CSS11503 - balance ACA

Similar Messages

• Balance aca

  Hi Gilles,
  balance aca and adavance-balance sticky srcip under the same content
  content 1
  port 1111
  advance-balance sticky srcip
  balance aca
  add service s1
  add service s2
  vip address 1.1.1.1
  active
  Is the above configuration adviceble.

  I never advice ACA. leastconn gives good result but with sticky-srcip it is preferable to use roundrobin.
  Giles.

• Load balancing sftp servers on css11503

  I have an 11503 and I am trying to load balance sftp servers behind it. not sure why it's not working.
  here is the content rule:
  content test_sftp
  add service www1_sftp
  add service www2_sftp
  port 22
  protocol tcp
  balance aca
  advanced-balance sticky-srcip
  vip address 172.17.0.248
  active
  here are the service rules:
  service www1_sftp
  ip address 172.17.0.27
  protocol tcp
  keepalive port 22
  keepalive type tcp
  active
  service www2_sftp
  ip address 172.17.0.25
  protocol tcp
  keepalive port 22
  keepalive type tcp
  active
  couple of questions:
  1) do I need to set up a source group like I would have to for ftp? Does the return traffic from the servers need to be NAT'd back out as the VIP?
  2) the content rule and service rules are all set for port 22 only....is that enough ports open for the control and data channels? I think sftp uses port 22 for both.
  Any assistance would be greatly appreciated.
  Thanks!
  Sandeep

  You definitely need a group to nat the data-channel.
  But I'm not even sure that will make it work.
  You can give it a try so.
  Gilles.

• Monitoring a CSS11503 sticky decision

  Hi everybody,
  we want to see and log (best would be to syslog) why the CSS takes a loadbalancing decision on stickiness. Is this possible and how should this be configured?
  Our current problem is the following. We got a CSS11503 pair in box redundancy. They are loadbalancing https traffic to two SUN iPlanet instances using SSLv3. The rule is the following:
  content https
  protocol tcp
  port 443
  application ssl
  balance aca
  add service service1_https
  add service service2_https
  vip address 10.1.1.1
  advanced-balance ssl
  active
  what we see is that some client gets forwarded to the second server during a session although it was directed to the first one before. And this leads to an 'authorization required' error in the client application. We can trace this in the iPlanet logs.
  When using src-sticky, everything works fine, so this leads to the conclusion that it has to do with SSL loadbalancing.
  Of course the application guys now blame the CSS for not working correctly, but I think (as a CSS guy) that the application is doing something wrong. So, I need to trace the sticky decision on the CSS.
  Any ideas are welcome.
  -Alex

  Hi Alex,
  (I'm a CSS guy too!)
  Have you investigated the actual SSL session ID's being used for that particular client when this error occurs?
  We had a problem with very similar symptoms and had to use a Sniffer in order to find the root cause.
  Our servers (I think they were IPlanet too, running on Linux) were not handling the SSL session-id "re-use" option properly. They were instead providing a bran new SSL session-id each time the client would send a SSL "re-negotiation handshake" (I'm not sure about terminology here!). In our case, we saw this happenning every 90 seconds, causing the clients to bounce from server to server because the CSS would not find a match in its SSL-sticky table and load-balancing would therefore take effect and cause the client to end up on a different server (similar to what you are reporting).
  Unfortunately, in our case (also) we were unable to resolve this server issue and we resorted to src-sticky.
  Good luck!
  Dan

