Load balancing FTP/HTTP on same VIP

Similar Messages

• How to config CSM load balance of http combined https

  In this case,when I config CSM for load balance http and https service separately was ok.2 VIPs , 2 Serverfarms, One for http , and one for https .But I found that the https would referred to http information on IIS , because when the client first to access http is ok,and then login by https ,the information is not right.So,how to config CSM in this case,any reply will be very be appreciated.

  There are 2 different ways.
  You could combine the 2 vserver into a single one by not specifying the tcp port.
  Another solution would be to use the same sticky group for both vservers.
  For example, you could use sticky srcip.
  ie:
  sticky 10 netmask /32 address source
  vserver http
  sticky 60 group 10
  inservice
  vserver https
  sticky 60 group 10
  inservice
  Regards,
  Gilles.
  Thanks for rating this answer.

• Load balance multiple URLs on single VIP

  Hello,
  I have a fairly typical load balance configuration on a pair of ACE appliances running (A3)2.5 and now I need to load balance multiple URIs to these same servers on port 80 to the one VIP. Can someone direct me to a doc that shows a good example of this, or explain it below?
  Thanks,
  Dave
  serverfarm host application
  rserver webserver1 80
  probe server-80-PROBE
  inservice
  rserver webserver2 80
  probe server-80-PROBE
  inservice
  sticky ip-netmask 255.255.255.255 address source application-80-STICKY
  replicate sticky
  serverfarm application
  class-map match-all application-80-CLASS
  2 match virtual-address 1.1.1.1.1 tcp eq www
  policy-map type loadbalance first-match application-80-POLICY
  class class-default
  sticky-serverfarm application-80-STICKY
  insert-http X-Forwarded-For header-value "%is"
  class application-80-CLASS
  loadbalance vip inservice
  loadbalance policy application-80-POLICY
  loadbalance vip icmp-reply
  nat dynamic 22 vlan 424
  appl-parameter http advanced-options CASE_PARAM

  Sean,
  Maybe a little confused.
  I have built the new serverfarm, policy-map and class-map in bold, I am just not sure how it gets referenced. Do I add it to the multi-match class statement?  My complete config for this particular app is below.
  Thanks,
  Dave
  serverfarm host application-80
    rserver server1 80
      probe server-80-PROBE
      inservice
    rserver server2 80
      probe server-80-PROBE
      inservice
  serverfarm host application-L7
    rserve rserver1 80
      probe server-80-PROBE
      inservice
    rserver server2 80
      probe server-80-PROBE
      inservice
  class-map match-all application-80-CLASS
    2 match virtual-address 1.1.1.1 tcp eq www
  class-map type http loadbalance match-any application-L7-CLASS
    3 match http url /uri1/
    4 match http url /uri2/uri2
    5 match http url /uri2/uri3.htm
  policy-map type loadbalance first-match application-80-POLICY
    class class-default
      sticky-serverfarm application-80-STICKY
      insert-http X-Forwarded-For header-value "%is"
  policy-map type loadbalance first-match application-L7-POLICY
    class application-L7-CLASS
      serverfarm application-L7
  policy-map multi-match POLICY-424
  class application-80-CLASS
      loadbalance vip inservice
      loadbalance policy application-80-POLICY
      loadbalance vip icmp-reply
      nat dynamic 22 vlan 424
      appl-parameter http advanced-options CASE_PARAM

• WCF service fronted with SSL enabled NGINX load balancer shows HTTP based WSDL url instead of HTTPS

  Hi,
  I have WCF service hosted using IIS 8.5 on application server. And application servers are fronted with NGINX load balancer with SSL enabled. Backend communication protocol between NGINX to application server is http. 
  When customer visits public domain url (https://xxx.com/service.svc), they can see the WSDL url with http://xxx.com/service.svc?wsdl. 
  What change should I make so that WSDL url will have https instead of http ? 
  This is service side configuration.
  <system.serviceModel>
      <services>
        <service name="Service.IService">
          <endpoint address="" binding="basicHttpBinding" bindingNamespace="http://xyz.com/Service" name="Service_Endpoint" contract="Service.IService" />
        </service>
      </services>
      <bindings>
        <basicHttpBinding />
      </bindings>
      <client />
      <behaviors>
        <serviceBehaviors>
          <behavior>
            <serviceThrottling maxConcurrentCalls="5000" maxConcurrentInstances="2147483647" maxConcurrentSessions="5000" />
            <serviceMetadata httpGetEnabled="true" />
            <serviceDebug includeExceptionDetailInFaults="true" />
          </behavior>
        </serviceBehaviors>
      </behaviors>
      <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    </system.serviceModel>
  Thanks in advance !!

