Load Balancing Directory Servers with Access Manager - Simple questions

Similar Messages

• Integrate other directory servers with access manager

  How to integrate other directory servers with access manager ?

  Please read the Access Manager admin guide at http://docs.sun.com/app/docs/doc/819-4670/6n6qardvq
  Any further questions regarding this integration, post them to the AM forum at http://forums.sun.com/forum.jspa?forumID=770

• Load Balance HTTPS servers with redirection

  Hello,
  I have been tasked with ACE configuration at work as the prior go-to guy for load balancing is no longer available. Trouble is, I have little idea what I’m doing when it comes to the ACE. So, forgive me if the question I have is super basic. After doing some research I put together a LB config, but its not working.
  I was trying to load balance 10 servers, split into groups of 2 using 5 VIPS (1 VIP for each group of 2 servers). The servers serve an ssl web app.
  Below is my configuration. What am I doing wrong? Does the config have any glaring errors? I've been staring at this thing on and off for a week  and searching these forums trying to figure it out.
  Any help provided will greatly appreciated.
  probe tcp probe_443
    port 443
    interval 30
    passdetect interval 5
  probe https probe_https_test
    interval 30
    passdetect interval 5
    ssl version all
    request method get url /test.html
    expect status 200 200
  rserver host QA-1.1
  ip address 10.200.162.126
  inservice
  rserver host QA-1.2
  ip address 10.200.162.127
  inservice
  rserver redirect QA-group_1_redirect_rserver
  webhost-redirection https://10.37.5.73/ 302
    inservice
  rserver host QA-2.1
  ip address 10.200.162.22
  inservice
  rserver host QA-2.2
  ip address 10.200.162.240
  inservice
  rserver redirect QA-group_2_redirect_rserver
  webhost-redirection https://10.37.5.74/ 302
    inservice
  rserver host QA-3.1
  ip address 10.200.162.181
  inservice
  rserver host QA-3.2
  ip address 10.200.162.50
  inservice
  rserver redirect QA-group_3_redirect_rserver
  webhost-redirection https://10.37.5.75/ 302
    inservice
  rserver host QA-4.1
  ip address 10.200.162.23
  inservice
  rserver host QA-4.2
  ip address 10.200.162.241
  inservice
  rserver redirect QA-group_4_redirect_rserver
  webhost-redirection https://10.37.5.76/ 302
    inservice
  rserver host QA-5.1
  ip address 10.200.162.182
  inservice
  rserver host QA-5.2
  ip address 10.200.162.51
  inservice
  rserver redirect QA-group_5_redirect_rserver
  webhost-redirection https://10.37.5.77/ 302
    inservice
  serverfarm host SF_QA-group_1_HTTPS
  failaction reassign
  predictor leastconns
  probe probe_443
  probe probe_https_test
  rserver QA-1.1 443
  inservice
  rserver QA-1. 2 443
  inservice
  serverfarm host SF_QA-group_2_HTTPS
  failaction reassign
  predictor leastconns
  probe probe_443
  probe probe_https_test
  rserver QA-2.1 443
  inservice
  rserver QA-2. 2 443
  inservice
  serverfarm host SF_QA-group_3_HTTPS
  failaction reassign
  predictor leastconns
  probe probe_443
  probe probe_https_test
  rserver QA-3.1 443
  inservice
  rserver QA-3. 2 443
  inservice
  serverfarm host SF_QA-group_4_HTTPS
  failaction reassign
  predictor leastconns
  probe probe_443
  probe probe_https_test
  rserver QA-4.1 443
  inservice
  rserver QA-4. 2 443
  inservice
  serverfarm host SF_QA-group_5_HTTPS
  failaction reassign
  predictor leastconns
  probe probe_443
  probe probe_https_test
  rserver QA-5.1 443
  inservice
  rserver QA-5. 2 443
  inservice
  serverfarm redirect SF_ QA-group_1_REDIRECT
  rserver QA-group_1_redirect_rserver
  inservice
  serverfarm redirect SF_ QA-group_2_REDIRECT
  rserver QA-group_2_redirect_rserver
  inservice
  serverfarm redirect SF_ QA-group_3_REDIRECT
  rserver QA-group_3_redirect_rserver
  inservice
  serverfarm redirect SF_ QA-group_4_REDIRECT
  rserver QA-group_4_redirect_rserver
  inservice
  serverfarm redirect SF_ QA-group_5_REDIRECT
  rserver QA-group_5_redirect_rserver
  inservice
  sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_1_STICKY
  serverfarm SF_ QA-group_1_HTTPS
  timeout 30
  replicate sticky
  sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_2_STICKY
  serverfarm SF_ QA-group_2_HTTPS
  timeout 30
  replicate sticky
  sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_3_STICKY
  serverfarm SF_ QA-group_3_HTTPS
  timeout 30
  replicate sticky
  sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_4_STICKY
  serverfarm SF_ QA-group_4_HTTPS
  timeout 30
  replicate sticky
  sticky ip-netmask 255.255.255.255 address source SRC_ QA-group_5_STICKY
  serverfarm SF_ QA-group_5_HTTPS
  timeout 30
  replicate sticky
  class-map match-all QA-group_1_HTTP
  3 match virtual-address 10.37.5.73 tcp eq www
  class-map match-all QA-group_1_HTTPS
  3 match virtual-address 10.37.5.73 tcp eq https
  class-map match-all QA-group_2_HTTP
  3 match virtual-address 10.37.5.74 tcp eq www
  class-map match-all QA-group_2_HTTPS
  3 match virtual-address 10.37.5.74 tcp eq https
  class-map match-all QA-group_3_HTTP
  3 match virtual-address 10.37.5.75 tcp eq www
  class-map match-all QA-group_3_HTTPS
  3 match virtual-address 10.37.5.75 tcp eq https
  class-map match-all QA-group_4_HTTP
  3 match virtual-address 10.37.5.76 tcp eq www
  class-map match-all QA-group_4_HTTPS
  3 match virtual-address 10.37.5.76 tcp eq https
  class-map match-all QA-group_5_HTTPS
  3 match virtual-address 10.37.5.77 tcp eq www
  class-map match-all QA-group_5_HTTPS
  3 match virtual-address 10.37.5.77 tcp eq https
  class-map type management match-any remote-management
  2 match protocol http any
  3 match protocol https any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol ssh any
  policy-map type management first-match remote-access
  class remote-management
  permit
  policy-map type loadbalance first-match QA-group_1_REDIRECT
  class class-default
  serverfarm SF_ QA-group_1_REDIRECT
  policy-map type loadbalance first-match QA-group_2_REDIRECT
  class class-default
  serverfarm SF_ QA-group_2_REDIRECT
  policy-map type loadbalance first-match QA-group_3_REDIRECT
  class class-default
  serverfarm SF_ QA-group_3_REDIRECT
  policy-map type loadbalance first-match QA-group_4_REDIRECT
  class class-default
  serverfarm SF_ QA-group_4_REDIRECT
  policy-map type loadbalance first-match QA-group_5_REDIRECT
  class class-default
  serverfarm SF_ QA-group_5_REDIRECT
  policy-map multi-match SERVICE_VIPS
  class QA-group_1_HTTPS
      loadbalance vip inservice
      loadbalance policy HTTPS_ QA-group_1_HTTPS _L7_BALANCED
      loadbalance vip icmp-reply
      nat dynamic 1 vlan 25
    class QA-group_1_HTTP
      loadbalance vip inservice
      loadbalance policy QA-group_1_REDIRECT
  class QA-group_2_HTTPS
      loadbalance vip inservice
      loadbalance policy HTTPS_ QA-group_2_HTTPS _L7_BALANCED
      loadbalance vip icmp-reply
      nat dynamic 1 vlan 25
    class QA-group_2_HTTP
      loadbalance vip inservice
      loadbalance policy QA-group_2_REDIRECT
  class QA-group_3_HTTPS
      loadbalance vip inservice
      loadbalance policy HTTPS_ QA-group_3_HTTPS _L7_BALANCED
      loadbalance vip icmp-reply
      nat dynamic 1 vlan 25
    class QA-group_3_HTTP
      loadbalance vip inservice
      loadbalance policy QA-group_3_REDIRECT
  class QA-group_4_HTTPS
      loadbalance vip inservice
      loadbalance policy HTTPS_ QA-group_4_HTTPS _L7_BALANCED
      loadbalance vip icmp-reply
      nat dynamic 1 vlan 25
    class QA-group_4_HTTP
      loadbalance vip inservice
      loadbalance policy QA-group_4_REDIRECT
  class QA-group_5_HTTPS
      loadbalance vip inservice
      loadbalance policy HTTPS_ QA-group_4_HTTPS _L7_BALANCED
      loadbalance vip icmp-reply
      nat dynamic 1 vlan 25
    class QA-group_5_HTTP
      loadbalance vip inservice
      loadbalance policy QA-group_4_REDIRECT
  interface vlan 25
    ip address 10.37.5.72 255.255.255.0
      access-group input everyone
    service-policy input remote-access
    service-policy input SERVICE_VIPS
    no shutdown
  ip route 0.0.0.0 0.0.0.0 10.37.5.1