• CSS Troubleshooting "advanced-balance url" based on string-range

  Hi together,
  a questions for troubleshooting "string range stickyness".
  I configured a content rule:
  content L5_HTTP_81
  vip address 192.168.1.1
  balance aca
  no persistent
  protocol tcp
  port 81
  url "/*"
  advanced-balance url
  add service service1 weight 1
  add service service2 weight 1
  string range 30 to 255
  string eos-char "_"
  string prefix "shopId="
  active
  service service1
  ip address 10.1.128.23
  keepalive maxfailure 2
  protocol tcp
  redundant-index 2102
  keepalive frequency 15
  keepalive retryperiod 10
  keepalive type http
  keepalive port 80
  keepalive method get
  keepalive uri "/admin/Ping.simple"
  string 148.49
  port 80
  active
  service service2
  ip address 10.1.128.22
  keepalive maxfailure 2
  protocol tcp
  redundant-index 2101
  keepalive type http
  keepalive method get
  keepalive frequency 15
  keepalive retryperiod 10
  keepalive port 80
  keepalive uri "/admin/Ping.simple"
  string 148.48
  port 80
  active
  1. I take a string from the 30rd to 255 character out of the URL starting at "/".
  2. Now I search for a string between "shop_Id=" and "_", on which the stickyness is based.
  3. string "148.49" is allocated to service1, string "148.48" is allocated to service2.
  Is there any possibillity to view or debug the handling, how the string is matched in the http request and on which service the request is forwarded ?
  thanks in advance
  sascha

  Here is the command reference. take a look at the available commands.
  http://www.cisco.com/univercd/cc/td/doc/product/webscale/css/css_710/cmdrefgd/index.htm

• Load Balance AJP13 on CSS 11501

  We are trying to load balance AJP13 protocol using port 8009 between Apache servers and JBOSS application servers.
  We are getting Page cannot be found in the browser.
  Content rule used:
  content webdev_ajp13_8009
  add service dil01
  add service dil02
  vip address 192.168.x.x
  balance aca
  no persistent
  protocol tcp
  port 8009
  url "/*"
  active
  Has anyone come across the problem before and what was the solution.
  Thanks in advance.
  Anthony

  Hi Zach,
  Just to let you know that we have run extensive tests and found that if the URL uses the workers file to reference the AJP13 protocol, traffic goes from the Apache servers to the Content Switch VIP but does not forward the traffic onto the servers. TCP packets are detected on the sniffer but once the AJP13 protocol is detected then an error occurs, ERROR AJP13 unassembled packet. If we however use the URL with the parameter :8009 then the traffic passes from the content switch VIP to the JBOSS servers.
  We have decided to use AJP13 Mod_jk so only HTTP and HTTPS traffic will be passed between all the servers.
  Thanks for your assistance in this matter.
  Regards
  Anthony

• Load balance LDAP with the CSS 501

  I'm trying to setup a content rule to test load balancing LDAP traffic via the CSS but it doesn't seem to be working. Here's my configuration:
  service 10.125.5.56:389
  ip address 10.125.5.56
  protocol tcp
  port 389
  keepalive type script ap-kal-ldap "10.125.5.56"
  active
  content test-ldap:389
  vip address 10.124.155.50
  add service 10.125.5.56:389
  protocol tcp
  balance aca
  port 389
  advanced-balance sticky-srcip-dstport
  active
  Anything I'm doing wrong? I see somebody posted a similar issue but doesn't seem like a solution was provided (see below):
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=Application%20Networking&topicID=.ee7814f&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dda3585/2

  What's the issue ?
  Get a sniffer trace simultanously on client and server and see what's going on.
  G.

• Terminal Server Farm balancing with down server

  I have an 11501 that is balancing connections between my 10 terminal servers.
  We are using roundrobin because we were told by TAC that leastconn and ACA do not work well with terminal server environment.
  The problem is that whenever a server goes down and comes back up that server is not first inline for people reconnecting. I need help finding a way, once the down server comes back online, to make this server have a higher weight until its connections are about equal to what the other server loads are.
  Any help would be greatly appreciated.