  Hi,
  For this scenario, you could just enable SSL in IIS to get HTTPS endpoints. If your service is exposed at https then you configure the same using “httpsGetEnabled”:
  <behaviors>
  <serviceBehaviors>
  <behavior
  name="MyServiceTypeBehaviors"
  >
  <serviceMetadata
  httpGetEnabled="true"
  />
       </behavior>
  </serviceBehaviors>
  </behaviors>
  For more information, you could refer to:
  http://www.codeproject.com/Articles/327260/What-s-new-in-WCF-Automatic-HTTPS-endpoint-for
  http://blogs.msdn.com/b/brajens/archive/2007/04/26/accessing-description-metadata-wsdl-of-wcf-web-service.aspx
  Regards

• Load Balancing FTP Server thru CSM using a single Client IP

  Hello,
  We have a need to load balance 3 FTP servers. These servers are reached only from a single client IP which is a database server. The FTP method that is being used is currently passive. Our configuration is currently unidirectional, ie, the FTP client (the one database server) sends to the VIP and the FTP Servers then talk directly back to the FTP client and the traffic does not go back through the CSM. The problem is that because FTP negotiates another port to talk on, we have to use sticky so that the connection is sent back to the original FTP server that sent the FTP data port to talk on. But, since we only have a single client IP that is ever used we are not load balancing appropriately across the FTP servers.
  Traffic flow goes something like this, tcp port followed after colon as an example
  1. FTP Client ----> VIP:21
  2. CSM ---------> FTP Server:21
  3. FTP Server --------> FTP Client(FTP server says come talk to me on port 1700)
  4. FTP Client ---------> VIP:1700
  5. CSM ---------> FTP Server:1700
  6. FTP Server:1700 ---------> FTP Client
  repeat steps 4 thru 6
  Here's our hardware and software:
  WS-X6066-SLB-APC running 4.2(2)
  Config is as follows
  module ContentSwitchingModule 9
  ft group 101 vlan 9
  priority 10
  vlan 216 client
  ip address 10.209.16.31 255.255.252.0
  gateway 10.209.16.1
  vlan 20 server
  ip address 10.209.0.31 255.255.252.0
  alias 10.209.0.11 255.255.252.0
  probe ICMP1 icmp
  interval 3
  failed 3
  receive 3
  serverfarm FHEPRT
  no nat server
  no nat client
  real 10.209.0.72
  inservice
  real 10.209.0.73
  inservice
  real 10.209.0.71
  inservice
  probe ICMP1
  sticky 106 netmask 255.255.255.255 address source timeout 3
  policy FHEPRT_POL1
  sticky-group 106
  serverfarm FHEPRT
  vserver FHEPRT1
  virtual 10.209.16.71 any
  vlan 216
  unidirectional
  serverfarm FHEPRT
  replicate csrp connection
  no persistent rebalance
  slb-policy FHEPRT_POL1
  inservice

  You are missing "service ftp" config in the Vip definition. Try the following
  vserver FHEPRT1
  virtual 10.209.16.71 tcp ftp service ftp
  Syed Iftekhar Ahmed

• Load balancing between Instance for same external IP client

  Hi,
  I have a azure website which is single tenant and is going to be used inside a single Domain from same region.
  Now my website provide good  performance till 20 concurrent request. I want to scale this so that it can reach up to 30 - 40 -100 so on.
  What are the options available to achieve this. till now what i have figured out is that
  1. If i increase the web site instance or on the auto scale option. It load balances between the instances on the basis of Client external I.P. but in my case all the users which are using the site shares the same external IP. 
  I have tested it increasing the instances doesn't make any impact on my performance results. 
  2. I have also looked in traffic manager but that case is valid when the clients are on different GeoLocations which is also not valid in my case.
  So my basic Question is if i have a pool of different scenarios where 
  100 users uses 1 azure website
  200 uses uses 1 azure website
  1000 users uses 1 azure website
  what infra should i take for each website to support this have performnace same as 100 users.
  Whenever you see a reply and if you think is helpful,Vote As Helpful! And whenever you see a reply being an answer to the question of the thread, click Mark As Answer