  Fnu,
  Thank you so much for your reply.
  At this point I can get to the real server IP's via ping and https in a browser from my PC. I can also ping the gateway and all the real server IP's from the ACE context i'm working on. However, the VIPS are not working. When I attempt to use one of the VIPS in the browser, the request times out. When I issue the command ":show service-policy"  I see a hit count (which increments every time I try and reach the VIP via the browser) but the dropped counter is equal to the hit counter. I will paste the running config from the context I’m working in along with the output from the show service-policy command.
  Any suggestions on how I can get this working would be greatly appreciated.
  csc#  show run
  Generating configuration....
  access-list Servers line 3 extended permit tcp any any eq https
  access-list Servers line 5 extended permit tcp any any eq www
  access-list everyone line 1 extended permit ip any any
  access-list everyone line 2 extended permit icmp any any
  probe tcp probe_443
    port 443
    interval 30
    passdetect interval 5
  rserver host QA-1.1
    ip address 10.37.5.111
    inservice
  rserver host QA-1.2
    ip address 10.37.5.88
    inservice
  rserver host QA-2.1
    ip address 10.37.5.84
    inservice
  rserver host QA-2.2
    ip address 10.37.5.89
    inservice
  rserver host QA-3.1
    ip address 10.37.5.85
    inservice
  rserver host QA-3.2
    ip address 10.37.5.90
    inservice
  rserver host QA-4.1
    ip address 10.37.5.86
    inservice
  rserver host QA-4.2
    ip address 10.37.5.81
    inservice
  rserver host QA-5.1
    ip address 10.37.5.87
    inservice
  rserver host QA-5.2
    ip address 10.37.5.92
    inservice
  rserver redirect QA-group_1_redirect_rserver
    webhost-redirection https://10.37.5.93/ 302
    inservice
  rserver redirect QA-group_2_redirect_rserver
    webhost-redirection https://10.37.5.94/ 302
    inservice
  rserver redirect QA-group_3_redirect_rserver
    webhost-redirection https://10.37.5.95/ 302
    inservice
  rserver redirect QA-group_4_redirect_rserver
    webhost-redirection https://10.37.5.96/ 302
    inservice
  rserver redirect QA-group_5_redirect_rserver
    webhost-redirection https://10.37.5.97/ 302
    inservice
  serverfarm host SF_QA-group_1_HTTPS
    failaction reassign
    predictor leastconns
    probe probe_443
    rserver QA-1.1 443
      inservice
    rserver QA-1.2 443
      inservice
  serverfarm redirect SF_QA-group_1_REDIRECT
    rserver QA-group_1_redirect_rserver
      inservice
  serverfarm host SF_QA-group_2_HTTPS
    failaction reassign
    predictor leastconns
    probe probe_443
    rserver QA-2.1 443
      inservice
    rserver QA-2.2 443
      inservice
  serverfarm redirect SF_QA-group_2_REDIRECT
    rserver QA-group_2_redirect_rserver
      inservice
  serverfarm host SF_QA-group_3_HTTPS
    failaction reassign
    predictor leastconns
    probe probe_443
    rserver QA-3.1 443
      inservice
    rserver QA-3.2 443
      inservice
  serverfarm redirect SF_QA-group_3_REDIRECT
    rserver QA-group_3_redirect_rserver
      inservice
  serverfarm host SF_QA-group_4_HTTPS
    failaction reassign
    predictor leastconns
    probe probe_443
    rserver QA-4.1 443
      inservice
    rserver QA-4.2 443
      inservice
  serverfarm redirect SF_QA-group_4_REDIRECT
    rserver QA-group_4_redirect_rserver
      inservice
  serverfarm host SF_QA-group_5_HTTPS
    failaction reassign
    predictor leastconns
    probe probe_443
    rserver QA-5.1 443
      inservice
    rserver QA-5.2 443
      inservice
  serverfarm redirect SF_QA-group_5_REDIRECT
    rserver QA-group_5_redirect_rserver
      inservice
  serverfarm host SF_QA-group_HTTPS
  serverfarm host SF_QA-group__HTTPS
  sticky ip-netmask 255.255.255.255 address source SRC_QA-group_1_STICKY
    serverfarm SF_QA-group_1_HTTPS
    timeout 30
    replicate sticky
  sticky ip-netmask 255.255.255.255 address source SRC_QA-group_2_STICKY
    serverfarm SF_QA-group_2_HTTPS
    timeout 30
    replicate sticky
  sticky ip-netmask 255.255.255.255 address source SRC_QA-group_3_STICKY
    serverfarm SF_QA-group_3_HTTPS
    timeout 30
    replicate sticky
  sticky ip-netmask 255.255.255.255 address source SRC_QA-group_4_STICKY
    serverfarm SF_QA-group_4_HTTPS
    timeout 30
    replicate sticky
  sticky ip-netmask 255.255.255.255 address source SRC_QA-group_5_STICKY
    serverfarm SF_QA-group_5_HTTPS
    timeout 30
    replicate sticky
  class-map match-all QA-group_1_HTTP
    3 match virtual-address 10.37.5.93 tcp eq www
  class-map match-all QA-group_1_HTTPS
    3 match virtual-address 10.37.5.93 tcp eq https
  class-map match-all QA-group_2_HTTP
    3 match virtual-address 10.37.5.94 tcp eq www
  class-map match-all QA-group_2_HTTPS
    3 match virtual-address 10.37.5.94 tcp eq https
  class-map match-all QA-group_3_HTTP
    3 match virtual-address 10.37.5.95 tcp eq www
  class-map match-all QA-group_3_HTTPS
    3 match virtual-address 10.37.5.95 tcp eq https
  class-map match-all QA-group_4_HTTP
    3 match virtual-address 10.37.5.96 tcp eq www
  class-map match-all QA-group_4_HTTPS
    3 match virtual-address 10.37.5.76 tcp eq https
  class-map match-all QA-group_5_HTTP
    3 match virtual-address 10.37.5.97 tcp eq www
  class-map match-all QA-group_5_HTTPS
    3 match virtual-address 10.37.5.97 tcp eq https
  class-map type management match-any remote-management
    2 match protocol http any
    3 match protocol https any
    4 match protocol icmp any
    5 match protocol snmp any
    6 match protocol ssh any
  policy-map type management first-match remote-access
    class remote-management
      permit
  policy-map type loadbalance first-match QA-group_1_REDIRECT
    class class-default
  policy-map type loadbalance first-match QA-group_2_REDIRECT
    class class-default
      serverfarm SF_QA-group_2_REDIRECT
  policy-map type loadbalance first-match QA-group_3_REDIRECT
    class class-default
      serverfarm SF_QA-group_3_REDIRECT
  policy-map type loadbalance first-match QA-group_4_REDIRECT
    class class-default
      serverfarm SF_QA-group_4_REDIRECT
  policy-map type loadbalance first-match QA-group_5_REDIRECT
    class class-default
      serverfarm SF_QA-group_5_REDIRECT
  policy-map multi-match SERVICE_VIPS
    class QA-group_1_HTTPS
      loadbalance vip inservice
      loadbalance policy QA-group_1_REDIRECT
      loadbalance vip icmp-reply
    class QA-group_1_HTTP
      loadbalance vip inservice
      loadbalance policy QA-group_1_REDIRECT
    class QA-group_2_HTTPS
      loadbalance vip inservice
      loadbalance policy QA-group_2_REDIRECT
      loadbalance vip icmp-reply
    class QA-group_2_HTTP
      loadbalance vip inservice
      loadbalance policy QA-group_2_REDIRECT
    class QA-group_3_HTTPS
      loadbalance vip inservice
      loadbalance policy QA-group_3_REDIRECT
      loadbalance vip icmp-reply
    class QA-group_3_HTTP
      loadbalance vip inservice
      loadbalance policy QA-group_3_REDIRECT
    class QA-group_4_HTTPS
      loadbalance vip inservice
      loadbalance policy QA-group_4_REDIRECT
      loadbalance vip icmp-reply
    class QA-group_4_HTTP
      loadbalance vip inservice
      loadbalance policy QA-group_4_REDIRECT
    class QA-group_5_HTTPS
      loadbalance vip inservice
      loadbalance policy QA-group_5_REDIRECT
      loadbalance vip icmp-reply
    class QA-group_5_HTTP
      loadbalance vip inservice
      loadbalance policy QA-group_5_REDIRECT
  interface vlan 25
    ip address 10.37.5.98 255.255.255.0
    access-group input everyone
    service-policy input remote-access
    service-policy input SERVICE_VIPS
    no shutdown
  ip route 0.0.0.0 0.0.0.0 10.37.5.1
  csc# show service-policy SERVICE_VIPS
  Status     : ACTIVE
  Interface: vlan 25
    service-policy: SERVICE_VIPS
      class: QA-group_1_HTTPS
        loadbalance:
          L7 loadbalance policy: QA-group_1_REDIRECT
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : ENABLED
          VIP state: OUTOFSERVICE
          VIP DWS state: DWS_DISABLED
          Persistence Rebalance: DISABLED
          curr conns       : 0         , hit count        : 122      
          dropped conns    : 122      
          conns per second    : 0        
          client pkt count : 122       , client byte count: 6164               
          server pkt count : 0         , server byte count: 0                  
          conn-rate-limit      : 0         , drop-count : 0        
          bandwidth-rate-limit : 0         , drop-count : 0        
        compression:
          bytes_in  : 0                          bytes_out : 0                  
          Compression ratio : 0.00%
                  Gzip: 0               Deflate: 0        
        compression errors:
          User-Agent  : 0               Accept-Encoding    : 0        
          Content size: 0               Content type       : 0        
          Not HTTP 1.1: 0               HTTP response error: 0        
          Others      : 0        
      class: QA-group_1_HTTP
        loadbalance:
          L7 loadbalance policy: QA-group_1_REDIRECT
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : DISABLED
          VIP state: OUTOFSERVICE
          VIP DWS state: DWS_DISABLED
          Persistence Rebalance: DISABLED
          curr conns       : 0         , hit count        : 58       
          dropped conns    : 58       
          conns per second    : 0        
          client pkt count : 58        , client byte count: 3628               
          server pkt count : 0         , server byte count: 0                  
          conn-rate-limit      : 0         , drop-count : 0        
          bandwidth-rate-limit : 0         , drop-count : 0        
        compression:
          bytes_in  : 0                          bytes_out : 0                  
