SSL traffic management

I am trying to set up a CSS w/SSL module for a company with 1 public IP and 3 internal Web servers (Time Management, Exchange and an employee portal) that require SSL connections. I am NATing all 443 traffic to a CSS VIP which is referencing an SSL-PROXY-LIST (frontend and backend SSL). Does anyone have a network setup like this working?
I am having an issue with URL filtering on the unencrypted clear text traffic/second content rule lookup from the SSL module to the CRM during the Backend SSL setup. Any ideas? This should be possible, correct?
Thanks in advance ...

Got it working ...

Similar Messages

  • Is it recommended to scan SSL traffic

    Depends on your company policy and provision of services
    If you are in a highly regulated industry where web use is pinned down to work use only then yes you should be.
    If you allow different devices on your network that aren't managed it can be an issue deploying the intermediate certs needed.
    In more liberal working environments it can create staff "privacy" issues if you are intercepting their banking transactions, Facebook posts and Amazon purchases.

    We are using McAfee web filtering devices, where I have the option of scanning SSL traffic, I know and understand the SSL technology but still have a question in my mind, so it is better to get some suggestions. 
     Any suggestions will be highly appreciated.
    This topic first appeared in the Spiceworks Community

  • Re: P2P technical clarification and Traffic manage...

    I do not need info regarding best package.
    I mentioned that I was having line issues and wanted a mod to check the line etc. I want to understand the technical details of p2p and traffic management etc.
    If you won't move it back just forget about this post and I will draft up another post where I can get a mod to look at my line and answer my technical questions.

    Hi raydun,
    I can see that we've received your details from the form that you filled in.  Whenever we pick up your details we'll give you a shout back.
    All the best,
    Robbie
    BTCare Community Mod
    If we have asked you to email us with your details, please make sure you are logged in to the forum, otherwise you will not be able to see our ‘Contact Us’ link within our profiles.
    We are sorry that we are unable to deal with service/account queries via the private message(PM) function so please don't PM your account info, we need to deal with this via our email account :-)
    If someone answers your question correctly please let other members know by clicking on ’Mark as Accepted Solution’.

  • Best Practice while configuring Traffic Manager for Azure Website

    Hi Team,
    I want to understand What is the best practice while we configure traffic manager for Azure website.
    To give you the base, Here let me explain my requirement. I have one website which 40% target audiences would be East US, while  40% would be UK and rest 20% would be from Asia-pacific.
    Now, What I want is Failover + Performance based Traffic Manager Configuration.
    My thinking:
    1) we need to create 1 website with 2 instances in each region (east us, east asia, west us for an example). so, total 3 deployment of website. (give region based url for the website)
    2) create traffic manager based on performance and add 3 of those instances. that would become website-tmonperformance
    3) create traffic manager based on failover and add 3 of those instances. that would become website-tmonfailover
    4) create traffic manager and ?? don't know the criteria but add both above traffic manager here and take your final url for end user.
    I am not sure (1) this may be the right approach or not (2) if this is right, in the 4th step which criteria we should select while creating final traffic manager round-robin/ performance/ failover?
    After all these, if a user tries to access the site from the US, traffic manager will divert that to US Data-Centre or it will wait for failover and till that it will be served from east-asia if in configuration, east-asia is my 1st instance?
    Regards, Brijesh Shah

    Hi Jonathan,
    Thanks for your quick reply. actually question is bit different. Let me explain you different way.
    I was asking for a recommendation from the Azure Traffic Manager team, whether my understanding is correct or not. We want Performance with Failover.
    So, one Azure website we have: take an example todoapp. I deployed that in 3 different regions. Now, I want to have performance based routing as well as failover based routing, but obviously I can't give two URLs to my end user. So, at the top of that I will require one more traffic manager. So,
    step 1: I will create one traffic manager with performance criteria named: TMForPerformance.trafficmanager.com where I will add all those 3 instances (all are from different regions so it won't create any issue.)
    step 2: I will create one more traffic manager with failover criteria named: TMForFailover.trafficmanager.com where I will add all those 3 instances (all are from different regions so it won't create any issue.)
    step 3: I will create one final traffic manager with performance criteria named: todoapp.trafficmanager.com where I will add these two traffic manager instead of 3 different region's website.
    Question 1) Is it correct structure if we want to achieve Performance with Failover or Is there any better solution?
    Question 2) in step 3, what criteria we should select? performance/ round robin/ failover
    Regards, Brijesh Shah