  Hi,
  I would request you to configure Web hosting plan and check if it helps in increasing the performance.
  It gives a set of features and capacity that you can share across your websites separately.
  http://azure.microsoft.com/en-us/documentation/articles/azure-web-sites-web-hosting-plans-in-depth-overview/
  Regards,
  Azam Khan

• Safari cannot load balance with https

  I am a developer for a web site which runs ASP.NET pages on Windows Server 2003, IIS 6.0. We use Basic Authentication and HTTPS.
  We are using a load balancing solution to distribute the load to 4 web servers.
  We have been using this setup for over 5 years with IE and Firefox/Mozilla/Netscape browsers.
  Recently I have been asked to make Safari browsers work with our site ... MAC, Windows and iPhone versions.
  On all 3 platforms I am seeing the same problem ...
  The load balancer uses the SSL 3.0 Session ID to determine if the requests to the site are coming from the same client (browser) and thus will ensure that all requests from that browser go to the same web server.
  This works fine with IE, Firefox ... it does not work with any version of Safari. When the load balancer gets a request from a single Safari browser session, it sends the requests to multiple servers, causing issues with the pages returned.
  If I run Safari with an HTTP debugger ... like Fiddler (where it uses a proxy server) ... Safari works fine.
  Some questions:
  1. Does Safari expose the SSL 3.0 session id in the same manner as the other browsers ... i.e. an un-encrypted version of the header.
  2. Does Safari send many concurrent requests? Firefox and IE limit concurrent requests to 2.
  3. Could Safari be timing out it's SSL 3.0 session id frequently or quickly?
  4. Is there a reason Safari does not send the http Basic Authentication header with every request once it authenticates with a particular realm?
  3. Are there any other possible causes of this problem?
  What do you think?

  Thank you for your reply.
  The session server id is being maintained by Safari and when the connections are kept on a single server (like when I use Fiddler's proxy to connect) it works fine.
  The SSL 3.0 Session ID is part of the SSL handshake which is used to establish an https connection. It is established between the browser and the web server as part of encypting the traffic.
  As I understand it ... part of the SSL 3.0 protocol is to include an un-ecrypted header along with the encrypted data.
  Our load balancing sofware is using a portion of this header (as it is un-encrypted and thus it can read it) to establish when requests are coming from the same web browser. This is the SSL Session ID.
  If the Session ID is the same, it will send all traffic to the same web server ... as it knows it is the same web browser.
  The problem arises in that the load balancer is not able to indentify requests from the same Safari browser as part of the same secure session.
  So I am trying to understand what Safari is doing within the SSL header ... as it is not normally visible to standard web debugging tools ... they only show the http headers.
  Unfortunately I cannot easily change out the load balancing software or change it to use session state ids. I am trying to understand how Safari handles this to determine strategies to resolve this issue ... and thus allow my client base to use their Safari browsers to access out service.
  What do you think?

• VMware vCloud Load Balancing SSL / HTTP

  Hi,
  I'm having issues with enabling SSL Health check for my CAS VMs, works fine when I select TCP however doesn't work when I change health check to SSL.  This relates to a previous issue I've raised (http://social.technet.microsoft.com/Forums/office/en-US/0b3e2573-99ed-49a0-9fbb-c46a629dcc50/exchange-2013-load-balancing-owaecp?forum=exchangesvravailabilityandisasterrecovery
  TCP is great but would much prefer to do an SSL check instead;
  Tests servers using SSLv3 client hello messages. The server is considered valid only when the response contains server hello messages.
  This url helps,
  http://blogs.vmware.com/vsphere/2012/11/load-balancing-using-vcloud-networking-and-security-5-1-edge.html
  The only other issue is I have a redirect at root mail.domain.com => mail.domain.com/owa  Could that be the issue because of the re-direct!
  Thanks ;)