  Hi,
  in my pinion balance leastconn should the job as it only counts the number of connections see :
  http://www.cisco.com/en/US/customer/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a008029c621.html#wp1038118:
  balance leastconn - Least connection algorithm. This balance method chooses a running service that has the fewest number of connections.
  We do not recommend that you use UDP content rules with the balance leastconn load-balancing algorithm. The service connection counters do not increment and remain at 0 because UDP is a connectionless protocol. Because the counters remain at 0, the CSS will give inconsistent results.
  So if your terminal service is a running via UDP you are having a problem but in any other case it should do the job from the description given above.
  The balance aca will fail due to the fact that the first and keepalive is very fast and so it can not determin the real load what you already found out.
  Which method did you use balance aca or balance leastconn?
  Cheers,
  Joerg

• How do you specify a string with advanced-balance url?

  I am trying to configure a CSS 11501 to send requests with a specific string in the URL to a specific server. How and where I would specify the string? The documentation, as far as I can tell, mentions that it can be done but does not show how. Any input is greatly appreciated.

  Thanks again, Syed. Now it makes sense, but I was digging more into the documentation and found a simpler way to accomplish this.
  service webServer1
  ip address 10.1.1.1
  keepalive type http
  active
  service webServer2
  ip address 10.1.1.2
  keepalive type http
  active
  content webServers
  add service webServer1
  add service webServer2
  balance aca
  vip address 10.2.2.1
  protocol tcp
  active
  content fileServer
  add service webServer1
  vip address 10.2.2.1
  protocol tcp
  url “/files/*”
  active
  The idea being that most requests will get load-balanced between both web servers, but if the URL starts with "/files/", then only webServer1 will receive the requests.

• Css excessive arp requests

  Hello all,
  my CSS 11150 with WebNS 5.00 does excessive arp requests on its interfaces (up to 100 arps per second). The box seems to arp EVERYTHING especially in the 10.147.0.0 /16 subnet even if it is not used at all. My config is as follows:
  ip no-implicit-service
  ip opportunistic disable
  ip route 0.0.0.0 0.0.0.0 10.147.1.1 1
  circuit VLAN1
  ip address 10.147.248.10 255.255.0.0
  circuit VLAN2
  ip address 10.145.45.254 255.255.255.128
  service sunbl3s6-443
  ip address 10.145.45.136
  protocol tcp
  port 443
  keepalive type tcp
  keepalive port 443
  active
  service sunbl3s6-80
  ip address 10.145.45.136
  protocol tcp
  port 80
  keepalive type tcp
  keepalive port 80
  active
  service sunbl3s7-443
  ip address 10.145.45.137
  protocol tcp
  port 443
  keepalive type tcp
  keepalive port 443
  active
  service sunbl3s7-80
  ip address 10.145.45.137
  protocol tcp
  port 80
  keepalive type tcp
  keepalive port 80
  active
  owner unix-systems
  content vrp-test-443
  vip address 10.145.45.253
  protocol tcp
  port 443
  balance aca
  add service sunbl3s6-443
  add service sunbl3s7-443
  active
  content vrp-test-80
  vip address 10.145.45.253
  protocol tcp
  port 80
  balance aca
  add service sunbl3s6-80
  add service sunbl3s7-80
  active
  group vrp-test
  vip address 10.145.45.253
  add destination service sunbl3s6-80
  add destination service sunbl3s6-443
  add destination service sunbl3s7-80
  add destination service sunbl3s7-443
  active
  Does anybody have any hints?
  Many thanks in advance
  Uli

  Hi,
  I did a software upgrade yesterday and put ap0610405.adi.gz on the box. But the behaviour didn't change. We also checked the cabling for loops, that's also fine.
  We have observed some further things:
  The broadcasts are only on the 10.147.0.0 /16 subnet. As this is our local lan backbone we can't change it, I could only shift the frontend into another subnet and route it towards the backbone.
  We have another two boxes (CSS11503 with 7.4) with a similar configuration - they also do excessive arp requests in the same subnet, the primary as well as the secondary. But the addresses being arped for are not necessarily the same.
  I took some packet traces looking for broadcasts and multicasts that could inspire the boxes to arp for every address they see - nothing, the addresses being arped for are not seen in the seconds before the CSS arp request.
  What could trigger arp requests for machines which never accessed or used the CSS services / rules??? I've never seen such a behaviour before...
  Best Regards
  Uli