          Compression ratio : 0.00%
                  Gzip: 0               Deflate: 0        
        compression errors:
          User-Agent  : 0               Accept-Encoding    : 0        
          Content size: 0               Content type       : 0        
          Not HTTP 1.1: 0               HTTP response error: 0        
          Others      : 0        
      class: QA-group_2_HTTPS
        loadbalance:
          L7 loadbalance policy: QA-group_2_REDIRECT
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : ENABLED
          VIP State: INSERVICE
          VIP DWS state: DWS_DISABLED
          Persistence Rebalance: ENABLED
          curr conns       : 0         , hit count        : 13       
          dropped conns    : 0        
          conns per second    : 0        
          client pkt count : 74        , client byte count: 7648               
          server pkt count : 0         , server byte count: 0                  
          conn-rate-limit      : 0         , drop-count : 0        
          bandwidth-rate-limit : 0         , drop-count : 0        
        compression:
          bytes_in  : 0                          bytes_out : 0                  
          Compression ratio : 0.00%
                  Gzip: 0               Deflate: 0        
        compression errors:
          User-Agent  : 0               Accept-Encoding    : 0        
          Content size: 0               Content type       : 0        
          Not HTTP 1.1: 0               HTTP response error: 0        
          Others      : 0        
      class: QA-group_2_HTTP
        loadbalance:
          L7 loadbalance policy: QA-group_2_REDIRECT
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          VIP DWS state: DWS_DISABLED
          Persistence Rebalance: ENABLED
          curr conns       : 0         , hit count        : 3        
          dropped conns    : 0        
          conns per second    : 0        
          client pkt count : 12        , client byte count: 1398               
          server pkt count : 0         , server byte count: 0                  
          conn-rate-limit      : 0         , drop-count : 0        
          bandwidth-rate-limit : 0         , drop-count : 0        
        compression:
          bytes_in  : 0                          bytes_out : 0                  
          Compression ratio : 0.00%
                  Gzip: 0               Deflate: 0        
        compression errors:
          User-Agent  : 0               Accept-Encoding    : 0        
          Content size: 0               Content type       : 0        
          Not HTTP 1.1: 0               HTTP response error: 0        
          Others      : 0        
      class: QA-group_3_HTTPS
        loadbalance:
          L7 loadbalance policy: QA-group_3_REDIRECT
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : ENABLED
          VIP State: INSERVICE
          VIP DWS state: DWS_DISABLED
          Persistence Rebalance: ENABLED
          curr conns       : 0         , hit count        : 34       
          dropped conns    : 0        
          conns per second    : 0        
          client pkt count : 201       , client byte count: 23495              
          server pkt count : 0         , server byte count: 0                  
          conn-rate-limit      : 0         , drop-count : 0        
          bandwidth-rate-limit : 0         , drop-count : 0        
        compression:
          bytes_in  : 0                          bytes_out : 0                  
          Compression ratio : 0.00%
                  Gzip: 0               Deflate: 0        
        compression errors:
          User-Agent  : 0               Accept-Encoding    : 0        
          Content size: 0               Content type       : 0        
          Not HTTP 1.1: 0               HTTP response error: 0        
          Others      : 0        
      class: QA-group_3_HTTP
        loadbalance:
          L7 loadbalance policy: QA-group_3_REDIRECT
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          VIP DWS state: DWS_DISABLED
          Persistence Rebalance: ENABLED
          curr conns       : 0         , hit count        : 5        
          dropped conns    : 0        
          conns per second    : 0        
          client pkt count : 20        , client byte count: 1907               
          server pkt count : 0         , server byte count: 0                  
          conn-rate-limit      : 0         , drop-count : 0        
          bandwidth-rate-limit : 0         , drop-count : 0        
        compression:
          bytes_in  : 0                          bytes_out : 0                  
          Compression ratio : 0.00%
                  Gzip: 0               Deflate: 0        
        compression errors:
          User-Agent  : 0               Accept-Encoding    : 0        
          Content size: 0               Content type       : 0        
          Not HTTP 1.1: 0               HTTP response error: 0        
          Others      : 0        
      class: QA-group_4_HTTPS
        loadbalance:
          L7 loadbalance policy: QA-group_4_REDIRECT
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : ENABLED
          VIP State: INSERVICE
          VIP DWS state: DWS_DISABLED
          Persistence Rebalance: ENABLED
          curr conns       : 0         , hit count        : 0        
          dropped conns    : 0        
          conns per second    : 0        
          client pkt count : 0         , client byte count: 0                  
          server pkt count : 0         , server byte count: 0                  
          conn-rate-limit      : 0         , drop-count : 0        
          bandwidth-rate-limit : 0         , drop-count : 0        
        compression:
          bytes_in  : 0                          bytes_out : 0                  
          Compression ratio : 0.00%
                  Gzip: 0               Deflate: 0        
        compression errors:
          User-Agent  : 0               Accept-Encoding    : 0        
          Content size: 0               Content type       : 0        
          Not HTTP 1.1: 0               HTTP response error: 0        
          Others      : 0        
      class: QA-group_4_HTTP
        loadbalance:
          L7 loadbalance policy: QA-group_4_REDIRECT
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          VIP DWS state: DWS_DISABLED
          Persistence Rebalance: ENABLED
          curr conns       : 0         , hit count        : 2        
          dropped conns    : 0        
          conns per second    : 0        
          client pkt count : 8         , client byte count: 697                
          server pkt count : 0         , server byte count: 0                  
          conn-rate-limit      : 0         , drop-count : 0        
          bandwidth-rate-limit : 0         , drop-count : 0        
        compression:
          bytes_in  : 0                          bytes_out : 0                  
          Compression ratio : 0.00%
                  Gzip: 0               Deflate: 0        
        compression errors:
          User-Agent  : 0               Accept-Encoding    : 0        
          Content size: 0               Content type       : 0        
          Not HTTP 1.1: 0               HTTP response error: 0        
          Others      : 0        
      class: QA-group_5_HTTPS
        loadbalance:
          L7 loadbalance policy: QA-group_5_REDIRECT
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : ENABLED
          VIP State: INSERVICE
          VIP DWS state: DWS_DISABLED
          Persistence Rebalance: ENABLED
          curr conns       : 0         , hit count        : 0        
          dropped conns    : 0        
          conns per second    : 0        
          client pkt count : 0         , client byte count: 0                  
          server pkt count : 0         , server byte count: 0                  
          conn-rate-limit      : 0         , drop-count : 0        
          bandwidth-rate-limit : 0         , drop-count : 0        
        compression:
          bytes_in  : 0                          bytes_out : 0                  
          Compression ratio : 0.00%
                  Gzip: 0               Deflate: 0        
        compression errors:
          User-Agent  : 0               Accept-Encoding    : 0        
          Content size: 0               Content type       : 0        
          Not HTTP 1.1: 0               HTTP response error: 0        
          Others      : 0        
      class: QA-group_5_HTTP
        loadbalance:
          L7 loadbalance policy: QA-group_5_REDIRECT
          VIP Route Metric     : 77
          VIP Route Advertise  : DISABLED
          VIP ICMP Reply       : DISABLED
          VIP State: INSERVICE
          VIP DWS state: DWS_DISABLED
          Persistence Rebalance: ENABLED
          curr conns       : 0         , hit count        : 0        
          dropped conns    : 0        
          conns per second    : 0        
          client pkt count : 0         , client byte count: 0                  
          server pkt count : 0         , server byte count: 0                  
          conn-rate-limit      : 0         , drop-count : 0        
          bandwidth-rate-limit : 0         , drop-count : 0        
        compression:
          bytes_in  : 0                          bytes_out : 0                  
          Compression ratio : 0.00%
                  Gzip: 0               Deflate: 0        
        compression errors:
          User-Agent  : 0               Accept-Encoding    : 0        
          Content size: 0               Content type       : 0        
          Not HTTP 1.1: 0               HTTP response error: 0        
          Others      : 0        