  Hi,
  Try to redirect to HTTPs. More details as below:
  Simplify the Outlook Web App URL
  http://technet.microsoft.com/en-us/library/aa998359(v=exchg.150).aspx
  How to configure Exchange to redirect OWA HTTP requests to HTTPS requests in IIS 7
  http://support.microsoft.com/kb/975341
  Please correct me if there is any misunderstanding.
  Also find some external resource for your reference:
  Add a Pool Server to an Edge Gateway
  http://pubs.vmware.com/vcd-51/index.jsp?topic=%2Fcom.vmware.vcloud.admin.doc_51%2FGUID-C12B3954-155F-48AF-9855-E0DE026752D0.html
  Introduction to Gateway Services: Load Balancing
  http://vcloud.vmware.com/using-vcloud-hybrid-service/tutorials/introduction-to-gateway-services-load-balancing
  Disclaimer:
  Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure
  that you completely understand the risk before retrieving any suggestions from the above link.
  Thanks
  Mavis
  Mavis Huang
  TechNet Community Support

• Load balance for HTTP Connection to ABAP System (Type H) RFC connection

  Experts,
  For proxy we are using HTTP Connection to ABAP System (Connection type H) RFC connection in PI to get connected to ECC. I only see the option to use Target host in the Target system settings than Load balance option. In general ABAP Connection (Connection type 3) has Load balancing status option in Target system settings.
  My requirement is I should use a logon group with the message server when PI connects to ECC. How can we achieve this? At the moment I can only use the Central Instance or any dialog server (App server) in RFC but not a logon group.
  Thanks in advance.
  Mahesh

  Hi Naga
  Could you check the link below?
  http://help.sap.com/saphelp_nwmobile71/helpdata/en/47/c5935087b62d66e10000000a42189c/content.htm
  https://service.sap.com/sap/support/notes/1040325

• ACE Load balancing FTP connections.

  I have my ACE blade (running A1(4d) ) currently set-up to static nat to an FTP server.
  I have tried setting up a sticky SLB VIP for FTP across this server and an additional box but firewall in front of the ACE throws the connections.
  It appears that the servers are responding directly to the clients when in SLB and so the control connection has the wrong IP (real vs. VIP)
  How do I set this up so that it works?

  Here's the relevant config, IPs change to protect the innocent.
  probe ftp FTP_DL
  description FTP Probe
  expect status 220 220
  rserver host HTTPDL_01
  ip address 10.2.200.21
  inservice
  rserver host HTTPDL_02
  ip address 10.2.200.22
  inservice
  serverfarm host Download_FTP
  probe FTP_DL
  rserver HTTPDL_01
  inservice
  rserver HTTPDL_02
  inservice
  sticky ip-netmask 255.255.255.255 address both FTP_DL
  timeout 10
  replicate sticky
  serverfarm Download_FTP
  class-map match-any FTP_DL
  3 match virtual-address A.A.A.A any
  policy-map type loadbalance first-match FTP_DL
  class class-default
  sticky-serverfarm FTP_DL
  policy-map multi-match FTP_Download
  class FTP_DL
  loadbalance vip inservice
  loadbalance policy FTP_DL
  interface vlan 200
  description Back End Connection
  ip address 10.2.200.2 255.255.255.0
  alias 10.2.200.1 255.255.255.0
  peer ip address 10.2.200.3 255.255.255.0
  no normalization
  service-policy input ICMP_ALLOW_POLICY
  no shutdown
  interface vlan 300
  description ACE to Firewall
  ip address 10.3.100.252 255.255.255.0
  alias 10.3.100.254 255.255.255.0
  peer ip address 10.3.100.253 255.255.255.0
  no normalization
  service-policy input FTP_Download
  no shutdown
  There is an active/passive cluster of firewalls in front of the ACE and all the VIPs are Public IPs from our class C range which are routed through from the firewalls.
  The vlan300 interface on the ACE is in a transport VLAN with the back end FW interfaces. The vlan200 interface is on the same VLAN as the rservers.
  If I change the Class map to
  match virtual address A.A.A.A tcp eq ftp
  I see the data connections being bounced on the inside interface on the firewall as they are not matched to the VIP.

