04-10-2014 03:58 PM
Hi all,
I have to load balance two CAS servers. Is this the correct way to set up the probes and serverfarm? I am using an ACE 20.
probe tcp TESTCAS-PROBE
  interval 3
  passdetect interval 5
parameter-map type ssl SSL-TESTCAS-FARM-ADVANCED
  cipher RSA_WITH_RC4_128_MD5
rserver host TSTCAS
  ip address 10.192.6.2
  inservice
rserver host TSTCAS2
  ip address 10.192.6.3
  inservice
ssl-proxy service SSL-TESTCAS-FARM
  key testcas.pem
  cert testcascert
  chaingroup TEST-CHAINGRP
  ssl advanced-options SSL-TESTCAS-FARM-ADVANCED
serverfarm redirect HTTP-TESTCAS-FARM
  rserver HTTP-TESTCAS
    inservice
serverfarm host TESTCAS-FARM
  predictor leastconns
  probe TESTCAS-PROBE
  rserver TSTCAS 80
    inservice
  rserver TSTCAS2 80
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY-SSL-TESTCAS-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm TESTCAS-FARM
class-map match-any TESTCAS-VIP
  2 match virtual-address 10.192.6.1 tcp eq https
policy-map type loadbalance first-match TESTCAS-POLICY
  class class-default
    sticky-serverfarm STICKY-SSL-TESTCAS-FARM
policy-map multi-match TESTCASPOLICY
  class TESTCAS-VIP
    loadbalance vip inservice
    loadbalance policy TESTCAS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-TESTCAS-PROXY
service-policy input TESTCASPOLICY
04-15-2014 02:17 PM
Hi Netter,
I am glad I was of help. Have a good evening man!
Regards,
Kanwal
04-10-2014 06:13 PM
Hi,
The above looks good. Looking at the probe, I would recommend that you always keep it more than the passdetect interval time. You can read about "skipped probes" for details. Ideally, the interval should not be too aggressive. 3 seconds is a very aggressive time to probe servers/applications. I would suggest increasing it to 10-15 seconds.
Other than that the config looks fine, and I see that you have selected a particular cipher too, so I guess that was the requirement. A client coming with another cipher will renegotiate, and if it cannot come with the above cipher in its list, the handshake will fail.
Let me know if you have any questions.
Regards,
Kanwal
04-11-2014 02:03 AM
Thanks Kanwalsi,
I am not sure on the passdetect interval as I have had no information from the server guys. This isn't Microsoft CAS, but it is CAS for a web portal application.
I will let you know what requirements the server guys get back to me with. Again, they didn't specify a cipher, but this has been used in all other load balancer configs.
Thanks.
04-12-2014 06:40 AM
Hi Netter,
It is your set up and you shall tweak different parameters available to suit your environment.
But let me know if you need anything from my side.
Regards,
Kanwal
04-14-2014 01:49 AM
Thanks Kanwalsi,
Seems there is a change in design. They want to pass traffic straight onto the CAS servers, where the certificates will be installed. The CAS certificates have to be on the CAS servers, and both HTTP and HTTPS traffic are to be enabled from the load balancer to the CAS.
They say this method ensures that all servers and internal communication to the CAS take place securely.
I will redo the config and see how it goes.
04-14-2014 08:28 AM
Hi,
No problem. Let me know if you need anything. Also, if they don't want the ACE to do anything but load balance, then it is just going to be simple L3-L4 based load balancing and should be pretty straightforward.
Good luck!
Regards,
Kanwal
04-14-2014 08:44 AM
Thanks Kanwalsi,
Is the configuration in the post above correct? I am not sure if the redirect serverfarm is the right approach to doing this. It may work, but would the right approach be to 443 from the servers in the serverfarm and have it like this:
serverfarm host TESTCAS-FARM
  predictor leastconns
  probe TESTCAS-PROBE
  rserver TSTCAS
    inservice
  rserver TSTCAS2
    inservice
And then just add another class match to the VIP for www like below?
class-map match-any TESTCAS-VIP
  2 match virtual-address 10.192.158.60 tcp eq https
  3 match virtual-address 10.192.158.60 tcp eq www
And totally remove the redirect config?
04-14-2014 08:50 AM
Hi Netter,
Redirect would be needed if you want the ACE to redirect users coming in on HTTP to HTTPS. Once they come in on HTTPS they will be load balanced.
If redirect is needed then you need to configure a redirect server, a serverfarm, call it in a policy map and then call the class-map for www in the policy multi-match. So traffic would be redirected from HTTP to HTTPS. Once the user comes in on HTTPS, it will match the class for 443 and get load balanced to a different serverfarm.
Coming back to your configuration, I don't see that you have called the redirect serverfarm in a policy map. That will not work. So you need to be very clear about what the customer wants and we can configure accordingly.
Regards,
Kanwal
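A redirect serverfarm that no loadbalance policy ever calls, as pointed out above, is one of several dangling references that are easy to miss in a pasted ACE config. The Python script below is an added example, not code posted in this thread: it parses a config the way it appears in forum pastes (no indentation) and reports rservers used by a serverfarm but never defined, redirect rservers with no relocation string, ssl-proxy services named in a multi-match policy but never defined, multi-match policies never applied with service-policy, and serverfarms that no loadbalance policy reaches. Both embedded configs are constructed for the example: BROKEN is a trimmed copy of the first config in the thread with the sticky group name rejoined to its command line, and FIXED adds the redirect rserver, port-80 class-map and loadbalance policy described in the reply above. The names TESTCAS-WWW-VIP and TESTCAS-REDIRECT-POLICY, the 301 relocation string, and the check rules themselves are assumptions of this example, not part of the thread.

```python
"""Cross-reference checker for a Cisco ACE load-balancing config (added example,
not posted in the thread). Pastes lose indentation and the ACE CLI does not need
it, so objects are told apart by the syntax of their opening line."""
# Top-level openers, with a test separating each from child lines that reuse the
# keyword ("rserver NAME 80" in a serverfarm, "probe NAME", "ssl-proxy server").
TOP = {"probe": lambda t: len(t) == 3, "sticky": lambda t: True,
       "rserver": lambda t: t[1] in ("host", "redirect"),
       "serverfarm": lambda t: t[1] in ("host", "redirect"),
       "ssl-proxy": lambda t: t[1] == "service",
       "class-map": lambda t: True, "policy-map": lambda t: True}

def parse(text):
    """Return ({section: {name: {"subtype", "lines"}}}, policies given to service-policy)."""
    cfg, applied, cur = {}, set(), None
    for t in filter(None, map(str.split, text.splitlines())):
        if t[0] == "service-policy":
            applied.add(t[-1])
        elif t[0] in TOP and len(t) > 1 and TOP[t[0]](t):
            sub = "multi-match" if "multi-match" in t else t[1]
            # Re-entering an existing object appends to it, as the CLI does.
            cur = cfg.setdefault(t[0], {}).setdefault(t[-1], {"subtype": sub, "lines": []})
        elif cur is not None:
            cur["lines"].append(t)
    return cfg, applied

def lint(text):
    """Return dangling references; an empty list means the objects hang together."""
    cfg, applied = parse(text)
    g = lambda section: cfg.get(section, {})
    out, called = [], set()
    for name, farm in g("serverfarm").items():
        for t in farm["lines"]:
            if t[0] == "rserver" and t[1] not in g("rserver"):
                out.append(f"serverfarm {name}: rserver {t[1]} is not defined")
    for name, rs in g("rserver").items():
        if rs["subtype"] == "redirect" and not any(t[0] == "webhost-redirection" for t in rs["lines"]):
            out.append(f"rserver redirect {name}: no webhost-redirection configured")
    # sticky group name -> the serverfarm it fronts
    sticky = {n: next((t[1] for t in s["lines"] if t[0] == "serverfarm"), None)
              for n, s in g("sticky").items()}
    for name, pol in g("policy-map").items():
        mm = pol["subtype"] == "multi-match"
        if mm and name not in applied:
            out.append(f"policy-map {name}: never applied with service-policy input")
        for t in pol["lines"]:
            if not mm and t[0] in ("serverfarm", "sticky-serverfarm"):
                farm = sticky.get(t[1]) if t[0] == "sticky-serverfarm" else t[1]
                if farm in g("serverfarm"):
                    called.add(farm)  # reachable from a VIP through this policy
                else:
                    out.append(f"policy-map {name}: {t[0]} {t[1]} is not defined")
            elif mm and t[:2] == ["ssl-proxy", "server"] and t[2] not in g("ssl-proxy"):
                out.append(f"policy-map {name}: ssl-proxy service {t[2]} is not defined")
    out += [f"serverfarm {n}: never called by a loadbalance policy" for n in g("serverfarm") if n not in called]
    return out

# Constructed sample: the thread's first config, trimmed, sticky name rejoined to its line.
BROKEN = """
probe tcp TESTCAS-PROBE
rserver host TSTCAS
rserver host TSTCAS2
ssl-proxy service SSL-TESTCAS-FARM
serverfarm redirect HTTP-TESTCAS-FARM
  rserver HTTP-TESTCAS
serverfarm host TESTCAS-FARM
  probe TESTCAS-PROBE
  rserver TSTCAS 80
  rserver TSTCAS2 80
sticky ip-netmask 255.255.255.255 address source STICKY-SSL-TESTCAS-FARM
  serverfarm TESTCAS-FARM
class-map match-any TESTCAS-VIP
  2 match virtual-address 10.192.6.1 tcp eq https
policy-map type loadbalance first-match TESTCAS-POLICY
  class class-default
    sticky-serverfarm STICKY-SSL-TESTCAS-FARM
policy-map multi-match TESTCASPOLICY
  class TESTCAS-VIP
    loadbalance policy TESTCAS-POLICY
    ssl-proxy server SSL-TESTCAS-PROXY
service-policy input TESTCASPOLICY
"""

# Constructed fix: name the ssl-proxy service that exists, give the redirect farm a
# redirect rserver, and send a port-80 class to it (object names are assumed).
FIXED = BROKEN.replace("server SSL-TESTCAS-PROXY", "server SSL-TESTCAS-FARM") + """
rserver redirect HTTP-TESTCAS
  webhost-redirection https://%h%p 301
class-map match-any TESTCAS-WWW-VIP
  2 match virtual-address 10.192.6.1 tcp eq www
policy-map type loadbalance first-match TESTCAS-REDIRECT-POLICY
  class class-default
    serverfarm HTTP-TESTCAS-FARM
policy-map multi-match TESTCASPOLICY
  class TESTCAS-WWW-VIP
    loadbalance policy TESTCAS-REDIRECT-POLICY
"""

if __name__ == "__main__":
    for label, text in (("as posted", BROKEN), ("fixed", FIXED)):
        print(label + ":", lint(text) or "OK")
```

Run against the posted config it reports three things: the redirect farm names an rserver HTTP-TESTCAS that is never defined, the redirect farm is never called by a loadbalance policy, and the multi-match policy names ssl-proxy server SSL-TESTCAS-PROXY while the only service defined in that config is SSL-TESTCAS-FARM. The FIXED variant comes back clean. The checker is deliberately narrow (it does not validate keys, certificates or VIP ports), so a clean result means the object graph is consistent, not that the design is right.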
04-14-2014 09:31 AM
Thanks Kanwalsi,
This is what I got from the external server guys.
For the CAS tier, pass the traffic straight onto the CAS servers, on which the certificates will be installed. The CAS certificates just have to be on the CAS servers; both HTTP and HTTPS traffic are to be enabled from the load balancer to the CAS.
The internal server guys say the servers listen on both 80 and 443 and if a request comes in on 80 the servers redirect to 443.
This makes me think I need my serverfarm set up as follows:
serverfarm host TESTCAS-FARM
  predictor leastconns
  probe TESTCAS-PROBE
  rserver TSTCAS
    inservice
  rserver TSTCAS2
    inservice
And then my class match as follows:
class-map match-any TESTCAS-VIP
  2 match virtual-address 10.192.158.60 tcp eq https
  3 match virtual-address 10.192.158.60 tcp eq www
Am I totally wrong, or is this the right idea? I have never had to do a configuration where the servers handled SSL offload and accepted traffic on both 80 and 443.
Do I need two probes configured to the one serverfarm? Then two VIPs as above?
04-14-2014 11:35 AM
Hi Netter,
So you should have two class-maps:
class-map match-any TESTCAS-VIP
  2 match virtual-address 10.192.158.60 tcp eq https
class-map match-any TESTCAS-VIP1
  3 match virtual-address 10.192.158.60 tcp eq www
Then you should have two serverfarms:
serverfarm host TESTCAS-FARM
  predictor leastconns
  probe TESTCAS-PROBE
  rserver TSTCAS
    inservice
  rserver TSTCAS2
    inservice
serverfarm host TESTCAS-FARM-HTTPS
  rserver TSTCAS 443
    inservice
  rserver TSTCAS2 443
    inservice
policy-map type loadbalance first-match TESTCAS-POLICY-HTTP
  class class-default
    serverfarm TESTCAS-FARM
policy-map type loadbalance first-match TESTCAS-POLICY-HTTPS
  class class-default
    serverfarm TESTCAS-FARM-HTTPS
policy-map multi-match TESTPOLICY
  class TESTCAS-VIP
    loadbalance vip inservice
    loadbalance policy TESTCAS-POLICY-HTTPS
  class TESTCAS-VIP1
    loadbalance vip inservice
    loadbalance policy TESTCAS-POLICY-HTTP
That's the configuration you need to do. I just did it for you:)
Now of course you should have two different probes. Simply, you can have TCP port 80 for serverfarm TESTCAS-FARM and TCP port 443 for serverfarm TESTCAS-FARM-HTTPS, or you can have HTTP and HTTPS probes for the respective serverfarms.
Let me know if you have any questions.
Regards,
Kanwal
04-14-2014 03:42 PM
Hi Kanwal,
Firstly, thanks for all your help and time spent on this. I have taken your advice and redone the whole config. I have 2 class-maps and 2 serverfarms. Can you please double-check my serverfarms and probes?
Below is the full config. Does it look ok to you? Am I on the right track?
probe https TESTCASHTTPS-PROBE
  interval 3
  passdetect interval 5
  expect status 200 200
probe http TESTCASWWW-PROBE
  interval 3
  passdetect interval 5
  expect status 200 200
rserver host TSTCAS
  ip address 10.192.158.44
  inservice
rserver host TSTCAS2
  ip address 10.193.158.58
  inservice
serverfarm host TESTCASHTTPS-FARM
  predictor leastconns
  probe TESTCASHTTPS-PROBE
  rserver TSTCAS
    inservice
  rserver TSTCAS2
    inservice
serverfarm host TESTCASWWW-FARM
  predictor leastconns
  probe TESTCASWWW-PROBE
  rserver TSTCAS
    inservice
  rserver TSTCAS2
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY-TESTCASWWW-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm TESTCASWWW-FARM
sticky ip-netmask 255.255.255.255 address source STICKY-TESTCASHTTPS-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm TESTCASHTTPS-FARM
class-map match-any TESTCASHTTPS-VIP
  2 match virtual-address 10.192.158.60 tcp eq https
class-map match-any TESTCASWWW-VIP
  3 match virtual-address 10.192.158.60 tcp eq www
policy-map type loadbalance first-match TESTCAS-POLICY-HTTPS
  class class-default
    sticky-serverfarm STICKY-TESTCASHTTPS-FARM
policy-map type loadbalance first-match TESTCAS-POLICY-WWW
  class class-default
    sticky-serverfarm STICKY-TESTCASWWW-FARM
policy-map multi-match TESTCASPOLICYHTTPS
  class TESTCASHTTPS-VIP
    loadbalance vip inservice
    loadbalance policy TESTCAS-POLICY-HTTPS
policy-map multi-match TESTCASPOLICYWWW
  class TESTCASWWW-VIP
    loadbalance vip inservice
    loadbalance policy TESTCAS-POLICY-WWW
service-policy input TESTCASPOLICYWWW
service-policy input TESTCASPOLICYHTTPS
04-14-2014 04:06 PM
Hi Netter,
The configuration looks good but you should also have port number 443 defined in the HTTPS serverfarm.
Regards,
Kanwal
04-14-2014 04:15 PM
Thanks Kanwal,
But why, when the probe is HTTPS? Am I missing something?
probe https TESTCASHTTPS-PROBE
  interval 3
  passdetect interval 5
  expect status 200 200
04-14-2014 04:17 PM
Hi Netter,
No. You are good:)
Regards,
Kanwal
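Two facts in this thread collide once the final config goes live: the internal server team said the servers answer a request on port 80 with a redirect to 443, and the port-80 serverfarm is probed with probe http ... expect status 200 200. An HTTP probe that only accepts 200 will see the 3xx from every rserver in TESTCASWWW-FARM and mark the whole farm failed, which is the situation the TCP-port-80 probe suggested earlier avoids. The Python script below is an added example, not code from the thread: it reproduces the probe decision against a local stand-in server that redirects like the CAS servers were described. The GET request, the 301 code and the widened range 200 302 are assumptions of the example; neither the ACE's exact probe request nor the servers' redirect code is given in the thread.

```python
"""What an HTTP probe with "expect status 200 200" decides when the servers
answer port 80 with a redirect to 443. Added example, not from the thread; it
emulates the probe's pass/fail rule, not the ACE implementation itself."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def evaluate(response, lo, hi):
    """Apply an 'expect status lo hi' range to a raw HTTP response.
    Returns (passed, status); an unparsable reply is a failed probe."""
    head = response.split(b"\r\n", 1)[0].split()
    if len(head) < 2 or not head[0].startswith(b"HTTP/") or not head[1].isdigit():
        return False, None
    status = int(head[1])
    return lo <= status <= hi, status


def probe_once(host, port, lo, hi, path="/", timeout=2.0):
    """One probe cycle: connect, send GET path (an assumption; the ACE's own
    probe request is not reproduced), judge the status line. Connect errors fail."""
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            return evaluate(sock.recv(4096), lo, hi)
    except OSError:
        return False, None


class RedirectingCAS(BaseHTTPRequestHandler):
    """Stand-in for the CAS servers as the server team described them:
    port 80 only answers with a redirect to the HTTPS listener (301 assumed)."""
    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", "https://" + self.headers.get("Host", "cas") + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Probe a local redirecting server with both expect-status rules."""
    server = HTTPServer(("127.0.0.1", 0), RedirectingCAS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return {"expect status 200 200": probe_once("127.0.0.1", port, 200, 200),  # thread's rule
                "expect status 200 302": probe_once("127.0.0.1", port, 200, 302)}  # accepts redirect
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for rule, (passed, status) in demo().items():
        print(f"{rule}: server answered {status}, probe {'PASS' if passed else 'FAIL'}")
```

With the thread's rule the probe fails on a 301 even though the server is healthy; either widen the expected range to cover the redirect the servers actually send, or probe port 80 with a TCP probe as suggested earlier in the thread, and keep the HTTPS probe with expect status 200 200 on the farm that really serves content.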
04-14-2014 04:25 PM
Great, thanks again for all the help on this. Let's hope the server guys are happy. I will let you know how it goes.
Thanks.