• Load Balancing Linux servers with CSS 11050 series

  We would like to load balance Linux FTP and Web servers with a CSS 11050 series device. Does the content switch use SNMP to load balance the servers? If so, which MIBs need to be loaded on the servers?

  I dont believe that the CSS supports any SNMP load balancing mechanism.
  There is basically two factors involved in load balancing. One: the state of the servers which can be done via a range of mechanisms including ping, TCP connection, Application request, etc. Two: the way a server is chosen when a request comes in including round-robin, least connections, ACA etc.
  Checkout these links:-
  http://www.cisco.com/warp/customer/117/basic_css_lb_config.html
  http://www.cisco.com/warp/customer/117/methods_load_bal.html

• Too  Slow - Domino 6.5.4  with access manager agent 2.2 ?

  I don't know how to tune Domino 6.5.4 with access manager agent 2.2?
  I think AMAgent.properties is not good for SSO.
  Please help me to tune it.
  # $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
  # Copyright ? 2002 Sun Microsystems, Inc. All rights reserved.
  # U.S. Government Rights - Commercial software. Government users are
  # subject to the Sun Microsystems, Inc. standard license agreement and
  # applicable provisions of the FAR and its supplements. Use is subject to
  # license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
  # trademarks or registered trademarks of Sun Microsystems, Inc. in the
  # U.S. and other countries.
  # Copyright ? 2002 Sun Microsystems, Inc. Tous droits r閟erv閟.
  # Droits du gouvernement am閞icain, utlisateurs gouvernmentaux - logiciel
  # commercial. Les utilisateurs gouvernmentaux sont soumis au contrat de
  # licence standard de Sun Microsystems, Inc., ainsi qu aux dispositions en
  # vigueur de la FAR [ (Federal Acquisition Regulations) et des suppl閙ents
  # ? celles-ci.
  # Distribu? par des licences qui en restreignent l'utilisation. Sun, Sun
  # Microsystems, le logo Sun et Sun ONE sont des marques de fabrique ou des
  # marques d閜os閑s de Sun Microsystems, Inc. aux Etats-Unis et dans
  # d'autres pays.
  # The syntax of this file is that of a standard Java properties file,
  # see the documentation for the java.util.Properties.load method for a
  # complete description. (CAVEAT: The SDK in the parser does not currently
  # support any backslash escapes except for wrapping long lines.)
  # All property names in this file are case-sensitive.
  # NOTE: The value of a property that is specified multiple times is not
  # defined.
  # WARNING: The contents of this file are classified as an UNSTABLE
  # interface by Sun Microsystems, Inc. As such, they are subject to
  # significant, incompatible changes in any future release of the
  # software.
  # The name of the cookie passed between the Access Manager
  # and the SDK.
  # WARNING: Changing this property without making the corresponding change
  # to the Access Manager will disable the SDK.
  com.sun.am.cookie.name = iPlanetDirectoryPro
  # The URL for the Access Manager Naming service.
  com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
  # The URL of the login page on the Access Manager.
  com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
  # Name of the file to use for logging messages.
  com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
  # This property is used for Log Rotation. The value of the property specifies
  # whether the agent deployed on the server supports the feature of not. If set
  # to false all log messages are written to the same file.
  com.sun.am.policy.agents.config.local.log.rotate = true
  # Name of the Access Manager log file to use for logging messages to
  # Access Manager.
  # Just the name of the file is needed. The directory of the file
  # is determined by settings configured on the Access Manager.
  com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
  # Set the logging level for the specified logging categories.
  # The format of the values is
  #     <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
  # The currently used module names are: AuthService, NamingService,
  # PolicyService, SessionService, PolicyEngine, ServiceEngine,
  # Notification, PolicyAgent, RemoteLog and all.
  # The all module can be used to set the logging level for all currently
  # none logging modules. This will also establish the default level for
  # all subsequently created modules.
  # The meaning of the 'Level' value is described below:
  #     0     Disable logging from specified module*
  #     1     Log error messages
  #     2     Log warning and error messages
  #     3     Log info, warning, and error messages
  #     4     Log debug, info, warning, and error messages
  #     5     Like level 4, but with even more debugging messages
  # 128     log url access to log file on AM server.
  # 256     log url access to log file on local machine.
  # If level is omitted, then the logging module will be created with
  # the default logging level, which is the logging level associated with
  # the 'all' module.
  # for level of 128 and 256, you must also specify a logAccessType.
  # *Even if the level is set to zero, some messages may be produced for
  # a module if they are logged with the special level value of 'always'.
  com.sun.am.log.level =
  # The org, username and password for Agent to login to AM.
  com.sun.am.policy.am.username = UrlAccessAgent
  com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
  # Name of the directory containing the certificate databases for SSL.
  com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
  # Set this property if the certificate databases in the directory specified
  # by the previous property have a prefix.
  com.sun.am.certdb.prefix =
  # Should agent trust all server certificates when Access Manager
  # is running SSL?
  # Possible values are true or false.
  com.sun.am.trust_server_certs = true
  # Should the policy SDK use the Access Manager notification
  # mechanism to maintain the consistency of its internal cache? If the value
  # is false, then a polling mechanism is used to maintain cache consistency.
  # Possible values are true or false.
  com.sun.am.notification.enable = true
  # URL to which notification messages should be sent if notification is
  # enabled, see previous property.
  com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
  # This property determines whether URL string case sensitivity is
  # obeyed during policy evaluation
  com.sun.am.policy.am.url_comparison.case_ignore = true
  # This property determines the amount of time (in minutes) an entry
  # remains valid after it has been added to the cache. The default
  # value for this property is 3 minutes.
  com.sun.am.policy.am.polling.interval=3
  # This property allows the user to configure the User Id parameter passed
  # by the session information from the access manager. The value of User
  # Id will be used by the agent to set the value of REMOTE_USER server
  # variable. By default this parameter is set to "UserToken"
  com.sun.am.policy.am.userid.param=UserToken
  # Profile attributes fetch mode
  # String attribute mode to specify if additional user profile attributes should
  # be introduced into the request. Possible values are:
  # NONE - no additional user profile attributes will be introduced.
  # HTTP_HEADER - additional user profile attributes will be introduced into
  # HTTP header.
  # HTTP_COOKIE - additional user profile attributes will be introduced through
  # cookies.
  # If not within these values, it will be considered as NONE.
  com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
  # The user profile attributes to be added to the HTTP header. The
  # specification is of the format ldap_attribute_name|http_header_name[,...].
  # ldap_attribute_name is the attribute in data store to be fetched and
  # http_header_name is the name of the header to which the value needs
  # to be assigned.
  # NOTE: In most cases, in a destination application where a "http_header_name"
  # shows up as a request header, it will be prefixed by HTTP_, and all
  # lower case letters will become upper case, and any - will become _;
  # For example, "common-name" would become "HTTP_COMMON_NAME"
  com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-
  number,c|country
  # Session attributes mode
  # String attribute mode to specify if additional user session attributes should
  # be introduced into the request. Possible values are:
  # NONE - no additional user session attributes will be introduced.
  # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
  # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
  # If not within these values, it will be considered as NONE.
  com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
  # The session attributes to be added to the HTTP header. The specification is
  # of the format session_attribute_name|http_header_name[,...].
  # session_attribute_name is the attribute in session to be fetched and
  # http_header_name is the name of the header to which the value needs to be
  # assigned.
  # NOTE: In most cases, in a destination application where a "http_header_name"
  # shows up as a request header, it will be prefixed by HTTP_, and all
  # lower case letters will become upper case, and any - will become _;
  # For example, "common-name" would become "HTTP_COMMON_NAME"
  com.sun.am.policy.agents.config.session.attribute.map=
  # Response Attribute Fetch Mode
  # String attribute mode to specify if additional user response attributes should
  # be introduced into the request. Possible values are:
  # NONE - no additional user response attributes will be introduced.
  # HTTP_HEADER - additional user response attributes will be introduced into
  # HTTP header.
  # HTTP_COOKIE - additional user response attributes will be introduced through
  # cookies.
  # If not within these values, it will be considered as NONE.
  com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
  # The response attributes to be added to the HTTP header. The specification is
  # of the format response_attribute_name|http_header_name[,...].
  # response_attribute_name is the attribute in policy response to be fetched and
  # http_header_name is the name of the header to which the value needs to be
  # assigned.
  # NOTE: In most cases, in a destination application where a "http_header_name"
  # shows up as a request header, it will be prefixed by HTTP_, and all
  # lower case letters will become upper case, and any - will become _;
  # For example, "common-name" would become "HTTP_COMMON_NAME"
  com.sun.am.policy.agents.config.response.attribute.map=
  # The cookie name used in iAS for sticky load balancing
  com.sun.am.policy.am.lb.cookie.name = GX_jst
  # indicate where a load balancer is used for Access Manager
  # services.
  # true | false
  com.sun.am.load_balancer.enable = false
  ####Agent Configuration####
  # this is for product versioning, please do not modify it
  com.sun.am.policy.agents.config.version=2.2
  # Set the url access logging level. the choices are
  # LOG_NONE - do not log user access to url
  # LOG_DENY - log url access that was denied.
  # LOG_ALLOW - log url access that was allowed.
  # LOG_BOTH - log url access that was allowed or denied.
  com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
  # Agent prefix
  com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
  # Locale setting.
  com.sun.am.policy.agents.config.locale = en_US
  # The unique identifier for this agent instance.
  com.sun.am.policy.agents.config.instance.name = unused
  # Do SSO only
  # Boolean attribute to indicate whether the agent will just enforce user
  # authentication (SSO) without enforcing policies (authorization)
  com.sun.am.policy.agents.config.do_sso_only = true
  # The URL of the access denied page. If no value is specified, then
  # the agent will return an HTTP status of 403 (Forbidden).
  com.sun.am.policy.agents.config.accessdenied.url =
  # This property indicates if FQDN checking is enabled or not.
  com.sun.am.policy.agents.config.fqdn.check.enable = true