• CSS 11501 http load balancing

  Hi,
  i have configured to load balancing the http traffic to 2 servers, servers have the ip address 10.10.50.100 and 10.10.50.101 resp and the vip is 10.10.46.10
  iam not able to access the http through the vip, can some one help on this
  am i required to the nating, below is the connectivity
  User -->SW->ASA->CSS->SW->server1 & server2
  iam not able to access the server through vip
  Please help
  Thanks
  Ravi
  Ravi

  What is the default gateway defined on Servers?
  Is it CSS circuit IP or the ASA?
  How is CSS conected? Are there diff vlans connected to servers and ASA? Or CSS is connected to the Switch in one arm mode?
  You need to make sure that the return traffic from Servers should pass through the CSS.
  Syed

• Using ACE to load balance HTTP/S traffic between client & proxy server using tcp 8080

  Folks,
  I have a scenario where ACE is in load balancing connections to a bunch of Websense servers in a one-armed topology.  ACE presents a single VIP to web browser clients and each client's browser proxy configuration is populated with the VIP DNS name.  Traffic then gets load balanced between the Websense servers.  The problem arises due to Websense requiring the 'X-Forwarded-For' HTTP header in order to obtain the source IP of the client.  
  ACE inserts this header into the standard HTTP 'proxied' traffic but doing this for HTTPS traffic has required the configuration of the ACE SSL proxy client server.
  So the problem I have is this:
  How to configure ACE to load balance both HTTP & HTTPS applications using a single VIP and tcp port number ie tcp 8080
  The ACE hardware being used is ACE20-MOD-K9  -  MODULE
  I have attempted to use a L7 class map to match all ciphers and attach this to a L7 Policy-Map but the documentation highlights the fact the 'match cipher' configuration is only available on the ACE appliance.  
  I believe I am on the correct track.  The HTTPS traffic must be identified and used to match against PolicyA and HTTP traffic matched against PolicyB
  I'm looking for ideas!  I'm hopeful someone must have solved this problem previously!!
  Regards,
  Simon

  Hi Simon,
  The classification has to work on different ports. Whether client types http or https doesn't matter to client. His request will reach VIP which will classify the traffic based on port, protocol first and then it can look into further detail to send the traffic to appropriate serverfarm.
  You can class-map match-any xxxxx
  2 match virtual-address x.x.x.x tcp any
  and then you configure further classification on the basis of L7 like  url, header etc. 
  But again, you will still need SSL termination on ACE.
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• HTTPS with load balancing

  Hi guys,
  We have a portal system with instance 08, so we typically connect to the portal using port 50800 for HTTP, and 50801 for HTTPS.
  We have just created a second server node for this portal (in the config tool).
  When we connect to 50800, does this automatically load balance the user to the better server? From some reading on these forums, it seemed to indicate that load balancing will only occur if I connect using port 8109. (where 09 is the instance number for the SCS of our portal)
  When connecting to port 8109, we are redirected to port 50800, as I'd expect.
  Question 1 - do we need to use 8109 for load balancing, or can we still use 50800?
  Question 2 - If we need to use 8109, which is a HTTP port, how can we achieve load balancing with HTTPS. Is there a different port we need to use to have HTTPS with load balancing?
  Question 3 - Is the creation of a second server node the best way to accomodate additional users and load on the portal system, or is there a better way to do things?
  Thanks,
  Michael.