• Help to move a simple CSS design to an ACE

  Hi, I have a production system on a CSS11503, and the service will be moving to an ACE shortly. I'm nost sure how to convert a couple of "features" of the CSS configuration.
  1. WebDAV support: I had to add the extra HTTP methods;
  http-method parse RFC2518-methods
  http-method parse user-defined-method POLL
  http-method parse user-defined-method SEARCH
  http-method parse user-defined-method SUBSCRIBE
  http-method parse user-defined-method BMOVE
  http-method parse user-defined-method BCOPY
  http-method parse user-defined-method BDELETE
  http-method parse user-defined-method BPROPPATCH
  Do I still need to and how do I?
  2. The stickiness: It is done with an arrowpoint thingy.
  content HTTP-80
  add service Online-1-80
  add service Online-2-80
  add service Online-3-80
  add service Online-4-80
  protocol tcp
  port 80
  vip address x.x.x.x
  advanced-balance arrowpoint-cookie
  balance aca
  active
  How do I acheive the same with the ACE.
  I also intend to use HTTPS in the front, talking to HTTP backend. The balancing should not be affected by this, as the ACE can see the cookies etc.
  Anyone able to guide me on this setup.
  Thanks.

  1. not required with ACE
  2. The equivalent of arrowpoint-cookie in ACE is cookie insert.
  More info on the cookie insert @
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_command_reference_chapter09186a0080685364.html
  Finally for SSL termination look @
  http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a008068816c.html
  If you need additional help, do not hesitate.
  Gilles.

• Https front end and http backend

  Hi there....I am having a small issue....I have a web app that is https based....I have installed the cert on the CSS, and DNS for this app points to the VIP....the client is wanting to have an https front end, and then load balance in http to the backend servers....the issue I am running into is that this only works if I have an active port 80 rule on that same VIP....if I suspend the port 80 rule and only leave the port 443 rule active on that VIP, it doesn't work....please see appropriate config portions below....Thanks in advance!
  Sandeep
  ANy suggestions? I have been trying this for a couple of days now...it works fine if the backend sessions are also https, but the client has changed their requirement....
  ssl-proxy-list SSL1
  ssl-server 1
  ssl-server 1 rsakey app1-test
  ssl-server 1 rsacert app1-test
  ssl-server 1 vip address 10.19.55.10
  ssl-server 1 cipher rsa-with-rc4-128-md5 10.19.55.10 81
  backend-server 1
  backend-server 1 port 81
  backend-server 1 server-ip 10.19.55.132
  backend-server 1 ip address 10.19.55.132
  backend-server 2
  backend-server 2 port 81
  backend-server 2 server-ip 10.19.55.133
  backend-server 2 ip address 10.19.55.133
  backend-server 3
  backend-server 3 port 83
  backend-server 3 server-ip 10.19.55.132
  backend-server 3 ip address 10.19.55.132
  backend-server 4
  backend-server 4 port 83
  backend-server 4 server-ip 10.19.55.133
  backend-server 4 ip address 10.19.55.133
  backend-server 5
  backend-server 5 port 85
  backend-server 5 server-ip 10.19.55.132
  backend-server 5 ip address 10.19.55.132
  backend-server 6
  backend-server 6 port 85
  backend-server 6 server-ip 10.19.55.133
  backend-server 6 ip address 10.19.55.133
  active
  service webserver002:81
  ip address 10.19.55.132
  port 81
  keepalive port 2199
  keepalive type tcp
  protocol tcp
  active
  service webserver003:81
  ip address 10.19.55.133
  port 81
  keepalive port 2199
  keepalive type tcp
  protocol tcp
  add ssl-proxy-list SSL1
  active
  service webserver002:83
  ip address 10.19.55.132
  port 83
  add ssl-proxy-list SSL1
  keepalive port 2399
  keepalive type tcp
  protocol tcp
  active
  service webserver003:83
  ip address 10.19.55.133
  port 83
  keepalive port 2399
  keepalive type tcp
  protocol tcp
  add ssl-proxy-list SSL1
  active
  service webserver002:85
  ip address 10.19.55.132
  port 85
  add ssl-proxy-list SSL1
  keepalive port 2599
  keepalive type tcp
  protocol tcp
  active
  service webserver003:85
  ip address 10.19.55.133
  port 85
  keepalive port 2599
  keepalive type tcp
  protocol tcp
  add ssl-proxy-list SSL1
  active
  service SSL_Front
  slot 2
  type ssl-accel
  keepalive type none
  add ssl-proxy-list SSL1
  active
  owner app1-test
  content app-test_back
  vip address 10.19.55.10
  add service webserver002:81
  add service webserver003:81
  add service webserver002:83
  add service webserver003:83
  add service webserver002:85
  add service webserver003:85
  balance aca
  protocol tcp
  port 81
  active
  content app1-test_front
  vip address 10.19.55.10
  application ssl
  add service SSL_Front
  protocol tcp
  port 443
  advanced-balance ssl
  balance aca
  active