  # Default FQDN is the fully qualified hostname that the users should use
  # in order to access resources on this web server instance. This is a
  # required configuration value without which the Web server may not
  # startup correctly.
  # The primary purpose of specifying this property is to ensure that if
  # the users try to access protected resources on this web server
  # instance without specifying the FQDN in the browser URL, the Agent
  # can take corrective action and redirect the user to the URL that
  # contains the correct FQDN.
  # This property is set during the agent installation and need not be
  # modified unless absolutely necessary to accommodate deployment
  # requirements.
  # WARNING: Invalid value for this property can result in the Web Server
  # becoming unusable or the resources becoming inaccessible.
  # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
  # com.sun.am.policy.agents.config.fqdn.map
  com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
  # The FQDN Map is a simple map that enables the Agent to take corrective
  # action in the case where the users may have typed in an incorrect URL
  # such as by specifying partial hostname or using an IP address to
  # access protected resources. It redirects the browser to the URL
  # with fully qualified domain name so that cookies related to the domain
  # are received by the agents.
  # The format for this property is:
  # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
  # This property can also be used so that the agents use the name specified
  # in this map instead of the web server's actual name. This can be
  # accomplished by doing the following.
  # Say you want your server to be addressed as xyz.hostname.com whereas the
  # actual name of the server is abc.hostname.com. The browsers only knows
  # xyz.hostname.com and you have specified polices using xyz.hostname.com at
  # the Access Manager policy console, in this file set the mapping as
  # com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
  # Another example is if you have multiple virtual servers say rst.hostname.com,
  # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
  # abc.hostname.com and each of the virtual servers have their own policies
  # defined, then the fqdnMap should be defined as follows:
  # com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
  # WARNING: Invalid value for this property can result in the Web Server
  # becoming unusable or the resources becoming inaccessible.
  com.sun.am.policy.agents.config.fqdn.map =
  # Cookie Reset
  # This property must be set to true, if this agent needs to
  # reset cookies in the response before redirecting to
  # Access Manager for Authentication.
  # By default this is set to false.
  # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
  com.sun.am.policy.agents.config.cookie.reset.enable=false
  # This property gives the comma separated list of Cookies, that
  # need to be included in the Redirect Response to Access Manager.
  # This property is used only if the Cookie Reset feature is enabled.
  # The Cookie details need to be specified in the following Format
  # name[=value][;Domain=value]
  # If "Domain" is not specified, then the default agent domain is
  # used to set the Cookie.
  # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
  # token=value;Domain=subdomain.domain.com
  com.sun.am.policy.agents.config.cookie.reset.list=
  # This property gives the space separated list of domains in
  # which cookies have to be set in a CDSSO scenario. This property
  # is used only if CDSSO is enabled.
  # If this property is left blank then the fully qualified cookie
  # domain for the agent server will be used for setting the cookie
  # domain. In such case it is a host cookie instead of a domain cookie.
  # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
  com.sun.am.policy.agents.config.cookie.domain.list=
  # user id returned if accessing global allow page and not authenticated
  com.sun.am.policy.agents.config.anonymous_user=anonymous
  # Enable/Disable REMOTE_USER processing for anonymous users
  # true | false
  com.sun.am.policy.agents.config.anonymous_user.enable=false
  # Not enforced list is the list of URLs for which no authentication is
  # required. Wildcards can be used to define a pattern of URLs.
  # The URLs specified may not contain any query parameters.
  # Each service have their own not enforced list. The service name is suffixed
  # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
  # for a particular service. SPACE is the separator between the URL.
  com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?
  OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
  # Boolean attribute to indicate whether the above list is a not enforced list
  # or an enforced list; When the value is true, the list means enforced list,
  # or in other words, the whole web site is open/accessible without
  # authentication except for those URLs in the list.
  com.sun.am.policy.agents.config.notenforced_list.invert = false
  # Not enforced client IP address list is a list of client IP addresses.
  # No authentication and authorization are required for the requests coming
  # from these client IP addresses. The IP address must be in the form of
  # eg: 192.168.12.2 1.1.1.1
  com.sun.am.policy.agents.config.notenforced_client_ip_list =
  # Enable POST data preservation; By default it is set to false
  com.sun.am.policy.agents.config.postdata.preserve.enable = false
  # POST data preservation : POST cache entry lifetime in minutes,
  # After the specified interval, the entry will be dropped
  com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
  # Cross-Domain Single Sign On URL
  # Is CDSSO enabled.
  com.sun.am.policy.agents.config.cdsso.enable=false
  # This is the URL the user will be redirected to for authentication
  # in a CDSSO Scenario.
  com.sun.am.policy.agents.config.cdcservlet.url =
  # Enable/Disable client IP address validation. This validate
  # will check if the subsequent browser requests come from the
  # same ip address that the SSO token is initially issued against
  com.sun.am.policy.agents.config.client_ip_validation.enable = false
  # Below properties are used to define cookie prefix and cookie max age
  com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
  com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
  # Logout URL - application's Logout URL.
  # This URL is not enforced by policy.
  # if set, agent will intercept this URL and destroy the user's session,
  # if any. The application's logout URL will be allowed whether or not
  # the session destroy is successful.
  com.sun.am.policy.agents.config.logout.url=
  #http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
  # Any cookies to be reset upon logout in the same format as cookie_reset_list
  com.sun.am.policy.agents.config.logout.cookie.reset.list =
  # By default, when a policy decision for a resource is needed,
  # agent gets and caches the policy decision of the resource and
  # all resource from the root of the resource down, from the Access Manager.
  # For example, if the resource is http://host/a/b/c, the the root of the
  # resource is http://host/. This is because more resources from the
  # same path are likely to be accessed subsequently.
  # However this may take a long time the first time if there
  # are many many policies defined under the root resource.
  # To have agent get and cache the policy decision for the resource only,
  # set the following property to false.
  com.sun.am.policy.am.fetch_from_root_resource = true
  # Whether to get the client's hostname through DNS reverse lookup for use
  # in policy evaluation.
  # It is true by default, if the property does not exist or if it is
  # any value other than false.
  com.sun.am.policy.agents.config.get_client_host_name = false
  # The following property is to enable native encoding of
  # ldap header attributes forwarded by agents. If set to true
  # agent will encode the ldap header value in the default
  # encoding of OS locale. If set to false ldap header values
  # will be encoded in UTF-8
  com.sun.am.policy.agents.config.convert_mbyte.enable = false
  #When the not enforced list or policy has a wildcard '*' character, agent
  #strips the path info from the request URI and uses the resulting request
  #URI to check against the not enforced list or policy instead of the entire
  #request URI, in order to prevent someone from getting access to any URI by
  #simply appending the matching pattern in the policy or not enforced list.
  #For example, if the not enforced list has the value http://host/*.gif,
  #stripping the path info from the request URI will prevent someone from
  #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
  #However when a web server (for exmample apache) is configured to be a reverse
  #proxy server for a J2EE application server, path info is interpreted in a different
  #manner since it maps to a resource on the proxy instead of the app server.
  #This prevents the not enforced list or policy from being applied to part of
  #the URI below the app serverpath if there is a wildcard character. For example,
  #if the not enforced list has value http://host/webapp/servcontext/* and the
  #request URL is http://host/webapp/servcontext/example.jsp the path info
  #is /servcontext/example.jsp and the resulting request URL with path info stripped
  #is http://host/webapp, which will not match the not enforced list. By setting the
  #following property to true, the path info will not be stripped from the request URL
  #even if there is a wild character in the not enforced list or policy.
  #Be aware though that if this is set to true there should be nothing following the
  #wildcard character '*' in the not enforced list or policy, or the
  #security loophole described above may occur.
  com.sun.am.policy.agents.config.ignore_path_info = false
  # Override the request url given by the web server with
  # the protocol, host or port of the agent's uri specified in
  # the com.sun.am.policy.agents.agenturiprefix property.
  # These may be needed if the agent is sitting behind a ssl off-loader,
  # load balancer, or proxy, and either the protocol (HTTP scheme),
  # hostname, or port of the machine in front of agent which users go through
  # is different from the agent's protocol, host or port.
  com.sun.am.policy.agents.config.override_protocol =
  com.sun.am.policy.agents.config.override_host =
  com.sun.am.policy.agents.config.override_port =
  # Override the notification url in the same way as other request urls.
  # Set this to true if any one of the override properties above is true,
  # and if the notification url is coming through the proxy or load balancer
  # in the same way as other request url's.
  com.sun.am.policy.agents.config.override_notification.url =
  # The following property defines how long to wait in attempting
  # to connect to an Access Manager AUTH server.
  # The default value is 2 seconds. This value needs to be increased
  # when receiving the error "unable to find active Access Manager Auth server"
  com.sun.am.policy.agents.config.connection_timeout =
  # Time in milliseconds the agent will wait to receive the
  # response from Access Manager. After the timeout, the connection
  # will be drop.
  # A value of 0 means that the agent will wait until receiving the response.
  # WARNING: Invalid value for this property can result in
  # the resources becoming inaccessible.
  com.sun.am.receive_timeout = 0
  # The three following properties are for IIS6 agent only.
  # The two first properties allow to set a username and password that will be
  # used by the authentication filter to pass the Windows challenge when the Basic
  # Authentication option is selected in Microsoft IIS 6.0. The authentication
  # filter is named amiis6auth.dll and is located in
  # Agent_installation_directory/iis6/bin. It must be installed manually on
  # the web site ("ISAPI Filters" tab in the properties of the web site).
  # It must also be uninstalled manually when unintalling the agent.
  # The last property defines the full path for the authentication filter log file.
  com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
  com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
  com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilter

  Hi,
  I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
  2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
  I have the box to identify but it doesnot connect me on my opensso server.
  It still identify with Domino's server
  Thanks for your response
  Thomas

• How to load balance Agents across multiple Oracle Management Servers?

  Hi everyone
  We have the 2 OMS servers in our OEM environment. We would like to set up our management agents to load balance over these 2 servers...Or if not load balance then at least set up the agents so they can access either/or OMS.
  I've looked through the documentation and in google, but can't seem to find the answer.
  Can someone point me towards the documentation please
  Thanks
  R

  OMS is just an appserver with a repository. You can load balance the appservers with an F5. You can load balance the repository with RAC.
  So ... your options for load balancing and resilience are :-
  1. one agent on each server, multiple OMS appservers load balanced, one RAC database (with dataguard standby)
  2. two agents per server, two appservers, two repositories.
  Both architectures work. Option 1 offers the best load balancing and resilience.

• Problem with Access Manager intergration

  Hi,
  I'm integrating Identity Manager and Access Manager.
  I've configured the End User interface to use Access Manager for authentication, and I have (as far as I can tell) everything else set up and working correctly. When I access the end user pages I get the following error:
  Access Manager (Sun Access Manager Realm):Successfully authenticated '00000001' on resource 'Access Manager' and found a Lighthouse user with the same accountId, but no matching resource accountIdI've checked and confirmed that there is an attribute being passed in the header
  'sois_user = 00000001'
  And I have the following defined:
        <Attribute name='common resources'>
          <Object>
            <Attribute name='AM Resources'>
              <List>
                <String>Enterprise Directory</String>
                <String>Access Manager</String>
              </List>
            </Attribute>
          </Object>
        </Attribute>I suspect that it is the common resources that is failing, because its looking for an accountId that matches the DN of the account in LDAP rather than the LogonID. Can anyone provide pointers on how to resolve this?
  All suggestions gladly received,
  R

  Michael,
  Thanks for your help, I understand your answer. However, I am using the Access Manager realm adapter which the docs say can't manage users, so no account is being exposed there.
  I have found the solution though and it involves a couple of steps:
  Firstly, the sois_user value that is passed by the header has to be the DN of the LDAP account.
  Secondly, I think the order of the accounts in the 'common resources' definition needs to have the LDAP resource defined first.
  Finally, the Login group needs to have both the Access Manager and LDAP login modules.
  With these 3 components in place, SSO to IdM works.
  R

• Load balancing sftp servers on css11503

  I have an 11503 and I am trying to load balance sftp servers behind it. not sure why it's not working.
  here is the content rule:
  content test_sftp
  add service www1_sftp
  add service www2_sftp
  port 22
  protocol tcp
  balance aca
  advanced-balance sticky-srcip
  vip address 172.17.0.248
  active
  here are the service rules:
  service www1_sftp
  ip address 172.17.0.27
  protocol tcp
  keepalive port 22
  keepalive type tcp
  active
  service www2_sftp
  ip address 172.17.0.25
  protocol tcp
  keepalive port 22
  keepalive type tcp
  active
  couple of questions:
  1) do I need to set up a source group like I would have to for ftp? Does the return traffic from the servers need to be NAT'd back out as the VIP?
  2) the content rule and service rules are all set for port 22 only....is that enough ports open for the control and data channels? I think sftp uses port 22 for both.
  Any assistance would be greatly appreciated.
  Thanks!
  Sandeep

  You definitely need a group to nat the data-channel.
  But I'm not even sure that will make it work.
  You can give it a try so.
  Gilles.

