SSL Certificate and F5 load balancer.

Hi All,
I need to create an SSL certificate to enable SSL on the HTTP server. Can you please give me the steps for that? I also need to configure SSL on the load balancer; how would I do that? I will be thankful if anybody can provide me detailed steps. Thanks in advance.
Thanks,
Virendra

Hi,
What is the application release?
For SSL, please see these documents.
Note: 123718.1 - 11i: A Guide to Understanding and Implementing SSL for Oracle Applications
Note: 300969.1 - Troubleshooting SSL with Oracle Applications 11i
Note: 376700.1 - Enabling SSL in Release 12
For Load Balancing, please refer to:
Note: 380489.1 - Using Load-Balancers with Oracle E-Business Suite Release 12
Note: 727171.1 - Implementing Load Balancing On Oracle E-Business Suite - Documentation For Specific Load Balancer Hardware
Note: 601694.1 - How To Check Session Persistence On BigIP F5 And Cisco Ace Load Balancer Appliances
Note: 603325.1 - Using Cisco ACE Series Application Control Engine with Oracle E-Business Suite Release 12
Regards,
Hussein

Similar Messages

  • SSL termination using Hardware Load Balancer

    We are trying to implement SSL at the Hardware LoadBalancer layer and terminate the SSL there.  Architecture includes Apache Reverse Proxy and Portal server running EP7 SP18.  In this scenario we want encryption between the client browser and the Load Balancer (BigIP F5).  The Load balancer will then decrypt the request and send it to the Apache reverse proxy on port 80.  Apache Reverse proxy will send request to Portal J2EE engine on the http port.
    This scenario seems to work in most cases but we are having issues with the standard portal login page.  The login page is sent to the browser on https but when entering credentials and selecting the login button a request gets generated on port 80, not 443 (https) and is not serviced by the load balancer.  99% of the requests that get generated from the client browser stay on port 443 as expected but for some reason this particular request switches to port 80.
    How can we keep all requests generated on port 443 (https)?

    Hello Brian (all)
    I am facing the same issue - except we do not have the Apache proxy in the setup..... just HTTPS to a Cisco ACE load balancer and then HTTP to the portal. 
    Nearly all of the portal content is working great, but am facing the situation that some ESS content is switching to HTTP.  In discussing with the network team, they have done the following:
    1/ Replies from the portal server back to the client have an SSL rewrite performed, which modifies a 301 or 302 reply and changes http URLs to https.
    2/ The load balancer adds an HTTP header "ClientProtocol https" to the request it sends to the portal server.
    They feel we need to find a way to have the portal server only send either references with no host:header (i.e. http) or only send host:header with https to keep it all SSL.
    Any advice?
    Edited by: Eric Poellinger on Jan 5, 2011 5:09 AM
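
An added example, not part of the original posts, of the two measures Eric describes (the 301/302 rewrite and the ClientProtocol header), plus a check for absolute http:// links in a page body, which a rewrite of the Location header does not change. The host name, load balancer address and sample HTML are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

PUBLIC_HOST = "portal.example.com"  # assumed public name served by the load balancer
LB_ADDRS = {"10.0.0.5"}             # assumed address the load balancer connects from


def rewrite_location(status, headers, public_host=PUBLIC_HOST):
    """Model of the SSL rewrite: on a 301/302, change an http:// Location
    for our own host to https:// (dropping any explicit :80)."""
    out = dict(headers)
    loc = out.get("Location")
    if status in (301, 302) and loc:
        p = urlsplit(loc)
        if p.scheme == "http" and p.hostname == public_host:
            out["Location"] = urlunsplit(
                ("https", public_host, p.path, p.query, p.fragment))
    return out


_ABS_HTTP = re.compile(
    r"""\b(?:action|href|src)\s*=\s*["'](http://[^"']+)["']""", re.I)


def insecure_body_refs(html, public_host=PUBLIC_HOST):
    """List absolute http:// URLs for our own host inside an HTML body.
    These reach the browser unchanged when only Location is rewritten."""
    return [u for u in _ABS_HTTP.findall(html)
            if urlsplit(u).hostname == public_host]


def external_scheme(peer_addr, request_headers, lb_addrs=LB_ADDRS):
    """Scheme the client used, taken from ClientProtocol only when the
    request really came from the load balancer; a direct client could
    otherwise set the header itself."""
    if peer_addr not in lb_addrs:
        return "http"
    lowered = {k.lower(): v for k, v in request_headers.items()}
    value = lowered.get("clientprotocol", "")
    return "https" if value.strip().lower() == "https" else "http"


# Constructed sample: a login page whose form posts to an absolute http URL.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form method="post" action="http://portal.example.com/irj/portal">
  <input name="user"><input type="password" name="password">
</form>
<a href="/irj/portal/help">Help</a>
<img src="https://portal.example.com/logo.gif">
</body></html>
"""

if __name__ == "__main__":
    print(rewrite_location(
        302, {"Location": "http://portal.example.com:80/irj/portal?x=1"}))
    print(insecure_body_refs(SAMPLE_LOGIN_PAGE))
    print(external_scheme("10.0.0.5", {"ClientProtocol": "https"}))
```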

  • H-REAP and Client Load-Balancing

    I'm told by Cisco that H-REAP does not support client load-balancing.
    We have a situation where we want to deploy LWAPPs using H-REAP into a conference room where training would take place.
    Any suggestions on how to overcome the inevitable slowness these people are going to experience from being unevenly associated with the APs?
    We can't re-write the application so we are looking for a wireless solution.
    Anyone hear about how other organizations have dealt with this type of situation?
    I'll be glad to supply more details if I am not being clear in my description of the problem.
    Thanks in advance. All responses will be rated.
    Paul

    This is the functionality which is missing in H-REAP: Client and Network Load Balancing
    "Radio Resource Management (RRM) load-balances new clients across grouped lightweight access points reporting to each controller. This function is particularly important when many clients converge in one spot (such as a conference room or auditorium) because RRM can automatically force some subscribers to associate with nearby access points, allowing higher throughput for all clients. The controller provides a centralized view of client loads on all access points. This information can be used to influence where new clients attach to the network or to direct existing clients to new access points to improve wireless LAN performance. The result is an even distribution of capacity across an entire wireless network.
    Note: Client load balancing works only for a single controller. It does not operate in a multi-controller environment."
    I suppose if we limit the number of users that can associate with a particular AP then we will achieve some client load-balancing. Though a hard limit on the number of end-users will also lead to situations where some end users will not be allowed any access.

  • ASA and vpn load balancing

    Hi,
    I am configuring 2 ASA5540 for internet traffic inside to outside,
    outside to inside (web, smtp) but also vpn load balancing for client to site, site to site and webvpn.
    In the doc I can configure them for internet traffic as Active/Standby or Active/Active.
    For vpn: I can use vpn load balancing.
    But there is no information if I want to use the active/passive and vpn load balancing together.
    Any thoughts on which way to go? What is the best thing to do?
    Regards

    Hi,
    I think that you cannot use an Active/Active configuration for VPN connections as it is stated on Cisco's documentation: "Note: VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for Active/Standby Failover configurations in single context configurations" available at http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
    Hope it helps

  • SSL Setup in a load balanced portal

    Hi,
    We are implementing a portal landscape and also we are using a hardware based (Cisco ACE) load balancer for load balancing purposes.
    So the configuration would be:
    Portal requests --> Load Balancer --> Portal --> Backend
    We are trying to implement SSL until the portal server and I have a question regarding the SSL certificate installation process.
    The URL on the load balancer would be for example https://portaltest.mycompany.com which would load balance the requests between the application servers of the portal (https://sapeptest1.mycompany.com:50001/irj/portal and https://sapeptest2.mycompany.com:50001/irj/portal).
    So, first thing we will have to do would be to install an SSL certificate (signed by a Trusted CA) on the load balancer with a CN=portaltest.mycompany.com.
    I understand that for https to function properly, the host name in the URL we are using to get to the server should match the CN of the SSL certificate installed on the server.
    Now, can we install the same certificate (that we put on the LB) on the portal as well?
    (This might not work because the server type will be different)
    (or)
    Do we need to buy 2 certificates with the same CN and install one each on the LB and portal ?
    Can someone please suggest how to proceed with the SSL setup and certificate installation process?
    Thank You ,
    Raj

    Raj Kumar wrote:
    My question is about how to go about installing the certificates on the LB and on the portal.
    If you aren't using web dispatcher, then the details of the installation on the LB will depend on your LB (Cisco? Radware? etc?). I suggest contacting your LB vendor for that.
    Sen's link is for SSO, you want the SSL procedure (http://help.sap.com/saphelp_nw70/helpdata/en/f1/2de3be0382df45a398d3f9fb86a36a/frameset.htm).
    You probably don't need a signed cert on the portal server itself (depending on whether your LB validates the cert). You could just use the default self-signed cert, since users won't be connecting to it directly and so won't be troubled by warnings about untrusted certs: the traffic from the AS would still be encrypted, you would only lose out on the server authentication feature (which you don't need, since again users won't see it).
    On the other hand, do you really need SSL on portal server? That adds overhead at both the LB and portal. It's usually sufficient to use HTTP from the LB to the back-end, as long as the servers only allow connections from the LB. I realize you aren't using web dispatcher, but this looks like scenario #3 in this diagram (http://help.sap.com/saphelp_nw70/helpdata/en/d8/a922d7f45f11d5996e00508b5d5211/frameset.htm).
    Regards,
    Sean

  • Lync 2010 and ACE load balancing

    Hi there,
    Has anyone deployed [or will be deploying] Lync 2010 utilising the ACE as a hardware load balancer? The ACE is not [yet] on the Microsoft list of supported devices for this product, but I am told this is because of lack of documentation from Cisco.
    The consensus from a few colleagues is that it should work as it did for OCS, which we have already deployed, so assuming that the set up and operation is similar, there shouldn't be much difference in the configurations.
    regards,
    Glenne.

    Hey Glenne,
    It seems you got that working already but I wanted to share this simple sample:
    parameter-map type http PARAMETER
      set header-maxparse-length 65535
      set content-maxparse-length 65535
    ============================================
    interface vlan 112
      ip address 10.198.16.71 255.255.255.192
      alias 10.198.16.124 255.255.255.192
      peer ip address 10.198.16.72 255.255.255.192
      mac-sticky enable
      access-group input anyone
      nat-pool 25 10.198.16.125 10.198.16.125 netmask 255.255.255.0 pat
      service-policy input ANS-MGT
      service-policy input VIPS
      no shutdown
    ============================================
    policy-map multi-match VIPS
      class LYNC_VIP
        loadbalance policy  LYNC_POLICY
        ssl-proxy server SSL_LYNC_TERMINATION
        loadbalance vip icmp-reply active
        nat dynamic 25 vlan 112
        appl-parameter http advanced-options  PARAMETER
    ============================================
    class-map match-all LYNC_VIP
      2 match virtual-address 10.198.16.125 tcp eq https
    ============================================
    ssl-proxy service SSL_LYNC_TERMINATION
      key tac-key
      cert tac-cert
      chaingroup tac-chaingroup
    ============================================
    policy-map type loadbalance first-match LYNC_POLICY
      class class-default
        sticky-serverfarm LYNC_COOKIE
    ============================================
    sticky http-cookie ACE_COOKIE LYNC_COOKIE
      timeout 30
      replicate sticky
      serverfarm LYNC_FARM
    ============================================
    serverfarm host LYNC_FARM
      rserver LYNC_SERVER1 80
        inservice
      rserver LYNC_SERVER2 80
        inservice
    ============================================
    rserver host LYNC_SERVER1
      ip address 10.198.16.93
      inservice
    rserver host LYNC_SERVER2
      ip address 10.198.16.113
      inservice
    ===========================================
    Jorge

  • Wlp and apache load balancing

    Hi,
    I have been trying to understand WebLogic clustering and load balancing capabilities. I have been through the edocs but they do not explain how things work; instead they only emphasize how to configure.
    Consider the following scenario:
    --------cisco firewall/load balancer------------
    apache1 apache2 apache3
    -------------------firewall-------------------------
    WLP1 WLP2 WLP3 WLP4
    My questions are:
    (1) How do the Apache servers load balance incoming requests amongst the four portal instances? I understand that it will use the WebLogic proxy plug-in. The httpd.config also should be configured to proxy requests to WLP instances by adding the corresponding address:port entries for each instance, using the WebLogicCluster keyword.
    (2) The WebLogic cluster will have nothing to do with load balancing? The only benefit I get from configuring a WebLogic cluster is session replication, right?
    (3) Even failover is going to be handled by the Apache servers?
    (4) If I need to use SSL and I need to have my SSL encryption/decryption done on the WLP instances, the Apache servers will only forward requests, with no encryption/decryption to be done on the web tier. Is this possible?
    See, in WebSphere the edge component will handle the load balancing and through it I can assign load weights for each appserver instance.
    (5) Are there any best practices to implement load balancing and failover on WebLogic Portal?
    I appreciate any input in this regard.

    1. yes, configure the apache plugin. put your 4 servers in the WeblogicCluster property (host:port,host:port...). The proxy will round robin requests between the servers in the cluster, although sessions are pinned to a single server. So if a request with a session (jsessionid cookie) comes in, it will read the primary server from the cookie and route it to that server.
    note that we have had trouble with keep alives ON and load balancing. we had to turn keep alives off to get load balancing working.
    2. right, the cluster allows failover by replication. apache plugin will perform the failover.
    3. the plugin will keep a dynamic server list so if a server goes down, it will update the cluster list and not route to it. it will also retry requests on another server on an error or timeout connecting. you can tweak timeout settings like WLSocketTimeoutSecs and ConnectTimeoutSecs. and keep idempotent ON which allows failover, unless your application can't handle this.

  • SSL setup with a load balancer

    We are running EP 7.0 SP14 and have set it up to run through a Cisco ACE loadbalancer.  We have also set up SSL with the certificate on the ACE load balancer.  Everything works fine, except we keep getting a Security Alert popup message in IE that states "You are about to be redirected to a connection that is not secure."
    Are there some additional configurations that I need to do in EP to make this go away?
    Maximum points to the first correct answer.

    You can change logoff URL to any value:
    http://help.sap.com/saphelp_nw04s/helpdata/en/44/aada5230be5e77e10000000a155369/frameset.htm
    Regarding VC apps.
    It is strange you cannot see HTTP in the IEWatch. IE should not be able to alert about something it does not see. I suggest you use something more substantial to trace network calls: http://www.wireshark.org
    This is the best tool I know for network tracing.
    Regards,
    Slava

  • CSS on multiple subnets and separate load balancing

    Hello,
    I've a situation where I need to load balance incoming clients on subnet A to 3 real servers on subnet B - no problems there.
    But I also need to load balance different clients on subnet C to 3 other servers on subnet D and clients on subnet E to 2 servers on subnet F.
    Basically I want to use the CSS for 3 different load balancing operations.
    Rather than using 3 separate CSS11503s can I do all this with multiple VLANs on the LAN switches and 1 CSS?
    Any help appreciated
    Regards Tony

    You can have as many VLANs as you want.
    So yes you can do what you want.
    Just be aware that the CSS can route as well between those VLANs, so if you want separation between them you may have to use ACL.
    Gilles.

  • CSS and Oracle Load Balancing

    Hi,
    I have CSS in single arm deployment model. I have multiple servers load balancing on this CSS on port 80 etc. Today I am trying to load balance one Oracle server but I am facing problem with it.
    Real servers are accessible on port 80 without any problem but when we are trying to access the same servers on VIP we are not able to see the web page.
    real server http://192.168.17.12/irs.htm
    real server http://192.168.17.14/irs.htm
    real server http://192.168.10.37/irs.htm
    VIP
    http://192.168.200.58/irs.htm
    Below is the configuration. I can do the telnet on port 80 and I can ping the VIP IP address.
    If I only put 192.168.200.58 in the browser I can see the Oracle page, but with the full URL I am not able to see it.
    Though I have other oracle servers which I have load balance with the same configuration and I can access the web page.
    ==========================================================================================
    http://tptest.enoc.com/forms/frmservlet?config=tp  (This is working fine).
    ========================================================================
    http://irs.enoc.com/irs.htm  (This is not working).
    By name and by IP address both are not working.
    http://192.168.200.58/irs.htm  (This is not working).
    =============================================================================
    service IRC_1
      ip address 192.168.17.12
      keepalive type tcp
      keepalive port 80
      active
    service IRC_2
      ip address 192.168.17.14
      keepalive type tcp
      keepalive port 80
    service IRC_DR
      ip address 192.168.10.37
      keepalive type tcp
      keepalive port 80
    content ENOC_IRC
        add service IRC_1
        add service IRC_2
        add service IRC_DR
        vip address 192.168.200.58
        protocol tcp
        port 80
        advanced-balance sticky-srcip
        active
    owner ENOC_GIT
    content ENOC_IRC
        add service IRC_1
        add service IRC_2
        add service IRC_DR
        vip address 192.168.200.58
        protocol tcp
        port 80
        advanced-balance sticky-srcip
        active
    group ENOC_IRC
      add destination service IRC_1
      add destination service IRC_2
      add destination service IRC_DR
      vip address 192.168.200.58
      active
    ===================================================================================================
    ENOCDC-CSS01(config)# show service summary
    Service Name                     State     Conn  Weight  Avg   State
                                                             Load  Transitions
    IRC_1                            Alive         0      1     2            0
    IRC_2                            Suspended     0      1   255            1
    IRC_DR                           Suspended     0      1   255            1
    ENOCDC-CSS01(config)# show summary
    Global Bypass Counters:
       No Rule Bypass Count:     0
       Acl Bypass Count:         0
    Owner            Content Rules    State     Services         Service Hits
    ENOC_GIT        
                  ENOC_IRC         Active    IRC_1            103
                                                IRC_2            10
                                                IRC_DR           7
    =======================================================================================================
    I am doing the same setting for other servers and it is working fine; only for these servers am I facing a problem. Currently only one server is active in the configuration.
    Kindly let me know what I am missing and how to fix the problem.
    I have also attached the full configuration of CSS.

    Hi,
    My point of concern is that I did the same for Oracle server and this is working fine
    http://192.168.200.95/forms/frmservlet?config=tp
    only when I am doing the load balancing for
    http://irs.enoc.com/irs.htm  (This is not working).
    By name and by IP address both are not working.
    http://192.168.200.58/irs.htm  (This is not working).
    I don't have an option for a TAC case. Is there a way to fix the problem by applying another load balancing method? Is there something to do with the Circuit VLAN? I didn't create the Circuit VLAN 17 where this server is located.
    I am doing load balancing for almost 8 different servers in this CSS.
    Your expert opinion will definitely help me.

  • Web dispatcher and J2EE load balancing

    I have portal DBCI on one server and DI on multiple servers. I implemented Web dispatcher in front of the DI and it does the load balancing across all DI and CI. What I want to do though is not to route any users to CI instance - ie take CI server processes out of load balancing.
    In ABAP environment you could create a logon group and not put CI in the group and users coming through the logon group do not go to the CI. I would like to do the same with Portal Java processes. In help.sap.com I found that web dispatcher uses default !J2EE group if there are no groups defined - to distribute users but I cannot find any way to define a logon group for J2EE java.
    Does anybody out there know how to do this - define a logon group and include only DI and not CI in that?

    > Raj,
    >
    > Which versions are you on J2EE? EP?
    > If you are on EP SP14 or NW01 you can do workload
    > distribution within the portal.
    >
    > James
    We are using NW 04 based EP 6 SP 16. I am looking to use web dispatcher to distribute users on the DI servers and not distribute any users on the CI server. What can I do so that if an admin user enters http://CI_server:50000/irj then they can log in to the CI server, but if users come through webdispatcher then they are not put on the CI but go to one of the DI servers only? By default web dispatcher would send some users to CI and I don't want that.

  • New ASA5512- 5515: content filter and WAN load balancing

    Hi,
    Is it possible to make the content filter with the new models of ASA?
    One of our customers would like to have content filter with the possibility to monitor the single client activity (log).
    Is it also possible to make the load balancing between 2 WAN?
    Now in HQ they have 2 WAN with WAN backup (ASA5505) and VPN to another site.
    Thanks in advance,
    Paolo.

    I saw that you can add CX feature:
    CX - Context Aware Security Feature:
    Cisco ASA CX Context-Aware Security is a modular security service that extends the ASA platform with next-generation capabilities. It is available with SSD purchase for models such as 5512-X, 5515-X, 5525-X, 5545-X and 5555-X.
    Application Visibility Control (AVC):
    This is an additional feature in CX. Activation of this feature requires a separate license. This is the feature that does deep packet inspection for Application recognition. It provides context-aware firewall security.
    Web Security Essentials (WSE):
    This is an additional feature in CX. Activation of this feature requires a separate license. It delivers features like "URL Filtering" and "Global Threat Intelligence".
    Can somebody confirm that?
    Has somebody already used and configured these features?
    Thank you,
    Paolo.

  • WLS 5.1 JMS and Message load balancing

    Would I be right in thinking that WLS 5.1 offers no out of the box component that distributes incoming messages over a series of JMS Destinations? (much like a distributed destination would do in WLS 8.1?)
    Is it BEA's recommendation then that any JMS Client sending to these JMS destinations picks up the responsibility for carrying out load balancing?
    regards
    Barry

    > Would I be right in thinking that WLS 5.1 offers no
    > out of the box component that distributes incoming
    > messages over a series of JMS Destinations? (much
    > like a distributed destination would do in WLS 8.1?)
    Yes.
    >
    > Is it BEA's recommendation then that any JMS Client
    > sending to these JMS destinations picks up the
    > responsibility for carrying out load balancing?
    Application dependent.
    For example, you could set up an EJB that enqueues to the local queue - where the local queue's name is inferred from the server the EJB is running on.
    Load balancing (and fail-over) would then be accomplished by invoking the EJB and depending on standard EJB features...
    >
    > regards
    > Barry

  • NW04 Portal and Cisco Load balancer

    Hi everybody,
    does anyone have a similar landscape as I have?
    Reverse Proxy - Cisco Content Switch Module for Load Balancing - two NW04 Portal Servers.
    How did you configure the stickyness / Load balancing mechanism on the load balancer in order to get it running?
    Cheers
    Jochen

    Hi,
    Web AS Java issues a cookie called saplb.
    You can check its value by connecting to the portal and then launching the command
    "javascript:alert(document.cookie)"
    within the browser. You will get a cookie value like
    saplb_*=(J2EE6202500)6202551          
    The value in brackets determines the Instance; the second number equals the actual ClusterID (can also be found in the VisualAdmin). Usually 50 indicates the 1st server node, 51 the second one etc.
    The saplb_*-cookie can be checked by the Cisco; see Cisco-Link above. Just configure the Cisco to be sticky on the instance number (value in the first brackets, in the example 6202500).
    Several Customers do it like this, and actually the SAP Webdispatcher is also using this cookie to determine the instance to distribute the request to.
    Good luck Bernhard
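
An added example, not part of the original post, of the stickiness Bernhard describes: read the saplb cookie, take the instance number from the brackets, and route to that instance. It assumes the value format shown above, a constructed instance-to-backend map with hypothetical host names, and treats the cookie as untrusted input by falling back to normal balancing when the value is malformed or names an unknown instance.

```python
import re

# "(J2EE<instance>)<node>", as in the value shown in the post:
# saplb_*=(J2EE6202500)6202551
SAPLB_VALUE = re.compile(r"^\((?:J2EE)?(\d{1,12})\)(\d{1,12})$")

# Constructed mapping from instance number to backend (hypothetical hosts).
INSTANCES = {
    "6202500": "portal1.example.com:50000",
    "7302500": "portal2.example.com:50000",
}


def parse_saplb(cookie_header):
    """Return (instance, node) from the first well-formed saplb_* cookie
    in a Cookie request header, or None when there is none."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep or not name.startswith("saplb_"):
            continue
        m = SAPLB_VALUE.match(value.strip())
        if m:
            return m.group(1), m.group(2)
    return None


def choose_backend(cookie_header, counter, instances=INSTANCES):
    """Pick a backend for one request.

    Sticky when the cookie names an instance we know; otherwise round
    robin over the known instances using the caller's request counter.
    The cookie comes from the client, so an unknown or malformed value
    never selects a backend on its own.
    """
    parsed = parse_saplb(cookie_header or "")
    if parsed and parsed[0] in instances:
        return instances[parsed[0]], "sticky"
    ordered = sorted(instances)
    return instances[ordered[counter % len(ordered)]], "balanced"


if __name__ == "__main__":
    header = "JSESSIONID=abc; saplb_*=(J2EE6202500)6202551"
    print(parse_saplb(header))
    print(choose_backend(header, 0))
    print(choose_backend("saplb_*=(J2EE9999999)9999951", 1))
```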

  • HTTP type connectivity between XI and R3 - load balancing options ?

    Hi
    We have an http type connectivity setup between XI and R3 in order to enable XI to communicate with R3 using ABAP proxies. We did this by creating an RFC destination on the ABAP stack of XI of type 'H' (http connection between R3 systems). Now, while setting up this rfc destination, there is no option to specify a message server on R3 - we just see a target server field that can be filled in.
    In an rfc destination of type 3 - on the XI box ( which is used for a XI --> R3 idoc adapter ) , I  can see an option for specifying message server.
    Does this mean that using type 'H' connectivity between XI and R3 does not give us an option of hitting the load balancing - message server on R3 and thus cannot use the load balancing setup on R3 ? Is this is a limitation of type 'H' connectivity between XI and R3 ?

    For HTTP load balancing the options seem to be somewhat different... check if these threads provide you any help:
    http://help.sap.com/saphelp_nw04s/helpdata/en/ae/9bfc3f9ec4e669e10000000a155106/content.htm
    http://help.sap.com/saphelp_nw04/helpdata/en/79/a1ce9569444647956b0ec1cf443c4d/content.htm
    http://help.sap.com/saphelp_nw70/helpdata/en/43/39c7b227b91bcbe10000000a1553f7/content.htm
    Regards,
    Abhishek.