  • Using Sun Traffic manager in SC

    Dear Gurus
    Is there any specific requirement for using Sun Traffic Manager in Sun Cluster?
    I am using Sun Cluster 3.1 on Solaris 9.
    Regards

    I'm not sure which meaning of 'specific' you're implying here. You could interpret the question as:
    A. Do I have to run Sun traffic manager with Sun Cluster?
    Answer: yes, if you have multiple paths to the same storage, otherwise it is superfluous.
    B. Does Sun traffic manager depend on other s/w to run with Sun Cluster?
    Answer: no, just Solaris and relevant patches.
    C. Can I use something other than Sun traffic manager with Sun Cluster?
    Answer: yes, with EMC you can use PowerPath and with HDS you can use HDLM (?), but you can't use VxDMP.
    Hope that helps,
    Tim
    ---

  • Sun Traffic Manager not managing 2 QLC controllers

    We have a V440 solaris 9, latest patch cluster and storedge traffic manager 4.4 with patches. 2 Sun QLC single channel controllers each see the same SAN disks via brocade switches.
    Why won't Traffic Manager create pseudo controller details in /dev/rdsk & /dev/dsk? I have checked fp.conf, scsi_vhci.conf, qlc.conf for mpxio_disable="no" etc.
    reboot -- -r messages show multipathing enabled, auto failback enabled.
    Help! Suggestions for further checks and gotchas?
    stmsboot -L shows the correct associations so somewhere STMS is not enabled but I cannot figure it out.
    The local scsi boot disks are not dual pathed, they are mirrored. Running stmsboot -e errors immediately, referring to the root mirror.

    connected, configured, failed or failing, indicates that one or more devices could not be accessed to complete the configure process during boot.
    Keep in mind, that if you turn on STMS, and you have only one path, it will still create the pseudo device path for fibre-channel devices.
    So work with only the one-path model for now.
    Try:
    cfgadm -c unconfigure c3::50060e8003286f10
    cfgadm -c unconfigure c4::50060e8003286f00
    devfsadm -Cv
    make sure that the above WWPNs do NOT appear in the /etc/cfg/fp/fabric_WWN_map
    init 6
    Now there is one caveat that I forgot to ask you about earlier: there are certain array makes that require an entry in the scsi_vhci.conf. If your array is not a Sun Branded array, Hitachi, or LSI-Logic array, it may require the "symmetric-option". Take a moment to evaluate this before performing the "init 6" above.
    Once the system is init 6'd, take a look at
    cfgadm -o show_FCP_dev -al
    Do you see all the luns, and are they in the unconfigured, unknown state?
    If so, configure only one of the paths. If possible have a "tail -f /var/adm/messages" running in another terminal window. This will show you the messages that occur during the configure. If you get some WARNINGs, I'd suggest taking a look at the lun masking/security on the array. If no warning, check format, you should see your paths!!
    Another question is if you turn STMS off, are all the paths able to configure successfully, and can they be seen in format with:
    cNtWWPNdN

  • Do we need to manually deploy the application at all region if we want to use Traffic Manager