  Thanks for the quick reply....there is another port 80 rule setup for that vip....I was using that to test with the app until I got the front end https rules working....
  my port 80 rules just says listen to 10.19.55.10 on port 80 and load balance btwn the webervers on port 8x in the back end...
  I am trying to do https front end and http backend....
  no where in my SSL config have I configured port 80....but when I suspend that rule it all fails....
  I am wondering if the backend server sessions are happening properly?
  I don't fully get what you mean by "You need to have the rule in port 443 to match traffic coming from the client and the clear text rule (port 81) to match traffic already decrypted coming from the SSL module"
  Haven'tI done that?
  Thanks again!
  Sandeep

• How can I keepalive for 2 different applications without using script?

  Have a CSS with 2 web server loadbalanced. Initially the keepalive was set to ssl but now the client would like to add another keepalive type http. How can i do this without writing script. Though there is quite number of example in the forum but I'm still confused. Is there any clear and complete sample config for this type of installation.
  Below is the example of working config of my client.
  service server1
  ip address 10.150.1.10
  keepalive type ssl
  active
  service server2
  ip address 10.150.1.11
  keepalive type ssl
  active
  Owner Layer3
  content Layer3_a
  add service server1
  add service server2
  vip address 10.150.1.12
  balance aca
  advance-balance sticky-srcip

  If you want to use multiple keepalives for a service, you must use a script. The alternative would be to create 2 content rules, and 2 sets of services, one for port 80 (or whatever) and one for port 443 (or whatever), and use http for one and ssl for the other.
  Michael Voight
  CSE

• CSS 11501 web timeout

  Hi,
  I have a CSS11501 running 8.10.0.02 software. I have 2 windows 2003 web servers that connect to a backend database. I am recieving complaints that intermittently the end user is getting a session timeout.
  I set the flow multiple to 2700 so the flow would be active for 12 hours, but when I issue the show flows command I see flow disappearing after just a few minutes.
  Is this normal behavior?
  Does my config look correct otherwise?
  service A
  ip address 192.168.248.17
  keepalive type http
  active
  service B
  keepalive type http
  ip address 192.168.248.18
  active
  !*************************** OWNER ***************************
  owner test1
  content web
  port 80
  protocol tcp
  add service A
  add service B
  vip address 192.168.248.16
  balance aca
  advanced-balance sticky-srcip
  sticky-inact-timeout 720
  flow-timeout-multiplier 2700
  active
  Thanks
  Frank

  Frank,
  if the client or the server closed the connection, it will disappear.
  Sniff the traffic on both side of the css and see which device is closing the connection.
  Don't forget that servers also come with an idle timeout which is usually far less than 12 hours.
  Gilles.