• ACE to load balance Citrix servers

  Hello,
  Have anyone configured ACE Modules to load balance Citrix Servers (HTTP) ?
  Any special considerations needed?
  Many thanks,

  HI Javier,
  There is one complete design guide available on ciso site.
  Kindly go through the below mentioned URL for complete config for ACE to load balance CITRIX as follows:
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/App_Networking/citrixdg_final.html
  You will get othe design guides also which can be very useful:
  http://www.cisco.com/en/US/netsol/ns751/networking_solutions_design_guidances_list.html
  Sachin Garg

• Load balancing outgoing mail with 3 outgoing servers

  We are trying to balance our mail out with 3 separate mail servers from our incoming server. Our organization sends alot of mail and we wanted to balance it with 3 outgoing SMTP servers. We have them all working, in the zone for the primary DNS and incoming mail server. And we can get mail to go out on the three servers, BUT and this is a problem if the mail includes any messages to the network (hence the incoming server) then the SMTP servers complain they cannot find it and give a error message about not being able to connect to deliver any local mails out of the bulk mail we send. Any ideas how to get the SMTP to see the incoming mail server (which is the DNS server for network) and deliver mail to accounts on the network? Maybe we are doing something that OS X SNL server cannot do? Any ideas.
  I will post the error message later but I need to leave for meeting for now.
  Thanks
  Russ

  Here is error message we get:
  Mar 17 21:34:45 mailout1 postfix/smtp[32307]: connect to mail.vineyardil.net [173.161.44.97]:25 Operation timed out
  Mar 17 21:34:45 mailout1 postfix/smtp[32307]: DE90A1AF591: to =<[email protected]>, relay=none, delay=23732, delays=23701/0.01/30/0, dsn4.4.1, status=deferred (connect to mail.vineyardil.net [173.161.44.97]:25 Operation timed out)
  To explain mailout1 is the first one in priority of outgoing separate SMTP servers we set up in the zone of mail.vineyardil.net which is the DNS server. They send out ok all outgoing mail to other addresses as we wanted them (rather than having mail.vineyardil.net do it) but when we send to an address with vineyardil.net on it then we get this same message.
  It seems like mailout1 cannot send to the incoming server. Note the ip address it gives is the ip of the cable modem on this network not the ip address locally in the net we have.
  Our MX records all look good and things work with mail if we use it both as incoming and outgoing (SMTP) but when we use the secondary servers for outgoing they seem to not be able to send to this server. Is there something we should look for?
  Is SL server not capable of what we are trying? Any feedback would be most appreciated. We would like to really use this setup as I explained to do load balancing of mail as part of our attempt on this new network to get our bulk mailing split up between the 3 outgoing servers so we will not be labeled spam by the security systems out there these days like it was on our old network.
  Thanks for your time.
  Russ Jacobson

• FRM-92101: Load Balancing Forms 10g with Webcache

  Hi,
  I´m having some problems with Oracle Forms and Webcache 10g and I was wondering if you
  could help.
  Machines: (Pentium IV 2.6 GHz; 2GB RAM; 80GB HD)
  A. Red Hat Linux AS 2.1
  Oracle AS 10g - Infrastructure Installation
  B. Windows 2000 Server - Service Pack 4
  Oracle AS 10g - BI and Forms Installation (Using Infrastructure on machine A)
  C. Windows 2000 Server - Service Pack 4
  Oracle AS 10g - BI and Forms Installation (Using Infrastructure on machine A)
  I didn´t apply any Patchsets of Oracle AS 10g. My current version is 9.0.4.0 .
  Goal:
  Use Oracle Webcache 10g on machine B for Load Balancing an Oracle Forms Application
  on machines B and C.
  Facts:
  The Oracle AS 10g installation on the 3 machines was made without problems.
  The Forms Applications are running without problems on both Forms servers in machine B and C.
  Symptoms:
  I´m getting the following error when I try to access the forms application through Webcache:
  FRM-92101: There was a failure in the forms server during startup.
  This could happen due to invalid configuration.
  Please look in the web-server log file for details.
  But, this error happens ONLY when BOTH OC4J_BI_Forms instances (machines B and C) are
  running.
  When just one of the OC4J_BI_Forms is running everything works fine.
  Webcache Configuration:
  I´ve followed Metalink note 207668.1: Configuring Web Cache as a Load Balancer for Application Servers
  step by step to make the configuration of the following components:
  1. Configuration of the origin servers
  2. Configuration of Site definitions
  3. Configuration of Site to server mapping
  After that, I´ve follwed the Metalink note 229900.1: Integrating and using Web Cache with Forms 9i for Load Balancing
  step by step to make the configuration of the following components:
  4. Session Binding
  Then I try to test the Load Balancing and I got the error FRM-92101 when both OC4J_BI_Forms
  instance were running.
  I´ve searched Metalink and found note 268830.1: Webcache Won't Load Balance 2 Forms Instances.
  Following the note instructions I did the following changes:
  Added these lines at the end of HTTPD.conf (machine B):
  CookieTracking On
  CookieName myformscookie1
  Added these lines at the end of HTTPD.conf (machine C):
  CookieTracking On
  CookieName myformscookie2
  In Webcache configuration:
  I´ve Changed the default session binding from JSESSIONID to "ANY SET COOKIE" for the
  site's session binding.
  But even after these changes I´m getting FRM-92101 error on the same conditions.
  How can I solve this problem ?
  Thank you in advance.
  Marcus Santos.
  ([email protected])

  Did you ever Get this to work?
  I am having some problems trying to load balance with Oracle Forms, Discover and reports Oracle Application Server Release 10g (9.0.4.0.2) and I was wondering if you could help. Has any one ever got this to work consistently? We are an ERP product written mostly in forms (904) and are trying to implement are largest customer there performance issue so we need the load balancing to work. Will also accept other recommendation as cost effective as solutions.
  Site 1:
  A: SERVER –
  •     Host as1.xyzco.local
  •     Version 10.1.2.0.2
  •     Installation Type Identity Management and Metadata Repository
  •     Oracle Home E:\oracle\inf_1012
  •     Farm as1db.xyzco.net
  o     HTTP_Server
  o     Internet Directory
  o     OC4J_SECURITY
  o     Single Sign-On:orasso
  o     Management
  B SERVER –
  •     Host as2. xyzco.local
  •     Version 9.0.4.0.2
  •     Installation Type Business Intelligence and Forms
  •     Oracle Home E:\oracle\mid_904
  •     Farm as2db. xyzco.net
  o     Discoverer
  o     Forms
  o     home
  o     HTTP_Server
  o     OC4J_BI_Forms
  o     Reports Server
  o     Web Cache
  o     Management
  C SERVER –
  •     Host as3. xyzco.local
  •     Version 9.0.4.0.2
  •     Installation Type Business Intelligence and Forms – Discoverer and Reports
  •     Oracle Home E:\oracle\mid_904
  •     Farm as2db. xyzco.net
  o      Discoverer
  o     Forms
  o     home
  o     HTTP_Server
  o     OC4J_BI_Forms
  o     Reports Server
  o     Web Cache
  o     Management
  All servers Are:
  •     Windows 2003 Standard Server with current service packs
  •     Xeon Dual Processor with 4GB ram
  •     Raid 0 drives 2 for OS and 2 for Oracle
  Daniel Brody
  [email protected]

• External Load Balancing OAM11g Servers

  With OAM 11g, DB 11.2.0.1, RHEL5.6, and WLS 10.3.5... we have clustered the managed servers and all that displays, starts, stops as expected -- hosts are H1 and H2. We also have an external load balancer (haproxy). By "external", I mean that the host (PRHost) where the protected resource (PR) resides is outside the LB and all of the OAM infrastructure is inside the LB. We actually have 2 layers of LB because we are also trying to create a disaster recovery site, but for now we'll concentrate on the just the webgate and the LB.
  We have installed WLS 10.3.5, OHS 11.1.1.2, and have deployed a PR on the PRHost. We then installed the 11g webgate on PRHost and instantiated the webgate within the OAM Server on H1 and moved the artifacts to the PRHost.
  The question is fairly simple -- at least from my perspective -- the webgate gets its connection information from the ObAccessClient.xml artifact created when the webgate was added to the OAM Server. The only connection the webgate understands is the listing of the primary/secondary OAM Servers within that artifact.
  QUESTION:+ When we access the protected resource, how will it know to go through the external LB if the only connection information it has is the OAM Server? We realize that there is LB information within the OAM Server setup, but this means that in order to determine where the LB is, we need to first access the OAM Server setup. We require the PR to first go through the LB to find an available OAM server, but there appears to be nothing on the PR webgate to inform it how to find the LB.

  Luis,
  you need the command 'portmap disable' available in 5.01 and 5.03
  gilles.