    Hi Team,
    I am little confused before I want to start work on Azure Traffic Manager.
    Actually I have one site at East US. now I want to use Traffic Manager. so, I probably need to deploy the site on different region. take an example we deploy on East Asia and West US.
    Now, we have the same site deployment at 3 regions. We can set up traffic manager based on load balance/ round robin/ failover.
    But the question here is: do we need to deploy the same site at all 3 regions manually (one-by-one)?
    Through Visual Studio or FTP, do we need to keep that deployment whenever we keep updating the site? Suppose we have a little complex scenario where we create 3 traffic managers based on their each type (like load balance, round robin and failover) and at top we have 1 traffic manager where we have these 3 configured. Each of these might have the site in 3 different regions, then probably we will have around 1 same site at-least around 9 region.
    So, whenever we have any changes, we need redeploy that on each region one by one?
    Regards, Brijesh Shah

    Hi Brij,
    Traffic Manager is separate from the underlying sites.  So yes, you will need to manage the deployment of those sites separately from Traffic Manager.  How easy or difficult that is depends on what kind of site you are using (PaaS?  IaaS?  Websites?) and how it is architected (is there a back-end database?)
    Traffic Manager supports the ability to enable/disable endpoints, which allows you to easily divert traffic away from a particular site whilst it is being updated.
    Regards,
    Jonathan Tuliani
    Program Manager
    Azure Networking - DNS and Traffic Manager

  • Does Traffic Manager provide database load balancing for MySQL?

    I need two VMs to implement MySQL Cluster in Windows Azure. VMs allow configuring an endpoint load balance set for MySQL, but I did not find the TCP protocol in Traffic Manager. Does it provide this service for database load balancing?

    Hi,
    Traffic Manager works on the DNS level and routes traffic between public endpoints that sit behind a common DNS name. So you can't use this for your scenario.
    However, you can implement load balancing for VMs in another way.
    Edward

  • ACE Best Sticky Method for SSL Traffic

    Hi, With ACE 4710 running serverfarms primarily running SSL traffic, what is the best method for configuring stickiness. Here are some parameters:
    1) low volume sites, 2 real servers
    2) ACE _will not_ do SSL offloading
    3) Balancing HTTPS requests
    4) Many versions of HTTP clients
    5) Currently running ACE A1 code
    I am thinking of:
    1) TCP Header | HostID inspection
    2) SSL-session ID (not good if re-key often though)
    3) Any suggestions?
    many thx,
    WR

    Hi Will,
    You can see a complete configured example for your perusal in this regard for
    Configure ACE Module for End to End SSL Termination
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c6f37.shtml
    And Many more here regarding
    Data Center Application Services Configuration Examples:
    http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples
    Hope these configuration examples will be useful to you.
    Sachin Garg

  • The New Traffic Management Transparency Code

    I'm hoping that at some point this month (in April),  BT will make some kind of official statement to the effect that the existing 300GB allowance on Infinity Option 2 has been removed. Which means anyone going over 300GB (uploads + downloads) in a single month will no longer be penalised. This doesn't mean that the heaviest users are let off the hook, as I understand it, even after the 300GB allowance is scrapped you can still be classified as a heavy user and be penalised for it. The question that people will be asking is this ...
    "At what point above 300 GB will I be classified as a "Heavy User"?", or "How much can I safely download during Peak Periods before being classified as a "Heavy User"?"
    This also implies BT will probably be using traffic management as the way to control bandwidth demands on the network; we won't know exactly what those traffic management policies will be until the end of June 2011, when BT along with a number of other Broadband providers launch a new traffic management transparency code ...
    The new voluntary code includes three commitments:
    1. Firstly to provide more information to consumers about what traffic management takes place, for what purpose and with what impact.
    2. Secondly to comply with a set of good practice principles on providing information to consumer that is:  understandable; appropriate; accessible; current; comparable; and verifiable.
    3. Thirdly to publish a common Key Facts Indicator (KFI) table, summarising the traffic management practices they use for each broadband product they currently market, which will be available on ISPs’ websites by end of June 2011.
    http://www.broadbanduk.org/content/view/479/7/

