Configuring customized ldap ports on cisco load balancer
Hi,
I have configured LDAP on different ports than 389 and 636. How do I configure this port to be allowed on the Cisco load balancer? I'm a newbie to the Cisco load balancer. Is there any specific configuration to be followed to set the customized port on the load balancer?
Any help is appreciated.
Thanks in advance
Hi,
By default, ACE denies all traffic coming to an interface and you need to define ACLs to allow traffic. You can define an extended ACL to allow the traffic from IPs, TCP/UDP ports etc. Please visit the link below for details about ACL configuration on ACE.
http://www.cisco.com/c/en/us/td/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/securgd/acl.html#wp1018359
Also, pasting another link for basic TS related to ACE.
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide_--_Troubleshooting_Access_Control_Lists
Regards,
Kanwal
Similar Messages
-
CISCO Load Balancer with SAP on Unix and Oracle
Hello Experts,
Explain me the steps How CISCO Load balancing Mechanism works with SAP Enterprise Portal?
If anyone implemented and achieved the same,please explain me the steps to follow from Initial Stage to end of implementation.
Or If you have any documentation on this just share with me or point me to the particular link.
I have seen the below SAP help which is somewhat helpful.
http://help.sap.com/saphelp_nw04s/helpdata/en/d3/e12840d89d185de10000000a1550b0/frameset.htm
I would like to know how CISCO will connect to M/essage Server /Java Dispatcher.
And explain me the steps to follow to implement External Facing Portal using Cisco Loadbalancer.
This should be achieved in Unix environment.
Any help would be greatly appreciated.
Regards,
Karthick Eswaran
*Points will be rewarded for helpful suggestions
We use F5 for load balancing, but all hardware load balancing solutions should be similar. They offer multiple algorithms; we use simple round robin (SAP's Web Dispatcher has better options for load balancing). You create a virtual IP on your CISCO load balancer. You then configure Cisco to route traffic to each portal application server. If you have CI + 2 app servers, you configure the load balancer to send traffic to cihost:port, appserver1:port, appserver2:port. You also create a DNS alias to the virtual IP of the load balancer. End users will use the DNS alias to connect to your portal. Typically you use standard ports (80 & 443) on Cisco, so that the end user URL does not contain any ports (so http traffic goes to port 80, https goes to port 443). You also need to enable cookie persistence on the load balancer for session persistence.
For external facing portal, you need to have your loadbalancer in DMZ and you want to use SSL. You also need to setup firewall rules for your portal and backend servers.
-RK -
Just curious if anybody has tried using a Cisco load balancer with Directory Server (5.x.) Specifically:
http://www.cisco.com/warp/public/cc/pd/si/11000/prodlit/cs105_ds.htm
(They start out talking about web, but if you look further down you'll see they also support LDAP.)
Here's my thought: get two 5.x servers in multi-master configuration behind one of these Cisco products. That way applications that like to cache DNS info on the LDAP server they should be using won't get confused if one of the hosts is taken down for upgrades/whatever. Thoughts?
I guess the other way to handle this would be to run Sun Cluster + necessary stuff for LDAP. Any unbiased opinions as to which approach might be better? ;-)
Or use the Directory Proxy (aka iDAR)...
We have customers using the Cisco load balancer with Directory server 5. Others are using iDAR, others use Sun Cluster... Can't tell which approach is better.
The only issue I foresee with a load balancer in front of 2 masters is that it may increase the risk of conflicts if the servers are not fully synchronized (such as under heavy load).
Regards,
Ludovic. -
Cisco Load balancer and Web Dispatcher to the same portal
Hello Experts,
We have implemented intranet portal with Cisco as the load balancer. Now we need to expose this intranet to the outside world as an extranet portal. So the same portal will be accessed from both intranet and from outside. We are thinking of installing a web dispatcher in the DMZ so that outside users can access the Web Dispatcher URL to access the intranet portal. In effect intranet users will use load balancer and extranet users will use Web Dispatcher to access the same portal. Now my question is if we configure Load Balancer and Web Dispatcher to the same portal, will the portal be able to load balance properly? Is this the right approach?
Thank You,
mansooralip1
Dear Andrew,
We need to provide access to our intranet to some outside companies for them to also use some of our portal applications. As per your answer, I understand that I can configure Web Dispatcher to talk to the Cisco Load Balancer of our portal. In this case Web Dispatcher will work just as a reverse proxy. But when I discussed this with one of our basis resources, he told me that when we install and configure Web Dispatcher, it always asks for the Message Server URL and Port number, even if I just want to use Web Dispatcher as a Reverse Proxy. If his concerns are valid, I do not think I will be able to configure Web Dispatcher to access the Cisco Load Balancer because I cannot put the Cisco load balancer URL and port instead of the Message Server URL and Port Number. Can you kindly share your comment on the same?
Now the second part of my question: if Web Dispatcher cannot be configured to talk to the Load Balancer (as mentioned by our basis resource), I will have to use two load balancers. One Web Dispatcher in DMZ as a Load Balancer *** Reverse Proxy for the external users. Second, the internal Cisco Load Balancer for the intranet users. So the same portal will be accessed by two load balancers. My question here is, in this setup, can the portal work efficiently here by distributing equal loads to both the server instances?
Thank You,
mansooralip1 -
CISCO Load Balancing Mechanism with SAP
Hello Experts,
Explain me the steps How CISCO Load balancing Mechanism works with SAP Enterprise Portal?
If anyone implemented and achieved the same,please explain me the steps to follow from Initial Stage to end of implementation.
Or If you have any documentation on this just share with me to my google id kekarthick or point me to the particular link.
I have seen the below SAP help which is somewhat helpful.
http://help.sap.com/saphelp_nw04s/helpdata/en/d3/e12840d89d185de10000000a1550b0/frameset.htm
I would like to know how CISCO will connect to Java Dispatcher.
And explain me the steps to follow to implement External Facing Portal using Cisco Loadbalancer.
This should be achieved in Unix and Windows 2003 environment.
Any idea?
Regards,
Karthick Eswaran
Edited by: Karthick Eswaran on May 21, 2008 12:40 AM
Hello Karthick,
let's say you have 2 servers for your portal:
host1 -> e.g. DB, SCS + CI --> http://host1.my.company:50000/irj/portal
host2 -> DI --> http://host2.my.company:50000/irj/portal
Now you can implement a CISCO hardware load balancer. You have to connect it to your network and reserve one port and another IP address of it for the portal.
After that you have to add the IP addresses of both servers (host1+host2) to this port, so that the CISCO load balancer knows to which servers it has to forward the incoming connections.
If you use DNS in your company you can now map a more user-friendly name to the CISCO port (e.g. http://portal.my.company:50000/irj/portal) and distribute this link to the users of the portal.
When they connect to the portal via this link the CISCO load balancer will forward the request to one of the configured servers (host1 or host2) depending which one is online and/or the load of them.
I hope I understood your question right and my answer helps a little.
Regards,
Norman Schröder -
Iview contents missing when using FQDN Cisco Load Balancer
Hello Experts,
We are using Cisco load balancer to distribute the load across the portal servers. Everything was working fine, but after upgrading to the latest support package stack SP18, we ran into some odd behavior. Some of the contents on the iview are blank when using the FQDN load balancer URL e.g. http://sap1234.corp.com/irj/portal . But those blank contents do show up if we don't use the FQDN e.g. http://sap1234./irj/portal . At this point we are not sure where to start troubleshooting.
Any help would be appreciated,
Dave
Edited by: davidn on Feb 27, 2009 11:50 AM
Isn't this the same as your other post? I'm locking this one...
-
Configuring 2 css11503s for multiple service load-balancing
first here's my present config on one of my CSS11503:
!************************** CIRCUIT **************************
circuit VLAN33
ip address 19.10.28.211 255.255.255.0
ip virtual-router 2 priority 110 preempt
ip redundant-vip 2 19.10.28.210
ip critical-service 2 UpstreamRouter
circuit VLAN200
ip address 10.15.15.251 255.255.255.0
ip virtual-router 1 priority 110 preempt
ip redundant-interface 1 10.15.15.1
ip critical-service 1 UpstreamRouter
!************************** SERVICE **************************
service BrowServ-1
ip address 10.15.15.21
redundant-index 1
protocol tcp
port 80
active
service BrowServ-2
ip address 10.15.15.22
redundant-index 2
protocol tcp
port 80
active
service UpstreamRouter
ip address 19.10.28.1
active
!*************************** OWNER ***************************
owner BrowServ_Owner
content BrowServ_Rule
add service BrowServ-1
add service BrowServ-2
vip address 19.10.28.210
redundant-index 1
active
!*************************** GROUP ***************************
group BrowServ_Group
vip address 19.10.28.210
add service BrowServ-1
add service BrowServ-2
redundant-index 1
active
here are my questions:
1) how do I configure an additional vip address? e.g. I'd like to configure a vip - 19.10.28.215 to load-balance http traffic to 10.15.15.25 and 10.15.15.26?
2) I presently have a static route in my core router "ip route 10.15.15.0 255.255.255.0 19.10.28.210". (this enables the load-balanced servers to connect to Oracle servers on the Core network). do I need to configure a new route on my core router when I add the additional vip 19.10.28.215?
relevant references and/or examples will be much appreciated.
dayo
1/ configure the following:
service web1
ip address 10.15.15.25
active
service web2
ip address 10.15.15.26
active
content WEB
vip address 19.10.28.215
proto tcp
port 80
add service web1
add service web2
active
2/ I would create a redundant-interface and point your static route to this redundant ip address.
you should not use vip address in static route.
VIP address should only be used when you want to reach the vip address, not when you want a direct connection to the real server.
Gilles. -
NW04 Portal and Cisco Load balancer
Hi everybody,
does anyone have a similar landscape as I have?
Reverse Proxy - Cisco Content Switch Module for Load Balancing - two NW04 Portal Servers.
How did you configure the stickyness / Load balancing mechanism on the load balancer in order to get it running?
Cheers
Jochen
Hi,
Web AS Java issues a cookie called saplb.
You can check its value by connecting to the portal and then launching the command
"javascript:alert(document.cookie)"
within the browser. You will get a cookie value like
saplb_*=(J2EE6202500)6202551
The value in brackets determines the Instance; the second number equals the actual ClusterID (can also be found in the VisualAdmin). Usually 50 indicates the 1st server node, 51 the second one etc.
The saplb_*-cookie can be checked by the cisco see Cisco-Link above. Just configure the Cisco to be sticky on the instance number (value in the first brackets, in the example 6202500).
Several Customers do it like this, and actually the SAP Webdispatcher is also using this cookie to determine the instance to distribute the request to.
Good luck Bernhard -
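The stickiness rule described in the reply above, sketched as an added example that is not part of the original post and is not Cisco or SAP code. The backend addresses, the second instance number and the function names are assumptions made for illustration; only the cookie format `saplb_*=(J2EE6202500)6202551` comes from the thread. Because the cookie is sent by the client, the parser accepts only the exact expected shape and falls back to round robin for anything else.

```javascript
// Added example (not from the original thread): sticky routing on the
// SAP Web AS Java saplb_* cookie. Backend addresses are constructed.

// Assumed mapping: instance number (digits in the brackets) -> real server.
const BACKENDS = new Map([
  ["6202500", "10.0.0.11:50000"],
  ["6202600", "10.0.0.12:50000"],
]);

// The cookie is client-supplied, so accept only the exact shape
// (J2EE<instance digits>)<node digits> and nothing else.
const SAPLB_VALUE = /^\(J2EE(\d{1,10})\)(\d{1,12})$/;

// Returns { group, instance, node }, or null if the Cookie header holds
// no well-formed saplb_* cookie.
function parseSaplb(cookieHeader) {
  if (typeof cookieHeader !== "string") return null;
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name.startsWith("saplb_")) continue;
    const m = SAPLB_VALUE.exec(part.slice(eq + 1).trim());
    if (m) {
      return { group: name.slice("saplb_".length), instance: m[1], node: m[2] };
    }
  }
  return null;
}

// Builds a routing function: sticky on the instance number when it names a
// configured backend, round robin otherwise (first visit, stale or forged
// cookie). An unknown instance never selects a server by itself.
function makeRouter(backends) {
  const pool = [...backends.values()];
  let next = 0;
  return function route(cookieHeader) {
    const cookie = parseSaplb(cookieHeader);
    const sticky = cookie ? backends.get(cookie.instance) : undefined;
    if (sticky) return { target: sticky, sticky: true };
    const target = pool[next];
    next = (next + 1) % pool.length;
    return { target, sticky: false };
  };
}

// Constructed sample requests (Cookie header values).
const demoRoute = makeRouter(BACKENDS);
const samples = [
  undefined,                                      // first visit, no cookie
  "JSESSIONID=abc; saplb_*=(J2EE6202500)6202551", // cookie from the thread
  "saplb_*=(J2EE9999999)1",                       // unknown instance
  "saplb_*=(J2EE62025x0)1",                       // malformed value
];
for (const header of samples) {
  console.log(JSON.stringify(header), "->", JSON.stringify(demoRoute(header)));
}
```
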
Shared public IP with same tcp port (round robin/load balance)
Hi all,
I want to know if I can do that with my ASA5515-X, I have two servers that can do the same thing, there are SSO servers, What I want to do is to publish the 2 servers on Internet with the same public IP address and on TCP 443.
Is it supported ? will it works like load balancing per sessions ?
or do I need to add an HLB between ASA and my SSO servers ?
Thanks
Hi Yann,
You can configure the ASA to allow traffic to your SSO server from outside on two public IPs. Users can hit either of the IPs to reach the inside server. Now, load balancing would be achieved based on source devices sending requests to the public IPs. If source machines on the internet use one public IP more to access the server, ASA can't do anything to load balance in such a scenario. Here is how you can accomplish this:
Assuming SSO server on inside is 192.168.16.110 and two public IP's are 192.168.17.110 and 192.168.17.111
object network SSO_1
host 192.168.17.110
object network SSO_2
host 192.168.17.111
object network SSO
host 192.168.16.110
object service https
service tcp source eq https
nat (inside,outside) source static SSO SSO_1 service https https
nat (inside,outside) source static SSO SSO_2 service https https
Hostname(config)# sh xl
2 in use, 6 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
TCP PAT from inside:192.168.16.110 443-443 to outside:192.168.17.110 443-443
flags sr idle 0:00:06 timeout 0:00:00
TCP PAT from inside:192.168.16.110 443-443 to outside:192.168.17.111 443-443
flags sr idle 0:00:08 timeout 0:00:00
Verification:
Hostname(config)# packet-tracer input outside tcp 4.4.4.4 discard 192.168.17.110 443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static SSO SSO_1 service https https
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.17.110/443 to 192.168.16.110/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit ip any any
Additional Information:
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static SSO SSO_1 service https https
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3670, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Hostname(config)# packet-tracer input outside tcp 4.4.4.4 discard 192.168.17.111 443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static SSO SSO_2 service https https
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.17.111/443 to 192.168.16.110/443
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside in interface outside
access-list outside extended permit ip any any
Additional Information:
Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static SSO SSO_1 service https https
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3671, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
Sourav -
Terminate SSL on Cisco Load Balancer
Hi,
We have a rights Management server that will be behind a load balancer. I would like to terminate the SSL on the load balancer instead of terminating it on the LC server. Are there any settings that need to be set on the LC server? I will appreciate any help on this topic.
Check the following basic ssl config
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples
I think you do get a little of ssl resource without a license.
Gilles. -
Cisco load balancer with Real to VIP mapping ?
Hi ,
brief about the setup -
Client IP x - Virtual server IP y = Real server IP's A , B ,C
I know that by SLB we can map traffic originating from Client IP x to VIP y towards any of real server IP's (A,B,C).
I want to know how we can map traffic originating from Real server IP's(A,B,C) so that when it reaches Client IP x the source IP should be VIP y.
Please can somebody help with this query !!!!
If the real server's default gateway is to the load balancer, whatever that object may be, you could be able to source NAT to the VIP address. With a real load balancer, i.e. F5 / ACE / NetScaler, it's very easy to manipulate the packets and traffic flow
-
How to configure SSL on Cisco Load Balancer
I want to configure SSL termination on cisco LB. i just want to know is there any license required for this deployment ? please share me some configuration steps to deploy the SSL.
Thanks
Irfan Hussain
Check the following basic ssl config
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples
I think you do get a little of ssl resource without a license.
Gilles. -
Nexus port channel load balance
Hi
I just want to clarify one setting for the port channel load balance on Nexus 6k switch. If I use the load balance option source-dest-ip-only, will following four converstions be load balanced?
10.10.10.1 -> 192.168.1.1
10.10.10.2 -> 192.168.1.1
10.10.10.1 -> 192.168.1.1
10.10.10.1 -> 192.168.1.2
Thanks. Leo
Hi Leo,
I think there may be a typo in your question as I only see three conversations and not four. That aside I've not seen the Nexus port-channel load balancing sufficiently well documented to be able to give you the exact answer.
In their configuration guides Cisco only include the following statement:
Cisco NX-OS load balances traffic across all operational interfaces in a port channel by reducing part of the binary pattern formed from the addresses in the frame to a numerical value that selects one of the links in the channel.
There is other documentation that states the load balancing algorithm uses a CRC-8 based polynomial, but as we don't know exactly which parts of the frame are used in the calculation, I don't see it's possible to calculate the answer and so derive the link that will be used for a given conversation.
While I've not seen full documentation regarding the science used in the calculation, what Cisco have done is provide a command on the switch CLI that will allow you to determine which link of a port-channel will be used.
If you run the command show port-channel load-balance forwarding-path interface port-channel vlan src-ip dst-ip then one of the parts of the output is the member link of the port-channel that will be used for that flow.
You can find full details of the options for the show port-channel load-balance command in the command reference.
One other point to remember is that the load balancing across a port-channel is unidirectional, and the hashing might be completely different for the return flow of a conversation. For example it is entirely possible that traffic from A to B could use one link of a port-channel, while the return traffic from B to A for the same conversation could use a different link.
In general I would use the source-dest-port option for load balancing on the Nexus switches as this will obviously include the Layer-4 port numbers in the calculation, and so give you a better distribution of flows across all member links.
Regards -
Office Web Apps Load Balancing Configuration Issue for SharePoint 2013
I have load balanced servers dedicated for Office Web Apps with name “md1xxxwfe1” and “md1xxxwfe2”; both these servers are load balanced by a CISCO load balancer. And I have mapped the Load Balancer Virtual IP with host name officeapps.jda.corp.local in the DNS records.
Things are working fine if I add a new farm by using New-OfficeWebAppsFarm with the server name as internalurl in the PowerShell console, like “-internalurl http://md1xxxwfe1”, but when I use –internalurl officeapps.jda.corp.local it is not working at all. I’m not getting what to do at this point.
I have gone through following blogs but no luck.
http://blogs.technet.com/b/meamcs/archive/2013/03/27/office-web-apps-2013-multi-servers-nlb-installation-and-deployment-for-sharepoint-2013-step-by-step-guide.aspx
http://blogs.technet.com/b/office_resource_kit/archive/2012/09/11/introducing-office-web-apps-server.aspx
http://davidlimsharepoint.blogspot.in/2013/02/installing-and-configuring-office-web.html
http://sps2013.blogspot.in/2013/09/office-web-apps-with-sharepoint-2013.html
The output of the wfe1 server is attached with this. When I open http:// /hosting/discovery in wfe1 I’m getting following result (attached screenshot) but it should show hostname rather than server name.
Please help me
Thanks, Ram Ch
Hi Ram,
For troubleshooting your issue, please take steps as below:
Just about any load balancing solution will work, including a server that runs the Web Server (IIS) role running Application Request Routing (ARR): Install Application Request Routing
Install the certificate on the load balancer as described under Securing Office Web Apps Server communications by using HTTPS.
Make sure you have configured the cluster correctly for full internet name:
Reference:
http://technet.microsoft.com/en-us/library/jj219435.aspx#loadbalancer
Thanks,
Eric
Forum Support
Eric Tao
TechNet Community Support -
Issue with Site Configuration / Load Balancing
We're noticing strange behavior with our servers that are configured behind a load balancer. We've got two servers with different ports and a load balancer:
Server1: https://host1:30003/opensso
Server2: https://host2:30103/opensso
Load Balancer: https://loadbalancer:30003/opensso
When we go to the admin console, we can access Server1 without a problem, but the second time we go the load balancer sends us to Server2, and our browser returns a page not found error. We've traced the HTTP traffic and discovered that every other time we go to the admin console (the load balancers are configured round robin), Server2 always returns a bogus HTTP found URL. The response it provides is something like https://loadbalancer:*30103*/opensso/UI/Login (just an example).
The issue here is that it is properly directing the end user's browser to the load balancer DNS entry. It is not however directing the end user's browser to the proper port. It seems to send its own port value to the browser. Obviously when the browser tries to access this URL the Load Balancer rejects the request because it is not listening on port 30103.
Can multiple OpenSSO application servers (configured as a site) run from behind a load balancer when they are listening on different ports? If so, why is the application server responding to the user request with its own port, rather than that of the load balancer, yet still providing the DNS hostname entry for the load balancer the whole time?
Major updates of Muse are targeted to release roughly every quarter. The 1.0 release was in mid-May. The 2.0 release was in mid-August. A fundamental change to image loading would only appear as part of a major update due to the engineering and testing efforts required.
As provided in your previous thread http://forums.adobe.com/message/4659347#4659347 the only workaround until then is to reduce the number of images in the slideshow.