• Load Balancing Forms Services with an effective healthcheck

  I am in the process of configuring two forms 11.1.2 servers running with weblogic 10.3.5 with multiple forms applications clustered across both physical servers. We are looking to load balance to the various forms applications using a hardware load balancer. Can anyone comment on their experience with setting up effective application healthchecks using either hardware or software load balancers?
  For example say that we have 3 applications clustered across 2 servers with the following
  URLs:
  http://server01:7777/forms/frmservlet?config=myapp1
  http://server01:7777/forms/frmservlet?config=myapp2
  http://server01:7777/forms/frmservlet?config=myapp3
  http://server02:7777/forms/frmservlet?config=myapp1
  http://server02:7777/forms/frmservlet?config=myapp2
  http://server02:7777/forms/frmservlet?config=myapp3
  We would need a checking mechanism on the load balancer that could tell if myapp2 was down on say server01 and therefore block traffic to that application yet keep traffic open for the other 2 apps on the same server.
  A specific difficulty with forms is that when the database behind the application is down forms services will return an error message within a displayed error form. From the load balancer's point of view the forms services are "up". We need to find a way of detecting that the application is actually available and not just that the forms services themselves are available. To detect that the forms services are available we might normally use the status check:
  http://server01:7777/forms/frmservlet?ifcmd=status
  however this will only tell use the availability of the forms services on a physical server and not whether any actual applications are available.
  I am aware that f5 do a BIGIP offering that includes some Oracle Forms specific components. Can anyone comment on how they have setup Oracle Forms healthchecks using various load balancing methods. In particular if a load balancer is limited to using WGET commands to check HTTP returned content is there a way of checking a forms application's availability and if not how have other people achieved an effective healthcheck?
  Many thanks,
  Philippe

  Did you ever Get this to work?
  I am having some problems trying to load balance with Oracle Forms, Discover and reports Oracle Application Server Release 10g (9.0.4.0.2) and I was wondering if you could help. Has any one ever got this to work consistently? We are an ERP product written mostly in forms (904) and are trying to implement are largest customer there performance issue so we need the load balancing to work. Will also accept other recommendation as cost effective as solutions.
  Site 1:
  A: SERVER –
  •     Host as1.xyzco.local
  •     Version 10.1.2.0.2
  •     Installation Type Identity Management and Metadata Repository
  •     Oracle Home E:\oracle\inf_1012
  •     Farm as1db.xyzco.net
  o     HTTP_Server
  o     Internet Directory
  o     OC4J_SECURITY
  o     Single Sign-On:orasso
  o     Management
  B SERVER –
  •     Host as2. xyzco.local
  •     Version 9.0.4.0.2
  •     Installation Type Business Intelligence and Forms
  •     Oracle Home E:\oracle\mid_904
  •     Farm as2db. xyzco.net
  o     Discoverer
  o     Forms
  o     home
  o     HTTP_Server
  o     OC4J_BI_Forms
  o     Reports Server
  o     Web Cache
  o     Management
  C SERVER –
  •     Host as3. xyzco.local
  •     Version 9.0.4.0.2
  •     Installation Type Business Intelligence and Forms – Discoverer and Reports
  •     Oracle Home E:\oracle\mid_904
  •     Farm as2db. xyzco.net
  o      Discoverer
  o     Forms
  o     home
  o     HTTP_Server
  o     OC4J_BI_Forms
  o     Reports Server
  o     Web Cache
  o     Management
  All servers Are:
  •     Windows 2003 Standard Server with current service packs
  •     Xeon Dual Processor with 4GB ram
  •     Raid 0 drives 2 for OS and 2 for Oracle
  Daniel Brody
  [email protected]

• Configuring ACE 4710 for Load Balancing Speech servers

  Hello, I'm configuring ACE 4710's for the first time and I want to load balance my Nuance speech servers on port 554. Here's my configuration on ACE01:
  hostname ace471001
  interface gigabitEthernet 1/1
    switchport access vlan 1000
    no shutdown
  interface gigabitEthernet 1/2
    shutdown
  interface gigabitEthernet 1/3
    shutdown
  interface gigabitEthernet 1/4
    shutdown
  access-list ALL line 8 extended permit ip any any
  rserver host nss01
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  interface vlan 1000
    ip address 10.20.17.21 255.255.248.0
    access-group input ALL
    service-policy input remote_mgmt_allow_policy
    no shutdown
  How would I configure my speech server to isten on 554?
  Thanks in advance

  Hello Reginald
  Currently you have only basic network configuration, there is no loadbalancing config
  I'm not sure what exactly you're asking about , but basically you need to have
  - real servers configured on ACE (
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp999495)
  - serverfarm configured on ACE (
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/rsfarms.html#wp1014522)
  - L7 policy map (
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1171109 ,
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1027248 )
  - L4 policy map , class-map (
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1027819)
  And then apply it on necessary interface.
  This is a general configuration, in your specific case you may need to configure some additinal features (e.g. I think you will need to have stickiness enabled
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html but it depends on your application)
  links are for old config guids , but basic is pretty much the same for all versions.
  Please check them and try to narrow down your question a bit.

• Load Balancing Two Servers

  i have two Solaris servers running 9iAS R2 OC4j.
  current patch level is 9.0.2.3
  i'm trying to load balance the instances according
  to the instructions in this document:
  Oracle9i Application Server: mod_oc4j Technical Overview
  all i should need to do is run the command:
  dcmctl addOPMNLink <IP>:<PORT>
  but when i do this i get this error:
  ADMN-906026
  i could not find any info on this error with searches of:
  Google, Google Groups, Oracle MetaLink, Oracle OTN.
  ideas? suggestions? anything?
  thanks,
  .rich

  Rich -- if you have installed the Oracle9iAS instances and associated them with the infrastructure, then you don't need to perform the manual clustering operations which are contained in the doc you reference.
  By associating with the infrastructure (as the error message indicates you have done), the components should all be associated with one another and you'll be working in what we call a managed cluster mode.
  If you do have the instances associated with the infrastructure, then what you need to do is use the management console (or dcmctl) to create a cluster and then add the two instances to the cluster. This will then mean that the same applications get deployed to the two instances, and will add an Oc4jMount point to OHS that will allow the incoming requests to be dispatched to the two backend instances.
  There should be a guide on OTN (HA Guide, Concepts Guide) which explains the concepts behind these terms if you need.
  Here's the dcmctl commands to create a cluster then add the instances to the cluster (this is from my 904 instance, I don't have a 902 instance installed)
  [oracle@peterman ~]$ dcmctl -help createcluster
  createCluster
  Creates a managed Oracle Application Server cluster.
  Note
  Oracle recommends that Oracle Application Server Clusters using a file based repository contain four (4) or less than four instances.
  Type
  Configuration Management
  Syntax
  createCluster -cl cluster_name
  Description
  A managed cluster is created.
  Notes for using createCluster:
  You must issue this command in the Oracle home of an instance that
  belongs to a farm (that is, is associated with a metadata repository).
  The cluster will be created in that farm.
  The cluster has no members when created. You can add members using
  joinCluster.
  You can create an unlimited number of clusters.
  Example
  dcmctl createCluster -cl cluster1
  [oracle@peterman ~]$ dcmctl -help joincluster
  joinCluster
  Adds an Oracle Application Server instance to the named managed cluster.
  Notes for using Oracle Application Server clusters:
  Oracle Application Server supports heterogeneous instances as part of the same farm. For example, an instance running on Solaris Operating System, an instance running on a Linux system, and an instance running on an HP-UX system can reside in the same farm.
  Oracle Application Server instances that you want to be part of a cluster must be installed on identical operating systems
  Oracle recommends that Oracle Application Server Clusters using a file based repository contain four (4) or less than four instances.
  If you are using Oracle Enterprise Manager Application Server Control, then, after issuing the dcmctl joinCluster command, you must stop and then start Oracle Enterprise Manager Application Server Control using the commands:
  %emctl stop iasconsole
  %emctl start iasconsole
  Type
  Configuration Management
  Syntax
  joinCluster -cl cluster_name [-i instance_name]
  Description
  Adds an application server instance to the managed Oracle Application Server cluster specified with the -cl option. By default, this command uses the local instance. You can specify a different instance with the -i option. The instance must be a member of the same farm as the
  cluster. There is no limit to the number of instances you can add to a cluster. An instance is stopped after being added to a cluster, so you must manually start it.
  Example
  To add the local application server instance to cluster1 and restart
  it:
  dcmctl joinCluster -cl cluster1
  dcmctl start
  To add instance1 to cluster1 and restart it:
  dcmctl joinCluster -cl cluster1 -i instance1
  dcmctl start -i instance1
  cheers
  -steve-