CSS to transparent Proxy load-balancing

We have a single Bluecoat proxy that is exposed to the internet, to which we need to add another one and load balance traffic to both of them. The problem is that this traffic cannot be routed to the proxy explicitly (i.e. not like in Internet Explorer), so this load balancing has to be done blindly to the users.
So is there one way or another that I can load balance internet traffic to these proxies with an inline CSS, or maybe L2 load balancing to the proxies without involving a VIP?
I was thinking about making the CSS VIP the default gateway of the clients so that traffic hits it, and making the 2 proxies the two real servers behind this VIP, but I'm not sure whether this will hit the rule before routing the traffic or not.

Thank you Gilles, I was hoping that YOU would see and reply to this post.
It sounds logical to remove the VIP, but I am not going to connect the CSS physically inline; I will make it the gateway of the clients so that all traffic hits it and then the rule.
Do you have any concerns?

Similar Messages

  • Proxy Load Balancing with CSS

    Is there any chance of using a CSS with 2 CE50x to implement proxy load balancing and improve the connection to the internet?

    The preferred method would be domain, domainhash, url or urlhash as described in:
    http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/bsccfggd/contrule.htm#xtocid2610122.
    I do not recommend using the round-robin method for load balancing internet proxies. It creates inefficient usage of storage and bandwidth, as more proxies may have to cache the same objects.
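The reply above says why round-robin wastes cache storage and why a hashed balance method is preferred. The following is an added illustration, not Cisco CSS code: the CSS hashing algorithm is not public, so a CRC32 over the hashed key stands in for it, and the proxy names and request stream are constructed.

```python
"""Round-robin vs domainhash/urlhash for a transparent proxy-cache farm.

Added illustration (not Cisco CSS code): CRC32 is an assumed stand-in for
the CSS hashing function; the farm and request stream are constructed.
"""
import zlib
from collections import defaultdict
from urllib.parse import urlsplit

PROXIES = ["proxy-1", "proxy-2", "proxy-3"]  # constructed cache farm

# Constructed client request stream: the same objects are fetched over and
# over, which is what an office-wide transparent cache actually sees.
REQUESTS = [
    "http://www.example.com/index.html",
    "http://www.example.com/logo.png",
    "http://updates.example.org/patch.bin",
    "http://www.example.com/index.html",
    "http://updates.example.org/patch.bin",
    "http://www.example.com/logo.png",
    "http://www.example.com/index.html",
    "http://updates.example.org/patch.bin",
]


def _bucket(key: str, n: int) -> int:
    """Deterministic hash of `key` into n buckets (stand-in for CSS hashing)."""
    return zlib.crc32(key.encode("utf-8")) % n


def pick_round_robin(requests, proxies):
    """Connection i goes to proxy i mod N, ignoring what is being fetched."""
    return [proxies[i % len(proxies)] for i, _ in enumerate(requests)]


def pick_domain_hash(requests, proxies):
    """All objects of one host land on one proxy (the `domainhash` idea)."""
    return [proxies[_bucket(urlsplit(u).hostname, len(proxies))] for u in requests]


def pick_url_hash(requests, proxies):
    """Each URL lands on one proxy; URLs of one host may spread (`urlhash`)."""
    return [proxies[_bucket(u, len(proxies))] for u in requests]


def cache_copies(requests, choices):
    """How many proxies end up holding a copy of each object."""
    holders = defaultdict(set)
    for url, proxy in zip(requests, choices):
        holders[url].add(proxy)
    return {url: len(p) for url, p in holders.items()}


def duplicated_objects(requests, choices):
    """Objects cached on more than one proxy: wasted disk and upstream fetches."""
    return sum(1 for n in cache_copies(requests, choices).values() if n > 1)


if __name__ == "__main__":
    for name, fn in [("round-robin", pick_round_robin),
                     ("domainhash", pick_domain_hash),
                     ("urlhash", pick_url_hash)]:
        dup = duplicated_objects(REQUESTS, fn(REQUESTS, PROXIES))
        print(f"{name:12s} objects cached on more than one proxy: {dup}")
```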

  • HttpClusterServlet Proxy Load Balancing with Multiple Clusters

    How do I load balance JSPs and Servlets using the HttpClusterServlet proxy server approach when I have more than one cluster?
    It appears from the docs that there is a 1 to 1 relationship between the non-clustered managed proxy server that has the HttpClusterServlet and the cluster (1 proxy to 1 cluster).


  • CSS 11000 series with load balancing for high availablity servers

    Hi,
    We have arrived at a design which has 2 PIX firewalls (525) in a fault tolerant mode. Two interfaces from each of the PIXes are connected directly to two CSS11000 switches which work in a fault tolerant mode.
    The other two interfaces from each of the two CSS11000 switches are connected directly to two Catalyst 4003 switches to which we have servers attached.
    Pls let me know whether this design will work, or if you could suggest some other design for high availability servers which are kept in the DMZ.
    Pls note that in our design the internet user first hits the firewall, then the CSS11000, then the Catalyst 4003 and finally the servers.
    If anyone can help me out,pls send me a mail at [email protected]

    Are the PIXes to be set up in a failover bundle?
    If you use two interfaces in each PIX to connect to the two CSS systems, are you not complicating the setup? Which of the two should be called the inside?
    I cannot recall whether you can have two inside legs at the current PIX level.

  • CSS on multiple subnets and separate load balancing

    Hello,
    I've a situation where I need to load balance incoming clients on subnet A to 3 real servers on subnet B - no problems there.
    But I also need to load balance different clients on subnet C to 3 other servers on subnet D and clients on subnet E to 2 servers on subnet F.
    Basically I want to use the CSS for 3 different load balancing operations.
    Rather than using 3 separate CSS11503s can I do all this with multiple VLANs on the LAN switches and 1 CSS?
    Any help appreciated
    Regards Tony

    you can have as many vlan as you want.
    So yes you can do what you want.
    Just be aware that the CSS can route as well between those VLANs, so if you want separation between them you may have to use ACLs.
    Gilles.

  • Load Balancing Linux servers with CSS 11050 series

    We would like to load balance Linux FTP and Web servers with a CSS 11050 series device. Does the content switch use SNMP to load balance the servers? If so, which MIBs need to be loaded on the servers?

    I don't believe that the CSS supports any SNMP load balancing mechanism.
    There are basically two factors involved in load balancing. One: the state of the servers, which can be checked via a range of mechanisms including ping, TCP connection, application request, etc. Two: the way a server is chosen when a request comes in, including round-robin, least connections, ACA etc.
    Check out these links:
    http://www.cisco.com/warp/customer/117/basic_css_lb_config.html
    http://www.cisco.com/warp/customer/117/methods_load_bal.html

  • Solution: load balancing for two servers running Sun One Web Server 7.0

    Hi All ,
    I must configure a load balancing web server for two servers. Could you tell me the solution?
    Please help
    Thanks .

    The following should help you configure Web Server to reverse proxy (load balance) to your two backend servers.
    http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy

  • Load balancing imbalance in ACE

    We are facing slowness in an http application which is due to connection imbalance. This setup has one load balancer and a proxy in the DMZ where the connections get terminated from the users, and a load balancer inside the LAN which load balances between the end point servers. All user connections terminate on the DMZ load balancer / proxy and the proxy connects back to the internal load balancer VIP (collating a number of connections into very few, the default proxy behavior). The internal load balancer VIP does load balancing based on the number of connections in a least loaded manner, and this load balancer doesn't see how many sessions are beneath each connection; it distributes each connection to a server underneath. Thus one connection may have around 100 sessions, another may have only a few, and each of these gets forwarded to the end server, causing the imbalance.
    Is there a way that this imbalance can be tackled in this setup?
    Users --> Proxy ---> Load balancer (Cisco ACE) --> Server 1
                                                   --> Server 2
                                                   --> Server 3
    Least Connections predictor
    HTTP Cookie insert sticky

    Hi,
    Persistence rebalance should solve the issue for you.
    The persistence-rebalance function is required if you have proxy users and the proxy shares one TCP connection between multiple users.
    With this behavior, inside a single connection you will see different cookies. Therefore, for each cookie, ACE needs to first detect the new cookie and then load balance to the appropriate server.
    This is from the admin guide:
    The following example specifies the parameter-map type http command to enable HTTP persistence after it has been disabled:
    host1/Admin(config)# parameter-map type http http_parameter_map
    Host1/Admin(config-parammap-http)# persistence-rebalance
    Please refer to the following link for more info:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_2_0/configuration/slb/guide/classlb.html#wp1062907
    Hope that helps,
    Ajay Kumar
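The imbalance described in this thread, and the effect of balancing per cookie instead of per connection, as an added toy model that is not ACE code and not part of the thread. It assumes three constructed backend servers, a constructed set of proxy-side connections each carrying several user sessions identified by a cookie, and counts server load in user sessions rather than in the ACE's own connection bookkeeping.

```python
"""Least-connections behind a multiplexing proxy: per-connection vs per-cookie.

Added toy model, not ACE code: one proxy-side TCP connection carries many
user sessions (cookies); server load is counted in distinct user sessions.
"""
from collections import Counter

SERVERS = ["server1", "server2", "server3"]  # constructed backend farm

# Constructed proxy traffic: three front-end connections, each a list of
# HTTP requests identified by their session cookie (repeats = same user).
CONNECTIONS = {
    "conn-A": [f"sess-{i}" for i in range(50) for _ in range(2)],      # 50 users
    "conn-B": [f"sess-{i}" for i in range(50, 53) for _ in range(2)],  # 3 users
    "conn-C": [f"sess-{i}" for i in range(53, 55) for _ in range(2)],  # 2 users
}


def least_conns(backend_conns):
    """Least-connections predictor; ties go to the lowest-numbered server."""
    return min(SERVERS, key=lambda s: (backend_conns[s], SERVERS.index(s)))


def balance_per_connection(connections):
    """Default behaviour: the server is chosen once per front-end TCP
    connection, so every cookie multiplexed on it lands on that server."""
    backend_conns = Counter()
    users = Counter()
    for requests in connections.values():
        server = least_conns(backend_conns)
        backend_conns[server] += 1
        users[server] += len(set(requests))
    return users


def balance_per_cookie(connections):
    """persistence-rebalance style: each request is inspected; a new cookie
    is balanced on its own (one backend connection per session) and a
    known cookie sticks to the server already chosen for it."""
    backend_conns = Counter()
    sticky = {}
    for requests in connections.values():
        for cookie in requests:
            if cookie not in sticky:
                sticky[cookie] = least_conns(backend_conns)
                backend_conns[sticky[cookie]] += 1
    return Counter(sticky.values())


def imbalance(users_per_server):
    """Spread between the busiest and the idlest server, in user sessions."""
    counts = [users_per_server[s] for s in SERVERS]
    return max(counts) - min(counts)


if __name__ == "__main__":
    for name, fn in [("per connection", balance_per_connection),
                     ("per cookie    ", balance_per_cookie)]:
        dist = fn(CONNECTIONS)
        print(name, dict(dist), "imbalance:", imbalance(dist))
```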

  • ACE 4710- Global Site load-balancing

    Does the 4710 have a feature like global site load balancing like the CSS?
    We have a site that will have 2 ISPs, but we don't have our own block of IP addresses to advertise, so we would need to use the ISPs' IP blocks. We've had issues in the past advertising one ISP's IP block out another ISP, so I was wondering if there was a way we could configure the ACE similar to the way the CSS did global site load balancing. Basically, have the ACE act as a DNS server and respond back with the IP address of whichever ISP we wanted the end user to come in on, and use a probe to ping the ISP's remote WAN IP to verify the circuit is passing traffic and resolve the correct IP if it's not.
    Thanks

    ACE does not have DNS server functionality.
    And these methods are not supported on the CSS anymore.
    The solution we offer is to install a Cisco GSS (Global Site Selector) which can interact with the ACE or CSS or CSM to determine which vip is up or down.
    Gilles.

  • CSS Load Balancing for MS Winsock Proxy Client

    Has anyone load balanced Microsoft Winsock Proxy client? I am trying to load balance internal users using the Winsock client to two MS ISA Servers running Winsock proxy for application access to the internet.

    Thanks for the post, I got this from Microsoft:
    I wanted to update you on the information I investigated on the firewall client. I found that the actual port connection used to control the connection thru ISA is by default UDP. This UDP session is over 1745 to the ISA server. This initial connection then allows for a connection over an ephemeral port to the ISA server for the actual data transfer. The data transfer is done via a TCP connection. The connection control is UDP based by default. This can be changed in the Wspcfg.ini file. By adding the ControlChannel value to the WSP_client_app section of this file, you can use WSP.TCP to allow the connections to be based on TCP. In your situation, this may be the best scenario due to the connections being load balanced.
    TCP is used by default when checking the Firewall configuration. This is why the traces showed the connection with TCP.
    Information on this can be found in the ISA help files. In the search panel of the ISA help, type in "ControlChannel" without the quotes and it will show information on this feature.
    I will re-test with TCP only setup, and see if this helps. I also have some sniffer traces I need to review to see if maybe NAT is killing me, not UDP traffic.
    I'll post back my findings next week.

  • Load-balancing of transparent cache + IP spoofing + RTSP + MMS not working

    We already have in production an architecture with load-balancing of transparent cache + IP spoofing.
    We are unable to do the same for streaming flows (MMS and RTSP).
    We are doing PBR from our core network (2 * C6K) to redirect ports 80, 554 and 1755 toward the CSS boxes, and the same in our access routers (2 * Cisco 7200).
    In this config the desired flows are redirected toward the CSS.
    Then the CSS should load balance the traffic toward our BlueCoat proxy-cache farm.
    It's working fine for HTTP but we are unable to make it work for MMS and RTSP.
    Note that we are required to use ECMP to perform IP spoofing on the CSS, meaning we need 4 routes for each client subnet (one route toward the upstream C6K, and 3 routes for the proxy caches). We use ACLs to get rid of the looping condition.
    Anyone who has already put in place load-balancing of streaming transparent cache + IP spoofing could give us some hints.
    Many thanks.
    Regards,
    Pierre Viennet

    Gilles, thanks for your input.
    Here where we are at with streaming implementation:
    - HTTP on all types of client is working
    - RTSP: TCP 554 with Real Media client is working
    - RTSP: TCP 554 with WMP not working, but it's due to a bug in the Bluecoat implementation; the proxy sends an error when it sees a request with ( User-Agent: WMPlayer ) for RTSP content.
    - MMS: TCP 1755 not working with IP spoofing enabled on the proxy, but OK without IP spoofing...
    - UDP 554: not working
    - UDP 1755: not working
    I fully understand the limitation for UDP traffic.
    But I don't see why it's not working for MMS over TCP traffic.
    Note that I have the exact same configuration for RTSP and MMS.
    Why is it not working for MMS with IP spoofing? Are you aware of a difference in the way the CSS handles MMS flows, or a specificity of the MMS protocol?
    Below is what we can see on the different equipment when trying to launch an MMS over TCP stream:
    c6k-Faaa#sh mls ip source 195.83.182.72
    Displaying Netflow entries in Supervisor Earl
    DstIP SrcIP Prot:SrcPort:DstPort Src i/f:AdjPtr
    Pkts Bytes Age LastSeen Attributes
    202.3.225.5 195.83.182.72 tcp :1755 :1504 0 : 0
    3 124 17 18:58:12 L3 - Dynamic
    202.3.225.5 195.83.182.72 tcp :1755 :1527 0 : 0
    2 84 3 18:58:20 L3 - Dynamic
    202.3.225.5 195.83.182.72 tcp :554 :1503 0 : 0
    4 360 17 18:58:06 L3 - Dynamic
    c6k-Faaa#
    CSS11503_CORE1# sho flows 202.3.225.5 | grep 1755
    202.3.225.5 38531 195.83.182.72 1755 0.0.0.0 TCP
    2/3 2/1
    202.3.225.5 1527 195.83.182.72 1755 195.83.182.72 TCP
    2/7 2/3
    CSS11503_CORE1# sho flows 202.3.225.5 | grep 1755
    202.3.225.5 38531 195.83.182.72 1755 0.0.0.0 TCP
    2/3 2/1
    202.3.225.5 1527 195.83.182.72 1755 195.83.182.72 TCP
    2/7 2/3
    CSS11503_CORE1# sho flows 202.3.225.5 | grep 1755
    202.3.225.5 38531 195.83.182.72 1755 0.0.0.0 TCP
    2/3 2/1
    202.3.225.5 1527 195.83.182.72 1755 195.83.182.72 TCP
    2/7 2/3
    CSS11503_CORE1#
    TCP 192.168.4.19:1491 195.83.182.72:554 TIME_WAIT
    TCP 192.168.4.19:1492 195.83.182.72:554 TIME_WAIT
    TCP 192.168.4.19:1493 195.83.182.72:1755 TIME_WAIT
    TCP 192.168.4.19:1502 195.83.182.72:554 TIME_WAIT
    TCP 192.168.4.19:1503 195.83.182.72:554 TIME_WAIT
    TCP 192.168.4.19:1504 195.83.182.72:1755 TIME_WAIT
    TCP 192.168.4.19:1525 195.83.182.72:554 TIME_WAIT
    TCP 192.168.4.19:1526 195.83.182.72:554 TIME_WAIT
    TCP 192.168.4.19:1527 195.83.182.72:1755 TIME_WAIT
    Many Thanks for your input.
    Pierre Viennet.

  • How to set up load balancing with overload server on css

    Can anyone tell me how to set up a load balancing config on a CSS that will enable me to LB proxy caches and, when they have too many connections, LB against an overload proxy-cache?
    Such that when the normal proxy-cache farm is under the ceiling of max connections, the overload server is not used?
    I don't think redirect or sorry server will do this?

    See the configuration below; any question, just tell me.
    service proxy-1
      ! below is the real ip of the server
      ip address 10.1.1.1
      keepalive type icmp
      active
    service proxy-2
      ip address 10.1.1.2
      keepalive type icmp
      active
    ! enter owner config-mode
    owner proxy
      ! define a content rule, matching what you want to load balance
      content rule-proxy
        ! below is the virtual ip, it can be in another ip segment
        vip address 10.1.1.50
        add service proxy-1
        add service proxy-2
        protocol any
        advanced-balance sticky-srcip
        active

  • CSS 11501 Load Balancing with X-forwarded-for

    Hi,
    We have a pair of CSS 11501,
    Currently it is using source IP for load balancing with 5 servers as backend; however, we have users logging in using http and, based on their source IP (ISP PROXY), they are forwarded to SERVER A.
    However, we have an SSL page, and when the client switches over to SSL it is forwarded to SERVER B/C/D/E based on its source IP (REAL CLIENT IP).
    This will cause the user session to be terminated, as the 5 servers are independent and not running in a cluster.
    Is there any way that we can use the X-Forwarded-For address to load balance, so that when users log in they are sent to SERVER A (based on the X-Forwarded-For header IP, which translates to the REAL CLIENT IP)?
    This way we are also able to send them back to the same server when they use SSL.
    I believe that we should be able to load balance using the X-Forwarded-For IP, or to rewrite the X-Forwarded-For IP into the client source IP.
    Regards

    Hi,
    Unfortunately the CSS does not support X-Forwarded-For, and even if the CSS supported it, this won't work if you are not using SSL termination.
    One option that you can use here is SSL termination, so you can manage the SSL traffic as HTTP on the CSS; in this way you can use the same HTTP content rule, which is the one currently working.
    In summary, you will have an SSL content rule that decrypts the traffic, and this one will use the same content rule that already exists for HTTP, in case the server is the one doing the redirect to SSL. But this is something that requires testing, since depending on the redirect behavior we might have a redirect loop, and without details it is kind of hard to confirm whether you will face this with this option.
    Another option, which is less complex, is to use a portless content rule, so this content rule will match ports 443 and 80 at the same time, and using sticky or balance based on source IP you will get the same result with less config. The downside is the troubleshooting, but in this way you will have what you want.
      content HTTP-HTTPS
        vip address 10.198.44.70
        advanced-balance sticky-srcip
        add service server1
        add service server2
        add service server3
        add service server4
        add service server5
        protocol tcp
        active
    Here the content rule is not looking for the destination port, it is just looking for the source IP, and HTTP and HTTPS will end all the time on the same server.
    Thanks,
    Rodrigo

  • CSS arrowpoint cookie load balancing issue

    Hi guys,
    I need some advice on a load balancing issue.
    We have connections hitting the CSS via a proxy environment. As a result I see only one source IP address. I want to use arrowpoint cookies for session stickiness. However, when I enable the rule the TCP session negotiation fails. The CSS sends a TCP/RST which terminates the session.
    Here's the rule config:
    content HTTP_rule
      add service ZSTS299102
      add service ZSTS281101
      vip address <filtered>
      add service LONS299102
      add service LONS281101
      balance weightedrr
      change service ZSTS299102 weight 5
      change service ZSTS281101 weight 5
      advanced-balance arrowpoint-cookie
      protocol tcp
      port 80
      url "/*"
      active
    Any help would be much appreciated.

    Remko,
    In L3/L4 the CSS sends the SYN directly to the server.
    So when the FIN comes in, we simply pass it to the server.
    With L5 the CSS spoofs the connection and we select the server only after receiving the GET.
    If there were some delay between the GET and the FIN, the CSS would have time to establish a connection with the server and the FIN could simply be forwarded.
    Unfortunately, in this case the FIN comes right after the GET with no delay.
    Gilles.

  • Load balancing MS Winsock Proxy Server on WebNS 5.0

    Does anyone know what needs to be done on the service/content rule configuration to support Winsock Proxy requests from client to VIP for load balancing to work?

    Here is a link that may be helpful in configuring the CSS:
    http://www.cisco.com/warp/public/117/CSS_CEreverseproxy.html