  Better late than never.
  The load balancing you describe through the message server has its limitation. It redirects you to one of the dialog server hosts which means that any bookmarks will always point directly to a dialog server which may be down at that moment.
  Access directly to a dialog server on port 50800 will sort of load balanc on the java server instances that are on that server but not on other servers.
  The general recommendation is to setup an external loadbalancer and SAP Web dispatcher is a good match if the load is not very high. SAP webdispatcher will then bind up the cluster address and act as a proxy towards the dialog servers of the portal. The user will therefore only see one address. This will also work for HTTPS.
  Regards
  Dagfinn

• Load balancing Http/https requests of SRM

  Hi all,
  we are on SRM 5.0 with CI and one DI , we don't have any web dispatcher for routing http/https requests.
  Currently CI is flooded with all requests and DI is sitting idle no routing  is  going on.... and users are experiencing Time out expceptions ...
  we  have configured SMLG  and services in SICF have group assigned...
  we have BI portal where users log in and  access all SRM web applications like shopping cart, invoice....
  Please suggest how to handle the load balancing of http/https requests with message server...
  Thanks,
  Subhash.G

  Thanks

• CSS and Oracle Load Balancing

  Hi,
  I have CSS in single arm deployment model. I have multiple servers load balancing on this CSS on port 80 etc. Today I am trying to load balance one Oracle server but I am facing problem with it.
  Real servers are accessible on port 80 without any problem but when we are trying to access the same servers on VIP we are not able to see the web page.
  real server http://192.168.17.12/irs.htm
  real server http://192.168.17.14/irs.htm
  real server http://192.168.10.37/irs.htm
  VIP
  http://192.168.200.58/irs.htm
  Below is the configuration. I can do the telnet on port 80 and I can ping the VIP IP address.
  I will only put 192.168.200.58 in browser I can see the oracle page but with the full URL i am not able to see it.
  Though I have other oracle servers which I have load balance with the same configuration and I can access the web page.
  ==========================================================================================
  http://tptest.enoc.com/forms/frmservlet?config=tp  (This is working fine).
  ========================================================================
  http://irs.enoc.com/irs.htm  (This is not working).
  By name and by IP address both are not working.
  http://192.168.200.58/irs.htm  (This is not working).
  =============================================================================
  service IRC_1
    ip address 192.168.17.12
    keepalive type tcp
    keepalive port 80
    active
  service IRC_2
    ip address 192.168.17.14
    keepalive type tcp
    keepalive port 80
  service IRC_DR
    ip address 192.168.10.37
    keepalive type tcp
    keepalive port 80
  content ENOC_IRC
      add service IRC_1
      add service IRC_2
      add service IRC_DR
      vip address 192.168.200.58
      protocol tcp
      port 80
      advanced-balance sticky-srcip
      active
  owner ENOC_GIT
  content ENOC_IRC
      add service IRC_1
      add service IRC_2
      add service IRC_DR
      vip address 192.168.200.58
      protocol tcp
      port 80
      advanced-balance sticky-srcip
      active
  group ENOC_IRC
    add destination service IRC_1
    add destination service IRC_2
    add destination service IRC_DR
    vip address 192.168.200.58
    active
  ===================================================================================================
  ENOCDC-CSS01(config)# show service summary
  Service Name                     State     Conn  Weight  Avg   State
                                                           Load  Transitions
  IRC_1                            Alive         0      1     2            0
  IRC_2                            Suspended     0      1   255            1
  IRC_DR                           Suspended     0      1   255            1
  ENOCDC-CSS01(config)# show summary
  Global Bypass Counters:
     No Rule Bypass Count:     0
     Acl Bypass Count:         0
  Owner            Content Rules    State     Services         Service Hits
  ENOC_GIT        
                ENOC_IRC         Active    IRC_1            103
                                              IRC_2            10
                                              IRC_DR           7
  =======================================================================================================
  Same setting I am doing for other servers and working fine only for these servers I am facing problem. Curently only one server is active in the configuration.
  Kindly let me know what I am missing and how to fix the problem.
  I have also attached the full configuration of CSS.

  Hi,
  My point of concern is that I did the same for Oracle server and this is working fine
  http://192.168.200.95/forms/frmservlet?config=tp
  only when I am doing the load balancing for
  http://irs.enoc.com/irs.htm  (This is not working).
  By name and by IP address both are not working.
  http://192.168.200.58/irs.htm  (This is not working).
  I dont have a option for TAC case is there a a way to fix the problem by apply other load balancing method. Is there something to do with the Circut VLAN. I didnt create the Circut VLAN 17 where this server is located.
  I am doing almost 8 differenceservers load balancing in this CSS.
  your expert opinion will definately help me.