    sahotaquack wrote:
    That's because I asked if I will still be restricted if I go over the 300GB allowance per month. Everyone knows we will still be restricted with the p2p at peak times. You seem to be so anti-BT, why are you even on these forums if you hate them so much?
    Don't start turning this into an issue of me hating BT, this is an issue of your reluctance to face the facts.
    I'm not anti BT in any way shape or form, and very happy with my Infinity connection. You on the other hand  don't seem to be very happy with yours. You see, I have little patience for someone who repeatedly posts the same question in the forums, and then because he doesn't like the answer, reposts the same question in another thread.
    I responded to your question here:
    http://community.bt.com/t5/BB-Speed-Connection-Issues/BT-TO-SCRAP-300GB-LIMIT/m-p/165579#M70898
    You obviously don't like my answer or don't believe my answer, either way I don't really care. But you then continue on to say that you had called BT and are told by someone at BT that ...
    "I confirm to you that, from April 2011 we’ll be removing this fair usage policy for BT Total Broadband Option 3 and BT Infinity Option 2. The Broadband speed will not be restricted once this action is taken. However, as I am not able to confirm the exact date to you, I would request you to wait till the end of April, 2011. "
    and it would appear that you like this answer from BT so much that you are forced to post it in a different thread I had started regarding the traffic management transparency code. And once again I tell you that whoever gave you that information is wrong.
    Are you beginning to see a pattern here, let's just end this here & now. If you would like to believe that after the 300GB allowance is removed that you can download over 300 GB and remain untouched by traffic management go right ahead, because at some point above 300GB you will trip traffic management & have your speed cut. END OF STORY, bye bye.

  • BT Traffic management key facts indicator Section ...

    BT's P2P traffic management policy now comes in table form. There's no mention of the 24 hour P2P upload throttle, and there's a feedback button at the end of the section.
    http://bt.custhelp.com/app/answers/detail/a_id/10495/c/346,402,424

    kevin51 wrote:
    BT's P2P traffic management policy now comes in table form. There's no mention of the 24 hour P2P upload throttle, and there's a feedback button at the end of the section.
    http://bt.custhelp.com/app/answers/detail/a_id/10495/c/346,402,424
    Hi kevin, Correct there is no mention of 24hr upload throttling, but any throttling could come under the words:
     We manage these restrictions daily based on the demands on the network, but downstream restrictions will typically be in place 4pm - midnight on weekdays and 9am - midnight on the weekend. Upstream restrictions may be in place at other times.
    You can, of course, still use P2P services, but downloads will take longer during the peak times.
    We may need to vary the policy from time to time to ensure the best possible experience for all our customers. This site will always be kept up to date with the latest information.
    toekneem
    http://www.no2nuisancecalls.net
    (EASBF)

  • Cisco CSS as non-HTTPS SSL-traffic terminator

    Hi!
    Does anybody know is it real to use Cisco CSS as SSL-traffic terminator. I need to terminate non-HTTPS SSL-traffic on this device (i.e. SSL-encrypted sessions of any particular TCP-based application-layer protocol, not https)? If not, is there any CISCO device capable of doing such a job?
    Regards, Amir

    Hi!
    Thank you very much for your reply.
    I know about the S model - as per my post - but unfortunately I have realized after making the purchase.
    Can you please help me with the following issue: my unit is not able to boot from FTP, even if I follow up the CISCO official documentation for that version (I issue all the commands as in the manual). More than that, if I setup the Primary Boot Configuration and then I want to check it up there is nothing in that field. The Secondary Boot Configuration keeps its settings and after the Primary failure it will try the Network Booting but with Failed status - returning me to the OffDM.
    I mention that I am using the OffDM because the unit I bought has no Flash Card.
    Also I am not sure how I can have a "network mounted filesystem" and in the meantime use the FTP protocol; setting up an NFS server won't provide me with a Windows style absolute path like k:/.... as per the CISCO official guide. Is that a plain FTP generically called Network File System??? "First, create these subdirectories on the FTP server, then copy the files from the boot image to the subdirectories"
    Is this linked with the fact that I am using a Linux box for my FTP Server? Can you please help me to understand what the following line from CISCO official guide means "A network boot is not supported on UNIX workstations"
    Thank you!

