to a separate file
Run the following command to extract the key from the original certificate file:
    openssl pkcs12 -in cert.pfx -out cert.key -nodes -nocerts <enter> <enter>
If there is a password on the private key, you will need to enter it; otherwise, just press Enter twice.

Add required Header information to PEM certificate using OpenSSL
1. Check the contents of cert_temp.pem to verify whether there is more than a single certificate within the file. Every certificate in the file will have some existing header information followed by a -----BEGIN CERTIFICATE----- tag, and ending with an -----END CERTIFICATE----- tag. If there is only one certificate in the file, this means the exported certificate was not a chained certificate, and you should therefore proceed to step 3 now.
2. If, however, there is more than one certificate in the file, this means that a chained certificate was exported from the IIS server, and additional steps need to be taken before each certificate can be processed. For chained certificates, skip to Chained Certificates on page 199.
3. Now, run the following command from the command prompt:
    openssl x509 -in cert_temp.pem -out cert.pem -text
4. The last step is to validate that the certificate file and key file have the same signature. To do this, run the following two commands, and verify that the output strings match:
    openssl x509 -noout -modulus -in cert.pem | openssl md5
    openssl rsa -noout -modulus -in cert.key | openssl md5
5. Once you have verified the signatures, copy the two files onto the FTP server.
Chained Certificates
As explained above, if the PEM file contains more than one certificate, this means that the certificate that was exported from IIS was a chained certificate. The first step to handling a chained certificate file is to separate each of the certificates into separate files. Here are the detailed steps for handling a chained certificate (proceed with these steps after completing the steps above).
1. Cut and paste each certificate contained in the cert_temp.pem file into a separate text file, by doing the following:
2. Cut and paste each certificate from and including the -----BEGIN CERTIFICATE----- tag, up to and including the -----END CERTIFICATE----- tag. There will be additional header information that precedes each certificate in the PEM file, but you need not copy this header information into each new file; only the certificates themselves need to be copied.
3. Name each certificate file sequentially. For example: chain_cert1.pem, chain_cert2.pem, etc. This is important, as the order of the certificates will need to be preserved at the end of this process.
4. After the certificates are separated into separate files, run the following OpenSSL command for each certificate file, to add the necessary header:
    openssl x509 -in chain_cert1.pem -out cert1_with_header.pem -text
5. Once all certificate files have been converted to include a header, merge the contents of the individual certificate files into a single new file, called cert.pem. Make sure to paste the certificates in the same order that they existed in the original certificate.
6. The last step is to validate that the certificate file and key file have the same signature. To do this, run the following two commands, and verify that the output strings match:
    openssl x509 -noout -modulus -in cert.pem | openssl md5
    openssl rsa -noout -modulus -in cert.key | openssl md5
7. Once you have verified the signatures, copy the two files onto the FTP server. The key and certificate files are now ready to be imported into the AppBeat DC.
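A pre-import check for the requirements this section lists (key in its own PEM file with no pass phrase, every certificate preceded by its text information, chain order preserved), as an added example that is not part of the guide or of the AppBeat DC software. The function names and the sample files are assumptions constructed for illustration; the placeholder bodies are not real keys or certificates, and the check does not replace the modulus comparison described above.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
ENCRYPTED_HEADER = re.compile(r"^Proc-Type: 4,ENCRYPTED", re.M)
TEXT_HEADER = re.compile(r"^Certificate:\s*$", re.M)  # first line of 'openssl x509 -text'


def pem_blocks(text):
    """Yield (label, preamble, body) for each PEM block, in file order.
    preamble is the free text between the previous block and this one."""
    pos = 0
    for m in PEM_BLOCK.finditer(text):
        yield m.group(1), text[pos:m.start()], m.group(2)
        pos = m.end()


def starts_with_der_sequence(body):
    """A leading "MII" is how base64 renders the DER bytes 0x30 0x82
    (a SEQUENCE whose length needs two bytes)."""
    b64 = body.replace("\r", "").split("\n\n", 1)[-1]  # skip any PEM headers
    try:
        raw = base64.b64decode("".join(b64.split()), validate=True)
    except ValueError:
        return False
    return raw[:2] == b"\x30\x82"


def check_key(text):
    """Return a list of problems that would block importing this key file."""
    problems = []
    blocks = list(pem_blocks(text))
    keys = [(label, body) for label, _, body in blocks
            if label.endswith("PRIVATE KEY")]
    if any(label == "CERTIFICATE" for label, _, _ in blocks):
        problems.append("key file holds a certificate; the key must be a separate file")
    if len(keys) != 1:
        problems.append(f"expected 1 private key, found {len(keys)}")
    for label, body in keys:
        if label.startswith("ENCRYPTED") or ENCRYPTED_HEADER.search(body):
            problems.append("key has a pass phrase; remove it before import")
        elif not starts_with_der_sequence(body):
            problems.append("key body is not base64 DER (no leading 'MII')")
    return problems


def check_cert(text):
    """Return a list of problems for a certificate (or chain) file."""
    problems = []
    blocks = list(pem_blocks(text))
    certs = [(pre, body) for label, pre, body in blocks if label == "CERTIFICATE"]
    if not certs:
        problems.append("no certificate found")
    if any(label.endswith("PRIVATE KEY") for label, _, _ in blocks):
        problems.append("certificate file holds a private key")
    for n, (pre, body) in enumerate(certs, 1):
        if not TEXT_HEADER.search(pre):
            problems.append(f"certificate {n}: no text information before the BEGIN tag")
        if not starts_with_der_sequence(body):
            problems.append(f"certificate {n}: body is not base64 DER")
    return problems


def split_chain(text):
    """Return each certificate (tags included, preamble dropped) in file order,
    ready to be written to chain_cert1.pem, chain_cert2.pem, ..."""
    return [f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"
            for label, _, body in pem_blocks(text) if label == "CERTIFICATE"]


def constructed_pem(label, fill, header=""):
    # Constructed placeholder: DER-like bytes, not a real key or certificate.
    body = base64.encodebytes(b"\x30\x82\x01\x00" + bytes([fill]) * 60).decode()
    return f"-----BEGIN {label}-----\n{header}{body}-----END {label}-----\n"


# Constructed sample files.
CLEAR_KEY = constructed_pem("RSA PRIVATE KEY", 1)
ENCRYPTED_KEY = constructed_pem(
    "RSA PRIVATE KEY", 1,
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n")
# Shape of cert_temp.pem for a chained certificate: pkcs12 bag headers, no text.
PFX_DUMP = ("Bag Attributes\n    friendlyName: www.test.com\n"
            + constructed_pem("CERTIFICATE", 2)
            + "Bag Attributes: <Empty Attributes>\n"
            + constructed_pem("CERTIFICATE", 3))
WITH_TEXT = "Certificate:\n    Data:\n        Version: 3 (0x2)\n" + split_chain(PFX_DUMP)[0]

if __name__ == "__main__":
    for name, result in [("clear key", check_key(CLEAR_KEY)),
                         ("encrypted key", check_key(ENCRYPTED_KEY)),
                         ("pkcs12 dump", check_cert(PFX_DUMP)),
                         ("cert with text", check_cert(WITH_TEXT))]:
        print(f"{name}: {result or 'ok'}")
```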
11 Global Server Load Balancing
Chapter 11 discusses the Global Server Load Balancing (GSLB) feature designed to distribute application traffic evenly among multiple site locations.
GSLB Overview.
GSLB Algorithms.
GSLB Configuration.
GSLB Monitoring.
GSLB Overview
Global Server Load Balancing (GSLB) is a service that runs locally on the AppBeat DC and provides a load balancing and redundancy solution for applications and websites operating across globally dispersed data center locations. GSLB enables communication between the site locations, by listening to messages from the remotely located AppBeat DCs. GSLB determines the best performing site and directs the traffic to that site. The best performing site is determined according to the following:
Load balancing. GSLB directs the traffic to the location of the best performing site, according to the configured load balancing policy.
Disaster recovery. GSLB directs the traffic to the location of the healthy site, in case one or more of the sites are not operating.
The GSLB functionality is only available if a GSLB license is obtained. The GSLB flow is described in the following figure:
Figure 85: GSLB Flow
An AppBeat DC is deployed to each of the website’s physical locations to accelerate traffic to each cluster on each location. For example, in Figure 85 AppBeat DCs CN1 and CN2 are deployed to the London and New York locations of the www.customer.com website. A DNS service should be operated on one or more AppBeat DC units. It is recommended to employ a DNS service on all AppBeat DC units used by the GSLB service. External configuration is required to delegate the authority of the domain name to the AppBeat DC.
When DNS queries are received for the www.customer.com website, the GSLB services located in various geographic locations exchange site status and health information using an inter-unit communication protocol to determine the website with the best performance. You can optionally configure the communication protocol as one or both of the following:
Private. Using SSL.
Authenticated. Using a secret password that was shared among the AppBeat DCs.
Each AppBeat DC using the GSLB service to communicate with other AppBeat DCs must be configured with a GSLB listener. The AppBeat DCs return a DNS resolution, based on the load balancing algorithm configured for the domain, taking into account each of the location’s load and health parameters.

For example, if the load balancing algorithm configured for the Maestro GSLB service is Round Robin and there are two locations for the www.customer.com website, the DNS queries are resolved according to the following:
- For the first DNS query received, the IP address of the first location is returned.
- For the next DNS query received, the IP address of the second location is returned.
- The IP addresses returned continue to alternate for each DNS query received, as long as both of the locations are reported as operating and healthy.

Once the DNS resolution is returned and the best website is determined, the AppBeat DC directs the request to the IP address of the AppBeat DC virtual server on the best performing site. For example, www.customer.com in NY is accessed via AppBeat DC CN2’s virtual IP address of 192.168.0.10 and www.customer.com in London is accessed via AppBeat DC CN1’s virtual IP address of 172.16.0.10 (see Figure 85). The appropriate AppBeat DC receives an HTTP stream containing configured application logic. This logic determines the AppBeat DC’s local load balancing and site fault tolerance decisions.

GSLB operation can be configured with multiple services that are not necessarily symmetric. For example, AppBeat DC CN1 can operate with AppBeat DC CN2 on one service, while AppBeat DC CN2 operates with another AppBeat DC, such as CN3, on another service.
GSLB Algorithms
The location’s health is determined by its score, which is calculated according to the location’s configured load balancing method. GSLB’s load balancing methods are described in the following table.

Table 14: GSLB Score Calculations

Load Balancing Algorithm: Round Robin (rr)
Description: The system directs the traffic to all of the operating sites equally, one after another. The system places the IP addresses of all of the operating GSLB sites into a queue. Every DNS response picks the IP address at the start of the queue, directs the traffic to that site, and moves the IP address to the end of the queue.
Score Calculation: A score value of 1 is given to all sites with the status of UP and with at least one server connection.

Load Balancing Algorithm: Weighted Round Robin (wrr)
Description: The same as Round Robin, taking into account the relative configured weight. For example: Site A has a weight value of 10. Site B has a weight value of 20. Out of 3 DNS queries, one is directed to Site A, the other two are directed to Site B.
Score Calculation: A score value of the configured weight is given to the sites with the status of UP and with at least one server connection.

Load Balancing Algorithm: Weighted Least Loaded Site (wll)
Description: The system responds to DNS queries with the IP address of the current least loaded site, according to the following formula:
    L = W * (S / C)
Where:
    L – Load
    W – Configured weight
    S – Servers metric (see Table 16)
    C – Connections metric (see Table 16)
Score Calculation: A representation of the load, relative to the other sites.

Load Balancing Algorithm: Weighted Least Loaded Site Normalized to Servers Connections (wls)
Description: The system responds to DNS queries with the IP address of the current least loaded site (same as WLL), with the following addition: If two sites have the same load value, the site with a higher Conns value is the site that is given preference, since more connections generally means that there are stronger servers. The algorithm works according to the following formula:
    L = W * (S / C) * Conns
Where:
    L – Load
    W – Configured weight
    S – Servers metric (see Table 16)
    C – Connections metric (see Table 16)
    Conns – Total number of servers connections
Score Calculation: A representation of the load, relative to the other sites.
GSLB Configuration
GSLB configuration consists of configuring all of the AppBeat DCs in the domain. Some of the configurations are identical for all of the AFEs in the domain and are referred to as common configurations. The configurations that are specific for each individual AFE are referred to as local configurations. The GSLB configuration flow consists of the following steps:
1. Configure the common GSLB services and sites within each service as described in Configuring the Common GSLB Services and their Sites on page 206.
2. Configure the local DNS servers’ IP address, port, and IP protocol as described in Configuring the Local DNS Server Settings on page 214.
3. Configure the local listeners as described in Configuring the Local GSLB Listener Settings on page 215.
4. Associate a local cluster to a GSLB service as described in Associating a Local Cluster to the GSLB Service on page 216.
5. Enable GSLB locally on each AppBeat DC CN as described in Enabling Local GSLB on page 218.
The common and local GSLB entities that must be configured are described in the following table.
Table 15: GSLB Entities

Configuration Type: Common
Entity: gslb-service
Description: Parameters describing load balanced access to the website and name service properties of the website.

Configuration Type: Common
Entity: gslb-site
Description: Parameters describing the physical location of the website's deployment.

Configuration Type: Local
Entity: dns-server
Description: Parameters used for running the local DNS service. There can be more than one instance configured, while all instances share the same NS database.

Configuration Type: Local
Entity: gslb-listener
Description: Parameters used for running the local GSLB communication service. This indicates whether the communication is:
- Secure (SSL) or clear.
- Via a publicly routable IP address or a locally routable IP address.

Configuration Type: Local
Entity: <cluster context> service gslb
Description: The administrative association of a cluster to the GSLB service (which is configured as a common entity).
Before beginning the GSLB configurations, verify that your AppBeat DCs are configured. For example, AppBeat DC CN1 and CN2 are configured as follows:

AppBeat DC CN1 (London):
    farm fa_london
    cluster cl_london
    server-inactivity global
    real r1 . . .
    real r2 . . .
    real r3 . . .
    virtual v_lon 172.16.0.50 80
    redundancy-group 1
    default-cluster cl_london

AppBeat DC CN2 (New York):
    farm fa_new_york
    cluster cl_new_york
    server-inactivity global
    real r1 . . .
    real r2 . . .
    real r3 . . .
    virtual v_ny 198.168.0.50 80
    redundancy-group 1
    default-cluster cl_new_york
Configuring the Common GSLB Services and their Sites
For each AppBeat DC, the common GSLB settings must be configured. Once you configure the first AppBeat DC, copy and paste the configurations for the remaining AFEs so that the configurations are all identical to each other.
The common GSLB configuration flow consists of the following steps:
1. Configure a new GSLB service. You can configure up to 64 GSLB services.
2. Configure the DNS information relevant to this service. This includes the domain name of the website and the DNS time-to-live value of the DNS resolution of the domain name.
3. Configure the load balancing characteristics:
   - Select one of the following load balancing algorithms: Round Robin (rr), Weighted Round Robin (wrr), Weighted Least Loaded Site (wll), or Weighted Least Loaded Site Normalized to Servers Connections (wls). For more information about the load balancing algorithms, see Table 14.
   - Configure the client IP persistency. The IP persistency is used to ensure that after performing subsequent accesses to a specific location, the DNS resolution is directed to the same location.
   - Indicate whether HTTP IP redirect is enabled. The HTTP IP redirect ensures that when a DNS resolution is directed to a location where a virtual and/or real server is operationally down, the DNS is redirected to an operating location.
4. Configure the disaster recovery settings. The GSLB inter-unit communication protocol is used to advertise periodic messages among AppBeat DC boxes. Configure the following:
   - The interval in seconds between two such consecutive messages.
   - The count of advertisements a remote location had neglected to send, in order to consider this location as non-reporting, and therefore as down.
5. Configure the GSLB site. Specify all the information of a location on which the website is deployed. This includes the following information:
   - The name of the site’s location.
   - The virtual IP address of the site’s location given as a resolution for DNS queries. This is identical to the original IP address configured for the AppBeat DC, before beginning GSLB configurations.
   - The priority level, or weight, given to the location in comparison to the site’s other locations (this is used for load balancing purposes).
   - The IP address on which this location listens to GSLB inter-unit messages from remote locations with the GSLB listener. During the local configurations in Configuring the Local GSLB Listener Settings on page 215, the AppBeat DC’s local listener settings are configured, enabling the AppBeat DC to recognize the remote AFE with which it is communicating.
   - Indicate whether the communication is secure or not. There are two types of secure communication:
     - Clear. The password is entered into the CLI as a regular string. When viewing the site configurations, the password is encrypted. This is only available when configuring via the CLI.
     - Encrypted. The password is entered obscurely, and is then encrypted. The encrypted password is cut and pasted and sent to other AppBeat DCs to enable communication. The remote AppBeat DC can then decrypt the password.
You can configure up to 10 sites for each service.

To configure a new GSLB service in the CLI
Command Syntax:
    config> gslb-service gslb_svc
    gslb-service gslb_svc >
A new entity named gslb_svc is created and entered in the CLI context.

To configure the service’s DNS settings in the CLI
Command Syntax:
    gslb-service gslb_svc> domain-name <domain name>
    gslb-service gslb_svc> dns-ttl <time to live value>
A smaller time-to-live value makes the setup more resilient during disaster recovery. Nevertheless, it may increase DNS traffic since a DNS resolution with a relatively small time-to-live value ages fast.
Example commands:
    gslb-service gslb_svc> domain-name www.customer.com
    gslb-service gslb_svc> dns-ttl 2
To configure the load balancing characteristics in the CLI
Command Syntax:
The following command is used to configure the load balancing algorithm, persistency, and HTTP IP redirect.
    gslb-service gslb_svc> load-balancing algorithm [rr | wrr | wll | wls ] persistency <ip address mask> [ttl | no-ttl] <the persistency time-to-live value in seconds [1-86400]> http-ip-redirect
Example commands:
You can set only some of the load balancing settings, by removing the irrelevant parts of the command. For example, the following command configures the algorithm to be Round Robin, while the persistency and HTTP IP redirect settings are disabled:
    gslb-service gslb_svc> load-balancing algorithm rr
The following example configures the load balancing algorithm to Round Robin, disables persistency, and enables HTTP IP redirect:
    gslb-service gslb_svc> load-balancing algorithm rr http-ip-redirect
The following example configures the load balancing algorithm to Weighted Round Robin, configures the persistency including a time-to-live value, and disables HTTP IP redirect:
    gslb-service gslb_svc> load-balancing algorithm wrr persistency 255.255.255.255 TTL 3600
The following example configures the load balancing algorithm to Weighted Round Robin, configures the persistency without a time-to-live value, and enables HTTP IP redirect:
    gslb-service gslb_svc> load-balancing algorithm wrr persistency 255.255.255.255 NO-TTL http-ip-redirect

To configure the disaster recovery settings in the CLI
Command Syntax:
    gslb-service gslb_svc> gslb-threshold advertisement-interval <interval in seconds between messages sent [1-60]> site-down <site is considered down after this many tries of being reached [1-10]>
Example commands:
    gslb-service gslb_svc> gslb-threshold advertisement-interval 2 site-down 3
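The Round Robin queue and Weighted Round Robin proportion from Table 14, combined with the advertisement-interval and site-down thresholds configured above, as an added example that is not AppBeat DC code. The class names, the smooth weighted scheduling used for wrr, and the exact point at which a silent site counts as down are assumptions; wll and wls are left out because their metrics (Table 16) are not given in this section.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Site:
    name: str
    address: str              # virtual-address handed out in DNS answers
    weight: int = 1
    up: bool = True           # status the site reports
    server_conns: int = 1     # server connections the site reports
    last_advert: float = 0.0  # arrival time of its last advertisement (seconds)
    credit: int = 0           # wrr bookkeeping


class GslbService:
    def __init__(self, sites, algorithm="rr",
                 advertisement_interval=2, site_down=3):
        if algorithm not in ("rr", "wrr"):
            raise ValueError("this example covers rr and wrr only")
        self.queue = deque(sites)
        self.algorithm = algorithm
        self.advertisement_interval = advertisement_interval
        self.site_down = site_down

    def score(self, site, now):
        """Table 14 score: 0 if the site is not eligible, else 1 (rr) or weight (wrr)."""
        # Assumption: a site is non-reporting once site_down whole
        # advertisement intervals have passed without a message from it.
        missed = (now - site.last_advert) // self.advertisement_interval
        if missed >= self.site_down or not site.up or site.server_conns < 1:
            return 0
        return 1 if self.algorithm == "rr" else site.weight

    def resolve(self, now):
        """Return the address for the next DNS answer, or None if no site is eligible."""
        return self._rr(now) if self.algorithm == "rr" else self._wrr(now)

    def _rr(self, now):
        # Take the head of the queue, move it to the end, skip ineligible sites.
        for _ in range(len(self.queue)):
            site = self.queue[0]
            self.queue.rotate(-1)
            if self.score(site, now) > 0:
                return site.address
        return None

    def _wrr(self, now):
        # Smooth weighted round robin (an assumed scheduling; the guide only
        # states the resulting proportion): every eligible site earns its
        # score, the richest one answers and pays back the total.
        live = [(s, self.score(s, now)) for s in self.queue]
        live = [(s, sc) for s, sc in live if sc > 0]
        if not live:
            return None
        for site, sc in live:
            site.credit += sc
        best = max(live, key=lambda pair: pair[0].credit)[0]
        best.credit -= sum(sc for _, sc in live)
        return best.address


def demo():
    """Two sites from the guide's examples: healthy rotation, then ny goes silent."""
    lon = Site("lon", "172.16.0.50", weight=10)
    ny = Site("ny", "192.168.0.50", weight=10)
    svc = GslbService([lon, ny], "rr", advertisement_interval=2, site_down=3)
    healthy = [svc.resolve(now=1) for _ in range(4)]
    lon.last_advert, ny.last_advert = 10, 4   # ny's last message arrived at t=4
    degraded = [svc.resolve(now=10) for _ in range(3)]
    return healthy, degraded


if __name__ == "__main__":
    print(demo())
```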
To configure the GSLB site in the CLI
Command Syntax:
To configure the GSLB site without a password:
    gslb-service gslb_svc> gslb-site <name of the site location> virtual-address <virtual IP address of the site> weight <the site's weight used for load balancing purposes> listener <the IP address on which this remote location listens to GSLB inter-unit messages> port <the port on which this remote location listens to GSLB inter-unit messages> no-secure
To configure the GSLB site with a password:
    gslb-service gslb_svc> gslb-site <name of the site location> virtual-address <virtual IP address of the site> weight <the site's weight used for load balancing purposes> listener <the IP address on which this remote location listens to GSLB inter-unit messages> port <the port on which this remote location listens to GSLB inter-unit messages> secure [encrypted password <the password string> | password]
The virtual IP address of the site must be identical to the original virtual server configured for the AppBeat DC before beginning the GSLB configurations.
Example commands:
To configure the GSLB site without a password:
    gslb-service gslb_svc> gslb-site lon virtual-address 172.16.0.50 weight 10 listener 172.16.0.5 80 no-secure
To configure the GSLB site with an encrypted password:
    gslb-service gslb_svc> gslb-site ny virtual-address 192.168.0.50 weight 10 listener 192.168.0.5 80 secure encrypted password 3333333333
To configure the GSLB site with a clear password:
    gslb-service gslb_svc> gslb-site lon virtual-address 172.16.0.50 weight 10 listener 172.16.0.5 80 secure password
    Do you want to set password for the site (Y/N)? y
    Please enter password (1..64 characters): ******
To configure a public IP address for the GSLB listener in the CLI
Command Syntax:
    config> gslb-listener <the IP address on which this remote location listens to GSLB inter-unit messages> port <the port on which this remote location listens to GSLB inter-unit messages> [public-ip-address | no-public-ip-address]
Example commands:
    config> gslb-listener 192.168.0.5 80 public-ip-address
    config> gslb-listener 192.168.0.5 80 no-public-ip-address

To view the configured GSLB service in the CLI
Command Syntax:
    root> show gslb services
Example commands:
    root> show gslb services
    gslb service: gslb_svc
    Domain name: www.customer.com
    DNS record TTL: 2 seconds
    Load balancing: RR
    Persistency: Off
    Advertisement interval: 2 seconds
    Site down: 3
    HTTP IP redirect: Off
    Sites:
    Name  Address       Listener        Weight  Secure  Password
    ny    192.168.0.50  192.168.0.5:80  10      0       Off
    lon   172.16.0.50   172.16.0.5:80   10      1       Off
Example commands:
    root> show running gslb
The common configurations for the first AppBeat DC are complete. Copy and paste these settings for the remaining AppBeat DCs to ensure that the common configurations are identical among all AFEs.

To configure a common GSLB service and its sites for a single AppBeat DC in the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol and then clicking the GSLB icon.
3. Click New. The GSLB Service window is displayed.
Figure 86: Adding a GSLB Service
4. In the Service name field, enter a name for the service.
5. In the Domain name and DNS TTL fields, configure the DNS information relevant to this service. Enter the domain name of the website and the DNS time-to-live value of the DNS resolution of the domain name.
   A smaller time-to-live value makes the setup more resilient to disaster recovery. Nevertheless, it may increase DNS traffic since a DNS resolution with a relatively small time-to-live value ages fast.
6. Configure the load balancing settings:
   - In the LB algorithm drop down menu, select the load balancing algorithm. The possible values are: None, RR, WRR, WLL, and WLS.
   - Check Persistency to configure the client IP persistency. In the Mask and Persistency Timeout fields, enter the IP mask and the number of seconds after which a timeout is generated.
   - Check HTTP IP redirect to enable IP redirect.
7. Configure the Disaster recovery settings. The GSLB inter-unit communication protocol is used to advertise periodic messages among AppBeat DC units.
   - In the Advertisement Interval field, enter the interval in seconds between two such consecutive messages.
   - In the Site down field, enter the number of messages sent that do not receive any response, after which a remote location is considered as non-reporting and therefore as down.
8. Click Apply. The GSLB site appears on the left panel under the GSLB icon.
9. From the left panel, click the location of the site that you want to configure. The GSLB Site window is displayed.
Figure 87: Adding a GSLB Site
10. Configure the Site fields:
   - In the IP field, enter the virtual IP address of the site given as a resolution for DNS queries. This is identical to the original virtual server that was configured before performing the GSLB configurations. This IP address is used by the AppBeat DCs to communicate with each other.
   - In the Public IP field, enter the IP address used to access the site from the Internet. The public IP address is used as the DNS response, in cases where a NAT machine exists between the AppBeat DC and the Internet. This enables the IP address to be accessible from the Internet. In such a case, both local and public IP addresses are used. The local IP address operates the relevant services while the public IP address enables access to those services from the Internet.
   - In the Weight field, enter the site’s priority with regard to the other locations, used for load balancing purposes.
11. Configure the Listener fields:
   - In the IP field, enter the IP address on which this remote location listens to GSLB inter-unit messages (GSLB listener).
   - In the Port field, enter the port on which this remote location listens to GSLB inter-unit messages.
   - Check Secure to indicate that the messages should be encrypted. In the Encrypted Password field, enter the password for the site to use to decrypt the message.
12. Click Apply. The common GSLB service for the AppBeat DC of the first location is configured. Repeat steps 1 through 12 for the remaining AppBeat DCs.

Configuring the Local DNS Server Settings
For each location, configure the DNS server settings. You can configure up to 64 DNS servers.

To configure local DNS server settings in the CLI
Command Syntax:
    config> dns-server ip-address <ip address of the DNS server>
Example commands:
For AppBeat DC CN1 (London):
    dns-server ip-address 172.16.0.3
For AppBeat DC CN2 (New York):
    dns-server ip-address 192.168.0.3
To configure local DNS server settings in the GUI
y 214 y
1.
Once logged in through the GUI, click the Configuration button on the left panel.
2.
In the Topology window, expand the Services icon by clicking the + symbol and then clicking the GLSB icon. The GSLB window is displayed.
AppBeat DC User Guide
Chapter 11 Global Server Load Balancing
Figure 88: Configuring the Local GSLB Settings
3. Configure the DNS server settings:
In the IP field, enter the IP address for the location’s DNS server.
Click Apply.
Configuring the Local GSLB Listener Settings
For each location, configure the local GSLB listener settings. The GSLB listener listens to GSLB inter-unit messages from an AppBeat DC at a remote location. The AppBeat DC’s local listener recognizes the remote AppBeat DC with which it is communicating according to the remote AppBeat DC’s configured local listener settings. For example, when the AppBeat DC CN1 (London) reads that the GSLB site configurations are gslb-site ny listener 192.168.0.5 80, CN1 recognizes these as the New York site settings and that AppBeat DC CN2 (New York) is listening on that address. You can configure up to 64 GSLB listeners.
To configure local GSLB listener settings in the CLI
Command Syntax: config> gslb-listener ip-address <IP address of the GSLB listener> <port number>
Example commands:
For AppBeat DC CN1 (London): gslb-listener ip-address 172.16.0.5 80
For AppBeat DC CN2 (New York): config> gslb-listener ip-address 192.168.0.5 80
To configure local GSLB listener settings in the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol and then clicking the GSLB icon. The GSLB window appears (see Figure 88).
3. Configure the GSLB inter-unit listener settings:
In the IP, Port, Public IP, and Public Port fields, enter the IP address, port, public IP and public port for the GSLB inter-unit listener server.
The public IP address is used in cases where a NAT machine exists between the AppBeat DC and the Internet. This enables the IP address to be accessible from the Internet. When a GSLB listener is configured with a public IP address, verify that the respective listener on the GSLB site is configured with the same public IP address.
Click Apply.
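The listener matching described in this section can be checked offline before GSLB is enabled. The following Python script is an added example, not Crescendo Networks code: it compares each unit's gslb-site listener entries with the peer's own gslb-listener line. The site names, the transcripts and the helper names are constructed for illustration, and the public IP and public port fields are not covered because their CLI form is not shown in this section.

```python
import re

# Patterns follow the two command forms shown in this section. Any prompt
# text in front of the command is ignored.
LISTENER_RE = re.compile(r"gslb-listener ip-address (\S+) (\d+)\s*$")
SITE_RE = re.compile(r"gslb-site (\S+) listener (\S+) (\d+)\s*$")


def parse_gslb_unit(transcript):
    """Return (local listener endpoints, {peer site name: expected endpoint})."""
    local, peers = set(), {}
    for line in transcript.splitlines():
        if m := LISTENER_RE.search(line):
            local.add((m[1], int(m[2])))
        elif m := SITE_RE.search(line):
            peers[m[1]] = (m[2], int(m[3]))
    return local, peers


def cross_check(units):
    """units maps each site name to the CLI transcript of its AppBeat DC."""
    parsed = {site: parse_gslb_unit(text) for site, text in units.items()}
    findings = []
    for site in sorted(parsed):
        peers = parsed[site][1]
        for peer in sorted(set(parsed) - {site}):
            if peer not in peers:
                findings.append(f"{site}: no gslb-site listener entry for {peer}")
                continue
            ip, port = peers[peer]
            listeners = parsed[peer][0]
            if (ip, port) not in listeners:
                actual = ", ".join(f"{i}:{p}" for i, p in sorted(listeners)) or "nothing"
                findings.append(
                    f"{site}: expects {peer} at {ip}:{port}, but {peer} listens on {actual}")
    return findings


# Constructed transcripts. The listener lines reuse the guide's example
# addresses; the port 8080 entry on the New York unit is a deliberate mistake.
UNITS = {
    "lon": """
config> gslb-listener ip-address 172.16.0.5 80
gslb-site ny listener 192.168.0.5 80
""",
    "ny": """
config> gslb-listener ip-address 192.168.0.5 80
gslb-site lon listener 172.16.0.5 8080
""",
}

if __name__ == "__main__":
    for finding in cross_check(UNITS):
        print(finding)
```

A mismatch reported here would show up on the running system as a site stuck in the "No reporting" status.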
Associating a Local Cluster to the GSLB Service
For each AppBeat DC, associate the website’s clusters to the GSLB service. The health of these clusters is used to determine the status of the AppBeat DC.
To configure the local cluster GSLB service settings in the CLI
Command Syntax: cluster cl_london> service gslb <the name of the GSLB service, to which we are associating the cluster>
Example commands:
For AppBeat DC CN1 (London):
config> farm fa_london
farm fa_london> cluster cl_london
cluster cl_london> service gslb gslb_svc
cluster cl_london> exit
config> exit
root> show running config
farm fa_london
cluster cl_london
server-inactivity global
service gslb gslb_svc
For AppBeat DC CN2 (New York):
config> farm fa_new_york
farm fa_new_york> cluster cl_new_york
cluster cl_new_york> service gslb gslb_svc
cluster cl_new_york> exit
config> exit
root> show running config
farm fa_new_york
cluster cl_new_york
server-inactivity global
service gslb gslb_svc
To configure the local cluster GSLB service settings in the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology window, click the + symbol next to the Servers Topology icon to expand the server topology. Click the + symbol next to the farms icon to which the cluster belongs. Click the cluster icon of the cluster you want to associate with the GSLB service. The Gslb window is displayed.
Figure 89: Associating the Clusters with the GSLB Service
3. In the Available area, select the name of the GSLB services that you want to associate with the cluster and click Add. The GSLB service names appear in the Selected area.
4. Repeat step 3 for each cluster that you want to associate with the GSLB service.
Enabling Local GSLB
The last step is to enable each AppBeat DC. Once GSLB is enabled for a specific AppBeat DC site, the AppBeat DC handles DNS requests and uses the GSLB inter-unit communication protocol to share the site’s status with other AppBeat DCs.
To enable the local GSLB in the CLI
Command Syntax:
config> gslb-enable
config> system
system> save
To disable the GSLB operation on the AppBeat DC CN, use the gslb-disable command. This stops the location from handling DNS requests and using inter-unit communication to share the site’s status.
Example commands:
For AppBeat DC CN1 (London):
config> gslb-enable
config> system
system> save
For AppBeat DC CN2 (New York):
config> gslb-enable
config> system
system> save
To enable the local GSLB in the GUI
1. Once logged in through the GUI, click the Configuration button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol and then clicking the GSLB icon. The GSLB window is displayed (see Figure 88).
3. In the Mode field, select Enable to enable the AppBeat DC. You can disable the AppBeat DC by selecting Disable.
4. Click Apply.
To view the configured GSLB local settings in the CLI
Command Syntax: root> show gslb
Example commands:
root> show gslb
GSLB Enabled
DNS services:
IP address      Port
172.16.0.3      53
GSLB listener:
IP address      Port    Secure  Public IP       Public port
172.16.0.5      80      No      0.0.0.0         0
GSLB cluster services:
Service name    cluster
gslb_svc        cl_london
GSLB Monitoring
Monitoring GSLB enables you to:
View the current health of the sites configured for the GSLB service and receive notification when the status changes.
View the DNS resolutions counters of the sites for the GSLB service and receive notification when there is a change in the counters.
View different types of log files used by technical support for debugging purposes.
To view the GSLB site’s health in the CLI
Command Syntax: root> show gslb status
Example commands:
root> show gslb status
gslb service: gslb_svc
Sites:
Name |Status |        |Raw metrics        |Calculated |Last report time
     |       |Servers |connections Weight |site score |
ny   |UP     |3       |0           10     |1          |2008.05.04-19:02:49
lon  |UP     |3       |0           10     |1          |2008.05.04-19:02:48
To receive a notification when there is a change in the site’s status in the CLI
Command Syntax: config> logging threshold syslog notification gslb
To view the GSLB site’s health in the GUI
1. Once logged in through the GUI, click the Monitoring button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol and expand the GSLB icon by clicking the + symbol. Click the GSLB service name. The Sites window is displayed.
Figure 90: Monitoring the GSLB Sites Health
3. The Site’s fields are described in the following table.
Table 16: GSLB Sites Fields
Field | Description
Site Name | The name of the site.
Status | The status of the site. This is determined according to the health of the clusters belonging to the site. Possible values are: UP – The site is up. DOWN – The site is down. No reporting – The site is not sending GSLB inter-unit messages.
Last Report Time | The last time a report was logged by the site.
Weight | The weight of the site. This is configured by the user and used for load balancing purposes.
Connections | This represents the actual load of the GSLB site. Within the clusters associated with the GSLB service, this is: for an L7 (HTTP) cluster, the number of active server connections + the number of pending requests in the real server queues + the number of pending requests in the clusters’ queues; for an L4 (TCP) cluster, the number of established connections with the relevant servers.
Num. of servers | The total number of real servers with a status of UP, within the clusters associated with the GSLB service of the GSLB site.
Calculated site score | The representation of the site’s health, which is determined according to the fields in this table. The score is calculated differently for each type of load balancing algorithm. The method in which each load balancing algorithm’s score is calculated is described in Table 14.
To view the GSLB DNS counters in the CLI
Command Syntax: root> sh gslb counters
Example commands:
root> sh gslb counters
gslb service: gslb_svc
Name ny lon
| | Load balancing | Persistency |HTTP redirect |Total |Per Sec. |Total |Per Sec. |Total |Per Sec. | 15 1 0 0 4 0 3 0 0 0 1 0
To receive a notification when there is a change in the DNS counters in the CLI
Command Syntax: config> logging threshold syslog informational gslb
To view the GSLB DNS counters in the GUI
1. Once logged in through the GUI, click the Monitoring button on the left panel.
2. In the Topology window, expand the Services icon by clicking the + symbol and expand the GSLB icon by clicking the + symbol. Click the GSLB service name. The Sites window appears.
Figure 91: Monitoring the GSLB DNS Counters
3. The DNS Counter’s fields are described in the following table.
Table 17: GSLB DNS Counter Fields
Field | Description
Site Name | The name of the site.
LB: Total | The number of times a DNS resolution is returned based on the load balancing algorithm configured for the domain.
LB: Per second | The average number of times per second that a DNS resolution is returned based on the load balancing algorithm configured for the domain.
Persistency: Total | The number of times a DNS resolution is directed to this location after performing subsequent accesses to this site.
Persistency: Per second | The average number of times per second that a DNS resolution is directed to this location after performing subsequent accesses to this site.
HTTP redirections: Total | The number of times a DNS resolution is redirected to a new location after the HTTP request was sent to a location where the virtual and/or real servers are operationally down.
HTTP redirections: Per second | The average number of times per second that a DNS resolution is redirected to a new location after the HTTP request was sent to a location where the virtual and/or real servers are operationally down.
12 VRRPc Redundancy
Chapter 12 discusses the VRRPc feature designed to provide redundancy between two AppBeat DC units.
Before Proceeding.
VRRPc Overview.
VRRPc in Hot-Standby Mode.
VRRPc in Load-Sharing Mode.
Fast Switchover.
Configuration Synchronization.
Before Proceeding
In order to proceed with configuring VRRPc Redundancy, the following steps should be satisfied.
Two AppBeat DC units should be properly mounted and installed.
Management connectivity for each unit, whether through Serial Console or via Management Ethernet Interface (GUI, Telnet, or SSH). Please see Chapter 2. AppBeat DC Installation.
At least one Data Interface on each unit configured with an IP Address and connected to the same network as the server(s) to be accelerated. Please see Chapter 5. Initial Configuration & Global Settings.
Server(s) configured in at least one cluster. Please see Chapter 7. Server Topology – Farms/Clusters/Real Servers.
VRRPc Overview
VRRPc is Crescendo Networks’ proprietary redundancy protocol for Application Delivery Controllers. Implemented in a similar fashion to VRRP—using virtual MAC and IP addresses—VRRPc extends the capabilities of traditional VRRP by enabling more intelligent redundancy decisions. VRRPc tests more than simple network availability between two redundant units as VRRP does. Instead, it bases failover decisions on upstream network unit availability as well as application server health and connectivity.
VRRPc is configured by assigning a VRRPc IP address and ID number to each participating interface of an AppBeat DC. Each unit can be configured to “health check” upstream routers or load balancers as well as verify the connectivity to servers configured for acceleration. Each AppBeat DC compares its availability (ability to reach all configured units) and then determines which AppBeat DC should be active. In the event of unit failure, or if the backup AppBeat DC has a greater level of successful connectivity to servers and/or upstream units, failover will take place, ensuring application availability.
VRRPc can be implemented in one of two ways: hot/standby or load-sharing (i.e. active/active). In hot/standby mode, only one AppBeat DC will be active, while the other unit remains dormant. Load-sharing mode enables two AppBeat DC units to be simultaneously active, providing acceleration for different groups of servers at the same time.
The configuration examples provided in the following sections pertain to the configuration of two AppBeat DC units. While most implementations will require an almost identical configuration between units, there are still small differences which are noted in the “Guidelines” for each section.
VRRPc in Hot-Standby Mode
In hot-standby mode, only one AppBeat DC will be active at a given time.
VRRPc Hot-Standby Configuration Guidelines
Configure interface IP Address and mask on each gigabit-ethernet interface. Each AppBeat DC will have different regular IP addresses.
Configure VRRPc Virtual Router IP Address (VRIP) and Virtual Router ID (VRID). The VRIP and VRID defined will be identical between AppBeat DCs.
The VRID must be a number within the range 1-255. The VRID should be different for each VRIP defined across all physical interfaces.
All VRRPc configurations for hot-standby mode should utilize “group-1” settings when defining VRRPc interfaces and virtual servers. Do not configure the second VRIP and VRID for group-2.
Enable VRRPc in hot-standby mode.
To configure VRRPc IP and ID per interface from the CLI
Command Syntax: vrrpc [group-1 | group-2] VID# vrrpc-ip-address
Prompt level – Configure > Gigabit Interface Configuration
Example commands:
gigabit-ethernet port 1> vrrpc group-1 100 1.1.1.150
gigabit-ethernet port 2> vrrpc group-1 200 2.1.1.150
If the AppBeat DC is installed as a router (i.e. when using “passive mode”), all units configured to route through the AppBeat DC should configure those routes to forward through the VRRPc IP Addresses.
To configure VRRPc IP and ID per interface from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, click on the Redundancy icon under Services. This will bring up the General VRRPc Configuration settings as shown below.
Figure 92: Configuring VRRPc IP and ID Per Interface in Hot-Standby Mode
3. Select the Port or Aggregator to which you want to add a VRRPc IP address.
4. Highlight the existing IP interface to populate the configuration windows below.
5. Configure VRRP address and VRID. VRID 1 and VRRP IP 1 belong to “group-1” while VRID 2 and VRRP IP 2 belong to “group-2”. For Hot-Standby, only use group-1 settings.
To enable VRRPc globally from the CLI
Command Syntax: vrrpc [enable | disable] [hot-standby | load-sharing]
Prompt level – Configure
Example commands:
config> vrrpc enable hot-standby
config> vrrpc disable
To enable VRRPc globally from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, click on the Redundancy icon under Services. This will bring up the General VRRPc Configuration settings as shown in the figure below.
Figure 93: Enabling VRRPc Globally in Hot-Standby Mode
3. Configure the Mode as “Disable”, “Hot Standby”, or “Load Sharing”.
To view VRRPc status information from the CLI
Command Syntax: show vrrpc
Once the VRRPc IP Addresses and IDs are configured for each interface, VRRPc must be enabled globally. Once enabled, the AppBeat DC automatically takes into account connectivity to existing servers. Therefore, routing may not work properly until accelerated servers are defined in the configuration. Additionally, it is not required that health checks be configured for upstream routers or load balancers. However, it is recommended that these additional checks be configured to ensure the highest level of availability.
VRRPc in Load-Sharing Mode (Active/Active)
Load-sharing enables two AppBeat DC units to be simultaneously active while providing redundancy between each unit. The concept of “groups” is used within the configuration to differentiate which servers should be accelerated for a given AppBeat DC. For instance, each AppBeat DC will have an identical farm, cluster, and server configuration, in which some of the Virtual Servers will be defined as “group-1” and some defined as “group-2”. Since each AppBeat DC has the same configuration, either unit could provide acceleration for each group of servers.
Using the VRRPc election mechanism, the two AppBeat DC units determine which should provide acceleration for each group. This is determined based on connectivity to the servers and other upstream units such as load balancers or routers. If network connectivity and server availability are the same for each AppBeat DC, then the MAC address of each unit is used as the final arbitrator. Essentially, if all things are equal (i.e. health and connectivity), the AppBeat DC with the highest MAC address will provide acceleration for servers denoted as “group-1” while the unit with the lowest MAC address will provide acceleration for servers denoted as “group-2”. VRRPc will then provide seamless failover between each AppBeat DC should there be unit or connectivity failure.
VRRPc Load-Sharing Configuration Guidelines
Configure interface IP Address and mask on each gigabit-ethernet interface. Each AppBeat DC will have different regular IP addresses.
Configure VRRPc Virtual Router IP Address (VRIP) and Virtual Router ID (VRID). The VRIP and VRID defined will be identical between AppBeat DCs.
The VRID must be a number within the range 1-255. The VRID should be different for each VRIP defined across all physical interfaces.
Assign VRRPc interfaces and virtual servers as either group-1 or group-2. When both AppBeat DC units are functioning simultaneously, each will be responsible for a different group which will include an interface and servers.
Between redundant units, each VRID should correspond with each VRIP defined.
Configure each Virtual Server with the appropriate VRRPc group (either group-1 or group-2).
Enable VRRPc in load-sharing mode.
To configure VRRPc IP and ID per interface from the CLI
Command Syntax: vrrpc [group-1 | group-2] VID# vrrpc-ip-address
Prompt level – Configure > Gigabit Interface Configuration
Example commands:
gigabit-ethernet port 1> vrrpc group-1 100 1.1.1.100
gigabit-ethernet port 1> vrrpc group-2 200 1.1.1.200
To configure VRRPc IP and ID per interface from the GUI
See the example from the previous “VRRPc in Hot-Standby mode” section. VRID 1 and VRRP IP 1 belong to “group-1” while VRID 2 and VRRP IP 2 belong to “group-2”.
To Configure Virtual Servers for Load Sharing from CLI
Command Syntax: virtual virtual-server-name redundancy-group [1 | 2]
Prompt level – Configure > Farm > Cluster
Example commands:
config> virtual Virtual-1 redundancy-group 1
To Configure Virtual Servers for Load Sharing from GUI
VRRPc variables can be configured for Virtual Servers.
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, click on the individual Virtual Server under the Virtual Server icon. This will display the general Virtual Server Properties as shown in the figure below.
Figure 94: General Virtual Server Properties
3. Configure the VRRP Group as “group-1” or “group-2”. By default, servers are configured as group-1.
To enable VRRPc globally from the CLI
Command Syntax: vrrpc [enable | disable] [hot-standby | load-sharing]
Prompt level – Configure
Example commands:
config> vrrpc enable load-sharing
config> vrrpc disable
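The hot-standby and load-sharing guidelines above can be checked mechanically against the commands entered on both units. The following Python script is an added example, not Crescendo Networks code: it parses CLI transcripts in the syntax shown in this chapter and reports guideline violations. The transcripts and helper names are constructed, and the check that both units run the same mode is an assumption drawn from the guidelines.

```python
import ipaddress
import re

# Patterns follow the CLI syntax printed in this chapter.
IFACE_RE = re.compile(
    r"^(gigabit-ethernet port \d+)>\s*vrrpc group-([12]) (\d+) (\S+)$")
VIRT_RE = re.compile(r"^[^>]+>\s*virtual (\S+) redundancy-group ([12])$")
MODE_RE = re.compile(r"^config>\s*vrrpc enable (hot-standby|load-sharing)$")


def parse_vrrpc_unit(transcript):
    """Collect the VRRPc settings entered on one unit."""
    unit = {"mode": None, "vrrpc": [], "virtuals": {}}
    for raw in transcript.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            unit["vrrpc"].append((m[1], int(m[2]), int(m[3]), m[4]))
        elif m := VIRT_RE.match(line):
            unit["virtuals"][m[1]] = int(m[2])
        elif m := MODE_RE.match(line):
            unit["mode"] = m[1]
    return unit


def check_unit(name, unit):
    """Apply the per-unit guidelines; return a list of findings."""
    findings = []
    vrip_by_vrid = {}
    for iface, group, vrid, vrip in unit["vrrpc"]:
        if not 1 <= vrid <= 255:
            findings.append(f"{name}: VRID {vrid} on {iface} is outside 1-255")
        try:
            ipaddress.ip_address(vrip)
        except ValueError:
            findings.append(f"{name}: VRIP {vrip} on {iface} is not an IP address")
        # Each VRIP needs its own VRID across all physical interfaces.
        first = vrip_by_vrid.setdefault(vrid, vrip)
        if first != vrip:
            findings.append(f"{name}: VRID {vrid} is shared by {first} and {vrip}")
        if unit["mode"] == "hot-standby" and group == 2:
            findings.append(
                f"{name}: group-2 VRRPc settings on {iface} in hot-standby mode")
    if unit["mode"] == "hot-standby":
        for vs, group in sorted(unit["virtuals"].items()):
            if group == 2:
                findings.append(
                    f"{name}: virtual server {vs} uses group-2 in hot-standby mode")
    if unit["mode"] is None and unit["vrrpc"]:
        findings.append(f"{name}: VRRPc addresses are set but VRRPc is not enabled")
    return findings


def check_pair(a, b):
    """Compare the two redundant units with each other."""
    findings = []
    if a["mode"] != b["mode"]:  # assumption: both units run the same mode
        findings.append(f"mode differs: {a['mode']} vs {b['mode']}")
    pairs_a = {(g, vrid, vrip) for _, g, vrid, vrip in a["vrrpc"]}
    pairs_b = {(g, vrid, vrip) for _, g, vrid, vrip in b["vrrpc"]}
    for g, vrid, vrip in sorted(pairs_a ^ pairs_b):
        findings.append(
            f"group-{g} VRID {vrid} / VRIP {vrip} is defined on one unit only")
    for vs in sorted(set(a["virtuals"]) | set(b["virtuals"])):
        if a["virtuals"].get(vs) != b["virtuals"].get(vs):
            findings.append(
                f"virtual server {vs}: redundancy group differs between units")
    return findings


def audit(transcript_a, transcript_b):
    a, b = parse_vrrpc_unit(transcript_a), parse_vrrpc_unit(transcript_b)
    return check_unit("unit A", a) + check_unit("unit B", b) + check_pair(a, b)


# Constructed transcripts for illustration; unit B contains three mistakes.
UNIT_A = """
gigabit-ethernet port 1> vrrpc group-1 100 1.1.1.100
gigabit-ethernet port 1> vrrpc group-2 200 1.1.1.200
config> virtual Virtual-1 redundancy-group 1
config> virtual Virtual-2 redundancy-group 2
config> vrrpc enable load-sharing
"""
UNIT_B = """
gigabit-ethernet port 1> vrrpc group-1 100 1.1.1.100
gigabit-ethernet port 1> vrrpc group-2 300 1.1.1.201
config> virtual Virtual-1 redundancy-group 1
config> virtual Virtual-2 redundancy-group 1
config> vrrpc enable load-sharing
"""

if __name__ == "__main__":
    for finding in audit(UNIT_A, UNIT_B):
        print(finding)
```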
To enable VRRPc globally from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, click on the individual Virtual Server under the Virtual Server icon. This will display the general Virtual Server Properties as shown in the figure below.
Figure 95: Enabling VRRPc Globally in Load-Sharing Mode
Fast Switchover
The fast VRRPc switchover feature provides you with a sub-second switchover in case of unit or network failure in any of the AppBeat DC units.
To enable the fast switchover from the CLI
Command Syntax: vrrpc fast-switchover
Prompt level – Configure
Example commands:
vrrpc fast-switchover
To enable the fast switchover from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, click on the Redundancy icon under Services. The General tab appears (see Figure 95).
3. Check Fast switchover and click Apply.
Configuration Synchronization
Configuration synchronization enables you to duplicate the configuration data from one AppBeat DC to another. Once the units are synchronized, the mate unit can be used in the following cases:
When a failover occurs in the AppBeat DC, the mate unit assumes traffic processing.
When performing load sharing.
Configuration synchronization consists of the following steps:
1. Configuring the AppBeat DC’s mate unit.
2. Synchronizing the unit configurations (with or without saving the configurations).
Configuring the Mate Unit
To configure the mate unit from the CLI
Command Syntax: vrrpc mate <ip address of the target unit>
Prompt level – Configure
Example commands:
vrrpc mate 10.0.2.222
To configure the mate unit from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology panel, click the Redundancy icon under Services. The General tab appears.
Figure 96: Configuring the Mate IP
3. In the Mate IP field, enter the IP of the management interface of the mate unit and click Apply. The AppBeat DC’s mate unit is configured. You can now synchronize the units.
Saving and Synchronizing the Unit Configurations
You can synchronize the units with or without saving the unit configurations. Synchronization is performed only if all interfaces maintain IP addresses in the same subnets.
To synchronize the unit configurations from the CLI
Command Syntax: config-sync
Prompt level – Configure
Example commands:
config-sync
To save and synchronize the unit configurations from the CLI
Command Syntax: save [sync-to-mate]
Prompt level – System
Example commands:
system > save [sync-to-mate]
To synchronize the unit configurations from the GUI
Click File > Configuration > Synchronize Configuration.
To save and synchronize the unit configurations from the GUI
Click File > Configuration > Save and sync-to-mate.
13 Monitoring the AppBeat DC
Chapter 13 provides a description and explanation about monitoring the AppBeat DC unit and the accelerated farms, clusters, servers, and Devices using either the GUI-Based Maestro Management system or the CLI.
Overview.
Viewing the AppBeat DC Summary.
Monitoring the AppBeat DC Unit.
Monitoring Attacks and Abnormal Network Behavior.
Monitoring the Server
Monitoring Devices.
Overview
The Maestro Platform offers an intuitive tool for managing and monitoring the AppBeat DC. The GUI is accessible via any Web browser, which launches the Java-based SNMP management and monitoring tool. The GUI provides a simple method to configure the AppBeat DC, while also accessing a rich level of statistical information about farms, clusters, individual servers, or even the global statistics regarding the AppBeat DC and how it is enhancing application performance. The following chapter describes the Maestro’s monitoring features with cross references to the relevant CLI monitoring commands.
Viewing the AppBeat DC Summary Feature
Before going any further with the description and explanation of the monitoring feature, it is important to introduce the AppBeat DC Summary feature. This feature serves as the starting point for monitoring the AppBeat DC unit; it provides you with a visual display of the following vital system information that summarizes your system’s current status:
Active Port Indicators (1-10, according to the AppBeat DC unit purchased).
Server Inventory including the number of servers, clusters and farms, and the status of each.
Traffic per port/Accelerated traffic.
AppBeat DC Statistics.
Events legend.
The Summary window enables you to view, at a glance, your system’s current status, e.g., which servers are operational/failed, which AppBeat DC unit ports are configured, etc. To open the Summary window, click the Summary button on the left panel.
Overview of the Summary Window
Figure 97: Summary Window
The Summary feature window contains the following information areas:
System Status – This area contains current information about the total number of farms, clusters and servers configured; and how many are operational/failed.
Traffic – This area contains the current graphical information about the traffic levels moving through the AppBeat DC ports, and how much of that traffic is accelerated.
Acceleration Statistics – This area provides the current graphical information about two system acceleration indicators:
Transactions your system is handling.
Active clients your system is handling.
Events legend – This legend contains a tri-color code that categorizes the system events as:
Red (X) = Critical.
Yellow (!) = Warning.
Green (i) = Informational.
Monitoring the AppBeat DC Unit
Monitoring the AppBeat DC via the CLI
Monitoring the AppBeat DC via the CLI enables you to check connectivity using Ping, and display various information using the ‘Show’ commands. For example, Global counters, Logging, Utilization metrics, etc. See the following examples.
To show all counters
Command Syntax: show counters {global-counters | farm | cluster | server | virtual} [farm-name | cluster-name | server-name | virtual-server-name]
Prompt level - Root
Example Command:
root> show counters global-counters
root> show counters farm
root> show counters cluster Cluster-1
To show all utilization metrics
Command Syntax: show utilization
Prompt level - Root
Example Command:
root> show utilization
Output:
- DC processor
CPU utilization : 87 %
Memory consumption : 56 %
- SSL
SSL engine CPU utilization : 45 %
SSL memory consumption : 23 %
- Compression
Compression engine CPU utilization : 45 %
- HTTP
HTTP engine CPU utilization : 45 %
HTTP request buffering memory consumption : 23 %
HTTP response buffering memory consumption : 23 %
- TCP
TCP engine CPU utilization : 45 %
DC processor TCP client connections memory consumption : 23 %
TCP engine connections table memory consumption : 23 %
Monitoring the AppBeat DC via the GUI
The following section describes and explains the AppBeat DC GUI monitoring feature. You can pause the monitoring at any time by clicking the Pause Update button at the bottom of the screen.
To view administrative information
1. In the left panel of the AppBeat DC window, click the Monitoring button.
Figure 98: AppBeat DC – Traffic Tab
2. In the Topology window, click on the AppBeat DC icon. The tabs displayed in the right panel present global performance data for the AppBeat DC. Several tabs are available to display current configuration information.
The Traffic tab window contains the following information, in read-only mode:
Byte/Second - Current and Last 5 Minute Max.
Packets/Second - Current and Last 5 Minute Max.
Request/Second - Current and Last 5 Minute Max.
Response/Second - Current and Last 5 Minute Max.
Average Client Time - Client and Server.
Ping/Second - ICMP traffic count.
Pause Update - Freezes the counters on the screen (internally the counters continue to progress). Releasing the button resumes the display of the counters.
To view the TCP tab
Click the TCP tab to bring it forward.
Figure 99: AppBeat DC – TCP Tab
The TCP tab window contains the following information, in read-only mode:
Connections.
Active – Monitors the number of clients and servers connected.
Established/Accepted – Monitors the total number of clients and servers connected.
Connections per second.
Attempted – Monitors the number of attempted connections per second for clients and servers.
Max. Attempted – Monitors the maximum number of attempted connections per second for clients and servers.
Accepted – Monitors the number of established connections per second for clients and servers.
Max. Accepted – Monitors the maximum number of established connections per second for clients and servers.
Average Segment Size.
In.
Out.
To view the HTTP tab window
Click the HTTP tab to bring it forward.
Figure 100: AppBeat DC – HTTP Tab
The HTTP tab window contains the following information, in read-only mode:
Request - For HTTP 1.0 and 1.1.
Response - For HTTP 1.0 and 1.1.
Total - For HTTP 1.0 and 1.1.
Requests Breakdown (per second):
GET.
PUT.
HEAD.
POST.
Responses Breakdown (per second):
Success.
Redirect.
Client error.
Server error.
To view the IP tab window
Click the IP tab to bring it forward.
Figure 101: AppBeat DC – IP Tab
The IP tab window contains the following information, in read-only mode:
IP Address.
Network Mask.
Next Hop.
Status.
To view the Ports tab window
Click the Ports tab to bring it forward.
Figure 102: AppBeat DC – Ports Tab
The Ports tab window contains the following counter information for each port and aggregator, in read-only mode:
Frames: In and Out.
Octets: In and Out.
Errors: In and Out.
Discards: In.
ARP Requests Sent.
ARP Responses Received.
PING (Echo requests).
ARP Learning.
IP Length Errors.
IP Checksum Errors.
TCP Checksum Errors.
VRRPc on Wrong Port.
VLAN ID is 0.
Global Frame Counters:
Unknown Layer 2.
Unknown Layer 3.
Invalid ARP.
Non-TCP.
No Route.
Routed.
To view the Attacks tab window
Click the Attacks tab to bring it forward.
Figure 103: AppBeat DC – Attacks Tab
The Attacks tab window displays the AppBeat DC’s attacks and abnormal traffic behavior. For more information on monitoring the system’s attacks, see Monitoring Attacks and Abnormal Network Behavior.
To view the System tab window
Click the System tab to bring it forward.
Figure 104: AppBeat DC – System Tab
The System tab window contains the following information, in read-only mode:
Delivery Control Processor:
CPU utilization.
Memory consumption.
SSL:
SSL engine CPU utilization.
SSL memory consumption.
Compression:
Compression engine CPU utilization.
HTTP:
HTTP engine CPU utilization.
HTTP request buffering memory consumption.
HTTP response buffering memory consumption.
TCP:
TCP engine CPU utilization.
DC processor TCP client connections memory consumption.
TCP engine connections table memory consumption.
Monitoring Attacks and Abnormal Network Behavior
The hardware-based TCP/IP stack of the AppBeat DC is inherently immune to many DoS and DDoS (Denial of Service and Distributed Denial of Service) attacks, with specific provisions implemented to further protect the unit and the accelerated servers from harmful traffic. The AppBeat DC architecture innately protects the appliance and the servers from attacks such as:
Teardrop.
Ping of Death.
Open/Close.
ICMP unreachable attack.
ICMP redirect attack.
Ping attack.
ARP attack.
Christmas tree attack.
TCP flood.
The AppBeat DC is also capable of reporting attacks and abnormal traffic behavior to the administrator, providing a warning mechanism on top of the protection mechanisms implemented. Reporting is based on user-configurable thresholds, described below. The following attacks and abnormal traffic behavior are reported by the AppBeat DC:
Attacks.
Land attack – IP packets where the source address is the same as the destination address.
SYN attacks – SYN packets received from malicious clients indicating a need to open a TCP connection, but the client never fully opens the connection (the client does not respond to the SYN/ACK of the server).
Abnormal behavior.
IP broadcasts – packets with any broadcast IP address destination.
TCP frames (to virtual IP) – TCP frames destined for a virtual IP address, but not an associated TCP port.
Non-TCP frames (to primary IP) – Any non-TCP frame destined for one of the IP addresses associated with a data port on the AppBeat DC.
Non-TCP frames (to virtual IP) – Any non-TCP frame destined for one of the virtual IP addresses configured on the AppBeat DC.
The AppBeat DC will monitor and report on any of these attacks and abnormal events based on two user-configurable parameters:
Interval – a sample interval (in seconds) over which the number of frames matching the attack or abnormal behavior is counted.
Threshold – defined in terms of number of frames. If the number of frames (matching the attack or abnormal behavior) per sample interval exceeds this number, an event is generated indicating a single instance of an attack.
The default interval and threshold for all attacks and abnormal behavior are 5 seconds and 20 frames, respectively. That means that if 20 frames of a given type are seen within a 5-second window, an attack event is registered and reported. The only exception to these default values is the SYN attack, where the default threshold is 200 frames. The AppBeat DC reports each attack event and keeps track of the total number of attacks of each type. This number can be reset for any of the attacks or abnormal behaviors independently.
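The counting rule above can be reproduced offline to see how a given interval and threshold behave before they are set on the unit. The following is an added example, not code from Crescendo Networks or the AppBeat DC: it applies the interval and threshold logic to constructed frame records, using "exceeds" as in the Threshold definition. The frame record layout, the 192.0.2.0/24 subnet, the non-overlapping sample intervals and the use of a missing client ACK to mark an unfinished handshake are assumptions.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Guide defaults: 5 s interval and 20 frames per monitor, 200 frames for SYN.
MONITORS = {"land": (5, 20), "syn": (5, 200), "ip-broadcast": (5, 20)}
LOCAL_NET = ip_network("192.0.2.0/24")        # constructed subnet (assumption)
LIMITED_BCAST = ip_address("255.255.255.255")


def flow_key(f):
    return (f["src"], f["sport"], f["dst"], f["dport"])


def classify(frame, completed):
    """Return the monitor names this frame counts toward."""
    kinds = []
    if frame["src"] == frame["dst"]:
        kinds.append("land")                  # source address equals destination
    if ip_address(frame["dst"]) in (LOCAL_NET.broadcast_address, LIMITED_BCAST):
        kinds.append("ip-broadcast")
    if frame["flags"] == "S" and flow_key(frame) not in completed:
        kinds.append("syn")                   # SYN whose handshake never finished
    return kinds


def detect(frames, monitors=MONITORS):
    """Count matching frames per sample interval and report one event for each
    interval whose count exceeds the threshold. Returns (events, totals)."""
    # A client ACK on the same flow means the connection was fully opened.
    completed = {flow_key(f) for f in frames if f["flags"] == "A"}
    counts = Counter()
    for f in frames:
        for kind in classify(f, completed):
            interval = monitors[kind][0]
            counts[(kind, int(f["ts"] // interval))] += 1
    events = sorted((kind, bucket * monitors[kind][0], n)
                    for (kind, bucket), n in counts.items()
                    if n > monitors[kind][1])
    totals = Counter(kind for kind, _, _ in events)   # events per type
    return events, totals


def sample_frames():
    """Constructed traffic, not a capture from a real device."""
    web = "192.0.2.10"
    frames = []
    for i in range(25):       # 25 land frames inside the 0-5 s interval
        frames.append({"ts": i * 0.2, "src": web, "dst": web,
                       "sport": 1000 + i, "dport": 80, "flags": "S"})
    for i in range(250):      # 250 SYNs, never acknowledged, in 10-15 s
        frames.append({"ts": 10 + i * 0.02, "src": "198.51.100.7", "dst": web,
                       "sport": 2000 + i, "dport": 80, "flags": "S"})
    for i in range(10):       # 10 complete handshakes in 20-25 s
        flow = {"src": "203.0.113.5", "dst": web, "sport": 3000 + i, "dport": 80}
        frames.append({"ts": 20 + i * 0.1, "flags": "S", **flow})
        frames.append({"ts": 20.05 + i * 0.1, "flags": "A", **flow})
    for i in range(5):        # 5 broadcasts in 30-35 s, under the threshold
        frames.append({"ts": 30 + i, "src": "192.0.2.20", "dst": "192.0.2.255",
                       "sport": 0, "dport": 0, "flags": ""})
    return frames


if __name__ == "__main__":
    events, totals = detect(sample_frames())
    for kind, start, n in events:
        print(f"{kind}: {n} frames in interval starting at {start}s")
    print(dict(totals))
```

Passing a modified monitors dictionary, for example with land set to (30, 200), shows which bursts would stop generating events under looser settings.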
Configuring Attack Monitors
Configuring Attack Monitors from the CLI
Use the following steps to configure the attack monitors and associated thresholds from the CLI.
Command Syntax:
attack-monitor {land | syn | ip-broadcast | tcp-to-virtual | nontcpto-virtual | all | default} {interval | threshold | enable | disable | reset-counter}
Prompt level - Configure
Example commands:
config> attack-monitor land interval 30 threshold 200
Configuring Attack Monitors from the GUI
To configure attack monitors from the GUI
1. Once logged in through the GUI, click on the Configuration button on the left panel.
2. In the Topology window, click on the AppBeat DC. Select the Attacks tab.
Figure 105: Configuring Attacks Tab
Monitoring Attacks from the CLI
Use the following steps to view the attack monitor status from the CLI.
To monitor attacks from the CLI
Command Syntax Example:
show attack-monitor
Prompt level - Configure
Monitoring Attacks from the GUI
To monitor attacks from the GUI
1. Once logged in through the GUI, click on the Monitor button on the left panel.
2. In the Topology window, click on the AppBeat DC. Select the Attacks tab.
Figure 106: Monitoring Attacks Tab
Monitoring the Server
The AppBeat DC provides you with the capability for monitoring your accelerated servers via the CLI or GUI. In the following section, examples of monitoring procedures using the CLI and GUI are described and explained. You can monitor servers (farm, cluster, real, and virtual) connected to the AppBeat DC unit via the CLI. It enables you to Ping and perform various ’Show’ commands to view information. See the following examples.
Monitoring Servers or Groups of Servers via the CLI
To show counters
Command Syntax:
show counters {farm|cluster|real|virtual}
Prompt level - Root
Example Command:
root> show counters farm farm1
Monitoring the Server via the GUI
The following section describes and explains the server GUI monitoring feature.
To view the server Traffic tab window
Under Server Topology, select the object (farm, cluster, real or virtual server) that you want to monitor.
Figure 107: Server – Traffic Tab
The Traffic tab window contains the following information, in read-only mode:
Byte/Second - Current and Last 5 Minute Max.
Request/Second - Current and Last 5 Minute Max.
Response/Second - Current and Last 5 Minute Max.
Compression:
Transaction/Second
Pre-Bytes/Second
Post-Bytes/Second
Summary:
Average Response Time
To view the TCP tab window
Click the TCP tab to bring it forward.
Figure 108: Server – TCP Tab
The TCP tab window contains the following information, in read-only mode:
Connections.
Active – Monitors the number of clients and servers connected.
Established – Monitors the total number of clients and servers connected.
Connections per second.
Attempted – Monitors the number of attempted connections per second for clients and servers.
Max. Attempted – Monitors the maximum number of attempted connections per second for clients and servers.
Accepted – Monitors the number of established connections per second for clients and servers.
Max. Accepted – Monitors the maximum number of established connections per second for clients and servers.
To view the HTTP tab window
Click the HTTP tab to bring it forward.
Figure 109: Server – HTTP Tab
The HTTP tab window contains the following information, in read-only mode:
Request – For HTTP 1.0 and 1.1.
Response – For HTTP 1.0 and 1.1.
Total Requests and Responses
Breakdown (per second).
Gets.
Puts.
Head.
Post.
Success.
Redirect.
Client error.
Server error.
To view the Load Balancing tab window
Click the Load Balancing tab to bring it forward.
Figure 110: Server – Load Balancing Tab
The Load Balancing tab window contains the following information, in read-only mode:
Algorithm Used – The type of algorithm used for the Load Balancing table.
STF – The value of the Stop Traffic Factor parameter.
Load Balancing Table – Each row of the table contains the following information:
Name.
Static Weight.
Response Time.
Dynamic Weight.
Active Connections – Static.
Active Connections – Dynamic.
Queue – Static.
Queue – Dynamic.
Calculated % of Traffic.
Monitoring Devices
The AppBeat DC provides you with the capability for monitoring your Devices via the CLI or GUI. In the following section, examples of monitoring procedures using the CLI and GUI are described and explained. You can also perform various ’Show’ commands to view information. See the following examples.
Monitoring Devices via the CLI
You can view information about a specific device or all configured devices, and information about the Real servers attached to a device.
To show Device information
Command Syntax:
show device brief
show device name device-name
show device
Prompt level - Root
Example Commands:
root> show device brief
root> show device name Device-A
root> show device
To show information about a Real server associated with a Device
Command Syntax:
show real real-name
Prompt level - Root
Example Command:
root> show real Server-1
To show information about a cluster with Real servers associated with a Device
Command Syntax:
show cluster
Prompt level - Root
Example Command:
root> show cluster
Monitoring Devices via the GUI
The following section describes and explains the Device GUI monitoring feature.
To view the Device Overview window
1. Once logged in through the GUI, click the Monitoring button on the left panel.
2. In the Topology window, expand the Devices icon by clicking the + symbol. Click the Device name. The Overview window is displayed.
Figure 111: Device Overview Window
The Device Overview window contains the following information, in read-only mode:
Name – The name of the Device.
Max connections – The maximum number of permitted connections configured for the Device.
Description – The Device description.
Members – A list of the Real servers attached to the device, and the number of current connections for each one.
14 Using the AppBeat DC History Feature
Chapter 14 provides you with the description and explanation of the AppBeat DC History feature.
Overview of the AppBeat DC History Feature.
Selecting and Viewing the AppBeat DC History Graphs.
Overview of the AppBeat DC History Feature
The AppBeat DC unit History feature provides you with the capability to review and analyze the unit’s and servers’ performance for any period of time, up to one week past. You are able to obtain a graphical analysis of the history of any selected entity, such as box, farm, cluster, or server, and all counters for the entity are saved. The History service must be enabled for each element you wish to view historical information for. For example, history data will not be saved and made available for viewing until the History check box is checked for the specific object through the Configuration mode.
Selecting and Viewing AppBeat DC History Graphs
The following section describes the procedures for selecting and viewing AppBeat DC History graphs.
To view AppBeat DC History
Once logged in through the GUI, click on the History button on the left panel.
Figure 112: Maestro History
The list of values for each list in the Data legend changes according to the level (global, farm, cluster, or server) selected in the Topology tree.
The History feature window contains the following information:
Data legend - Provides you with color-coded definitions for the data the history graph measures:
Green.
Blue.
Lavender.
Purple.
Four graphs can be viewed at any time. The four graphs are selected from the predefined counters for which history is gathered. There is a drop-down list for each of the four legends.
Available Historical Variables
Client-side TCP Connection History Statistics
Client Attempted Conns PerSec.
Client Accepted Conns PerSec.
Client Max Accepted Conns PerSec.
Client Established Connections.
Client Active Connections.
Server-side TCP Connection History Statistics
Server Attempted Conns PerSec.
Server Accepted Conns PerSec.
Server Max Accepted Conns PerSec.
Server Established Connections.
Server Active Connections.
Client-side HTTP History Statistics
L2 Bytes PerSec.
Client L7 Request Bytes PerSec.
Max L2 Bytes PerSec.
Max Client L7 Request Bytes PerSec.
Client Requests PerSec.
Client Responses PerSec.
Max Client Requests PerSec.
Max Client Responses PerSec.
Avg Client Transaction Time.
Avg Server Transaction Time.
Client HTTP 10 Requests PerSec.
Client HTTP 10 Responses PerSec.
Client HTTP 11 Requests PerSec.
Client HTTP 11 Responses PerSec.
Client Gets PerSec.
Client Others PerSec.
Client Puts PerSec.
Client Posts PerSec.
Client Heads PerSec.
Client 2xx Responses PerSec.
Client 3xx Responses PerSec.
Client 4xx Responses PerSec.
Client 5xx Responses PerSec.
Client Discarded Requests.
Accelerated Bytes PerSec.
Max Accelerated Bytes PerSec.
Non Accelerated Bytes PerSec.
Max Non Accelerated Bytes PerSec.
Server Up Events.
Server Down Events.
Compression History Statistics
Compressible Transactions PerSec.
Compressed Transactions PerSec.
Compressed Bytes Before PerSec.
Compressed Bytes After PerSec.
Max Compressible Transactions PerSec.
Max Compressed Transactions PerSec.
Max Compressed Bytes Before PerSec.
Max Compressed Bytes After PerSec.
Client L7 Response Bytes PerSec.
Server-side HTTP History Statistics
Max Client L7 Response Bytes PerSec.
Server Requests.
Server Responses.
Server Requests PerSec.
Server Responses PerSec.
Max Server Requests PerSec.
Max Server Responses PerSec.
Server L7 Request Bytes PerSec.
Max Server L7 Request Bytes PerSec.
Server L7 Response Bytes PerSec.
Max Server L7 Response Bytes PerSec.
Server HTTP 10 Requests PerSec.
Server HTTP 10 Responses PerSec.
Server HTTP 11 Requests PerSec.
Server HTTP 11 Responses PerSec.
Server Gets PerSec.
Server Others PerSec.
Server Puts PerSec.
Server Posts PerSec.
Server Heads PerSec.
Server 2xx Responses PerSec.
Server 3xx Responses PerSec.
Server 4xx Responses PerSec.
Server 5xx Responses PerSec.
Client Max Attempted Conns PerSec.
Server Max Attempted Conns PerSec.
Attack History Statistics
Attack Land PerInt.
Attack Land Total Frames.
Attack Syn PerInt.
Attack Syn Total Frames.
Attack Ip Brdcst PerInt.
Attack Ip Brdcst Total Frames.
Attack Tcp Virtual PerInt.
Attack Tcp Virtual Total Frames.
Attack Non Tcp Primary PerInt.
Attack Non Tcp Primary Total Frames.
Attack Non Tcp Virtual PerInt.
15 Troubleshooting
Chapter 15 provides example troubleshooting FAQs along with information outlining common issues and solutions for the AppBeat DC.
Common Issues and Solutions.
Recovering a Lost Password.
Common Issues and Solutions
Table 18 Common Issues and Solutions
Problem
Solution
All AppBeat DC LEDs are off
Check power cable
AppBeat DC reports that configured servers are operationally “Up”, but traffic destined to a configured Virtual Server does not work.
Verify networking environment. If outbound link is less than 1 gigabit connectivity (for example, a 100Mb router) set the shaping-rate command to accommodate the slower outbound connection. See Outbound Traffic Rate Shaping on page 40.
Box loads but configuration is missing
Connect via console and check if the startup.cfg file is present: root> system, then system> dir. If the file is not there, it may have been erased or was not saved prior to power cycling the unit. You may either restore from a backed up configuration file residing on your ftp server or reconfigure the unit.
Application loads with error during boot
Connect via console. Copy the error message (for later reference). Delete files from flash, including startup.cfg. If the problem persists, upgrade the OS and application, then reboot. If the problem still persists, run debug> show tech-support, copy all of the output and send it to Crescendo Networks Technical Support.
Console does not have connectivity
Check port settings – defaults are: 115k baud, 8 data bits, 1 stop bit, no parity, no flow control. Make sure the console cable is plugged into the correct management port, labeled Serial, NOT Ethernet.
AppBeat DC starts loading and then freezes
Power cycle the AppBeat DC.
SSH/Telnet refuses connection
Connect via console:
Contact Crescendo Networks Technical Support
Verify that the telnet/ssh servers are enabled. Check ACL is not preventing access. Verify username and password.
Cannot open GUI
Verify that the snmp-server and http-server are enabled. Client: check that SUN Java is installed and enabled. Verify the Web browser cache does not have an older version of the GUI than the current release. (Clear cache from Java console and retry)
GUI login fails
Verify correct username/password via telnet/ssh or console. Verify that there are no intermediary devices (i.e. firewalls, filters, etc.) which may be blocking SNMP traffic between the workstation and the AppBeat DC management interface.
Management Ethernet interface does not respond
Check cables, IP configuration, and switch/hub port. Verify configuration of gateway on management port in order to get response to an external network.
CLI/ Telnet freezes
Close the session and retry. Try SSH. This may happen with non-standard telnet clients.
SNMP Communities are not working – cannot use MIB browser
Verify community configuration in the AppBeat DC and on the MIB Browser (or SNMP tool).
Syslog does not log anything on syslog server
Check syslog threshold settings. Verify that objects in configuration (i.e. servers, clusters, etc.) have logging enabled.
No traffic on data path
Check cabling (fiber tx/rx, for example) and IP. Check show IP interfaces. Verify server port is open.
Server is in status “operational down”
Check server properties, IP and port.
Check connectivity from AppBeat DC to server with ping.
Log onto the Web server and make sure its HTTP task is running, and that it is accepting new TCP connections. Also, check the Web server’s TCP connection timeout to make sure it is not set too low.
Check to make sure the health check that is configured for this server is correct.
Traffic not accelerated (a percentage of failures)
Use show real command to check that the server reports UP. Check that there is ping connectivity and the port on the server is open.
Time stamps in logs are incorrect
Reset date and time.
FTP commands fail
Check management port is enabled and works. Check connectivity with PING to ftp server. Verify that the user/password/path configured in the ftp-record is correct. Verify that there are no intermediary devices (i.e. firewalls) which may block ftp transfers. Verify that the proper default gateway has been configured for the management interface.
AppBeat DC appears to be unresponsive on HTTP path
Check with a PING from other appliances that it is available on the network, as well as from the AppBeat DC.
AppBeat DC is working abnormally
Use the debug> show tech-support command. Issue the command twice at a 5-minute interval. Copy the output and send it to Crescendo Networks Technical Support.
Using a Maestro Self-Signed SSL certificate causes the browser to display a “certificate is expired or is not yet valid” warning
This can occur if the date and time were not configured on the AppBeat DC before the SSL certificate was generated. Reset the date and time, and re-create the certificate.
New Maestro features do not appear in the Maestro’s GUI console immediately after updating the Maestro via an HTTP upload
This issue occurs if the Maestro’s GUI console applet was not closed after updating the AppBeat DC. The GUI console and all other open browser windows must be closed following a Maestro code update, so that the new GUI console will be downloaded from the AppBeat DC.
A real server intermittently appears to be “down”, and then “up” again after a few seconds.
Check the TCP timeout settings on both the Maestro and the Web server. Make sure the Web server’s TCP timeout setting is greater than the timeout setting on the Maestro.
After configuring the Maestro to offload SSL from an IIS server, you receive the following error message when trying to access a secure portion of the website via SSL: “The page must be viewed over a secure channel”
This occurs because the “Require Secure Channel (SSL)” option in the IIS configuration is enabled. Contact Support for instructions on how to resolve this matter.
While trying to access a specific farm or cluster in the CLI (via Telnet, SSH or Console), you find that the farm or cluster is empty.
This can occur if you misspelled the name of the farm or the cluster when issuing the “Farm Farm_Name” or “Cluster Cluster_Name” commands. If the Farm_Name or Cluster_Name are not pre-existing entities, a new entity will be created with the misspelled name when the command is entered in the CLI.
CLI session ends spontaneously
Check the value of the “idle-inactivity” parameter. See Configurable CLI Parameters on page 23 for details.
After configuring two Maestro units to operate in Hot/Standby mode, the virtual IPs become intermittently inaccessible
Check to make sure that the option “force master” is not enabled on both AppBeat DC units, as this will cause a race condition between the two units. Disable this option on the standby unit.
Recovering a Lost Password
In the case of a lost password, the AppBeat DC has a recovery system. The administrator can connect via the serial console and log in with the user name "rescue" and password "crescue". Once logged in, the permissions are those of an administrator and the password of the admin user can be changed.
To logon through the AppBeat DC console
1. Perform the following:
login: rescue
password: **** [crescue]
rescue login accepted, please logout as soon as possible
root>
2. Enter Configuration Prompt Level.
root> config terminal
config>
3. Change password of existing admin account. For this example, the admin account is called "hooman" and the new password should be "80hairband".
config> user hooman 80hairband admin
config>
4. Enter System Prompt Level and save new configuration changes.
config> system
system> save
5. Logout as rescue.
system> exit
root> exit
login:
6. Once logged out, logon as the configured admin user.