• CSS and Exchange Mobile ActiveSync not working

  I have a question relating to a CSS and Exchange Mobile devices The customer has 2 Exchange Client Access Servers CAS1 and CAS2 and has problems with ActiveSync on mobile devices. (OWA is working fine) I am trying to test Exchange ActiveSync (using the Microsoft test site https://www.testexchangeconnectivity.com) When I perform an ‘Exchange ActiveSync Autodiscover’ it works fine, but when I use the test ‘Exchange ActiveSync’, it fails Has anyone had this problem before or can suggest a fix please http://mobile.thamesriver.co.uk The config is underneath Any help would be appreciated Kind Regards Tony !*********************** SSL PROXY LIST *********************** ssl-proxy-list TRC_List   ssl-server 10   ssl-server 10 vip address x.x.x.x   ssl-server 10 cipher rsa-with-rc4-128-md5 x.x.x.x 80   ssl-server 10 rsakey myrsakey   ssl-server 10 rsacert myrsacert   active !************************** SERVICE ************************** service mobile1   ip address 10.1.230.200   keepalive type tcp   protocol tcp   port 80   active service mobile2   ip address 10.1.230.201   keepalive type tcp   protocol tcp   port 80   active service CASservice1_HTTP   protocol tcp   port 80   keepalive type tcp   ip address 10.1.230.200   string cashttp1   active   service CASservice2_HTTP   protocol tcp   port 80   keepalive type tcp   ip address 10.1.230.201   string cashttp2   active   service CASservice1_EPM   protocol tcp   port 135   keepalive type tcp   ip address 10.1.230.200   string EPM1   active service RPC_Address1   port 59533   keepalive type tcp   ip address 10.1.230.200   protocol tcp   active service RPC_Address2   port 59533   keepalive type tcp   ip address 10.1.230.201   protocol tcp   active service RPC_Mailbox1   protocol tcp   keepalive type tcp   ip address 10.1.230.200   port 59532   active service RPC_Mailbox2   protocol tcp   keepalive type tcp   ip address 10.1.230.201   port 59532   active service ssl_module1   keepalive type none   add ssl-proxy-list TRC_List   type ssl-accel   slot 3   active !*************************** OWNER *************************** owner TRC   content AuthHead     add service mobile1     add service mobile2     vip address x.x.x.x     protocol tcp     port 80     url "//mobile.thamesriver.co.uk/Microsoft-Server-ActiveSync"     active   content EPM     balance aca     add service CASservice1_EPM     add service CASservice2_EPM     protocol tcp     port 135     url "/*"     vip address x.x.x.x     advanced-balance sticky-srcip     sticky-inact-timeout 1     active   content OWA     balance aca     add service CASservice1_HTTP     add service CASservice2_HTTP     protocol tcp     port 80     url "/*"     vip address x.x.x.x     advanced-balance sticky-srcip-dstport     active   content RPC-Address     balance aca     add service RPC_Address1     add service RPC_Address2     port 59533     protocol tcp     advanced-balance sticky-srcip     vip address x.x.x.x     active   content RPC-Mailbox     balance aca     add service RPC_Mailbox1     add service RPC_Mailbox2     advanced-balance sticky-srcip     vip address x.x.x.x     port 59532     protocol tcp     active     content ssl-rule     vip address x.x.x.x     protocol tcp     port 443     add service ssl_module1     active !*************************** GROUP *************************** group RDP   add service TSservice1   add service TSservice2   add service TSservice3   add service TSservice4   add service TSservice5   add service TSservice6   add service TSservice7   vip address 172.26.100.190   active group WWW   add service CASservice1_HTTP   add service CASservice2_HTTP   vip address x.x.x.x   active TRC_CSS#