  • Think i may have my internet traffic managed?

    Hello
    I'm on Bt Infinity 2, the contract was taken out a couple years ago.
    Everything was good until September 13 when my internet speed dropped considerably. This was sorted out and solved, but when I download any files from the net I average about 800kb.
    My connection speed is 50mb down 15 up (so BT wholesale speed test says).
    I contacted BT just before Christmas and they sent me a new hub hoping that this would solve the issue; it hasn't.
    I also asked BT about being traffic managed, which they say they don't do anymore, although running the glasnost test has confirmed that I am.
    I also re-installed Windows and attempted after install, still the same results.
    I have spoken to their tech guys and they're going to send an engineer out to confirm what I'm saying.
    I had a call from BT soon after as a courtesy call, then after explaining everything to them was told that there's nothing they can do for.
    Anyone got any suggestions what's going on?

    If you contracted before Feb 2013 you would be on Unlimited broadband. This means you have unlimited data upload and download limits. It does not mean that your connection will not be limited at peak times.
    If you contracted after Feb 2013 you should be on Totally Unlimited. This means you have unlimited data uploads and download and you will not be limited at peak times.
    If you re-contracted after Feb 2013 you may not have been automatically put onto Totally Unlimited unless you asked for it when you re-contracted.
    If you have not re-contracted and are on a rolling monthly contract you will be on whatever package you were last contracted on.
    Telephone the Options Team on 0800 800 030 and ask them what package you are on and if need be you may need to re-contract to put you on Totally Unlimited. If you have any problems post back here for further advice.

  • Traffic Manager versus Azure Load Balancer

    Hi All,
    We have an MVC5 app which we are planning to host either as an Azure Web App or Azure Web Role. The queries that we have is pertaining to load balancing of the same as follows:
    1. When we spawn multiple instances of Web Apps or WebRoles, does Azure Load Balancer automatically kick in?
    2. If the above case is true, then when is the need for the Traffic Manager? Is it used when instances are spanning across multiple regions?
    3. Will Azure load balancer suffice my requirement if I am hosting my app only in a single region?
    Regards, Saurabh

    Hi Saurabh,
    No, you would have to manually configure an Azure Load Balanced Set for Load Balancing purposes. You could refer this link for details on how to configure a Load Balanced Set:
    https://msdn.microsoft.com/library/azure/dn655055.aspx
    Yes, Traffic Manager allows you to control distribution of traffic to Cloud Services, Websites across different Data Centres.
    If you are hosting your app within a Cloud Service, Azure Load Balancer should suffice for your requirement.
    You could refer the following link for details on various load balancing methods for Azure Infrastructure Services:
    http://azure.microsoft.com/en-in/documentation/articles/virtual-machines-load-balance/
    Regards,
    Malar.

  • URL filtering ACE after decryption of SSL traffic

    We currently have a Cisco CSS11501 which we have configured with SSL offloading.
    We offload the SSL traffic and after decryption of the SSL traffic we perform URL filtering.
    Can the ACE 4710 Appliance do the same?
    I have attached the current configuration of the CSS.
    Regards,
    Richard

    With the below config, traffic matching 10.10.10.10:443 will be SSL offloaded and then will be loadbalanced using rservers in Serverfarm "APP1-SFARM" if the request includes "/matchthis".

    ssl-proxy service APP1-SSL-PROXY
      key default-key.pem
      cert default-cert.pem

    class-map match-all APP1-443-VIP
      2 match virtual-address 10.10.10.10 tcp eq https

    class-map type http loadbalance match-any APP1-URLMAP
      2 match http url /matchthis.*

    policy-map type loadbalance first-match APP1-Policy
      class APP1-URLMAP
        serverfarm APP1-SFARM

    policy-map multi-match VIPS-VLAN79
      class APP1-443-VIP
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        loadbalance policy APP1-Policy
        ssl-proxy server APP1-SSL-PROXY

    HTH
    Syed iftekhar Ahmed