  duh!
  I'll try that again....
  I have a question relating to a CSS and Exchange Mobile devices
  The customer has 2 Exchange Client Access Servers CAS1 and CAS2 and has problems with ActiveSync on mobile devices.
  OWA is working fine
  I am trying to test Exchange ActiveSync (using the Microsoft test site https://www.testexchangeconnectivity.com) I perform an ‘Exchange ActiveSync Autodiscover’ it works fine, but when I use the test ‘Exchange ActiveSync’, it fails
  When
  Has anyone had this problem before or can suggest a fix please
  http://mobile.thamesriver.co.uk config is underneath
  The
  Any help would be appreciated
  Kind Regards Tony
  !*********************** SSL PROXY LIST ***********************
  ssl-proxy-list TRC_List
    ssl-server 10
    ssl-server 10 vip address x.x.x.x
    ssl-server 10 cipher rsa-with-rc4-128-md5 x.x.x.x 80
    ssl-server 10 rsakey myrsakey
    ssl-server 10 rsacert myrsacert
    active
  !************************** SERVICE **************************
  service mobile1
    ip address 10.1.230.200
    keepalive type tcp
    protocol tcp
    port 80
    active
  service mobile2
    ip address 10.1.230.201
    keepalive type tcp
    protocol tcp
    port 80
    active
  service CASservice1_HTTP
    protocol tcp
    port 80
    keepalive type tcp
    ip address 10.1.230.200
    string cashttp1
    active
  service CASservice2_HTTP
    protocol tcp
    port 80
    keepalive type tcp
    ip address 10.1.230.201
    string cashttp2
    active
  service CASservice1_EPM
    protocol tcp
    port 135
    keepalive type tcp
    ip address 10.1.230.200
    string EPM1
    active
  service RPC_Address1
    port 59533
    keepalive type tcp
    ip address 10.1.230.200
    protocol tcp
    active
  service RPC_Address2
    port 59533
    keepalive type tcp
    ip address 10.1.230.201
    protocol tcp
    active
  service RPC_Mailbox1
    protocol tcp
    keepalive type tcp
    ip address 10.1.230.200
    port 59532
    active
  service RPC_Mailbox2
    protocol tcp
    keepalive type tcp
    ip address 10.1.230.201
    port 59532
    active
  service ssl_module1
    keepalive type none
    add ssl-proxy-list TRC_List
    type ssl-accel
    slot 3
    active
  !*************************** OWNER ***************************
  owner TRC
    content AuthHead
      add service AuthHead1
      add service AuthHead2
      vip address x.x.x.x
      protocol tcp
      port 80
      url "//mobile.thamesriver.co.uk/Microsoft-Server-ActiveSync"
      active
    content EPM
      balance aca
      add service CASservice1_EPM
      add service CASservice2_EPM
      protocol tcp
      port 135
      url "/*"
      vip address x.x.x.x
      advanced-balance sticky-srcip
      sticky-inact-timeout 1
      active
    content OWA
      balance aca
      add service CASservice1_HTTP
      add service CASservice2_HTTP
      protocol tcp
      port 80
      url "/*"
      vip address x.x.x.x
      advanced-balance sticky-srcip-dstport
      active
    content RPC-Address
      balance aca
      add service RPC_Address1
      add service RPC_Address2
      port 59533
      protocol tcp
      advanced-balance sticky-srcip
      vip address x.x.x.x
      active
    content RPC-Mailbox
      balance aca
      add service RPC_Mailbox1
      add service RPC_Mailbox2
      advanced-balance sticky-srcip
      vip address x.x.x.x
      port 59532
      protocol tcp
      active
    content ssl-rule
      vip address x.x.x.x
      protocol tcp
      port 443
      add service ssl_module1
      active
  !*************************** GROUP ***************************
  group RDP
    add service TSservice1
    add service TSservice2
    add service TSservice3
    add service TSservice4
    add service TSservice5
    add service TSservice6
    add service TSservice7
    vip address 172.26.100.190
    active
  group WWW
    add service CASservice1_HTTP
    add service CASservice2_HTTP
    vip address x.x.x.x
    active
  TRC_CSS#